SlideShare a Scribd company logo

Large-Scale Analysis of Style Injection by Relative Path Overwrite

Sajjad "JJ" Arshad
Sajjad "JJ" Arshad

The Web Conference (WWW) Lyon, France, April 2018

Science
1 of 14
Download to read offline
NEU SECLAB Large-Scale Analysis of Style Injection by Relative Path Overwrite Sajjad Arshad, Seyed Ali Mirheidari, Tobias Lauinger, Bruno Crispo, Engin Kirda, William Robertson WWW - 26 April 2018
2 NEU SECLAB Relative Path Overwrite • Initially described in blog posts by Gareth Heyes and others • Largely unknown type of web attack – Does not require markup injection or particular sink type – Inject style (CSS) instead of script (JS) – “Self-reference”: Attacked document uses “itself” as stylesheet (other attack variants exist, not studied in this work) • Measure vulnerability surface of websites – How many websites can be exploited? – Which factors allow/prevent the attack?
3 NEU SECLAB Style Injection Browser Server http://example.com/*{background-image:url(...)}/ <html> <head> <link rel="stylesheet" href="style.css"> </head> <body> Not found: http://example.com/*{background-image:url(...)}/ </body> </html>
4 NEU SECLAB Path Confusion Browser Server http://example.com/*{background-image:url(...)}/ Error page http://example.com/*{background-image:url(...)}/style.css <html> ... Not found: http://example.com/*{background-image:url(...)}/style.css ... </html> ...<link rel="stylesheet" href="style.css">...
5 NEU SECLAB Self-Reference HTML external stylesheet crafted URL reflected style directives (text node)
6 NEU SECLAB Outline • Relative Path Overwrite Attack – Refection sink that allows injection of style directives – Path confusion causes stylesheet self-reference • Measurement methodology • Exploitability in practice • Countermeasures
7 NEU SECLAB Style-Based Attacks • Script injection not always possible (e.g., input sanitisation) • Successful (exfltration) attacks possible without script: – History stealing – Exfltrate credit card number (Heiderich et al., CCS 201㙣20) • Attacks typically consist of payload & injection technique – This research is not concerned about the payload – Focus on how to inject (“transport”) the payload
8 NEU SECLAB Self-Reference • Style injection requires either: – Markup injection (create a new <style> context), or – Correct sink type (injection inside existing <style> context) • Both can be hard to fnd • New technique: – Cause HTML document to reference “itself” as the stylesheet – Sink in document becomes style sink
9 NEU SECLAB Measurement Methodology 㙣. Common Crawl: extract pages with relative stylesheet path – August 201㙣6: >㙣.6B documents – Filter: Alexa Top 㙣M, must contain relative stylesheet reference 20. Python script to test path confusion, if style can be injected – Try several URL mutation techniques (see paper) – Only GET, no clicking/form submission, benign payload 3. Browser to check if injected style directives interpreted – Open page in Chrome (+Internet Explorer with framing, see paper) – Style interpreted if injected image URL seen in network traffc
10 NEU SECLAB Preconditions for Successful Attack • Relative stylesheet path: 㙣3% of docs in Common Crawl • Mutated URL causes style refection in server response (and no base tag) – 㙣.20% of documents in Candidate Set – 5.4% of domains have at least one such document • Browser loads and interprets injected style directives – Chrome: 㙣㙣k documents (<1.㙣%) on 㙣k domains (1.5%) – IE: 55k documents (1.20%) on 4k domains (㙣.6%) see paper→
11 NEU SECLAB Injected Style Not Interpreted • Only 20.9% of sites with injection successfully attacked • Attack works only if document rendered in “quirks mode” – HTML “stylesheet” has wrong MIME type & lots of syntax errors – 320% of unique document types in Chrome result in quirks mode – <㙣1% of documents (320% of domains) use quirks mode • IE: can override document type with framing technique – Fails if anti-framing techniques used by site – Fails if content type sniffng disabled – see paper for details
12 NEU SECLAB Countermeasures (㙣) Relative stylesheet path and path confusion self-reference→ • Browsers do not know about server-side content routing logic and assume directory-like URL structure – Use only absolute paths, or – Use <base> tag to tell browser how to resolve relative paths • If absolute paths or base tag value dynamically computed on server side, must take into account actual routing logic
13 NEU SECLAB Countermeasures (20) Text injection “vulnerability” and browser tolerating lots of CSS syntax errors style injection→ • Always escape any characters not in [a-z0-9] (is this realistic?) • Prevent browsers from interpreting CSS fles with many syntax errors and content type other than text/css – Specify a modern document type: <!doctype html> – In Internet Explorer, document type can be overwritten by framing, so set these headers: X-Content-Type-Options: nosniff X-Frame-Options: DENY
14 NEU SECLAB Conclusion • Over 5% of studied domains allow style injection and self- reference • Much fewer domains can be exploited, but still a consequential number in absolute terms • Different techniques (e.g., style-based attacks) require different countermeasures than script-based XSS • In contrast to script-based XSS, easy-to-use and effective countermeasures exist to mitigate the attack

