Cyber Threatl39briefingdipaola169ok 140801072159 Phpapp01

Date post: 01-Jun-2018
Transcript
Page 1: Cyber Threatl39briefingdipaola169ok 140801072159 Phpapp01

8/9/2019 Cyber Threatl39briefingdipaola169ok 140801072159 Phpapp01

http://slidepdf.com/reader/full/cyber-threatl39briefingdipaola169ok-140801072159-phpapp01 1/27

Financial Cyber-Threat Briefing

“Planning for Attack-Resilient Web Applications”

11th July 2014

Sponsored By

Stefano Di Paola, CTO Minded Security

Preventing In-Browser Malicious Code Execution

Page 2

Page 3

Agenda

• Introduction
• Impacts
• Concerns
• Approach
• Proposed Solutions

Page 4

Introduction

OWASP Top Ten 2013

A list of the 10 Most Critical Web Application Security Risks

• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities

Page 5

Introduction - Cross Site Scripting Analysis

Page 6

Cross Site Scripting - Identification and Detection

“<html>…taintedInput…</html>”

<html>…<script>evil</script>…</html>

taintedInput=<script>evil</script>

Security Scanners/Sensors

Page 7

Reflected Cross Site Scripting - Identification and Detection

“<html>…taintedInput…</html>”

<html>…<script>evil</script>…</html>

taintedInput=<script>evil</script>

Security Scanners/Sensors

Page 8

Stored Cross Site Scripting - Identification and Detection

“<html>…taintedInput…</html>”

<html>…<script>evil</script>…</html>

taintedInput=<script>evil</script>

Security Scanners/Sensors

Security Scanners

Page 9

DOM Based Cross Site Scripting - Identification and Detection

<html>…<script>evil</script>…</html>

“<html>…taintedInput…</html>”

taintedInput=<script>evil</script>

Security Scanners/Sensors

>>> In Browser Attacks

Page 10

DOM Based XSS Demo on Yahoo! Mail

Page 11

Agenda

• Introduction
• Impacts
• Concerns
• Approach
• Proposed Solutions

Page 12

Introduction - Cross Site Scripting Analysis

Does the Risk Analysis fit the DOM Based Cross Site Scripting…

Page 13

DOM Based Cross Site Scripting - Analysis

• Impacts/Risks are identical
• Detectability is lower for DOM-Based XSS, as it is harder for defenders to find (no Network In/Out Observation)
• Yet DOM Based XSS is still part of the OWASP Top…

Does the Risk Analysis fit the DOM Based Cross Site Scripting…
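As an added example (not part of the slides or of any Minded Security tool), the following Node.js script models the detectability gap the slide describes: a network-level sensor that compares request parameters with the response body sees a reflected payload, but a DOM-based injection carried in the URL fragment never crosses the network, so only a hook at the in-browser sink can observe it. The traffic, the page behaviour and the names networkSensor, browserRender and domSensor are all constructed for this example.

```javascript
// Added example, not from the slides: network observation vs. in-browser
// observation of an XSS payload. All data below is constructed.

const PAYLOAD = '<script>evil</script>';   // the payload shape used on the slides

// Reflected case: the server echoes the query parameter into the response, so
// both the input and its reflection travel over the wire.
const REFLECTED = {
  request: { path: '/search', query: { q: PAYLOAD } },
  response: '<html>Results for: ' + PAYLOAD + '</html>',
};

// DOM-based case: the payload sits in the fragment, which browsers never send
// to the server. Request and response are clean; the page's own script later
// copies location.hash into the document.
const DOM_BASED = {
  request: { path: '/view', query: {} },
  response: '<html><div id="out"></div><script src="app.js"></script></html>',
  fragment: '#' + PAYLOAD,
};

// Network sensor (proxy / WAF / IDS view): flag any request value that
// reappears unencoded in the response body.
function networkSensor({ request, response }) {
  return Object.values(request.query).some((v) => v.length > 0 && response.includes(v));
}

// Minimal stand-in for the browser running app.js: location.hash -> innerHTML.
// The write() hook plays the role of instrumentation on the innerHTML sink;
// this model only renders the fragment path, not the server response.
function browserRender(tx, alerts) {
  const location = { hash: tx.fragment || '' };
  const out = { innerHTML: '' };
  const write = (el, html) => {
    if (/<script\b/i.test(html)) alerts.push('sink:innerHTML');   // markup reaching a DOM sink
    el.innerHTML = html;
  };
  write(out, decodeURIComponent(location.hash.slice(1)));
  return out.innerHTML;
}

// In-browser sensor: true when the page's own rendering pushes markup into a sink.
function domSensor(tx) {
  const alerts = [];
  browserRender(tx, alerts);
  return alerts.length > 0;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, tx] of [['reflected', REFLECTED], ['dom-based', DOM_BASED]]) {
    console.log(name, { network: networkSensor(tx), inBrowser: domSensor(tx) });
  }
}
```

The reflected case trips the network sensor and the DOM-based case does not, which is the slide's point: with identical impact, the DOM-based variant leaves nothing for a wire-level sensor to match, and the only place it becomes visible is the sink inside the browser.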

Page 14

Client Side Issues And Impacts

Vulnerability | Impact
JS Execution (DOM Based Cross Site Scripting) | Complete Control Over User's Page (…)
HTML Injection / Content Spoofing | Arbitrary HTML Insertion; attacker can completely spoof the content; cannot access Cookies and other JS Data (C…)
Client Side SQL Injection | Data exfiltration (CI)
URL Redirect | URL Spoofing (C)
CSS Injection | Extract Sensitive Information (C)
Resource Manipulation | Change the location of a resource requested by a page (CI)

Legend: C = Confidentiality, I = Integrity

Page 15

Trends 200… - 2014: From Server To Client

Usage of JavaScript Over the Years

Page 16

3rd Party JavaScript Usage

• Experiment: take the first top 100 Sites from Alexa. Extract all script sources and count how many external scripts are used.
• Result: … contained 3rd Party JS

Do you trust 3rd Party Code in your s…

Let me rephrase it:

Have you ever tested your 3rd Party J…

Page 17

Agenda

• Introduction
• Impacts
• Concerns
• Approach
• Proposed Solutions

Page 18

Identification Approach

• Static Analysis
• Blind Fuzzing
• Runtime Taint Analysis

Page 19

Approach & Solutions

Minimized Client Side JavaScript vs. Server Side Java/C#

But Automated Static Analysis can do it.. doesn…

Spot the Difference

Page 20

Static Analysis

On Structured Languages like Java or C# some good coverage can be performed (according to Static Analysis limits)

On Flexible/Dynamic languages like JavaScript:

  location.search

  window.location.search

  document.location.search

  window['location']['search']

  window["l"+"o"+"\x63"+"ation"][atob('c2VhcmNo')]

  window[arr[43]][obj['th!arch']]

very poor coverage!

Runtime

Page 21

Runtime Approach

• Runtime Blind Fuzzing: BlackBox Scanning, fault injection with patterns, hoping to … the sink (dangerous function). Poor coverage, lot of False Negatives.
• Real Time Taint Propagation with Instrumentation: propagates the "taint" flag during Real Time execution
• Real Client State emulation (In-Browser test cases)
• OWASP Project: DOMinator - by Minded Security
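Added example covering the "Static Analysis" and "Runtime Approach" slides above (this is not code from the slides or from DOMinator; the names SNIPPETS, staticScan, TaintedString, makeInstrumentedWindow and runtimeScan are the example's own, and the arr/obj indirections are constructed). It takes the six spellings of location.search from the Static Analysis slide, runs a text-pattern scanner over them, and then executes them against an instrumented fake window whose location.search hands back a value carrying a taint flag, as the runtime approach does, so the flag reaches the sink whichever way the property name was assembled.

```javascript
// Added example, not from the slides or from DOMinatorPro: a text-level static
// scanner versus a runtime hook on the resolved property access.

// Constructed client-side snippets: the six ways of reading location.search
// listed on the "Static Analysis" slide, plus one that never touches it.
const SNIPPETS = {
  plain:    'sink(location.search)',
  windowed: 'sink(window.location.search)',
  document: 'sink(document.location.search)',
  bracket:  'sink(window["location"]["search"])',
  built:    'sink(window["l"+"o"+"\\x63"+"ation"][atob("c2VhcmNo")])',
  indirect: 'sink(window[arr[43]][obj["th!arch"]])',
  benign:   'sink("static text")',
};

// Static approach: pattern-match the source text for the well-known spelling.
// Anything assembled at runtime (concatenation, base64, array lookups) is
// invisible to it.
function staticScan(snippets = SNIPPETS) {
  const pattern = /\b(?:window\.|document\.)?location\.search\b/;
  return Object.keys(snippets).filter((name) => pattern.test(snippets[name]));
}

// Runtime approach: the source hands out a wrapped value carrying a taint flag
// and its origin. A real engine instruments the browser's string type so the
// flag survives ordinary operations; this toy keeps it on explicit concat().
class TaintedString {
  constructor(value, origin) { this.value = value; this.origin = origin; }
  concat(other) { return new TaintedString(this.value + String(other), this.origin); }
  toString() { return this.value; }
}

// The hook sits on the resolved property ("search" of "location"), so it does
// not matter how the property names were spelled or computed by the caller.
function makeInstrumentedWindow(query) {
  const location = new Proxy({ search: query }, {
    get(target, prop) {
      const v = target[prop];
      return prop === 'search' ? new TaintedString(v, 'location.search') : v;
    },
  });
  const win = { location };
  win.window = win;
  win.document = { location };
  return win;
}

// Evaluate each snippet against the instrumented window; an alert is recorded
// when the (mock) sink receives a tainted value. The query string is the
// payload shape from the slides, used only as constructed input.
function runtimeScan(snippets = SNIPPETS, query = '?q=<script>evil</script>') {
  const win = makeInstrumentedWindow(query);
  const arr = []; arr[43] = 'location';            // constructed indirection
  const obj = { 'th!arch': 'search' };              // constructed indirection
  const atob = (s) => Buffer.from(s, 'base64').toString('latin1');
  const alerts = [];
  for (const [name, src] of Object.entries(snippets)) {
    const sink = (v) => { if (v instanceof TaintedString) alerts.push(name); };
    const run = new Function('window', 'document', 'location', 'arr', 'obj', 'atob', 'sink', src);
    run(win, win.document, win.location, arr, obj, atob, sink);
  }
  return alerts;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('static scanner flagged :', staticScan());
  console.log('runtime taint flagged  :', runtimeScan());
}
```

The static pass only finds the three literal spellings; the runtime pass flags all six readers of location.search and stays silent on the benign snippet, which is the coverage difference the two slides contrast.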

Page 22

Minded Security DOMinatorPro

• First experiment in 2010: we took the first top 100.
• Analyzed them using DOMinatorPro. We found … to be vulnerable to DOM Based XSS Attacks

Page 23

Minded Security DOMinatorPro Enterprise

• The Automation Suite: Browser Based Crawler
• Web Management
• Selenium Based Connector with DOMinator…
• Remote Alert Collector (Local Web Server)
• Cli Interactive Interface to Selenium
• Management by Project
• Scripting possibilities

DEMO Time

Page 24

Minded Security DOMinatorPro Enterprise

Developers
• Unit and Functional Testing.
• Test their own code.
• Identify the issue and fix it

QA Testers
• Unit and Functional Testing.
• Alerts while QA testing

Security Testers
• Black box browsing
• Details about operations without encodings
• 3rd Party JavaScript

Page 25

DOMinatorPro Helps Companies Around the World

Page 26

Thank you!

Q&A

https://dominator.mindedsecurity.com

@mindedsecurity

Mail: stefano.dipaola@mindedsecurity.com  @wisec

Commercial support: info@mindedsecurity.com

Software Actors

Page 27

Software Actors

• Internal Client Side Developers
• Contractors
• 3rd Party JavaScript (Libraries, Ad, Analytics, Social..)

Security Testing Actors

• Quality Assurance / Test Cases (In House process)
• Internal Manual Security Audits
• Internal Automatic Security Audits
• External Manual Security Audits
• External Automatic Security Audits