Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations Presenter: Liu Yin Computer Science Department College of William.

Published byPhoebe Boylan Modified over 9 years ago

Similar presentations

Presentation on theme: "1 mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations Presenter: Liu Yin Computer Science Department College of William."— Presentation transcript:

1 1 mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations Presenter: Liu Yin Computer Science Department College of William & Mary

2 2 Outline  Introduction XSS mXSS  Problem Description The innerHTML Property Mutation  Exploits Seven attack vectors  Attack Surface  Mitigation Techniques  Evaluation  Conclusion

3 3 (Cross Site Scripting)XSS  XSS enables attackers to inject client-side script into Web pages viewed by other users  If the web site allows uncontrolled content to be supplied by users User can write content in a Guest-book or Forum. User can introduce malicious code in the content Ebay Example  Malicious Code Modification of the Document Object Model - DOM (change some links, add some buttons) Send personal information to thirds (javascript can send cookies to other sites)

4 Filtered HTML XSS Excecutes XSS Filter 4 (Cross Site Scripting)XSS User input (including an XSS vector) would be sent to the server, Web App server Browser User input (XSS vectors) XSS Filter

5 5 Server- and client-side XSS filters share the assumption: their HTML output and the browser-rendered HTML content are mostly identical (mutation-based XSS)mXSS Browser User input XSS Filter Filtered HTML Web server XSS Filter innerHTML Mutation XSS Executes False !

6 6 mXSS – At the time of testing  Impact on IE, Firefox, Chrome Webmail Client: Microsoft Hotmail, Yahoo! Mail…  Bypass HTML Sanitizers HTML Purifier htmLawed OWSAP AntiSamy jSoup Kses

7 7 Outline  Introduction XSS mXSS  Problem Description The innerHTML Property Mutation  Exploits Seven attack vectors  Attack Surface  Mitigation Techniques  Evaluation  Conclusion

8 8  An HTML element's property Creating HTML content from arbitrarily formatted strings Usage Example Read access  Serialize HTML DOM nodes into strings  is necessary to trigger the mutation Write access  attach the transformed malicious content to the DOM. The innerHTML Property

9 9  The browser mutates the input string in multiple ways before sending it to the layout engine  the empty class is removed  the tag names are set to upper-case  the markup is sanitized  the HTML entities are resolved. <  < or < Mutation Core issue  HTML markup an attacker uses to initiate an mXSS attack is considered harmless  Only the browser will transform the markup internally, thereby unfolding the embedded attack vector and executing the malicious code. innerHTML-access

10 10 Outline  Introduction XSS mXSS  Problem Description The innerHTML Property Mutation  Exploits Seven attack vectors  Attack Surface  Mitigation Techniques  Evaluation  Conclusion

11 11  Backtick {`} A bug report in 2007  innerHTML-access  the attributes delimited by backticks or containing values starting with backticks  Often the regular quotes disappeared, leaving the backtick characters unquoted and therefore vulnerable to injections. Example imgID.innerHTM=….; Backtick Characters breaking Attribute Delimiter Syntax

12 12  Unknown attributes article, aside, menu xmlns attribute  provide information on which XML namespace the element is supposed to reside on.  innerHTML-access  The browser prefixes the unknown but namespaced element with the XML namespace that in itself contains unquoted input from the xmlns attribute. Example XML Namespaces in Unknown Elements causing Structural Mutation

13 13  CSS Escapes \unicode, \ascii property: ’v\61 lue’ (property:’value’) When innerHTML-accessed Browser converted escapes to their canonical representation property: ’val\27ue’  PROPERTY: ’val’ue’ Backslashes in CSS Escapes causing String- Boundary Violation

14 14 Misfit Characters in Entity Representation breaking CSS Strings  CSS escape for double-quote character the render engine converts them into a single quote \22, ", " and &#34  ’ upon innerHTML-access.

15 Terminate the style attribute By escaping the entire attack payload, the adversary can abuse the mutation feature and deliver arbitrary CSS-escaped HTML code. The attack only works with the double-quote representation inside double-quoted attributes. 15 CSS Escapes in Property Names violating entire HTML Structure

16 16 Entity-Mutation in non-HTML Documents MIME type  text/xhtml, text/xml, application/xhtml+xml, application/xml  A web-server can instruct a browser to render a document in XHTML/XML by setting a matching MIME type via Content-Type HTTP headers;  MIME-type dependent parser behaviors  anomalies  in text/html  cannot happen  in text/xhtml and various related MIME type rendering modes, a CSS style element is supposed to be capable of containing other markup elements.

