{"id":117,"date":"2008-09-25T11:47:49","date_gmt":"2008-09-25T16:47:49","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=117"},"modified":"2008-09-25T11:47:49","modified_gmt":"2008-09-25T16:47:49","slug":"buildng-and-stopping-next-generation-xss-worms-owasp-appsec-nyc-2008","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2008\/09\/25\/buildng-and-stopping-next-generation-xss-worms-owasp-appsec-nyc-2008\/","title":{"rendered":"Building and Stopping Next Generation XSS Worms &#8211; OWASP AppSec NYC 2008"},"content":{"rendered":"<p>I was originally planning on going upstairs for the SaaS Security presentation, but I had to come downstairs again to get my lunch and this topic seemed interesting, especially given the prevalence of cross site scripting in websites (see OWASP Top 10).\u00a0 The presentation was by Arshan Dabirsiaghi, the director of research at Aspect Security.\u00a0 He actually began by talking about Clickjacking and said that Jeremiah Grossman and RSnake gave up enough clues for him to figure out the exploit as far as Adobe flash goes and says that he&#8217;d rate the vulnerability a 7\/10 in flash and an overall 10\/10.\u00a0 Example non-weaponized exploit at http:\/\/i8jesus.com\/stuff\/clickjacking\/test1.html using iframes and CSS.\u00a0 Suggested fix is to apply framebreakers to your page.<\/p>\n
<p>Is an XSS worm really a worm?<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>5 components of a worm:<\/strong><\/span><\/p>\n<ul>\n<li>Reconnaissance &#8211; &#8220;[the worm] has to hunt out other network nodes to infect&#8221;<\/li>\n<li>Attack &#8211; &#8220;[components] used to launch an attack against an identified target system&#8221;<\/li>\n<li>Communication &#8211; &#8220;nodes in the network can talk to each other&#8221;<\/li>\n<li>Command &#8211; &#8220;nodes in the worm network can be issued operation commands&#8221;<\/li>\n<li>Intelligence &#8211; &#8220;the worm network needs to know the location of the nodes as well as characteristics about them&#8221;<\/li>\n<\/ul>\n
<p>Short answer: 3\/5 &#8211; probably<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>How are XSS worms different from traditional?<\/strong><\/span><\/p>\n<ol>\n<li>Infection model &#8211; Current model requires user interaction, worm strictly contained within web application, passive and localized, no Warhol worms (15 mins of fame).<\/li>\n<li>Payload capability &#8211; Perform any application function (money transfer, close account).\u00a0 XSSProxy\/Attack API.\u00a0 Malware (yikes)<\/li>\n<li>Target shift &#8211; Internet worms can own everything both in front of and behind a firewall (island hopping).<\/li>\n<li>Penetration &#8211; Need to trick the user into spreading between sites using a 3rd party proxy.<\/li>\n<\/ol>\n
<p><span style=\"text-decoration: underline;\"><strong>Traits of Current XSS Worms<\/strong><\/span><\/p>\n<ul>\n<li>Static payloads<\/li>\n<li>Passive infection strategy<\/li>\n<li>Stay on the same domain (don&#8217;t say nduja)<\/li>\n<li>Uncontrolled growth<\/li>\n<li>No command and control<\/li>\n<\/ul>\n
<p><span style=\"text-decoration: underline;\"><strong>Current Incident Response Options<\/strong><\/span><\/p>\n<ul>\n<li>Fix the vulnerability<\/li>\n<li>Manual purging &#8211; can only be done by experts and doesn&#8217;t scale<\/li>\n<li>Database snapshot restore &#8211; effectively removes all worm data from tainted columns, but forces loss of other application data<\/li>\n<li>Search &amp; Destroy &#8211; works now.\u00a0 Tricky in the future, but possible.<\/li>\n<\/ul>\n
<p><strong>Next Gen XSS Worm Reconnaissance:<\/strong> A reconnaissance component will be added to the client side to find more web applications to infect.\u00a0 Nodes can use HTML5 Workers\/Google Gears WorkerPool\/&lt;insert tomorrow&#8217;s new RIA technology&gt;.\u00a0 What about SOP?\u00a0 Old and busted: utilize 3rd party proxy (a la jikto ~2007).\u00a0 What attackers should be doing now: malware &#8211; no SOP!\u00a0 Next gen hotness: cross-site XHR, XDR, postMessage.\u00a0 Allows cross-site bidirectional communication.\u00a0 Servers must opt in, like Flash, so absolutely no security issues there (kidding)<\/p>\n
