Scriptless Attacks - Stealing the Pie without touching the Sill

Mario Heiderich
Mario HeiderichSecurity Research / Penetration Testing
Scriptless Attacks
Stealing the Pie without touching the Sill



Mario Heiderich, Felix Schuster, Marcus Niemietz,
Jörg Schwenk, Thorsten Holz
ACM CCS 2012

HGI / Chair for Network and Data Security
Ruhr-University Bochum
mario.heiderich@rub.de || @0x6D6172696F
Our Dear Speaker
       ●   Dr.-Ing. Mario Heiderich
           ●   Researcher and Post-Doc, Ruhr-Uni Bochum
               –   PhD Thesis on Client Side Security and Defense
           ●   Founder of Cure53
               –   Penetration Testing Firm
               –   Consulting
               –   Simply the Best Company of the World
           ●   Published author and international speaker
               –   Specialized in HTML5 and SVG Security
               –   JavaScript, XSS and Client Side Attacks
           ●   HTML5 Security Cheatsheet
               –   @0x6D6172696F
               –   mario@cure53.de
Background
Cross Site Scripting

●   Lots of talks have been held
●   Plenty of research has been done
    ●   Traditional injections
    ●   Attacks from outer space
    ●   XSS, XAS, XDS, XSSQLI, SWXSS, … you name it!
    ●   Defense mechanisms on multiple layers
    ●   Network, Server, Client and what not...
        –   CSP, NoScript, AntiSamy and HTMLPurifier, Tripwires, Browser XSS Filters
        –   mod_security, PHPIDS, some (often nonsense) WAF products
●   But why use scripting at all?
Topics Today

●   Scriptless Attacks in your Browser
    ●   Attacks bypassing NoScript
    ●   Attacks bypassing XSS Filters
    ●   Attacks bypassing Content Security Policy
●   Thought Experiment
    ●   What if we defeat XSS?
    ●   What attack surface will remain?
    ●   Will it make a difference?
Happy Injections
Exploits

●   Three Chapters to be presented

    ●   Chapter 1: These simple tricks
    ●   Chapter 2: Advanced Class
    ●   Chapter 3: For Science!
Chapter one




    [ These simple Tricks ]
CAPCTHA Of Doom




●   Seems legit?
●   See it live: http://heideri.ch/opera/captcha/
Analysis
●   What really happens
    ●   The attacker, Clive, injects CSS...
        –   input[type=password]{content:attr(value)}
    ●   Then he includes a custom SVG font
        –   @font-face {font-family: X;src: url(x.svg#X)
            format("svg");}
    ●   The attacker simply flips characters
        –   s becomes x, e becomes w, c becomes @ …
    ●   By thinking it's a CAPTCHA...
    ●   … Alice submits her password to the attacker
Validation
CSS + RegEx = ?
●   Old but gold – brute-forcing passwords
    ●   But this time with CSS3 and HTML5
    ●   The secret ingredient here is „validation“
    ●   Brute-force with RegEx!
    ●   Let's have a look
    ●   DEMO


●   Good thing it works on all browsers
    ●   Limited by smart password managers though
Chapter TWO




    < Advanced Class >
SVG Keylogger
●   Just a harmless login page




●   Behaving strange on closer inspection though...
    ●   Let's check that http://html5sec.org/keylogger
How is it done?

●   Attacker injected some inline SVG code
    ●
        SVG knows the <set> element
    ●
        The <set> element can listen to events
    ●   Even keystrokes
    ●   The feature is called accessKey() (W3C)
    ●   JavaScript is turned off – it's „no script“ anyway
    ●   But the keystroke scope is hard to define

    ●   In Firefox it's the whole document
CSS + URL + Regex = ?
●
    More info we can steal
●
    CSS3 and @document
●   Allows to cast a Regex on the loaded URL
●
    Then deploy custom CSS

●   We can steal stuff now
●   But we can do even more ;)
    ●   http://html5sec.org/xssfilter/
    ●   Is that all?
    ●   Maybe not
More Madness
●   HTML5's dirname attribute
●   The most useless attribute ever
●   Worse than formaction...   which one should know or look up :)




●   Meant to tell the server about...
        *drumroll*
●   Text-Flow Direction!
●   Also does cruel things to HTTP requests
    ●   DEMO
Chapter Three




      < For Science! >
CSRF Tokens
●   Everybody knows CSRF
    ●   One domain makes a request to another
    ●   The user is logged into that other domain
    ●   Stuff happens, accounts get modified etc.


