Slides from the OWASP NYC 2008 talk.
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP Europe Conference 2008
building and stopping next generation xss worms
arshan dabirsiaghi, director of research, aspect security
who am i?
Name: Arshan Dabirsiaghi (gesundheit)
Trade: Security hobbyist & developer
Job: Director of Research at Aspect Security
Side Job: Liverpool fan (go gerrard!)
Political Affiliation: Plutocrat
Quote: “poor people are crazy; i’m eccentric”
talk agenda
the past: formally define xss worms; brief look at past worms
the present: analyze current worm capabilities; look at current options for “recovery”
the future: next generation attack techniques; next generation countermeasures/recovery
The Past
1st: is an xss worm really a worm?
5 components of a worm (Nazario, et al.):
1. reconnaissance – “[the worm] has to hunt out other network nodes to infect”
2. attack – “[components] used to launch an attack against an identified target system”
3. communication – “nodes in the network can talk to each other”
4. command – “nodes in the worm network can be issued operation commands”
5. intelligence – “the worm network needs to know the location of the nodes as well as characteristics about them”
short answer: 3/5 - probably
how xss worms are different from traditional
1. infection model
2. payload capability
3. target shift
4. penetration
what about an xss virus?
fundamental difference between virus and worm is propagation requirements
a self-contained “attachment” XSS virus is possible in this era
1. rich data passed everywhere
2. rich data isn’t data
3. rich data is code
4. your browser executes it
infection model
[diagram: an “innocent girl on myspace” views a WORM NODE on myspace.com; n / 2,872,341 profiles are worm nodes becomes n+1 / 2,872,341 profiles are worm nodes]
1. Requires user interaction
2. Worm strictly contained within web application
3. Passive and localized
4. No Warhol worms
how xss worms are different from traditional – 2. payload capability
a) Perform any application function (money transfer, close account)
b) XSSProxy/AttackAPI
c) Malware (yikes)
how xss worms are different from traditional – 3. target shift
[diagram: IIS 6.0, IIS 6.0, IIS 6.0, IIS 6.0 versus www.myspace.com, www.facebook.com, www.linkedin.com, peoplesoft.internal]
how xss worms are different from traditional – 4. penetration
[diagram: www.myspace.com reaching www.facebook.com and peoplesoft.internal only through CSRF or a 3rd Party Proxy]
a) Hard to jump across domain
b) Requires proxy
c) Can only “island hop” with CSRF
The Present
traits of current xss worms
• static payloads
• passive infection strategy
• stay on the same domain (don’t say nduja)
• uncontrolled growth
• no command and control
much like Tom Stracener’s parents, some of these are obviously related
current incident response options
FIX THE VULNERABILITY, then…
• manual purging: can only be done by experts; doesn’t scale
• database snapshot restore: effectively removes all worm data from tainted columns; forces loss of other application data
• search & destroy: works now; tricky in the future but possible
The Future
next gen xss worm RECONNAISSANCE (1 of 5)
a reconnaissance component will be added to the client side to find more web apps to infect
• nodes can use HTML5 Workers/Google Gears WorkerPool/<insert tomorrow’s new RIA technology>
• what about SOP?
  – old and busted: utilize 3rd party proxy (a la jikto – circa 2007)
  – what attackers should be doing now: malware – no SOP! (sigh)
  – next gen hotness: cross-site XHR, XDR, postMessage
    – allows cross-site bidirectional communication
    – servers must opt in, like Flash, so absolutely no security issues there, ever, don’t even look, seriously alex/sirdarkcat/stefano di paolo/amit klein, don’t bother
cross-site communication in HTML5
• postMessage(): cross-domain communication based on strings
• what do developers do with strings? JSON / eval()
• Site A + JSON + Site B = Shared Security = really…?
(gulp)
window.addEventListener("message", receiveMessage, false);
function receiveMessage(event)
{
if (event.origin !== "http://example.org:8080")
return;
// ...
}
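An added example, not from the talk: the receiver above extended so that the string arriving over postMessage is treated as data (JSON.parse plus a shape check) rather than as code (eval), with the message objects constructed inline so it runs outside a browser. The trusted origin is taken from the snippet above; the message shape and sample payloads are assumptions.

```javascript
// Origin taken from the slide's snippet; everything else here is assumed.
const TRUSTED_ORIGIN = "http://example.org:8080";

// The pattern the slide warns about: reconstituting the string with eval(),
// which also runs any code smuggled into it ("Site A + JSON + Site B").
function unsafeParse(data) {
  return eval("(" + data + ")");
}

// Hardened receiver: exact origin match, strict JSON, one accepted shape.
// Returns the parsed message, or null for anything it refuses.
function receiveMessage(event) {
  if (event.origin !== TRUSTED_ORIGIN) return null;   // drop other origins first
  if (typeof event.data !== "string") return null;
  let msg;
  try {
    msg = JSON.parse(event.data);                     // data, never code
  } catch (e) {
    return null;                                      // not JSON: refuse it
  }
  if (!msg || typeof msg !== "object" ||
      msg.type !== "status" || typeof msg.count !== "number") return null;
  return msg;
}
// In a page: window.addEventListener("message", e => use(receiveMessage(e)));

// Constructed sample events (fields mirror a MessageEvent).
const good = { origin: TRUSTED_ORIGIN, data: '{"type":"status","count":3}' };
const wrongOrigin = { origin: "http://attacker.example", data: good.data };
// Valid as a JS expression (object literal, then a side effect) but not JSON:
// unsafeParse() runs the assignment, receiveMessage() rejects the message.
const smuggled = { origin: TRUSTED_ORIGIN,
  data: '{"type":"status","count":3}, globalThis.evalRan = true' };
```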
staniford, paxson & weaver’s RECONNAISSANCE techniques
• “hit list scanning” (how sexy is that term? answer: mega)
• permutation scanning
• topological scanning
not without malware, cross-site XHR
next gen xss worm ATTACK (2 of 5)
an attack component will be added to the client side
• new client side piece delivered with reconnaissance piece to attack other off-domain web apps
• 85% of websites have XSS (how much is reflected vs. stored?)
• how likely is it to find a stored XSS in another web app with a blackbox scan? not likely, but with 1,000,000 nodes, our chances go way up
• once we find one - push patches out to the worm nodes for targeting
polymorphic javascript
b. hoffman & j. terrill at BH2007 demonstrated: javascript, like any language, can be highly mutated
Before Mutation: doEvil1()
After Mutation: zDx/*fdSa*/()
Mutation Effects: symbol renaming, random comment introduction
Before Mutation: xhr.open("GET",url,true);
After Mutation: xhr.open("G"+"ET",\turl, true);
Mutation Effects: string fragmentation, whitespace randomization
also: countless encodings, block re-structuring, JIT eval compilation
next gen xss worm COMMUNICATION (3 of 5)
a communication component will NEVER occur in an XSS worm
• can’t communicate directly from victim browser to another victim browser
• “centralization” in worms is just another word for weakness
• even if you could have node-to-node communication, no way to mutually authenticate
• no way to avoid c&c poisoning (good guy sends worm a message: self-destruct plz)
next gen xss worm COMMAND (4 of 5)
a command component will be added to the worm payload
• communication w/ operator necessary for command-and-control structure, data delivery (new target information, source updates, etc)
• old and busted: centralized source updates
  – worm calls http://www.evil.com/evil.js
  – attacker keeps evil.js the latest greatest copy of worm
  – easy for large worm network to overload (DoS)
  – easy to call registrar/ISP and get it taken down
• new hotness: introducing… Distributed XSS Worm Node C&C Structure!
[diagram: distributed C&C via remote scripting. Attacker quietly posts signed payloads on www.evil.com, www.geocities.com/evil1, www.myspace.com/evil2 and www.sharedhost.net/evil3 (www.goodguys.com/poison also appears among the results). Victim on MyFaceNovel.com creates a token, queries Google for the token using JSON, finds a signed result and executes the signed payload.]
wait… signing in javascript?
RSA, AES, everything … in javascript
http://home.versatel.nl/MAvanEverdingen/Code/
next gen xss worm INTELLIGENCE (5 of 5)
an intelligence component will be used
• after initial worm stages, it can’t be trusted (adversaries can poison)
• xss worms probably don’t need this – they typically follow this pattern
  – First 24 hours: reach massive infections through epic growth rate
  – After that: gone and never seen again
The Defense
search+destroying polymorphed javascript
martin johns: “sure you can polymorph javascript to absurd levels, but the vector can’t vary greatly”
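An added example, not from the talk: a search-and-destroy check in the spirit of Johns’ point, which undoes the mutations shown on the polymorphic javascript slide (comments, whitespace randomization, string fragmentation) before matching the stored content against known vector strings; the same check is what an egress filter would run before serving a page. The normalizer is deliberately simple (no regex literals or template strings), and the vector list and samples are constructed for the example.

```javascript
// Strings are kept verbatim; comments and all whitespace outside strings are
// dropped. Simplified: regex literals and template strings are not handled.
const TOKEN = /("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')|\/\*[\s\S]*?\*\/|\/\/[^\n]*|\s+/g;
const CONCAT = /"((?:[^"\\]|\\.)*)"\+"((?:[^"\\]|\\.)*)"/g;

// Canonical form of a JavaScript fragment for signature comparison.
function normalizeJs(src) {
  let out = src.replace(TOKEN, (m, str) => (str !== undefined ? str : ""));
  out = out.replace(/'((?:[^'\\]|\\.)*)'/g, '"$1"');   // 'x' -> "x"
  let prev;
  do {                                                   // "G"+"E"+"T" -> "GET"
    prev = out;
    out = out.replace(CONCAT, '"$1$2"');
  } while (out !== prev);
  return out;
}

// Identifier renaming (doEvil1 -> zDx) survives normalization, so vectors are
// written around the API calls the payload cannot rename, not its own names.
function containsVector(src, vector) {
  return normalizeJs(src).includes(normalizeJs(vector));
}

// Constructed vector list; a real deployment derives these from the live worm.
const KNOWN_VECTORS = ['xhr.open("GET", url, true);', "xhr.send(null);"];

// Which known vectors a stored profile/comment field contains.
function scan(src) {
  return KNOWN_VECTORS.filter(v => containsVector(src, v));
}

// Constructed sample: the slide's mutations applied to the payload.
const MUTATED = [
  "zDx/*fdSa*/();",
  "xhr.onreadystatechange = handleIt ;",
  'xhr.open("G"+\'ET\',\turl, true ); // harmless-looking comment',
  "xhr.send( null );",
].join("\n");
// Constructed benign content with the same tokens in a different shape.
const BENIGN = 'var img = new Image(); img.src = "/logo.png"; // GET logo';
```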
on demand exploit egress filters
popular sites need agile response techniques
before filter:
doSomethingEvil();
xhr.onreadystatechange=handleIt;
xhr.open("GET",url,true);
xhr.send(null);
after filter:
doSomethingEvil();
xhr.onreadystatechange=handleIt;
//xhr.open("GET",url,true);
xhr.send(null);
OWASP AntiSamy – safe rich input validation
• AntiSamy uses a positive security model for rich input validation
• High assurance mechanism for stopping XSS (and phishing) attacks
(samy)
http://www.owasp.org/index.php/AntiSamy
utilizing cross-domain workflows
• letting the browser SOP protection prevent cookie disclosure + sensitive application information
• rsnake’s anti-iframe solution, iframes for in-house apps
browser content restrictions
<jail secret="OJE3foiwse">
dangerous user content
</jail secret="OJE3foiwse">
• doesn’t make sense in a DOM
• reqs parsers to honor end tag attributes
<start-jail secret="FASj325s"/>
dangerous user content
<end-jail secret="FASj325s"/>
• my idea
• way better
[mockup: Book Reviews page listing ThiefBook, Thief1, Thief2 with Buy and Find buttons, a Policy section and Ads]
questions and answers