Abraham Aranguren, profile picture
Uploaded byAbraham Aranguren
PDF, PPTX2,652 views

VSA: The Virtual Scripted Attacker, Brucon 2012

This document discusses DOM cross-site scripting (XSS) vulnerabilities and a new tool called VSA that aims to automatically find such vulnerabilities. It notes that DOM XSS is difficult to detect as it occurs client-side, but that VSA claims to find many more vulnerabilities than traditional tools through running entirely on the browser where JavaScript executes. The document provides examples of top companies that have had DOM XSS issues found via bug bounty programs. It also includes a question about whether readers want VSA to scan their sites.

Embed presentation

Download as PDF, PPTX
27th September 2012 Abraham Aranguren @7a_ abraham@cure53.de http://cure53.de
Review JavaScript code on the page: <script> document.write("Site is at: " + document.location.href + "."); </script> Sometimes active testing possible in your browser (no trip to server = not an attack = not logged): http://target.com/...#vulnerable_param=xss http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
Top security aware companies … with DOM XSS reported via bug bounty programs: • Google • PayPal • Facebook • Etsy • Yandex •…
Are they searching for DOM XSS without pants like this? this? Phil Stevens - http://www.strengthguild.com/ http://www.ironradio.org/
The Problem Websites have a LOT of JavaScript and DOM XSS is hard to find because: because: • DOM XSS happens on the client-side client- • Traditional HTTP fuzzing does not work for DOM XSS • Traditional tools are unaware of client-side logic client- • Most tools cannot verify the DOM XSS exploit worked • Most tools cannot find DOM XSS in a 100% automated way • Even DOMINATOR Pro is only a manual testing tool for the Pro DOM XSS often requires: requires: • User interaction: Click buttons, drag items, etc • Timing constraints A HARD problem to SOLVE
Created by • Mario Heiderich (XSS PhD!) • Gareth Heyes • Abraham Aranguren • Alfred Farrugia • Frederik Braun What are we doing differently? differently? • VSA is 100% automated • We have tested we find MANY more DOM XSS vulnerabilities • We can verify that the DOM XSS payload worked • We are finding DOM XSS on the BROWSER -where JavaScript runs- • We are verifying DOM XSS on the BROWSER -where JavaScript runs- • We can tell you the line of code that is vulnerable • We can tell you the JavaScript file where the vulnerability is • We have the means to implement VIRTUAL PATCHING Do you want us to scan YOUR site? ☺ site?
Demo Time
Q&A Abraham Aranguren @7a_ abraham@cure53.de http://cure53.de

More Related Content

PDF
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
byAbraham Aranguren
 
PDF
DEfcon15 XXE XXS
bypentest pentest
 
PPTX
XSS - Do you know EVERYTHING?
byYurii Bilyk
 
PDF
Html5: something wicked this way comes - HackPra
byKrzysztof Kotowicz
 
PDF
Hacking sites for fun and profit
byDavid Stockton
 
PPT
Front end-security
byMiao Siyu
 
PDF
Hacking sites for fun and profit
byDavid Stockton
 
PPTX
Web Application Security in front end
byErlend Oftedal
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
byAbraham Aranguren
 
DEfcon15 XXE XXS
bypentest pentest
 
XSS - Do you know EVERYTHING?
byYurii Bilyk
 
Html5: something wicked this way comes - HackPra
byKrzysztof Kotowicz
 
Hacking sites for fun and profit
byDavid Stockton
 
Front end-security
byMiao Siyu
 
Hacking sites for fun and profit
byDavid Stockton
 
Web Application Security in front end
byErlend Oftedal
 

What's hot

PDF
When Ajax Attacks! Web application security fundamentals
bySimon Willison
 
PPTX
Dom based xss
byLê Giáp
 
PDF
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
byMasato Kinugawa
 
PPTX
Browser Internals-Same Origin Policy
byKrishna T
 
PPTX
Java script, security and you - Tri-Cities Javascript Developers Group
byAdam Caudill
 