●   How to we kill CSRF?
    ●   Easily – we use tokens, nonces
    ●   We make sure a request cannot be guessed
    ●   Or brute-forced – good tokens are long and safe
CSRF and XSS

●   CSRF and XSS are good friends
    ●   JavaScript can read tokens from the DOM
    ●   Bypass most CSRF protection techniques




    ●   But can we steal CSRF tokens w/o JS?
Already done

●
    SDC, Gaz and thornmaker already did it
●   Check out http://p42.us/css/
●
    They used CSS
    ●   Basically a brute-force via attribute selectors
    ●
        input[value^=a]{background:url(?a)}
    ●   If the server catches GET /?a...
    ●   The first character is an a
●   But then what?
●
    There's no „second or Nth character selector“
●
    They had to go input[value^=aa]{background:url(?aa)}
Ingredients

●   Some links with a secret CSRF token
●   A CSS injection
    ●
        height
    ●
        width
    ●
        content:attr(href)
    ●
        overflow-x:none
    ●
        font-family
    ●   And another secret ingredient
DEMO
●   http://html5sec.org/webkit/test
The Magic Part
●   The secret ingredients
    ●   Custom SVG font – one per character
    ●   An animation – decreasing the box size
    ●   The overflow to control scrollbar appearance
    ●   And finally...

    ●   Styled scrollbar elements – WebKit only
        div.s::-webkit-scrollbar-track-piece
        :vertical:increment {background:red url(/s)}
Those Fonts

●   There's more we can do with custom fonts
    ●   HTML5 recommends WOFF
    ●
        All done via @font-face


●   WOFF supports an interesting feature
    ●   Discretionary Ligatures
    ●   Arbitrary character sequences can become one character
    ●   Imagine.. C a t become a cat icon. Or... d e e r a lil' deer
Ligatures




●   http://ie.microsoft.com/testdrive/graphics/opentype/opentype-monotype/index.html
Fontforge
Attack Fonts
●   We can thus build dictionary fonts!
    ●   One character per password for example
    ●   No problem for a font to handle 100k+ items
●   Map the string s u p e r s e c r e t into one char
●   Make everything else invisible
●   If the character is visible, we have a hit
    ●   If not the password is not in the list/font




●   How can we find out if nothing – or just one character is
    visible?
Go CSS!
●   Remember the smart scrollbars?
    ●   Same thing all over again
    ●   But this time for all browsers please
●   CSS Media Queries to the rescue!
    ●
        We can deploy selective CSS depending on:
        –   Viewport width, viewport height
        –   @media screen and (max-width: 400px){*{foo:bar}}
    ●   Every character gets a distinct width, and/or height
    ●
        Once scrollbars appear, the viewport width gets reduced
    ●   By the width of the scrollbar
    ●   Some Iframe tricks do the job and allow universal scrollbar detection


●   That's all we need _:D
Demo




       DEMO
Conclusion

●   Scriptless Attacks versus XSS
    ●   Not many differences in impact
    ●   More common injection scenarios
    ●   Affecting sandboxes with HTML5
    ●   Information leaks by design
●   Hard to detect and fix
●   Timing and Side-Channel
●   NoScript to the rescue?
Defense

●   How to protect against features?
●   How to protect against side-channels
    ●   Reduce data leakage?
    ●   Build better sandboxes?
    ●   Extend SOP to images and other side channels,
    ●   CSP maybe? One day?
●   XFO and Frame-Busters
●   Better CSS filter tools are needed!
●   Know your spec, contribute!
Fin

