preventing in-browser malicious code execution

Post on 04-Feb-2015


DESCRIPTION

DOM Based XSS (or, as some texts call it, "type-0 XSS") is an XSS attack in which the payload executes because the DOM "environment" used by the page's original client-side script has been modified in the victim's browser, so that the client-side code runs in an "unexpected" manner. Certain vulnerabilities in JavaScript code cannot be tracked by standard IDS or perimeter security measures; this leaves a large potential exposure, because the code can be abused to steal data or bypass authentication mechanisms in web interfaces. This presentation demonstrates such vulnerabilities and presents Minded Security's latest countermeasure, DOMinatorPro.

TRANSCRIPT

Financial Cyber-Threat Briefing

“Planning for Attack-Resilient Web Applications”

11th July 2014

Hosted @Sponsored By

Stefano Di Paola, CTO Minded Security

Preventing In-Browser Malicious Code Execution

Who Am I: Stefano Di Paola

Research
OWASP-Italy Senior Member
Testing Guide Contributor
OWASP SWFIntruder
DOMinator (JavaScript Runtime Taint Engine)
Bug Hunter & Sec Research (PDF UXSS, Flash Security, HPP)
Security Since '99

Work
CTO @ Minded Security
Application Security Consulting
Director of Minded Security Research Labs
Blog: http://blog.mindedsecurity.com
Twitter: @wisecwisec

Agenda

Introduction
Impacts & Concerns
Approach & Proposed Solutions

Introduction


OWASP Top Ten 2013: A list of the 10 Most Critical Web Application Security Risks

A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards


Introduction - Cross Site Scripting Analysis


Cross Site Scripting – Identification and Detection

"<html>.." + taintedInput + "..</html>"

<html>..<script>evilJs</script>..</html>

taintedInput=<script>evilJs</script>

Security Scanners/Sensors

Reflected Cross Site Scripting - Identification and Detection

"<html>.." + taintedInput + "..</html>"

<html>..<script>evilJs</script>..</html>

taintedInput=<script>evilJs</script>

Security Scanners/Sensors

Stored Cross Site Scripting - Identification and Detection

"<html>.." + taintedInput + "..</html>"

<html>..<script>evilJs</script>..</html>

taintedInput=<script>evilJs</script>

Security Scanners/Sensors

Security Scanners

DOM Based Cross Site Scripting – Identification and Detection

"<html>.." + taintedInput + "..</html>"

<html>..<script>evilJs</script>..</html>

taintedInput=<script>evilJs</script>

Security Scanners/Sensors

???

???

In Browser Attacks
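The slides above contrast the three XSS variants by where the tainted input becomes visible. The point they make for DOM based XSS is that the concatenation happens inside the browser, so the sensors drawn on the earlier slides never see the payload. The following added example (not code from the talk or from DOMinator) models that flow without a browser so it runs under Node: a fragment-borne value reaches a markup sink, once unescaped and once escaped, and a helper shows what the server-side components would have received. The page URL, the fragment and the greeting markup are constructed for the example.

```javascript
// Added example: DOM based XSS source-to-sink flow modelled outside a
// browser. Assumed page: https://example.test/profile#<user-controlled fragment>

// What a server, reverse proxy or network sensor receives for a URL: the
// browser strips the fragment before the request leaves, so a payload placed
// there never appears in server-side logs or IDS captures.
function serverVisibleUrl(fullUrl) {
  const u = new URL(fullUrl);
  u.hash = "";
  return u.toString();
}

// Vulnerable pattern: the fragment is decoded and concatenated straight into
// markup, the slide's  "<html>.." + taintedInput + "..</html>"  shape.
function renderGreetingUnsafe(hash) {
  const name = decodeURIComponent(hash.replace(/^#/, ""));
  return "<p>Welcome back, " + name + "</p>";
}

// Hardened pattern: the same value is HTML-escaped before it reaches the sink.
// In a real page prefer textContent over innerHTML; an escaper is used here
// because the sink in this model is a string.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderGreetingSafe(hash) {
  const name = decodeURIComponent(hash.replace(/^#/, ""));
  return "<p>Welcome back, " + escapeHtml(name) + "</p>";
}

// Constructed input: the fragment carries a script tag, percent-encoded.
const demoUrl = "https://example.test/profile#%3Cscript%3EevilJs%3C/script%3E";

function demo() {
  const hash = new URL(demoUrl).hash;
  return {
    serverSees: serverVisibleUrl(demoUrl),
    unsafe: renderGreetingUnsafe(hash),
    safe: renderGreetingSafe(hash),
  };
}

console.log(demo());
```

Running it shows the server-visible URL without any fragment next to the two renderings, which is the detection gap the next slides turn into a risk-analysis question.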

DOM Based XSS Demo on Yahoo! Mail - Video


Agenda

Introduction
Impacts & Concerns
Approach & Proposed Solutions

Introduction - Cross Site Scripting Analysis


Does the Risk Analysis fit the DOM Based Cross Site Scripting?

DOM Based Cross Site Scripting - Analysis


Impacts/Risks are identical

Detectability is lower for DOM-Based XSS, as it's harder for defenders to find (no network in/out observation)

Yet DOM Based XSS is still part of the OWASP Top Ten.

Does the Risk Analysis fit the DOM Based Cross Site Scripting?

Client Side Issues And Impacts

Vulnerability                        Impact
JS Execution (DOM Based XSS)         Complete control over user's page. (CI)
HTML Injection/Content Spoofing      Arbitrary HTML insertion; attacker can completely spoof the content. Cannot access cookies and other JS data. (CI)
Client Side SQL Injection            Data exfiltration (CI)
URL Redirect                         URL spoofing (C)
CSS Injection                        Extract sensitive information (C)
Resource Manipulation                Change the location of a resource requested by a page. (CI)
...                                  ...

C=Confidentiality, I=Integrity

Trends 2005 – 2014. From Server To Client

Usage of JavaScript Over the Years


3rd Party JavaScript Usage

Experiment: take the top 100 sites from Alexa. Extract all script sources and count how many external scripts are used.

Result: ~70% contained 3rd Party JS. Do you trust 3rd Party Code in your site?

... Let me rephrase it: Have you ever tested your 3rd Party JS?
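The experiment on the slide is easy to reproduce offline. The following added example (not the speaker's script) extracts script sources from a page's HTML, resolves them against the page URL and classifies each as first- or third-party, then computes the share of pages that load any third-party JS across a set of pages. The HTML and page URLs are constructed; the "last two labels" domain comparison is an assumption that stands in for a proper public-suffix-list lookup.

```javascript
// Added example: count third-party script sources in HTML, offline.

// Pull every src value off <script> tags; handles double-, single- and
// unquoted attribute values and ignores look-alikes such as data-src.
function scriptSources(html) {
  const re = /<script\b[^>]*?(?<![\w-])src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

// Assumption: the host's last two labels approximate its registrable
// domain. A real survey would consult the public suffix list.
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Resolve each src (relative, protocol-relative or absolute) against the
// page and split by whether it shares the page's base domain.
function classifyScripts(pageUrl, html) {
  const page = new URL(pageUrl);
  const result = { firstParty: [], thirdParty: [] };
  for (const src of scriptSources(html)) {
    const u = new URL(src, page);
    (baseDomain(u.hostname) === baseDomain(page.hostname)
      ? result.firstParty
      : result.thirdParty).push(u.href);
  }
  return result;
}

// Share of surveyed pages that load at least one third-party script,
// the figure the slide reports as ~70% for the Alexa top 100.
function thirdPartyShare(pages) {
  const hits = pages.filter((p) => classifyScripts(p.url, p.html).thirdParty.length > 0).length;
  return { pagesWithThirdParty: hits, total: pages.length, share: hits / pages.length };
}

// Constructed sample pages.
const samplePages = [
  {
    url: "https://www.example.test/",
    html: `<html><head>
<script src="/static/app.js"></script>
<script src='//cdn.example-cdn.test/lib.js'></script>
<script>var inline = 1;</script>
<script type="text/javascript" src=https://analytics.tracker.test/t.js async></script>
<script src="https://static.example.test/vendor.js"></script>
<img data-src="https://images.tracker.test/pixel.gif">
</head><body></body></html>`,
  },
  {
    url: "https://shop.example.test/cart",
    html: `<html><head><script src="../js/cart.js"></script></head><body></body></html>`,
  },
];

console.log(classifyScripts(samplePages[0].url, samplePages[0].html));
console.log(thirdPartyShare(samplePages));
```

The classification is the part worth keeping: a third-party script runs with the full privileges of the including page, so the list it produces is exactly the set of code the slide asks whether you have ever tested.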

Agenda

Introduction
Impacts & Concerns
Approach & Proposed Solutions

Identification Approach

Static Analysis

Blind Fuzzing

Runtime Taint Analysis


Approach & Solutions

Minimized Client Side JavaScript vs. Server Side Java/C#/Whatever

But automated Static Analysis can do it... can't it?

Spot the Difference!

Static Analysis

On Structured Languages like Java or C# some good coverage can be performed (according to Static Analysis limits)

On Flexible/Dynamic languages like JavaScript, the same source can be written as:

location.search
window.location.search
document.location.search
window["location"]['search']
window["l"+"o"+"\x63"+"ation"][atob('c2VhcmNo')]
window[arr[43]][obj['theSearch']]

very poor coverage!

Runtime?

Runtime Approach

Runtime Blind Fuzzing: black-box scanning, fault injection with patterns, hoping to reach the sink (dangerous function). Poor coverage, lots of false negatives.

Real Time Taint Propagation with Instrumentation: propagates the "taint" flag during real-time execution, with real client state emulation (in-browser test cases).

OWASP Project: DOMinator by Minded Security
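The static-analysis slide and the runtime slide above make one argument between them: every spelling of `location.search` on the earlier slide reads the same property at runtime, so instrumenting the source and the sink catches all of them without parsing any of them. The following added example is a toy taint tracker written for this page (it is not DOMinator's code and does not show how DOMinator hooks the engine): a Proxy stands in for the browser's `location` object and tags each string read as tainted, a few string helpers propagate the tag, and a sink hook records an alert when a tagged value arrives. `win`, `arr`, `obj`, the query string and the sink names are constructed for the example; real instrumentation would hook `String.prototype` and the DOM setters themselves.

```javascript
// Added example: a toy runtime taint tracker (not DOMinator's implementation).

// A tainted value carries its string plus the source it was read from.
class Tainted {
  constructor(value, source) { this.value = value; this.source = source; }
  toString() { return this.value; }
}

// String operations that propagate taint. A real engine hooks these inside
// String.prototype; here they are explicit helpers.
function concat(a, b) {
  const src = (a instanceof Tainted && a.source) || (b instanceof Tainted && b.source);
  const v = String(a) + String(b);
  return src ? new Tainted(v, src) : v;
}
function slice(s, start, end) {
  const v = String(s).slice(start, end);
  return s instanceof Tainted ? new Tainted(v, s.source) : v;
}
function decode(s) {
  const v = decodeURIComponent(String(s));
  return s instanceof Tainted ? new Tainted(v, s.source) : v;
}

// Source instrumentation: a Proxy around a fake location object marks every
// string read as tainted, however the property name was built.
function makeLocation(search, hash) {
  const target = { search, hash, href: "https://example.test/" + search + hash };
  return new Proxy(target, {
    get(obj, prop) {
      const v = obj[prop];
      return typeof v === "string" ? new Tainted(v, "location." + String(prop)) : v;
    },
  });
}

// Sink instrumentation: record an alert when a tainted value reaches a
// dangerous function (innerHTML assignment, eval, document.write, ...).
const alerts = [];
function sink(name, value) {
  if (value instanceof Tainted) {
    alerts.push({ sink: name, source: value.source, value: value.value });
    return true;
  }
  return false;
}

// The same source reached three of the ways the static-analysis slide lists.
function runDemo() {
  alerts.length = 0;
  const win = { location: makeLocation("?q=%3Cimg%20src%3Dx%3E", "#top") };
  const arr = []; arr[43] = "location";
  const obj = { theSearch: "search" };

  const s1 = win.location.search;
  const s2 = win["l" + "o" + "\x63" + "ation"][atob("c2VhcmNo")];
  const s3 = win[arr[43]][obj.theSearch];

  // Values flow through decode/slice/concat and land in sinks; taint survives.
  sink("innerHTML", concat("<div>", decode(slice(s1, 3))));
  sink("eval", s2);
  sink("document.write", concat(s3, "</div>"));
  // A constant never alerts: no false positive from a static literal.
  sink("innerHTML", "<div>static</div>");
  return alerts.slice();
}

console.log(runDemo());
```

Each alert names the sink, the originating source and the exact value that arrived, which is the information a tester needs to decide whether the flow is exploitable and a developer needs to fix it; a static scan of the three spellings would have had to resolve `atob` and the array index first.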

Minded Security DOMinatorPro

First experiment, in 2010: we took the Alexa top 100 and analyzed them using DOMinatorPro. We found 56 to be vulnerable to DOM Based XSS attacks.

Minded Security DOMinatorPro Enterprise, the Automation Suite:

Browser Based Crawler
Web Management
Selenium Based Connector with DOMinatorPro
Remote Alert Collector (Local Web Server)
CLI Interactive Interface to Selenium
Management by Project
Scripting possibilities

DEMO Time

Minded Security DOMinatorPro Enterprise

Developers: Unit and Functional Testing. Test their own code. Identify the issue and fix it.

QA Testers: Unit and Functional Testing. Alerts while QA testing.

Security Testers: Black Box browsing. Details about operations without encodings. 3rd Party JavaScript.

DOMinatorPro Helps Companies Around The World


Thank you!

Q&A

https://dominator.mindedsecurity.com
@mindedsecurity

Mail: stefano.dipaola@mindedsecurity.com
@wisecwisec

Commercial support: info@mindedsecurity.com

Software Actors
Internal Client Side Developers
Contractors
3rd Party JavaScript (Libraries, Adv, Analytics, Social..)

Security Testing Actors
Quality Assurance / Test Cases (In house process)
Internal Manual Security Audits
Internal Automatic Security Audits
External Manual Security Audits
External Automatic Security Audits