was invented (1995) • Still one of the major vulnerabilities found today • Injection-based attack • Very hard to prevent as the platform cannot distinguish between data and code • Hard to tackle ◦ Server side reflected XSS ◦ Server side stored XSS ◦ DOM XSS ◦ Mutation based XSS (browsers are complex)
the beginning • It’s clumsy to address • Requires developers to add custom protections on top of the platform • Normally addressed by adding tokens in hidden forms parameters • It is not clear what to protect, so even using frameworks might lead to issues ◦ Example: GET requests are usually not protected by frameworks but developers might decide to have state-changing APIs that use GET parameters, or some libraries might automatically parse GET forms and treat them as POST. If this happens after the anti-xsrf middleware the vulnerability is still there.
user does not expect • Example: ◦ User clicks on a link on GMail ◦ The link opens a new tab ◦ The originating page (gmail.com) gets redirected to a phishing clone (gmai1.com) asking for credentials ◦ When the user closes the new tab, they will go back to the previous context and expect it to still be gmail ◦ User inputs credentials in gmai1.com
side channels • The attacking page doesn’t need to see the cross-origin content, just the time it took to load, or the error that happened while trying to load • Same-origin policy does not protect against this kind of attacks E.g. Login detection: loading a frame errors if user is not logged in.
cross-site leaks • Extract bits of information from the time it takes to load search results • In 2016 this affected GMail and Bing to a point where credit cards could be stolen in less than 45s and the full search history in less than 90s
Many things can be obtained cross-origin and access boundaries are enforced by the browser, but within the same process • Get around Same-Origin policy because the memory is in the same process, and it can be accessed via side-channel • Requires precise timers, but they can be crafted
with controlled_index > max_index if (controlled_index < max_index) { secret_value = index_array[controlled_index]; _ = data_array[secret_value*cache_block_size]; } Measure access time to different blocks of data_array The one in secret_value position will be faster to access
strict client-side behaviors • Allows applications to instruct browsers to disable common sinks for XSS attacks • It is a rather complex specification but the latest version (v3) is reasonably easy to use and deploy compared with previous ones • The frame-ancestors sets rule for framing, thus protecting against clickjacking • It is a composed headers with many different directives to toggle browser security features
most of the DOM XSS that CSP could not address • Makes the DOM API typed (yes, types in JS) • DOM sinks can only be used with appropriate types • Trusted Types can only be constructed via policies • Policies are declared in CSP Content-Security-Policy: trusted-types policy-name
should be taken care of by the server. Only trusted scripts are nonced • Client side code is easier to secure Moreover • If the server has an injection ◦ The attacker has to leak the nonce without JS execution. This is usually very hard. ◦ The attacker has to find a working sink. Since javascript URIs and event handlers are blocked this is hard and sometimes impossible. • If the client has a bug ◦ Client-side sinks are controlled
document, embed, script, serviceworker…) ◦ Mode (cors, navigate, no-cors, same-origin, websocket...) ◦ Site (cross-site, same-origin, same-site) ◦ User (true, false) • Inform the server on what caused the request and how it will be used • Servers can now make informed decisions whether to provide the requested resource
<name>=<value>; SameSite=(Lax|Strict); [other directives] • Lax allows cross-site navigation • Strict will prevent cookies from being sent in any cross-site action
the browser to not perform some cross-site operations • Dictates top-level cross-origin behavior • Still undergoing design and implementation Cross-Origin-Opener-Policy: (same-origin|same-site) [unsafe-allow-outgoing]
required • If something is cross-origin it is displayed in different render processes, including frames. This partially addresses spectre • Relies on the OS-level process isolation to protect against hardware issues
SI to protect against Spectre • The browser tries to guess when a cross-origin resource is being maliciously loaded and blocks it • Currently protected by default MIME types: ◦ JSON ◦ HTML ◦ XML • Mimes are sniffed in a smart way to detect mislabeled responses • CORB can be opted-in by servers for all resources with Cross Origin Resource Policy (CORP): Cross-Origin-Resource-Policy: (same-origin|same-site)
• Requires client side code change • The first clickjacking protection that still allows framing • The observer knows if it is visible and for how long it’s been visible Potentially evil Observer
empijei
ham0215
masuchoku
1ftseabass
rainerhahnekamp
coconala_engineer
oracle4engineer
__allllllllez__
bun913
lycorptech_jp
sansantech
nakamuuu
tetsuyaooooo
matthewcrist
aarron
marktimemedia
vanstee
bcantrill
smashingmag
searls
zakiwarfel
kneath
3n
holman
phodgson
