Dom Flow - Untangling the DOM for More Easy-Juicy Bugs

Presented at Black Hat USA 2015, Aug. 6, 2015, 5 p.m. (60 minutes)

Modern day web applications are quite JavaScript heavy and its only going to get worse for pen-testers and scanners alike, because of the complexity involved. Client side attacks like DOM XSS, insecure usage of WebSockets, unwanted use of Global variables, insecure user-defined functions, and many other similar patterns are quite hard to detect for the pen-tester manually or even by static JavaScript analysers.

How about we hook onto all the JavaScript actions dynamically and transparently? The results are very useful to conduct more advanced penetration tests on web apps. Existing JS dynamic analysis tools only work if its built within the code, such as performance analysis. Moreover, the JS files are minified in production. To solve this problem enter Hookish!

Hookish! is an open-source chrome-extension which overrides most of the DOM properties and brings out the interesting stuff to the pen-tester. For instance, imagine a single page web-app with some complex JS code and you would like to know whether all the content being dynamically updated to the DOM are clean. Do they use a safe filter / encoder before pushing it to the DOM? Well, Hookish! can solve this problem for you. It hooks into all XHR responses, and matches those strings with DOM mutation events like DOMNodeInserted, DOMSubtreeModified etc. and also tries relevant payloads to check whether there are possible DOM XSS vulnerabilities and other such shenanigans. This is just scratching the surface, things can become more intuitive when a pen-tester uses Dom Flow.

Dom Flow is a feature where one can drag and drop the sources and sinks as he wishes to understand how data flows between them in the given app. This is something which brings out more understanding of the app and reveals hidden DOM based bugs and also helps the pen-tester to conduct further attacks.


Presenters:

  • Ahamed Nafeez
    Ahamed Nafeez is a security engineer with interest in browser and network security. In the past, he has been a speaker at Nullcon, Black Hat, and Hack-In-The-Box. He loves working on solutions to build defensive softwares and ways to detect attacks.

Links:

Similar Presentations: