XSS in the era of *.js - JS ライブラリ時代の XSS (ゼロから始めるセキュリティ入門勉強会 #15)

Vue.js Security Testing
 script> </head> <body> <div id="example"> {{this. $el.ownerDocument.defaultView.alert(1)}} </div> <script src="init.js" nonce="random2"></ script> </body> </html> XSS in the era of *.js  JS ϥΠϒϥϦ࣌୅ͷ XSS Takashi Yoneuchi @lmt_swallow https://shift-js.info 

View Slide

© 2018 shift-js.info All Rights Reserved.
Outline
‣ Overview: XSS
‣ XSS ͱ͸ͲΜͳ΋ͷ͔ɾͲΜͳ෼ྨ͕͋Δ͔ΛֶͿ
‣ What is DOM Based XSS?
‣ ಛʹ DbXSS ʹ͍ͭͯɺΑ͋͘Δ۩ମྫ͔ΒݪཧΛֶͿ
‣ Script gadgets: what happens with *.js ?
‣ Script gadgets ͷ࿩ (+ ࠷ۙͷ *.js ͨͪͷొ৔ʹΑΔมԽ)
‣ Example: Let's defeat CSP :-)
‣ Vue.js Λ template compiler ͋ΓͰ࢖͏ͳΒجຊ unsafe-inline ͳ࿩
‣ Conclusion

View Slide

Notes
‣ ಛʹٕज़తͳ಺༰ʹؔͯ͠ɺݕূɾϨϏϡʔ͸ؤுͬ
͍ͯͯ͠·͕͢ɺޡΓؚ͕·ΕΔ৔߹͕͋Γ·͢ɻ
(ൃݟͨ͠Β๻ʹ࿈བྷΛ͍ͩ͘͞!)
‣ ຊࢿྉ͸ޙ೔ΦϯϥΠϯͰެ։͞ΕΔ༧ఆɻ
‣ ࠓճͷൃදͰͷ೚ҙͷൃݴ͸ॴଐ૊৫Λ୅ද͢Δ΋
ͷͰ͸͋Γ·ͤΜ&ࢲݟʹج͖ͮ·͢ɻ

View Slide

Overview: XSS

View Slide

XSS (Cross-site Scripting) 
ΫϩεαΠτεΫϦϓςΟϯά
‣ "Cross-Site Scripting (XSS) attacks are a type
of injection, in which malicious scripts are
injected into otherwise benign and trusted
web sites." (OWASP, https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) )
‣ ͬ͘͟Γ͍͏ͱ͜͏
‣ ߈ܸऀ͕ Web αΠτʹεΫϦϓτΛ஫ೖ
‣ ඪతͷϒϥ΢β্ͰͦΕ͕࣮ߦ͞ΕΔ

View Slide

ΫϩεαΠτεΫϦϓςΟϯά - ྫ

͜Μʹͪ͸, ͭ͹Ί ͞Μ!

View Slide

ΫϩεαΠτεΫϦϓςΟϯά - ྫ

͜Μʹͪ͸, alert(1) ͞Μ!
‣ ೖྗ஋͕ HTML ͷҰ෦ͱղऍ͞Εɺ ͕࣮ߦ͞Εͯ͠·͏ 

View Slide

Three kinds of XSS 
3 छͷ XSS
‣ Stored XSS - ஝ੵܕ XSS (ޮՌ͕࣋ଓ͢Δ)
‣ DB ౳ʹอଘ͞ΕͨϢʔβʔೖྗ஋͕ग़ྗ͞ΕΔࡍͷ XSS
‣ Reﬂected XSS - ൓ࣹܕ XSS: (ޮՌ͸࣋ଓ͠ͳ͍)
‣ ϢʔβʔೖྗΛ͙ͦ͢ͷ৔Ͱग़ྗ͢Δࡍͷ XSS 
‣ DOM Based XSS - ࠷ۙͷྲྀߦΓ

View Slide

1. Stored XSS 
஝ੵܕ XSS

1. ѱҙͷ͋ΔεΫϦϓτΛೖྗ஋ͱͯ͠஫ೖ 
(e.g. ϒϩάͷίϝϯτͱͯ͠ alert(1) Λૹ৴)
2. อଘ
4. DB ͔ΒͷಡΈग़͠
3. αΠτʹΞΫηε
5. εΫϦϓτ஫ೖࡁίϯςϯπͷฦ٫ 
e.g. alert(1)

