Presentation is loading. Please wait.

Presentation is loading. Please wait.

Crossing Origins by Crossing Formats

Similar presentations

Presentation on theme: "Crossing Origins by Crossing Formats"— Presentation transcript:

1 Crossing Origins by Crossing Formats
Jonas Magazinius, Andrei Sabelfeld – Chalmers University of Technology Billy K. Rios – Cylance Inc.

2 About PhD Student, Chalmers Co-leader of OWASP Gothenburg
until Nov 1st then Dr. Magazinius Securing the mashed up web 10:00 HA4 – Hörsalsvägen, Chalmers Co-leader of OWASP Gothenburg Part of Cure53 @internot_ Father – as some of you might remember

3 Language-based security
Using programming language theory for finding and mitigating security vulnerabilities Static vs. dynamic analysis Information-flow monitoring Declassification Decentralized Crossing origins by crossing formats Byproduct of research Joint work with Billy K. Rios Greatly inspired by the work of Julia Wolf

4 Background GIFAR – content smuggling attack
Billy Rios Petko D. Petkov Attacker uploads GIF/JAR file Cross-origin CSS attack Chris Evans et al. Attacker injects fragments of CSS into HTML Content-type sniffing attacks Adam Barth et al. Attacker uploads PS/HTML file

5 Things in common… … mixing formats … re-interpretation of the content

6 Polyglot Definition: ”…a person who speaks several languages.”
”…a program that is valid in multiple programming languages.” Content that can be interpreted as multiple formats Example 1 – HTML / JavaScript data:text/html,alert('<script src="%23"></script>') Example 2 – C / Pascal / PostScript / TeX / Bash / Perl / Befunge98 (*a/*/ % #)(PostScript)/Helvetica 40 selectfont moveto show%v"f"a0 true showpage quit%#) 2>/dev/null;echo bash;exit #*/);int main()/*>"eb"v %a*0)unless *)begin writeln(*\output={\setbox0=\box255}\eject\shipout\hbox{\TeX}\end *)('pascal');end.{*/return 0;} ) Example 2 – C / Pascal / PostScript / TeX / Bash / Perl / Befunge98. (*a/*/ % #)(PostScript)/Helvetica 40 selectfont 9 400 moveto show%v f a0 true showpage quit%#) 2>/dev/null;echo bash;exit #*/);int main()/*> eb v %a*0)unless print perl\n __END__*/{printf( C\n );/*>>#; egnu >:#,_@;,,,< *)begin writeln(*\output={\setbox0=\box255}\eject\shipout\hbox{\TeX}\end *)( pascal );end.{*/return 0;}", "width": "800" }

7 Malicious Polyglots Two formats (or more) One benign One malicious
GIFAR – GIF/JAVA Cross-origin CSS – HTML/CSS Content-type sniffing – PS/HTML Preferred format characteristics Widespread, commonly used format Error tolerant parsing, or other ways to hide foreign syntax Cross-origin communication

8 Polyglot attacks Infiltrate Syntax injection – Cross-origin CSS attack
Content smuggling – GIFAR Embed Context based re-interpretation The content-type provided by the server is overridden Tags that allow re-interpretation of content: CSS – <link>-tag Java – <applet>-tag Content sniffing – <iframe>-tag <object> and <embed> allows arbitrary interpretation based on type attribute

9 Attack vectors – Syntax injection
A vulnerable webservice reflects parameters into content Fragments of syntax is injected resulting in a polyglot Polyglot is embedded under the origin of the attacker The polyglot has origin of, and can communicate with vulnerable service Visitors of the attackers domain are exploited Known attack instances Cross-origin CSS attack (Cross-site scripting) (1) (2) (3) (4)

10 Attack vectors – Content smuggling
A vulnerable webservice allows users to upload content Attacker uploads a polyglot to the vulnerable origin Polyglot is embedded under the origin of the attacker The polyglot has origin of, and can communicate with vulnerable service Visitors of the attackers domain are exploited Known attack instances GIFAR Content sniffing attack (2) (3) (4) (5) (1)

11 Payloads – Exploiting the origin
Cross-origin information leakage Request sensitive user information Leak to attacker across origins Cross-site request forgery Traditionally, issue requests with the credentials of the victim Protect using tokens Impact is far greater if it is possible to read the response Extract token Make request

12 Portable Document Format
Standardized document format – ISO Container format Embed related resources Contain foreign syntax by design Error tolerant parsing Powerful capabilities Display text Render 2D/3D graphics Animations Forms Launch commands (restricted) Execute JavaScript Embed Flash – just fantastic Issue HTTP-request With cookies!!

