Building And Stopping Next Generation Xss Worms

  • Published on
    24-Jan-2015


DESCRIPTION

Slides from the OWASP NYC 2008 talk.

Transcript

  • 1. building and stopping next generation xss worms
    Arshan Dabirsiaghi, Director of Research, Aspect Security
  • 2. who am i?
    • Name Arshan Dabirsiaghi (gesundheit)
    • Trade Security hobbyist & developer
    • Job Director of Research at
    • Side Job Liverpool fan (go Gerrard!)
    • Political Affiliation Plutocrat
    • Quote poor people are crazy; I'm eccentric
  • 3. talk agenda
    • the past
      • formally define xss worms
      • brief look at past worms
    • the present
      • analyze current worm capabilities
      • look at current options for recovery
    • the future
      • next generation attack techniques
      • next generation countermeasures/recovery
  • 4. The Past
  • 5. 1 st : is an xss worm really a worm?
    • 5 components of a worm (Nazario et al.):
      • reconnaissance: [the worm] has to hunt out other network nodes to infect
      • attack: [components] used to launch an attack against an identified target system
      • communication: nodes in the network can talk to each other
      • command: nodes in the worm network can be issued operation commands
      • intelligence: the worm network needs to know the location of the nodes as well as characteristics about them
    • short answer: 3/5 - probably
  • 6. how xss worms are different from traditional
    • infection model
    • payload capability
    • target shift
    • penetration
  • 7. what about an xss virus?
    • fundamental difference between virus and worm is propagation requirements
    • a self-contained attachment XSS virus is possible in this era
    • rich data passed everywhere
    • rich data isn't data
    • rich data is code
    • your browser executes it
  • 8. infection model
    • Requires user interaction
    • Worm strictly contained within web application
    • Passive and localized
    • No Warhol worms
    [Diagram: an innocent girl on myspace.com views a profile that is a WORM NODE; before the visit n / 2,872,341 profiles are worm nodes, after it n+1 / 2,872,341]
  • 9. how xss worms are different from traditional
    • infection model
    • payload capability
    • target shift
    • penetration
    • Perform any application function (money transfer, close account)
    • XSSProxy/AttackAPI
    • Malware (yikes)
  • 10. how xss worms are different from traditional
    • infection model
    • payload capability
    • target shift
    • penetration
  • 11. target shift
    [Diagram: targets shift from server software (IIS 6.0, IIS 6.0, IIS 6.0, IIS 6.0) to web applications (www.myspace.com, www.facebook.com, www.linkedin.com, peoplesoft.internal)]
  • 12. how xss worms are different from traditional
    • infection model
    • payload capability
    • target shift
    • penetration
  • 13. penetration
    [Diagram: a worm on www.myspace.com reaches www.facebook.com and peoplesoft.internal only through CSRF or a 3rd party proxy]
  • 14. how xss worms are different from traditional
    • infection model
    • payload capability
    • target shift
    • penetration
    • Hard to jump across domain
    • Requires proxy
    • Can only island hop with CSRF
  • 15. The Present
  • 16. traits of current xss worms
    • static payloads
    • passive infection strategy
    • stay on the same domain (don't say Nduja)
    • uncontrolled growth
    • no command and control
    • much like Tom Stracener's parents, some of these are obviously related
  • 17. current incident response options
    • FIX THE VULNERABILITY , then
    • manual purging
      • can only be done by experts
      • doesn't scale
    • database snapshot restore
      • effectively removes all worm data from tainted columns
      • forces loss of other application data
    • search & destroy
      • works now
      • tricky in the future but possible
  • 18. The Future
  • 19. next gen xss worm RECONNAISSANCE (1 of 5)
    • a reconnaissance component will be added to the client side to find more web apps to infect
      • nodes can use HTML5 Workers / Google Gears WorkerPool /
      • what about SOP?
        • old and busted: utilize a 3rd party proxy (à la Jikto, circa 2007)
        • what attackers should be doing now: malware, no SOP! (sigh)
        • next gen hotness: cross-site XHR, XDR, postMessage
          • allows cross-site bidirectional communication
          • servers must opt in, like Flash, so absolutely no security issues there, ever, don't even look, seriously Alex/sirdarkcat/Stefano Di Paola/Amit Klein, don't bother
  • 20. cross-site communication in HTML5
    • postMessage()
      • cross-domain communication based on strings
      • what do developers do with strings?
      • JSON/ eval()
      • Site A + JSON + Site B = Shared Security = really?
  • 21. (gulp)
    window.addEventListener("message", receiveMessage, false);

    function receiveMessage(event)
    {
      // drop anything not sent by the one origin this page expects
      if (event.origin !== "http://example.org:8080")
        return;
      // ...
    }
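The origin check on slide 21 is only half of the receiver; slide 20's "JSON/eval()" worry is about what happens to the string after it. The following is an added example, not code from the slides, showing a receiver written both ways. The handlers take a MessageEvent-like object `{origin, data}` so they can run outside a browser; in a page they would be registered with `window.addEventListener("message", handler, false)`. The trusted origin, the message types and the sample events are assumptions constructed for the example.

```javascript
// Added example (not from the slides): a postMessage receiver written the way
// slide 20 warns against and the way slide 21 suggests, extended with the data
// validation that should follow the origin check. Handlers take a
// MessageEvent-like object {origin, data} so they can be exercised outside a
// browser; in a page they would be registered with
// window.addEventListener("message", handler, false).

// Assumed: the one embedding origin this page expects to hear from.
const TRUSTED_ORIGINS = new Set(["https://app.example.org"]);

// The anti-pattern: no origin check, and the string is treated as code.
// Any window holding a reference to this one (an opener, a parent, a frame
// it embeds) can post arbitrary JavaScript that then runs in this origin.
function receiveMessageUnsafe(event) {
  return eval("(" + event.data + ")");
}

// Hardened receiver: allowlist the sender, treat the payload as data via
// JSON.parse, and validate the shape before acting on it. Returns an object
// describing the decision so the two paths can be compared.
const ALLOWED_TYPES = new Set(["set-theme", "resize"]);

function receiveMessageSafe(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "untrusted origin: " + event.origin };
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return { ok: false, reason: "malformed JSON" };
  }
  if (typeof msg !== "object" || msg === null || !ALLOWED_TYPES.has(msg.type)) {
    return { ok: false, reason: "unexpected message type" };
  }
  if (msg.type === "resize" &&
      !(Number.isInteger(msg.height) && msg.height > 0 && msg.height <= 4000)) {
    return { ok: false, reason: "height out of range" };
  }
  if (msg.type === "set-theme" && !["light", "dark"].includes(msg.theme)) {
    return { ok: false, reason: "unknown theme" };
  }
  return { ok: true, msg };
}

// Constructed sample events, not captured traffic.
const benign = { origin: "https://app.example.org", data: '{"type":"resize","height":600}' };
const wrongOrigin = { origin: "https://attacker.example", data: '{"type":"resize","height":600}' };
// Valid input for eval() but code, not data: the unsafe handler runs it.
const codeAsData = {
  origin: "https://attacker.example",
  data: '(function(){ globalThis.pwned = "document.cookie would leave here"; return 42; })()',
};

// Run both receivers over the samples and report the decisions.
function demo() {
  return {
    benign: receiveMessageSafe(benign).ok,
    wrongOrigin: receiveMessageSafe(wrongOrigin).ok,
    codeRejected: receiveMessageSafe(codeAsData).ok,
    codeRanUnsafe: receiveMessageUnsafe(codeAsData),
  };
}
```

Note that the same eval-shaped string is rejected by the safe receiver even when it arrives from the trusted origin, because `JSON.parse` refuses it: the origin check decides who may talk, the parser decides that what they say is data.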
  • 22. staniford, paxson & weaver's RECONNAISSANCE techniques
    • hit list scanning (how sexy is that term? answer: mega )
    • permutation scanning
    • topological scanning
      • not without malware, cross-site XHR
  • 23. next gen xss worm ATTACK (2 of 5)
    • an attack component will be added to the client side
      • new client side piece delivered with reconnaissance piece to attack other off-domain web apps
      • 85% of websites have XSS (how much is reflected vs. stored?)
      • how likely is it to find a stored XSS in another web app with a blackbox scan?
        • not likely, but with 1,000,000 nodes, our chances go way up
        • once we find one - push patches out to the worm nodes for targeting
  • 24. polymorphic javascript
    • b. hoffman & j. terrill at BH2007 demonstrated:
      • javascript, like any language, can be highly mutated
    Before Mutation               After Mutation                     Mutation Effects
    doEvil1()                     zDx/*fdSa*/()                      symbol renaming, random comment introduction
    xhr.open("GET",url,true);     xhr.open("G"+"ET",url, true);      string fragmentation, whitespace randomization
                                                                     countless encodings, block re-structuring, JIT eval compilation
  • 25. next gen xss worm COMMUNICATION (3 of 5)
    • a communication component will NEVER occur in an XSS worm
      • can't communicate directly from victim browser to another victim browser
      • centralization in worms is just another word for weakness
      • even if you could have node-to-node communication,
        • no way to mutually authenticate
        • no way to avoid c&c poisoning (good guy sends worm a message: self-destruct plz)
  • 26. next gen xss worm COMMAND (4 of 5)
    • a command component will be added to the worm payload
      • communication w/ operator necessary for command-and-control structure, data delivery (new target information, source updates, etc)
      • old and busted : centralized source updates
        • worm calls http://www.evil.com/evil.js
        • attacker keeps evil.js the latest greatest copy of worm
        • easy for a large worm network to overload (DoS)
        • easy to call registrar/ISP and get it taken down
      • new hotness : introducing Distributed XSS Worm Node C&C Structure !
  • 27. [Diagram: distributed XSS worm C&C. The attacker quietly posts signed payloads on assorted third-party hosts (www.evil.com, www.geocities.com/evil1, www.myspace.com/evil2, www.sharedhost.net/evil3); a defender posts a poison at www.goodguys.com/poison. A victim node on MyFaceNovel.com creates the token, queries Google for it via the JSON remote scripting API, finds a signed result and executes the signed payload.]
  • 28. wait signing in javascript?
    • http://home.versatel.nl/MAvanEverdingen/Code/
    • RSA, AES, everything
    • in javascript
  • 29. next gen xss worm INTELLIGENCE (5 of 5)
    • an intelligence component will be used
      • after the initial worm stages, it can't be trusted (adversaries can poison)
      • xss worms probably don't need this; they typically follow this pattern
        • First 24 hours: reach massive infections through epic growth rate
        • After that: gone and never seen again
  • 30. The Defense
  • 31. search+destroying polymorphed javascript
    • martin johns: sure you can polymorph javascript to absurd levels, but the vector cant vary greatly
  • 32. on demand exploit egress filters
    • popular sites need agile response techniques
    original payload:                      after the egress filter neuters the call:
    doSomethingEvil();                     doSomethingEvil();
    xhr.onreadystatechange=handleIt;       xhr.onreadystatechange=handleIt;
    xhr.open("GET",url,true);              //xhr.open("GET",url,true);
    xhr.send(null);                        xhr.send(null);
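Slides 24, 31 and 32 are two sides of one question: how far can the text of a payload vary, and what does a search-and-destroy or egress filter have left to match on? The following is an added example, not code from the slides or from the Hoffman/Terrill or Johns work they cite. It implements the four mutations listed on slide 24 as a toy mutator, then a normaliser that undoes the mechanical ones and keys on the API calls the payload cannot rename (Johns' point that the vector cannot vary greatly). The payload text is constructed from slide 32's snippet and is inert; the signature regexes are assumptions for this example.

```javascript
// Added example, not code from the slides: a toy version of the polymorphic
// mutations from slide 24 next to the normaliser a search-and-destroy job
// (slides 31 and 32) would run over stored content before matching. The
// payload text below is constructed from the slide's snippet and does nothing.

// Small deterministic PRNG (mulberry32) so each seed gives a reproducible variant.
function rng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

function randIdent(next, len) {
  const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
  let s = "";
  for (let i = 0; i < len; i++) s += letters[Math.floor(next() * letters.length)];
  return s;
}

const PAYLOAD =
  'doEvil1();\nxhr.onreadystatechange=handleIt;\nxhr.open("GET",url,true);\nxhr.send(null);';

// The four mutations shown on the slide: symbol renaming, string
// fragmentation, random comment introduction, whitespace randomisation.
function mutate(src, seed) {
  const next = rng(seed);
  let out = src;
  for (const name of ["doEvil1", "handleIt", "xhr", "url"]) {        // the worm's own symbols
    const fresh = randIdent(next, 3 + Math.floor(next() * 5));
    out = out.replace(new RegExp("\\b" + name + "\\b", "g"), fresh);
  }
  out = out.replace(/"([A-Za-z]{2,})"/g, (m, s) => {                 // "GET" -> "G"+"ET"
    const cut = 1 + Math.floor(next() * (s.length - 1));
    return '"' + s.slice(0, cut) + '"+"' + s.slice(cut) + '"';
  });
  out = out.replace(/[;,()=]/g, (tok) => {                           // comments + whitespace
    const pad = " ".repeat(Math.floor(next() * 3));
    const comment = next() < 0.5 ? "/*" + randIdent(next, 4) + "*/" : "";
    return pad + tok + comment + pad;
  });
  return out;
}

// Normaliser for matching (not for execution): strip block comments, drop all
// whitespace, fold adjacent string literals until nothing changes.
function normalize(src) {
  let out = src.replace(/\/\*[\s\S]*?\*\//g, "").replace(/\s+/g, "");
  let prev;
  do {
    prev = out;
    out = out.replace(/"([^"\\]*)"\+"([^"\\]*)"/g, '"$1$2"');
  } while (out !== prev);
  return out;
}

// Johns' invariant "vector": the payload can rename its own symbols but still
// has to call the DOM API by name to do anything, so that is what we key on.
const VECTOR = [/\.onreadystatechange=/, /\.open\("GET",/, /\.send\(/];

function matchesVector(src) {
  const n = normalize(src);
  return VECTOR.every((re) => re.test(n));
}

// Generate n variants and report how many distinct texts there are versus
// how many the normalised signature still catches.
function demo(n) {
  const variants = [];
  for (let seed = 1; seed <= n; seed++) variants.push(mutate(PAYLOAD, seed));
  return {
    distinctTexts: new Set(variants).size,
    caught: variants.filter(matchesVector).length,
  };
}
```

Every seed yields a different byte string, and every one of them normalises back to the same three API calls. The next move in the arms race is obvious from the table on slide 24: bracket access (`x["op"+"en"]`), encodings and runtime `eval` of assembled strings push the invariant out of the static text, so the normaliser grows toward a partial evaluator, which is what slide 17 means by "tricky in the future but possible". The egress filter on slide 32 works at the same layer: once the call is located, commenting it out is the cheap part.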
  • 33. OWASP AntiSamy safe rich input validation
    • AntiSamy
      • Uses a positive security model for rich input validation
      • High assurance mechanism for stopping XSS (and phishing) attacks
    (samy)
      • http://www.owasp.org/index.php/AntiSamy
  • 34. utilizing cross-domain workflows
    • letting the browser's SOP protection prevent disclosure of cookies and sensitive application information
      • RSnake's anti-iframe solution, iframes for in-house apps
  • 35. browser content restrictions
    • dangerous user content
    • secret=OJE3foiwse>
    • dangerous user content
    [Mockup: a "Book Reviews" page (Book Thief, Thief1, Thief2) with Buy and Find links, a Policy block and an Ads block; the user-supplied review text is the dangerous content]
    • doesn't make sense in a DOM
    • reqs parsers to honor end tag attributes
    • my idea
    • way better
  • 36. questions and answers