25 million flows later large scale detection of dom based
play

25 Million Flows Later Large-scale Detection of DOM-based XSS CCS - PowerPoint PPT Presentation

Nov 26, 2022 •263 likes •619 views

25 Million Flows Later Large-scale Detection of DOM-based XSS CCS 2013, Berlin Sebastian Lekies, Ben Stock , Martin Johns Agenda XSS & Attacker Scenario WebSec guys: wake up once you see a cat Motivation Our contributions

  1. 25 Million Flows Later – Large-scale Detection of DOM-based XSS CCS 2013, Berlin Sebastian Lekies, Ben Stock , Martin Johns

  2. Agenda ● XSS & Attacker Scenario ● WebSec guys: wake up once you see a cat ● Motivation ● Our contributions ● Summary 2

  3. Cross-Site Scripting ● Execution of attacker-controlled code on the client in the context of the vulnerable app ● Three kinds: ● Persistent XSS: guestbook, ... Server side ● Reflected XSS: search forms, ... ● DOM-based XSS: also called local XSS Client side ● content dynamically added by JS (e.g. like button), .. 3

  4. Cross-Site Scripting: attacker model ● Attacker wants to inject own code into vuln. app ● steal cookie ● take abritrary action in the name of the user ● pretend to be the server towards the user ● ... Source: http://blogs.sfweekly.com/thesnitch/ cookie_monster.jpg 4

  5. Cross-Site Scripting: problem statement ● Main problem: attacker‘s content ends in document and is not properly filtered/encoded ● common for server- and client-side flaws ● Flow of data: from attacker-controllable source to security- sensitive sink ● Our Focus: client side JavaScript code ● Sources : e.g. the URL ● Sinks : e.g. document.write 5

  6. Example of a DOMXSS vulnerability document.write("<img src='//adve.rt/ise?hash=" + location.hash.slice(1)+ "'/>"); � ● Source: location.hash , Sink: document.write ● Intended usage: ● http://example.org/#mypage ● <img src='//adve.rt/ise?hash=mypage'/> � ● Exploiting the vuln: ● http://example.org/#'/><script>alert(1)</script> ● <img src='//adve.rt/ise?hash='/> 
 <script>alert(1)</script> 
 '/> 6

  7. How does the attacker exploit this? a. Send a crafted link to the victim b. Embed vulnerable page with payload into his own page h"p://ki"enpics.org ¡ Source: http://www.hd-gbpics.de/gbbilder/katzen/katzen2.jpg 7

  8. Our motivation and contribution ● Perform Large-scale analysis of DOMXSS vulnerabilities ● Automated, dynamic detection of suspicious flows ● Automated validation of vulnerabilities ● Our key components ● Taint-aware browsing engine ● Crawling infrastructure ● Context-specific exploit generator ● Exploit verification using the crawler 8

  9. Building a taint-aware browsing engine to find suspicious flows

  10. Our approach: use dynamic taint tracking ● Taint tracking : Track the flow of marked data from source to sink ● Implementation : into Chromium (Blink+V8) ● Requirements for taint tracking ● Taint all relevent values / propagate taints ● Report all sinks accesses ● be as precise as possible ● taint details on EVERY character 10

  11. Representing sources ● In terms of DOMXSS, we have 14 sources ● additionally, three relevant, built-in encoding functions ● escape, encodeURI and encodeURIComponent ● .. may prevent XSS vulnerabilites if used properly ● Goal: store source + bitmask of encoding functions for each character 11

  12. Representing sources (cntd) ● 14 sources è 4 bits sufficient ● 3 relevant built-in functions è 3 bits sufficient 7 bits < 1 byte ● è 1 Byte sufficient to store source + encoding functions ● encoding functions and counterparts set/unset bits ● hard-coded characters have source 0 enconding functions Source 12

  13. Representing sources (cntd) ● Each source API (e.g. URL or cookie) attaches taint bytes ● identifing the source of a char ● var x = location.hash.slice(1); � t ¡ e ¡ s ¡ ' ¡ 1 ¡ 1 ¡ 1 ¡ 1 ¡ ● x = escape(x); � t ¡ e ¡ s ¡ % ¡ 2 ¡ 7 ¡ 65 ¡ 65 ¡ 65 ¡ 65 ¡ 65 ¡ 65 ¡ 0 ¡ 1 ¡ 0 ¡ 0 ¡ 0 ¡ 0 ¡ 0 ¡ 1 ¡ 13

  14. Detecting sink access ● Taint propagated through all relevant functions ● Security-sensitive sinks report flow and details ● such as text, taint information, source code location ● Chrome extension to handle reporting ● keep core changes as small as possible Extension ● repack information in JavaScript V8 JS eval report ● stub function directly inside V8 WebKit document.write 14

