XSS – Cross Site Scripting

Transcription

XSS – Cross Site Scripting
XSS – Cross Site Scripting
Jörg Schwenk
Horst Görtz Institute
Ruhr-University Bochum
Dagstuhl 2009
http://en.wikipedia.org/wiki/Crosssite_scripting
• Cross-site scripting (XSS) is a type of computer security
vulnerability typically found in Web applications that enables
attackers to inject client-side script into Web pages viewed by other
users. A cross-site scripting vulnerability may be used by attackers
to bypass access controls such as the same origin policy. Cross-site
scripting carried out on websites accounted for roughly 80.5% of all
security vulnerabilities documented by Symantec as of 2007.[1] Their
effect may range from a petty nuisance to a significant security risk,
depending on the sensitivity of the data handled by the vulnerable
site and the nature of any security mitigation implemented by the
site's owner.
Overview
1.
2.
3.
4.
5.
6.
Web Origins, Browser DOM and the Same Origin Policy
Reflected XSS
Stored XSS
DOM XSS
Classical Countermeasures
JSAgents
DNS
AJAX engine
Real
Malware
PDF
Rendering
Javascript
Flash
Browser-based protocols
Internet
Webserver Application Database
Server
PKI
AJAX engine
Javascript
Rendering
Browser-based protocols
Internet
Webserver Application Database
Server
Browser-based protocols
AJAX engine
Javascript
Rendering
3
4: CSS
www.css-repos.com
1
2: HTML+JS
www.example.org
5
6: JS-Lib
library.js.net
Web Origins and Browser DOM
window
document
document.location
body
defines
HTML
JS
CSS
JS-Lib
loaded from
loaded from
loaded from
loaded from
www.example.org
www.example.org
www.css-repos.com
library.js.net
grants access
rights to origin
www.example.org
Browser-based Cryptographic protocols:
SOP (Same Origin Policy)
Document1
Cookies
Name
Schwenk
Document2
Form
Account
443232
Script1
Script1:
GetCookie
Amount
Script2:
Modify
Account
Script3:
Send/
Request
data
66,43
Origin: https://banking.bank.com:443
Access Denied
SOP
Origin: http://attacker.org:80
Overview
1.
2.
3.
4.
5.
6.
Web Origins, Browser DOM and the Same Origin Policy
Reflected XSS
Stored XSS
DOM XSS
Classical Countermeasures
JSAgents
Reflected XSS (non-persistent)
•
•
Angreifer übergibt
Skriptcode über
einen eigens
präparierten
Hyperlink an das
Opfer
Typisches
Angriffsziel:
Suchfunktionen in
Webseiten
Reflected XSS (non-persistent)
• Normale URL, die eine Suche auf der Webseite triggert:
http://example.com/?suche=Suchbegriff
• Resultat: <p>Sie suchten nach: Suchbegriff</p>
• Präparierte URL: http://example.com/?suche=<script
type="text/javascript">alert("XSS")</script>
• Resultat: <p>Sie suchten nach: <script
type="text/javascript">alert("XSS")</script></p>
Reflected XSS (non-persistent)
3: GET+
JS-XSS
AJAX engine
Javascript
Rendering
victim.com
4: HTML +
JS-XSS
(active)
1
2:
HTML +
JS-XSS
(inactive) attacker.org
Overview
1.
2.
3.
4.
5.
6.
Web Origins, Browser DOM and the Same Origin Policy
Reflected XSS
Stored XSS
DOM XSS
Classical Countermeasures
JSAgents
Stored XSS (persistent)
Beispiel eBay
Phisher erstellt Angebot
Bettet im Angebot „bösartigen“
Code ein
Code kompromittiert „BietenButton“
Benutzer wird zur Eingabe seiner
Zugangsdaten aufgefordert,
wobei diese Seite vom
Angreifer stammt
Benutzer gibt seine Zugangsdaten
preis
Quelle: http://www.heise.de/security/result.xhtml?url=/security/news/meldung/54272&words=eBay%20Scripting
Stored XSS (persistent)
2: GET
AJAX engine
Javascript
Rendering
victim.com
3: HTML +
JS-XSS
1:
HTML +
JS-XSS
1
attacker.org
Overview
1.
