Transcript
Page 1: Building And Stopping Next Generation Xss Worms

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

OWASP Europe Conference 2008

building and stopping next generation xss worms

Arshan Dabirsiaghi, Director of Research, Aspect Security

Page 2: Building And Stopping Next Generation Xss Worms


who am i?

Name: Arshan Dabirsiaghi (gesundheit)
Trade: Security hobbyist & developer
Job: Director of Research at Aspect Security
Side Job: Liverpool fan (go Gerrard!)
Political Affiliation: Plutocrat
Quote: “poor people are crazy; i’m eccentric”

Page 3: Building And Stopping Next Generation Xss Worms


talk agenda

the past
  formally define XSS worms
  brief look at past worms

the present
  analyze current worm capabilities
  look at current options for “recovery”

the future
  next generation attack techniques
  next generation countermeasures/recovery

Page 4: Building And Stopping Next Generation Xss Worms


The Past

Page 5: Building And Stopping Next Generation Xss Worms


1st: is an xss worm really a worm?

5 components of a worm (Nazario, et al.):

reconnaissance – “[the worm] has to hunt out other network nodes to infect”

attack – “[components] used to launch an attack against an identified target system”

communication – “nodes in the network can talk to each other”

command – “nodes in the worm network can be issued operation commands”

intelligence – “the worm network needs to know the location of the nodes as well as characteristics about them”

short answer: 3/5 - probably

Page 6: Building And Stopping Next Generation Xss Worms


how xss worms are different from traditional

1. infection model

2. payload capability

3. target shift

4. penetration

Page 7: Building And Stopping Next Generation Xss Worms


what about an xss virus?

fundamental difference between virus and worm is propagation requirements

a self-contained “attachment” XSS virus is possible in this era

1. rich data passed everywhere
2. rich data isn’t data
3. rich data is code
4. your browser executes it

Page 8: Building And Stopping Next Generation Xss Worms


infection model

[Figure: an innocent girl’s profile on myspace.com becomes a WORM NODE; n / 2,872,341 profiles are worm nodes, then n+1 / 2,872,341 profiles are worm nodes]

1. Requires user interaction

2. Worm strictly contained within web application

3. Passive and localized

4. No Warhol worms

Page 9: Building And Stopping Next Generation Xss Worms


how xss worms are different from traditional

1. infection model

2. payload capability

3. target shift

4. penetration

a) Perform any application function (money transfer, close account)

b) XSSProxy/AttackAPI

c) Malware (yikes)

Page 10: Building And Stopping Next Generation Xss Worms


how xss worms are different from traditional

1. infection model

2. payload capability

3. target shift

4. penetration

Page 11: Building And Stopping Next Generation Xss Worms


target shift

[Figure: the targets move from server software (IIS 6.0, IIS 6.0, IIS 6.0, IIS 6.0) to web applications: www.myspace.com, www.facebook.com, www.linkedin.com, peoplesoft.internal]

Page 12: Building And Stopping Next Generation Xss Worms


how xss worms are different from traditional

1. infection model

2. payload capability

3. target shift

4. penetration

Page 13: Building And Stopping Next Generation Xss Worms


penetration

[Figure: hopping between www.myspace.com, www.facebook.com and peoplesoft.internal by way of CSRF and a 3rd Party Proxy]

Page 14: Building And Stopping Next Generation Xss Worms


how xss worms are different from traditional

1. infection model

2. payload capability

3. target shift

4. penetration

a) Hard to jump across domain

b) Requires proxy

c) Can only “island hop” with CSRF

Page 15: Building And Stopping Next Generation Xss Worms


The Present

Page 16: Building And Stopping Next Generation Xss Worms


traits of current xss worms

static payloads
passive infection strategy
stay on the same domain (don’t say Nduja)
uncontrolled growth
no command and control

much like Tom Stracener’s parents, some of these are obviously related

Page 17: Building And Stopping Next Generation Xss Worms


current incident response options

FIX THE VULNERABILITY, then…

manual purging
  can only be done by experts
  doesn’t scale

database snapshot restore
  effectively removes all worm data from tainted columns
  forces loss of other application data

search & destroy
  works now
  tricky in the future, but possible

Page 18: Building And Stopping Next Generation Xss Worms


The Future

Page 19: Building And Stopping Next Generation Xss Worms


next gen xss worm RECONNAISSANCE (1 of 5)

a reconnaissance component will be added to the client side to find more web apps to infect

nodes can use HTML5 Workers / Google Gears WorkerPool / <insert tomorrow’s new RIA technology>

what about SOP?

old and busted: utilize a 3rd party proxy (a la Jikto, circa 2007)

what attackers should be doing now: malware – no SOP! (sigh)

next gen hotness: cross-site XHR, XDR, postMessage
  – allows cross-site bidirectional communication
  – servers must opt in, like Flash, so absolutely no security issues there, ever, don’t even look, seriously alex/sirdarkcat/stefano di paolo/amit klein, don’t bother

Page 20: Building And Stopping Next Generation Xss Worms


cross-site communication in HTML5

postMessage(): cross-domain communication based on strings

what do developers do with strings? JSON / eval()

Site A + JSON + Site B = Shared Security = really…?

Page 21: Building And Stopping Next Generation Xss Worms


(gulp)

window.addEventListener("message", receiveMessage, false);

function receiveMessage(event)
{
    if (event.origin !== "http://example.org:8080")
        return;

    // ...
}
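The origin check on the slide is only half the story; the other half is what the receiver does with the string. The following receiver is an added example, not code from the slides: it allowlists the sender origin, parses the string with JSON.parse rather than eval(), and accepts only one expected message shape. The origins, the message shape and the sample events are assumptions constructed for the example.

```javascript
// Added example (not from the slides): a postMessage receiver that treats the
// incoming string as data, never as code. It checks the sender's origin against
// an explicit allowlist, parses with JSON.parse instead of eval(), and accepts
// only the one message shape this page expects. Origins, the message shape and
// the sample events are constructed for this example.
const ALLOWED_ORIGINS = new Set(["https://siteb.example"]);   // assumed partner

// Accept only {type: "profile-update", displayName: <short string>} and copy
// the validated fields into a fresh object so nothing else rides along.
function validateMessage(msg) {
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return null;
  if (msg.type !== "profile-update") return null;
  if (typeof msg.displayName !== "string" || msg.displayName.length > 64) return null;
  return { type: msg.type, displayName: msg.displayName };
}

// Returns the validated message, or null when the event must be ignored.
function receiveMessage(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;   // untrusted sender
  if (typeof event.data !== "string") return null;        // we only speak JSON text
  let parsed;
  try {
    parsed = JSON.parse(event.data);                      // data stays data
  } catch (e) {
    return null;                                          // malformed: drop, never eval
  }
  return validateMessage(parsed);
}

// Constructed stand-ins for MessageEvent objects.
const fromPartner = { origin: "https://siteb.example",
  data: JSON.stringify({ type: "profile-update", displayName: "samy" }) };
const fromStranger = { origin: "https://evil.example", data: fromPartner.data };
const codeNotJson = { origin: "https://siteb.example", data: "doSomethingEvil()" };
const wrongShape = { origin: "https://siteb.example",
  data: JSON.stringify({ type: "profile-update", displayName: { html: "<b>x</b>" } }) };

// In a browser, wire the handler up exactly as the slide does.
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => { const m = receiveMessage(e); if (m) { /* use m */ } }, false);
}
```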

Page 22: Building And Stopping Next Generation Xss Worms


Staniford, Paxson & Weaver’s RECONNAISSANCE techniques

“hit list scanning” (how sexy is that term? answer: mega)

permutation scanning

topological scanning – not without malware, cross-site XHR

Page 23: Building And Stopping Next Generation Xss Worms


next gen xss worm ATTACK (2 of 5)

an attack component will be added to the client side

new client side piece delivered with the reconnaissance piece to attack other off-domain web apps

85% of websites have XSS (how much is reflected vs. stored?)

how likely is it to find a stored XSS in another web app with a blackbox scan? not likely, but with 1,000,000 nodes, our chances go way up

once we find one: push patches out to the worm nodes for targeting

Page 24: Building And Stopping Next Generation Xss Worms


polymorphic javascript

B. Hoffman & J. Terrill at BH2007 demonstrated: javascript, like any language, can be highly mutated

Before Mutation            | After Mutation                    | Mutation Effects
doEvil1()                  | zDx/*fdSa*/()                     | symbol renaming, random comment introduction
xhr.open("GET",url,true);  | xhr.open("G"+"ET",\turl, true);   | string fragmentation, whitespace randomization
                           |                                   | countless encodings, block re-structuring, JIT eval compilation

Page 25: Building And Stopping Next Generation Xss Worms


next gen xss worm COMMUNICATION (3 of 5)

a communication component will NEVER occur in an XSS worm

can’t communicate directly from victim browser to another victim browser

“centralization” in worms is just another word for weakness

even if you could have node-to-node communication, no way to mutually authenticate

no way to avoid C&C poisoning (good guy sends worm a message: self-destruct plz)

Page 26: Building And Stopping Next Generation Xss Worms


next gen xss worm COMMAND (4 of 5)

a command component will be added to the worm payload

communication w/ operator necessary for command-and-control structure, data delivery (new target information, source updates, etc.)

old and busted: centralized source updates
  worm calls http://www.evil.com/evil.js
  attacker keeps evil.js the latest greatest copy of the worm
  easy for a large worm network to overload (DoS)
  easy to call registrar/ISP and get it taken down

new hotness: introducing… Distributed XSS Worm Node C&C Structure!

Page 27: Building And Stopping Next Generation Xss Worms


[Figure: distributed C&C. Attacker at www.evil.com quietly posts signed payloads to www.geocities.com/evil1, www.myspace.com/evil2 and www.sharedhost.net/evil3 (www.goodguys.com/poison also appears in the results); victim on MyFaceNovel.com creates a token and queries Google (JSON) for it via remote scripting]

Victim creates token

Victim queries Google for token using JSON

Victim finds a signed result

Executes the signed payload

Page 28: Building And Stopping Next Generation Xss Worms


wait… signing in javascript?

http://home.versatel.nl/MAvanEverdingen/Code/

RSA, AES, everything

… in javascript

Page 29: Building And Stopping Next Generation Xss Worms


next gen xss worm INTELLIGENCE (5 of 5)

an intelligence component will be used

after initial worm stages, it can’t be trusted (adversaries can poison)

XSS worms probably don’t need this – they typically follow this pattern:
  First 24 hours: reach massive infections through epic growth rate
  After that: gone and never seen again

Page 30: Building And Stopping Next Generation Xss Worms


The Defense

Page 31: Building And Stopping Next Generation Xss Worms


search+destroying polymorphed javascript

martin johns: “sure you can polymorph javascript to absurd levels, but the vector can’t vary greatly”

Page 32: Building And Stopping Next Generation Xss Worms


on demand exploit egress filters

popular sites need agile response techniques

before filtering:

doSomethingEvil();xhr.onreadystatechange=handleIt;xhr.open("GET",url,true);xhr.send(null);

after filtering (the network call is commented out on the way out):

doSomethingEvil();xhr.onreadystatechange=handleIt;//xhr.open("GET",url,true);xhr.send(null);
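Putting the polymorphic-javascript slide, Martin Johns’ point that the vector can’t vary greatly, and this egress filter together: an added example (not code from the slides) of a response-time filter that first undoes the mutations the slide lists, so one signature still matches, and then renders the XHR inert. The signature, the sample scripts and the helper names are assumptions constructed for the example.

```javascript
// Added example, not from the slides: an on-demand "egress filter" as a pure
// function over outgoing HTML. It undoes the cheap mutations listed on the
// polymorphic-JavaScript slide (comment insertion, string fragmentation,
// whitespace randomization) so a single signature still matches, then renders
// the network call inert the way the slide shows. Signature, vector and sample
// scripts are constructed for this example.

// Undo mutations that leave behaviour unchanged. Assumes the vector's string
// literals carry no escape sequences, as in the slide's example.
function normalizeScript(src) {
  let s = src.replace(/\/\*[\s\S]*?\*\//g, "");            // drop /* comments */
  s = s.replace(/'([^'\\]*)'/g, '"$1"');                   // 'GET' -> "GET"
  let prev;
  do {                                                     // "G"+"E"+"T" -> "GET"
    prev = s;
    s = s.replace(/"([^"\\]*)"\s*\+\s*"([^"\\]*)"/g, '"$1$2"');
  } while (s !== prev);
  return s.replace(/\s+/g, "");                            // whitespace randomization
}

// The worm's vector in canonical form: the XHR it needs in order to spread.
const VECTOR_SIGNATURE = 'xhr.open("GET",url,true);';

function carriesVector(html) {
  return normalizeScript(html).includes(VECTOR_SIGNATURE);
}

// Comment out every XHR open() call in content that carries the vector. A block
// comment is used so statements that follow on the same line are untouched.
function egressFilter(html) {
  if (!carriesVector(html)) return html;
  return html.replace(/\w+\.open\s*\([^;]*\);/g, "/*egress-filtered*/");
}

// Constructed samples: the slide's vector as written, a mutated copy, and an
// unrelated request that must pass through unchanged.
const PLAIN = 'doSomethingEvil();xhr.onreadystatechange=handleIt;' +
              'xhr.open("GET",url,true);xhr.send(null);';
const MUTATED = 'doSomethingEvil();xhr.onreadystatechange/*fdSa*/=handleIt;' +
                "xhr.open('G'+'E'+'T',\turl, true);xhr.send(null);";
const BENIGN = 'xhr.open("POST","/api/comments",true);xhr.send(body);';
```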

Page 33: Building And Stopping Next Generation Xss Worms


OWASP AntiSamy – safe rich input validation

AntiSamy
  uses a positive security model for rich input validation
  high assurance mechanism for stopping XSS (and phishing) attacks

(samy)

http://www.owasp.org/index.php/AntiSamy

Page 34: Building And Stopping Next Generation Xss Worms


utilizing cross-domain workflows

letting the browser’s SOP protection prevent cookie disclosure + sensitive application information

rsnake’s anti-iframe solution

iframes for in-house apps

Page 35: Building And Stopping Next Generation Xss Worms


browser content restrictions

<jail secret="OJE3foiwse">
    dangerous user content
</jail secret="OJE3foiwse">

<start-jail secret="FASj325s"/>
    dangerous user content
<end-jail secret="FASj325s"/>

[Figure: mock page layout – Book Reviews (ThiefBook, Thief1, Thief2; Buy, Find), Policy, Ads – showing where jailed user content sits]

• doesn’t make sense in a DOM
• requires parsers to honor end tag attributes

• my idea
• way better
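Why the closing marker has to carry the secret: the parser below is an added example, not code from the slides or from any browser, for the <start-jail/> … <end-jail/> form. It ends a jail only when the closing marker’s secret matches the one that opened it, so a closing marker that arrives inside user content with a guessed secret stays jailed. Tag names and the FASj325s secret come from the slide; the function names and sample page are assumptions constructed for the example.

```javascript
// Added example, not from the slides: a minimal parser for the proposed
// <start-jail secret="..."/> ... <end-jail secret="..."/> markers. It shows why
// the parser must honour the attribute on the closing marker: only an end
// marker carrying the same secret as the open jail closes it; any other marker
// is plain content. Function names and the sample page are constructed.
const MARKER = /<(start|end)-jail\s+secret="([^"]*)"\s*\/>/g;

// Split html into segments {text, jailed}. Returns null when a jail is opened
// but never closed with its secret, so the caller can refuse to render rather
// than let content fall out of the jail (fail closed).
function splitJails(html) {
  const segments = [];
  let pos = 0;
  let open = null;                         // secret of the jail we are inside
  for (const m of html.matchAll(MARKER)) {
    const [tag, kind, secret] = m;
    if (kind === "start" && open === null) {
      if (m.index > pos) segments.push({ text: html.slice(pos, m.index), jailed: false });
      open = secret;
      pos = m.index + tag.length;
    } else if (kind === "end" && open !== null && secret === open) {
      segments.push({ text: html.slice(pos, m.index), jailed: true });
      open = null;
      pos = m.index + tag.length;
    }
    // nested start markers and end markers with the wrong secret are content
  }
  if (open !== null) return null;
  if (pos < html.length) segments.push({ text: html.slice(pos), jailed: false });
  return segments;
}

// Server side: wrap untrusted content with the secret for this response.
function jail(userContent, secret) {
  return `<start-jail secret="${secret}"/>${userContent}<end-jail secret="${secret}"/>`;
}

// Constructed sample: user content that tries to close the jail with a guess.
const SECRET = "FASj325s";                 // the slide's value; assumed unguessable per response
const attempt = 'great book<end-jail secret="guess"/><script>doSomethingEvil()</script>';
const page = "<h1>Book Reviews</h1>" + jail(attempt, SECRET) + "<p>Ads</p>";
```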

Page 36: Building And Stopping Next Generation Xss Worms


questions and answers

