SlideShare uma empresa Scribd logo

A look at the prevalence of client-side JavaScript vulnerabilities in web applications

IBM Rational software
IBM Rational software
Tecnologia
1 de 8
Baixar para ler offline
IBM Software Technical White Paper Rational Close encounters of the third kind A look at the prevalence of client-side JavaScript vulnerabilities in web applications Executive summary Contents In the past ten years, many whitepapers, research articles, and blog posts have been published on the subject of server-side web application 1 Executive summary vulnerabilities such as SQL injection, Cross-site scripting, and HTTP response splitting. In addition, several projects such as the WASC Web 2 Technical details Hacking Incident Database1 or the WASC Statistics2 projects have tried 7 Summary to estimate the incidence of such issues in the real world. On the other hand, there is a dearth of information and statistics on the incidence of 8 Vulnerability disclosure client-side JavaScript™ vulnerabilities in web applications, even though these vulnerabilities are just as severe as their server-side counterparts. We suspect that the main reason for this lack of information is that client-side vulnerabilities are harder to locate, and require deep knowl- edge of JavaScript and the ability to perform code review for HTML pages and JavaScript files. As Web 2.0, AJAX applications and rich internet applications (RIAs) become more common, client-side JavaScript vulnerabilities will prob- ably become more relevant, and we foresee a rise in the amount of such issues being exploited by malicious hackers. This whitepaper presents the results of a research recently performed by the IBM® Rational® application security group into the prevalence of client-side JavaScript vulnerabilities. For this research, we used a new IBM technology called JavaScript Security Analyzer (JSA), which performs static taint analysis on JavaScript code that was collected from web pages extracted by an automated deep web crawl process. This kind of analysis is superior to and more accurate than regular static taint analysis of JavaScript code, as it includes the entire JavaScript codebase in its natural environment: fully rendered HTML pages and the browser’s Document Object Model (DOM).
IBM Software Technical White Paper Rational The research used a sample group of approximately 675 web- Of the 98 vulnerable sites, 92 sites (94 percent) suffered from sites, consisting of all the Fortune 500 companies and another DOM-based cross-site scripting issues, whereas only 11 sites 175 handpicked websites, including IT, web application (11 percent) suffered from open redirects. The total amount security vendors, and social networking sites. In order to of DOM-based cross-site scripting issues found was 2370, avoid damage to the sites or interference with their regular while only 221 open redirects were found. behavior, we used a non-intrusive web crawler, similar to that of a web search engine, which retrieved approximately Lastly, based on the dataset that we analyzed, we may extrap- 200 web pages and JavaScript files per site from the applica- olate that the likelihood that a random page on the internet tion into a repository. These pages were then analyzed offline contains a client-side JavaScript vulnerability is approximately for client-side JavaScript vulnerabilities, using the JavaScript one in 55. Security Analyzer, concentrating on two main types of issues: DOM-based Cross-site scripting, and Open redirects. We would like to stress the fact that our research concen- The results of our research were quite disturbing: about trated on only two issue types (DOM-based cross-site script- 14 percent (98 sites) of the 675 sites suffer from many severe ing and Open redirects), and was performed using the first client-side JavaScript issues, which could allow malicious version of the JavaScript Security Analyzer technology. Our hackers to perform attacks such as: analysis was run on a relatively small number of web pages, and was performed without digging deeply into each site ● Infect users of these sites with Malware and viruses. (for example, no credentials were used to log in to the sites). ● Hijack users’ web sessions and perform actions on their We are quite certain that a more thorough web crawl and a behalf. longer list of client-side JavaScript issues to look for would ● Perform Phishing attacks on users of these sites. reveal significantly more security vulnerabilities. ● Spoof web contents Technical details The troubling fact about these statistics is that most organi- In order to understand the difficulties involved in assessing zations have no efficient process or automated solution to web applications for client-side JavaScript issues, we must assist them with the task of locating these types of issues. first understand how these types of issues differ from server- side web application vulnerabilities. Our research also showed that 38 percent of the vulnerable sites suffered from these vulnerabilities as a result of using In 2005, Amit Klein, a distinguished security researcher, pub- third party JavaScript code such as: lished a whitepaper called “DOM Based Cross Site Scripting or XSS of the Third Kind.”3 The paper discussed a unique ● Marketing campaign JavaScript snippets. variant of Cross-site scripting which, unlike “Stored” and ● Flash embedding JavaScript snippets. “Reflected” Cross-site scripting, did not rely on user input ● Deep linking JavaScript libraries for Adobe® Flash and being sent to the application and then reflected back in a AJAX applications. web page, but instead exploited the fact that the vulnerable ● Social networking JavaScript snippets. HTML page used information from JavaScript objects such as document.URL, document.location or document.referrer, all of which could be controlled by a malicious attacker in some way. 2
IBM Software Technical White Paper Rational The paper presented the following vulnerable example HTML page, with the URL address: http://www.vulnerable.site/welcome.html <HTML> <TITLE>Welcome!</TITLE> Hi <SCRIPT> var pos=document.URL.indexOf(‘name=’)+5; document.write(document.URL.substring(pos,document.URL.length)) </SCRIPT> <BR> Welcome to our system … </HTML> According to the original paper, a typical access to The whitepaper also discussed how this third kind of Cross- this web page would be via the following URL: site scripting could be used to mount attacks that evade http://www.vulnerable.site/welcome.html?name=Joe server-side detection and prevention mechanisms, such as However, if this web page is retrieved via the following mali- web application firewalls, by using the HTML fragment cious URL: http://www.vulnerable.site/welcome.html?name= identifier (#), a fact that makes this type of vulnerability <script>alert(document.cookie)</script> particularly dangerous. A Cross-site scripting condition occurs. Many security experts believe5 that the task of locating client- The whitepaper then described how this Cross-site scripting side JavaScript issues such as DOM-based Cross-site scripting vulnerability works: is a daunting one, often requiring that a penetration tester perform thorough code review of both the HTML and the “The victim’s browser receives this link, sends an HTTP request to JavaScript source code that is included with it. In addition, www.vulnerable.site, and receives the above (static!) HTML many believe that current automated methods for performing page. The victim’s browser then starts parsing this HTML dynamic and static security analysis of web applications into DOM. The DOM contains an object called document, fall short, and are incapable of accurately locating most which contains a property called URL, and this property is client-side JavaScript issues. populated with the URL of the current page, as part of DOM creation. When the parser arrives to the JavaScript code, it For our research we used a new technology, developed by the executes it and it modifies the raw HTML of the page. In IBM Rational application security group, which is available as this case, the code references document.URL, and so, a part part of IBM Rational AppScan® Standard Edition software of this string is embedded at parsing time in the HTML, v8.0.6 This technology is called JavaScript Security Analyzer which is then immediately parsed and the JavaScript code (JSA), and works in the following way: found (alert(…)) is executed in the context of the same page, hence the XSS condition.”4 3
IBM Software Technical White Paper Rational JSA goes over all URLs visited by the web crawler of and other popular websites. We retrieved approximately Rational AppScan Standard Edition software, one by one. For 200 pages and JavaScript files per site, using a non-intrusive each URL, JSA saves the entire HTTP response stream. JSA web crawling process that only follows HTML links, and then looks for JavaScript entry points in the current visited executes JavaScript code in each page to find dynamically URL, and applies a set of JavaScript-specific taint analysis generated links and simulate real user interaction with the rules. These rules include specifications of source, sink, and site, which is necessary for AJAX-type sites. To avoid damage sanitizer functions. JSA reports on data flows from source to to or any non-standard interaction with the sites, our web sink that do not go through a sanitizer. JSA reports on six dif- crawler did not fill out any HTML forms, did not log in to ferent issue types. Issues reported by JSA appear in Rational the application, and did not submit any additional HTTP AppScan Standard Edition software. Trace information for requests to the sites. In essence, our web crawler merely each issue is displayed in the issue information pane in performed an indexing of each application similar to that of Rational AppScan Standard Edition software. web search engines. Note that JSA runs entirely on the local machine, pulling Each application was tested for two main client-side visited URLs from the current scan, and performing no JavaScript issues: DOM-based Cross-site scripting, and Open communication with the site at all. This makes it possible to redirects7 a vulnerability which allows a malicious attacker to run JSA on existing scan files, even if the scanned host is not force the victim’s browser to automatically redirect to a site available. The engine of JSA uses a sophisticated taint analy- he/she owns, and which can be used for Phishing purposes. sis algorithm, and is based on a static analysis platform devel- oped by IBM research. Our research found that of the 675 websites analyzed, 98 (14.5 percent) were infested with DOM-based Cross-site Modern websites, which use Web 2.0 and AJAX, often gener- scripting and open redirects (Figure 1). ate HTML and JavaScript code on the fly. This means that standard static code analyzers cannot fully scan the source code and locate client-side JavaScript issues, since the source code itself does not yet include the entire HTML and 85.5% JavaScript code. On the other hand, because the input for the assessment done by JSA includes both the fully rendered HTML and the JavaScript code (both extracted by deep crawling of the website), client-side issues can be detected with superior accuracy. In essence, JSA enjoys the best of both dynamic and static analysis, amalgamating the two approaches, in order to accu- rately assess JavaScript code in its natural environment. 14.5% For this research, we used a sample group of 675 websites, Vulnerable sites including all 500 of the Fortune 500 companies, plus Not vulnerable sites 175 handpicked websites including IT security companies, web application security companies, social networking sites Figure 1: Percentage of sites vulnerable to client-side JavaScript issues 4
