27.9.2013 - Venezia - ISACA VENICE Chapter
Client Side XSS - S. Di Paola

Client Side Cross Site Scripting
Solutions and security for mobile and payment applications
Consorzio Triveneto, a leading Italian payment-systems company that has always been at the forefront in studying and experimenting with new payment technologies, is part of the Bassilichi Group and operates mainly in the fields of electronic money (Monetica), managing POS and e-commerce services, and of corporate banking in support of businesses.
EVENT SPONSOR
Sponsors and supporters of ISACA VENICE Chapter
Under the patronage of
Who Am I
● Stefano Di Paola @WisecWisec
● Research
  ● OWASP-Italy Senior Member
  ● Testing Guide Contributor
  ● OWASP SWFIntruder
  ● Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP)
  ● Security Since '99
● Work
  ● CTO @ Minded Security Application Security Consulting
  ● Director of Minded Security Research Labs
  ● Lead of WAPT & Code Review Activities
  ● Blog: http://blog.mindedsecurity.com
Agenda
● XSS
● Client Side XSS (aka DOM Based XSS)
● Examples
● Tools and Expertise
● Some Stats
● Conclusions
XSS... The Flaw that Keeps Being Hacked
Image courtesy of John Wilander: the diagram shows the User-Victim supplying taintedInput=<script>evilJs</script>, the application building "<html>..+taintedInput+"..</html>", and the browser receiving <html>..<script>evilJs</script>..</html>.
Three kinds:
● Reflected
● Stored
● DOM Based
Diagram courtesy of John Wilander (User-Victim).
Injection happens at the client side level! Sometimes there is no server round trip at all, e.g. http://host/#XXX=Inject.. read by the page through location.hash: the fragment is never sent in the HTTP request, so server-side logs and filters never see the payload.
DOM Based XSS...The Elephant in the XSS Room
DOM XSS – Page Application Perspective (diagram courtesy of Dave Wichers, including a "3rd Party JS (?)" component among the code running in the page)
Traditional XSS vs DOM Based
XSS Risk from OWASP Top 10
● Impacts/Risks are identical
● Detectability is lower for DOM-Based XSS, as it is harder for defenders to find: the sink lives in client side JavaScript rather than in server templates, and the payload may never reach the server at all
3rd Party JS
Script used to extract: http://pastebin.com/N3pkxbzd
● Experiment: take the top 100 sites from the Alexa list.
● Extract all script sources and count how many external scripts are used.
Result: ~70% contained 3rd Party JS.
● Do you trust 3rd Party Code in your site?
... Let me rephrase it:
Have you ever tested your 3rd Party JS?
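The extraction step above, rebuilt as an added example in JavaScript (this is not the pastebin script from the slide): pull every script src out of a page and split them into first-party and third-party by host. The sample page and hostnames are constructed for the demo, and "first party" is approximated as "same last two DNS labels", a simplification that ignores public suffixes such as co.uk.

```javascript
// Added example (not the slide's pastebin script): enumerate <script src>
// tags in a page and classify each as first-party or third-party.

// Approximate the registrable domain as the last two labels. This is a
// deliberate simplification (it mis-handles suffixes like co.uk).
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Pull the src attribute out of every <script ...> start tag. A regex is
// enough for a survey of raw HTML; it is not a full HTML parser, so it
// will not see scripts that other scripts inject at runtime.
function extractScriptSources(html) {
  const sources = [];
  const tagRe = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    sources.push(m[1] ?? m[2] ?? m[3]);
  }
  return sources;
}

// Resolve each src against the page URL (handles "/path" and "//host/path")
// and compare registrable domains with the page's own.
function classifyScripts(pageUrl, html) {
  const page = new URL(pageUrl);
  const own = registrableDomain(page.hostname);
  const result = { firstParty: [], thirdParty: [] };
  for (const src of extractScriptSources(html)) {
    let u;
    try { u = new URL(src, page); } catch { continue; }   // skip unparsable src values
    if (registrableDomain(u.hostname) === own) result.firstParty.push(u.href);
    else result.thirdParty.push(u.href);
  }
  return result;
}

// Constructed sample page: two first-party scripts, two third-party ones,
// and an inline script that has no src and must be ignored.
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.min.js"></script>
<script src="//static.example.com/lib.js"></script>
<script type="text/javascript" src='https://ads.adnetwork-example.net/tag.js' async></script>
<script src=https://www.google-analytics.com/analytics.js></script>
<script>inlineCode();</script>
</head><body></body></html>`;

function demoClassify() {
  return classifyScripts('https://www.example.com/index.html', SAMPLE_HTML);
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demoClassify();
  console.log(`first-party: ${r.firstParty.length}, third-party: ${r.thirdParty.length}`);
  r.thirdParty.forEach(s => console.log('  3rd party:', s));
}
```

Run it over the saved HTML of each site in the list to reproduce the count; anything that lands in thirdParty is code you did not write, executing with the full privileges of your origin.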
Client Side Vulnerabilities
Vulnerability                    Impact
JS Execution                     Complete control over the user's page. (CI)
HTML Injection/Content Spoofing  Arbitrary HTML insertion. The attacker can completely spoof the content but cannot access cookies and other JS data. (CI)
Client Side SQL Injection        Data exfiltration. (CI)
URL Redirect                     URL spoofing. (C)
CSS Injection                    Extract sensitive information. (C)
Resource Manipulation            Change the location of a resource requested by a page. (CI)
...                              ...
(C = confidentiality, I = integrity)
Client Side HTML Injection
....<script>var nextlink=getParameterFromLocation('nextId');
document.write('<a href="page'+nextlink+'.html">Next Step</a>');
</script>.....
Benign request:
http://www.vic.tim.com/page.html?nextId=2
Attack: a closing double quote ends the href attribute and the rest of the value is written as markup:
http://www.vic.tim.com/page.html?nextId=2"><img src='a' onerror=alert(1)>
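The same page logic as an added JavaScript example (not the slide's code), rebuilt as pure functions so the markup document.write() would emit can be inspected without a browser. The slide only names getParameterFromLocation(); here it is assumed to read a parameter from a query string passed in as an argument. The vulnerable builder reproduces the attribute breakout; the hardened builder validates the value and escapes it before it reaches the attribute.

```javascript
// Added example, not the slide's own code.

// Stand-in for the slide's getParameterFromLocation() (assumption: it reads
// from the query string). Returns the decoded value or null when absent.
function getParameterFromLocation(name, search) {
  const params = new URLSearchParams(search);
  return params.has(name) ? params.get(name) : null;
}

// VULNERABLE: the untrusted value is concatenated into an attribute, so a
// closing quote in the value ends the href and the rest becomes markup.
function buildNextLinkVulnerable(search) {
  const nextlink = getParameterFromLocation('nextId', search);
  return '<a href="page' + nextlink + '.html">Next Step</a>';
}

// Attribute-context escaping: quotes and angle brackets can no longer
// terminate the attribute or open a new tag.
function escapeHtmlAttr(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// HARDENED: (1) validate against what the value is supposed to be (a short
// page number) and (2) escape anyway, as defence in depth.
function buildNextLinkSafe(search) {
  const nextlink = getParameterFromLocation('nextId', search);
  if (nextlink === null || !/^\d{1,6}$/.test(nextlink)) {
    return null;                 // reject anything that is not a page number
  }
  return '<a href="page' + escapeHtmlAttr(nextlink) + '.html">Next Step</a>';
}

// Check used by the demo: does the markup contain any element besides the
// intended <a>...</a>?
function hasInjectedTag(html) {
  return html !== null && /<(?!a\b|\/a\b)[a-z]/i.test(html);
}

// Constructed inputs: the benign query string and the slide's payload.
const BENIGN_SEARCH  = '?nextId=2';
const PAYLOAD_SEARCH = '?nextId=2"><img src=\'a\' onerror=alert(1)>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', buildNextLinkVulnerable(PAYLOAD_SEARCH));
  console.log('hardened  :', buildNextLinkSafe(PAYLOAD_SEARCH));
}
```

Validation alone would already stop this payload; the escaping is there because the next developer will reuse the builder for a parameter that is not numeric.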
A Client Side XSS Example – Twitter 2010
( function(g){ var a=location.href.split("#!")[1]; if(a){ g.location=g.HBR=a; }})(window);
Normal use:
'http://twitter.com#!/WisecWisec'.split('#!')[1]
Returns "/WisecWisec" →
g.location="/WisecWisec" →
http://twitter.com/WisecWisec
Pseudo-Protocol:
'http://twitter.com#!javascript:ICanHasCookies()'.split('#!')[1]
Returns "javascript:ICanHasCookies()" →
window.location='javascript:ICanHasCookies()' →
the javascript: URL is executed in the origin of twitter.com, with access to its cookies and DOM.
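The #! redirect above as an added JavaScript example (not Twitter's code), written as a pure function that returns the string the page would assign to location, next to a hardened version. The expected origin http://twitter.com is taken from the slide's URLs and is an assumption of the demo; all inputs are constructed.

```javascript
// Added example, not Twitter's code. The assignment `g.location = a` is
// modelled by returning the string that would be assigned.

// The slide's logic: whatever follows "#!" is assigned to location.
// Returns null when no redirect would happen.
function hashBangTargetVulnerable(href) {
  const a = href.split('#!')[1];
  return a ? a : null;
}

const EXPECTED_ORIGIN = 'http://twitter.com';   // assumed origin for the demo

// Hardened: accept only a same-origin absolute path. An allow-list on the
// shape of the value avoids having to enumerate every dangerous scheme
// spelling: "javascript:", " javascript:", "JAVASCRIPT:", "java\tscript:"
// (the URL parser strips leading whitespace and embedded tabs) all fail the
// first check, and "//evil.example" or "/\evil.example" (a backslash counts
// as a slash for http URLs) fail both checks.
function hashBangTargetSafe(href) {
  const a = href.split('#!')[1];
  if (!a) return null;
  // Exactly one leading "/", no second "/" or "\", no control characters.
  if (!/^\/(?![\/\\])[^\x00-\x1f\x7f]*$/.test(a)) return null;
  // Belt and braces: the URL parser itself must agree the target stays on
  // our origin (a javascript: URL has origin "null").
  if (new URL(a, EXPECTED_ORIGIN).origin !== EXPECTED_ORIGIN) return null;
  return a;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const href of [
    'http://twitter.com#!/WisecWisec',
    'http://twitter.com#!javascript:ICanHasCookies()',
    'http://twitter.com#!//evil.example/',
  ]) {
    console.log(href, '->', hashBangTargetVulnerable(href), '| safe:', hashBangTargetSafe(href));
  }
}
```

The safe version also rejects a full same-origin URL such as http://twitter.com/x, which is fine for this feature: the fragment was only ever meant to carry a path.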
Client Side Issues - Examples
DEMO
Code Analysis - Manual
Minimized client side JavaScript vs. server side Java/C#/whatever: spot the difference!
But automated static analysis can do it... can't it?
Code Analysis – Automated static analysis
● Problems with minimizers/obfuscators AND with JavaScript itself
● Rigid languages, i.e. Java: request.getQueryString();
  OK... some coverage can be obtained (within the limits of static analysis)
● Flexible/dynamic languages, i.e. JavaScript, where all of the following read the same source:
  location.search
  window.location.search
  document.location.search
  window["location"]['search']
  window["l"+"o"+"\x63"+"ation"][atob('c2VhcmNo')]
  window[arr[43]][obj['theSearch']]
  Very poor coverage.
OK so... what about runtime?
Runtime Analysis
● Runtime Fuzzing:
  ● Black box scanning: fault injection with patterns, hoping to reach the sink (dangerous function).
  ● Poor coverage, lots of false negatives.
● Real Time Taint Propagation with Instrumentation:
  ● While executing, it propagates the "taint" flag.
  ● In the JavaScript case, if the browser is "instrumented" there are other pros, like real client state emulation (use Selenium, JSUnit...).
● OWASP Project: DOMinator by Minded Security
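A toy of the taint propagation idea, added here as a JavaScript example that is not DOMinator's code. It serves both the obfuscated-source slide (window["l"+"o"+"\x63"+"ation"][atob('c2VhcmNo')]) and the runtime analysis slide: a real tool instruments the browser's String implementation; here a TaintedString wrapper plays that role, a fake window object stands in for the instrumented browser, and a reporting sink stands in for document.write. Because the JavaScript + operator cannot be overridden, the toy app builds strings with concat(); that limitation is exactly why real instrumentation lives inside the engine. All inputs are constructed.

```javascript
// Added example, not DOMinator's code: runtime taint propagation in miniature.

class TaintedString {
  constructor(value, sources = []) {
    this.value = String(value);
    this.sources = new Set(sources);   // names of the source(s) the bytes came from
  }
  isTainted() { return this.sources.size > 0; }
  // Every string operation returns a new TaintedString carrying the union
  // of the taints of its inputs.
  concat(...parts) {
    let value = this.value;
    const sources = new Set(this.sources);
    for (const p of parts) {
      if (p instanceof TaintedString) { value += p.value; p.sources.forEach(s => sources.add(s)); }
      else value += String(p);
    }
    return new TaintedString(value, sources);
  }
  split(sep) { return this.value.split(sep).map(s => new TaintedString(s, this.sources)); }
  replace(re, rep) { return new TaintedString(this.value.replace(re, rep), this.sources); }
  toString() { return this.value; }
}

// Fake instrumented window: the DOM XSS sources hand out tainted strings.
function makeWindow({ search = '', hash = '' } = {}) {
  return {
    location: {
      get search() { return new TaintedString(search, ['location.search']); },
      get hash()   { return new TaintedString(hash,   ['location.hash']); },
    },
  };
}

// Instrumented sink (stand-in for document.write / innerHTML): instead of
// rendering, report whether tainted data reached it and from which source.
function htmlSink(sinkName, input) {
  const tainted = input instanceof TaintedString && input.isTainted();
  return { sink: sinkName, tainted, sources: tainted ? [...input.sources].sort() : [], html: String(input) };
}

const b64decode = typeof atob === 'function'
  ? atob
  : s => Buffer.from(s, 'base64').toString('latin1');   // fallback for old Node

// Application code under test. It reaches location.search through the
// obfuscated access from the slide, which static analysis cannot resolve;
// at runtime it is simply win.location.search, so the taint follows.
function obfuscatedApp(win) {
  const q = win['l' + 'o' + '\x63' + 'ation'][b64decode('c2VhcmNo')];
  const nextId = q.split('nextId=')[1] ?? new TaintedString('');
  const html = new TaintedString('<a href="page').concat(nextId, '.html">Next</a>');
  return htmlSink('document.write', html);
}

// Same app with an allow-list check: a value that passed validation is
// copied into a fresh string, so the taint chain is broken before the sink.
function validatedApp(win) {
  const raw = String(win.location.search.split('nextId=')[1] ?? '');
  const nextId = new TaintedString(/^\d{1,6}$/.test(raw) ? raw : '0');
  const html = new TaintedString('<a href="page').concat(nextId, '.html">Next</a>');
  return htmlSink('document.write', html);
}

if (typeof require !== 'undefined' && require.main === module) {
  const win = makeWindow({ search: '?nextId=2"><img src=x onerror=alert(1)>' });
  console.log(obfuscatedApp(win));
  console.log(validatedApp(win));
}
```

The point of the toy: the tracker never looks at how the source was named, only at which bytes flowed from it, which is what makes the obfuscated access forms on the static analysis slide irrelevant to a runtime tool.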
Some Stats from 2010-2011
● Took the first 100 from the Alexa Top 1 Million list.
● Using DOMinator + my brain I found that 56 out of 100 top Alexa sites were vulnerable to directly exploitable DOM Based XSS.
● Meaning: a remote attacker with a reliable scenario.
● Found several others in the Top 1 Million, most of them advertising hosted as 3rd party scripts.
● For example Omniture, Google AdWords, or widgets, buttons etc.
Conclusions
● Client side issues are very hard to find.
● JavaScript is a language for tough people :)
● They strongly depend on both client AND server state.
● It is a largely untested topic.
● Even Google, Microsoft and other big companies have difficulties identifying them.
● Only now, after 8 years, are scanners starting to add some kind of identification technique in order to give some coverage.
● We need more tools but, more important, we need more brains!
Thanks! ^_^
Q&A
Mail:
Twitter: wisecwisec