DOM XSS: ENCOUNTERS OF THE 3RD KIND

http://www.flickr.com/photos/8407953@N03/5990642198/
OBJECTIVES

http://www.w3schools.com/htmldom/default.asp
http://www.flickr.com/photos/spaceodissey/2580085025/sizes/z/in/photostream/
http://www.flickr.com/photos/22841448@N08/2337148051/
http://www.flickr.com/photos/jesse_sneed/2383953694/
http://www.flickr.com/photos/diavolo/5870934960/
UNDERSTANDING DOM

COMPLEX BROWSER CONTEXTS
- JavaScript URI XSS
- HTML->DOM->HTML Auto Decoding (to be covered in Demo#7)
- JavaScript Auto Decoding (not covered. Similar to Demo#7)

Ref: http://www.cs.berkeley.edu/~dawnsong/papers/2011%20systematic%20analysis%20xss
WHY WORRY?

Predicted to be one of the top 5 security issues for 2011
http://jeremiahgrossman.blogspot.com/2011/02/top-ten-web-hacking-techniques-of-2011.html

Who is safe? Those who write quality code – DOM Construction and Input Sanitization.
But, could they (YUI/jQuery/Browsers) do better? Yes, MY WISHLIST:
- make it easier to do the right thing
- Warn on unsafe & abuse-able APIs
- Provide in-function sanitization capability
(Aah, context-sensitive auto-sanitization would be great, but let’s not be too optimistic ATM)

Native APIs & Frameworks do not protect. Context, performance & security are an afterthought.

IBM found 2370 vulnerabilities on 92 sites out of 850 Fortune 500
http://public.dhe.ibm.com/common/ssi/ecm/en/raw14252usen/RAW14252USEN.PDF
(They released a commercial add-on to AppScan called JSA. Not available for eval yet)

Minded Security found 56 out of Alexa top 100 sites vulnerable
http://blog.mindedsecurity.com/2011/05/dominator-project.html
(They also released a free tool - DOMinator, we will eval that)
SAMPLE #1: DOM XSS (WITH DOMINATOR)

Q#1: New? No, first discovered by Amit Klein in 2005 www.webappsec.org/projects/articles/071105.shtml

Q#2: Then why now? Because code shifted client side - RIA, AJAX, Web2.0

Q#3: What are the tools?
- Do you think they solve the problem?
- Clever people solve, wise avoid. Code Defensively
- Anyways DOMinator and AppScan appear to do a bit but not enough
- Besides DOMinator false negatives, I found it quite unstable on RIA with lots of YUI and jQuery. It crashed repeatedly.
SAMPLE #1: WHAT WENT WRONG? WHAT WOULD HAVE SAVED THE DAY?

- Taint Sources (Direct or Indirect)
- Taint Sinks (eval, location.replace)
- Defensive Coding

Taint Sources & Sinks: http://code.google.com/p/domxsswiki/wiki/Introduction
SAMPLE #2: NOT IN VIEW SOURCE

Myth#1: we have default framework auto-sanitization at the server
    – Server-side auto-sanitization like PHP Filter will not protect
    – It has no way of intercepting the DOM
SAMPLE #2: GENERATED SOURCE DOES SHOW

SAMPLE #2: DOMINATOR FALSE NEGATIVE

SAMPLE #3: YUI / JQUERY ISN’T BAD. DOM TEMPLATING IS!

SAMPLE #4: YUI / JQUERY ISN’T BAD. DOM TEMPLATING IS! (DOMINATOR DIDN’T CATCH THIS ONE TOO)

SAMPLE #5: YOU DON’T NECESSARILY NEED FILTERING. YUI / NATIVE JS API (INNERTEXT) / OTHERS LET YOU PLAY SAFE. THIS IS CALLED DOM CONSTRUCTION

SAMPLE #5: BEWARE OF CONTEXTS. AGAIN YUI / NATIVE JS API / OTHERS ARE NOT BAD. NO FILTERING / CONTEXT INSENSITIVE FILTERING IS!

SAMPLE #6: BEWARE OF CONTEXTS. AGAIN YUI / NATIVE JS API / OTHERS ARE NOT BAD. NO FILTERING / CONTEXT INSENSITIVE FILTERING IS!
SAMPLE #7: BEWARE OF AUTO-DECODING. AGAIN YUI / NATIVE JS API / OTHERS ARE NOT BAD. INSECURE CODING / INSUFFICIENT FILTERING IS! (ANOTHER THING DOMINATOR DIDN’T CATCH)
Myth#2: I encoded server-side, right?
 – Exception. When DOM and HTML are mixed they tend to explode
 – HTML->DOM->HTML means switching of context and browser auto-decoding
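The HTML->DOM->HTML round trip from Myth#2, as an added example that is not part of the deck. The browser's DOM read is simulated with a small entity decoder (in a real page the same decoding happens inside el.value / el.getAttribute()); the server response, function names and search term are constructed.

```javascript
// Added example (not from the slides): why "I encoded server-side" stops
// holding once a value makes the HTML -> DOM -> HTML round trip.

// Constructed server response: the search term WAS correctly HTML-encoded
// before being placed in the attribute, so this markup is safe as delivered.
const SERVER_HTML = '<input id="q" value="&lt;i&gt;search term&lt;/i&gt;">';

// Subset of the browser's entity decoding: the named entities used here plus
// decimal and hex numeric references.
function decodeEntities(s) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
  return String(s).replace(/&(#x[0-9a-f]+|#[0-9]+|lt|gt|amp|quot|apos);/gi, (m, e) => {
    if (e[0] === '#') {
      const cp = e[1].toLowerCase() === 'x'
        ? parseInt(e.slice(2), 16)
        : parseInt(e.slice(1), 10);
      return String.fromCodePoint(cp);
    }
    return named[e.toLowerCase()];
  });
}

// Simulated DOM read: what el.value / el.getAttribute(name) returns is the
// DECODED string, i.e. the server's encoding has already been undone.
function readAttribute(html, name) {
  const m = String(html).match(new RegExp('\\b' + name + '="([^"]*)"', 'i'));
  return m ? decodeEntities(m[1]) : null;
}

// HTML text-context encoder for the second context switch.
function encodeForHtmlText(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the DOM-read value is concatenated straight into a string the
// page then assigns to innerHTML, so the term re-enters an HTML context raw.
function buildResultVulnerable(html) {
  return 'You searched for: ' + readAttribute(html, 'value');
}

// Fixed: re-encode for the new context (or, in a browser, assign the raw term
// to textContent instead of innerHTML).
function buildResultSafe(html) {
  return 'You searched for: ' + encodeForHtmlText(readAttribute(html, 'value'));
}

// Number of tags the HTML parser would create from a string given to innerHTML.
function countTags(s) {
  return (String(s).match(/<\/?[a-z][^>]*>/gi) || []).length;
}
```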
THANKS FOLKS…

bish@route13.in (twitter: b1shan)
yukinying@gmail.com (twitter: yukinying)

Contenu connexe

Tendances

Holiday Science Lecture: Art, Life and Programming
Holiday Science Lecture: Art, Life and ProgrammingHoliday Science Lecture: Art, Life and Programming
Holiday Science Lecture: Art, Life and ProgrammingCate Huston
 
Mantendo e mails sobre controle
Mantendo e mails sobre controleMantendo e mails sobre controle
Mantendo e mails sobre controlem Peixoto
 
Owen wallace week two
Owen wallace week twoOwen wallace week two
Owen wallace week twoowwallace
 
Our students won_t_research_the_way_we_did
Our students won_t_research_the_way_we_didOur students won_t_research_the_way_we_did
Our students won_t_research_the_way_we_didNate Kogan
 
Professional Persona Presentation by Levi Jardim
Professional Persona Presentation by Levi JardimProfessional Persona Presentation by Levi Jardim
Professional Persona Presentation by Levi JardimLevi Jardim
 
Photoshop's New Groove
Photoshop's New GroovePhotoshop's New Groove
Photoshop's New GrooveDan Rose
 
How To Blog Like A Rock Star
How To Blog Like A Rock StarHow To Blog Like A Rock Star
How To Blog Like A Rock StarCarina Novarese
 
Pecha kucha
Pecha kuchaPecha kucha
Pecha kuchaaem1178
 
Tools for Self-Awareness
Tools for Self-AwarenessTools for Self-Awareness
Tools for Self-AwarenessLori Cotten
 
JavaScript as a First Class Language
JavaScript as a First Class LanguageJavaScript as a First Class Language
JavaScript as a First Class Languagefabiopereirame
 
Gestural UI: the iPhone taught us to flick and pinch, what's next?
Gestural UI: the iPhone taught us to flick and pinch, what's next?Gestural UI: the iPhone taught us to flick and pinch, what's next?
Gestural UI: the iPhone taught us to flick and pinch, what's next?Gabriel White
 

Tendances (16)

Mobile Learning v3.5
Mobile Learning v3.5Mobile Learning v3.5
Mobile Learning v3.5
 
Holiday Science Lecture: Art, Life and Programming
Holiday Science Lecture: Art, Life and ProgrammingHoliday Science Lecture: Art, Life and Programming
Holiday Science Lecture: Art, Life and Programming
 
Mantendo e mails sobre controle
Mantendo e mails sobre controleMantendo e mails sobre controle
Mantendo e mails sobre controle
 
Owen wallace week two
Owen wallace week twoOwen wallace week two
Owen wallace week two
 
Our students won_t_research_the_way_we_did
Our students won_t_research_the_way_we_didOur students won_t_research_the_way_we_did
Our students won_t_research_the_way_we_did
 
Professional Persona Presentation by Levi Jardim
Professional Persona Presentation by Levi JardimProfessional Persona Presentation by Levi Jardim
Professional Persona Presentation by Levi Jardim
 
Photoshop's New Groove
Photoshop's New GroovePhotoshop's New Groove
Photoshop's New Groove
 
How To Blog Like A Rock Star
How To Blog Like A Rock StarHow To Blog Like A Rock Star
How To Blog Like A Rock Star
 
Barcamp du Clair2013
Barcamp du Clair2013Barcamp du Clair2013
Barcamp du Clair2013
 
Pecha kucha
Pecha kuchaPecha kucha
Pecha kucha
 
Animals 1
Animals 1Animals 1
Animals 1
 
Tools for Self-Awareness
Tools for Self-AwarenessTools for Self-Awareness
Tools for Self-Awareness
 
JavaScript as a First Class Language
JavaScript as a First Class LanguageJavaScript as a First Class Language
JavaScript as a First Class Language
 
Act as
Act asAct as
Act as
 
Gestural UI: the iPhone taught us to flick and pinch, what's next?
Gestural UI: the iPhone taught us to flick and pinch, what's next?Gestural UI: the iPhone taught us to flick and pinch, what's next?
Gestural UI: the iPhone taught us to flick and pinch, what's next?
 
dunia mistik
dunia mistikdunia mistik
dunia mistik
 

En vedette

[NodeConf.eu 2014] Scaling AB Testing on Netflix.com with Node.js
[NodeConf.eu 2014] Scaling AB Testing on Netflix.com with Node.js[NodeConf.eu 2014] Scaling AB Testing on Netflix.com with Node.js
[NodeConf.eu 2014] Scaling AB Testing on Netflix.com with Node.jsAlex Liu
 
OpenJDK Penrose Presentation (JavaOne 2012)
OpenJDK Penrose Presentation (JavaOne 2012)OpenJDK Penrose Presentation (JavaOne 2012)
OpenJDK Penrose Presentation (JavaOne 2012)David Bosschaert
 
SXSW Keynote - The Game Layer On Top Of The World
SXSW Keynote - The Game Layer On Top Of The WorldSXSW Keynote - The Game Layer On Top Of The World
SXSW Keynote - The Game Layer On Top Of The WorldSeth Priebatsch
 
eMarketer Webinar: Mobile Marketing Trends, Insights and Best Practices
eMarketer Webinar: Mobile Marketing Trends, Insights and Best PracticeseMarketer Webinar: Mobile Marketing Trends, Insights and Best Practices
eMarketer Webinar: Mobile Marketing Trends, Insights and Best PracticeseMarketer
 
sizeof(Object): how much memory objects take on JVMs and when this may matter
sizeof(Object): how much memory objects take on JVMs and when this may mattersizeof(Object): how much memory objects take on JVMs and when this may matter
sizeof(Object): how much memory objects take on JVMs and when this may matterDawid Weiss
 
UX e Fontes de Tráfego
UX e Fontes de TráfegoUX e Fontes de Tráfego
UX e Fontes de TráfegoNeue Labs
 
Corporate Open Source Anti-patterns
Corporate Open Source Anti-patternsCorporate Open Source Anti-patterns
Corporate Open Source Anti-patternsbcantrill
 
Yahoo Connected TV Developer Pulse Event
Yahoo Connected TV Developer Pulse EventYahoo Connected TV Developer Pulse Event
Yahoo Connected TV Developer Pulse EventYahooConnectedTV
 
Introduction to Metro Applications
Introduction to Metro ApplicationsIntroduction to Metro Applications
Introduction to Metro ApplicationsMichael Collins
 
Lessons from the new sales model
Lessons from the new sales modelLessons from the new sales model
Lessons from the new sales modelJames Cham
 
Linux and H/W optimizations for MySQL
Linux and H/W optimizations for MySQLLinux and H/W optimizations for MySQL
Linux and H/W optimizations for MySQLYoshinori Matsunobu
 
Spark and Shark: Lightning-Fast Analytics over Hadoop and Hive Data
Spark and Shark: Lightning-Fast Analytics over Hadoop and Hive DataSpark and Shark: Lightning-Fast Analytics over Hadoop and Hive Data
Spark and Shark: Lightning-Fast Analytics over Hadoop and Hive DataJetlore
 
Big Data Cloud Meetup - Jan 29 2013 - Mike Stonebraker & Scott Jarr of VoltDB
Big Data Cloud Meetup - Jan 29 2013 - Mike Stonebraker & Scott Jarr of VoltDBBig Data Cloud Meetup - Jan 29 2013 - Mike Stonebraker & Scott Jarr of VoltDB
Big Data Cloud Meetup - Jan 29 2013 - Mike Stonebraker & Scott Jarr of VoltDBBigDataCloud
 
Scala Data Pipelines for Music Recommendations
Scala Data Pipelines for Music RecommendationsScala Data Pipelines for Music Recommendations
Scala Data Pipelines for Music RecommendationsChris Johnson
 
DefCore: The Interoperability Standard for OpenStack
DefCore: The Interoperability Standard for OpenStackDefCore: The Interoperability Standard for OpenStack
DefCore: The Interoperability Standard for OpenStackMark Voelker
 
Applying 'Kanban' in Enterprise-Class Products Sustaining Engineering - An Ex...
Applying 'Kanban' in Enterprise-Class Products Sustaining Engineering - An Ex...Applying 'Kanban' in Enterprise-Class Products Sustaining Engineering - An Ex...
Applying 'Kanban' in Enterprise-Class Products Sustaining Engineering - An Ex...Tathagat Varma
 
讓數字說話:資料的公益責信應用
讓數字說話:資料的公益責信應用讓數字說話:資料的公益責信應用
讓數字說話:資料的公益責信應用台灣資料科學年會
 
Measuring Agility: Top 5 Metrics And Myths
Measuring Agility: Top 5 Metrics And MythsMeasuring Agility: Top 5 Metrics And Myths
Measuring Agility: Top 5 Metrics And MythsPete Behrens
 

En vedette (20)

[NodeConf.eu 2014] Scaling AB Testing on Netflix.com with Node.js
[NodeConf.eu 2014] Scaling AB Testing on Netflix.com with Node.js[NodeConf.eu 2014] Scaling AB Testing on Netflix.com with Node.js
[NodeConf.eu 2014] Scaling AB Testing on Netflix.com with Node.js
 
OpenPOWER Foundation Overview
OpenPOWER Foundation OverviewOpenPOWER Foundation Overview
OpenPOWER Foundation Overview
 
OpenJDK Penrose Presentation (JavaOne 2012)
OpenJDK Penrose Presentation (JavaOne 2012)OpenJDK Penrose Presentation (JavaOne 2012)
OpenJDK Penrose Presentation (JavaOne 2012)
 
SXSW Keynote - The Game Layer On Top Of The World
SXSW Keynote - The Game Layer On Top Of The WorldSXSW Keynote - The Game Layer On Top Of The World
SXSW Keynote - The Game Layer On Top Of The World
 
eMarketer Webinar: Mobile Marketing Trends, Insights and Best Practices
eMarketer Webinar: Mobile Marketing Trends, Insights and Best PracticeseMarketer Webinar: Mobile Marketing Trends, Insights and Best Practices
eMarketer Webinar: Mobile Marketing Trends, Insights and Best Practices
 
sizeof(Object): how much memory objects take on JVMs and when this may matter
sizeof(Object): how much memory objects take on JVMs and when this may mattersizeof(Object): how much memory objects take on JVMs and when this may matter
sizeof(Object): how much memory objects take on JVMs and when this may matter
 
UX e Fontes de Tráfego
UX e Fontes de TráfegoUX e Fontes de Tráfego
UX e Fontes de Tráfego
 
Corporate Open Source Anti-patterns
Corporate Open Source Anti-patternsCorporate Open Source Anti-patterns
Corporate Open Source Anti-patterns
 
Yahoo Connected TV Developer Pulse Event
Yahoo Connected TV Developer Pulse EventYahoo Connected TV Developer Pulse Event
Yahoo Connected TV Developer Pulse Event
 
Introduction to Metro Applications
Introduction to Metro ApplicationsIntroduction to Metro Applications
Introduction to Metro Applications
 
JWT: Meet the New Family (September 2014)
JWT: Meet the New Family (September 2014)JWT: Meet the New Family (September 2014)
JWT: Meet the New Family (September 2014)
 
Lessons from the new sales model
Lessons from the new sales modelLessons from the new sales model
Lessons from the new sales model
 
Linux and H/W optimizations for MySQL
Linux and H/W optimizations for MySQLLinux and H/W optimizations for MySQL
Linux and H/W optimizations for MySQL
 
Spark and Shark: Lightning-Fast Analytics over Hadoop and Hive Data
Spark and Shark: Lightning-Fast Analytics over Hadoop and Hive DataSpark and Shark: Lightning-Fast Analytics over Hadoop and Hive Data
Spark and Shark: Lightning-Fast Analytics over Hadoop and Hive Data
 
Big Data Cloud Meetup - Jan 29 2013 - Mike Stonebraker & Scott Jarr of VoltDB
Big Data Cloud Meetup - Jan 29 2013 - Mike Stonebraker & Scott Jarr of VoltDBBig Data Cloud Meetup - Jan 29 2013 - Mike Stonebraker & Scott Jarr of VoltDB
Big Data Cloud Meetup - Jan 29 2013 - Mike Stonebraker & Scott Jarr of VoltDB
 
Scala Data Pipelines for Music Recommendations
Scala Data Pipelines for Music RecommendationsScala Data Pipelines for Music Recommendations
Scala Data Pipelines for Music Recommendations
 
DefCore: The Interoperability Standard for OpenStack
DefCore: The Interoperability Standard for OpenStackDefCore: The Interoperability Standard for OpenStack
DefCore: The Interoperability Standard for OpenStack
 
Applying 'Kanban' in Enterprise-Class Products Sustaining Engineering - An Ex...
Applying 'Kanban' in Enterprise-Class Products Sustaining Engineering - An Ex...Applying 'Kanban' in Enterprise-Class Products Sustaining Engineering - An Ex...
Applying 'Kanban' in Enterprise-Class Products Sustaining Engineering - An Ex...
 
讓數字說話:資料的公益責信應用
讓數字說話:資料的公益責信應用讓數字說話:資料的公益責信應用
讓數字說話:資料的公益責信應用
 
Measuring Agility: Top 5 Metrics And Myths
Measuring Agility: Top 5 Metrics And MythsMeasuring Agility: Top 5 Metrics And Myths
Measuring Agility: Top 5 Metrics And Myths
 

Similaire à Dom XSS: Encounters of the3rd kind

Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)ClubHack
 
Douglas - Real JavaScript
Douglas - Real JavaScriptDouglas - Real JavaScript
Douglas - Real JavaScriptd0nn9n
 
Android mobile app security offensive security workshop
Android mobile app security   offensive security workshopAndroid mobile app security   offensive security workshop
Android mobile app security offensive security workshopAbhinav Sejpal
 
10+ Deploys Per Day: Dev and Ops Cooperation at Flickr
10+ Deploys Per Day: Dev and Ops Cooperation at Flickr10+ Deploys Per Day: Dev and Ops Cooperation at Flickr
10+ Deploys Per Day: Dev and Ops Cooperation at FlickrJohn Allspaw
 
The Enemy On The Web
The Enemy On The WebThe Enemy On The Web
The Enemy On The WebBishan Singh
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIAguestfdcb8a
 
Node Security: The Good, Bad & Ugly
Node Security: The Good, Bad & UglyNode Security: The Good, Bad & Ugly
Node Security: The Good, Bad & UglyBishan Singh
 
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust TheoremOWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust TheoremOWASP
 
Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Source Conference
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedMinded Security
 
SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines José Ignacio
 
Intro to Malware Analysis
Intro to Malware AnalysisIntro to Malware Analysis
Intro to Malware Analysiswremes
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
Apt presso good to learn
Apt presso   good to learnApt presso   good to learn
Apt presso good to learnFajar Isnanto
 
Reliability & Scale in AWS while letting you sleep through the night
Reliability & Scale in AWS while letting you sleep through the night Reliability & Scale in AWS while letting you sleep through the night
Reliability & Scale in AWS while letting you sleep through the night Jos Boumans
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
 
[RHFSeoul2017]6 Steps to Transform Enterprise Applications
[RHFSeoul2017]6 Steps to Transform Enterprise Applications[RHFSeoul2017]6 Steps to Transform Enterprise Applications
[RHFSeoul2017]6 Steps to Transform Enterprise ApplicationsDaniel Oh
 
Mobile is slow - Over the Air 2013
Mobile is slow - Over the Air 2013Mobile is slow - Over the Air 2013
Mobile is slow - Over the Air 2013Jon Arne Sæterås
 
Angular js mobile jsday 2014 - Verona 14 may
Angular js mobile   jsday 2014 - Verona 14 mayAngular js mobile   jsday 2014 - Verona 14 may
Angular js mobile jsday 2014 - Verona 14 mayLuciano Amodio
 

Similaire à Dom XSS: Encounters of the3rd kind (20)

Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
 
Douglas - Real JavaScript
Douglas - Real JavaScriptDouglas - Real JavaScript
Douglas - Real JavaScript
 
Android mobile app security offensive security workshop
Android mobile app security   offensive security workshopAndroid mobile app security   offensive security workshop
Android mobile app security offensive security workshop
 
10+ Deploys Per Day: Dev and Ops Cooperation at Flickr
10+ Deploys Per Day: Dev and Ops Cooperation at Flickr10+ Deploys Per Day: Dev and Ops Cooperation at Flickr
10+ Deploys Per Day: Dev and Ops Cooperation at Flickr
 
The Enemy On The Web
The Enemy On The WebThe Enemy On The Web
The Enemy On The Web
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
 
Node Security: The Good, Bad & Ugly
Node Security: The Good, Bad & UglyNode Security: The Good, Bad & Ugly
Node Security: The Good, Bad & Ugly
 
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust TheoremOWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem
OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem
 
Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
 
SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines
 
Intro to Malware Analysis
Intro to Malware AnalysisIntro to Malware Analysis
Intro to Malware Analysis
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
Introduction to YUI
Introduction to YUIIntroduction to YUI
Introduction to YUI
 
Apt presso good to learn
Apt presso   good to learnApt presso   good to learn
Apt presso good to learn
 
Reliability & Scale in AWS while letting you sleep through the night
Reliability & Scale in AWS while letting you sleep through the night Reliability & Scale in AWS while letting you sleep through the night
Reliability & Scale in AWS while letting you sleep through the night
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]
 
[RHFSeoul2017]6 Steps to Transform Enterprise Applications
[RHFSeoul2017]6 Steps to Transform Enterprise Applications[RHFSeoul2017]6 Steps to Transform Enterprise Applications
[RHFSeoul2017]6 Steps to Transform Enterprise Applications
 
Mobile is slow - Over the Air 2013
Mobile is slow - Over the Air 2013Mobile is slow - Over the Air 2013
Mobile is slow - Over the Air 2013
 
Angular js mobile jsday 2014 - Verona 14 may
Angular js mobile   jsday 2014 - Verona 14 mayAngular js mobile   jsday 2014 - Verona 14 may
Angular js mobile jsday 2014 - Verona 14 may
 

Dernier

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 

Dernier (20)

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf

Dom XSS: Encounters of the 3rd kind

  • 1. DOM XSS: ENCOUNTERS OF THE 3RD KIND http://www.flickr.com/photos/8407953@N03/5990642198/
  • 4. COMPLEX BROWSER CONTEXTS JavaScript URI XSS HTML->DOM->HTML Auto Decoding (to be covered in Demo#7) JavaScript Auto Decoding (not covered. Similar to Demo#7) Ref: http://www.cs.berkeley.edu/~dawnsong/papers/2011%20systematic%20analysis%20xss
  • 5. WHY WORRY? Who is safe? Those who write quality code – DOM Construction and Input Sanitization. But, could they (YUI/jQuery/Browsers) do better? Yes, MY WISHLIST: - make it easier to do the right thing - Warn on unsafe & abuse-able APIs - Provide in-function sanitization capability (Aah, context-sensitive auto-sanitization would be great, but let’s not be too optimistic ATM). Native APIs & Frameworks do not protect. Context, performance & security are an afterthought. Predicted to be one of the top 5 security issues for 2011: http://jeremiahgrossman.blogspot.com/2011/02/top-ten-web-hacking-techniques-of-2011.html. IBM found 2370 vulnerabilities on 92 sites out of 850 Fortune 500: http://public.dhe.ibm.com/common/ssi/ecm/en/raw14252usen/RAW14252USEN.PDF (They released a commercial add-on to AppScan called JSA. Not available for eval yet). Minded Security found 56 out of Alexa top 100 sites vulnerable: http://blog.mindedsecurity.com/2011/05/dominator-project.html (They also released a free tool - DOMinator, we will eval that).
  • 6. SAMPLE #1: DOM XSS (WITH DOMINATOR) Q#1: New? No, first discovered by Amit Klein in 2005 www.webappsec.org/projects/articles/071105.shtml Q#2: Then why now? Because code shifted client side - RIA, AJAX, Web2.0 Q#3: What are the tools? - Do you think they solve the problem? - Clever people solve, wise avoid. Code Defensively - Anyway, DOMinator and AppScan appear to do a bit but not enough - Besides DOMinator false negatives, I found it quite unstable on RIA with lots of YUI and jQuery. It crashed repeatedly.
  • 7. SAMPLE #1: WHAT WENT WRONG? WHAT WOULD HAVE SAVED THE DAY? Taint Sources (Direct or Indirect) Taint Sinks (eval, location.replace) Defensive Coding Taint Sources & Sinks: http://code.google.com/p/domxsswiki/wiki/Introduction
  • 8. SAMPLE #2: NOT IN VIEW SOURCE Myth#1: we have default framework auto-sanitization at the server – Server-side auto-sanitization like PHP Filter will not protect – It has no way of intercepting the DOM
  • 9. SAMPLE #2: GENERATED SOURCE DOES SHOW
  • 10. SAMPLE #2: DOMINATOR FALSE NEGATIVE
  • 11. SAMPLE #3: YUI / JQUERY ISN’T BAD. DOM TEMPLATING IS!
  • 12. SAMPLE #4: YUI / JQUERY ISN’T BAD. DOM TEMPLATING IS! (DOMINATOR DIDN’T CATCH THIS ONE EITHER)
  • 13. SAMPLE #5: YOU DON’T NECESSARILY NEED FILTERING. YUI / NATIVE JS API (INNERTEXT) / OTHERS LET YOU PLAY SAFE. THIS IS CALLED DOM CONSTRUCTION
  • 14. SAMPLE #5: BEWARE OF CONTEXTS. AGAIN YUI / NATIVE JS API / OTHERS ARE NOT BAD. NO FILTERING / CONTEXT INSENSITIVE FILTERING IS!
  • 15. SAMPLE #6: BEWARE OF CONTEXTS. AGAIN YUI / NATIVE JS API / OTHERS ARE NOT BAD. NO FILTERING / CONTEXT INSENSITIVE FILTERING IS!
  • 16. SAMPLE #7: BEWARE OF AUTO-DECODING. AGAIN YUI / NATIVE JS API / OTHERS ARE NOT BAD. INSECURE CODING / INSUFFICIENT FILTERING IS! (ANOTHER THING DOMINATOR DIDN’T CATCH) Myth#2: I encoded server-side, right? – Exception: when DOM and HTML are mixed they tend to explode – HTML->DOM->HTML means switching of context and browser auto-decoding
  • 17. THANKS FOLKS… bish@route13.in yukinying@gmail.com twitter:b1shan twitter: yukinying
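As an added example (not code from the deck or its authors), the HTML->DOM->HTML round trip behind Samples #3 to #7 in plain JavaScript: a server-side encoder, a `domDecode` that models what `getAttribute` hands back, and the templating sink beside its re-encoded and DOM-construction alternatives. `SAMPLE`, `renderServerSide`, `readAttribute` and the `doc` argument are assumptions so the file runs in Node without a browser; in a browser the DOM performs the decoding step itself.

```javascript
// Added example, not code from the slides. Models the HTML->DOM->HTML round trip
// (Sample #7) and the templating-vs-construction choice (Samples #3 to #5).
// Pure string functions so it runs in Node; in a browser the DOM does the decoding.
// Encoder for HTML text and quoted attribute contexts.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
// Encoder for a JavaScript string-literal context: a different context, a different encoder.
function encodeForJsString(s) {
  return s.replace(/[^A-Za-z0-9 ]/g, c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// What el.getAttribute() hands back: the browser has already decoded the entities the
// server wrote. This auto-decoding step is what undoes the server-side encoding.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function domDecode(attrSource) {
  return attrSource.replace(/&(?:#x([0-9a-f]+)|#(\d+)|(\w+));/gi, (m, hex, dec, name) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    const k = name.toLowerCase();
    return k in NAMED ? NAMED[k] : m;   // unknown entity: leave as written
  });
}

// Constructed sample value and a server-side template that encodes it correctly once (Myth #2).
const SAMPLE = '<b>not bold</b> & "quoted"';
function renderServerSide(userName) {
  return '<div id="u" data-name="' + encodeForHtml(userName) + '"></div>';
}
// Stands in for document.getElementById('u').getAttribute('data-name').
function readAttribute(markup) {
  return domDecode(/data-name="([^"]*)"/.exec(markup)[1]);
}

// DOM templating: the decoded value is glued into an HTML string. Context switched, encoding gone.
function templateUnsafe(nameFromDom) {
  return '<span class="name">' + nameFromDom + '</span>';
}
// Same sink, value re-encoded for the new context.
function templateEncoded(nameFromDom) {
  return '<span class="name">' + encodeForHtml(nameFromDom) + '</span>';
}
// DOM construction: no HTML string at all, so the value is never parsed as markup.
function buildWithDom(nameFromDom, doc) {   // doc is window.document in a browser
  const span = doc.createElement('span');
  span.className = 'name';
  span.textContent = nameFromDom;           // textContent/innerText treat the value as data
  return span;
}
```

Feed the `templateUnsafe` result to `innerHTML` and the tags in `SAMPLE` become live markup; `templateEncoded` and `buildWithDom` render the same text literally.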