VSA: The Virtual Scripted Attacker, Brucon 2012

Abraham Aranguren, Managing Director at 7ASecurity
27th September 2012

Abraham Aranguren
@7a_
abraham@cure53.de
http://cure53.de
VSA: The Virtual Scripted Attacker, Brucon 2012
Review JavaScript code on the page:

    <script>
    document.write("Site is at: " + document.location.href + ".");
    </script>

Sometimes active testing is possible in your browser
(no trip to the server = not an attack = not logged):
http://target.com/...#vulnerable_param=xss

http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
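Added example, not code from the talk or from VSA: a small Node.js script that performs this code-review step mechanically over a whole file, flagging lines where a DOM XSS source such as document.location.href reaches a sink such as document.write, following simple variable assignments within the file (which the slide's one-liner does not need), and reporting the file and line number. The source and sink lists and the sample input are constructed assumptions of this example.

```javascript
// Added example, not the talk's or VSA's code: a line-oriented static triage
// helper for the review step above. It flags lines where a DOM XSS source
// reaches a DOM XSS sink, following simple `var x = <source>` assignments
// inside one file. Heuristic only (no real taint tracking; cross-function and
// cross-file flows are missed). The source/sink lists are this example's.
const SOURCES = [
  'document.location', 'location.href', 'location.hash', 'location.search',
  'document.URL', 'document.referrer', 'window.name',
];
const SINKS = [
  'document.write', 'document.writeln', '.innerHTML', '.outerHTML',
  'insertAdjacentHTML', 'eval(', 'setTimeout(', 'setInterval(',
];
const DECL = /^\s*(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*(.+)$/;

// True when `name` occurs in `code` as a whole identifier.
function usesName(code, name) {
  const escaped = name.replace(/\$/g, '\\$');
  return new RegExp('(^|[^\\w$])' + escaped + '(?![\\w$])').test(code);
}

// Returns [{ file, line, source, via, sink, code }], one per candidate line;
// `via` is the root source when the hit came through a tainted variable.
function findDomXssCandidates(file, sourceText) {
  const findings = [];
  const tainted = new Map(); // variable name -> root source
  sourceText.split(/\r?\n/).forEach((code, idx) => {
    const direct = SOURCES.find((s) => code.includes(s));
    const viaVar = [...tainted.keys()].find((n) => usesName(code, n));
    const sink = SINKS.find((k) => code.includes(k));
    if (sink && (direct || viaVar)) {
      findings.push({ file, line: idx + 1, source: direct || viaVar,
        via: direct ? null : tainted.get(viaVar), sink, code: code.trim() });
    }
    // Propagate taint through `var x = <expr using a source or tainted name>`.
    const m = DECL.exec(code);
    if (m) {
      const [, name, rhs] = m;
      const origin = SOURCES.find((s) => rhs.includes(s))
        || [...tainted.keys()].find((n) => usesName(rhs, n));
      if (origin) tainted.set(name, tainted.get(origin) || origin);
    }
  });
  return findings;
}

// Constructed sample file; line 2 is the pattern shown on the slide.
const SAMPLE_JS = [
  '// constructed sample, mirrors the pattern shown in the talk',
  'document.write("Site is at: " + document.location.href + ".");',
  'var q = location.hash.substring(1);',
  'var box = document.getElementById("out");',
  'box.textContent = q;                // text, not markup: not a sink',
  'box.innerHTML = "<b>" + q + "</b>"; // tainted q reaches a sink',
  'console.log(q);',
].join('\n');

for (const f of findDomXssCandidates('app.js', SAMPLE_JS)) {
  console.log(`${f.file}:${f.line} ${f.source}${f.via ? ' (from ' + f.via + ')' : ''} -> ${f.sink}`);
}
```

Every reported line still needs a human (or an in-browser check, as the talk argues) to confirm that the value actually reaches the sink unencoded.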
Top security-aware companies … with DOM XSS reported via bug bounty programs:

• Google
• PayPal
• Facebook
• Etsy
• Yandex
•…
Are they searching for DOM XSS without pants like this?

Phil Stevens - http://www.strengthguild.com/ http://www.ironradio.org/
The Problem
Websites have a LOT of JavaScript and DOM XSS is hard to find because:

• DOM XSS happens on the client-side
• Traditional HTTP fuzzing does not work for DOM XSS
• Traditional tools are unaware of client-side logic
• Most tools cannot verify the DOM XSS exploit worked
• Most tools cannot find DOM XSS in a 100% automated way
• Even DOMINATOR Pro is only a manual testing tool for the Pro

DOM XSS often requires:
• User interaction: click buttons, drag items, etc.
• Timing constraints

A HARD problem to SOLVE
Created by
• Mario Heiderich (XSS PhD!)
• Gareth Heyes
• Abraham Aranguren
• Alfred Farrugia
• Frederik Braun
What are we doing differently?
• VSA is 100% automated
• In our tests we find MANY more DOM XSS vulnerabilities
• We can verify that the DOM XSS payload worked
• We are finding DOM XSS in the BROWSER (where JavaScript runs)
• We are verifying DOM XSS in the BROWSER (where JavaScript runs)
• We can tell you the line of code that is vulnerable
• We can tell you the JavaScript file where the vulnerability is
• We have the means to implement VIRTUAL PATCHING
Do you want us to scan YOUR site? ☺
Demo Time
Q&A


Abraham Aranguren
@7a_
abraham@cure53.de
http://cure53.de