Technical Overview

Dynamic Web Application Security Testing for Web Browsers is an emerging technology that will become a fundamental component of Web Application Security Testing Suites in 2013. Our technology automates the process of identifying Web Browser Exploits at runtime interacting with Web Applications, identifying the optimal payload(s) to trigger an attack.

Current Black-Box Security Scanners mostly target common points of injection contrasted with our technology that is an In-Bowser, DOM-based Scanner utilizing a DOM Inspection Script to analyze element modification(s).

The Virtual Scripted Attacker (VSA) consists of four distinct components, three of which are deployed in an actual browser to provide the desired functionality to test for XSS (Cross Site Scripting). VSA employs an instrumented Mozilla Firefox browser that is remotely controlled with a Selenium Web Driver implementation, running on a Linux Command Line Interface (CLI), utilizing a virtual display driver enabling VSA to run in multiple client environments.

Scans are integrated into existing Continuous Integration (CI) processes to ensure website quality and security. External tools can remotely control VSA and communicate with a JavaScript Object Notation (JSON) API or directly with the logger database connected to the VSA crawler and scanner engines.

VSA Business Logic

1. HTTP Crawler & Google Module VSA utilizes a classic HTTP as well as a Google Crawler Module. These crawlers are used to spot and log URLs related to a scanned domain. The spotted URLs will be logged to a database. Note that the combination of HTTP and Google-based crawler is unique and allows VSA to identify more potentially vulnerable URLs and resources than other crawler tool.

2. DOM Crawler The DOM crawler adds yet another layer of visibility for VSA. While the list of URLs found by HTTP and Google-based crawler is extended during the ongoing crawling process, the DOM crawler causes the instrumented Firefox browser to visit the stored URLs and scan the DOM for even more data sources. This way VSA can also spot requests caused by JavaScript actions and Ajax requests.

3. XHR Scanner The XHR Scanner works similarly to a classic HTTP scanner, but utilizes the XMLHttpRequest Object (XHR). VSA forces all used URLs to be available for Cross-Origin Resource Sharing (CORS), so the XHR scanner can reach and analyze URLs that would otherwise not be available. The scanning process involves a vector-prefix rotation system allowing combining common XSS test vectors with a set of prex-strings to increase the chance of actually triggering vulnerability. A JavaScript system injected into the scanned website ensures that no false positives will be reported.

4. DOM Scanner The DOM Scanner provides a maliciously prepared DOM, setting all possible sinks for DOMXSS injections to a value allowing clear determination of vulnerabilities. The website is then loaded into this prepared DOM and in case one of the sinks is being activated and code is being executed, vulnerability will be logged. Note that instrumenting a browser allows VSA to log the exact line of code where the vulnerability exists. This enables VSA to automatically feed auto-fix or JSA to patch vulnerabilities after they have been discovered and confirmed.

VSA User Agent Emulation

VSA is currently featuring Mozilla Firefox as the only instrumented user agent. Future development will instrument Internet Explorer, Chrome, Safari and Webkit as well. The system backend is developed in the Python scripting language and MySQL database.

Benefits

Using VSA in a corporate environment yields several benefits for customers and the users of the scanned and guarded websites:

1. VSA is an automated Dynamic Application Security Testing (DAST) technology designed to detect DOMXSS conditions and confirm security vulnerabilities in web applications during running states.
2. VSA automatically tests the exposed interfaces of Web-enabled applications using protocols and formats, such as Simple Object Access Protocol (SOAP), Representational State Transfer (REST), Extensible Markup Language (XML) and JavaScript Object Notation (JSON). Validating POST-Forms is no problem for VSA based on a value-prediction algorithm.
3. VSA utilizes experience and knowledge of human pen testers by instrumenting an actual browser, triggering actual DOM events & transactions (clicks, mouseover etc.). While classic scanners work with many HTTP requests and attack-permutations, VSA searches for a vulnerability as a human penetration tester would do
4. VSA doesn’t “torture” a tested web application, keeps the load-level low by using smart-caching. Why request the whole page over and over again if the DOM scanner can analyze it right in the browser cache?
5. VSA scales. It works straight from the console and doesn’t require special hardware - or custom compiled kernels. We run VSA for a standard Ubuntu 12 server. The more CPUs VSA gets, the faster it will scan. 100,000 URLs and more are not a problem.

Comparison Chart

To test how VSA performs compared to other commercial and open-source scanner software, a vulnerability-test-course was set up. Note that these vulnerabilities reflect actual website security problems we spotted over the past several years during manual penetration tests and audits.

As can be seen, the classic yet most advanced publicly available XSS scanners have no trouble finding the server-side XSS vulnerabilities. VSA nevertheless manages to spot and confirm server- and client-side XSS problems.

