Tracing User Input Through JS is for Tools Jake Heath and Michael - - PowerPoint PPT Presentation



SLIDE 1

Tracing User Input Through JS is for Tools

Jake Heath and Michael Roberts

SLIDE 2

bio

Jake Heath

  • Penetration Tester @ NCC Group
  • San Francisco, CA
  • Beard
  • Bread

Michael Roberts

  • Penetration Tester @ NCC Group
  • San Francisco, CA
  • Can’t grow a beard
  • Less bread
SLIDE 3

overview

  • goal
  • tools
  • tracy
SLIDE 4

goal

...to eliminate all XSS

SLIDE 5

goal

...to eliminate all XSS
  ...with the DOM
  ...with human interaction

SLIDE 6

anti-goals

...to eliminate all XSS
  ...with AI
  ...with automated scanning
  ...with static analysis
  ...with blockchain$$

SLIDE 7

existing tools

  • manual testing & intercepting proxies
  • static analysis
  • other
SLIDE 8

manual testing - a shotgun approach

  • Burp Suite
  • spray app with payloads

○ <script>alert(n)</script>

  • navigate app until alert fires
  • identify which input triggered the alert
  • document the bug

SLIDE 9

manual testing - a shotgun approach

  • pros

○ super easy
○ requires very little setup or knowledge
○ fast

  • cons

○ simple input validation can slow down testing
○ no easy way to track origin
○ can get annoying
○ potentially poor coverage
○ Burp has no concept of the DOM

SLIDE 10

static analysis

  • Burp Active Scanner or Checkmarx
  • attempts to map sinks to sources

○ input field value -> dangerouslySetHTML()

  • uses an AST to try to resolve paths
SLIDE 11

static analysis

  • pros

○ very little user interaction
○ could find hidden logic
○ non-intrusive
○ low learning curve

  • cons

○ often cost $$$
○ >> false positive/false negatives
○ time intensive
○ no DOM context
○ misses server side logic

SLIDE 12

other

  • browser forks

○ has the ability to monitor call stack of potential input sources
○ follow all sources to potential sinks

  • headless browser
SLIDE 13

other

  • pros

○ has a deep understanding of the JavaScript and DOM
○ can understand how to unlock new paths
○ complete tracing of input

  • cons

○ hard to keep up to date
○ $$
○ learning curve

SLIDE 14

tracy

  • MutationObserver
  • browser extension
  • proxy

SLIDE 15

How is this possible?

SLIDE 16

SLIDE 17

Tracy Workflow

SLIDE 18

Tracy Workflow

SLIDE 19

Using DOM Mutations to Detect XSS
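The DOM-mutation detection this slide refers to, as an added example that is not Tracy's own code: a MutationObserver callback scans each mutation for injected tracer ids and records where each one landed (plain text, an attribute, an inline on* event handler, or the body of a script element), which is what separates a harmless reflection from a real sink. The names classifyHit, scanRecord, watchForTracers and CONTEXT, and the duck-typed node shape, are assumptions made for this illustration.

```javascript
// Contexts a tracer can land in, roughly from least to most dangerous.
const CONTEXT = { TEXT: "text", ATTRIBUTE: "attribute", EVENT_HANDLER: "event-handler", SCRIPT: "script" };

// Find every place `tracer` occurs in a node, its attributes and its children.
// The node only needs to look like a DOM Node (nodeType, nodeName, nodeValue,
// attributes, childNodes, parentNode), so this also runs on constructed objects.
function classifyHit(tracer, node, onlyAttr) {
  const hits = [];
  const tag = (n) => String(n.nodeName).toLowerCase();
  if (node.nodeType === 3 && String(node.nodeValue).includes(tracer)) {
    // Text under <script> is executed rather than rendered, so it is a sink.
    const inScript = !!node.parentNode && tag(node.parentNode) === "script";
    hits.push({ tracer, context: inScript ? CONTEXT.SCRIPT : CONTEXT.TEXT,
                where: node.parentNode ? tag(node.parentNode) : "#text" });
  } else if (node.nodeType === 1) {
    for (const attr of Array.from(node.attributes || [])) {
      const name = String(attr.name).toLowerCase();
      if ((onlyAttr && name !== onlyAttr) || !String(attr.value).includes(tracer)) continue;
      // on* attributes are inline handlers: landing there means script execution.
      hits.push({ tracer, context: name.startsWith("on") ? CONTEXT.EVENT_HANDLER : CONTEXT.ATTRIBUTE,
                  where: `${tag(node)}[${name}]` });
    }
    if (!onlyAttr) for (const c of Array.from(node.childNodes || [])) hits.push(...classifyHit(tracer, c));
  }
  return hits;
}

// Scan one MutationRecord-shaped object (type, target, addedNodes, attributeName) for every tracer id.
function scanRecord(tracers, record) {
  const hits = [];
  for (const tracer of tracers) {
    if (record.type === "childList") {
      for (const n of Array.from(record.addedNodes || [])) hits.push(...classifyHit(tracer, n));
    } else if (record.type === "attributes") {
      hits.push(...classifyHit(tracer, record.target, String(record.attributeName).toLowerCase()));
    } else if (record.type === "characterData") {
      hits.push(...classifyHit(tracer, record.target));
    }
  }
  return hits;
}

// Browser wiring (needs a real DOM): report every tracer hit as the page mutates.
function watchForTracers(root, tracers, report) {
  const observer = new MutationObserver((records) => {
    for (const r of records) for (const h of scanRecord(tracers, r)) report(h);
  });
  observer.observe(root, { childList: true, subtree: true, attributes: true, characterData: true });
  return observer;
}
```

In a page, `watchForTracers(document.documentElement, ["TRACY7a1b"], console.log)` would log each landing spot as the tracer id is rendered; the same scanRecord logic can be driven from constructed records outside the browser.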

SLIDE 20

demo!

SLIDE 21

What can tracy do?

  • eliminates all XSS...well, at least the easy XSS for now.
  • maps all inputs to outputs.
  • automatically discover vulnerable cases of XSS.
  • automatically generate reproduction steps for XSS...soon
SLIDE 22

future work

  • stability
  • automatic generation of reproduction steps (NEXT COMMIT!)
  • verification of XSS (NEXT COMMIT!)

○ PhantomJS - replay recorded flows

  • js method hooking

○ granular view of different functions that execute with tainted sources
○ capturing events for eval, setTimeout, setInterval, etc.

  • frontend fuzzing (NEXT COMMIT!)
  • offline bruteforcing

○ 0 network requests

SLIDE 23

Questions

https://github.com/nccgroup/tracy
@JacobRHeath

SLIDE 24

Sources

  • https://chrome.google.com/webstore/detail/tracy/lcgbimfijafcjjijgjoodgpblgmkckhn
  • https://addons.mozilla.org/en-US/firefox/addon/tracyplugin/
  • https://portswigger.net/burp
  • https://www.checkmarx.com/
  • http://phantomjs.org/