Client side: disable JS. Noxes: a web proxy that fetches HTTP requests and
can either block or allow them based on the current security policy.
OWASP 14
Problems with current solutions
Escaping - good practice! But many web applications permit and return HTML tags (<b>, <ul>, ...). What about URI schemes like javascript:?
Blacklisting (negative logic) is difficult:
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<BODY ONLOAD=alert('XSS')>
...and 100+ more attack vectors in RSnake's XSS Cheatsheet. An effective filter must also ensure that it does not introduce
Example - reflected XSS through a server-side script that echoes user input into JavaScript:

GET http://bank.com/main.php?uName=Jack");alert('xss!')

Main()
  echo ("<SCRIPT>")
  echo ("Document.write("Hello" + $uName);")
  echo ("</SCRIPT>")

Rendered page: Hello Jack

Response received by the browser:
<script>
Document.write("Hello" + "Jack");
alert('xss');
</script>

Alert box: xss!
Our Approach
Positive security logic: anything is illegal unless known to be legal.
Focus on the HTTP response.
Model: code-script elements in HTML web pages.
Assumption: the set of all instances of code-script elements is bounded and can be learned in a relatively short period.
1st try: JavaScript code is static.
2nd try: JavaScript code is static under some transformation.
Detector Architecture
XSS Attack Detection
Learning mode. For each extracted JS:
- Learn the regular form.
- Learn the canonicalized form.
Three concerns: coverage, updating, and a clean learning data set.
- Deploy the detector in a testing environment.
- Perform deeper inspection.
- The learning data set must contain no malicious JS.
Detection mode. For each unknown JS do:
- Further inspection.
- Strip it out.
- Inform the web admin.
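A toy implementation of the learning and detection modes described above, added here as an illustration and not the detector presented in the talk. The canonicalization (string and number literals replaced by placeholders, whitespace collapsed) is an assumed transformation, and the responses are constructed to model the greeting page from the earlier slide.

```python
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)  # inline scripts only
STR_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'')
NUM_RE = re.compile(r"\b\d+(?:\.\d+)?\b")

def extract_js(html):
    """Return the body of every inline <script> element in a response."""
    return [m.group(1).strip() for m in SCRIPT_RE.finditer(html)]

def canonicalize(js):
    """Hypothetical canonical form: string/number literals become placeholders
    and whitespace is collapsed, so per-user data does not change the form."""
    return " ".join(NUM_RE.sub("NUM", STR_RE.sub("STR", js)).split())

class Detector:
    def __init__(self):
        self.regular = set()    # exact script bodies seen while learning
        self.canonical = set()  # their canonicalized forms

    def learn(self, html):
        """Learning mode: feed only responses known to be benign."""
        for js in extract_js(html):
            self.regular.add(js)
            self.canonical.add(canonicalize(js))

    def verdict(self, js):
        if js in self.regular:
            return "known"
        if canonicalize(js) in self.canonical:
            return "known-canonical"
        return "unknown"  # what the proxy strips out and reports to the web admin

    def detect(self, html):
        """Detection mode: (script, verdict) for every script in the response."""
        return [(js, self.verdict(js)) for js in extract_js(html)]

# Constructed responses modelled on the greeting page from the slides.
def page(js):
    return "<html><body><script>%s</script></body></html>" % js

BENIGN_JACK = page('document.write("Hello" + "Jack");')
BENIGN_ALICE = page('document.write("Hello" + "Alice");')
ATTACK = page('document.write("Hello" + "Jack");alert(\'xss\');')

def demo():
    d = Detector()
    d.learn(BENIGN_JACK)
    alice = d.detect(BENIGN_ALICE)[0][1]  # regular form differs, canonical matches
    d.learn(BENIGN_ALICE)
    attack = d.detect(ATTACK)[0][1]       # injected alert() was never learned
    return alice, attack
```

The regular form alone would raise a false alarm for every new user name, which is the "1st try" problem; the canonical form converges while the injected script still stands out as unknown.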
Deployment options
Web proxy: protects a single web application.
Integration with the browser: JS extraction is done by the browser. Defends against DOM-based XSS. Improved performance.
(Figure: Web Application - Web Proxy - Client)
Evaluation Methodology
FP: choose the top-ranked 40 web applications. Crawl each web application. Learn each web page and build the code-elements DB. Perform 2 tests:
- Convergence test: #pages needed to learn all JS.
- FP test: FP = (#pages causing alarm) / (#pages).
FN: test the detector against RSnake's cheat-sheet. Choose vulnerable applications from xssed.com. Generate benign input and attack input. Learn with benign input. Detect with attack input. Each result was also checked manually.
Results
Zero FP
FN - all attacks were detected.
Convergence test (figure: CDF of the number of pages to learn until convergence; x-axis 0 to 45 pages, y-axis 0 to 1).
Conclusion
Zero FP under canonicalization. Generic - targets all types of XSS.
Even DOM-based XSS could be mitigated if the web proxy is deployed on the client side.
Fast convergence - short learning period. The number of canonicalized JS nodes is bounded. Most JS nodes appear in every page ("building