Hunting Cross-Site Scripting Attacks in the Network
Elias Athanasopoulos, Antonis Krithinakis, and Evangelos P. Markatos
FORTH-ICS, Greece
Elias Athanasopoulos, FORTH-ICS 2
xHunter: a tool for the detection of suspicious URLs
xHunter
xHunter takes a stream of URLs as input and marks the ones it flags as SUSPICIOUS
Motivation
Current Status
real incidents related to XSS exploitation are recorded and reported by large IT vendors (Symantec, McAfee)
no tools for academia/research
XSS frequency
how often are web sites targeted with XSS attacks?
are XSS attacks a frequent phenomenon in everyday web traffic?
XSS targets
which web sites are the targets?
XSS orchestration
are there any orchestrated XSS campaigns on a world-wide scale?
XSS anatomy
what do real XSS exploits look like?
alert(/XSS/);
http://ucjeps.berkley.edu/cgi-bin/get_consort.pl?sugg=%3Cscript%3Ealert('Xssed By Infam0us')%3C/script%3E
ucjeps.berkeley
Operation
Assumptions
URLs containing JavaScript are suspicious
a large fraction of XSS is mounted through URLs
Main idea
identify all URLs that contain JavaScript
xHunter cannot deal with
iframe injection, Flash parameter pollution, phishing, XCS, CSV, SQL injection
xHunter can deal with
JavaScript injections (XSS/CSRF)
How is JavaScript spotted?
a JavaScript program produces a JavaScript syntax tree of high depth
xHunter operation
scan a URL for fragments that produce a valid JavaScript syntax tree
mark as suspicious any URL that contains a fragment that produces a valid JavaScript syntax tree with a high depth
http://www.economie.gouv.fr/recherche/lance_recherche.php?mot=";alert(document.cookie)//&search_go=ok
query string: mot=";alert(document.cookie)//  search_go=ok
query elements: mot  ";alert(document.cookie)//  search_go  ok
Attempt to parse every query element as if it were a JavaScript program
mot          LC: SEMI: NAME:   depth 2
search_go    LC: SEMI: NAME:   depth 2
ok           LC: SEMI: NAME:   depth 2
;alert(document.cookie)//
LC: SEMI: SEMI: LP: NAME: DOT: NAME:
depth 6
How is the score calculated?
score = SUM(JS_TOKEN[i] * TW[i])
;alert(document.cookie)//
LC: SEMI: ;  SEMI: alert  LP: (  NAME: document  DOT: .  NAME: cookie
depth 6
score 1113000
How are the weights and the threshold calculated?
empirically
xHunter decision
http://www.economie.gouv.fr/recherche/lance_recherche.php?mot=";alert(document.cookie)//&search_go=ok
SUSPICIOUS
Challenges
(1) Web Application Quirks
applications use their own encoding schemes and semantics
XSSed, 64043
http://www.turktelekom.com.tr/tt/portal/!ut/p/c0/XYzBCoJAFEX_RQhq9Z5aOoEI..RshwIQj/
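One way to cope with the "own encoding schemes" quirk above is to generate every plausible decoding of a URL component before handing it to the JavaScript-fragment scanner, so a payload hidden behind an application-specific encoding is still seen. The following is an added Node.js example, not code from the talk or from xHunter; the set of decoders it tries (repeated percent-decoding, '+' as space, base64/base64url path segments) and the sample inputs are assumptions of this example, since the slides only name the problem.

```javascript
// Added example (not xHunter's code): produce decoded variants of a URL
// component for a downstream JavaScript-fragment scanner.
// ASSUMPTION: the decoders below are a guess at what "own encoding schemes"
// look like in practice; the talk does not enumerate them.

const MAX_PERCENT_ROUNDS = 3; // guards against decode loops on pathological input

// Percent-decode repeatedly until the text stops changing, so that a
// double-encoded payload (%253C -> %3C -> <) is recovered. '+' is read as
// a space, as form-encoded query strings do.
function percentDecodeAll(s) {
  const levels = [];
  let cur = s;
  for (let i = 0; i < MAX_PERCENT_ROUNDS; i++) {
    let next;
    try {
      next = decodeURIComponent(cur.replace(/\+/g, " "));
    } catch (e) {
      break; // malformed escape such as "%zz": keep what we have
    }
    if (next === cur) break;
    levels.push(next);
    cur = next;
  }
  return levels;
}

const B64_RE = /^[A-Za-z0-9+/_-]{8,}={0,2}$/;
const PRINTABLE_RE = /^[\x20-\x7e]+$/;

// Accept a base64 or base64url blob only if it decodes to printable ASCII;
// binary-looking output is discarded to keep the candidate set small.
function base64Decode(s) {
  if (!B64_RE.test(s)) return null;
  const std = s.replace(/-/g, "+").replace(/_/g, "/");
  const text = Buffer.from(std, "base64").toString("latin1");
  return PRINTABLE_RE.test(text) ? text : null;
}

// All candidate forms of one URL component: the raw text, every
// percent-decoding level, and any base64 payload found inside a
// path or query segment at any level (portal-style URLs pack state
// into opaque segments, as the turktelekom.com.tr sample shows).
function decodeCandidates(component) {
  const seen = new Set([component]);
  for (const level of [component, ...percentDecodeAll(component)]) {
    seen.add(level);
    for (const segment of level.split(/[\/=&?]+/)) {
      const payload = base64Decode(segment);
      if (payload) seen.add(payload);
    }
  }
  return seen;
}

// Constructed sample: a double-encoded script tag.
const SAMPLE = "%253Cscript%253Ealert(1)%253C%252Fscript%253E";
for (const candidate of decodeCandidates(SAMPLE)) console.log(candidate);
```

Each candidate is then scanned exactly like the original component; a hit on any level is a hit for the URL. Bounding the number of percent-decoding rounds matters because an attacker controls the input and can otherwise make the normaliser do unbounded work.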
(2) JavaScript Relaxed Syntax
everything produces a valid syntax tree
foo;1,2,3,4,5
LC: SEMI: NAME: SEMI: COMMA: NUMBER: NUMBER: NUMBER: NUMBER: NUMBER:
depth 9
Reverse Code Heuristic
real JavaScript code usually does not parse when read from right to left
foo;1,2,3,4,5
LC: SEMI: NAME: SEMI: COMMA: NUMBER: NUMBER: NUMBER: NUMBER: NUMBER:
depth 9
reversed: 5,4,3,2,1;oof
LC: SEMI: DOT: STRING:
depth 3
alert(/XSS/);
LC: SEMI: LP: NAME: OBJECT:
depth 7
reversed: ;)/SSX/(trela
syntax error
SUSPICIOUS
Weighted Parse Nodes
some JavaScript tokens contribute more
foo;1,2,3,4,5
LC: SEMI: NAME: SEMI: COMMA: NUMBER: NUMBER: NUMBER: NUMBER: NUMBER:
alert(/XSS/);
LC: SEMI: LP: NAME: OBJECT:
(3) Exploit Isolation
some exploits are partially injected
";alert(document.cookie)//
syntax error
isolated fragment: ;alert(document.cookie)//
depth 6
Parse all possible fragments
dramatic performance overhead
xHunter is not an on-line tool
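The pipeline the Operation and Challenges slides describe (split the URL into query elements, parse each as JavaScript, apply the reverse-code heuristic, weight the parse nodes, and isolate partially injected exploits by trying every fragment) in working code, as an added Node.js example that is not the xHunter code from the talk. It borrows the engine's own parser for the syntax check through `new Function`, which compiles but never runs the text. The regex token classes, the weights, the threshold of 5 and the example.test URLs are assumptions of this example rather than the empirically tuned values the talk refers to, so its scores do not match the slide's 1113000.

```javascript
// Added example (not xHunter's code): a small Node.js sketch of the
// xHunter pipeline described on the slides. ASSUMPTIONs, marked below,
// are mine: regex token classes, token weights, detection threshold.

// Step 1: does a fragment parse as JavaScript? `new Function` compiles the
// text as a function body and throws SyntaxError if it is not valid JS.
// Nothing executes: the returned function is discarded and never called.
function parsesAsJS(src) {
  try { new Function(src); return true; } catch (e) { return false; }
}

// Step 2: reverse-code heuristic. Real code should only parse left-to-right;
// text that also parses reversed is noise from JavaScript's relaxed syntax.
function reversed(src) {
  return Array.from(src).reverse().join("");
}

// Step 3: weighted parse nodes. xHunter weights real parser nodes; this
// approximation classifies tokens with a regex. ASSUMPTION: calls and member
// access (LP, DOT) weigh most, bare numbers and commas weigh nothing.
const TOKEN_RE = /\s*(?:(\/\/.*)|("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')|(\d+(?:\.\d+)?)|([A-Za-z_$][\w$]*)|(\S))/g;
const PUNCT = { "(": "LP", ".": "DOT", ";": "SEMI", ",": "COMMA" };
const WEIGHT = { NAME: 1, LP: 3, DOT: 3, STRING: 1, SEMI: 1, NUMBER: 0, COMMA: 0, OTHER: 0 };

function tokenize(src) {
  const out = [];
  for (const m of src.matchAll(TOKEN_RE)) {
    if (m[1] !== undefined) break;               // line comment: rest is ignored
    if (m[2] !== undefined) out.push("STRING");
    else if (m[3] !== undefined) out.push("NUMBER");
    else if (m[4] !== undefined) out.push("NAME");
    else out.push(PUNCT[m[5]] || "OTHER");
  }
  return out;
}

// A fragment scores 0 unless it parses forward and fails to parse reversed.
function scoreFragment(src) {
  if (!parsesAsJS(src) || parsesAsJS(reversed(src))) return 0;
  return tokenize(src).reduce((sum, t) => sum + WEIGHT[t], 0);
}

// Step 4: exploit isolation. ";alert(document.cookie)// does not parse as a
// whole (unterminated string), so every substring is tried. This quadratic
// search is the overhead the slides cite for xHunter being an off-line tool.
function bestFragment(element) {
  let best = { fragment: null, score: 0 };
  for (let i = 0; i < element.length; i++) {
    for (let j = i + 1; j <= element.length; j++) {
      const fragment = element.slice(i, j);
      const score = scoreFragment(fragment);
      if (score > best.score) best = { fragment, score };
    }
  }
  return best;
}

// Query elements are every parameter name and every parameter value.
function queryElements(url) {
  const out = [];
  for (const [name, value] of new URL(url).searchParams) out.push(name, value);
  return out;
}

const THRESHOLD = 5; // ASSUMPTION: the talk set its threshold empirically and does not give it

function classifyURL(url) {
  let best = { fragment: null, score: 0 };
  for (const element of queryElements(url)) {
    const candidate = bestFragment(element);
    if (candidate.score > best.score) best = candidate;
  }
  return { suspicious: best.score >= THRESHOLD, ...best };
}

// Sample URLs: the two payloads from the slides plus a constructed relaxed-syntax case.
const SAMPLES = [
  'http://www.economie.gouv.fr/recherche/lance_recherche.php?mot=";alert(document.cookie)//&search_go=ok',
  "http://example.test/?s=alert(/XSS/);",
  "http://example.test/?q=foo;1,2,3,4,5",
];
for (const url of SAMPLES) console.log(classifyURL(url), url);
```

Two details matter for a practitioner reusing this. First, `new Function` only compiles, but the scanner must never call the result; running untrusted URL content in the analysis host would turn the detector into the victim. Second, the reverse heuristic alone is not enough: a payload ending in `//` reverses into a line comment and parses in both directions, which is why the fragment search settles on `;alert(document.cookie)` rather than the full element.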
Evaluation
Trace 1: XSSed.com
~11,000 URLs containing XSS
Trace 2: sensor, ~1K users
1,000 (sampled) possibly benign URLs
Trace 1
remove redirections, iframe injections, etc.
268 XSS exploits marked as clean
Trace 2
20 benign URLs marked as suspicious
Overall
less than 3.2% false negatives
about 2% false positives
Future Work
xHunter training
use machine learning to teach xHunter which parse nodes contribute more to XSS exploits
Invent more heuristics
reduce false positives
Optimizations
make it faster
Collaboration - Deployment!
run xHunter on your network!