VSA: The Virtual Scripted Attacker, Brucon 2012

Abraham Aranguren @7a_ [email protected] http://cure53.de 27th September 2012


http://blog.7-a.org/2013/02/vsa-virtual-scripted-attacker-slides.html

Transcript of VSA: The Virtual Scripted Attacker, Brucon 2012

Page 1: VSA: The Virtual Scripted Attacker, Brucon 2012

Abraham Aranguren @7a_

[email protected] http://cure53.de

27th September 2012

Page 2: VSA: The Virtual Scripted Attacker, Brucon 2012
Page 3: VSA: The Virtual Scripted Attacker, Brucon 2012

Review JavaScript code on the page:

<script> document.write("Site is at: " + document.location.href + "."); </script>

Sometimes active testing is possible in your browser (no trip to the server = not an attack = not logged): http://target.com/...#vulnerable_param=xss

http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
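The snippet on this slide is the textbook DOM XSS flow: a source the user controls (document.location.href, including the fragment, which the browser never sends to the server) is concatenated straight into an HTML sink (document.write). The block below is an added example, not code from the slides or from VSA; it rewrites that one line as a pure function so the unsafe version and an HTML-encoding fix can be compared outside a browser, with constructed URLs (target.example, a harmless <b>marker</b> in the fragment) standing in for a real page.

```javascript
// Added example (not from the slides): the slide's
// document.write("Site is at: " + document.location.href + ".") pattern,
// as a pure function, next to a hardened form that encodes before the sink.

// Minimal HTML encoder for text that will be placed in an HTML context.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// What the slide's snippet hands to document.write: href is concatenated raw.
function renderUnsafe(href) {
  return "Site is at: " + href + ".";
}

// Hardened form: the source is encoded before the string reaches the sink.
function renderSafe(href) {
  return "Site is at: " + htmlEncode(href) + ".";
}

// Does the rendered string still carry raw markup? If so, whoever controls
// the URL fragment controls part of the page's HTML.
function containsRawMarkup(html) {
  return /<[a-zA-Z!/]/.test(html);
}

// Constructed test URLs (hypothetical host). Everything after '#' stays in
// the browser, which is why the slide calls this test invisible to the server.
const BENIGN = "http://target.example/page#section2";
const MARKER = "http://target.example/page#<b>marker</b>";

// Summarises the three cases a reviewer wants to see.
function demo() {
  return {
    unsafeBenign: containsRawMarkup(renderUnsafe(BENIGN)), // false
    unsafeMarker: containsRawMarkup(renderUnsafe(MARKER)), // true
    safeMarker: containsRawMarkup(renderSafe(MARKER)),     // false
  };
}

console.log(demo());
```

Browsers differ in which characters they percent-encode in each component of location.href, so a check like this on a string is only a first pass; whether the raw markup actually reaches the sink has to be confirmed in the real browser, which is the point the later slides make.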

Page 4: VSA: The Virtual Scripted Attacker, Brucon 2012

Top security-aware companies …with DOM XSS reported via bug bounty programs:

• Google
• PayPal
• Facebook
• Etsy
• Yandex
• …

Page 5: VSA: The Virtual Scripted Attacker, Brucon 2012

Phil Stevens - http://www.strengthguild.com/ http://www.ironradio.org/

Are they searching for DOM XSS without pants like this?

Page 6: VSA: The Virtual Scripted Attacker, Brucon 2012

The Problem

Websites have a LOT of JavaScript and DOM XSS is hard to find because:

• DOM XSS happens on the client-side
• Traditional HTTP fuzzing does not work for DOM XSS
• Traditional tools are unaware of client-side logic
• Most tools cannot verify the DOM XSS exploit worked
• Most tools cannot find DOM XSS in a 100% automated way
• Even DOMINATOR Pro is only a manual testing tool for the Pro

DOM XSS often requires:
• User interaction: Click buttons, drag items, etc
• Timing constraints

A HARD problem to SOLVE

Page 7: VSA: The Virtual Scripted Attacker, Brucon 2012

Created by
• Mario Heiderich (XSS PhD!)
• Gareth Heyes
• Abraham Aranguren
• Alfred Farrugia
• Frederik Braun

What are we doing differently?
• VSA is 100% automated
• We have tested: we find MANY more DOM XSS vulnerabilities
• We can verify that the DOM XSS payload worked
• We are finding DOM XSS on the BROWSER -where JavaScript runs-
• We are verifying DOM XSS on the BROWSER -where JavaScript runs-
• We can tell you the line of code that is vulnerable
• We can tell you the JavaScript file where the vulnerability is
• We have the means to implement VIRTUAL PATCHING

Do you want us to scan YOUR site? ☺
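The slide lists what an in-browser approach can do that HTTP fuzzing cannot: observe the sink call where the JavaScript actually runs, verify that the source value reached it, name the file and line, and optionally block it (virtual patching). The block below is an added example of that idea and is not VSA's code; it wraps one sink (document.write) so that any call whose argument contains a value taken from the URL is recorded together with the JavaScript stack, which is what carries the file and line of the call site. Because it runs in Node rather than a browser, a constructed stand-in for document and location is used; in a browser the same wrapper would be installed before the page's own scripts run.

```javascript
// Added example (not VSA's code): a runtime sink monitor with a virtual-patch
// mode. Assumption: a minimal stand-in for the browser's document/location
// objects, constructed below, is enough to exercise document.write.

// Constructed stand-in: document.location.href plus a document.write that
// records what was written, so the result can be inspected.
function makeFakeDocument(href) {
  const doc = { location: { href }, html: "" };
  doc.write = function (markup) { doc.html += markup; };
  return doc;
}

function splitOnce(s, sep) {
  const i = s.indexOf(sep);
  return i < 0 ? [s] : [s.slice(0, i), s.slice(i + 1)];
}

// URL pieces a visitor controls without any server round-trip: the fragment,
// the query and the full href. Narrowest first so a finding names the
// most specific source.
function taintValuesFrom(location) {
  const href = String(location.href);
  const [beforeHash, fragment = ""] = splitOnce(href, "#");
  const [, query = ""] = splitOnce(beforeHash, "?");
  return [fragment, query, href].filter((v) => v.length > 0);
}

// Wrap one sink method on `doc`. Every call whose argument contains a tainted
// value is recorded with the JS stack (file:line of the caller). With
// `block` set, the tainted call is dropped instead of reaching the sink:
// a virtual patch for a page whose code cannot be changed right away.
function instrumentSink(doc, sinkName, taint, { block = false } = {}) {
  const findings = [];
  const original = doc[sinkName];
  doc[sinkName] = function (...args) {
    const text = args.map(String).join("");
    const hit = taint.find((t) => text.includes(t));
    if (hit !== undefined) {
      findings.push({ sink: sinkName, source: hit, site: new Error().stack });
      if (block) return undefined;
    }
    return original.apply(doc, args);
  };
  return findings;
}

// The slide's vulnerable snippet, as a function so it can be run twice.
function vulnerablePage(doc) {
  doc.write("Site is at: " + doc.location.href + ".");
}

// Detection run: the tainted write is observed and reported; markup still
// lands, which is the evidence that the payload reached the sink.
function detectRun() {
  const doc = makeFakeDocument("http://target.example/#<b>marker</b>");
  const findings = instrumentSink(doc, "write", taintValuesFrom(doc.location));
  vulnerablePage(doc);
  return {
    findings: findings.length,
    markupLanded: doc.html.includes("<b>"),
    site: findings.length ? findings[0].site : "",
  };
}

// Virtual-patch run: same page, same finding, but the write never lands.
function patchRun() {
  const doc = makeFakeDocument("http://target.example/#<b>marker</b>");
  const findings = instrumentSink(doc, "write", taintValuesFrom(doc.location), { block: true });
  vulnerablePage(doc);
  return { findings: findings.length, markupLanded: doc.html.includes("<b>") };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(detectRun());
  console.log(patchRun());
}
```

The substring match on taint values is deliberately crude; it is enough to show the mechanism, but a monitor meant for real sites would track the value through string operations rather than compare the final argument, and would cover the other sinks (innerHTML, eval, location assignments) the same way.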

Page 8: VSA: The Virtual Scripted Attacker, Brucon 2012

Demo Time

Page 9: VSA: The Virtual Scripted Attacker, Brucon 2012

Q & A

Abraham Aranguren @7a_

[email protected] http://cure53.de