The Web IS Vulnerable: XSS Defense on the BattleFront

Presented at Black Hat USA 2013, July 31, 2013, 5 p.m. (30 minutes)

Cross-site scripting issues remain a major problem on the web: using a combination of big-data mining and relatively simple detection methods, we have identified attackers successfully exploiting XSS flaws on over 1,000 vulnerable pages on hundreds of websites, spanning multiple countries, types of organizations, all major TLDs, and well-known international companies. We also found numerous malicious attacks of differing severity leveraging existing XSS vulnerabilities.

In this talk we first summarize our findings, presenting both unusual cases and various statistics, and then follow up with present state-of-the-art methods of protection against probing for XSS vulnerabilities and against XSS attacks, showing that they are capable of intercepting over 95% of the real-world malicious samples. We will also introduce a new research tool called detectXSSlib, a lightweight module for the nginx server dedicated to real-time detection of XSS attacks.
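As an added illustration of the kind of lightweight, request-level detection the abstract describes (example code written for this page, not detectXSSlib or any Trustwave or Microsoft code), the following Python detector normalises query-string values through repeated URL and HTML-entity decoding and then checks them against a small set of script-injection indicators; the request lines are constructed samples.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample request lines (not from the talk). The third one is
# double-encoded, which a single-decode filter would miss; the last one is a
# benign value containing '&' that must not be flagged.
SAMPLE_REQUESTS = [
    "GET /search?q=shoes HTTP/1.1",
    "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1",
    "GET /profile?name=%26lt%3Bimg%20src%3Dx%20onerror%3Dalert(1)%26gt%3B HTTP/1.1",
    "GET /item?id=42&ref=javascript%3Aalert(document.cookie) HTTP/1.1",
    "GET /page?title=Tom%20%26%20Jerry HTTP/1.1",
]

# Minimal indicator set, applied only after normalisation: a script tag, an
# event-handler attribute inside a tag, or a javascript: URL scheme.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"<\s*(img|svg|iframe|body|object|embed)\b[^>]*\bon\w+\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
]


def normalize(value, rounds=3):
    """URL-decode and HTML-entity-decode repeatedly until the value is stable,
    so nested encodings collapse to what the browser would finally see."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(line):
    """Return a list of (parameter, matched_pattern) hits for one request line."""
    _method, target, _version = line.split(" ", 2)
    hits = []
    # parse_qsl performs the first URL-decode; normalize() handles the rest.
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = normalize(raw)
        for pattern in XSS_PATTERNS:
            if pattern.search(value):
                hits.append((name, pattern.pattern))
                break
    return hits


def scan(lines):
    """Map each request line to its hits; an empty list means no indicator fired."""
    return {line: inspect_request(line) for line in lines}
```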


Presenters:

  • Ryan Barnett - Trustwave
    Ryan C. Barnett is a Lead Security Researcher on Trustwave's SpiderLabs Research Team, where his focus is web application defense. In addition to working with Trustwave, he is a Web Application Security Consortium (WASC) member, where he leads the Web Hacking Incidents Database (WHID) and Distributed Web Honeypots projects. He also serves as the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set (CRS) project leader. Mr. Barnett is a frequent speaker at security industry conferences such as Black Hat and has also authored two web security books, including the Web Application Defender's Cookbook: Battling Hackers and Protecting Users.
  • Greg Wroblewski - Microsoft
    Greg Wroblewski, PhD, CISSP, is a senior security researcher in Microsoft's Trustworthy Computing Security group. Over the last 9 years he has worked in many areas of security response, presenting at Black Hat USA 2007 and 2012. At Microsoft he focuses on security problems in online services, detection of attacks, and pentesting. In the past he was responsible for the technical side of patches in over 50 Patch Tuesday bulletins as well as for hardening products such as Windows and Office. Recently he led the development effort to port the ModSecurity module to the IIS and nginx servers.
