Security Tool to Detect Vulnerabilities at Application Level Krishna Sai Mulpuri Naga Sri Charan Pendyala Rama Krishna Chaitanya Somavajhala Srujana Bollina Udaya Shyama Pallathadka Ganapathi Bhat [1] R Ben Stock, Stephan Pfistner, Bernd Kaiser, Sebastian Lekies and Martin Johns: From Facepalm to Brain Bender: Exploring Client-Side Cross-Site Scripting, in 22th ACM Conference on Computer and Communications Security (ACM CCS'15), October 2015 [2] S. Lekies, B. Stock, and M. Johns. 25 Million Flows Later: Large-scale Detection of DOM-based XSS. In CCS, 2013
Outline Introduction What is Cross-Site Scripting(XSS)? Client Side XSS Problem Statement Examples and Impact of XSS Selenium Webdriver and its Usage Proposed Approach to solve XSS attack Questions and Discussion
Introduction : 1 st Website: August 6, 1991 1 Billion+ Counting……………………… Source: 5/the-first-website-ever-made/ 5/the-first-website-ever-made/ Source:
Introduction: Different vulnerabilities that are present in web applications: XSS – Cross-site scripting CSRF – Cross-site request forgery SQL Injection
What is Cross-Site Scripting? (CSS/XSS) An attacker is able to inject his own JavaScript code into a web application, in such a way that the code is executed within a victim’s browser in the context of application. Types: Persistent XSS (Stored XSS) Reflected XSS (Non-Persistent XSS) DOM-based XSS (Local XSS) Players Include: An Attacker Web Application Client Server side Client side
Client Side Cross-Site Scripting Client XSS occurs when untrusted user supplied data is used to update the DOM with an unsafe JavaScript call A JavaScript call is considered unsafe if it can be used to introduce valid JavaScript into the DOM Source of this data could be from the DOM, or it could have been sent by the server (via an AJAX call, or a page load or page submission).
Client Side Cross-Site Scripting As per the authors of paper[1], studies have shown that one in ten websites are vulnerable to XSS attack Authors discover that root causes of client side XSS range from unaware developers to incompatible first- and third- party codes A set of 1273 vulnerabilities in Alexa Top 10k domains are analyzed and classified based on the complexity
Client Side Cross-Site Scripting Based on the classifications, authors show that large number of flaws are comparatively simple About two third of vulnerabilities fall into this category while others fall under high complexity or medium complexity vulnerabilities However, few vulnerabilities were due to first- or third- party code due to use of outdated and vulnerable libraries Authors state that there is no single reason for existence of Client side XSS
Cross-Site Scripting: Problem statement ● Main problem: attacker‘s content ends in document and is not properly filtered/encoded ● common for server- and client-side flaws ● Flow of data: from attacker-controllable source to security- sensitive sink ● Authors Focus: client side JavaScript code ● Sources: e.g. the URL ● Sinks: e.g. document.write
Examples of XSS Vulnerabilities alert(“Hacked..!!”)
<img src=x onerror="alert('Pop-up window via stored XSS');“
Source :
Examples of DOM-based XSS Vulnerabilities 1. alert('xss'); 2. <img src=x onerror="alert('Pop-up window via stored XSS');“ 3. Document.write(“ ”);
DOM XSS will appear when a source that can be controlled by the user is used in a dangerous sink. Popular Sources document.URL document.documentURI location.href location.search location.* window.name document.referrer Popular Sinks HTML Modification sinks document.write (element).innerHTML HTML modification to behaviour change (element).src (in certain elements) Execution Related sinks eval setTimout / setInterval execScript
Impacts of XSS Denial-of-Service Crash Users`Browser, Pop-Up-Flodding, Redirection attacker can hijack a logged in user’s session. Access to authentication credentials for Web application Cookies, Username and Password Spoil public image of company
Contributions: System designed consists of two components: Vulnerability detection - Automated system to dynamically detect the suspicious flows Automated vulnerability validation mechanism: System allows unambiguous vulnerability validation through verification that our injected Javascript was indeed executed.
Vulnerability Detection: Reporting functions are called each time a tainted string is passed to sink. Chrome extension that injects JavaScript reporting function into DOM was implemented to pass the report the user interface.
Vulnerability Validation: Taint tracking engine delivers suspicious flows, but all suspicious flows cannot be vulnerabilities. Anotomy of an XSS exploit: HTML Context Vulnerability: document.write(“ ”); Exploit: alert(1) JavaScript Context Vulnerability: eval(“var x=‘ “ + location.hash + “ ’;”); Exploit: ‘; alert(1);’’
Securing a site against XSS attacks By performing “in-house” input filtering (input sanitation) By performing “output filtering
Selenium WebDriver What is Selenium? Selenium is a cross-platform solution to perform automated testing of web applications. Open source framework Successor to Selenium RC Fully implemented and supported in Python, Ruby, Java, and C#
Selenium WebDriver API Interaction with page DOM elements (Finding Elements) Operations on DOM elements (Click, Sendkeys, Drag&Drop etc) Multi-Window handling and switching between frames WebDriver Waits to handle AJAX based operations
Driving Web browsers Selenium helps to interact with Web applications through web browsers. It has web drivers that are supported Internet Explorer driver Opera Driver Chrome Driver Firefox Driver iPhone Driver Android Driver HtmlUnit Driver Interactions with the web page and DOM elements can be commanded through these drivers using a programming language
Ways to find elements Elements on page can be found using DOM properties of the element Ways to find By.Id(“id”); By.CssSelector(“Selector”); By.Xpath(“//xpath’’); By.ClassName(“name”); By.LinkText(“linktext”); By.TagName(“tagname”);
WebDriver and Injection of Scripts Can be used interact an input text into fields on web page. Steps to inject scripts Find element Send keys (input script in form of text) Submit script (click submit element on the page) Post injection validation Changes to the page can be analyzed by validation Test cases are built based on scripts and respective validations
Intended approach Windows Form application Exporting vulnerabilities to remote Database Chrome Extension
Windows Form application Tool that handles test cases which can be built by developers Test cases can be developed specific to the vulnerability Specific to vulnerability, test cases can be used to more than one website Test cases can be shared among developer groups – scope to open source Each test case includes script injection and post-validation Scripts can be fed to the tool in a conventional data format like Excel Failed test case detection Post injection validation on the page
Exporting vulnerabilities to remote Database Vulnerable URL and selectors of corresponding elements are exported to remote MySQL Database If failed the tool exports URL of the website Selector of Input text field Selector of element that submits the page data.
Chrome Extension Communicates with latest updated vulnerabilities recorded Presents the vulnerabilities to end users when they arrive to vulnerable website. Can be presented visually to end user with the help of selectors
Recap.. One in Ten websites are infected with XSS vulnerability With growing security concerns at application level, it is important to focus on XSS vulnerability There is no single reason for XSS vulnerability, reasons include developers unaware of vulnerability, use of first- and third party outdated libraries We discussed examples and impact of XSS We build windows form application to help developers build test cases Give users of chrome with an extension that would help them block sites vulnerable to XSS
Questions and Discussion Image source: