Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Scriptless Attacks
Stealing the Pie without touching the Sill



Mario Heiderich, Felix Schuster, Marcus Niemietz,
Jörg Sc...
Our Dear Speaker
       ●   Dr.-Ing. Mario Heiderich
           ●   Researcher and Post-Doc, Ruhr-Uni Bochum
             ...
Background
Cross Site Scripting

●   Lots of talks have been held
●   Plenty of research has been done
    ●   Traditional injections...
Topics Today

●   Scriptless Attacks in your Browser
    ●   Attacks bypassing NoScript
    ●   Attacks bypassing XSS Filt...
Happy Injections
Exploits

●   Three Chapters to be presented

    ●   Chapter 1: These simple tricks
    ●   Chapter 2: Advanced Class
   ...
Chapter one




    [ These simple Tricks ]
CAPCTHA Of Doom




●   Seems legit?
●   See it live: http://heideri.ch/opera/captcha/
Analysis
●   What really happens
    ●   The attacker, Clive, injects CSS...
        –   input[type=password]{content:attr...
Validation
CSS + RegEx = ?
●   Old but gold – brute-forcing passwords
    ●   But this time with CSS3 and HTML5
    ●   The secret in...
Chapter TWO




    < Advanced Class >
SVG Keylogger
●   Just a harmless login page




●   Behaving strange on closer inspection though...
    ●   Let's check t...
How is it done?

●   Attacker injected some inline SVG code
    ●
        SVG knows the <set> element
    ●
        The <s...
CSS + URL + Regex = ?
●
    More info we can steal
●
    CSS3 and @document
●   Allows to cast a Regex on the loaded URL
●...
More Madness
●   HTML5's dirname attribute
●   The most useless attribute ever
●   Worse than formaction...   which one sh...
Chapter Three




      < For Science! >
CSRF Tokens
●   Everybody knows CSRF
    ●   One domain makes a request to another
    ●   The user is logged into that ot...
CSRF and XSS

●   CSRF and XSS are good friends
    ●   JavaScript can read tokens from the DOM
    ●   Bypass most CSRF p...
Already done

●
    SDC, Gaz and thornmaker already did it
●   Check out http://p42.us/css/
●
    They used CSS
    ●   Ba...
Ingredients

●   Some links with a secret CSRF token
●   A CSS injection
    ●
        height
    ●
        width
    ●
  ...
DEMO
●   http://html5sec.org/webkit/test
The Magic Part
●   The secret ingredients
    ●   Custom SVG font – one per character
    ●   An animation – decreasing th...
Those Fonts

●   There's more we can do with custom fonts
    ●   HTML5 recommends WOFF
    ●
        All done via @font-f...
Ligatures




●   http://ie.microsoft.com/testdrive/graphics/opentype/opentype-monotype/index.html
Fontforge
Attack Fonts
●   We can thus build dictionary fonts!
    ●   One character per password for example
    ●   No problem for...
Go CSS!
●   Remember the smart scrollbars?
    ●   Same thing all over again
    ●   But this time for all browsers please...
Demo




       DEMO
Conclusion

●   Scriptless Attacks versus XSS
    ●   Not many differences in impact
    ●   More common injection scenari...
Defense

●   How to protect against features?
●   How to protect against side-channels
    ●   Reduce data leakage?
    ● ...
Fin

●   Questions?
●   Discussion?
●   Please read our Paper and...
●   Thanks for your time!
Upcoming SlideShare
Loading in …5
×

of

Scriptless Attacks - Stealing the Pie without touching the Sill Slide 1 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 2 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 3 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 4 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 5 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 6 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 7 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 8 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 9 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 10 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 11 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 12 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 13 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 14 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 15 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 16 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 17 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 18 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 19 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 20 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 21 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 22 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 23 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 24 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 25 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 26 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 27 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 28 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 29 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 30 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 31 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 32 Scriptless Attacks - Stealing the Pie without touching the Sill Slide 33
Upcoming SlideShare
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else
Next
Download to read offline and view in fullscreen.