Recommended

Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildSajjad "JJ" Arshad
 
ASP.NET View State - Security Issues
ASP.NET View State - Security IssuesASP.NET View State - Security Issues
ASP.NET View State - Security IssuesRonan Dunne, CEH, SSCP
 
Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers zakieh alizadeh
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesseskuza55
 
AJAX - An introduction
AJAX - An introductionAJAX - An introduction
AJAX - An introductionEleonora Ciceri
 
HTML5 - An introduction
HTML5 - An introductionHTML5 - An introduction
HTML5 - An introductionEleonora Ciceri
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defensePrakashchand Suthar
 

Recommended

Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildSajjad "JJ" Arshad
 
ASP.NET View State - Security Issues
ASP.NET View State - Security IssuesASP.NET View State - Security Issues
ASP.NET View State - Security IssuesRonan Dunne, CEH, SSCP
 
Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers zakieh alizadeh
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesseskuza55
 
AJAX - An introduction
AJAX - An introductionAJAX - An introduction
AJAX - An introductionEleonora Ciceri
 
HTML5 - An introduction
HTML5 - An introductionHTML5 - An introduction
HTML5 - An introductionEleonora Ciceri
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defensePrakashchand Suthar
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingShreeraj Shah
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approachBlueinfy Solutions
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesseskuza55
 
Web scraping
Web scrapingWeb scraping
Web scrapingAshley Davis
 
Apache Con U S07 F F T Sling
Apache Con U S07 F F T SlingApache Con U S07 F F T Sling
Apache Con U S07 F F T Slingday
 
Dynamic content generation
Dynamic content generationDynamic content generation
Dynamic content generationEleonora Ciceri
 
XSS
XSSXSS
XSSHrishikesh Mishra
 
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicy
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicyBrowsers_SameOriginPolicy_CORS_ContentSecurityPolicy
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicysubbul
 
Same origin policy
Same origin policySame origin policy
Same origin policyVivek Madurai
 
Александр Кабалюк – SilkTest
Александр Кабалюк – SilkTestАлександр Кабалюк – SilkTest
Александр Кабалюк – SilkTestautomated-testing.info
 
HTML Semantics For Wordpress
HTML Semantics For WordpressHTML Semantics For Wordpress
HTML Semantics For Wordpressmaniraj
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecuritySanjeev Verma, PhD
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Javascript cross domain communication
Javascript cross domain communicationJavascript cross domain communication
Javascript cross domain communicationChenKuo Chen
 
Web crawler synopsis
Web crawler synopsisWeb crawler synopsis
Web crawler synopsisMayur Garg
 
Secure java script-for-developers
Secure java script-for-developersSecure java script-for-developers
Secure java script-for-developersn|u - The Open Security Community
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - securitydzhengo44
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
01. http basics v27
01. http basics v2701. http basics v27
01. http basics v27Eoin Keary
 
Slides-Online-Week2-Website-Frontend-CSS.pptx
Slides-Online-Week2-Website-Frontend-CSS.pptxSlides-Online-Week2-Website-Frontend-CSS.pptx
Slides-Online-Week2-Website-Frontend-CSS.pptxahmadraza72678
 
Html presentation
Html presentationHtml presentation
Html presentationJordan Dichev
 

More Related Content

What's hot

AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingShreeraj Shah
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approachBlueinfy Solutions
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesseskuza55
 
Apache Con U S07 F F T Sling
Apache Con U S07 F F T SlingApache Con U S07 F F T Sling
Apache Con U S07 F F T Slingday
 
Dynamic content generation
Dynamic content generationDynamic content generation
Dynamic content generationEleonora Ciceri
 
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicy
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicyBrowsers_SameOriginPolicy_CORS_ContentSecurityPolicy
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicysubbul
 
Александр Кабалюк – SilkTest
Александр Кабалюк – SilkTestАлександр Кабалюк – SilkTest
Александр Кабалюк – SilkTestautomated-testing.info
 
HTML Semantics For Wordpress
HTML Semantics For WordpressHTML Semantics For Wordpress
HTML Semantics For Wordpressmaniraj
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecuritySanjeev Verma, PhD
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Javascript cross domain communication
Javascript cross domain communicationJavascript cross domain communication
Javascript cross domain communicationChenKuo Chen
 
