introducing msd
Post on 16-Apr-2017
Introducing The Malware Script Detector (MSD)
By d0ubl3_h3lix, http://yehg.net
Tue Feb 19 2008
Agenda
• Counter Strategy
• Overview
• XSS Coverage
• Versioning Info
• Standalone MSD
• Detection Screenshots
• Why MSD?
• Weaknesses
Counter Strategy
• Using the power of JavaScript, Malware Script Detector detects JavaScript malware that itself uses the power of JavaScript
Overview
• Runs on Gecko browsers (Firefox, Flock, Netscape, etc.)
• GreaseMonkey addon needed
• Acts as a browser IDS
• Intended for web client security
• Recommended for every web surfer
• Please don't underestimate MSD by looking at its very simple source code
Overview (Cont.)
• Coded mainly to detect the popular and powerful malicious JavaScript attack frameworks of the day: XSS-Proxy, XSS-Shell, AttackAPI, BeEF
• Version 2 was enhanced to prevent most XSS threats and includes XSS Attack Blacklists based on Firefox XSS-Warning addon
XSS Coverage
MSD was coded to detect the following XSS exploitation areas:
• data: protocol exploitation, such as
  - data:image/gif
  - data:text/javascript
  - data:text/html
• jar: protocol exploitation
• file: protocol exploitation by locally saved malicious web pages
XSS Coverage
• Other protocol exploitation such as vbscript:, livescript:, mocha:, ftp:, telnet:, res:, x-gadget: (MS Vista), call: (VoIP), aim:, etc.
• Unicode injection
• UTF-7, null-byte (\00) and backslash injection (u\r\l), comment star-slash injection (/* */), and escape injection like \u00, \x00, etc.
XSS Coverage
• MSD was thoroughly tested with:
  - RSnake's XSS Cheat Sheet
  - XSS-ME addon attack list
  - Dabbledb.com's Xssdb list
  - CAL9000 XSS list
Versioning Info
GreaseMonkey Version
• Main objective: alert users to XSS attacks
• Must be installed by users
• Requires Gecko browser + GreaseMonkey addon
• Version 1 – detects malware scripts
• Version 2 – detects malware scripts + prevailing XSS
Versioning Info
Standalone Version
• Main objective: alert users and the webmaster to XSS attacks
• Must be deployed by web developers
• Browser-independent
• No checking whether users have the GreaseMonkey version
• Version 1 – detects malware scripts + prevailing XSS
Standalone MSD
• Standalone version was created as a single .js file for web developers
• To embed in their footer files
• To notify both visitors and webmasters of XSS injection attempts and attacks
• Browser-independent, unlike the GreaseMonkey script version
• Intended for web application security as a portable, lightweight solution
Detection Screenshots
Why MSD?
• XSS payloads like
• http://victim/?q=“><script>eval(location.hash.substr(1))</script>#xxxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxMaliciousxxxxxPayloadsxxxxxxxMaliciousxxxxxPayloadsxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx… etc.
Why MSD? (Cont.)
• Never get DETECTED by web server-level firewall/IDS/IPS
• Because the code is executed entirely in the client's browser
Why MSD? (Cont.)
• Malicious sites intentionally embed malicious JavaScript attack frameworks
• Bad guys 0wn web server boxes, and secretly install those attack frameworks as web backdoors or trojans to abuse users
Why MSD? (Cont.)
• There is no way to detect such malware scripts unless we check the HTML source code
• Disabling JavaScript, using NoScript/VMware, or always checking source code are not effective solutions in most cases
• Given the scenarios above, MSD becomes a nice solution for us
Oh, But …
Weaknesses
• Doesn't check POST/cookie variables
• No guarantee of full protection from XSS
• Many ways to bypass MSD
• XSS filtering needs to be updated regularly, and extensive filtering may cause false alerts and much annoyance to users
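As an added illustration (my own code, not MSD's source, which this transcript does not reproduce), the following JavaScript shows the blacklist-scanning approach the XSS Coverage slides describe, applied to the query string and fragment of a URL, including the eval(location.hash…) payload shape from the Why MSD? slide. Rule names, regular expressions and the sample URLs are my own constructions, and the code inherits the weaknesses listed above: it sees only the URL (no POST bodies or cookies), and any blacklist can be bypassed or raise false alerts.

```javascript
// Added example, not MSD's own code: a minimal client-side scanner in the
// spirit of the Malware Script Detector. It inspects the parts of a URL that
// page-side JavaScript can see (query string and fragment) against a small
// blacklist of the exploitation patterns the talk lists. Rule names, regexes
// and the sample URLs below are constructed for this example.

const RULES = [
  // data: URI payloads (data:image/gif, data:text/javascript, data:text/html)
  { name: "data-protocol", re: /data\s*:\s*(image|text|application)\//i },
  // other script-capable or unusual schemes named in the talk
  { name: "script-protocol", re: /\b(javascript|vbscript|livescript|mocha|jar|file|res)\s*:/i },
  // inline <script> tags or on*= event-handler attributes
  { name: "script-tag", re: /<\s*script\b|\bon\w+\s*=/i },
  // eval(location.hash...): the payload lives in the fragment, which the
  // server and any server-side IDS never receive
  { name: "hash-eval", re: /eval\s*\(\s*location\.hash/i },
  // unicode/hex escapes and null bytes used to dodge naive filters
  { name: "escape-injection", re: /\\u00|\\x00|\0|%00/i },
  // comment-based obfuscation (/* */)
  { name: "comment-injection", re: /\/\*[\s\S]*?\*\// },
];

// Undo percent-encoding a bounded number of times, since payloads are often
// double-encoded; a malformed sequence stops decoding instead of throwing.
function normalize(input) {
  let s = input;
  for (let i = 0; i < 3; i++) {
    let next;
    try {
      next = decodeURIComponent(s);
    } catch (e) {
      break;
    }
    if (next === s) break;
    s = next;
  }
  return s;
}

// Return the names of all rules that match the normalized input.
function scan(input) {
  const s = normalize(input);
  return RULES.filter((r) => r.re.test(s)).map((r) => r.name);
}

// Scan only the client-visible parts of a URL: query and fragment. Like the
// GreaseMonkey MSD, this sees nothing of POST bodies or cookies.
function scanUrl(url) {
  const u = new URL(url);
  const hits = new Set();
  for (const part of [u.search.slice(1), u.hash.slice(1)]) {
    for (const name of scan(part)) hits.add(name);
  }
  return [...hits];
}

// Constructed sample URLs: the hash-eval payload shape from the talk (on a
// reserved .invalid host) and a benign search.
const SAMPLE_MALICIOUS =
  'http://victim.invalid/?q="><script>eval(location.hash.substr(1))</script>#xxxxMaliciousPayloadxxxx';
const SAMPLE_BENIGN = "http://example.invalid/search?q=firefox+greasemonkey#results";

// In a browser userscript you would call scanUrl(location.href) on page load
// and alert the user on any hit; here it just runs on the samples.
console.log(scanUrl(SAMPLE_MALICIOUS)); // -> [ 'script-tag', 'hash-eval' ]
console.log(scanUrl(SAMPLE_BENIGN)); // -> []
```

The scanner decodes percent-encoding up to three times before matching, which is what lets it see a double-encoded `%2522%253E%253Cscript%253E` as `"><script>`; anything that needs more layers, or an encoding the normalizer does not undo (UTF-7, for example), walks past it, which is exactly the bypass surface the Weaknesses slide warns about.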
Where Can I Get It?
Check under the Tools section: http://yehg.net/lab/#tools.greasemonkey
If you wish to contribute, there is a smoke-test page.
Insert your own XSS payload to defeat MSD.
Notify me whenever new attack frameworks are created.
Special Thanks
Goes to
Mario, http://php-ids.org
Secgeek, http://www.secgeeks.com
Andres Riancho, http://w3af.sf.net
For encouragements and suggestions
Reference
• XSS Attacks & Defenses by PDP, RSnake, Jeremiah, Anton Rager, Seth Fogie. Syngress Publishing. ISBN-13: 978-1-59749-154-9
Thank you!