Hunting Cross-Site Scripting Attacks in the Network

Slide Note
Embed
Share

Detect suspicious URLs and prevent XSS attacks with xHunter, a tool by Elias Athanasopoulos and team at FORTH-ICS, Greece. Explore the motivation, current status, targets, and orchestration of XSS incidents. Learn about the anatomy of XSS exploits and the operation of xHunter in identifying JavaScript-containing URLs.

brto534
brto534 Follow

Uploaded on Oct 03, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Hunting Cross-Site Scripting Attacks in the Network Elias Athanasopoulos, Antonis Krithinakis, and Evangelos P. Markatos FORTH-ICS, Greece

  2. xHunter a tool for the detection of suspicious URLs xHunter Elias Athanasopoulos, FORTH-ICS 2

  3. URL URL URL URL xHunter URL URL URL URL xHunter Elias Athanasopoulos, FORTH-ICS 3

  4. Motivation xHunter Elias Athanasopoulos, FORTH-ICS 4

  5. Current Status real incidents related to XSS exploitation are recorded and reported by large IT vendors Symantec, McAfee no tools for academia/research xHunter Elias Athanasopoulos, FORTH-ICS 5

  6. XSS frequency how often web sites are targeted with XSS attacks? are XSS attacks a frequent phenomenon in every-day web traffic? xHunter Elias Athanasopoulos, FORTH-ICS 6

  7. XSS targets which web sites are the targets? xHunter Elias Athanasopoulos, FORTH-ICS 7

  8. XSS orchestration are there any orchestrated XSS campaigns in world-wide scale? xHunter Elias Athanasopoulos, FORTH-ICS 8

  9. XSS anatomy alert(/XSS/); how do the real XSS exploits look like? xHunter Elias Athanasopoulos, FORTH-ICS 9

  10. Operation xHunter Elias Athanasopoulos, FORTH-ICS 10

  11. Assumptions URLs containing JavaScript are suspicious a large fraction of XSS is mounted through URLs xHunter Elias Athanasopoulos, FORTH-ICS 12

  12. Main idea identify all URLs that contain JavaScript xHunter Elias Athanasopoulos, FORTH-ICS 13

  13. xHunter cannot deal with iframe injection, Flash parameters pollution, Phishing, XCS, CSV, SQL injection xHunter Elias Athanasopoulos, FORTH-ICS 14

  14. xHunter can deal with JavaScript injections (XSS/CSRF) xHunter Elias Athanasopoulos, FORTH-ICS 15

  15. How JavaScript is spotted? a JavaScript program produces a JavaScript syntax tree of high depth xHunter Elias Athanasopoulos, FORTH-ICS 16

  16. xHunter operation scan a URL for fragments that produce a valid JavaScript syntax tree mark as suspicious any URL that contains a fragment that produces a valid JavaScript syntax tree with a high depth xHunter Elias Athanasopoulos, FORTH-ICS 17

  17. http://www.economie.gouv.fr/recherche/lance_recherche.php?mot=http://www.economie.gouv.fr/recherche/lance_recherche.php?mot= ";alert(document.cookie)//&search_go=ok search_go=ok mot=";alert(document.cookie)// search_go ok mot ";alert(document.cookie)// Attempt to parse every query element as if it was a JavaScript program xHunter Elias Athanasopoulos, FORTH-ICS 18

  18. mot search_go ok LC: SEMI: NAME: LC: SEMI: NAME: LC: SEMI: NAME: 2 2 2 xHunter Elias Athanasopoulos, FORTH-ICS 19

  19. ;alert(document.cookie)// LC: SEMI: SEMI: LP: NAME: DOT: NAME: 6 xHunter Elias Athanasopoulos, FORTH-ICS 20

  20. How is the score calculated? score = SUM(JS_TOKEN[i] * TW[i]) xHunter Elias Athanasopoulos, FORTH-ICS 21

  21. ;alert(document.cookie)// 1 1 1 3 LC: SEMI: ; SEMI: alert LP: ( NAME: document DOT: . NAME: cookie 0 0 0 6 xHunter Elias Athanasopoulos, FORTH-ICS 22

  22. How are the weights and the threshold calculated? empirically xHunter Elias Athanasopoulos, FORTH-ICS 23

  23. xHunter decision http://www.economie.gouv.fr/recherche/lance_ recherche.php? mot=";alert(document.cookie)//&search_go= ok xHunter Elias Athanasopoulos, FORTH-ICS 24

  24. Challenges xHunter Elias Athanasopoulos, FORTH-ICS 25

  25. (1) Web Applications Quirks applications use their own encoding schemes and semantics xHunter Elias Athanasopoulos, FORTH-ICS 26

  26. XSSed, 64043 http://www.turktelekom.com.tr/tt/ portal/!ut/p/c0/XYzBCoJAFEX_RQhq 9Z5aOoEI..RshwIQj/ xHunter Elias Athanasopoulos, FORTH-ICS 27

  27. (2) JavaScript Relaxed Syntax everything produces a valid syntax tree xHunter Elias Athanasopoulos, FORTH-ICS 28

  28. foo;1,2,3,4,5 LC: SEMI: NAME: SEMI: COMMA: NUMBER: NUMBER: NUMBER: NUMBER: NUMBER: 9 xHunter Elias Athanasopoulos, FORTH-ICS 29

  29. Reverse Code Heuristic valid JavaScript code does not parse from right to left xHunter Elias Athanasopoulos, FORTH-ICS 30

  30. foo;1,2,3,4,5 5,4,3,2,1;oof LC: SEMI: NAME: SEMI: COMMA: NUMBER: NUMBER: NUMBER: NUMBER: NUMBER: 9 LC: SEMI: DOT: STRING: 3 xHunter Elias Athanasopoulos, FORTH-ICS 31

