A Tale of the Weaknesses of Current Client-Side XSS Filtering

Similar documents
A Tale of the Weaknesses of Current Client-side XSS Filtering

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

Precise client-side protection against DOM-based Cross-Site Scripting

A tale of the weaknesses of current client-side XSS filtering

Protection, Usability and Improvements in Reflected XSS Filters

Relax Everybody: HTML5 Is Securer Than You Think

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Reliable Mitigation of DOM-based XSS

Attacks on Clients: Dynamic Content & XSS

Network Security Web Security

Analysis of Browser Defenses against XSS Attack Vectors

25 Million Flows Later - Large-scale Detection of DOM-based XSS

HTML5. Eoin Keary CTO BCC Risk Advisory.

Next Generation Clickjacking

Advanced XSS. Nicolas Golubovic

Universal XSS via IE8s XSS Filters

Project 2: Web Security Pitfalls

Web-Application Security

Cross-Site Scripting

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Security Model for the Client-Side Web Application Environments

Cross Site Scripting Prevention

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Finding XSS in Real World

Bypassing XSS Auditor: Taking Advantage of Badly Written PHP Code

PST_WEBZINE_0X04. How to solve XSS and mix user's HTML/JavaScript code with your content with just one script

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Complete Cross-site Scripting Walkthrough

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

HTTPParameter Pollution. ChrysostomosDaniel

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)

Security starts in the head(er)

Intrusion detection for web applications

Web Application Exploits

Web Application Security

Secure Coding. External App Integrations. Tim Bach Product Security Engineer salesforce.com. Astha Singhal Product Security Engineer salesforce.

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011

XSS-GUARD : Precise Dynamic Prevention of Cross Site Scripting (XSS) Attacks

Understanding Cross Site Scripting

Cross-site site Scripting Attacks on Android WebView

XSS PROTECTION CHEATSHEET FOR DEVELOPERS V1.0. Author of OWASP Xenotix XSS Exploit Framework opensecurity.in

The Top Web Application Attacks: Are you vulnerable?

Security Research Advisory IBM inotes 9 Active Content Filtering Bypass

Recent Advances in Web Application Security

Check list for web developers

Defending against XSS,CSRF, and Clickjacking David Bishop

Chapter 1 Web Application (In)security 1

Carlos Muñoz Application Security Engineer WhiteHat

External Network & Web Application Assessment. For The XXX Group LLC October 2012

MASTERTAG DEVELOPER GUIDE

JavaScript By: A. Mousavi & P. Broomhead SERG, School of Engineering Design, Brunel University, UK

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Web Application Scan. Document Revision Initial Report Prepared By: AppCheck-NG Version: 1.0

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Client-side Web Engineering From HTML to AJAX

Robust Defence against XSS through Context Free Grammar

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Preparing for the Cross Site Request Forgery Defense

A Survey on Threats and Vulnerabilities of Web Services

Cyber Security Workshop Ethical Web Hacking

Ruby on Rails Secure Coding Recommendations

EVADING ALL WEB-APPLICATION FIREWALLS XSS FILTERS

Finding Your Way in Testing Jungle. A Learning Approach to Web Security Testing.

Uploaded images filter evasion for carrying out XSS attacks

Ethical Hacking Penetrating Web 2.0 Security

Table of Contents. Page ii

SQL INJECTION IN MYSQL

Gateway Apps - Security Summary SECURITY SUMMARY

Abusing HTML5. DEF CON 19 Ming Chow Lecturer, Department of Computer Science TuCs University Medford, MA

Webapps Vulnerability Report

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Server-Side JavaScript Injection Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team July 2011

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Phishing with Super Bait

Blackbox Reversing of XSS Filters

Detection of DOM-based Cross-Site Scripting by Analyzing Dynamically Extracted Scripts

Criteria for web application security check. Version

CTF Web Security Training. Engin Kirda

Magento Security and Vulnerabilities. Roman Stepanov

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

OAuth 2.0 and the Road to XSS: attacking Facebook Platform. Andrey

SAP: Session (Fixation) Attacks and Protections

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

Client-Side Cross-Site Scripting Protection

Ethical Hacking as a Professional Penetration Testing Technique

AJAX and JSON Lessons Learned. Jim Riecken, Senior Software Engineer, Blackboard Inc.