Web crawler synopsis
Web crawler synopsisWeb crawler synopsis
Web crawler synopsisMayur Garg
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - securitydzhengo44
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
01. http basics v27
01. http basics v2701. http basics v27
01. http basics v27Eoin Keary
 

What's hot (20)

AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approach
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesses
 
Web scraping
Web scrapingWeb scraping
Web scraping
 
Apache Con U S07 F F T Sling
Apache Con U S07 F F T SlingApache Con U S07 F F T Sling
Apache Con U S07 F F T Sling
 
Dynamic content generation
Dynamic content generationDynamic content generation
Dynamic content generation
 
XSS
XSSXSS
XSS
 
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicy
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicyBrowsers_SameOriginPolicy_CORS_ContentSecurityPolicy
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicy
 
Same origin policy
Same origin policySame origin policy
Same origin policy
 
Александр Кабалюк – SilkTest
Александр Кабалюк – SilkTestАлександр Кабалюк – SilkTest
Александр Кабалюк – SilkTest
 
HTML Semantics For Wordpress
HTML Semantics For WordpressHTML Semantics For Wordpress
HTML Semantics For Wordpress
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser Security
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
 
Javascript cross domain communication
Javascript cross domain communicationJavascript cross domain communication
Javascript cross domain communication
 
Web crawler synopsis
Web crawler synopsisWeb crawler synopsis
Web crawler synopsis
 
Secure java script-for-developers
Secure java script-for-developersSecure java script-for-developers
Secure java script-for-developers
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - security
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
 
01. http basics v27
01. http basics v2701. http basics v27
01. http basics v27
 

Similar to Large-Scale Analysis of Style Injection by Relative Path Overwrite

Slides-Online-Week2-Website-Frontend-CSS.pptx
Slides-Online-Week2-Website-Frontend-CSS.pptxSlides-Online-Week2-Website-Frontend-CSS.pptx
Slides-Online-Week2-Website-Frontend-CSS.pptxahmadraza72678
 
Supplement web design
Supplement web designSupplement web design
Supplement web designshelly3160
 
Intro to web scraping with Python
Intro to web scraping with PythonIntro to web scraping with Python
Intro to web scraping with PythonMaris Lemba
 
WEBD 162: Intro to CSS
WEBD 162: Intro to CSSWEBD 162: Intro to CSS
WEBD 162: Intro to CSSpalomateach
 
Django introduction @ UGent
Django introduction @ UGentDjango introduction @ UGent
Django introduction @ UGentkevinvw
 
Diagnosing Technical Issues With Search Engine Optimization
Diagnosing Technical Issues With Search Engine OptimizationDiagnosing Technical Issues With Search Engine Optimization
Diagnosing Technical Issues With Search Engine OptimizationNine By Blue
 
ch04-css-basics_final.ppt
ch04-css-basics_final.pptch04-css-basics_final.ppt
ch04-css-basics_final.pptGmachImen
 
Data mining and warehouse by dr D. R. Patil sir
Data mining and warehouse by dr D. R. Patil sirData mining and warehouse by dr D. R. Patil sir
Data mining and warehouse by dr D. R. Patil sirchaudharipruthvirajr
 
Scalability andefficiencypres
Scalability andefficiencypresScalability andefficiencypres
Scalability andefficiencypresNekoGato
 
Lecture3 information retrival _web .ppt
Lecture3 information retrival _web .pptLecture3 information retrival _web .ppt
Lecture3 information retrival _web .pptnaghamallella
 
TSSJS2010 Presenatation on: Performance Anti Patterns In Ajax Applications
TSSJS2010 Presenatation on: Performance Anti Patterns In Ajax ApplicationsTSSJS2010 Presenatation on: Performance Anti Patterns In Ajax Applications
TSSJS2010 Presenatation on: Performance Anti Patterns In Ajax Applicationsguestc75cdc
 
Performance anti patterns in ajax applications
Performance anti patterns in ajax applicationsPerformance anti patterns in ajax applications
Performance anti patterns in ajax applicationsSergeyChernyshev
 

Similar to Large-Scale Analysis of Style Injection by Relative Path Overwrite (20)

Slides-Online-Week2-Website-Frontend-CSS.pptx
Slides-Online-Week2-Website-Frontend-CSS.pptxSlides-Online-Week2-Website-Frontend-CSS.pptx
Slides-Online-Week2-Website-Frontend-CSS.pptx
 
Html presentation
Html presentationHtml presentation
Html presentation
 
Supplement web design
Supplement web designSupplement web design
Supplement web design
 
Pertemuan 7
Pertemuan 7Pertemuan 7
Pertemuan 7
 
DHTML
DHTMLDHTML
DHTML
 
Intro to web scraping with Python
Intro to web scraping with PythonIntro to web scraping with Python
Intro to web scraping with Python
 
