
mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations

mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations. Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, and Edward Z. Yang. ACM CCS (November 2013). Outline: XSS, mXSS, Exploits and Attack Surface, Mitigation Techniques, Evaluation.


Presentation Transcript


  1. mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations. Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, and Edward Z. Yang. ACM CCS (November 2013)

  2. OUTLINE • XSS • mXSS • Exploits and Attack Surface • Mitigation Techniques • Evaluation • Related Work and Conclusion

  3. OUTLINE • XSS • mXSS • Exploits and Attack Surface • Mitigation Techniques • Evaluation • Related Work and Conclusion

  4. Cross-Site Scripting (XSS) • Reflected XSS • Maliciously manipulated parameters • Stored XSS • User-contributed content stored on the server • DOM XSS (XSS of the third kind) • JavaScript library http://www.collinjackson.com/research/xssauditor.pdf

  5. Solutions for XSS • Server-side solutions • Encoding, replacement, rewriting. • Client-side solutions • IE8 XSS Filter • Chrome XSS Auditor • Firefox NoScript extension

  6. OUTLINE • XSS • mXSS • Exploits and Attack Surface • Mitigation Techniques • Evaluation • Related Work and Conclusion

  7. mXSS • Mutation-based Cross-Site-Scripting https://cure53.de/fp170.pdf

  8. mXSS - At the time of testing • Impact on IE, Firefox, Chrome • Webmail Clients • Bypass HTML Sanitizers • HTML Purifier • htmLawed • OWASP AntiSamy • jSoup • kses • Led to subsequent changes in browser behavior.

  9. innerHTML / outerHTML • An HTML element's property • Creating HTML content from arbitrarily formatted strings • Serializing HTML DOM nodes into strings http://www.jb51.net/article/16585.htm

  10. Mutation • Trigger the mutation

  11. Browser Model http://www.cs.berkeley.edu/~dawnsong/papers/2011%20systematic%20analysis%20xss

  12. innerHTML Access • Access to the innerHTML properties • from (parent) element nodes • HTML editor • contenteditable attribute • document.execCommand() • Print preview

  13. OUTLINE • XSS • mXSS • Exploits and Attack Surface • Mitigation Techniques • Evaluation • Related Work and Conclusion

  14. Exploits • innerHTML access • Backtick (`) • XML Namespace (xmlns) • CSS Escapes/Misfit Characters

  15. Exploits – Backtick and XMLNS • Backtick (`) • XML Namespace

  16. Exploits – CSS • CSS specifications propose CSS escapes • v\61lue = value • Mutation • 'val\27ue' => 'val'ue'

  17. Exploits – CSS Recursive Decoding • Bypass some HTML filters with recursive decoding

  18. Exploits – CSS Escapes in Property Names • Terminate the style attribute

  19. Exploits – Entity-Mutation in non-HTML Documents • MIME type • text/xhtml • Attacker may abuse MIME sniffing

  20. Exploits – Entity-Mutation in non-HTML context of HTML documents • SVG tag, fixed

  21. Attack Surface • A mutation event occurs when • 74.5% of the Alexa Top 1000 websites were found to be using innerHTML assignments.

  22. Attack Surface • JavaScript libraries • 65% of the top 10,000 websites • 48.87% using jQuery • Webmails • Microsoft Hotmail, Yahoo! Mail, Redi Mail, OpenExchange, Roundcube, etc. • Bug reports were acknowledged • HTML sanitizers • Add new rules for known mutation effects

  23. OUTLINE • XSS • mXSS • Exploits and Attack Surface • Mitigation Techniques • Evaluation • Related Work and Conclusion

  24. Mitigation Techniques (Server-side) • HTML • Appending a trailing whitespace to text? • CSS • Disallow any of the special characters • Percent-escaping for parentheses and single quotes in URLs • Implemented in HTML Purifier (CSS)
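As an added example (not code from the paper, the slides, or HTML Purifier), the following JavaScript reconstructs the CSS escape decoding from slide 16 and the nested-escape problem from slide 17, then applies the server-side CSS mitigations listed on slide 24: reject values that still contain special characters once fully decoded, and percent-escape parentheses and single quotes in URLs. The function names, the fixed-point decoding rule and the set of rejected characters are this example's own assumptions.

```javascript
// Added example (not the paper's or the slides' code): browser-style CSS escape
// decoding plus the server-side CSS mitigations from slide 24. Function names
// and the fixed-point rule are this example's own choices.

// One decoding pass, following the CSS syntax rules: "\" + 1..6 hex digits
// (an optional single whitespace after them is consumed), otherwise "\" + any
// character stands for that character. Out-of-range code points become U+FFFD.
function decodeCssEscapes(value) {
  return value.replace(/\\([0-9a-fA-F]{1,6})[ \t\n]?|\\([^\n])/g, (m, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return '\uFFFD';
    return String.fromCodePoint(cp);
  });
}

// Decode until nothing changes (bounded). A value that needs more than one pass
// contains nested escapes such as "\5c 27" (backslash, then "27" -> "'"),
// which a filter that decodes only once never sees.
function decodeFully(value, maxRounds = 5) {
  let current = value;
  let rounds = 0;
  while (rounds < maxRounds) {
    const next = decodeCssEscapes(current);
    if (next === current) break;
    current = next;
    rounds += 1;
  }
  return { value: current, rounds };
}

// Characters that must not survive decoding in a CSS value: backslash, quotes,
// markup characters and control characters (assumed list).
const SPECIAL = /[\\'"<>&\u0000-\u001f]/;

// Server-side check: reject nested escapes and any special character in the
// fully decoded value. This is the "disallow special characters" rule as we
// read it, not HTML Purifier's actual implementation.
function isSafeCssValue(value) {
  const { value: decoded, rounds } = decodeFully(value);
  return rounds <= 1 && !SPECIAL.test(decoded);
}

// Percent-escape parentheses and single quotes inside url() arguments so they
// cannot terminate the url() token or open a string.
function escapeCssUrl(url) {
  return url.replace(/[()']/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}
```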

  25. Mitigation Techniques (Client-side) • TrueHTML • A script • Overwrites the getter methods of innerHTML • XMLSerializer DOM object • Changes the HTML handling into XML-based processing • Low performance impact compared to filtering innerHTML data

  26. OUTLINE • XSS • mXSS • Exploits and Attack Surface • Mitigation Techniques • Evaluation • Related Work and Conclusion

  27. Evaluation - Size • HTTP Archive • Average transfer size of a web page • 1,200 kb (52 kb HTML, 214 kb JavaScript) • TrueHTML • 820 bytes of code

  28. Evaluation - Time • VM1 • Intel Xeon X5650 CPU 2.67GHz, 2GB RAM • Ubuntu 12.04 Desktop, Mozilla Firefox 14.0.1 • VM2 • Intel Core2Duo CPU 1.86GHz, 2GB RAM • Ubuntu 12.04 Desktop, Mozilla Firefox 16.0.2 • Proxy server to inject TrueHTML • Navigation Timing API

  29. Evaluation - Time • Network Testing, Top 10,000 • Overhead 0.01% to 99.94% • Local Testing 1

  30. Evaluation - Time • Local Testing 2 • <p>…(1kb)…</p> • Scale to 1,000 elements

  31. OUTLINE • XSS • mXSS • Exploits and Attack Surface • Mitigation Techniques • Evaluation • Related Work and Conclusion

  32. Related Work • Abusing Internet Explorer 8's XSS Filters • Browser Security Handbook • The Tangled Web: A Guide to Securing Modern Web Applications (book) • XSSAuditor bypasses from sla.ckers.org. • Towards Elimination of XSS Attacks with a Trusted and Capability Controlled DOM (PhD thesis, Ruhr-University Bochum, 2012)

  33. Conclusion • Problematic and mostly undocumented browser behavior • “Well-formed HTML is unambiguous” is false • Defensive tools and libraries must gain awareness of the additional processing layers that browsers possess.
