SlideShare uma empresa Scribd logo

NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner

Transferir como PPTX, PDF
Nishant Das Patnaik
Nishant Das Patnaik

Ra.2 is a proof-of-concept blackbox DOM based XSS scanner. It is a plugin for the Mozilla Firefox browser.

Tecnologia
1 de 27
A DOM-based XSS scanner, for the rest of us! Nishant Das Patnaik Sarathi Sabyasachi Sahoo nishant.dp@gmail.com sarathisahoo@gmail.com
Nishant Das Patnaik • Application Security Enthusiast • Present: Security Engineer at Yahoo! Inc., India • Past: Security Engineer at eBay Inc. • I express my views at http://nishant.daspatnaik.com • Play electronic keyboards and love to cook  Sarathi Sabyasachi Sahoo • Web Application Developer • Senior Software Engineer at Yahoo! R & D, India • Die-hard Shah Rukh Khan fan 
• What is DOM based XSS? Introduction • It’s relevance • test manually? How to • proposed solution. • Introducing RA.2 RA.2 Internals • Unique Selling Points • DOMinator V/s Ra.2 Case Study • What’s next? Future Plans
What is DOM XSS? • DOM or the document object model is a way by which scripts can access the structure of a page they reside in, and it is used to manipulate the page content in modern WEB 2.0 applications. • JavaScript often use user inputs to modify the DOM. These inputs can be evil. • Input can be URL parameters, XHR responses, HTTP Headers etc. • Server side input validation logic fails at data sanitization. Think of “page.html#evil”. • Equally dangerous as Reflective XSS and Stored XSS. Browser-integrated XSS filters are useless against it.
Terminology • Sources: These are the input data that can be directly or indirectly controlled by an attacker. • Sinks: These are the potentially dangerous functions that can lead to code execution, when abused, to take advantage of some kind of exploitation. • Filters: These are the operations which change the content or check for specific structures/values.
Sources • Everything taken from the URL • document.URL • document.URLUnencoded • document.location(.pathname|.href|.search|.hash) • window.location(.pathname|.href|.search|.hash) • The Referrer • document.referrer • The window name • window.name and many more. • Did you find a clue? All GET parameters and few HTTP headers. • Why not POST variables? You say!
Sinks • Every functionality that will create HTML: • innerHTML • outerHTML • document.write • Every functionality that will interpret a user input string as JavaScript code: • eval • execScript • function • setTimeout • setInterval • script.src • iframe.src • location.(replace|assign) etc.
DOM XSS Example Page - 01 01 <script type="text/javascript"> 02 var param = location.hash.split("#")[1]; 03 document.write("Hello " + param + "!"); 04 </script>
DOM XSS Example Page - 02 ... 01 function timedMsg(callback) 02 { 03 if(callback) 04 { 05 var t=setTimeout(eval('callback'),3000); 06 return 0; 07 } 08 } 09 function fire() 10 { 11 var call = location.hash.split("#")[1]; 12 timedMsg(call); 13 } 14 </script> 15 </head> 16 <body onload="fire()"> ...
DOM XSS Example Page - 03 ... 01 function go() 02 { 03 if (document.location.hash.split("#")[1]) 04 { 05 location.replace(location.hash.split("#")[1]); 06 } 07 } 08 </script> 09 </head> 10 <body onload="go()"> ...
DOM XSS Example Page - 04 01 <script> 02 var param = document.location.hash.split("#")[1]; 03 if (param) 04 { 05 var d = document.createElement('div'); 06 d.innerHTML = param; 07 if (document.body != null) 08 { 09 document.body.appendChild(d); 10 } 11 } 12 </script>
DOM XSS Example Page - 05 ... 01 <a id="anchor" name="anchor">Continue</a> 02 <script type="text/javascript“> 03 var redir = location.hash.split("#")[1]; 04 x = document.getElementById('anchor'); 05 x.setAttribute('href',redir); 06 </script> ...
