Web Client Side Security - Script Injection
Tal Be’ery @Verint
2013
SOP Threat Model

[Figure: the victim application drawn as a stack of Custom Code over Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce and Bus. Functions; the victim has some interaction with the victim site]

1. Attacker sets the trap on some website on the internet
2. While logged into the vulnerable site, the victim views the attacker site
3. The vulnerable site sees a legitimate request from the victim, performs the requested action and sends a response
Injecting Script to Defeat SOP
- So SOP does not allow scripts from a different origin to access the target origin’s data?
- Then the attacker must get the script to run from the target’s origin!

Getting The Script In
- Malvertising: paying the server to show content (malicious ads)
- XSS: abusing the application’s serving of user content
- Breaking into the server to change content
- Mass injection
- Watering hole attacks
- Injecting onto the connection (MitM)

Malvertising a Script

Paying the target site
- Paying the target site to serve attacker controlled messages to its clients
- Paying for displaying content = advertising

Online advertising
- The business engine for the web
http://blogs-images.forbes.com/roberthof/files/2012/06/iabadrev.gif

Online advertising
- Many parties are involved
http://blogs.wsj.com/digits/2011/06/06/online-ads-where-1240-companies-fit-in/

Malvertising
- Malware advertising
- Usually in the context of malware spreading
- If the ad allows scripting, it can create XSS
http://2.bp.blogspot.com/-qyWHGQxwkPc/Tl0dNR-1g1I/AAAAAAAACdg/wsYFRVfM3NQ/s1600/malvertising%2Byieldmanager%2Bziddu%2Bwebsite.png

Targeting Ads
- Web ads can be highly targeted
- “C level” in “Israel” in the “security industry”
Injecting a Script (XSS)

XSS = Script Injection
- Victim server embeds unsanitized user input in served content
- Served content can contain a script invocation
- The script is from the origin of the victim server and thus can access all of the origin’s data

Stored XSS
- The victim server stores user generated content
  - Comments
  - Profile in social network
  - Reviews
- The content is displayed to other users
- If not properly sanitized, the content can contain a script
Stored XSS Illustrated

[Figure: application with a stored XSS vulnerability, drawn as the same stack of Custom Code over Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce and Bus. Functions]

1. Attacker sets the trap (“update my profile”): the attacker enters a malicious script into a web page that stores the data on the server
2. Victim views the page and sees the attacker’s profile; the script runs inside the victim’s browser with full access to the DOM and cookies
3. The script silently sends the victim’s session cookie to the attacker
Reflected XSS
- The victim site sends back (reflects) user generated content to the user
  - “search results for <sent term>”
  - “The form details you just filled <form data>”
- The content is displayed to the user
- If not properly sanitized, the content can invoke a script

Reflected XSS
- Why should I attack myself?
- The attacker “convinces” the victim to attack itself
  - Link is embedded in attacker site
  - Phishing email
Reflected XSS Demo

Reflected XSS Demo - testing
- Search page is a classic!
- /sitesearch/index.aspx?q=bbbbbbbbbbbb

Reflected XSS Demo – XSS!
- /index.aspx?q=<script>alert(document.cookie);</script>
DOM Based XSS
- Javascript can change inner HTML through the DOM
- If the script in the victim server’s page accepts input from the user without sanitizing it and changes the DOM, then a script can be invoked.

Javascript Invocation
- Direct script injection
- Event handler injection
- Javascript protocol injection
- Injecting into an existing script

Injection
- Injection happens when the attacker is able to cross over from the data area to the control/code area
- All injections (script injections, but also SQL injection, XML injection, LDAP injection, etc.) share the same characteristics:
  - A token that ends the data part
  - Some malicious code
  - A token that returns to the data part (optional)
Direct Script Injection
- <script>alert(1)</script>
- HTML parsers are usually very relaxed and forgiving

Event handler injection
- Example:
  - Original application: <img src="url" alt="some_user_text">
  - Attacker: <img src="url" alt="" onload="evil()">

Javascript protocol injection
- Injecting the javascript pseudo protocol in places intended for URLs
  - Original application: <iframe src="user supplied url">
  - Attacker: <iframe src="Javascript:evil()">

Injecting into an existing script
- Input is embedded into an existing script.
- The script must remain syntactically correct for the malicious payload to execute

Injecting Into an Existing Script – In the Wild
- The value of the locale HTTP parameter is included directly in a javascript within the response and assigned to the s_prop18 variable:
- <script>…var s_prop18="";alert(1);//" …</script>
XSS Attacker’s Tools

Vulnerability Scanners
- Many commercial tools
  - IBM AppScan
  - HP WebInspect
  - Etc.
- Many free tools

Exploitation tools: BeEF
- The Browser Exploitation Framework

BeEF Demo!
XSS Protection

Input/Output Sanitization
- Remove “bad” characters
- Encode “bad” characters
- Context dependent!
  - When input is received, the code does not know in which context it will be displayed
  - When output is presented, the context is known, but the coder may forget its untrusted origin
Too many contexts…

#1 HTML Element Content (e.g., <div> some text to display </div>)
   ( &, <, >, " ) -> &entity;   ( ', / ) -> &#xHH;       ESAPI: encodeForHTML()
#2 HTML Attribute Values (e.g., <input name='person' type='TEXT' value='defaultValue'>)
   All non-alphanumeric < 256 -> &#xHH;                   ESAPI: encodeForHTMLAttribute()
#3 JavaScript Data (e.g., <script> some javascript </script>)
   All non-alphanumeric < 256 -> \xHH                     ESAPI: encodeForJavaScript()
#4 HTML Style Property Values (e.g., .pdiv a:hover {color: red; text-decoration: underline})
   All non-alphanumeric < 256 -> \HH                      ESAPI: encodeForCSS()
#5 URI Attribute Values (e.g., <a href="javascript:toggle('lesson')">)
   All non-alphanumeric < 256 -> %HH                      ESAPI: encodeForURL()
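The five encoding rules in the table, and the "data to code crossover" that the Injection slide describes, are easiest to see side by side. The following is an added example written for this page; it is not ESAPI and not the deck's own code. It implements each rule as the table states it and renders the deck's own payloads (the `" onload="evil()` attribute break-out, the `";alert(1);//` script break-out, the `Javascript:evil()` URL) into their contexts. The templates, the `is_safe_link` allow-list and the trailing space in the CSS escape are this example's own choices.

```python
import string
from urllib.parse import urlsplit

# Added example, not ESAPI or the slides' own code: the five output-encoding rules
# from the contexts table, applied to the injection payloads shown earlier in the deck.

ALNUM = set(string.ascii_letters + string.digits)
HTML_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}


def encode_for_html(text):
    """#1 HTML element content: & < > \" become named entities, ' and / become &#xHH;."""
    out = []
    for ch in text:
        if ch in HTML_ENTITIES:
            out.append(HTML_ENTITIES[ch])
        elif ch in "'/":
            out.append("&#x%02X;" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def _encode_non_alnum(text, fmt):
    """Rules #2 to #5 share one shape: every non-alphanumeric character below 256
    is replaced by a context-specific escape of its code point."""
    return "".join(
        ch if ch in ALNUM or ord(ch) >= 256 else fmt % ord(ch) for ch in text
    )


def encode_for_html_attribute(text):  # #2
    return _encode_non_alnum(text, "&#x%02X;")


def encode_for_javascript(text):  # #3
    return _encode_non_alnum(text, "\\x%02X")


def encode_for_css(text):  # #4
    # The slide writes \HH. A CSS hex escape may run to six hex digits, so a trailing
    # space terminates it; otherwise \3C followed by 'a' would be read as \3CA.
    return _encode_non_alnum(text, "\\%02X ")


def encode_for_url(text):  # #5
    return _encode_non_alnum(text, "%%%02X")


def is_safe_link(url):
    """Rule #5 encodes a value placed inside a URL. A whole user-supplied URL (the
    <iframe src=...> case) cannot be encoded without breaking it, so it is checked
    against an allow-list of schemes instead; '' covers relative URLs."""
    return urlsplit(url.strip()).scheme in ("", "http", "https")


def render_contexts(user_text):
    """Embed one untrusted string in each of the deck's example contexts, encoded
    for that context. The templates are constructed to mirror the slides."""
    return {
        "element": "<div>%s</div>" % encode_for_html(user_text),
        "attribute": '<img src="url" alt="%s">' % encode_for_html_attribute(user_text),
        "script": '<script>var s_prop18="%s";</script>' % encode_for_javascript(user_text),
        "style": '<div style="color: %s">' % encode_for_css(user_text),
        "url": '<iframe src="/go?to=%s">' % encode_for_url(user_text),
    }


if __name__ == "__main__":
    for context, markup in render_contexts('" onload="evil()').items():
        print(context, markup)
    print(is_safe_link("Javascript:evil()"), is_safe_link("https://good.com/"))
```

The point to take from the output is that the same string is safe in one context and a working payload in another: `" onload="evil()` survives rule #1 untouched (quotes become `&quot;` only because `"` is in the #1 set) yet would break out of an attribute, which is why rule #2 encodes everything non-alphanumeric.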
CSP
- Content Security Policy
- Enables the website to specify, with custom headers, the allowed scripts in the page, so no new script can be injected
- In order for CSP to be effective, the website code has to be refactored.
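What "specifying the allowed scripts with a header" means in practice is shown by the following added example, which is not part of the slides. It builds a `script-src` policy and then evaluates, the way a browser would, which scripts a page may run under it: same-origin files, files from listed hosts, and inline blocks carrying the per-response nonce. The host names, the nonce value and the simplified matching (scheme and host only, no ports or paths) are this example's assumptions.

```python
from urllib.parse import urlsplit

# Added example, not from the slides: build a Content-Security-Policy header and
# evaluate which scripts it lets a page run. Host names and the nonce are made up.


def build_csp(allowed_hosts, nonce):
    """A script-src policy: same-origin scripts, the listed hosts, and inline
    scripts that carry this response's nonce. Nothing else executes."""
    sources = ["'self'"] + list(allowed_hosts) + ["'nonce-%s'" % nonce]
    return "script-src %s; object-src 'none'" % " ".join(sources)


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _host_source_matches(source, script_url, page_url):
    """Host-source matching on scheme and host only (ports and paths are left out
    of this example). A bare 'https:' is a scheme-source."""
    if source.endswith(":"):
        return script_url.scheme == source[:-1].lower()
    if "://" in source:
        scheme, host = source.split("://", 1)
    else:
        scheme, host = page_url.scheme, source
    host = host.split("/", 1)[0].split(":", 1)[0].lower()
    if script_url.scheme != scheme.lower():
        return False
    script_host = script_url.hostname or ""
    if host == "*":
        return True
    if host.startswith("*."):
        return script_host.endswith(host[1:])  # subdomains only, per the spec
    return script_host == host


def script_allowed(policy, page_url, src=None, nonce=None):
    """Decide whether a script runs under the policy. src=None means an inline
    <script> block; nonce is the value of its nonce attribute, if any."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:  # no directive at all: nothing is restricted
        return True
    if sources == ["'none'"]:
        return False
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    if src is None:
        # A nonce-source makes 'unsafe-inline' ignored, so an injected inline
        # script is blocked unless it carries the per-response nonce.
        if nonces:
            return nonce in nonces
        return "'unsafe-inline'" in sources
    script_url = urlsplit(src)
    page = urlsplit(page_url)
    for source in sources:
        if source == "'self'":
            if script_url.scheme == page.scheme and script_url.hostname == page.hostname:
                return True
        elif source.startswith("'"):
            continue  # keyword sources do not apply to external scripts
        elif _host_source_matches(source, script_url, page):
            return True
    return False


# Constructed sample: a page on good.com with a policy that names one CDN.
POLICY = parse_csp(build_csp(["https://cdn.example.com"], "r4nd0m"))
PAGE = "https://good.com/index.aspx"

if __name__ == "__main__":
    print(build_csp(["https://cdn.example.com"], "r4nd0m"))
    print("injected inline:", script_allowed(POLICY, PAGE))
    print("nonced inline:  ", script_allowed(POLICY, PAGE, nonce="r4nd0m"))
    print("same origin:    ", script_allowed(POLICY, PAGE, src="https://good.com/app.js"))
```

The refactoring cost the slide mentions is visible in `script_allowed`: every legitimate inline `<script>` on the site has to be given the nonce (or moved into a same-origin file) before the policy can be deployed, because an un-nonced inline block is treated exactly like an injected one.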
NoScript
- Client side plugin
- Stops scripts, but usually kills the user experience too

Web Application Firewalls
- Stop XSS vectors
- Both reflected and persistent
- Examples:
  - Imperva SecureSphere
  - ModSecurity
Browser XSS filter
- Checks for script invocation in user supplied data
- Only effective against reflected XSS
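Why the browser filter catches only the reflected case follows directly from what it can see. The added example below, written for this page and not taken from any browser's filter, applies the core heuristic: look for one of the four script invocation forms listed earlier in the deck inside a request parameter, and act only if that parameter is echoed verbatim in the response. The sample requests and responses are constructed, and the entity-encoding used to neutralize a hit is this example's choice.

```python
import html
import re
from urllib.parse import urlsplit, unquote_plus

# Added example, not from the slides: the heuristic at the heart of a browser's
# reflected-XSS filter, run over constructed requests and responses.

# Markers for the four script invocation forms listed in the deck.
SCRIPT_MARKERS = [
    re.compile(r"<\s*script", re.I),       # direct script injection
    re.compile(r"\bon\w+\s*=", re.I),      # event handler injection
    re.compile(r"javascript\s*:", re.I),   # javascript: pseudo protocol
    re.compile(r"""['"]\s*;"""),           # closing a string literal inside an existing script
]


def _query_params(request_url):
    """Split the query string by hand so ';' inside a value is never treated
    as a pair separator (older parse_qsl versions did that)."""
    params = []
    query = urlsplit(request_url).query
    for pair in query.split("&") if query else []:
        name, _, value = pair.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    return params


def reflected_script_params(request_url, response_body):
    """Return (name, value) for every query parameter that looks like a script
    invocation AND is echoed verbatim in the response. The filter only sees what
    travels in the request, which is why stored XSS passes it untouched."""
    found = []
    for name, value in _query_params(request_url):
        if any(m.search(value) for m in SCRIPT_MARKERS) and value in response_body:
            found.append((name, value))
    return found


def neutralize(request_url, response_body):
    """On a hit, entity-encode the reflected value in the response so it renders
    as text instead of executing. Unmatched responses are returned unchanged."""
    body = response_body
    for _, value in reflected_script_params(request_url, response_body):
        body = body.replace(value, html.escape(value, quote=True))
    return body


# Constructed samples: the search page from the demo slides, reflected; and a
# profile page whose script was stored earlier and is not in this request at all.
REFLECTED_REQ = "/index.aspx?q=<script>alert(document.cookie);</script>"
REFLECTED_BODY = '<h1>Search results for "<script>alert(document.cookie);</script>"</h1>'
STORED_REQ = "/profile.aspx?id=42"
STORED_BODY = '<div class="bio"><script>alert(document.cookie);</script></div>'

if __name__ == "__main__":
    print(reflected_script_params(REFLECTED_REQ, REFLECTED_BODY))
    print(reflected_script_params(STORED_REQ, STORED_BODY))  # [] : the filter is blind here
    print(neutralize(REFLECTED_REQ, REFLECTED_BODY))
```

The second call returning an empty list is the whole slide in one line: the stored profile page carries the same script, but nothing in `/profile.aspx?id=42` resembles it, so a filter that correlates request and response has nothing to match on. The quote-then-semicolon marker also shows the cost of such heuristics, since ordinary text like `it's; fine` trips it as well.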
XSS in the wild

XSSed.com
http://xssed.com/

Scanners Stats
https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf

XSS in Google
http://www.acunetix.com/blog/web-security-zone/articles/xss-vulnerability-injected-google-analytics-executed-ioss-gmail-application/

Breaking into the server

Watering Hole
- Waiting for the victim to come to the attacker
http://tpzoo.files.wordpress.com/2013/02/lion-zebra-water-hole.jpg

Watering Hole Attack
- Break into a website
- Plant a malicious script in it
http://eromang.zataz.com/2013/02/20/facebook-apple-twitter-watering-hole-attack-additional-informations/
MITM

MITM Can Inject Scripts
- The victim requests “good.com”
- The attacker serves arbitrary content as a response
- Scripts served that way are considered by the browser as coming from the “good.com” context

Attacker Doesn’t Have to Be MITM
- Full MITM capabilities are not needed
- “Man on the Side” is enough
- It’s enough to be able to:
  - Eavesdrop on requests
  - Inject false responses
- No need to stop messages

The NSA Did It!
- QUANTUM program
- “..NSA relies on its secret partnerships with US telecoms companies… the NSA places secret servers, codenamed Quantum, at key places on the Internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond..”
https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html
Web Client Side Security - Implementation Bugs

Bugs In SOP
- 2004: Malicious redirects break IE’s SOP implementation

Universal XSS
- The browser is not just the browser
- Addons, extensions, plugins…
- Some of them may have bugs in SOP

Adobe PDF Universal XSS
- Adobe PDF Reader universal XSS
- http://host/file.pdf#anyname=javascript:your_code_here
- If a site hosts a PDF, it has an XSS vulnerability
https://www.owasp.org/images/4/4b/OWASP_IL_The_Universal_XSS_PDF_Vulnerability.pdf

Client Side Vulnerability

Black Hole Exploit Kit

Exploit Delivery
- Introduced with a script
- One of the aforementioned script injection techniques
- Checks for browser vendor, version and installed components to use the right exploit
- Creates the exploited object

Obfuscated Javascript
https://sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf

Detect Vulnerabilities

PDF Exploit