A Tale of the Weaknesses of Current Client-side XSS Filtering

Similar documents
A Tale of the Weaknesses of Current Client-Side XSS Filtering

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

A tale of the weaknesses of current client-side XSS filtering

Precise client-side protection against DOM-based Cross-Site Scripting

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Universal XSS via IE8s XSS Filters

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Advanced XSS. Nicolas Golubovic

Cross-Site Scripting

Project 2: Web Security Pitfalls

Analysis of Browser Defenses against XSS Attack Vectors

Security Research Advisory IBM inotes 9 Active Content Filtering Bypass

Attacks on Clients: Dynamic Content & XSS

25 Million Flows Later - Large-scale Detection of DOM-based XSS

Relax Everybody: HTML5 Is Securer Than You Think

Protection, Usability and Improvements in Reflected XSS Filters

Finding XSS in Real World

Web Application Exploits

Secure Coding. External App Integrations. Tim Bach Product Security Engineer salesforce.com. Astha Singhal Product Security Engineer salesforce.

Cross Site Scripting Prevention

Reliable Mitigation of DOM-based XSS

HTTPParameter Pollution. ChrysostomosDaniel

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Understanding Cross Site Scripting

Network Security Web Security

Next Generation Clickjacking

Complete Cross-site Scripting Walkthrough

Cyber Security Workshop Ethical Web Hacking

Phishing by data URI

Web Application Security

Web Application Guidelines

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

Investigation Report Regarding Security Issues of Web Applications Using HTML5

Intrusion detection for web applications

Dynamic Web-Enabled Data Collection

Bypassing XSS Auditor: Taking Advantage of Badly Written PHP Code

Uploaded images filter evasion for carrying out XSS attacks

XSS PROTECTION CHEATSHEET FOR DEVELOPERS V1.0. Author of OWASP Xenotix XSS Exploit Framework opensecurity.in

Cross-site site Scripting Attacks on Android WebView

Introduction. Buffer Overflow. SQL Injection. Cross-Site Scripting. Software Security I. Overview. Source: SearchsoftwareQuality.techtarget.

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Security Model for the Client-Side Web Application Environments

AJAX and JSON Lessons Learned. Jim Riecken, Senior Software Engineer, Blackboard Inc.

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011

Method of control. Lots of ways to architect C&C: Star topology; hierarchical; peer-to-peer Encrypted/stealthy communication.

A Survey on Threats and Vulnerabilities of Web Services

Server-Side JavaScript Injection Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team July 2011

XSS-GUARD : Precise Dynamic Prevention of Cross Site Scripting (XSS) Attacks

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

HTML5. Eoin Keary CTO BCC Risk Advisory.

HTTP Response Splitting

Are AJAX Applications Vulnerable to Hack Attacks?

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 20

Web-Application Security

Introduction to Computer Security

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

HOD of Dept. of CSE & IT. Asst. Prof., Dept. Of CSE AIET, Lko, India. AIET, Lko, India

JavaScript Basics & HTML DOM. Sang Shin Java Technology Architect Sun Microsystems, Inc. sang.shin@sun.com

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Check list for web developers

The Top Web Application Attacks: Are you vulnerable?

Security starts in the head(er)

Finding Your Way in Testing Jungle. A Learning Approach to Web Security Testing.

Chapter 1 Web Application (In)security 1

Client-side Web Engineering From HTML to AJAX

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Security features of ZK Framework

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Phishing with Super Bait

CTF Web Security Training. Engin Kirda

CTIS 256 Web Technologies II. Week # 1 Serkan GENÇ

ECE458 Winter Web Security. Slides from John Mitchell and Vitaly Shmatikov (Modified by Vijay Ganesh)

SQL Injection for newbie

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Webapps Vulnerability Report

EVADING ALL WEB-APPLICATION FIREWALLS XSS FILTERS

Yandex.Widgets Quick start

JavaScript By: A. Mousavi & P. Broomhead SERG, School of Engineering Design, Brunel University, UK

Recent Advances in Web Application Security

Last update: February 23, 2004

Web Application Scan. Document Revision Initial Report Prepared By: AppCheck-NG Version: 1.0

EECS 398 Project 2: Classic Web Vulnerabilities

Web Security Threat Report: January April Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots

Ethical Hacking Penetrating Web 2.0 Security

Bypassing Internet Explorer s XSS Filter

HTML Form Widgets. Review: HTML Forms. Review: CGI Programs

External Network & Web Application Assessment. For The XXX Group LLC October 2012

Transcription:

A Tale of the Weaknesses of Current Client-side XSS Filtering Sebastian Lekies (@sebastianlekies), Ben Stock (@kcotsneb) and Martin Johns (@datenkeller) Attention hackers! These slides are preliminary! For updated material please check http://kittenpics.org Meow!