13 Document Structure Header %PDF-1.7 Objects
1 0 obj << /Length 14>> stream Content stream endstream endobj Cross-reference xref n endxref Trailer startxref 105 trailer << /Root 1 0 R >> %%EOF

14 Minimal PDF (according to Specification)
%PDF obj<< /Type /Catalog /Outlines 2 0 R /Pages 3 0 R >> endobj 2 0 obj<< /Type Outlines/Count 0>> 3 0 obj<< /Type /Pages /Kids [4 0 R] /Count obj<< /Type /Page /Parent 3 0 R /MediaBox [ ] /Contents 5 0 R /Resources << /ProcSet 6 0 R >>>> 5 0 obj<< /Length 35 >>stream endstream endobj 6 0 obj[/PDF] xref 0 7 f n n n n n n trailer<< /Size 7 /Root 1 0 R>> startxref 408 %%EOF

15 Minimal PDF (According to Interpreter)
Adobe Reader Google Chrome PDF Reader %PDF-1. trailer<</Root<</Pages<<>>>> …or executing JavaScript… trailer<</Root<</Pages<<>> /OpenAction<</S/JavaScript /JS(app.alert(’PDF’))>> >> %PDF 1 0 obj<</Pages<<>>>> trailer<</Root 1 0 R>> …or even shorter… %PDF trailer% 1 0 obj <</Root 1 0 R/Pages<<>>>> %PDF trailer<</Root% 1 0 obj<</Pages 1 0 R>>

16 Error tolerant Parsing
This text would also be a valid %PDF-1. With the condition that the trailer %begins on a new line and that there isn’t <</too /much /garbage /in /Root<</Pages<<>>>> the dictionary.

17 Communication JavaScript Inherits the origin of the document
PDF URL Action – Redirects the browser Embedded Flash Inherits the origin of the document Two-way communication Uses its own set of cookies %PDF-1. trailer <</Root <</Pages<<>> /OpenAction <</S/URI/URI(javascript:alert(location))>> >>>> JavaScript Inherits the origin of the document Uses the cookies of the browser launchURL() – Redirects the browser getURL() – Redirects the browser submitForm() – POST request via the browser XML External Entity Two-way communication Patched in latest version of Adobe Reader (FINALLY)

18 PDF polyglots Syntax injection Content smuggling Easy to inject
Token-set overlaps with HTML Context dependent Can extract sensitive information CSRF protection token User information Impact CSRF Cross-origin leakage Mixes well with just about any format Server can verify benign format Impact CSRF Cross-origin leakage

19 PDF-based Syntax injection attack

20 PDF-based Content Smuggling Attack

21 Potential targets Syntax injection Content smuggling
User supplied content reflected XSS vulnerabilities JSON XML PDF as the malicious format User provided content of any kind PDF as the benign format CV database Conference systems


23 Evaluation Syntax injection Approach Alexa top100 Results
Content smuggling Responsible disclosure

24 Alexa top100

25 Mitigation approaches
Forward notification approach Determine context Send expected content-type as header Content-Type: application/pdf Content-Type: image/* Server decides whether content matches expected content-type Gives server control the interpretation of contents Error code (404, 500) Alternate content

26 Mitigation Approaches
Server side (application) Client side Syntax injection Filtering? In general, no! Content-smuggling Serve content from a sandboxed domain ( Browser Strict enforcement of server provided content-type Disallow type-attribute Interpreter Strict(er) parsing? Limit communication methods

27 PDF mitigation approaches
Server side Client side Filtering PDF tokens and keywords { <, >, trailer } Content Security Policy DO NOT!!! Improvements in latest version Matching first bytes against know magic values Already found a bypass!  Limit worst communication method

28 DO NOT!!! Content-Disposition: attachment; filename="fname.ext”
Content-Type: application/octet-stream ”If this header is used in a response with the application/octet- stream content-type, the implied suggestion is that the user agent should not display the response, but directly enter a `save response as...' dialog.” This is NOT respected by Adobe Reader

29 Summary Polyglot attacks – New breed of cross-origin attacks
Syntax injection Content-smuggling PDF-based polyglot attacks Flexible error tolerant format Powerful beyond necessity Mitigation approaches Forward notification approach Specific approaches

30 Thank you!

31 Cross-origin CSS attack
Minimal amount of CSS-syntax injected in target HTML-page {}#f{font-family:’ … arbitrary HTML content … ’} Attacker uses HTML-page as style-sheet in his page Victim visits attackers page Attacker can extract the arbitrary content from imported style-sheet

32 GIFar – Content smuggling attack
GIF-image Parsed top-down, content after trailer ignored JAR-file Based on ZIP-archives Parsed bottom-up, content before header ignored GIF + JAR = GIFAR copy /b benign.gif + malicious.jar gifar.gif The GIFAR is uploaded to a vulnerable service, The GIFAR is embedded from the vulnerable service on attackers page as an applet Any visitor to the attackers page will execute the applet

33 Content Sniffing attack
Browser performs content sniffing when server provides unknown content-type Content is matched against a series of signtures If a match is found the content is interpreted as the matched type Attacker creates a “chameleon” file Benign format + HTML The file is crafted to match HTML signature The chameleon is uploaded to a vulnerable service The chameleon is embedded in an iframe on the attackers page Any visitors will trigger the content sniffing and render the HTML

Download ppt "Crossing Origins by Crossing Formats"

Similar presentations

Ads by Google