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Cross Site Scripting in Joomla Acajoom Component

Enhancing JavaScript Engine to Detect and Prevent XSS

Transcription:

Call To Arms: A Tale of the Weaknesses of Current Client-Side XSS Filtering Martin Johns, Ben Stock, Sebastian Lekies

About us Martin Johns, Ben Stock, Sebastian Lekies Security Researchers at SAP, Uni Erlangen and Google More and stuff at http://kittenpics.org About this talk Results of a practical evaluation of client-side XSS filtering Technical analysis of the Chrome XSS filter Presentation of various techniques to bypass the filter

Cross-Site Scripting a.k.a. XSS (duh)

The Same-Origin Policy Question: why can t attacker.org read the visitors emails from GMail? Answer: the Same-Origin Policy is in the way Only resources with matching protocol, domain and port may gain access That makes for a sad attacker (and his kitten) http://andshesaidit.files.wordpress.com/2010/05/sad_kitten1.jpg

XSS the underlying problem Web Apps process data Which was provided by the user POST, GET, headers,. Data might be stored, or echoed back directly Data <script>alert(1)</script> is actually Code interpreted by the victim s browser, executed in the origin of vulnerable application Attack method Find flaw in Web application that allows injection of CODE, not just DATA (we will elaborate in a minute) Make victim visit that site è We can read your GMails J

XSS what an attacker can do Open an alert box! Hijack a session Oldest trick in the book: steal their cookies Force victim to click a link (or post something about BlackHat on Twitter) Alter content Display fake content Spoof login forms.. Steal your password manager s passwords See our AsiaCCS paper if you are interested J Do everything with the Web app, that you could do under your ID http://images.sodahead.com/polls/003820731/ 1313763967_CAT_SHOCKED_xlarge.jpeg

Types of XSS Reflected Stored Server <?php! echo "Hello.$_GET['name'];!?>! <?php! $res = mysql_query( INSERT.$_GET['message']);! [ ]! $res = mysql_query( SELECT ");! $row = mysql_fetch_assoc($res);! echo $row['message'];!?>! Client <script>! var name = location.hash.slice(1));! document.write("hello " + name);! </script>! <script>! var html= location.hash.slice(1);! localstorage.setitem( message, html);! [ ]! var message = localstorage.getitem( message );! document.write(message);! </script>! http://upload.wikimedia.org/wikipedia/commons/f/f1 /Kitten_and_partial_reflection_in_mirror.jpg http://www.cat-lovers-only.com/images/kittens-in-a-box.jpg

Reflected XSS http://vulnerable.org/?a=<script>alert(1)</script> <html>.. <script>alert(1)</script> </html> <html>.. <script>alert(1)</script> </html>

Stopping XSS attacks If you are the application s owner: Don t use user-provided data in an unencoded/unfiltered way Use secure frameworks or other magic Use Content Security Policy, sandboxed iframes,

Stopping XSS attacks If you are the application s owner: Don t use user-provided data in an unencoded/unfiltered way Use secure frameworks or other magic Use Content Security Policy, sandboxed iframes, If you are the application s user: Turn of JavaScript Client-side XSS Filters NoScript IE Chrome (the XSS Auditor )

Quick digression: finding a lot of DOMXSS vulns

Finding and exploiting DOMXSS vulnerabilities automatically at scale using byte-level taint tracking in Chromium each character in a string has its source information attached to it... Chrome extension to crawl given set of Web sites also the interface between taint engine and central server and an exploit generator using taint information and HTML and JavaScript syntax rules to generate exploits fully automatic

Results (many many cats XSS) For our study, we analyzed Alexa Top 5k Found 480 domains with vulnerabilities Reran experiment against Alexa Top 10k Found a total of 1,602 unique vulnerabilities.. On 958 domains Auditor turned off at that point

Motivation So, we had this considerable amount of real-world XSS vulnerabilities And our prime testing platform was built onto the Chrome browser Hence, we got curious: How well does the Chrome Auditor protect us? We reran our experiment, with the Auditor turned on The Auditor did not catch all of our exploits This made us even more curious Why were the exploits not blocked? And can we increase the number of bypasses?

Bypassing the XSSAuditor

Reflected XSS (revisited) http://vulnerable.org/?a=<script>alert(1)</script> <html>.. <script>alert(1)</script> </html> <html>.. <script>alert(1)</script> </html> XSS Payload is contained in the request (i.e., in the URL)!

