Preventing In-Browser Malicious Code Execution

Financial Cyber-Threat Briefing

“Planning for Attack-Resilient Web Applications”

11th July 2014

Hosted @Sponsored By

Stefano Di PaolaCTO Minded Security

Preventing In-Browser Malicious Code Execution

Who Am I Stefano Di Paola Research

OWASP-Italy Senior Member Testing Guide Contributor OWASP SWFIntruder DOMinator (JavaScript Runtime Taint Engine) Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP) Security Since '99

Work CTO @ Minded Security Application Security Consulting Director of Minded Security Research Labs Blog: http://blog.mindedsecurity.com Twitter: @wisecwisec

2

Agenda

Introduction Impacts & Concerns Approach & Proposed Solutions

3

Introduction

4

OWASP Top Ten 2013A list of the 10 Most Critical Web Application Security Risks

A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Components with Known Vulnerabilities A10 Unvalidated Redirects and Forwards

OWASP Top Ten 2013 A list of the 10 Most Critical Web Application Security Risks

A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Components with Known Vulnerabilities A10 Unvalidated Redirects and Forwards

Introduction - Cross Site Scripting Analysis

5

Cross Site Scripting – Identification and Detection

6

“<html>..+taintedInput+”..</html>”

<html>..<script>evilJs</script>..</html>

taintedInput=<script>evilJs</script>

Security Scanners/Sensors

Reflected Cross Site Scripting - Identification and Detection

7





Stored Cross Site Scripting - Identification and Detection

8





Security Scanners

DOM Based Cross Site Scripting – Identification and Detection

9

<html>..<script>evilJs</script>..</html> “<html>..+

taintedInput+”..</html>”



???

???

In Browser Attacks

DOM Based XSS Demo on Yahoo! Mail - Video

10

Agenda


11

Introduction - Cross Site Scripting Analysis

12

Does the Risk Analysis fit the DOM Based Cross Site Scripting?

DOM Based Cross Site Scripting - Analysis

13

Impacts/Risks are identical

Detectability is Lower for DOM-Based XSS as its harder for defenders to find (no Network In/Out Observation)

Yet DOM Based XSS is still part of the OWASP Top Ten.

Does the Risk Analysis fit the DOM Based Cross Site Scripting?

Client Side Issues And Impacts

14

Vulnerability Impact

JS Execution (DOM Based Cross Site Scripting)

Complete Control Over User's Page. (CI)

HTML Injection/Content Spoofing

Arbitrary HTML Insertion. Attacker can completely spoof the content. Cannot Access Cookies and other JS Data. (CI)

Client Side SQL Injection Data exfiltration (CI)

URL Redirect URL Spoofing (C)

CSS Injection Extract Sensitive Information (C)

Resource Manipulation Change the location of a resource requested by a page. (CI)

... ...

C=Confidentiality, I=Integrity

Trends 2005 – 2014 . From Server To Client

Usage of JavaScript Over the Years

15

3rd Party JavaScript Usage

Experiment take the first top 100 Sites from Alexa:Extract all script sources and count how many external scripts are used.

Result: ~70% contained 3rd Party Js.Do you trust 3rd Party Code in your site?

… Let me rephrase it:Have you ever tested your 3rd Party JS?

16

Agenda


17

Identification Approach

Static Analysis

Blind Fuzzing

Runtime Taint Analysis

18

Approach & Solutions

19

Minimized Client Side JavaScript Server Side Java/C#/Whatever

But Automated Static Analysis can do it.. doesn't it?

Spot the Difference!

Static Analysis

On Structured Languages like Java or C# some good coverage can be performed (according to Static Analysis limits)

On Flexible/Dynamic languages like JavaScript:location.searchwindow.location.searchdocument.location.search

window[“location”]['search']window[“l”+”o”+”\x63”+”ation”][atob('c2VhcmNo')]

window[arr[43]][obj['theSearch']]

very poor coverage!

Runtime ?20

Runtime Approach

Runtime Blind Fuzzing: BlackBox Scanning, fault injection with patterns, hoping to reach

the sink (dangerous function). Poor coverage, Lot of False Negatives

Real Time Taint Propagation with Instrumentation: Propagates the "taint" flag during Real Time execution. Real Client State emulation. (In-browser test cases)

OWASP Project: DOMinator by Minded Security

21

Minded Security DOMinatorPro First experiment in 2010 we took the first Alexa top 100. Analyzed them using DOMinatorPro We found 56 to be vulnerable to DOM Based XSS Attacks

22

Minded Security DOMinatorPro Enterprise The Automation Suite:

Browser Based Crawler Web Management Selenium Based Connector with DOMinatorPro Remote Alert Collector (Local Web Server) Cli Interactive Interface to Selenium Management by Project Scripting possibilities

DEMO Time23

Minded Security DOMinatorPro Enterprise Developers:

Unit and Functional Testing. Test their own code. Identify the issue and fix it

QA Testers:Unit and Functional Testing.Alerts while QA testing

Security Testers:Black Box browsingDetails about operations without encodings 3rd Party JavaScript

24

DOMinatorPro Helps Companies Around The World

25

26

Thank you!

Q&A

https://dominator.mindedsecurity.com@mindedsecurity

Mail: [email protected]@wisecwisec

Commercial support:[email protected]

mailto:[email protected]

Software Actors Internal Client Side Developers Contractors 3rd Party JavaScript (Libraries, Adv, Analytics, Social.. )

Security Testing Actors Quality Assurance / Test Cases (In house process) Internal Manual Security Audits Internal Automatic Security Audits External Manual Security Audits External Automatic Security Audits

27

Preventing In-Browser Malicious Code Execution

Internet

Transcript of Preventing In-Browser Malicious Code Execution