The document introduces the Malware Script Detector (MSD) designed by d0ubl3_h3lix, which focuses on identifying malicious JavaScript and XSS threats to enhance web client security. It outlines the functionality of MSD as a browser-independent solution, including its versioning, detection capabilities, and limitations, specifically within Gecko browsers with the Greasemonkey addon. Additionally, it encourages user contributions and discusses the inadequacies of traditional security measures against embedded malicious scripts.

1. Introducing The Malware Script Detector (MSD) By d0ubl3_h3lix http ://yehg.net Tue Feb 19 2008

2. Agenda Counter Strategy Overview XSS Coverage Versioning Info Standalone MSD Detection Screenshots Why MSD? Weaknesses

3. Counter Strategy Using the Power of JavaScript, Malware Script Detector detects JavaScript Malwares which use the Power of JavaScript

4. Overview Run on Gecko browsers (Firefox, Flock, Netscape, …etc) GreaseMonkey addon needed Acted as Browser IDS Intended for Web Client Security Recommended for every web surfer Please don’t underestimate MSD by looking its simplest source code

5. Overview (Cont.) Coded mainly to detect today’s popular powerfully malicious JavaScript attack frameworks: XSS-Proxy, XSS-Shell, AttackAPI, BeEF Version 2 was enhanced to prevent most XSS threats and includes XSS Attack Blacklists based on Firefox XSS-Warning addon

6. XSS Coverage MSD was coded to detect the following XSS exploitation areas: data: protocol exploitation like - data:image/gif - data:text/javascript - data:text/html jar: protocol exploitation file: protocol exploitation by locally saved malicious web pages

7. XSS Coverage Other protocol exploitation such as vbscript:, livescript:, mocha:, ftp:, mocha:, telnet:, ftp:, res:, x-gadget(MS-Vista), call (VOIP), aim: …etc unicode injection utf-7,null-byte (\00), black slash injection (u\r\l), comments star slash injection (/* */),injection like \u00, \x00....etc

8. XSS Coverage MSD was thoroughly tested with: - RSnake’s XSS CheatSheet - XSS-ME Addon Attack List - Dabbledb.com’s Xssdb list - CAL9000 XSS List

9. Versioning Info GreaseMonkey Version Main Objective: Alert XSS Attacks to users Must be Installed by users Requires Gecko Browser + GreaseMonkey Addon Version 1 – Detect Malware Scripts Version 2 – Detect Malware Scripts + Prevailing XSS

10. Versioning Info Standalone Version Main Objective: Alert XSS Attacks to users & webmaster Must be Deployed by web developers Browser-Independent No Checking if users have GreaseMonkey version Version 1 – Detect Malware Scripts + Prevailing XSS

11. Standalone MSD Standalone version was created as single .js file for web developers To embed in their footer files To notify both visitors and webmasters of XSS injection attempts & attacks Browser-independent unlike GreaseMonkey Script version Intended for web application security as a portable lightweight solution

13. Detection Screenshots

14. Why MSD? XSS Payloads like http://victim/?q=“><script>eval(location.hash.substr(1))</script>#xxxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx…..etc

15. Why MSD? (Cont.) Never get DETECTED by Web Server-level Firewall/IDS/IPS Because the code is Totally Executed at Client’s Browser

16. Why MSD? (Cont.) Malicious sites intentionally embed malicious JavaScript attack frameworks Bad guys 0wn web server boxes, and secretly install those attack frameworks as web backdoors or trojans to abuse users

17. Why MSD? (Cont.) No ways to detect such Malware scripts unless we check HTML source codes Disabling JavaScript, Using NoScript/VMware, Always Checking source codes are not effective solutions for most cases According to above scenarios, MSD becomes a nice solution for us

18. Oh, But …

19. Weaknesses Doesn’t check POSTS/COOKIES variables No guarantee for full protection of XSS Many ways to bypass MSD XSS Filtering needs to be updated regularly where extensive filtering may cause false alerts and much annoyance to users

20. Where Can I get it ? Check Under Tools Section http://yehg.net/lab/#tools.greasemonkey If you wish to contribute, there is a smoketest page. Insert your own XSS payload to defeat MSD. Notify me of whenever new Attack frameworks are created

21. Special Thanks Goes to Mario, http://php-ids.org Secgeek, http://www.secgeek s .com Andres Riancho , http://w3af.sf.net For encouragements and suggestions

22. Reference XSS Attacks & Defenses by PDP, RSnake, Jeremiah, Aton Rager, Seth Fogie Syngress Publishing ISBN-13:987-1-59749-154-9

23. Thank you!