XSS Filter Strategies NoScript: Check outgoing requests for JavaScript IE: Use regular expression to compare HTTP requests and responses XSSAuditor Don t look at requests When response comes in, invoke HTML parser (actually, tokenizer) When a dangerous element or attribute is found during parsing, check the corresponding request s URL

How the XSS Auditor works An incoming HTTP response is parsed Every time the parser encounters an HTML construct that potentially executes JavaScript, the Auditor is invoked Important fact one: Only during the initial parsing process Important fact two: This check is done only if certain characters are contained in the URL: <, >, and The auditor checks the HTTP request, if the encountered HTML/JavaScript can be found in the request s URL (or body) Important fact three: Depending on the HTML construct, the matching algorithm differs If a match is found, the parser replaces the potential attack with a harmless placeholder

Auditor matching rules (simplified) Inline scripts <script>alert(1)</script> Matching rule the Auditor checks whether content of script is contained in the request skipping initial comments and whitespaces, only using up to 100 characters stop if encountering a terminating character : #? //

Auditor matching rules (simplified) HTML attributes Event handlers <img onerror="alert(1)" src="//doesnot.exist"> Attributes with JavaScript URLs <iframe src="javascript:alert(1)"></iframe> For each attribute the Auditor checks whether the attribute contains a JavaScript URL or if the attribute is an event handler Matching rule Check if the complete attribute is contained in the request

Auditor matching rules (simplified) For HTML elements that can reference external content <script src="//attacker.org/script.js"></script> <embed src="//attacker.org/flash.swf"></embed> Matching rule the Auditor checks whether the tag name is contained in the request and whether the complete attribute is contained in the request

How the XSS Auditor works An incoming HTTP response is parsed Every time the parser encounters an HTML construct that potentially executes JavaScript, the Auditor is invoked Important fact one: This check is done only if certain characters are contained in the URL: <, >, and The auditor checks the HTTP request, if the encountered HTML/JavaScript can be found in the request s URL (or body) Important fact two: Depending on the HTML construct, the matching algorithm differs If a match is found, the parser replaces the potential attack with a harmless placeholder

How the XSS Auditor works An incoming HTTP response is parsed Every time the parser encounters an HTML construct that potentially executes JavaScript, the Auditor is invoked Important fact one: This check is done only if certain characters are contained in the URL: <, >, and Invocation The auditor checks the HTTP request, if the encountered HTML/JavaScript can be found in the request s URL (or body) Important fact two: Depending on the HTML construct, the matching algorithm differs Matching If a match is found, the parser replaces the potential attack with a harmless placeholder Blocking

How to bypass the XSS Auditor An incoming HTTP response is parsed Every time the parser encounters an HTML construct that potentially executes JavaScript, the Auditor is invoked Important fact one: This check is done only if certain characters are contained in the URL: <, >, and Invocation The auditor checks the HTTP request, if the encountered HTML/JavaScript can be found in the request s URL (or body) Important fact two: Depending on the HTML construct, the matching algorithm differs Matching If a match is found, the parser replaces the potential attack with a harmless placeholder Blocking

How to bypass the XSS Auditor An incoming HTTP response is parsed Every time the parser encounters an HTML construct that potentially executes JavaScript, the Auditor is invoked Important fact one: This check is done only if certain characters are contained in the URL: <, >, and Invocation The auditor checks the HTTP request, if the encountered HTML/JavaScript can be found in the request s URL (or body) Important fact two: Depending on the HTML construct, the matching algorithm differs Matching If a match is found, the parser replaces the potential attack with a harmless placeholder Blocking

How to bypass the XSS Auditor An incoming HTTP response is parsed Every time the parser encounters an HTML construct that potentially executes JavaScript, the Auditor is invoked Important fact one: This check is done only if certain characters are contained in the URL: <, >, and Invocation The auditor checks the HTTP request, if the encountered HTML/JavaScript can be found in the request s URL (or body) Important fact two: Depending on the HTML construct, the matching algorithm differs Matching If a match is found, the parser replaces the potential attack with a harmless placeholder Blocking

Avoiding Auditor Invocation

Bypass invocation using eval Filter works only for injected HTML not for injected JavaScript

