Web Browsers And Other Mistakes

Bluehat v7 slides


  1. Web Browsers And Other Mistakes
     Alex “kuza55” K. [email_address]
     http://kuza55.blogspot.com/
  2. Outline
     • Understanding Web Technologies
     • Finding Vulnerabilities
     • Triggering Vulnerabilities
     • Exploiting Vulnerabilities
  3. Understanding Web Technologies
     • Cookies
     • IE: FindMimeFromData
     • Flash: crossdomain.xml & LoadPolicyFile
     • Browser Encoding Behaviour
  4. Cookies
     • What is a cookie?
       • It’s a name value pair stored on the client
       • It is sent only to the domain it was set for
       • And that’s all most developers know
     • Here is what a cookie looks like when it is set:
       • Set-Cookie: NAME=VALUE[; expires=DATE][; path=PATH][; domain=DOMAIN_NAME][; secure][; httpOnly]
     • Here is what a cookie looks like when it is sent:
       • Cookie: NAME=VALUE[; NAME=VALUE]
  5. Cookies
     • But where does a cookie actually get sent?
       • The browser does a ‘domain-match’ which means:
         • Domain A Matches Domain B if:
         • The domains are identical, or
         • A is a FQDN string and has the form NB, B has the form .B', and B' is a FQDN string.
         • (So, x.y.com domain-matches .y.com but not y.com)
       • A browser sends a cookie if the domain the user is going to (A) domain-matches the domain in the cookie (B)
  6. Cookies
     • So cookies set for .microsoft.com are sent to subdomain.microsoft.com
     • Who can set cookies?
       • A host (A) can set cookies for any domain (B) that it domain-matches
     • So subdomain.microsoft.com can set cookies for .microsoft.com
       • But not for .com (two-dot rule)
  7. Cookies
     • But the two-dot rule doesn’t work for registries like .co.uk since they do have two dots
       • Browsers have reacted differently
         • IE doesn’t allow cookies for (com|net|org).yy or xx.yy (unless they are in a whitelist)
         • Firefox 2 has no protections
         • Firefox 3 has a massive (but incomplete) list
         • Opera does DNS resolution on the cookie domain (B)
  8. Cookies
     • So on Firefox2 you can set cookies for any domain not on the com, net, org TLDs
     • In all browsers sub1.domain.com can set cookies for .domain.com which also get sent to sub2.domain.com
     • By abusing the path attribute we can effectively over-write cookies very specifically, or for the whole domain by setting lots of them
  9. Cookies
     • The secure attribute only lets cookies be transmitted over SSL
     • The httpOnly attribute doesn’t let JavaScript access cookies
       • You can however access the cookie via XHR as it is being sent, so it is ineffective on sites which regenerate cookies
     • On Firefox and Opera we can delete all the user’s cookies by exhausting the global limit on how many cookies can be stored
     • More detailed info at http://kuza55.blogspot.com/2008/02/understanding-cookie-security.html
  10. FindMimeFromData
      • FindMimeFromData decides upon a content-type for a page, rather than strictly following a server provided content-type header
        • Allows uploaded images to be rendered as javascript executing html pages
          • Well, it used to
            • Previously all GIF & JPG images with correct signatures would not be rendered as html
            • Now PNGs aren’t either
            • We still have all the other formats though, e.g. .txt .pdf
            • People still make mistakes with server-side signature verification
  11. FindMimeFromData
      • Checks are hardcoded
        • Not vulnerable to encoding issues
        • Only first 256 bytes are checked for these strings:
          • <html
          • <head
          • <body
          • <script
          • <pre
          • <table
          • <a href
          • <img
          • <plaintext
          • <title
  12. FindMimeFromData
      • I’ve also been told that it has some heuristic algorithms which trigger on smaller tags if there are enough of them
        • Haven’t been able to reproduce with blackbox testing
  13. crossdomain.xml
      • crossdomain.xml files let you allow cross-domain communication via Flash
      • They look like this:
        • <cross-domain-policy>
        • <allow-access-from domain="www.domain.com" />
        • </cross-domain-policy>
      • But do these apply to the site the flash file was loaded from, or the site it was embedded in?
        • The site it was loaded from!
          • They also get the default ability to communicate with their hosted site, regardless of crossdomain.xml
      • File extensions and Headers attached to the HTTP response are ignored…
        • If you can upload unfiltered .xyz files, you can load the .xyz file as a flash file, and abuse its privileges
          • Think OWA and other webmail
  14. Flash Internals
      • Flash AS2 VM is tag based
        • Processed one tag after the other until it gets to the end
          • No validity checks unless the tag is processed
            • We can append junk to our swf files, and they’re still valid
            • So we don’t need to control the whole file
      • So injections of odd Content-Types where you control the very start are exploitable
        • Think JavaScript callbacks
        • Can even get around typical filtering
  15. JavaScript Callbacks
      • arbitrary data here([{"errors":["NO_RESULT"]}]);
  16. LoadPolicyFile
      • LoadPolicyFile lets you have those files by other names and in non-root directories
      • Must be served with a Content-Type header of:
        • text/*
        • application/xml
        • application/xhtml+xml
        • Or in some cases text/x-cross-domain-policy
      • But there is also additional strictness, depending on the root crossdomain.xml
  17. Flash 9,0,124,0
      • Adobe released a patch ~3 weeks ago
      • A lot of stuff changed
        • (It seems) Flash files now only inherit permissions if they are hosted and loaded from a given site
        • Flash files can no longer force users to send (somewhat) arbitrary headers to arbitrary domains
          • Or at least that’s the idea ;)
  18. Browser Encoding Behaviour
      • Horribly Understood
        • Little-to-No useful documentation
      • We’ve still discovered enough to exploit some apps
  19. UTF-7 XSS
      • Classic case:
        • No charset in HTTP headers and no charset in meta tags
        • IE auto-detects UTF-7 if you throw it enough UTF-7 encoded data in the first 4Kb of a document
      • Improved Classic Case: (Stefan Esser)
        • As above, but don’t rely on auto-detect
        • Load utf-7 xss-ed page into an iframe with the outside frame having a charset of utf-7
        • All browsers originally
        • Firefox Patched
  20. UTF-7
      • No charset in header; charset in meta tag, UTF-7 injection before meta tag
        • E.g. injection in a title tag
          • Close the title tag
          • Inject a UTF-7 encoded meta tag
          • Inject your UTF-7 encoded XSS
          • Credit to Yosuke Hasegawa
      • http://openmya.hacker.jp/hasegawa/PoC/utf-7/inject-meta.html
  21. NULL Bytes
      • Completely ignored in HTML by IE
      • <scr%00ipt> is the same as <script>
      • Makes a lot of filters exploitable
        • Including previous versions of RequestValidation
  22. Variable Width Encoding
      • <a href="<input>"><input></a>
      • <a href="<input>[MBChar]> style="a:expression(alert(1));>text</a>
        • [MBChar] is a Multibyte character, where " or ' (if ' is used as the quote symbol) is the last byte and the first byte is the last byte of our first input
        • Only some character sets:
          • http://ha.ckers.org/charsets.html
  23. HTML Entity Decoding
      • When the browser uses html tag attributes it HTML-decodes them, e.g.
        • <a href=http://site/page.php?x=y&a=b>
          • Is effectively the same as
        • <a href=http://site/page.php?x=y&amp;a=b>
      • So
        • <a onclick='func("test");'>
          • Is the same as
        • <a onclick='func(&quot;test&quot);'>
  24. HTML Entity Decoding
      • So
        • <a onclick='func("test&quot); eval(window.name);//");'>
          • Is the same as
        • <a onclick='func("test"); eval(window.name);//");'>
      • So if you’re ever inserting data into attributes and the data inside could potentially be dangerous
        • E.g. event handlers, URLs, styles, etc
      • Decode before escaping/encoding/filtering, then re-encode
      • If not escaping/encoding/filtering; double encode to preserve value
  25. Point?
      • Most developers and security people still don’t fully understand all the technologies they work with
        • Including me
      • Please provide good documentation
      • Don’t force us to black-box test IE8 to figure out how things work
        • I can’t reverse my way out of a wet paper bag
  26. Finding Vulnerabilities
      • IE: FindMimeFromData
      • Flash: crossdomain.xml & LoadPolicyFile
      • Browser Encoding Issues
      • IE: Inter-Protocol XSS
  27. FindMimeFromData
      • Usually no checks done
      • Many sites use the `recommended` Microsoft solution, setting a header like this:
        • Content-Disposition: attachment
          • Still dangerous if users open files
      • Some sites try to do filtering themselves
        • These can usually be bypassed by throwing more knowledge of the algorithm at them
  28. FindMimeFromData
      • Some sites verify you have an image for which IE has a signature
        • Try setting an extension for which IE has a signature, e.g. .png
        • But include a valid image of another format
          • e.g. a GIF with .jpg extension
      • Sometimes works since developers only verify that the image is valid using a generic function, e.g. getimagesize() for PHP
        • Or they simply look for the presence of a signature
  29. crossdomain.xml
      • Config:
        • Check the /crossdomain.xml file
        • search for "<cross-domain-policy>" site:site.com
      • Content-based attacks:
        • Crawl the site for instances where you control the first bytes
        • Inspect File uploads
          • Try to inject a flash file under a different extension
  30. LoadPolicyFile
      • Examine /crossdomain.xml
        • Depending on what you find there may be restrictions
          • If no file exists; LoadPolicyFile will fail
            • There were some tricks to bypass this before, but they don’t seem to work any more
          • May specify restrictions on other policy files
            • http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_print.html
  31. Browser Encoding Issues
      • Check for charset in HTTP Headers
        • Is it multi-byte?
          • Can you make valid multibyte characters with a quote as the last character?
            • Vulnerable
      • Check for charset in meta tags
        • Do you have a filtered injection before it?
          • Vulnerable
      • Otherwise vulnerable
  32. Inter-Protocol XSS
      • Browsers speak HTTP to ports regardless of whether those ports understand it
      • IE doesn’t perform any checks on the response
      • Firefox searches for http (case-insensitive) in the first 8 bytes
        • Never going to happen unless it’s valid
      • IE searches for http/ (case-insensitive) in the first 1024 bytes and then assumes the next line is a http header
        • So we can sometimes do HTTP Response Splitting and Header Injection
  33. Point?
      • Finding everything is hard
        • Especially when clients are constantly changing
        • We need something for developers to more easily write secure code
          • Frameworks
      • Better documentation is needed
        • Most of this was found by trial and error and eureka moments by various researchers
  34. Triggering Vulnerabilities
      • Logged out XSS
      • CSRF-Protected XSS
      • JavaScript Hijacking
      • Session Fixation
      • CSRF Token Fixation
      • CSRF Vulnerabilities
  35. Logged Out XSS
      • What does it mean to be ‘logged in’?
        • No, it’s not like the meaning of life.
      • To be logged in is to send a cookie tied to a valid session
      • So when are you logged out?
        • When your cookie is invalid or you don’t send a cookie
      • How do we log the user out for a single request?
  36. Logged Out XSS
      • Stop a valid cookie being sent
        • Flash to mangle the cookie
          • Not in IE
          • Not Latest Flash
          • Some session handlers like PHP throw a warning, but still create a new session.
        • RequestRodeo
          • Firefox Extension which strips all auth data from off-site requests
          • Nice extension, but introduces new issues
        • Path Specific Cookies
          • Cross-Site Cooking
          • Subdomain XSS
        • Hope you can somehow delete part of an authentication cookie which can be guessed, e.g. a username
  37. CSRF-Protected XSS
      • Log the user in as someone else
        • Log the user out first (not always necessary)
          • Delete all cookies or CSRF or Wait (not long usually)
          • Or Stop the cookies being sent
            • RequestRodeo
        • Log the user in as yourself
          • Flash (Not IE) (Not latest)
          • Session Fixation
            • URL Tokens
              • PHP, Java, others?
            • Cross-Site Cooking
            • Subdomain XSS
            • Abusing SSO systems
  38. JavaScript Hijacking
      • Also called JSON hijacking
        • Prevalent in Web 2.0 sites which use JSON to transport sensitive data
        • Remote <script> tags allow us to extract it if
          • The JSON data is wrapped in a callback function
          • The user is running Firefox 2.X
            • We can over-write the default constructors and read the data without it being returned to us
      • But sometimes it is actual JavaScript hijacking, e.g. sometimes other sensitive data is included in files which are interpreted as valid JavaScript
      • So don’t put anything sensitive in JavaScript files or JSON
  39. Session Fixation
      • Instead of stealing the cookie, set the cookie and then let the user eventually authenticate using it
        • Useful when we are only able to set a cookie
        • Standard defence is to regenerate the session id when the privilege level changes
      • Usually considered difficult, unless:
        • We can supply the token via the URL (sometimes)
          • With PHP’s default session handler we must first delete the existing cookies
        • We can use Cross-Site Cooking attacks
        • We have an XSS/Cookie Injection bug in a subdomain
  40. CSRF Token Fixation
      • But is regenerating tokens enough?
        • Not always
      • Session Tokens are not the only things we want
        • We want CSRF tokens
        • Which we can also fixate
          • Use a similar procedure to Session Fixation
          • Still need to force the user to use our cookie
            • Just as difficult to exploit
  41. CSRF Vulnerabilities
      • Usually very simple to Trigger
        • Not on ASP.NET
          • We can only do user-to-user CSRF
            • Not unauthed-to-user csrf
            • So admin areas are unexploitable by default
          • However, protections are not configurable; only programmable
            • ViewStateUserKey
              • Prone to replay attacks between sessions if the key is non-session specific
  42. CSRF Vulnerabilities
      • CAPTCHAs as CSRF solutions
        • Two types
          • captcha.php
          • captcha.php?id=123456
        • Both can be CSRF-ed
          • captcha.php can be csrf-ed onto the page and filled in by the user
          • captcha.php?id=123456 can sometimes be retrieved, solved by an attacker, and then used in an attack
  43. File Upload CSRF
      • Publicly considered unexploitable until February ’08
        • Due to the unusual format of the http requests
        • Two methods released, by pdp and me
      • An ActionScript 3 object called URLRequest gives us enough flexibility to easily forge the headers
        • http://www.gnucitizen.org/blog/cross-site-file-upload-attacks/
      • There is a browser bug which also gives us enough control
        • http://kuza55.blogspot.com/2008/02/csrf-ing-file-upload-fields.html
  44. Point?
      • Assume all client-side vulnerabilities can be triggered
        • New techniques constantly being developed
        • Browser technology is a moving target
      • Don’t let researchers tell you there are bugs, but then not patch them because you think no-one can exploit them
  45. Exploiting Vulnerabilities
      • Beyond Simple Cookie Stealers
      • Hiding in Client-Side Channels
      • Beyond the Same-Origin Policy
  46. Beyond Simple Cookie Stealers
      • Cookie stealing payloads are still the most common
        • Also most easily defeated
          • httpOnly
          • IP locks
      • However more complex payloads are slowly gaining traction
  47. Beyond Simple Cookie Stealers
      • User-as-a-proxy payloads are becoming more common, especially as tools are released
        • XSS Proxy
        • XSS Tunnel
          • http://www.portcullis-security.com/tools/free/xssshell-xsstunnell.zip
      • Single action user-as-a-proxy payloads are sometimes preferable
  48. Beyond Simple Cookie Stealers
      • Other XSS Tricks
        • Password manager abuse
        • Browser cache snooping
        • Altering client-side data stores
  49. Password Manager Abuse
      • Browser automatically fills in passwords
        • Can opt-out on Firefox
          • signon.prefillForms
          • Still possible if you know the username
            • Fill in the username
            • Focus on the username field
            • Focus on the password field
            • Extract the password (use setTimeout)
      • Firefox only does a domain check
        • IE does a URL check and doesn’t prefill
  50. Password Manager Abuse
      • However, it’s not so simple
        • You need to tab to the password field for it to be filled in
          • Focus tricks don’t work
      • IE has a weirder event model than Firefox
        • Tabs from script do not invoke the password manager
        • Makes the popup blocker bypassable (well, it used to)
        • Makes this harder to exploit
      • So we need some social engineering
      • Entice the user into pressing the tab key
  51. Password Manager Abuse
      • IE’s page check checks the top frame’s URL
        • So we can’t have the page inside an iframe
        • Doesn’t check whether the form is off-site
          • Not particularly useful unless you can only inject an iframe into a login page
          • Or you can do cross-site frame injection, maybe
      • Open the login window in a popup
        • Inject JS into it
          • Entice users to press the tab key
            • Probably too much effort, and too many tricks required
  52. Browser Cache Snooping
      • Why?
        • Sensitive details
          • Think credit cards, etc
      • How?
        • XmlHttpRequest()
      • Results?
        • IE only
          • Requires no tricks.
  53. Altering client-side data stores
      • Some Javascript becomes exploitable, e.g.
        • window.location = getCookie('redirURL');
      • We still face the issue of what our payload should do
      • But we gain the benefit of persistence
  54. Hiding in Client-Side Channels
      • One of the problems with XSS is that it can be found in server logs
        • This is silly since we only need the client to see our payload
        • So we can use client-side channels to transfer our payload
          • document.domain
          • location.hash
          • window.name
          • sessionStorage/globalStorage
          • etc
  55. Beyond the Same-Origin Policy
      • Exploiting Trust Relationships
        • IP
        • DNS
  56. Exploiting Trust Relationships: IP
      • Many technologies do not discriminate by port
      • Many are not virtual host-aware
  57. IP ports
      • Cookies are shared across ports
      • Flash crossdomain.xml policies rarely make use of port restrictions
      • Why does this matter?
        • Non-virtual host aware ports
          • E.g. Inter-Protocol XSS
  58. Virtual Hosts
      • The domain is based on the Host: request header the browser added to the request
        • Some ports may not be vhost aware but xssable
          • Inter-Protocol XSS, Reverse Proxies, etc
        • Some may be vhost aware, but may not know our specific vhost, e.g. vhosts registered for only one port
          • SSL Ports, Load Balancers, etc
        • Sometimes we can manipulate the Host: header
          • In an earlier version of Flash we could send a malformed Host: header
            • addRequestHeader("Host:blah", " ");
              • Gets the default host
  59. Exploiting Trust Relationships: DNS
      • Many security models rely on DNS
        • And the security of all sites in the DNS tree
      • Implicit trust between parents and child domains
        • In certain protocols anyway
      • DNS is also not static or homogeneous
  60. Heterogeneous DNS Records
      • DNS servers do not necessarily have the same records, e.g.
        • A Company may have a wildcard DNS record for *.company.com resolving to 12.34.56.78
        • If they now create a website at internal.company.com but only place that record on the internal DNS server
        • If *.company.com is vulnerable to XSS, then so is internal.company.com when resolved externally
          • Think laptops
          • Think `persistent` payloads
  61. Ambiguous IP Addresses in DNS
      • Many domains inadvertently have a localhost.domain.com address pointing to 127.0.0.1 (Tavis Ormandy)
        • localhost.microsoft.com used to
      • Many internal hosts resolve externally
      • Domains now resolve to IPs which are not controlled by domain owner
  62. Ambiguous IP Addresses in DNS
      • Exploitable in few scenarios
        • Multi-User system
        • XSS-able service on 127.0.0.1 (Tavis Ormandy)
          • Local Machine
          • HTTP proxy
        • Attacker on the same local net
  63. Bringing Down the Walls: document.domain
      • document.domain is a read/write property which is set to the domain of the current page
      • This property can be set to any parent domain
      • To decide whether sites can communicate, two checks must be passed (usually):
        • The document.domain’s are both the same
        • Either both have been altered, or neither has
          • Many sites alter the domain to allow this explicitly
            • MySpace
            • Live.com
            • Yahoo!
  64. Bringing Down the Walls: document.domain
      • However there is a bug in IE
        • Known & Unpatched for >1 year
        • If a website reads the location.href property, IE will think the document.domain property has been altered
          • Many scripts read this property
            • Google Analytics
      • So any parent domains which read location.href anywhere at all effectively trust all child domains
  65. Exploiting Trust Relationships: DNS
      • Sites can set cookies for child domains and read cookies from parent domains
        • sessionStorage/globalStorage can read/write to parent domains
      • crossdomain.xml allows wildcards
        • Commonly used
          • amazon.com allows *.amazon.com (among others)
          • yahoo.com allows *.yahoo.com
      • SiteLock template for ActiveX controls allows wildcards
  66. Subdomain Squatting
      • Network Solutions hijacked their customers’ subdomains to serve ads (Techcrunch)
      • Earthlink and Comcast hijacked the subdomains of all sites on the internet and served ads to their customers (Kaminsky)
      • Both cases were XSS-able, the NetSol equivalent trivially
  67. Point?
      • Stop building technologies which put trust into DNS
        • We can’t continue to blindly trust DNS
      • Nothing other than same-origin-style matches should be good enough
        • Sometimes that’s not good enough either
          • Don’t do weird DNS things, and don’t use shared hosting
  68. Questions?
  69. Thanks!
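
The cookie scoping rules from slides 5 to 8, as an added Python example that is not part of the original slides. It models only the domain-match, the two-dot rule and a registry-suffix check as the slides summarise them; the host names and the `REGISTRY_SUFFIXES` set are constructed for illustration, and the function names are hypothetical.

```python
# Added illustration of the cookie scoping rules on slides 5-8.
# REGISTRY_SUFFIXES and HOSTS are constructed samples, not a real browser list.

REGISTRY_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}

HOSTS = [
    "sub1.domain.com",
    "sub2.domain.com",
    "domain.com",
    "shop.example.co.uk",
    "bank.other.co.uk",
]


def domain_match(a: str, b: str) -> bool:
    """A domain-matches B if they are identical, or B is '.B2' and A is N + B."""
    a, b = a.lower(), b.lower()
    if a == b:
        return True
    return b.startswith(".") and len(a) > len(b) and a.endswith(b)


def two_dot_rule(cookie_domain: str) -> bool:
    """Legacy check: the Domain attribute must contain at least two dots."""
    return cookie_domain.count(".") >= 2


def suffix_rule(cookie_domain: str) -> bool:
    """Stricter check: refuse a Domain attribute that is itself a registry suffix."""
    return cookie_domain.lstrip(".").lower() not in REGISTRY_SUFFIXES


def may_set(host: str, cookie_domain: str, rule) -> bool:
    """A host may set a cookie for a domain it domain-matches, if the rule allows it."""
    return domain_match(host, cookie_domain) and rule(cookie_domain)


def recipients(setter: str, cookie_domain: str, hosts, rule):
    """Hosts that would receive a cookie that `setter` scopes to `cookie_domain`."""
    if not may_set(setter, cookie_domain, rule):
        return []
    return [h for h in hosts if domain_match(h, cookie_domain)]


def parent_domains(host: str):
    """Every '.parent' form a host could put in the Domain attribute."""
    labels = host.lower().split(".")
    return ["." + ".".join(labels[i:]) for i in range(1, len(labels))]


def exposure(hosts, rule):
    """Map each host to the other hosts it can plant cookies on under `rule`."""
    result = {}
    for setter in hosts:
        reached = set()
        for dom in parent_domains(setter):
            reached.update(recipients(setter, dom, hosts, rule))
        reached.discard(setter)
        result[setter] = sorted(reached)
    return result


if __name__ == "__main__":
    for name, rule in (("two-dot rule", two_dot_rule), ("suffix rule", suffix_rule)):
        print(name)
        for host, reached in exposure(HOSTS, rule).items():
            print(f"  {host} -> {reached}")
```

Under the two-dot rule the unrelated .co.uk sites can reach each other; the suffix check removes that, while sibling subdomains of one registrable domain still share cookie scope.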
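
A server-side upload check built from the sniffing behaviour described on slides 10, 11, 27 and 28, as an added Python example that is not part of the original slides. It models only what the slides state (the ten hard-coded strings, the 256-byte window, the GIF/JPG/PNG signature exemption); case-insensitive matching is a conservative assumption, and the function names and sample files are constructed.

```python
# Added illustration: flag uploads that the sniffing behaviour on slides 10-11
# could render as HTML. This is a model of the slides, not the real algorithm.

SNIFF_WINDOW = 256  # slide 11: only the first 256 bytes are checked
HTML_MARKERS = (b"<html", b"<head", b"<body", b"<script", b"<pre", b"<table",
                b"<a href", b"<img", b"<plaintext", b"<title")
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
EXT_ALIASES = {"jpeg": "jpg", "jpe": "jpg"}


def detected_type(data: bytes):
    """Image type according to the leading signature, or None."""
    for kind, magics in SIGNATURES.items():
        if data.startswith(magics):
            return kind
    return None


def declared_type(filename: str) -> str:
    """Image type the file name claims, from its extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_ALIASES.get(ext, ext)


def sniffable_markers(data: bytes):
    """Hard-coded strings found in the sniffing window (assumed case-insensitive)."""
    window = data[:SNIFF_WINDOW].lower()
    return [m.decode() for m in HTML_MARKERS if m in window]


def audit_upload(filename: str, data: bytes):
    """Return (verdict, reason) for one uploaded file."""
    declared, actual = declared_type(filename), detected_type(data)
    if actual and declared == actual:
        return ("accept", f"{actual} signature matches extension")
    if actual:
        # Slide 28: a valid image of one format under another format's extension.
        return ("reject", f"{actual} signature under .{declared} extension")
    markers = sniffable_markers(data)
    if markers:
        return ("reject", "HTML markers in first 256 bytes: " + ", ".join(markers))
    return ("attachment", "no signature, no marker: serve with Content-Disposition: attachment")


# Constructed sample uploads.
GIF_OK = b"GIF89a\x01\x00\x01\x00" + b"\x00" * 20
MISMATCH = b"GIF89a<script>/* constructed */</script>"
TEXT = b"notes\n<HTML><body>hello</body></HTML>"
LATE = b"A" * 300 + b"<script>"

if __name__ == "__main__":
    for name, blob in (("avatar.gif", GIF_OK), ("avatar.jpg", MISMATCH),
                       ("readme.txt", TEXT), ("log.txt", LATE)):
        print(name, audit_upload(name, blob))
```

The last verdict still relies on the Content-Disposition header, which slide 27 notes is dangerous if the user opens the file.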
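
The attribute handling advice on slides 23 and 24 ("decode before escaping, then re-encode" and "double encode to preserve value"), as an added Python example that is not part of the original slides. The browser's attribute decoding is simulated with `html.unescape`, the input is the string shown on slide 24, and all function names are hypothetical.

```python
# Added illustration of slides 23-24: a value placed inside an event-handler
# attribute is HTML-decoded by the browser before the script engine sees it.
import html
import json

PAYLOAD = "test&quot); eval(window.name);//"  # the input shown on slide 24


def naive_handler_attr(value: str) -> str:
    """Escapes JS metacharacters only; entities in the input pass through."""
    js = value.replace("\\", "\\\\").replace('"', '\\"')
    return 'func("' + js + '");'


def decoded_handler_attr(value: str) -> str:
    """Slide 24: decode first, escape for the JS string, re-encode for HTML."""
    decoded = html.unescape(value)
    return html.escape("func(" + json.dumps(decoded) + ");", quote=True)


def preserving_handler_attr(value: str) -> str:
    """Double-encode variant: the input's literal text survives, entities included."""
    return html.escape("func(" + json.dumps(value) + ");", quote=True)


def browser_view(attr_value: str) -> str:
    """What the script engine receives: the attribute value after entity decoding."""
    return html.unescape(attr_value)


def split_first_literal(js: str):
    """Return (string body, code after the closing quote) for the first "..." literal."""
    start = js.index('"') + 1
    i = start
    while i < len(js) and js[i] != '"':
        i += 2 if js[i] == "\\" else 1  # skip escaped characters
    return js[start:i], js[i + 1:]


def breaks_out(attr_value: str) -> bool:
    """True when anything other than the closing ');' follows the string argument."""
    _, rest = split_first_literal(browser_view(attr_value))
    return rest != ");"


def argument_value(attr_value: str) -> str:
    """The string value func() would receive, once the browser has decoded the attribute."""
    body, _ = split_first_literal(browser_view(attr_value))
    return json.loads('"' + body + '"')


if __name__ == "__main__":
    for build in (naive_handler_attr, decoded_handler_attr, preserving_handler_attr):
        attr = build(PAYLOAD)
        print(build.__name__)
        print("  written to page:", attr)
        print("  seen by engine :", browser_view(attr))
        print("  breaks out     :", breaks_out(attr))
```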
