Tracing User Input Through JS is for Tools Jake Heath and Michael - PowerPoint PPT Presentation



  1. Tracing User Input Through JS is for Tools Jake Heath and Michael Roberts

  2. bio
     Jake Heath
     ● Penetration Tester @ NCC Group
     ● San Francisco, CA
     ● Beard
     ● Bread
     Michael Roberts
     ● Penetration Tester @ NCC Group
     ● San Francisco, CA
     ● Can’t grow a beard
     ● Less bread

  3. overview
     goal
     tools
     tracy

  4. goal ...to eliminate all XSS

  5. goal
     ...to eliminate all XSS
     ...with the DOM
     ...with human interaction

  6. anti-goals
     ...to eliminate all XSS
     ...with AI
     ...with automated scanning
     ...with static analysis
     ...with blockchain$$

  7. existing tools
     manual testing & intercepting proxies
     static analysis
     other

  8. manual testing - a shotgun approach
     ● Burp Suite
     ● spray app with payloads
       ○ <script>alert(n)</script>
     ● navigate app until alert fires
     ● identify which input triggered the alert
     ● document the bug

  9. manual testing - a shotgun approach
     ● pros
       ○ super easy
       ○ requires very little setup or knowledge
       ○ fast
     ● cons
       ○ simple input validation can slow down testing
       ○ no easy way to track origin
       ○ can get annoying
       ○ potentially poor coverage
       ○ Burp has no concept of the DOM

  10. static analysis
     ● Burp Active Scanner or Checkmarx
     ● attempts to map sinks to sources
       ○ input field value -> dangerouslySetInnerHTML()
     ● uses an AST to try to resolve paths

  11. static analysis
     ● pros
       ○ very little user interaction
       ○ could find hidden logic
       ○ non-intrusive
       ○ low learning curve
     ● cons
       ○ often costs $$$
       ○ >> false positives/false negatives
       ○ time intensive
       ○ no DOM context
       ○ misses server-side logic

  12. other
     ● browser forks
       ○ has the ability to monitor the call stack of potential input sources
       ○ follow all sources to potential sinks
     ● headless browser

  13. other
     ● pros
       ○ has a deep understanding of the JavaScript and DOM
       ○ can understand how to unlock new paths
       ○ complete tracing of input
     ● cons
       ○ hard to keep up to date
       ○ $$
       ○ learning curve

  14. tracy
     MutationObserver
     browser extension
     proxy

  15. How is this possible?

  16. Tracy Workflow

  17. Tracy Workflow

  18. Using DOM Mutations to Detect XSS
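The idea behind this slide, as an added example that is not Tracy's own code: a tracer token (here the constructed value TRACERZ1) is injected as input, and a MutationObserver callback inspects every DOM mutation for it, reporting whether it landed as text (the sink escaped it) or inside a tag name, attribute name, or event-handler/URL attribute (a likely XSS sink). Function and variable names are assumptions, and the sample records are constructed so the classifier runs without a browser.

```javascript
const TEXT_NODE = 3, ELEMENT_NODE = 1;
// Attributes whose value can run script or load a URL: event handlers plus URL/style sinks.
const RISKY_ATTR = /^(on\w+|href|src|action|formaction|srcdoc|style)$/i;
function checkAttribute(name, value, tracer, hits) {
  if (name.toLowerCase().includes(tracer.toLowerCase())) hits.push({ where: 'attrName', risky: true });
  else if (value.includes(tracer)) hits.push({ where: `attr:${name}`, risky: RISKY_ATTR.test(name) });
}
// Walk a node (a real DOM node or the plain-object stand-in below) and record every tracer sighting.
function findTracer(node, tracer, hits = []) {
  if (node.nodeType === TEXT_NODE) {
    // Tracer landed in a text node: the sink escaped it and the input stayed data.
    if (node.textContent.includes(tracer)) hits.push({ where: 'text', risky: false });
  } else if (node.nodeType === ELEMENT_NODE) {
    // Tracer inside a tag name (parser uppercases it, so compare lowercased): input broke into markup.
    if (node.nodeName.toLowerCase().includes(tracer.toLowerCase())) hits.push({ where: 'tagName', risky: true });
    for (const { name, value } of node.attributes) checkAttribute(name, value, tracer, hits);
    for (const child of node.childNodes) findTracer(child, tracer, hits);
  }
  return hits;
}
// Reduce a batch of MutationRecords to tracer sightings; this is what the observer callback does.
function classifyMutations(records, tracer) {
  const hits = [];
  for (const r of records) {
    if (r.type === 'childList') for (const n of r.addedNodes) findTracer(n, tracer, hits);
    else if (r.type === 'attributes') {
      const a = [...r.target.attributes].find((x) => x.name === r.attributeName);
      if (a) checkAttribute(a.name, a.value, tracer, hits);
    }
  }
  return hits;
}
// In the extension, hang the classifier off a MutationObserver that covers the whole document.
function watchForTracer(root, tracer, report) {
  new MutationObserver((records) => {
    const hits = classifyMutations(records, tracer);
    if (hits.length) report(hits);
  }).observe(root, { childList: true, attributes: true, subtree: true });
}

// Constructed sample, no browser needed: plain objects shaped like DOM nodes and MutationRecords.
const TRACER = 'TRACERZ1';
const el = (nodeName, attributes = [], childNodes = []) => ({ nodeType: ELEMENT_NODE, nodeName, attributes, childNodes });
const txt = (textContent) => ({ nodeType: TEXT_NODE, textContent });
const SAMPLE_RECORDS = [
  { type: 'childList', addedNodes: [txt(`Hi ${TRACER}`)] }, // el.textContent = input
  { type: 'childList', addedNodes: [el('IMG', [{ name: 'src', value: 'x' }, { name: 'onerror', value: TRACER }])] }, // el.innerHTML = input
  { type: 'attributes', attributeName: 'href', target: el('A', [{ name: 'href', value: `javascript:${TRACER}` }]) }, // a.href = input
];
function demo() { return classifyMutations(SAMPLE_RECORDS, TRACER); } // -> text (not risky), attr:onerror, attr:href
```

In a browser, `watchForTracer(document, TRACER, console.log)` attaches the same classifier to live mutations.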

  19. demo!

  20. What can tracy do?
     ● eliminates all XSS ... well, at least the easy XSS for now.
     ● maps all inputs to outputs.
     ● automatically discovers vulnerable cases of XSS.
     ● automatically generates reproduction steps for XSS ...soon

  21. future work
     ● stability
     ● automatic generation of reproduction steps (NEXT COMMIT!)
     ● verification of XSS (NEXT COMMIT!)
       ○ PhantomJS - replay recorded flows
     ● js method hooking
       ○ granular view of different functions that execute with tainted sources
       ○ capturing events for eval, setTimeout, setInterval, etc.
     ● frontend fuzzing (NEXT COMMIT!)
       ○ offline bruteforcing
       ○ 0 network requests

  22. Questions
     https://github.com/nccgroup/tracy
     @JacobRHeath

  23. Sources
     ● https://chrome.google.com/webstore/detail/tracy/lcgbimfijafcjjijgjoodgpblgmkckhn
     ● https://addons.mozilla.org/en-US/firefox/addon/tracyplugin/
     ● https://portswigger.net/burp
     ● https://www.checkmarx.com/
     ● http://phantomjs.org/
