SlideShare a Scribd company logo

VSA: The Virtual Scripted Attacker, Brucon 2012

Abraham Aranguren, profile picture
Abraham Aranguren

This document discusses DOM cross-site scripting (XSS) vulnerabilities and a new tool called VSA that aims to automatically find such vulnerabilities. It notes that DOM XSS is difficult to detect as it occurs client-side, but that VSA claims to find many more vulnerabilities than traditional tools through running entirely on the browser where JavaScript executes. The document provides examples of top companies that have had DOM XSS issues found via bug bounty programs. It also includes a question about whether readers want VSA to scan their sites.

1 of 9
Downloaded 42 times
1
2
3
4
5
6
7
8
9
27th September 2012 Abraham Aranguren @7a_ abraham@cure53.de http://cure53.de
VSA: The Virtual Scripted Attacker, Brucon 2012
Review JavaScript code on the page: <script> document.write("Site is at: " + document.location.href + "."); </script> Sometimes active testing possible in your browser (no trip to server = not an attack = not logged): http://target.com/...#vulnerable_param=xss http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
Top security aware companies … with DOM XSS reported via bug bounty programs: • Google • PayPal • Facebook • Etsy • Yandex •…
Are they searching for DOM XSS without pants like this? this? Phil Stevens - http://www.strengthguild.com/ http://www.ironradio.org/
The Problem Websites have a LOT of JavaScript and DOM XSS is hard to find because: because: • DOM XSS happens on the client-side client- • Traditional HTTP fuzzing does not work for DOM XSS • Traditional tools are unaware of client-side logic client- • Most tools cannot verify the DOM XSS exploit worked • Most tools cannot find DOM XSS in a 100% automated way • Even DOMINATOR Pro is only a manual testing tool for the Pro DOM XSS often requires: requires: • User interaction: Click buttons, drag items, etc • Timing constraints A HARD problem to SOLVE
Created by • Mario Heiderich (XSS PhD!) • Gareth Heyes • Abraham Aranguren • Alfred Farrugia • Frederik Braun What are we doing differently? differently? • VSA is 100% automated • We have tested we find MANY more DOM XSS vulnerabilities • We can verify that the DOM XSS payload worked • We are finding DOM XSS on the BROWSER -where JavaScript runs- • We are verifying DOM XSS on the BROWSER -where JavaScript runs- • We can tell you the line of code that is vulnerable • We can tell you the JavaScript file where the vulnerability is • We have the means to implement VIRTUAL PATCHING Do you want us to scan YOUR site? ☺ site?
Demo Time
Q&A Abraham Aranguren @7a_ abraham@cure53.de http://cure53.de

More Related Content

PDF
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
PDF
DEfcon15 XXE XXS
pentest pentest
 
PPTX
XSS - Do you know EVERYTHING?
Yurii Bilyk
 
PDF
Html5: something wicked this way comes - HackPra
Krzysztof Kotowicz
 
PDF
Hacking sites for fun and profit
David Stockton
 
PPT
Front end-security
Miao Siyu
 
PDF
Hacking sites for fun and profit
David Stockton
 
PPTX
Web Application Security in front end
Erlend Oftedal
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
DEfcon15 XXE XXS
pentest pentest
 
XSS - Do you know EVERYTHING?
Yurii Bilyk
 
Html5: something wicked this way comes - HackPra
Krzysztof Kotowicz
 
Hacking sites for fun and profit
David Stockton
 
Front end-security
Miao Siyu
 
Hacking sites for fun and profit
David Stockton
 
Web Application Security in front end
Erlend Oftedal
 

What's hot (20)

PDF
When Ajax Attacks! Web application security fundamentals
Simon Willison
 
PPTX
Dom based xss
Lê Giáp
 
PDF
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
Masato Kinugawa
 
PPTX
Browser Internals-Same Origin Policy
Krishna T
 
PPTX
Java script, security and you - Tri-Cities Javascript Developers Group
Adam Caudill
 
