HTML5 Group 3: Dongyang Zhang, Wei Liu, Weizhou He, Yutong Wei, Yuxin Zhu.

Post on 16-Jan-2016




Contents

1 Setup
2 Abusing Sockets, XHR
3 About DOM

Setup

Domain: attacker.com; IP: 192.168.222.133; OS: Windows Server 2012; Server: IIS 8.0

Domain: victimserver.com; IP: 192.168.223.138; OS: Windows Server 2012; Server: IIS 8.0; Language: .NET C#

IP: 192.168.223.139; OS: Windows XP; Browser: Chrome


Abusing sockets, XHR

SOP Vulnerabilities!!

1 Script, IMG, Iframe bypasses
2 DNS Rebinding
3 PostMessage Mechanism

Script, IMG, Iframe bypasses


DNS Rebinding

DNS rebinding is an exploit in which the attacker uses JavaScript in a malicious web page to gain control of the victim's router.


- Victim visits the malicious website.
- Attacker's DNS server binds attacker.com to the attacker's IP address (short TTL).
- Malicious script uses XMLHttpRequest.
- Attacker rebinds attacker.com to the target's IP address.

In fact

SOP Violation!

- Browser's DNS cache
- DNS request flooding

Firewall Circumvention:
- Access machines behind firewalls
- Interact with a number of internal services besides HTTP (direct socket access)

IP Hijacking:
- Access publicly available servers from the client's IP
- Take advantage of the target's implicit or explicit trust in the client's IP address

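The rebinding sequence from the slides above, as an added example that is not part of the original deck: a small JavaScript model of the browser's DNS cache, the rebound XHR, and the server-side Host header check that a service such as victimserver.com can use to reject requests that arrive with the wrong Host. The resolver, cache, request objects and function names are constructed here; the IP addresses are the ones from the Setup slide.

```javascript
// Added example (not from the slides): DNS rebinding sequence model plus the
// server-side Host-header check. IPs are those from the Setup slide.
const ATTACKER_IP = "192.168.222.133"; // attacker.com
const TARGET_IP = "192.168.223.138";   // victimserver.com

// Attacker's authoritative DNS for attacker.com: short TTL, answer can be flipped.
function makeAttackerDns(ttlSeconds) {
  return { answer: ATTACKER_IP, ttl: ttlSeconds, rebind() { this.answer = TARGET_IP; } };
}

// Browser-side DNS cache: reuses an answer until its TTL expires, then re-queries.
function makeBrowserCache(dns) {
  const entries = new Map();
  return {
    resolve(name, now) {
      const hit = entries.get(name);
      if (hit && hit.expires > now) return hit.ip; // still cached ("pinned")
      const ip = dns.answer;                         // TTL expired: ask attacker's DNS again
      entries.set(name, { ip, expires: now + dns.ttl });
      return ip;
    },
  };
}

// The XMLHttpRequest from the slides: the socket goes to whatever IP the name
// currently resolves to, while the Host header still says attacker.com.
function xhrTo(cache, hostname, now) {
  return { ip: cache.resolve(hostname, now), headers: { host: hostname } };
}

// Defender-side check on victimserver.com: only serve requests whose Host header
// names this service (optional :port stripped, compared case-insensitively).
function hostAllowed(hostHeader, allowedHosts) {
  if (typeof hostHeader !== "string") return false;
  const name = hostHeader.split(":")[0].toLowerCase();
  return allowedHosts.includes(name);
}

// Page load at t=0 reaches the attacker's server; the record is rebound; the
// XHR at t=2 (TTL of 1 s expired) lands on the target with Host: attacker.com.
function simulateRebinding() {
  const dns = makeAttackerDns(1);
  const cache = makeBrowserCache(dns);
  const first = xhrTo(cache, "attacker.com", 0);
  dns.rebind();
  const second = xhrTo(cache, "attacker.com", 2);
  const servedByTarget = hostAllowed(second.headers.host, ["victimserver.com"]);
  return { firstIp: first.ip, secondIp: second.ip, servedByTarget };
}
```

The Host check works because the browser fills in the Host header from the page's origin, not from the IP the socket was opened to; a service that only answers for its own hostnames never serves the rebound request.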

DOM

DOM (Document Object Model)

We all know that:

① Reflected XSS
② Stored XSS

both purely inside client-side code

The third kind of XSS:

DOM Based XSS

which does not depend on malicious data being sent to the server in the first request

APIs that may be vulnerable to DOM based XSS

1). document.location
2). document.URL
3). document.URLUnencoded
4). document.referrer
5). window.location

These APIs can read DOM data through a crafted URL, but this kind of pop-up window is not really harmful by itself: the attacker gets nothing if users never click on the URL.

1). document.write()
2). document.writeln()
3). document.body.innerHTML
4). eval()
5). window.execScript()
6). window.setInterval()
7). window.setTimeout()

These APIs are mostly used in form hijacking: a piece of XSS code is injected when users submit a form. This is more dangerous; most of them are used to steal cookies.

EXAMPLE: document.body.innerHTML

When this code runs, xxx is replaced by the value “yyyyyy”.

“yyyyyy” can be replaced by something else, like “<img src=1>”, or by Unicode escapes like “\u003cimg src=1\u003e”.

<div id="a">xxx</div>

<script>document.getElementById("a").innerHTML="yyyyyy";</script>

Real example: qq.com (most of you should know this, right?) ☺

URL: http://datalib.ent.qq.com/cgi-bin/search?libid=1&keyvalue=aaaaaaa&attr=133&stype=2&tname=star_second.shtml (there were some vulnerabilities there, but I think there aren't any now)

<strong id="titleshow">search_by job1: aaaaaaa </strong></div><script>if("aaaaaaa"=="")document.getElementById("titleshow").innerHTML="search_by_place: all_stars";

if("job1"=="job1")document.getElementById("titleshow").innerHTML="search_by_job: aaaaaaa";

if("job1"=="job2")document.getElementById("titleshow").innerHTML="search_by_job: aaaaaaa";

if("job1"=="job3")document.getElementById("titleshow").innerHTML="search_by_job: aaaaaaa";</script>

We know that “<” and “>” are not accepted, but “/” is, so perhaps we should try Unicode escapes. We can see that the if("job1"=="job1") branch is the one executed, so we focus on these two lines of code.

As shown above, “aaaaaaa” can be changed into “\u003cimg src=1 onerror=alert(1)\u003e”.

This is an example we learned from while trying to get a better understanding of DOM based XSS; we didn't actually attack this website, and this vulnerability has been reported!

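An added example (not the site's code and not from the deck) showing why removing raw “<” and “>” did not help in the qq.com case above: the value sits inside a JavaScript string literal, so the engine decodes \u003c to < before innerHTML ever sees it. naiveFilter and buildScript are an assumed reconstruction of the server logic, and htmlEncode is the encoding the sink actually needs (or, simpler still, the page should assign to textContent rather than innerHTML).

```javascript
// Added example (not the site's code): why a "<"/">" filter fails in front of
// a JS string literal that feeds innerHTML, and what the correct encoding is.

// Assumed server-side filter: drops raw "<" and ">" only.
function naiveFilter(keyvalue) {
  return keyvalue.replace(/[<>]/g, "");
}

// Assumed template: the value is dropped into a JS string literal that the page
// later assigns to innerHTML (the if("job1"=="job1") branch in the snippet above).
function buildScript(filteredValue) {
  return 'document.getElementById("titleshow").innerHTML="search_by_job: ' +
    filteredValue + '";';
}

// Decode the string literal the way the JS engine does: "\u003c" becomes "<".
// JSON shares the \uXXXX escape, so JSON.parse stands in for the engine here.
function literalSeenByEngine(script) {
  const m = /innerHTML="(.*)";$/.exec(script);
  return JSON.parse('"' + m[1] + '"');
}

// Correct handling for an innerHTML sink: HTML-encode the text before it is
// treated as markup. A JS-string escape (\u003c) is not enough, because the
// engine undoes it before the markup parser runs.
function htmlEncode(text) {
  return text.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// Run a keyvalue through the filtered template and through the encoder.
function compare(keyvalue) {
  const decoded = literalSeenByEngine(buildScript(naiveFilter(keyvalue)));
  return { decoded, markupReachesSink: /<img/.test(decoded), encoded: htmlEncode(decoded) };
}
```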

1). document.location
2). document.URL
3). document.open()
4). window.location.href
5). window.navigate()
6). window.open()

These APIs are mostly used in redirection attacks. The harm can be large or small, but this kind of harm is often easily ignored.

Differences between Standard XSS and DOM based XSS

How to find DOM based XSS

1). Byte-level taint tracking in Chromium
    - precise source information for every character
    - patched sinks (for example document.write)

2). A Chrome extension to crawl a given set of web sites
    - also acts as the interface between the taint engine and the backend

3). An exploit generator
    - uses the precise taint information
    - and JavaScript and HTML syntax rules
    - to generate exploits fully automatically

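An added toy model (not the Chromium taint engine the slides describe, and not code from the deck) of the byte-level taint tracking idea: every character carries a source label, string operations preserve the labels, and a patched sink reports which characters originate from an untrusted source instead of writing them. The Tainted class, checkSink and the page snippet inside demo are constructed for illustration.

```javascript
// Added example: toy byte-level taint tracking. A label of null means trusted;
// any other label names the untrusted source the character came from.
class Tainted {
  constructor(chars, labels) { this.chars = chars; this.labels = labels; }
  static fromSource(text, source) { return new Tainted([...text], [...text].map(() => source)); }
  static trusted(text) { return new Tainted([...text], [...text].map(() => null)); }
  concat(other) { return new Tainted(this.chars.concat(other.chars), this.labels.concat(other.labels)); }
  slice(start, end) { return new Tainted(this.chars.slice(start, end), this.labels.slice(start, end)); }
  toString() { return this.chars.join(""); }
}

// Patched sink (the slides mention document.write): instead of writing, group
// tainted characters into runs and report each run with its source and offset.
function checkSink(sinkName, value) {
  const findings = [];
  let run = null;
  value.labels.forEach((label, i) => {
    if (run && label === run.source) { run.text += value.chars[i]; return; }
    if (run) findings.push(run);
    run = label ? { sink: sinkName, source: label, offset: i, text: value.chars[i] } : null;
  });
  if (run) findings.push(run);
  return findings;
}

// Constructed page logic: document.write("<h1>Hello " + location.hash.slice(1) + "</h1>")
// with a constructed fragment value; only the attacker-controlled run is reported.
function demo() {
  const hash = Tainted.fromSource("#<img src=1 onerror=alert(1)>", "location.hash");
  const html = Tainted.trusted("<h1>Hello ").concat(hash.slice(1)).concat(Tainted.trusted("</h1>"));
  return checkSink("document.write", html);
}
```

The finding carries the exact characters and their offset inside the sink argument, which is the "precise source information" an exploit generator or a human reviewer needs to tell whether the injected run can break out of its HTML or JavaScript context.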

What to do next

- Defence against DNS rebinding
- PostMessage mechanism
- Make a DOM based XSS demo
- Find ways to avoid the risks



Thank You ;)

10/28 2014

Questions?