Web Browsers And Other Mistakes

Bluehat v7 slides

1. Web Browsers And Other Mistakes
   Alex "kuza55" K.
   [email_address]
   http://kuza55.blogspot.com/

2. Outline
   - Understanding Web Technologies
   - Finding Vulnerabilities
   - Triggering Vulnerabilities
   - Exploiting Vulnerabilities

3. Understanding Web Technologies
   - Cookies
   - IE: FindMimeFromData
   - Flash: crossdomain.xml & LoadPolicyFile
   - Browser Encoding Behaviour

4. Cookies
   - What is a cookie?
     - It's a name/value pair stored on the client
     - It is sent only to the domain it was set for
     - And that's all most developers know
   - Here is what a cookie looks like when it is set:
       Set-Cookie: NAME=VALUE[; expires=DATE][; path=PATH][; domain=DOMAIN_NAME][; secure][; httpOnly]
   - Here is what a cookie looks like when it is sent:
       Cookie: NAME=VALUE[; NAME=VALUE]

5. Cookies
   - But where does a cookie actually get sent?
     - The browser does a 'domain-match', which means:
       - Domain A matches domain B if:
         - the domains are identical, or
         - A is a FQDN string and has the form NB, B has the form .B', and B' is a FQDN string.
       - (So x.y.com domain-matches .y.com but not y.com)
     - A browser sends a cookie if the domain the user is going to (A) domain-matches the domain in the cookie (B)

6. Cookies
   - So cookies set for .microsoft.com are sent to subdomain.microsoft.com
   - Who can set cookies?
     - A host (A) can set cookies for any domain (B) that it domain-matches
   - So subdomain.microsoft.com can set cookies for .microsoft.com
     - But not for .com (two-dot rule)

7. Cookies
   - But the two-dot rule doesn't work for registries like .co.uk, since they do have two dots
     - Browsers have reacted differently
       - IE doesn't allow cookies for (com|net|org).yy or xx.yy (unless they are in a whitelist)
       - Firefox 2 has no protections
       - Firefox 3 has a massive (but incomplete) list
       - Opera does DNS resolution on the cookie domain (B)
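The domain-match, two-dot and IE registry rules from slides 5-7, written out as an added example (this is not code from the talk); it models the checks a browser applies and shows the .co.uk case that the two-dot rule alone gets wrong. The IE whitelist mentioned on slide 7 is not modelled.

```python
"""Cookie domain-matching and the two-dot rule, as described on slides 5-7.

Added example (not code from the talk). It models the RFC 2109 style
'domain-match' the browser performs, the 'who may set a cookie for which
domain' check with the two-dot rule, and the IE registry refusal from
slide 7, then shows the co.uk case the two-dot rule gets wrong.
"""


def domain_match(host: str, cookie_domain: str) -> bool:
    """True if HOST (A) domain-matches COOKIE_DOMAIN (B).

    A matches B when they are identical, or when B starts with a dot and
    A ends with B with something in front of it (A has the form NB).
    """
    a = host.lower().rstrip(".")
    b = cookie_domain.lower().rstrip(".")
    if a == b:
        return True
    return b.startswith(".") and a.endswith(b) and len(a) > len(b)


def passes_two_dot_rule(cookie_domain: str) -> bool:
    """Slide 6: a domain= value must contain at least two embedded dots
    ('.microsoft.com' is fine, '.com' is not)."""
    d = cookie_domain.lower()
    return d.startswith(".") and d.count(".") >= 2 and not d.endswith(".")


def ie_refuses(cookie_domain: str) -> bool:
    """Slide 7: IE additionally refuses (com|net|org).yy and xx.yy style
    domains, i.e. two labels where the last is a 2-letter ccTLD and the
    first is com/net/org or also 2 letters (the whitelist is ignored here)."""
    labels = cookie_domain.lower().strip(".").split(".")
    if len(labels) != 2 or len(labels[1]) != 2:
        return False
    return labels[0] in ("com", "net", "org") or len(labels[0]) == 2


def can_set_cookie_for(host: str, cookie_domain: str, ie: bool = False) -> bool:
    """May HOST set a cookie carrying domain=COOKIE_DOMAIN?"""
    if not domain_match(host, cookie_domain):
        return False
    if not passes_two_dot_rule(cookie_domain):
        return False
    if ie and ie_refuses(cookie_domain):
        return False
    return True


def cookies_sent(jar, host: str, path: str = "/"):
    """Which jar entries (name, value, domain, path) the browser attaches to
    a request for HOST + PATH: the domain must domain-match and the cookie
    path must be a prefix of the request path. Slide 8: a cookie set by
    sub1.domain.com for .domain.com therefore reaches sub2.domain.com."""
    return [(name, value) for name, value, domain, cpath in jar
            if domain_match(host, domain) and path.startswith(cpath)]


if __name__ == "__main__":
    print(domain_match("x.y.com", ".y.com"), domain_match("y.com", ".y.com"))
    # The two-dot rule alone lets a co.uk site set a registry-wide cookie;
    # the IE rule from slide 7 refuses it.
    print(can_set_cookie_for("www.example.co.uk", ".co.uk"))
    print(can_set_cookie_for("www.example.co.uk", ".co.uk", ie=True))
```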
8. Cookies
   - So on Firefox 2 you can set cookies for any domain not on the com, net, org TLDs
   - In all browsers sub1.domain.com can set cookies for .domain.com, which also get sent to sub2.domain.com
   - By abusing the path attribute we can effectively over-write cookies very specifically, or for the whole domain by setting lots of them

9. Cookies
   - The secure attribute only lets cookies be transmitted over SSL
   - The httpOnly attribute doesn't let JavaScript access cookies
     - You can however access the cookie via XHR as it is being sent, so it is ineffective on sites which regenerate cookies
   - On Firefox and Opera we can delete all the user's cookies by exhausting the global limit on how many cookies can be stored
   - More detailed info at http://kuza55.blogspot.com/2008/02/understanding-cookie-security.html

10. FindMimeFromData
   - FindMimeFromData decides upon a content-type for a page, rather than strictly following a server-provided Content-Type header
     - Allows uploaded images to be rendered as JavaScript-executing HTML pages
       - Well, it used to
         - Previously all GIF & JPG images with correct signatures would not be rendered as HTML
         - Now PNGs aren't either
         - We still have all the other formats though, e.g. .txt, .pdf
         - People still make mistakes with server-side signature verification

11. FindMimeFromData
   - Checks are hardcoded
     - Not vulnerable to encoding issues
     - Only the first 256 bytes are checked, for these strings:
       - <html
       - <head
       - <body
       - <script
       - <pre
       - <table
       - <a href
       - <img
       - <plaintext
       - <title

12. FindMimeFromData
   - I've also been told that it has some heuristic algorithms which trigger on smaller tags if there are enough of them
     - Haven't been able to reproduce with black-box testing

13. crossdomain.xml
   - crossdomain.xml files let you allow cross-domain communication via Flash
   - They look like this:
       <cross-domain-policy>
         <allow-access-from domain="www.domain.com" />
       </cross-domain-policy>
   - But do these apply to the site the Flash file was loaded from, or the site it was embedded in?
     - The site it was loaded from!
       - They also get the default ability to communicate with the site hosting them, regardless of crossdomain.xml
   - File extensions and headers attached to the HTTP response are ignored...
     - If you can upload unfiltered .xyz files, you can load the .xyz file as a Flash file and abuse its privileges
       - Think OWA and other webmail

14. Flash Internals
   - The Flash AS2 VM is tag based
     - Processes one tag after the other until it gets to the end
       - No validity checks unless the tag is processed
         - We can append junk to our swf files, and they're still valid
         - So we don't need to control the whole file
   - So injections into odd Content-Types where you control the very start are exploitable
     - Think JavaScript callbacks
     - Can even get around typical filtering

15. JavaScript Callbacks
       arbitrary data here([{"errors":["NO_RESULT"]}]);

16. LoadPolicyFile
   - LoadPolicyFile lets you have those files by other names and in non-root directories
   - Must be served with a Content-Type header of:
     - text/*
     - application/xml
     - application/xhtml+xml
     - Or in some cases text/x-cross-domain-policy
   - But there is also additional strictness, depending on the root crossdomain.xml

17. Flash 9,0,124,0
   - Adobe released a patch ~3 weeks ago
   - A lot of stuff changed
     - (It seems) Flash files now only inherit permissions if they are hosted and loaded from a given site
     - Flash files can no longer force users to send (somewhat) arbitrary headers to arbitrary domains
       - Or at least that's the idea ;)

18. Browser Encoding Behaviour
   - Horribly understood
     - Little-to-no useful documentation
   - We've still discovered enough to exploit some apps

19. UTF-7 XSS
   - Classic case:
     - No charset in HTTP headers and no charset in meta tags
     - IE auto-detects UTF-7 if you throw it enough UTF-7 encoded data in the first 4Kb of a document
   - Improved classic case (Stefan Esser):
     - As above, but don't rely on auto-detect
     - Load the UTF-7 XSS-ed page into an iframe, with the outside frame having a charset of UTF-7
     - All browsers originally
     - Firefox patched

20. UTF-7
   - No charset in header; charset in meta tag, UTF-7 injection before the meta tag
     - E.g. injection in a title tag
       - Close the title tag
       - Inject a UTF-7 encoded meta tag
       - Inject your UTF-7 encoded XSS
       - Credit to Yosuke Hasegawa
   - http://openmya.hacker.jp/hasegawa/PoC/utf-7/inject-meta.html

21. NULL Bytes
   - Completely ignored in HTML by IE
   - <scr%00ipt> is the same as <script>
   - Makes a lot of filters exploitable
     - Including previous versions of RequestValidation

22. Variable Width Encoding
   - <a href=" <input> "> <input> </a>
   - <a href=" <input>[MBChar] > style="a:expression(alert(1));>text </a>
     - [MBChar] is a multibyte character where " or ' (if ' is used as the quote symbol) is the last byte, and the first byte is the last byte of our first input
     - Only some character sets:
       - http://ha.ckers.org/charsets.html

23. HTML Entity Decoding
   - When the browser uses HTML tag attributes it HTML-decodes them, e.g.
       <a href=http://site/page.php?x=y&a=b>
     is effectively the same as
       <a href=http://site/page.php?x=y&amp;a=b>
   - So
       <a onclick='func("test");'>
     is the same as
       <a onclick='func(&quot;test&quot);'>

24. HTML Entity Decoding
   - So
       <a onclick='func("test&quot); eval(window.name);//");'>
     is the same as
       <a onclick='func("test"); eval(window.name);//");'>
   - So if you're ever inserting data into attributes and the data inside could potentially be dangerous
     - E.g. event handlers, URLs, styles, etc.
   - Decode before escaping/encoding/filtering, then re-encode
   - If not escaping/encoding/filtering, double encode to preserve the value
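The decoding behaviour of slides 23-24, as an added example (not code from the talk): `js_seen_by_browser` models the browser's entity decoding of an attribute value, `vulnerable_onclick` is the broken "strip raw quotes" filter from slide 24, and `safe_onclick`/`safe_href` are the decode-then-escape-then-encode strategies the slide recommends; `func` is the placeholder handler name from the slide.

```python
"""Why 'decode, then escape, then re-encode' is needed for attribute data
(slides 23-24). Added example, not the talk's code.

The browser HTML-decodes an attribute value before the JavaScript engine
ever sees it, so untrusted text containing &quot; ends a JS string literal
even though the server never emitted a raw quote. The functions below
model the browser's decoding step and compare the broken filter from
slide 24 with the safe strategies the slide recommends.
"""
import html
import json

# Constructed: the injected value from slide 24 (an entity, not a raw quote).
UNTRUSTED = "test&quot;); eval(window.name);//"


def js_seen_by_browser(attr_value: str) -> str:
    """The script text the JS engine receives: the attribute value after
    the browser's own HTML entity decoding."""
    return html.unescape(attr_value)


def vulnerable_onclick(value: str) -> str:
    """Slide 24's broken approach: strip raw double quotes but let entities
    through. Returns the onclick attribute value as written to the page."""
    return 'func("%s");' % value.replace('"', "")


def safe_onclick(value: str) -> str:
    """Decode entities first, escape for the inner context (json.dumps gives
    a JS string literal with quotes and backslashes escaped), then HTML-
    encode the whole thing once for the attribute."""
    decoded = html.unescape(value)
    return html.escape("func(%s);" % json.dumps(decoded), quote=True)


def safe_href(url: str) -> str:
    """Slide 23's URL case: HTML-encode once so '&' survives the browser's
    decoding as a parameter separator instead of starting an entity."""
    return html.escape(url, quote=True)


def breaks_out(js_statement: str) -> bool:
    """Does the data terminate the string literal in func("...");?
    True if an unescaped quote appears inside the literal."""
    head, tail = 'func("', '");'
    if not (js_statement.startswith(head) and js_statement.endswith(tail)):
        return True  # not even the expected shape
    body = js_statement[len(head):-len(tail)]
    i = 0
    while i < len(body):
        if body[i] == "\\":
            i += 2  # escaped character, skip it
            continue
        if body[i] == '"':
            return True
        i += 1
    return False


if __name__ == "__main__":
    bad = js_seen_by_browser(vulnerable_onclick(UNTRUSTED))
    good = js_seen_by_browser(safe_onclick(UNTRUSTED))
    print(bad, breaks_out(bad))    # the entity became a quote: breakout
    print(good, breaks_out(good))  # quote stays escaped inside the literal
```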
25. Point?
   - Most developers and security people still don't fully understand all the technologies they work with
     - Including me
   - Please provide good documentation
   - Don't force us to black-box test IE8 to figure out how things work
     - I can't reverse my way out of a wet paper bag

26. Finding Vulnerabilities
   - IE: FindMimeFromData
   - Flash: crossdomain.xml & LoadPolicyFile
   - Browser Encoding Issues
   - IE: Inter-Protocol XSS

27. FindMimeFromData
   - Usually no checks done
   - Many sites use the `recommended` Microsoft solution, setting a header like this:
       Content-Disposition: attachment
     - Still dangerous if users open files
   - Some sites try to do filtering themselves
     - These can usually be bypassed by throwing more knowledge of the algorithm at them

28. FindMimeFromData
   - Some sites verify you have an image for which IE has a signature
     - Try setting an extension for which IE has a signature, e.g. .png
     - But include a valid image of another format
       - e.g. a GIF with a .jpg extension
   - Sometimes works since developers only verify that the image is valid using a generic function, e.g. getimagesize() for PHP
     - Or they simply look for the presence of a signature
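An upload check covering both slide 11 (the 256-byte tag scan) and slides 27-28 (signature must match the declared extension), as an added example that is not code from the talk; the signature table is an assumed subset and the sample files are constructed.

```python
"""Upload checks against IE's FindMimeFromData sniffing (slides 11, 27, 28).

Added example, not the talk's code. Two server-side checks a site can run
on uploaded files it will serve from its own origin:
  1. the magic bytes must match the extension the file is stored under, so
     a GIF body uploaded as .jpg is refused (slide 28's bypass of checks
     that only ask 'is this some valid image?'), and
  2. the first 256 bytes must not contain any of the tag strings slide 11
     lists, since IE promotes such a response to HTML regardless of the
     Content-Type header. Matching is case-insensitive here as the
     conservative choice; the slide does not state IE's case handling.
The signature table is an assumed subset, not IE's list.
"""
import os

SNIFF_WINDOW = 256  # slide 11: only the first 256 bytes are inspected

HTML_TRIGGERS = (b"<html", b"<head", b"<body", b"<script", b"<pre",
                 b"<table", b"<a href", b"<img", b"<plaintext", b"<title")

# extension -> list of (offset, magic) pairs (assumed subset)
SIGNATURES = {
    ".gif": [(0, b"GIF87a"), (0, b"GIF89a")],
    ".jpg": [(0, b"\xff\xd8\xff")],
    ".jpeg": [(0, b"\xff\xd8\xff")],
    ".png": [(0, b"\x89PNG\r\n\x1a\n")],
}
# Formats with no magic to check; these still get the sniff check, which is
# exactly the case slide 10 says remains exploitable (.txt, .pdf, ...).
NO_SIGNATURE = {".txt"}


def html_sniff_hit(data: bytes):
    """Return the first slide-11 tag found in the sniff window, else None."""
    window = data[:SNIFF_WINDOW].lower()
    for tag in HTML_TRIGGERS:
        if tag in window:
            return tag.decode("ascii")
    return None


def signature_matches(filename: str, data: bytes) -> bool:
    """Does the body carry the magic bytes of the declared extension?"""
    ext = os.path.splitext(filename)[1].lower()
    if ext in NO_SIGNATURE:
        return True
    sigs = SIGNATURES.get(ext)
    if not sigs:
        return False  # unknown extension: refuse rather than guess
    return any(data[off:off + len(magic)] == magic for off, magic in sigs)


def check_upload(filename: str, data: bytes):
    """Return (accepted, reason) for a file to be stored under FILENAME."""
    if not signature_matches(filename, data):
        return False, "content does not match the declared extension"
    hit = html_sniff_hit(data)
    if hit is not None:
        return False, "tag %r within the first %d bytes" % (hit, SNIFF_WINDOW)
    return True, "ok"


# Constructed samples: a minimal GIF header followed by HTML, and a GIF
# header followed by padding.
GIF_WITH_HTML = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"<HTML><script>alert(1)</script>"
PLAIN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 40

if __name__ == "__main__":
    print(check_upload("photo.jpg", PLAIN_GIF))      # GIF body under .jpg: refused
    print(check_upload("photo.gif", GIF_WITH_HTML))  # sniffable tag: refused
    print(check_upload("photo.gif", PLAIN_GIF))      # accepted
```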
29. crossdomain.xml
   - Config:
     - Check the /crossdomain.xml file
     - Search for "<cross-domain-policy>" site:site.com
   - Content-based attacks:
     - Crawl the site for instances where you control the first bytes
     - Inspect file uploads
       - Try to inject a Flash file under a different extension

30. LoadPolicyFile
   - Examine /crossdomain.xml
     - Depending on what you find there may be restrictions
       - If no file exists, LoadPolicyFile will fail
         - There were some tricks to bypass this before, but they don't seem to work any more
       - May specify restrictions on other policy files
         - http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_print.html

31. Browser Encoding Issues
   - Check for charset in HTTP headers
     - Is it multi-byte?
       - Can you make valid multibyte characters with a quote as the last character?
         - Vulnerable
   - Check for charset in meta tags
     - Do you have a filtered injection before it?
       - Vulnerable
   - Otherwise vulnerable

32. Inter-Protocol XSS
   - Browsers speak HTTP to ports regardless of whether those ports understand it
   - IE doesn't perform any checks on the response
   - Firefox searches for "http" (case-insensitive) in the first 8 bytes
     - Never going to happen unless it's valid
   - IE searches for "http/" (case-insensitive) in the first 1024 bytes and then assumes the next line is an HTTP header
     - So we can sometimes do HTTP Response Splitting and Header Injection

33. Point?
   - Finding everything is hard
     - Especially when clients are constantly changing
     - We need something for developers to more easily write secure code
       - Frameworks
   - Better documentation is needed
     - Most of this was found by trial and error and eureka moments by various researchers

34. Triggering Vulnerabilities
   - Logged out XSS
   - CSRF-Protected XSS
   - JavaScript Hijacking
   - Session Fixation
   - CSRF Token Fixation
   - CSRF Vulnerabilities

35. Logged Out XSS
   - What does it mean to be 'logged in'?
     - No, it's not like the meaning of life.
   - To be logged in is to send a cookie tied to a valid session
   - So when are you logged out?
     - When your cookie is invalid or you don't send a cookie
   - How do we log the user out for a single request?

36. Logged Out XSS
   - Stop a valid cookie being sent
     - Flash to mangle the cookie
       - Not in IE
       - Not latest Flash
       - Some session handlers like PHP throw a warning, but still create a new session.
     - RequestRodeo
       - Firefox extension which strips all auth data from off-site requests
       - Nice extension, but introduces new issues
     - Path-specific cookies
       - Cross-Site Cooking
       - Subdomain XSS
     - Hope you can somehow delete part of an authentication cookie which can be guessed, e.g. a username

37. CSRF-Protected XSS
   - Log the user in as someone else
     - Log the user out first (not always necessary)
       - Delete all cookies, or CSRF, or wait (not long usually)
       - Or stop the cookies being sent
         - RequestRodeo
     - Log the user in as yourself
       - Flash (not IE) (not latest)
       - Session Fixation
         - URL tokens
           - PHP, Java, others?
         - Cross-Site Cooking
         - Subdomain XSS
         - Abusing SSO systems

38. JavaScript Hijacking
   - Also called JSON hijacking
     - Prevalent in Web 2.0 sites which use JSON to transport sensitive data
     - Remote <script> tags allow us to extract it if
       - The JSON data is wrapped in a callback function
       - The user is running Firefox 2.X
         - We can over-write the default constructors and read the data without it being returned to us
   - But sometimes it is actual JavaScript hijacking, e.g. sometimes other sensitive data is included in files which are interpreted as valid JavaScript
   - So don't put anything sensitive in JavaScript files or JSON

39. Session Fixation
   - Instead of stealing the cookie, set the cookie and then let the user eventually authenticate using it
     - Useful when we are only able to set a cookie
     - Standard defence is to regenerate the session id when the privilege level changes
   - Usually considered difficult, unless:
     - We can supply the token via the URL (sometimes)
       - With PHP's default session handler we must first delete the existing cookies
     - We can use Cross-Site Cooking attacks
     - We have an XSS/cookie injection bug in a subdomain

40. CSRF Token Fixation
   - But is regenerating tokens enough?
     - Not always
   - Session tokens are not the only things we want
     - We want CSRF tokens
     - Which we can also fixate
       - Use a similar procedure to Session Fixation
       - Still need to force the user to use our cookie
         - Just as difficult to exploit
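The defence named on slides 39-40 (regenerate the session id on privilege change, and rotate the CSRF token with it) as an added example that is not code from the talk: a minimal in-memory session store that also refuses to adopt a client-presented id it never issued, in contrast to a handler that creates a session under whatever id it is sent.

```python
"""A session store that resists the fixation procedure of slides 39-40.
Added example, not the talk's code. Three properties, in contrast to a
handler that creates a session under whatever id the client presents:
  - an unknown id in the cookie is replaced by a fresh one, never adopted;
  - ids are taken from the cookie only, never from the URL; and
  - the id is regenerated when the privilege level changes (login), and
    the CSRF token lives inside the session so it rotates with it.
"""
import secrets


class SessionStore:
    def __init__(self):
        self._sessions = {}  # sid -> {"user": str or None, "csrf": str}

    def _create(self, user=None):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def resume(self, cookie_sid):
        """Session id to use for a request that presented COOKIE_SID.
        An id the store never issued (e.g. one planted by an attacker) is
        discarded and a fresh session starts in its place."""
        if cookie_sid is not None and cookie_sid in self._sessions:
            return cookie_sid
        return self._create()

    def login(self, sid, user):
        """Privilege change: move the session to a new id and new CSRF token.
        The old id stops working, so whoever knew it learns nothing."""
        self._sessions.pop(sid, None)
        return self._create(user=user)

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def user(self, sid):
        s = self._sessions.get(sid)
        return None if s is None else s["user"]

    def csrf_token(self, sid):
        s = self._sessions.get(sid)
        return None if s is None else s["csrf"]

    def csrf_valid(self, sid, token):
        """Constant-time comparison of a submitted token with the session's."""
        expected = self.csrf_token(sid)
        return expected is not None and secrets.compare_digest(expected, token)


def fixation_attempt(store, planted_sid):
    """Replay slide 39 against this store: the victim's browser arrives
    carrying PLANTED_SID, then authenticates as 'alice'. Returns the id the
    victim ends up with, the user PLANTED_SID now resolves to, and whether
    the victim is still on the planted id."""
    victim_sid = store.resume(planted_sid)         # planted id is not adopted
    victim_sid = store.login(victim_sid, "alice")  # rotated again on login
    return victim_sid, store.user(planted_sid), victim_sid == planted_sid


if __name__ == "__main__":
    store = SessionStore()
    planted = store.resume(None)  # a real id, obtained by starting a session
    print(fixation_attempt(store, planted))
    print(fixation_attempt(store, "attacker-chosen-id"))
```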
41. CSRF Vulnerabilities
   - Usually very simple to trigger
     - Not on ASP.NET
       - We can only do user-to-user CSRF
         - Not unauthed-to-user CSRF
         - So admin areas are unexploitable by default
       - However, protections are not configurable, only programmable
         - ViewStateUserKey
           - Prone to replay attacks between sessions if the key is not session-specific

42. CSRF Vulnerabilities
   - CAPTCHAs as CSRF solutions
     - Two types
       - captcha.php
       - captcha.php?id=123456
     - Both can be CSRF-ed
       - captcha.php can be CSRF-ed onto the page and filled in by the user
       - captcha.php?id=123456 can sometimes be retrieved, solved by an attacker, and then used in an attack

43. File Upload CSRF
   - Publicly considered unexploitable until February '08
     - Due to the unusual format of the HTTP requests
     - Two methods released, by pdp and me
   - An ActionScript 3 object called URLRequest gives us enough flexibility to easily forge the headers
     - http://www.gnucitizen.org/blog/cross-site-file-upload-attacks/
   - There is a browser bug which also gives us enough control
     - http://kuza55.blogspot.com/2008/02/csrf-ing-file-upload-fields.html

44. Point?
   - Assume all client-side vulnerabilities can be triggered
     - New techniques are constantly being developed
     - Browser technology is a moving target
   - Don't let researchers tell you there are bugs, but then not patch them because you think no-one can exploit them

45. Exploiting Vulnerabilities
   - Beyond Simple Cookie Stealers
   - Hiding in Client-Side Channels
   - Beyond the Same-Origin Policy

46. Beyond Simple Cookie Stealers
   - Cookie stealing payloads are still the most common
     - Also most easily defeated
       - httpOnly
       - IP locks
   - However, more complex payloads are slowly gaining traction

47. Beyond Simple Cookie Stealers
   - User-as-a-proxy payloads are becoming more common, especially as tools are released
     - XSS Proxy
     - XSS Tunnel
       - http://www.portcullis-security.com/tools/free/xssshell-xsstunnell.zip
   - Single-action user-as-a-proxy payloads are sometimes preferable

48. Beyond Simple Cookie Stealers
   - Other XSS tricks
     - Password manager abuse
     - Browser cache snooping
     - Altering client-side data stores

49. Password Manager Abuse
   - Browser automatically fills in passwords
     - Can opt out on Firefox
       - signon.prefillForms
       - Still possible if you know the username
         - Fill in the username
         - Focus on the username field
         - Focus on the password field
         - Extract the password (use setTimeout)
   - Firefox only does a domain check
     - IE does a URL check and doesn't prefill

50. Password Manager Abuse
   - However, it's not so simple
     - You need to tab to the password field for it to be filled in
       - Focus tricks don't work
   - IE has a weirder event model than Firefox
     - Tabs from script do not invoke the password manager
     - Makes the popup blocker bypassable (well, it used to)
     - Makes this harder to exploit
   - So we need some social engineering
   - Entice the user into pressing the tab key

51. Password Manager Abuse
   - IE's page check checks the top frame's URL
     - So we can't have the page inside an iframe
     - Doesn't check whether the form is off-site
       - Not particularly useful unless you can only inject an iframe into a login page
       - Or you can do cross-site frame injection, maybe
   - Open the login window in a popup
     - Inject JS into it
       - Entice users to press the tab key
         - Probably too much effort, and too many tricks required

52. Browser Cache Snooping
   - Why?
     - Sensitive details
       - Think credit cards, etc.
   - How?
     - XmlHttpRequest()
   - Results?
     - IE only
       - Requires no tricks.

53. Altering client-side data stores
   - Some JavaScript becomes exploitable, e.g.
       window.location = getCookie('redirURL');
   - We still face the issue of what our payload should do
   - But we gain the benefit of persistence

54. Hiding in Client-Side Channels
   - One of the problems with XSS is that it can be found in server logs
     - This is silly, since we only need the client to see our payload
     - So we can use client-side channels to transfer our payload
       - document.domain
       - location.hash
       - window.name
       - sessionStorage/globalStorage
       - etc.

55. Beyond the Same-Origin Policy
   - Exploiting Trust Relationships
     - IP
     - DNS

56. Exploiting Trust Relationships: IP
   - Many technologies do not discriminate by port
   - Many are not virtual-host aware

57. IP ports
   - Cookies are shared across ports
   - Flash crossdomain.xml policies rarely make use of port restrictions
   - Why does this matter?
     - Non-virtual-host-aware ports
       - E.g. Inter-Protocol XSS

58. Virtual Hosts
   - The domain is based on the Host: request header the browser added to the request
     - Some ports may not be vhost aware but XSS-able
       - Inter-Protocol XSS, reverse proxies, etc.
     - Some may be vhost aware, but may not know our specific vhost, e.g. vhosts registered for only one port
       - SSL ports, load balancers, etc.
     - Sometimes we can manipulate the Host: header
       - In an earlier version of Flash we could send a malformed Host: header
           addRequestHeader("Host:blah", " ");
         - Gets the default host

59. Exploiting Trust Relationships: DNS
   - Many security models rely on DNS
     - And the security of all sites in the DNS tree
   - Implicit trust between parent and child domains
     - In certain protocols anyway
   - DNS is also not static or homogeneous

60. Heterogeneous DNS Records
   - DNS servers do not necessarily have the same records, e.g.
     - A company may have a wildcard DNS record for *.company.com resolving to
     - If they now create a website at internal.company.com but only place that record on the internal DNS server
     - If *.company.com is vulnerable to XSS, then so is internal.company.com when resolved externally
       - Think laptops
       - Think `persistent` payloads

61. Ambiguous IP Addresses in DNS
   - Many domains inadvertently have a localhost.domain.com address pointing to (Tavis Ormandy)
     - localhost.microsoft.com used to
   - Many internal hosts resolve externally
   - Domains now resolve to IPs which are not controlled by the domain owner

62. Ambiguous IP Addresses in DNS
   - Exploitable in a few scenarios
     - Multi-user system
     - XSS-able service on (Tavis Ormandy)
       - Local machine
       - HTTP proxy
     - Attacker on the same local net

63. Bringing Down the Walls: document.domain
   - document.domain is a read/write property which is set to the domain of the current page
   - This property can be set to any parent domain
   - For two sites to communicate, two checks must be passed (usually):
     - The document.domains are both the same
     - Either both have been altered, or neither has
       - Many sites alter the domain to allow this explicitly
         - MySpace
         - Live.com
         - Yahoo!

64. Bringing Down the Walls: document.domain
   - However, there is a bug in IE
     - Known & unpatched for >1 year
     - If a website reads the location.href property, IE will think the document.domain property has been altered
       - Many scripts read this property
         - Google Analytics
   - So any parent domains which read location.href anywhere at all effectively trust all child domains

65. Exploiting Trust Relationships: DNS
   - Sites can set cookies for child domains and read cookies from parent domains
     - sessionStorage/globalStorage can read/write to parent domains
   - crossdomain.xml allows wildcards
     - Commonly used
       - amazon.com allows *.amazon.com (among others)
       - yahoo.com allows *.yahoo.com
   - SiteLock template for ActiveX controls allows wildcards
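A small policy audit for the wildcard and downgrade grants that slides 13, 17, 57 and 65 warn about, as an added example that is not code from the talk. It uses the documented crossdomain.xml elements and attributes (allow-access-from with domain and secure, allow-http-request-headers-from with domain and headers, site-control with permitted-cross-domain-policies); both sample policies are constructed.

```python
"""Audit a Flash crossdomain.xml policy for the broad grants the talk warns
about (slides 13, 17, 57 and 65). Added example, not the talk's code.

Uses the documented policy-file elements and attributes: allow-access-from
(domain, secure), allow-http-request-headers-from (domain, headers) and
site-control (permitted-cross-domain-policies). Both sample policies are
constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-access-from domain="www.partner.example"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

TIGHT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.partner.example"/>
</cross-domain-policy>
"""


def audit_policy(xml_text: str):
    """Return a list of (rule, value) findings; an empty list means no
    wildcard or downgrade grant was found."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("not-a-policy", root.tag)]

    # Slide 16: with 'all', LoadPolicyFile may pick up policy files elsewhere
    # on the host, e.g. any uploaded file served as text/*.
    sc = root.find("site-control")
    if sc is not None:
        mode = sc.get("permitted-cross-domain-policies", "")
        if mode == "all":
            findings.append(("site-control-all", mode))

    for el in root.findall("allow-access-from"):
        dom = el.get("domain", "")
        if dom == "*":
            # Any site on the internet may read this origin's responses
            # with the user's cookies attached.
            findings.append(("any-domain", dom))
        elif dom.startswith("*."):
            # Slide 65: every subdomain is trusted, so one subdomain XSS,
            # wildcard DNS record or squatted subdomain reaches the parent.
            findings.append(("subdomain-wildcard", dom))
        if el.get("secure", "true").lower() == "false":
            # A policy served over HTTPS granting access to SWFs loaded
            # over plain HTTP.
            findings.append(("insecure-https", dom))

    for el in root.findall("allow-http-request-headers-from"):
        dom = el.get("domain", "")
        hdrs = el.get("headers", "")
        if dom == "*" or dom.startswith("*.") or hdrs.strip() == "*":
            # Slide 17: lets SWFs from those origins attach arbitrary request
            # headers to requests this site will receive.
            findings.append(("request-headers", "%s:%s" % (dom, hdrs)))
    return findings


if __name__ == "__main__":
    for rule, value in audit_policy(SAMPLE_POLICY):
        print("%-20s %s" % (rule, value))
    print("tight policy findings:", audit_policy(TIGHT_POLICY))
```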
66. Subdomain Squatting
   - Network Solutions hijacked their customers' subdomains to serve ads (TechCrunch)
   - Earthlink and Comcast hijacked the subdomains of all sites on the internet and served ads to their customers (Kaminsky)
   - Both cases were XSS-able, the NetSol equivalent trivially

67. Point?
   - Stop building technologies which put trust into DNS
     - We can't continue to blindly trust DNS
   - Nothing other than same-origin-style matches should be good enough
     - Sometimes that's not good enough either
       - Don't do weird DNS things, and don't use shared hosting

68. Questions?

69. Thanks!