Autofix Feature (Alpha Stadium)

The currently designed Autofix feature will allow VSA to contribute not only to per-user defense and offensive vulnerability testing, but also to a page-specific fix generation allowing website administrators to employ an automated security and quality assurance system. VSA and JSAgent are both capable of logging attacks relating to a resource to a database table. A website using Autofix can now use this database to find out, whether a user is currently visiting one of the potentially affected URLs on that very website. If this is the case, identification happens via hash comparison and the aforementioned page-uniqueness algorithm  Autofix can generate an x and deploy it via JavaScript. Autofix can handle and automatically prevent classic XSS vulnerabilities, injected drive-by-download attacks and DOMXSS attacks. The user experience is not being affected by the minor protective changes Autofix is performing, since only very specific internal browser and DOM properties would be affected by the fix. Autofix will make use of a slim yet significantly important dataset delivered by VSA:

1. Vulnerable Property Knowing the DOM Property that causes a vulnerability allows Autofix to freeze the affected object and give it protection. Additionally, the object can be set to monitoring mode allowing a website to determine, whether actual attacks are happening and which IP addresses are affected. This significantly eases forensics  which are especially in case of DOMXSS attacks almost impossible to handle for unprepared websites.

2. Successful Attack Vector(s) Knowing the successful attack vector VSA spotted during scanning allows Autofix to be as precise as possible regarding the necessary filter and fix to be deployed. It further avoids impact on the use experience, since only specific characters and attack vectors need to be ltered. In case VSA is used in a Continuous Integration scenario, Autofix can use the frequently changing data to scale with potentially novel attack vectors and regularly update the code used to fix the vulnerability.

3. Exact Line of vulnerable Code Knowing the exact line of code where the vulnerability occurs allows Autofix to not only fix the vulnerability, but also to send out a very precise report to the website administrator allowing immediate check if the fix has been applied properly. In complex web applications such as GMail or Google Maps, a small code change might interfere with the user experience despite greatest care. To avoid the improbable, Autofix will notify the website administrator about every employed fix and suggest a manual review before the fix is either left as is or superseded by an actual fix in the website code. Either way, the priority of delivering security without harming user experience is preserved.

CloudScan Application Management Portal (AMP)

AMP enables staff to create and schedule tasks running on vulnerability detection and network administration tools. AMP manages the dispatch and processing the job results, delivering Proof of Concept execution and Defect Reports into existing log management and product life-cycle management tools. AMP enables enterprises to reduce administration and compliance costs by:

1. consolidating and automating tool management
2. freeing senior technical experts from routine tasks
3. using existing enterprise tools
4. linking vulnerability detection with product life-cycle management tools

Tool Automation Features

1. Management of vulnerability discovery tools such as Virtual Scripted Attacker, and Hoyt’s Proxy’Mun and interfaces to CoTS & OS Exploit Tools & Frameworks such as MetaSploit, Canvas, PWNPlug, XSSRIA, SQLSlammer, DOM_KRAKrz and other tools
2. Unified management via network management and monitoring tools

1. SNMP, WMI, RADIUS, LDAP, Perl Proxy, SQL, REST, API, CLI and others

3. Wizard style task creation and scheduling for Point-and-Shoot Exploitation
4. Customized Attack Platform managed by GreenHat Bug Hunters

Reporting Features

5. CVSS for standards-based prioritization
6. 3rd Party Providers – Ads, CDN’s, JS Providers, Analytics and more
7. Task results transformed into wide range of report formats including: html, pdf, xml, delimited text, SQL, CSV and more
8. Results formatted for inclusion in common log management and Big Data Mining tools
9. Issues identified and transformed for automated consumption by other product life-cycle management tools including: JIRA, Bugzilla
10. Administrative reports including change-logs and resource consumption

1. Typical Access, Authorization and Accounting model

Work Requests

1. One-click process for submitting a discovered issue to internal or external operations center for escalated support
2. Work requests integrate with existing billing systems

User Experience

11. Engaging and accessible user environments enabling junior and non-technical users
12. REST-API supports wide range clients including web browsers, iOS and Android mobile devices, Silverlight rich desktop

Big Data Mining

1. Search and correlate results aggregated from all implemented tools
2. Discover new vulnerability patterns

Enterprise Integration

1. Integrates with existing access-controls via Radius
2. Provides fine-grained role-based access-control configuration
3. Business logic will run in existing Java application containers
4. Support for wide range of database systems including: Oracle, DB2, MSSQL, PostgreSQL, MySQL
5. Support for wide range of proxying HTTP servers including: IIS, Apache, Nginx and Hoyt’s Proxy’Mun
6. Track usage in existing billing systems and remediation systems (JIRA)

Deployment Options

AMP's modular design enables a wide range of deployment scenarios from wholly outsourced to internal black-box appliance available for immediate deployment.

1. Outsourced Cloud: HTI will host and maintain your AMP instance while connecting to your enterprise through a private network or the public cloud.

2. Black-box Appliance: fully configured, rack-mountable appliance loaded with the desired vulnerability detection and network administration tools.

3. Modular Approach: Any combination of the above deployment options including incorporating existing enterprise resources such as database systems, application server containers, vulnerability detection tools and network administration tools.

4. Management, Updates and Support included in Click Wrap License Agreement

Pricing

$360/URL/Year

Contact:        CloudScan     xss@xss.cx