Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

Similar documents
25 Million Flows Later Large-scale Detection of DOM-based XSS. CCS 2013, Berlin Sebastian Lekies, Ben Stock, Martin Johns

Client Side Injection on Web Applications

High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018

HTTP Security Headers Explained

Protecting users against XSS-based password manager abuse. AsiaCCS 2014, Kyoto Ben Stock, Martin Johns

CSCE 813 Internet Security Case Study II: XSS

Can HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit

Tabular Presentation of the Application Software Extended Package for Web Browsers

RKN 2015 Application Layer Short Summary

Network-based Origin Confusion Attacks against HTTPS Virtual Hosting

Security Research Advisory IBM WebSphere Portal Cross-Site Scripting Vulnerability

WEB SECURITY: XSS & CSRF

CIS 4360 Secure Computer Systems XSS

Your Scripts in My Page: What Could Possibly Go Wrong? Sebastian Lekies / Ben Stock Martin Johns

EasyCrypt passes an independent security audit

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Preparing for the Cross Site Request Forgery Defense

Eradicating DNS Rebinding with the Extended Same-Origin Policy

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Web Security: Vulnerabilities & Attacks

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Content Security Policy

Evaluating the Security Risks of Static vs. Dynamic Websites

Chrome Extension Security Architecture

NET 311 INFORMATION SECURITY

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

CS 161 Computer Security

Web basics: HTTP cookies

COMP9321 Web Application Engineering

Acknowledgments... xix

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Requirements from the Application Software Extended Package for Web Browsers

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Finding Vulnerabilities in Web Applications

Exploiting and Defending: Common Web Application Vulnerabilities

Fortify Software Security Content 2017 Update 4 December 15, 2017

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

CS 161 Computer Security

Web basics: HTTP cookies

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

CS 155 Project 2. Overview & Part A

Application vulnerabilities and defences

Welcome to the OWASP TOP 10

django-secure Documentation

Web Application Security. Philippe Bogaerts

Web security: an introduction to attack techniques and defense methods

So we broke all CSPs. You won't guess what happened next!

Client Side Security And Testing Tools

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

Scan Report Executive Summary

WHY CSRF WORKS. Implicit authentication by Web browsers

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

C1: Define Security Requirements

MODERN WEB APPLICATION DEFENSES

Copyright


NoScript, CSP and ABE: When The Browser Is Not Your Enemy

C ISPA. Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

P2_L12 Web Security Page 1

Scan Report Executive Summary. Part 2. Component Compliance Summary Component (IP Address, domain, etc.):ekk.worldtravelink.com

Sichere Software vom Java-Entwickler

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Security Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016

Web Security: XSS; Sessions

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

Code-Injection Attacks in Browsers Supporting Policies. Elias Athanasopoulos, Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS

Web Security, Part 2

COMP9321 Web Application Engineering

BOOSTING THE SECURITY

Web Application Security

Moving your website to HTTPS - HSTS, TLS, HPKP, CSP and friends

Web Security Computer Security Peter Reiher December 9, 2014

Ruby on Rails Secure Coding Recommendations

Web Application Vulnerabilities: OWASP Top 10 Revisited

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Lecture 6: Web Security CS /17/2017

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Reflected XSS Cross-Site Request Forgery Other Attacks

Common Websites Security Issues. Ziv Perry

Compliance with OWASP ASVS L1:

We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries

ESORICS September Martin Johns

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

CSC 405 Computer Security. Web Security

TIBCO Cloud Integration Security Overview

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Browser code isolation

How to Configure SSL VPN Portal for Forcepoint NGFW TECHNICAL DOCUMENT

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

Solution of Exercise Sheet 5

Transcription:

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius Steffens German OWASP Day 2018 joint work with Christian Rossow, Martin Johns and Ben Stock

Dimensions of Cross-Site Scripting Server Client Reflected echo "Welcome ". $_GET["name"]; document.write("welcome " + location.hash.slice(1)); Persistent mysql_query("insert INTO posts..."); //.. $res = mysql_query("select * FROM posts"); while ($row = mysql_fetch_array($res)) { print $res[0]; } localstorage.setitem("name", location.hash.slice(1)); //.. document.write("welcome " + localstorage.getitem("name"));!2

Persistent Client-Side XSS? With the advent of HTML5, and other browser technologies, we can envision the attack payload being permanently stored in the victim s browser, such as an HTML5 database, and never being sent to the server at all. - OWASP Wiki!3

