[WEB SECURITY] Close Encounters of the Third Kind - A look at the prevalence of client-side JavaScript vulnerabilities (new whitepaper)
Tasos Laskos
tasos.laskos at gmail.com
Fri Jan 7 19:16:28 EST 2011
On Fri, 2011-01-07 at 13:49 -1000, James Manico wrote:
> You missed the context under which the term "dynamic" was used.
> Your scope is as generalized as can be, Ory just referred to the JS
> part.
>
> No, I was just over-loading the term, sorry.
>
> The point I'm making here is that a tool crawling public portions of
> popular sites and slamming canned attack data against static JavaScript
> files/functions does not make for real dynamic analysis, nor is it a
> comprehensive review.
>
Then yeah, I agree with you.
This should be run during the audit process whenever there are changes
in the JS code, otherwise it's a waste of a very helpful feature.
> DOM XSS is a critical threat and it's going to get a lot worse. I'd like
> to see more honest and technical discussion around how to discover this
> threat via automation. Arian gets a gold star, I appreciate your level
> of honesty and detail.
>
Me too, but I doubt that that's the reason they published this
"whitepaper".
I agree with Michal that it was more of a promo leaflet than anything
else.
And yes, we should start a thread about how one would go about
automating detection of DOM-based vulnerabilities, that'd be really
interesting.
> And frankly, I've been impressed with AppScan Source Edition. It's a
> solid tool and stacks up well against others in the space. There is no
> need to sensationalize it...
>
Never used it myself, but I think that the IBM guys just got a bit
carried away with their shiny new toy, so I can understand their
over-excitement.
(Unless the "sensationalism" comment was towards my replies, in which
case I don't really see it.)
Anyways, unfortunately I don't think that we can expect technical
details from Ory since he's legally tied.
- Tasos.
> - Jim
>
>
> -----Original Message-----
> From: Tasos Laskos [mailto:tasos.laskos at gmail.com]
> Sent: Friday, January 07, 2011 1:25 PM
> To: James Manico
> Cc: Ory Segal; Stefano Di Paola; websecurity at webappsec.org
> Subject: RE: [WEB SECURITY] Close Encounters of the Third Kind - A look at
> the prevalence of client-side JavaScript vulnerabilities (new whitepaper)
>
> Hi James,
>
> On Fri, 2011-01-07 at 13:02 -1000, James Manico wrote:
> > Ory,
> >
> >
> >
> > What do you mean by “dynamic analysis”? In particular, do you *run*
> > the entire application, with database interaction, and analyze it
> > during runtime? Your paper calls your JavaScript engine “static taint
> > analysis” which IMO is just fancy static analysis, so I’m confused at
> > your “dynamic analysis” claim. I think you are just sending canned
> > attack data into a few JavaScript functions. This is not real dynamic
> > analysis, IMO.
>
> Dynamic analysis involves code execution, in this case the JS code.
> Static analysis does not, you just parse the code into an AST[1] and do
> your thing.
>
> My guess is that their system executes/evaluates the code while linked
> to a DOM, in essence acting exactly like a browser.
> Which is important because they can actually verify the vulnerability.
>
> Then they do static analysis to find the flow of the vulnerable vector
> to produce the pretty highlighted affected flow Ory showed us in the
> screenshots.
>
> Granted I'm just guessing here but that's what I would have done.
>
> > A great deal of web 2.0 apps (where DOM based XSS is even more of a
> > critical threat) dynamically create portions of JavaScript code based
> > on input, roles, data flow, etc – which is why real dynamic runtime
> > analysis is so critical.
>
> You missed the context under which the term "dynamic" was used.
> Your scope is as generalized as can be, Ory just referred to the JS
> part.
>
> But point taken, since they didn't fiddle with the web application at
> all, the JS code they analyzed may not have represented a great sample.
>
> But as stated, that wasn't the point of the "paper".
> >
> > You also mention that “as it includes the entire JavaScript codebase
> > in its natural environment” – but which one? Every browser has a
> > different JS engine. Do you provide the ability to swap these out?
>
> Yeah but we do have standards....
>
> > Ory, I’m going to have to agree with Michal Zalewski – I think you are
> > over-reaching here. ESPECIALLY since you emailed the very technical
> > WebAppSec community email list with your paper and thoughts. Your
> > product is pretty solid and it’s getting better. I would highly
> > recommend you communicate to this list with more technical information
> > and less marketing information.
> >
> I'm with you there...
> Hell, half the active members are scanner devs themselves, but there's
> also the issue of the NDA...
>
>
> Cheers,
> Tasos.
>
> [1] http://en.wikipedia.org/wiki/Abstract_syntax_tree
>
>
> > - Jim
> >
> >
> >
> > From: Ory Segal [mailto:SEGALORY at il.ibm.com]
> > Sent: Friday, January 07, 2011 3:34 AM
> > To: Stefano Di Paola
> > Cc: websecurity at webappsec.org
> > Subject: Re: [WEB SECURITY] Close Encounters of the Third Kind - A
> > look at the prevalence of client-side JavaScript vulnerabilities (new
> > whitepaper)
> >
> >
> >
> >
> > Hi,
> >
> > 1) You forgot to mention that your project is using dynamic analysis
> > and not static-hybrid-dynamic. Since we already talked this morning, I
> > felt it was important to mention this.
> >
> > 2) You said "What we really need is a helper tool..." - I think it is
> > safe to say that we need both approaches and not only one. So, I
> > disagree that what we really need is a helper tool.
