1
mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations
Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, and Edward Z. Yang.
ACM CCS (November, 2013)
2
OUTLINE
XSS
mXSS
Exploits and Attack Surface
Mitigation Techniques
Evaluation
Related Work and Conclusion
4
Cross-Site Scripting (XSS)
Reflected XSS
◦ Maliciously manipulated request parameters, echoed back by the server
Stored XSS
◦ User-contributed content stored on the server and served to other users
DOM XSS (XSS of the third kind)
◦ Client-side JavaScript (often a library) writes untrusted data into the DOM; the server never sees the payload
http://www.collinjackson.com/research/xssauditor.pdf
5
Solutions for XSS
Server-side solutions
◦ Encoding, replacement, rewriting
Client-side solutions
◦ IE8 XSS Filter
◦ Chrome XSS Auditor
◦ Firefox NoScript extension
8
mXSS - At the time of testing
mXSS (mutation-based XSS): markup that passes a sanitizer as written, but turns into an XSS payload once the browser serializes it through innerHTML and parses the result again.
Impact on IE, Firefox, Chrome
◦ Webmail clients
Bypasses HTML sanitizers
◦ HTML Purifier
◦ htmLawed
◦ OWASP AntiSamy
◦ jSoup
◦ kses
Led to subsequent changes in browser behavior.
9
innerHTML / outerHTML
An HTML element's property
◦ Setter: creates HTML content (a DOM subtree) from an arbitrarily formatted string
◦ Getter: serializes HTML DOM nodes back into a string
The serialized string is not guaranteed to equal the string that was assigned; that difference is the mutation.
http://www.jb51.net/article/16585.htm
12
innerHTML access
Access to the innerHTML property
◦ From (parent) element nodes
HTML editors
◦ contenteditable attribute
◦ document.execCommand()
Print preview
15
Exploits - Backtick and XMLNS
Backtick {`}
◦ IE accepted the backtick as an attribute value delimiter; its innerHTML serializer emitted such values without quotes, so on re-parse the backtick pair closes the attribute and the remaining text becomes new attributes (e.g. an event handler).
XML Namespace
◦ Elements with XML namespace prefixes were serialized differently from how they had been parsed, so re-parsing the serialized string yields a different DOM structure.
16
Exploits - CSS
CSS specifications define backslash escapes
◦ v\61lue = value
Mutation: the serializer decodes the escape, so the re-parsed value contains a literal quote that terminates the CSS string early
◦ 'val\27ue' => 'val'ue'
19
Exploits - Entity mutation in non-HTML documents
MIME type
◦ text/xhtml (the document is parsed as XML, so character references are decoded in every element, including <style> and <script>, which HTML treats as raw text)
Attacker may abuse MIME sniffing to get a document processed as XHTML
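The mechanism behind this slide, as an added example (not code from the paper or the slides): it models only the two rules that matter for text nodes, namely that an XML parser decodes character references in every element, while the HTML fragment serialization algorithm (what the innerHTML getter runs) writes the text of style, script, xmp, iframe, noembed, noframes and plaintext out literally. Element parsing is out of scope; the function names and the sample payload are constructed for this example.

```javascript
// Text children of these HTML elements are emitted literally by the HTML fragment
// serialization algorithm; text under any other parent has "&", U+00A0, "<" and
// ">" escaped.
const RAW_TEXT_PARENTS = new Set([
  'style', 'script', 'xmp', 'iframe', 'noembed', 'noframes', 'plaintext',
]);

function escapeHtmlText(data) {
  return data
    .replace(/&/g, '&amp;')
    .replace(/\u00a0/g, '&nbsp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// HTML serializer rule for one text node whose parent is `parentLocalName`.
function serializeTextNode(parentLocalName, data) {
  return RAW_TEXT_PARENTS.has(parentLocalName) ? data : escapeHtmlText(data);
}

// Decoding of the predefined XML entities and numeric character references.
// An XML parser applies this to every element's text: XML has no raw-text elements.
// (For the HTML path this example uses the same subset; HTML knows many more names.)
const XML_ENTITIES = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
function decodeCharRefs(markupText) {
  return markupText.replace(/&(#x[0-9a-fA-F]+|#[0-9]+|lt|gt|amp|quot|apos);/g, (_, ref) => {
    if (ref[0] !== '#') return XML_ENTITIES[ref];
    const cp = ref[1] === 'x' ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
    return String.fromCodePoint(cp);
  });
}

// What the DOM text node holds after parsing `markupText` under <parent>.
function parseText(parent, markupText, asXml) {
  // HTML raw-text elements keep their content verbatim (no entity decoding).
  if (!asXml && RAW_TEXT_PARENTS.has(parent)) return markupText;
  return decodeCharRefs(markupText);
}

// One round trip: parse, then read back through the HTML serializer, which is what
// the browsers studied in the paper did for innerHTML on XHTML content as well.
function roundTrip(parent, markupText, asXml) {
  const data = parseText(parent, markupText, asXml);
  return `<${parent}>${serializeTextNode(parent, data)}</${parent}>`;
}

// A mutation is a round trip whose output differs from its input.
function mutates(parent, markupText, asXml) {
  return roundTrip(parent, markupText, asXml) !== `<${parent}>${markupText}</${parent}>`;
}

// Constructed sample: harmless as written, because the tag is entity-encoded.
const SAMPLE = '&lt;img src=x onerror=alert(1)&gt;';
console.log(roundTrip('style', SAMPLE, true));   // XHTML: entities gone, a raw <img ...> now sits inside <style>
console.log(roundTrip('style', SAMPLE, false));  // HTML: raw text in, raw text out, unchanged
console.log(roundTrip('p', SAMPLE, true));       // XHTML, ordinary parent: decoded, then re-escaped, unchanged
```

The point to check in your own application is the pair of conditions, not either one alone: decoding on the parse side and literal output on the serialize side. A sanitizer that only ever sees the entity-encoded form has no way to notice that the browser will produce the decoded one.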
21
Attack Surface
A mutation event occurs when
74.5% of the Alexa Top 1000 websites were found to use innerHTML assignments.
22
Attack Surface
JavaScript libraries
◦ 65% of the top 10,000 websites use a JavaScript library
◦ 48.87% use jQuery
Webmails
◦ Microsoft Hotmail, Yahoo! Mail, Redi Mail, OpenExchange, Roundcube, etc.
◦ Bug reports were acknowledged
HTML sanitizers
◦ Add new rules for known mutation effects
24
Mitigation Techniques (server-side)
HTML
◦ Appending a trailing whitespace to text?
CSS
◦ Disallow any of the special characters in CSS values
◦ Percent-escaping for parentheses and single quotes in URLs
Implemented in HTML Purifier (CSS part)
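The CSS escape mutation from the exploits section ('val\27ue' => 'val'ue') and the two server-side CSS rules on this slide, worked through as one added example. This is not the paper's code and not HTML Purifier's; the function names are mine, and the sample values are constructed. It decodes escapes the way a CSS parser does, shows why a check on the raw value misses the hidden quote, and implements the "disallow special characters" rule on the decoded value plus the percent-escaping rule for URLs.

```javascript
// CSS backslash escapes as a CSS parser consumes them (CSS Syntax Level 3,
// "consume an escaped code point"): "\" + 1..6 hex digits, optionally followed by
// one whitespace character that is swallowed; or "\" + any other non-newline char.
function decodeCssEscapes(value) {
  return value.replace(/\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|([^\n\r\f]))/g, (_, hex, ch) => {
    if (hex === undefined) return ch;                 // "\'" -> "'"
    let cp = parseInt(hex, 16);
    if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) cp = 0xfffd;
    return String.fromCodePoint(cp);
  });
}

// A serializer that decodes escapes hands its output to a parser that decodes
// again. Decode until the value stops changing, so that a double-encoded quote
// ("\5c 27" -> "\27" -> "'") is seen for what it is.
function decodeToFixedPoint(value, maxRounds = 8) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeCssEscapes(current);
    if (next === current) break;
    current = next;
  }
  return current;
}

// Body of a single-quoted CSS string, or null if the value is not one.
function quotedBody(value) {
  const m = /^'([\s\S]*)'$/.exec(value);
  return m ? m[1] : null;
}

// Naive rule: the raw body must not contain quotes or parentheses. Backslashes
// are allowed because escapes are legal CSS. This accepts 'val\27ue'.
function naiveCssStringIsSafe(value) {
  const body = quotedBody(value);
  return body !== null && !/['"()]/.test(body);
}

// Mutation-aware rule ("disallow any of the special characters"): judge the
// decoded body, and refuse a backslash that survives decoding (a trailing one).
function strictCssStringIsSafe(value) {
  const body = quotedBody(value);
  return body !== null && !/[\\'"()]/.test(decodeToFixedPoint(body));
}

// Percent-escape the characters that can terminate a CSS url() token or string.
// The slide names parentheses and single quotes; the double quote and the
// backslash are added here as an assumption. Note that encodeURIComponent()
// leaves ' ( ) untouched, so it does not do this job on its own.
function escapeCssUrl(url) {
  return url.replace(/['"()\\]/g, c =>
    '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
}

// Constructed inputs: a benign escape, the slide's mutation, and a double-encoded quote.
for (const v of ["'v\\61lue'", "'val\\27ue'", "'val\\5c 27ue'"]) {
  console.log(v, '->', decodeToFixedPoint(v), 'naive:', naiveCssStringIsSafe(v), 'strict:', strictCssStringIsSafe(v));
}
console.log(escapeCssUrl("http://example.com/a(b)'c"));
```

The fixed-point loop is the part that distinguishes a round-trip-aware check from a one-shot decoder: one pass turns \5c 27 into \27, which still looks like an escape rather than a quote.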
25
Mitigation Techniques (client-side): TrueHTML
◦ A script
◦ Overwrites the getter of the innerHTML property
◦ Uses the XMLSerializer DOM object
◦ Changes the HTML handling into XML-based processing: the XML serializer always quotes attribute values and escapes consistently, so the string it returns re-parses to the same DOM
◦ Low performance impact compared to filtering innerHTML data
27
Evaluation - Size
HTTP Archive
◦ Average transfer size of a web page: 1,200 kB (52 kB HTML, 214 kB JavaScript)
TrueHTML
◦ 820 bytes of code
28
Evaluation - Time
VM1
◦ Intel Xeon X5650 CPU 2.67 GHz, 2 GB RAM
◦ Ubuntu 12.04 Desktop, Mozilla Firefox 14.0.1
VM2
◦ Intel Core 2 Duo CPU 1.86 GHz, 2 GB RAM
◦ Ubuntu 12.04 Desktop, Mozilla Firefox 16.0.2
Proxy server used to inject TrueHTML into the pages under test
Page load times measured with the Navigation Timing API
32
Related Work
Abusing Internet Explorer 8's XSS Filters
Browser Security Handbook
The Tangled Web: A Guide to Securing Modern Web Applications (book)
XSSAuditor bypasses from sla.ckers.org
Towards Elimination of XSS Attacks with a Trusted and Capability Controlled DOM (PhD thesis, Ruhr-University Bochum, 2012)