PDF
The Hidden XSS - Attacking the Desktop & Mobile Platforms
bykosborn
 
PPTX
JSFoo Chennai 2012
byKrishna T
 
PPTX
Secure web messaging in HTML5
byKrishna T
 
PPTX
Clickjacking DevCon2011
byKrishna T
 
PPT
Xss is more than a simple threat
byAvădănei Andrei
 
PPTX
Html5 security
byKrishna T
 
PDF
JavaScript Security
byJason Harwig
 
PPTX
Case Study of Django: Web Frameworks that are Secure by Default
byMohammed ALDOUB
 
PPTX
Building Secure User Interfaces With JWTs
byrobertjd
 
PPTX
Javascript Security
byjgrahamc
 
PPT
Django (Web Applications that are Secure by Default)
byKishor Kumar
 
PPTX
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
byCODE BLUE
 
PDF
WebView security on iOS (EN)
bylpilorz
 
PDF
Breaking AngularJS Javascript sandbox
byMathias Karlsson
 
PDF
Building Advanced XSS Vectors
byRodolfo Assis (Brute)
 
When Ajax Attacks! Web application security fundamentals
bySimon Willison
 
Dom based xss
byLê Giáp
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
byMasato Kinugawa
 
Browser Internals-Same Origin Policy
byKrishna T
 
Java script, security and you - Tri-Cities Javascript Developers Group
byAdam Caudill
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
bykosborn
 
JSFoo Chennai 2012
byKrishna T
 
Secure web messaging in HTML5
byKrishna T
 
Clickjacking DevCon2011
byKrishna T
 
Xss is more than a simple threat
byAvădănei Andrei
 
Html5 security
byKrishna T
 
JavaScript Security
byJason Harwig
 
Case Study of Django: Web Frameworks that are Secure by Default
byMohammed ALDOUB
 
Building Secure User Interfaces With JWTs
byrobertjd
 
Javascript Security
byjgrahamc
 
Django (Web Applications that are Secure by Default)
byKishor Kumar
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
byCODE BLUE
 
WebView security on iOS (EN)
bylpilorz
 
Breaking AngularJS Javascript sandbox
byMathias Karlsson
 
Building Advanced XSS Vectors
byRodolfo Assis (Brute)
 

Similar to VSA: The Virtual Scripted Attacker, Brucon 2012

PPTX
NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner
byNishant Das Patnaik
 
PDF
Introduction to Cross Site Scripting ( XSS )
byIrfad Imtiaz
 
PDF
Complete xss walkthrough
byAhmed Elhady Mohamed
 
KEY
Cross Site Scripting - Mozilla Security Learning Center
byMichael Coates
 
PDF
XSS.pdf
byOkan YILDIZ
 
PDF
XSS.pdf
byOkan YILDIZ
 
PPTX
Cross Site Scripting
byAli Mattash
 
PPTX
Reflective and Stored XSS- Cross Site Scripting
byInMobi Technology
 
PDF
The innerHTML Apocalypse
byMario Heiderich
 
PDF
XSS Injection Vulnerabilities
byMindfire Solutions
 
PDF
Ch 12 Attacking Users - XSS
bySam Bowne
 
PPTX
Cross Site Scripting (XSS)
byAvi Aryan
 
PDF
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
bySam Bowne
 
PDF
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
bySam Bowne
 
PPT
Same Origin Policy Weaknesses
bykuza55
 
PDF
"Подход к написанию безопасного клиентского кода на примере React", Иван Елки...
byMoscowJS
 
PPTX
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
byGitam Gadtaula
 
PPTX
Post XSS Exploitation : Advanced Attacks and Remedies
byAdwiteeya Agrawal
 
PDF
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
byPROIDEA
 
PDF
BsidesDelhi 2018: DomGoat - the DOM Security Playground
byBSides Delhi
 
NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner
byNishant Das Patnaik
 
Introduction to Cross Site Scripting ( XSS )
byIrfad Imtiaz
 
Complete xss walkthrough
byAhmed Elhady Mohamed
 
Cross Site Scripting - Mozilla Security Learning Center
byMichael Coates
 
XSS.pdf
byOkan YILDIZ
 
XSS.pdf
byOkan YILDIZ
 
Cross Site Scripting
byAli Mattash
 
Reflective and Stored XSS- Cross Site Scripting
byInMobi Technology
 
The innerHTML Apocalypse
byMario Heiderich
 
XSS Injection Vulnerabilities
byMindfire Solutions
 
Ch 12 Attacking Users - XSS
bySam Bowne
 
Cross Site Scripting (XSS)
byAvi Aryan
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
bySam Bowne
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
bySam Bowne
 