DOM XSS Example Page - 06 ... <body onload=reload()> <iframe id="frame1" name="frame1" src="about:blank"></iframe> <script> function reload() { var redir = location.hash.split("#")[1]; if (redir) { x = document.getElementById('frame1'); x.setAttribute('src',redir); } } ...
Why do we care about it? st • Not new, Amit Klein was the 1 to talk about it; but now code shifting towards client-side: AJAX, Web 2.0, RIA • 56 out of Alexa Top 100 sites are vulnerable to DOM-XSS. (Source: DOMinator’s Blog) • Integrated XSS filters in browsers are failing to filter DOM-based XSS. • Server-side input validation is bypassed. • Has the same severity of impact on your user, as regular XSS. • DOMinator is probably the only tool that tries to solve this issue to some extent. Do you agree? Anyone?
Test DOM XSS manually Source-code review is THE BEST way! But..like this? Yeah, I know it’s kind of hard.
Possible Solutions 1. Static Analyzer • Pro: Very good at finding flows, if well implemented. Very fast. • Cons: The problem with every Static Analyzer: Knowledge Base, lack of runtime analysis, lots of false positives/negatives etc. 2. Dynamic Analyzer • Pro: uses native interpreter so no problem with obfuscation/compression • Cons: cannot follow the flow.
Proposed Solution Browser Automation Black-box Fuzzing Firefox JS Engine Interpretation Goodness of Automation + Goodness Blackbox Fuzzing = Win!
Introducing Ra.2 • Ra.2? – Code name of our tool. The coder (Sarathi) is a fan of Shah Rukh Khan!  • Ra.2 is a Mozilla Firefox Add-on. • It uses Firefox’s JavaScript Engine to dynamically execute vectors injected into possible sources, to locate most exploitable DOM XSS issues.
7. Generates customizable 1. Initiate a scan How it works? report 2. Injects its custom 6. XHR sends the JavaScript code to the vulnerable URL to a <head> of current your DB host DOM 5. Callback generates XHR 3. Fuzzes possible to our DB sources with our custom host, if it lands defined callback in a sink 4. Automate some event handlers to trigger the callback
Unique Selling Points • Ra.2 is designed to be False Positive Free, since vulnerable URLs are saved in DB, if and only if, our JS payload is executed successfully by the browser. Hence marked exploitable. • Large collection of injection vectors, includes “modified” R’Snake’s vectors as well. • Supports transforming characters. Content Aware Application. Unicode Characters. • Automatically handles JavaScript obfuscation/compression, as it relies on native interpreter • Its light-weight and fast • Pretty easy learning curve. Point-n-Click.
DOMinator V/S Ra.2 • Gray box scanner • Blackbox Scanner • Runtime code-flow analysis • Basic Browser Automation Support • Manual analysis required • False Positive Free • Steep learning curve • Point-n-Click Tool • Slow; requires heavy manual analysis • Lightweight & Fast • Standalone tool • Firefox Add-on; easier deployment • Not free for enterprise use • Free to use Verdict: Both are complementary to each other. 
Last Notes • Our tool can pretty well detect low-hanging fruits. • It is a work-in-progress and like other automated tools, it can not detect all issues automatically, but it’s efficiency is continually improving. • As like with any other tool, it is not a replacement to manual penetration testing. 
What’s next? • A way to detect browser dependent DOM-XSS issues. • Better browser instrumentation • Run-time code flow analysis engine = Fewer False Negative • Better reporting • Your suggestions? 
Positive criticisms, feedback, brainstorming: • Stefano Di Paola – stefano@mindedsecurity.com • Bishan Singh – c70n3r@gmail.com • Daniel M. Wong – dmwong@yahoo.com If you find it useful, please drop a line to them. 
Thank You! Any questions, please?

