4MMSR-Network Security-2012-2013-taint assisted dom xss fuzzing : Différence entre versions
De Ensiwiki
| Ligne 42 : | Ligne 42 : | ||
|github_repo_name=dom_xss_fuzzer | |github_repo_name=dom_xss_fuzzer | ||
| + | |results= | ||
| + | * [http://car-online.fr/files/teaching/2013-Ensimag-4MMSR-Network_Security/research_projects/DOM-XSS%20Evolutionary%20Fuzzing/duchene-2013-DOM_XSS_Fuzzing-Al_Safwi-Le_Queau_Peyard_Scanu.pdf Evolutionary DOM-XSS Fuzzing, Duchene Al_Safwi, Le_Queau, Peyard, Scanu] | ||
}} | }} | ||
Version actuelle en date du 19 février 2014 à 21:35
Deuxième Année 
Informatique 
Sécurité 
4MMSR-mini research project
Sommaire
Taint Assisted DOM-XSS Fuzzing with Dominator Pro
This is a "mini" research project for the course 4MMSR-Network Security
Keywords
fuzzing,DOM/type-0 XSS,data tainting
Description
DOM XSS is an injection vulnerability for which few attack grammars do exist. The problem formalization can be derived from [1]. There exist a fuzzer integrated in the penetration testing tool Dominator Pro [2]. It is not clear how this fuzzing module does perform: it is likely that this module iteratively submits all values from a dictionary and keeps iterating until a given test verdict is obtained. In this mini research exercise, we want to address this fuzzing process in the following ways:
- how to generate an input sequence knowing previously submitted sequences?
- which input parameters to choose?
- which values to provide on those?
- how to assess if a given input sequence is promising towards triggering this bug?
Expected output
- formalize the DOM XSS problem
- explain how the DOMinator Pro fuzzer does work
- list and content of existing DOM XSS attack grammars
- write a DOM-XSS attack grammar
- interface with Dominator Pro to programmatically obtain:
- the number of tainted nodes
- the list of performed transformations on sources
- if a DOM XSS attack did occur or not (test verdict)
- write a fitness function for directing DOM XSS fuzzing
- write an evolutionary fuzzer
Research Questions
- propose a methodology for producing a DOM-XSS grammar
- what are the intuitions for writing the most relevant fitness function dimensions?
- compare the built-in DOMinator Pro fuzzer with the one you wrote (criteria to be defined)
References
- DOM Based Cross Site Scripting or XSS of the Third Kind, Amit Klein, 2005
- Finding DOM XSS with Dominator Pro, Stefano di Paola, 2011
- XSS Vulnerability Detection Using Model Inference Assisted Evolutionary Fuzzing, Fabien Duchene & Sanjay Rawat & Roland Groz & Jean-Luc Richier, 2012
- SPaCIoS, D3.3 "Methodology and technology for vulnerability-driven security testing", section "An Evolutionary Smart-Fuzzing Approach for Detecting XSS Injections Attacks", 2013
- DOM XSS on Google.com Page using DOMinatorPro Fuzzer, 2012
Tools
Results
Get Started!
- create an archive on the ensimag server, so that only your team members and I have access to it.
- Créer_une_archive_partagée_avec_Git
- obviously, do not forget to send me the path afterwards