IBM Software Technical White Paper Rational Another interesting piece of information was that out of Looking at the distribution of vulnerability types (Figure 3), the 98 vulnerable sites, 38 percent suffered from a vulnerabil- we see that of the 98 vulnerable sites, 92 (94 percent) ity introduced by a third-party JavaScript code snippet suffered from DOM-based Cross-site scripting issues, and (Figure 2). These snippets were included for adding one of only 11 (11 percent) suffered from Open redirects. The total the following capabilities: amount of DOM-based Cross-site scripting issues that were found was 2370, versus only 221 Open redirects. ● Marketing campaign JavaScript snippets. ● Flash embedding JavaScript snippets. In total, our scan included 169,443 web pages, out of which ● Deep linking JavaScript libraries for Flash and AJAX 90,929 were unique. Out of the unique pages, we have found applications. that 1659 web pages had a verified client-side JavaScript vul- ● Social networking JavaScript snippets. nerability, which means that the approximate likelihood for a random web page on the internet to contain a client-side JavaScript vulnerability is one in 55. 62% 2370 1200 1000 800 600 38% 400 221 200 92 0 11 In-house written JavaScript code DOM-based XSS 3rd party JavaScript code Open Redirect Sites Vulnerable Total Issues Figure 2: Vulnerable third party JavaScript code vs. in-house written code Figure 3: Distribution of vulnerability types (DOM-based Cross-site Snippets of this kind are quite common in web applications Scripting vs. Open redirects) these days, and we see a growing use of such third party JavaScript code, especially in Web 2.0 and AJAX web applica- tions. Moreover, web developers often add these snippets blindly, without performing any security verification on them—they are unaware of the hazards they introduce to what could have been a reasonably secure application. 5
IBM Software Technical White Paper Rational In order to validate each of the issues found, and to avoid false positive results, we used the trace information provided by JSA, and manually verified each vulnerability. Below (Figure 4) you can see an example of such JavaScript trace information of a real vulnerability found during our research: Figure 4: JavaScript taint analysis trace information The example above is quite common. As can be seen, hacker-controlled data is first used in line #42, through the usage of the document.URL object, and is later used in the HTML code in line #1504. The various steps of the malicious data flow can also be observed. 6
IBM Software Technical White Paper Rational Summary Omri Weisman, software development manager Our research, which ran on a modest-sized sample group of Omri Weisman is a software development manager in IBM. 675 websites, showed that client-side JavaScript issues such as For the past nine years, Omri has been leading software DOM-based Cross-site scripting and Open redirects are far development projects in the field of application security and more common than previously thought. Moreover, as vulnerability assessment. In his current position Omri man- Web 2.0 and AJAX design patterns that rely on untrusted ages the Static Analysis Group in IBM Rational, responsible third party JavaScript code gain popularity, it is likely that for building technologies for detecting security vulnerabilities client-side security issues will become more and more through code scanning. Omri holds a B.Sc. in mathematics common. and computer science from the Ben Gurion University. We suggest that the dearth of accurate statistics on the preva- Adi Sharabani, cross-Rational security strategy and lence of such issues in public discussions, projects, and architecture whitepapers on web application vulnerabilities is due to their Adi Sharabani is in charge of the cross-Rational security complex nature and the difficulty involved in manually or strategy. As part of his role, Adi is responsible for leading, automatically locating them. However, our research has designing, and deploying overall security processes within the demonstrated a new automated and accurate approach for Rational development groups. Adi was formerly head the locating client-side JavaScript issues, by amalgamating two IBM Rational Application Security Research, responsible for separate security analysis approaches: static taint analysis of research activities on web application security. Adi holds a JavaScript code, and deep dynamic web crawling of running B.A. in physics and in mathematics (both cum laude) from web applications. Our approach harnesses the best of both the Tel Aviv University and was a researcher at the techniques to locate vulnerabilities in web applications with University’s Astrophysics Lab precision. Yair Amit, security and research group manager, Vulnerability disclosure Rational IBM has notified the third party JavaScript vendors whose Yair Amit is the manager of the Rational Application code was found by our research to contain vulnerabilities Security and Research group. Yair manages technological about the severe issues found by IBM and offered assistance and security research and is responsible for the security in solving them. content of IBM Rational’s application security product line. Yair is recognized for his rich web and network security background; his research has found numerous security About the authors vulnerabilities and has been presented in various security Ory Segal, security products architect and IBM Rational events over the years. Yair holds a double major B.A. degree AppScan product manager in computer science and life sciences with specialization in Ory Segal is a leading expert in web application security and Bioinformatics (both summa-cum laude) from the Tel-Aviv an experienced product manager with more than 12 years of University. security and research experience. Ory is responsible for researching technologies and recommending strategic Lotem Guy directions for IBM Rational’s application security product Lotem Guy is a senior security researcher at the Rational line. Ory holds a degree in computer science from the Application Security and Research group. Lotem is responsi- Open University of Israel, and recently received an ble for researching new web application vulnerabilities, per- IBM Outstanding Technical Achievement Award. Ory is forming application security audits and developing security also an officer of the Web Application Security Consortium related features for the Rational AppScan products family. (WASC). Lotem holds a B.A. in computer science and computational biology from the Hebrew University in Jerusalem. 7
For more information To learn more about IBM Rational AppScan products, contact your IBM representative or IBM Business Partner, or visit: ibm.com/software/rational/offerings/testing/ © Copyright IBM Corporation 2010 webapplicationsecurity IBM Corporation Additionally, financing solutions from IBM Global Financing Software Group Route 100 can enable effective cash management, protection from tech- Somers, NY 10589 nology obsolescence, improved total cost of ownership and U.S.A. return on investment. Also, our Global Asset Recovery Produced in the United States of America Services help address environmental concerns with new, December, 2010 more energy-efficient solutions. For more information on All Rights Reserved IBM Global Financing, visit: ibm.com/financing IBM, the IBM logo, ibm.com, Rational, and AppScan are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml Adobe, Flash, and the Flash logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. Other company, product, or service names may be trademarks or service marks of others. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates. The information contained in this documentation is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this documentation, it is provided “as is” without warranty of any kind, express or implied. In addition, this information is based on IBM’s 3 Klein, Amit. 2005. DOM Based Cross Site Scripting or XSS of the current product plans and strategy, which are subject to change by Third Kind. http://www.webappsec.org/projects/articles/071105.shtml IBM without notice. IBM shall not be responsible for any damages 4 Klein, Amit. 2005. DOM Based Cross Site Scripting or XSS of the arising out of the use of, or otherwise related to, this documentation or Third Kind. http://www.webappsec.org/projects/articles/071105.shtml any other documentation. Nothing contained in this documentation is intended to, nor shall have the effect of, creating any warranties or 5 Open Web Application Security Project. OWASP Testing Guide: representations from IBM (or its suppliers or licensors), or altering the Testing for DOM-based Cross site scripting (OWASP-DV-003). terms and conditions of the applicable license agreement governing http://www.owasp.org/index.php/Testing_for_DOM-based_ the use of IBM software. Cross_site_scripting_(OWASP-DV-003) 1 Web Application Security Consortium. Web Hacking Incidents 6 Rational AppScan Standard Edition. http://www-01.ibm.com/software/ Database (WHID). http://projects.webappsec.org/Web-Hacking- awdtools/appscan/standard/ Incident-Database 7 MITRE. CWE-601: URL Redirection to Untrusted Site (‘Open 2 Web Application Security Consortium. WASC Statistics Project. Redirect’). http://cwe.mitre.org/data/definitions/601.html http://projects.webappsec.org/Web-Application-Security-Statistics Please Recycle RAW14252-USEN-00

