Bypassing Internet Explorer s XSS Filter



Similar documents
Carlos Muñoz Application Security Engineer WhiteHat

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Phishing by data URI

Recent Advances in Web Application Security

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

Administrator s Guide

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011

AJAX Storage: A Look at Flash Cookies and Internet Explorer Persistence

Webapps Vulnerability Report

Next Generation Clickjacking

Secure development and the SDLC. Presented By Jerry

Cross-Site Scripting

Web Application Attacks And WAF Evasion

Thomas Röthlisberger IT Security Analyst

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft


Universal XSS via IE8s XSS Filters

Pwning Intranets with HTML5

A Tale of the Weaknesses of Current Client-side XSS Filtering

Protection, Usability and Improvements in Reflected XSS Filters

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Finding XSS in Real World

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

A Tale of the Weaknesses of Current Client-Side XSS Filtering

Web Application Worms & Browser Insecurity

XSS Lightsabre techniques. using Hackvertor

HTML5. Eoin Keary CTO BCC Risk Advisory.

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

Module 6 Web Page Concept and Design: Getting a Web Page Up and Running

Check list for web developers

Browser tools that make web development easier. Alan Seiden Consulting alanseiden.com

Web Application Security: Exercise Development Approaches

Criteria for web application security check. Version

The Top Web Application Attacks: Are you vulnerable?

The Prevalence of Flash Vulnerabilities on the Web

If you are the recipient of an encrypted message, the following instructions will help you to decrypt your message. The California State University

Preparing for the Cross Site Request Forgery Defense

Web-Application Security

Security starts in the head(er)

Security features of ZK Framework

Security Testing with Selenium

Hatco Lead Management System:

CTF Web Security Training. Engin Kirda

TCP/IP Networking, Part 2: Web-Based Control

Understanding Cross Site Scripting

The Image that called me

Sichere Webanwendungen mit Java

Relax Everybody: HTML5 Is Securer Than You Think

Cross Site Scripting in Joomla Acajoom Component

Developing ASP.NET MVC 4 Web Applications MOC 20486

Avaya Inventory Management System

Revisiting SQL Injection Will we ever get it right? Michael Sutton, Security Evangelist

Analysis of Browser Defenses against XSS Attack Vectors

Finding Your Way in Testing Jungle. A Learning Approach to Web Security Testing.

Gateway Apps - Security Summary SECURITY SUMMARY

Web Application Security

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

Hack Yourself First. Troy troyhunt.com

Customising Your Mobile Payment Pages

Introduction to Ingeniux Forms Builder. 90 minute Course CMSFB-V6 P

Project 2: Web Security Pitfalls

How To Use Mugeda Content

Edwin Analytics Getting Started Guide

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Short notes on webpage programming languages

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Web Browsing Examples. How Web Browsing and HTTP Works

Esigate Module Documentation

Cross Site Scripting Prevention

Hack-proof Your Drupal App. Key Habits of Secure Drupal Coding

AppSec USA 2014 Denver, Colorado Security Header Injection Module (SHIM)

Intrusion detection for web applications

Hack Proof Your Webapps

QualysGuard WAS. Getting Started Guide Version 3.3. March 21, 2014

1. TURN OFF UAC SETTINGS

Botnet-Powered SQL Injection Attacks A Deeper Look Within (VB, Sep. 2009) David Maciejak Guillaume Lovet

DeltaPAY v2 Merchant Integration Specifications (HTML - v1.9)

Detect and Sanitise Encoded Cross-Site Scripting and SQL Injection Attack Strings Using a Hash Map

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Portal Recipient Guide

Penetration Test Report

Security Research Advisory IBM inotes 9 Active Content Filtering Bypass

(WAPT) Web Application Penetration Testing

Browser Performance Tests We put the latest web browsers head-to-head to try to find out which one is best!

Developing ASP.NET MVC 4 Web Applications

Exploits: XSS, SQLI, Buffer Overflow

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

WompMobile Technical FAQ

Abusing HTML5. DEF CON 19 Ming Chow Lecturer, Department of Computer Science TuCs University Medford, MA

Weird New Tricks for Browser Fingerprinting. yan ToorCon 2015

Transcription:

Bypassing Internet Explorer s XSS Filter Or: Oops, that s not supposed to happen. Carlos @RTWaysea

About Me Mechanical Drafting Background Engine parts, Architectural fixtures, etc. Friend said Try This Three years at WhiteHat Sec.

Agenda Bypass: IE Anti-Reflective XSS Filter Explanation: Do Not Rely On Browsers Process: Security Test Tooling Demos Re-Engineering: Content Security Policy End Notes

BYPASS

Bypass Just over 1 year ago Late Friday, August 23rd, 2013 Finishing Webapp Assessment Visi;ng Site in Different Browsers Already Tried: Firefox, Chrome, Opera, & Safari On Deck: Internet Explorer

Bypass Earlier I Had Found A Reflective XSS Vulnerability Page Reflects Injection JavaScript Block Before Execute Check page rendered within iframe from specific page ( self!= parent )

Bypass Earlier I Had Found A Reflective XSS Vulnerability If: Page not rendered within the context of the parent page Then: JavaScript redirects to parent page Vulnerable page reloaded in iframe without injection However...