Recomendados

Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)ClubHack
 
Dom based xss
Dom based xssDom based xss
Dom based xssLê Giáp
 
JSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedJSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedKazuho Oku
 
Secure java script-for-developers
Secure java script-for-developersSecure java script-for-developers
Secure java script-for-developersn|u - The Open Security Community
 
Advanced CSRF and Stateless Anti-CSRF
Advanced CSRF and Stateless Anti-CSRFAdvanced CSRF and Stateless Anti-CSRF
Advanced CSRF and Stateless Anti-CSRFjohnwilander
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesseskuza55
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSIvan Ortega
 

Recomendados

Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)ClubHack
 
Dom based xss
Dom based xssDom based xss
Dom based xssLê Giáp
 
JSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedJSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedKazuho Oku
 
Secure java script-for-developers
Secure java script-for-developersSecure java script-for-developers
Secure java script-for-developersn|u - The Open Security Community
 
Advanced CSRF and Stateless Anti-CSRF
Advanced CSRF and Stateless Anti-CSRFAdvanced CSRF and Stateless Anti-CSRF
Advanced CSRF and Stateless Anti-CSRFjohnwilander
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesseskuza55
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSIvan Ortega
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & DefenseBlueinfy Solutions
 
Postcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration nullPostcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration nullPiyush Pattanayak
 
JSON Fuzzing: New approach to old problems
JSON Fuzzing: New approach to old problemsJSON Fuzzing: New approach to old problems
JSON Fuzzing: New approach to old problemstitanlambda
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesseskuza55
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threatAvădănei Andrei
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
JSON Injection
JSON InjectionJSON Injection
JSON Injectionn|u - The Open Security Community
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Ruby on Rails Security Guide
Ruby on Rails Security GuideRuby on Rails Security Guide
Ruby on Rails Security Guideihji
 
Breaking AngularJS Javascript sandbox
Breaking AngularJS Javascript sandboxBreaking AngularJS Javascript sandbox
Breaking AngularJS Javascript sandboxMathias Karlsson
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
Examining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS FilterExamining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS Filterkuza55
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hoursnoopythesecuritydog
 
Java scipt
Java sciptJava scipt
Java sciptAshish Gajjar Samvad Cell
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyKrishna T
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
AJAX - An introduction
AJAX - An introductionAJAX - An introduction
AJAX - An introductionEleonora Ciceri
 
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksJSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksMario Heiderich
 
HTML5 - An introduction
HTML5 - An introductionHTML5 - An introduction
HTML5 - An introductionEleonora Ciceri
 
20120306 dublin js
20120306 dublin js20120306 dublin js
20120306 dublin jsRichard Rodger
 
20120802 timisoara
20120802 timisoara20120802 timisoara
20120802 timisoaraRichard Rodger
 

Mais conteúdo relacionado

Mais procurados

Postcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration nullPostcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration nullPiyush Pattanayak
 
JSON Fuzzing: New approach to old problems
JSON Fuzzing: New approach to old problemsJSON Fuzzing: New approach to old problems
JSON Fuzzing: New approach to old problemstitanlambda
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesseskuza55
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threatAvădănei Andrei
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Ruby on Rails Security Guide
Ruby on Rails Security GuideRuby on Rails Security Guide
Ruby on Rails Security Guideihji
 
Breaking AngularJS Javascript sandbox
Breaking AngularJS Javascript sandboxBreaking AngularJS Javascript sandbox
Breaking AngularJS Javascript sandboxMathias Karlsson
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
Examining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS FilterExamining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS Filterkuza55
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hoursnoopythesecuritydog
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyKrishna T
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksJSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksMario Heiderich
 

Mais procurados (20)

XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
Postcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration nullPostcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration null
 
JSON Fuzzing: New approach to old problems
JSON Fuzzing: New approach to old problemsJSON Fuzzing: New approach to old problems
JSON Fuzzing: New approach to old problems
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesses
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
JSON Injection
JSON InjectionJSON Injection
JSON Injection
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
Ruby on Rails Security Guide
Ruby on Rails Security GuideRuby on Rails Security Guide
Ruby on Rails Security Guide
 