Recomendados

Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2guest66dc5f
 
Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Codeguest66dc5f
 
HallTumserFinalPaper
HallTumserFinalPaperHallTumserFinalPaper
HallTumserFinalPaperDaniel Tumser
 
CS6262_Group9_FinalReport
CS6262_Group9_FinalReportCS6262_Group9_FinalReport
CS6262_Group9_FinalReportGarrett Mallory
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
React security vulnerabilities
React security vulnerabilitiesReact security vulnerabilities
React security vulnerabilitiesAngelinaJasper
 
Web Hacking
Web HackingWeb Hacking
Web HackingInformation Technology
 
MS
MSMS
MSAustin Byers
 

Recomendados

Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2guest66dc5f
 
Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Codeguest66dc5f
 
HallTumserFinalPaper
HallTumserFinalPaperHallTumserFinalPaper
HallTumserFinalPaperDaniel Tumser
 
CS6262_Group9_FinalReport
CS6262_Group9_FinalReportCS6262_Group9_FinalReport
CS6262_Group9_FinalReportGarrett Mallory
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
React security vulnerabilities
React security vulnerabilitiesReact security vulnerabilities
React security vulnerabilitiesAngelinaJasper
 
Web Hacking
Web HackingWeb Hacking
Web HackingInformation Technology
 
MS
MSMS
MSAustin Byers
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
A web content analytics
A web content analyticsA web content analytics
A web content analyticscsandit
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Shreeraj Shah
 
Bshield osdi2006
Bshield osdi2006Bshield osdi2006
Bshield osdi2006losalamos
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web Shreeraj Shah
 
Hacking the Web
Hacking the WebHacking the Web
Hacking the WebMike Crabb
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
SQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web securitySQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web securityMoutasm Tamimi
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperShreeraj Shah
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsphanleson
 
Double guard: Detecting Interruptions in N- Tier Web Applications
Double guard: Detecting Interruptions in N- Tier Web ApplicationsDouble guard: Detecting Interruptions in N- Tier Web Applications
Double guard: Detecting Interruptions in N- Tier Web ApplicationsIJMER
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAditya K Sood
 
Session7-XSS & CSRF
Session7-XSS & CSRFSession7-XSS & CSRF
Session7-XSS & CSRFzakieh alizadeh
 
AJAX: How to Divert Threats
AJAX: How to Divert ThreatsAJAX: How to Divert Threats
AJAX: How to Divert ThreatsCenzic
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Attack with-html5
Attack with-html5Attack with-html5
Attack with-html5Sony Arianto
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
 
Ensamblaje
EnsamblajeEnsamblaje
Ensamblajeunisabana
 
Evaluation q3
Evaluation q3Evaluation q3
Evaluation q3Stunnah
 

Mais conteúdo relacionado

Mais procurados

Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
A web content analytics
A web content analyticsA web content analytics
A web content analyticscsandit
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Shreeraj Shah
 
