
Client Side Cross Site Scripting

27.9.2013 - Venezia - ISACA VENICE Chapter

Client Side XSS - S. Di Paola


Solutions and security for mobile and payment applications

Consorzio Triveneto, a leading Italian payment-systems company that has always been at the forefront in studying and experimenting with new payment technologies, is part of the Bassilichi Group and operates mainly in the fields of Monetica (electronic money, with the management of POS and e-commerce services) and Corporate Banking in support of businesses.

EVENT SPONSOR

Sponsors and supporters of ISACA VENICE Chapter

Under the patronage of


Who Am I

● Stefano Di Paola @WisecWisec

● Research
  ● OWASP-Italy Senior Member
  ● Testing Guide Contributor
  ● OWASP SWFIntruder
  ● Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP)
  ● Security Since '99

● Work
  ● CTO @ Minded Security Application Security Consulting
  ● Director of Minded Security Research Labs
  ● Lead of WAPT & Code Review Activities
  ● Blog: http://blog.mindedsecurity.com


Agenda

● XSS
● Client Side XSS (aka DOM Based XSS)
● Examples
● Tools and Expertise
● Some Stats
● Conclusions


XSS... The Flaw that Keeps Being Hacked

Image courtesy of John Wilander

[Figure: the attacker's taintedInput=<script>evilJs</script> is concatenated into the page ("<html>..+taintedInput+"..</html>") and the User-Victim's browser receives <html>..<script>evilJs</script>..</html>]

Three kinds:

● Reflected

● Stored

● DOM Based

[Figure, DOM Based case: the same flow, but the injection happens at client side level, sometimes with no server roundtrip. E.g. http://host/#XXX=Inject.. read through location.hash]


DOM Based XSS...The Elephant in the XSS Room

Courtesy of Dave Wichers

[Figure: DOM XSS – Page Application Perspective; includes 3rd Party JS (?)]


Traditional XSS Vs DOM Based

XSS Risk from OWASP Top 10

● Impacts/Risks are identical

● Detectability is lower for DOM-Based XSS, as it's harder for defenders to find


From Server to Client


3rd Party JS

Script used to extract: http://pastebin.com/N3pkxbzd

● Experiment: take the top 100 sites from the Alexa list.

● Extract all script sources and count how many external scripts are used.

Result: ~70% contained 3rd Party JS.

● Do you trust 3rd Party Code in your site?

… Let me rephrase it:

Have you ever tested your 3rd Party JS?
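The extraction step above, as an added example that is not the pastebin script from the slide: given a page URL and its HTML, it lists every <script src> and classifies it as first or third party by host. The page URL, the HTML and the hosts are constructed for the example; the "different host = third party" rule is an assumption (a CDN subdomain of your own site counts as third party here, which is the conservative reading since the script runs with the page's privileges regardless of where it is hosted).

```javascript
// Added example, not the slide's pastebin script. Classifies <script src> targets
// in a page as first or third party by host. Page URL and HTML are constructed.

const SAMPLE_PAGE_URL = 'https://www.example.com/index.html';   // constructed
// constructed HTML: five scripts with src, one inline script, one data-src decoy
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.min.js"></script>
<script src=https://www.example.com/js/vendor.js></script>
<script>var inline = 1; // no src attribute, not counted</script>
<script type="text/javascript" src='https://analytics.example/a.js' async></script>
</head><body>
<script src="//ads.adnetwork.example/tag.js"></script>
<script src="http://widgets.social.example/button.js?v=3"></script>
<img data-src="/not-a-script.js">
</body></html>`;

// Matches a <script ...> start tag with a src attribute (double-, single- or
// unquoted). The lookbehind stops data-src= from matching.
const SCRIPT_SRC_RE =
  /<script\b[^>]*?(?<![\w-])src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>/gi;

function extractScriptSources(pageUrl, html) {
  const page = new URL(pageUrl);
  const found = [];
  SCRIPT_SRC_RE.lastIndex = 0;
  let m;
  while ((m = SCRIPT_SRC_RE.exec(html)) !== null) {
    const raw = (m[1] ?? m[2] ?? m[3]).trim();
    if (!raw) continue;
    let u;
    try {
      u = new URL(raw, page);            // resolves relative and protocol-relative srcs
    } catch (e) {
      continue;                          // unparsable src, skip it
    }
    found.push({
      src: u.href,
      host: u.host,
      protocol: u.protocol,
      thirdParty: u.host !== page.host,  // assumption: any other host is third party
    });
  }
  return found;
}

function summarize(pageUrl, html) {
  const scripts = extractScriptSources(pageUrl, html);
  const third = scripts.filter(s => s.thirdParty);
  return {
    total: scripts.length,
    thirdParty: third.length,
    thirdPartyHosts: [...new Set(third.map(s => s.host))].sort(),
    // scripts fetched over plain http run with the page's privileges but can be
    // replaced on the wire, so they are listed separately
    insecure: scripts.filter(s => s.protocol === 'http:').map(s => s.src),
  };
}

console.log(JSON.stringify(summarize(SAMPLE_PAGE_URL, SAMPLE_HTML), null, 2));
```

Run against a real page by fetching its HTML and passing the final URL (after redirects) as pageUrl; scripts added dynamically at runtime are not visible to this static pass, which is one of the reasons the slides move on to runtime analysis.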


Client Side Vulnerabilities

Vulnerability                     Impact
JS Execution                      Complete control over the user's page. (CI)
HTML Injection/Content Spoofing   Arbitrary HTML insertion. Attacker can completely spoof the content. Cannot access cookies and other JS data. (CI)
Client Side SQL Injection         Data exfiltration. (CI)
URL Redirect                      URL spoofing. (C)
CSS Injection                     Extract sensitive information. (C)
Resource Manipulation             Change the location of a resource requested by a page. (CI)
...                               ...

(C = confidentiality impact, I = integrity impact)


Client Side HTML Injection

....<script>
var nextlink = getParameterFromLocation('nextId');
document.write('<a href="page' + nextlink + '.html">Next Step</a>');
</script>.....

Benign: http://www.vic.tim.com/page.html?nextId=2

Attack: http://www.vic.tim.com/page.html?nextId=2"><img src='a' onerror=alert(1)>
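The slide's pattern as runnable Node code, an added example rather than the slide's own page: the builders return the markup instead of calling document.write, so it runs without a DOM. getParameterFromLocation is defined here because the slide does not show it, and the digit-only rule for nextId is an assumption about what the page needs. The same parser reads a fragment, so this also covers the http://host/#XXX=Inject.. / location.hash case from the earlier slide, where the payload never reaches the server.

```javascript
// Added example, not the slide's page. The slide's document.write pattern as pure
// functions that return the markup instead of writing it, so it runs under Node.
// getParameterFromLocation is defined here as an assumption (the slide omits it).

// Read one parameter from a query string ("?a=b&c=d") or fragment ("#a=b"), like
// a typical page helper does: no validation, this is the taint source.
function getParameterFromLocation(search, name) {
  const q = search.replace(/^[?#]/, '');
  for (const pair of q.split('&')) {
    const [key, ...rest] = pair.split('=');
    let k, v;
    try {
      k = decodeURIComponent(key);
      v = decodeURIComponent(rest.join('='));
    } catch (e) {
      continue;                         // malformed %-escape, skip this pair
    }
    if (k === name) return v;
  }
  return null;
}

// Vulnerable: the raw value is concatenated into markup headed for document.write.
function buildNextLinkVulnerable(search) {
  const nextlink = getParameterFromLocation(search, 'nextId');
  return '<a href="page' + nextlink + '.html">Next Step</a>';
}

// Encoder for the attribute context (defence in depth; the whitelist below is the fix).
function htmlAttrEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened: the page only ever needs a small integer, so accept nothing else
// (assumption about the page), and encode before the value reaches the sink.
function buildNextLinkHardened(search) {
  const nextlink = getParameterFromLocation(search, 'nextId');
  if (nextlink === null || !/^\d{1,6}$/.test(nextlink)) {
    return null;                        // caller renders nothing, or a safe default
  }
  return '<a href="page' + htmlAttrEncode(nextlink) + '.html">Next Step</a>';
}

// Constructed inputs: the slide's benign and attack query strings, plus the same
// payload in a fragment, which is never sent to the server (location.hash case).
const BENIGN = '?nextId=2';
const ATTACK = '?nextId=2"><img src=\'a\' onerror=alert(1)>';
const ATTACK_IN_HASH = '#nextId=2"><img src=\'a\' onerror=alert(1)>';

console.log('vulnerable :', buildNextLinkVulnerable(ATTACK));
console.log('hardened   :', buildNextLinkHardened(ATTACK));
```

The vulnerable builder emits `<a href="page2"><img src='a' onerror=alert(1)>.html">Next Step</a>`: the quote closes the attribute, the tag closes the anchor, and the img's onerror fires. The hardened builder rejects anything that is not a short number, and in a real page the link should be built with DOM APIs (createElement, setAttribute) rather than string concatenation at all.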


A Client Side XSS Example – Twitter 2010

(function(g){ var a=location.href.split("#!")[1]; if(a){ g.location=g.HBR=a; } })(window);

Intended use:

'http://twitter.com#!/WisecWisec'.split('#!')[1]

Returns "/WisecWisec" →

g.location="/WisecWisec" →

http://twitter.com/WisecWisec

Pseudo-Protocol:

'http://twitter.com#!javascript:ICanHasCookies()'.split('#!')[1]

Returns "javascript:ICanHasCookies()" →

window.location='javascript:ICanHasCookies()'

(the browser runs the javascript: URL in the twitter.com origin)
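An added example (not Twitter's code) showing the missing check: the vulnerable function is the slide's split("#!")[1] as written, the safe one only accepts a same-origin, path-only target and returns the re-serialised path rather than the raw fragment. Function names and the allow rule are assumptions; the inputs are the slide's two fragments plus two constructed bypass attempts (a protocol-relative URL and a backslash variant).

```javascript
// Added example, not Twitter's code. The slide's "#!" redirect as written, beside
// a version that checks the target before it would be assigned to location.
// Names and the allow rule (same-origin, path-only) are assumptions.

// Vulnerable: the slide's logic. Whatever follows "#!" is returned unchecked and
// would be assigned to location, so "#!javascript:..." runs script in the page origin.
function hashbangTargetVulnerable(href) {
  const a = href.split('#!')[1];
  return a ? a : null;
}

// Safe: accept only a relative path on the page's own origin.
function hashbangTargetSafe(href) {
  const parts = href.split('#!');
  if (parts.length < 2) return null;
  const page = new URL(href);
  const a = parts.slice(1).join('#!');   // everything after the first "#!"
  // Exactly one leading "/" (so not "//host"), printable ASCII only, and no
  // backslash: URL parsers strip whitespace/control characters in ways that can
  // hide a scheme, and for http(s) they treat "\" as "/", so "/\evil.example"
  // would resolve to another host.
  if (!/^\/(?!\/)[\x21-\x5b\x5d-\x7e]*$/.test(a)) return null;
  let target;
  try {
    target = new URL(a, page.origin);    // resolve the way the browser would
  } catch (e) {
    return null;
  }
  // Backstop after resolution: origin must still be ours and the scheme http(s).
  if (target.origin !== page.origin) return null;
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return null;
  // Return the re-serialised path, never the raw fragment text.
  return target.pathname + target.search;
}

// Constructed inputs: the slide's two cases plus two bypass attempts.
const CASES = [
  'http://twitter.com#!/WisecWisec',
  'http://twitter.com#!javascript:ICanHasCookies()',
  'http://twitter.com#!//evil.example/login',
  'http://twitter.com#!/\\evil.example/login',
];
for (const href of CASES) {
  console.log(href, '=>', hashbangTargetVulnerable(href), '|', hashbangTargetSafe(href));
}
```

Assigning the result to location is still a redirect sink; the point is that a redirect inside your own origin is a navigation, while anything with a scheme, another host, or a parser quirk that turns into one is the bug on the slide.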


Client Side Issues - Examples

DEMO


Code Analysis - Manual

[Figure: minimized client side JavaScript next to server side Java/C#/whatever]

Spot the difference!

But automated static analysis can do it... can't it?


Code Analysis – Automated static analysis

● Problems with minimizers/obfuscators AND JavaScript

● Rigid languages, i.e. Java: request.getQueryString();

Ok.. some coverage can be performed (within the limits of static analysis).

● Flexible/dynamic languages, i.e. JavaScript: the same source can be written as

location.search
window.location.search
document.location.search
window["location"]['search']
window["l"+"o"+"\x63"+"ation"][atob('c2VhcmNo')]    (atob('c2VhcmNo') === 'search')
window[arr[43]][obj['theSearch']]

Very poor coverage.

OK so … what about runtime?


Runtime Analysis

● Runtime fuzzing:
  ● Black box scanning, fault injection with patterns, hoping to reach the sink (dangerous function).
  ● Poor coverage, lots of false negatives.

● Real time taint propagation with instrumentation:
  ● While executing, it propagates the "taint" flag.
  ● In the JavaScript case, if the browser is "instrumented" there are other pros, like real client state emulation. (Use Selenium, JSUnit, ...)

● OWASP Project: DOMinator by Minded Security
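An added toy of the taint-propagation idea, not DOMinator's code: values read from a source carry a taint mark through string operations, and the sink reports whenever a tainted value arrives, whatever its content. That is the contrast with pattern fuzzing on the slide: a benign "#2" is enough to expose the flow, no payload has to find its way through. All names (readSource, sinkWrite, requireDigits, the page functions) and the fragment values are assumptions constructed for the example.

```javascript
// Added example, not DOMinator's code: a toy of "real time taint propagation".
// Values read from a source carry a taint mark through string operations; the sink
// reports whenever a tainted value arrives, whatever its content, so no attack
// pattern has to guess its way through the code. All names are assumptions.

class Tainted {
  constructor(value, sources) {
    this.value = String(value);
    this.sources = sources;              // names of the sources that contributed
  }
}
const isTainted = v => v instanceof Tainted;
const plain = v => (isTainted(v) ? v.value : String(v));
const sourcesOf = v => (isTainted(v) ? v.sources : []);

// Source: everything read here is tainted (location.hash in the slides).
function readSource(name, value) {
  return new Tainted(value, [name]);
}

// Propagating string operations: the result is tainted if any operand was.
function concat(...parts) {
  const sources = [...new Set(parts.flatMap(sourcesOf))];
  const value = parts.map(plain).join('');
  return sources.length ? new Tainted(value, sources) : value;
}
function substring(v, start, end) {
  const out = plain(v).substring(start, end);
  return isTainted(v) ? new Tainted(out, v.sources) : out;
}

// Sanitiser: a value that passes a strict check comes back as a plain, untainted
// string, so taint stops here; a value that fails never reaches the sink.
function requireDigits(v) {
  const s = plain(v);
  if (!/^\d+$/.test(s)) throw new Error('rejected non-numeric id: ' + s);
  return s;
}

// Sink: stands in for document.write. Records a finding instead of writing.
const findings = [];
function resetFindings() { findings.length = 0; }
function sinkWrite(v) {
  if (isTainted(v)) {
    findings.push({ sink: 'document.write', sources: v.sources, value: v.value });
  }
  return plain(v);
}

// Two versions of the page script, driven by a constructed fragment value.
function pageVulnerable(hash) {
  const id = substring(readSource('location.hash', hash), 1);     // drop the "#"
  return sinkWrite(concat('<a href="page', id, '.html">Next</a>'));
}
function pageHardened(hash) {
  const id = requireDigits(substring(readSource('location.hash', hash), 1));
  return sinkWrite(concat('<a href="page', id, '.html">Next</a>'));
}
```

A real instrumented engine does this on the native String prototype and on every DOM source and sink, and also has to follow taint through the parts of the language that are not strings (property lookups, eval, setTimeout with a string); the toy keeps only the part that matters for the slide, which is that the report comes from the data flow, not from a matching payload.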


Some Stats from 2010-2011

● Took the first 100 from the Top 1 Million Alexa list.

● Found several others in the top 1 Million, most of them advertising hosted as 3rd party scripts.

● For example Omniture, Google AdWords, or widgets, buttons etc.

● Using DOMinator + my brain I found that 56 out of 100 top Alexa sites were vulnerable to directly exploitable DOM Based XSS.

● Means: remote attacker with a reliable scenario.


Conclusions

● Client side issues are very hard to find.

● JavaScript is a language for tough people :)

● They strongly depend on both client AND server states.

● It's a quite untested topic.

● Even Google, Microsoft and other big companies have difficulties in identification.

● Only now, after 8 years, are scanners starting to add some kind of identification technique in order to give some coverage.

● We need more tools but, more important, we need more brains!


Thanks! ^_^

Q&A

Mail: [email protected]

Twitter: wisecwisec