Client sidesec 2013 - script injection

Web Client Side
Security -
Script Injection
Tal Be’ery
@Verint
2013

SOP Threat Model
Communicati
on
Custom Code
Accounts
Finance
Administratio
n
Transactions
Knowledge
Mgmt
E-Commerce
Bus.
Functions
Victim Application
3
Vulnerable site sees
legitimate request
from victim
performs the action
requested
And sends a
response
Attacker sets the trap on some website on the internet1
2
While logged into vulnerable site,
victim views attacker site
Victim site interaction
Some interaction
with victim site

Injecting Script to Defeat SOP
O So SOP does not allow scripts from a
different origin to access target origin’s
data?
O Then, attacker must get the script to run
from target’s origin!

Getting The Script In
O Malvertising: Paying the server to show
content (Malicious Ads)
O XSS :Abusing the application’s to serve
user content
O Breaking into the server to change content
O Mass injection
O Watering Hole attacks
O Injecting onto the connection (MitM)

Paying the target site
O Paying the target site to serve attacker
controlled messages to its clients
O Paying for displaying content = advertising

Online advertising
O The business engine for the web
http://blogs-images.forbes.com/roberthof/files/2012/06/iabadrev.gif

Online advertising
O Many parties are involved
http://blogs.wsj.com/digits/2011/06/06/online-ads-where-1240-companies-fit-in/

Malvertising
O Malware advertising
O Usually in the context of malware
spreading
O If it allows scripting, can create XSS
http://2.bp.blogspot.com/-qyWHGQxwkPc/Tl0dNR-1g1I/AAAAAAAACdg/wsYFRVfM3NQ/s1600/malvertising%2Byieldmanager%2Bziddu%2Bwebsite.png

Targeting Ads
O Web ads can be highly targeted
O “C level” in “Israel” in the “security
industry”

XSS = Script Injection
O Victim server embeds unsanitized user’s
Input in served content
O Served content can contain a script
invocation
O The script is from the origin of the victim
server and thus can access all of the
origin’s data

Stored XSS
O The victim server stores user generated
content
O Comments
O Profile in social network
O Reviews
O The content is displayed to other users
O If not properly sanitized the content can
contain a script

Stored XSS Illustrated
Attacker sets the trap – update my
profile
Attacker enters
a malicious
script into a
web page that
stores the data
on the server
1
Application
with stored
XSS
vulnerability
Custom Code
Accounts
Finance
Administratio
nTransactions
Communicati
onKnowledge
MgmtE-CommerceBus.
Functions
2 Victim views page – sees
attacker profile
Script runs
inside victim’s
browser with
full access to
the DOM and
cookies
3 Script silently sends attacker Victim’s session
cookie
1

Reflected XSS
O The victim sends back (reflects) user
generated content to the user
O “search results for <sent term>”
O “The form details you just filled <form
data>”
O The content is displayed to the user
O If not properly sanitized the content can
invoke a script

Reflected XSS
O Why should I attack myself?
O The attacker “convinces” the victim to
attack itself
O Link is embedded in attacker site
O Phishing email

Reflected XSS Demo - testing
O Search page is a classic!
O /sitesearch/index.aspx?q=bbbbbbbbbbbb

Reflected XSS Demo – XSS!
O /index.aspx?q=<script> alert(
document.cookie); </script>

DOM Based XSS
O Javascript can change inner HTML
through the DOM
O If the script in victim server’s page accepts
input from user without sanitizing it and
changes the DOM than a script can be
invoked.

Javascript Invocation
O Direct Script Injection
O Event handler injection
O Javascript protocol injection
O Injecting into an existing script

Injection
O Injection happens when attacker is able to
make a cross over from data area to
control/code area
O All Injections (Script injections, but also
SQL injection, XML injection, LDAP
injection, etc.) share the same
characteristics:
O A token that ends the data part
O Some malicious code
O A token that returns to data part (optional)

Direct Script Injection
O <script>alert(1)</script>
O HTML parsers are usually very relaxed
and forgiving

Event handler injection
O Example:
O Original application:
O <img src="url" alt="some_user_text">
O Attacker:
O <img src="url" alt="” onload=“evil()">

Javascript protocol injection
O Injecting the javascript pseudo protocol in
places intended for URLs
O Original application:
O <iframe src="user supplied url" >
O Attacker:
O <iframe src=“Javascript:evil()" >

Injecting into an existing
script
O Input is embedded into existing script.
O Script must remain syntactically correct for
the malicious payload to execute

