DOM Based XSS (or, as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. Certain vulnerabilities in JavaScript code cannot be tracked by standard IDS or perimeter security measures, which leaves a huge potential exposure: the code can be abused to steal data or bypass authentication mechanisms in web interfaces. This presentation will demonstrate such vulnerabilities and also present Minded Security’s latest countermeasure, DOMinatorPro.
4. Introduction
OWASP Top Ten 2013
A list of the 10 Most Critical Web Application Security Risks
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
6. Cross Site Scripting – Identification and Detection
[Diagram: the server builds the page as "<html>..+ taintedInput +..</html>"; with taintedInput=<script>evilJs</script> the response contains <script>evilJs</script>, which is visible to Security Scanners/Sensors on the HTTP path.]
7. Reflected Cross Site Scripting - Identification and Detection
[Diagram: the server builds the page as "<html>..+ taintedInput +..</html>"; with taintedInput=<script>evilJs</script> the response contains <script>evilJs</script>, which is visible to Security Scanners/Sensors on the HTTP path.]
8. Stored Cross Site Scripting - Identification and Detection
[Diagram: the server builds the page as "<html>..+ taintedInput +..</html>"; with taintedInput=<script>evilJs</script> the response contains <script>evilJs</script>, which is visible to Security Scanners/Sensors and Security Scanners on the HTTP path.]
9. DOM Based Cross Site Scripting – Identification and Detection
[Diagram: taintedInput=<script>evilJs</script> is concatenated into "<html>..+ taintedInput +..</html>" by client side script and ends up as <script>evilJs</script> in the DOM; Security Scanners/Sensors on the network path see ??? ??? because these are In Browser Attacks.]
12. Introduction - Cross Site Scripting Analysis
Does the Risk Analysis fit the DOM Based Cross Site Scripting?
13. DOM Based Cross Site Scripting - Analysis
Impacts/Risks are identical.
Detectability is lower for DOM-Based XSS, as it is harder for
defenders to find (no network in/out observation).
Yet DOM Based XSS is still part of the OWASP Top Ten.
Does the Risk Analysis fit the DOM Based Cross Site Scripting?
14. Client Side Issues And Impacts
Vulnerability                        | Impact
JS Execution (DOM Based XSS)         | Complete control over the user's page. (CI)
HTML Injection / Content Spoofing    | Arbitrary HTML insertion; the attacker can completely spoof the content but cannot access cookies and other JS data. (CI)
Client Side SQL Injection            | Data exfiltration (CI)
URL Redirect                         | URL spoofing (C)
CSS Injection                        | Extract sensitive information (C)
Resource Manipulation                | Change the location of a resource requested by a page. (CI)
...                                  | ...
C=Confidentiality, I=Integrity
15. Trends 2005 – 2014. From Server To Client
[Chart: usage of JavaScript over the years]
16. 3rd Party JavaScript Usage
Experiment: take the top 100 sites from Alexa, extract all script sources and count how many external scripts are used.
Result: ~70% contained 3rd party JS.
Do you trust 3rd party code in your site?
… Let me rephrase it:
Have you ever tested your 3rd party JS?
19. Approach & Solutions
[Diagram: minimized client side JavaScript vs. server side Java/C#/whatever]
But automated static analysis can do it.. doesn't it?
Spot the difference!
20. Static Analysis
On structured languages like Java or C# some good coverage can be achieved
(within the limits of static analysis).
On flexible/dynamic languages like JavaScript, all of the following read the very same source:
location.search
window.location.search
document.location.search
window["location"]['search']
window["l"+"o"+"\x63"+"ation"][atob('c2VhcmNo')]
window[arr[43]][obj['theSearch']]
Very poor coverage!
Runtime ?
21. Runtime Approach
Runtime blind fuzzing:
Black box scanning, fault injection with patterns, hoping to reach
the sink (dangerous function).
Poor coverage, lots of false negatives.
Real time taint propagation with instrumentation:
Propagates the "taint" flag during real time execution.
Real client state emulation (in-browser test cases).
OWASP Project: DOMinator by Minded Security
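The contrast between the static analysis slide (the six spellings of location.search) and the runtime approach, as an added example that is not part of the slides or of DOMinator: a mock window whose source property is instrumented with a getter, compared against a naive pattern match over the source text. The query string, arr and obj are constructed for the demo.

```javascript
// Added example, not from the slides: a mock "window" whose location.search
// is instrumented with a getter (runtime detection) versus a naive static
// pattern match. All sample values, "arr" and "obj" are constructed here.
const atob = globalThis.atob ?? ((s) => Buffer.from(s, 'base64').toString('binary'));
// Constructed query string standing in for a real page's URL ?search part.
const SAMPLE_SEARCH = '?q=constructed-sample';
// Runtime instrumentation: every read of the source is recorded in `reads`,
// however the property names were spelled or computed by the caller.
function makeInstrumentedWindow(reads) {
  const location = {};
  Object.defineProperty(location, 'search', {
    get() { reads.push('location.search'); return SAMPLE_SEARCH; },
    enumerable: true,
  });
  const win = { location, atob, document: { location } }; // document.location aliases it
  win.window = win;                                        // window.window, as in a browser
  return win;
}
// The six access patterns from the slide, as they would appear in app code.
const ACCESS_PATTERNS = [
  'location.search',
  'window.location.search',
  'document.location.search',
  'window["location"][\'search\']',
  'window["l"+"o"+"\\x63"+"ation"][atob(\'c2VhcmNo\')]',
  'window[arr[43]][obj["theSearch"]]',
];
// Naive static check: look for the literal source name in the code text.
function staticallyFlagged(snippet) {
  return /\blocation\s*\.\s*search\b/.test(snippet);
}
// Runtime check: execute the snippet against the instrumented window and
// report whether the source getter fired (Function() only runs the demo snippets).
function dynamicallyFlagged(snippet) {
  const reads = [];
  const win = makeInstrumentedWindow(reads);
  const arr = []; arr[43] = 'location';
  const obj = { theSearch: 'search' };
  new Function('window', 'document', 'location', 'atob', 'arr', 'obj',
    'return ' + snippet)(win, win.document, win.location, atob, arr, obj);
  return reads.length > 0;
}
// Per-pattern verdicts: static misses the computed forms, runtime catches all six.
function compare() {
  return ACCESS_PATTERNS.map((s) =>
    ({ snippet: s, staticHit: staticallyFlagged(s), runtimeHit: dynamicallyFlagged(s) }));
}
```

Only the three literal spellings are caught by the text match, while the instrumented getter fires for every one of the six reads.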
22. Minded Security DOMinatorPro
First experiment, in 2010: we took the Alexa top 100 sites,
analyzed them using DOMinatorPro,
and found 56 to be vulnerable to DOM Based XSS attacks.
23. Minded Security DOMinatorPro Enterprise
The Automation Suite:
Browser based crawler
Web management
Selenium based connector with DOMinatorPro
Remote alert collector (local web server)
CLI interactive interface to Selenium
Management by project
Scripting possibilities
DEMO Time
24. Minded Security DOMinatorPro Enterprise
Developers:
Unit and functional testing.
Test their own code.
Identify the issue and fix it.
QA Testers:
Unit and functional testing.
Alerts while QA testing.
Security Testers:
Black box browsing.
Details about operations without encodings.
3rd party JavaScript.