Research Questions How many sites of the top 5k make use of data from storages in their clientside code? On how many sites can such a data flow be abused if an adversary can gain control over the storage? Out of these, how many sites can be successfully attacked by a network and Web adversary? To answer: combine taint tracking with automated exploit generation Our previous work (Lekies et al. CCS 2013) + a number of improvements for their shortcomings!4

Persistent Client-Side Cross-Site Scripting Client-side technology allows for storing of data and code Cookies: typically used for preferences and configuration (e.g., language) bound to etld+1 or hostname only limited storage (typically 4096 bytes), limited charset (e.g., cannot contain semicolon) Web Storage: used to persist larger pieces of data bound to origin of the site Session Storage: persisted only within the same browser window Local Storage: shared across all windows http://vuln.com <script> eval(getstorage()); </script> 1 attack(); 2 3!5

Interlude: HTTP Strict Transport Security HTTP header (Strict-Transport-Security) sent by server only valid if sent via HTTPS Strict-Transport-Security: max-age=<expiry in seconds> includesubdomains: header is valid for all subdomains preload: allows for inclusion in preload list ensures that site cannot be loaded via HTTP until expiry is reached Domains can be preloaded in browsers HSTS preload list (https://hstspreload.org/) only possible with at least 18 weeks max-age, includesubdomains and automatic redirect from HTTP!6

Persistent Client-Side Cross-Site Scripting: Attacker Models Requirement for successful attack: persisted malicious payload extracted on every page load; single "infection" is sufficient Attacker Model #1: Network Attacker can modify unencrypted connections cannot get arbitrary TLS certificates Capabilities Cookies: set cookies for any domain without HSTS or with HSTS but without includesubdomains http://vuln.com 1 Local Storage: inject items on HTTP sites only <script> persist(); </script> 3 2!7

Persistent Client-Side Cross-Site Scripting: Attacker Models Attacker Model #2: Web Attacker can force victim's browser to visit any URL Attack Vector #1: Abuse existing XSS flaw allows to inject data into origin (Storage) or domain (cookies) HTTPS does not help at all Attack Vector #2: Abuse flows into storage requires a flow into storage item important: same storage item must be later on used http://attacker.com 2 1 http://vuln.com/?vuln=persist() hard to find in practice <script> persist(); </script> 3!8

Persistent Client-Side Cross-Site Scripting: Potential Attacks Question may arise: why bother with per-user persistent XSS if we need an XSS or an active network adversary in the first place? Potential answers Infect storage with keylogger - wait for next login Security-aware user might not login in untrusted Wifi but will in his home network Cryptojacking, there is always Cryptojacking!9

Sites with flows from cookies/local Storage Cookies Local Storage Sink Total Plain Exploits Total Plain Exploits HTML 496 319 132 (27%) 234 226 105 (45%) JavaScript 547 470 72 (13%) 392 385 108 (27%) script.src 1385 533 17 (1%) 626 297 11 (2%) Total 1645 906 213(13%) 941 654 222 (24%)!10

Exploitability under attacker models 293 sites can be exploited by a network attacker no HTTPS at all or due to lack of HSTS or lack of includesubdomains 65 sites have reflected client-side XSS in the same origin Lower bound on Web attacker no code coverage, no login not considered any other form of XSS not considered "trust relations" (domain relaxation, postmessages,...) 15% of all page loads seem to set document.domain not investigated inter- and intra-storage flows (around 100M data flows in our data)!11

Types of exploitable stored content Unstructured Data (214 domains) Can be addressed via proper encoding Structured Data (such as JSON, 108 domains) Guess what, don't use eval! Client-Side Code Caching (HTML / JavaScript, 101 domains) Service Workers for JavaScript Integrity measures Configuration Information (such as Hostnames, 28 domains) solution depends: mostly whitelisting actually works!12

PoC Two Stage Exploit!13

Summing up Conducted large-scale study on Alexa Top 5,000 1,946 domains make use of storage data in their application 1,324 domains do so without encoding at least once 418 domains have exploitable flow from storage 213 from cookie, 222 from Local Storage Real-world exploitability by attacker models 293/418 domains vulnerable to network attacker 65/418 domains vulnerable to Web attacker Persistent Client-Side is a more widespread issue than might have been assumed!14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback