
Security Tool to Detect Vulnerabilities at Application Level
Krishna Sai Mulpuri, Naga Sri Charan Pendyala, Rama Krishna Chaitanya Somavajhala, Srujana Bollina




1 Security Tool to Detect Vulnerabilities at Application Level
Krishna Sai Mulpuri, Naga Sri Charan Pendyala, Rama Krishna Chaitanya Somavajhala, Srujana Bollina, Udaya Shyama Pallathadka Ganapathi Bhat
[1] Ben Stock, Stephan Pfistner, Bernd Kaiser, Sebastian Lekies and Martin Johns: From Facepalm to Brain Bender: Exploring Client-Side Cross-Site Scripting. In 22nd ACM Conference on Computer and Communications Security (ACM CCS'15), October 2015.
[2] S. Lekies, B. Stock, and M. Johns. 25 Million Flows Later: Large-scale Detection of DOM-based XSS. In CCS, 2013.

2 Outline
- Introduction
- What is Cross-Site Scripting (XSS)?
- Client-Side XSS
- Problem Statement
- Examples and Impact of XSS
- Selenium WebDriver and its Usage
- Proposed Approach to Solve XSS Attacks
- Questions and Discussion

3 Introduction:
- 1st website: August 6, 1991
- 1 billion+ and counting
Source: http://www.todayifoundout.com/index.php/2010/05/the-first-website-ever-made/
Source: http://intellavis.com/blog/?p=284

4 Introduction:
- Different vulnerabilities that are present in web applications:
  - XSS: Cross-site scripting
  - CSRF: Cross-site request forgery
  - SQL Injection

5 What is Cross-Site Scripting? (CSS/XSS)
- An attacker is able to inject his own JavaScript code into a web application in such a way that the code is executed within a victim's browser in the context of the application.
- Types:
  - Persistent XSS (Stored XSS)
  - Reflected XSS (Non-Persistent XSS)
  - DOM-based XSS (Local XSS)
- Players include:
  - An attacker
  - Web application (server side)
  - Client (client side)

6 Client-Side Cross-Site Scripting
- Client XSS occurs when untrusted, user-supplied data is used to update the DOM with an unsafe JavaScript call.
- A JavaScript call is considered unsafe if it can be used to introduce valid JavaScript into the DOM.
- The source of this data could be the DOM itself, or it could have been sent by the server (via an AJAX call, a page load or a page submission).

7 Client-Side Cross-Site Scripting
- As per the authors of paper [1], studies have shown that one in ten websites is vulnerable to XSS attacks.
- The authors find that the root causes of client-side XSS range from unaware developers to incompatible first- and third-party code.
- A set of 1273 vulnerabilities in the Alexa Top 10k domains is analyzed and classified based on complexity.

8 Client-Side Cross-Site Scripting
- Based on the classification, the authors show that a large number of flaws are comparatively simple.
- About two thirds of the vulnerabilities fall into this category, while the others are of medium or high complexity.
- However, a few vulnerabilities were caused by first- or third-party code through the use of outdated and vulnerable libraries.
- The authors state that there is no single reason for the existence of client-side XSS.

9 Cross-Site Scripting: Problem statement
● Main problem: attacker's content ends up in the document and is not properly filtered/encoded
● Common to server- and client-side flaws
● Flow of data: from an attacker-controllable source to a security-sensitive sink
● Authors' focus: client-side JavaScript code
● Sources: e.g. the URL
● Sinks: e.g. document.write

10 Examples of XSS Vulnerabilities
alert("Hacked..!!")

11 <img src=x onerror="alert('Pop-up window via stored XSS');">

12 Source: https://isc.sans.edu/diaryimages/youtube.png

13 Examples of DOM-based XSS Vulnerabilities
1. alert('xss');
2. <img src=x onerror="alert('Pop-up window via stored XSS');">
3. document.write(" ");

14 DOM XSS appears when a source that can be controlled by the user is used in a dangerous sink.
Popular Sources
- document.URL
- document.documentURI
- location.href
- location.search
- location.*
- window.name
- document.referrer
Popular Sinks
- HTML modification sinks
  - document.write
  - (element).innerHTML
- HTML modification leading to behaviour change
  - (element).src (in certain elements)
- Execution-related sinks
  - eval
  - setTimeout / setInterval
  - execScript
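The source and sink lists above are what a detector has to look for. The following is an added example, not code from the presentation or from the taint-tracking engine of [2]: a statement-level heuristic scan that flags statements in which one of the slide's sources and one of its sinks appear together. The function names and the sample script are constructed for illustration; the real engine tracks taint dynamically in the browser, so this static version only catches flows that complete within a single statement and, by design, misses the cross-statement flow on line 2 of the sample.

```javascript
// Added example, not code from the presentation or from [1]/[2]: a
// statement-level heuristic that flags lines where a user-controllable DOM
// source and a dangerous sink appear together. The real engine in [2] tracks
// taint dynamically through the browser; this static scan is a simplification
// that only catches flows completed within a single statement.

// Sources from slide 14 (location.* is handled by a pattern below).
const SOURCES = [
  "document.URL",
  "document.documentURI",
  "location.href",
  "location.search",
  "window.name",
  "document.referrer",
];

// Sinks from slide 14, grouped by the category the slide uses.
const SINKS = [
  { name: "document.write", category: "html" },
  { name: ".innerHTML", category: "html" },
  { name: "eval(", category: "execution" },
  { name: "setTimeout(", category: "execution" },
  { name: "setInterval(", category: "execution" },
  { name: "execScript(", category: "execution" },
];

// Returns the name of the source used in the statement, or null.
function findSource(statement) {
  const named = SOURCES.find((s) => statement.includes(s));
  if (named) return named;
  const generic = statement.match(/\blocation\.[A-Za-z]+/); // covers location.*
  return generic ? generic[0] : null;
}

// Returns the sink descriptor used in the statement, or null.
function findSink(statement) {
  return SINKS.find((k) => statement.includes(k.name)) || null;
}

// Scans one script (newline-separated statements) and returns one finding
// per statement in which a source flows straight into a sink.
function scanForSourceToSinkFlows(jsSource) {
  const findings = [];
  jsSource.split("\n").forEach((statement, index) => {
    const source = findSource(statement);
    const sink = findSink(statement);
    if (source && sink) {
      findings.push({
        line: index + 1,
        source,
        sink: sink.name,
        category: sink.category,
        statement: statement.trim(),
      });
    }
  });
  return findings;
}

// Constructed sample script (not taken from any real site). Line 2 is a flow
// across statements, which this single-statement heuristic deliberately
// misses; lines 3 and 4 are direct flows it should report.
const SAMPLE_SCRIPT = [
  "var name = location.hash.substring(1);",
  "document.getElementById('out').innerHTML = name;",
  "document.write('<h1>' + location.search + '</h1>');",
  "eval('var page = \"' + document.URL + '\";');",
  "setTimeout(function () { console.log('tick'); }, 100);",
].join("\n");

// Example run: reports the flows on lines 3 and 4.
if (typeof require !== "undefined" && require.main === module) {
  console.log(scanForSourceToSinkFlows(SAMPLE_SCRIPT));
}
```

The miss on line 2 is the point of the paper's choice of dynamic taint tracking: a value read from `location.hash` is stored in a variable and reaches `innerHTML` one statement later, which a per-statement string match cannot see but a runtime taint label follows naturally.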

15 Impacts of XSS
- Denial of service: crashing the user's browser, pop-up flooding, redirection
- An attacker can hijack a logged-in user's session
- Access to authentication credentials for the web application: cookies, username and password
- Damage to the public image of the company

16 Contributions:
- The system designed consists of two components:
  - Vulnerability detection: an automated system that dynamically detects suspicious flows
  - Automated vulnerability validation: the system allows unambiguous validation by verifying that the injected JavaScript was indeed executed

17 Vulnerability Detection:
- Reporting functions are called each time a tainted string is passed to a sink.
- A Chrome extension that injects the JavaScript reporting function into the DOM was implemented to pass the report to the user interface.

18 Vulnerability Validation:
- The taint-tracking engine delivers suspicious flows, but not every suspicious flow is a vulnerability.
- Anatomy of an XSS exploit:
  - HTML context. Vulnerability: document.write(" "); Exploit: alert(1)
  - JavaScript context. Vulnerability: eval("var x='" + location.hash + "';"); Exploit: '; alert(1);'

19 Securing a site against XSS attacks
- By performing "in-house" input filtering (input sanitation)
- By performing output filtering (output encoding)
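The two exploit contexts on slide 18 and the output filtering on slide 19, as an added example that is not the presentation's code or the tool's: each untrusted value is rendered the unsafe way the slides describe and then the hardened way, once for the HTML context (`document.write`) and once for the JavaScript context (`eval` of a built string). The function names and the sample input are constructed for illustration, and no real DOM is touched: each function returns the markup or code string a page would emit, so the difference is visible and testable offline.

```javascript
// Added example, not code from the presentation or the tool it describes.
// It renders one untrusted value the unsafe way the slides show and the
// hardened way, for both the HTML context and the JavaScript context.
// No real DOM is touched: each function returns the markup or code string
// a page would emit, so the difference can be inspected and tested offline.

// HTML context: encode the characters that can change the markup structure.
function escapeHtml(value) {
  const table = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => table[ch]);
}

// Unsafe: the pattern behind document.write("<h1>" + location.search + "</h1>").
function renderHeadingUnsafe(untrusted) {
  return "<h1>" + untrusted + "</h1>";
}

// Hardened: output encoding before the value reaches the HTML sink.
function renderHeadingSafe(untrusted) {
  return "<h1>" + escapeHtml(untrusted) + "</h1>";
}

// Unsafe: the pattern behind eval("var x='" + location.hash + "';"). A single
// quote in the input ends the literal early, which is the slide-18 exploit.
function buildAssignmentUnsafe(untrusted) {
  return "var x = '" + untrusted + "';";
}

// Hardened: emit a well-formed JS string literal. JSON.stringify escapes
// quotes, backslashes and control characters; "<" is escaped as well so the
// literal can never close an enclosing <script> element.
function buildAssignmentSafe(untrusted) {
  const literal = JSON.stringify(String(untrusted)).replace(/</g, "\\u003c");
  return "var x = " + literal + ";";
}

// Executes a generated assignment and returns the value x ended up holding,
// which lets a test confirm the hardened form round-trips the input intact.
function evaluateAssignment(code) {
  return new Function(code + " return x;")();
}

// Constructed sample input (not from any real site).
const SAMPLE_INPUT = "Tom & Jerry <b>\"rule\"</b>, don't they?";

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderHeadingUnsafe(SAMPLE_INPUT)); // markup passes through
  console.log(renderHeadingSafe(SAMPLE_INPUT));   // markup neutralised
  console.log(buildAssignmentSafe(SAMPLE_INPUT)); // a single, intact literal
}
```

In a real page the stronger fix is to avoid the sink class altogether: assign text through `textContent` instead of `innerHTML` or `document.write`, and pass data to scripts as data (a JSON literal or a `data-*` attribute) rather than concatenating it into code for `eval`. Encoding is the fallback for the cases where the sink cannot be replaced.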

20 Selenium WebDriver
- What is Selenium?
  - Selenium is a cross-platform solution for performing automated testing of web applications.
  - Open-source framework
  - Successor to Selenium RC
  - Fully implemented and supported in Python, Ruby, Java, and C#

21 Selenium WebDriver API
- Interaction with page DOM elements (finding elements)
- Operations on DOM elements (Click, SendKeys, Drag&Drop etc.)
- Multi-window handling and switching between frames
- WebDriver waits to handle AJAX-based operations

22 Driving web browsers
- Selenium helps to interact with web applications through web browsers.
- Supported web drivers:
  - Internet Explorer driver
  - Opera driver
  - Chrome driver
  - Firefox driver
  - iPhone driver
  - Android driver
  - HtmlUnit driver
- Interactions with the web page and its DOM elements can be commanded through these drivers from a programming language.

23 Ways to find elements
- Elements on the page can be found using DOM properties of the element.
- Ways to find:
  - By.Id("id");
  - By.CssSelector("selector");
  - By.XPath("//xpath");
  - By.ClassName("name");
  - By.LinkText("linktext");
  - By.TagName("tagname");

24 WebDriver and injection of scripts
- Can be used to enter text into input fields on a web page.
- Steps to inject scripts:
  - Find element
  - Send keys (the input script, in the form of text)
  - Submit (click the submit element on the page)
  - Post-injection validation
- Changes to the page can be analyzed by the validation step.
- Test cases are built from scripts and their respective validations.

25 Intended approach
- Windows Forms application
- Exporting vulnerabilities to a remote database
- Chrome extension

26 Windows Forms application
- Tool that handles test cases, which can be built by developers
- Test cases can be developed for a specific vulnerability
- Being specific to a vulnerability, a test case can be used against more than one website
- Test cases can be shared among developer groups (scope for open source)
- Each test case includes a script injection and a post-validation
- Scripts can be fed to the tool in a conventional data format such as Excel
- Failed test case detection: post-injection validation on the page

27 Exporting vulnerabilities to a remote database
- The vulnerable URL and the selectors of the corresponding elements are exported to a remote MySQL database.
- If a test case fails, the tool exports:
  - URL of the website
  - Selector of the input text field
  - Selector of the element that submits the page data

28 Chrome Extension
- Communicates with the latest recorded vulnerabilities
- Presents the vulnerabilities to end users when they arrive at a vulnerable website
- Can highlight them visually for the end user with the help of the stored selectors

29 Recap
- One in ten websites is affected by an XSS vulnerability
- With growing security concerns at the application level, it is important to focus on XSS vulnerabilities
- There is no single reason for XSS vulnerabilities; reasons include developers unaware of the vulnerability and the use of outdated first- and third-party libraries
- We discussed examples and the impact of XSS
- We build a Windows Forms application to help developers build test cases
- We give Chrome users an extension that helps them avoid sites vulnerable to XSS

30 Questions and Discussion
Image source: http://en.hdyo.org/