  15. Empirical study on suspicious flows

  16. Crawling the Web (at University scale) ● Crawler infrastructure constisting of ● modified, taint-aware Browser'1' Browser'm' Tab'1' Tab'n' Tab'1' Tab'n' browsing engine Web' Web' Web' Web' page' page' page' page' ● browser extension ' ' ' ' &' &' &' &' ' ' ' ' user' user' user' user' …' …' …' to direct the engine script' script' script' script' content'' content'' ● Dispatching and content'' content'' script' script' script' script' reporting backend Background'script' Background'script' ● In total, we ran 6 machines Control'backend' 16

  17. Empirical study ● Shallow crawl of Alexa Top 5000 Web Sites ● Main page + first level of links ● 504,275 URLs scanned in roughly 5 days ● on average containing ~8,64 frames ● total of 4,358,031 analyzed documents ● Step 1: Flow detection ● 24,474,306 data flows from possibly attacker-controllable input to security-sensitive sinks 17

  18. Context-Sensitive Generation of Cross-Site Scripting Payloads

  19. Validating vulnerabilities ● Current Situation: ● Taint-tracking engine delivers suspicious flows ● Suspicious flow != Vulnerability ● Why may suspicious flows not be exploitable? ● e.g. custom filter, validation or encoding function <script> � if (/^[a-z][0-9]+$/.test(location.hash.slice(1)) { � document.write(location.hash.slice(1)); � } � </script> ● Validation needed: working exploit 19

  20. Anatomy of an XSS Exploit ● Cross-Site Scripting exploits are context-specific: ● HTML Context ● Vulnerability: document.write("<img src='pic.jpg?hash=" � � + location.hash.slice(1) + "'>"); ● Exploit: '><script>alert(1)</script><textarea> ● JavaScript Context ● Vulnerability: eval("var x = '" + location.hash + "';"); ● Exploit: '; alert(1); // 20

  21. Anatomy of an XSS Exploit '><script> alert(1); </script><textarea> '; alert(1); // Break-out Sequence Payload Break-in / Comment Sequence ● Context-Sensitivity ● Breakout-Sequence: Highly context sensitive (generation is difficult) ● Payload: Not context sensitive (arbitrary JavaScript code) ● Comment Sequence: Very easy to generate (choose from a handful of options) 21

  22. Breaking out of JavaScript contexts ● JavaScript Context <script> � var code = 'function test(){' � � + 'var x = "' + location.href + '";' � � //inside function test � � + 'doSomething(x);' � � + '}'; � //top level � eval(code); � </script> ● Visiting http://example.org/ in our engine eval(' 
 function test() { � var x = "http://example.org"; � doSomething(x); � } 
 '); 22

  23. Syntax tree to working exploit function test() { � ● Two options here: var x = "http://example.org"; � doSomething(x); � } ● break out of string ● break out of function definition ● Latter is more reliable ● function test not necessarily called automatically on „normal“ execution Tainted ¡value ¡aka ¡ injecAon ¡point ¡ 23

  24. Generating a valid exploit } ; “ ● Traverse the AST upwards and “end” the branches ● Breakout Sequence: “;} function test() { � ● Comment: // var x = "http://example.org"; � } � ● Exploit: ";}alert(1);// alert(1);//“; doSomething(x); } ● Visit: http://example.org/#";}alert(1);// 24

  25. Validating vulnerabilities ● Our focus: directly controllable exploits ● Sinks : direct execution sinks ● HTML sinks (document.write, innerHTML ,...) ● JavaScript sinks (eval, ...) ● Sources : location and referrer ● Only unencoded strings ● Not in the focus (yet): second-order vulnerabilities ● to cookie and from cookie to eval ● ... 25

  26. Empirical study ● Step 2: Flow reduction ● Only JavaScript and HTML sinks: 24,474,306 è 4,948,264 ● Only directly controllable sources: 4,948,264 è 1,825,598 ● Only unencoded flows: 1,825,598 è 313,794 ● Step 3: Precise exploit generation ● Generated a total of 181,238 unique test cases ● rest were duplicates (same URL and payload) ● basically same vuln twice in same page 26

  27. Empirical study ● Step 4: Exploit validation ● 69,987 out of 181,238 unique test cases triggered a vulnerability ● Step 5: Further analysis ● 8,163 unique vulnerabilities affecting 701 domains ● … of all loaded frames (i.e. also from outside Top 5000) ● 6,167 unique vulnerabilities affecting 480 Alexa top 5000 domains ● At least, 9.6 % of the top 5000 Web pages contain one or more XSS problems ● This number only represents the lower bound (!) 27

  28. Limitations ● No assured code coverage ● e.g. debug GET-param needed? ● also, not all pages visited (esp. stateful applications) ● Fuzzing might get better results ● does not scale as well ● Not yet looking at the „harder“ flows ● found one URL è Cookie è eval „by accident“ 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps David Sounthiraraj Justin Sahs Garret Greenwood Zhiqiang Lin Latifur Khan University of Texas at Dallas February 26, 2014

671 views • 40 slides
Large-Scale Numerical Simulation of Fluid Structure Interactions in Low Reynolds Number Flows APS

Large-Scale Numerical Simulation of Fluid Structure Interactions in Low Reynolds Number Flows APS

Large-Scale Numerical Simulation of Fluid Structure Interactions in Low Reynolds Number Flows APS 64 rd Annual Meeting Division of Fluid Dynamics Ali EKEN &amp; Mehmet SAHIN 20 November 2011 Baltimore, Maryland, USA Astronautical Engineering

590 views • 36 slides
BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic

BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic

BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic New different approche for sending spam Basing on reputation of email providers Difficult to detect signup detection monitoring users' activity

157 views • 15 slides
Evaluation of Amplification attacks in large-scale networks to improve detection performance

Evaluation of Amplification attacks in large-scale networks to improve detection performance

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Evaluation of Amplification attacks in large-scale networks to improve detection performance Michael Kpferl Interdisciplinary Project Final

517 views • 49 slides
A Domain Decomposition Method for Large Scale Simulations of Two-phase Flows with Moving Contact

A Domain Decomposition Method for Large Scale Simulations of Two-phase Flows with Moving Contact

Introduction Model Numerical scheme Domain decomposition Numerical experiments Parallel performance Conclusion A Domain Decomposition Method for Large Scale Simulations of Two-phase Flows with Moving Contact Lines Li Luo 1 , Qian Zhang 1 ,

981 views • 41 slides
DNS of Multiphase Flows Simple Front Tracking DNS of Multiphase Flows Direct Numerical

DNS of Multiphase Flows Simple Front Tracking DNS of Multiphase Flows Direct Numerical

DNS of Multiphase Flows Simple Front Tracking DNS of Multiphase Flows Direct Numerical Software is needed for a variety of purposes. Simulations of In addition to large scale somewhat general purpose codes that represent close

179 views • 4 slides
Anomaly Detection and Troubleshooting of Large Scale Systems from Event Logs Presented By Niloy

Anomaly Detection and Troubleshooting of Large Scale Systems from Event Logs Presented By Niloy

Anomaly Detection and Troubleshooting of Large Scale Systems from Event Logs Presented By Niloy Ganguly Bivas Mitra, Subhendu Khatuya Also in collaboration with NetApp Department of Computer Science and Engineering Indian Institute of

689 views • 53 slides
Data Analysis, Estimation, and Fault detection of Large-Scale Autonomous System of Vehicles Using

Data Analysis, Estimation, and Fault detection of Large-Scale Autonomous System of Vehicles Using

Data Analysis, Estimation, and Fault detection of Large-Scale Autonomous System of Vehicles Using Neural Networks Presented by: Parsa Yousefi Supervisors: Dr. M. Jamshidi, Dr. P. Benavidez June 23 rd , 2017 The University of Texas at San

571 views • 33 slides
Large-scale Evaluation of Distributed Attack Detection Thomas Gamer, Christoph P. Mayer Institut

Large-scale Evaluation of Distributed Attack Detection Thomas Gamer, Christoph P. Mayer Institut

Large-scale Evaluation of Distributed Attack Detection Thomas Gamer, Christoph P. Mayer Institut fr Telematik, Universitt Karlsruhe (TH), Germany Why Attack Detection still is important Distributed Denial-of-Service problem persists Attack

366 views • 19 slides
Large-scale performance monitoring framework for cloud monitoring Run-Time Latency Detection in

Large-scale performance monitoring framework for cloud monitoring Run-Time Latency Detection in

Large-scale performance monitoring framework for cloud monitoring Run-Time Latency Detection in Production Julien Desfossez Michel Dagenais Dcembre 2014 cole Polytechnique de Montreal Latency-tracker Kernel module to track down

524 views • 17 slides
FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large Scale Solar Lead April 2017 CONTENTS 1. Introduction to CEFC 2. Investment trends 3. The future of large scale solar 4. Pathway to sustainable

664 views • 21 slides
Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han ,

Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han ,

Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han , Byunggil Joe, Byoungyoung Lee * , Chengyu Song , Insik Shin KAIST, * Purdue, UCR 1 Memory error glibc: getaddrinfo Heartbleed Shellshock

659 views • 47 slides
Specification-based intrusion detection Effectively detecting intrusions using business logic

Specification-based intrusion detection Effectively detecting intrusions using business logic

Specification-based intrusion detection Effectively detecting intrusions using business logic specification J. Lima, N. Escravana 1 Abstract In the recent years, the advent large-scale, highly targeted cyber-attacks raised the concern on the

375 views • 35 slides
Large-Scale Electronic Voting Protocols Mike Carpenter Introduction What is meant by large-scale

