VSA: The Virtual Scripted Attacker, Brucon 2012
Published on http://blog.7-a.org/2013/02/vsa-virtual-scripted-attacker-slides.html

  1. 27th September 2012 Abraham Aranguren @7a_ abraham@cure53.de http://cure53.de
  2. Review JavaScript code on the page:
     <script>
     document.write("Site is at: " + document.location.href + ".");
     </script>
     Sometimes active testing is possible in your browser (the fragment is not sent to the server = not an attack = not logged):
     http://target.com/...#vulnerable_param=xss
     http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
  3. Top security aware companies …with DOM XSS reported via bug bounty programs:
     • Google
     • PayPal
     • Facebook
     • Etsy
     • Yandex
     • …
  4. Are they searching for DOM XSS without pants like this? Phil Stevens - http://www.strengthguild.com/ http://www.ironradio.org/
  5. The Problem
     Websites have a LOT of JavaScript and DOM XSS is hard to find because:
     • DOM XSS happens on the client-side
     • Traditional HTTP fuzzing does not work for DOM XSS
     • Traditional tools are unaware of client-side logic
     • Most tools cannot verify the DOM XSS exploit worked
     • Most tools cannot find DOM XSS in a 100% automated way
     • Even DOMINATOR Pro is only a manual testing tool
     DOM XSS often requires:
     • User interaction: Click buttons, drag items, etc
     • Timing constraints
     A HARD problem to SOLVE
  6. Created by
     • Mario Heiderich (XSS PhD!)
     • Gareth Heyes
     • Abraham Aranguren
     • Alfred Farrugia
     • Frederik Braun
     What are we doing differently?
     • VSA is 100% automated
     • In our testing we find MANY more DOM XSS vulnerabilities
     • We can verify that the DOM XSS payload worked
     • We are finding DOM XSS on the BROWSER -where JavaScript runs-
     • We are verifying DOM XSS on the BROWSER -where JavaScript runs-
     • We can tell you the line of code that is vulnerable
     • We can tell you the JavaScript file where the vulnerability is
     • We have the means to implement VIRTUAL PATCHING
     Do you want us to scan YOUR site? ☺
  7. Demo Time
  8. Q&A Abraham Aranguren @7a_ abraham@cure53.de http://cure53.de
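The document.write sink from slide 2, and the reason slide 5 gives for HTTP fuzzers missing it, can be modelled without a browser. The block below is an added example and is not code from the VSA slides or from the VSA tool. The host target.example, the path page.html and the parameter name vulnerable_param are constructed for the example. Calling vulnerableBanner with the raw URL string models browsers of the 2012 era that left the fragment unencoded in location.href; browsers that follow the WHATWG URL standard percent-encode < and > in the fragment, so the decode-then-write pattern in vulnerableHashParam is the variant to look for on such browsers. It runs under Node.

```javascript
// Added example, not code from the VSA slides or tool. Models the
// document.write sink of slide 2 as pure functions of the href string so the
// behaviour can be checked in Node. Host, path and parameter name are constructed.

// 1. The pattern from the slide:
//    document.write("Site is at: " + document.location.href + ".")
//    Given the raw href (fragment unencoded, as older browsers exposed it),
//    whatever is in the URL lands in the HTML output unchanged.
function vulnerableBanner(href) {
  return "Site is at: " + href + ".";
}

// 2. Hardened form: HTML-encode the untrusted value before it reaches an HTML sink.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function safeBanner(href) {
  return "Site is at: " + escapeHtml(href) + ".";
}

// 3. A second common sink pattern: read a parameter out of location.hash and
//    decode it. decodeURIComponent undoes the percent-encoding that
//    WHATWG-conformant browsers apply to < and > in the fragment, so the
//    payload reaches the sink intact even on a current browser.
function vulnerableHashParam(href) {
  const hash = new URL(href).hash;                  // "#vulnerable_param=%3Cscript%3E..."
  const value = hash.split("=").slice(1).join("="); // everything after the first "="
  return "Value: " + decodeURIComponent(value);
}

// 4. What the server sees. The request-target is path + query; the fragment
//    never leaves the client, which is why server-side fuzzing and server
//    logs miss fragment-based DOM XSS (the "no trip to server" point on slide 2).
function requestTarget(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

// 5. Minimal oracle for the rendered output: neither template above contains
//    "<", so any tag in the output must have come from the input.
function containsInjectedTag(html) {
  return /<\/?[a-z]/i.test(html);
}

// Constructed attacker URL: the payload lives in the fragment.
const PAYLOAD_URL =
  "http://target.example/page.html#vulnerable_param=<script>alert(1)</script>";

// Runs all four cases against the constructed URL and returns the results.
function demo(href = PAYLOAD_URL) {
  return {
    serverSees: requestTarget(href),            // "/page.html"
    vulnerable: vulnerableBanner(href),         // contains <script>
    safe: safeBanner(href),                     // contains &lt;script&gt;
    hashParam: vulnerableHashParam(href),       // "Value: <script>alert(1)</script>"
  };
}
```

Run with node and inspect demo(): the server-side view is just /page.html, while both vulnerable functions emit a live script tag and only safeBanner does not. The oracle in containsInjectedTag is the same idea a DOM XSS scanner needs in the browser: confirm that the payload executed or reached a sink, rather than grep a server response.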