Hunting Cross-Site Scripting Attacks in the Network
Elias Athanasopoulos, Antonis Krithinakis, and Evangelos P. Markatos, FORTH-ICS, Greece
Presentation transcript (slides uploaded by aSGuest45922, May 27, 2010; slide footer: xHunter, Elias Athanasopoulos, FORTH-ICS)

xHunter: a tool for the detection of suspicious URLs.

Slide 3: [diagram] a stream of URLs enters xHunter; some of them come out marked SUSPICIOUS.

Motivation

Current status: real incidents related to XSS exploitation are recorded and reported by large IT vendors (Symantec, McAfee); there are no such tools for academia/research.

XSS frequency: how often are web sites targeted with XSS attacks? Are XSS attacks a frequent phenomenon in everyday web traffic?

XSS targets: which web sites are the targets?

XSS orchestration: are there orchestrated XSS campaigns on a world-wide scale?

XSS anatomy (alert(/XSS/);): what do real XSS exploits look like? A recorded example:
http://ucjeps.berkley.edu/cgi-bin/get_consort.pl?sugg=%3Cscript%3Ealert('Xssed By Infam0us')%3C/script%3Eucjeps.berkeley

Operation

Slide 11: [diagram] URLs in, SUSPICIOUS URLs out, as on slide 3.

Assumptions: URLs containing JavaScript are suspicious; a large fraction of XSS is mounted through URLs.

Main idea: identify all URLs that contain JavaScript.

xHunter cannot deal with: iframe injection, Flash parameter pollution, phishing, XCS, CSV, SQL injection.

xHunter can deal with: JavaScript injections (XSS/CSRF).

How is JavaScript spotted? A JavaScript program produces a JavaScript syntax tree of high depth.

xHunter operation: scan a URL for fragments that produce a valid JavaScript syntax tree; mark as suspicious any URL that contains a fragment producing a valid JavaScript syntax tree of high depth.

Slide 18: http://www.economie.gouv.fr/recherche/lance_recherche.php?mot=";alert(document.cookie)//&search_go=ok
The query splits into mot=";alert(document.cookie)// and search_go=ok, i.e. the elements mot, ";alert(document.cookie)//, search_go and ok. Attempt to parse every query element as if it were a JavaScript program.

Slide 19: parse nodes and score of the harmless elements:
  mot         LC: SEMI: NAME:   2
  search_go   LC: SEMI: NAME:   2
  ok          LC: SEMI: NAME:   2

Slide 20: parse nodes and score of the injected element:
  ;alert(document.cookie)//   LC: SEMI: SEMI: LP: NAME: DOT: NAME:   6

How is the score calculated?
  score = SUM(JS_TOKEN[i] * TW[i])
i.e. a weighted sum over the parse nodes, TW[i] being the weight of the node type of node i.

Slide 22: the score of ;alert(document.cookie)// node by node (total 6):
  node   text       weight
  LC                1
  SEMI   ;          1
  SEMI   alert      1
  LP     (          3
  NAME   document   0
  DOT    .          0
  NAME   cookie     0

How are the weights and the threshold calculated? Empirically.

xHunter decision: http://www.economie.gouv.fr/recherche/lance_recherche.php?mot=";alert(document.cookie)//&search_go=ok is SUSPICIOUS.

Challenges

(1) Web application quirks: applications use their own encoding schemes and semantics. Example (XSSed, 64043):
http://www.turktelekom.com.tr/tt/portal/!ut/p/c0/XYzBCoJAFEX_RQhq9Z5aOoEI..RshwIQj/

(2) JavaScript relaxed syntax: almost anything produces a valid syntax tree.

Slide 29: foo;1,2,3,4,5   LC: SEMI: NAME: SEMI: COMMA: NUMBER: NUMBER: NUMBER: NUMBER: NUMBER:   9

Reverse code heuristic: valid JavaScript code does not parse from right to left.

Slide 31: the relaxed-syntax example parses in both directions:
  foo;1,2,3,4,5   LC: SEMI: NAME: SEMI: COMMA: NUMBER: NUMBER: NUMBER: NUMBER: NUMBER:   9
  5,4,3,2,1;oof   LC: SEMI: DOT: STRING:   3

Slide 32: a real exploit does not:
  alert(/XSS/);   LC: SEMI: LP: NAME: OBJECT:   7
  ;)/SSX/(trela   syntax error
  -> SUSPICIOUS

Weighted parse nodes: some JavaScript tokens contribute more.

Slide 34: the two node lists side by side; the benign string yields more parse nodes than the exploit, so counting nodes is not enough and node types must be weighted:
  foo;1,2,3,4,5   LC: SEMI: NAME: SEMI: COMMA: NUMBER: NUMBER: NUMBER: NUMBER: NUMBER:
  alert(/XSS/);   LC: SEMI: LP: NAME: OBJECT:

(3) Exploit isolation: some exploits are partially injected.

Slide 36: the whole parameter value fails to parse, but a fragment of it does:
  ";alert(document.cookie)//   syntax error
  ;alert(document.cookie)//    6

Parse all possible fragments: dramatic performance overhead; xHunter is not an online tool.

Evaluation

Trace 1: XSSed.com, ~11,000 URLs containing XSS.
Trace 2: sensor, ~1K users, 1,000 (sampled) possibly benign URLs.
Trace 1 result: after removing redirections, iframe injections, etc., 268 XSS exploits were marked as clean.
Trace 2 result: 20 benign URLs were marked as suspicious.
Overall: less than 3.2% false negatives, about 2% false positives.

Future Work

xHunter training: use machine learning to teach xHunter which parse nodes contribute more to XSS exploits.
Invent more heuristics: reduce false positives.
Optimizations: make it faster.
Collaboration - Deployment! Run xHunter on your network!

Thank You! Elias Athanasopoulos, FORTH-ICS, elathan@ics.forth.gr
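Worked example of the whole pipeline the talk describes (slides 18 to 37: split the query, try each element and each of its fragments as a JavaScript program, score the parse with weighted node types, discard fragments that also parse backwards, flag the URL above a threshold). This is an added example written for this page, not the xHunter authors' code. It is Node.js because a JavaScript engine supplies the parser for free: the Function constructor compiles a body without executing it, so it serves as the "valid syntax tree" oracle (a production tool would still use a standalone parser library in a sandboxed process). Everything else is an assumption of this example: the node classes come from a small lexer rather than a real parse tree, the weights (LC 1, SEMI 1, LP 3, OBJECT 2, COMMA 1, NUMBER 1, STRING 1, NAME 0, DOT 0) and the threshold of 6 were chosen so that the scores on the slides (2, 6, 9, 7) are reproduced, since the slides only say they were set empirically, and the benign example.com URL is constructed.

```javascript
// Added example, not the xHunter authors' code: the pipeline of slides 18-37 in
// Node.js. V8's parser, reached through the Function constructor (compiles a body
// without running it), decides whether a fragment yields a valid syntax tree.
// Node classes are named as on the slides. The weights are an ASSUMPTION chosen to
// reproduce the scores shown there (mot=2, ;alert(document.cookie)//=6,
// foo;1,2,3,4,5=9, alert(/XSS/);=7); the slides only say they are empirical.
const WEIGHTS = {
  LC: 1,      // the program node itself
  SEMI: 1,    // one per statement, empty statements included
  LP: 3,      // a call: a name or ')' directly followed by '('
  OBJECT: 2,  // a regular-expression literal such as /XSS/
  COMMA: 1,   // one per statement that contains a comma expression
  NUMBER: 1, STRING: 1, NAME: 0, DOT: 0,
};
const THRESHOLD = 6; // assumption as well
// Lexer: drops whitespace and comments, classifies the rest coarsely. It does not
// resolve the regex-vs-division ambiguity that a real parser would.
const TOKEN_RE = /(\s+)|(\/\/[^\n]*|\/\*[\s\S]*?\*\/)|("(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*')|(\/(?:[^\/\\\n]|\\.)+\/[gimsuy]*)|(\d+(?:\.\d+)?)|([A-Za-z_$][\w$]*)|([()\[\]{};,.])|([-+*\/%=<>!&|?:^~]+)|(.)/g;
function tokenize(src) {
  const tokens = [];
  for (const m of src.matchAll(TOKEN_RE)) {
    if (m[1] || m[2]) continue; // whitespace or comment
    const type = m[3] ? 'STRING' : m[4] ? 'OBJECT' : m[5] ? 'NUMBER' : m[6] ? 'NAME'
      : m[7] ? (m[0] === '.' ? 'DOT' : m[0]) : 'OP'; // other punctuators: their own text
    tokens.push({ type, text: m[0] });
  }
  return tokens;
}
// score = SUM(JS_TOKEN[i] * TW[i]) over the node classes above.
function score(src) {
  const tokens = tokenize(src);
  let total = WEIGHTS.LC;
  let open = false, comma = false; // statement in progress / it contains a comma
  const endStatement = () => { total += WEIGHTS.SEMI + (comma ? WEIGHTS.COMMA : 0); open = comma = false; };
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (t.type === ';') { endStatement(); continue; } // also closes an empty statement
    open = true;
    if (t.type === ',') comma = true;
    else if (t.type === '(' && i > 0 && ['NAME', ')'].includes(tokens[i - 1].type)) total += WEIGHTS.LP;
    else if (Object.prototype.hasOwnProperty.call(WEIGHTS, t.type)) total += WEIGHTS[t.type];
  }
  if (open) endStatement(); // trailing statement without ';'
  return total;
}
// Validity oracle: compile only, never execute. Anything but a SyntaxError is a bug.
function parses(src) {
  try { new Function(src); return true; } catch (e) { if (e instanceof SyntaxError) return false; throw e; }
}
// Reverse-code heuristic (slide 30). Comments are stripped first: a fragment ending in
// '//' (commenting out the rest of the page's script) would otherwise reverse into a
// leading comment and trivially "parse".
function reverseParses(src) {
  const text = tokenize(src).map((t) => t.text).join(' ');
  return parses([...text].reverse().join(''));
}
// Exploit isolation (slides 35-37): try every substring, since the injected code is
// usually only part of the value (the leading '"' in mot=";alert(...)// closes the
// application's own string). This quadratic loop is what keeps xHunter off-line.
function bestFragment(text) {
  let best = { score: 0, fragment: null };
  for (let i = 0; i < text.length; i++) {
    for (let j = i + 1; j <= text.length; j++) {
      const frag = text.slice(i, j);
      const s = score(frag);
      if (s <= best.score) continue; // cheap lexical bound before the parse
      if (!parses(frag) || reverseParses(frag)) continue;
      best = { score: s, fragment: frag };
    }
  }
  return best;
}
// Query splitting by hand (slide 18): applications use their own encodings
// (slide 26), so a malformed %-sequence must not abort the scan.
function decodeLoose(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}
function queryElements(url) {
  const q = url.indexOf('?');
  if (q < 0) return [];
  return url.slice(q + 1).split('#')[0].split('&').filter(Boolean).flatMap((pair) => {
    const eq = pair.indexOf('=');
    const parts = eq < 0 ? [pair] : [pair.slice(0, eq), pair.slice(eq + 1)];
    return parts.map(decodeLoose); // parameter names are parsed too (slide 19)
  });
}
function scanUrl(url) {
  let verdict = { url, score: 0, element: null, fragment: null };
  for (const element of queryElements(url)) {
    const best = bestFragment(element);
    if (best.score > verdict.score) verdict = { ...verdict, score: best.score, element, fragment: best.fragment };
  }
  return { ...verdict, suspicious: verdict.score >= THRESHOLD };
}
// The two URLs from the slides plus a constructed benign one.
const SAMPLE_URLS = [
  'http://www.economie.gouv.fr/recherche/lance_recherche.php?mot=";alert(document.cookie)//&search_go=ok',
  "http://ucjeps.berkley.edu/cgi-bin/get_consort.pl?sugg=%3Cscript%3Ealert('Xssed By Infam0us')%3C/script%3Eucjeps.berkeley",
  'http://example.com/search?q=shoes&page=2',
];
SAMPLE_URLS.forEach((url) => console.log(JSON.stringify(scanUrl(url))));
```

Run it with `node xhunter.js` (file name is arbitrary): the economie.gouv.fr URL is flagged with score 6 on the fragment `;alert(document.cookie)`, the Berkeley URL with score 6 on the `alert('...')` call once the percent-encoded `<script>` wrapper has been decoded, and the example.com URL stays clean because every element (`shoes`, `2`, the parameter names) parses just as well backwards. Two details matter in practice. The reverse check has to run on comment-stripped text, otherwise the trailing `//` that real exploits use turns the reversed fragment into one big comment that parses. And the relaxed-syntax example `foo;1,2,3,4,5` is rejected by the reverse heuristic, not by its score of 9, which exceeds the threshold; the score alone, as the slides' "Weighted parse nodes" discussion implies, is not enough.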