Bypassing NoScript Security Suite Using Cross-Site Scripting and MITM Attacks


Bypassing NoScript Security Suite
March 2016
Mazin Ahmed
mazin@mazinahmed.net
@mazen160

Table of Contents

1. Abstract
2. Introduction
3. Research
4. Solution
5. Recommendations
6. Notes
7. Disclosure Timeline
8. Conclusion
9. References
10. Acknowledgement

1. Abstract

NoScript Security Suite is a powerful security add-on for Firefox, SeaMonkey and other Mozilla-based browsers. Its main task is to block JavaScript, Flash, Java and many other plugins from executing untrusted code in the user's browser, allowing active content only from trusted, whitelisted sites. This paper discusses different techniques that an attacker can use to bypass the protection of NoScript Security Suite. These techniques can be used by malicious actors to bypass the default installation of NoScript. The paper also provides solutions and recommendations for end-users that can enhance the current protection of NoScript Security Suite.

2. Introduction

NoScript (also known as NoScript Security Suite) is a free and open-source extension that provides additional protection from potential exploits by disabling JavaScript, Java, Flash and other plugins for untrusted sites, and it also provides a number of additional features. It is a vital addition for ensuring the maximum possible security for the user. I will be demonstrating possible techniques that an attacker can use in order to bypass NoScript. I will also be explaining a mechanism that I have developed for bypassing the default installation of NoScript Security Suite.

3. Research

This section discusses the results of the conducted research.

3.1 First Bypass: Using NoScript Detection Bugs

A bypass can occur through a detection bug that affects NoScript. Similar bypasses have been demonstrated previously by Julien Voisin [1], Gareth Heyes [2], and others. All known issues have been patched.

3.2 Second Bypass: Exploiting a Cross-Site Scripting Vulnerability Against Whitelisted Websites

This bypass can be demonstrated by finding and exploiting a cross-site scripting vulnerability in any of the whitelisted domains. Since the whitelisted domains are allowed to execute JavaScript in the client's browser, a single XSS vulnerability is all it takes to bypass the default installation of NoScript. Although NoScript provides a cross-site scripting filter, it is not sufficient to block XSS attacks.

3.2.1 Proof of Concept

live.com is whitelisted in the default installation of NoScript. I have identified an XSS vulnerability on the domain and reported it to Microsoft. I am not planning to disclose information regarding this XSS vulnerability, but I will use it to demonstrate how it can be used to bypass NoScript.

Figure 1: A proof of concept for an XSS vulnerability on live.com

The browser is using the default installation of NoScript. The XSS payload has been executed successfully without any interruption by NoScript Security Suite.

3.3 Third Bypass: Using MITM Attacks

This attack is quite different from the other attacks. It uses typical MITM attacks to automate the process of bypassing NoScript Security Suite. We already know that the default installation of NoScript Security Suite uses a number of whitelisted sites that are allowed to execute JavaScript freely. The security of the executed JavaScript therefore relies mainly on the security of the whitelisted website and on the security of the network that is currently handling the requests. By exploiting the client's network in a way that tricks the client's browser into executing JavaScript, NoScript Security Suite can be bypassed. Note that this is not a theoretical attack; I will be demonstrating it with a valid proof of concept.

3.3.1 Steps to Reproduce

1. The victim is using Firefox with NoScript Security Suite enabled.
2. The attacker has access to the victim's network.
3. The victim makes a request to a website that is using plain HTTP.
4. The attacker intercepts the response to the request and injects into it a hidden iframe that points to a whitelisted site.
5. The victim's browser makes a request to the whitelisted website.
6. The attacker intercepts the response to the request and injects the desired JavaScript payload.
7. The response is received by the victim's browser.
8. The browser renders the response, and the JavaScript payload is executed.
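Step 4 of the sequence above leaves a visible trace on the wire: a plain-HTTP response that suddenly carries a hidden iframe pointing at a host other than the one serving the page. The following is an added example (not code from the paper, from BetterCap or from NoScript) of a detection heuristic a defender could run over captured HTTP response bodies to flag that pattern. The page URL, host names and HTML body are constructed for the example; the hostnames `news.example.net` and `whitelisted.example.com` are placeholders.

```python
"""Flag hidden iframes to foreign origins in a captured HTTP response body.

Added illustration, not the paper's or NoScript's code. A hidden cross-origin
iframe is not proof of tampering on its own (ads and trackers use them), so
the result is an alert to investigate rather than a verdict.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that make an element invisible.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attribute dictionaries of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value) pairs; value is None for
            # valueless attributes such as a bare `hidden`.
            self.iframes.append(dict(attrs))


def _is_hidden(attrs):
    """True if the iframe is styled invisible, marked hidden, or has a zero dimension."""
    style = attrs.get("style") or ""
    if HIDDEN_STYLE.search(style):
        return True
    if "hidden" in attrs:
        return True
    for dim in ("width", "height"):
        value = (attrs.get(dim) or "").strip().rstrip("px")
        if value.isdigit() and int(value) == 0:
            return True
    return False


def find_suspicious_iframes(page_url, body):
    """Return src URLs of hidden iframes whose host differs from the page's host."""
    page_host = (urlparse(page_url).hostname or "").lower()
    parser = IframeCollector()
    parser.feed(body)
    flagged = []
    for attrs in parser.iframes:
        src = attrs.get("src")
        if not src or not _is_hidden(attrs):
            continue
        host = (urlparse(src).hostname or "").lower()
        if host and host != page_host:
            flagged.append(src)
    return flagged


# Constructed sample: a plain-HTTP page into which a hidden iframe to a
# different host has been inserted just before </body>. The first iframe is
# a normal, visible, same-host embed and must not be flagged.
SAMPLE_PAGE_URL = "http://news.example.net/index.html"
SAMPLE_BODY = """<html><body>
<h1>Local news</h1>
<iframe src="http://news.example.net/weather" width="300" height="150"></iframe>
<p>...</p>
<iframe src="http://whitelisted.example.com/" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_PAGE_URL, SAMPLE_BODY):
        print("hidden cross-origin iframe:", src)
```

The check is deliberately narrow: it only considers the response the user requested, so it catches the first injection (the hidden iframe) but not the second (script injected into the whitelisted host's own response). Serving and requesting the whitelisted hosts over HTTPS only, as the recommendations below describe, is what closes the second step.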

3.3.2 Proof of Concept

I have written multiple proofs of concept that can be used to automate and perform this attack on the fly. I have used BetterCap, a MITM framework that is capable of automating a number of MITM attacks. The proofs of concept that I wrote are BetterCap modules that perform the task of bypassing NoScript as described above.

Download Link: https://mazinahmed.net/uploads/hacknoscript_pocs.zip

Usage:

$ bettercap -G [GATEWAY] -T [TARGET] --proxy --proxy-module hack_noscript_poc.rb

Now, whenever a client that is protected by NoScript makes an HTTP request, the BetterCap module handles all the work and ensures the execution of the JavaScript payload within the victim's browser.

Figure 2: A screenshot that shows the execution of JavaScript in a victim's browser while using the BetterCap module.

Note that I have not exploited a cross-site scripting vulnerability on pastebin.com or dvd.netflix.com; this is the result of launching the BetterCap module within the victim's network. It results in JavaScript being executed in the victim's browser, which is protected by NoScript, as demonstrated in Figure 2.

4. Solution

The following are suggested solutions for the issues discussed in this research:

- Update NoScript to the latest version.
- If you would like to ensure the maximum possible protection, you need to customize the configuration using the recommendations in the next section.

5. Recommendations

- Ensure that the "Forbid active web content unless it comes from a secure (HTTPS) connection" option is set to "Always".
- Validate each entry in the whitelisted domains, and delete unnecessary whitelisted domains.
- If you would like a customized NoScript configuration, I have provided a NoScript configuration that can hopefully ensure a higher level of security when using NoScript Security Suite.

NoScript Configuration Download Link: https://mazinahmed.net/uploads/noscript.conf

6. Notes

Users of the Tor Browser are not affected by the second and third bypass by default, since Tor Browser is prebuilt with a custom NoScript configuration that does not include any whitelisted domain. However, you may need to double-check whether your Tor Browser has the "Forbid active web content unless it comes from a secure (HTTPS) connection" option set to "Always".
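The two recommendations above target the same root cause: a whitelist entry without a scheme trusts the host over plain HTTP as well as HTTPS, which is exactly the window the third bypass uses, while the HTTPS-only option closes that window regardless of how the list is written. The following is an added example (not the paper's code and not NoScript's implementation) that models this with a simplified matching rule, stated here as an assumption: a bare entry such as `live.com` matches that host and its subdomains on any scheme, while an entry carrying a scheme (`https://live.com`) matches only that scheme. The `https_only` flag stands for the "Forbid active web content unless it comes from a secure (HTTPS) connection" option. The whitelist used is constructed for the example and is not NoScript's actual default list.

```python
"""Model how scheme-less whitelist entries expose a NoScript user to MITM.

Added example, not NoScript's real matching code. Assumed rule: an entry
without a scheme matches the host and its subdomains over any scheme; an
entry with a scheme matches only that scheme.
"""
from urllib.parse import urlparse


def _host_matches(entry_host, host):
    """True if host equals entry_host or is a subdomain of it."""
    return host == entry_host or host.endswith("." + entry_host)


def script_allowed(url, whitelist, https_only=False):
    """Decide whether script from `url` would run under the given whitelist.

    https_only models the recommended "Forbid active web content unless it
    comes from a secure (HTTPS) connection" = Always setting.
    """
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()
    if https_only and scheme != "https":
        # Plain-HTTP content never runs, whitelisted or not, so an on-path
        # attacker who tampers with an HTTP response gains nothing.
        return False
    for entry in whitelist:
        if "://" in entry:
            entry_scheme, _, entry_host = entry.partition("://")
            if entry_scheme.lower() != scheme:
                continue
        else:
            entry_host = entry
        if _host_matches(entry_host.lower(), host):
            return True
    return False


def audit_whitelist(whitelist):
    """Return the entries that let plain-HTTP origins execute script.

    These are the entries to review or delete under the second recommendation:
    steps 5 and 6 of the described attack depend on a whitelisted host being
    reachable over HTTP.
    """
    return [e for e in whitelist if not e.lower().startswith("https://")]


def harden_whitelist(whitelist):
    """Pin every entry to HTTPS, in the spirit of the NoScript v2.9.0.5 change
    noted in the timeline (upgrading default whitelist entries to HTTPS)."""
    hardened = []
    for entry in whitelist:
        host = entry.partition("://")[2] if "://" in entry else entry
        hardened.append("https://" + host)
    return hardened


# Constructed sample whitelist (not NoScript's real default list).
SAMPLE_WHITELIST = ["live.com", "https://addons.mozilla.org", "example.org"]

if __name__ == "__main__":
    print("entries exposed over plain HTTP:", audit_whitelist(SAMPLE_WHITELIST))
    for url in ("http://live.com/", "https://login.live.com/", "http://addons.mozilla.org/"):
        print(url, "->", script_allowed(url, SAMPLE_WHITELIST))
    print("http://live.com/ with HTTPS-only:",
          script_allowed("http://live.com/", SAMPLE_WHITELIST, https_only=True))
    print("hardened list:", harden_whitelist(SAMPLE_WHITELIST))
```

Run stand-alone, the script shows `http://live.com/` being allowed under the bare entry and denied once either the entry is pinned to HTTPS or the HTTPS-only option is on. The `audit_whitelist` output is the list a user should walk through when applying the second recommendation.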

7. Disclosure Timeline

October 25th, 2015: Initial disclosure.
October 26th, 2015 / November 4th, 2015: Discussion regarding a possible patch.
November 19th, 2015: I sent a proof of concept to the developer.
November 20th, 2015 / November 21st, 2015: Discussion regarding the exploitation of the issue.
December 17th, 2015: Initial patch publicly released in NoScript v2.7, removing a number of sites to reduce the attack surface.
January 2nd, 2016: I demonstrated the points missed by the initial patch and provided a second proof of concept.
January 8th, 2016: The developer asked for further information.
January 11th, 2016: I responded with the required information.
January 23rd, 2016: The developer agreed to implement the proposed solution.
March 16th, 2016: A patch was released in NoScript v2.9.0.5 to automatically upgrade the sites found in the default whitelist to HTTPS.

8. Conclusion

NoScript is one of the most essential projects in the field for protecting the end-user from known (and, in a few cases, unknown) exploits. I am a big supporter of the project, and I am glad to help in increasing the security of NoScript Security Suite. When testing NoScript's protection, I have come to the conclusion that NoScript, like any security product, can be bypassed in a certain way. Although the protection and the way of evading it differ from one product to another, in the end, a full evasion is always possible. This was a short piece of research that discusses how NoScript Security Suite can be bypassed using cross-site scripting attacks against the whitelisted sites of the default installation of NoScript. It also showed how network attacks can be used to bypass the default installation of NoScript Security Suite.

9. References

[1] https://dustri.org/b/noscript-script-disabled-bypass-poc-for-tails-13.html
[2] http://blog.portswigger.net/2015/07/noscript-xss-filter-bypass.html

10. Acknowledgement

I would like to thank the following individuals for their contribution during the research:

Giorgio Maone
Simone Margaritelli