●   Questions?
●   Discussion?
●   Please read our Paper and...
●   Thanks for your time!
1 of 33

Recommended

In the DOM, no one will hear you scream by
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich
33.2K views60 slides
Locking the Throneroom 2.0 by
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
6.4K views47 slides
Attacking thru HTTP Host header by
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
1.8K views29 slides
The Image that called me - Active Content Injection with SVG Files by
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesMario Heiderich
10.1K views29 slides
The innerHTML Apocalypse by
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
35K views51 slides
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015 by
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
6.5K views84 slides

More Related Content

What's hot

XSS Magic tricks by
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
13.7K views59 slides
HTTP Request Smuggling via higher HTTP versions by
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
9.5K views41 slides
Ekoparty 2017 - The Bug Hunter's Methodology by
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
7.9K views58 slides
Node JS reverse shell by
Node JS reverse shellNode JS reverse shell
Node JS reverse shellMadhu Akula
4.9K views23 slides
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,... by
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
45.4K views52 slides
Same Origin Method Execution (BlackHat EU2014) by
Same Origin Method Execution (BlackHat EU2014)Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)Ben Hayak
6.4K views98 slides

What's hot(20)

XSS Magic tricks by GarethHeyes
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
GarethHeyes13.7K views
HTTP Request Smuggling via higher HTTP versions by neexemil
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil9.5K views
Ekoparty 2017 - The Bug Hunter's Methodology by bugcrowd
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd7.9K views
Node JS reverse shell by Madhu Akula
Node JS reverse shellNode JS reverse shell
Node JS reverse shell
Madhu Akula4.9K views
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,... by Mario Heiderich
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
Mario Heiderich45.4K views
Same Origin Method Execution (BlackHat EU2014) by Ben Hayak
Same Origin Method Execution (BlackHat EU2014)Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)
Ben Hayak6.4K views
Cross Site Scripting ( XSS) by Amit Tyagi
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi27.3K views
Cross site scripting by kinish kumar
Cross site scriptingCross site scripting
Cross site scripting
kinish kumar30.1K views
OWASP AppSecCali 2015 - Marshalling Pickles by Christopher Frohoff
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
Christopher Frohoff132.8K views
NGINX Installation and Tuning by NGINX, Inc.
NGINX Installation and TuningNGINX Installation and Tuning
NGINX Installation and Tuning
NGINX, Inc.10.3K views
Express JS by Alok Guha
Express JSExpress JS
Express JS
Alok Guha2.5K views
aclpwn - Active Directory ACL exploitation with BloodHound by DirkjanMollema
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema11.5K views
Scaling MQTT With Apache Kafka by kellogh
Scaling MQTT With Apache KafkaScaling MQTT With Apache Kafka
Scaling MQTT With Apache Kafka
kellogh32K views
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour by Soroush Dalili
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili52.9K views
XSS - Do you know EVERYTHING? by Yurii Bilyk
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
Yurii Bilyk4.8K views
Neat tricks to bypass CSRF-protection by Mikhail Egorov
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov17.6K views

Similar to Scriptless Attacks - Stealing the Pie without touching the Sill

An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015 by
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015CODE BLUE
1.1K views63 slides
How to be a Developer by
How to be a DeveloperHow to be a Developer
How to be a DeveloperReza Nurfachmi
327 views65 slides
Developer &lt; eat love code > by
Developer   &lt; eat love code >Developer   &lt; eat love code >
Developer &lt; eat love code >Rizky Ariestiyansyah
440 views65 slides
Security Vulnerabilities: How to Defend Against Them by
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemMartin Vigo
441 views66 slides
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen... by
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT - Multimediatreff
2K views52 slides
The Future of Web Attacks - CONFidence 2010 by
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010Mario Heiderich
2.9K views36 slides

Similar to Scriptless Attacks - Stealing the Pie without touching the Sill(20)