WEBD 162: Intro to CSS
WEBD 162: Intro to CSSWEBD 162: Intro to CSS
WEBD 162: Intro to CSS
 
Introducing Cascading Style Sheets
Introducing Cascading Style SheetsIntroducing Cascading Style Sheets
Introducing Cascading Style Sheets
 
Django introduction @ UGent
Django introduction @ UGentDjango introduction @ UGent
Django introduction @ UGent
 
Diagnosing Technical Issues With Search Engine Optimization
Diagnosing Technical Issues With Search Engine OptimizationDiagnosing Technical Issues With Search Engine Optimization
Diagnosing Technical Issues With Search Engine Optimization
 
webcrawler.pptx
webcrawler.pptxwebcrawler.pptx
webcrawler.pptx
 
Seminar on crawler
Seminar on crawlerSeminar on crawler
Seminar on crawler
 
ch04-css-basics_final.ppt
ch04-css-basics_final.pptch04-css-basics_final.ppt
ch04-css-basics_final.ppt
 
Seo and analytics basics
Seo and analytics basicsSeo and analytics basics
Seo and analytics basics
 
Data mining and warehouse by dr D. R. Patil sir
Data mining and warehouse by dr D. R. Patil sirData mining and warehouse by dr D. R. Patil sir
Data mining and warehouse by dr D. R. Patil sir
 
Bootstrap [part 1]
Bootstrap [part 1]Bootstrap [part 1]
Bootstrap [part 1]
 
Scalability andefficiencypres
Scalability andefficiencypresScalability andefficiencypres
Scalability andefficiencypres
 
Lecture3 information retrival _web .ppt
Lecture3 information retrival _web .pptLecture3 information retrival _web .ppt
Lecture3 information retrival _web .ppt
 
TSSJS2010 Presenatation on: Performance Anti Patterns In Ajax Applications
TSSJS2010 Presenatation on: Performance Anti Patterns In Ajax ApplicationsTSSJS2010 Presenatation on: Performance Anti Patterns In Ajax Applications
TSSJS2010 Presenatation on: Performance Anti Patterns In Ajax Applications
 
Performance anti patterns in ajax applications
Performance anti patterns in ajax applicationsPerformance anti patterns in ajax applications
Performance anti patterns in ajax applications
 

More from Sajjad "JJ" Arshad

Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildSajjad "JJ" Arshad
 
Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildSajjad "JJ" Arshad
 
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...Sajjad "JJ" Arshad
 
UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware
UNVEIL: A Large-Scale, Automated Approach to Detecting RansomwareUNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware
UNVEIL: A Large-Scale, Automated Approach to Detecting RansomwareSajjad "JJ" Arshad
 
Tracing Information Flows Between Ad Exchanges Using Retargeted Ads
Tracing Information Flows Between Ad Exchanges Using Retargeted AdsTracing Information Flows Between Ad Exchanges Using Retargeted Ads
Tracing Information Flows Between Ad Exchanges Using Retargeted AdsSajjad "JJ" Arshad
 
How Tracking Companies Circumvent Ad Blockers Using WebSockets
How Tracking Companies Circumvent Ad Blockers Using WebSocketsHow Tracking Companies Circumvent Ad Blockers Using WebSockets
How Tracking Companies Circumvent Ad Blockers Using WebSocketsSajjad "JJ" Arshad
 
Practical Challenges of Type Checking in Control Flow Integrity
Practical Challenges of Type Checking in Control Flow IntegrityPractical Challenges of Type Checking in Control Flow Integrity
Practical Challenges of Type Checking in Control Flow IntegritySajjad "JJ" Arshad
 
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...Understanding and Mitigating the Security Risks of Content Inclusion in Web B...
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...Sajjad "JJ" Arshad
 
Identifying Extension-based Ad Injection via Fine-grained Web Content Provenance
Identifying Extension-based Ad Injection via Fine-grained Web Content ProvenanceIdentifying Extension-based Ad Injection via Fine-grained Web Content Provenance
Identifying Extension-based Ad Injection via Fine-grained Web Content ProvenanceSajjad "JJ" Arshad
 
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...Sajjad "JJ" Arshad
 
A Longitudinal Analysis of the ads.txt Standard
A Longitudinal Analysis of the ads.txt StandardA Longitudinal Analysis of the ads.txt Standard
A Longitudinal Analysis of the ads.txt StandardSajjad "JJ" Arshad
 
How Tracking Companies Circumvented Ad Blockers Using WebSockets
How Tracking Companies Circumvented Ad Blockers Using WebSocketsHow Tracking Companies Circumvented Ad Blockers Using WebSockets
How Tracking Companies Circumvented Ad Blockers Using WebSocketsSajjad "JJ" Arshad
 