PDF
The Hidden XSS - Attacking the Desktop & Mobile Platforms
kosborn
 
PPTX
JSFoo Chennai 2012
Krishna T
 
PPTX
Secure web messaging in HTML5
Krishna T
 
PPTX
Clickjacking DevCon2011
Krishna T
 
PPT
Xss is more than a simple threat
Avădănei Andrei
 
PPTX
Html5 security
Krishna T
 
PDF
JavaScript Security
Jason Harwig
 
PPTX
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
PPTX
Building Secure User Interfaces With JWTs
robertjd
 
PPTX
Javascript Security
jgrahamc
 
PPT
Django (Web Applications that are Secure by Default)
Kishor Kumar
 
PPTX
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE
 
PDF
WebView security on iOS (EN)
lpilorz
 
PDF
Breaking AngularJS Javascript sandbox
Mathias Karlsson
 
PDF
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
When Ajax Attacks! Web application security fundamentals
Simon Willison
 
Dom based xss
Lê Giáp
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
Masato Kinugawa
 
Browser Internals-Same Origin Policy
Krishna T
 
Java script, security and you - Tri-Cities Javascript Developers Group
Adam Caudill
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
kosborn
 
JSFoo Chennai 2012
Krishna T
 
Secure web messaging in HTML5
Krishna T
 
Clickjacking DevCon2011
Krishna T
 
Xss is more than a simple threat
Avădănei Andrei
 
Html5 security
Krishna T
 
JavaScript Security
Jason Harwig
 
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
Building Secure User Interfaces With JWTs
robertjd
 
Javascript Security
jgrahamc
 
Django (Web Applications that are Secure by Default)
Kishor Kumar
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE
 
WebView security on iOS (EN)
lpilorz
 
Breaking AngularJS Javascript sandbox
Mathias Karlsson
 
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
Ad

Similar to VSA: The Virtual Scripted Attacker, Brucon 2012 (20)

PPTX
NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner
Nishant Das Patnaik
 
PDF
Introduction to Cross Site Scripting ( XSS )
Irfad Imtiaz
 
PDF
Complete xss walkthrough
Ahmed Elhady Mohamed
 
KEY
Cross Site Scripting - Mozilla Security Learning Center
Michael Coates
 
PDF
XSS.pdf
Okan YILDIZ
 
PDF
XSS.pdf
Okan YILDIZ
 
PPTX
Cross Site Scripting
Ali Mattash
 
PPTX
Reflective and Stored XSS- Cross Site Scripting
InMobi Technology
 
PDF
The innerHTML Apocalypse
Mario Heiderich
 
PDF
XSS Injection Vulnerabilities
Mindfire Solutions
 
PDF
Ch 12 Attacking Users - XSS
Sam Bowne
 
PPTX
Cross Site Scripting (XSS)
Avi Aryan
 
PDF
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
Sam Bowne
 
PDF
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
Sam Bowne
 
PPT
Same Origin Policy Weaknesses
kuza55
 
PDF
"Подход к написанию безопасного клиентского кода на примере React", Иван Елки...
MoscowJS
 
PPTX
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
Gitam Gadtaula
 
PPTX
Post XSS Exploitation : Advanced Attacks and Remedies
Adwiteeya Agrawal
 
PDF
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
PROIDEA
 
PDF
BsidesDelhi 2018: DomGoat - the DOM Security Playground
BSides Delhi
 
NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner
Nishant Das Patnaik
 
Introduction to Cross Site Scripting ( XSS )
Irfad Imtiaz
 
Complete xss walkthrough
Ahmed Elhady Mohamed
 
Cross Site Scripting - Mozilla Security Learning Center
Michael Coates
 
XSS.pdf
Okan YILDIZ
 
XSS.pdf
Okan YILDIZ
 
Cross Site Scripting
Ali Mattash
 
Reflective and Stored XSS- Cross Site Scripting
InMobi Technology
 
The innerHTML Apocalypse
Mario Heiderich
 
XSS Injection Vulnerabilities
Mindfire Solutions
 
Ch 12 Attacking Users - XSS
Sam Bowne
 
Cross Site Scripting (XSS)
Avi Aryan
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
Sam Bowne
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
Sam Bowne
 