An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015 by CODE BLUE
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
CODE BLUE1.1K views
Security Vulnerabilities: How to Defend Against Them by Martin Vigo
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against Them
Martin Vigo441 views
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen... by MMT - Multimediatreff
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
The Future of Web Attacks - CONFidence 2010 by Mario Heiderich
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
Mario Heiderich2.9K views
Mario heiderich. got your nose! how to steal your precious data without using... by Yury Chemerkin
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
Yury Chemerkin1.5K views
I thought you were my friend - Malicious Markup by Mario Heiderich
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious Markup
Mario Heiderich3.6K views
HTML5 New Features and Resources by Ron Reiter
HTML5 New Features and ResourcesHTML5 New Features and Resources
HTML5 New Features and Resources
Ron Reiter2.7K views
Sandboxing JS and HTML. A lession Learned by Minded Security
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
Minded Security1.9K views
Passwords good badugly181212-2 by Iftach Ian Amit
Passwords good badugly181212-2Passwords good badugly181212-2
Passwords good badugly181212-2
Iftach Ian Amit1.4K views
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich) by PROIDEA
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
PROIDEA165 views
[KGC 2010] 게임과 보안, 암호 알고리즘과 프로토콜 by Seungmin Shin
[KGC 2010] 게임과 보안, 암호 알고리즘과 프로토콜[KGC 2010] 게임과 보안, 암호 알고리즘과 프로토콜
[KGC 2010] 게임과 보안, 암호 알고리즘과 프로토콜
Seungmin Shin2.4K views
AWS re:Invent 2016 Fast Forward by Shuen-Huei Guan
AWS re:Invent 2016 Fast ForwardAWS re:Invent 2016 Fast Forward
AWS re:Invent 2016 Fast Forward
Shuen-Huei Guan2.9K views
Defcon 20-zulla-improving-web-vulnerability-scanning by zulla
Defcon 20-zulla-improving-web-vulnerability-scanningDefcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanning
zulla576 views
Defcon 20-zulla-improving-web-vulnerability-scanning by zulla
Defcon 20-zulla-improving-web-vulnerability-scanningDefcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanning
zulla557 views
Hacking Vulnerable Websites to Bypass Firewalls by Netsparker
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass Firewalls
Netsparker8.9K views

More from Mario Heiderich

An Abusive Relationship with AngularJS by
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSMario Heiderich
129.2K views66 slides
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-... by
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
30.4K views55 slides
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ... by
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Mario Heiderich
3.2K views40 slides
Dev and Blind - Attacking the weakest Link in IT Security by
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich
5.6K views39 slides
HTML5 - The Good, the Bad, the Ugly by
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyMario Heiderich
2K views22 slides
Web Wuermer by
Web WuermerWeb Wuermer
Web WuermerMario Heiderich
1.6K views46 slides

More from Mario Heiderich(10)

An Abusive Relationship with AngularJS by Mario Heiderich
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJS
Mario Heiderich129.2K views
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-... by Mario Heiderich
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Mario Heiderich30.4K views
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ... by Mario Heiderich
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Mario Heiderich3.2K views
Dev and Blind - Attacking the weakest Link in IT Security by Mario Heiderich
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
Mario Heiderich5.6K views
HTML5 - The Good, the Bad, the Ugly by Mario Heiderich
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the Ugly
Mario Heiderich2K views
JavaScript From Hell - CONFidence 2.0 2009 by Mario Heiderich
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009
Mario Heiderich21.9K views
I thought you were my friend! by Mario Heiderich
I thought you were my friend!I thought you were my friend!
I thought you were my friend!
Mario Heiderich1.7K views
Generic Attack Detection - ph-Neutral 0x7d8 by Mario Heiderich
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8
Mario Heiderich1.5K views

