Financial Cyber-Threat Briefing
“Planning for Attack-Resilient Web Applications”
11th July 2014
Hosted @Sponsored By
Stefano Di Paola
CTO Minded Security
Preventing In-Browser Malicious Code Execution
Who Am I
• Stefano Di Paola
• Research
  • OWASP-Italy Senior Member
  • Testing Guide Contributor
  • OWASP SWFIntruder
  • DOMinator (JavaScript Runtime Taint Engine)
  • Bug Hunter & Sec Research (Pdf UXSS, Flash Security, HPP)
  • Security Since '99
• Work
  • CTO @ Minded Security Application Security Consulting
  • Director of Minded Security Research Labs
• Blog: http://blog.mindedsecurity.com
• Twitter: @wisecwisec
2
Agenda
• Introduction
• Impacts & Concerns
• Approach & Proposed Solutions
3
Introduction
4
OWASP Top Ten 2013
A list of the 10 Most Critical Web Application Security Risks
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards
Introduction - Cross Site Scripting Analysis
5
Cross Site Scripting – Identification and Detection
6
Diagram: the server builds the page as "<html>.." + taintedInput + "..</html>"; with taintedInput = <script>evilJs</script> the browser receives <html>.. <script>evilJs</script> ..</html>. Security Scanners/Sensors sit on the path between the input and the rendered page.
Reflected Cross Site Scripting - Identification and Detection
7
Diagram: the server reflects the input into the page as "<html>.." + taintedInput + "..</html>"; with taintedInput = <script>evilJs</script> the browser receives <html>.. <script>evilJs</script> ..</html>. Security Scanners/Sensors sit on the path between the input and the rendered page.
Stored Cross Site Scripting - Identification and Detection
8
Diagram: the stored input is later built into the page as "<html>.." + taintedInput + "..</html>"; with taintedInput = <script>evilJs</script> the browser receives <html>.. <script>evilJs</script> ..</html>. Two observation points are shown: Security Scanners/Sensors on the input path and Security Scanners on the stored data.
DOM Based Cross Site Scripting – Identification and Detection
9
Diagram: the browser receives the page <html>.. <script>evilJs</script> ..</html> and the concatenation "<html>.." + taintedInput + "..</html>" is performed by script inside the browser, with taintedInput = <script>evilJs</script>. The Security Scanners/Sensors boxes are marked ??? ???: there is no observation point for these In Browser Attacks.
DOM Based XSS Demo on Yahoo! Mail - Video
10
Agenda
• Introduction
• Impacts & Concerns
• Approach & Proposed Solutions
11
Introduction - Cross Site Scripting Analysis
12
Does the Risk Analysis fit DOM Based Cross Site Scripting?
DOM Based Cross Site Scripting - Analysis
13
• Impacts/Risks are identical
• Detectability is lower for DOM-Based XSS, as it is harder for defenders to find (no Network In/Out Observation)
• Yet DOM Based XSS is still part of the OWASP Top Ten.
Does the Risk Analysis fit DOM Based Cross Site Scripting?
Client Side Issues And Impacts
14
| Vulnerability | Impact |
| --- | --- |
| JS Execution (DOM Based Cross Site Scripting) | Complete Control Over User's Page. (CI) |
| HTML Injection / Content Spoofing | Arbitrary HTML Insertion. Attacker can completely spoof the content. Cannot Access Cookies and other JS Data. (CI) |
| Client Side SQL Injection | Data exfiltration (CI) |
| URL Redirect | URL Spoofing (C) |
| CSS Injection | Extract Sensitive Information (C) |
| Resource Manipulation | Change the location of a resource requested by a page. (CI) |
| ... | ... |
C=Confidentiality, I=Integrity
Trends 2005 – 2014. From Server To Client
Usage of JavaScript Over the Years
15
3rd Party JavaScript Usage
• Experiment: take the top 100 sites from Alexa, extract all script sources and count how many external scripts are used.
• Result: ~70% contained 3rd Party JS.
Do you trust 3rd Party Code in your site?
… Let me rephrase it:
Have you ever tested your 3rd Party JS?
16
Agenda
• Introduction
• Impacts & Concerns
• Approach & Proposed Solutions
17
Identification Approach
• Static Analysis
• Blind Fuzzing
• Runtime Taint Analysis
18
Approach & Solutions
19
[Figure: two code samples side by side, "Minimized Client Side JavaScript" and "Server Side Java/C#/Whatever"]
But Automated Static Analysis can do it.. doesn't it?
Spot the Difference!
Static Analysis
• On Structured Languages like Java or C# some good coverage can be performed (according to Static Analysis limits)
• On Flexible/Dynamic languages like JavaScript, the same source (the URL query string) can be reached in many ways:
  location.search
  window.location.search
  document.location.search
  window["location"]['search']
  window["l"+"o"+"\x63"+"ation"][atob('c2VhcmNo')]
  window[arr[43]][obj['theSearch']]
very poor coverage!
Runtime ?
20
Runtime Approach
• Runtime Blind Fuzzing:
  • BlackBox Scanning, fault injection with patterns, hoping to reach the sink (dangerous function).
  • Poor coverage, lots of false negatives
• Real Time Taint Propagation with Instrumentation:
  • Propagates the "taint" flag during real time execution.
  • Real client state emulation (in-browser test cases)
  • OWASP Project: DOMinator by Minded Security
21
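Runtime taint propagation as described on this slide, contrasted with the many spellings of the source on the static analysis slide, as an added Node.js example that is not part of the deck and not DOMinator's code: a constructed fake `window` whose `location.search` is the taint source, instrumented `concat`/`substring` that carry the taint, an HTML encoder that drops it, and an instrumented `innerHTML` sink that raises an alert; `Buffer.from` stands in for the slide's `atob`.

```javascript
"use strict";

// A taint-carrying string: the value plus the source it was derived from.
class Tainted {
  constructor(value, source) {
    this.value = String(value);
    this.source = source; // e.g. "location.search"
  }
  toString() { return this.value; }
}

// Instrumented string operations: the result stays tainted if any input is.
function concat(...parts) {
  const tainted = parts.find(p => p instanceof Tainted);
  const value = parts.map(String).join("");
  return tainted ? new Tainted(value, tainted.source) : value;
}
function substring(s, start, end) {
  const value = String(s).substring(start, end);
  return s instanceof Tainted ? new Tainted(value, s.source) : value;
}

// HTML-entity encoding for the innerHTML context. The output is a plain
// string: for this sink the encoder counts as a sanitizer, so taint is dropped.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Constructed stand-in for the browser: location.search is the taint source.
function makeWindow(search) {
  const location = { search: new Tainted(search, "location.search") };
  return { location, document: { location } };
}

// Instrumented sink. Returns an alert object when tainted data reaches it and
// null otherwise: the in-browser sensor that slide 9 marks with ???.
function setInnerHTML(elementId, html) {
  if (html instanceof Tainted) {
    return { sink: "innerHTML", element: elementId, source: html.source, value: html.value };
  }
  return null;
}

// The spellings of the source from slide 19. At runtime they all resolve to the
// same object, so taint is found regardless of how the access was written.
// (Buffer.from is the Node.js equivalent of the slide's atob('c2VhcmNo').)
function readSourceInManyWays(window) {
  const arr = []; arr[43] = "location";
  const obj = { theSearch: "search" };
  return [
    window.location.search,
    window.document.location.search,
    window["location"]["search"],
    window["l" + "o" + "\x63" + "ation"][Buffer.from("c2VhcmNo", "base64").toString()],
    window[arr[43]][obj["theSearch"]],
  ];
}

// Constructed page logic: copies the "name" parameter into the page. This is
// the client-side concatenation pattern of slide 9, with and without encoding.
function extractName(window) {
  const qs = window.location.search;
  const idx = String(qs).indexOf("name=");
  return idx < 0 ? "" : substring(qs, idx + 5);
}
function vulnerablePage(search) {
  const window = makeWindow(search);
  return setInnerHTML("greeting", concat("<h1>Hello ", extractName(window), "</h1>"));
}
function fixedPage(search) {
  const window = makeWindow(search);
  return setInnerHTML("greeting", concat("<h1>Hello ", escapeHtml(extractName(window)), "</h1>"));
}

// Constructed sample query string; the <b> tag is a harmless marker, not a payload.
const SAMPLE_SEARCH = "?lang=en&name=<b>guest</b>";
```

`vulnerablePage(SAMPLE_SEARCH)` returns an alert naming the sink, the element and the source, while `fixedPage(SAMPLE_SEARCH)` returns null because the encoder broke the taint chain before the sink.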
Minded Security DOMinatorPro
• First experiment, in 2010: we took the Alexa top 100.
• Analyzed them using DOMinatorPro
• We found 56 to be vulnerable to DOM Based XSS attacks
22
Minded Security DOMinatorPro Enterprise
• The Automation Suite:
  • Browser Based Crawler
  • Web Management
  • Selenium Based Connector with DOMinatorPro
  • Remote Alert Collector (Local Web Server)
  • CLI Interactive Interface to Selenium
  • Management by Project
  • Scripting possibilities
DEMO Time
23
Minded Security DOMinatorPro Enterprise
• Developers:
  • Unit and Functional Testing.
  • Test their own code.
  • Identify the issue and fix it
• QA Testers:
  • Unit and Functional Testing.
  • Alerts while QA testing
• Security Testers:
  • Black Box browsing
  • Details about operations without encodings
• 3rd Party JavaScript
24
DOMinatorPro Helps Companies Around The World
25
26
Thank you!
Q&A
https://dominator.mindedsecurity.com
@mindedsecurity
Mail: stefano.dipaola@mindedsecurity.com
@wisecwisec
Commercial support:
info@mindedsecurity.com
Software Actors
• Internal Client Side Developers
• Contractors
• 3rd Party JavaScript (Libraries, Adv, Analytics, Social..)
Security Testing Actors
• Quality Assurance / Test Cases (In house process)
• Internal Manual Security Audits
• Internal Automatic Security Audits
• External Manual Security Audits
• External Automatic Security Audits
27

Preventing In-Browser Malicious Code Execution

  • 1. Financial Cyber-Threat Briefing “Planning for Attack-Resilient Web Applications” 11th July 2014 Hosted @Sponsored By Stefano Di Paola CTO Minded Security Preventing In-Browser Malicious Code Execution
  • 2. Who Am I  Stefano Di Paola  Research  OWASP-Italy Senior Member  Testing Guide Contributor  OWASP SWFIntruder  DOMinator (JavaScript Runtime Taint Engine)  Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP)  Security Since '99  Work  CTO @ Minded Security Application Security Consulting  Director of Minded Security Research Labs  Blog: http://blog.mindedsecurity.com  Twitter: @wisecwisec 2
  • 3. Agenda  Introduction  Impacts & Concerns  Approach & Proposed Solutions 3
  • 4. Introduction 4 OWASP Top Ten 2013 A list of the 10 Most Critical Web Application Security Risks  A1 Injection  A2 Broken Authentication and Session Management  A3 Cross-Site Scripting (XSS)  A4 Insecure Direct Object References  A5 Security Misconfiguration  A6 Sensitive Data Exposure  A7 Missing Function Level Access Control  A8 Cross-Site Request Forgery (CSRF)  A9 Using Components with Known Vulnerabilities  A10 Unvalidated Redirects and Forwards  OWASP Top Ten 2013  A list of the 10 Most Critical Web Application Security Risks  A1 Injection  A2 Broken Authentication and Session Management  A3 Cross-Site Scripting (XSS)  A4 Insecure Direct Object References  A5 Security Misconfiguration  A6 Sensitive Data Exposure  A7 Missing Function Level Access Control  A8 Cross-Site Request Forgery (CSRF)  A9 Using Components with Known Vulnerabilities  A10 Unvalidated Redirects and Forwards
  • 5. Introduction - Cross Site Scripting Analysis
  • 6. Cross Site Scripting – Identification and Detection
    [Diagram] "<html>.." + taintedInput + "..</html>"  ->  <html>.. <script>evilJs</script> ..</html>
    taintedInput = <script>evilJs</script>
    Security Scanners/Sensors
  • 7. Reflected Cross Site Scripting - Identification and Detection
    [Diagram] "<html>.." + taintedInput + "..</html>"  ->  <html>.. <script>evilJs</script> ..</html>
    taintedInput = <script>evilJs</script>
    Security Scanners/Sensors
  • 8. Stored Cross Site Scripting - Identification and Detection
    [Diagram] "<html>.." + taintedInput + "..</html>"  ->  <html>.. <script>evilJs</script> ..</html>
    taintedInput = <script>evilJs</script>
    Security Scanners/Sensors
    Security Scanners
  • 9. DOM Based Cross Site Scripting – Identification and Detection
    [Diagram] <html>.. <script>evilJs</script> ..</html>  ->  "<html>.." + taintedInput + "..</html>" (the concatenation happens in the browser)
    taintedInput = <script>evilJs</script>
    Security Scanners/Sensors: ??? ???
    In Browser Attacks
  • 10. DOM Based XSS Demo on Yahoo! Mail - Video
  • 11. Agenda
    - Introduction
    - Impacts & Concerns
    - Approach & Proposed Solutions
  • 12. Introduction - Cross Site Scripting Analysis
    Does the Risk Analysis fit the DOM Based Cross Site Scripting?
  • 13. DOM Based Cross Site Scripting - Analysis
    - Impacts/Risks are identical
    - Detectability is lower for DOM-Based XSS, as it's harder for defenders to find (no network in/out observation)
    - Yet DOM Based XSS is still part of the OWASP Top Ten.
    Does the Risk Analysis fit the DOM Based Cross Site Scripting?
  • 14. Client Side Issues And Impacts
    Vulnerability                                  | Impact
    JS Execution (DOM Based Cross Site Scripting)  | Complete control over the user's page. (CI)
    HTML Injection / Content Spoofing              | Arbitrary HTML insertion. The attacker can completely spoof the content, but cannot access cookies and other JS data. (CI)
    Client Side SQL Injection                      | Data exfiltration (CI)
    URL Redirect                                   | URL spoofing (C)
    CSS Injection                                  | Extract sensitive information (C)
    Resource Manipulation                          | Change the location of a resource requested by a page. (CI)
    ...                                            | ...
    C = Confidentiality, I = Integrity
  • 15. Trends 2005 – 2014: From Server To Client
    [Chart] Usage of JavaScript Over the Years
  • 16. 3rd Party JavaScript Usage
    - Experiment: take the top 100 sites from Alexa, extract all script sources and count how many external scripts are used.
    - Result: ~70% contained 3rd Party JS.
    Do you trust 3rd Party Code in your site? ... Let me rephrase it: Have you ever tested your 3rd Party JS?
  • 17. Agenda
    - Introduction
    - Impacts & Concerns
    - Approach & Proposed Solutions
  • 18. Identification Approach
    - Static Analysis
    - Blind Fuzzing
    - Runtime Taint Analysis
  • 19. Approach & Solutions
    Minimized Client Side JavaScript vs. Server Side Java/C#/Whatever
    But Automated Static Analysis can do it.. doesn't it? Spot the Difference!
  • 20. Static Analysis
    - On structured languages like Java or C#, some good coverage can be achieved (within the limits of static analysis)
    - On flexible/dynamic languages like JavaScript, the same source can be written as:
        location.search
        window.location.search
        document.location.search
        window["location"]['search']
        window["l"+"o"+"\x63"+"ation"][atob('c2VhcmNo')]
        window[arr[43]][obj['theSearch']]
      very poor coverage!
    Runtime ?
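The coverage gap on this slide, shown in working code. This is an added example, not part of the original deck or of DOMinator: the six access forms are the slide's own (normalized to straight quotes, with the backslash restored in "\x63"), while the grep-style regex, the mock window, the indirection values `arr[43] = 'location'` and `obj.theSearch = 'search'`, and the sentinel search string are constructed assumptions. A textual rule sees three of the six forms; executing the expressions against the mock environment reaches the source in all six.

```javascript
// Constructed example: the six ways of reading location.search from slide 20,
// checked first with a static text pattern and then by actually executing the
// expression against a mock window. Not DOMinator's code.

const ACCESS_FORMS = [
  `location.search`,
  `window.location.search`,
  `document.location.search`,
  `window["location"]['search']`,
  `window["l"+"o"+"\\x63"+"ation"][atob('c2VhcmNo')]`, // "\x63" is "c"; base64 decodes to "search"
  `window[arr[43]][obj['theSearch']]`,
];

// What a grep-style static rule for the location.search source typically looks for.
const STATIC_SOURCE_PATTERN = /\b(?:window\.|document\.)?location\.search\b/;

function staticMatch(expr) {
  return STATIC_SOURCE_PATTERN.test(expr);
}

// Mock browser environment (assumption). The search string is a sentinel so we
// can tell whether an expression really reached the source at runtime.
const SENTINEL = '?q=TAINT_SENTINEL';

function mockEnv() {
  const location = { search: SENTINEL };
  const window = { location };
  const document = { location };
  const arr = [];
  arr[43] = 'location';               // indirection shown on the slide (constructed value)
  const obj = { theSearch: 'search' }; // same, constructed value
  const atob = (b64) => Buffer.from(b64, 'base64').toString('latin1');
  return { window, document, location, arr, obj, atob };
}

// Runtime view: evaluate the expression the way the browser would and see
// whether the sentinel value comes out the other end.
function runtimeReachesSource(expr) {
  const env = mockEnv();
  const fn = new Function('window', 'document', 'location', 'arr', 'obj', 'atob',
    `return (${expr});`);
  try {
    return fn(env.window, env.document, env.location, env.arr, env.obj, env.atob) === SENTINEL;
  } catch (e) {
    return false; // a form that throws did not reach the source
  }
}

// Compare how many of the forms each approach identifies as the source.
function coverage() {
  const staticHits = ACCESS_FORMS.filter(staticMatch).length;
  const runtimeHits = ACCESS_FORMS.filter(runtimeReachesSource).length;
  return { total: ACCESS_FORMS.length, staticHits, runtimeHits };
}

console.log(coverage()); // { total: 6, staticHits: 3, runtimeHits: 6 }
```

`new Function` here only stands in for the page executing its own code; a real runtime taint engine instruments the browser's string and DOM operations instead of re-evaluating expressions, but the point is the same: the value is what identifies the source, not the spelling of the access.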
  • 21. Runtime Approach
    - Runtime Blind Fuzzing:
      - BlackBox scanning, fault injection with patterns, hoping to reach the sink (dangerous function).
      - Poor coverage, lots of false negatives
    - Real Time Taint Propagation with Instrumentation:
      - Propagates the "taint" flag during real time execution.
      - Real client state emulation (in-browser test cases)
      - OWASP Project: DOMinator by Minded Security
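A toy model of the taint-propagation approach on this slide, added here as an example; it is not DOMinator's implementation. The source wraps the value in an object carrying the taint flag and an operation history, instrumented string operations keep the flag on derived values, encoders are recorded as operations too, and the sink check reports tainted data whose history lacks the encoder that sink requires (the "operations without encodings" detail the later Enterprise slide mentions). The `Tainted` class, the `SINK_RULES` table and the three sample flows are constructed for this example; the payload reuses the deck's `<script>evilJs</script>`.

```javascript
// Toy runtime taint-propagation engine (constructed example, not DOMinator).

class Tainted {
  constructor(value, history) {
    this.value = value;     // the real string the page would see
    this.history = history; // ordered list of operations since the source
  }
  toString() { return this.value; }
}

const isTainted = (v) => v instanceof Tainted;
const plain = (v) => (isTainted(v) ? v.value : String(v));

// A source attaches the taint flag and records where the data came from.
function fromSource(name, value) {
  return new Tainted(value, [`source:${name}`]);
}

// Build the result of an operation, keeping the taint if any input carried it.
function derive(op, result, ...inputs) {
  const tainted = inputs.filter(isTainted);
  if (tainted.length === 0) return result;
  return new Tainted(result, tainted.flatMap((t) => t.history).concat(op));
}

// Instrumented string operations: the flag follows the data through them.
const concat = (a, b) => derive('concat', plain(a) + plain(b), a, b);
const substring = (s, start, end) => derive('substring', plain(s).substring(start, end), s);

// An encoder is tracked as an operation so the sink can tell encoded from raw data.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function htmlEncode(s) {
  return derive('htmlEncode', plain(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]), s);
}

// Which encoders make tainted data acceptable for which sink (assumption of this
// model). eval accepts none: any tainted input reaching it is reported.
const SINK_RULES = {
  innerHTML: ['htmlEncode'],
  eval: [],
};

// Sink check: report tainted data that arrived without a matching encoder in its
// history. Returns null when the write is considered safe.
function checkSink(sink, v) {
  if (!isTainted(v)) return null;
  const accepted = SINK_RULES[sink] || [];
  if (accepted.some((enc) => v.history.includes(enc))) return null;
  return { sink, value: v.value, history: v.history };
}

// Flow 1 (vulnerable): location.search -> substring -> concat -> innerHTML
function vulnerableFlow() {
  const search = fromSource('location.search', '?name=<script>evilJs</script>');
  const name = substring(search, 6); // strip "?name="
  const html = concat('<h1>Hello ', concat(name, '</h1>'));
  return checkSink('innerHTML', html);
}

// Flow 2 (fixed): the same flow with HTML encoding before the sink
function fixedFlow() {
  const search = fromSource('location.search', '?name=<script>evilJs</script>');
  const name = substring(search, 6);
  const html = concat('<h1>Hello ', concat(htmlEncode(name), '</h1>'));
  return { alert: checkSink('innerHTML', html), rendered: plain(html) };
}

// Flow 3: HTML encoding is the wrong encoder for eval, so it is still reported
function evalFlow() {
  const hash = fromSource('location.hash', '#evilJs');
  return checkSink('eval', htmlEncode(substring(hash, 1)));
}

console.log(vulnerableFlow()); // alert with history: source, substring, concat, concat
console.log(fixedFlow().alert); // null
console.log(evalFlow());        // alert: htmlEncode does not satisfy the eval sink
```

The history in the alert is what makes a runtime finding actionable for a developer: it names the source, every transformation and any encoder applied, so the fix (the missing or wrong encoder for that sink) is read directly from the report rather than reconstructed from the code.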
  • 22. Minded Security DOMinatorPro
    - First experiment, in 2010: we took the Alexa top 100.
    - Analyzed them using DOMinatorPro
    - We found 56 to be vulnerable to DOM Based XSS attacks
  • 23. Minded Security DOMinatorPro Enterprise
    The Automation Suite:
    - Browser Based Crawler
    - Web Management
    - Selenium Based Connector with DOMinatorPro
    - Remote Alert Collector (Local Web Server)
    - CLI Interactive Interface to Selenium
    - Management by Project
    - Scripting possibilities
    DEMO Time
  • 24. Minded Security DOMinatorPro Enterprise
    - Developers: Unit and Functional Testing. Test their own code. Identify the issue and fix it.
    - QA Testers: Unit and Functional Testing. Alerts while QA testing.
    - Security Testers: Black Box browsing. Details about operations without encodings.
    - 3rd Party JavaScript
  • 25. DOMinatorPro Helps Companies Around The World
  • 27. Software Actors
    - Internal Client Side Developers
    - Contractors
    - 3rd Party JavaScript (Libraries, Adv, Analytics, Social..)
    Security Testing Actors
    - Quality Assurance / Test Cases (In house process)
    - Internal Manual Security Audits
    - Internal Automatic Security Audits
    - External Manual Security Audits
    - External Automatic Security Audits

Editor's Notes

  1. Briefly, everything I present or say represents my views, positions and opinions on the topics and not my employer's