Bypass invocation in the HTML Parser Parsing "document fragments" i.e. innerhtml, outerhtml, insertadjacenthtml For performance reasons, Auditor is off for document fragments è all vulnerabilities targeting these sinks go through Unquoted attribute injection Auditor is disabled if <, >, and are not found in the request All injections that lead to JS execution, that do not require these characters evade the Auditor

HTML-free injections Various injection techniques that live solely in the JavaScript space As the HTML parser is not involved, the Auditor is not activated 1. DOM bindings e.g. assigning src attribute of existing script tag No HTML parsing, as the injection affects the already parsed DOM 2. Second-order flows e.g. cookies or Web Storage Injection vector cannot be found in the request 3. Alternative data sources e.g. postmessages Attack vector enters the page through non-request channels

String-matching issues Create situations, in which the injected vector does not match the parsed JavaScript

Partial Injections Hijack an existing tag Hijack an existing attribute (e.g. script.src) Hijack an existing script node

Partial Injections Hijack an existing tag Hijack an existing attribute (e.g. script.src) Hijack an existing script node http://www.vuln.com/partial.html#somevalue'; cat();//!!!!! var x = 'somevalue'; cat();//';!

Trailing content Idea: use existing content to fool Auditor... while still resulting in valid JavaScript

Trailing content Idea: use existing content to fool Auditor... while still resulting in valid JavaScript http://../trail.html#'><img src=//a onerror='cat();! <img src=//a onerror='cat();px'>!

Trailing content Idea: use existing content to fool Auditor... while still resulting in valid JavaScript Further trailing content-based bypasses Trailing slashes (Auditor stops search for payload after second slash) Trailing SVG (using Semicolon)

Double injections Single input, multiple injections, single sink Multiple inputs, multiple injections, single sink Multiple injection points, multiple sinks

Double injections Single input, multiple injections, single sink Multiple inputs, multiple injections, single sink Multiple injection points, multiple sinks...multi.html#")</script>'><script>cat(); void("!! <img height='250 ")</script>'><script>cat(); void(" ' src='c.jpg'><img height='250 ")</script>'><script>cat(); void(" ' src='c.jpg'>!

Double injections Single input, multiple injections, single sink Multiple inputs, multiple injections, single sink Multiple injection points, multiple sinks...multi.html#")</script>'><script>cat(); void("!! <img height='250")</script>'> <script> cat(); void("' src='c.jpg'><img height='250") </script> '><script>cat(); void("' src='c.jpg'>!

Double injections Single input, multiple injections, single sink Multiple inputs, multiple injections, single sink Multiple injection points, multiple sinks...multi.html#")</script>'><script>cat(); void("!! <img height='250")</script>'> <script> cat(); void("' src='c.jpg'><img height='250") </script> '><script>cat(); void("' src='c.jpg'>!

Bypasses in the wild

Empirical study Using our existing infrastructure, we found 1,602 DOM-based XSS vulnerabilities on 958 domains We enhanced our exploit generator to target bypassable vulnerabilities Not targeting DOM bindings, second-order flows or alternative attacks

Results of our study 776 out of 958 domains with bypassable vulnerabilities Bypass type Domain count innerhtml 469 eval 78 srcdoc (tag hijacking) 146 Trailing content 80 Multi flows 42 Unquoted attribute 7 Inscript injection 7 Assignment to existing script src 7

Conclusion

What to take away? XSS still is a problem Attack potential maybe bigger than you thought DOM-based XSS on about 10% of the Alexa Top 10k domains Browsers deploy countermeasure to protect users IE and Chrome built-in, Firefox as a plugin Chrome arguably best filter Security analysis of the Auditor shows that there are many bypasses, related to both... invocation and string-matching issues

What else to take away? We built a fully-automated system to find DOMXSS Taint-aware browser Context-aware exploit generator We enhanced the generator to target known issues in the Auditor Allowing for more exploits to bypass the Auditor We evaluated the impact of the issues Bypassing the filter on 776 out of 958 domains (81%)... 1,162 out of 1,602 vulnerabilities (73%)

PLACE CATPIC FROM TWITTER HERE Thank you visit us at kittenpics.org Martin Johns Ben Stock Sebastian Lekies @datenkeller @kcotsneb @sebastianlekies

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information