View Slide

2. Reﬂected XSS 
൓ࣹܕ XSS

1. ѱҙͷ͋ΔεΫϦϓτؚ͕·ΕΔϦΫΤετΛ 
ඪత͕ൃߦ͢ΔΑ͏༠ಋ 
(e.g. http://example.com/?search=alert(1))
2. ඪత͕༠ಋ͞ΕͯϦΫΤετΛൃߦ
3. εΫϦϓτ஫ೖࡁίϯςϯπͷฦ٫ 
e.g. alert(1) Ͱͷݕࡧ݁Ռ

View Slide

Example: Stored & Reﬂected XSS 
஝ੵܕ XSS ͱ൓ࣹܕ XSSͷྫ
‣ αʔόʔαΠυͰϢʔβʔೖྗ஋Λ࢖ͬͯ HTML Λߏ
੒͢ΔࡍͷΤεέʔϓ࿙Ε͕ݪҼ
‣ ରࡦ
‣ ໽հͳέʔε͕ͨ͘͞Μ͋ͬͯେม
‣ ྫ͑͹ htmlspecialchars() ͷΑ͏ͳΤεέʔϓΛ௨͢

echo 'hello, '. $potentially_malicious_value ;
?>

View Slide

3. DOM Based XSS

1. ѱҙͷ͋ΔεΫϦϓτؚ͕·ΕΔϦΫΤετΛ 
ඪత͕ൃߦ͢ΔΑ͏༠ಋ 
(e.g. http://example.com/#query=alert(1))
2. ඪత͕༠ಋ͞ΕͯϦΫΤετΛൃߦ
3. ਖ਼نίϯςϯπͷฦ٫
4. DOM ૢ࡞ʹΑΓ XSS ൃՐ 
document.getElementById("contents").innerHTML=location.hash.substring(1);

View Slide

What is DOM Based XSS ?
- with common examples -

View Slide


DOM 
Document Object Model
‣ HTML (΍ XML) ͷߏ଄ʹ
ΞΫηε͢ΔͨΊͷ࿮૊
‣ จষߏ଄Λ Tree ܗͷϞσ
ϧͱͯ࣋ͭ͠
‣ WHATWG ʹΑΔఆٛ 
https://dom.spec.whatwg.org

View Slide

What is DOM Based XSS? 
DOM Based XSS ͱ͸
‣ "DOM Λ௨ͨ͡ HTML ૢ࡞ͷ݁Ռͱͯ͠ɺҙਤ͠ͳ͍ε
ΫϦϓτ͕࣮ߦ͞ΕΔ͜ͱ΍ɺͦΕΛڐ͢੬ऑੑΛࢦ͠
ͯɺDOM Based XSS ͱ͍͏ɻ" (IPA ςΫχΧϧ΢ΥονʮDOM Based XSSʯʹؔ͢ΔϨ
ϙʔτ https://www.ipa.go.jp/ﬁles/000024729.pdf)
‣ Stored XSS ΍ Reﬂected XSS ͱͷҧ͍
‣ αʔόʔ͸͋͘·Ͱ "ਖ਼نίϯςϯπ" Λฦ͢
‣ αʔόʔΛ߈ܸεΫϦϓτ͕ܦ༝͠ͳ͍Մೳੑ͕͋Δ
‣ e.g. http://example.com/#alert(1) (ϑϥάϝϯτࣝผࢠͷར༻)

View Slide

Common example 
DbXSS ͷΑ͋͘Δྫ
‣ example.com ্Ͱ্ه JS ͕࣮ߦ͞ΕΔ৔߹ɺ
ྫ͑͹ඪతΛ࣍ͷΑ͏ͳ URL ʹ༠ಋ͢Δͱʁ 
http://example.com/#

 p = document.getElementById("username"); p.innerHTML = "you are " + location.hash.substring(1) + ""; 

