Tuesday, 12 September 2017

JavaScript Security Awareness - BlueClosure

1. Introduction


With a biweekly article series we are going to cover as much as possible of the JavaScript security theme. We’ll talk about the possible threats that vulnerable JavaScript code could lead to, the detection techniques and some real scenarios.

The logical line that we will follow starts from the “beginning”, with the simplest exploitation and attack possible, and, building on that, we’ll expand the coverage to increasingly difficult attacks. Along the way we’ll show the main source and sink tainting techniques, covering all the kinds of attacks documented by the OWASP Testing Guide in the Client Side Testing chapter. The purpose of JavaScript Security Awareness is to inform users how easy it is to find vulnerable JavaScript, showing how and when an issue can occur.

Furthermore we want to present an all-new tool, BlueClosure, that can automate the security analysis of JavaScript.

The structure of each article is the following: introduction to a vulnerability (a security issue), explanation and detection of the vulnerability with BlueClosure and, in the end, a real-world scenario where the particular vulnerability we are talking about created a security breach. We have decided to start from DOM XSS because it’s a very important issue (listed in the OWASP Top 10) and XSS is the most prevalent web application security flaw.



1.1 Introduction to DOM Based XSS


DOM Based XSS is an attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner.


That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.

This is in contrast to other XSS attacks (Stored or Reflected), wherein the attack payload is placed in the response page (due to a server side flaw).

In the following OWASP code example, “document.location.href” and “document.write” aren’t malicious in themselves, nor is the rest of the code.

document.location.href and document.write are considered sinks because their behaviour is legitimate, but with a tainted input that behaviour becomes malicious.
Indeed, with the following input it is possible to exploit a DOM XSS:

      http://www.example.tld/page.html?lang=<script>alert(document.cookie)</script>

When the victim clicks on this link, the browser sends a request for:

    /page.html?lang=<script>alert(document.cookie)</script>

to www.example.tld. The server responds with the page containing the above JavaScript code. The browser creates a DOM object for the page, in which the document.location object contains the string:

       http://www.example.tld/page.html?lang=<script>alert(document.cookie)</script> 

The original JavaScript code in the page does not expect the “lang” parameter to contain HTML markup, and as such it simply echoes it into the page (DOM) at runtime.
The browser then renders the resulting page and executes the attacker’s script:

    alert(document.cookie)

Note that the HTTP response sent from the server does not contain the attacker’s payload.
The payload manifests itself in the client-side script at runtime, when a flawed script accesses the DOM variable "document.location" and assumes it is not malicious.
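The flow described above, as an added illustration that is not code from the original post or from BlueClosure: the "lang" parameter is read from a URL like document.location.href, and the markup string that would be handed to document.write() is built both the flawed way and with HTML encoding applied before the sink. The function names and the default language are assumptions made for this example.

```javascript
// Added illustration (not code from the original post or from BlueClosure): the
// DOM XSS pattern from the walkthrough, reduced to pure functions so it runs
// outside a browser. The "lang" query parameter is the source; the markup string
// returned is what the page would hand to document.write() (the sink).

// Extracts the raw "lang" parameter the way the flawed page does: decode and trust it.
function getLangParam(href) {
  const query = href.split('?')[1] || '';
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    const key = eq < 0 ? pair : pair.slice(0, eq);
    if (key === 'lang') return decodeURIComponent(eq < 0 ? '' : pair.slice(eq + 1));
  }
  return 'en'; // assumed default when the parameter is absent
}

// Minimal HTML encoding for text placed between tags (text-node context).
function htmlEncode(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: the tainted value is concatenated into markup unchanged, so any
// HTML in "lang" becomes part of the DOM once document.write() renders it.
function buildOptionUnsafe(href) {
  return '<OPTION value="1">' + getLangParam(href) + '</OPTION>';
}

// HARDENED: the same value is HTML-encoded before reaching the sink, so the
// browser renders the angle brackets as text instead of parsing them as tags.
function buildOptionSafe(href) {
  return '<OPTION value="1">' + htmlEncode(getLangParam(href)) + '</OPTION>';
}

// Detection helper: did a tag the template never contained end up in the markup?
function containsInjectedTag(markup) {
  return /<script/i.test(markup);
}

// Constructed sample: the malicious link from the text above.
const SAMPLE_URL = 'http://www.example.tld/page.html?lang=<script>alert(document.cookie)</script>';
console.log(buildOptionUnsafe(SAMPLE_URL)); // <script> survives intact
console.log(buildOptionSafe(SAMPLE_URL));   // &lt;script&gt; ... rendered as text
```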


2. BlueClosure in Pills (A brief introduction to BC functionalities)


The BlueClosure platform provides the elements needed to execute the JavaScript analysis in real time (that is, while browsing the selected web target) and search for possible vulnerabilities such as HTML Injection, JS Execution, HTTP Parameter Pollution and others.

The main features of BlueClosure are:

  • JS Frameworks support: BlueClosure can analyse any codebase written with JavaScript frameworks like Angular.js, jQuery, Meteor.js, React.js and many more.
  • Realtime Dynamic Data Tainting: BlueClosure uses an advanced JavaScript instrumentation engine to understand the code. By leveraging our proprietary technology the BC engine can inspect any code, no matter how obfuscated it is.
  • Scanning Automation: BlueClosure technology can automatically scan an entire website. This is the fastest way to scan and analyse big enterprise portals with rich JavaScript content, as a tester would with their browser.
  • Near-Zero False Positives: Data Validation and Context Awareness make the dynamic runtime tainting model on strings even more powerful, as it understands whether a client-side vulnerability is actually exploitable.

As mentioned earlier, BlueClosure provides accurate and careful analysis of the code in real time by reporting to the user the possible Findings, which are categorized into Alerts, Warnings and Infos. Through these alerts the user can quickly access the related vulnerability information, tracing in a highly detailed way the steps that led to the identification of the vulnerability.

The following example shows an issue identified by the BlueClosure engine:



As you can see from the image above, BlueClosure indicates the main vulnerability information: the Typology, the Source and finally the Sink (that is, the Taint Propagation) that led to malicious code execution, together with its user-controlled Value (in the described case, the value is HTML data).


The user can access more detailed information by clicking the Link in the vulnerability box, which adds two more boxes.

  • The first box describes the History of the vulnerability: the user-controllable value, whether the vulnerability is Exploitable, whether the data is Encoded / Not Encoded, and, by clicking on Show operations, the list of JavaScript operations that led to the vulnerability execution;
  • The second one, Vulnerable Code, shows the user the part of the malicious code that was executed by exploiting the vulnerability.

The following shows an example of History and Vulnerable Code in relation to the HTML Injection vulnerability described above:
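As an added illustration of what such a History box records (a toy model written for this article, not BlueClosure's engine or its output), the value read from the source carries a taint record, each string operation is logged, and the HTML sink reports Source, Sink, Value, Encoded / Not Encoded, Exploitable and the operation list. The class and function names are invented for this example, and the sample URL is the one from section 1.1.

```javascript
// Added toy taint model (not BlueClosure's engine): a user-controlled value
// carries a taint record through string operations until it reaches a sink,
// which then reports the fields shown in the History box.
class Tainted {
  constructor(value, source) {
    this.value = value;      // the user-controlled value as it currently stands
    this.source = source;    // e.g. 'document.location.href'
    this.encoded = false;    // becomes true once an HTML-encoding step runs
    this.operations = [];    // the "Show operations" list
  }
  // Applies a string operation, logs it and returns a new tainted value.
  apply(name, fn, marksEncoded = false) {
    const next = new Tainted(fn(this.value), this.source);
    next.operations = [...this.operations, name];
    next.encoded = this.encoded || marksEncoded;
    return next;
  }
  substring(start) { return this.apply('substring', (v) => v.substring(start)); }
  decode() { return this.apply('decodeURIComponent', (v) => decodeURIComponent(v)); }
  htmlEncode() {
    const map = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;' };
    return this.apply('htmlEncode', (v) => v.replace(/[<>&"']/g, (c) => map[c]), true);
  }
}

// An HTML-context sink (document.write, innerHTML, ...) turns the taint record
// into a finding shaped like the History box.
function htmlSink(sinkName, tainted) {
  return {
    source: tainted.source,
    sink: sinkName,
    value: tainted.value,
    encoded: tainted.encoded,
    // Exploitable when unencoded, user-controlled markup reaches an HTML sink.
    exploitable: !tainted.encoded && /<[a-z/]/i.test(tainted.value),
    operations: tainted.operations,
  };
}

// Constructed sample flow, following the DOM XSS walkthrough in section 1.1.
const HREF = 'http://www.example.tld/page.html?lang=<script>alert(document.cookie)</script>';
function traceUnsafe() {
  const lang = new Tainted(HREF, 'document.location.href').substring(HREF.indexOf('lang=') + 5).decode();
  return htmlSink('document.write', lang); // Not Encoded, exploitable
}
function traceSafe() {
  const lang = new Tainted(HREF, 'document.location.href').substring(HREF.indexOf('lang=') + 5).decode().htmlEncode();
  return htmlSink('document.write', lang); // Encoded, not exploitable
}
```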



