mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations
Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, and Edward Z. Yang
ACM CCS (November 2013)
OUTLINE
◦ XSS
◦ mXSS
◦ Exploits and Attack Surface
◦ Mitigation Techniques
◦ Evaluation
◦ Related Work and Conclusion
Cross-Site Scripting (XSS)
Reflected XSS
◦ Maliciously manipulated parameters
Stored XSS
◦ User-contributed content stored on the server
DOM XSS (XSS of the third kind)
◦ JavaScript library
http://www.collinjackson.com/research/xssauditor.pdf
Solutions for XSS
Server-side solutions
◦ Encoding, replacement, rewriting
Client-side solutions
◦ IE8 XSS Filter
◦ Chrome XSS Auditor
◦ Firefox NoScript extension
mXSS
Mutation-based Cross-Site Scripting
https://cure53.de/fp170.pdf
mXSS - At the time of testing
Impact on IE, Firefox, Chrome
◦ Webmail clients
Bypass HTML sanitizers
◦ HTML Purifier
◦ htmLawed
◦ OWASP AntiSamy
◦ jSoup
◦ kses
Led to subsequent changes in browser behavior.
innerHTML / outerHTML
An HTML element's property
◦ Creating HTML content from arbitrarily formatted strings
◦ Serializing HTML DOM nodes into strings
http://www.jb51.net/article/16585.htm
Mutation
◦ Trigger the mutation
Browser Model
http://www.cs.berkeley.edu/~dawnsong/papers/2011%20systematic%20analysis%20xss
innerHTML-Access
Access to the innerHTML properties
◦ from (parent) element nodes
HTML editor
◦ contenteditable attribute
◦ document.execCommand()
Print preview
Exploits
innerHTML-access
A. Backtick (`)
B. XML Namespace (xmlns)
C. CSS Escapes / Misfit Characters
Exploits – Backtick and XMLNS
◦ Backtick (`)
◦ XML Namespace
Exploits – CSS
CSS specifications propose CSS escapes
◦ v\61lue = value
Mutation
◦ 'val\27ue' => 'val'ue'
Exploits – CSS Recursive Decoding
◦ Bypass some HTML filters with recursive decoding
Exploits – CSS Escapes in Property Names
◦ Terminate the style attribute
Exploits – Entity-Mutation in non-HTML Documents
MIME type
◦ text/xhtml
◦ Attacker may abuse MIME sniffing
Exploits – Entity-Mutation in non-HTML context of HTML documents
◦ SVG tag (fixed)
Attack Surface
◦ A mutation event can occur whenever a site assigns to innerHTML
◦ 74.5% of the Alexa Top 1000 websites were found to use innerHTML assignments
Attack Surface
JavaScript libraries
◦ 65% of the top 10,000 websites
◦ 48.87% using jQuery
Webmails
◦ Microsoft Hotmail, Yahoo! Mail, Redi Mail, OpenExchange, Roundcube, etc.
◦ Bug reports were acknowledged
HTML sanitizers
◦ Add new rules for known mutation effects
Mitigation Techniques (Server-side)
HTML
◦ Appending a trailing whitespace to text?
CSS
◦ Disallow any of the special characters
◦ Percent-escaping for parentheses and single quotes in URLs
◦ Implemented in HTML Purifier (CSS)
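The CSS-escape mutation from the exploit slides ('val\27ue' surfacing as 'val'ue', and escapes that need recursive decoding) together with the server-side CSS mitigation listed above, as an added JavaScript example that is not part of the presentation, the paper or HTML Purifier. Function names and the exact set of disallowed characters are this example's own assumptions.

```javascript
// Added example, not from the paper or these slides: a server-side check in the
// spirit of the CSS mitigation described above (recursive decoding of CSS escapes,
// then rejecting special characters, and percent-escaping parentheses and single
// quotes in URLs). Function names and the disallowed-character set are assumptions.

// Decode one layer of CSS escapes: "\" followed by 1-6 hex digits and an optional
// single whitespace, or "\" followed by any other non-newline character.
function cssUnescapeOnce(value) {
  return value.replace(/\\([0-9a-fA-F]{1,6})[ \t\n\f\r]?|\\([^\n\r\f])/g, (m, hex, ch) => {
    if (hex !== undefined) {
      const cp = parseInt(hex, 16);
      // CSS maps NULL, surrogates and out-of-range code points to U+FFFD.
      if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return "\uFFFD";
      return String.fromCodePoint(cp);
    }
    return ch;
  });
}

// Recursive decoding: unescape until the value stops changing, so an escape that
// itself decodes to a backslash ("\5c 27" -> "\27" -> "'") cannot hide a quote
// from a filter that decodes only once.
function cssUnescapeFully(value, maxRounds = 8) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    const next = cssUnescapeOnce(current);
    if (next === current) break;
    current = next;
  }
  return current;
}

// Characters that let a decoded value leave its quoting context inside a style
// attribute. Which characters to forbid is this example's own choice.
const DISALLOWED_IN_CSS_VALUE = /["'()\\<>&]/;

// A value is accepted only if its fully decoded form contains none of them.
function isSafeCssValue(value) {
  return !DISALLOWED_IN_CSS_VALUE.test(cssUnescapeFully(value));
}

// Percent-escape parentheses and single quotes inside url() values so they cannot
// terminate the url token after a mutation.
function percentEscapeCssUrl(url) {
  return url.replace(/[()']/g, (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}
```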
Mitigation Techniques (Client-side)
TrueHTML
◦ A script
◦ Overwrites the getter methods of innerHTML
◦ Uses the XMLSerializer DOM object
◦ Changes the HTML handling into XML-based processing
◦ Low performance impact compared to filtering innerHTML data
Evaluation - Size
HTTP Archive
◦ Average transfer size of a web page: 1,200 KB (52 KB HTML, 214 KB JavaScript)
TrueHTML
◦ 820 bytes of code
Evaluation - Time
VM1
◦ Intel Xeon X5650 CPU 2.67 GHz, 2 GB RAM
◦ Ubuntu 12.04 Desktop, Mozilla Firefox 14.0.1
VM2
◦ Intel Core 2 Duo CPU 1.86 GHz, 2 GB RAM
◦ Ubuntu 12.04 Desktop, Mozilla Firefox 16.0.2
Proxy server to inject TrueHTML
Navigation Timing API
Evaluation - Time
Network Testing
◦ Top 10,000 websites
◦ Overhead 0.01% ~ 99.94%
Local Testing 1
Evaluation - Time
Local Testing 2
◦ …( 1 kb)…
◦ Scale to 1,000 elements
Related Work
◦ Abusing Internet Explorer 8's XSS Filters
◦ Browser Security Handbook
◦ The Tangled Web: A Guide to Securing Modern Web Applications (book)
◦ XSSAuditor bypasses from sla.ckers.org
◦ Towards Elimination of XSS Attacks with a Trusted and Capability Controlled DOM (PhD thesis, Ruhr-University Bochum, 2012)
Conclusion
◦ Problematic and mostly undocumented browser behavior
◦ "Well-formed HTML is unambiguous" is false
◦ Defensive tools and libraries must gain awareness of the additional processing layers that browsers possess.