DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. Certain vulnerabilities in JavaScript code cannot be tracked by standard IDS or perimeter security measures, which leads to a huge potential vulnerability, the code can be abused to steal data or bypass authentication mechanisms in web interfaces. This presentation will demonstrate vulnerabilities and also present Minded Security’s latest countermeasure DOMinatorPro.

1. Financial Cyber-Threat Briefing
“Planning for Attack-Resilient Web Applications”
11th July 2014
Hosted @Sponsored By
Stefano Di Paola
CTO Minded Security
Preventing In-Browser Malicious Code Execution

2. Who Am I
 Stefano Di Paola
 Research
 OWASP-Italy Senior Member
 Testing Guide Contributor
 OWASP SWFIntruder
 DOMinator (JavaScript Runtime Taint Engine)
 Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP)
 Security Since '99
 Work
 CTO @ Minded Security Application Security Consulting
 Director of Minded Security Research Labs
 Blog: http://blog.mindedsecurity.com
 Twitter: @wisecwisec
2

3. Agenda
 Introduction
 Impacts & Concerns
 Approach & Proposed Solutions
3

4. Introduction
4
OWASP Top Ten 2013
A list of the 10 Most Critical Web Application Security Risks
 A1 Injection
 A2 Broken Authentication and Session Management
 A3 Cross-Site Scripting (XSS)
 A4 Insecure Direct Object References
 A5 Security Misconfiguration
 A6 Sensitive Data Exposure
 A7 Missing Function Level Access Control
 A8 Cross-Site Request Forgery (CSRF)
 A9 Using Components with Known Vulnerabilities
 A10 Unvalidated Redirects and Forwards
 OWASP Top Ten 2013
 A list of the 10 Most Critical Web Application Security Risks
 A1 Injection
 A2 Broken Authentication and Session Management
 A3 Cross-Site Scripting (XSS)
 A4 Insecure Direct Object References
 A5 Security Misconfiguration
 A6 Sensitive Data Exposure
 A7 Missing Function Level Access Control
 A8 Cross-Site Request Forgery (CSRF)
 A9 Using Components with Known Vulnerabilities
 A10 Unvalidated Redirects and Forwards

5. Introduction - Cross Site Scripting Analysis
5

6. Cross Site Scripting – Identification and Detection
6
“<html>..+
taintedInput+”..</html>”
<html>..
<script>evilJs</script>
..</html>
taintedInput=<script>evilJs</script>
Security Scanners/Sensors

7. Reflected Cross Site Scripting - Identification and Detection
7
“<html>..+
taintedInput+”..</html>”
<html>..
<script>evilJs</script>
..</html>
taintedInput=<script>evilJs</script>
Security Scanners/Sensors

8. Stored Cross Site Scripting - Identification and Detection
8
“<html>..+
taintedInput+”..</html>”
<html>..
<script>evilJs</script>
..</html>
taintedInput=<script>evilJs</script>
Security Scanners/Sensors
Security Scanners

9. DOM Based Cross Site Scripting – Identification and Detection
9
<html>..
<script>evilJs</script>
..</html> “<html>..+
taintedInput+”..</html>”
taintedInput=<script>evilJs</script>
Security Scanners/Sensors
???
???
In Browser Attacks

10. DOM Based XSS Demo on Yahoo! Mail - Video
10

11. Agenda
 Introduction
 Impacts & Concerns
 Approach & Proposed Solutions
11

12. Introduction - Cross Site Scripting Analysis
12
Does the Risk Analysis fit the DOM Based Cross Site Scripting?

13. DOM Based Cross Site Scripting - Analysis

13
 Impacts/Risks are identical
 Detectability is Lower for DOM-Based XSS as its harder for
defenders to find (no Network In/Out Observation)
 Yet DOM Based XSS is still part of the OWASP Top Ten.
Does the Risk Analysis fit the DOM Based Cross Site Scripting?

14. Client Side Issues And Impacts
14
Vulnerability Impact
JS Execution (DOM Based Cross Site
Scripting)
Complete Control Over User's Page. (CI)
HTML Injection/
Content Spoofing
Arbitrary HTML Insertion. Attacker can
completely spoof the content. Cannot
Access Cookies and other JS Data. (CI)
Client Side SQL Injection Data exfiltration (CI)
URL Redirect URL Spoofing (C)
CSS Injection Extract Sensitive Information (C)
Resource Manipulation Change the location of a resource
requested by a page. (CI)
... ...
C=Confidentiality, I=Integrity

15. Trends 2005 – 2014 . From Server To Client
Usage of JavaScript Over the Years
15

16. 3rd Party JavaScript Usage
 Experiment take the first top 100 Sites from Alexa:
Extract all script sources and count how many
external scripts are used.
 Result: ~70% contained 3rd Party Js.
Do you trust 3rd Party Code in your site?
… Let me rephrase it:
Have you ever tested your 3rd Party JS?
16

17. Agenda
 Introduction
 Impacts & Concerns
 Approach & Proposed Solutions
17

18. Identification Approach
 Static Analysis
 Blind Fuzzing
 Runtime Taint Analysis 18

19. Approach & Solutions
19
Minimized Client Side JavaScript Server Side Java/C#/Whatever
But Automated Static Analysis can do it.. doesn't it?
Spot the Difference!

20. Static Analysis
On Structured Languages like Java or C# some good coverage can be performed
(according to Static Analysis limits)
 On Flexible/Dynamic languages like JavaScript:
location.search
window.location.search
document.location.search
window[“location”]['search']
window[“l”+”o”+”x63”+”ation”][atob('c2VhcmNo')]
window[arr[43]][obj['theSearch']]
very poor coverage!
Runtime ?
20

21. Runtime Approach
 Runtime Blind Fuzzing:
 BlackBox Scanning, fault injection with patterns, hoping to reach
the sink (dangerous function).
 Poor coverage, Lot of False Negatives
 Real Time Taint Propagation with Instrumentation:
 Propagates the "taint" flag during Real Time execution.
 Real Client State emulation. (In-browser test cases)
 OWASP Project: DOMinator by Minded Security
21

22. Minded Security DOMinatorPro
 First experiment in 2010 we took the first Alexa top 100.
 Analyzed them using DOMinatorPro
 We found 56 to be vulnerable to DOM Based XSS Attacks
22

23. Minded Security DOMinatorPro Enterprise
 The Automation Suite:
 Browser Based Crawler
 Web Management
 Selenium Based Connector with DOMinatorPro
 Remote Alert Collector (Local Web Server)
 Cli Interactive Interface to Selenium
 Management by Project
 Scripting possibilities
DEMO Time
23

24. Minded Security DOMinatorPro Enterprise
 Developers:
 Unit and Functional Testing.
 Test their own code.
 Identify the issue and fix it
QA Testers:
Unit and Functional Testing.
Alerts while QA testing
 Security Testers:
Black Box browsing
Details about operations without encodings
 3rd Party JavaScript
24

25. DOMinatorPro Helps Companies Around The World
25

26. 26
Thank you!
Q&A
https://dominator.mindedsecurity.com
@mindedsecurity
Mail: stefano.dipaola@mindedsecurity.com
@wisecwisec
Commercial support:
info@mindedsecurity.com

27. Software Actors
 Internal Client Side Developers
 Contractors
 3rd Party JavaScript (Libraries, Adv, Analytics, Social.. )
Security Testing Actors
 Quality Assurance / Test Cases (In house process)
 Internal Manual Security Audits
 Internal Automatic Security Audits
 External Manual Security Audits
 External Automatic Security Audits
27