> >
> > -Ory
> >
> >
> > -------------------------------------------------------------
> > Ory Segal
> > Security Products Architect
> > AppScan Product Manager
> > Rational, Application Security
> > IBM Corporation
> > Tel: +972-9-962-9836
> > Mobile: +972-54-773-9359
> > e-mail: segalory at il.ibm.com
> >
> >
> >
> >
> > From: Stefano Di Paola <stefano.dipaola at mindedsecurity.com>
> > To: Ory Segal/Haifa/IBM at IBMIL
> > Cc: websecurity at webappsec.org
> > Date: 07/01/2011 02:31 PM
> > Subject: Re: [WEB SECURITY] Close Encounters of the Third Kind
> > - A look at the prevalence of client-side JavaScript vulnerabilities
> > (new whitepaper)
> >
> >
> >
______________________________________________________________________
> >
> >
> >
> > Ory,
> > very interesting work, I've been working on something similar, but - I
> > hope - different at the same time, since last year; we'll probably
> > release a beta version at the end of January and it'll be presented
> > with more technical details in May at Swiss Cyber Storm Conference
> > (https://www.swisscyberstorm.com/speakers/dipaola )
> >
> > Imho automatic analysis is a good start but it is not the Solution,
> > even when using a hybrid approach.
> > What we really need is a helper tool for sec testers, using
> > their skills while testing sites without wasting time on analyzing
> > useless code which would lead nowhere.
> > The Tool, with capital T, is our brain, and nothing in 10 years, at
> > least, is going to replace it <prediction based on last 50 years of
> > AI research> :).
> >
> > That said, I'm very curious to see the testbed you used for the paper,
> > and see what the differences are between the tools.
> >
> > Cheers
> > Stefano
> >
> >
> >
> > Il giorno gio, 06/01/2011 alle 16.38 +0200, Ory Segal ha scritto:
> > > Hello,
> > >
> > > IBM has recently published a new whitepaper on the subject of
> > > client-side JavaScript vulnerabilities.
> > >
> > > Below you can find a short excerpt from the whitepaper:
> > >
> > > "In the past 10 years, many whitepapers, research articles, and blogs
> > > have been published on the subject of server-side web application
> > > vulnerabilities such as SQL Injection, Cross-Site Scripting, and HTTP
> > > response splitting. In addition, several projects such as the WASC Web
> > > Hacking Incident Database or the WASC Statistics project have tried to
> > > estimate the incidence of such issues in the real world. On the other
> > > hand, there is a dearth of information and statistics on the incidence
> > > of client-side JavaScript vulnerabilities in web applications, even
> > > though these vulnerabilities are just as severe as their server-side
> > > counterparts. We suspect that the main reason for this lack of
> > > information is simply because client-side vulnerabilities are harder
> > > to locate, and require deep knowledge of JavaScript and the ability to
> > > perform code review for HTML pages and JavaScript files. As Web 2.0,
> > > AJAX applications and rich internet applications (RIAs) become more
> > > common, client-side JavaScript vulnerabilities will probably become
> > > more relevant, and we foresee a rise in the amount of such issues
> > > being exploited by malicious hackers. This whitepaper presents the
> > > results of a research recently performed by the IBM Rational
> > > Application Security group into the prevalence of client-side
> > > JavaScript vulnerabilities. For this research, we used a new IBM
> > > technology called JavaScript Security Analyzer (JSA), which performs
> > > static taint analysis on JavaScript code that was collected from web
> > > pages extracted by an automated deep web crawl process. This kind of
> > > analysis is superior to and more accurate than regular static taint
> > > analysis of JavaScript code, as it includes the entire JavaScript
> > > codebase in its natural environment: fully rendered HTML pages and the
> > > browser’s Document Object Model (DOM). The research used a sample group
> > > of approximately 675 websites, consisting of all the Fortune 500
> > > companies and another 175 handpicked web sites, including IT, Web
> > > application security vendors, and social networking sites."
> > >
> > > The whitepaper can be downloaded at the following address:
> > >
> > >
> >
http://www.ibm.com/common/ssi/cgi-bin/ssialias?infotype=SA&subtype=WH&appname=SWGE_RA_RA_USEN&htmlfid=RAW14252USEN&attachment=RAW14252USEN.PDF
> > >
> > >
> > > * I would like to thank Amit Klein & Jeremiah Grossman for reviewing
> > > the whitepaper and sending me their feedback
> > >
> > >
> > >
> > > -------------------------------------------------------------
> > > Ory Segal
> > > Security Products Architect
> > > AppScan Product Manager
> > > Rational, Application Security
> > > IBM Corporation
> > > Tel: +972-9-962-9836
> > > Mobile: +972-54-773-9359
> > > e-mail: segalory[at]il.ibm.com
> > >
> > >
> > >
> > >
> >
> >
> > --
> > Stefano Di Paola
> > Chief Technology Officer, Lead Auditor ISO 27001
> > Minded Security - Application Security Consulting
> >
> > Email: stefano.dipaola [at] mindedsecurity.com
> >
> > Minded Security S.r.l.
> > Via Duca D'Aosta, n.20 50129 Firenze (FI)
> > www.mindedsecurity.com
> >
> >
_________________________________________________________________________________________________
> >
> > Pay attention, this email is confidential. If you are not authorized,
> > or if you have received this message by mistake, please do not read,
> > use or spread any piece of the information above.
> >
> >
> >
> >
> >
>
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
To unsubscribe email websecurity-unsubscribe at webappsec.org and reply to
the confirmation email
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
More information about the websecurity mailing list