4MMSR-Network Security-2012-2013-taint assisted dom xss fuzzing: Difference between versions

From Ensiwiki

Current version as of 19 February 2014 at 21:35

Taint Assisted DOM-XSS Fuzzing with Dominator Pro

This is a "mini" research project for the course 4MMSR-Network Security

Keywords

fuzzing, DOM/type-0 XSS, data tainting

Description

DOM XSS is an injection vulnerability for which few attack grammars exist. The problem formalization can be derived from [1]. A fuzzer is integrated in the penetration testing tool Dominator Pro [2]. It is not clear how this fuzzing module performs: it likely submits every value from a dictionary in turn and keeps iterating until a given test verdict is obtained. In this mini research exercise, we want to address this fuzzing process in the following ways:

  • how to generate an input sequence knowing the previously submitted sequences?
    • which input parameters to choose?
    • which values to provide for them?
  • how to assess whether a given input sequence is promising towards triggering this bug?

Expected output

  • formalize the DOM XSS problem
  • explain how the DOMinator Pro fuzzer works
  • list the existing DOM XSS attack grammars and their content
  • write a DOM-XSS attack grammar
  • interface with Dominator Pro to programmatically obtain:
    • the number of tainted nodes
    • the list of transformations performed on sources
    • whether a DOM XSS attack occurred or not (test verdict)
  • write a fitness function for directing DOM XSS fuzzing
  • write an evolutionary fuzzer

Research Questions

  • propose a methodology for producing a DOM-XSS grammar
  • what are the intuitions for writing the most relevant fitness function dimensions?
  • compare the built-in DOMinator Pro fuzzer with the one you wrote (criteria to be defined)

References

  • [1] XSS Vulnerability Detection Using Model Inference Assisted Evolutionary Fuzzing, Fabien Duchene, Sanjay Rawat, Roland Groz and Jean-Luc Richier, 2012: http://car-online.fr/en/spaces/fabien_duchene/publications/2012-04-SecTest-ICST/
  • SPaCIoS, D3.3 "Methodology and technology for vulnerability-driven security testing", section "An Evolutionary Smart-Fuzzing Approach for Detecting XSS Injections Attacks", 2013: http://www.spacios.eu/deliverables.php
  • DOM XSS on Google.com Page using DOMinatorPro Fuzzer, 2012: http://www.youtube.com/watch?v=fh21ly5LNkg

Tools

  • [2] Dominator Pro: https://dominator.mindedsecurity.com/

GitHub repository name

dom_xss_fuzzer

Results

  • Evolutionary DOM-XSS Fuzzing, Duchene, Al_Safwi, Le_Queau, Peyard, Scanu: http://car-online.fr/files/teaching/2013-Ensimag-4MMSR-Network_Security/research_projects/DOM-XSS%20Evolutionary%20Fuzzing/duchene-2013-DOM_XSS_Fuzzing-Al_Safwi-Le_Queau_Peyard_Scanu.pdf

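The fitness function listed under the expected output, as an added example that is not code from the project page or from DOMinator Pro: it scores one submitted input from the three quantities the page wants to read back from the tool (tainted node count, transformations applied to the source, test verdict) and picks the most promising input for the next generation. The transformation and sink names, the weights and the sample traces are assumptions for illustration.

```python
# Added example, not code from the project page or DOMinator Pro; names and
# weights are assumptions for illustration.
from dataclasses import dataclass
from typing import List

# Assumed classification of string transformations seen on a tainted source.
NEUTRALISING = {"encodeURIComponent", "escapeHTML", "textContent"}
DECODING = {"decodeURIComponent", "unescape", "atob"}
# Sinks that interpret their argument as HTML or code.
INTERPRETING_SINKS = {"innerHTML", "document.write", "eval", "setTimeout"}

@dataclass(frozen=True)
class TaintTrace:
    """One observation of a tainted flow for a single submitted input."""
    source: str                 # e.g. "location.hash"
    sink: str                   # e.g. "innerHTML"
    transformations: List[str]  # ordered operations applied to the source
    tainted_nodes: int          # DOM nodes carrying tainted data
    verdict: bool               # test oracle: did a DOM XSS occur?

def fitness(trace: TaintTrace) -> float:
    """Score in [0, 1]; exactly 1.0 only when the test oracle fired."""
    if trace.verdict:
        return 1.0
    # Spread through the DOM: saturates at 10 nodes, worth up to 0.4.
    score = 0.4 * min(trace.tainted_nodes, 10) / 10
    # Neutralising steps lower the chance the value survives intact;
    # decoding steps raise it, since they re-expose special characters.
    for op in trace.transformations:
        if op in NEUTRALISING:
            score -= 0.2
        elif op in DECODING:
            score += 0.1
    # Reaching an HTML/code-interpreting sink is the decisive dimension.
    if trace.sink in INTERPRETING_SINKS:
        score += 0.3
    return max(0.0, min(score, 0.99))  # only a real verdict reaches 1.0

def most_promising(traces: List[TaintTrace]) -> TaintTrace:
    """Pick the trace whose input the next generation should mutate."""
    return max(traces, key=fitness)

# Constructed sample traces (not captured from a real application).
SAMPLE = [
    TaintTrace("location.hash", "textContent", ["textContent"], 1, False),
    TaintTrace("location.hash", "innerHTML", ["decodeURIComponent"], 3, False),
    TaintTrace("document.URL", "innerHTML", ["encodeURIComponent"], 4, False),
]
```

The three dimensions (spread, surviving transformations, sink kind) map onto the fitness-function intuitions asked for in the research questions; a real implementation would read the trace fields from the tool's reporting interface.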
Get Started!

  • create an archive on the ensimag server, so that only your team members and I have access to it.
  • Créer_une_archive_partagée_avec_Git
  • obviously, do not forget to send me the path afterwards

Contacts

Fabien Duchene