Presentation is loading. Please wait.

Presentation is loading. Please wait.

MXSS Attacks: Attacking well- secured Web-Applications by using innerHTML Mutations Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, and.

Similar presentations


Presentation on theme: "MXSS Attacks: Attacking well- secured Web-Applications by using innerHTML Mutations Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, and."— Presentation transcript:

1 mXSS Attacks: Attacking well- secured Web-Applications by using innerHTML Mutations Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, and Edward Z. Yang. ACM CCS (November, 2013) 1

2 OUTLINE XSS mXSS Exploits and Attack Surface Mitigation Techniques Evaluation Related Work and Conclusion 2

3 OUTLINE XSS mXSS Exploits and Attack Surface Mitigation Techniques Evaluation Related Work and Conclusion 3

4 Cross-Site Scripting (XSS) Reflected XSS ◦ Maliciously manipulated parameters Stored XSS ◦ User contributed content stored on the server DOM XSS(XSS of the third kind) ◦ JavaScript library 4

5 Solutions for XSS Server-side solutions ◦ Encoding, replacement, rewriting. Client-side solutions ◦ IE8 XSS Filter ◦ Chrome XSS Auditor ◦ Firefox NoScript extension 5

6 OUTLINE XSS mXSS Exploits and Attack Surface Mitigation Techniques Evaluation Related Work and Conclusion 6

7 mXSS Mutation-based Cross-Site-Scripting https://cure53.de/fp170.pdf 7

8 mXSS - At the time of testing Impact on IE, Firefox, Chrome ◦ Webmail Clients Bypass HTML Sanitizers ◦ HTML Purifier ◦ htmLawed ◦ OWASP AntiSamy ◦ jSoup ◦ kses Led to subsequent changes in browser behavior. 8

9 innerHTML / outerHTML An HTML element's property ◦ Creating HTML content from arbitrarily formatted strings ◦ Serializing HTML DOM nodes into strings 9

10 Mutation Trigger the mutation 10

11 Browser Model 11

12 innerHTML-Access Access to the innerHTML properties ◦ from (parent) element nodes HTML editor ◦ contenteditable attribute contenteditable attribute ◦ document.execCommand() document.execCommand() Print preview 12

13 OUTLINE XSS mXSS Exploits and Attack Surface Mitigation Techniques Evaluation Related Work and Conclusion 13

14 Exploits innerHTML-access A. Backtick {` } B. XML Namespace(xmlns) C. CSS Escapes/Misfit Characters 14

15 Exploits – Backtick and XMLNS Backtick {` } XML Namespace 15

16 Exploits – CSS CSS specifications propose CSS escapes ◦ v\61lue = value Mutation ◦ 'val\27ue‘ => ‘val’ue’ 16

17 Exploits – CSS Recursive Decoding Bypass some of HTML filters with recursive decoding 17

18 Exploits – CSS Escapes in Property Names Terminate the style attribute 18

19 Exploits – Entity-Mutation in non- HTML Documents MIME type ◦ text/xhtml Attacker may abuse MIME sniffingMIME sniffing 19

20 Exploits – Entity-Mutation in non- HTML context of HTML documents SVG tag, fixed 20

21 Attack Surface A mutation event occur when 74.5% of the Alexa Top 1000 websites to be using inner-HTML-assignments. 21

22 Attack Surface JavaScript libraries ◦ 65% of the top 10,000 websites ◦ 48.87% using jQuery Webmails ◦ Microsoft Hotmail, Yahoo! Mail, Redi Mail, OpenExchange, Round-cube, etc.. ◦ Bug reports were acknowledged HTML sanitizers ◦ Add new rules for known mutation effects 22

23 OUTLINE XSS mXSS Exploits and Attack Surface Mitigation Techniques Evaluation Related Work and Conclusion 23

24 Mitigation Techniques(Server-side) HTML ◦ Appending a trailing whitespace to text ? CSS ◦ Disallow any of the special characters ◦ Percent-escaping for parentheses and single quotes in URLs Implemented to HTML Purifier(CSS) 24

25 Mitigation Techniques(Client-side) TrueHTML ◦ A script ◦ Overwrites the getter methods of the innerHTML Overwrites the getter methods of the innerHTML ◦ XMLSerializer DOM object XMLSerializer DOM object ◦ Changes the HTML handling into an XML- based processing ◦ Low performance impact compared to filtering innerHTML-data 25

26 OUTLINE XSS mXSS Exploits and Attack Surface Mitigation Techniques Evaluation Related Work and Conclusion 26

27 Evaluation - Size http archive ◦ Average transfer size of a web page  1,200kb(52kb by HTML, 214kb by JavaScript) TrueHTML ◦ 820 byte of code 27

28 Evaluation - Time VM1 ◦ Intel Xeon X5650 CPU 2.67GHz, 2GB RAM ◦ Ubuntu Desktop, Mozilla Firefox VM2 ◦ Inter Core2Duo CPU 1.86GHz, 2GB RAM ◦ Ubuntu Desktop, Mozilla Firefox Proxy Server to inject TrueHTML Navigation Timing API 28

29 Evaluation - Time Network Testing Top 10,000 ◦ Overhead 0.01%~99.94% Local Testing 1 29

30 Evaluation - Time Local Testing 2 ◦ …( 1 kb)… ◦ Scale to 1,000 elements 30

31 OUTLINE XSS mXSS Exploits and Attack Surface Mitigation Techniques Evaluation Related Work and Conclusion 31

32 Related Work Abusing Internet Explorer 8's XSS Filters Browser Security Handbook The Tangled Web: A Guide to Securing Modern Web Applications (book) XSSAuditor bypasses from sla.ckers.org. Towards Elimination of XSS Attacks with a Trusted and Capability Controlled DOM (PhD thesis, Ruhr-University Bochum, 2012) 32

33 Conclusion Problematic and mostly undocumented browser behavior “Well-formed HTML is unambiguous” is false Defensive tools and libraries must gain awareness of the additional processing layers that browsers possess. 33


Download ppt "MXSS Attacks: Attacking well- secured Web-Applications by using innerHTML Mutations Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, and."

Similar presentations


Ads by Google