"Recommended For You": A First Look at Content Recommendation Networks
"Recommended For You": A First Look at Content Recommendation Networks"Recommended For You": A First Look at Content Recommendation Networks
"Recommended For You": A First Look at Content Recommendation NetworksSajjad "JJ" Arshad
 
Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions
Include Me Out: In-Browser Detection of Malicious Third-Party Content InclusionsInclude Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions
Include Me Out: In-Browser Detection of Malicious Third-Party Content InclusionsSajjad "JJ" Arshad
 
On the Effectiveness of Type-based Control Flow Integrity
On the Effectiveness of Type-based Control Flow IntegrityOn the Effectiveness of Type-based Control Flow Integrity
On the Effectiveness of Type-based Control Flow IntegritySajjad "JJ" Arshad
 

More from Sajjad "JJ" Arshad (15)

Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the Wild
 
Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the Wild
 
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...
 
UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware
UNVEIL: A Large-Scale, Automated Approach to Detecting RansomwareUNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware
UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware
 
Tracing Information Flows Between Ad Exchanges Using Retargeted Ads
Tracing Information Flows Between Ad Exchanges Using Retargeted AdsTracing Information Flows Between Ad Exchanges Using Retargeted Ads
Tracing Information Flows Between Ad Exchanges Using Retargeted Ads
 
How Tracking Companies Circumvent Ad Blockers Using WebSockets
How Tracking Companies Circumvent Ad Blockers Using WebSocketsHow Tracking Companies Circumvent Ad Blockers Using WebSockets
How Tracking Companies Circumvent Ad Blockers Using WebSockets
 
Practical Challenges of Type Checking in Control Flow Integrity
Practical Challenges of Type Checking in Control Flow IntegrityPractical Challenges of Type Checking in Control Flow Integrity
Practical Challenges of Type Checking in Control Flow Integrity
 
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...Understanding and Mitigating the Security Risks of Content Inclusion in Web B...
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...
 
Identifying Extension-based Ad Injection via Fine-grained Web Content Provenance
Identifying Extension-based Ad Injection via Fine-grained Web Content ProvenanceIdentifying Extension-based Ad Injection via Fine-grained Web Content Provenance
Identifying Extension-based Ad Injection via Fine-grained Web Content Provenance
 
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...
 
A Longitudinal Analysis of the ads.txt Standard
A Longitudinal Analysis of the ads.txt StandardA Longitudinal Analysis of the ads.txt Standard
A Longitudinal Analysis of the ads.txt Standard
 
How Tracking Companies Circumvented Ad Blockers Using WebSockets
How Tracking Companies Circumvented Ad Blockers Using WebSocketsHow Tracking Companies Circumvented Ad Blockers Using WebSockets
How Tracking Companies Circumvented Ad Blockers Using WebSockets
 
"Recommended For You": A First Look at Content Recommendation Networks
"Recommended For You": A First Look at Content Recommendation Networks"Recommended For You": A First Look at Content Recommendation Networks
"Recommended For You": A First Look at Content Recommendation Networks
 
Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions
Include Me Out: In-Browser Detection of Malicious Third-Party Content InclusionsInclude Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions
Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions
 
On the Effectiveness of Type-based Control Flow Integrity
On the Effectiveness of Type-based Control Flow IntegrityOn the Effectiveness of Type-based Control Flow Integrity
On the Effectiveness of Type-based Control Flow Integrity
 

Recently uploaded

Quarter 4_Grade 8_Digestive System Structure and Functions
Quarter 4_Grade 8_Digestive System Structure and FunctionsQuarter 4_Grade 8_Digestive System Structure and Functions
Quarter 4_Grade 8_Digestive System Structure and FunctionsCharlene Llagas
 
linear Regression, multiple Regression and Annova
linear Regression, multiple Regression and Annovalinear Regression, multiple Regression and Annova
linear Regression, multiple Regression and AnnovaMansi Rastogi
 
WEEK 4 PHYSICAL SCIENCE QUARTER 3 FOR G11
WEEK 4 PHYSICAL SCIENCE QUARTER 3 FOR G11WEEK 4 PHYSICAL SCIENCE QUARTER 3 FOR G11
WEEK 4 PHYSICAL SCIENCE QUARTER 3 FOR G11GelineAvendao
 
Explainable AI for distinguishing future climate change scenarios
Explainable AI for distinguishing future climate change scenariosExplainable AI for distinguishing future climate change scenarios
Explainable AI for distinguishing future climate change scenariosZachary Labe
 
