DOM XSS: ENCOUNTERS OF THE 3RD KIND



http://www.flickr.com/photos/8407953@N03/5990642198/
OBJECTIVES




http://www.w3schools.com/htmldom/default.asp
http://www.flickr.com/photos/spaceodissey/2580085025/sizes/z/in/photostream/
http://www.flickr.com/photos/22841448@N08/2337148051/
http://www.flickr.com/photos/jesse_sneed/2383953694/
http://www.flickr.com/photos/diavolo/5870934960/
UNDERSTANDING DOM
COMPLEX BROWSER CONTEXTS

- JavaScript URI XSS
- HTML->DOM->HTML Auto Decoding (to be covered in Demo#7)
- JavaScript Auto Decoding (not covered. Similar to Demo#7)

Ref: http://www.cs.berkeley.edu/~dawnsong/papers/2011%20systematic%20analysis%20xss
WHY WORRY?

Predicted to be one of the top 5 security issues for 2011
http://jeremiahgrossman.blogspot.com/2011/02/top-ten-web-hacking-techniques-of-2011.html

Native APIs & Frameworks do not protect.
Context, performance & security are an afterthought.

Who is safe? Those who write quality code – DOM Construction and Input Sanitization
But, could they (YUI/jQuery/Browsers) do better?
Yes, MY WISHLIST
- make it easier to do the right thing
- Warn on unsafe & abuse-able APIs
- Provide in-function sanitization capability
(Aah, context-sensitive auto-sanitization would be great, but let’s not be too optimistic ATM)

IBM found 2370 vulnerabilities on 92 sites out of 850 Fortune 500
http://public.dhe.ibm.com/common/ssi/ecm/en/raw14252usen/RAW14252USEN.PDF
(They released a commercial add-on to AppScan called JSA. Not available for eval yet)

Minded Security found 56 out of Alexa top 100 sites vulnerable
http://blog.mindedsecurity.com/2011/05/dominator-project.html
(They also released a free tool - DOMinator, we will eval that)
SAMPLE #1: DOM XSS (WITH DOMINATOR)




Q#1: New? No, first discovered by Amit Klein in 2005 www.webappsec.org/projects/articles/071105.shtml

Q#2: Then why now? Because code shifted client side - RIA, AJAX, Web2.0

Q#3: What are the tools?
- Do you think they solve the problem?
- Clever people solve, wise avoid. Code Defensively
- Anyway, DOMinator and AppScan appear to do a bit but not enough
- Besides DOMinator's false negatives, I found it quite unstable on RIA with lots of YUI and jQuery. It crashed repeatedly.
SAMPLE #1: WHAT WENT WRONG? WHAT WOULD HAVE SAVED THE DAY?

- Taint Sources (Direct or Indirect)
- Taint Sinks (eval, location.replace)
- Defensive Coding

Taint Sources & Sinks: http://code.google.com/p/domxsswiki/wiki/Introduction
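As an added example (not code from the slides), a small checker that applies this slide's taint source/sink idea to a constructed script; the source and sink names follow the domxsswiki list linked above, and `findDomXssFlows` and `SAMPLE` are hypothetical names of my own:

```javascript
// Added example (not from the slides): a small, line-based taint checker for
// the source -> sink pattern behind DOM XSS. It only follows simple
// assignments inside one file, so it is a triage aid for code review, not a
// substitute for a DOM-aware tool or a manual read of the sinks it flags.
// Source and sink names follow the domxsswiki list referenced on the slide.
const TAINT_SOURCES = [
  'location.hash', 'location.search', 'location.href', 'document.URL',
  'document.documentURI', 'document.referrer', 'window.name',
];
const TAINT_SINKS = [
  'eval', 'setTimeout', 'setInterval', 'Function', 'document.write',
  'document.writeln', 'location.replace', 'location.assign',
  'innerHTML', 'outerHTML',
];

// Escape a literal so it can be embedded in a RegExp.
function reEscape(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); }

const SOURCE_RE = new RegExp(TAINT_SOURCES.map(reEscape).join('|'));
// A sink is a call "sink(" or a property assignment "sink =" (not "==").
const SINK_RE = new RegExp('\\b(' + TAINT_SINKS.map(reEscape).join('|') + ')\\s*(\\(|=(?!=))');
// Simple assignment to a plain identifier: [var|let|const] name = <expr>
const ASSIGN_RE = /^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)$/;

// Returns one finding {line, sink, via} per line where a sink consumes data
// that was taken (directly or through assignments) from a taint source.
function findDomXssFlows(source) {
  const tainted = new Map(); // variable name -> source it came from
  const findings = [];
  source.split('\n').forEach((text, i) => {
    const assign = ASSIGN_RE.exec(text);
    if (assign) {
      const [, name, rhs] = assign;
      const fromSource = SOURCE_RE.exec(rhs);
      const fromVar = [...tainted.keys()]
        .find(v => new RegExp('\\b' + reEscape(v) + '\\b').test(rhs));
      if (fromSource) tainted.set(name, fromSource[0]);
      else if (fromVar) tainted.set(name, tainted.get(fromVar));
      else tainted.delete(name); // overwritten with clean data
    }
    const sink = SINK_RE.exec(text);
    if (!sink) return;
    const arg = text.slice(sink.index + sink[0].length);
    const direct = SOURCE_RE.exec(arg);
    const viaVar = [...tainted.keys()]
      .find(v => new RegExp('\\b' + reEscape(v) + '\\b').test(arg));
    if (direct) findings.push({ line: i + 1, sink: sink[1], via: direct[0] });
    else if (viaVar) findings.push({ line: i + 1, sink: sink[1], via: tainted.get(viaVar) });
  });
  return findings;
}

// Constructed sample page script (not from any real site) exercising the checker.
const SAMPLE = [
  'var hash = location.hash.substring(1);',
  'var name = decodeURIComponent(hash);',
  'document.getElementById("greet").innerHTML = "Hi " + name;', // flagged
  'var page = "home";',
  'eval("show_" + page + "()");',                               // clean data
  'var target = location.search.split("=")[1];',
  'location.replace(target);',                                  // flagged
  'name = "static";',
  'document.write(name);',                                      // name was overwritten
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findDomXssFlows(SAMPLE)) {
    console.log(`line ${f.line}: ${f.sink} fed from ${f.via}`);
  }
}
```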
SAMPLE #2: NOT IN VIEW SOURCE




Myth#1 : we have default framework auto-sanitization at the server
    – Server-side auto-sanitization like PHP Filter will not protect
    – It has no way of intercepting the DOM
SAMPLE #2: GENERATED SOURCE DOES SHOW
SAMPLE #2: DOMINATOR FALSE NEGATIVE
SAMPLE #3: YUI / JQUERY ISN’T BAD. DOM TEMPLATING IS!
SAMPLE #4: YUI / JQUERY ISN’T BAD. DOM TEMPLATING IS! (DOMINATOR DIDN’T CATCH THIS ONE EITHER)
SAMPLE #5: YOU DON’T NECESSARILY NEED FILTERING. YUI / NATIVE JS API (INNERTEXT) / OTHERS LET YOU PLAY SAFE. THIS IS CALLED DOM CONSTRUCTION
SAMPLE #5: BEWARE OF CONTEXTS. AGAIN YUI / NATIVE JS API / OTHERS ARE NOT BAD. NO FILTERING / CONTEXT INSENSITIVE FILTERING IS!
SAMPLE #6: BEWARE OF CONTEXTS. AGAIN YUI / NATIVE JS API / OTHERS ARE NOT BAD. NO FILTERING / CONTEXT INSENSITIVE FILTERING IS!
SAMPLE #7: BEWARE OF AUTO-DECODING. AGAIN YUI / NATIVE JS API / OTHERS ARE NOT BAD. INSECURE CODING / INSUFFICIENT FILTERING IS! (ANOTHER THING DOMINATOR DIDN’T CATCH)




Myth#2 : I encoded server-side, right?
 – Exception. When DOM and HTML are mixed they tend to explode
 – HTML->DOM->HTML means a switch of context and browser auto-decoding
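As an added example (not from the slides) covering Samples #5 to #7 and Myth#2: context-specific encoders (HTML, JS string, URL) and a Node model of the HTML->DOM->HTML round trip in which server-side encoding is undone by the DOM and then re-templated into innerHTML. `domTextContent` stands in for the browser's parser, and all function names are assumptions of mine:

```javascript
// Added example (not from the slides). A Node-runnable model of two points
// from the context and auto-decoding samples: output encoding has to match the
// sink's context, and an HTML->DOM->HTML round trip undoes server-side
// encoding, so a DOM-templating sink needs its own encoding step.

// HTML text / quoted-attribute context.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// JS string-literal context: every non-alphanumeric char becomes \xHH (or
// \uHHHH), so quotes, backslashes, line terminators and "</script>" cannot
// end the literal; HTML encoding alone would leave the quote characters intact.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? '\\x' + code.toString(16).padStart(2, '0')
                        : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL attribute context (href/src): allow-list http(s) only, which also
// covers the "JavaScript URI XSS" case from the browser-contexts slide.
function safeUrl(s) {
  const url = String(s).trim();
  return /^https?:\/\//i.test(url) ? encodeForHtml(url) : 'about:blank';
}

// Stand-in for the browser: parsing encoded text into a DOM text node
// decodes the entities, and el.textContent / innerText hands back the
// raw characters. (Real browsers decode far more entities; this models
// only the five produced by encodeForHtml.)
function domTextContent(encodedHtmlText) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return encodedHtmlText.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => map[e]);
}

// Myth#2 in code: the server encoded, a client widget reads the rendered
// text back and re-templates it into innerHTML by concatenation. The
// encoding was lost at the DOM step, so the data is markup again.
function unsafeRetemplate(serverEncoded) {
  const readBack = domTextContent(serverEncoded);
  return '<div class="note">' + readBack + '</div>';
}

// DOM-construction discipline: encode for the HTML context at the sink
// (equivalently, assign via textContent instead of building HTML strings).
function safeRetemplate(serverEncoded) {
  const readBack = domTextContent(serverEncoded);
  return '<div class="note">' + encodeForHtml(readBack) + '</div>';
}

// Number of tag openers in a rendered string; the template itself has two.
function countTags(html) {
  return (html.match(/<[a-z\/]/gi) || []).length;
}

// Constructed untrusted input, e.g. a profile field already stored on the server.
const INPUT = '<script>alert(1)</script>';
const SERVER_ENCODED = encodeForHtml(INPUT);

if (typeof require !== 'undefined' && require.main === module) {
  console.log('server sent :', SERVER_ENCODED);
  console.log('unsafe sink :', unsafeRetemplate(SERVER_ENCODED),
              'tags =', countTags(unsafeRetemplate(SERVER_ENCODED)));
  console.log('safe sink   :', safeRetemplate(SERVER_ENCODED),
              'tags =', countTags(safeRetemplate(SERVER_ENCODED)));
}
```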
THANKS FOLKS…




bish@route13.in   yukinying@gmail.com
 twitter:b1shan   twitter: yukinying