Large-Scale Electronic Voting Protocols Mike Carpenter Introduction What is meant by large-scale

Large-Scale Electronic Voting Protocols Mike Carpenter Introduction What is meant by large-scale electronic voting protocol: Primarily Internet-based Users voting from their own devices (such as home PC/laptop) Aimed toward actual

721 views • 21 slides
Large-Scale API Protocol Mining for Automated Bug Detection Michael Pradel Department of

Large-Scale API Protocol Mining for Automated Bug Detection Michael Pradel Department of

Large-Scale API Protocol Mining for Automated Bug Detection Michael Pradel Department of Computer Science ETH Zurich 1 Motivation LinkedList pinConnections = ...; Iterator i = pinConnections.iterator (); while ( i.hasNext () ) { PinLink

1.55k views • 127 slides
Schema Matching in a Large Scale Schema Matching in a Large Scale Personal Schema Based Querying

Schema Matching in a Large Scale Schema Matching in a Large Scale Personal Schema Based Querying

Schema Matching in a Large Scale Schema Matching in a Large Scale Personal Schema Based Querying Personal Schema Based Querying Marko Smiljani , Maurice van Keulen, Willem Jonker Dutch Dutch-Belgian Database Day Belgian Database Day -

442 views • 25 slides
4 Creeping Flow Equation 4 Creeping Flow Equation 4 Stream Function 4 Stream Function 4

4 Creeping Flow Equation 4 Creeping Flow Equation 4 Stream Function 4 Stream Function 4

4 Creeping Flow Equation 4 Creeping Flow Equation 4 Stream Function 4 Stream Function 4 Boundary Conditions 4 Boundary Conditions 4 Pressure Variations 4 Pressure Variations 4 Stokes Drag 4 Stokes Drag 4 Oseen 4 Oseen Drag Drag 4 4

383 views • 5 slides
Data-flow Analysis Idea Data-flow analysis derives information about the dynamic behavior of a

Data-flow Analysis Idea Data-flow analysis derives information about the dynamic behavior of a

Data-flow Analysis Idea Data-flow analysis derives information about the dynamic behavior of a program by only examining the static code Example How many registers do we need a := 0 1 for the program on the right? L1: b := a + 1 2

408 views • 12 slides
SESSION 3: CASH FLOW CLAIMS Cash Flows versus Earnings When asked to assess the financial

SESSION 3: CASH FLOW CLAIMS Cash Flows versus Earnings When asked to assess the financial

Aswath Damodaran 0 SESSION 3: CASH FLOW CLAIMS Cash Flows versus Earnings When asked to assess the financial health of a company, we almost invariably look at the accounting bottom line, i.e., earnings. There are two reasons why

111 views • 7 slides
7. Dual flows and algorithms Duality review Minimum-cost flow dual Specialized flow

7. Dual flows and algorithms Duality review Minimum-cost flow dual Specialized flow

CS/ECE/ISyE 524 Introduction to Optimization Spring 201718 7. Dual flows and algorithms Duality review Minimum-cost flow dual Specialized flow duals Max-flow problems LP solvers Wrap-up Laurent Lessard

341 views • 30 slides
Control flow Condition codes Conditional and unconditional jumps Loops Switch statements 1

Control flow Condition codes Conditional and unconditional jumps Loops Switch statements 1

Control flow Condition codes Conditional and unconditional jumps Loops Switch statements 1 Conditionals and Control Flow Familiar C constructs l if else l while l do while l for l break l continue Two key pieces 1. Comparisons and tests:

809 views • 50 slides
Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong

Enforcing Un Unique Code Target Property for Control-Flow Integrity Ho Hong Hu Hu, Chenxiong Qian, Carter Yagmann, Simon Pak Ho Chung, William R. Harris , Taesoo Kim, Wenke Lee * 1 Control-flow attack Control-flow: the order of

692 views • 31 slides
Ohio AAP Brush, Book, Bed: Program Implementation Guidance CME Disclaimer I have no personal

Ohio AAP Brush, Book, Bed: Program Implementation Guidance CME Disclaimer I have no personal

Ohio AAP Brush, Book, Bed: Program Implementation Guidance CME Disclaimer I have no personal financial relationships in any commercial interest related to this CME. I do not plan to reference off label/unapproved uses of drugs or devices.

221 views • 19 slides
Magic Fluorine Chemistry for Medicinal Chemistry Applications Wei Zhang University of

Magic Fluorine Chemistry for Medicinal Chemistry Applications Wei Zhang University of

NEACT 72 nd Annual Summer Conference St. Josephs College, Maine. August 1-4, 2011 Magic Fluorine Chemistry for Medicinal Chemistry Applications Wei Zhang University of Massachusetts Boston wei2.zhang@umb.edu Presentation Outline

3.48k views • 57 slides

More recommend