Breaking AngularJS Javascript sandbox
Breaking AngularJS Javascript sandboxBreaking AngularJS Javascript sandbox
Breaking AngularJS Javascript sandbox
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Examining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS FilterExamining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS Filter
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hour
 
Java scipt
Java sciptJava scipt
Java scipt
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin Policy
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
AJAX - An introduction
AJAX - An introductionAJAX - An introduction
AJAX - An introduction
 
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksJSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
 
HTML5 - An introduction
HTML5 - An introductionHTML5 - An introduction
HTML5 - An introduction
 

Semelhante a NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner

Sahi Principles and Architecture
Sahi Principles and ArchitectureSahi Principles and Architecture
Sahi Principles and ArchitectureTyto Software
 
Chirp 2010: Scaling Twitter
Chirp 2010: Scaling TwitterChirp 2010: Scaling Twitter
Chirp 2010: Scaling TwitterJohn Adams
 
Discovering Vulnerabilities For Fun and Profit
Discovering Vulnerabilities For Fun and ProfitDiscovering Vulnerabilities For Fun and Profit
Discovering Vulnerabilities For Fun and ProfitAbhisek Datta
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Yury Chemerkin
 
External JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesExternal JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesVolkan Özçelik
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
Usersnap and the javascript magic behind the scenes - ViennaJS
Usersnap and the javascript magic behind the scenes - ViennaJSUsersnap and the javascript magic behind the scenes - ViennaJS
Usersnap and the javascript magic behind the scenes - ViennaJSUsersnap
 
Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Volkan Özçelik
 
Xfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockXfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockownerkhan
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) Volkan Özçelik
 
Ch 12 Attacking Users - XSS
Ch 12 Attacking Users - XSSCh 12 Attacking Users - XSS
Ch 12 Attacking Users - XSSSam Bowne
 
The Mobile Web - HTML5 on mobile devices
The Mobile Web - HTML5 on mobile devicesThe Mobile Web - HTML5 on mobile devices
The Mobile Web - HTML5 on mobile devicesWesley Hales
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?Nathan Van Gheem
 
Fixing twitter
Fixing twitterFixing twitter
Fixing twitterRoger Xia
 

Semelhante a NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner (20)

20120306 dublin js
20120306 dublin js20120306 dublin js
20120306 dublin js
 
20120802 timisoara
20120802 timisoara20120802 timisoara
20120802 timisoara
 
Apache Drill (ver. 0.2)
Apache Drill (ver. 0.2)Apache Drill (ver. 0.2)
Apache Drill (ver. 0.2)
 
Sahi Principles and Architecture
Sahi Principles and ArchitectureSahi Principles and Architecture
Sahi Principles and Architecture
 
Chirp 2010: Scaling Twitter
Chirp 2010: Scaling TwitterChirp 2010: Scaling Twitter
Chirp 2010: Scaling Twitter
 
Discovering Vulnerabilities For Fun and Profit
Discovering Vulnerabilities For Fun and ProfitDiscovering Vulnerabilities For Fun and Profit
Discovering Vulnerabilities For Fun and Profit
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...
 
External JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesExternal JavaScript Widget Development Best Practices
External JavaScript Widget Development Best Practices
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
Usersnap and the javascript magic behind the scenes - ViennaJS
Usersnap and the javascript magic behind the scenes - ViennaJSUsersnap and the javascript magic behind the scenes - ViennaJS
Usersnap and the javascript magic behind the scenes - ViennaJS
 
Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012
 
Xfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockXfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknock
 
Javascript for Wep Apps
Javascript for Wep AppsJavascript for Wep Apps
Javascript for Wep Apps
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1)
 
Ch 12 Attacking Users - XSS
Ch 12 Attacking Users - XSSCh 12 Attacking Users - XSS
Ch 12 Attacking Users - XSS
 
The Mobile Web - HTML5 on mobile devices
The Mobile Web - HTML5 on mobile devicesThe Mobile Web - HTML5 on mobile devices
The Mobile Web - HTML5 on mobile devices
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?
 