View Slide

Common example 
DbXSS ͷΑ͋͘Δྫ
‣ ͜ͷ λάࣗମ͸ແ֐ (ѱ͍͜ͱ͸ͯ͠ͳ͍) ‣ location.hash ͷ஋͕લท <img ...> Ͱ΋ɺͦΕ͚ͩͳΒແ֐ ͔ͭ non-executable ‣ innerHTML ʹલท <img ... > ͷΑ͏ͳ location.hash ͷ஋͕ೖΔ ͱ executable ʹͳΔ <script> p = document.getElementById("username"); p.innerHTML = "you are " + location.hash.substring(1) + ""; 

View Slide

Common example 
DbXSS ͷΑ͋͘Δྫ
‣ ͜ͷ λάࣗମ͸ແ֐ (ѱ͍͜ͱ͸ͯ͠ͳ͍) ‣ location.hash ͷ஋͕લท <img ...> Ͱ΋ɺͦΕ͚ͩͳΒແ֐ ͔ͭ non-executable ‣ innerHTML ʹલท <img ... > ͷΑ͏ͳ location.hash ͷ஋͕ೖΔ ͱ executable ʹͳΔ <script> p = document.getElementById("username"); p.innerHTML = "you are " + location.hash.substring(1) + ""; 
4PVSDFͱݺͿ
4JOLͱݺͿ

View Slide

Sources & Sinks  
ιʔεͱγϯΫ
‣ Source - ߈ܸऀ͕ίϯτϩʔϧͰ͖Δ஋
e.g. location.hash, location.search, location.href, ...
e.g. document.cookie, document.referrer, ...
e.g. window.name, ...
‣ Sink - JS ੜ੒ & ࣮ߦʹ࢖ΘΕ͏ΔՕॴ
e.g. location.href (redirect)
e.g. HTMLElement.innerHTML
e.g. document.write
e.g. eval, setTimeout, setInterval, Function

View Slide

What makes the matters worse 
DbXSS ͷԿ͕໰୊ͳͷ͔
‣ DOM Based XSS ͸ ਖ਼نίϯςϯπ্Ͱى͖Δ
‣ DbXSS Ҏ֎ͷ 2छ: ஫ೖ͞ΕͨεΫϦϓτ͕ executable ͳܗ
(, onerror=... ౳) Ͱฦͬͯ͘Δ(Ԛછࡁ) ‣ DbXSS: non-executable ͳεΫϦϓτ͕ฦ͖ͬͯͯ(Ԛછ લ)ɺϒϥ΢βαΠυͰͦΕ͕ executable ʹͳΔ ‣ αʔόʔαΠυʹϩά͕࢒Βͳ͍৔߹΋͋Δ ‣ ඃ֐ͷ೺Ѳ͕೉͍͠ (e.g. location.hash ΁ͷ஫ೖ஋͸ϦΫΤετதʹؚ·Εͳ͍) ‣ XSS ﬁlter ͳͲͷϒϥ΢β๷ޚػೳͷόΠύεʹ΋࢖͑Δ [4] 

View Slide

When the text can be turned into an evil 
DbXSS ͷྲྀΕ

ϒϥ΢β
※ ϒϥ΢β͕ड͚औΔॠؒ͸ 
͋͘·Ͱແ֐ͳίϯςϯπ
source
source sink
DOM ૢ࡞

View Slide

Increasing & diversifying threats 
૿Ճɾଟ༷Խ͢Δ Db XSS ͷڴҖ
‣ DOM ૢ࡞ͳ͠Ͱ࡞ΒΕΔ Web αΠτ͸গͳ͍ (or ͳ͍)
‣ JS ͕ංେԽ͢Ε͹͢Δ΄Ͳݟ͚ͭʹ͍͘
‣ ͦΜͳத XSS ͸΋͸΍ϒϥ΢β্͚ͩͷ໰୊Ͱ͸ͳ͍
‣ e.g. Electron
‣ Web ։ൃͷٕज़Ͱ Desktop Apps Λ࡞ΕΔ
‣ XSS ͷڴҖ͕ΑΓԼͷϨΠϠʹۙͮ͘

View Slide

NOTE:

View Slide

Overview: XSS 
͜͜·Ͱͷ·ͱΊ & ֶ࣍Ϳ΂͖࿩୊
‣ XSS (Cross-site Scripting) ͸େ͖͘෼͚ͯ 3 छྨ
‣ ( Stored | Reﬂected | DOM Based ) XSS 
‣ ҰॹʹԞਂ͍ XSS ͷੈքΛ୳ࡧ͠·͠ΐ͏ !
‣ จࣈίʔυͷऔѻʹىҼͨ͠ XSS [5]
‣ IE ͷ Content Snifﬁng ʹىҼͨ͠ XSS [6]
‣ ͦͷଞ໘ന͍࿩͸୔ࢁɻ

