DOM Based XSS (or, as it is called in some texts, “type-0 XSS”) is an XSS attack in which the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser that the original client-side script relies on, so that the client-side code runs in an “unexpected” manner. Certain vulnerabilities in JavaScript code cannot be tracked by standard IDS or perimeter security measures, which leaves a huge potential exposure: the code can be abused to steal data or bypass authentication mechanisms in web interfaces. This presentation will demonstrate such vulnerabilities and also present Minded Security’s latest countermeasure, DOMinatorPro.

Published in: Internet

Preventing In-Browser Malicious Code Execution

  1. Financial Cyber-Threat Briefing
     “Planning for Attack-Resilient Web Applications”
     11th July 2014
     Hosted @ / Sponsored By
     Stefano Di Paola, CTO Minded Security
     Preventing In-Browser Malicious Code Execution
  2. Who Am I
      Stefano Di Paola
      Research
        OWASP-Italy Senior Member
        Testing Guide Contributor
        OWASP SWFIntruder
        DOMinator (JavaScript Runtime Taint Engine)
        Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP)
        Security Since '99
      Work
        CTO @ Minded Security Application Security Consulting
        Director of Minded Security Research Labs
        Blog: http://blog.mindedsecurity.com
        Twitter: @wisecwisec
  3. Agenda
      Introduction
      Impacts & Concerns
      Approach & Proposed Solutions
  4. Introduction
     OWASP Top Ten 2013: A list of the 10 Most Critical Web Application Security Risks
      A1 Injection
      A2 Broken Authentication and Session Management
      A3 Cross-Site Scripting (XSS)
      A4 Insecure Direct Object References
      A5 Security Misconfiguration
      A6 Sensitive Data Exposure
      A7 Missing Function Level Access Control
      A8 Cross-Site Request Forgery (CSRF)
      A9 Using Components with Known Vulnerabilities
      A10 Unvalidated Redirects and Forwards
  5. Introduction - Cross Site Scripting Analysis
  6. Cross Site Scripting – Identification and Detection
     Template concatenation: "<html>.." + taintedInput + "..</html>"
     With taintedInput = <script>evilJs</script> the page becomes: <html>.. <script>evilJs</script> ..</html>
     Security Scanners/Sensors
  7. Reflected Cross Site Scripting - Identification and Detection
     Template concatenation: "<html>.." + taintedInput + "..</html>"
     With taintedInput = <script>evilJs</script> the page becomes: <html>.. <script>evilJs</script> ..</html>
     Security Scanners/Sensors
  8. Stored Cross Site Scripting - Identification and Detection
     Template concatenation: "<html>.." + taintedInput + "..</html>"
     With taintedInput = <script>evilJs</script> the page becomes: <html>.. <script>evilJs</script> ..</html>
     Security Scanners/Sensors; Security Scanners
  9. DOM Based Cross Site Scripting – Identification and Detection
     <html>.. <script>evilJs</script> ..</html> is built by "<html>.." + taintedInput + "..</html>" with taintedInput = <script>evilJs</script>
     Security Scanners/Sensors: ??? ???
     In Browser Attacks
  10. DOM Based XSS Demo on Yahoo! Mail - Video
  11. Agenda
      Introduction
      Impacts & Concerns
      Approach & Proposed Solutions
  12. Introduction - Cross Site Scripting Analysis
      Does the Risk Analysis fit the DOM Based Cross Site Scripting?
  13. DOM Based Cross Site Scripting - Analysis
       Impacts/Risks are identical
       Detectability is lower for DOM-Based XSS, as it's harder for defenders to find (no Network In/Out Observation)
       Yet DOM Based XSS is still part of the OWASP Top Ten.
      Does the Risk Analysis fit the DOM Based Cross Site Scripting?
  14. Client Side Issues And Impacts

      | Vulnerability | Impact | Property |
      |---|---|---|
      | JS Execution (DOM Based Cross Site Scripting) | Complete control over the user's page. | C, I |
      | HTML Injection / Content Spoofing | Arbitrary HTML insertion. Attacker can completely spoof the content. Cannot access cookies and other JS data. | C, I |
      | Client Side SQL Injection | Data exfiltration | C, I |
      | URL Redirect | URL spoofing | C |
      | CSS Injection | Extract sensitive information | C |
      | Resource Manipulation | Change the location of a resource requested by a page. | C, I |
      | ... | ... | |

      C = Confidentiality, I = Integrity
  15. Trends 2005 – 2014. From Server To Client
      Usage of JavaScript Over the Years
  16. 3rd Party JavaScript Usage
       Experiment: take the top 100 sites from Alexa, extract all script sources and count how many external scripts are used.
       Result: ~70% contained 3rd Party JS.
      Do you trust 3rd Party Code in your site? … Let me rephrase it: Have you ever tested your 3rd Party JS?
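The counting step of the slide-16 experiment, as an added example (not the author's script): each `<script src>` on a page is resolved against the page URL and classified as first- or third-party by host. The sample page and hostnames are constructed.

```javascript
// Added example: inventory external script sources of one page, the way the
// Alexa-top-100 experiment describes, and split them by host.
const SCRIPT_SRC = /<script\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Returns { firstParty: [hosts], thirdParty: [hosts] } for every <script src>.
function classifyScripts(pageUrl, html) {
  const pageHost = new URL(pageUrl).hostname;
  const result = { firstParty: [], thirdParty: [] };
  for (const m of html.matchAll(SCRIPT_SRC)) {
    const src = m[1] ?? m[2] ?? m[3];          // whichever quoting style matched
    // Resolve relative and protocol-relative URLs against the page URL.
    const host = new URL(src, pageUrl).hostname;
    (host === pageHost ? result.firstParty : result.thirdParty).push(host);
  }
  return result;
}

// True when the page loads at least one script from another host.
function hasThirdPartyJs(pageUrl, html) {
  return classifyScripts(pageUrl, html).thirdParty.length > 0;
}

// Constructed sample page (not a real site): one first-party script, two
// third-party scripts with different quoting styles, and one inline script
// that has no src and must be ignored.
const SAMPLE_PAGE_URL = "https://www.example.test/";
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src='//cdn.example-cdn.test/lib.min.js'></script>
<script async src=https://analytics.example-analytics.test/tag.js></script>
<script>inlineCode();</script>
</head></html>`;
```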
  17. Agenda
      Introduction
      Impacts & Concerns
      Approach & Proposed Solutions
  18. Identification Approach
       Static Analysis
       Blind Fuzzing
       Runtime Taint Analysis
  19. Approach & Solutions
      Spot the Difference! Minimized Client Side JavaScript vs. Server Side Java/C#/Whatever
      But Automated Static Analysis can do it.. doesn't it?
  20. Static Analysis
       On Structured Languages like Java or C# some good coverage can be performed (according to Static Analysis limits)
       On Flexible/Dynamic languages like JavaScript:
          location.search
          window.location.search
          document.location.search
          window["location"]['search']
          window["l"+"o"+"\x63"+"ation"][atob('c2VhcmNo')]
          window[arr[43]][obj['theSearch']]
        very poor coverage!
      Runtime ?
  21. Runtime Approach
       Runtime Blind Fuzzing:
         BlackBox Scanning, fault injection with patterns, hoping to reach the sink (dangerous function).
         Poor coverage, lots of false negatives
       Real Time Taint Propagation with Instrumentation:
         Propagates the "taint" flag during Real Time execution.
         Real Client State emulation. (In-browser test cases)
         OWASP Project: DOMinator by Minded Security
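To make the point of slides 20 and 21 concrete, here is an added toy runtime taint tracker in JavaScript (not the slides' code and not DOMinatorPro): a value read from `location.search` through the obfuscated access path from slide 20 is tagged at the source, the tag survives string operations, and a sink guard reports when it reaches an innerHTML-style sink. The window stand-in, the sink guard and the encoder are constructed for this example; the payload is the slides' own `<script>evilJs</script>`.

```javascript
// Toy runtime taint tracker (added example, not DOMinator's implementation).
// Static analysis sees only computed property names below; at runtime the
// value is the same, so the taint flag follows it regardless of access path.
class Tainted {
  constructor(value, origin) { this.value = String(value); this.origin = origin; }
  // Taint propagates: the result is tainted if either operand was.
  concat(other) {
    const o = other instanceof Tainted ? other : new Tainted(other, null);
    return new Tainted(this.value + o.value, this.origin || o.origin);
  }
  slice(start, end) { return new Tainted(this.value.slice(start, end), this.origin); }
}
// Constructed stand-in for the browser's window object.
const fakeWindow = { location: { search: "?q=<script>evilJs</script>" } };

// Source: the slide-20 obfuscated path to location.search; the value comes
// back tagged with its origin.
function readSearch(win) {
  const loc = win["l" + "o" + "\x63" + "ation"];      // same object as win.location
  return new Tainted(loc[atob("c2VhcmNo")], "location.search"); // atob(...) === "search"
}
// Sink guard modelling an innerHTML assignment: reports instead of writing.
function innerHtmlSink(value) {
  if (value instanceof Tainted) {
    return { blocked: true, reason: "tainted data from " + value.origin + " reached innerHTML" };
  }
  return { blocked: false, html: String(value) };
}
// HTML-context encoder; a real engine recognises it as a sanitiser, so its
// output is returned as a plain (untainted) string.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}
// Vulnerable consumer: the tainted query value flows straight into the sink.
function vulnerableRender(win) {
  const q = readSearch(win).slice(3);                  // strip "?q="
  return innerHtmlSink(new Tainted("<p>", null).concat(q).concat("</p>"));
}
// Hardened consumer: encode for HTML context before the sink is reached.
function hardenedRender(win) {
  const q = readSearch(win).slice(3);
  return innerHtmlSink("<p>" + escapeHtml(q.value) + "</p>");
}
```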
  22. Minded Security DOMinatorPro
       First experiment, 2010: we took the Alexa top 100.
       Analyzed them using DOMinatorPro
       We found 56 to be vulnerable to DOM Based XSS Attacks
  23. Minded Security DOMinatorPro Enterprise
       The Automation Suite:
         Browser Based Crawler
         Web Management
         Selenium Based Connector with DOMinatorPro
         Remote Alert Collector (Local Web Server)
         CLI Interactive Interface to Selenium
         Management by Project
         Scripting possibilities
      DEMO Time
  24. Minded Security DOMinatorPro Enterprise
       Developers:
         Unit and Functional Testing.
         Test their own code.
         Identify the issue and fix it.
       QA Testers:
         Unit and Functional Testing.
         Alerts while QA testing.
       Security Testers:
         Black Box browsing.
         Details about operations without encodings.
       3rd Party JavaScript
  25. DOMinatorPro Helps Companies Around The World
  26. Thank you! Q&A
      https://dominator.mindedsecurity.com
      @mindedsecurity
      Mail: stefano.dipaola@mindedsecurity.com
      @wisecwisec
      Commercial support: info@mindedsecurity.com
  27. Software Actors
       Internal Client Side Developers
       Contractors
       3rd Party JavaScript (Libraries, Adv, Analytics, Social.. )
      Security Testing Actors
       Quality Assurance / Test Cases (In house process)
       Internal Manual Security Audits
       Internal Automatic Security Audits
       External Manual Security Audits
       External Automatic Security Audits
