mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations
Presenter: Liu Yin, Computer Science Department, College of William & Mary

Dec 15, 2015
Page 1

mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations

Presenter: Liu Yin, Computer Science Department, College of William & Mary

Page 2: Outline

Introduction: XSS, mXSS
Problem Description: The innerHTML Property, Mutation
Exploits: Seven attack vectors
Attack Surface
Mitigation Techniques
Evaluation
Conclusion

Page 3: XSS (Cross Site Scripting)

XSS enables attackers to inject client-side script into web pages viewed by other users.

If the web site allows uncontrolled content to be supplied by users (a user can write content in a guest book or forum), the user can introduce malicious code in the content. Ebay example.

Malicious code: modification of the Document Object Model (DOM), e.g. changing some links or adding some buttons; sending personal information to third parties (JavaScript can send cookies to other sites).

Page 4: XSS (Cross Site Scripting)

User input (including an XSS vector) would be sent to the server.

[Diagram] Browser: user input (XSS vectors); Web App server: XSS Filter; Filtered HTML; XSS executes.

Page 5: mXSS (mutation-based XSS)

Server- and client-side XSS filters share the assumption that their HTML output and the browser-rendered HTML content are mostly identical. False!

[Diagram] Browser: user input; Web server: XSS Filter, Filtered HTML; Browser: innerHTML mutation, XSS executes.

Page 6: mXSS – At the time of testing

Impact on IE, Firefox, Chrome.
Webmail clients: Microsoft Hotmail, Yahoo! Mail, …
Bypasses HTML sanitizers: HTML Purifier, htmLawed, OWASP AntiSamy, jsoup, Kses.

Page 7: Outline (repeated)

Page 8: The innerHTML Property

An HTML element's property for creating HTML content from arbitrarily formatted strings. Usage example.

Read access: serializes HTML DOM nodes into strings; this is what triggers the mutation.
Write access: attaches the transformed malicious content to the DOM.

Page 9: Mutation

The browser mutates the input string in multiple ways before sending it to the layout engine: the empty class is removed, the tag names are set to upper-case, the markup is sanitized, the HTML entities are resolved (e.g. &lt; or &#60; become <).

Core issue: the HTML markup an attacker uses to initiate an mXSS attack is considered harmless. Only the browser will transform the markup internally (on innerHTML access), thereby unfolding the embedded attack vector and executing the malicious code.

Page 10: Outline (repeated)

Page 11: Backtick Characters breaking Attribute Delimiter Syntax

Backtick (`): a bug report in 2007.

On innerHTML access, for attributes delimited by backticks or containing values starting with backticks, the regular quotes often disappeared, leaving the backtick characters unquoted and therefore vulnerable to injections.

Example: <script> imgID.innerHTML = …; </script>

Page 12: XML Namespaces in Unknown Elements causing Structural Mutation

Unknown elements (article, aside, menu) carrying an xmlns attribute, which provides information on which XML namespace the element is supposed to reside in.

On innerHTML access, the browser prefixes the unknown but namespaced element with the XML namespace, which in itself contains unquoted input from the xmlns attribute.

Example.

Page 13: Backslashes in CSS Escapes causing String-Boundary Violation

CSS escapes: \unicode, \ascii. For example property: 'v\61 lue' is property: 'value'.

When innerHTML-accessed, the browser converts escapes to their canonical representation: property: 'val\27ue' becomes PROPERTY: 'val'ue'.

Page 14: Misfit Characters in Entity Representation breaking CSS Strings

CSS escape for the double-quote character: the render engine converts \22, &quot;, &#x22; and &#34 into a single quote (') upon innerHTML access.

Page 15: CSS Escapes in Property Names violating entire HTML Structure

Terminate the style attribute. By escaping the entire attack payload, the adversary can abuse the mutation feature and deliver arbitrary CSS-escaped HTML code.

The attack only works with the double-quote representation inside double-quoted attributes.
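Pages 13 to 15 all come down to one fact: a filter that validates the raw style value sees a different string than the one the browser works with after canonicalizing CSS escapes. The following is an added example, not code from the slides or from the paper behind them. It implements the escape decoding from the CSS Syntax specification's "consume an escaped code point" step and then compares the string-token structure of a declaration value before and after decoding; function names (decodeCssEscapes, scanStrings, auditStyleValue) and the sample values are constructed here.

```javascript
// Added example: canonicalize CSS escapes as the CSS tokenizer does, then
// check whether decoding moved a string boundary (pages 13-15 of the slides).

// Replace every CSS escape by the code point it denotes: a backslash followed
// by one to six hex digits (plus one optional whitespace) or by a literal char.
function decodeCssEscapes(css) {
  let out = '';
  for (let i = 0; i < css.length; i++) {
    if (css[i] !== '\\') { out += css[i]; continue; }
    if (i + 1 >= css.length) { out += '\uFFFD'; break; } // backslash at end of input
    const hex = /^[0-9a-fA-F]{1,6}/.exec(css.slice(i + 1));
    if (hex) {
      let cp = parseInt(hex[0], 16);
      i += hex[0].length;
      // a single whitespace after the hex digits belongs to the escape
      if (i + 1 < css.length && /[ \t\n\f\r]/.test(css[i + 1])) i += 1;
      if (cp === 0 || (cp >= 0xd800 && cp <= 0xdfff) || cp > 0x10ffff) cp = 0xfffd;
      out += String.fromCodePoint(cp);
    } else {
      const cp = css.codePointAt(i + 1); // escaped literal character, e.g. \' or \"
      out += String.fromCodePoint(cp);
      i += cp > 0xffff ? 2 : 1;
    }
  }
  return out;
}

// Scan a declaration value for CSS string tokens. Inside a string a backslash
// escapes the next character, as in the CSS tokenizer, so the same scanner
// can be applied to the raw and to the canonical text.
function scanStrings(css) {
  const strings = [];
  let unterminated = false;
  let i = 0;
  while (i < css.length) {
    const q = css[i];
    if (q !== '"' && q !== "'") { i++; continue; }
    let j = i + 1;
    let body = '';
    while (j < css.length && css[j] !== q) {
      if (css[j] === '\\' && j + 1 < css.length) { body += css[j] + css[j + 1]; j += 2; }
      else { body += css[j]; j++; }
    }
    if (j >= css.length) unterminated = true;
    strings.push(body);
    i = j + 1;
  }
  return { strings, unterminated };
}

// A filter that validated the raw text saw a certain set of strings. If the
// canonical text has a different number of strings, or an unterminated one,
// a quote that was escaped has become a real delimiter (page 13's \27 case).
function auditStyleValue(raw) {
  const canonical = decodeCssEscapes(raw);
  const before = scanStrings(raw);
  const after = scanStrings(canonical);
  const violation = after.unterminated || after.strings.length !== before.strings.length;
  return { canonical, violation };
}

// Constructed samples taken from the slide's notation.
for (const v of ["property: 'v\\61 lue'", "property: 'val\\27ue'"]) {
  console.log(JSON.stringify(v), '->', auditStyleValue(v));
}
```

The first sample decodes to property: 'value' with the same single string as before, so no violation is reported; the second decodes to property: 'val'ue', where the escaped quote now closes the string early and leaves a dangling quote, which is the boundary violation the slide describes. A sanitizer that runs its CSS checks on the canonical form, or rejects backslashes in style values outright, does not depend on the browser agreeing with its view of the string.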

Page 16: Entity-Mutation in non-HTML Documents

MIME types text/xhtml, text/xml, application/xhtml+xml, application/xml: a web server can instruct a browser to render a document in XHTML/XML by setting a matching MIME type via the Content-Type HTTP header. Parser behavior depends on the MIME type: anomalies in text/html cannot happen in text/xhtml, and in the various related MIME-type rendering modes a CSS style element is supposed to be capable of containing other markup elements.

Page 17: Entity-Mutation in non-HTML context of HTML documents

SVG tag; fixed.

Page 18: Outline (repeated)

Page 19: Attack Surface

A mutation event occurs when

Found 74.5% of the Alexa Top 1000 websites to be using innerHTML assignments.
JavaScript libraries: 65% of the top 10,000 websites; 48.87% using jQuery.

Page 20: Attack Surface

Web-mailers: HTML rich-text editors (RTE); the innerHTML property is triggered by almost any interaction (composing, replying, spell-checking). Analyzed and spotted mXSS vulnerabilities in Microsoft Hotmail, Yahoo! Mail, Rediff Mail, OpenExchange, Roundcube. Bug reports were acknowledged.

HTML sanitizers: add new rules for known mutation effects; it is challenging to develop new filtering paradigms that may discover even unknown attack vectors.

Page 21: Outline (repeated)

Page 22: Mitigation Techniques – Server-side mitigation

Policy: disallow any of the special characters for which browsers are known to have trouble with a proper conversion.
Refined policy for HTML and CSS, implemented in HTML Purifier.
Solely practical for the handling of a subset of HTML.
Cannot protect against dynamically generated content.
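The policy on this slide is a character blacklist, but it has to be applied to the attribute value as the browser will see it, because entities are resolved (page 9) before any of the mutations in pages 11 to 15 take effect; a filter that checks the raw text misses a backtick written as &#96;. The following is an added example, not code from the slides, from the paper or from HTML Purifier: a small start-tag tokenizer, an entity decoder, and a policy that flags the character classes the slides report as troublesome (backticks in any attribute value, backslashes and double quotes in style attributes). The rule on xmlns attributes is derived from page 12 but is an assumption, not a rule the slides state; the tokenizer, rule texts and sample tags are constructed here.

```javascript
// Added example: a server-side character policy in the spirit of page 22,
// evaluated on the entity-decoded attribute value (page 9).

const NAMED_ENTITIES = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Resolve numeric entities (decimal or hex, with or without the trailing
// semicolon, as page 14's "&#34" shows) and a handful of named ones.
function decodeEntities(text) {
  return text.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);?/g, (whole, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body) ? NAMED_ENTITIES[body] : whole;
  });
}

// Minimal start-tag tokenizer (constructed for this example): returns the tag
// name and each attribute with its value and the quote that delimited it.
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

function tokenizeStartTag(tag) {
  const m = /^<([a-zA-Z][^\s\/>]*)([^>]*)>$/.exec(tag.trim());
  if (!m) throw new Error('not a start tag: ' + tag);
  const attrs = [];
  for (const a of m[2].matchAll(ATTR_RE)) {
    const quote = a[2] !== undefined ? '"' : a[3] !== undefined ? "'" : '';
    attrs.push({ name: a[1].toLowerCase(), value: a[2] ?? a[3] ?? a[4] ?? '', quote });
  }
  return { name: m[1].toLowerCase(), attrs };
}

// The policy: reject the characters the slides report browsers mishandle on
// innerHTML access, looking at the value the way the browser will see it.
function policyViolations(tagText) {
  const { name, attrs } = tokenizeStartTag(tagText);
  const violations = [];
  for (const { name: attr, value, quote } of attrs) {
    const decoded = decodeEntities(value);
    if (decoded.includes('`')) {
      violations.push(`${attr}: backtick in attribute value`); // page 11
    }
    if (attr === 'xmlns' || attr.startsWith('xmlns:')) {
      violations.push(`${attr}: namespace attribute`); // page 12 (assumed rule)
    }
    if (attr === 'style') {
      if (decoded.includes('\\')) {
        violations.push('style: backslash (CSS escape) in style attribute'); // pages 13, 15
      }
      if (quote === '"' && decoded.includes('"')) {
        violations.push('style: double quote inside double-quoted style attribute'); // pages 14, 15
      }
    }
  }
  return { tag: name, violations };
}

// Constructed sample tags: one benign, the others each tripping one rule.
const SAMPLE_TAGS = [
  '<p class="intro" title="plain text">',
  '<img alt="x&#96;y">',
  '<article xmlns="urn:example">',
  '<p style="color: \\27 red">',
  '<p style="font-family: &quot;x&quot;">',
];

for (const t of SAMPLE_TAGS) console.log(t, '->', policyViolations(t).violations);
```

The double-quote rule is deliberately scoped to double-quoted style attributes, matching page 15's observation that the attack only works with the double-quote representation inside double-quoted attributes; a single-quoted style attribute containing &quot; passes. As the slide says, a blacklist of this kind is only practical for a subset of HTML and does nothing for content generated dynamically on the client.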

Page 23: Mitigation Techniques – Client-side mitigation

TrueHTML (JavaScript): a wrapping and sanitation process that overwrites the handlers of innerHTML to intercept the performance optimization and the markup mutation process.
Free from all mutations described and documented.
Performance impact is low; does not require additional developer effort.
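The slide names the mechanism (overwriting the innerHTML handlers) but not how it is done. The following is an added example, not TrueHTML's code: it shows the interception pattern itself, redefining the innerHTML accessor on an element prototype with Object.defineProperty so that reads go through a serializer that always quotes and escapes attribute values the way the HTML fragment serialization algorithm does. Because this runs without a browser, a constructed MockElement stands in for a DOM element; its native getter reproduces the two mutations the slides describe (page 9: tag names set to upper-case; page 11: a value starting with a backtick is emitted unquoted). MockElement, serializeChildren, installInnerHtmlGuard and the sample tree are all constructed for this example.

```javascript
// Added example: the client-side interception pattern from page 23, against a
// constructed mock element rather than a real DOM.

// Stand-in for a DOM element whose children are plain { tag, attrs } records.
class MockElement {
  constructor(children) {
    this.children = children;
    this.lastAssigned = null;
  }
  // "Native" getter, modelling the mutations reported on pages 9 and 11:
  // upper-cased tag names and an unquoted value when it starts with a backtick.
  get innerHTML() {
    return this.children.map(({ tag, attrs }) => {
      const parts = Object.entries(attrs).map(([k, v]) =>
        v.startsWith('`') ? `${k}=${v}` : `${k}="${v}"`);
      return `<${tag.toUpperCase()}${parts.length ? ' ' + parts.join(' ') : ''}>`;
    }).join('');
  }
  set innerHTML(html) { this.lastAssigned = html; } // parsing omitted in the mock
}

// Escape an attribute value as the HTML fragment serialization algorithm does.
function escapeAttribute(v) {
  return v.replace(/&/g, '&amp;').replace(/\u00a0/g, '&nbsp;').replace(/"/g, '&quot;');
}

// Serializer that works from the node tree, not from the native string:
// lower-case tag names, every attribute value double-quoted and escaped.
function serializeChildren(el) {
  return el.children.map(({ tag, attrs }) => {
    const parts = Object.entries(attrs).map(([k, v]) => `${k}="${escapeAttribute(v)}"`);
    return `<${tag.toLowerCase()}${parts.length ? ' ' + parts.join(' ') : ''}>`;
  }).join('');
}

// Install the guard on a prototype: keep the native setter, replace the getter.
// Returns a function that restores the original descriptor.
function installInnerHtmlGuard(proto, serialize) {
  const native = Object.getOwnPropertyDescriptor(proto, 'innerHTML');
  Object.defineProperty(proto, 'innerHTML', {
    configurable: true,
    enumerable: native.enumerable,
    get() { return serialize(this); },
    set(v) { native.set.call(this, v); },
  });
  return () => Object.defineProperty(proto, 'innerHTML', native);
}

// Constructed sample: one img element whose alt value starts with a backtick.
function demonstrate() {
  const el = new MockElement([{ tag: 'img', attrs: { alt: '`x` y' } }]);
  const native = el.innerHTML;
  const uninstall = installInnerHtmlGuard(MockElement.prototype, serializeChildren);
  const guarded = el.innerHTML;
  uninstall();
  return { native, guarded };
}

console.log(demonstrate());
```

In a browser the same defineProperty call would target Element.prototype and the serializer would walk real child nodes; the point the mock makes is that the guarded getter never hands the page a string the native serializer produced, so the sanitizer's view and the re-serialized markup cannot drift apart. The setter is left untouched, which is what keeps the developer effort at zero, as the slide claims.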

Page 24: Outline (repeated)

Page 25: Evaluation Environment – TrueHTML Overhead

Access 5,000 URLs randomly chosen from the Alexa top 10,000 most popular web sites.
Typical usage scenarios: displaying an e-mail in a web mailer, accessing popular websites.
Investigate the relation between page load time overhead and page size in a controlled environment.
Demonstrate versatility: different hardware platforms were used for the different parts of the evaluation.
The evaluation environment is completed by a proxy server to inject TrueHTML into the HTML context of the visited pages, and a logging infrastructure.

Page 26: Evaluation Result

User-perceived page load time is not only dependent on the size of the content, but also reliant on the structure and type of the markup.
How does TrueHTML performance overhead relate to content size and the amount of markup elements?

Page 27: Evaluation in a controlled environment

Create pages containing one element with 1 kB text content, <p>…(1 kB)…</p>, and assign document.body.innerHTML between 1 and 100 times.
Scale to 1,000 elements.

Page 28: Outline (repeated)

Page 29: Conclusion

Described a novel attack technique based on a problematic and mostly undocumented browser behavior.
Analyzed the attack surface and proposed an action plan for mitigating the dangers.
Supplied research-derived evaluations of the feasibility and practicability of the proposed mitigation techniques.

Insights: defensive tools and libraries must gain awareness of the additional processing layers that browsers possess. "Well-formed HTML is unambiguous" is false.

Page 30: End

Thanks! Q&A