2.
3.
4.
5.
6.
Web Origins, Browser DOM and the Same Origin Policy
Reflected XSS
Stored XSS
DOM XSS
Classical Countermeasures
JSAgents
DOM based XSS (Local XSS)
Consider the following webpage located at
http://www.vulnerable.site/welcome.html
<HTML>
<TITLE>Welcome!</TITLE>
Hi
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,
document.URL.length));
</SCRIPT>
<BR>
Welcome to our system
…
</HTML>
Amit Klein, http://www.webappsec.org/projects/articles/071105.shtml
DOM based XSS (Local XSS)
Typical use:
http://www.vulnerable.site/welcome.html?name=Joe
<HTML>
<TITLE>Welcome!</TITLE>
Hi
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,
document.URL.length));
</SCRIPT>
<BR>
Welcome to our system
…
</HTML>
Amit Klein, http://www.webappsec.org/projects/articles/071105.shtml
DOM based XSS (Local XSS)
Result of:
http://www.vulnerable.site/welcome.html?name=Joe
<HTML>
<TITLE>Welcome!</TITLE>
Hi
Joe
<BR>
Welcome to our system
…
</HTML>
Amit Klein, http://www.webappsec.org/projects/articles/071105.shtml
DOM based XSS (Local XSS)
Result of:
http://www.vulnerable.site/welcome.html?name=
<script>alert(document.cookie)</script>
<HTML>
<TITLE>Welcome!</TITLE>
Hi
<script>alert(document.cookie)</script>
<BR>
Welcome to our system
…
</HTML>
Amit Klein, http://www.webappsec.org/projects/articles/071105.shtml
DOM based XSS (Local XSS)
Avoid detection by server side filtering:
http://www.vulnerable.site/welcome.html#name=
<script>alert(document.cookie)</script>
• # indicates that the string following this character is a fragment
identifier, i.e. it is only an indication to the browser which part of the
document to display
• The string following # is thus never sent to the server, but it is stored
in DOM-properties like document.location or document.URL
Amit Klein, http://www.webappsec.org/projects/articles/071105.shtml
DOM based XSS (Local XSS)
GET welcome.html
3: GET HTTP 1.1
host: www.vulnerable.site
AJAX engine
Javascript
Rendering
victim.com
4: HTML
5: XSS executed during
(local) rendering
1: GET
2:
HTML +
<a href=″http://www.vulnerable.site/welcome.html#
JS-XSS
name= <script>alert(document.cookie)</script>″>Klick
me!</a>
(inactive) attacker.org
Overview
1.
2.
3.
4.
5.
6.
Web Origins, Browser DOM and the Same Origin Policy
Reflected XSS
Stored XSS
DOM XSS
Classical Countermeasures
JSAgents
Server Side: Blocking
• If unsolicited content (e.g. Overlong cookies) is detected, processing
of the http request is blocked.
• Instead, e.g. A static webpage can be displayed.