Recently uploaded

Business Analyst Series 2023 - Week 4 Session 8 by
Business Analyst Series 2023 -  Week 4 Session 8Business Analyst Series 2023 -  Week 4 Session 8
Business Analyst Series 2023 - Week 4 Session 8DianaGray10
145 views13 slides
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online by
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineKVM Security Groups Under the Hood - Wido den Hollander - Your.Online
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineShapeBlue
225 views19 slides
LLMs in Production: Tooling, Process, and Team Structure by
LLMs in Production: Tooling, Process, and Team StructureLLMs in Production: Tooling, Process, and Team Structure
LLMs in Production: Tooling, Process, and Team StructureAggregage
57 views77 slides
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda... by
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...ShapeBlue
164 views13 slides
Initiating and Advancing Your Strategic GIS Governance Strategy by
Initiating and Advancing Your Strategic GIS Governance StrategyInitiating and Advancing Your Strategic GIS Governance Strategy
Initiating and Advancing Your Strategic GIS Governance StrategySafe Software
184 views68 slides
MVP and prioritization.pdf by
MVP and prioritization.pdfMVP and prioritization.pdf
MVP and prioritization.pdfrahuldharwal141
39 views8 slides

Recently uploaded(20)

Business Analyst Series 2023 - Week 4 Session 8 by DianaGray10
Business Analyst Series 2023 -  Week 4 Session 8Business Analyst Series 2023 -  Week 4 Session 8
Business Analyst Series 2023 - Week 4 Session 8
DianaGray10145 views
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online by ShapeBlue
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineKVM Security Groups Under the Hood - Wido den Hollander - Your.Online
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online
ShapeBlue225 views
LLMs in Production: Tooling, Process, and Team Structure by Aggregage
LLMs in Production: Tooling, Process, and Team StructureLLMs in Production: Tooling, Process, and Team Structure
LLMs in Production: Tooling, Process, and Team Structure
Aggregage57 views
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda... by ShapeBlue
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...
ShapeBlue164 views
Initiating and Advancing Your Strategic GIS Governance Strategy by Safe Software
Initiating and Advancing Your Strategic GIS Governance StrategyInitiating and Advancing Your Strategic GIS Governance Strategy
Initiating and Advancing Your Strategic GIS Governance Strategy
Safe Software184 views
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue by ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
ShapeBlue152 views
"Surviving highload with Node.js", Andrii Shumada by Fwdays
"Surviving highload with Node.js", Andrii Shumada "Surviving highload with Node.js", Andrii Shumada
"Surviving highload with Node.js", Andrii Shumada
Fwdays58 views
The Power of Generative AI in Accelerating No Code Adoption.pdf by Saeed Al Dhaheri
The Power of Generative AI in Accelerating No Code Adoption.pdfThe Power of Generative AI in Accelerating No Code Adoption.pdf
The Power of Generative AI in Accelerating No Code Adoption.pdf
Saeed Al Dhaheri39 views
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT by ShapeBlue
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBITUpdates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
ShapeBlue208 views
Digital Personal Data Protection (DPDP) Practical Approach For CISOs by Priyanka Aash
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash162 views
Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P... by ShapeBlue
Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P...Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P...
Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P...
ShapeBlue196 views
What’s New in CloudStack 4.19 - Abhishek Kumar - ShapeBlue by ShapeBlue
What’s New in CloudStack 4.19 - Abhishek Kumar - ShapeBlueWhat’s New in CloudStack 4.19 - Abhishek Kumar - ShapeBlue
What’s New in CloudStack 4.19 - Abhishek Kumar - ShapeBlue
ShapeBlue265 views
Import Export Virtual Machine for KVM Hypervisor - Ayush Pandey - University ... by ShapeBlue
Import Export Virtual Machine for KVM Hypervisor - Ayush Pandey - University ...Import Export Virtual Machine for KVM Hypervisor - Ayush Pandey - University ...
Import Export Virtual Machine for KVM Hypervisor - Ayush Pandey - University ...
ShapeBlue120 views
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti... by ShapeBlue
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...
ShapeBlue141 views
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And... by ShapeBlue
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...
ShapeBlue108 views
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue by ShapeBlue
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlueCloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue
ShapeBlue139 views
Future of AR - Facebook Presentation by Rob McCarty
Future of AR - Facebook PresentationFuture of AR - Facebook Presentation
Future of AR - Facebook Presentation
Rob McCarty65 views
"Running students' code in isolation. The hard way", Yurii Holiuk by Fwdays
"Running students' code in isolation. The hard way", Yurii Holiuk "Running students' code in isolation. The hard way", Yurii Holiuk
"Running students' code in isolation. The hard way", Yurii Holiuk
Fwdays36 views