Bshield osdi2006
Bshield osdi2006Bshield osdi2006
Bshield osdi2006losalamos
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web Shreeraj Shah
 
Hacking the Web
Hacking the WebHacking the Web
Hacking the WebMike Crabb
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
SQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web securitySQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web securityMoutasm Tamimi
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperShreeraj Shah
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsphanleson
 
Double guard: Detecting Interruptions in N- Tier Web Applications
Double guard: Detecting Interruptions in N- Tier Web ApplicationsDouble guard: Detecting Interruptions in N- Tier Web Applications
Double guard: Detecting Interruptions in N- Tier Web ApplicationsIJMER
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAditya K Sood
 
AJAX: How to Divert Threats
AJAX: How to Divert ThreatsAJAX: How to Divert Threats
AJAX: How to Divert ThreatsCenzic
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
 

Mais procurados (20)

Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
 
A web content analytics
A web content analyticsA web content analytics
A web content analytics
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
 
Bshield osdi2006
Bshield osdi2006Bshield osdi2006
Bshield osdi2006
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
 
Hacking the Web
Hacking the WebHacking the Web
Hacking the Web
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
 
SQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web securitySQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web security
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - Whitepaper
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
Double guard: Detecting Interruptions in N- Tier Web Applications
Double guard: Detecting Interruptions in N- Tier Web ApplicationsDouble guard: Detecting Interruptions in N- Tier Web Applications
Double guard: Detecting Interruptions in N- Tier Web Applications
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and Defences
 
Session7-XSS & CSRF
Session7-XSS & CSRFSession7-XSS & CSRF
Session7-XSS & CSRF
 
AJAX: How to Divert Threats
AJAX: How to Divert ThreatsAJAX: How to Divert Threats
AJAX: How to Divert Threats
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Attack with-html5
Attack with-html5Attack with-html5
Attack with-html5
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
 

Destaque

Evaluation q3
Evaluation q3Evaluation q3
Evaluation q3Stunnah
 
Evaluation q3
Evaluation q3Evaluation q3
Evaluation q3Stunnah
 
Lecture 16 Part 2
Lecture 16 Part 2Lecture 16 Part 2
Lecture 16 Part 2giskende
 
360 degree
360 degree360 degree
360 degreeguddinti
 
The red river_rebellions1869_1870[1]
The red river_rebellions1869_1870[1]The red river_rebellions1869_1870[1]
The red river_rebellions1869_1870[1]Nicolemarie4
 
SES 2014 - Local Search - Bigger than you think
SES 2014 - Local Search - Bigger than you thinkSES 2014 - Local Search - Bigger than you think
SES 2014 - Local Search - Bigger than you thinkPeter Young
 
Lecture 12
Lecture 12Lecture 12
Lecture 12giskende
 
How to accelerate your financial services compliance initiatives
How to accelerate your financial services compliance initiativesHow to accelerate your financial services compliance initiatives
How to accelerate your financial services compliance initiativesIBM Rational software
 
Presentacion en albacete del manual sobre el informe sectorial de accesibilid...
Presentacion en albacete del manual sobre el informe sectorial de accesibilid...Presentacion en albacete del manual sobre el informe sectorial de accesibilid...
Presentacion en albacete del manual sobre el informe sectorial de accesibilid...JCCM1925
 
Nick manij
Nick manijNick manij
Nick manijStunnah
 
Lab 1: Generating document-style reports
Lab 1: Generating document-style reportsLab 1: Generating document-style reports
Lab 1: Generating document-style reportsIBM Rational software
 
Lecture 19
Lecture 19Lecture 19
Lecture 19giskende
 
Advertisement presentation 1
Advertisement presentation 1Advertisement presentation 1
Advertisement presentation 1JacobHamblin
 
Terve tuho - tietä tuottaville työpaikoille ja kasvulle
Terve tuho - tietä tuottaville työpaikoille ja kasvulleTerve tuho - tietä tuottaville työpaikoille ja kasvulle
Terve tuho - tietä tuottaville työpaikoille ja kasvulleevathinktank
 
Presentación1 (3) allison
Presentación1 (3) allisonPresentación1 (3) allison
Presentación1 (3) allisonfalabyu
 
Social Brand Footprint - sierpień 2013
Social Brand Footprint - sierpień 2013Social Brand Footprint - sierpień 2013
Social Brand Footprint - sierpień 2013NapoleonCat.com
 

Destaque (20)

Ensamblaje
EnsamblajeEnsamblaje
Ensamblaje
 
Evaluation q3
Evaluation q3Evaluation q3
Evaluation q3
 
Evaluation q3
Evaluation q3Evaluation q3
Evaluation q3
 
Lecture 16 Part 2
Lecture 16 Part 2Lecture 16 Part 2
Lecture 16 Part 2
 
360 degree
360 degree360 degree
360 degree
 
The red river_rebellions1869_1870[1]
The red river_rebellions1869_1870[1]The red river_rebellions1869_1870[1]
The red river_rebellions1869_1870[1]
 
SES 2014 - Local Search - Bigger than you think
SES 2014 - Local Search - Bigger than you thinkSES 2014 - Local Search - Bigger than you think
SES 2014 - Local Search - Bigger than you think
 
World cancer day isha
World cancer day ishaWorld cancer day isha
World cancer day isha
 
Hanke esittely-siiliset14042011
Hanke esittely-siiliset14042011Hanke esittely-siiliset14042011
Hanke esittely-siiliset14042011
 
Lecture 12
Lecture 12Lecture 12
Lecture 12
 
How to accelerate your financial services compliance initiatives
How to accelerate your financial services compliance initiativesHow to accelerate your financial services compliance initiatives
How to accelerate your financial services compliance initiatives
 
Modelado
ModeladoModelado
Modelado
 
Presentacion en albacete del manual sobre el informe sectorial de accesibilid...
Presentacion en albacete del manual sobre el informe sectorial de accesibilid...Presentacion en albacete del manual sobre el informe sectorial de accesibilid...
Presentacion en albacete del manual sobre el informe sectorial de accesibilid...
 
