mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations. Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, and Edward Z. Yang.


mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations
Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, and Edward Z. Yang. ACM CCS (November, 2013)

OUTLINE
◦ XSS
◦ mXSS
◦ Exploits and Attack Surface
◦ Mitigation Techniques
◦ Evaluation
◦ Related Work and Conclusion

Cross-Site Scripting (XSS)
Reflected XSS
◦ Maliciously manipulated parameters
Stored XSS
◦ User-contributed content stored on the server
DOM XSS (XSS of the third kind)
◦ JavaScript library

Solutions for XSS
Server-side solutions
◦ Encoding, replacement, rewriting
Client-side solutions
◦ IE8 XSS Filter
◦ Chrome XSS Auditor
◦ Firefox NoScript extension

mXSS: Mutation-based Cross-Site Scripting

mXSS - At the time of testing
Impact on IE, Firefox, Chrome
◦ Webmail clients
Bypass HTML sanitizers
◦ HTML Purifier
◦ htmLawed
◦ OWASP AntiSamy
◦ jSoup
◦ kses
Led to subsequent changes in browser behavior.

innerHTML / outerHTML
An HTML element's property
◦ Creating HTML content from arbitrarily formatted strings
◦ Serializing HTML DOM nodes into strings

Mutation
Trigger the mutation

Browser Model

innerHTML-Access
Access to the innerHTML properties
◦ from (parent) element nodes
HTML editor
◦ contenteditable attribute
◦ document.execCommand()
Print preview

Exploits
innerHTML-access
A. Backtick {`}
B. XML Namespace (xmlns)
C. CSS Escapes/Misfit Characters

Exploits – Backtick and XMLNS
Backtick {`}
XML Namespace

Exploits – CSS
CSS specifications propose CSS escapes
◦ v\61lue = value
Mutation
◦ 'val\27ue' => 'val'ue'

Exploits – CSS Recursive Decoding
Bypass some HTML filters with recursive decoding

Exploits – CSS Escapes in Property Names
Terminate the style attribute

Exploits – Entity-Mutation in non-HTML Documents
MIME type
◦ text/xhtml
Attacker may abuse MIME sniffing

Exploits – Entity-Mutation in non-HTML context of HTML documents
SVG tag, fixed

Attack Surface
A mutation can occur wherever innerHTML is assigned; 74.5% of the Alexa Top 1000 websites were found to be using innerHTML assignments.

Attack Surface
JavaScript libraries
◦ 65% of the top 10,000 websites
◦ 48.87% using jQuery
Webmails
◦ Microsoft Hotmail, Yahoo! Mail, Redi Mail, OpenExchange, Roundcube, etc.
◦ Bug reports were acknowledged
HTML sanitizers
◦ Add new rules for known mutation effects

Mitigation Techniques (Server-side)
HTML
◦ Appending a trailing whitespace to text?
CSS
◦ Disallow any of the special characters
◦ Percent-escaping for parentheses and single quotes in URLs
Implemented in HTML Purifier (CSS)
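Added example (not code from the paper or the slides): a small Node.js model of the CSS-escape mutation from the two CSS exploit slides together with the server-side CSS rules on this slide. It assumes a simplified browser in which each innerHTML parse/serialize round trip decodes CSS escapes once; the function names and sample values are constructed for this illustration.

```javascript
// Added example, not from the mXSS paper. Models (1) CSS escape decoding,
// (2) the innerHTML round trip that decodes again (recursive decoding), and
// (3) the server-side CSS rules from the mitigation slide. Samples are constructed.

// CSS escape: "\" + 1-6 hex digits (+ one optional whitespace) gives a code
// point; "\" + any other character yields that character literally.
function decodeCssEscapes(value) {
  return value.replace(/\\([0-9a-fA-F]{1,6})[ \t\n]?|\\(.)/g, (m, hex, ch) =>
    hex !== undefined ? String.fromCodePoint(parseInt(hex, 16)) : ch);
}

// Simplified browser model: every parse/serialize cycle of the style
// attribute decodes escapes once, so n innerHTML round trips decode n times.
function browserRoundTrips(value, n) {
  let out = value;
  for (let i = 0; i < n; i++) out = decodeCssEscapes(out);
  return out;
}

// Naive filter: decode once, then reject quotes and parentheses.
// A doubly escaped value survives this single decoding pass.
function naiveFilterAccepts(value) {
  return !/['"()]/.test(decodeCssEscapes(value));
}

// Hardened rule from the mitigation slide: disallow the special characters,
// including the backslash that introduces an escape, in the raw value.
function hardenedFilterAccepts(value) {
  return !/[\\'"()]/.test(value);
}

// Mitigation slide: percent-escape parentheses and single quotes in URL values.
function percentEscapeUrl(url) {
  return url.replace(/[()']/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// Constructed samples: "\5c " decodes to a backslash, so one pass over the
// doubly escaped value yields "val\27ue" (quote still hidden) and a second
// pass yields "val'ue", where the quote now terminates the CSS string.
const SINGLE_ESCAPED = "val\\27ue";
const DOUBLE_ESCAPED = "val\\5c 27ue";

console.log(decodeCssEscapes("v\\61lue"));          // value
console.log(browserRoundTrips(DOUBLE_ESCAPED, 1));   // val\27ue
console.log(browserRoundTrips(DOUBLE_ESCAPED, 2));   // val'ue
console.log(naiveFilterAccepts(DOUBLE_ESCAPED));     // true  (bypassed)
console.log(hardenedFilterAccepts(DOUBLE_ESCAPED));  // false (rejected)
```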

Mitigation Techniques (Client-side)
TrueHTML
◦ A script
◦ Overwrites the getter methods of innerHTML
◦ Uses the XMLSerializer DOM object
◦ Changes the HTML handling into XML-based processing
◦ Low performance impact compared to filtering innerHTML data

Evaluation - Size
http archive
◦ Average transfer size of a web page: 1,200 KB (52 KB HTML, 214 KB JavaScript)
TrueHTML
◦ 820 bytes of code

Evaluation - Time
VM1
◦ Intel Xeon X5650 CPU 2.67GHz, 2GB RAM
◦ Ubuntu Desktop, Mozilla Firefox
VM2
◦ Intel Core2Duo CPU 1.86GHz, 2GB RAM
◦ Ubuntu Desktop, Mozilla Firefox
Proxy server to inject TrueHTML
Navigation Timing API

Evaluation - Time
Network Testing: Top 10,000
◦ Overhead 0.01% to 99.94%
Local Testing 1

Evaluation - Time
Local Testing 2
◦ …(1 kb)…
◦ Scale to 1,000 elements

Related Work
◦ Abusing Internet Explorer 8's XSS Filters
◦ Browser Security Handbook
◦ The Tangled Web: A Guide to Securing Modern Web Applications (book)
◦ XSSAuditor bypasses from sla.ckers.org
◦ Towards Elimination of XSS Attacks with a Trusted and Capability Controlled DOM (PhD thesis, Ruhr-University Bochum, 2012)

Conclusion
◦ Problematic and mostly undocumented browser behavior
◦ “Well-formed HTML is unambiguous” is false
◦ Defensive tools and libraries must gain awareness of the additional processing layers that browsers possess.