Tracing User Input Through JS is for Tools
Jake Heath and Michael Roberts

bio
Jake Heath
● Penetration Tester @ NCC Group
● San Francisco, CA
● Beard
● Bread
Michael Roberts
● Penetration Tester @ NCC Group
● San Francisco, CA
● Can't grow a beard
● Less bread
overview
● goal
● tools
● tracy
goal
...to eliminate all XSS
goal
...to eliminate all XSS
...with the DOM
...with human interaction
anti-goals
...to eliminate all XSS
...with AI
...with automated scanning
...with static analysis
...with blockchain$$
existing tools
● manual testing & intercepting proxies
● static analysis
● other
manual testing - a shotgun approach
● Burp Suite
● spray app with payloads
  ○ <script>alert(n)</script>
● navigate app until alert fires
● identify which input triggered the alert
● document the bug
manual testing - a shotgun approach
● pros
  ○ super easy
  ○ requires very little setup or knowledge
  ○ fast
● cons
  ○ simple input validation can slow down testing
  ○ no easy way to track origin
  ○ can get annoying
  ○ potentially poor coverage
  ○ Burp has no concept of the DOM
static analysis
● Burp Active Scanner or Checkmarx
● attempts to map sources to sinks
  ○ input field value -> dangerouslySetInnerHTML()
● uses an AST to try to resolve paths
static analysis
● pros
  ○ very little user interaction
  ○ could find hidden logic
  ○ non-intrusive
  ○ low learning curve
● cons
  ○ often costs $$$
  ○ many false positives / false negatives
  ○ time intensive
  ○ no DOM context
  ○ misses server side logic
other
● browser forks
  ○ have the ability to monitor the call stack of potential input sources
  ○ follow all sources to potential sinks
● headless browser
other
● pros
  ○ deep understanding of the JavaScript and the DOM
  ○ can understand how to unlock new paths
  ○ complete tracing of input
● cons
  ○ hard to keep up to date
  ○ $$
  ○ learning curve
tracy
● MutationObserver
● browser extension
● proxy
How is this possible?
Tracy Workflow
Using DOM Mutations to Detect XSS
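The idea on this slide, as an added illustration (not tracy's own code): tracer strings are injected into inputs, and a MutationObserver watches the DOM for any mutation that carries one. The tracer format, the context names and the MutationRecord-shaped test objects are assumptions; the context a tracer lands in (text, plain attribute, URL attribute, event-handler attribute) is what tells a tester how serious the sink is.

```javascript
// Assumed tracer format: "zzXSS" + 6-char id + "zz"; the id links a DOM hit
// back to the input the proxy injected it into.
const TRACER_RE = /zzXSS([a-z0-9]{6})zz/g;

// Where a tracer landed decides how dangerous the sink is.
function classifyContext(attrName) {
  if (attrName === null) return 'text';
  if (/^on/i.test(attrName)) return 'event-handler-attribute';
  if (/^(href|src|action|formaction|srcdoc)$/i.test(attrName)) return 'url-attribute';
  return 'attribute';
}

// Record every tracer occurrence in a string as a finding.
function scan(value, nodeName, attrName, findings) {
  for (const m of (value || '').matchAll(TRACER_RE)) {
    findings.push({ id: m[1], node: nodeName, attr: attrName, context: classifyContext(attrName) });
  }
}

// Walk an added node and its descendants: text nodes (nodeType 3) and attributes.
function scanNode(node, findings) {
  if (node.nodeType === 3) { scan(node.nodeValue, '#text', null, findings); return; }
  for (const a of node.attributes || []) scan(a.value, node.nodeName, a.name, findings);
  for (const child of node.childNodes || []) scanNode(child, findings);
}

// Pure function over MutationRecord-shaped objects, so it runs without a browser.
function findTracers(records) {
  const findings = [];
  for (const rec of records) {
    if (rec.type === 'attributes') {
      scan(rec.target.getAttribute(rec.attributeName), rec.target.nodeName, rec.attributeName, findings);
    } else if (rec.type === 'characterData') {
      scan(rec.target.nodeValue, '#text', null, findings);
    } else if (rec.type === 'childList') {
      for (const node of rec.addedNodes) scanNode(node, findings);
    }
  }
  return findings;
}

// In the browser: observe the whole document and report hits as they happen.
function startTracing(root) {
  const observer = new MutationObserver((records) => {
    for (const f of findTracers(records)) console.log('tracer', f.id, 'reached', f.context, 'sink in', f.node);
  });
  observer.observe(root, { childList: true, attributes: true, characterData: true, subtree: true });
  return observer;
}
```

Call `startTracing(document)` from an extension content script; `findTracers` alone is enough to unit-test the classification offline.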
demo!
What can tracy do?
● eliminates all XSS ... well, at least the easy XSS for now.
● maps all inputs to outputs.
● automatically discovers vulnerable cases of XSS.
● automatically generates reproduction steps for XSS ...soon
future work
● stability
● automatic generation of reproduction steps (NEXT COMMIT!)
● verification of XSS (NEXT COMMIT!)
  ○ PhantomJS - replay recorded flows
● js method hooking
  ○ granular view of different functions that execute with tainted sources
  ○ capturing events for eval, setTimeout, setInterval, etc.
● frontend fuzzing (NEXT COMMIT!)
  ○ offline bruteforcing
  ○ 0 network requests
Questions
https://github.com/nccgroup/tracy
@JacobRHeath
Sources
● https://chrome.google.com/webstore/detail/tracy/lcgbimfijafcjjijgjoodgpblgmkckhn
● https://addons.mozilla.org/en-US/firefox/addon/tracyplugin/
● https://portswigger.net/burp
● https://www.checkmarx.com/
● http://phantomjs.org/