Nick manij
Nick manijNick manij
Nick manij
 
Lab 1: Generating document-style reports
Lab 1: Generating document-style reportsLab 1: Generating document-style reports
Lab 1: Generating document-style reports
 
Lecture 19
Lecture 19Lecture 19
Lecture 19
 
Advertisement presentation 1
Advertisement presentation 1Advertisement presentation 1
Advertisement presentation 1
 
Terve tuho - tietä tuottaville työpaikoille ja kasvulle
Terve tuho - tietä tuottaville työpaikoille ja kasvulleTerve tuho - tietä tuottaville työpaikoille ja kasvulle
Terve tuho - tietä tuottaville työpaikoille ja kasvulle
 
Presentación1 (3) allison
Presentación1 (3) allisonPresentación1 (3) allison
Presentación1 (3) allison
 
Social Brand Footprint - sierpień 2013
Social Brand Footprint - sierpień 2013Social Brand Footprint - sierpień 2013
Social Brand Footprint - sierpień 2013
 

Semelhante a A look at the prevalence of client-side JavaScript vulnerabilities in web applications

Qg was guide
Qg was guideQg was guide
Qg was guidenat page
 
Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 nat page
 
Routine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsRoutine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsIJTET Journal
 
IBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security SolutionIBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security Solutionhearme limited company
 
ISSA Journal Paper - JavaScript Infection Model
ISSA Journal Paper - JavaScript Infection ModelISSA Journal Paper - JavaScript Infection Model
ISSA Journal Paper - JavaScript Infection ModelAditya K Sood
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPreetish Panda
 
React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!Shelly Megan
 
Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007ClubHack
 
Case Study: Q2 2014 Global DDoS Attack Report | Akamai Document
Case Study: Q2 2014 Global DDoS Attack Report | Akamai DocumentCase Study: Q2 2014 Global DDoS Attack Report | Akamai Document
Case Study: Q2 2014 Global DDoS Attack Report | Akamai DocumentProlexic
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trendsbeched
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar GanievOWASP Russia
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsWWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsVagner Santana
 
Top 10 Web Vulnerability Scanners
Top 10 Web Vulnerability ScannersTop 10 Web Vulnerability Scanners
Top 10 Web Vulnerability Scannerswensheng wei
 
website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperBhagyashri Chalakh
 
Web browser and Security Threats
Web browser and Security ThreatsWeb browser and Security Threats
Web browser and Security ThreatsHTS Hosting
 
Tracing out Cross Site Scripting Vulnerabilities in Modern Scripts
Tracing out Cross Site Scripting Vulnerabilities in Modern ScriptsTracing out Cross Site Scripting Vulnerabilities in Modern Scripts
Tracing out Cross Site Scripting Vulnerabilities in Modern ScriptsEswar Publications
 

Semelhante a A look at the prevalence of client-side JavaScript vulnerabilities in web applications (20)

A26001006
A26001006A26001006
A26001006
 
Qg was guide
Qg was guideQg was guide
Qg was guide
 
Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011
 
Routine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsRoutine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence Flaws
 
IBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security SolutionIBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security Solution
 
ISSA Journal Paper - JavaScript Infection Model
ISSA Journal Paper - JavaScript Infection ModelISSA Journal Paper - JavaScript Infection Model
ISSA Journal Paper - JavaScript Infection Model
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
 
SeanRobertsThesis
SeanRobertsThesisSeanRobertsThesis
SeanRobertsThesis
 
React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!
 
Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007
 
Case Study: Q2 2014 Global DDoS Attack Report | Akamai Document
Case Study: Q2 2014 Global DDoS Attack Report | Akamai DocumentCase Study: Q2 2014 Global DDoS Attack Report | Akamai Document
Case Study: Q2 2014 Global DDoS Attack Report | Akamai Document
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trends
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsWWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
 
Web Application Solutions
Web Application SolutionsWeb Application Solutions
Web Application Solutions
 
Top 10 Web Vulnerability Scanners
Top 10 Web Vulnerability ScannersTop 10 Web Vulnerability Scanners
Top 10 Web Vulnerability Scanners
 
website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paper
 
Web browser and Security Threats
Web browser and Security ThreatsWeb browser and Security Threats
Web browser and Security Threats
 
Tracing out Cross Site Scripting Vulnerabilities in Modern Scripts
Tracing out Cross Site Scripting Vulnerabilities in Modern ScriptsTracing out Cross Site Scripting Vulnerabilities in Modern Scripts
Tracing out Cross Site Scripting Vulnerabilities in Modern Scripts
 

Mais de IBM Rational software

DMT-2467 Like the Features in Rational DOORS 9? Come Check Them Out in DOORS...
DMT-2467 Like the Features in Rational DOORS 9? Come Check Them Out in DOORS...DMT-2467 Like the Features in Rational DOORS 9? Come Check Them Out in DOORS...
DMT-2467 Like the Features in Rational DOORS 9? Come Check Them Out in DOORS...IBM Rational software
 
Dmt 5899 workshop - Learn to Collaborate, Trace, Review and Reuse Your Requir...
Dmt 5899 workshop - Learn to Collaborate, Trace, Review and Reuse Your Requir...Dmt 5899 workshop - Learn to Collaborate, Trace, Review and Reuse Your Requir...
Dmt 5899 workshop - Learn to Collaborate, Trace, Review and Reuse Your Requir...IBM Rational software
 
Steer at the Team Level with Rational Team Concert
Steer at the Team Level with Rational Team ConcertSteer at the Team Level with Rational Team Concert
Steer at the Team Level with Rational Team ConcertIBM Rational software
 
UrbanCode Deploy course and product overview slides
UrbanCode Deploy course and product overview slidesUrbanCode Deploy course and product overview slides
UrbanCode Deploy course and product overview slidesIBM Rational software
 
IBM InterConnect Speaker Proposal Tips
IBM InterConnect Speaker Proposal TipsIBM InterConnect Speaker Proposal Tips
IBM InterConnect Speaker Proposal TipsIBM Rational software
 
Factors to consider when starting a brand-new requirements management project...
Factors to consider when starting a brand-new requirements management project...Factors to consider when starting a brand-new requirements management project...
Factors to consider when starting a brand-new requirements management project...IBM Rational software
 
IBM DevOps Announcements - June 2014
IBM DevOps Announcements - June 2014IBM DevOps Announcements - June 2014
IBM DevOps Announcements - June 2014IBM Rational software
 
IBM Rational Developer for System z Quick Start Sales Presentation
IBM Rational Developer for System z Quick Start Sales PresentationIBM Rational Developer for System z Quick Start Sales Presentation
IBM Rational Developer for System z Quick Start Sales PresentationIBM Rational software
 
Rational consulting café to go menu
Rational consulting café to go menuRational consulting café to go menu
Rational consulting café to go menuIBM Rational software
 

Mais de IBM Rational software (20)

DMT-2467 Like the Features in Rational DOORS 9? Come Check Them Out in DOORS...
DMT-2467 Like the Features in Rational DOORS 9? Come Check Them Out in DOORS...DMT-2467 Like the Features in Rational DOORS 9? Come Check Them Out in DOORS...
DMT-2467 Like the Features in Rational DOORS 9? Come Check Them Out in DOORS...
 