60 Likes

Share

Download to read offline

Scriptless Attacks - Stealing the Pie without touching the Sill

Download to read offline

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

Scriptless Attacks - Stealing the Pie without touching the Sill

  1. Scriptless Attacks Stealing the Pie without touching the Sill Mario Heiderich, Felix Schuster, Marcus Niemietz, Jörg Schwenk, Thorsten Holz ACM CCS 2012 HGI / Chair for Network and Data Security Ruhr-University Bochum mario.heiderich@rub.de || @0x6D6172696F
  2. Our Dear Speaker ● Dr.-Ing. Mario Heiderich ● Researcher and Post-Doc, Ruhr-Uni Bochum – PhD Thesis on Client Side Security and Defense ● Founder of Cure53 – Penetration Testing Firm – Consulting – Simply the Best Company of the World ● Published author and international speaker – Specialized in HTML5 and SVG Security – JavaScript, XSS and Client Side Attacks ● HTML5 Security Cheatsheet – @0x6D6172696F – mario@cure53.de
  3. Background
  4. Cross Site Scripting ● Lots of talks have been held ● Plenty of research has been done ● Traditional injections ● Attacks from outer space ● XSS, XAS, XDS, XSSQLI, SWXSS, … you name it! ● Defense mechanisms on multiple layers ● Network, Server, Client and what not... – CSP, NoScript, AntiSamy and HTMLPurifier, Tripwires, Browser XSS Filters – mod_security, PHPIDS, some (often nonsense) WAF products ● But why use scripting at all?
  5. Topics Today ● Scriptless Attacks in your Browser ● Attacks bypassing NoScript ● Attacks bypassing XSS Filters ● Attacks bypassing Content Security Policy ● Thought Experiment ● What if we defeat XSS? ● What attack surface will remain? ● Will it make a difference?
  6. Happy Injections
  7. Exploits ● Three Chapters to be presented ● Chapter 1: These simple tricks ● Chapter 2: Advanced Class ● Chapter 3: For Science!
  8. Chapter one [ These simple Tricks ]
  9. CAPCTHA Of Doom ● Seems legit? ● See it live: http://heideri.ch/opera/captcha/
  10. Analysis ● What really happens ● The attacker, Clive, injects CSS... – input[type=password]{content:attr(value)} ● Then he includes a custom SVG font – @font-face {font-family: X;src: url(x.svg#X) format("svg");} ● The attacker simply flips characters – s becomes x, e becomes w, c becomes @ … ● By thinking it's a CAPTCHA... ● … Alice submits her password to the attacker
  11. Validation
  12. CSS + RegEx = ? ● Old but gold – brute-forcing passwords ● But this time with CSS3 and HTML5 ● The secret ingredient here is „validation“ ● Brute-force with RegEx! ● Let's have a look ● DEMO ● Good thing it works on all browsers ● Limited by smart password managers though
  13. Chapter TWO < Advanced Class >
  14. SVG Keylogger ● Just a harmless login page ● Behaving strange on closer inspection though... ● Let's check that http://html5sec.org/keylogger
  15. How is it done? ● Attacker injected some inline SVG code ● SVG knows the <set> element ● The <set> element can listen to events ● Even keystrokes ● The feature is called accessKey() (W3C) ● JavaScript is turned off – it's „no script“ anyway ● But the keystroke scope is hard to define ● In Firefox it's the whole document
  16. CSS + URL + Regex = ? ● More info we can steal ● CSS3 and @document ● Allows to cast a Regex on the loaded URL ● Then deploy custom CSS ● We can steal stuff now ● But we can do even more ;) ● http://html5sec.org/xssfilter/ ● Is that all? ● Maybe not
  17. More Madness ● HTML5's dirname attribute ● The most useless attribute ever ● Worse than formaction... which one should know or look up :) ● Meant to tell the server about... *drumroll* ● Text-Flow Direction! ● Also does cruel things to HTTP requests ● DEMO
  18. Chapter Three < For Science! >
  19. CSRF Tokens ● Everybody knows CSRF ● One domain makes a request to another ● The user is logged into that other domain ● Stuff happens, accounts get modified etc. ● How to we kill CSRF? ● Easily – we use tokens, nonces ● We make sure a request cannot be guessed ● Or brute-forced – good tokens are long and safe