  31. alert(/XSS/); ;)/SSX/(trela LC: SEMI: LP: NAME: OBJECT: syntax error 7 xHunter Elias Athanasopoulos, FORTH-ICS 32

  32. Weighted Parse Nodes some JavaScript tokens contribute more xHunter Elias Athanasopoulos, FORTH-ICS 33

  33. foo;1,2,3,4,5 alert(/XSS/); LC: SEMI: NAME: SEMI: COMMA: NUMBER: NUMBER: NUMBER: NUMBER: NUMBER: LC: SEMI: LP: NAME: OBJECT: xHunter Elias Athanasopoulos, FORTH-ICS 34

  34. (3) Exploit Isolation some exploits are partially injected xHunter Elias Athanasopoulos, FORTH-ICS 35

  35. ";alert(document.cookie)// syntax error ;alert(document.cookie)// 6 xHunter Elias Athanasopoulos, FORTH-ICS 36

  36. Parse all possible fragments dramatic performance overhead xHunter is not an on-line tool xHunter Elias Athanasopoulos, FORTH-ICS 37

  37. Evaluation xHunter Elias Athanasopoulos, FORTH-ICS 38

  38. Trace 1: XSSed.com ~11,000 URLs containing XSS xHunter Elias Athanasopoulos, FORTH-ICS 39

  39. Trace 2: sensor ~1K Users 1,000 (sampled) possible benign URLs xHunter Elias Athanasopoulos, FORTH-ICS 40

  40. Trace 1 remove redirections, iframe injections, etc. 268 XSS exploits marked as clean xHunter Elias Athanasopoulos, FORTH-ICS 41

  41. Trace 2 20 benign URLs marked as suspicious xHunter Elias Athanasopoulos, FORTH-ICS 42

  42. Overall less than 3.2% false negatives about 2% false positives xHunter Elias Athanasopoulos, FORTH-ICS 43

  43. Future Work xHunter Elias Athanasopoulos, FORTH-ICS 44

  44. xHunter training use machine learning to teach xHunter which parse nodes contribute more to XSS exploits xHunter Elias Athanasopoulos, FORTH-ICS 45

  45. Invent more heuristics reduce false positives xHunter Elias Athanasopoulos, FORTH-ICS 46

  46. Optimizations make it faster xHunter Elias Athanasopoulos, FORTH-ICS 47

  47. Collaboration - Deployment! run xHunter to your network! xHunter Elias Athanasopoulos, FORTH-ICS 48

  48. Thank You! Elias Athanasopoulos FORTH-ICS elathan@ics.forth.gr xHunter Elias Athanasopoulos, FORTH-ICS 49

Related


Understanding Network Security Vulnerabilities and Attacks

Understanding Network Security Vulnerabilities and Attacks

leyo_5
Investigating Add-On Cross Site Scripting Attacks: Abusing Browser Address Bar

Investigating Add-On Cross Site Scripting Attacks: Abusing Browser Address Bar

bla_c
Understanding Network Denial of Service (DoS) Attacks

Understanding Network Denial of Service (DoS) Attacks

zahra
Types Cyber Attacks: Cyber Security Training Workshop

Types Cyber Attacks: Cyber Security Training Workshop

anara
Understanding Network Interference in CS590B/690B Lecture

Understanding Network Interference in CS590B/690B Lecture

runk_ara
Introduction to Linux Shell Scripting

Introduction to Linux Shell Scripting

mariyah
Comprehensive Guide on XSS Attacks and Defense Strategies

Comprehensive Guide on XSS Attacks and Defense Strategies

analilias
Targeted Deanonymization via the Cache Side Channel: Attacks and Defenses

Targeted Deanonymization via the Cache Side Channel: Attacks and Defenses

jmora
Understanding Network Security Fundamentals and Common Web Application Attacks

Understanding Network Security Fundamentals and Common Web Application Attacks

amalthea
Hunting as a green investment

Hunting as a green investment

giles
Red Cross Shelter Partnership Initiative in Missouri

Red Cross Shelter Partnership Initiative in Missouri

anoo_62
Web Application Vulnerabilities: A Growing Concern

Web Application Vulnerabilities: A Growing Concern

lilliau
Understanding Shell Variables and Scripting in Bash

Understanding Shell Variables and Scripting in Bash

sheikh
Essential Rules and Syntax for Naming and Using Variables in Bash Scripting

Essential Rules and Syntax for Naming and Using Variables in Bash Scripting

burhanud
Introduction to PHP Scripting Language and Operators

Introduction to PHP Scripting Language and Operators

keleigh
Introduction to Scripting Techniques and Process

Introduction to Scripting Techniques and Process

anh_323
Introduction to Scripting Workshop Highlights

Introduction to Scripting Workshop Highlights

hlise
Managing Covid-19 Cyber and Data Protection Risks

Managing Covid-19 Cyber and Data Protection Risks

kaisen
Mitigation of DMA-based Rowhammer Attacks on ARM

Mitigation of DMA-based Rowhammer Attacks on ARM

baylee
Understanding Denial-of-Service Attacks and Defense Strategies

Understanding Denial-of-Service Attacks and Defense Strategies

delphi
Preventing Active Timing Attacks in Low-Latency Anonymous Communication

Preventing Active Timing Attacks in Low-Latency Anonymous Communication

kmike
Strategies to Protect School Systems from Cyber Attacks

Strategies to Protect School Systems from Cyber Attacks

alins
Automated Signature Extraction for High Volume Attacks in Cybersecurity

Automated Signature Extraction for High Volume Attacks in Cybersecurity

klos_k
Monster Hunter Double Cross Review

Monster Hunter Double Cross Review

jburr

More Related Content