AppSec Europe 2014

JavaScript controls our lives – we use it to zoom in and out of a map, to automatically schedule doctor appointments and to play online games. But have we ever properly considered the security state of this scripting language? 

Before dismissing the (in)security posture of JavaScript on the grounds of a client-side problem, consider the impact of JavaScript vulnerability exploitation to the enterprise: from stealing server-side data to infecting users with malware. Hackers are beginning to recognize this new playground and are quickly adding JavaScript exploitation tools to their Web attack arsenal. 

In this talk we explore the vulnerabilities behind Javascript, including: 
• A new class of vulnerabilities unique only to JavaScript 
• Vulnerabilities in 3rd-party platforms which are exploited through JavaScript code 
• HTML5 is considered the NG-Javascript. In turn, HTML5 introduces a new set of vulnerabilities 

In recent years, the Web witnessed a move towards sophisticated client-side functionality. This shift caused a significant increase in complexity of deployed JavaScript code and thus, a proportional growth in potential client-side vulnerabilities, with DOM-based Cross-site Scripting being a high impact representative of such security issues.

In this paper, we present a fully automated system to detect and validate DOM-based XSS vulnerabilities, consisting of a taint-aware JavaScript engine and corresponding DOM implementation as well as a context-sensitive exploit generation approach. Using these components, we conducted a large-scale analysis of the Alexa top 5000. In this study, we identified 6167 unique vulnerabilities distributed over 480 domains, showing that 9,6% of the examined sites carry at least one DOM- based XSS problem.

This presentation will introduce ActiveScan++ and demonstrate how it can be used to easily identify complex vulnerabilities in real world applications. ActiveScan++ is an open source Python plugin that builds upon Burp Suite's basic active scanning functionality. This talk will cover the classic and exotic vulnerabilities it can detect, as well as the pros and pitfalls that can be found with the proxy-plugin approach to automated vulnerability hunting.

ActiveScan++ uses heuristic probes to efficiently assess the susceptibility of the target to a range of cutting edge attack techniques, such as host header poisoning and relative path overwrites. In addition, ActiveScan++ provides robust identification of blind attack issues, helping to locate rare but critical vulnerabilities such as code injection that pentesters can't afford to miss. Demonstrations of the underlying mechanics of these attacks, how they can be automatically detected, and how we can actively exploit them once they have been identified will be performed throughout the presentation.

The presentation will finish with a discussion of current research into automated detection of 'suspicious' behaviour, in a manner similar to the initial stages of manual testing. These new techniques allow generic detection of entire vulnerability classes by combining platform-independent payload sets with fuzzy pattern matching.

This presentation will host the first public release of this open source tool.

This presentation will cover “Metro”, “Modern” or (more correctly) “Windows Store” Apps and how to perform security reviews on them. Like it or not, this is the direction Microsoft are going in, and it seems likely that this style of centrally controlled, sandboxed application is the future for at least some types of Windows programs. The focus of the talk will be Store Apps developed in HTML and JavaScript (although other types of app will be mentioned). I will explain what a Store App is, and how it differs from a normal Windows application, and also from a web site. 

In the first section I cover the architecture and theory of Store apps. I go over the different types of development frameworks which can be used to create them, and how they get from a developer’s PC to the Windows Store, including what Microsoft do (and don’t do) as far as security testing is concerned. I’ll also compare and contrast this type of apps with ones from other architectures (Win32 and mobile). 

The second section of the presentation then explains (and shows) how to set up an environment (Windows 8.1, a web proxy of choice and Visual Studio) to test a Store application – there are some tricks to this which are not well publicised. I’ll point out where apps are stored, how you get access to them, and how to go about testing them including code review examples (focusing on secure and insecure JavaScript). I’ll show the use of a web service in an app and how this technology can present a security hole in the app sandbox. 

In conclusion I will make some comments on where the move to a Store based system in the Windows environment (over 90% of PC class devices) is taking us from a security perspective, and how this fits (in my opinion) with the future development of Windows Phone and RT. 

The presentation as a whole gives an introduction to an area of application testing which is not well known but is likely to become more critical as time advances and the Store system becomes more mature. 

This presentation shares the results of a yearlong survey of nearly 600 software developers that captures their knowledge of application security before and after formal training. The survey queries developers from various backgrounds and industries, to better understand their exposure to secure development concepts and to capture a baseline for post-training improvements.

The session also includes the results of a "retest" of a subset of respondents, to identify how much security knowledge they retained after a specific length of time. The results were surprising, and include information every application risk manager should know, particularly those who rely on training as part of an application security strategy.

Gaps in the enforcement of access control policy of a software system can lead to privilege escalation, allowing unauthorized access to sensitive resources and operations. We describe a novel technique to automatically detect missing and inconsistent authorization checks in web applications with static analysis and conclude with empirical results of using our approach on real-world applications. 

The concept of granting different users different privileges dates back to early software systems. Gaps in the enforcement of access control policies can lead to privilege escalation, allowing unauthorized access to sensitive resources and operations. As software becomes more ubiquitous and is used for tasks ranging from shopping to scheduling doctor’s appointments, providing bulletproof access control remains an imperative. 

Correct placement of authorization checks is a non-trivial task for developers that requires intimate knowledge of the system, its users, and their roles. These challenges are evidenced by the fact that missing authorization checks—like the one that allowed Bloomberg News to leak NetApps’s earnings results in 2010—are still among the most widespread and impactful vulnerabilities. Manually weeding out access control violations is cumbersome and requires a lot of expertise. Existing automated techniques are also inadequate and require either substantial human intervention or are effective only on very targeted code bases, such as operating systems. 

This talk focuses on ensuring well-placed authorization checks in web applications. We discuss different ways access control requirements are specified in web applications, including configuration- and annotation-based approaches. Next, we describe a novel technique to automatically detect missing and inconsistent authorization checks. Our approach lets us detect missing checks statically rather than at runtime and allows us to provide remediation suggestions that allow developers to fix code before it goes to production. 

We conclude with empirical results of our successful application of this approach to a number of real-world web applications. We discuss the classes of issues we found and review specific examples to shed light on the kinds of authorization mistakes developers are making today.