Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jonas Magazinius, Andrei Sabelfeld – Chalmers University of Technology Billy K. Rios – Cylance Inc. CROSSING ORIGINS BY CROSSING FORMATS.

Similar presentations

Presentation on theme: "Jonas Magazinius, Andrei Sabelfeld – Chalmers University of Technology Billy K. Rios – Cylance Inc. CROSSING ORIGINS BY CROSSING FORMATS."— Presentation transcript:

1 Jonas Magazinius, Andrei Sabelfeld – Chalmers University of Technology Billy K. Rios – Cylance Inc. CROSSING ORIGINS BY CROSSING FORMATS

2 ABOUT PhD Student, Chalmers until Nov 1st then Dr. Magazinius Securing the mashed up web 10:00 HA4 – Hörsalsvägen, Chalmers Co-leader of OWASP Gothenburg Part of Cure53 @internot_ Father – as some of you might remember

3 LANGUAGE-BASED SECURITY Using programming language theory for finding and mitigating security vulnerabilities Static vs. dynamic analysis Information-flow monitoring Declassification Decentralized Crossing origins by crossing formats Byproduct of research Joint work with Billy K. Rios Greatly inspired by the work of Julia Wolf

4 BACKGROUND GIFAR – content smuggling attack Billy Rios (@XSSniper), Petko D. Petkov (@pdp) Attacker uploads GIF/JAR file Cross-origin CSS attack Chris Evans (@scarybeasts) et al. Attacker injects fragments of CSS into HTML Content-type sniffing attacks Adam Barth (@adambarth) et al. Attacker uploads PS/HTML file

5 THINGS IN COMMON… … mixing formats … re-interpretation of the content

6 POLYGLOT Definition: ”…a person who speaks several languages.” ”…a program that is valid in multiple programming languages.” Content that can be interpreted as multiple formats Example 1 – HTML / JavaScript data:text/html,alert(' ') Example 2 – C / Pascal / PostScript / TeX / Bash / Perl / Befunge98 (*a/*/ % #)(PostScript)/Helvetica 40 selectfont 9 400 moveto show%v"f"a0 true showpage quit%#) 2>/dev/null;echo bash;exit #*/); int main()/*>"eb"v %a*0)unless print"perl\n"__END__*/{printf("C\n");/*>>#;"egnu">:#,_@;,,,< *)begin writeln(*\output={\setbox0=\box255}\eject\shipout\hbox{\TeX}\end *)('pascal');end.{*/ return 0;}

7 MALICIOUS POLYGLOTS Two formats (or more) One benign One malicious GIFAR – GIF/JAVA Cross-origin CSS – HTML/CSS Content-type sniffing – PS/HTML Preferred format characteristics Widespread, commonly used format Error tolerant parsing, or other ways to hide foreign syntax Cross-origin communication

8 POLYGLOT ATTACKS Infiltrate Syntax injection – Cross-origin CSS attack Content smuggling – GIFAR Embed Context based re-interpretation The content-type provided by the server is overridden Tags that allow re-interpretation of content: CSS – -tag Java – -tag Content sniffing – -tag and allows arbitrary interpretation based on type attribute

9 ATTACK VECTORS – SYNTAX INJECTION A vulnerable webservice reflects parameters into content Fragments of syntax is injected resulting in a polyglot Polyglot is embedded under the origin of the attacker The polyglot has origin of, and can communicate with vulnerable service Visitors of the attackers domain are exploited Known attack instances Cross-origin CSS attack (Cross-site scripting) (3)(4) (1) (2)

10 ATTACK VECTORS – CONTENT SMUGGLING A vulnerable webservice allows users to upload content Attacker uploads a polyglot to the vulnerable origin Polyglot is embedded under the origin of the attacker The polyglot has origin of, and can communicate with vulnerable service Visitors of the attackers domain are exploited Known attack instances GIFAR Content sniffing attack (1) (2) (3) (4)(5)

11 PAYLOADS – EXPLOITING THE ORIGIN Cross-origin information leakage Request sensitive user information Leak to attacker across origins Cross-site request forgery Traditionally, issue requests with the credentials of the victim Protect using tokens Impact is far greater if it is possible to read the response Extract token Make request

12 Standardized document format – ISO32000-1 Container format Embed related resources Contain foreign syntax by design Error tolerant parsing Powerful capabilities Display text Render 2D/3D graphics Animations Forms Launch commands (restricted) Execute JavaScript Embed Flash – just fantastic Issue HTTP-request With cookies!! PORTABLE DOCUMENT FORMAT

13 Header %PDF-1.7 Objects 1 0 obj > stream Content stream endstream endobj Cross-reference xref 00000012 0000 n endxref Trailer startxref 105 trailer > %EOF DOCUMENT STRUCTURE

