was invented (1995) • Still one of the major vulnerabilities found today • Injection-based attack • Very hard to prevent as the platform cannot distinguish between data and code • Hard to tackle ◦ Server side reflected XSS ◦ Server side stored XSS ◦ DOM XSS ◦ Mutation based XSS (browsers are complex)
the beginning • It’s clumsy to address • Requires developers to add custom protections on top of the platform • Normally addressed by adding tokens in hidden forms parameters • It is not clear what to protect, so even using frameworks might lead to issues ◦ Example: GET requests are usually not protected by frameworks but developers might decide to have state-changing APIs that use GET parameters, or some libraries might automatically parse GET forms and treat them as POST. If this happens after the anti-xsrf middleware the vulnerability is still there.
user does not expect • Example: ◦ User clicks on a link on GMail ◦ The link opens a new tab ◦ The originating page (gmail.com) gets redirected to a phishing clone (gmai1.com) asking for credentials ◦ When the user closes the new tab, they will go back to the previous context and expect it to still be gmail ◦ User inputs credentials in gmai1.com
side channels • The attacking page doesn’t need to see the cross-origin content, just the time it took to load, or the error that happened while trying to load • Same-origin policy does not protect against this kind of attacks E.g. Login detection: loading a frame errors if user is not logged in.
cross-site leaks • Extract bits of information from the time it takes to load search results • In 2016 this affected GMail and Bing to a point where credit cards could be stolen in less than 45s and the full search history in less than 90s
Many things can be obtained cross-origin and access boundaries are enforced by the browser, but within the same process • Get around Same-Origin policy because the memory is in the same process, and it can be accessed via side-channel • Requires precise timers, but they can be crafted
with controlled_index > max_index if (controlled_index < max_index) { secret_value = index_array[controlled_index]; _ = data_array[secret_value*cache_block_size]; } Measure access time to different blocks of data_array The one in secret_value position will be faster to access
strict client-side behaviors • Allows applications to instruct browsers to disable common sinks for XSS attacks • It is a rather complex specification but the latest version (v3) is reasonably easy to use and deploy compared with previous ones • The frame-ancestors sets rule for framing, thus protecting against clickjacking • It is a composed headers with many different directives to toggle browser security features
most of the DOM XSS that CSP could not address • Makes the DOM API typed (yes, types in JS) • DOM sinks can only be used with appropriate types • Trusted Types can only be constructed via policies • Policies are declared in CSP Content-Security-Policy: trusted-types policy-name
should be taken care of by the server. Only trusted scripts are nonced • Client side code is easier to secure Moreover • If the server has an injection ◦ The attacker has to leak the nonce without JS execution. This is usually very hard. ◦ The attacker has to find a working sink. Since javascript URIs and event handlers are blocked this is hard and sometimes impossible. • If the client has a bug ◦ Client-side sinks are controlled
document, embed, script, serviceworker…) ◦ Mode (cors, navigate, no-cors, same-origin, websocket...) ◦ Site (cross-site, same-origin, same-site) ◦ User (true, false) • Inform the server on what caused the request and how it will be used • Servers can now make informed decisions whether to provide the requested resource
<name>=<value>; SameSite=(Lax|Strict); [other directives] • Lax allows cross-site navigation • Strict will prevent cookies from being sent in any cross-site action
the browser to not perform some cross-site operations • Dictates top-level cross-origin behavior • Still undergoing design and implementation Cross-Origin-Opener-Policy: (same-origin|same-site) [unsafe-allow-outgoing]
required • If something is cross-origin it is displayed in different render processes, including frames. This partially addresses spectre • Relies on the OS-level process isolation to protect against hardware issues
SI to protect against Spectre • The browser tries to guess when a cross-origin resource is being maliciously loaded and blocks it • Currently protected by default MIME types: ◦ JSON ◦ HTML ◦ XML • Mimes are sniffed in a smart way to detect mislabeled responses • CORB can be opted-in by servers for all resources with Cross Origin Resource Policy (CORP): Cross-Origin-Resource-Policy: (same-origin|same-site)
• Requires client side code change • The first clickjacking protection that still allows framing • The observer knows if it is visible and for how long it’s been visible Potentially evil Observer
empijei
lizrice
kirik
murabayashi
fujiwara3
miyabit
masatokinugawa
katawara
kakehashi
aeonpeople
gunta
ranxxx
shinshiro
skipperchong
kneath
samlambert
shlominoach
eitanlees
matthewcrist
bluesmoon
trallard
moore
eileencodes
rasmusluckow
morganepeng