Fixing twitter
Fixing twitterFixing twitter
Fixing twitter
 
Fixing_Twitter
Fixing_TwitterFixing_Twitter
Fixing_Twitter
 

Último

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 

Último (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner

  • 1. A DOM-based XSS scanner, for the rest of us! Nishant Das Patnaik Sarathi Sabyasachi Sahoo nishant.dp@gmail.com sarathisahoo@gmail.com
  • 2. Nishant Das Patnaik • Application Security Enthusiast • Present: Security Engineer at Yahoo! Inc., India • Past: Security Engineer at eBay Inc. • I express my views at http://nishant.daspatnaik.com • Play electronic keyboards and love to cook  Sarathi Sabyasachi Sahoo • Web Application Developer • Senior Software Engineer at Yahoo! R & D, India • Die-hard Shah Rukh Khan fan 
  • 3. • What is DOM based XSS? Introduction • It’s relevance • test manually? How to • proposed solution. • Introducing RA.2 RA.2 Internals • Unique Selling Points • DOMinator V/s Ra.2 Case Study • What’s next? Future Plans
  • 4. What is DOM XSS? • DOM or the document object model is a way by which scripts can access the structure of a page they reside in, and it is used to manipulate the page content in modern WEB 2.0 applications. • JavaScript often use user inputs to modify the DOM. These inputs can be evil. • Input can be URL parameters, XHR responses, HTTP Headers etc. • Server side input validation logic fails at data sanitization. Think of “page.html#evil”. • Equally dangerous as Reflective XSS and Stored XSS. Browser-integrated XSS filters are useless against it.
  • 5. Terminology • Sources: These are the input data that can be directly or indirectly controlled by an attacker. • Sinks: These are the potentially dangerous functions that can lead to code execution, when abused, to take advantage of some kind of exploitation. • Filters: These are the operations which change the content or check for specific structures/values.
  • 6. Sources • Everything taken from the URL • document.URL • document.URLUnencoded • document.location(.pathname|.href|.search|.hash) • window.location(.pathname|.href|.search|.hash) • The Referrer • document.referrer • The window name • window.name and many more. • Did you find a clue? All GET parameters and few HTTP headers. • Why not POST variables? You say!
  • 7. Sinks • Every functionality that will create HTML: • innerHTML • outerHTML • document.write • Every functionality that will interpret a user input string as JavaScript code: • eval • execScript • function • setTimeout • setInterval • script.src • iframe.src • location.(replace|assign) etc.
  • 8. DOM XSS Example Page - 01 01 <script type="text/javascript"> 02 var param = location.hash.split("#")[1]; 03 document.write("Hello " + param + "!"); 04 </script>
  • 9. DOM XSS Example Page - 02 ... 01 function timedMsg(callback) 02 { 03 if(callback) 04 { 05 var t=setTimeout(eval('callback'),3000); 06 return 0; 07 } 08 } 09 function fire() 10 { 11 var call = location.hash.split("#")[1]; 12 timedMsg(call); 13 } 14 </script> 15 </head> 16 <body onload="fire()"> ...
  • 10. DOM XSS Example Page - 03 ... 01 function go() 02 { 03 if (document.location.hash.split("#")[1]) 04 { 05 location.replace(location.hash.split("#")[1]); 06 } 07 } 08 </script> 09 </head> 10 <body onload="go()"> ...
  • 11. DOM XSS Example Page - 04 01 <script> 02 var param = document.location.hash.split("#")[1]; 03 if (param) 04 { 05 var d = document.createElement('div'); 06 d.innerHTML = param; 07 if (document.body != null) 08 { 09 document.body.appendChild(d); 10 } 11 } 12 </script>
  • 12. DOM XSS Example Page - 05 ... 01 <a id="anchor" name="anchor">Continue</a> 02 <script type="text/javascript“> 03 var redir = location.hash.split("#")[1]; 04 x = document.getElementById('anchor'); 05 x.setAttribute('href',redir); 06 </script> ...
