© 2009 IBM Corporation
IBM Rational Application Security
The Bank Job: Utilizing XSS Vulnerabilities
Adi Sharabani, IBM Rational Application Security, Research Group Manager
OWASP IL
ILSL - IBM Israel Software Lab
Agenda
Theoretical part:
– Same Origin Policy 101
– Cross-Site Scripting 101
– HTTP sessions
Practical part:
– Trivial robbery
– Advanced robbery
Browser Scripting Capabilities
What scripts can do:
– Scripts can perform user interactions with the site (click links, fill in and submit forms)
– Scripts can seamlessly interact with the web site, without the user noticing
– Can perform any action that is related to the site
– Can launch signed ActiveX controls that are marked safe for scripting
Scripting Restrictions – Same Origin Policy
What scripts cannot do:
– Scripts can only interact with the origin they came from (an origin is the scheme, host and port of the page that loaded the script; a different subdomain or a different port is a different origin)
– Scripts can send requests to, and read the responses of, only their own origin
– Scripts can access other browser frames only if those frames come from the same origin
– Scripts can issue requests to other origins (e.g. through an <img> or a form post), but cannot read the corresponding responses
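The rules above, as an added example that is not part of the original slides: a Node.js same-origin check that compares scheme, host and port the way the browser does, and uses it to sort a list of URLs into those a script from the bank page may read and those it may only request blindly. The URLs are constructed; thebank.site and evil.org are the names the slides use.

```javascript
// Added example, not from the slides. An origin is the triple
// (scheme, host, port); anything else is cross-origin, even another
// subdomain of the same registered domain. All URLs below are constructed.
function originOf(url) {
  const u = new URL(url);
  // URL.port is "" when the scheme's default port is used; normalise it so
  // that http://a.example and http://a.example:80 compare as equal.
  const defaults = { 'http:': '80', 'https:': '443' };
  const port = u.port || defaults[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Of the candidate URLs, which ones may a script running on `scriptUrl`
// read responses from? Cross-origin URLs can still be *requested*
// (an <img> load or a form post goes out), but the response is opaque.
function readableBy(scriptUrl, urls) {
  return urls.filter((u) => sameOrigin(scriptUrl, u));
}

const PAGE = 'http://www.thebank.site/account';
const CANDIDATES = [
  'http://www.thebank.site/transfer',       // same origin
  'http://www.thebank.site:80/transfer',    // default port spelled out: same origin
  'https://www.thebank.site/transfer',      // scheme differs
  'http://api.thebank.site/transfer',       // host differs
  'http://www.thebank.site:8080/transfer',  // port differs
  'http://evil.org/collect',                // different site entirely
];

for (const u of CANDIDATES) {
  console.log(sameOrigin(PAGE, u) ? 'same ' : 'cross', u);
}
```

Only the first two candidates survive `readableBy`; the rest can be targeted by a request from the bank page but their responses stay hidden from the script, which is exactly the asymmetry the last bullet describes.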
XSS 101
XSS occurs when user input is returned by the web application without encoding, so attacker-supplied JavaScript is rendered as part of the page:
    String data = request.getParameter("param");
    out.println(data);
Simple exploit:
– http://www.thebank.site/action?param=<payload>
XSS defeats the Same-Origin Policy:
– The vulnerable origin now returns arbitrary, attacker-chosen JavaScript, which the browser runs with that origin's privileges (its cookies, its frames, its requests).
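The servlet snippet above, mirrored in JavaScript as an added example (not code from the slides): the reflecting handler next to a hardened version that HTML-encodes the parameter, and a crude check showing which of the two lets a constructed payload through. `param` stands in for the value of request.getParameter("param"); the page template and the payloads are invented.

```javascript
// Added example, not from the slides. `param` is the decoded value of the
// "param" query parameter; the surrounding page template is invented.

// Vulnerable: the parameter is concatenated into the HTML unchanged, so a
// value that contains markup becomes markup (this is the servlet bug).
function renderVulnerable(param) {
  return `<html><body><p>You searched for: ${param}</p></body></html>`;
}

// HTML-encode the characters that can change the parser's state in text
// content and in double- or single-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same page, parameter encoded for the HTML text context.
function renderSafe(param) {
  return `<html><body><p>You searched for: ${escapeHtml(param)}</p></body></html>`;
}

// Crude indicator: does the response contain a script tag or an on*
// event-handler attribute? Enough to compare the two renderers on the
// payloads below; it is not a general XSS detector.
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /<[^>]*\bon\w+\s*=/i.test(html);
}

// Constructed attacker values, as they arrive already URL-decoded from
// http://www.thebank.site/action?param=...
const PAYLOADS = [
  '<script>alert(document.cookie)</script>',
  '<img src=x onerror="alert(document.cookie)">',
];

for (const p of PAYLOADS) {
  console.log('vulnerable:', containsActiveContent(renderVulnerable(p)), renderVulnerable(p));
  console.log('safe:      ', containsActiveContent(renderSafe(p)), renderSafe(p));
}
```

The encoding in `escapeHtml` is correct only for the HTML text and quoted-attribute contexts; a value inserted into a JavaScript string, a URL, or an unquoted attribute needs the encoding for that context instead.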
Cross Site Scripting – The Exploit Process
Actors: Evil.org, TheBank.site, User
1. Link to TheBank.site sent to the user via e-mail or HTTP
2. User sends the script embedded as data
3. Script returned, executed by browser
The session cookie
HTTP is stateless
A session id makes your application stateful
Session id = your identification: whoever presents it is treated as you
Should not be guessable (long, random and unpredictable)
JavaScript access: document.cookie
Cross Site Scripting – The Exploit Process
Actors: Evil.org, TheBank.site, User
1. Link to TheBank.site sent to the user via e-mail or HTTP
2. User sends the script embedded as data
3. Script returned, executed by browser
4. Script sends the user's cookie and session information to Evil.org without the user's consent or knowledge
5. Evil.org uses the stolen session information to impersonate the user
Trivial Robbery
Demo
Demo
1. Build payload
2. Send malicious link to victim
3. Retrieve the cookie and extract the session id
4. Manually add the session cookie to a local browser
5. Make a transaction
Advanced Robbery
Demo
Problems: The session id cookie is not enough
HttpOnly – the cookie attribute that hides the cookie from document.cookie:
    Set-Cookie: <name>=<value>[; <name>=<value>] [; expires=<date>] [; domain=<domain_name>] [; path=<some_path>] [; secure] [; HttpOnly]
  HttpOnly stops the injected script from reading the session id; it does not stop the script from acting inside the victim's session, because the browser still attaches the cookie to requests the script makes to the bank's origin.
Pre-logon XSS – if the payload fires before the victim has logged in, there is no authenticated session to steal.
Problems: Key-logging is not enough
Second-factor authentication:
– Dongles
– Client certificates
Challenge on transaction:
– Security questions: "What is your mom's maiden name?"
– Time-based challenge
Questions?
http://blog.watchfire.com