Javascript worms By Benjamin Mossé SecPro

Javascript worms: The next step in the evolution
By Benjamin Mossé, SecPro
www.secpro.com.au

Synopsis
- Introduction to cross site scripting
- Permanent XSS
- Javascript worms up to now
- A fresh technique: remote requests
- Taking advantage of APIs to build worms
- Protecting yourself
- Conclusion

Introduction to XSS
- The most common web vulnerability
- Allows client-side script injection (HTML, JavaScript, VBScript, etc.)
- The target executes the malicious code
- There isn't any "magic" solution against it

Introduction to XSS (cont.)
- JavaScript is the language used to exploit this vulnerability
- Before 2005, XSS wasn't considered critical
- Wrong idea: "you can only steal cookies with it"
- 2005: Ajax, possibility to create HTTP requests
  - too many people thought that XSS wasn't powerful because you can only steal a cookie with it;
  - the community had new requirements, Ajax was born;
  - the XSS vulnerability is now critical.

Introduction to XSS (cont.)
- 3 different types:
  - Non permanent
  - Permanent
  - DOM-based
- A JavaScript exploit would work the same with each of them

Permanent XSS
- Stays on the website permanently
- Also known as persistent
- The JavaScript exploit is stored (e.g. database, RSS)
- Affects every person visiting the infected page

Permanent XSS (cont.)
Diagram (hacker, vulnerable site, database, infected site, users):
- The hacker inserts malicious code in a form on the vulnerable site
- The website saves the script into the database
- Users visiting the infected site get exploited
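The flow above only works if the stored script is written back into the page unencoded. The following added example (not part of the original slides) renders stored rows with output encoding and a link scheme allow-list; escapeHtml, safeHref, renderComment and the sample rows are hypothetical names and constructed data.

```javascript
// Added example; escapeHtml, safeHref and renderComment are hypothetical names.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only http(s) links; any other scheme (javascript:, data:, ...) becomes "#".
function safeHref(url) {
  try {
    const parsed = new URL(String(url));
    const allowed = parsed.protocol === 'http:' || parsed.protocol === 'https:';
    return allowed ? parsed.href : '#';
  } catch (err) {
    return '#'; // not an absolute URL
  }
}

// Render one stored comment. The row is treated as untrusted even though
// it comes from the site's own database: that is where permanent XSS lives.
function renderComment(row) {
  return '<div class="comment">' +
    '<a href="' + escapeHtml(safeHref(row.homepage)) + '">' + escapeHtml(row.author) + '</a>: ' +
    escapeHtml(row.text) +
    '</div>';
}

// Constructed sample rows standing in for database content.
const STORED_ROWS = [
  { author: 'alice', homepage: 'https://example.org/~alice', text: 'Nice post & thanks' },
  { author: 'mallory', homepage: 'javascript:alert(1)', text: '<script>alert(1)</script>' },
];

function renderPage(rows) {
  return rows.map(renderComment).join('\n');
}

console.log(renderPage(STORED_ROWS));
```

The second row is displayed as literal text and its link points to "#", so the stored markup never reaches the visitor's browser as code.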

"Samy is my Hero"
- Infected MySpace and took it down
- Most famous JavaScript worm
- Spread through a permanent XSS
- Made users perform malicious commands using Ajax
- Users would re-infect their account

Samy is my Hero (analysis)
Diagram (MYSPACE.COM, worm site on MySpace, users):
The infected page makes the users infect other pages on the website: THE WORM IS SPREADING EVERYWHERE

Javascript worms assets
- Very hard to detect
- Very stealthy: runs in the background and doesn't modify your web page
- It's not the pirate who performs the attack but an exploited user
- Can spread very quickly
- Up to a certain point it's impossible to trace back the pirate

Using Ajax
- Perform HTTP requests on the infected website
- NO REMOTE REQUESTS, only works on the same domain
- Hacking possibilities: make the target do requests he didn't intend to (e.g. password modification, delete account, change email, change secret question, exploit SQL injection, exploit remote code execution, spread the worm, deface website ...)

A fresh technique: remote requests
Is it really impossible to make remote HTTP requests with JavaScript? -> NO!
GET request methodologies:
- Append an image in the page (e.g. <img src="http://www.target.com/page.php?var=value" />)
- Append a frame in the page (e.g. <iframe src="http://www.target.com/page.php?var=value" />)
POST request methodologies:
- Append a complete form on the page
- Submit the form with JavaScript (e.g. page.form.submit();)

Processing POST requests

    // Build a form whose action points at a page on another domain
    var objBody = document.getElementsByTagName("body")[0];
    var form = document.createElement("form");
    var form_action = document.createAttribute("action");
    form_action.value = "http://www.targetonotherdomain.com/page.php";
    form.setAttributeNode(form_action);

    // Add an input field carrying a name attribute
    var input_username = document.createElement("input");
    var attr_username_name = document.createAttribute("name");
    input_username.setAttributeNode(attr_username_name);
    form.appendChild(input_username);

    // Attach the form to the page and submit it from script
    objBody.appendChild(form);
    document.getElementsByTagName("form")[0].submit();
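On the receiving site, the image, frame and auto-submitted form requests described above can be refused before any state changes. This is an added example, not code from the presentation; ALLOWED_ORIGIN, checkStateChange and the request and session shapes are assumptions, and the sample requests are constructed.

```javascript
// Added example: server-side checks for state-changing requests.
// ALLOWED_ORIGIN, checkStateChange and the req/session shapes are hypothetical.
const ALLOWED_ORIGIN = 'https://app.example'; // assumed origin of the protected site

// Constant-time comparison so the token cannot be recovered character by character.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Origin of the page that sent the request: Origin header, else derived from Referer.
function sourceOrigin(headers) {
  if (headers.origin) return headers.origin;
  try { return new URL(headers.referer).origin; } catch (err) { return null; }
}

// Decide whether a password change, account deletion, etc. may run.
function checkStateChange(req, session) {
  // <img> and <iframe> tags can only issue GET, so never change state on GET.
  if (req.method !== 'POST') return { ok: false, reason: 'method' };
  // A form submitted from another site carries that site's origin.
  if (sourceOrigin(req.headers) !== ALLOWED_ORIGIN) return { ok: false, reason: 'origin' };
  // The per-session token is unknown to pages on other domains.
  if (!constantTimeEqual(req.body.csrfToken, session.csrfToken)) return { ok: false, reason: 'token' };
  return { ok: true, reason: null };
}

// Constructed session and requests; a real token comes from a CSPRNG per session.
const SESSION = { csrfToken: 'constructed-token-7f3a9c' };
const SAMPLES = {
  imgGet: { method: 'GET', headers: { referer: 'https://other.example/page' }, body: {} },
  forgedPost: { method: 'POST', headers: { origin: 'https://other.example' }, body: { username: 'x' } },
  wrongToken: { method: 'POST', headers: { origin: ALLOWED_ORIGIN }, body: { csrfToken: 'guess' } },
  legit: { method: 'POST', headers: { referer: 'https://app.example/settings' },
           body: { csrfToken: SESSION.csrfToken } },
};

for (const [name, req] of Object.entries(SAMPLES)) {
  console.log(name, checkStateChange(req, SESSION));
}
```

These checks stop requests that originate on another domain; a script injected through XSS on the protected site itself runs in the allowed origin and can read the token, so the XSS flaw still has to be fixed.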

GNUCITIZEN: AttackAPI
- Hackers' API to build JavaScript worms
- Uses Google's APIs to search for targets
- Makes the manipulation of web pages with JavaScript easy as
- Other features: cookie stealing and modifying, do CSRF attacks, ports scanner, hijack forms and more!
- And much more to come in the next version.

Future worms
Diagram (worm, Internet, other websites):
1. Users visit a web page infected with a worm
2. The worm looks for vulnerable targets on the Internet using the Google API
3. The worm uses visitors to infect or attack a list of websites it found

Risk? Consequences?
- Obviously very high!
- Imagine someone finding a permanent XSS on a website like MySpace and using the users to launch an attack on other Internet websites?
- Imagine your company website getting targeted by millions of MySpace's users?
- Imagine that when security experts look at who hacked a website they don't find the pirate's IP but yours? What will you do?

Protecting your applications
"Satisfaction remains a shape of resignation"
- Start by educating your programmers in secure programming
- Ask SecPro for regular security checks of your web applications

Conclusion
- It's now possible to massively attack the Internet with an XSS vulnerability
- Never underestimate the cross site scripting vulnerability again!
- Protect your web application against it, not only for your personal security but for the entire Internet community

Benjamin Mossé
- Security Specialist with SecPro (Melbourne, Australia)
- Researcher & programmer
- benjamin.mosse@secpro.com.au
SecPro specializes in penetration testing and consulting on web application security.