Dmt 5899 workshop - Learn to Collaborate, Trace, Review and Reuse Your Requir...
Dmt 5899 workshop - Learn to Collaborate, Trace, Review and Reuse Your Requir...Dmt 5899 workshop - Learn to Collaborate, Trace, Review and Reuse Your Requir...
Dmt 5899 workshop - Learn to Collaborate, Trace, Review and Reuse Your Requir...
 
Deployment module slides
Deployment module slidesDeployment module slides
Deployment module slides
 
Security
SecuritySecurity
Security
 
Steer at the Team Level with Rational Team Concert
Steer at the Team Level with Rational Team ConcertSteer at the Team Level with Rational Team Concert
Steer at the Team Level with Rational Team Concert
 
Applications lab
Applications lab Applications lab
Applications lab
 
Application slides
Application slidesApplication slides
Application slides
 
Components lab
Components labComponents lab
Components lab
 
UCD components
UCD components UCD components
UCD components
 
Resource lab
Resource labResource lab
Resource lab
 
Resources slides
Resources slidesResources slides
Resources slides
 
UrbanCode Deploy course and product overview slides
UrbanCode Deploy course and product overview slidesUrbanCode Deploy course and product overview slides
UrbanCode Deploy course and product overview slides
 
IBM InterConnect Speaker Proposal Tips
IBM InterConnect Speaker Proposal TipsIBM InterConnect Speaker Proposal Tips
IBM InterConnect Speaker Proposal Tips
 
Factors to consider when starting a brand-new requirements management project...
Factors to consider when starting a brand-new requirements management project...Factors to consider when starting a brand-new requirements management project...
Factors to consider when starting a brand-new requirements management project...
 
IBM DevOps Announcements - June 2014
IBM DevOps Announcements - June 2014IBM DevOps Announcements - June 2014
IBM DevOps Announcements - June 2014
 
IBM Rational Developer for System z Quick Start Sales Presentation
IBM Rational Developer for System z Quick Start Sales PresentationIBM Rational Developer for System z Quick Start Sales Presentation
IBM Rational Developer for System z Quick Start Sales Presentation
 
Rational consulting café to go menu
Rational consulting café to go menuRational consulting café to go menu
Rational consulting café to go menu
 
Lab3 RTC Source Control
Lab3 RTC Source ControlLab3 RTC Source Control
Lab3 RTC Source Control
 
Lab2 RTC Work Items
Lab2 RTC Work ItemsLab2 RTC Work Items
Lab2 RTC Work Items
 
Lab4 RTC Builds
Lab4 RTC BuildsLab4 RTC Builds
Lab4 RTC Builds
 

Último

Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Último (20)

Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

A look at the prevalence of client-side JavaScript vulnerabilities in web applications

