I was originally planning on going upstairs for the SaaS Security presentation, but I had to come downstairs again to get my lunch and this topic seemed interesting, especially given the prevalence of cross-site scripting in websites (see OWASP Top 10).  The presentation was by Arshan Dabirsiaghi, the director of research at Aspect Security.  He actually began by talking about Clickjacking and said that Jeremiah Grossman and RSnake gave up enough clues for him to figure out the exploit as far as Adobe Flash goes, and that he’d rate the vulnerability a 7/10 in Flash and an overall 10/10.  Example non-weaponized exploit at http://i8jesus.com/stuff/clickjacking/test1.html using iframes and CSS.  Suggested fix is to apply framebreakers to your page.
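As an added illustration of the framebreaker fix (example code written for these notes, not from the talk): the page ships with its body hidden and a script reveals it only when it is the top-level window, otherwise it tries to navigate the framing window to itself. The window stand-ins and the `https://app.example` URL are constructed for the example.

```javascript
// Added example (not from the talk or the original post): a frame-breaker of
// the kind suggested as the clickjacking fix, written against a window-like
// object so the decision logic can be exercised outside a browser.

// True when the page is loaded inside a frame: the top ancestor is not us.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    // Defensive: any failure to inspect the ancestor is treated as "framed".
    return true;
  }
}

// Classic frame-breaker: if framed, navigate the top window to this page.
// Returns true when it attempted to break out, so callers can check it.
function breakOutOfFrame(win) {
  if (!isFramed(win)) return false;
  try {
    win.top.location = win.self.location.href;
  } catch (e) {
    // The framing page may block the navigation; the body stays hidden
    // (see revealIfTopLevel) so there is nothing for a victim to click.
  }
  return true;
}

// Usage in a real page (assumed markup): serve <body style="display:none">
// and only reveal it once we know we are the top window, so a defeated
// frame-breaker still leaves nothing clickable.
function revealIfTopLevel(win, bodyStyle) {
  if (isFramed(win)) {
    breakOutOfFrame(win);
    return false;
  }
  bodyStyle.display = "block";
  return true;
}

// Constructed window stand-ins: a top-level window and a framed one.
function makeWindow(framed) {
  const self = { location: { href: "https://app.example/account" } };
  self.self = self;
  self.top = framed ? { location: {} } : self;
  return self;
}
```

Script frame-breakers are defence in depth only, since the framing page can interfere with them; the header-based controls (X-Frame-Options and the CSP frame-ancestors directive) are the reliable control today.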

Is an XSS worm really a worm?

5 components of a worm:

  • Reconnaissance – “[the worm] has to hunt out other network nodes to infect”
  • Attack – “[components] used to launch an attack against an identified target system”
  • Communication – “nodes in the network can talk to each other”
  • Command – “nodes in the worm network can be issued operation commands”
  • Intelligence – “the worm network needs to know the location of the nodes as well as characteristics about them”

Short answer: 3/5 – probably

How are XSS worms different from traditional?

  1. Infection model – Current model requires user interaction, worm strictly contained within web application, passive and localized, no Warhol worms (15 mins of fame).
  2. Payload capability – Perform any application function (money transfer, close account).  XSSProxy/Attack API.  Malware (yikes)
  3. Target shift – Internet worms can own everything both in front of and behind a firewall (island hopping).
  4. Penetration – Need to trick the user into spreading between sites using a 3rd party proxy.

Traits of Current XSS Worms

  • Static payloads
  • Passive infection strategy
  • Stay on the same domain (don’t say nduja)
  • Uncontrolled growth
  • No command and control

Current Incident Response Options

  • Fix the vulnerability
  • Manual purging – can only be done by experts and doesn’t scale
  • Database snapshot restore – effectively removes all worm data from tainted columns, but forces loss of other application data
  • Search & Destroy – works now.  Tricky in the future, but possible.

Next Gen XSS Worm Reconnaissance: A reconnaissance component will be added to the client side to find more web applications to infect.  Nodes can use HTML5 Workers/Google Gears WorkerPool/<insert tomorrow’s new RIA technology>.  What about SOP?  Old and busted: utilize a 3rd party proxy (à la Jikto, ~2007).  What attackers should be doing now: malware – no SOP!  Next gen hotness: cross-site XHR, XDR, postMessage.  Allows cross-site bidirectional communication.  Servers must opt in, like Flash, so absolutely no security issues there (kidding).

Cross-site communication in HTML5

  • postMessage(): Cross-domain communication based on strings.  What do developers do with strings?  JSON/eval().  SiteA + JSON + SiteB = shared security
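The “SiteA + JSON + SiteB” point, as an added example that is not from the talk or the original post: a postMessage() receiver that treats the string as code, beside a hardened one that checks the sender’s origin, parses rather than evaluates, and allow-lists what a message may contain. The origins and the `setTheme` message shape are assumptions made for the example.

```javascript
// Added example (not from the talk or the original post): two receivers for
// window.addEventListener("message", ...). Origins are constructed values.

const TRUSTED_ORIGIN = "https://siteb.example";   // assumed partner origin

// Unsafe pattern from the slide: the string is executed as code, with no
// check on who sent it. Any page holding a reference to this window can
// now run script in this origin.
function unsafeHandler(event) {
  return eval("(" + event.data + ")");
}

// Hardened receiver. Note that the origin check still makes SiteB's
// security part of SiteA's (an XSS on SiteB sends messages from the
// trusted origin), which is why the content is allow-listed, not trusted.
function safeHandler(event) {
  if (event.origin !== TRUSTED_ORIGIN) {
    return { ok: false, reason: "untrusted origin: " + event.origin };
  }
  let msg;
  try {
    msg = JSON.parse(event.data);          // parse, never eval
  } catch (e) {
    return { ok: false, reason: "payload is not JSON" };
  }
  if (msg === null || typeof msg !== "object" || msg.type !== "setTheme") {
    return { ok: false, reason: "unexpected message type" };
  }
  const allowedThemes = ["light", "dark"]; // positive model for the value
  if (!allowedThemes.includes(msg.theme)) {
    return { ok: false, reason: "theme value not in allow-list" };
  }
  return { ok: true, theme: msg.theme };
}

// Constructed MessageEvent-like objects; in a browser these arrive via the
// "message" event and carry the sender's origin set by the browser.
const fromPartner = { origin: TRUSTED_ORIGIN, data: '{"type":"setTheme","theme":"dark"}' };
const fromStranger = { origin: "https://other.example", data: '{"type":"setTheme","theme":"dark"}' };
const notJson = { origin: TRUSTED_ORIGIN, data: "1 + 1" }; // eval'd as code by unsafeHandler
```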

Staniford, Paxson & Weaver’s Reconnaissance Techniques

  • “hit list scanning”
  • Permutation Scanning
  • Topological Scanning (not without malware, cross-site XHR)

Next Gen XSS Worm Attack: An attack component will be added to the client side.  New client side piece delivered with the reconnaissance piece to attack other off-domain web apps.  85% of websites have XSS (how much is reflected vs stored?).  How likely is it to find a stored XSS in another web app?

Polymorphic JavaScript: JavaScript can be highly mutated.

Next Gen XSS Worm Communication: A communication component will never occur in an XSS worm.  Can’t communicate directly from one victim browser to another victim browser.  “Centralization” in worms is just another word for weakness.

Next Gen XSS Worm Command: A command component will be added to the worm payload.  Communication with the operator is necessary for the command-and-control structure and for data delivery (new target info, source updates, etc.).

  1. Attacker quietly posts signed payloads
  2. Victim creates token
  3. Victim queries Google form token using JSON
  4. Victim finds a signed result
  5. Executes the signed payload

Next Gen XSS Worm Intelligence: An intelligence component will be used after the initial worm stages; it can’t be trusted (adversaries can poison it).  XSS worms probably don’t need this; they typically follow a pattern where in the first 24 hours the worm reaches massive infection through an epic growth rate.  After that, gone and never seen again.

Ways to Prevent Next Gen XSS Worms

  • search+destroying polymorphed JavaScript
  • on demand exploit egress filters: popular sites need agile response techniques
  • OWASP AntiSamy – safe rich input validation.  Uses a positive security model for rich input validation.  High assurance mechanism for stopping XSS (and phishing) attacks
  • utilizing cross-domain workflows: letting the browser SOP protection prevent cookie disclosure + sensitive application information
  • browser content restrictions: Doesn’t make sense in a DOM.  Requires parsers to honor end tag attributes.