17 17 Entity-Mutation in non-HTML context of HTML documents  SVG tag, fixed

18 18 Outline  Introduction XSS mXSS  Problem Description The innerHTML Property Mutation  Exploits Seven attack vectors  Attack Surface  Mitigation Techniques  Evaluation  Conclusion

19 19 Attack Surface A mutation event occur when Found 74.5% of the Alexa Top 1000 websites to be using inner-HTML-assignments. JavaScript libraries  65% of the top 10,000 websites  48.87% using jQuery

20 20 Attack Surface Web-mailers  HTML Rich-Text Editors (RTE)  innerHTML property  triggered with almost any interaction : composing, replying, spell-checking  analyzed and spotted mXSS vulnerabilities in Microsoft Hotmail, Yahoo! Mail, Rediff Mail, OpenExchange, Round- cube  Bug reports were acknowledged HTML sanitizer  Add new rules for known mutation effects  challenging to develop new filtering paradigms that may discover even unknown attack vectors. HTML sanitizers

21 21 Outline  Introduction XSS mXSS  Problem Description The innerHTML Property Mutation  Exploits Seven attack vectors  Attack Surface  Mitigation Techniques  Evaluation  Conclusion

22 22 Mitigation Techniques Server-side mitigation  Policy: disallow any of the special characters for which browsers are known to have trouble with when it comes to a proper conversion.  refine policy for HTML,CSS, implemented to HTML Purifier  solely practical for the handling of a subset of HTML  cannot protect against dynamically generated content

23 23 Mitigation Techniques Client-side mitigation  TrueHTML, javascript  wrapping and sanitation process  overwrite the handlers of innerHTML to intercept the performance optimization and the markup mutation process.  free from all mutations described and documented  performance impact is low, does not require additional developer effort

24 24 Outline  Introduction XSS mXSS  Problem Description The innerHTML Property Mutation  Exploits Seven attack vectors  Attack Surface  Mitigation Techniques  Evaluation  Conclusion

25 25 Evaluation Environment TrueHTML Overhead  Access 5,000 URLs randomly chosen from Alexa top 10,000 most popular web sites  In typical usage scenarios: displaying an e-mail in a web mailer, accessing popular websites  investigate the relation between page load time overhead and page size in a controlled environment.  Demonstrate versatility: used different hardware platforms for the different parts of the evaluation Evaluation environment  completed by a proxy server to inject TrueHTML into the HTML context of the visited pages, and a logging infrastructure.

26 26 Evaluation Result user-perceived page load time is not only dependent on the size of the content, but also reliant on the structure and type of the markup. How True- HTML performance overhead relates to content size and the amount of markup elements?

27 27 Evaluation in a controlled environment  Create pages containing one element with 1kB text content  …( 1 kb)…  assigned document.body.innerHTML between 1 and 100 times  Scale to 1,000 elements

28 28 Outline  Introduction XSS mXSS  Problem Description The innerHTML Property Mutation  Exploits Seven attack vectors  Attack Surface  Mitigation Techniques  Evaluation  Conclusion

29 29 Conclusion Described a novel attack technique based on a problematic and mostly undocumented browser behavior Analyzed the attack surface and propose an action plan for mitigating the dangers Supplied research-derived evaluations of the feasibility and practicability of the proposed mitigation techniques. Insights  Defensive tools and libraries must gain awareness of the additional processing layers that browsers possess.  “Well-formed HTML is unambiguous” is false

30 30 End Thanks! Q&A

Download ppt "1 mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations Presenter: Liu Yin Computer Science Department College of William."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.

Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.
WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?

WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.

0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.
Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.

Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.
The XSS Files Find, Exploit, and Eliminate. Josh Little Security Engineer at global vertical market business intelligence company. 9 years in application.

The XSS Files Find, Exploit, and Eliminate. Josh Little Security Engineer at global vertical market business intelligence company. 9 years in application.
MXSS Attacks: Attacking well- secured Web-Applications by using innerHTML Mutations Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, and.

MXSS Attacks: Attacking well- secured Web-Applications by using innerHTML Mutations Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, and.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.

Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
269200 Web Programming Language Dr. Ken Cosh Week 1 (Introduction)

Web Programming Language Dr. Ken Cosh Week 1 (Introduction)
HTML 1 Introduction to HTML. 2 Objectives Describe the Internet and its associated key terms Describe the World Wide Web and its associated key terms.

HTML 1 Introduction to HTML. 2 Objectives Describe the Internet and its associated key terms Describe the World Wide Web and its associated key terms.
Computer Sciences Department

Computer Sciences Department
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Computer Concepts 2014 Chapter 7 The Web and E-mail.

Computer Concepts 2014 Chapter 7 The Web and .
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Similar presentations

Ads by Google