Scriptless Attacks - Stealing the Pie without touching the Sill

  • 1. Scriptless Attacks Stealing the Pie without touching the Sill Mario Heiderich, Felix Schuster, Marcus Niemietz, Jörg Schwenk, Thorsten Holz ACM CCS 2012 HGI / Chair for Network and Data Security Ruhr-University Bochum mario.heiderich@rub.de || @0x6D6172696F
  • 2. Our Dear Speaker ● Dr.-Ing. Mario Heiderich ● Researcher and Post-Doc, Ruhr-Uni Bochum – PhD Thesis on Client Side Security and Defense ● Founder of Cure53 – Penetration Testing Firm – Consulting – Simply the Best Company of the World ● Published author and international speaker – Specialized in HTML5 and SVG Security – JavaScript, XSS and Client Side Attacks ● HTML5 Security Cheatsheet – @0x6D6172696F – mario@cure53.de
  • 4. Cross Site Scripting ● Lots of talks have been held ● Plenty of research has been done ● Traditional injections ● Attacks from outer space ● XSS, XAS, XDS, XSSQLI, SWXSS, … you name it! ● Defense mechanisms on multiple layers ● Network, Server, Client and what not... – CSP, NoScript, AntiSamy and HTMLPurifier, Tripwires, Browser XSS Filters – mod_security, PHPIDS, some (often nonsense) WAF products ● But why use scripting at all?
  • 5. Topics Today ● Scriptless Attacks in your Browser ● Attacks bypassing NoScript ● Attacks bypassing XSS Filters ● Attacks bypassing Content Security Policy ● Thought Experiment ● What if we defeat XSS? ● What attack surface will remain? ● Will it make a difference?
  • 7. Exploits ● Three Chapters to be presented ● Chapter 1: These simple tricks ● Chapter 2: Advanced Class ● Chapter 3: For Science!
  • 8. Chapter one [ These simple Tricks ]
  • 9. CAPCTHA Of Doom ● Seems legit? ● See it live: http://heideri.ch/opera/captcha/
  • 10. Analysis ● What really happens ● The attacker, Clive, injects CSS... – input[type=password]{content:attr(value)} ● Then he includes a custom SVG font – @font-face {font-family: X;src: url(x.svg#X) format("svg");} ● The attacker simply flips characters – s becomes x, e becomes w, c becomes @ … ● By thinking it's a CAPTCHA... ● … Alice submits her password to the attacker
  • 12. CSS + RegEx = ? ● Old but gold – brute-forcing passwords ● But this time with CSS3 and HTML5 ● The secret ingredient here is „validation“ ● Brute-force with RegEx! ● Let's have a look ● DEMO ● Good thing it works on all browsers ● Limited by smart password managers though
  • 13. Chapter TWO < Advanced Class >
  • 14. SVG Keylogger ● Just a harmless login page ● Behaving strange on closer inspection though... ● Let's check that http://html5sec.org/keylogger
  • 15. How is it done? ● Attacker injected some inline SVG code ● SVG knows the <set> element ● The <set> element can listen to events ● Even keystrokes ● The feature is called accessKey() (W3C) ● JavaScript is turned off – it's „no script“ anyway ● But the keystroke scope is hard to define ● In Firefox it's the whole document
  • 16. CSS + URL + Regex = ? ● More info we can steal ● CSS3 and @document ● Allows to cast a Regex on the loaded URL ● Then deploy custom CSS ● We can steal stuff now ● But we can do even more ;) ● http://html5sec.org/xssfilter/ ● Is that all? ● Maybe not
  • 17. More Madness ● HTML5's dirname attribute ● The most useless attribute ever ● Worse than formaction... which one should know or look up :) ● Meant to tell the server about... *drumroll* ● Text-Flow Direction! ● Also does cruel things to HTTP requests ● DEMO
