Client Side Cross Site Scripting


Academic year: 2021


(1)

Client Side Cross Site Scripting

(2)

Client Side Cross Site Scripting

(3)

Solutions and security for mobile and payment applications

Consorzio Triveneto, a leading Italian company in payment systems and always at the forefront in the study and experimentation of new payment technologies, is part of the Gruppo Bassilichi and operates mainly in the fields of card payments (Monetica), managing POS and e-commerce services, and of Corporate Banking in support of businesses.

EVENT SPONSOR

Sponsors and supporters of ISACA VENICE Chapter

With the

(4)

Who Am I

Stefano Di Paola @WisecWisec

Research

OWASP-Italy Senior Member

Testing Guide Contributor

OWASP SWFIntruder

Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP)

Security Since '99

Work

CTO @ Minded Security Application Security Consulting

Director of Minded Security Research Labs

Lead of WAPT & Code Review Activities

Blog: http://blog.mindedsecurity.com

(5)

Agenda

XSS

Client Side XSS (aka DOM Based XSS)

Examples

Tools and Expertise

Some Stats

(6)

XSS...

(7)

[Diagram: the attacker supplies taintedInput=<script>evilJs</script>; the server builds the page as "<html>.. + taintedInput + ..</html>" and the User-Victim's browser receives <html>..<script>evilJs</script>..</html>.]

Three kinds:

Reflected

Stored

DOM Based

(8)

Image Courtesy of John Wilander

[Slides 8 to 11 repeat the diagram of slide 7, revealing it step by step: taintedInput=<script>evilJs</script> is concatenated into the server's HTML and delivered to the User-Victim.]

(12)

Courtesy of John Wilander

[Diagram: User-Victim]

Injection happens at client side level!

+ Sometimes no server roundtrip

E.g. http://host/#XXX=Inject ..

(13)

DOM Based XSS...

(14)

[Diagram courtesy of Dave Wichers: DOM XSS – Page Application Perspective]

(15)

Traditional XSS Vs DOM Based

Impacts/Risks are identical

Detectability is lower for DOM-Based XSS as its

(16)
(17)

3rd Party JS

Experiment: take the top 100 sites from Alexa, extract all script sources and count how many external scripts are used.

Result:

~70% contained 3rd Party Js.

Do you trust 3rd Party Code in your site?

… Let me rephrase it:

(18)

Client Side Vulnerabilities

Vulnerability                      Impact
JS Execution                       Complete control over the user's page. (CI)
HTML Injection / Content Spoofing  Arbitrary HTML insertion. Attacker can completely
                                   spoof the content. Cannot access cookies and
                                   other JS data. (CI)
Client Side SQL Injection          Data exfiltration. (CI)
URL Redirect                       URL spoofing. (C)
CSS Injection                      Extract sensitive information. (C)
Resource Manipulation              Change the location of a resource requested by
                                   a page. (CI)

(19)

Client Side HTML Injection

http://www.vic.tim.com/page.html?nextId=2

    ....<script>
    var nextlink = getParameterFromLocation('nextid');
    document.write('<a href="page' + nextlink + '.html">Next Step</a>');
    </script>...

(20)

A Client Side XSS Example – Twitter 2010

    (function(g){
      var a = location.href.split("#!")[1];
      if (a) {
        g.location = g.HBR = a;
      }
    })(window);

(21)

A Client Side XSS Example – Twitter 2010

'http://twitter.com#!/WisecWisec'.split('#!')[1]

returns "/WisecWisec" → g.location="/WisecWisec" → http://twitter.com/WisecWisec

(22)

A Client Side XSS Example – Twitter 2010

Pseudo-Protocol

'http://twitter.com#!javascript:ICanHasCookies()'.split('#!')[1]

returns "javascript:ICanHasCookies()"

window.location = 'javascript:ICanHasCookies()'
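The two client-side sinks shown in these slides (the document.write link builder of the Client Side HTML Injection slide and the Twitter 2010 hash-bang redirect) reduced to pure functions, each beside a variant that validates the source value before it reaches the sink. This is an added example, not code from the slides or from Twitter; the function names and the accepted-value patterns are this example's own assumptions.

```javascript
// Added example (not from the original slides): the vulnerable functions
// keep the behaviour the slides describe; the "Safe" variants show one way
// to validate a client-side source before it reaches the sink.

// Twitter 2010 pattern: whatever follows "#!" is assigned to window.location.
function hashBangTargetVulnerable(href) {
  return href.split("#!")[1];
}

// Validated variant: accept only a relative path of the expected shape, so a
// "javascript:" pseudo-protocol value never reaches the location sink.
// The allowed pattern is this example's assumption about valid usernames.
function hashBangTargetSafe(href) {
  const frag = href.split("#!")[1];
  if (frag === undefined) return null;
  return /^\/[A-Za-z0-9_]{1,15}$/.test(frag) ? frag : null;
}

// HTML injection pattern: a query parameter concatenated into document.write.
// The markup is returned instead of written so the function runs outside a browser.
function nextLinkHtmlVulnerable(search) {
  const id = new URLSearchParams(search).get("nextid") ?? "";
  return '<a href="page' + id + '.html">Next Step</a>';
}

// Validated variant: the page id must be a short number before markup is built.
function nextLinkHtmlSafe(search) {
  const id = new URLSearchParams(search).get("nextid") ?? "";
  if (!/^\d{1,6}$/.test(id)) return null;
  return '<a href="page' + id + '.html">Next Step</a>';
}
```

Note that the vulnerable functions accept any string, so a value that breaks out of the attribute or carries a pseudo-protocol passes straight through; the validated ones reject it with null.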

(23)

A Client Side XSS Example – Twitter 2010

(24)

Client Side Issues - Examples

(25)

Code Analysis - Manual

Minimized Client Side JavaScript

Server Side Java/C#/Whatever

(26)

Code Analysis – Automated static analysis

Problems with Minimizers|Obfuscators AND JavaScript

Rigid langs, i.e. Java:

    request.getQueryString();

Ok.. some coverage can be performed (according to Static Analysis limits)

Flexible/Dynamic langs, i.e. JavaScript:

    location.search
    window.location.search
    document.location.search
    window["location"]['search']
    window["l"+"o"+"\x63"+"ation"][atob('c2VhcmNo')]
    window[arr[43]][obj['theSearch']]

Very poor coverage.

(27)

Runtime Analysis

Runtime Fuzzing:

BlackBox scanning, fault injection with patterns, hoping to reach the sink (dangerous function).

Poor coverage, lots of false negatives.

Real Time Taint Propagation with Instrumentation:

While executing, it propagates the "taint" flag.

In the JavaScript case, if the browser is "instrumented" there are other pros, like real client state emulation. (Use Selenium, JSUnits...)
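A minimal model of the taint propagation approach described above, as an added example (not code from the slides, DOMinator or any browser instrumentation): a value read from a DOM source is wrapped with a taint label, string operations copy the label to their results, and a sink check reports whenever a labelled value arrives. The Tainted class, the source and sink names and the two analyse functions are this example's own.

```javascript
// Added example: a toy runtime taint tracker, not DOMinator's implementation.
class Tainted {
  constructor(value, taint) { this.value = value; this.taint = taint; }
  // split() propagates the taint of the original string to every piece.
  split(sep) {
    return this.value.split(sep).map(p => new Tainted(p, this.taint));
  }
  // concat() merges the taint labels of both operands.
  concat(other) {
    const o = other instanceof Tainted ? other : new Tainted(String(other), []);
    return new Tainted(this.value + o.value, [...this.taint, ...o.taint]);
  }
  toString() { return this.value; }
}

// Instrumented source: what the browser would expose as e.g. location.href.
function taintedSource(name, value) { return new Tainted(value, [name]); }

// Instrumented sink: records a finding when a tainted value reaches it.
function checkSink(sinkName, value, findings) {
  if (value instanceof Tainted && value.taint.length > 0) {
    findings.push({ source: value.taint.join(","), sink: sinkName, value: value.value });
  }
  return value;
}

// Runs the logic of the Twitter 2010 snippet against an instrumented location.href.
function analyseHashBang(href) {
  const findings = [];
  const a = taintedSource("location.href", href).split("#!")[1];
  if (a && a.value) {
    checkSink("window.location", a, findings);
  }
  return findings;
}

// Runs the logic of the document.write snippet against an instrumented
// query parameter (here passed in directly; hypothetical name "nextid").
function analyseNextLink(nextid) {
  const findings = [];
  const nextlink = taintedSource("location.search[nextid]", nextid);
  const html = new Tainted('<a href="page', []).concat(nextlink).concat('.html">Next Step</a>');
  checkSink("document.write", html, findings);
  return findings;
}
```

Unlike fuzzing, the source-to-sink flow is reported even for a perfectly benign input such as "/WisecWisec" or "2", because the finding comes from the propagated label rather than from a payload having to reach the sink.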

(28)

Some Stats from 2010-2011

Took the first 100 from the Top 1 Million Alexa list.

Found several others in the top 1 Million, most of them advertising hosted as 3rd party scripts, for example Omniture, Google AdWords, or widgets, buttons etc.

Using DOMinator + my brain I found that 56 out of the 100 top Alexa sites were vulnerable to directly exploitable DOM Based XSS.

(29)

Conclusions

Client Side Issues are very hard to find.

JavaScript is a language for tough people :)

They strongly depend on both Client AND Server States.

It's a quite untested topic.

Even Google, Microsoft and other big companies have difficulties in identification.

Only now, after 8 years, scanners are starting to add some kind of

(30)

Tnx!

^_^

Q&A

Mail:

stefano.dipaola@mindedsecurity.com

Twitter: wisecwisec

References