View Slide

Script gadgets:  
what happens with *.js

View Slide

What did *.js make? 
*.js ͕΋ͨΒͨ͠΋ͷ
‣ jQuery ΍ *.js (e.g. Angular.js, Vue.js, ...) ͷొ৔Ͱ
Web ։ൃ͸ܶతʹ (ྑ͍ํ޲ʹ?) มΘͬͨ
‣ MVC (MVW)
‣ getElementBy* ஍ࠈ͔Βͷղ์
‣ ৽ͨͳܗͷ XSS (ݴ͍͔͗͢΋…) ͕ొ৔͖ͯͨ͠
‣ data-* ΍ ng-* (Angular.js) , v-* (Vue.js) ͳͲͷ attributes Λ
ར༻ͨ͠ XSS

View Slide

Script gadgets - example 
Script gadget ͱ͸Կ͔ - ۩ମྫΛݟͯΈΔ
‣ 2017 ೥ʹ @slekies Β͕ൃද
‣ "By injecting benign HTML markup matching DOM
selectors used in the application we are able to
trigger the execution of speciﬁc pieces of legitimate
application code - script gadgets." [2]

 p = document.getElementById("username"); p.innerHTML = "you are " + location.hash.substring(1) + ""; 
͜ͷεΫϦϓτஅยΛ gadget ͱݺͿ

View Slide

What makes the matters worse 
DbXSS ͷԿ͕໰୊ͳͷ͔
‣ DOM Based XSS ͸ ਖ਼نίϯςϯπ্Ͱى͖Δ
‣ DbXSS Ҏ֎ͷ 2छ: ஫ೖ͞ΕͨεΫϦϓτ͕
executable ͳܗ (, onerror=... ౳) Ͱฦͬͯ͘Δ(Ԛછࡁ) ‣ DbXSS: non-executable ͳεΫϦϓτ͕ฦ͖ͬͯͯ (Ԛછલ)ɺϒϥ΢βαΠυͰͦΕ͕ executable ʹͳΔ ‣ αʔόʔαΠυʹϩά͕࢒Βͳ͍৔߹΋͋Δ → ඃ֐ͷ೺ Ѳ͕೉͍͠ (e.g. location.hash ΁ͷ஫ೖ஋͸ϦΫΤετதʹؚ·Εͳ͍) ͜͜ΛҾ͖ى͜͢ͷ͕ Script gadget 

View Slide

When the text can be turned into an evil 
Script gadgets ͷߟ͑ํ

ϒϥ΢β
p.innerHTML = "" +
location.hash.substring(1) + "";
Script gadgets
※ ϒϥ΢β͕ड͚औΔॠؒ͸ 
͋͘·Ͱແ֐ͳίϯςϯπ
source
source sink

View Slide

Script gadgets - details
‣ Script gadgets ͸ແ֐ͳ HTML λά΍ଐੑΛ࣮ߦՄ
ೳͳ JS ʹม׵ɾ࣮ߦͯ͘͠ΕΔίʔυஅยͷ͜ͱɻ
‣ e.g. ࣍ͷΑ͏ͳม׵Λߦ͏ JS (data-text ͸ຊདྷແ֐!)
‣ *.js ͨͪͷதʹ͸͜ͷྫͷΑ͏ͳૢ࡞Λ͢Δ΋ͷ͕͍Δ

alert(1)

View Slide

XSS with script gadgets
‣ ༷ʑͳ๷ޚػߏ͕ճආ͞Ε͏Δ (ύλʔϯ͸ແ਺!)
‣ XSS ﬁlters, WAF, HTML Sanitizer, CSP, ... 
‣ ͦΕΒ͍࣮͠ྫ
‣ Bootstrap3 ͷ data-target Λ࢖ͬͨ XSS (2016)  
(https://github.com/twbs/bootstrap/issues/20184)
‣ H5SC Minichallenge 3 (CSP ؀ڥԼͰͷ XSS) (2015) 
(https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-
it%27s-CSP!%22)

