Presentation is loading. Please wait.

Presentation is loading. Please wait.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

Published byJustus Claypole Modified over 9 years ago

Similar presentations

Presentation on theme: "17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation."— Presentation transcript:

1 17 th ACM CCS (October, 2010)

2  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation in Advanced Defense Lab

3  Web-hosted applications have supplanted traditional desktop applications for almost everything that requires network communication. A Presentation in Advanced Defense Lab 3

4 4

5  The same-origin policy is the basic principle used to secure Web applications from each other. A Presentation in Advanced Defense Lab 5

6  Content › HTML  Behavior › JavaScript  Appearance › Cascading Style Sheet › The first specification of CSS dates to 1996. A Presentation in Advanced Defense Lab 6

7  To allow future extensibility, the CSS specification mandates error-tolerant parsing [link].link  This leads to a security hole. › GreyMagic Security Advisory GM#004-IE (2002) [link]link › To date, all published attacks of this type have required JavaScript, and most have been specific to Internet Explorer. A Presentation in Advanced Defense Lab 7

8  Attacker Abilities › Sending and receiving arbitrary network traffic from its own servers.  Target Behavior › Attacker’s Inject strings must pass server-side cross-site scripting (XSS) filters such as HTML Purifier [link].link  Victim Behavior › The web attacker can entice the victim into visiting its site. A Presentation in Advanced Defense Lab 8

9  Cross-origin CSS attacks are possible because of existing browser behaviors, reasonable taken in isolation, but with unexpected interactions. A Presentation in Advanced Defense Lab 9

10  Session Authentication › Once a user has logged into a web application, their browser will transmit a credential with every HTTP request to that server. A Presentation in Advanced Defense Lab 10

11  Cross-Origin Content Inclusion › Requests for cross-origin resources transmit any credentials associated with the site that hosts the resource, not credentials associated with the site whose page made the reference. A Presentation in Advanced Defense Lab 11

12  Error-Tolerant Style Sheet Parsing › When browsers encounter syntax errors in CSS, they discard the current syntactic construct, skip ahead until what appears to be the beginning of the next one.  CSS parsing mode [link]link › Quirks mode › Strict/standards mode  A Presentation in Advanced Defense Lab 12

13  Principles of error-tolerant style sheet parsing › Even while skipping, parentheses, square brackets, and curly braces must be properly balanced and nested. › The next syntactic construct might begin after the next semicolon, after going up one brace level, or after the next brace-enclosed block. › The end of a style sheet closes all open constructs without error. A Presentation in Advanced Defense Lab 13

14  In a cross-origin CSS attack, the attacker injects strings into the target document that bracket the data to be stolen. A Presentation in Advanced Defense Lab 14

15 A Presentation in Advanced Defense Lab 15

16  When the victim user visits attacker.com  or @import url(http://target.com); A Presentation in Advanced Defense Lab 16

17 A Presentation in Advanced Defense Lab 17

18 A Presentation in Advanced Defense Lab 18

19  Insufficient Injection points › The attacker must inject two strings into the document containing the secret.  Quotes › If the secret contains both types of quotes, or the attacker cannot predict which type of quotes it will contain, the attack may fail. A Presentation in Advanced Defense Lab 19

20  Line Breaks › Internet Explorer permits unescaped line breaks in CSS string constants and url()s.  Character Escapes  Forcing UTF-7 › › {}#f{font-family:+ACI- A Presentation in Advanced Defense Lab 20

21  Forcing UTF-7 › › {}#f{font-family:+ACI- A Presentation in Advanced Defense Lab 21

22  The Internet Movie Database (IMDb) [link]link › allows registered users to rate films, make posts on message boards, and send private messages to each other. A Presentation in Advanced Defense Lab 22

23 A Presentation in Advanced Defense Lab 23

24  Send an email to the victim with the subject line: › ');}  Wait for some time while the victim receives other messages.  Send another email to the victim with the subject line: › {}body{background-image:url(' A Presentation in Advanced Defense Lab 24

25 A Presentation in Advanced Defense Lab 25

26  http://mail.live.com/m/ A Presentation in Advanced Defense Lab 26

27  Content Type Enforcement Proposal › HTTP header  Content-Type: text/css  Content-Type: text/html › Strict Enforcement  Strict enforcement refuses to load any style sheet crossorigin, unless it is properly labeled text/css.  content type misconfigurations are common A Presentation in Advanced Defense Lab 27

28 › Minimal Enforcement  Block if:  cross-origin  invalid content type  syntactically malformed A Presentation in Advanced Defense Lab 28

29  we crawled the top 100,000 web sites ranked by Alexa and identified all of the style sheet resources used by their front pages. A Presentation in Advanced Defense Lab 29

30 A Presentation in Advanced Defense Lab 30 Strict Enforcement  62 sites ≈ 0.06%

31 A Presentation in Advanced Defense Lab 31

32  Block Cookies › Some browsers have the option to block only “third-party” cookies, which prevents cookies from being set by a cross-origin load. › But not read… A Presentation in Advanced Defense Lab 32

33  Block JavaScript Style APIs › Many browsers already prevent JavaScript from reading parsed style rules when those rules were loaded cross-origin. A Presentation in Advanced Defense Lab 33

34  Newlines › Internet Explorer  HTML Encoding  Avoid Ambient Authentication › However, if a URL with a credential becomes visible to the victim user (e.g. via the location bar), they might be tricked into revealing it. A Presentation in Advanced Defense Lab 34

35  Content-Sniffing XSS  Barth et al  IE 8 [link]link A Presentation in Advanced Defense Lab 35

36 A Presentation in Advanced Defense Lab 36

37 A Presentation in Advanced Defense Lab 37

38 A Presentation in Advanced Defense Lab 38

39  Firefox 4.0 [link]link › Http Response Header › X-CONTENT-SECURITY-POLICY A Presentation in Advanced Defense Lab 39

40  Microsoft Research(February, 2009)  Strict enforcement A Presentation in Advanced Defense Lab 40

41 A Presentation in Advanced Defense Lab 41

Download ppt "17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.

Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.
DT228/3 Web Development WWW and Client server model.

DT228/3 Web Development WWW and Client server model.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.

Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.
© 2010, Robert K. Moniot Chapter 1 Introduction to Computers and the Internet 1.

© 2010, Robert K. Moniot Chapter 1 Introduction to Computers and the Internet 1.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
WHAT IS AJAX? Zack Sheppard [zts2101] WHIM April 19, 2011.

WHAT IS AJAX? Zack Sheppard [zts2101] WHIM April 19, 2011.
Web Privacy Topics Andy Zeigler Senior Program Manager, Internet Explorer Microsoft.

Web Privacy Topics Andy Zeigler Senior Program Manager, Internet Explorer Microsoft.
© 2004, Robert K. Moniot Chapter 1 Introduction to Computers and the Internet.

© 2004, Robert K. Moniot Chapter 1 Introduction to Computers and the Internet.
Happy Hacking HTML5! Group members: Dongyang Zhang Wei Liu Weizhou He Yutong Wei Yuxin Zhu.

Happy Hacking HTML5! Group members: Dongyang Zhang Wei Liu Weizhou He Yutong Wei Yuxin Zhu.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Chapter 2 Introduction to HTML5 Internet & World Wide Web How to Program, 5/e Copyright © Pearson, Inc. 2013. All Rights Reserved.

Chapter 2 Introduction to HTML5 Internet & World Wide Web How to Program, 5/e Copyright © Pearson, Inc All Rights Reserved.
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Similar presentations

Ads by Google