Agenda Technical Background XSS 101 Chrome s XSS Auditor Bypassing the XSS Auditor Scope-related Issues String-matching-based Issues Empirical Study Conclusion 2013 SAP AG or an SAP affiliate company. All rights reserved. 2

Technical Background

Cross-Site Scripting 101 What is XSS? Underlying Problem Web applications process data that was passed to them via GET or POST requests User input such as: Form fields, parts of the URL, HTTP headers, etc. Often this data is included / echoed somewhere in the application s UI E.g. within HTML: 2013 SAP AG or an SAP affiliate company. All rights reserved. 4

Cross-Site Scripting 101 Types of Cross-Site Scripting I Caused by server-side code (Java, PHP, etc.) 1. Reflected Traditional XSS 2. Persistent Caused by client-side code (JavaScript, VB, Flash) 3. Reflected DOM-based XSS 4. Persistent Caused by the infrastructure 5. Client-side infrastructure (e.g. Universal XSS) 6. Server-side infrastructure (e.g. Response Splitting) 7. Network (e.g. Off-path Attacks, Active Network Attacker) Application-specific Application-independent Caused by the user 8. Self-XSS 2013 SAP AG or an SAP affiliate company. All rights reserved. 5

Cross-Site Scripting 101 Types of Cross-Site Scripting II Reflected Persistent Server <?php echo "Hello.$_GET['name'];?> <?php $res = mysql_query( INSERT.$_GET['message']); [ ] $res = mysql_query( SELECT "); $row = mysql_fetch_assoc($res); echo $row['message'];?> Client <script> var name = location.hash.slice(1)); document.write("hello " + name); </script> <script> var html= location.hash.slice(1); localstorage.setitem( message, html); [ ] var message = localstorage.getitem( message ); document.write(message); </script> 2013 SAP AG or an SAP affiliate company. All rights reserved. 6

Cross-Site Scripting 101 Exploitation (Reflected XSS) Reflected Cross-Site Scripting 1. Craft malicious link 2. Embed link with payload within a innocent looking page http://kittenpics.org Source: http://www.hd-gbpics.de/gbbilder/katzen/katzen2.jpg 2013 SAP AG or an SAP affiliate company. All rights reserved. 7 7

Cross-Site Scripting 101 Exploitation (Persistent XSS) Persistent Cross-Site Scripting The web application permanently stores user provided data This data is included in the website Every time the vulnerable web page is visited, the malicious code gets executed 2013 SAP AG or an SAP affiliate company. All rights reserved. 8

Cross-Site Scripting 101 Exploitation (Persistent XSS) Persistent Cross-Site Scripting The web application permanently stores user provided data This data is included in the website Every time the vulnerable web page is visited, the malicious code gets executed Example: Guestbook 2013 SAP AG or an SAP affiliate company. All rights reserved. 9

Cross-Site Scripting 101 Exploitation (Persistent XSS) Persistent Cross-Site Scripting The web application permanently stores user provided data This data is included in the website Every time the vulnerable web page is visited, the malicious code gets executed Example: Guestbook After injecting the attack code the adversary only has to sit back and wait 2013 SAP AG or an SAP affiliate company. All rights reserved. 10

Technical Background Cross-Site Scripting - Exploitation The effects of a successful attack: An attacker includes malicious JavaScript code into a webpage This code is executed in the victim s browser session. In the context of the application Browser http://example.net HTML Cookies JavaScript JavaScript XSS Attacker 2013 SAP AG or an SAP affiliate company. All rights reserved. 11

Cross-Site Scripting 101 Example 2013 SAP AG or an SAP affiliate company. All rights reserved. 12

Cross-Site Scripting 101 Attacker Capabilities Malicious Capabilities Web content alteration Displaying faked content Spoofing of login dialogues» Phishing of Username / Password Session Hijacking Cookie Theft Session Hijacking Browser Hijacking Creating HTTP requests Impersonating the user (towards the server) Impersonating the server (towards the user) 2013 SAP AG or an SAP affiliate company. All rights reserved. 13

