Friday, September 24, 2010

DOM Hacking - Paper and Tools

DOM Hacking was presented at BlackHat and going to present at next HackInTheBox. Here is the paper and Tools (DOMScan and DOMTracer). It helps during scanning, assessments and pen-testing. Enjoy!

Paper on DOM Hacking

Download
PDF document from here [BlackHat site]
Presentation slides from here [BlackHat site]


DOMScan (Beta)
DOMScan - Scanning and Analyzing DOM

DOMScan is utility to drive IE and capture real time DOM from the browser. It gives access to active DOM context along with JavaScripts. One can observe the DOM in detail using this utility. It has predefined rules to scan DOM. One can run the scan on existing DOM and fetch interesting entry points and calls. It allows tracing through JavaScript variables as well. Using this utility one can identify following vulnerabilities.

• DOM based XSS
• DOM based vulnerable calls
• Source of abuse and external content loading methods
• Possible DOM logic and business layer calls
• Same Origin Bypass calls and usage
• Mashup usage inside DOM
• Widget Architecture review using the tool

Download

DOMTracer (Beta)
DOMTracer - Firefox Plugin (Trace DOM and JavaScript Calls)

The DOM as seen in all the aforementioned cases needs to be analyzed in many aspects. Run-time analysis of the DOM/JavaScript is vital and aids one to look at the calls made during the ‘dynamic DOM manipulation’. The DOMTracer is a Firefox Extension for this same purpose. It has been written using the standard method of writing extensions using the XUL platform and the JavaScript language in majority. This is in beta and we are working on new features.

Download

Thursday, September 23, 2010

HITB - Malaysia

Training - TT1 – Web 2.0 Hacking – Advanced Attacks and Defense (Ajax, RIA and SOA)

Hacking a Browser’s DOM – Exploiting Ajax and RIA

Web 2.0 applications are using dynamic DOM manipulations extensively for presenting JSON or XML streams in the browser. These DOM calls mixed with XMLHttpRequest (XHR) object are part of client side logic written in JavaScript or part of any other client side technology be it Flash or Silverlight. DOM driven XSS is a sleeping giant in the application code and it can be exploited by an attacker to gain access to the end user’s browser/desktop. This can become a root cause of following set of interesting vulnerabilities – Cross Widget Sniffing, RSS feed reader exploitation, XHR response stealing, Mashup hacking, Malicious code injection, Spreading Worm etc. This set of vulnerability needs innovative way of scanning the application and corresponding methodology needs to be tweaked. We have seen DOM driven XSS exploited in various different popular portals to spread worm or virus. This is a significant threat on the rise and should be mitigated by validating un-trusted content poisoning Ajax or Flash routines. DOM driven XSS, Cross Domain Bypass and CSRF can cause a deadly cocktail to exploit Web 2.0 applications across Internet. This presentation will be covering following important issues and concepts.
* Web 2.0 Architecture and DOM manipulation points
* JavaScript exploits by leveraging DOM
* Cross Domain Bypass and Hacks
* DOM hacking for controlling Widgets and Mashups
* Exploiting Ajax routines to gain feed readers
* Scanning and detecting DOM driven XSS in Web 2.0
* Tools for scanning the DOM calls
* Mitigation strategies for better security posture