mXSS Attacks: Attacking well-secured Web-Applications
by using innerHTML Mutations
Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas
Magazinius, and Edward Z. Yang
ACM CCS (November, 2013)
1
OUTLINE
XSS
mXSS
Exploits and Attack Surface
Mitigation Techniques
Evaluation
Related Work and Conclusion
2
Cross-Site Scripting (XSS)
Reflected XSS
◦ Maliciously manipulated parameters
Stored XSS
◦ User-contributed content stored on the server
http://www.collinjackson.com/research/xssauditor.pdf
DOM XSS (XSS of the third kind)
◦ JavaScript library
4
Solutions for XSS
Server-side solutions
◦ Encoding, replacement, rewriting.
Client-side solutions
◦ IE8 XSS Filter
◦ Chrome XSS Auditor
◦ Firefox NoScript extension
5
mXSS
Mutation-based Cross-Site-Scripting
https://cure53.de/fp170.pdf
7
mXSS - At the time of testing
Impact on IE, Firefox, Chrome
◦ Webmail Clients
Bypass HTML Sanitizers
◦ HTML Purifier
◦ htmLawed
◦ OWASP AntiSamy
◦ jSoup
◦ kses
Led to subsequent changes in browser behavior.
8
innerHTML / outerHTML
An HTML element's property
◦ Creating HTML content from arbitrarily
formatted strings
◦ Serializing HTML DOM nodes into strings
http://www.jb51.net/article/16585.htm
9
Mutation
Trigger the mutation
10
Browser Model
http://www.cs.berkeley.edu/~dawnsong/papers/2011%20systematic%20analysis%20xss
11
innerHTML-Access
Access to the innerHTML properties
◦ from (parent) element nodes
HTML editor
◦ contenteditable attribute
◦ document.execCommand()
Print preview
12
Exploits
innerHTML-access
A. Backtick (`)
B. XML Namespace (xmlns)
C. CSS Escapes / Misfit Characters
14
Exploits – Backtick and XMLNS
Backtick (`)
XML Namespace
15
Exploits – CSS
CSS specifications propose CSS escapes
◦ v\61lue = value
Mutation
◦ 'val\27ue' => 'val'ue'
16
Exploits – CSS Recursive Decoding
Bypass some HTML filters with recursive decoding
17
Exploits – CSS Escapes in Property Names
Terminate the style attribute
18
Exploits – Entity-Mutation in non-HTML Documents
MIME type
◦ text/xhtml
Attacker may abuse MIME sniffing
19
Exploits – Entity-Mutation in non-HTML context of HTML documents
SVG tag, fixed
20
Attack Surface
A mutation event occurs when
74.5% of the Alexa Top 1000 websites were found to be using innerHTML assignments.
21
Attack Surface
JavaScript libraries
◦ 65% of the top 10,000 websites
◦ 48.87% using jQuery
Webmails
◦ Microsoft Hotmail, Yahoo! Mail, Redi Mail, OpenExchange, Roundcube, etc.
◦ Bug reports were acknowledged
HTML sanitizers
◦ Add new rules for known mutation effects
22
Mitigation Techniques(Server-side)
HTML
◦ Appending a trailing whitespace to text?
CSS
◦ Disallow any of the special characters
◦ Percent-escaping for parentheses and single quotes in
URLs
Implemented in HTML Purifier (CSS)
24
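As an added example (not code from the paper, the slides, or HTML Purifier), a Python sketch of the two server-side CSS rules above applied to the escape mutations from the earlier Exploits slides: CSS escapes are decoded to a fixed point before the special-character check, so `v\61lue` passes while `'val\27ue'` and the doubly encoded `\5c 27` are rejected, and parentheses and single quotes in URLs are percent-escaped. Function names and the forbidden-character set are my own choices, not the paper's.

```python
import re

# CSS escape grammar (CSS Syntax Level 3): a backslash followed by 1-6 hex
# digits and at most one whitespace character, or a backslash followed by
# any character other than a hex digit or a newline.
_CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\n\f\r]?|([^\n0-9a-fA-F]))")

# Characters to disallow in a CSS property value after decoding (an assumed
# set following the slides' "disallow any of the special characters").
FORBIDDEN = frozenset("'\"()\\<>&")


def css_unescape_once(value: str) -> str:
    """Decode one layer of CSS escapes: 'v\\61lue' -> 'value', '\\27' -> \"'\"."""
    def repl(m: re.Match) -> str:
        if m.group(1) is not None:
            cp = int(m.group(1), 16)
            # NUL, surrogates and out-of-range code points decode to U+FFFD.
            if cp == 0 or 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
                return "\ufffd"
            return chr(cp)
        return m.group(2)
    return _CSS_ESCAPE.sub(repl, value)


def css_unescape_fully(value: str, max_rounds: int = 8) -> str:
    """Decode until the string stops changing, so the check below also covers
    escapes that only appear after a first pass (\\5c 27 -> \\27 -> ')."""
    for _ in range(max_rounds):
        decoded = css_unescape_once(value)
        if decoded == value:
            break
        value = decoded
    return value


def css_value_is_safe(value: str) -> bool:
    """Apply the filter rule to the fully decoded value, not the raw input."""
    return not (FORBIDDEN & set(css_unescape_fully(value)))


def percent_escape_url(url: str) -> str:
    """Percent-escape parentheses and single quotes in a URL destined for
    url(...), the second server-side rule from the slides."""
    return url.replace("(", "%28").replace(")", "%29").replace("'", "%27")
```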
Mitigation Techniques(Client-side)
TrueHTML
◦ A script
◦ Overwrites the getter methods of the innerHTML property
◦ Uses the XMLSerializer DOM object
◦ Changes HTML handling into XML-based processing
◦ Low performance impact compared to filtering innerHTML data
25
Evaluation - Size
http archive
◦ Average transfer size of a web page: 1,200 kB (52 kB HTML, 214 kB JavaScript)
TrueHTML
◦ 820 bytes of code
27
Evaluation - Time
VM1
◦ Intel Xeon X5650 CPU 2.67GHz, 2GB RAM
◦ Ubuntu 12.04 Desktop, Mozilla Firefox 14.0.1
VM2
◦ Intel Core2Duo CPU 1.86GHz, 2GB RAM
◦ Ubuntu 12.04 Desktop, Mozilla Firefox 16.0.2
Proxy Server to inject TrueHTML
Navigation Timing API
28
Evaluation - Time
Network Testing Top 10,000
◦ Overhead 0.01% to 99.94%
Local Testing 1
29
Evaluation - Time
Local Testing 2
◦ <p>…(1kb)…</p>
◦ Scale to 1,000 elements
30
Related Work
Abusing Internet Explorer 8's XSS Filters
Browser Security Handbook
The Tangled Web: A Guide to Securing Modern Web Applications (book)
XSSAuditor bypasses from sla.ckers.org.
Towards Elimination of XSS Attacks with a Trusted and Capability Controlled DOM (PhD thesis, Ruhr-University Bochum, 2012)
32
Conclusion
Problematic and mostly undocumented browser behavior
"Well-formed HTML is unambiguous" is false
Defensive tools and libraries must gain awareness of the additional processing layers that browsers possess.
33