Call To Arms: A Tale of the Weaknesses of Current Client-Side XSS Filtering

Video Link: https://www.youtube.com/watch?v=U1LI5Jp4xJY



Duration: 54:42


Cross-Site Scripting (XSS) is one of the most severe security vulnerabilities of the web. With the introduction of HTML5, the complexity of web applications is ever increasing and despite the existence of robust protection libraries, Cross-Site Scripting vulnerabilities are nowadays omnipresent on the web.

In order to protect end users from being exploited, browser vendors reacted to this serious threat by outfitting their browsers with client-side XSS filters. Unfortunately, as we found, the protection currently provided is severely limited, leaving end users vulnerable to exploits in the majority of cases.

In this talk, we present an analysis of Chrome's XSS Auditor, in which we discovered 17 flaws that enable us to bypass the Auditor's filtering capabilities. We will demonstrate the bypasses and present a tool that automatically generates XSS attacks utilizing them.

Furthermore, we will report on a practical, empirical study of the Auditor's protection capabilities, in which we ran our generated attacks against a set of several thousand DOM-based zero-day XSS vulnerabilities in the Alexa Top 10,000 (we will also briefly cover how we found these vulnerabilities using a taint-aware browser engine). In our experiments, we were able to bypass the XSS filter on the first try in over 80% of all vulnerable web applications.

We will conclude the talk with an outlook on potential future improvements to client-side XSS filtering, based on our analysis and our experience in bypass generation.

PRESENTED BY
Martin Johns, Ben Stock, Sebastian Lekies
Black Hat - USA - 2014 Hacking conference