soheilkhodayari / thething
TheThing: an open-source tool to detect DOM Clobbering vulnerabilities

Home Page: https://domclob.xyz

License: GNU Affero General Public License v3.0

Topics: jaw, neo4j, vulnerability-analysis, dom-clobbering

TheThing

A static-dynamic security analysis tool for DOM clobbering vulnerabilities based on JAW-v1 and Iroh. TheThing can be used for analyzing the client-side of web applications.

Note: The source code of TheThing has been merged with JAW, resulting in JAW-v2. Accordingly, this repository now uses JAW-v2 as a git submodule.

This project is available as open source under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE V3.0. See LICENSE for more information.

TheThing has a website available at https://soheilkhodayari.github.io/DOMClobbering.

✨ What is DOM Clobbering?

DOM Clobbering is an attack technique where the attacker achieves arbitrary client-side code execution by injecting non-script HTML markup into a vulnerable webpage and transforming the initially secure markup into executable code.

DOM Clobbering originates from a naming collision between JavaScript variables and named HTML markup: attackers confuse the web application by injecting HTML elements whose id or name attribute matches the name of a security-sensitive variable, such as a variable used for fetching remote content (e.g., a script src).

For more information, see here.

➰ Overview

TheThing comprises three building block components:

  • Web Crawler: given a single seed URL of a webapp under test, collects its webpages' resources (e.g., scripts).
  • Static Analyzer: detects DOM Clobbering sources and sinks and potential data flows among them.
  • Dynamic Analyzer: checks the clobberability of the identified sources, and the data flows.

The architecture of TheThing is shown in the figure below.
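As an added illustration of the source/sink collision described under "What is DOM Clobbering?" and searched for by the Static Analyzer (example code written for this page, not TheThing's or JAW's own code): a toy checker that parses markup for id/name attributes that become window.* or document.* properties and reports any such property that a script reads. The named-property rules are deliberately simplified (an assumption, not the tool's model), and the sample script and markup are constructed.

```python
import re
from html.parser import HTMLParser

# Simplified named-property rules (an assumption for this example): any element
# with an id becomes window.<id>; the tags below also expose their name attribute
# on window and/or document. The HTML spec and real browsers have further cases.
WINDOW_BY_NAME = {"embed", "form", "img", "object"}
DOCUMENT_BY_NAME = {"embed", "form", "iframe", "img", "object"}


class NamedElementCollector(HTMLParser):
    """Collect id/name attributes that would shadow window.* / document.*."""

    def __init__(self):
        super().__init__()
        self.window_props = {}    # property -> (tag, attribute)
        self.document_props = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        el_id, name = attrs.get("id"), attrs.get("name")
        if el_id:
            self.window_props.setdefault(el_id, (tag, "id"))
        if name and tag in WINDOW_BY_NAME:
            self.window_props.setdefault(name, (tag, "name"))
        if name and tag in DOCUMENT_BY_NAME:
            self.document_props.setdefault(name, (tag, "name"))


def find_collisions(html, js):
    """Return (object, property, tag, attribute) for every window.X / document.X
    read in `js` whose X is also defined by a named element in `html`."""
    collector = NamedElementCollector()
    collector.feed(html)
    tables = (("window", collector.window_props),
              ("document", collector.document_props))
    hits = []
    for obj, table in tables:
        for prop in sorted(set(re.findall(rf"\b{obj}\.([A-Za-z_$][\w$]*)", js))):
            if prop in table:
                hits.append((obj, prop) + table[prop])
    return hits


# Constructed sample: the page's script (sink side) and markup an attacker could
# inject (source side); not taken from any real site.
SAMPLE_JS = """
var cfg = window.config || {};
loadScript(cfg.cdn + '/app.js');
var f = document.settings;
"""
SAMPLE_HTML = '<a id="config"></a><form name="settings"></form>'
```

Calling `find_collisions(SAMPLE_HTML, SAMPLE_JS)` reports that `window.config` collides with `<a id="config">` and `document.settings` with `<form name="settings">`.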

🏭 Installation

The source code of TheThing has been merged with JAW, resulting in JAW-v2. As such, this repository now uses JAW-v2 as a git submodule.

To clone TheThing and its submodule JAW-v2.x, you can do:

$ git clone --recurse-submodules https://github.com/SoheilKhodayari/TheThing

Alternatively, do:

$ git clone https://github.com/SoheilKhodayari/TheThing
$ cd TheThing
$ git clone https://github.com/SoheilKhodayari/JAW --branch v2.0.4

Then, copy the JAW's content into the root directory:

$ cp -rf ./JAW/* ./

Finally, get the necessary dependencies via:

$ ./install.sh

This will install the required npm and python libraries, and the chromium driver.

Note: You can also download the pre-packaged code from the releases section or the stable branch.

🚀 Running

You can run an instance of the pipeline in a background screen via:

$ screen -dmS s1 bash -c 'python3 -m run_domclobbering --conf=config.domclobbering.yaml; exec sh'

The CLI provides the following options:

$ python3 -m run_domclobbering -h

usage: run_domclobbering.py [-h] [--conf FILE] [--site SITE] [--list LIST] [--from FROM] [--to TO]

This script runs the tool pipeline.

optional arguments:
  -h, --help            show this help message and exit
  --conf FILE, -C FILE  pipeline configuration file. (default: config.domclobbering.yaml)
  --site SITE, -S SITE  website to test; overrides config file (default: None)
  --list LIST, -L LIST  site list to test; overrides config file (default: None)
  --from FROM, -F FROM  the first entry to consider when a site list is provided; overrides config file (default: -1)
  --to TO, -T TO        the last entry to consider when a site list is provided; overrides config file (default: -1)

Configuration: TheThing expects a .yaml config file as input. See config.domclobbering.yaml for an example.

Running Building Blocks: For documentation on how to run each building block of the tool individually, see here.

🙋 Questions

For any questions, suggestions, feedback or concerns, please raise an issue in the repository.

🎃 Contribution and Code Of Conduct

Bug reports and pull requests are more than welcomed on GitHub. For more information, please refer to contribution guidelines.

This project is intended to be a safe, welcoming space, and contributors are expected to adhere to the contributor code of conduct.

📚 Documentation

Please refer to the complete documentation in docs.

📝 Academic Publication

If you use TheThing for academic research, we encourage you to cite the following paper:

@inproceedings{SKhodayariSP23TheThing,
  author = {Soheil Khodayari and Giancarlo Pellegrino},
  title = {It's (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses},
  booktitle = {To Appear at proceedings of the 44th IEEE Symposium on Security and Privacy},
  year = {2023},
}


thething's Issues

How to analyze a site as an authenticated user?

Hello,

First off, amazing project. Thank you a ton for making this available.

I'm trying to analyze a website that redirects if you're not authenticated. What are my options here? I've looked through all of the documentation, but did not see an option.

Side question: Is there any documentation on interpreting the results? They're not quite clear at first glance.

Thanks!

Operational issues with await

Hello author, sorry to disturb you. I am a student interested in your DOM clobbering project, and I have been learning and trying to use your TheThing recently, but there is a problem running the Dynamic Analyzer of the third module: after running it says that at line 493 there is "await is only valid in async functions and the top level bodies of modules". I checked the relevant information to see whether the await keyword is placed in a function declared with async, but it seems that there is no async at line 484 in the "force-execution" code. Can you tell me which step or compiler version is the problem? Thank you very much.

Clobbering document.x through iframe tags with id=x attribute

Hi,

Thank you for the detailed work on DOM clobbering across different browsers. However, in section 4.2.2 and table 2 of your Oakland paper, you mention that an iframe with id=x can affect document.x, which has been listed as one of your new findings.

"Named Access Window and DOM Tree Accessors. We discovered that any custom HTML tag (e.g., customtag) can be used to clobber a target variable x and window.x in all web browsers. Also, iframe tags with id=x can clobber document.x and named applet elements can clobber both window.x and document.x. In total, we found five new instances across four out of the 14 classes that rely on the Window Named Access and DOM Accessors techniques."

I ran some tests using BrowserStack and found that the iframe id attribute doesn't seem to clobber the DOM Tree Accessors in a few of the listed versions of Chrome, Firefox, and Edge (which contradicts table 2):

Chrome: Tested from version 86 to 123
Firefox: Tested from version 80 to 124
Edge: Tested from version 80 to 123

Could there have been updates or changes in browser behavior not covered in the paper? I believe the iframe tag with id attribute cannot clobber the lookup on the document in the column listed in table 2. If I'm missing something, could you point me to the specific browser versions where the iframe clobbers document.x as described?