  • 1. IBM Software Technical White Paper Rational Close encounters of the third kind A look at the prevalence of client-side JavaScript vulnerabilities in web applications Executive summary Contents In the past ten years, many whitepapers, research articles, and blog posts have been published on the subject of server-side web application 1 Executive summary vulnerabilities such as SQL injection, Cross-site scripting, and HTTP response splitting. In addition, several projects such as the WASC Web 2 Technical details Hacking Incident Database1 or the WASC Statistics2 projects have tried 7 Summary to estimate the incidence of such issues in the real world. On the other hand, there is a dearth of information and statistics on the incidence of 8 Vulnerability disclosure client-side JavaScript™ vulnerabilities in web applications, even though these vulnerabilities are just as severe as their server-side counterparts. We suspect that the main reason for this lack of information is that client-side vulnerabilities are harder to locate, and require deep knowl- edge of JavaScript and the ability to perform code review for HTML pages and JavaScript files. As Web 2.0, AJAX applications and rich internet applications (RIAs) become more common, client-side JavaScript vulnerabilities will prob- ably become more relevant, and we foresee a rise in the amount of such issues being exploited by malicious hackers. This whitepaper presents the results of a research recently performed by the IBM® Rational® application security group into the prevalence of client-side JavaScript vulnerabilities. For this research, we used a new IBM technology called JavaScript Security Analyzer (JSA), which performs static taint analysis on JavaScript code that was collected from web pages extracted by an automated deep web crawl process. This kind of analysis is superior to and more accurate than regular static taint analysis of JavaScript code, as it includes the entire JavaScript codebase in its natural environment: fully rendered HTML pages and the browser’s Document Object Model (DOM).
  • 2. IBM Software Technical White Paper Rational The research used a sample group of approximately 675 web- Of the 98 vulnerable sites, 92 sites (94 percent) suffered from sites, consisting of all the Fortune 500 companies and another DOM-based cross-site scripting issues, whereas only 11 sites 175 handpicked websites, including IT, web application (11 percent) suffered from open redirects. The total amount security vendors, and social networking sites. In order to of DOM-based cross-site scripting issues found was 2370, avoid damage to the sites or interference with their regular while only 221 open redirects were found. behavior, we used a non-intrusive web crawler, similar to that of a web search engine, which retrieved approximately Lastly, based on the dataset that we analyzed, we may extrap- 200 web pages and JavaScript files per site from the applica- olate that the likelihood that a random page on the internet tion into a repository. These pages were then analyzed offline contains a client-side JavaScript vulnerability is approximately for client-side JavaScript vulnerabilities, using the JavaScript one in 55. Security Analyzer, concentrating on two main types of issues: DOM-based Cross-site scripting, and Open redirects. We would like to stress the fact that our research concen- The results of our research were quite disturbing: about trated on only two issue types (DOM-based cross-site script- 14 percent (98 sites) of the 675 sites suffer from many severe ing and Open redirects), and was performed using the first client-side JavaScript issues, which could allow malicious version of the JavaScript Security Analyzer technology. Our hackers to perform attacks such as: analysis was run on a relatively small number of web pages, and was performed without digging deeply into each site ● Infect users of these sites with Malware and viruses. (for example, no credentials were used to log in to the sites). ● Hijack users’ web sessions and perform actions on their We are quite certain that a more thorough web crawl and a behalf. longer list of client-side JavaScript issues to look for would ● Perform Phishing attacks on users of these sites. reveal significantly more security vulnerabilities. ● Spoof web contents Technical details The troubling fact about these statistics is that most organi- In order to understand the difficulties involved in assessing zations have no efficient process or automated solution to web applications for client-side JavaScript issues, we must assist them with the task of locating these types of issues. first understand how these types of issues differ from server- side web application vulnerabilities. Our research also showed that 38 percent of the vulnerable sites suffered from these vulnerabilities as a result of using In 2005, Amit Klein, a distinguished security researcher, pub- third party JavaScript code such as: lished a whitepaper called “DOM Based Cross Site Scripting or XSS of the Third Kind.”3 The paper discussed a unique ● Marketing campaign JavaScript snippets. variant of Cross-site scripting which, unlike “Stored” and ● Flash embedding JavaScript snippets. “Reflected” Cross-site scripting, did not rely on user input ● Deep linking JavaScript libraries for Adobe® Flash and being sent to the application and then reflected back in a AJAX applications. web page, but instead exploited the fact that the vulnerable ● Social networking JavaScript snippets. HTML page used information from JavaScript objects such as document.URL, document.location or document.referrer, all of which could be controlled by a malicious attacker in some way. 2
  • 3. IBM Software Technical White Paper Rational The paper presented the following vulnerable example HTML page, with the URL address: http://www.vulnerable.site/welcome.html <HTML> <TITLE>Welcome!</TITLE> Hi <SCRIPT> var pos=document.URL.indexOf(‘name=’)+5; document.write(document.URL.substring(pos,document.URL.length)) </SCRIPT> <BR> Welcome to our system … </HTML> According to the original paper, a typical access to The whitepaper also discussed how this third kind of Cross- this web page would be via the following URL: site scripting could be used to mount attacks that evade http://www.vulnerable.site/welcome.html?name=Joe server-side detection and prevention mechanisms, such as However, if this web page is retrieved via the following mali- web application firewalls, by using the HTML fragment cious URL: http://www.vulnerable.site/welcome.html?name= identifier (#), a fact that makes this type of vulnerability <script>alert(document.cookie)</script> particularly dangerous. A Cross-site scripting condition occurs. Many security experts believe5 that the task of locating client- The whitepaper then described how this Cross-site scripting side JavaScript issues such as DOM-based Cross-site scripting vulnerability works: is a daunting one, often requiring that a penetration tester perform thorough code review of both the HTML and the “The victim’s browser receives this link, sends an HTTP request to JavaScript source code that is included with it. In addition, www.vulnerable.site, and receives the above (static!) HTML many believe that current automated methods for performing page. The victim’s browser then starts parsing this HTML dynamic and static security analysis of web applications into DOM. The DOM contains an object called document, fall short, and are incapable of accurately locating most which contains a property called URL, and this property is client-side JavaScript issues. populated with the URL of the current page, as part of DOM creation. When the parser arrives to the JavaScript code, it For our research we used a new technology, developed by the executes it and it modifies the raw HTML of the page. In IBM Rational application security group, which is available as this case, the code references document.URL, and so, a part part of IBM Rational AppScan® Standard Edition software of this string is embedded at parsing time in the HTML, v8.0.6 This technology is called JavaScript Security Analyzer which is then immediately parsed and the JavaScript code (JSA), and works in the following way: found (alert(…)) is executed in the context of the same page, hence the XSS condition.”4 3
  • 4. IBM Software Technical White Paper Rational JSA goes over all URLs visited by the web crawler of and other popular websites. We retrieved approximately Rational AppScan Standard Edition software, one by one. For 200 pages and JavaScript files per site, using a non-intrusive each URL, JSA saves the entire HTTP response stream. JSA web crawling process that only follows HTML links, and then looks for JavaScript entry points in the current visited executes JavaScript code in each page to find dynamically URL, and applies a set of JavaScript-specific taint analysis generated links and simulate real user interaction with the rules. These rules include specifications of source, sink, and site, which is necessary for AJAX-type sites. To avoid damage sanitizer functions. JSA reports on data flows from source to to or any non-standard interaction with the sites, our web sink that do not go through a sanitizer. JSA reports on six dif- crawler did not fill out any HTML forms, did not log in to ferent issue types. Issues reported by JSA appear in Rational the application, and did not submit any additional HTTP AppScan Standard Edition software. Trace information for requests to the sites. In essence, our web crawler merely each issue is displayed in the issue information pane in performed an indexing of each application similar to that of Rational AppScan Standard Edition software. web search engines. Note that JSA runs entirely on the local machine, pulling Each application was tested for two main client-side visited URLs from the current scan, and performing no JavaScript issues: DOM-based Cross-site scripting, and Open communication with the site at all. This makes it possible to redirects7 a vulnerability which allows a malicious attacker to run JSA on existing scan files, even if the scanned host is not force the victim’s browser to automatically redirect to a site available. The engine of JSA uses a sophisticated taint analy- he/she owns, and which can be used for Phishing purposes. sis algorithm, and is based on a static analysis platform devel- oped by IBM research. Our research found that of the 675 websites analyzed, 98 (14.5 percent) were infested with DOM-based Cross-site Modern websites, which use Web 2.0 and AJAX, often gener- scripting and open redirects (Figure 1). ate HTML and JavaScript code on the fly. This means that standard static code analyzers cannot fully scan the source code and locate client-side JavaScript issues, since the source code itself does not yet include the entire HTML and 85.5% JavaScript code. On the other hand, because the input for the assessment done by JSA includes both the fully rendered HTML and the JavaScript code (both extracted by deep crawling of the website), client-side issues can be detected with superior accuracy. In essence, JSA enjoys the best of both dynamic and static analysis, amalgamating the two approaches, in order to accu- rately assess JavaScript code in its natural environment. 14.5% For this research, we used a sample group of 675 websites, Vulnerable sites including all 500 of the Fortune 500 companies, plus Not vulnerable sites 175 handpicked websites including IT security companies, web application security companies, social networking sites Figure 1: Percentage of sites vulnerable to client-side JavaScript issues 4