Injecting Into an Existing
Script – In the Wild
O The value of the locale HTTP parameter is
included directly in a javascript within the
response and assigned to the s_prop18
variable:
O <script>…var s_prop18="";alert(1);//“ …
</script>

Vulnerability Scanners
O Many commercial tools
O IBM AppScan
O HP WebInspect
O Etc.
O Many free tools

Exploitation tools: BeEF
O The Browser Exploitation Framework

Input/Output Sanitizaiton
O Remove “bad” characters
O Encode “bad” characters
O Context dependent!
O When input is given the code does not
know in which context it would be
displayed
O When output is presented, the context is
known, but coder may forget its untrusted
origin

Too many contexts…
HTML Style Property
Values
(e.g., .pdiv a:hover {color: red; text-
decoration: underline} )
JavaScript Data
(e.g., <script> some javascript
</script> )
HTML Attribute Values
(e.g., <input name='person'
type='TEXT' value='defaultValue'> )
HTML Element
Content
(e.g., <div> some text to display
</div> )
URI Attribute Values
(e.g., <a href="javascript:toggle('lesson')"
)
#4: All non-alphanumeric < 256  HH
ESAPI: encodeForCSS()
#3: All non-alphanumeric < 256  xHH
ESAPI: encodeForJavaScript()
#1: ( &, <, >, " )  &entity; ( ', / )  &#xHH;
ESAPI: encodeForHTML()
#2: All non-alphanumeric < 256  &#xHH
ESAPI: encodeForHTMLAttribute()
#5: All non-alphanumeric < 256  %HH
ESAPI: encodeForURL()

CSP
O Content Security Policy
O Enables the website to specify with
custom headers the allowed scripts in the
page, so no new script can be injected
O In order for CSP to be effective, the
website code has to be refactored.

NoScript
O Client side plugin
O Stops scripts, but usually kills user
experience too

Web Application Firewalls
O Stop XSS vectors
O Both reflected and persistent
O Examples:
O Imperva SecureSphere
O ModSecurity

Browser XSS filter
O Checks for script invocation in user
supplied data
O Only effective against reflected XSS

XSSed.com
O http://xssed.com/

Scanners Stats
https://www.whitehatsec.com/assets/WPst
atsReport_052013.pdf

XSS in Google
http://www.acunetix.com/blog/web-security-zone/articles/xss-vulnerability-injected-google-analytics-executed-ioss-gmail-
application/

Watering Hole
O Waiting for the victim to come to the
attacker
http://tpzoo.files.wordpress.com/2013/02/lion-zebra-water-hole.jpg

Watering Hole Attack
O Break into a website
O Plant a malicious script in it
http://eromang.zataz.com/2013/02/20/facebook-apple-twitter-watering-hole-attack-additional-informations/

MITM Can Inject Scripts
O The victim requests “good.com”
O The attacker serves arbitrary content as a
response
O Scripts served that way, are considered by
the browser as coming from “good.com”
context

Attacker Don’t Have to Be
MITM
O Full MITM capabilities are not needed
O “Man on the Side” is enough
O It’s enough to be able:
O Eavesdrop for requests
O Be able to inject false responses
O No need to stop messages

The NSA Did It!
O QUANTUM program
O “..NSA relies on its secret partnerships with
US telecoms companies… the NSA places
secret servers, codenamed Quantum, at key
places on the Internet backbone. This
placement ensures that they can react faster
than other websites can. By exploiting that
speed difference, these servers can
impersonate a visited website to the target
before the legitimate website can respond..
https://www.schneier.com/blog/archives/2013/10
/how_the_nsa_att.html

Web Client Side
Security -
Implementation Bugs

Bugs In SOP
O 2004: Malicious redirects break IE’s SOP
implementation

Universal XSS
O Browser is not just the browser
O Addons, extensions, plugins…
O Some of them may have bugs in SOP

Adobe PDF Universal XSS
O Adobe PDF Reader universal XSS
O http://host/file.pdf#anyname=javascript:yo
ur_code_here
O If a site hosts a PDF it has XSS
vulnerability
https://www.owasp.org/images/4/4b/OWASP_IL_The_Universal_XSS_PDF_Vulnerability.pdf

Exploit Delivery
O Introduced with a script
O One of the Aforementioned Script Injection
techniques
O Checks for browser vendor, version and
installed component to use the right
exploit
O Creates the exploited object

Obfuscated Javascript
https://sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf

Client sidesec 2013 - script injection

More Related Content

What's hot (20)

Viewers also liked (18)

Similar to Client sidesec 2013 - script injection (20)

More from Tal Be'ery (15)

Recently uploaded (20)

Client sidesec 2013 - script injection

Editor's Notes