14 %PDF-1.4 1 0 obj<< /Type /Catalog /Outlines 2 0 R /Pages 3 0 R >> endobj 2 0 obj > endobj 3 0 obj<< /Type /Pages /Kids [4 0 R] /Count 1 >> endobj 4 0 obj<< /Type /Page /Parent 3 0 R /MediaBox [0 0 612 792] /Contents 5 0 R /Resources >>> endobj 5 0 obj >stream endstream endobj 6 0 obj[/PDF] endobj xref 0 7 0000000000 65535 f 0000000009 00000 n 0000000074 00000 n 0000000120 00000 n 0000000179 00000 n 0000000300 00000 n 0000000384 00000 n trailer<< /Size 7 /Root 1 0 R>> startxref 408 %EOF MINIMAL PDF (ACCORDING TO SPECIFICATION)

15 %PDF 1 0 obj >>> trailer > …or even shorter… %PDF trailer% 1 0 obj >>> …or even shorter… %PDF trailer<> %PDF-1. trailer >>> …or executing JavaScript… %PDF-1. trailer > /OpenAction<> >> MINIMAL PDF (ACCORDING TO INTERPRETER) Adobe ReaderGoogle Chrome PDF Reader

16 ERROR TOLERANT PARSING This text would also be a valid %PDF-1. With the condition that the trailer %begins on a new line and that there isn’t >>> the dictionary.

17 PDF URL Action – Redirects the browser Embedded Flash Inherits the origin of the document Two-way communication Uses its own set of cookies %PDF-1. trailer < /OpenAction > >>>> JavaScript Inherits the origin of the document Uses the cookies of the browser launchURL() – Redirects the browser getURL() – Redirects the browser submitForm() – POST request via the browser XML External Entity Two-way communication Patched in latest version of Adobe Reader ( FINALLY ) COMMUNICATION

18 Mixes well with just about any format Server can verify benign format Impact CSRF Cross-origin leakage Easy to inject Token-set overlaps with HTML Context dependent Can extract sensitive information CSRF protection token User information Impact CSRF Cross-origin leakage PDF POLYGLOTS Syntax injectionContent smuggling



21 PDF as the malicious format User provided content of any kind PDF as the benign format CV database Conference systems User supplied content reflected XSS vulnerabilities JSON XML POTENTIAL TARGETS Syntax injectionContent smuggling


23 EVALUATION Syntax injection Approach Alexa top100 Results Content smuggling Approach Results Responsible disclosure


25 Determine context Send expected content-type as header Content-Type: application/pdf Content-Type: image/* Server decides whether content matches expected content-type Gives server control the interpretation of contents Error code (404, 500) Alternate content MITIGATION APPROACHES Forward notification approach

26 Browser Strict enforcement of server provided content-type Disallow type-attribute Interpreter Strict(er) parsing? Limit communication methods Syntax injection Filtering? In general, no! Content-smuggling Serve content from a sandboxed domain ( MITIGATION APPROACHES Server side (application)Client side

27 Improvements in latest version Matching first bytes against know magic values Already found a bypass! Limit worst communication method Filtering PDF tokens and keywords {, trailer } Content Security Policy DO NOT!!! PDF MITIGATION APPROACHES Server sideClient side

28 DO NOT!!! Content-Disposition: attachment; filename="fname.ext” Content-Type: application/octet-stream ” If this header is used in a response with the application/octet- stream content-type, the implied suggestion is that the user agent should not display the response, but directly enter a `save response as...' dialog. ” This is NOT respected by Adobe Reader

29 SUMMARY Polyglot attacks – New breed of cross-origin attacks Syntax injection Content-smuggling PDF-based polyglot attacks Flexible error tolerant format Powerful beyond necessity Mitigation approaches Forward notification approach Specific approaches


31 CROSS-ORIGIN CSS ATTACK Minimal amount of CSS-syntax injected in target HTML-page {}#f{font-family:’ … arbitrary HTML content … ’} Attacker uses HTML-page as style-sheet in his page Victim visits attackers page Attacker can extract the arbitrary content from imported style-sheet

32 GIFAR – CONTENT SMUGGLING ATTACK GIF-image Parsed top-down, content after trailer ignored JAR-file Based on ZIP-archives Parsed bottom-up, content before header ignored GIF + JAR = GIFAR copy /b benign.gif + malicious.jar gifar.gif The GIFAR is uploaded to a vulnerable service, The GIFAR is embedded from the vulnerable service on attackers page as an applet Any visitor to the attackers page will execute the applet

33 CONTENT SNIFFING ATTACK Browser performs content sniffing when server provides unknown content-type Content is matched against a series of signtures If a match is found the content is interpreted as the matched type Attacker creates a “chameleon” file Benign format + HTML The file is crafted to match HTML signature The chameleon is uploaded to a vulnerable service The chameleon is embedded in an iframe on the attackers page Any visitors will trigger the content sniffing and render the HTML

Download ppt "Jonas Magazinius, Andrei Sabelfeld – Chalmers University of Technology Billy K. Rios – Cylance Inc. CROSSING ORIGINS BY CROSSING FORMATS."

Similar presentations

Ads by Google