Same Origin Policy Weaknesses
kuza55
 
"Подход к написанию безопасного клиентского кода на примере React", Иван Елки...
MoscowJS
 
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
Gitam Gadtaula
 
Post XSS Exploitation : Advanced Attacks and Remedies
Adwiteeya Agrawal
 
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
PROIDEA
 
BsidesDelhi 2018: DomGoat - the DOM Security Playground
BSides Delhi
 
Ad

More from Abraham Aranguren (10)

PDF
Why should you do a pentest?
Abraham Aranguren
 
PDF
Pwning mobile apps without root or jailbreak
Abraham Aranguren
 
PDF
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Abraham Aranguren
 
PDF
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
Abraham Aranguren
 
PDF
Pentesting like a grandmaster BSides London 2013
Abraham Aranguren
 
PDF
Introducing OWASP OWTF Workshop BruCon 2012
Abraham Aranguren
 
PDF
Legal and efficient web app testing without permission
Abraham Aranguren
 
PDF
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Abraham Aranguren
 
PDF
Silent web app testing by example - BerlinSides 2011
Abraham Aranguren
 
PDF
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
Abraham Aranguren
 
Why should you do a pentest?
Abraham Aranguren
 
Pwning mobile apps without root or jailbreak
Abraham Aranguren
 
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Abraham Aranguren
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
Abraham Aranguren
 
Pentesting like a grandmaster BSides London 2013
Abraham Aranguren
 
Introducing OWASP OWTF Workshop BruCon 2012
Abraham Aranguren
 
Legal and efficient web app testing without permission
Abraham Aranguren
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Abraham Aranguren
 
Silent web app testing by example - BerlinSides 2011
Abraham Aranguren
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
Abraham Aranguren
 

VSA: The Virtual Scripted Attacker, Brucon 2012

  • 1. 27th September 2012 Abraham Aranguren @7a_ abraham@cure53.de http://cure53.de
  • 3. Review JavaScript code on the page: <script> document.write("Site is at: " + document.location.href + "."); </script> Sometimes active testing possible in your browser (no trip to server = not an attack = not logged): http://target.com/...#vulnerable_param=xss http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
  • 4. Top security aware companies … with DOM XSS reported via bug bounty programs: • Google • PayPal • Facebook • Etsy • Yandex •…
  • 5. Are they searching for DOM XSS without pants like this? this? Phil Stevens - http://www.strengthguild.com/ http://www.ironradio.org/
  • 6. The Problem Websites have a LOT of JavaScript and DOM XSS is hard to find because: because: • DOM XSS happens on the client-side client- • Traditional HTTP fuzzing does not work for DOM XSS • Traditional tools are unaware of client-side logic client- • Most tools cannot verify the DOM XSS exploit worked • Most tools cannot find DOM XSS in a 100% automated way • Even DOMINATOR Pro is only a manual testing tool for the Pro DOM XSS often requires: requires: • User interaction: Click buttons, drag items, etc • Timing constraints A HARD problem to SOLVE
  • 7. Created by • Mario Heiderich (XSS PhD!) • Gareth Heyes • Abraham Aranguren • Alfred Farrugia • Frederik Braun What are we doing differently? differently? • VSA is 100% automated • We have tested we find MANY more DOM XSS vulnerabilities • We can verify that the DOM XSS payload worked • We are finding DOM XSS on the BROWSER -where JavaScript runs- • We are verifying DOM XSS on the BROWSER -where JavaScript runs- • We can tell you the line of code that is vulnerable • We can tell you the JavaScript file where the vulnerability is • We have the means to implement VIRTUAL PATCHING Do you want us to scan YOUR site? ☺ site?
  • 9. Q&A Abraham Aranguren @7a_ abraham@cure53.de http://cure53.de