View Slide

What makes the matters worse
*.js ͷԿ͕໰୊ͳͷ͔
‣ ߈ܸख๏ & Script gadgets ͷඈ༂త૿Ճ
‣ CSP (Content-Security-Policy) bypass ʹར༻Մೳ
‣ strict-dynamic ؀ڥԼͰ͸ DOM πϦʔʹૠೖ͞Εͨ script
λάͷ࣮ߦ͕ڐՄ͞ΕΔ
‣ notevil ͷΑ͏ͳ eval ୅ସΛ࢖͍ͬͯΔ΋ͷ (e.g. Vue.js ͷ CSP
Ϗϧυ) Ͱ͸ strict-dynamic ͳ͠ & unsafe-* ͳ͠Ͱ΋೚ҙ
ίʔυ࣮ߦ͕Մೳ
‣ ʮCSP ࢖ͬͯΔ͔Β XSS ා͘ͳ͍ʂʯͳΜ͍ͯ͑ͳ͍ɻ

View Slide

Example: Let's defeat CSP :-)
- Vue.js is your strong friend! -

View Slide

What is Vue.js ?  
Vue.js - The Progressive JavaScript Framework
‣ "Vue ͸ϢʔβʔΠϯλʔϑΣΠεΛߏங͢ΔͨΊͷϓϩά
ϨογϒϑϨʔϜϫʔΫͰ͢ɻ" ( https://jp.vuejs.org/v2/guide/ )
‣ σʔλόΠϯσΟϯά (JS ม਺ͷมߋ͕ UI ʹଈ࣌൓ө͞ΕΔ) ͳͲศར

 new Vue({ el: "#content", data: { message: "Hello" } }); 
{{ message }}

View Slide

Are you safe from XSS with Vue.js? 
Vue.js ʹ͓͚Δ XSS ͷݪҼ
‣ ϨϯμϦϯά͕ى͜ΔՕॴͰ෼ྨͯ͠ΈΔ
1. αʔόʔαΠυϨϯμϦϯάͰͷෆඋ (Α͋͘Δ XSS)
2. ΫϥΠΞϯταΠυϨϯμϦϯάͰͷෆඋ
‣ v-html, {{{ }}} ʹΑΔ HTML ͷల։ʹΑΔ XSS
‣ ຊ࣭: αʔόʔଆ͔Β (ਖ਼نίϯςϯπҎ֎ͷ) HTML ͕ಈతʹ߱ͬ
ͯ͘Δ(≒ αʔόʔαΠυϨϯμϦϯά) + ͦΕ͕ඳը͞ΕΔ
(ΫϥΠΞϯταΠυϨϯμϦϯά) ͷࠞ༻͕ݪҼ
‣ ศ্ٓɺΤεέʔϓͳ͠ͰσʔλΛฦͯ͠͠·͏৔߹΋ɺ࣮࣭αʔ
όʔαΠυϨϯμϦϯάͱଊ͍͑ͯ·͢

View Slide

How to use Vue.js with CSP ? 
CSP ؀ڥԼͰͷ Vue.js ͷ࢖͍ํ
‣ ར༻Մೳͳ Vue.js ͱ CSP ͷ૊Έ߹Θͤ͸ҎԼ
‣ CSP: (host|schema)-source & unsafe-eval 
Vue.js: full build ͷར༻ (template compiler ͋Γ)
‣ CSP: (hash|nonce)-source & unsafe-eval (& strict-dynamic) 
‣ CSP: (specify as you like) 
Vue.js: CSP build ͷར༻ (template compiler ͋Γ)
Vue.js: runtime-only build ͷར༻ (template compiler ͳ͠)

※ full build: Vue.js v2.x ܥ, CSP build: v.1.x ܥ೿ੜͷ CSP branch Λࢦ͢

View Slide

Situation 
Ҏ߱ͷٞ࿦ʹ͍ͭͯͷԾఆ
‣ Ҏ߱ɺҎԼͷঢ়گΛԾఆ͠·͢ (݁ߏݱ࣮ʹ͋Γ͏Δγνϡ)ɻ
‣ Vue.js ͷ template compiler Λ࢖͍͍ͨɻ
‣ XSS ͕ଘࡏ͠ɺ೚ҙλάΛૠೖͰ͖Δɻ
‣ CSP ͸ Vue.js ͕࢖͑ΔܗͰదٓఆΊΒΕ͍ͯΔ
‣ ͨͩ͠ৗʹ unsafe-inline ͸ઃఆ͠ͳ͍ɻ
‣ CSP ʹΑΓɺ(ͺͬͱݟ) XSS ͷࣗ༝౓͸௿͍ʁ
‣ ΠϯϥΠϯεΫϦϓτ࣮ߦ͸Ͱ͖ͳͦ͞͏(∵ unsafe-inline ͳ͠)

