Post on 01-Jun-2018
transcript
8/9/2019 Cyber Threatl39briefingdipaola169ok 140801072159 Phpapp01
http://slidepdf.com/reader/full/cyber-threatl39briefingdipaola169ok-140801072159-phpapp01 1/27
Financial Cyber-Threat Briefing
"Planning for Attack-Resilient Web Applications"
11th July 2014
Sponsored By
Stefano Di Paola, CTO Minded Security
Preventing In-Browser Malicious Code Execution
Agenda
Introduction, Impacts, Concerns
Approach, Proposed Solutions
Introduction
OWASP Top Ten 2013
A list of the 10 Most Critical Web Application Security Risks
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
Introduction - Cross Site Scripting Analysis
Cross Site Scripting - Identification and Detection
"<html>..." + taintedInput + "...</html>"
<html>...<script>evil()</script>...</html>
taintedInput=<script>evil()</script>
Security Scanners/Sensors
Reflected Cross Site Scripting - Identification and Detection
"<html>..." + taintedInput + "...</html>"
<html>...<script>evil()</script>...</html>
taintedInput=<script>evil()</script>
Security Scanners/Sensors
Stored Cross Site Scripting - Identification and Detection
"<html>..." + taintedInput + "...</html>"
<html>...<script>evil()</script>...</html>
taintedInput=<script>evil()</script>
Security Scanners/Sensors
Security Scanners
DOM Based Cross Site Scripting - Identification and Detection
<html>...<script>evil()</script>...</html>
"<html>..." + taintedInput + "...</html>"
taintedInput=<script>evil()</script>
Security Scanners/Sensors
In Browser Attacks
DOM Based XSS Demo on Yahoo! Mail
Agenda
Introduction, Impacts, Concerns
Approach, Proposed Solutions
Introduction - Cross Site Scripting Analysis
Does the Risk Analysis fit the DOM Based Cross Site Scripting?
DOM Based Cross Site Scripting - Analysis
Impacts/Risks are identical.
Detectability is lower for DOM-Based XSS, as it is harder for defenders to find (no Network In/Out Observation).
Yet DOM Based XSS is still part of the OWASP Top Ten.
Does the Risk Analysis fit the DOM Based Cross Site Scripting?
Client Side Issues And Impacts
Vulnerability -> Impact
JS Execution (DOM Based Cross Site Scripting) -> Complete Control Over User's Page
HTML Injection/Content Spoofing -> Arbitrary HTML Insertion; Attacker can completely spoof the content; Cannot Access Cookies and other JS Data
Client Side SQL Injection -> Data exfiltration (CI)
URL Redirect -> URL Spoofing (C)
CSS Injection -> Extract Sensitive Information (C)
Resource Manipulation -> Change the location of a resource requested by a page (CI)
C = Confidentiality, I = Integrity
Trends 200x - 2014: From Server To Client
Usage of JavaScript Over the Years
3rd Party JavaScript Usage
Experiment: take the first top 100 Sites from Alexa. Extract all script sources and count how many external scripts are used.
Result: ... contained 3rd Party JS. Do you trust 3rd Party Code in your site?
Let me rephrase it: Have you ever tested your 3rd Party JS?
Agenda
Introduction, Impacts, Concerns
Approach, Proposed Solutions
Identification Approach
Static Analysis
Blind Fuzzing
Runtime Taint Analysis
Approach & Solutions
Minimized Client Side JavaScript
Server Side Java/C#
But Automated Static Analysis can do it.. doesn't it?
Spot the Difference
Static Analysis
On Structured Languages like Java or C# some good coverage can be performed (according to Static Analysis limits).
On Flexible/Dynamic languages like JavaScript:
location.search
window.location.search
document.location.search
window["location"]["search"]
window["l"+"o"+"\x63"+"ation"][atob('c2VhcmNo')]
window[arr[43]][obj['th!arch']]
very poor coverage!
Runtime Approach
Runtime Blind Fuzzing: BlackBox Scanning, fault injection with patterns, hoping to reach the sink (dangerous function). Poor coverage, lot of False Negatives.
Real Time Taint Propagation with Instrumentation: propagates the "taint" flag during Real Time execution. Real Client State emulation (In-Browser test cases).
OWASP Project: DOMinator by Minded Security
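The six source-access forms on the Static Analysis slide and the taint-propagation idea on this slide, as an added runnable example that is not code from the slides or from DOMinator: `window`, `document`, `location`, the `Tainted` wrapper and the two counters are constructed stand-ins for a browser and for instrumentation, not the tool's own API.

```javascript
// Added example (not from the slides or DOMinatorPro): why literal-pattern static
// analysis misses dynamic source access while runtime taint propagation does not.
// `window`, `document`, `location`, `Tainted` and both counters are constructed
// stand-ins for a browser and for instrumentation; none are the tool's own code.

// A value that remembers it came from an attacker-controlled source.
class Tainted {
  constructor(value, sources) { this.value = String(value); this.sources = sources; }
  concat(other) {
    const more = other instanceof Tainted ? other.sources : [];
    return new Tainted(this.value + String(other), [...this.sources, ...more]);
  }
  toString() { return this.value; }
}

// Constructed fake browser globals. Every way of reaching `search` ends in the
// same instrumented getter, which is why the runtime approach sees all of them.
const location = {};
Object.defineProperty(location, "search", {
  get: () => new Tainted("?q=<script>evil()</script>", ["location.search"]),
});
const window = { location, atob: (b64) => Buffer.from(b64, "base64").toString("latin1") };
const document = { location };

// The six access forms from the Static Analysis slide, as runnable code.
const accessors = [
  () => location.search,
  () => window.location.search,
  () => document.location.search,
  () => window["location"]["search"],
  () => window["l" + "o" + "\x63" + "ation"][window.atob("c2VhcmNo")],
  () => {
    const arr = []; arr[43] = "location";
    const obj = { k: "search" };
    return window[arr[43]][obj["k"]];
  },
];

// Naive static rule: grep the source text for the literal `location.search`.
const staticRule = /\b(window\.|document\.)?location\.search\b/;
function staticHits() {
  return accessors.filter((fn) => staticRule.test(fn.toString())).length;
}

// Instrumented sink check: a tainted value reaching the HTML sink is flagged,
// whatever path the source was reached by.
function runtimeHits() {
  return accessors.filter((fn) => {
    const html = new Tainted("<div>", []).concat(fn()).concat("</div>");
    return html.sources.length > 0;
  }).length;
}
```

The text rule matches only the first three forms, while the instrumented getter fires for all six, which is the coverage gap the slide calls "very poor coverage".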
Minded Security DOMinatorPro
First experiment in 2010: we took the first Alexa top 100.
Analyzed them using DOMinatorPro. We found ... to be vulnerable to DOM Based XSS Attacks.
Minded Security DOMinatorPro Enterprise
The Automation Suite: Browser Based Crawler
Web Management
Selenium Based Connector with DOMinatorPro
Remote Alert Collector (Local Web Server)
CLI Interactive Interface to Selenium
Management by Project
Scripting possibilities
DEMO Time
Minded Security DOMinatorPro Enterprise
Developers: Unit and Functional Testing. Test their own code. Identify the issue and fix it.
QA Testers: Unit and Functional Testing. Alerts while QA testing.
Security Testers: Black box browsing. Details about operations without encodings. 3rd Party JavaScript.
DOMinatorPro Helps Companies Around the World
Thank you!
Q&A
https://dominator.mindedsecurity.com
@mindedsecurity
Mail: stefano.dipaola@mindedsecurity.com, @wisec
Commercial support: info@mindedsecurity.com
Software Actors
Internal Client Side Developers
Contractors
3rd Party JavaScript (Libraries, Ads, Analytics, Social..)
Security Testing Actors
Quality Assurance / Test Cases (In house process)
Internal Manual Security Audits
Internal Automatic Security Audits
External Manual Security Audits
External Automatic Security Audits