I titled this talk “A Computer in Every Pocket: Securing Mobile
Applications,” because I believe that mobile applications are
fundamentally changing the way that we interact with technology.
Furthermore, these devices contain lots of sensitive and personal
data, and keeping users safe and this data private is a goal of my
research.
On Wednesday, June 29th, 2016, I was privileged to give a talk at
OWASP Phoenix titled “Everything You’ve Ever Wanted
to Know About Black-Box Web Vulnerability Scanners (But Were Afraid to
Ask)”.
This was an exciting talk for me, as it was my first ever OWASP
meeting. I am a big fan of OWASP, and they have been instrumental in
helping shape my knowledge of security. I’m happy to start giving back
to the OWASP community.
On Wednesday, 11/18/15, I gave a guest lecture in
Partha Dasgupta’s CSE 466 class on
Cross-Site Scripting vulnerabilities. As this was an
undergrad class, I spent time covering the evolution of HTML, the role
of JavaScript on the web, the security model of JavaScript, the
browser’s Same Origin Policy, how XSS attacks are about
circumventing the Same Origin Policy, how XSS vulnerabilities result
from the server-side web application code concatenating strings to
create HTML output that is sent to the user’s browser, how XSS
vulnerabilities can be exploited, and how XSS vulnerabilities can be
prevented.
Much of this material is derived from my CSE 591
class, which is a grad class on web security, compressed into a single
lecture targeted to undergrads. We did not get to cover client-side
XSS vulnerabilities (also called DOM-based XSS) or lots of other cool
stuff.
So you may or may not be familiar with the popular mobile game
DOTS. Well, if you haven’t checked it out, I urge
you to. It’s a lot of fun, and it’s available on both
Android and iOS.
Anyway, while playing this game, I discovered a stored XSS
vulnerability in DOTS. Here’s how it came about.
XSS in a Mobile Game?
So, while playing the multiplayer mode of DOTS, I noticed that there
was a “Share” feature. This feature allows you to share (or brag
about) your scores with a friend. What happens is that the app uploads
your scores and names to the web server (I haven’t looked into the
exact HTTP request that it makes), gets back a unique URL, then allows
you to send this URL to someone.
deDacota is my attempt to tackle the
Cross-Site Scripting (XSS) problem. I know what you’re
thinking, there’s been a ton of excellent research on this area. How
could this work possibly be new?
XSS
Previously, we as a research community have looked at XSS
vulnerabilities as a problem of lack of sanitization. Those pesky web
developers (I am one, so I can say this) just can’t seem to properly
sanitize the untrusted input that is output by their application.
You’d think that after all this time (at least a decade, if not more),
the XSS problem would be done and solved. Just sanitize those inputs!
This is a true story that recently happened, and I wanted to
share/document it here as a reminder to always back up your research
data.
Turns out I was so tired after the 24-hour coding blur that was the
2013 iCTF that I didn’t back up the database. Or if I
did, I didn’t check it into our SVN repo. Then, to make matters worse,
I didn’t make a note to back up the data later.
Here’s a quick Bash function that I whipped up to SSH into a server
and keep the same directory. The use case for me is that I have a
Dropbox shared between my laptop and server. Sometimes I need to run
something (experiment, code, whatever) on the server. It was becoming
annoying to ssh and then cd to the correct directory.
picoCTF is an awesome hacking competition aimed at High
School students. The great guys at CMU and PPP are
putting on this innovative competition. I had some High School
students ask for pointers to prepare for the picoCTF. I invited them
to our weekly hacking group and talked about the hacking mindset and
basic tools. They amazed me with their knowledge—I was cutting my
teeth on TI-83 BASIC programming in math class when I was
their age.
What follows are my notes on the lecture I gave and the discussion
that we had. I hope other young hackers find these resources useful
while preparing for picoCTF.
Hacker Mindset
First and foremost, we need to understand how the hacker thinks. How
should you think when you’re trying to break a program?