View Slide

How to use Vue.js with CSP ? 
CSP ؀ڥԼͰͷ Vue.js ͷ࢖͍ํ
‣ ར༻Մೳͳ Vue.js ͱ CSP ͷ૊Έ߹Θͤ͸ҎԼ
‣ CSP: (host|schema)-source & unsafe-eval 
‣ CSP: (hash|nonce)-source & unsafe-eval (& strict-dynamic) 
Vue.js: CSP build ͷར༻ (template compiler ͋Γ)
Vue.js: runtime-only build ͷར༻ (template compiler ͳ͠)

͜ΕΒͭͷέʔεΛߟ͑Δ

View Slide

IDEA 1: inline script execution
without unsafe-inline

‣ Vue.js Ͱ template compiler Λ
࢖͏ʹ͸ eval ૬౰ͷػೳ͕ඞཁ 
(CSP build Ͱ΋ full build Ͱ΋)
‣ ͜Εʹ৐͔ͬΕ͹εΫϦϓτͷ
ΠϯϥΠϯ࣮ߦ͕unsafe-inline
ແ͠Ͱ΋Ͱ͖ΔͷͰ͸ʁ

View Slide

Example: XSS with Vue.js (* build) 
@error ಺Ͱͷ೚ҙ JS ࣮ߦ
‣ v-on த $event.target.ownerDocument.defaultView  
͸ CSP build Ͱ΋ full build Ͱ΋ window ʹ౳͍͠
‣ ͦ͜Ͱ࣍ͷλάΛૠೖ͢Δ͜ͱΛߟ͑Δ 
‣ @error ಺෦͸࣍ͷܗʹม׵͞ΕΔ 
scope.$event.target.ownerDocument.defaultView.alert(1)
‣ ͜Ε͸ window.alert(1) ͱ౳ՁͳͷͰ alert ͕ग़Δɻ
‣ unsafe-inline ͳ͠Ͱ΋ΠϯϥΠϯ࣮ߦ͕Մೳ

@error="$event.target.ownerDocument.defaultView.alert(1)">

View Slide

Example: XSS with Vue.js (* build)
 
v-if ΍ {{ }} Ͱͷ೚ҙ JS ࣮ߦ

‣ full build + unsafe-eval Ͱ͸͜ΕͰ alert .

‣ CSP build Ͱ͸͜Ε͚ͩͰ alert .
‣ ্هͲͪΒͷ build & policy Ͱ΋͜ΕͰ alert.
{{this.
$el.ownerDocument.defaultView.alert(1}}

View Slide

Example: XSS with Vue.js (* build)
 
·ͱΊ: Vue.js Λ࢖ͬͨ XSS ͷେ·͔ͳ෼ྨ (1)
‣ {{ }} (mustache ͱݺͿ) Λ࢖ͬͨ JS ࣮ߦ
‣ {{ this.$el.ownerDocument.defaultView.alert(1) }}
‣ client-side ͳ template injection ͷΑ͏ͳײ͡
‣ ಛ༗ͷ directive Λ༻͍ͨ JS ࣮ߦ
‣ v-on directive (@ Ͱ୅༻Մೳ)
‣ e.g. @click="$event.target.ownerDocument.defaultView.alert(1)"
‣ v-show, v-if, v-for, v-bind directive
‣ v-on ಉ༷༩͑ͨจࣈྻ͕ JS ͱͯ͠ධՁ͞ΕΔ

View Slide

Example: XSS with Vue.js (* build) 
·ͱΊ: Vue.js Λ࢖ͬͨ XSS ͷେ·͔ͳ෼ྨ (2)
‣ ݩདྷͷ DOM Based XSS ʹ͍ۙܗͷ XSS
‣ source: Vue Πϯελϯεͷ data, computed, ...
‣ sink: v-html ΍ {{{ }}} ʹΑΔల։ (ޙऀ͸ 1 ܥͷΈ)

 new Vue({ el: "#content", data: { raw: "<s>deleted</s>" } }); 

View Slide

IDEA 2: ONE MORE THING...

