Tracing User Input Through JS is for Tools Jake Heath and Michael - PowerPoint PPT Presentation

Tracing User Input Through JS is for Tools Jake Heath and Michael Roberts

bio Jake Heath ● Penetration Tester @ NCC Group ● San Francisco, CA ● Beard ● Bread Michael Roberts ● Penetration Tester @ NCC Group ● San Francisco, CA ● Can’t grow a beard ● Less bread

overview goal tools tracy

goal ...to eliminate all XSS

goal ...to eliminate all XSS ...with the DOM ...with human interaction

anti-goals ...to eliminate all XSS ...with AI ...with automated scanning ...with static analysis ...with blockchain$$

existing tools manual testing & intercepting proxies static analysis other

manual testing - a shotgun approach ● Burp Suite ● spray app with payloads ○ <script>alert(n)</script> ● navigate app until alert fires ● identify which input triggered the alert ● document the bug

manual testing - a shotgun approach ● pros ○ super easy ○ requires very little setup or knowledge ○ fast ● cons ○ simple input validation can slow down testing ○ no easy way to track origin ○ can get annoying ○ potentially poor coverage ○ Burp has no concept of the DOM

static analysis ● Burp Active Scanner or Checkmarx ● attempts to map sinks to sources ○ input field value -> dangerouslySetHTML() ● uses an AST to try to resolve paths

static analysis ● pros ○ very little user interaction ○ could find hidden logic ○ non-intrusive ○ low learning curve ● cons ○ often cost $$$ ○ >> false positive/false negatives ○ time intensive ○ no DOM context ○ misses server side logic

other ● browser forks ○ has the ability to monitor call stack of potential input sources ○ follow all sources to potential sinks ● headless browser

other ● pros ○ has a deep understanding of the JavaScript and DOM ○ can understand how to unlock new paths ○ complete tracing of input ● cons ○ hard to keep up to date ○ $$ ○ learning curve

tracy MutationObserver browser extension proxy

How is this possible?

Tracy Workflow

Tracy Workflow

Using DOM Mutations to Detect XSS

demo!

What can tracy do? ● eliminates all XSS ... well, at least the easy XSS for now. ● maps all inputs to outputs. ● automatically discover vulnerable cases of XSS. ● automatically generate reproduction steps for XSS ...soon

future work ● stability ● automatic generation of reproduction steps (NEXT COMMIT!) ● verification of XSS (NEXT COMMIT!) ○ PhantomJS - replay recorded flows ● js method hooking ○ granular view of different functions that execute with tainted sources ○ capturing events for eval, setTimeout, setInterval, etc. ● frontend fuzzing (NEXT COMMIT!) ○ offline bruteforcing ○ 0 network requests

Questions https://github.com/nccgroup/tracy @JacobRHeath

Sources ● https://chrome.google.com/webstore/detail/tracy/lcgbimfijafcjjijgjoodgpblgmkckhn ● https://addons.mozilla.org/en-US/firefox/addon/tracyplugin/ ● https://portswigger.net/burp ● https://www.checkmarx.com/ ● http://phantomjs.org/