  • 13. DOM XSS Example Page - 06 ... <body onload=reload()> <iframe id="frame1" name="frame1" src="about:blank"></iframe> <script> function reload() { var redir = location.hash.split("#")[1]; if (redir) { x = document.getElementById('frame1'); x.setAttribute('src',redir); } } ...
  • 14.
  • 15. Why do we care about it? st • Not new, Amit Klein was the 1 to talk about it; but now code shifting towards client-side: AJAX, Web 2.0, RIA • 56 out of Alexa Top 100 sites are vulnerable to DOM-XSS. (Source: DOMinator’s Blog) • Integrated XSS filters in browsers are failing to filter DOM-based XSS. • Server-side input validation is bypassed. • Has the same severity of impact on your user, as regular XSS. • DOMinator is probably the only tool that tries to solve this issue to some extent. Do you agree? Anyone?
  • 16. Test DOM XSS manually Source-code review is THE BEST way! But..like this? Yeah, I know it’s kind of hard.
  • 17. Possible Solutions 1. Static Analyzer • Pro: Very good at finding flows, if well implemented. Very fast. • Cons: The problem with every Static Analyzer: Knowledge Base, lack of runtime analysis, lots of false positives/negatives etc. 2. Dynamic Analyzer • Pro: uses native interpreter so no problem with obfuscation/compression • Cons: cannot follow the flow.
  • 18. Proposed Solution Browser Automation Black-box Fuzzing Firefox JS Engine Interpretation Goodness of Automation + Goodness Blackbox Fuzzing = Win!
  • 19. Introducing Ra.2 • Ra.2? – Code name of our tool. The coder (Sarathi) is a fan of Shah Rukh Khan!  • Ra.2 is a Mozilla Firefox Add-on. • It uses Firefox’s JavaScript Engine to dynamically execute vectors injected into possible sources, to locate most exploitable DOM XSS issues.
  • 20. 7. Generates customizable 1. Initiate a scan How it works? report 2. Injects its custom 6. XHR sends the JavaScript code to the vulnerable URL to a <head> of current your DB host DOM 5. Callback generates XHR 3. Fuzzes possible to our DB sources with our custom host, if it lands defined callback in a sink 4. Automate some event handlers to trigger the callback
  • 21. Unique Selling Points • Ra.2 is designed to be False Positive Free, since vulnerable URLs are saved in DB, if and only if, our JS payload is executed successfully by the browser. Hence marked exploitable. • Large collection of injection vectors, includes “modified” R’Snake’s vectors as well. • Supports transforming characters. Content Aware Application. Unicode Characters. • Automatically handles JavaScript obfuscation/compression, as it relies on native interpreter • Its light-weight and fast • Pretty easy learning curve. Point-n-Click.
  • 22. DOMinator V/S Ra.2 • Gray box scanner • Blackbox Scanner • Runtime code-flow analysis • Basic Browser Automation Support • Manual analysis required • False Positive Free • Steep learning curve • Point-n-Click Tool • Slow; requires heavy manual analysis • Lightweight & Fast • Standalone tool • Firefox Add-on; easier deployment • Not free for enterprise use • Free to use Verdict: Both are complementary to each other. 
  • 23.
  • 24. Last Notes • Our tool can pretty well detect low-hanging fruits. • It is a work-in-progress and like other automated tools, it can not detect all issues automatically, but it’s efficiency is continually improving. • As like with any other tool, it is not a replacement to manual penetration testing. 
  • 25. What’s next? • A way to detect browser dependent DOM-XSS issues. • Better browser instrumentation • Run-time code flow analysis engine = Fewer False Negative • Better reporting • Your suggestions? 
  • 26. Positive criticisms, feedback, brainstorming: • Stefano Di Paola – stefano@mindedsecurity.com • Bishan Singh – c70n3r@gmail.com • Daniel M. Wong – dmwong@yahoo.com If you find it useful, please drop a line to them. 