  20. CSRF and XSS ● CSRF and XSS are good friends ● JavaScript can read tokens from the DOM ● Bypass most CSRF protection techniques ● But can we steal CSRF tokens w/o JS?
  21. Already done ● SDC, Gaz and thornmaker already did it ● Check out http://p42.us/css/ ● They used CSS ● Basically a brute-force via attribute selectors ● input[value^=a]{background:url(?a)} ● If the server catches GET /?a... ● The first character is an a ● But then what? ● There's no „second or Nth character selector“ ● They had to go input[value^=aa]{background:url(?aa)}
  22. Ingredients ● Some links with a secret CSRF token ● A CSS injection ● height ● width ● content:attr(href) ● overflow-x:none ● font-family ● And another secret ingredient
  23. DEMO ● http://html5sec.org/webkit/test
  24. The Magic Part ● The secret ingredients ● Custom SVG font – one per character ● An animation – decreasing the box size ● The overflow to control scrollbar appearance ● And finally... ● Styled scrollbar elements – WebKit only div.s::-webkit-scrollbar-track-piece :vertical:increment {background:red url(/s)}
  25. Those Fonts ● There's more we can do with custom fonts ● HTML5 recommends WOFF ● All done via @font-face ● WOFF supports an interesting feature ● Discretionary Ligatures ● Arbitrary character sequences can become one character ● Imagine.. C a t become a cat icon. Or... d e e r a lil' deer
  26. Ligatures ● http://ie.microsoft.com/testdrive/graphics/opentype/opentype-monotype/index.html
  27. Fontforge
  28. Attack Fonts ● We can thus build dictionary fonts! ● One character per password for example ● No problem for a font to handle 100k+ items ● Map the string s u p e r s e c r e t into one char ● Make everything else invisible ● If the character is visible, we have a hit ● If not the password is not in the list/font ● How can we find out if nothing – or just one character is visible?
  29. Go CSS! ● Remember the smart scrollbars? ● Same thing all over again ● But this time for all browsers please ● CSS Media Queries to the rescue! ● We can deploy selective CSS depending on: – Viewport width, viewport height – @media screen and (max-width: 400px){*{foo:bar}} ● Every character gets a distinct width, and/or height ● Once scrollbars appear, the viewport width gets reduced ● By the width of the scrollbar ● Some Iframe tricks do the job and allow universal scrollbar detection ● That's all we need _:D
  30. Demo DEMO
  31. Conclusion ● Scriptless Attacks versus XSS ● Not many differences in impact ● More common injection scenarios ● Affecting sandboxes with HTML5 ● Information leaks by design ● Hard to detect and fix ● Timing and Side-Channel ● NoScript to the rescue?
  32. Defense ● How to protect against features? ● How to protect against side-channels ● Reduce data leakage? ● Build better sandboxes? ● Extend SOP to images and other side channels, ● CSP maybe? One day? ● XFO and Frame-Busters ● Better CSS filter tools are needed! ● Know your spec, contribute!
  33. Fin ● Questions? ● Discussion? ● Please read our Paper and... ● Thanks for your time!
  • ssuser12fe9c

    Feb. 7, 2019
  • arun3gi

    Nov. 1, 2018
  • KulvinderSingh81

    Feb. 24, 2018
  • Abromeit

    Dec. 9, 2017
  • faezeh_k1991

    May. 31, 2017
  • JamieFinch4

    Feb. 24, 2017
  • jeffhuangus

    Jul. 4, 2016
  • seshananda

    May. 1, 2016
  • masahiroadachi3

    Sep. 20, 2015
  • theblackunknown

    Mar. 14, 2015
  • happyreddys

    Jun. 17, 2014
  • bryanonel1

    May. 31, 2014
  • hondashi

    Apr. 25, 2014
  • bavarinbloo

    Mar. 30, 2014
  • erpalmer

    Sep. 16, 2013
  • andrewpeel

    Sep. 12, 2013
  • camiloei

    Sep. 12, 2013
  • TWSke

    Sep. 12, 2013
  • ppierre

    Sep. 12, 2013
  • mikulgohil

    Sep. 12, 2013

Views

Total views

58,051

On Slideshare

0

From embeds

0

Number of embeds

1,490

Actions

Downloads

382

Shares

0

Comments

0

Likes

60

×