
XSS in the era of *.js - XSS in the age of JS libraries (ゼロから始めるセキュリティ入門勉強会 #15)

The title overstates things a bit, which I regret (I will update it as appropriate; provisional).

Takashi Yoneuchi

April 23, 2018

Transcript




  1. XSS in the era of *.js - XSS in the age of JS libraries
    Takashi Yoneuchi (@lmt_swallow) https://shift-js.info

    The slide also shows the demo page used later in the talk, "Vue.js Security Testing" (only the tail of the markup was captured):

        script>
        </head>
        <body>
        <div id="example">
        <p>{{this.$el.ownerDocument.defaultView.alert(1)}}</p>
        </div>
        <script src="init.js" nonce="random2"></script>
        </body>
        </html>

  2. © 2018 shift-js.info All Rights Reserved.
    Outline
    ‣ Overview: XSS
      ‣ What XSS is, and how it is classified
    ‣ What is DOM Based XSS?
      ‣ Focusing on DbXSS, learning the principle from common concrete examples
    ‣ Script gadgets: what happens with *.js ?
      ‣ About script gadgets (+ what changed with the arrival of today's *.js libraries)
    ‣ Example: Let's defeat CSP :-)
      ‣ Using Vue.js with its template compiler basically puts you in unsafe-inline territory
    ‣ Conclusion

  3. Notes
    ‣ I have done my best to verify and review the content, especially the technical parts, but it may still contain errors. (If you find one, please let me know!)
    ‣ These slides will be published online at a later date.
    ‣ Nothing said in this talk represents my employer; it is based on my personal views.

  4. Overview: XSS

  5. XSS (Cross-site Scripting)
    Cross-site scripting
    ‣ "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites." (OWASP, https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) )
    ‣ Roughly speaking:
      ‣ An attacker injects a script into a web site
      ‣ The script is executed in the target's browser

  6. XSS (Cross-site Scripting)
    Cross-site scripting - example

    Hello, つばめ!

  7. XSS (Cross-site Scripting)
    Cross-site scripting - example

    Hello, alert(1)!
    ‣ The input value is interpreted as part of the HTML, and the script it carries gets executed

  8. Three kinds of XSS
    The 3 kinds of XSS
    ‣ Stored XSS (the effect persists)
      ‣ XSS that occurs when user input saved in a DB or similar is output
    ‣ Reflected XSS (the effect does not persist)
      ‣ XSS that occurs when user input is echoed back right away
    ‣ DOM Based XSS - the recent trend

  9. 1. Stored XSS
    Stored XSS

    1. Inject a malicious script as an input value
       (e.g. submit alert(1) as a blog comment)
    2. It is stored
    3. The victim accesses the site
    4. It is read back from the DB
    5. Content with the injected script is returned
       e.g. alert(1)

  10. 2. Reflected XSS
    Reflected XSS

    1. Lure the target into issuing a request that contains a malicious script
       (e.g. http://example.com/?search=alert(1))
    2. The lured target issues the request
    3. Content with the injected script is returned
       e.g. the search results for alert(1)

  11. Example: Stored & Reflected XSS
    Examples of Stored XSS and Reflected XSS
    ‣ The cause is missing escaping when HTML is built from user input on the server side
    ‣ Countermeasures
      ‣ There are many awkward cases, so it is hard work
      ‣ e.g. pass the value through an escaping function such as htmlspecialchars()

    <?php
    // Vulnerable: the value is echoed into HTML without escaping
    echo 'hello, ' . $potentially_malicious_value;
    ?>

  12. 3. DOM Based XSS

    1. Lure the target into issuing a request that contains a malicious script
       (e.g. http://example.com/#query=alert(1))
    2. The lured target issues the request
    3. The legitimate content is returned
    4. XSS fires through DOM manipulation

    document.getElementById("contents").innerHTML = location.hash.substring(1);

  13. What is DOM Based XSS ?
    - with common examples -

  14. DOM
    Document Object Model
    ‣ A framework for accessing the structure of HTML (or XML)
    ‣ Holds the document structure as a tree-shaped model
    ‣ Defined by the WHATWG
    https://dom.spec.whatwg.org

  15. What is DOM Based XSS?
    What DOM Based XSS is
    ‣ "DOM Based XSS refers to unintended script execution that occurs as a result of HTML manipulation through the DOM, and to the vulnerability that allows it." (IPA Technical Watch, report on "DOM Based XSS", https://www.ipa.go.jp/files/000024729.pdf)
    ‣ Differences from Stored XSS and Reflected XSS
      ‣ The server only ever returns the "legitimate content"
      ‣ The attack script may never pass through the server at all
      ‣ e.g. http://example.com/#alert(1) (using the fragment identifier)

  16. Common example
    A common DbXSS example
    ‣ If the JS below runs on example.com, what happens when the target is lured to a URL like the following?

    http://example.com/#

    p = document.getElementById("username");
    p.innerHTML = "<p>you are " + location.hash.substring(1) + "</p>";

  17. Common example
    A common DbXSS example
    ‣ This script tag itself is harmless (it does nothing bad)
    ‣ Even if the value of location.hash is the <img ...> from the previous slide, on its own it is harmless and non-executable
    ‣ Once a location.hash value like that <img ... > goes into innerHTML, it becomes executable

    p = document.getElementById("username");
    p.innerHTML = "<p>you are " + location.hash.substring(1) + "</p>";

  18. Common example
    A common DbXSS example
    ‣ This script tag itself is harmless (it does nothing bad)
    ‣ Even if the value of location.hash is the <img ...> from the previous slide, on its own it is harmless and non-executable
    ‣ Once a location.hash value like that <img ... > goes into innerHTML, it becomes executable

    p = document.getElementById("username");
    p.innerHTML = "<p>you are " + location.hash.substring(1) + "</p>";

    location.hash here is called the source
    innerHTML here is called the sink

  19. Sources & Sinks
    Sources and sinks
    ‣ Source - a value the attacker can control
      e.g. location.hash, location.search, location.href, ...
      e.g. document.cookie, document.referrer, ...
      e.g. window.name, ...
    ‣ Sink - a place that can be used to generate and execute JS
      e.g. location.href (redirect)
      e.g. HTMLElement.innerHTML
      e.g. document.write
      e.g. eval, setTimeout, setInterval, Function
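As an added example (not code from the slides), here is a small static check over JavaScript source that flags lines where one of the sources listed above reaches one of the sinks on the same line. It is a line-level heuristic for code review, not a taint analysis (a value copied into a variable first is missed); the sample input is constructed and includes the gadget from the previous slides.

```javascript
// Added example, not from the slides: line-level source-to-sink check using
// the source and sink lists given on the slide. location.href appears in both
// lists, as it does on the slide (read = source, assignment = redirect sink).
const SOURCES = [
  "location.hash", "location.search", "location.href",
  "document.cookie", "document.referrer", "window.name",
];
const SINKS = [
  { name: "innerHTML", re: /\.innerHTML\s*\+?=/ },
  { name: "outerHTML", re: /\.outerHTML\s*\+?=/ },
  { name: "document.write", re: /document\.write(ln)?\s*\(/ },
  { name: "eval", re: /\beval\s*\(/ },
  { name: "setTimeout/setInterval", re: /\bset(Timeout|Interval)\s*\(/ },
  { name: "Function", re: /\bFunction\s*\(/ },
  { name: "location.href (redirect)", re: /location\.href\s*=[^=]/ },
];

// Returns one finding per line that contains both a sink and at least one
// source: { line, sink, sources }. Line numbers are 1-based.
function findSourceToSink(jsSource) {
  const findings = [];
  jsSource.split("\n").forEach((line, i) => {
    const sink = SINKS.find((s) => s.re.test(line));
    if (!sink) return;
    const sources = SOURCES.filter((src) => line.includes(src));
    if (sources.length === 0) return;
    findings.push({ line: i + 1, sink: sink.name, sources });
  });
  return findings;
}

// Constructed sample: the gadget from the slides, the slide-12 one-liner,
// a safe rewrite using textContent, and a string-argument setTimeout.
const SAMPLE_JS = `
p = document.getElementById("username");
p.innerHTML = "<p>you are " + location.hash.substring(1) + "</p>";
document.getElementById("contents").innerHTML = location.hash.substring(1);
q = document.getElementById("username");
q.textContent = "you are " + location.hash.substring(1);
setTimeout("check(" + window.name + ")", 10);
`;
```

The textContent line is not reported: the same source is used, but it is written as text rather than markup, which is the fix for this gadget.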

  20. What makes the matters worse
    What is the problem with DbXSS?
    ‣ DOM Based XSS happens on top of legitimate content
      ‣ The other two kinds: the injected script comes back in executable form (script tags, onerror=..., etc.), i.e. already tainted
      ‣ DbXSS: a non-executable script comes back (not yet tainted) and becomes executable on the browser side
    ‣ There may be no log left on the server side
      ‣ Assessing the impact is hard (e.g. a value injected into location.hash is not part of the request)
    ‣ It can also be used to bypass browser defences such as XSS filters [4]

  21. When the text can be turned into an evil
    The flow of DbXSS

    [Figure: the browser requests http://example.com/#...; at the moment the browser receives it, the content is still harmless; the source reaches the sink through DOM manipulation]

  22. Increasing & diversifying threats
    The growing and diversifying threat of DbXSS
    ‣ Few (if any) web sites are built without DOM manipulation
      ‣ The bigger the JS gets, the harder the bugs are to find
    ‣ Meanwhile, XSS is no longer a problem confined to the browser
      ‣ e.g. Electron
      ‣ Desktop apps can be built with web development technologies
      ‣ The threat of XSS moves closer to the lower layers

  23. NOTE:

  24. Overview: XSS
    Summary so far & topics to learn next
    ‣ XSS (Cross-site Scripting) falls broadly into 3 kinds
      ‣ ( Stored | Reflected | DOM Based ) XSS
    ‣ Let's explore the deep world of XSS together!
      ‣ XSS caused by character-encoding handling [5]
      ‣ XSS caused by IE's content sniffing [6]
      ‣ And plenty of other interesting stories.

  25. Script gadgets: what happens with *.js

  26. What did *.js make?
    What *.js brought
    ‣ With the arrival of jQuery and *.js (e.g. Angular.js, Vue.js, ...), web development changed dramatically (for the better?)
      ‣ MVC (MVW)
      ‣ Liberation from getElementBy* hell
    ‣ New forms of XSS (maybe an overstatement...) have appeared
      ‣ XSS that makes use of attributes such as data-*, ng-* (Angular.js) and v-* (Vue.js)

  27. Script gadgets - example
    What a script gadget is - a concrete example
    ‣ Presented by @slekies et al. in 2017
    ‣ "By injecting benign HTML markup matching DOM selectors used in the application we are able to trigger the execution of specific pieces of legitimate application code - script gadgets." [2]

    p = document.getElementById("username");
    p.innerHTML = "<p>you are " + location.hash.substring(1) + "</p>";

    This script fragment is called a gadget

  28. What makes the matters worse
    What is the problem with DbXSS?
    ‣ DOM Based XSS happens on top of legitimate content
      ‣ The other two kinds: the injected script comes back in executable form (script tags, onerror=..., etc.), i.e. already tainted
      ‣ DbXSS: a non-executable script comes back (not yet tainted) and becomes executable on the browser side
    ‣ There may be no log left on the server side → assessing the impact is hard (e.g. a value injected into location.hash is not part of the request)

    What triggers this step is the script gadget

  29. When the text can be turned into an evil
    How to think about script gadgets

    [Figure: the browser requests http://example.com/#...; at the moment the browser receives it, the content is still harmless; the script gadget p.innerHTML = "..." + location.hash.substring(1) + "..." carries the source into the sink]

  30. Script gadgets - details
    ‣ Script gadgets are code fragments that turn harmless HTML tags or attributes into executable JS and run it.
    ‣ e.g. JS that performs a transformation like the following (data-text is harmless by itself!)
    ‣ Some of the *.js libraries perform operations like this example

    alert(1)

  31. XSS with script gadgets
    ‣ All sorts of defence mechanisms can be evaded (there are countless patterns!)
      ‣ XSS filters, WAF, HTML sanitizers, CSP, ...
    ‣ Real-world examples of this
      ‣ XSS via Bootstrap 3's data-target (2016)
        (https://github.com/twbs/bootstrap/issues/20184)
      ‣ H5SC Minichallenge 3 (XSS under CSP) (2015)
        (https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it%27s-CSP!%22)

  32. What makes the matters worse
    What is the problem with *.js?
    ‣ Attack techniques and script gadgets have multiplied dramatically
    ‣ They can be used for CSP (Content-Security-Policy) bypass
      ‣ Under strict-dynamic, script tags inserted into the DOM tree are allowed to execute
      ‣ Libraries that use an eval substitute such as notevil (e.g. the Vue.js CSP build) allow arbitrary code execution even without strict-dynamic and without unsafe-*
    ‣ You cannot say "we use CSP, so XSS doesn't scare us!"

  33. Example: Let's defeat CSP :-)
    - Vue.js is your strong friend! -

  34. What is Vue.js ?
    Vue.js - The Progressive JavaScript Framework
    ‣ "Vue is a progressive framework for building user interfaces." ( https://jp.vuejs.org/v2/guide/ )
    ‣ Convenient features such as data binding (changes to JS variables are reflected in the UI immediately)

    new Vue({
      el: "#content",
      data: {
        message: "Hello"
      }
    });

    {{ message }}

  35. Are you safe from XSS with Vue.js?
    Causes of XSS in Vue.js
    ‣ Let's classify by where the rendering happens
      1. Flaws in server-side rendering (the usual XSS)
      2. Flaws in client-side rendering
        ‣ XSS through HTML expansion with v-html or {{{ }}}
    ‣ The essence: the cause is mixing HTML (other than the legitimate content) that arrives dynamically from the server (≒ server-side rendering) with that HTML being rendered on the client (client-side rendering)
      ‣ For convenience, returning data without escaping is also treated here as effectively server-side rendering

  36. How to use Vue.js with CSP ?
    How to use Vue.js under CSP
    ‣ The usable combinations of Vue.js and CSP are the following
      ‣ CSP: (host|schema)-source & unsafe-eval
        Vue.js: full build (with template compiler)
      ‣ CSP: (hash|nonce)-source & unsafe-eval (& strict-dynamic)
        Vue.js: full build (with template compiler)
      ‣ CSP: (specify as you like)
        Vue.js: CSP build (with template compiler)
      ‣ CSP: (specify as you like)
        Vue.js: runtime-only build (without template compiler)

    Note: "full build" refers to the Vue.js v2.x line; "CSP build" refers to the CSP branch derived from the v1.x line

  37. Situation
    Assumptions for the discussion that follows
    ‣ From here on, assume the following situation (quite plausible in practice).
      ‣ We want to use Vue.js's template compiler.
      ‣ An XSS exists and arbitrary tags can be inserted.
      ‣ A CSP is in place, configured appropriately so that Vue.js can run
        ‣ However, unsafe-inline is never set.
    ‣ Thanks to the CSP, the XSS (at first glance) has little freedom?
      ‣ Inline script execution looks impossible (since there is no unsafe-inline)

  38. How to use Vue.js with CSP ?
    How to use Vue.js under CSP
    ‣ The usable combinations of Vue.js and CSP are the following
      ‣ CSP: (host|schema)-source & unsafe-eval
        Vue.js: full build (with template compiler)
      ‣ CSP: (hash|nonce)-source & unsafe-eval (& strict-dynamic)
        Vue.js: full build (with template compiler)
      ‣ CSP: (specify as you like)
        Vue.js: CSP build (with template compiler)
      ‣ CSP: (specify as you like)
        Vue.js: runtime-only build (without template compiler)

    Let's consider these cases

  39. IDEA 1: inline script execution without unsafe-inline
    ‣ Using the template compiler in Vue.js requires eval-equivalent functionality (in the CSP build as well as the full build)
    ‣ If we piggyback on that, couldn't scripts be executed inline even without unsafe-inline?

  40. Example: XSS with Vue.js (* build)
    Arbitrary JS execution inside @error
    ‣ Inside v-on, $event.target.ownerDocument.defaultView is equal to window in both the CSP build and the full build
    ‣ So consider inserting the following tag
    ‣ The body of @error is transformed into the following form
      scope.$event.target.ownerDocument.defaultView.alert(1)
    ‣ This is equivalent to window.alert(1), so the alert appears.
    ‣ Inline execution is possible even without unsafe-inline

    @error="$event.target.ownerDocument.defaultView.alert(1)">

  41. Example: XSS with Vue.js (* build)
    Arbitrary JS execution in v-if or {{ }}
    ‣ With the full build + unsafe-eval, this gives an alert.
    ‣ In the CSP build, this alone gives an alert.
    ‣ With either of the builds and policies above, this gives an alert:
      {{this.$el.ownerDocument.defaultView.alert(1)}}

  42. Example: XSS with Vue.js (* build)
    Summary: a rough classification of XSS using Vue.js (1)
    ‣ JS execution through {{ }} (called mustache)
      ‣ {{ this.$el.ownerDocument.defaultView.alert(1) }}
      ‣ Feels like client-side template injection
    ‣ JS execution through Vue-specific directives
      ‣ The v-on directive (@ can be used as shorthand)
        ‣ e.g. @click="$event.target.ownerDocument.defaultView.alert(1)"
      ‣ The v-show, v-if, v-for and v-bind directives
        ‣ As with v-on, the string given is evaluated as JS

  43. Example: XSS with Vue.js (* build)
    Summary: a rough classification of XSS using Vue.js (2)
    ‣ XSS close in form to the original DOM Based XSS
      ‣ source: the Vue instance's data, computed, ...
      ‣ sink: expansion through v-html or {{{ }}} (the latter exists only in the 1.x line)

    new Vue({
      el: "#content",
      data: {
        raw: "<s>deleted</s>"
      }
    });
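As an added example (not code from the slides or from Vue), here is a review aid for the classification on the last two slides: given an HTML fragment that will end up inside an element Vue compiles as a template, it lists every mustache interpolation and every v-*/@/:/# attribute, i.e. the constructs Vue's template compiler would evaluate as JavaScript. It is a detection helper for code review or a CI test, not a sanitizer; the remedy the talk recommends is to keep server-supplied HTML out of compiled templates altogether.

```javascript
// Added example, not from the slides: enumerate the constructs in an HTML
// fragment that Vue 2's template compiler would turn into JavaScript
// expressions (mustache interpolation, and v-on / v-bind / v-if style
// directives). The tag and attribute regexes are a simplification of HTML
// parsing, adequate for review output only.
const MUSTACHE_RE = /\{\{([\s\S]*?)\}\}/g;
const TAG_RE =
  /<([a-zA-Z][\w-]*)((?:\s+[^\s=>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
// Attribute-name prefixes Vue 2 treats as directives:
// v-*, @ (= v-on:), : (= v-bind:), # (= v-slot:).
const DIRECTIVE_PREFIXES = ["v-", "@", ":", "#"];

// Returns one entry per construct Vue would compile into an expression:
// { kind: "mustache", expr } or { kind: "directive", tag, attr, expr }.
function findVueExpressions(html) {
  const hits = [];
  for (const m of html.matchAll(MUSTACHE_RE)) {
    hits.push({ kind: "mustache", expr: m[1].trim() });
  }
  for (const tag of html.matchAll(TAG_RE)) {
    for (const a of (tag[2] || "").matchAll(ATTR_RE)) {
      const name = a[1];
      if (!DIRECTIVE_PREFIXES.some((p) => name.startsWith(p))) continue;
      const expr = (a[2] ?? a[3] ?? a[4] ?? "").trim();
      hits.push({ kind: "directive", tag: tag[1], attr: name, expr });
    }
  }
  return hits;
}

// Constructed sample: an ordinary interpolation, the @error vector from the
// slides, and a harmless data-* attribute that must not be reported.
const SAMPLE_HTML =
  '<p class="greeting">Hello, {{ user.name }}!</p>' +
  '<img src="x" @error="$event.target.ownerDocument.defaultView.alert(1)">' +
  '<div v-if="ready" data-text="harmless">ok</div>';
```

A non-empty result for user-controlled HTML means the fragment must not reach a Vue-compiled template (or the data must be bound as text via {{ }} from the instance's data instead).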

  44. IDEA 2: ONE MORE THING...
    ‣ So scripts can be executed inline even without unsafe-inline? → Yes, done!
    ‣ But there are constraints on multi-statement execution and on scope, which is a hassle; I want to do XSS more freely!

  45. Let's be free from CSP (full build)
    Full bypass for any source with full build + unsafe-eval
    ‣ With the full build + unsafe-eval, the following kind of escape from those constraints is possible (very easy).
    ‣ I recommend reading how the compileToFunctions function called from Vue.$mount works

  46. Let's be free from CSP (CSP build)
    Full bypass of nonce-sources and strict-dynamic with the CSP build
    ‣ A nonce-source policy can be bypassed as follows.
      (for a policy such as script-src 'nonce-random' 'unsafe-eval';)
    ‣ For the strict-dynamic bypass, just delete the a.nonce line from the source above (that one is easy).

  47. Bypassability of CSP with Vue.js
    Classification when unsafe-inline is not specified

    build         | whitelist            | nonce            | nonce + sd
    full (ue)     | fully bypassable     | fully bypassable | fully bypassable
    CSP           | partially bypassable | fully bypassable | fully bypassable
    runtime-only  |                      |                  |

    ‣ If you use the template compiler, it is mostly bypassable
    ( ue = unsafe-eval, sd = strict-dynamic )

  48. Example: XSS with Vue.js (CSP build)
    Recap: XSS when using Vue.js under CSP
    ‣ When a page meets the following conditions, it ends up effectively in an unsafe-inline state even under CSP.
      ‣ It uses Vue.js
      ‣ It uses the template compiler
    ‣ Depending on the CSP configuration, this also leads to loading or inserting arbitrary script elements (e.g. nonce- or hash-based policies)
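As an added example (not code from the slides or from Vue), the combination table and the recap above can be turned into a policy check: parse the script-src of a Content-Security-Policy header and report, for the Vue build in use, whether the setup works at all and how far the talk's rules say it is bypassable. Build names follow the slides; the helper names and the result shape are assumptions of this example.

```javascript
// Added example, not from the slides: apply the talk's rules to a CSP header.
//  - "full" build: needs 'unsafe-eval' to work, and with it any template
//    expression is evaluated (full bypass, as on the table);
//  - "csp" build: still evaluates template expressions, so the page is
//    effectively unsafe-inline (partial); a nonce/hash or 'strict-dynamic'
//    policy extends that to arbitrary script loading (full);
//  - "runtime-only" build: ships no template compiler.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// script-src falls back to default-src when it is absent (CSP spec behaviour).
function scriptSources(policy) {
  const list = policy["script-src"] || policy["default-src"] || [];
  return list.map((s) => s.toLowerCase());
}

function assessVueUnderCsp(header, build) {
  const src = scriptSources(parseCsp(header));
  const has = (kw) => src.includes(kw);
  const nonceOrHash = src.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  const result = { build, works: true, bypass: "none", notes: [] };
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  if (has("'unsafe-inline'") && !nonceOrHash) {
    result.bypass = "full";
    result.notes.push("'unsafe-inline' is set: inline script is not blocked at all");
    return result;
  }
  if (build === "runtime-only") return result; // no template compiler
  if (build === "full") {
    if (!has("'unsafe-eval'")) {
      result.works = false;
      result.notes.push("the full build needs 'unsafe-eval' for its template compiler");
      return result;
    }
    result.bypass = "full";
    result.notes.push("full build + 'unsafe-eval': template expressions run as arbitrary JS");
    return result;
  }
  // "csp" build: expressions still evaluate, with scope/statement limits.
  result.bypass =  "partial";
  result.notes.push("CSP build evaluates template expressions: effectively unsafe-inline");
  if (nonceOrHash || has("'strict-dynamic'")) {
    result.bypass = "full";
    result.notes.push("nonce/hash/strict-dynamic policy: arbitrary script load reachable");
  }
  return result;
}
```

The only combination the check leaves at "none" is the runtime-only build, which matches the advice on the "How to use Vue.js safely" slide to precompile and use render: instead of template:.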

  49. Are you safe from XSS with Vue.js?
    Causes of XSS in Vue.js
    ‣ Let's classify by where the rendering happens.
      1. Flaws in server-side rendering (the usual XSS)
      2. Flaws in client-side rendering
        ‣ XSS through HTML expansion with v-html or {{{ }}}
    ‣ The essence: the cause is mixing HTML (other than the legitimate content) that arrives dynamically from the server (≒ server-side rendering) with that HTML being rendered on the client (client-side rendering)
      ‣ For convenience, returning data without escaping is also treated here as effectively server-side rendering

  50. How to use Vue.js safely
    Using Vue.js in peace
    ‣ Basic premise: do not mix server-side rendering and client-side rendering (this applies beyond Vue.js)
    ‣ If you use Vue.js, reduce server-side rendering as far as possible (hard though...)
    ‣ Avoid the template compiler wherever you can. Use render: rather than template:.
      ‣ Precompile

  51. Conclusion

  52. Summary
    ‣ XSS (Cross-site Scripting) falls broadly into 3 kinds
      ‣ ( Stored | Reflected | DOM Based ) XSS
    ‣ As JS libraries have become essential, the variety of XSS has widened
      ‣ Keep this in mind when using JS libraries
      ‣ They can also be used for CSP bypass

  53. Thank you for listening :-)
    Any Questions?
    Takashi Yoneuchi ( @lmt_swallow )
    https://shift-js.info

  54. References
    (1) XSS再入門 (XSS Reintroduction), by @ockeghem
        Slides by Tokumaru, author of the "Tokumaru book", summarising what XSS is and why it is a problem.
        → https://www.slideshare.net/ockeghem/xssreintroduction
    (2) S. Lekies, K. Kotowicz, S. Groß, E. A. V. Nava, and M. Johns, "Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets," ACM SIGSAC Conf. Comput. Commun. Secur., pp. 1709–1723, 2017.
    (3) Breaking XSS mitigations via Script Gadgets
        https://www.blackhat.com/docs/us-17/thursday/us-17-Lekies-Dont-Trust-The-DOM-Bypassing-XSS-Mitigations-Via-Script-Gadgets.pdf
        PoCs: https://github.com/google/security-research-pocs/tree/master/script-gadgets

  55. References
    (4) Browser's XSS Filter Bypass Cheat Sheet
        https://github.com/masatokinugawa/filterbypass/wiki/Browser%27s-XSS-Filter-Bypass-Cheat-Sheet
    (5) Cross-site scripting attacks via UTF-7
        http://gihyo.jp/admin/serial/01/charcode/0001
    (6) [Not to be ignored] IE's Content-Type ignoring
        http://www.atmarkit.co.jp/ait/articles/0903/30/news118.html
    (7) Vue.js: Copyright (c) 2013-present, Yuxi (Evan) You
        Released under the MIT license
        https://raw.githubusercontent.com/vuejs/vue/dev/LICENSE