How we decide powerpoint presentation.pptx
How we decide powerpoint presentation.pptxHow we decide powerpoint presentation.pptx
How we decide powerpoint presentation.pptxJosielynTars
 
Environmental acoustics- noise criteria.pptx
Environmental acoustics- noise criteria.pptxEnvironmental acoustics- noise criteria.pptx
Environmental acoustics- noise criteria.pptxpriyankatabhane
 
Immunoblott technique for protein detection.ppt
Immunoblott technique for protein detection.pptImmunoblott technique for protein detection.ppt
Immunoblott technique for protein detection.pptAmirRaziq1
 
Pests of Sunflower_Binomics_Identification_Dr.UPR
Pests of Sunflower_Binomics_Identification_Dr.UPRPests of Sunflower_Binomics_Identification_Dr.UPR
Pests of Sunflower_Binomics_Identification_Dr.UPRPirithiRaju
 
FBI Profiling - Forensic Psychology.pptx
FBI Profiling - Forensic Psychology.pptxFBI Profiling - Forensic Psychology.pptx
FBI Profiling - Forensic Psychology.pptxPayal Shrivastava
 
Replisome-Cohesin Interfacing A Molecular Perspective.pdf
Replisome-Cohesin Interfacing A Molecular Perspective.pdfReplisome-Cohesin Interfacing A Molecular Perspective.pdf
Replisome-Cohesin Interfacing A Molecular Perspective.pdfAtiaGohar1
 
Oxo-Acids of Halogens and their Salts.pptx
Oxo-Acids of Halogens and their Salts.pptxOxo-Acids of Halogens and their Salts.pptx
Oxo-Acids of Halogens and their Salts.pptxfarhanvvdk
 
LESSON PLAN IN SCIENCE GRADE 4 WEEK 1 DAY 2
LESSON PLAN IN SCIENCE GRADE 4 WEEK 1 DAY 2LESSON PLAN IN SCIENCE GRADE 4 WEEK 1 DAY 2
LESSON PLAN IN SCIENCE GRADE 4 WEEK 1 DAY 2AuEnriquezLontok
 
Combining Asynchronous Task Parallelism and Intel SGX for Secure Deep Learning
Combining Asynchronous Task Parallelism and Intel SGX for Secure Deep LearningCombining Asynchronous Task Parallelism and Intel SGX for Secure Deep Learning
Combining Asynchronous Task Parallelism and Intel SGX for Secure Deep Learningvschiavoni
 
Fertilization: Sperm and the egg—collectively called the gametes—fuse togethe...
Fertilization: Sperm and the egg—collectively called the gametes—fuse togethe...Fertilization: Sperm and the egg—collectively called the gametes—fuse togethe...
Fertilization: Sperm and the egg—collectively called the gametes—fuse togethe...D. B. S. College Kanpur
 
whole genome sequencing new and its types including shortgun and clone by clone
whole genome sequencing new and its types including shortgun and clone by clonewhole genome sequencing new and its types including shortgun and clone by clone
whole genome sequencing new and its types including shortgun and clone by clonechaudhary charan shingh university
 
DNA isolation molecular biology practical.pptx
DNA isolation molecular biology practical.pptxDNA isolation molecular biology practical.pptx
DNA isolation molecular biology practical.pptxGiDMOh
 
6.1 Pests of Groundnut_Binomics_Identification_Dr.UPR
6.1 Pests of Groundnut_Binomics_Identification_Dr.UPR6.1 Pests of Groundnut_Binomics_Identification_Dr.UPR
6.1 Pests of Groundnut_Binomics_Identification_Dr.UPRPirithiRaju
 
Charateristics of the Angara-A5 spacecraft launched from the Vostochny Cosmod...
Charateristics of the Angara-A5 spacecraft launched from the Vostochny Cosmod...Charateristics of the Angara-A5 spacecraft launched from the Vostochny Cosmod...
Charateristics of the Angara-A5 spacecraft launched from the Vostochny Cosmod...Christina Parmionova
 

Recently uploaded (20)

Quarter 4_Grade 8_Digestive System Structure and Functions
Quarter 4_Grade 8_Digestive System Structure and FunctionsQuarter 4_Grade 8_Digestive System Structure and Functions
Quarter 4_Grade 8_Digestive System Structure and Functions
 
linear Regression, multiple Regression and Annova
linear Regression, multiple Regression and Annovalinear Regression, multiple Regression and Annova
linear Regression, multiple Regression and Annova
 
PLASMODIUM. PPTX
PLASMODIUM. PPTXPLASMODIUM. PPTX
PLASMODIUM. PPTX
 
WEEK 4 PHYSICAL SCIENCE QUARTER 3 FOR G11
WEEK 4 PHYSICAL SCIENCE QUARTER 3 FOR G11WEEK 4 PHYSICAL SCIENCE QUARTER 3 FOR G11
WEEK 4 PHYSICAL SCIENCE QUARTER 3 FOR G11
 
