IMQ Minded Security Blog

Tuesday, October 9, 2012

Stored DOM Based Cross Site Scripting

Since the very first release of DOMinatorPro, there is an 'S' little button in the right down corner:


Q: What does it mean?
A: First of all, I'd say, it actually means that there's another feature that makes DOMinatorPro a bleeding edge tool for finding DOM Based XSS :).

The Stored Strings tainting is a very interesting feature that DOMinatorPro implements for tracking stored DOM Based Cross Site Scripting issues.

Think about the following scenery.

Pseudo code:
  setName.do

String name=getFromParameter("name");
   saveOnDB(name);
  getName.do

String name = getNameFromDB();
// escape the source (name) from DB so no stored XSS is there
   String jsEscape=encodeForJavaScript(name); 
   print "<script>\n";
// No problem here since it's escaped.
   print "var aname='({\"aName\":\""+jsEscape+"\"})';";
   print "eval(aname);\n";
   print "</script>";
So we'll get in the getName.do page : 

..
<script>
 var aname='({"aName":"PATTERN"})'; 
 eval(aname);
</script>
..
At this point you surely understand the issue in the flow:

Step 1. Attacker sends name=PATTERN

  

Step 2. Victim visits a page with the flawed Js.




The attacker can't directly get out from the string since it's supposed to be correctly escaped, so that a payload like name=testPATTERN"'> will become:


var aName="testPATTERN\x22\x27\x3c";
..
Which is not directly exploitable, but if that same variable is used as argument for a Function or eval, or innerHTML or some of the sinks described on DOMXSS Wiki (contribute please), then it's an exploitable issue.

No existing tool is able to trace patterns like that during JavaScript execution but DOMinatorPro.
What the tester has to do is to turn on tainting on Stored Strings and set the pattern which has to be traced using the settings:


Finally, the user will just have to create the scenario by browsing the application with DOMinatorPro.
And she'll get some output like the following:


Where StoredTainted is the constant string transformed as tainted on the fly.

There are several interesting possibilities by using the tainted stored strings, like applying the same checks on responses from XMLHttpRequests.
But that's food for another blog post.

Feedbacks  are, as usual really welcome!

Ps. If you're a licensed user remember to update the DOMinatorPro Extension to the latest one from your dominator downloads page.
By at No comments :
Labels: , , , , ,

Monday, October 8, 2012

Two updates for DOMinatorPro Suite


As some of you already knows DOMinatorPro Suite consists in two parts, one opensource named DOMinatorCore,based on Mozilla Firefox, hosted on GitHub and a commercial, proprietary AddOn named DOMinatorPro Extension.

Before all words and phrases, here's a MacOs screenshot anticipation of the fully updated DOMinatorPro Suite:



Some very interesting new features have been added, I really hope you'll be interested in trying them.
Bottom line: new versions of both pieces of the suite are out and here is the list of changes.

DOMinatorCore 

Product: DOMinatorCore
Date: 06/10/2012
Version: 0.9.6
  • Finally a MacOs version is available for download!Register or go to your DOMinatorPro personal page and download it!
  • A small but significant improvement in taint propagation  about the creation on the fly of objects via JSON or eval result in tainted values or key name.
var TaintedString='{"k1":"V1PATTERN","k2PATTERN":"V2"}';
var newObj = eval('('+TaintedString+')');
//Obj.keys(newObj)[1].tainted & newObj.k1.tainted are now true; 
Object.keys(newObj).map(
    function(a,b) {
     console.log(a,a.tainted,newObj[a],newObj[a].tainted)
    }
  )
Where PATTERN is a customizable RegEx pattern that triggers the creation of Tainted Stored Strings. We'll blog about the so called Tainted Stored Strings in the next days.
Previously, it would have been triggered only the eval alert on the Stored String if the PATTERN matched.

DOMinatorPro Extension

DOMinatorPro Extension on the other hand has important changes.

Product: DOMinatorPro Extension
Date: 06/10/2012
Version: 0.9.1.2

Tainting

  • ResponseText can be now set as tainted according to Stored Taint functionality.
  • Fixed Firefox bug about location.pathname
  • Added checks for uncontrollable inputElements like checkbox or radio buttons.
  • Fixed jQuery double log for some sink
  • jQuery alerts are shown with jQuery version used, since it can make the difference.
  • Improved jQuery tests and noconflict wrap.
  • location.pathname now returns the pathinfo part with ';'.
  • Hidden and unusable input tag values are now exluded from sources (radio buttons, textbox)

Analysis Engine

  • Improved url building algo in the fuzzer.
  • Experimental Regular Expression check for False Negative / False Positives.

User Interface

  • Now DOMinatorPro has a starting page about:dominator.
  • DOMinatorPro Settings UI are now exposed.
  • We are now able to remove selected results from the log.
  • Removed StackTrace Button since it's handled automatically by sink events.

Automation

  • Added first support to selenium.
  • Remote Alerting send Native JSON.

Knowledge base

  • Knowledge base improvements. 

Most of the changes in the code probably should require a blog post and a video. I'll try to cover some of the more interesting parts about them in the next days!

For any question or request feel free to drop us a line at dominator at mindedsecurity dot com.

Ps. Maybe some already registered trial user will complain about the impossibility to download the addon update, you can download the full suite which comes with a version close to the up to date.


By at No comments :
Labels: , , , ,

Thursday, October 4, 2012

OWASP Italy Day 2012: CFP and is open!


Thanks to the collaboration with the University of Rome La Sapienza, we are pleased to announce that the OWASP Italy chapter will host the OWASP Italy Day 2012 conference in Rome, Italy next 23rd November 2012.

Call For Paper is now open:

OWASP solicits contributions on the above topics, or general matters of interest to the community. Those who are interested in participating as speakers to the conference can submit an abstract of the speech to the OWASP-Italy Board by email at: OWASP Italy
The email subject must be "OWASP Italy Day 2012: CFP" and the email body must contains the following information/sections:

- Name and Surname
- Email address
- Telephone number
- Company name and role
- Short biography(max 100 words)
- List of the author's previous papers/articles/speeches on the same topics
- Title of the contribution
- Type of contribution: Technical or Informative
- Abstract
- Why the contribution is relevant for OWASP-Italy Day 2012

Areas of interest: - Mobile Security: testing, developing, threats - Malware Security and Mobile - New researches on Application Security

The submission will be reviewed by the OWASP-Italy Board and the 8-9. most interesting ones will be selected and invited for presentation (30 minutes for slot).

Important dates:

Contributions submission deadline: 30th October 2012

Additional information:

OWASP Speaker Agreement
About OWASP

Official site and more information here.


By at No comments :
Labels: ,
Subscribe to: Posts ( Atom )