  • 5. IBM Software Technical White Paper Rational Another interesting piece of information was that out of Looking at the distribution of vulnerability types (Figure 3), the 98 vulnerable sites, 38 percent suffered from a vulnerabil- we see that of the 98 vulnerable sites, 92 (94 percent) ity introduced by a third-party JavaScript code snippet suffered from DOM-based Cross-site scripting issues, and (Figure 2). These snippets were included for adding one of only 11 (11 percent) suffered from Open redirects. The total the following capabilities: amount of DOM-based Cross-site scripting issues that were found was 2370, versus only 221 Open redirects. ● Marketing campaign JavaScript snippets. ● Flash embedding JavaScript snippets. In total, our scan included 169,443 web pages, out of which ● Deep linking JavaScript libraries for Flash and AJAX 90,929 were unique. Out of the unique pages, we have found applications. that 1659 web pages had a verified client-side JavaScript vul- ● Social networking JavaScript snippets. nerability, which means that the approximate likelihood for a random web page on the internet to contain a client-side JavaScript vulnerability is one in 55. 62% 2370 1200 1000 800 600 38% 400 221 200 92 0 11 In-house written JavaScript code DOM-based XSS 3rd party JavaScript code Open Redirect Sites Vulnerable Total Issues Figure 2: Vulnerable third party JavaScript code vs. in-house written code Figure 3: Distribution of vulnerability types (DOM-based Cross-site Snippets of this kind are quite common in web applications Scripting vs. Open redirects) these days, and we see a growing use of such third party JavaScript code, especially in Web 2.0 and AJAX web applica- tions. Moreover, web developers often add these snippets blindly, without performing any security verification on them—they are unaware of the hazards they introduce to what could have been a reasonably secure application. 5
  • 6. IBM Software Technical White Paper Rational In order to validate each of the issues found, and to avoid false positive results, we used the trace information provided by JSA, and manually verified each vulnerability. Below (Figure 4) you can see an example of such JavaScript trace information of a real vulnerability found during our research: Figure 4: JavaScript taint analysis trace information The example above is quite common. As can be seen, hacker-controlled data is first used in line #42, through the usage of the document.URL object, and is later used in the HTML code in line #1504. The various steps of the malicious data flow can also be observed. 6
  • 7. IBM Software Technical White Paper Rational Summary Omri Weisman, software development manager Our research, which ran on a modest-sized sample group of Omri Weisman is a software development manager in IBM. 675 websites, showed that client-side JavaScript issues such as For the past nine years, Omri has been leading software DOM-based Cross-site scripting and Open redirects are far development projects in the field of application security and more common than previously thought. Moreover, as vulnerability assessment. In his current position Omri man- Web 2.0 and AJAX design patterns that rely on untrusted ages the Static Analysis Group in IBM Rational, responsible third party JavaScript code gain popularity, it is likely that for building technologies for detecting security vulnerabilities client-side security issues will become more and more through code scanning. Omri holds a B.Sc. in mathematics common. and computer science from the Ben Gurion University. We suggest that the dearth of accurate statistics on the preva- Adi Sharabani, cross-Rational security strategy and lence of such issues in public discussions, projects, and architecture whitepapers on web application vulnerabilities is due to their Adi Sharabani is in charge of the cross-Rational security complex nature and the difficulty involved in manually or strategy. As part of his role, Adi is responsible for leading, automatically locating them. However, our research has designing, and deploying overall security processes within the demonstrated a new automated and accurate approach for Rational development groups. Adi was formerly head the locating client-side JavaScript issues, by amalgamating two IBM Rational Application Security Research, responsible for separate security analysis approaches: static taint analysis of research activities on web application security. Adi holds a JavaScript code, and deep dynamic web crawling of running B.A. in physics and in mathematics (both cum laude) from web applications. Our approach harnesses the best of both the Tel Aviv University and was a researcher at the techniques to locate vulnerabilities in web applications with University’s Astrophysics Lab precision. Yair Amit, security and research group manager, Vulnerability disclosure Rational IBM has notified the third party JavaScript vendors whose Yair Amit is the manager of the Rational Application code was found by our research to contain vulnerabilities Security and Research group. Yair manages technological about the severe issues found by IBM and offered assistance and security research and is responsible for the security in solving them. content of IBM Rational’s application security product line. Yair is recognized for his rich web and network security background; his research has found numerous security About the authors vulnerabilities and has been presented in various security Ory Segal, security products architect and IBM Rational events over the years. Yair holds a double major B.A. degree AppScan product manager in computer science and life sciences with specialization in Ory Segal is a leading expert in web application security and Bioinformatics (both summa-cum laude) from the Tel-Aviv an experienced product manager with more than 12 years of University. security and research experience. Ory is responsible for researching technologies and recommending strategic Lotem Guy directions for IBM Rational’s application security product Lotem Guy is a senior security researcher at the Rational line. Ory holds a degree in computer science from the Application Security and Research group. Lotem is responsi- Open University of Israel, and recently received an ble for researching new web application vulnerabilities, per- IBM Outstanding Technical Achievement Award. Ory is forming application security audits and developing security also an officer of the Web Application Security Consortium related features for the Rational AppScan products family. (WASC). Lotem holds a B.A. in computer science and computational biology from the Hebrew University in Jerusalem. 7
  • 8. For more information To learn more about IBM Rational AppScan products, contact your IBM representative or IBM Business Partner, or visit: ibm.com/software/rational/offerings/testing/ © Copyright IBM Corporation 2010 webapplicationsecurity IBM Corporation Additionally, financing solutions from IBM Global Financing Software Group Route 100 can enable effective cash management, protection from tech- Somers, NY 10589 nology obsolescence, improved total cost of ownership and U.S.A. return on investment. Also, our Global Asset Recovery Produced in the United States of America Services help address environmental concerns with new, December, 2010 more energy-efficient solutions. For more information on All Rights Reserved IBM Global Financing, visit: ibm.com/financing IBM, the IBM logo, ibm.com, Rational, and AppScan are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml Adobe, Flash, and the Flash logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. Other company, product, or service names may be trademarks or service marks of others. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates. The information contained in this documentation is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this documentation, it is provided “as is” without warranty of any kind, express or implied. In addition, this information is based on IBM’s 3 Klein, Amit. 2005. DOM Based Cross Site Scripting or XSS of the current product plans and strategy, which are subject to change by Third Kind. http://www.webappsec.org/projects/articles/071105.shtml IBM without notice. IBM shall not be responsible for any damages 4 Klein, Amit. 2005. DOM Based Cross Site Scripting or XSS of the arising out of the use of, or otherwise related to, this documentation or Third Kind. http://www.webappsec.org/projects/articles/071105.shtml any other documentation. Nothing contained in this documentation is intended to, nor shall have the effect of, creating any warranties or 5 Open Web Application Security Project. OWASP Testing Guide: representations from IBM (or its suppliers or licensors), or altering the Testing for DOM-based Cross site scripting (OWASP-DV-003). terms and conditions of the applicable license agreement governing http://www.owasp.org/index.php/Testing_for_DOM-based_ the use of IBM software. Cross_site_scripting_(OWASP-DV-003) 1 Web Application Security Consortium. Web Hacking Incidents 6 Rational AppScan Standard Edition. http://www-01.ibm.com/software/ Database (WHID). http://projects.webappsec.org/Web-Hacking- awdtools/appscan/standard/ Incident-Database 7 MITRE. CWE-601: URL Redirection to Untrusted Site (‘Open 2 Web Application Security Consortium. WASC Statistics Project. Redirect’). http://cwe.mitre.org/data/definitions/601.html http://projects.webappsec.org/Web-Application-Security-Statistics Please Recycle RAW14252-USEN-00