Explainable AI for distinguishing future climate change scenarios
Explainable AI for distinguishing future climate change scenariosExplainable AI for distinguishing future climate change scenarios
Explainable AI for distinguishing future climate change scenarios
 
How we decide powerpoint presentation.pptx
How we decide powerpoint presentation.pptxHow we decide powerpoint presentation.pptx
How we decide powerpoint presentation.pptx
 
Environmental acoustics- noise criteria.pptx
Environmental acoustics- noise criteria.pptxEnvironmental acoustics- noise criteria.pptx
Environmental acoustics- noise criteria.pptx
 
Immunoblott technique for protein detection.ppt
Immunoblott technique for protein detection.pptImmunoblott technique for protein detection.ppt
Immunoblott technique for protein detection.ppt
 
Pests of Sunflower_Binomics_Identification_Dr.UPR
Pests of Sunflower_Binomics_Identification_Dr.UPRPests of Sunflower_Binomics_Identification_Dr.UPR
Pests of Sunflower_Binomics_Identification_Dr.UPR
 
FBI Profiling - Forensic Psychology.pptx
FBI Profiling - Forensic Psychology.pptxFBI Profiling - Forensic Psychology.pptx
FBI Profiling - Forensic Psychology.pptx
 
Replisome-Cohesin Interfacing A Molecular Perspective.pdf
Replisome-Cohesin Interfacing A Molecular Perspective.pdfReplisome-Cohesin Interfacing A Molecular Perspective.pdf
Replisome-Cohesin Interfacing A Molecular Perspective.pdf
 
Oxo-Acids of Halogens and their Salts.pptx
Oxo-Acids of Halogens and their Salts.pptxOxo-Acids of Halogens and their Salts.pptx
Oxo-Acids of Halogens and their Salts.pptx
 
LESSON PLAN IN SCIENCE GRADE 4 WEEK 1 DAY 2
LESSON PLAN IN SCIENCE GRADE 4 WEEK 1 DAY 2LESSON PLAN IN SCIENCE GRADE 4 WEEK 1 DAY 2
LESSON PLAN IN SCIENCE GRADE 4 WEEK 1 DAY 2
 
Combining Asynchronous Task Parallelism and Intel SGX for Secure Deep Learning
Combining Asynchronous Task Parallelism and Intel SGX for Secure Deep LearningCombining Asynchronous Task Parallelism and Intel SGX for Secure Deep Learning
Combining Asynchronous Task Parallelism and Intel SGX for Secure Deep Learning
 
Fertilization: Sperm and the egg—collectively called the gametes—fuse togethe...
Fertilization: Sperm and the egg—collectively called the gametes—fuse togethe...Fertilization: Sperm and the egg—collectively called the gametes—fuse togethe...
Fertilization: Sperm and the egg—collectively called the gametes—fuse togethe...
 
whole genome sequencing new and its types including shortgun and clone by clone
whole genome sequencing new and its types including shortgun and clone by clonewhole genome sequencing new and its types including shortgun and clone by clone
whole genome sequencing new and its types including shortgun and clone by clone
 
DNA isolation molecular biology practical.pptx
DNA isolation molecular biology practical.pptxDNA isolation molecular biology practical.pptx
DNA isolation molecular biology practical.pptx
 
6.1 Pests of Groundnut_Binomics_Identification_Dr.UPR
6.1 Pests of Groundnut_Binomics_Identification_Dr.UPR6.1 Pests of Groundnut_Binomics_Identification_Dr.UPR
6.1 Pests of Groundnut_Binomics_Identification_Dr.UPR
 
AZOTOBACTER AS BIOFERILIZER.PPTX
AZOTOBACTER AS BIOFERILIZER.PPTXAZOTOBACTER AS BIOFERILIZER.PPTX
AZOTOBACTER AS BIOFERILIZER.PPTX
 
Charateristics of the Angara-A5 spacecraft launched from the Vostochny Cosmod...
Charateristics of the Angara-A5 spacecraft launched from the Vostochny Cosmod...Charateristics of the Angara-A5 spacecraft launched from the Vostochny Cosmod...
Charateristics of the Angara-A5 spacecraft launched from the Vostochny Cosmod...
 

