Bypassing Internet Explorer s XSS Filter

Size: px

Start display at page:

Download "Bypassing Internet Explorer s XSS Filter"

Molly Hart
10 years ago
Views:

1 Bypassing Internet Explorer s XSS Filter Or: Oops, that s not supposed to happen.

2 About Me Mechanical Drafting Background Engine parts, Architectural fixtures, etc. Friend said Try This Three years at WhiteHat Sec.

3 Agenda Bypass: IE Anti-Reflective XSS Filter Explanation: Do Not Rely On Browsers Process: Security Test Tooling Demos Re-Engineering: Content Security Policy End Notes

4 BYPASS

5 Bypass Just over 1 year ago Late Friday, August 23rd, 2013 Finishing Webapp Assessment Visi;ng Site in Different Browsers Already Tried: Firefox, Chrome, Opera, & Safari On Deck: Internet Explorer

6 Bypass Earlier I Had Found A Reflective XSS Vulnerability Page Reflects Injection JavaScript Block Before Execute Check page rendered within iframe from specific page ( self!= parent )

7 Bypass Earlier I Had Found A Reflective XSS Vulnerability If: Page not rendered within the context of the parent page Then: JavaScript redirects to parent page Vulnerable page reloaded in iframe without injection However...

of the parent page Then: JavaScript redirects to parent

8 Bypass Earlier I Had Found A Reflective XSS Vulnerability Page in iframe defined from URL parameter Reflective XSS 1. Attacker sends URL 2. Victim visits URL 3. URL camouflages malicious site within trusted one 4. Attacker gathers input (e.g. victim credentials)

Attacker sends URL 2. Victim visits URL 3.

9 Bypass Tools From Training Vuln initially found with Firefox Looked for other browser-specific functionality Tested Internet Explorer last Decided to poke at vuln that looked interesting

10 Bypass Tools From Training Standard XSS training Hex entities decoded in attribute space param= value part of html tag Try an injection that doesn t look like <script>alert(1)</script> Encode a few characters, enter injection into IE

html tag Try an injection that doesn t look like

11 Bypass

12 Bypass Confirmation And Repeatability User Error Was First Thought (Setting turned off?) Restarted VM, Restarted Computer Showed to Coworker Sent Report to Management Went Home for Weekend

13 Bypass Confirmation And Repeatability Weekend Built Deliberately Vulnerable PHP Clearly Recreated Bypass Reported to Microsoft: Aug 26, 2013 (Case #15412) Response from Microsoft: No Fix (Oct 4, 2013)

14 EXPLANATION

15 Explanation Browser-Defined Trust Abuse Trust Bypass Filter Internet Explorer s Trust Decision Requests that are subject to filtering Requests that are not subject to filtering

16 Explanation How To Abuse The Browser-Defined Trust Primary request with injection is made Primary request doesn t cause IMMEDIATE JavaScript code execution Primary Request is subject to the filter Secondary request within the same domain is induced with data from Primary request Secondary request does cause JavaScript code execution Secondary request trusted and not filtered

to the filter Secondary request within the same domain is induced with data from Primary

17 PROCESS

18 Process Your Toolkit: Look For Iframes, frames Form submissions href attributes JavaScript redirects Places where both <a> and </a> can be injected

19 Process Your Toolkit: Try Using Hexadecimal Encodings This is Not a Drill

20 Process Hexadecimal Encodings HTML 4.0 Specification Section Character references 1998 &#xyy; intro/sgmltut.html#h-3.2.3

21 Process Your Toolkit: Try Using Hexadecimal Encodings This is Not a Drill &#xyy; Decimal Encodings

22 Process Decimal Encodings HTML 2.0 Specification ISO Latin Character Set 1995 &#YY;

23 Process Your Toolkit: Try Using Hexadecimal Encodings This is Not a Drill &#xyy; Decimal Encodings &#YY; Named Entity Encodings

24 Process Named Entity Encodings HTML 2.0 Specification Named Entities 1995 &ZZZ;

25 Process Your Toolkit: Try Using Hexadecimal Encodings This is Not a Drill &#xyy; Decimal Encodings &#YY; Named Entity Encodings &ZZZ; URL/URI Encodings

26 Process URL/URI Encodings RFC %WW (page 7)

27 Process Your Toolkit: Standard Elements Hexadecimal Encodings This is Not a Drill &#xyy; Decimal Encodings &#YY; Named Entity Encodings &ZZZ; URL/URI Encodings %WW

28 Process Your Toolkit: Add This Filter doesn t like:. Periods <form>, <frame>, <iframe> Filter sometimes permits, sometimes doesn t () [] {} Parenthesis, Square Brackets, Curly Brackets The word style

29 DEMOs Turning The Parts Into An Assembly

30 RE-ENGINEERING Content Security Policy

31 Re-Engineering Content Security Policy A policy language used to declare a set of content restrictions for a web resource, and a mechanism for transmitting the policy from a server to a client where the policy is enforced. Content Security Policy Maybe no more XSS (if done correctly)??? However...

32 Re-Engineering Content Security Policy Only Internet Explorer 10 & 11 have any support for Content Security Policy Content Security Policy support in Internet Explorer 10 & 11 is limited Uses older X-Content-Security-Policy HTTP Response Header instead of official Content-Security-Policy Header Source: Does it actually work?

33 DEMOs Re-Engineering: Content Security Policy

34 nd Notes Microsoft s No Fix Response Two different reasons were given: First reason was given at the time that MS officially notified me that there would be No Fix Second (different) reason was given several months later when I was interviewed for this bypass by ThreatPost hnp://threatpost.com/bypass- of- internet- explorer- cross- site- scrip;ng- filter- possible/103106

35 nd Notes Microsoft s No Fix Response The first reason I was given for No Fix : It requires Special Functionality Category 3 on: hnp://blogs.msdn.com/b/dross/archive/2008/07/03/ie8- xss- filter- design- philosophy- in- depth.aspx Not actually true: everything used is standard functionality that has been part of the official HTML specification since at least 1998

36 nd Notes Microsoft s No Fix Response The second reason I was given for No Fix : It requires user interaction This is partially true, but not fully true Cases that require user interaction Form submission, link clicking Cases that do not require user interaction frame/iframe elements, JavaScript redirects

37 But Wait, There s More Surprise Engineering Change Order Four weeks ago (August 29 th ), I stumbled upon another way to bypass Internet Explorer s XSS filter: Pages that perform Double-URL-Decoding can be used to bypass the filter

38 DEMO Surprise Engineering Change Order

39 End Notes Pulling It All Together The website will have the demos up for at least the next week. Please don t break it. Also:.pdf of slides The deliberately vulnerable PHP code can be downloaded from my GitHub page: hnps://github.com/rtwaysea/ie- xss- filter- bypass- 2.0

40 Questions? Thank You DerbyCon! Can t think of a question? Ask me about injections into a VBScript block

Carlos Muñoz Application Security Engineer WhiteHat Security @RTWaysea

Carlos Muñoz Application Security Engineer WhiteHat Security @RTWaysea Bypass: History Explanation: What Is Going On Process: Things To Look For Demos: alert(1) Done Live (hopefully) CSP: Content Security