Saturday, November 2, 2013

JavaScript static analysis meets your HTTP proxy

I recently use Zed Attack Proxy (ZAP) for the first time. While using the tool, I notice ZAP had passive scanning capabilities. With few examples (built-in passive rules), I started to build a plugin that scan JavaScript for both ZAP and Burp Pro.

The idea


Most modern applications (ab)use JavaScript to build client-side logic. The code is spread in JavaScript files and inline scripts tag. It can totalise thousands of lines of code.
The idea is to do static analysis on all JavaScript files intercepted by the proxy to mark security sensitive code sections.

Developing the rules


Doing a grep like scanner would have limited value. For this reason, Mozilla Rhino was chosen to do JavaScript parsing. By having a real parser, it will be possible to do more intelligent rules that eliminate some false positives. For example, the identification of innerHTML usage was the first rule developed.

The following line could be an exploitable XSS
element.innerHTML = "XSS here ->" + value + "";

While the following line doesn't need to be review.
element.innerHTML += "Static content";

The first example will trigger an alert while the second one is ignore because it is safe.

Screenshots



ZAP plugin

Burp Pro plugin

Try it yourself


The respective plugins are available to download at https://github.com/h3xstream/rhinauditor#downloads.
Note : The plugins are in an alpha stage.

Doing your own passive rules


With ZAP, the implementation of a PluginPassiveScanner is needed to analyse response content. [sample]

In Burp api, you need to implement IScannerCheck. [sample]

No comments:

Post a Comment