Bypass Earlier I Had Found A Reflective XSS Vulnerability Page in iframe defined from URL parameter Reflective XSS 1. Attacker sends URL 2. Victim visits URL 3. URL camouflages malicious site within trusted one 4. Attacker gathers input (e.g. victim credentials)

Bypass Tools From Training Vuln initially found with Firefox Looked for other browser-specific functionality Tested Internet Explorer last Decided to poke at vuln that looked interesting

Bypass Tools From Training Standard XSS training Hex entities decoded in attribute space param= value part of html tag Try an injection that doesn t look like <script>alert(1)</script> Encode a few characters, enter injection into IE

Bypass

Bypass Confirmation And Repeatability User Error Was First Thought (Setting turned off?) Restarted VM, Restarted Computer Showed to Coworker Sent Report to Management Went Home for Weekend

Bypass Confirmation And Repeatability Weekend Built Deliberately Vulnerable PHP Clearly Recreated Bypass Reported to Microsoft: Aug 26, 2013 (Case #15412) Response from Microsoft: No Fix (Oct 4, 2013)

EXPLANATION

Explanation Browser-Defined Trust Abuse Trust Bypass Filter Internet Explorer s Trust Decision Requests that are subject to filtering Requests that are not subject to filtering

Explanation How To Abuse The Browser-Defined Trust Primary request with injection is made Primary request doesn t cause IMMEDIATE JavaScript code execution Primary Request is subject to the filter Secondary request within the same domain is induced with data from Primary request Secondary request does cause JavaScript code execution Secondary request trusted and not filtered

PROCESS

Process Your Toolkit: Look For Iframes, frames Form submissions href attributes JavaScript redirects Places where both <a> and </a> can be injected

Process Your Toolkit: Try Using Hexadecimal Encodings This is Not a Drill

Process Hexadecimal Encodings HTML 4.0 Specification Section 3.2.3 Character references 1998 &#xyy; http://www.w3.org/tr/1998/rec-html40-19980424/ intro/sgmltut.html#h-3.2.3

Process Your Toolkit: Try Using Hexadecimal Encodings This is Not a Drill &#xyy; - 1998 Decimal Encodings

Process Decimal Encodings HTML 2.0 Specification ISO Latin Character Set 1995 &#YY; http://www.w3.org/markup/html-spec/htmlspec_9.html#sec9.7.2

Process Your Toolkit: Try Using Hexadecimal Encodings This is Not a Drill &#xyy; - 1998 Decimal Encodings &#YY; - 1995 Named Entity Encodings

Process Named Entity Encodings HTML 2.0 Specification Named Entities 1995 &ZZZ; http://www.w3.org/markup/html-spec/htmlspec_9.html#sec9.7.1

Process Your Toolkit: Try Using Hexadecimal Encodings This is Not a Drill &#xyy; - 1998 Decimal Encodings &#YY; - 1995 Named Entity Encodings &ZZZ; - 1995 URL/URI Encodings

Process URL/URI Encodings RFC 1630 1994 %WW http://www.ietf.org/rfc/rfc1630.txt (page 7)

Process Your Toolkit: Standard Elements Hexadecimal Encodings This is Not a Drill &#xyy; - 1998 Decimal Encodings &#YY; - 1995 Named Entity Encodings &ZZZ; - 1995 URL/URI Encodings %WW - 1994

Process Your Toolkit: Add This Filter doesn t like:. Periods <form>, <frame>, <iframe> Filter sometimes permits, sometimes doesn t () [] {} Parenthesis, Square Brackets, Curly Brackets The word style

DEMOs Turning The Parts Into An Assembly

RE-ENGINEERING Content Security Policy

Re-Engineering Content Security Policy A policy language used to declare a set of content restrictions for a web resource, and a mechanism for transmitting the policy from a server to a client where the policy is enforced. Content Security Policy 1.0 http://www.w3.org/tr/csp/ Maybe no more XSS (if done correctly)??? However...

Re-Engineering Content Security Policy Only Internet Explorer 10 & 11 have any support for Content Security Policy Content Security Policy support in Internet Explorer 10 & 11 is limited Uses older X-Content-Security-Policy HTTP Response Header instead of official Content-Security-Policy Header Source: http://content-security-policy.com... Does it actually work?

DEMOs Re-Engineering: Content Security Policy

nd Notes Microsoft s No Fix Response Two different reasons were given: First reason was given at the time that MS officially notified me that there would be No Fix Second (different) reason was given several months later when I was interviewed for this bypass by ThreatPost hnp://threatpost.com/bypass- of- internet- explorer- cross- site- scrip;ng- filter- possible/103106

nd Notes Microsoft s No Fix Response The first reason I was given for No Fix : It requires Special Functionality Category 3 on: hnp://blogs.msdn.com/b/dross/archive/2008/07/03/ie8- xss- filter- design- philosophy- in- depth.aspx Not actually true: everything used is standard functionality that has been part of the official HTML specification since at least 1998

nd Notes Microsoft s No Fix Response The second reason I was given for No Fix : It requires user interaction This is partially true, but not fully true Cases that require user interaction Form submission, link clicking Cases that do not require user interaction frame/iframe elements, JavaScript redirects

But Wait, There s More Surprise Engineering Change Order Four weeks ago (August 29 th ), I stumbled upon another way to bypass Internet Explorer s XSS filter: Pages that perform Double-URL-Decoding can be used to bypass the filter

DEMO Surprise Engineering Change Order

End Notes Pulling It All Together The website will have the demos up for at least the next week. Please don t break it. http://gazebelwerks.net/derbycon4.0/ Also:.pdf of slides The deliberately vulnerable PHP code can be downloaded from my GitHub page: hnps://github.com/rtwaysea/ie- xss- filter- bypass- 2.0

Questions? Thank You DerbyCon! Can t think of a question? Ask me about injections into a VBScript block

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information