Chrome s XSS Auditor

Chrome s XSS Auditor Best protection against XSS is to avoid vulnerabilities But: XSS vulnerabilities are omnipresent in the Web NoScript and Microsoft introduced first client-side countermeasures Google introduced the XSS Auditor in 2010. Client-side system to prevent exploitation of existing XSS vulnerabilities Primarily aims at reflected XSS Goals: Low false positive rate, low performance impact 2013 SAP AG or an SAP affiliate company. All rights reserved. 15

Chrome s XSS Auditor Attacker Model http://example.org Browser http://example.org/?text=a ><script>alert(1)</script> <html> <input type= text value= a > <script>alert(1)</script>> </html> 2013 SAP AG or an SAP affiliate company. All rights reserved. 16

Chrome s XSS Auditor Placement Webkit / Blink Rendering Engine V8 JavaScript Engine GET /?text=a ><script>alert(1)</script> Host: example.org User-Agent: <Browser> Accept: text/html HTTP/1.1 200 OK Content-Type: text/html Server: ECS (iad/19ab) Content-Length: 1270 DOM-bindings HTML-Parser <html> <input type= text value= a > <script>alert(1)</script>> </html> XSS-Auditor 2013 SAP AG or an SAP affiliate company. All rights reserved. 17

Chrome s XSS Auditor Decision Logic Ways to Invoke JavaScript Engine: Inline Scripts <script>alert(1);</script> Event handler onload, onerror, onclick, oncut, onunload, onfocus, onblur e.g.: <img src= foo onload= alert(1) ></img> Attributes with JavaScript URLs frame.src, a.href e.g.: <iframe src= javascript:alert(1) ></iframe> External Content e.g.: <script src= http://evil.com/script.js ></script> e.g.: <embed src= http://evil.com/flash.swf ></embed> e.g.: <applet code= http://evil.com/java.class ></applet> FilterCharacterToken EraseDangerousAttributes FilterTagSpecificAttributes e.g.: <object><param name= source value= http://evil.com/silverlight.xap ></object> 2013 SAP AG or an SAP affiliate company. All rights reserved. 18

Chrome s XSS Auditor Matching Rules (Simplified) If one of these situations is present, the Auditor performs its checks For Inline Scripts (e.g. <script>alert(1)//test</script>) the Auditor checks whether the content of the script is contained within the request For each attribute (e.g. <div onclick= alert(1) >) the Auditor checks whether the attribute contains a JavaScript URL or whether the attribute is an event handler and if the complete attribute is contained in the request For special attributes (e.g. <script foo= bar src= http://evil.com/evil.js ></script>) the Auditor checks whether the tag name is contained within the request and if the complete attribute is contained in the request 2013 SAP AG or an SAP affiliate company. All rights reserved. 19

Bypassing Chrome s XSS Auditor

Chrome s XSS Auditor Decision Logic Filter Character Token Matching Rule <script>/* some comment */ eval("\x61\x6c\x65\x72\x74\x28\x31\x29 ) /* [ ] */ var foo= bar ; </script> Skip initial comments and whitespaces Use any character until the next comment, opening script tag or comma eval("\x61\x6c\x65\x72\x74\x28\x31\x29 ) Fully decode the string eval( alert(1) ) Fully decode the URL 2013 SAP AG or an SAP affiliate company. All rights reserved. 21

Bypassing the XSS Auditor Scope Related Issues Webkit / Blink Rendering Engine DOMbindings V8 JavaScript Engine XSS-Auditor 2013 SAP AG or an SAP affiliate company. All rights reserved. 22

Bypassing the XSS Auditor String-matching-related Issues GET /?text=a ; alert(1);// ; Host: example.org User-Agent: <Browser> Accept: text/html HTTP/1.1 200 OK Content-Type: text/html Server: ECS (iad/19ab) Content-Length: 1270 <html> <script> var x = a ; alert(1);// ;</script> </html> 2013 SAP AG or an SAP affiliate company. All rights reserved. 23

Chrome s XSS Auditor Scope Related Issues Eval Webkit / Blink V8 JavaScript Engine GET /index.php#alert(1) Host: example.org User-Agent: <Browser> Accept: text/html DOM-bindings var x = location.hash.slice(1); eval(x); [ ] HTML-Parser XSS-Auditor 2013 SAP AG or an SAP affiliate company. All rights reserved. 24

Chrome s XSS Auditor Scope Related Issues InnerHTML, outterhtml, insertadjacenthtml Webkit / Blink V8 JavaScript Engine GET /index.php#<img src= onerror="alert(1) > Host: example.org User-Agent: <Browser> Accept: text/html DOM-bindings var code = location.hash.slice(1); var el = document.getelementbyid( foo ) el.innerhtml = code; [ ] HTML-Parser XSS-Auditor 2013 SAP AG or an SAP affiliate company. All rights reserved. 25

