Financial Cyber-Threat Briefing
“Planning for Attack-Resilient Web Applications”
11th July 2014
Hosted @ / Sponsored By
Stefano Di Paola, CTO Minded Security
Preventing In-Browser Malicious Code Execution
Who Am I: Stefano Di Paola

Research
- OWASP-Italy Senior Member
- Testing Guide Contributor
- OWASP SWFIntruder
- DOMinator (JavaScript Runtime Taint Engine)
- Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP)
- Security Since '99

Work
- CTO @ Minded Security
- Application Security Consulting
- Director of Minded Security Research Labs
- Blog: http://blog.mindedsecurity.com
- Twitter: @wisecwisec
Agenda
- Introduction
- Impacts & Concerns
- Approach & Proposed Solutions
Introduction

OWASP Top Ten 2013: A list of the 10 Most Critical Web Application Security Risks
- A1 Injection
- A2 Broken Authentication and Session Management
- A3 Cross-Site Scripting (XSS)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration
- A6 Sensitive Data Exposure
- A7 Missing Function Level Access Control
- A8 Cross-Site Request Forgery (CSRF)
- A9 Using Components with Known Vulnerabilities
- A10 Unvalidated Redirects and Forwards
Introduction - Cross Site Scripting Analysis
Cross Site Scripting – Identification and Detection

    "<html>..+taintedInput+"..</html>"
    <html>..<script>evilJs</script>..</html>
    taintedInput=<script>evilJs</script>

Security Scanners/Sensors
Reflected Cross Site Scripting - Identification and Detection

    "<html>..+taintedInput+"..</html>"
    <html>..<script>evilJs</script>..</html>
    taintedInput=<script>evilJs</script>

Security Scanners/Sensors
Stored Cross Site Scripting - Identification and Detection

    "<html>..+taintedInput+"..</html>"
    <html>..<script>evilJs</script>..</html>
    taintedInput=<script>evilJs</script>

Security Scanners/Sensors
Security Scanners
DOM Based Cross Site Scripting – Identification and Detection

    <html>..<script>evilJs</script>..</html>
    "<html>..+taintedInput+"..</html>"
    taintedInput=<script>evilJs</script>

Security Scanners/Sensors: ???

In Browser Attacks
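The distinction the three slides above draw, as an added example that is not part of the deck: in the reflected and stored cases the `..+taintedInput+..` concatenation happens on the server, so the injected markup is present in the response and visible to a network-side scanner or sensor; in the DOM-based case the response is static and the concatenation is performed by the page's own JavaScript. `serverResponse`, `fakeElement`, the `/app.js` path and the `name` query parameter are constructed stand-ins, not anything from the slides; the stand-in element stores `textContent` escaped, which is how a real element serializes text back through `innerHTML`, so the snippet runs under Node as well as in a browser.

```javascript
// Constructed tainted input: the placeholder the slides use, URL-encoded as
// it would arrive in location.search.
const TAINTED_SEARCH = '?name=' + encodeURIComponent('<script>evilJs</script>');

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Minimal stand-in for a DOM element (constructed for this example):
// innerHTML is stored as markup, textContent is stored escaped.
function fakeElement() {
  return {
    _html: '',
    get innerHTML() { return this._html; },
    set innerHTML(v) { this._html = String(v); },
    set textContent(v) { this._html = escapeHtml(v); },
  };
}

// DOM-based case: the server sends the same HTML for every request. Nothing
// about the query string is on the wire, so a network-side scanner or
// sensor has no reflection to observe.
function serverResponse(search) {
  return '<html><body><div id="greeting"></div>' +
         '<script src="/app.js"></script></body></html>';
}

// Vulnerable page script: the source (location.search) is concatenated into
// markup and written through innerHTML, the in-browser equivalent of the
// slides' "<html>..+taintedInput+..</html>".
function renderGreetingVulnerable(search, el) {
  const name = new URLSearchParams(search).get('name') || 'guest';
  el.innerHTML = '<b>Hello ' + name + '</b>';
  return el.innerHTML;
}

// Fixed page script: the untrusted value is assigned as text, so it is never
// parsed as HTML. Returns the element's serialized content for comparison.
function renderGreetingSafe(search, el) {
  const name = new URLSearchParams(search).get('name') || 'guest';
  el.textContent = 'Hello ' + name;
  return el.innerHTML;
}

// True when two requests yield byte-identical server output, i.e. the
// injection is invisible to anything that only watches the network.
function identicalOnTheWire(searchA, searchB) {
  return serverResponse(searchA) === serverResponse(searchB);
}
```

`identicalOnTheWire('', TAINTED_SEARCH)` is true while `renderGreetingVulnerable(TAINTED_SEARCH, fakeElement())` hands the raw `<script>` markup to the sink: the flaw exists entirely in the client, which is the slide's point about where scanners and sensors have to look.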
DOM Based XSS Demo on Yahoo! Mail - Video
Agenda
- Introduction
- Impacts & Concerns
- Approach & Proposed Solutions
Introduction - Cross Site Scripting Analysis
Does the Risk Analysis fit the DOM Based Cross Site Scripting?
DOM Based Cross Site Scripting - Analysis

Impacts/Risks are identical.
Detectability is lower for DOM-based XSS, as it is harder for defenders to find (no network in/out observation).
Yet DOM Based XSS is still part of the OWASP Top Ten.

Does the Risk Analysis fit the DOM Based Cross Site Scripting?
Client Side Issues And Impacts

| Vulnerability | Impact |
| --- | --- |
| JS Execution (DOM Based Cross Site Scripting) | Complete control over the user's page. (CI) |
| HTML Injection/Content Spoofing | Arbitrary HTML insertion. Attacker can completely spoof the content. Cannot access cookies and other JS data. (CI) |
| Client Side SQL Injection | Data exfiltration (CI) |
| URL Redirect | URL spoofing (C) |
| CSS Injection | Extract sensitive information (C) |
| Resource Manipulation | Change the location of a resource requested by a page. (CI) |
| ... | ... |

C=Confidentiality, I=Integrity
Trends 2005 – 2014: From Server To Client
Usage of JavaScript Over the Years
3rd Party JavaScript Usage

Experiment: take the first top 100 sites from Alexa, extract all script sources and count how many external scripts are used.

Result: ~70% contained 3rd Party JS. Do you trust 3rd Party Code in your site?

... Let me rephrase it: Have you ever tested your 3rd Party JS?
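The measurement the slide describes, written out as an added example (not the deck's own tooling): pull every external `<script src>` out of a page, resolve it against the page URL, and split the sources into first- and third-party by registrable domain. `SAMPLE_HTML` and the `.test` hostnames are constructed, not any of the Alexa sites; `baseDomain` is a last-two-labels heuristic that a real inventory would replace with a Public Suffix List lookup.

```javascript
// Constructed sample page (not one of the sites from the slide).
const SAMPLE_HTML = `
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://cdn.example-bank.test/ui.js"></script>
  <script src='//ads.adnetwork.test/tag.js'></script>
  <script type="text/javascript" src=https://analytics.tracker.test/collect.js></script>
  <script>inlineCode();</script>
</head><body></body></html>`;

// Every external script URL in the markup, whichever quoting style the
// src attribute uses. A regex is enough for well-formed pages; a DOM
// parser is the robust choice for a real crawl.
function scriptSources(html) {
  const re = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

// Registrable-domain heuristic (constructed for this example): the last two
// labels of the hostname. Breaks on co.uk-style suffixes; use the Public
// Suffix List in production.
function baseDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Resolve each src against the page URL (handles "//host/x" and relative
// paths) and classify by registrable domain.
function classifyScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const firstParty = [];
  const thirdParty = [];
  for (const src of scriptSources(html)) {
    const u = new URL(src, page);
    const bucket = baseDomain(u.hostname) === baseDomain(page.hostname) ? firstParty : thirdParty;
    bucket.push(u.href);
  }
  return { firstParty, thirdParty };
}

// The slide's figure over a set of pages: the fraction that load at least
// one third-party script.
function shareWithThirdParty(pages) {
  const hits = pages.filter(({ html, url }) => classifyScripts(html, url).thirdParty.length > 0);
  return hits.length / pages.length;
}
```

For `classifyScripts(SAMPLE_HTML, 'https://www.example-bank.test/home')` the CDN subdomain and the relative path land in `firstParty`, the ad tag and the analytics collector in `thirdParty`; the inline script has no `src` and is not counted. Each entry in `thirdParty` is code the site executes with full access to its DOM, which is what the slide's question about testing third-party JS is pointing at.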
Agenda
- Introduction
- Impacts & Concerns
- Approach & Proposed Solutions
Identification Approach
- Static Analysis
- Blind Fuzzing
- Runtime Taint Analysis
Approach & Solutions

Minimized Client Side JavaScript / Server Side Java/C#/Whatever
But Automated Static Analysis can do it... can't it?
Spot the Difference!
Static Analysis

On structured languages like Java or C#, static analysis can achieve good coverage (within the inherent limits of static analysis).

On flexible/dynamic languages like JavaScript, the same read of the query string can be spelled in many ways:

    location.search
    window.location.search
    document.location.search
    window["location"]['search']
    window["l"+"o"+"\x63"+"ation"][atob('c2VhcmNo')]
    window[arr[43]][obj['theSearch']]

Very poor coverage!

Runtime?
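To make the coverage claim concrete, an added example (not from the deck): two syntactic rules of the kind a static checker would carry for the `location.search` source, run over the slide's own six spellings. The dotted and string-literal forms are flagged; the two spellings whose property names are computed at runtime are not, and `runtimeResolution` shows that they nevertheless denote the same access once evaluated. `VARIANTS` is the slide's list with straight quotes; `Buffer.from` stands in for the browser's `atob` so the block runs under Node.

```javascript
// The six spellings of the same read that the slide lists.
const VARIANTS = [
  'location.search',
  'window.location.search',
  'document.location.search',
  'window["location"][\'search\']',
  'window["l"+"o"+"\\x63"+"ation"][atob(\'c2VhcmNo\')]',
  'window[arr[43]][obj[\'theSearch\']]',
];

// Rule 1: dotted member access, the form a grep-style or simple AST rule
// for the location.search source would encode.
const DOTTED = /\b(?:window\.|document\.)?location\.search\b/;

// Rule 2: the same access through string-literal brackets. Still purely
// syntactic: both literals must be spelled out in full.
const BRACKET_LITERAL =
  /\b(?:window|document)\s*\[\s*(["'])location\1\s*\]\s*\[\s*(["'])search\2\s*\]/;

function staticallyFlagged(snippet) {
  return DOTTED.test(snippet) || BRACKET_LITERAL.test(snippet);
}

// Coverage of the syntactic rules over a set of snippets.
function staticCoverage(snippets) {
  const missed = snippets.filter((s) => !staticallyFlagged(s));
  return { flagged: snippets.length - missed.length, total: snippets.length, missed };
}

// What the missed spellings evaluate to once the code runs. The property
// names only exist at runtime, which is why a runtime approach observes the
// access that the syntactic rules cannot. (Buffer replaces atob for Node.)
function runtimeResolution() {
  const object = 'l' + 'o' + '\x63' + 'ation';                             // "location"
  const property = Buffer.from('c2VhcmNo', 'base64').toString('latin1');  // "search"
  return object + '.' + property;
}
```

`staticCoverage(VARIANTS)` flags four of six and misses the `"l"+"o"+"\x63"+"ation"` and `arr[43]` forms; adding more regexes does not close the gap, because `arr[43]` and `obj['theSearch']` have no fixed spelling to match at all.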
Runtime Approach

Runtime Blind Fuzzing: black-box scanning, fault injection with patterns, hoping to reach the sink (dangerous function). Poor coverage, lots of false negatives.

Real Time Taint Propagation with Instrumentation: propagates the "taint" flag during real-time execution. Real client state emulation (in-browser test cases).

OWASP Project: DOMinator by Minded Security
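The taint-propagation idea in miniature, as an added example (not DOMinator's code): a value read from a source is wrapped with its origin, every instrumented string operation carries the union of its operands' origins forward, a recognised HTML encoder clears the taint, and a sink reports any tainted value that reaches it. The taint is attached to the value, not to the syntax that read it, so the obfuscated `location.search` spellings from the previous slide make no difference here. `readSource`, `sinkInnerHTML` and the `runPageCode` page logic are constructed for this example.

```javascript
// A value read from a source, carrying the names of the sources it derives from.
class Tainted {
  constructor(value, origins) {
    this.value = String(value);
    this.origins = origins;
  }
  toString() { return this.value; }
}

const isTainted = (v) => v instanceof Tainted;
const originsOf = (v) => (isTainted(v) ? v.origins : []);

// Source: what an instrumented read of e.g. location.search returns.
function readSource(name, rawValue) {
  return new Tainted(rawValue, [name]);
}

// Instrumented string operations. Each result carries the union of its
// operands' origins; a fully untainted result is a plain string again.
function concat(...parts) {
  const value = parts.map(String).join('');
  const origins = [...new Set(parts.flatMap(originsOf))];
  return origins.length ? new Tainted(value, origins) : value;
}
function replaceAll(v, pattern, replacement) {
  const out = String(v).split(pattern).join(replacement);
  return isTainted(v) ? new Tainted(out, v.origins) : out;
}
function decode(v) {
  const out = decodeURIComponent(String(v));
  return isTainted(v) ? new Tainted(out, v.origins) : out;
}

// A recognised HTML encoder is a sanitizer for the innerHTML sink: its
// output cannot carry markup, so it comes back untainted.
function encodeForHtml(v) {
  return String(v).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Sink: an innerHTML assignment. A tainted value arriving here is the
// source-to-sink flow worth reporting, whatever the value contains.
function sinkInnerHTML(v, alerts) {
  if (isTainted(v)) {
    alerts.push({ sink: 'innerHTML', sources: v.origins, value: v.value });
  }
  return String(v);
}

// Constructed page logic run against one value of location.search: the
// first write reaches the sink tainted, the second goes through the encoder.
function runPageCode(searchValue) {
  const alerts = [];
  const search = readSource('location.search', searchValue);
  const name = decode(replaceAll(search, '?name=', ''));
  sinkInnerHTML(concat('<b>Hello ', name, '</b>'), alerts);
  sinkInnerHTML(concat('<b>Hello ', encodeForHtml(name), '</b>'), alerts);
  return alerts;
}
```

`runPageCode('?name=guest')` already produces one alert with `sources: ['location.search']`: unlike blind fuzzing, the flow is reported from an ordinary value, with no payload that has to survive the application's transformations and reach the sink intact.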
Minded Security DOMinatorPro

First experiment, in 2010: we took the first Alexa top 100 and analyzed them using DOMinatorPro. We found 56 to be vulnerable to DOM Based XSS attacks.
Minded Security DOMinatorPro Enterprise

The Automation Suite:
- Browser Based Crawler
- Web Management
- Selenium Based Connector with DOMinatorPro
- Remote Alert Collector (Local Web Server)
- Cli Interactive Interface to Selenium
- Management by Project
- Scripting possibilities

DEMO Time
Minded Security DOMinatorPro Enterprise

Developers:
- Unit and Functional Testing. Test their own code. Identify the issue and fix it.

QA Testers:
- Unit and Functional Testing. Alerts while QA testing.

Security Testers:
- Black Box browsing
- Details about operations without encodings
- 3rd Party JavaScript
DOMinatorPro Helps Companies Around The World
Thank you!
Q&A

https://dominator.mindedsecurity.com
Twitter: @mindedsecurity
Mail: [email protected]
Twitter: @wisecwisec
Commercial support: [email protected]
Software Actors
- Internal Client Side Developers
- Contractors
- 3rd Party JavaScript (Libraries, Adv, Analytics, Social..)

Security Testing Actors
- Quality Assurance / Test Cases (In house process)
- Internal Manual Security Audits
- Internal Automatic Security Audits
- External Manual Security Audits
- External Automatic Security Audits