• Can be misused to perform DoS attacks:
– Vela 2009: Overlong Google Analytics tracking code snippets
Server Side: Stripping and Replacing
• PHP strip_tags() removes potentially dangerous characters
from user input
• If this seems too rigid, $allowable_tags can be defined; this
may open doors for XSS in single web applications
• Stripping substrings is complex: e.g. Stripping „fromCharCode“
from „fromCfromCharCodeharCode“
• Character replacement is more reliable, but can nebertheless be
circumvented (Amazon AWS attack)
Server Side: Escaping
• Potentially dangerous characters like < are prepended with a
backslash character: \<
• Potential problems with unicode characters may lead to SQLi
• innerHTML and CSS attacks
Server Side: Encoding
• PHP htmlentities() and htmlspecialchars() encode
potentially dangerous characters
• May be bypassed with e.g. UTF7 encoding of attack vectors:
+Adw-script+AD4-alert(1)+Adw-/script+AD4-
Server Side: Rewriting
• HTMLPurifier for PHP, AntiSamy for Java, SafeHTML for Windows
Server environments
• Web application want to allow posting of harmless HTML
• Different approaches:
– Only regular expressions: broken
– HTMLPurifier: Build new DOM tree, match this tree aganinst
XHTML DTD, remove non-matching elements
– Google Caja: rewrites Javascript (+HTMl + CSS) code, may
result in code expansion (1 line -> 130 lines)
Client Side Filtering
• Server does not see complete code that is rendered by the browser
– innerHTML
– DOM XSS
– Flash Parameters
• Therefore, client side filtering is applied
Client Side: IE XSS Filter
• Checks for matches between
Request URL fragments and the
resulting HTML markup
• Problems with detecting
fragmented attack vectors
(because they are only
completed by the markup parser)
Markup Parser
Request URL
IE XSS Filter
HTML Markup
Network Stack
Client Side: Webkit/Google Chrome XSS
Auditor
• Works similar to IE XSS
Filter
• Different position
HTML
Parser
Webkit
XSS
Auditor
Network Stack
Javascript
Engine
Client Side: NoScript XSS Filter (Firefox)
• Rewrites URL parameters if
URL request goes to a trusted
site
• insecure.php?a="><img/
src= onerror=alert(1)
• Is changed to
• insecure.php?a=>
img%2Fsrc=
ONERROR=ALERT 1
#some_random_number
HTML Parser
Request URL to Trusted Site
NoScript
Rewritten URL to Trusted Site
Network Stack
Content Security Policy
https://wiki.mozilla.org/Security/CSP/Specification
• Example 2: Auction site wants to allow images from anywhere, plugin
content from a list of trusted media providers (including a content
distribution network), and scripts only from its server hosting sanitized
JavaScript:
X-Content-Security-Policy: allow 'self'; img-src *;
object-src media1.com media2.com *.cdn.com;
script-src trustedscripts.example.com
• Example 4: Online payments site wants to ensure that all of the
content in its pages is loaded over SSL to prevent attackers from
eavesdropping on requests for insecure content:
X-Content-Security-Policy: allow https://*:443
IFrame Sandboxing
Sandboxed Iframes: New feature in HTML5
• No script execution
• No plugin execution
• No top oder parent access
• No form submissions
• ... Only display static HTML
• ... But this can of course be relaxed ☺
Javascript Sandboxing
• JSReg: purely written in Javascript, uses regular expressions, often
broken.
• Dojo Sandbox: blocks access to sensitive DOM properties, broken in
2010 (e.g. Unicode escapes)
• Rhino and LiveConnect: Run Javascript inside an Java applet,
which has its own Javascript parser – should be safe, broken by
Heiderich et.al.
• JSAgents/IceShield: see below
Overview
1.
2.
3.
4.
5.
6.
Web Origins, Browser DOM and the Same Origin Policy
Reflected XSS
Stored XSS
DOM XSS
Classical Countermeasures
JSAgents
Ausblick: Cross Site Request Forgery
Schritt 2: Einloggen des Opfers bei
Hotmail.
1: Login auf NY Times Webseite
3: http-Link (z.B. in einem <img>-Tag)
enthält Query-String mit dem Befehl,
eine E-Mail an [email protected]
zu senden.
Victim
38
nytimes.com
2: Anschauen der Webseite des Angreifers
http://www.freedom-totinker.com/blog/wzeller/popular-websitesvulnerable-cross-site-request-forgery-attacks
Microsoft Identity
Managment
Jörg Schwenk
Lehrstuhl für Netz- und
Datensicherheit
attacker.org
Ausblick: Cross Site Request Forgery
1. ING Direct (ingdirect.com)
– Status: Fixed
2. YouTube (youtube.com)
– Status: Fixed
3. MetaFilter (metafilter.com)
– Status: Fixed
4. The New York Times (nytimes.com)
– Status: Fixed.
39
http://www.freedom-totinker.com/blog/wzeller/popular-websitesvulnerable-cross-site-request-forgery-attacks
Microsoft Identity
Managment
Jörg Schwenk
Lehrstuhl für Netz- und
Datensicherheit

Similar documents