Same Origin Policy Weaknesses
bykuza55
 
"Подход к написанию безопасного клиентского кода на примере React", Иван Елки...
byMoscowJS
 
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
byGitam Gadtaula
 
Post XSS Exploitation : Advanced Attacks and Remedies
byAdwiteeya Agrawal
 
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
byPROIDEA
 
BsidesDelhi 2018: DomGoat - the DOM Security Playground
byBSides Delhi
 

More from Abraham Aranguren

PDF
Why should you do a pentest?
byAbraham Aranguren
 
PDF
Pwning mobile apps without root or jailbreak
byAbraham Aranguren
 
PDF
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
byAbraham Aranguren
 
PDF
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
byAbraham Aranguren
 
PDF
Pentesting like a grandmaster BSides London 2013
byAbraham Aranguren
 
PDF
Introducing OWASP OWTF Workshop BruCon 2012
byAbraham Aranguren
 
PDF
Legal and efficient web app testing without permission
byAbraham Aranguren
 
PDF
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
byAbraham Aranguren
 
PDF
Silent web app testing by example - BerlinSides 2011
byAbraham Aranguren
 
PDF
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
byAbraham Aranguren
 
Why should you do a pentest?
byAbraham Aranguren
 
Pwning mobile apps without root or jailbreak
byAbraham Aranguren
 
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
byAbraham Aranguren
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
byAbraham Aranguren
 
Pentesting like a grandmaster BSides London 2013
byAbraham Aranguren
 
Introducing OWASP OWTF Workshop BruCon 2012
byAbraham Aranguren
 
Legal and efficient web app testing without permission
byAbraham Aranguren
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
byAbraham Aranguren
 
Silent web app testing by example - BerlinSides 2011
byAbraham Aranguren
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
byAbraham Aranguren
 

VSA: The Virtual Scripted Attacker, Brucon 2012

  • 1.
    27th September 2012 Abraham Aranguren @7a_ abraham@cure53.de http://cure53.de
  • 3.
    Review JavaScript codeon the page: <script> document.write("Site is at: " + document.location.href + "."); </script> Sometimes active testing possible in your browser (no trip to server = not an attack = not logged): http://target.com/...#vulnerable_param=xss http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
  • 4.
    Top security awarecompanies … with DOM XSS reported via bug bounty programs: • Google • PayPal • Facebook • Etsy • Yandex •…
  • 5.
    Are they searchingfor DOM XSS without pants like this? this? Phil Stevens - http://www.strengthguild.com/ http://www.ironradio.org/
  • 6.
    The Problem Websites havea LOT of JavaScript and DOM XSS is hard to find because: because: • DOM XSS happens on the client-side client- • Traditional HTTP fuzzing does not work for DOM XSS • Traditional tools are unaware of client-side logic client- • Most tools cannot verify the DOM XSS exploit worked • Most tools cannot find DOM XSS in a 100% automated way • Even DOMINATOR Pro is only a manual testing tool for the Pro DOM XSS often requires: requires: • User interaction: Click buttons, drag items, etc • Timing constraints A HARD problem to SOLVE
  • 7.
    Created by • MarioHeiderich (XSS PhD!) • Gareth Heyes • Abraham Aranguren • Alfred Farrugia • Frederik Braun What are we doing differently? differently? • VSA is 100% automated • We have tested we find MANY more DOM XSS vulnerabilities • We can verify that the DOM XSS payload worked • We are finding DOM XSS on the BROWSER -where JavaScript runs- • We are verifying DOM XSS on the BROWSER -where JavaScript runs- • We can tell you the line of code that is vulnerable • We can tell you the JavaScript file where the vulnerability is • We have the means to implement VIRTUAL PATCHING Do you want us to scan YOUR site? ☺ site?
  • 8.
  • 9.
    Q&A Abraham Aranguren @7a_ abraham@cure53.de http://cure53.de