Web Client Side Security - Script Injection Tal Be’ery @Verint 2013

Client sidesec 2013 - script injection


Page 1: Client sidesec 2013 - script injection

Web Client Side Security - Script Injection
Tal Be'ery @Verint
2013

Page 2: Client sidesec 2013 - script injection

SOP Threat Model

[Diagram: attacker site, victim browser and the victim application with its modules (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions, Custom Code); arrows labelled "Victim site interaction" and "Some interaction with victim site"]

1 Attacker sets the trap on some website on the internet
2 While logged into vulnerable site, victim views attacker site
3 Vulnerable site sees legitimate request from victim, performs the action requested and sends a response

Page 3: Client sidesec 2013 - script injection

Injecting Script to Defeat SOP

O So SOP does not allow scripts from a different origin to access target origin’s data?

O Then, attacker must get the script to run from target’s origin!

Page 4: Client sidesec 2013 - script injection

Getting The Script In
O Malvertising: Paying the server to show content (Malicious Ads)
O XSS: Abusing the application to serve user content
O Breaking into the server to change content
O Mass injection
O Watering Hole attacks
O Injecting onto the connection (MitM)

Page 5: Client sidesec 2013 - script injection

Malvertising a Script

Page 6: Client sidesec 2013 - script injection

Paying the target site
O Paying the target site to serve attacker controlled messages to its clients
O Paying for displaying content = advertising

Page 7: Client sidesec 2013 - script injection

Online advertising
O The business engine for the web

http://blogs-images.forbes.com/roberthof/files/2012/06/iabadrev.gif

Page 8: Client sidesec 2013 - script injection

Online advertising
O Many parties are involved

http://blogs.wsj.com/digits/2011/06/06/online-ads-where-1240-companies-fit-in/

Page 9: Client sidesec 2013 - script injection

Malvertising
O Malware advertising
O Usually in the context of malware spreading
O If it allows scripting, can create XSS

http://2.bp.blogspot.com/-qyWHGQxwkPc/Tl0dNR-1g1I/AAAAAAAACdg/wsYFRVfM3NQ/s1600/malvertising%2Byieldmanager%2Bziddu%2Bwebsite.png

Page 10: Client sidesec 2013 - script injection

Targeting Ads
O Web ads can be highly targeted
O "C level" in "Israel" in the "security industry"

Page 11: Client sidesec 2013 - script injection

Injecting a Script (XSS)

Page 12: Client sidesec 2013 - script injection

XSS = Script Injection
O Victim server embeds unsanitized user input in served content
O Served content can contain a script invocation
O The script is from the origin of the victim server and thus can access all of the origin's data

Page 13: Client sidesec 2013 - script injection

Stored XSS
O The victim server stores user generated content
O Comments
O Profile in social network
O Reviews
O The content is displayed to other users
O If not properly sanitized the content can contain a script

Page 14: Client sidesec 2013 - script injection

Stored XSS Illustrated

[Diagram: attacker, application with stored XSS vulnerability (modules: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions, Custom Code) and victim browser]

1 Attacker sets the trap – update my profile: attacker enters a malicious script into a web page that stores the data on the server
2 Victim views page – sees attacker profile; script runs inside victim's browser with full access to the DOM and cookies
3 Script silently sends attacker victim's session cookie

Page 15: Client sidesec 2013 - script injection

Reflected XSS
O The victim sends back (reflects) user generated content to the user
O "search results for <sent term>"
O "The form details you just filled <form data>"
O The content is displayed to the user
O If not properly sanitized the content can invoke a script

Page 16: Client sidesec 2013 - script injection

Reflected XSS
O Why should I attack myself?
O The attacker "convinces" the victim to attack itself
O Link is embedded in attacker site
O Phishing email

Page 17: Client sidesec 2013 - script injection

Reflected XSS Demo

Page 18: Client sidesec 2013 - script injection

Reflected XSS Demo - testing

O Search page is a classic!
O /sitesearch/index.aspx?q=bbbbbbbbbbbb

Page 19: Client sidesec 2013 - script injection

Reflected XSS Demo – XSS!
O /index.aspx?q=<script>alert(document.cookie);</script>

Page 20: Client sidesec 2013 - script injection

DOM Based XSS
O Javascript can change inner HTML through the DOM
O If the script in victim server's page accepts input from the user without sanitizing it and changes the DOM, then a script can be invoked.

Page 21: Client sidesec 2013 - script injection

Javascript Invocation
O Direct Script Injection
O Event handler injection
O Javascript protocol injection
O Injecting into an existing script

Page 22: Client sidesec 2013 - script injection

Injection
O Injection happens when attacker is able to make a cross over from data area to control/code area
O All Injections (Script injections, but also SQL injection, XML injection, LDAP injection, etc.) share the same characteristics:
O A token that ends the data part
O Some malicious code
O A token that returns to data part (optional)

Page 23: Client sidesec 2013 - script injection

Direct Script Injection
O <script>alert(1)</script>
O HTML parsers are usually very relaxed and forgiving

Page 24: Client sidesec 2013 - script injection

Event handler injection
O Example:
O Original application:
O <img src="url" alt="some_user_text">
O Attacker:
O <img src="url" alt="" onload="evil()">

Page 25: Client sidesec 2013 - script injection

Javascript protocol injection
O Injecting the javascript pseudo protocol in places intended for URLs
O Original application:
O <iframe src="user supplied url">
O Attacker:
O <iframe src="javascript:evil()">

Page 26: Client sidesec 2013 - script injection

Injecting into an existing script

O Input is embedded into existing script.

O Script must remain syntactically correct for the malicious payload to execute

Page 27: Client sidesec 2013 - script injection

Injecting Into an Existing Script – In the Wild

O The value of the locale HTTP parameter is included directly in a javascript within the response and assigned to the s_prop18 variable:
O <script>…var s_prop18="";alert(1);//" …</script>

Page 28: Client sidesec 2013 - script injection

XSS Attacker’s Tools

Page 29: Client sidesec 2013 - script injection

Vulnerability Scanners
O Many commercial tools
O IBM AppScan
O HP WebInspect
O Etc.
O Many free tools

Page 30: Client sidesec 2013 - script injection

Exploitation tools: BeEF

O The Browser Exploitation Framework

Page 31: Client sidesec 2013 - script injection

BeEF Demo!

Page 32: Client sidesec 2013 - script injection

XSS Protection

Page 33: Client sidesec 2013 - script injection

Input/Output Sanitization
O Remove "bad" characters
O Encode "bad" characters
O Context dependent!
O When input is given, the code does not know in which context it would be displayed
O When output is presented, the context is known, but the coder may forget its untrusted origin

Page 34: Client sidesec 2013 - script injection

Too many contexts…

#1 HTML Element Content (e.g., <div> some text to display </div>)
   Encode ( &, <, >, " ) as &entity; and ( ', / ) as &#xHH;
   ESAPI: encodeForHTML()

#2 HTML Attribute Values (e.g., <input name='person' type='TEXT' value='defaultValue'>)
   Encode all non-alphanumeric < 256 as &#xHH;
   ESAPI: encodeForHTMLAttribute()

#3 JavaScript Data (e.g., <script> some javascript </script>)
   Encode all non-alphanumeric < 256 as \xHH
   ESAPI: encodeForJavaScript()

#4 HTML Style Property Values (e.g., .pdiv a:hover {color: red; text-decoration: underline})
   Encode all non-alphanumeric < 256 as \HH
   ESAPI: encodeForCSS()

#5 URI Attribute Values (e.g., <a href="javascript:toggle('lesson')">)
   Encode all non-alphanumeric < 256 as %HH
   ESAPI: encodeForURL()
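As an added example (not from the deck, and not the ESAPI library itself), the five encoders of this slide implemented from its rules and applied to the existing-script and event-handler payloads from the earlier injection slides; function names follow ESAPI, but the code is a stand-alone reimplementation.

```javascript
// Added example, not from the slides: the five output encoders from the
// "Too many contexts" slide, written from its rules. Names follow ESAPI, but
// this is a stand-alone reimplementation, not the ESAPI library.
const isAlnum = (c) => /^[A-Za-z0-9]$/.test(c);
const hex2 = (c) => c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0");

// Rewrites every non-alphanumeric character below 256 with fmt; code points
// of 256 and above pass through unchanged, as the slide's rules say.
function encodeNonAlnum(str, fmt) {
  let out = "";
  for (const c of str) out += (isAlnum(c) || c.charCodeAt(0) >= 256) ? c : fmt(c);
  return out;
}

// #1 HTML element content: & < > " become named entities, ' and / become &#xHH;
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };
function encodeForHTML(str) {
  return str.replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c] || `&#x${hex2(c)};`);
}
// #2 HTML attribute value: &#xHH;   #3 JavaScript data: \xHH
// #4 CSS property value: \HH       #5 URL parameter: %HH
const encodeForHTMLAttribute = (s) => encodeNonAlnum(s, (c) => `&#x${hex2(c)};`);
const encodeForJavaScript = (s) => encodeNonAlnum(s, (c) => `\\x${hex2(c)}`);
const encodeForCSS = (s) => encodeNonAlnum(s, (c) => `\\${hex2(c)}`);
const encodeForURL = (s) => encodeNonAlnum(s, (c) => `%${hex2(c)}`);

// Constructed payloads taken from the deck's injection slides: the quote that
// ends the data part, the code, and (for the script case) the comment token.
const scriptBreakout = '";alert(1);//';   // into var s_prop18="...";
const attrBreakout = '" onload="evil()';  // into <img ... alt="...">

// The same two templates rendered without and with the context's encoder.
function renderLocaleVulnerable(v) { return `var s_prop18="${v}";`; }
function renderLocaleSafe(v) { return `var s_prop18="${encodeForJavaScript(v)}";`; }
function renderAltVulnerable(v) { return `<img src="url" alt="${v}">`; }
function renderAltSafe(v) { return `<img src="url" alt="${encodeForHTMLAttribute(v)}">`; }

// Counts double quotes in the rendered output: the template's own count
// means the untrusted value never closed its string or attribute.
function quoteCount(s) { return (s.match(/"/g) || []).length; }
```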

Page 35: Client sidesec 2013 - script injection

CSP
O Content Security Policy
O Enables the website to specify with custom headers the allowed scripts in the page, so no new script can be injected
O In order for CSP to be effective, the website code has to be refactored.

Page 36: Client sidesec 2013 - script injection

NoScript
O Client side plugin
O Stops scripts, but usually kills user experience too

Page 37: Client sidesec 2013 - script injection

Web Application Firewalls

O Stop XSS vectors
O Both reflected and persistent
O Examples:
O Imperva SecureSphere
O ModSecurity

Page 38: Client sidesec 2013 - script injection

Browser XSS filter
O Checks for script invocation in user supplied data
O Only effective against reflected XSS
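As an added example (not from the deck) of the check the WAF and browser-filter slides describe, a minimal detector that decodes each query parameter from constructed access-log lines and flags the four invocation shapes listed on the "Javascript Invocation" slide; the log lines and IP addresses are constructed, and the payloads are the ones shown earlier in the deck.

```javascript
// Added example, not from the slides: a minimal reflected-XSS detector of the
// kind a WAF or browser filter applies to user-supplied data. It takes the
// request line from constructed access-log entries, decodes each query
// parameter once and looks for the four invocation shapes the deck lists.
// The patterns are recall-oriented heuristics, not a parser.
const INVOCATIONS = [
  { name: "direct script tag", re: /<\s*script\b/i },
  { name: "event handler attribute", re: /\bon[a-z]+\s*=/i },
  { name: "javascript: pseudo-protocol", re: /javascript\s*:/i },
  { name: "quote-then-statement breakout", re: /["']\s*;/ },
];

// Decodes one value the way the server would; an undecodable %-sequence is
// kept verbatim rather than dropped, so nothing is silently skipped.
function decodeParam(raw) {
  try { return decodeURIComponent(raw.replace(/\+/g, " ")); } catch (e) { return raw; }
}

// Returns one finding per (parameter, pattern) hit for a request path.
function inspectPath(path) {
  const q = path.indexOf("?");
  if (q < 0) return [];
  const findings = [];
  for (const pair of path.slice(q + 1).split("&")) {
    const eq = pair.indexOf("=");
    const name = decodeParam(eq < 0 ? pair : pair.slice(0, eq));
    const value = decodeParam(eq < 0 ? "" : pair.slice(eq + 1));
    for (const { name: pattern, re } of INVOCATIONS) {
      if (re.test(value)) findings.push({ param: name, pattern });
    }
  }
  return findings;
}

// Pulls the request path out of a common-log-format line and inspects it.
function inspectLogLine(line) {
  const m = line.match(/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/);
  return m ? inspectPath(m[1]) : [];
}

// Constructed log lines; the payloads are the ones shown in the deck.
const SAMPLE_LOG = [
  '203.0.113.7 - - [12/Oct/2013:10:00:01 +0000] "GET /sitesearch/index.aspx?q=bbbbbbbbbbbb HTTP/1.1" 200 5120',
  '203.0.113.7 - - [12/Oct/2013:10:00:09 +0000] "GET /index.aspx?q=%3Cscript%3Ealert(document.cookie);%3C/script%3E HTTP/1.1" 200 5200',
  '203.0.113.9 - - [12/Oct/2013:10:01:30 +0000] "GET /profile?img=url%22+onload%3D%22evil()%22 HTTP/1.1" 200 900',
  '203.0.113.9 - - [12/Oct/2013:10:02:00 +0000] "GET /view?url=Javascript%3Aevil() HTTP/1.1" 302 0',
  '203.0.113.9 - - [12/Oct/2013:10:02:10 +0000] "GET /page?locale=%22%3Balert(1)%3B%2F%2F HTTP/1.1" 200 4100',
];

// Scans every line and tags each finding with its 1-based line number.
function scanLog(lines) {
  return lines.flatMap((line, i) => inspectLogLine(line).map((f) => ({ line: i + 1, ...f })));
}
```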

Page 39: Client sidesec 2013 - script injection

XSS in the wild

Page 40: Client sidesec 2013 - script injection

XSSed.com
O http://xssed.com/

Page 41: Client sidesec 2013 - script injection

Scanners Stats

https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf

Page 43: Client sidesec 2013 - script injection

Breaking into the server

Page 44: Client sidesec 2013 - script injection

Watering Hole
O Waiting for the victim to come to the attacker

http://tpzoo.files.wordpress.com/2013/02/lion-zebra-water-hole.jpg

Page 45: Client sidesec 2013 - script injection

Watering Hole Attack
O Break into a website
O Plant a malicious script in it

http://eromang.zataz.com/2013/02/20/facebook-apple-twitter-watering-hole-attack-additional-informations/

Page 46: Client sidesec 2013 - script injection

MITM

Page 47: Client sidesec 2013 - script injection

MITM

Page 48: Client sidesec 2013 - script injection

MITM Can Inject Scripts

O The victim requests "good.com"
O The attacker serves arbitrary content as a response
O Scripts served that way are considered by the browser as coming from the "good.com" context

Page 49: Client sidesec 2013 - script injection

Attackers Don't Have to Be MITM

O Full MITM capabilities are not needed
O "Man on the Side" is enough
O It's enough to be able to:
O Eavesdrop on requests
O Inject false responses
O No need to stop messages

Page 50: Client sidesec 2013 - script injection

The NSA Did It!
O QUANTUM program
O "..NSA relies on its secret partnerships with US telecoms companies… the NSA places secret servers, codenamed Quantum, at key places on the Internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond..

https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html

Page 51: Client sidesec 2013 - script injection

Web Client Side Security -

Implementation Bugs

Page 52: Client sidesec 2013 - script injection

Bugs In SOP
O 2004: Malicious redirects break IE's SOP implementation

Page 53: Client sidesec 2013 - script injection

Universal XSS
O Browser is not just the browser
O Addons, extensions, plugins…
O Some of them may have bugs in SOP

Page 54: Client sidesec 2013 - script injection

Adobe PDF Universal XSS

O Adobe PDF Reader universal XSS
O http://host/file.pdf#anyname=javascript:your_code_here
O If a site hosts a PDF it has an XSS vulnerability

https://www.owasp.org/images/4/4b/OWASP_IL_The_Universal_XSS_PDF_Vulnerability.pdf

Page 55: Client sidesec 2013 - script injection

Client Side Vulnerability

Page 56: Client sidesec 2013 - script injection

Black Hole Exploit Kit

Page 57: Client sidesec 2013 - script injection

Exploit Delivery
O Introduced with a script
O One of the aforementioned Script Injection techniques
O Checks for browser vendor, version and installed components to use the right exploit
O Creates the exploited object

Page 58: Client sidesec 2013 - script injection

Obfuscated Javascript

https://sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf

Page 59: Client sidesec 2013 - script injection

Detect Vulnerabilities

Page 60: Client sidesec 2013 - script injection

PDF Exploit