Ul#mate(DOMBased(XSS( DeteconScannerOnCloud( · • Analysis%how% “an=gen”%(untrusted%...

Post on 20-Jul-2020

0 views 0 download

Preview:

Click to see full reader
Report this document
SHARE

Transcript of Ul#mate(DOMBased(XSS( DeteconScannerOnCloud( · • Analysis%how% “an=gen”%(untrusted%...

Ul#mate  DOM  Based  XSS  Detec#on  Scanner  On  Cloud  

Nera  W.  C.  Liu  &  Albert  Yu  Paranoids  Yahoo  

•  DOM  XSS  •  Our  solu=on  •  DEMO!

Agenda

Who  are  we What  people  think  we  are? What  we  think  we  are?

What  we  actually  are?

DO[r]M  XSS

•  Does  not  rely  on  flaws  in  applica=on  containers  •  Easier  target  for  aIacker  •  Harder  for  defender  to  detect    See  “DOM  Based  Cross  Site  Scrip=ng  or  XSS  of  the  Third  Kind”.  Amit  Klein.  2005.  hIp://www.webappsec.org/projects/ar=cles/071105.shtml  

“XSS  of  the  3rd  Kind”

hDp://www.vulnerable.site/welcome.html#foo<script

Sta#c  Analysis

⌥⌘U

If  that’s  not  enough

•  Anonymous  func=ons        •  Dynamic  loading  

The  Chemistry  of  DOM  what  is  executable?

The  Chemistry  of  DOM  what  is  executable?

DOM  XSS  DETECTION  

•  Analysis  how  “an=gen”  (untrusted  data)  get  into  our  “body”  (DOM)  

What  we  want  to  do

char*

•  All  arithme=c  opera=ons  need  to  be  overridden  

•  Enable  to  propagate  through  different  context  (HTML/CSS/JS)  

Tainted  Phantomjs

•  Hacking  the  JavaScriptCore  and  WebKit  engine  by  propaga=ng  the  tainted  signal  during  the  javascript  execu=on.  

Source  code  of  Tainted  PhantomJS

sink  –  document.write  

Source  –  loca=on.href  

Sink  –  document.writeln  

Propaga=on  –  String.concat  

Flow  Analysis

•  [screenshots]

Flow  Analysis

False  alarm  rate    =  non-­‐issues  /  issues  reported  More  you  fix,  the  higher  the  false  alarm  rate  Our  ul=mate  goal:    

   0  false  alarm  =  0%  rate!

Usable  Security

Benchmark  and  Comparisons  peak  memory  usage

The  tainted  logic  performance  hit  is  negligible!

The  average  peak  memory  usage

DEMO      hIp://www.youtube.com/watch?v=VU3YnAwc2Ag  

•  hIp://www.flickr.com/photos/58053205@N06/6999839463/  •  hIp://www.flickr.com/photos/67272961@N03/6123892769/  •  hIp://upload.wikimedia.org/wikipedia/commons/7/75/UCLA_dorm_room.JPG  •  hIp://www.flickr.com/photos/44124348109@N01/4682168995/  •  hIp://www.flickr.com/photos/15923063@N00/3150765076/  •  hIp://www.flickr.com/photos/88063120@N00/3529818070/  •  hIp://en.wikipedia.org/wiki/File:Angiome_annulaire.JPG  •  hIp://www.flickr.com/photos/free-­‐stock/4817475664/  •  hIp://www.flickr.com/photos/78428166@N00/9604922912/  

Crea#ve  Commons

THANK  YOU!

Top related

XSS Attack Prevention Using DOM based filtering APIethesis.nitrkl.ac.in/5633/1/e-66.pdf · XSS Attack Prevention Using DOM based fitering API Dissertation submitted in May 2014
 Documents
CSP - the panacea for XSS - owasp.org another security blogger . XSS. 4 XSS ... Over 12 million email messages daily ... CSP Based IDS Magic XSS XSS XSS Test & Fix . 29
 Documents
Ultimate DOM-based XSS Detection Scanner on Cloud
 Software
DOM Based XSS and Proper Output Encoding By Abraham Kang Principal Security Researcher HP Fortify.
 Documents
 · db file nbr ( acre irr irr dom dom dom dom dom dom dom dom dom dom dom dom dom dom dom dom dom san dom dom dom dom dom dom dom dom dom dom dom dom dom dom dom dom dom dom dom
 Documents
DOM Based XSS and Proper Output Encoding
 Documents
Auto-patching DOM-Based XSS at Scale
 Documents
Combinatorial XSS Attack Grammars - SBA Research · Combinatorial XSS Attack Grammars XSS Vectors for ... SBA Research April 10, 2015 SBA Research, Vienna. Outline Introduction XSS
 Documents
INJECTING SECURITY - hackinparis.com · INJECTING SECURITY ... Templates escapes User Input - Just HTML Escape -> XSS ... Preventing DOM XSS. RASP BY API INSTRUMENTATION AND DYNAMIC
 Documents
Trusted Types and the end of DOM XSS
 Documents
The Future of Web Application Security - NCC Group · The Future of Web Application Security W3Conf, November 15 & 16, ... Omniture, more… DOM XSS Sources: –document.URL
 Documents
THEXSS ULTIMATE - OWASP Xenotix XSS Exploit … Ultimate XSS Protection Cheat Sheet for... · XSS or Cross Site Scripting is a web application vulnerability that occurs when untrusted
 Documents
XSS - brutelogic.com.brbrutelogic.com.br/docs/XSS-FTW.pdf · Agenda Fast Intro to XSS Dangers of XSS Virtual Defacement LSD - Leakage, Spying and Deceiving Account Stealing Memory
 Documents
Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework
 Documents
Secure Personal Content Networking over Untrusted Devices · Secure Personal Content Networking over Untrusted Devices ... distributed network without specifying where the ... untrusted
 Documents
Dom XSS: Encounters of the3rd kind
 Technology
Analysis and Identification of DOM Based XSS Issues · 2012-01-25 · Analysis and Identification of DOM Based XSS Issues Stefano di Paola CTO @ Minded Security stefano.dipaola@mindedsecurity.com
 Documents
Sandboxing Untrusted JavaScript
 Documents
Future of XSS Defense - SANS Institute · Best Practice: DOM Based XSS Defense • Untrusted data should only be treated as displayable text • JavaScript encode and delimit untrusted
 Documents
The Future of Web Application Security · The Future of Web Application Security W3Conf, November 15 & 16, ... Omniture, more… DOM XSS Sources: –document.URL
 Documents

Copyright © 2022 FDOCUMENTS