Chrome s XSS Auditor Scope Related Issues Access via DOM-bindings Webkit / Blink V8 JavaScript Engine GET /index.php#alert(1) Host: example.org User-Agent: <Browser> Accept: text/html DOM-bindings var url= location.hash.slice(1); var f = document.getelementsbytagname; var el = f( script )[0].src = url; [ ] HTML-Parser XSS-Auditor 2013 SAP AG or an SAP affiliate company. All rights reserved. 26

Chrome s XSS Auditor Scope Related Issues Second Order Flows Webkit / Blink GET /index.php#<script>alert(1)</script> /index.php Host: example.org User-Agent: <Browser> Accept: text/html DOM-bindings V8 JavaScript Engine var code = location.hash.slice(1); localstorage.getitem( foo ); localstorage.setitem( foo, document.write(code); code); [ ] HTML-Parser XSS-Auditor 2013 SAP AG or an SAP affiliate company. All rights reserved. 27

Chrome s XSS Auditor Scope Related Issues Alternative Attack Vectors Webkit / Blink GET /index.php Host: example.org User-Agent: <Browser> Accept: text/html DOM-bindings V8 JavaScript Engine function cb (event){ var code = event.data; document.write(code); } var w = window; w.addeventlistener( message, cb, false) [ ] HTML-Parser XSS-Auditor 2013 SAP AG or an SAP affiliate company. All rights reserved. 28

Chrome s XSS Auditor Scope Related Issues Unquoted Attribute Webkit / Blink GET /index.php Host: example.org User-Agent: <Browser> Accept: text/html DOM-bindings V8 JavaScript Engine var code = <iframe src= name= + location.hash + ></iframe> document.write(code); [ ] HTML-Parser XSS-Auditor 2013 SAP AG or an SAP affiliate company. All rights reserved. 29

String-Matching-based Issues 1. Partial Injections Tag Hijacking Attribute Hijacking In-script Injections 2013 SAP AG or an SAP affiliate company. All rights reserved. 30

String-Matching-based Issues 1. Partial Injections Tag Hijacking Attribute Hijacking In-script Injections 2013 SAP AG or an SAP affiliate company. All rights reserved. 31

String-Matching-based Issues 1. Trailing Content Trailing Content within Attributes Trailing Content and SVG Trailing Content of tags 2013 SAP AG or an SAP affiliate company. All rights reserved. 32

String-Matching-based Issues 1. Trailing Content Trailing Content within Attributes Trailing Content and SVG Trailing Content of tags 2013 SAP AG or an SAP affiliate company. All rights reserved. 33

String-Matching-based Issues 1. Double Injections Multiple inputs, multiple injection points, single sink Single input, multiple injection points, single sink Multiple injection points, multiple sinks 2013 SAP AG or an SAP affiliate company. All rights reserved. 34

String-Matching-based Issues 1. Double Injections Multiple inputs, multiple injection points, single sink Single input, multiple injection points, single sink Multiple injection points, multiple sinks 2013 SAP AG or an SAP affiliate company. All rights reserved. 35

String-Matching-based Issues Application-specific input mutation 2013 SAP AG or an SAP affiliate company. All rights reserved. 36

String-Matching-based Issues Application-specific input mutation 2013 SAP AG or an SAP affiliate company. All rights reserved. 37

Empirical Study In a previous study we collected 1,602 DOM-based XSS vulnerabilities on 958 domains We built a tool to generate bypasses for these vulnerabilities Results We successfully exploited 73% of the 1602 vulnerabilities despite of the Auditor We exploited vulnerabilities on 81% of all vulnerable applications 2013 SAP AG or an SAP affiliate company. All rights reserved. 38

Conclusion

Conclusion XSS is a wide-spread problem Many different types of XSS exist DOM-based XSS is one serious subclass of XSS Browser-vendors introduced client-side XSS filters to protect users from being exploited successfully All major browsers offer XSS filter We conducted a security analysis of Chrome s XSS Auditor and found 18 bypasses 7 scope-related Issues 9 string-matching-related issues allowing us to bypass XSS vulnerabilities on about 80% of all vulnerable applications 2013 SAP AG or an SAP affiliate company. All rights reserved. 40

Thank you Contact information: Sebastian Lekies Ben Stock Martin Johns SAP AG FAU Erlangen SAP AG @sebastianlekies @kcotsneb @datenkeller

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information