Large-Scale Analysis of Style Injection by Relative Path Overwrite

  • 1. NEU SECLAB Large-Scale Analysis of Style Injection by Relative Path Overwrite Sajjad Arshad, Seyed Ali Mirheidari, Tobias Lauinger, Bruno Crispo, Engin Kirda, William Robertson WWW - 26 April 2018
  • 2. 2 NEU SECLAB Relative Path Overwrite • Initially described in blog posts by Gareth Heyes and others • Largely unknown type of web attack – Does not require markup injection or particular sink type – Inject style (CSS) instead of script (JS) – “Self-reference”: Attacked document uses “itself” as stylesheet (other attack variants exist, not studied in this work) • Measure vulnerability surface of websites – How many websites can be exploited? – Which factors allow/prevent the attack?
  • 3. 3 NEU SECLAB Style Injection Browser Server http://example.com/*{background-image:url(...)}/ <html> <head> <link rel="stylesheet" href="style.css"> </head> <body> Not found: http://example.com/*{background-image:url(...)}/ </body> </html>
  • 4. 4 NEU SECLAB Path Confusion Browser Server http://example.com/*{background-image:url(...)}/ Error page http://example.com/*{background-image:url(...)}/style.css <html> ... Not found: http://example.com/*{background-image:url(...)}/style.css ... </html> ...<link rel="stylesheet" href="style.css">...
  • 6. 6 NEU SECLAB Outline • Relative Path Overwrite Attack – Refection sink that allows injection of style directives – Path confusion causes stylesheet self-reference • Measurement methodology • Exploitability in practice • Countermeasures
  • 7. 7 NEU SECLAB Style-Based Attacks • Script injection not always possible (e.g., input sanitisation) • Successful (exfltration) attacks possible without script: – History stealing – Exfltrate credit card number (Heiderich et al., CCS 201㙣20) • Attacks typically consist of payload & injection technique – This research is not concerned about the payload – Focus on how to inject (“transport”) the payload
  • 8. 8 NEU SECLAB Self-Reference • Style injection requires either: – Markup injection (create a new <style> context), or – Correct sink type (injection inside existing <style> context) • Both can be hard to fnd • New technique: – Cause HTML document to reference “itself” as the stylesheet – Sink in document becomes style sink
  • 9. 9 NEU SECLAB Measurement Methodology 㙣. Common Crawl: extract pages with relative stylesheet path – August 201㙣6: >㙣.6B documents – Filter: Alexa Top 㙣M, must contain relative stylesheet reference 20. Python script to test path confusion, if style can be injected – Try several URL mutation techniques (see paper) – Only GET, no clicking/form submission, benign payload 3. Browser to check if injected style directives interpreted – Open page in Chrome (+Internet Explorer with framing, see paper) – Style interpreted if injected image URL seen in network traffc
  • 10. 10 NEU SECLAB Preconditions for Successful Attack • Relative stylesheet path: 㙣3% of docs in Common Crawl • Mutated URL causes style refection in server response (and no base tag) – 㙣.20% of documents in Candidate Set – 5.4% of domains have at least one such document • Browser loads and interprets injected style directives – Chrome: 㙣㙣k documents (<1.㙣%) on 㙣k domains (1.5%) – IE: 55k documents (1.20%) on 4k domains (㙣.6%) see paper→
  • 11. 11 NEU SECLAB Injected Style Not Interpreted • Only 20.9% of sites with injection successfully attacked • Attack works only if document rendered in “quirks mode” – HTML “stylesheet” has wrong MIME type & lots of syntax errors – 320% of unique document types in Chrome result in quirks mode – <㙣1% of documents (320% of domains) use quirks mode • IE: can override document type with framing technique – Fails if anti-framing techniques used by site – Fails if content type sniffng disabled – see paper for details
  • 12. 12 NEU SECLAB Countermeasures (㙣) Relative stylesheet path and path confusion self-reference→ • Browsers do not know about server-side content routing logic and assume directory-like URL structure – Use only absolute paths, or – Use <base> tag to tell browser how to resolve relative paths • If absolute paths or base tag value dynamically computed on server side, must take into account actual routing logic
  • 13. 13 NEU SECLAB Countermeasures (20) Text injection “vulnerability” and browser tolerating lots of CSS syntax errors style injection→ • Always escape any characters not in [a-z0-9] (is this realistic?) • Prevent browsers from interpreting CSS fles with many syntax errors and content type other than text/css – Specify a modern document type: <!doctype html> – In Internet Explorer, document type can be overwritten by framing, so set these headers: X-Content-Type-Options: nosniff X-Frame-Options: DENY
  • 14. 14 NEU SECLAB Conclusion • Over 5% of studied domains allow style injection and self- reference • Much fewer domains can be exploited, but still a consequential number in absolute terms • Different techniques (e.g., style-based attacks) require different countermeasures than script-based XSS • In contrast to script-based XSS, easy-to-use and effective countermeasures exist to mitigate the attack