Client Side Cross Site Scripting
Solutions and security for mobile and payment applications
Consorzio Triveneto, a leading company in payment systems in Italy that has always been at the forefront in studying and experimenting with new payment technologies, is part of the Bassilichi Group and operates mainly in the electronic payments (Monetica) field, managing POS and e-commerce services, and in Corporate Banking in support of businesses.
EVENT SPONSOR
Sponsors and supporters of ISACA VENICE Chapter
With the
Who Am I
● Stefano Di Paola @WisecWisec
● Research
  ● OWASP-Italy Senior Member
  ● Testing Guide Contributor
  ● OWASP SWFIntruder
  ● Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP)
  ● Security Since '99
● Work
  ● CTO @ Minded Security Application Security Consulting
  ● Director of Minded Security Research Labs
  ● Lead of WAPT & Code Review Activities
  ● Blog: http://blog.mindedsecurity.com
Agenda
● XSS
● Client Side XSS (aka DOM Based XSS)
● Examples
● Tools and Expertise
● Some Stats
XSS...
taintedInput=<script>evilJs</script>
User-Victim
"<html>.. + taintedInput + ..</html>"
Three kinds:
● Reflected
● Stored
● DOM Based
<html>..<script>evilJs</script>..</html>
Image Courtesy of John Wilander
Injection Happens at Client Side Level!
+ Sometimes no server roundtrip
Eg. http://host/#XXX=Inject
..
DOM Based XSS...
Courtesy of Dave Wichers
DOM XSS – Page Application Perspective
Traditional XSS Vs DOM Based
● Impacts/Risks are identical
● Detectability is lower for DOM-Based XSS as its
3rd Party JS
● Experiment: take the first top 100 Sites from Alexa:
  ● Extract all script sources and count how many external scripts are used.
Result: ~70% contained 3rd Party Js.
● Do you trust 3rd Party Code in your site?
… Let me rephrase it:
Client Side Vulnerabilities
Vulnerability                    Impact
JS Execution                     Complete Control Over User's Page. (CI)
HTML Injection/Content Spoofing  Arbitrary HTML Insertion. Attacker can completely spoof the content. Cannot Access Cookies and other JS Data. (CI)
Client Side SQL Injection        Data exfiltration (CI)
URL Redirect                     URL Spoofing (C)
CSS Injection                    Extract Sensitive Information (C)
Resource Manipulation            Change the location of a resource requested by a page. (CI)
....<script>
var nextlink = getParameterFromLocation('nextid');
document.write('<a href="page'+nextlink+'.html">Next Step</a>');
</script>...
Client Side HTML Injection
http://www.vic.tim.com/page.html?nextId=2
A Client Side XSS Example – Twitter 2010
( function(g){
  var a=location.href.split("#!")[1];
  if(a){
    g.location=g.HBR=a;
  }
})(window);
'http://twitter.com#!/WisecWisec'.split('#!')[1]
Returns "/WisecWisec" → g.location="/WisecWisec" → http://twitter.com/WisecWisec
Pseudo-Protocol
'http://twitter.com#!javascript:ICanHasCookies()'.split('#!')[1]
Returns "javascript:ICanHasCookies()"
window.location='javascript:ICanHasCookies()'
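The "#!" router from the slide beside a hardened version, as an added example (not Twitter's or the presenter's code); `vulnerableRoute`, `safeRoute` and `SAFE_PATH` are names assumed here, and both functions return the value that would be assigned to `location` so the behaviour can be checked outside a browser.

```javascript
// Added example, not Twitter's or the presenter's code: the "#!" router
// shown on the slide (vulnerable) beside a hardened version. Runs in Node;
// both functions return the value that would be assigned to location
// instead of navigating, so the behaviour can be checked offline.

// Vulnerable: everything after "#!" is handed to location unchanged, so a
// fragment of "#!javascript:..." navigates to a javascript: URL that runs
// in the page's origin (the DOM XSS from the slide).
function vulnerableRoute(href) {
  var a = href.split("#!")[1];
  return a ? a : null;
}

// Hardened: allow-list the fragment's shape before navigating. Accept only
// a path that starts with exactly one "/" (so "//host" and "/\host", which
// browsers resolve to another origin, are rejected), with no scheme and
// only a conservative character set. Anything else is dropped.
var SAFE_PATH = /^\/(?!\/)[A-Za-z0-9_\-./?=&%]*$/;

function safeRoute(href) {
  var idx = href.indexOf("#!");
  if (idx === -1) return null;
  var frag = href.slice(idx + 2);
  return SAFE_PATH.test(frag) ? frag : null;
}

// Constructed sample inputs, including the two from the slide.
var samples = [
  "http://twitter.com#!/WisecWisec",
  "http://twitter.com#!javascript:ICanHasCookies()",
  "http://twitter.com#!//evil.example/",
  "http://twitter.com#!/\\evil.example"
];
for (var i = 0; i < samples.length; i++) {
  console.log(samples[i], "=> vulnerable:", vulnerableRoute(samples[i]),
              "| hardened:", safeRoute(samples[i]));
}
```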
Client Side Issues - Examples
Code Analysis - Manual
● Minimized Client Side JavaScript
● Server Side Java/C#/Whatever
Code Analysis – Automated static analysis
● Problems with Minimizers|Obfuscators AND JavaScript
● Rigid langs – i.e. Java:
request.getQueryString();
Ok.. some coverage can be performed (according to Static Analysis limits)