  • 18. Chapter Three < For Science! >
  • 19. CSRF Tokens ● Everybody knows CSRF ● One domain makes a request to another ● The user is logged into that other domain ● Stuff happens, accounts get modified etc. ● How to we kill CSRF? ● Easily – we use tokens, nonces ● We make sure a request cannot be guessed ● Or brute-forced – good tokens are long and safe
  • 20. CSRF and XSS ● CSRF and XSS are good friends ● JavaScript can read tokens from the DOM ● Bypass most CSRF protection techniques ● But can we steal CSRF tokens w/o JS?
  • 21. Already done ● SDC, Gaz and thornmaker already did it ● Check out http://p42.us/css/ ● They used CSS ● Basically a brute-force via attribute selectors ● input[value^=a]{background:url(?a)} ● If the server catches GET /?a... ● The first character is an a ● But then what? ● There's no „second or Nth character selector“ ● They had to go input[value^=aa]{background:url(?aa)}
  • 22. Ingredients ● Some links with a secret CSRF token ● A CSS injection ● height ● width ● content:attr(href) ● overflow-x:none ● font-family ● And another secret ingredient
  • 23. DEMO ● http://html5sec.org/webkit/test
  • 24. The Magic Part ● The secret ingredients ● Custom SVG font – one per character ● An animation – decreasing the box size ● The overflow to control scrollbar appearance ● And finally... ● Styled scrollbar elements – WebKit only div.s::-webkit-scrollbar-track-piece :vertical:increment {background:red url(/s)}
  • 25. Those Fonts ● There's more we can do with custom fonts ● HTML5 recommends WOFF ● All done via @font-face ● WOFF supports an interesting feature ● Discretionary Ligatures ● Arbitrary character sequences can become one character ● Imagine.. C a t become a cat icon. Or... d e e r a lil' deer
  • 26. Ligatures ● http://ie.microsoft.com/testdrive/graphics/opentype/opentype-monotype/index.html
  • 28. Attack Fonts ● We can thus build dictionary fonts! ● One character per password for example ● No problem for a font to handle 100k+ items ● Map the string s u p e r s e c r e t into one char ● Make everything else invisible ● If the character is visible, we have a hit ● If not the password is not in the list/font ● How can we find out if nothing – or just one character is visible?
  • 29. Go CSS! ● Remember the smart scrollbars? ● Same thing all over again ● But this time for all browsers please ● CSS Media Queries to the rescue! ● We can deploy selective CSS depending on: – Viewport width, viewport height – @media screen and (max-width: 400px){*{foo:bar}} ● Every character gets a distinct width, and/or height ● Once scrollbars appear, the viewport width gets reduced ● By the width of the scrollbar ● Some Iframe tricks do the job and allow universal scrollbar detection ● That's all we need _:D
  • 30. Demo DEMO
  • 31. Conclusion ● Scriptless Attacks versus XSS ● Not many differences in impact ● More common injection scenarios ● Affecting sandboxes with HTML5 ● Information leaks by design ● Hard to detect and fix ● Timing and Side-Channel ● NoScript to the rescue?
  • 32. Defense ● How to protect against features? ● How to protect against side-channels ● Reduce data leakage? ● Build better sandboxes? ● Extend SOP to images and other side channels, ● CSP maybe? One day? ● XFO and Frame-Busters ● Better CSS filter tools are needed! ● Know your spec, contribute!
  • 33. Fin ● Questions? ● Discussion? ● Please read our Paper and... ● Thanks for your time!