Script Fragmentation Attacks
OWASP November 2008
Stephan Chenette, Security Researcher
Websense Security Labs
Agenda

- What
- Web Developer 101
- Web 1.0 versus Web 2.0
- Malicious Web 1.0
- Malicious Web 2.0 + Script Fragmentation
- Possible Solutions




                                             2
What am I talking about today

The success of any exploit depends on some basic
assumptions:

The vulnerable service or application is:
1) Active
2) Accessible

The exploit is:
1) Reliable
2) Undetected


                                                   3
What am I talking about today

This presentation will focus on:

- Evading detection of the exploit

Specifically:

- A new evasion technique to avoid detection of client-side
  web exploitation (browser, ActiveX control, etc. bugs)




                                                              4
Basic Web Developer 101

- HTML
- Browser Document Object Model (DOM)
- JavaScript/JSON
- Remote Requests - XMLHttpRequest (XHR)
- Cross-Domain Requests - XDomainRequest (XDR)

- Available in:
   – Internet Explorer, Firefox
   – Safari, Opera and Konqueror, etc.




                                                  5
Basic HTML document and DOM

HTML:

<html>
    <body>
        <div id="target"></div>
    </body>
</html>

DOM:

<html>
    <body>
        <div id="target"></div>
    </body>
</html>

                                     6
JavaScript can change DOM

<script>
var d = document.getElementById("target");
var n = document.createElement("script");
n.text = "alert('test');";
d.appendChild(n);
</script>




                                             7
New DOM

DOM:

<html>
    <body>
        <div id="target">
            <script>
            alert('test');
            </script>
        </div>
    </body>
</html>



                                   8
Basic HTML document

<html>
    <body>
    </body>
</html>




                      9
JavaScript can execute directly

var text = "alert('test');";
eval(text);




                                  10
DOM stays the same

<html>
    <body>
    </body>
</html>




                     11
The power of scripting

var text = "ale" + "rt(" + "'te" + "st'" + ");";
eval(text);




                                            12
JSON Basics

// JSON text arrives as a string; wrapping it in parentheses makes
// eval parse it as an object literal instead of a statement block
var text = '{ "firstName" : "John", "lastName" : "Doe" }';
var JSONObj = eval("(" + text + ")");

// Outputs John
document.writeln(JSONObj.firstName);

// Outputs Doe
document.writeln(JSONObj.lastName);


                                       13
XHR basics

// handler is a function defined elsewhere in the page
var client = new XMLHttpRequest();
client.onreadystatechange = handler;
client.open("GET", "test.cgi");
client.send();

var client = new XMLHttpRequest();
client.open("POST", "/log");
client.setRequestHeader("Content-Type",
              "text/plain;charset=UTF-8");
client.send(message); // message: the string to post


                                             14
XDR requests (Cross-site requests)

var xdr = new XDomainRequest();
xdr.onload = handler;
xdr.open("GET", "http://test.com/test.cgi");
xdr.send();

var xdr = new XMLHttpRequest();
xdr.onload = handler;
xdr.open("GET", "http://test.com/test.cgi");
xdr.send();




                                          15
Web 1.0 client/server communication



Diagram: Client Browser --GET / HTTP/1.1--> Web Server




                                                  16
Web 2.0 Websites

Client fetching content from multiple Servers
+
Servers receiving content from Client

- Benign JavaScript/XMLHttpRequest technologies:
  – Gadgets
  – Widgets
  – Mashups


- Gmail, orkut, facebook, hi5.com, etc. use JavaScript and
  XMLHttpRequest.


                                                            17
Web 2.0 Websites




Diagram: Client Browser <--> Web Server




                                   18
Web attacks and defense

- Attack trends have shifted over the years. Intruders are
  focusing more prominently on the Web

- Most companies/users don't block HTTP at the firewall




- ALL malicious client-side web attacks are assumed to be
  protected against by desktop or gateway AV/IDS.



                                                             19
HTTP client/server communication



Diagram: Client Browser --GET / HTTP/1.1--> Web Server




                                                  20
Current desktop/gateway protection

- Looking at initial content




                                     21
Current evasion techniques

- Obfuscated JS code




                             22
REGEX for Deobfuscation routine


Obfuscated decoder loop:

for (fubatifi = 0; fubatifi < 1445; fubatifi++)
fepab += String.fromCharCode(mosetib[fubatifi] ^ fedene);

Signature regex:

for\s{0,5}\(\w{0,10}\s{0,5}=\s{0,5}0;\s{0,5}\w{0,10}\s{0,5}<\s{0,5}\d{0,10};\s{0,5}\w{0,10}\+\+\)\s{0,5}\w{0,10}\s{0,5}\+=\s{0,5}String\.fromCharCode\(\w{0,10}\[\w{0,10}\]\s{0,2}\^\s{0,2}\w{0,10}\);




                                                               23
Successful Evasion…

- Malicious content passed over the network has a higher
  chance of evading detection the more indistinguishable it is
  from benign traffic.

- A.K.A. make malicious Web 2.0 traffic look like good Web
  2.0 traffic.




                                                             24
Malicious Web 2.0/Script Fragmentation


- Script
  Active content, e.g. JavaScript, VBScript, etc.

- Fragmentation
  Little chunks of data

Note: The use of AJAX for malicious purposes was mentioned at
Toorcon 2007, but not in the detail I'm about to go into…




                                                           25
Dynamic retrieval of data

<script>
var xmlhttp = new XMLHttpRequest();
xmlhttp.open("GET", "/index.php?q=2+2", true);
xmlhttp.onreadystatechange = function () {
    // asynchronous request: the body is only available once readyState is 4
    if (xmlhttp.readyState == 4) var response = xmlhttp.responseText; // "4"
};
xmlhttp.send(null);
</script>

Diagram: Client Browser --GET /index.php?q=2+2--> Web Server; response "4"


                                                             26
Steps for script fragmentation attack

  1.   Store malicious content on server

  2.   SERVER: Serve client webpage with script fragmentation decoder
       routine.

  3.   CLIENT: Use XMLHttpRequest object to request only a small chunk of
       malicious content from server

  4.   SERVER: Respond with requested chunk of malicious content

  5.   CLIENT: Use a JavaScript variable to save chunks of data and continue to
       use JavaScript and the XMLHttpRequest object to request new chunks of
       data until there is no more data

  6.   CLIENT: Execute resulting code once all data is received


                                                                            27
Steps in action

- Step 1) Store malicious content on server

Diagram: Web Server


                                              28
Steps in action

- Step 2) SERVER: Serve client webpage with script
  fragmentation decoder routine.

Diagram: Web Server --<DECODER>--> Client Browser




                                                           30
Script Fragmentation decoder routine




                                       31
Steps in action

- Step 2) CLIENT: use XMLHttpRequest object to request
  only a small chunk of malicious content from server

Diagram: Client Browser --GET /index.cgi?o=0&rl=3--> Web Server




                                                             32
Steps in action

- Step 3) SERVER: respond with requested chunk of
  malicious content

Diagram: Web Server --"var"--> Client Browser




                                                          33
Steps in action

- Step 4) CLIENT: store chunk and continually request more
  chunks until there is no more data.

Diagram: Client Browser --GET /index.cgi?o=3&rl=3--> Web Server; response " he"

Client state: var text = "var he";




                                                            34
Steps in action

- Step 4) CLIENT: store chunk and continually request more
  chunks until there is no more data.

Diagram: Client Browser --GET /index.cgi?o=6&rl=3--> Web Server; response "apS"

Client state: var text = "var heapS";




                                                            35
Steps in action

- Step 4) CLIENT: store chunk and continually request more
  chunks until there is no more data.

Diagram: Client Browser --GET /index.cgi?o=9&rl=3--> Web Server; response "pra"

Client state: var text = "var heapSpra";




                                                            36
Steps in action

- Step 4) CLIENT: store chunk and continually request more
  chunks until there is no more data.

Diagram: Client Browser --GET /index.cgi?o=12&rl=3--> Web Server; response "yTo "

Client state: var text = "var heapSprayTo";




                                                             37
Steps in action

- Step 5) CLIENT: execute resulting code once all data is
  received.

Client Browser:

// Method 1
eval(text);

// Method 2
var div = document.getElementById('target');
var n = document.createElement("script");
n.text = text;
div.appendChild(n);



                                                                       38
The possibilities

Beyond the basic script fragmentation attacks:

- Randomize sequence of offsets
- XOR/encrypt data
- Spread data across multiple web servers (botnet) (XDR)
- In memory, keep string encrypted until the last minute




                                                           39
Options for data transfer

XMLHttpRequest is the object used to make dynamic remote
HTTP requests, but there are multiple data formats that may
be used for data transfer:

- RAW
- XML
- JSON
- etc.




                                                             40
RAW data format



Diagram: Client Browser --GET /index.cgi?o=0&rl=3&u=guid--> Web Server; response "var"




                                                          41
XML data format



Diagram: Client Browser --GET /index.cgi?o=0&rl=3--> Web Server; response <Data eof="0" text="var" />




                                                              42
JSON data format



Diagram: Client Browser --GET /index.cgi?o=0&rl=3--> Web Server

Server response:
{
    eof : "0",
    text : "var"
}

Client:
// S = server response
var data = eval("(" + S + ")");
var text = data.text;


                                                             43
Flawlessly works on all major browsers

- Proof of concept (POC) exploited within 10-20s




                                                   44
AV won’t detect Script Fragmentations

- Initial page will hold decoder routine in script tag and then
  blank body.
- The file on disk will never change
- DOM in memory will never change



NO SUBSTANTIAL CONTENT
TO SCAN AS MALICIOUS!




                                                                  45
HTML file on disk

- File on disk is the same before and after
- C:\Documents and Settings\<USER>\Local Settings\Temporary Internet Files




                                              46
Victory!

- Script Fragmentation is a very successful evasion attack
  that current desktop and gateway AV do not detect.




                                                             47
Ending remarks

- Reality: This attack is still a few years away

- We haven't seen this in the wild

- Possible Reasons: Dealing with scripting and obfuscation
  are still the biggest problems




                                                             48
Possible solutions

- Detecting the decoder routine
- Detecting network anomalies
- Using a “feedback loop” and executing in remote location.
- Disallow execution of content that comes from
  XMLHttpRequest, hard to implement and would break
  functionality – so no go.
- Post-detection
- Hooking Browser internals
- Install security add-ons
   – NoScript, Flashblock, SafeHistory, Adblock Plus,
     LocalRodeo, CustomizeGoogle, etc.



                                                              49
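As an added, gateway-side example (not code from the slides), the following Python shows what "detecting network anomalies" can look like for the chunk protocol of slides 32-37 and the RAW/JSON formats of slides 41 and 43: it groups offset-addressed pulls per client and endpoint, reassembles them, and only then applies the slide 23 signature, which never matches a 3-byte chunk on its own. The proxy log records, client addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Slide 23's signature, with its regex escapes written out.
DECODER_LOOP_RE = re.compile(
    r"for\s{0,5}\(\w{0,10}\s{0,5}=\s{0,5}0;\s{0,5}\w{0,10}\s{0,5}<\s{0,5}\d{0,10};"
    r"\s{0,5}\w{0,10}\+\+\)\s{0,5}\w{0,10}\s{0,5}\+=\s{0,5}"
    r"String\.fromCharCode\(\w{0,10}\[\w{0,10}\]\s{0,2}\^\s{0,2}\w{0,10}\);"
)
# The obfuscated loop from slide 23, used here as the payload being fragmented.
DECODER_LOOP = (
    "for (fubatifi = 0; fubatifi < 1445; fubatifi++)\n"
    "fepab += String.fromCharCode(mosetib[fubatifi] ^ fedene);"
)
# The non-strict JSON wrapper of slide 43: { eof : "0", text : "var" }
JSON_TEXT_RE = re.compile(r'text\s*:\s*"((?:[^"\\]|\\.)*)"')


def fragment(script, size=3):
    """Split a script into fixed-size chunks (3 bytes, as on slides 32-37)."""
    return [script[i:i + size] for i in range(0, len(script), size)]


def build_records(client, script, size=3, fmt="raw"):
    """Constructed proxy log: (client, request_path, response_body) per chunk."""
    records = []
    for i, chunk in enumerate(fragment(script, size)):
        body = chunk if fmt == "raw" else '{ eof : "0", text : "%s" }' % chunk
        records.append((client, "/index.cgi?o=%d&rl=%d" % (i * size, size), body))
    return records


def payload_text(body):
    """Unwrap the RAW (slide 41) or JSON (slide 43) transfer format."""
    if body.lstrip().startswith("{"):
        m = JSON_TEXT_RE.search(body)
        return m.group(1) if m else ""
    return body


class FragmentSession:
    """Chunks one client pulled from one endpoint, keyed by byte offset."""

    def __init__(self):
        self.chunks = {}

    def add(self, offset, body):
        self.chunks[offset] = payload_text(body)

    def contiguous(self):
        """True when the offsets tile the buffer with no gaps or overlaps."""
        expected = 0
        for offset in sorted(self.chunks):
            if offset != expected:
                return False
            expected = offset + len(self.chunks[offset])
        return True

    def reassemble(self):
        return "".join(self.chunks[o] for o in sorted(self.chunks))

    def looks_fragmented(self, min_requests=8, max_chunk=16):
        """Many small, contiguous, offset-addressed pulls from one endpoint
        (thresholds are illustrative, not tuned values)."""
        return (len(self.chunks) >= min_requests
                and max(len(c) for c in self.chunks.values()) <= max_chunk
                and self.contiguous())


def analyze(records):
    """Return (client, path, reassembled_text, signature_hit) per flagged session."""
    sessions = defaultdict(FragmentSession)
    for client, path, body in records:
        parts = urlsplit(path)
        qs = parse_qs(parts.query)
        if "o" not in qs or "rl" not in qs:
            continue  # not an offset/length style pull; ordinary XHR traffic
        sessions[(client, parts.path)].add(int(qs["o"][0]), body)
    findings = []
    for (client, path), s in sessions.items():
        if s.looks_fragmented():
            text = s.reassemble()
            findings.append((client, path, text, DECODER_LOOP_RE.search(text) is not None))
    return findings


def chunkwise_hits(script, size=3):
    """How many individual chunks the slide 23 signature matches on its own."""
    return sum(1 for c in fragment(script, size) if DECODER_LOOP_RE.search(c))


if __name__ == "__main__":
    log = build_records("10.0.0.5", DECODER_LOOP)               # RAW format
    log += build_records("10.0.0.6", DECODER_LOOP, fmt="json")  # JSON format
    log += [("10.0.0.7", "/index.php?q=2+2", "4")]              # slide 26 XHR
    print("signature hits per chunk:", chunkwise_hits(DECODER_LOOP))
    for client, path, text, hit in analyze(log):
        print(client, path, "reassembled", len(text), "bytes; signature hit =", hit)
```

Scanning each response as it passes ("looking at initial content") gives zero hits; the same signature fires once the session buffer is reassembled.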
Thank you.

- Any questions?

Stephan Chenette, Websense Security Labs
schenette@websense.com

- Check out our website and blogs
  http://securitylabs.websense.com/content/blogs.aspx
  http://securitylabs.websense.com/




                                                        50

More Related Content

What's hot

Appsec DC - wXf -2010
Appsec DC - wXf  -2010Appsec DC - wXf  -2010
Appsec DC - wXf -2010Chris Gates
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...RootedCON
 
Hacking intranet websites
Hacking intranet websitesHacking intranet websites
Hacking intranet websitesshehab najjar
 
WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017Alexander Polce Leary
 
Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Alexander Polce Leary
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?snyff
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePassWill Schroeder
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł MaziarzPROIDEA
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés RianchoCODE BLUE
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkChris Gates
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicJaime Blasco
 
JWT: jku x5u
JWT: jku x5uJWT: jku x5u
JWT: jku x5usnyff
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF qualssnyff
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirusCsaba Fitzl
 

What's hot (20)

Appsec DC - wXf -2010
Appsec DC - wXf  -2010Appsec DC - wXf  -2010
Appsec DC - wXf -2010
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
 
Hacking intranet websites
Hacking intranet websitesHacking intranet websites
Hacking intranet websites
 
WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017
 
Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit Framework
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_public
 
JWT: jku x5u
JWT: jku x5uJWT: jku x5u
JWT: jku x5u
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF quals
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirus
 

Similar to Script Fragmentation - Stephan Chenette - OWASP/RSA 2008

Hidden-Web Induced by Client-Side Scripting: An Empirical Study
Hidden-Web Induced by Client-Side Scripting: An Empirical StudyHidden-Web Induced by Client-Side Scripting: An Empirical Study
Hidden-Web Induced by Client-Side Scripting: An Empirical StudySALT Lab @ UBC
 
Http requesting smuggling
Http requesting smugglingHttp requesting smuggling
Http requesting smugglingApijay Kumar
 
Http requesting smuggling
Http requesting smugglingHttp requesting smuggling
Http requesting smugglingApijay Kumar
 
Developing Revolutionary Web Applications using Comet and Ajax Push
Developing Revolutionary Web Applications using Comet and Ajax PushDeveloping Revolutionary Web Applications using Comet and Ajax Push
Developing Revolutionary Web Applications using Comet and Ajax PushDoris Chen
 
Web Services PHP Tutorial
Web Services PHP TutorialWeb Services PHP Tutorial
Web Services PHP TutorialLorna Mitchell
 
25 Million Flows Later – Large-scale Detection of DOM-based XSS
25 Million Flows Later – Large-scale Detection of DOM-based XSS25 Million Flows Later – Large-scale Detection of DOM-based XSS
25 Million Flows Later – Large-scale Detection of DOM-based XSSBen Stock
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterMichael Coates
 
Comet from JavaOne 2008
Comet from JavaOne 2008Comet from JavaOne 2008
Comet from JavaOne 2008Joe Walker
 
Groovy & Grails eXchange 2012 vert.x presentation
Groovy & Grails eXchange 2012 vert.x presentationGroovy & Grails eXchange 2012 vert.x presentation
Groovy & Grails eXchange 2012 vert.x presentationStuart (Pid) Williams
 
AJAX: How to Divert Threats
AJAX:  How to Divert ThreatsAJAX:  How to Divert Threats
AJAX: How to Divert ThreatsCenzic
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
Week 05 Web, App and Javascript_Brandon, S.H. Wu
Week 05 Web, App and Javascript_Brandon, S.H. WuWeek 05 Web, App and Javascript_Brandon, S.H. Wu
Week 05 Web, App and Javascript_Brandon, S.H. WuAppUniverz Org
 
Notes on SF W3Conf
Notes on SF W3ConfNotes on SF W3Conf
Notes on SF W3ConfEdy Dawson
 
Android lessons you won't learn in school
Android lessons you won't learn in schoolAndroid lessons you won't learn in school
Android lessons you won't learn in schoolMichael Galpin
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
 
Disrupting the application eco system with progressive web applications
Disrupting the application eco system with progressive web applicationsDisrupting the application eco system with progressive web applications
Disrupting the application eco system with progressive web applicationsChris Love
 
Comunicando nuestras apps con el mundo exterior
Comunicando nuestras apps con el mundo exteriorComunicando nuestras apps con el mundo exterior
Comunicando nuestras apps con el mundo exteriorRoberto Luis Bisbé
 
Building dynamic applications with the share point client object model
Building dynamic applications with the share point client object modelBuilding dynamic applications with the share point client object model
Building dynamic applications with the share point client object modelEric Shupps
 
Yogesh kumar kushwah represent’s
Yogesh kumar kushwah represent’sYogesh kumar kushwah represent’s
Yogesh kumar kushwah represent’sYogesh Kushwah
 

Similar to Script Fragmentation - Stephan Chenette - OWASP/RSA 2008 (20)

Hidden-Web Induced by Client-Side Scripting: An Empirical Study
Hidden-Web Induced by Client-Side Scripting: An Empirical StudyHidden-Web Induced by Client-Side Scripting: An Empirical Study
Hidden-Web Induced by Client-Side Scripting: An Empirical Study
 
Http requesting smuggling
Http requesting smugglingHttp requesting smuggling
Http requesting smuggling
 
Http requesting smuggling
Http requesting smugglingHttp requesting smuggling
Http requesting smuggling
 
Developing Revolutionary Web Applications using Comet and Ajax Push
Developing Revolutionary Web Applications using Comet and Ajax PushDeveloping Revolutionary Web Applications using Comet and Ajax Push
Developing Revolutionary Web Applications using Comet and Ajax Push
 
Web Services PHP Tutorial
Web Services PHP TutorialWeb Services PHP Tutorial
Web Services PHP Tutorial
 
25 Million Flows Later – Large-scale Detection of DOM-based XSS
25 Million Flows Later – Large-scale Detection of DOM-based XSS25 Million Flows Later – Large-scale Detection of DOM-based XSS
25 Million Flows Later – Large-scale Detection of DOM-based XSS
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
Comet from JavaOne 2008
Comet from JavaOne 2008Comet from JavaOne 2008
Comet from JavaOne 2008
 
Groovy & Grails eXchange 2012 vert.x presentation
Groovy & Grails eXchange 2012 vert.x presentationGroovy & Grails eXchange 2012 vert.x presentation
Groovy & Grails eXchange 2012 vert.x presentation
 
AJAX: How to Divert Threats
AJAX:  How to Divert ThreatsAJAX:  How to Divert Threats
AJAX: How to Divert Threats
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Week 05 Web, App and Javascript_Brandon, S.H. Wu
Week 05 Web, App and Javascript_Brandon, S.H. WuWeek 05 Web, App and Javascript_Brandon, S.H. Wu
Week 05 Web, App and Javascript_Brandon, S.H. Wu
 
Notes on SF W3Conf
Notes on SF W3ConfNotes on SF W3Conf
Notes on SF W3Conf
 
Android lessons you won't learn in school
Android lessons you won't learn in schoolAndroid lessons you won't learn in school
Android lessons you won't learn in school
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
 
Disrupting the application eco system with progressive web applications
Disrupting the application eco system with progressive web applicationsDisrupting the application eco system with progressive web applications
Disrupting the application eco system with progressive web applications
 
Comunicando nuestras apps con el mundo exterior
Comunicando nuestras apps con el mundo exteriorComunicando nuestras apps con el mundo exterior
Comunicando nuestras apps con el mundo exterior
 
Building dynamic applications with the share point client object model
Building dynamic applications with the share point client object modelBuilding dynamic applications with the share point client object model
Building dynamic applications with the share point client object model
 
Yogesh kumar kushwah represent’s
Yogesh kumar kushwah represent’sYogesh kumar kushwah represent’s
Yogesh kumar kushwah represent’s
 

More from Stephan Chenette

2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseStephan Chenette
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware GenerationStephan Chenette
 
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Stephan Chenette
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Stephan Chenette
 
Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008Stephan Chenette
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Stephan Chenette
 

More from Stephan Chenette (9)

Landing on Jupyter
Landing on JupyterLanding on Jupyter
Landing on Jupyter
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive Defense
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
 
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 

Script Fragmentation - Stephan Chenette - OWASP/RSA 2008

  • 1. Script Fragmentation Attacks
    OWASP November 2008
    Stephan Chenette, Security Researcher
    Websense Security Labs

  • 2. Agenda
     What
     Web Developer 101
     Web 1.0 versus Web 2.0
     Malicious Web 1.0
     Malicious Web 2.0 + Script Fragmentation
     Possible Solutions

  • 3. What am I talking about today
    The success of any exploit depends on some basic assumptions:
    The vulnerable service or application is:
    1) Active
    2) Accessible
    The exploit is:
    1) Reliable
    2) Undetected

  • 4. What am I talking about today
    This presentation will focus on:
     Evading detection of the exploit
    Specifically:
     A new evasion technique to avoid detection of client-side web exploitation (Browser, ActiveX control, etc. bugs)

  • 5. Basic Web Developer 101
     HTML
     Browser Document Object Model (DOM)
     JavaScript/JSON
     Remote Requests - XMLHttpRequest (XHR)
     Cross-Domain Requests - XDomainRequest (XDR)
     Available in:
       – Internet Explorer, Firefox
       – Safari, Opera and Konqueror, etc.

  • 6. Basic HTML document and DOM
    HTML:
    <html>
        <body>
            <div id="target" />
        </body>
    </html>
    DOM:
    <html>
        <body>
            <div id="target" />
        </body>
    </html>

  • 7. JavaScript can change DOM
    <script>
    var d = document.getElementById("target");
    var n = document.createElement("script");
    n.text = "alert('test');";
    d.appendChild(n);
    </script>

  • 8. New DOM
    <html>
        <body>
            <div id="target">
                <script>
                alert('test');
                </script>
            </div>
        </body>
    </html>

  • 9. Basic HTML document
    <html>
        <body>
        </body>
    </html>

  • 10. JavaScript can execute directly
    var text = "alert('test');";
    eval(text);

  • 11. DOM stays the same
    <html>
        <body>
        </body>
    </html>

  • 12. The power of scripting
    var text = "ale" + "rt(" + "'te" + "st'" + ");";
    eval(text);

  • 13. JSON Basics
    var text = { "firstName" : "John", "lastName" : "Doe" };
    var JSONObj = eval(text);
    // Outputs John
    document.writeln(JSONObj.firstName);
    // Outputs Doe
    document.writeln(JSONObj.lastName);

  • 14. XHR basics
    var client = new XMLHttpRequest();
    client.onreadystatechange = handler;
    client.open("GET", "test.cgi");
    client.send();

    var client = new XMLHttpRequest();
    client.open("POST", "/log");
    client.setRequestHeader("Content-Type", "text/plain;charset=UTF-8");
    client.send(message);

  • 15. XDR requests (Cross-site requests)
    var xdr = new XDomainRequest();
    xdr.onload = handler;
    xdr.open("GET", "http://test.com/test.cgi");
    xdr.send();

    var xdr = new XMLHttpRequest();
    xdr.onload = handler;
    xdr.open("GET", "http://test.com/test.cgi");
    xdr.send();

  • 16. Web 1.0 client/server communication
    Client Browser  --GET / HTTP/1.1-->  Web Server

  • 17. Web 2.0 Websites
    Client fetching content from multiple Servers + Servers receiving content from Client
     Benign JavaScript/XMLHttpRequest technologies:
       – Gadgets
       – Widgets
       – Mashups
     Gmail, orkut, facebook, hi5.com, etc. use JavaScript and XMLHttpRequest.

  • 18. Web 2.0 Websites
    Client Browser  <-->  Web Server (many servers, both directions)

  • 19. Web attacks and defense
     Attack trends have shifted over the years. Intruders are focusing more prominently on the Web
     Most companies/users don't block HTTP at the firewall
     ALL malicious client-side web attacks are assumed to be protected against by desktop or gateway AV/IDS.

  • 20. HTTP client/server communication
    Client Browser  --GET / HTTP/1.1-->  Web Server

  • 21. Current desktop/gateway protection
     Looking at initial content

  • 22. Current evasion techniques
     Obfuscated JS code
  • 23. REGEX for Deobfuscation routine
    for (fubatifi = 0; fubatifi < 1445; fubatifi++)
        fepab += String.fromCharCode(mosetib[fubatifi] ^ fedene);

    for\s{0,5}\(\w{0,10}\s{0,5}=\s{0,5}0;\s{0,5}\w{0,10}\s{0,5}<\s{0,5}\d{0,10};\s{0,5}\w{0,10}\+\+\)\s{0,5}\w{0,10}\s{0,5}\+=\s{0,5}String\.fromCharCode\(\w{0,10}\[\w{0,10}\]\s{0,2}\^\s{0,2}\w{0,10}\);
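Worked example, added here and not part of the slides: the slide's signature applied in Python. The backslash escapes are restored on the assumption that the original used \s, \w and \d; the second, looser pattern and the renamed sample are constructed for this example to show where a signature with fixed identifier bounds stops matching while the same loop is still there.

```python
import re

# Regex from slide 23 with the escapes the extraction dropped restored
# (assumption: the slide used \s, \w and \d; this is the valid-regex reading of it).
XOR_LOOP_SIGNATURE = re.compile(
    r"for\s{0,5}\(\w{0,10}\s{0,5}=\s{0,5}0;\s{0,5}\w{0,10}\s{0,5}<\s{0,5}\d{0,10};"
    r"\s{0,5}\w{0,10}\+\+\)\s{0,5}\w{0,10}\s{0,5}\+=\s{0,5}"
    r"String\.fromCharCode\(\w{0,10}\[\w{0,10}\]\s{0,2}\^\s{0,2}\w{0,10}\);"
)

# Looser generalisation (not on the slide): any identifier length, any amount of
# whitespace, an optional opening brace, and the index variable required to be
# the same in all three places; named groups report what the loop decodes.
XOR_LOOP_LOOSE = re.compile(
    r"for\s*\(\s*(?P<idx>\w+)\s*=\s*0\s*;\s*(?P=idx)\s*<\s*(?P<len>\d+)\s*;"
    r"\s*(?P=idx)\s*\+\+\s*\)\s*\{?\s*(?P<out>\w+)\s*\+=\s*String\.fromCharCode\("
    r"\s*(?P<buf>\w+)\s*\[\s*(?P=idx)\s*\]\s*\^\s*(?P<key>\w+)\s*\)"
)


def find_xor_decoders(script, loose=False):
    """Return one dict per XOR-decode loop found in `script`.

    loose=False applies the slide's exact signature; loose=True applies the
    generalised pattern and also returns the captured variable names.
    """
    pattern = XOR_LOOP_LOOSE if loose else XOR_LOOP_SIGNATURE
    hits = []
    for m in pattern.finditer(script):
        hit = {"text": m.group(0), "start": m.start()}
        if loose:
            hit.update(m.groupdict())
            hit["len"] = int(hit["len"])
        hits.append(hit)
    return hits


# Sample inputs. The first is the loop shown on slide 23; the other two are
# constructed for this example.
SLIDE_SAMPLE = (
    "for (fubatifi = 0; fubatifi < 1445; fubatifi++) "
    "fepab += String.fromCharCode(mosetib[fubatifi] ^ fedene);"
)
BENIGN_SAMPLE = "for (i = 0; i < 10; i++) total += i;"
# The same decoder with a 21-character loop variable and braces: the slide's
# signature caps identifiers at \w{0,10}, so it no longer matches.
RENAMED_SAMPLE = (
    "for (aVeryLongVariableName = 0; aVeryLongVariableName < 1445; "
    "aVeryLongVariableName++) { out += String.fromCharCode(buf[aVeryLongVariableName] ^ key); }"
)

if __name__ == "__main__":
    for name, sample in [("slide", SLIDE_SAMPLE), ("benign", BENIGN_SAMPLE), ("renamed", RENAMED_SAMPLE)]:
        strict_hits = find_xor_decoders(sample)
        loose_hits = find_xor_decoders(sample, loose=True)
        print(f"{name:8s} strict={len(strict_hits)} loose={len(loose_hits)}",
              loose_hits[0] if loose_hits else "")
```

The strict pattern finds the slide's loop and nothing in the benign loop, but misses the renamed copy; the loose pattern finds both decoders and still ignores the benign loop. That gap is the point of slides 48 and 49: a signature tied to a fixed shape is cheap to maintain but brittle, so it is paired with network-level and execution-based checks rather than relied on alone.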
  • 24. Successful Evasion…
     Passing malicious content over the network has a higher chance of evading detection the more indistinguishable it is from benign traffic.
     A.K.A. make malicious web 2.0 traffic look like good web 2.0 traffic.

  • 25. Malicious Web 2.0/Script Fragmentation
     Script: active content, e.g. JavaScript, VBScript, etc.
     Fragmentation: little chunks of data
    Note: The use of AJAX for malicious use was mentioned at Toorcon 2007, but not in the detail I'm about to go in…

  • 26. Dynamic retrieval of data
    <script>
    xmlhttp.open("GET", "/index.php?q=2+2", false);  // synchronous, so responseText is ready after send()
    xmlhttp.send();
    var response = xmlhttp.responseText;
    </script>
    Client Browser  --GET /index.php?q=2+2-->  Web Server
    Client Browser  <--"4"--  Web Server

  • 27. Steps for script fragmentation attack
    1. Store malicious content on server
    2. SERVER: Serve client webpage with script fragmentation decoder routine.
    3. CLIENT: Use XMLHttpRequest object to request only a small chunk of malicious content from server
    4. SERVER: Respond with requested chunk of malicious content
    5. CLIENT: Use a JavaScript variable to save chunks of data and continue to use JavaScript and the XMLHttpRequest object to request new chunks of data until there is no more data
    6. CLIENT: Execute resulting code once all data is received

  • 28. Steps in action
     Step 1) Store malicious content on server
    [Web Server]

  • 29. Steps in action
     Step 1) Store malicious content on server
    [Web Server]

  • 30. Steps in action
     Step 2) SERVER: Serve client webpage with script fragmentation decoder routine.
    Client Browser  <--<DECODER>--  Web Server

  • 32. Steps in action
     Step 2) CLIENT: use XMLHttpRequest object to request only a small chunk of malicious content from server
    Client Browser  --GET /index.cgi?o=0&rl=3-->  Web Server

  • 33. Steps in action
     Step 3) SERVER: respond with requested chunk of malicious content
    Client Browser  <--"var"--  Web Server

  • 34. Steps in action
     Step 4) CLIENT: store chunk and continually request more chunks until there is no more data.
    Client Browser  --GET /index.cgi?o=3&rl=3-->  Web Server
    Client Browser  <--" he"--  Web Server
    var text = "var he";

  • 35. Steps in action
     Step 4) CLIENT: store chunk and continually request more chunks until there is no more data.
    Client Browser  --GET /index.cgi?o=6&rl=3-->  Web Server
    Client Browser  <--"apS"--  Web Server
    var text = "var heapS";

  • 36. Steps in action
     Step 4) CLIENT: store chunk and continually request more chunks until there is no more data.
    Client Browser  --GET /index.cgi?o=9&rl=3-->  Web Server
    Client Browser  <--"pra"--  Web Server
    var text = "var heapSpra";

  • 37. Steps in action
     Step 4) CLIENT: store chunk and continually request more chunks until there is no more data.
    Client Browser  --GET /index.cgi?o=12&rl=3-->  Web Server
    Client Browser  <--"yTo"--  Web Server
    var text = "var heapSprayTo";

  • 38. Steps in action
     Step 5) CLIENT: execute resulting code once all data is received.
    // Method 1
    eval(text);

    // Method 2
    var div = document.getElementById('target');
    var n = document.createElement("script");
    n.text = text;
    div.appendChild(n);

  • 39. The possibilities
    Beyond the basic script fragmentation attacks:
     Randomize sequence of offsets
     xor/encrypt data
     Spread data across multiple web servers (botnet) (XDR)
     In memory, keep the string encrypted until the last minute

  • 40. Options for data transfer
    XMLHttpRequest is the object used to make dynamic remote HTTP requests, but there are multiple data formats that may be used for data transfer:
     RAW
     XML
     JSON
     etc.…

  • 41. RAW data format
    Client Browser  --GET /index.cgi?o=0&rl=3&u=guid-->  Web Server
    Client Browser  <--"var"--  Web Server

  • 42. XML data format
    Client Browser  --GET /index.cgi?o=0&rl=3-->  Web Server
    Client Browser  <--<Data eof="0" text="var" />--  Web Server

  • 43. JSON data format
    Client Browser  --GET /index.cgi?o=0&rl=3-->  Web Server
    Client Browser  <--{ eof : "0", text : "var" }--  Web Server
    // S = server response; the parentheses make eval parse it as an object literal, not a block
    var data = eval("(" + S + ")");
    var text = data.text;
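Worked example for the request sequence of slides 32-37, the offset randomization of slide 39 and the three chunk formats of slides 41-43, written from the gateway's side (the "detecting network anomalies" and "feedback loop" ideas of slide 49). This is added code, not from the slides: it groups proxy records per client and endpoint, rebuilds each buffer by offset so random request order does not matter, and flags streams that look like one buffer pulled down as many small contiguous pieces. The proxy records, hostnames and thresholds are constructed for this example.

```python
import json
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed proxy records: (client IP, method, URL, response body). Stream one
# mirrors slides 32-37 (RAW format, in order); stream two is JSON format with the
# offsets requested out of order (slide 39); stream three is XML format and too
# short to be flagged. The search request is ordinary traffic with no fragment
# parameters. None of this is real traffic.
RECORDS = [
    ("10.0.0.5", "GET", "http://example.test/index.cgi?o=0&rl=3", "var"),
    ("10.0.0.5", "GET", "http://example.test/api/search?q=news", '{"results": []}'),
    ("10.0.0.5", "GET", "http://example.test/index.cgi?o=3&rl=3", " he"),
    ("10.0.0.5", "GET", "http://example.test/index.cgi?o=6&rl=3", "apS"),
    ("10.0.0.5", "GET", "http://example.test/index.cgi?o=9&rl=3", "pra"),
    ("10.0.0.5", "GET", "http://example.test/index.cgi?o=12&rl=3", "yTo"),
    ("10.0.0.7", "GET", "http://other.test/frag.cgi?o=6&rl=3", '{"eof": "1", "text": "apS"}'),
    ("10.0.0.7", "GET", "http://other.test/frag.cgi?o=0&rl=3", '{"eof": "0", "text": "var"}'),
    ("10.0.0.7", "GET", "http://other.test/frag.cgi?o=3&rl=3", '{"eof": "0", "text": " he"}'),
    ("10.0.0.9", "GET", "http://third.test/d.cgi?o=0&rl=4&u=guid", '<Data eof="0" text="var " />'),
    ("10.0.0.9", "GET", "http://third.test/d.cgi?o=4&rl=4&u=guid", '<Data eof="1" text="heap" />'),
]


def parse_fragment_request(url):
    """Return (stream, offset, length) when the URL carries o= and rl=, else None."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    if "o" not in qs or "rl" not in qs:
        return None
    try:
        return (parts.netloc + parts.path, int(qs["o"][0]), int(qs["rl"][0]))
    except ValueError:
        return None


def extract_chunk(body):
    """Pull the fragment text out of the RAW, XML or JSON bodies of slides 41-43."""
    stripped = body.strip()
    if stripped.startswith("<"):
        return ET.fromstring(stripped).get("text", "")
    if stripped.startswith("{"):
        return json.loads(stripped).get("text", "")
    return body


def reassemble(records):
    """Group fragment requests per (client, stream) and rebuild each buffer by offset."""
    streams = defaultdict(list)
    for client, method, url, body in records:
        parsed = parse_fragment_request(url)
        if parsed is None or method != "GET":
            continue
        stream, offset, length = parsed
        streams[(client, stream)].append((offset, length, extract_chunk(body)))
    results = {}
    for key, frags in streams.items():
        frags.sort()  # offsets may have been requested in random order
        contiguous = all(frags[i][0] + frags[i][1] == frags[i + 1][0]
                         for i in range(len(frags) - 1))
        results[key] = {
            "fragments": len(frags),
            "contiguous": contiguous,
            "text": "".join(chunk for _, _, chunk in frags),
        }
    return results


def suspicious_streams(results, min_fragments=3, max_chunk=16):
    """Keys of streams that look like one buffer fetched as many small sequential pieces."""
    return sorted(key for key, r in results.items()
                  if r["fragments"] >= min_fragments and r["contiguous"]
                  and len(r["text"]) / r["fragments"] <= max_chunk)


if __name__ == "__main__":
    rebuilt = reassemble(RECORDS)
    for key in suspicious_streams(rebuilt):
        # The rebuilt text is what a scanner never saw on the wire; hand it on.
        print(key, repr(rebuilt[key]["text"]))
```

The rebuilt buffers ("var heapSprayTo" for the first stream) are what the file on disk and the DOM of slides 45-46 never contain, so they are the artifact worth passing to a content scanner. The thresholds are deliberately simple; a real deployment would also key on timing and on parameter names other than o and rl.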
  • 44. Flawlessly works on all major browsers
     Proof of concept (POC) exploited within 10-20s

  • 45. AV won't detect Script Fragmentation
     Initial page will hold the decoder routine in a script tag and then a blank body.
     The file on disk will never change
     DOM in memory will never change
     NO SUBSTANTIAL CONTENT TO SCAN AS MALICIOUS!

  • 46. HTML file on disk
     File on disk is the same before and after
     C:\Documents and Settings\<USER>\Local Settings\Temporary Internet Files

  • 47. Victory!
     Script Fragmentation is a very successful evasion attack that current desktop and gateway AV do not detect.

  • 48. Ending remarks
     Reality: This attack is still a few years away
     We haven't seen this in the wild
     Possible Reasons: Dealing with scripting and obfuscation are still the biggest problems

  • 49. Possible solutions
     Detecting the decoder routine
     Detecting network anomalies
     Using a "feedback loop" and executing in a remote location.
     Disallow execution of content that comes from XMLHttpRequest: hard to implement and would break functionality – so no go.
     Post-detection
     Hooking Browser internals
     Install security add-ons – NoScript, Flashblock, SafeHistory, Adblock Plus, LocalRodeo, CustomizeGoogle, etc.
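Worked example for the first bullet, "detecting the decoder routine": a static check over the initial page's script, added here and not part of the slides. It looks for the chain the deck describes on slides 27 and 38 (a remote request object, response text appended to a string, a stepping offset in the URL, and execution of the accumulated string by eval or by an injected script element) and only fires when the fetch, accumulate and execute parts are all present. The three script samples are constructed; the two decoder-like ones carry only the shape of the routine, with comments in place of the rest, and the widget is ordinary XHR code that parses a reply and displays it.

```python
import re

# Static indicators of a script-fragmentation decoder (slides 27 and 38).
INDICATORS = {
    "remote_request": re.compile(r"\bnew\s+(?:XMLHttpRequest|XDomainRequest)\s*\("),
    "reads_response": re.compile(r"\.responseText\b"),
    "accumulates": re.compile(r"\b\w+\s*\+=\s*\w+\.responseText\b"),
    "offset_param": re.compile(r"[?&](?:o|off|offset|start)="),
    "executes": re.compile(
        r"\beval\s*\(|\bnew\s+Function\s*\(|createElement\s*\(\s*['\"]script['\"]\s*\)"
    ),
}
# The chain that has to be complete before the script is reported.
CORE_CHAIN = {"remote_request", "accumulates", "executes"}


def decoder_indicators(script):
    """Names of the indicators present in the script text."""
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


def looks_like_fragment_decoder(script):
    """True when the fetch -> accumulate -> execute chain is all present."""
    return CORE_CHAIN <= set(decoder_indicators(script))


# Constructed samples (not from the slides). Comments stand in for the parts of
# the decoder the deck describes in prose; the widget is benign XHR code.
DECODER_EVAL = """
var buf = "";
var r = new XMLHttpRequest();
r.open("GET", "/index.cgi?o=" + o + "&rl=3", false);
/* ... */
buf += r.responseText;
/* ... request the next chunk until the server returns nothing, then: */
eval(buf);
"""
DECODER_SCRIPT_TAG = """
var r = new XMLHttpRequest();
/* ... */
text += r.responseText;
/* ... */
var n = document.createElement("script");
n.text = text;
document.getElementById("target").appendChild(n);
"""
BENIGN_WIDGET = """
var r = new XMLHttpRequest();
r.open("GET", "/api/weather?city=SD", true);
r.onreadystatechange = function () {
  if (r.readyState == 4) {
    var data = JSON.parse(r.responseText);
    document.getElementById("temp").textContent = data.temp;
  }
};
r.send();
"""

if __name__ == "__main__":
    for name, sample in [("eval", DECODER_EVAL), ("script tag", DECODER_SCRIPT_TAG), ("widget", BENIGN_WIDGET)]:
        print(f"{name:10s} decoder={looks_like_fragment_decoder(sample)} "
              f"indicators={decoder_indicators(sample)}")
```

Both decoder shapes are reported and the widget is not, even though the widget also creates an XMLHttpRequest and reads responseText. The deck's own caveat from slide 48 applies: this check reads property names as written, so it belongs with the network-level and execution-based options listed on this slide rather than standing alone.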
  • 50. Thank you.
     Any questions?
    Stephan Chenette, Websense Security Labs
    schenette@websense.com
     Check out our website and blogs
     http://securitylabs.websense.com/content/blogs.aspx
     http://securitylabs.websense.com/