The Art of Executing JavaScript by Akhil Mahendra

Published in: Software

  1. The Art of Executing Javascript
     Team bi0s, Amrita Center for Cybersecurity, Amritapuri
  2. About
     ➢ Akhil Mahendra
     ➢ Web application security enthusiast
     ➢ CTFer {@teambi0s}
     ➢ @Akhil_Mahendra
  3. Agenda
     ➢ Introduction - XSS
     ➢ Types of XSS and different contexts
     ➢ Same Origin Policy
     ➢ Content Security Policy
     ➢ XSS via AngularJS
  4. Introduction
     Attack with a wrong name?
  5. Introduction
     ➢ Still exists after 18 years!
     ➢ No. 7 in the OWASP Top 10 2017
     ➢ Most commonly reported security vulnerability
  6. Introduction - Impact
     ➢ Stealing user cookies
     ➢ Keylogger
     ➢ Defacing websites
  7. Types of XSS
     ➢ Reflected XSS
     ➢ Stored XSS
     ➢ DOM-based XSS
  8. Different Contexts
     ➢ HTML
     ➢ Attribute
     ➢ Script
     ➢ Style
     ➢ URL
  9. Different Context - HTML context
     ➢ User input lands inside an HTML element
        ○ <p>Injection</p>
     ➢ POC
        ○ <script>alert(1)</script>
  10. Different Context - attribute context
     ➢ User input lands inside an HTML attribute value, or as an attribute name
        ○ <p class="Injection"></p>
        ○ <p Injection="test123"></p>
     ➢ POC
        ○ " onmouseover="alert(1)">
        ○ onmouseover="alert(1)" class
  11. Different Context - script context
     ➢ User input lands inside a <script> block, in a string literal
        ○ <script> var a = 'Injection'; </script>
     ➢ POC
        ○ ';alert(1);//
  12. Different Context - style context
     ➢ User input lands inside a style attribute (CSS)
        ○ <p style="color: injection"></p>
     ➢ POC
        ○ expression(alert(1));
  13. Different Context - URL context
     ➢ User input lands inside a URL attribute such as href
        ○ <a href="injection">click</a>
     ➢ POC
        ○ javascript:alert(1)
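The defence that matches slides 9 to 13 is context-specific output encoding: the same user input needs a different treatment depending on the context it lands in, and an encoder that is right for one context is wrong for another. The Node.js code below is an added example and not part of the deck; the function names (encodeHtml, encodeAttr, encodeJsString, safeCssColor, safeHref, renderAll, neutralised) are this example's own, and the sample inputs are the deck's POC strings reused as constructed test data.

```javascript
// Added example, not from the deck: one output encoder per injection context.
// Function names are this example's own; sample inputs are constructed from
// the deck's POC bullets.

// HTML element context (<p>DATA</p>): the five characters that can open a
// tag, close a tag or terminate an attribute value become entities.
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Attribute value context (<p class="DATA">): the attribute must be quoted in
// the template, and everything outside [A-Za-z0-9] is hex-entity encoded so the
// value can neither close the quote nor start a new attribute. Attribute
// *names* taken from user input (slide 10's second case) cannot be encoded
// safely at all and have to be refused.
function encodeAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => '&#x' + c.charCodeAt(0).toString(16).toUpperCase() + ';');
}

// Script context (var a = DATA;): JSON.stringify yields a quoted JS string
// literal; '<' and '>' are then escaped so "</script>" cannot end the block,
// and U+2028/U+2029 because they are line terminators in JavaScript.
function encodeJsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c').replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}

// Style context (style="color: DATA"): no escaping makes free-form CSS safe,
// so the value is allow-listed; anything but a hex colour or a bare
// identifier falls back to "inherit".
function safeCssColor(s) {
  const v = String(s).trim();
  return /^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[A-Za-z]{1,20})$/.test(v) ? v : 'inherit';
}

// URL context (href="DATA"): only http(s) and relative URLs survive;
// javascript:, data: and unparsable input become about:blank. The WHATWG
// parser lower-cases the scheme and strips leading whitespace, so
// "JaVaScRiPt:" and " javascript:" are caught too. The surviving value is
// still attribute-encoded. The base URL is an assumption of this example.
function safeHref(s) {
  let protocol;
  try {
    protocol = new URL(String(s), 'https://page.example/').protocol;
  } catch (e) {
    return 'about:blank';
  }
  if (protocol !== 'http:' && protocol !== 'https:') return 'about:blank';
  return encodeHtml(s);
}

// Renders one input into the deck's five templates.
function renderAll(input) {
  return {
    html:   `<p>${encodeHtml(input)}</p>`,
    attr:   `<p class="${encodeAttr(input)}"></p>`,
    script: `<script> var a = ${encodeJsString(input)}; </script>`,
    style:  `<p style="color: ${safeCssColor(input)}"></p>`,
    url:    `<a href="${safeHref(input)}">click</a>`,
  };
}

// Constructed samples: the deck's POC payloads, each aimed at its own context.
const POCS = {
  html:   '<script>alert(1)</script>',
  attr:   '" onmouseover="alert(1)">',
  script: "';alert(1);//",
  style:  'expression(alert(1));',
  url:    'javascript:alert(1)',
};

// Per context, whether the deck's payload came out inert in its template.
function neutralised() {
  const out = Object.fromEntries(
    Object.entries(POCS).map(([ctx, p]) => [ctx, renderAll(p)[ctx]]));
  return {
    html:   !/<script/i.test(out.html),                          // no tag can open
    attr:   (out.attr.match(/"/g) || []).length === 2,           // only the template's quotes
    script: /^"(?:[^"\\<>]|\\.)*"$/.test(encodeJsString(POCS.script)), // one closed literal
    style:  out.style === '<p style="color: inherit"></p>',
    url:    out.url === '<a href="about:blank">click</a>',
  };
}
```

Note that the attribute encoder is only safe when the template always quotes the attribute; an unquoted attribute is terminated by a space, which no entity encoding of the value can prevent once the browser decodes it.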
  14. SOP
     ➢ Scripts on a page can make HTTP requests to, and read the responses from, only hosts that share the same protocol, hostname and port
     ➢ A loaded IFRAME cannot read or write data in the embedding page unless it is in the same origin!
  15. SOP
     ➢ Still exists after 18 years!
     ➢ No. 7 in the OWASP Top 10 2017
     ➢ Most commonly reported security vulnerability
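Slide 14's rule, spelled out as an added Node.js example that is not part of the deck: an origin is the triple (protocol, hostname, port), and two documents are the same origin only when all three match, with the port defaulting from the scheme. The function names (originOf, sameOrigin, failingCases) and the URLs in CASES are this example's own constructed data; the parsing comes from Node's built-in WHATWG URL class.

```javascript
// Added example, not from the deck: the same-origin check from slide 14.
// Function names and the URLs in CASES are this example's own.

// Default ports: a URL that omits the port is the same origin as one that
// spells the scheme's default port out explicitly.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// The origin triple (protocol, hostname, port) rendered as one string.
// URL.prototype.origin does this natively; spelling it out shows the parts.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

// A script may read another document's DOM or response only if all three match.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed cases: one per component that can differ, plus the default-port
// rule and the parts of a URL the policy does not look at.
const CASES = [
  ['https://shop.example/cart', 'https://shop.example/api/items',    true,  'same scheme, host and port'],
  ['https://shop.example/cart', 'http://shop.example/api/items',     false, 'scheme differs'],
  ['https://shop.example/cart', 'https://api.shop.example/items',    false, 'host differs (subdomain)'],
  ['https://shop.example/cart', 'https://shop.example:8443/items',   false, 'port differs'],
  ['http://shop.example/cart',  'http://shop.example:80/items',      true,  'explicit default port'],
  ['https://shop.example/cart', 'https://shop.example/other?x=1#f',  true,  'path, query and fragment ignored'],
];

// Descriptions of the cases whose result disagrees with the expectation
// (an empty list means the check agrees with the slide's rule in every case).
function failingCases() {
  return CASES
    .filter(([a, b, expected]) => sameOrigin(a, b) !== expected)
    .map((c) => c[3]);
}
```

The subdomain case is the one most often misjudged: api.shop.example and shop.example are different origins even though they share a registrable domain, which is why cookies (scoped by domain) and the SOP (scoped by origin) behave differently.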
  16. CSP
     ➢ Introduced as a mechanism to mitigate code injection
     ➢ Directives define:
        ○ From where, and what kind of, content is allowed to load
        ○ In which context the content is allowed to execute
     ➢ It is a mitigation, not the first line of defense!
  17. CSP - Directives
     ➢ Directives:
        ○ default-src
        ○ script-src
        ○ object-src
        ○ style-src
        ○ img-src
        ○ frame-src
  18. CSP - Keywords
     ➢ Keywords:
        ○ *
        ○ 'none'
        ○ 'self'
        ○ 'unsafe-inline'
        ○ 'unsafe-eval'
  19. CSP
     ➢ HTTP header
        ○ <?php header("Content-Security-Policy: default-src https://cdn.example.net; object-src 'none'"); ?>
     ➢ Meta tag in HTML
        ○ <meta http-equiv="Content-Security-Policy" content="default-src https://cdn.example.net; object-src 'none'">
  20. CSP - Common mistakes
     ➢ 'unsafe-inline', 'unsafe-eval', data:
        ○ The whole purpose of CSP is defeated
     ➢ Eg: default-src 'self'; script-src 'unsafe-inline'
        ○ Bypass: <script>alert(1)</script>
  21. CSP - Common mistakes
  22. CSP - Common mistakes
     ➢ Nonces:
        ○ A nonce must be a random string
        ○ Must not be reused
        ○ Must not be guessable
  23. CSP - Common mistakes
     ➢ Examples of bad nonces
        ○ Request 1 - D29162F1B99108DDA2406C697FFAC27586F42C7D021669F01F720CEEACBB06F5
        ○ Request 2 - D29162F1B99108DDA2406C697FFAC27586F42C7D021669F01F720CEEACBB06F5
        ○ e10adc3949ba59abbe56e057f20f883e - md5(123456)
        ○ 1231441
  24. Demo
  25. CSP - bypass
     CSP Bypass
  26. XSS via AngularJS
     Escaping the expression sandbox for XSS
  27. Thanks
     @Akhil_Mahendra