mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations
Transcript of mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations
mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations
Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, and Edward Z. Yang.
ACM CCS (November, 2013)
Outline
◦ XSS
◦ mXSS
◦ Exploits and Attack Surface
◦ Mitigation Techniques
◦ Evaluation
◦ Related Work and Conclusion
Cross-Site Scripting (XSS)
Reflected XSS
◦ Maliciously manipulated request parameters echoed back in the response
Stored XSS
◦ User-contributed content stored on the server and served to other users
DOM XSS (XSS of the third kind)
◦ Client-side JavaScript (often a library) writes attacker-controlled data into the DOM
Reference: http://www.collinjackson.com/research/xssauditor.pdf
Solutions for XSS
Server-side solutions
◦ Encoding, replacement, rewriting
Client-side solutions
◦ IE8 XSS Filter
◦ Chrome XSS Auditor
◦ Firefox NoScript extension
Section: mXSS
mXSS: Mutation-based Cross-Site Scripting
Paper: https://cure53.de/fp170.pdf
mXSS: At the Time of Testing
Impact on IE, Firefox, Chrome
◦ Webmail clients
Bypasses HTML sanitizers
◦ HTML Purifier
◦ htmLawed
◦ OWASP AntiSamy
◦ jSoup
◦ kses
Led to subsequent changes in browser behavior.
innerHTML / outerHTML
An HTML element property that works in two directions
◦ Setter: creates HTML content (DOM nodes) from an arbitrarily formatted string, i.e. the browser's parser runs on the string
◦ Getter: serializes HTML DOM nodes back into a string
Reference: http://www.jb51.net/article/16585.htm
Mutation
Trigger the mutation: assign the (sanitized) string to innerHTML so the browser parses it, then read innerHTML back. The serialized string can differ from what was assigned; that difference is the mutation.
Browser Model
Reference: http://www.cs.berkeley.edu/~dawnsong/papers/2011%20systematic%20analysis%20xss
innerHTML Access
Access to the innerHTML property
◦ From (parent) element nodes
HTML editors
◦ contenteditable attribute
◦ document.execCommand()
Print preview
Section: Exploits and Attack Surface
Exploits: innerHTML Access
A. Backtick (`)
B. XML Namespace (xmlns)
C. CSS Escapes / Misfit Characters
Exploits: Backtick and XMLNS
Backtick (`)
XML Namespace (xmlns)
Exploits: CSS
The CSS specifications define CSS escapes
◦ v\61lue = value
Mutation
◦ 'val\27ue' => 'val'ue' (the escaped quote is decoded when the value is serialized, so on the next parse it terminates the string)
Exploits: CSS Recursive Decoding
Bypass some HTML filters with recursive decoding: every parse/serialize round trip decodes one layer of escapes, so a doubly escaped sequence looks harmless to a filter that decodes only once.
Exploits: CSS Escapes in Property Names
◦ Escapes in a property name are decoded as well; the decoded character is written back unescaped and can terminate the style attribute
Exploits: Entity Mutation in non-HTML Documents
MIME type
◦ XHTML documents (application/xhtml+xml) are handled by the XML parser and serialize entities differently from text/html
◦ An attacker may abuse MIME sniffing to get a document into that mode
Exploits: Entity Mutation in non-HTML Context of HTML Documents
◦ Foreign content inside HTML documents, e.g. the SVG tag (browser bug, since fixed)
Attack Surface
A mutation can occur wherever a string is written to innerHTML and read back as a serialization.
◦ 74.5% of the Alexa Top 1000 websites were found to use innerHTML assignments.
Attack Surface
JavaScript libraries
◦ 65% of the top 10,000 websites use a JavaScript library
◦ 48.87% use jQuery
Webmails
◦ Microsoft Hotmail, Yahoo! Mail, Rediffmail, OpenExchange, Roundcube, etc.
◦ Bug reports were acknowledged
HTML sanitizers
◦ Add new rules for known mutation effects
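An added example, not part of the slides or the paper, of how a tester enumerates this attack surface in a code base: a Node script that scans JavaScript source for the sinks that hand a string to the browser's HTML parser (innerHTML/outerHTML writes, insertAdjacentHTML, document.write, and jQuery's html()/append() family) and for innerHTML reads, which produce the serialized and possibly mutated string. The sink list, the literal/expression classification and the sample source are constructed for the example.

```javascript
'use strict';

// Added example, not code from the paper or the slides: a static scan of
// JavaScript source for the sinks that hand a string to the browser's HTML
// parser (where an innerHTML round trip, and so a mutation, can happen) and
// for innerHTML reads, which yield the serialized string.

const SINKS = [
  { kind: 'innerHTML write',    re: /\.innerHTML\s*\+?=(?!=)/,       arg: 'rhs' },
  { kind: 'outerHTML write',    re: /\.outerHTML\s*\+?=(?!=)/,       arg: 'rhs' },
  { kind: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\(/,     arg: 'secondArg' },
  { kind: 'document.write',     re: /\bdocument\.write(?:ln)?\s*\(/, arg: 'call' },
  // jQuery's html()/append() family writes through innerHTML as well.
  { kind: 'jQuery html/append', re: /\.(?:html|append|prepend|before|after|replaceWith)\s*\(/, arg: 'call' },
  // A read is the serialization step; a comparison with == reads too, while
  // assignments are excluded by the lookahead.
  { kind: 'innerHTML read',     re: /\.innerHTML\b(?!\s*\+?=(?!=))/, arg: null },
];

// A plain string constant is the only value that cannot carry user input;
// everything else (variables, calls, templates with ${}) is an expression.
function classifyValue(text) {
  const v = text.trim().replace(/;\s*$/, '');
  if (/^'[^'\n]*'$|^"[^"\n]*"$/.test(v)) return 'literal';
  if (/^`[^`]*`$/.test(v) && !v.includes('${')) return 'literal';
  return 'expression';
}

// Pull out the text that reaches the parser: the right-hand side of an
// assignment, the call argument, or the second argument of insertAdjacentHTML.
function extractValue(line, match, how) {
  let rest = line.slice(match.index + match[0].length);
  if (how === 'rhs') return rest;
  rest = rest.replace(/\)\s*;?\s*$/, '');
  if (how === 'secondArg') rest = rest.slice(rest.indexOf(',') + 1);
  return rest;
}

function findHtmlSinks(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const sink of SINKS) {
      const m = sink.re.exec(line);
      if (!m) continue;
      findings.push({
        line: i + 1,
        kind: sink.kind,
        value: sink.arg ? classifyValue(extractValue(line, m, sink.arg)) : null,
        code: line.trim(),
      });
    }
  });
  return findings;
}

// Constructed sample source for the example.
const SAMPLE_SOURCE = [
  "const box = document.getElementById('preview');",
  "box.innerHTML = '<p>static template</p>';",      // constant: no user data
  "box.innerHTML = sanitize(userInput);",           // sanitized once, re-parsed by the browser
  "if (box.innerHTML === cached) return;",          // a comparison still serializes
  "const copy = box.innerHTML;",                    // the serialized (possibly mutated) string
  "box.insertAdjacentHTML('beforeend', copy);",     // second parse of that string
  "$('#msg').html(copy);",
  "document.write('<!-- banner -->');",
].join('\n');

for (const f of findHtmlSinks(SAMPLE_SOURCE)) {
  console.log(`${String(f.line).padStart(3)}  ${f.kind}${f.value ? ' [' + f.value + ']' : ''}  ${f.code}`);
}
```

Every "write" finding whose value is an expression is a place where sanitized markup is re-parsed, and every "read" finding is a place where the serialized result is handed on; pairs of the two (as in lines 5 and 6 of the sample) are the round trips the slides describe.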
Section: Mitigation Techniques
Mitigation Techniques (Server-side)
HTML
◦ Appending a trailing whitespace to text (?)
CSS
◦ Disallow any of the special characters
◦ Percent-escaping for parentheses and single quotes in URLs
Implemented in HTML Purifier (the CSS part)
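An added example, not code from the paper, the slides, or HTML Purifier, of the CSS-side problem and the server-side fix in working JavaScript (run under Node): it decodes CSS escapes as the CSS Syntax specification defines them, repeats the decoding to a fixed point, and compares a filter that inspects the raw value with one that inspects the decoded value. The `font-family:'foo\27;x=expression(alert(1));'` sample, its doubly escaped variant and the benign value are constructed for the example; `expression(` is only the marker a legacy filter would look for.

```javascript
'use strict';

// Added example, not code from the paper, the slides, or HTML Purifier: the
// CSS escape decoding a browser performs, repeated to a fixed point, and a
// value check that runs on the decoded form. Sample values are constructed.

// One layer of decoding (CSS Syntax Level 3, "consume an escaped code point"):
// "\" + 1-6 hex digits + one optional whitespace -> that code point;
// "\" + any other character -> that character; a lone trailing "\" -> U+FFFD.
function decodeCssEscapesOnce(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    if (s[i] !== '\\') { out += s[i]; continue; }
    const m = /^[0-9a-fA-F]{1,6}[ \t\n\f\r]?/.exec(s.slice(i + 1));
    if (m) {
      let cp = parseInt(m[0], 16);
      if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) cp = 0xfffd;
      out += String.fromCodePoint(cp);
      i += m[0].length;
    } else if (i + 1 < s.length) {
      out += s[i + 1];
      i += 1;
    } else {
      out += '\ufffd';
    }
  }
  return out;
}

// Each innerHTML round trip through a decoding serializer strips one layer,
// so a filter has to decode until nothing changes (recursive decoding).
function decodeCssEscapesFully(s, maxRounds = 8) {
  let cur = s;
  for (let round = 0; round < maxRounds; round++) {
    const next = decodeCssEscapesOnce(cur);
    if (next === cur) return cur;
    cur = next;
  }
  return cur;
}

// Drop quoted string literals the way a lenient filter reads them (a
// backslash escapes the next character, so \' does not close the string).
function stripStringLiterals(s) {
  let out = '';
  let i = 0;
  while (i < s.length) {
    const q = s[i];
    if (q !== "'" && q !== '"') { out += q; i++; continue; }
    let j = i + 1;
    while (j < s.length && s[j] !== q) j += s[j] === '\\' ? 2 : 1;
    if (j >= s.length) return { rest: out, unterminated: true };
    i = j + 1;
  }
  return { rest: out, unterminated: false };
}

// Legacy dangerous constructs a CSS filter looks for outside string literals.
const DANGEROUS = /expression\s*\(|behavior\s*:|-moz-binding|javascript:/i;

// Naive filter: inspects the raw value and trusts quoted text to stay quoted.
function naiveCssValueAllowed(value) {
  return !DANGEROUS.test(stripStringLiterals(value).rest);
}

// Hardened filter (the server-side mitigation on the slide): decode to a fixed
// point, refuse a value that still needs escapes or whose string does not
// close, then check what the browser will actually see.
function hardenedCssValueAllowed(value) {
  const decoded = decodeCssEscapesFully(value);
  if (decoded.includes('\\')) return false;   // only possible if maxRounds ran out
  const { rest, unterminated } = stripStringLiterals(decoded);
  if (unterminated) return false;
  return !DANGEROUS.test(rest);
}

// Percent-escape the characters that can close a url() token or a string;
// encodeURI already escapes whitespace, quotes and backslashes.
function percentEscapeCssUrl(url) {
  return encodeURI(url).replace(/[()']/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
}

// Constructed samples: the \27 -> ' mutation inside a font-family string, the
// same payload under two escape layers, and a benign value.
const SAMPLES = {
  singleEscape: "font-family:'foo\\27;x=expression(alert(1));'",
  doubleEscape: "font-family:'foo\\5c 27;x=expression(alert(1));'",
  benign: "font-family:'Arial', sans-serif",
};

function demo() {
  const report = {};
  for (const [name, v] of Object.entries(SAMPLES)) {
    report[name] = {
      decoded: decodeCssEscapesFully(v),
      naive: naiveCssValueAllowed(v),
      naiveAfterOneDecode: naiveCssValueAllowed(decodeCssEscapesOnce(v)),
      hardened: hardenedCssValueAllowed(v),
    };
  }
  return report;
}

console.log(decodeCssEscapesOnce("'val\\27ue'"));   // the slide's mutation
console.log(demo());
```

The single-escape sample passes the naive check on the raw value but fails once it is decoded, which is what the slide means by disallowing the special characters after decoding; the double-escape sample still passes a filter that decodes only once and is caught only by decoding to a fixed point. In a browser the corresponding check is to assign the sanitized string to a detached element's innerHTML, read it back, and reject the string if the serialization differs from the input.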
Mitigation Techniques (Client-side): TrueHTML
◦ A script
◦ Overwrites the getter of the innerHTML property
◦ Uses the XMLSerializer DOM object, changing the HTML serialization into XML-based processing
◦ Low performance impact compared to filtering innerHTML data
Section: Evaluation
Evaluation: Size
HTTP Archive
◦ Average transfer size of a web page: 1,200 kB (52 kB HTML, 214 kB JavaScript)
TrueHTML
◦ 820 bytes of code
Evaluation: Time
VM1
◦ Intel Xeon X5650 CPU 2.67 GHz, 2 GB RAM
◦ Ubuntu 12.04 Desktop, Mozilla Firefox 14.0.1
VM2
◦ Intel Core2 Duo CPU 1.86 GHz, 2 GB RAM
◦ Ubuntu 12.04 Desktop, Mozilla Firefox 16.0.2
A proxy server injects TrueHTML; timing is measured with the Navigation Timing API
Evaluation: Time
Network testing (top 10,000 sites)
◦ Overhead 0.01% to 99.94%
Local testing 1
Evaluation: Time
Local testing 2
◦ <p>…(1 kB)…</p>
◦ Scaled to 1,000 elements
Section: Related Work and Conclusion
Related Work
◦ Abusing Internet Explorer 8's XSS Filters
◦ Browser Security Handbook
◦ The Tangled Web: A Guide to Securing Modern Web Applications (book)
◦ XSSAuditor bypasses from sla.ckers.org
◦ Towards Elimination of XSS Attacks with a Trusted and Capability Controlled DOM (PhD thesis, Ruhr-University Bochum, 2012)
Conclusion
◦ Problematic and mostly undocumented browser behavior
◦ "Well-formed HTML is unambiguous" is false: the serialization of a parsed string can parse differently the second time
◦ Defensive tools and libraries must gain awareness of the additional processing layers that browsers possess