DOM-based XSS

Presentation to the M.Sc. project thesis:
DOM-based XSS to the
Chair of Network and Data Security,
RUB, HGI
Prof. Jörg Schwenk

The paper will be available soon, after the attestation.

Published in Education , Technology

Transcript

  • 1. DOM-based XSS. Krassen Deltchev, Zdravko Danailov ({Krassen Deltchev|Zdravko Danailov} %2540 rub.de), 10.04.12
  • 2. Outline
    1. Stats and basics
    2. Classical XSS vs. DOMXSS
    3. Technical background
    4. S3 Meta-Model
    5. URL obfuscation
    6. Demo
    7. Defense mechanisms
    8. Approaches and models
    9. Pen-testing tools
    10. Summary
  • 3. Stats and basics (Source 1)
  • 4. Stats and basics (Source 2)
  • 5. Classical XSS vs. DOMXSS
    1. Classical XSS:
       - NP-XSS (reflected XSS)
       - P-XSS (stored, persistent XSS)
       - A running web server is needed
       - Forensics exist, as do WAFs
       - You protect the server, or the server constellation
    2. DOMXSS:
       - Client-side
       - A running web server is not necessarily required
       - Client-side forensics s**xs, no WAFs
       - You protect the browser/user-agent behaviour
  • 6. Technical background
  • 7. S3 Meta-Model
  • 8. URL obfuscation
  • 9.
  • 10. Defense mechanisms
    1. Basic level:
       - Routine tasks
       - Documentation
       - Version control
       - Cheat sheets:
         - DOM based XSS Prevention Cheat Sheet (Source 3)
         - HTML5 Security Cheatsheet (Source 4)
         - HTML5_Security_Cheat_Sheet; XSS (Cross Site Scripting) Prevention Cheat Sheet (Source 5)
         - XSS (Cross Site Scripting) Cheat Sheet, esp. for filter evasion (Source 6)
    2. Advanced level: Approach I & Approach II
    3. HoneyWebEnv + WebScarab
  • 11. Defense mechanisms: Approach I & Approach II
  • 12. Approaches and models: Defensive STO model
    Level                            | Type                   | Strategical layer                          | Tactical layer                    | Operational layer                                        | Realization
    Basic (level of security model)  | security               | All tasks are necessary                    | Admin tasks, manuals, cheatsheets |                                                          |
    Advanced                         | security               | Find proper security                       | Models: S3MM, AFA                 | Patterns, APIs, coaching                                 |
    Execution                        | (manual vs. automated) | Questions: manual/automated; concurrency   | manual, automated, semi-automated | documentation, web-scanners, forensics                   |
    Deployment stage                 |                        | Improving the SSDLC                        | Comparing to other SSDLCs         | Apply appropriate decisions on every stage of the SDLC   |
  • 13. Approaches and models
  • 14. Approaches and models
  • 15. Approaches and models: Client-side web-application filtering
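The following is an added example, not code from the slides or from the authors. It models the contrast drawn on slide 5 (untrusted data arrives in the URL fragment and is written into the page by client-side script, so the server, its logs and a WAF never see it) and the client-side filtering theme of slide 15. The greeting widget, the `makeElement` DOM stand-in (so the code runs under Node), the `fragmentLooksLikeMarkup` helper and the sample fragment are all constructed for this example.

```javascript
// Added example (not from the slides): DOM-based XSS sink vs. hardened sink,
// plus a client-side check. The DOM stand-in is constructed so this runs in Node.

// Escape the characters that change the HTML parser's state.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal DOM-element stand-in (constructed): models only the two sinks that
// matter here. As in a real browser, a value assigned via innerHTML is kept as
// markup, while a value assigned via textContent is serialised escaped when
// innerHTML is read back.
function makeElement() {
  let html = "";
  let text = "";
  return {
    get innerHTML() { return html; },
    set innerHTML(v) { html = String(v); text = html.replace(/<[^>]*>/g, ""); },
    get textContent() { return text; },
    set textContent(v) { text = String(v); html = escapeHtml(text); },
  };
}

// Read the fragment the way a greeting widget might: strip "#", URL-decode.
// A malformed escape sequence makes decodeURIComponent throw; treat that as empty.
function readFragment(hash) {
  try {
    return decodeURIComponent(String(hash).replace(/^#/, ""));
  } catch (e) {
    return "";
  }
}

// Vulnerable sink (the DOMXSS case from slide 5): fragment -> innerHTML.
// The browser parses whatever the fragment contains as markup, and the
// fragment is never sent to the server, so server-side defenses do not apply.
function renderGreetingUnsafe(hash, el) {
  el.innerHTML = "Hello, " + readFragment(hash);
  return el.innerHTML;
}

// Hardened sink: same data flow, but the value is assigned as text, so
// markup characters in the fragment are never parsed as HTML.
function renderGreetingSafe(hash, el) {
  el.textContent = "Hello, " + readFragment(hash);
  return el.innerHTML; // what the DOM serialises: entities, not tags
}

// Client-side filtering aid (hypothetical helper in the spirit of slide 15):
// flag a fragment carrying characters that would alter markup if it reached
// innerHTML. Useful for client-side telemetry; not a substitute for a text sink.
function fragmentLooksLikeMarkup(hash) {
  return /[<>"']/.test(readFragment(hash));
}

// Stand-alone run with a constructed fragment.
const sampleHash = "#%3Cb%3EAlice%3C%2Fb%3E"; // decodes to <b>Alice</b>
console.log("unsafe :", renderGreetingUnsafe(sampleHash, makeElement()));
console.log("safe   :", renderGreetingSafe(sampleHash, makeElement()));
console.log("flagged:", fragmentLooksLikeMarkup(sampleHash));
```

The point the stand-in makes visible is that the same decoded fragment ends up as tags in one case and as entities in the other; in a browser, the first is what a DOM XSS scanner such as the ones listed on slide 16 looks for, and the second is the fix.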
  • 16. Penetration testing
    1. Static code checkers:
       - DOM XSS Scanner
    2. Dynamic code checkers:
       - DOMScan
       - DOMTracer
       - WebScarab(NG)
    3. Mixed tools:
       - DOM Snitch
       - Dominator
    4. Educational tools:
       - WebGoat
       - innerHTML
  • 17. Summary
    1. Over 100 sites tested → all show XSS or DOMXSS
    2. Domxsswiki is important → literature organized
    3. Simplified models are present: S3MM, DSTO, SSDLC, A I & A II
    4. S3MM DOMXSS DBS is important
    5. 3rd-party libraries need evaluation (Dojo, Knockout, Backbone.js etc.)
    6. IceShield is very promising → concurrent evaluation
    7. PHPIDS & ESAPI4JS need improvement
    8. DOMXSS PT tools must be improved → DOMinator, DOMXSSScanner
    9. Cognitive filters (WOT) and semantic search are important
  • 18. Questions
  • 19. References
    1. 2011: Web Application Security Metrics Landscape, Arian Evans
    2. 2011: WhiteHat Website Security Statistic Report, WhiteHat
    3. https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_S
    4. http://html5sec.org/ ; https://www.owasp.org/index.php/
    5. https://www.owasp.org/index.php/XSS_Prevention_Cheat_Sheet
    6. http://ha.ckers.org/xss.html