Embed Size (px)
DESCRIPTION
mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations. Mario Heiderich , Jörg Schwenk , Tilman Frosch , Jonas Magazinius , and Edward Z. Yang. ACM CCS (November, 2013). OUTLINE. XSS mXSS Exploits and Attack Surface Mitigation Techniques Evaluation - PowerPoint PPT Presentation
Citation preview
1
mXSS Attacks: Attacking well-secured Web-Applicationsby using innerHTML Mutations
Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, and Edward Z. Yang.
ACM CCS (November, 2013)
2
OUTLINEXSSmXSSExploits and Attack SurfaceMitigation TechniquesEvaluationRelated Work and Conclusion
3
OUTLINEXSSmXSSExploits and Attack SurfaceMitigation TechniquesEvaluationRelated Work and Conclusion
4
Cross-Site Scripting (XSS)Reflected XSS
◦Maliciously manipulated parameters
Stored XSS◦User contributed content stored on
the server
DOM XSS(XSS of the third kind)◦JavaScript library
http://www.collinjackson.com/research/xssauditor.pdf
5
Solutions for XSSServer-side solutions
◦Encoding, replacement, rewriting.
Client-side solutions◦IE8 XSS Filter◦Chrome XSS Auditor◦Firefox NoScript extension
6
OUTLINEXSSmXSSExploits and Attack SurfaceMitigation TechniquesEvaluationRelated Work and Conclusion
7
mXSSMutation-based Cross-Site-Scripting
https://cure53.de/fp170.pdf
8
mXSS - At the time of testingImpact on IE, Firefox, Chrome
◦ Webmail Clients
Bypass HTML Sanitizers◦ HTML Purifier◦ htmLawed◦ OWASP AntiSamy◦ jSoup◦ kses
Led to subsequent changes in browser behavior.
9
innerHTML / outerHTMLAn HTML element's property
◦Creating HTML content from arbitrarily formatted strings
◦Serializing HTML DOM nodes into strings
http://www.jb51.net/article/16585.htm
10
MutationTrigger the mutation
11
Browser Model
http://www.cs.berkeley.edu/~dawnsong/papers/2011%20systematic%20analysis%20xss
12
innerHTML-AccessAccess to the innerHTML
properties ◦from (parent) element nodes
HTML editor◦contenteditable attribute◦document.execCommand()
Print preview
13
OUTLINEXSSmXSSExploits and Attack SurfaceMitigation TechniquesEvaluationRelated Work and Conclusion
14
ExploitsinnerHTML-access
A. Backtick {` }B. XML Namespace(xmlns)C. CSS Escapes/Misfit Characters
15
Exploits – Backtick and XMLNSBacktick {` }
XML Namespace
16
Exploits – CSSCSS specifications propose CSS
escapes◦v\61lue = value
Mutation◦'val\27ue‘ => ‘val’ue’
17
Exploits – CSS Recursive DecodingBypass some of HTML filters with
recursive decoding
18
Exploits – CSS Escapes in Property NamesTerminate the style attribute
19
Exploits – Entity-Mutation in non-HTML DocumentsMIME type
◦text/xhtml
Attacker may abuse MIME sniffing
20
Exploits – Entity-Mutation in non-HTML context of HTML documentsSVG tag, fixed
21
Attack SurfaceA mutation event occur when
74.5% of the Alexa Top 1000 websites to be using inner-HTML-assignments.
22
Attack SurfaceJavaScript libraries
◦ 65% of the top 10,000 websites◦ 48.87% using jQuery
Webmails◦ Microsoft Hotmail, Yahoo! Mail, Redi Mail,
OpenExchange, Round-cube, etc..◦ Bug reports were acknowledged
HTML sanitizers◦ Add new rules for known mutation effects
23
OUTLINEXSSmXSSExploits and Attack SurfaceMitigation TechniquesEvaluationRelated Work and Conclusion
24
Mitigation Techniques(Server-side)HTML
◦ Appending a trailing whitespace to text ?
CSS◦ Disallow any of the special characters◦ Percent-escaping for parentheses and
single quotes in URLs
Implemented to HTML Purifier(CSS)
25
Mitigation Techniques(Client-side)TrueHTML
◦A script◦Overwrites the getter methods of the
innerHTML
◦XMLSerializer DOM object◦Changes the HTML handling into an
XML-based processing◦Low performance impact compared
to filtering innerHTML-data
26
OUTLINEXSSmXSSExploits and Attack SurfaceMitigation TechniquesEvaluationRelated Work and Conclusion
27
Evaluation - Sizehttp archive
◦Average transfer size of a web page 1,200kb(52kb by HTML, 214kb by
JavaScript)TrueHTML
◦820 byte of code
28
Evaluation - TimeVM1
◦ Intel Xeon X5650 CPU 2.67GHz, 2GB RAM◦ Ubuntu 12.04 Desktop, Mozilla Firefox 14.0.1
VM2◦ Inter Core2Duo CPU 1.86GHz, 2GB RAM◦ Ubuntu 12.04 Desktop, Mozilla Firefox 16.0.2
Proxy Server to inject TrueHTMLNavigation Timing API
29
Evaluation - TimeNetwork Testing Top 10,000
◦Overhead 0.01%~99.94%Local Testing 1
30
Evaluation - TimeLocal Testing 2
◦<p>…(1kb)…</p>◦Scale to 1,000 elements
31
OUTLINEXSSmXSSExploits and Attack SurfaceMitigation TechniquesEvaluationRelated Work and Conclusion
32
Related WorkAbusing Internet Explorer 8's XSS Filters
Browser Security HandbookThe Tangled Web: A Guide to Securing
Modern Web Applications (book)
XSSAuditor bypasses from sla.ckers.org.Towards Elimination of XSS Attacks with a
Trusted and Capability Controlled DOM (PhD thesis, Ruhr-University Bochum, 2012)
33
ConclusionProblematic and mostly
undocumented browser behavior
“Well-formed HTML is unambiguous” is false
Defensive tools and libraries must gain awareness of the additional processing layers that browsers possess.
![The innerHTML Apocalypse - XSS · PDF fileThe innerHTML Apocalypse How mXSS attacks change everything we believed to know so far ... NAMESPACE PREFIX = [default] >](https://img.pdfslide.net/doc/110x75/5a78e2f67f8b9a21538ece1f/the-innerhtml-apocalypse-xss-innerhtml-apocalypse-how-mxss-attacks-change-everything.jpg)