‣ εΫϦϓτͷΠϯϥΠϯ࣮ߦ͕
unsafe-inline ແ͠Ͱ΋Ͱ͖Δͱ
͍͏͜ͱͰ͸ʁ → Ͱ͖ͨ!
‣ ͨͩෳจ࣮ߦ΍είʔϓʹ੍໿
͕͋ͬͨΓͯ͠໘౗ͩ͠ɺ΋ͬ
ͱࣗ༝ʹ XSS ͍ͨ͠ʂ

View Slide

Let's be free from CSP (full build) 
full build + unsafe-eval Ͱͷ ೚ҙ source ͷ full bypass
‣ full build + unsafe-eval Ͱ͋Ε͹ɺ੍໿͔Βͷ࣍ͷ
Α͏ͳ୤ग़͕Մೳ (ͱͬͯ΋؆୯)ɻ

‣ Vue.$mount ͔Βݺ͹ΕΔ compileToFunctions
ؔ਺ͷಈ͖ΛಡΜͰΈΔ͜ͱΛ͓͢͢Ί͠·͢

View Slide

Let's be free from CSP (CSP build) 
CSP build ͷ nonce-sources ΍ strict-dynamic ͷ full bypass
‣ nonce-source ʹΑΔࢦఆ͸࣍ͷΑ͏ʹ bypass Մೳɻ 
( script-src 'nonce-random' 'unsafe-eval'; ͷΑ͏ͳࢦఆͷ৔߹ )

‣ strict-dynamic bypass ͸্هͷιʔε͔Β a.nonce ͷߦΛ࡟আ
͢Ε͹Α͍(ͪ͜Βͷํ͸؆୯)ɻ

View Slide

Bypassability of CSP with Vue.js 
unsafe-inline ະࢦఆͷ৔߹ͷ෼ྨ

CVJME XIJUFMJTU OPODF
OPODF 
TE
GVMM 
VF
GVMMZ 
CZQBTTBCMF
GVMMZ 
CZQBTTBCMF
GVMMZ 
CZQBTTBCMF
$41
QBSUJBMMZ
CZQBTTBCMF
GVMMZCZQBTTBCMF
GVMMZ 
CZQBTTBCMF
SVOUJNFPOMZ
‣ template compiler Λ࢖͏৔߹͸େମ bypassable
( ue = unsafe-eval, sd = strict-dynamic )

View Slide

Example: XSS with Vue.js (CSP build) 
੔ཧ: CSP ؀ڥԼͰ Vue.js Λ࢖͏ࡍͷ XSS ʹ͍ͭͯ
‣ ͋Δϖʔδ͕࣍ͷ৚݅Λຬͨ࣌͢͸ɺCSP ؀ڥԼ
Ͱ΋ɺ࣮࣭ unsafe-inline ঢ়ଶʹͳͬͯ͠·͏ɻ
‣ Vue.js Λ࢖͍ͬͯΔ
‣ ͦͷ template compiler Λ࢖͍ͬͯΔ
‣ CSP ͷઃఆʹΑͬͯ͸೚ҙ ͷϩʔυ΍ૠ ೖʹ΋ͭͳ͕ͬͯ͠·͏ (e.g. nonce, hash ܥࢦఆ) 

View Slide

Are you safe from XSS with Vue.js? 
Vue.js ʹ͓͚Δ XSS ͷݪҼ
‣ ϨϯμϦϯά͕ى͜ΔՕॴͰ෼ྨͯ͠ΈΔɻ
1. αʔόʔαΠυϨϯμϦϯάͰͷෆඋ (Α͋͘Δ XSS)
2. ΫϥΠΞϯταΠυϨϯμϦϯάͰͷෆඋ
‣ v-html, {{{ }}} ʹΑΔ HTML ͷల։ʹΑΔ XSS
‣ ຊ࣭: αʔόʔଆ͔Β (ਖ਼نίϯςϯπҎ֎ͷ) HTML ͕ಈతʹ߱ͬͯ
͘Δ(≒ αʔόʔαΠυϨϯμϦϯά) + ͦΕ͕ඳը͞ΕΔ (Ϋ
ϥΠΞϯταΠυϨϯμϦϯά) ͷࠞ༻͕ݪҼ
‣ ศ্ٓɺΤεέʔϓͳ͠ͰσʔλΛฦͯ͠͠·͏৔߹΋ɺ
࣮࣭αʔόʔαΠυϨϯμϦϯάͱଊ͍͑ͯ·͢