<p><span style=\"text-decoration: underline;\"><strong>Cross-site communication in HTML5<\/strong><\/span><\/p>\n<ul>\n<li>postMessage(): Cross-domain communication based on strings.\u00a0 What do developers do with strings?\u00a0\u00a0\u00a0 JSON\/eval()\u00a0 SiteA + JSON + SiteB = Shared Security<\/li>\n<\/ul>\n
<p><span style=\"text-decoration: underline;\"><strong>Staniford, Paxson &amp; Weaver&#8217;s Reconnaissance Techniques<\/strong><\/span><\/p>\n<ul>\n<li>&#8220;hit list scanning&#8221;<\/li>\n<li>Permutation Scanning<\/li>\n<li>Topological Scanning (not without malware, cross-site XHR)<\/li>\n<\/ul>\n
<p><strong>Next Gen XSS Worm Attack:<\/strong> An attack component will be added to the client side.\u00a0 New client side piece delivered with reconnaissance piece to attack other off-domain web apps.\u00a0 85% of websites have XSS (how much is reflected vs stored?)\u00a0 How likely is it to find a stored XSS in another web app?<\/p>\n<p>Polymorphic Javascript: javascript can be highly mutated<\/p>\n
<p><strong>Next Gen XSS Worm Communication:<\/strong> A communication component will never occur in an XSS worm.\u00a0 Can&#8217;t communicate directly from victim browser to another victim browser.\u00a0 &#8220;centralization&#8221; in worms is just another word for weakness.<\/p>\n
<p><strong>Next Gen XSS Worm Command:<\/strong> A command component will be added to the worm payload.\u00a0 Communication with operator necessary for command-and-control structure, data delivery (new target info, source updates, etc)<\/p>\n<ol>\n<li>Attacker quietly posts signed payloads<\/li>\n<li>Victim creates token<\/li>\n<li>Victim queries Google for token using JSON<\/li>\n<li>Victim finds a signed result<\/li>\n<li>Executes the signed payload<\/li>\n<\/ol>\n
<p><strong>Next Gen XSS Worm Intelligence:<\/strong> An intelligence component will be used after initial worm stages; it can&#8217;t be trusted (adversaries can poison).\u00a0 XSS worms probably don&#8217;t need this; they typically follow a pattern where in the first 24 hours the worm reaches massive infection through an epic growth rate.\u00a0 After that, gone and never seen again.<\/p>\n
<p><span style=\"text-decoration: underline;\"><strong>Ways to Prevent Next Gen XSS Worms<\/strong><\/span><\/p>\n<ul>\n<li>search+destroying polymorphed javascript<\/li>\n<li>on demand exploit egress filters: popular sites need agile response techniques<\/li>\n<li>OWASP AntiSamy &#8211; safe rich input validation.\u00a0 Uses a positive security model for rich input validation.\u00a0 High assurance mechanism for stopping XSS (and phishing) attacks<\/li>\n<li>utilizing cross-domain workflows: letting the browser SOP protection prevent cookie disclosure + sensitive application information<\/li>\n<li>browser content restrictions: Doesn&#8217;t make sense in a DOM.\u00a0 Requires parsers to honor end tag attributes.<\/li>\n<\/ul>\n
","protected":false},"excerpt":{"rendered":"<p>I was originally planning on going upstairs for the SaaS Security presentation, but I had to come downstairs again to get my lunch and this topic seemed interesting, especially given the prevalence of cross site scripting in websites (see OWASP Top 10).\u00a0 The presentation was by Arshan Dabirsiaghi, the director of research at Aspect Security.\u00a0 
[&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[127,4],"tags":[76,128,175,12,177,622,176,178,174],"class_list":["post-117","post","type-post","status-publish","format-standard","hentry","category-owasp-appsec-nyc-2008","category-web-app-sec","tag-application","tag-appsec","tag-cross","tag-owasp","tag-scripting","tag-security","tag-site","tag-worms","tag-xss"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-1T","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/117","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=117"}],"version-history":[{"count":2,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/117\/revisions"}],"predecessor-version":[{"id":119,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/117\/revisions\/119"}],"wp:attachment":[
{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=117"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}