View Slide

How to use Vue.js safely 
Vue.js Λฏ࿨ʹ࢖͏ʹ͸
‣ େલఏ: αʔόʔαΠυϨϯμϦϯάͱΫϥΠΞϯ
ταΠυϨϯμϦϯάΛࠞ༻͠ͳ͍ (Vue.js ʹݶΒͣ)
‣ Vue.js Λ࢖͏ͳΒɺαʔόʔαΠυϨϯμϦϯάΛ
ݶΓͳ͘ݮΒ͢ (೉͍͚͠ΕͲ…)
‣ Template compiler Λۃྗ࢖Θͳ͍ɻtemplate: Ͱ
͸ͳ͘ɺrender: Λ࢖͓͏ɻ
‣ ϓϦίϯύΠϧ͢Δ

View Slide

Conclusion

View Slide

·ͱΊ
‣ XSS (Cross-site Scripting) ͸େ͖͘෼͚ͯ 3 छྨ
‣ ( Stored | Reﬂected | DOM Based ) XSS 
‣ JS ϥΠϒϥϦ͕ essential ʹͳ͖ͬͯͨ͜ͱͰɺXSS
ͷόϦΤʔγϣϯ͕޿͕͖ͬͯͨ
‣ JS ϥΠϒϥϦ࢖༻࣌ʹ͸͜ͷ͜ͱΛ಄ʹཹΊΑ͏
‣ CSP bypass ʹ࢖ΘΕΔ৔߹΋͋Δ

View Slide

Thank you for listening :-)
Any Questions?
Takashi Yoneuchi ( @lmt_swallow )
https://shift-js.info

View Slide

References
(1) XSS࠶ೖ໳ (@ockeghem ઌੜ) 
ʰಙؙຊʱͷಙؙઌੜ͕ XSS ͱ͸Կ͔ɺͲ͏໰୊ͳͷ͔Λ·ͱΊͨࢿྉɻ 
ˠ https://www.slideshare.net/ockeghem/xssreintroduction
(2) S. Lekies, K. Kotowicz, S. Groß, E. A. V. Nava, and M. Johns,
“Code-Reuse Attacks for the Web : Breaking Cross-Site
Scripting Mitigations via Script Gadgets,” ACM SIGSAC Conf.
Comput. Commun. Secur., pp. 1709–1723, 2017.
(3) Breaking XSS mitigations via Script Gadgets  
https://www.blackhat.com/docs/us-17/thursday/us-17-Lekies-Dont-Trust-The-DOM-
Bypassing-XSS-Mitigations-Via-Script-Gadgets.pdf 
POC ͨͪ https://github.com/google/security-research-pocs/tree/master/script-gadgets

View Slide

References
(4) Browser's XSS Filter Bypass Cheat Sheet 
https://github.com/masatokinugawa/ﬁlterbypass/wiki/Browser%27s-XSS-Filter-Bypass-Cheat-
Sheet
(5) UTF-7ʹΑΔΫϩεαΠτεΫϦϓςΟϯά߈ܸ 
http://gihyo.jp/admin/serial/01/charcode/0001
(6)ʦແࢹͰ͖ͳ͍ʧIEͷContent-Typeແࢹ 
http://www.atmarkit.co.jp/ait/articles/0903/30/news118.html
(7) Vue.js: Copyright (c) 2013-present, Yuxi (Evan) You 
Released under the MIT license  
https://raw.githubusercontent.com/vuejs/vue/dev/LICENSE

View Slide

XSS in the era of *.js - JS ライブラリ時代の XSS (ゼロから始めるセキュリティ入門勉強会 #15)

XSS in the era of *.js - JS ライブラリ時代の XSS (ゼロから始めるセキュリティ入門勉強会 #15)

Takashi Yoneuchi

More Decks by Takashi Yoneuchi

Other Decks in Programming

Featured

Transcript