mxss attacks: attacking well-secured web-applications by using innerhtml mutations
DESCRIPTION
mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations. Presenter: Liu Yin Computer Science Department College of William & Mary. Outline. Introduction XSS mXSS Problem Description The innerHTML Property Mutation Exploits S even attack vectors - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/1.jpg)
1
mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations
Presenter: Liu YinComputer Science Department
College of William & Mary
![Page 2: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/2.jpg)
2
Outline Introduction
XSS mXSS
Problem Description The innerHTML Property Mutation
Exploits Seven attack vectors
Attack Surface Mitigation Techniques Evaluation Conclusion
![Page 3: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/3.jpg)
3
(Cross Site Scripting)XSS XSS enables attackers to inject client-side script into
Web pages viewed by other users
If the web site allows uncontrolled content to be supplied by users User can write content in a Guest-book or Forum. User can introduce malicious code in the content Ebay Example
Malicious Code Modification of the Document Object Model - DOM (changesome links, add some buttons) Send personal information to thirds (javascript can sendcookies to other sites)
![Page 4: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/4.jpg)
4
Filtered HTML
XSS ExcecutesXSS Filter
(Cross Site Scripting)XSS
User input (including
an XSS vector)
would be sent to the
server,
Web App
server
Browser
User input (XSS vectors)
XSS Filter
![Page 5: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/5.jpg)
5
Server- and client-side XSS filters share the assumption:
their HTML output and the browser-rendered HTML content are mostly identical
(mutation-based XSS)mXSSBrowser
User input XSS Filter
Filtered HTML
Web server
XSS Filter
innerHTML
Mutation
XSS Executes
False !
![Page 6: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/6.jpg)
6
mXSS – At the time of testing Impact on IE, Firefox, Chrome
Webmail Client: Microsoft Hotmail, Yahoo! Mail…
Bypass HTML Sanitizers HTML Purifier htmLawed OWSAP AntiSamy jSoup Kses
![Page 7: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/7.jpg)
7
Outline Introduction
XSS mXSS
Problem Description The innerHTML Property Mutation
Exploits Seven attack vectors
Attack Surface Mitigation Techniques Evaluation Conclusion
![Page 8: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/8.jpg)
8
An HTML element's property Creating HTML content from arbitrarily formatted strings Usage Example
Read access Serialize HTML DOM nodes into strings is necessary to trigger the mutation
Write access attach the transformed malicious content to the DOM.
The innerHTML Property
![Page 9: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/9.jpg)
9
The browser mutates the input string in multiple ways before sending it to the
layout engine the empty class is removed the tag names are set to upper-case the markup is sanitized the HTML entities are resolved. < < or <
Mutation
Core issue HTML markup an attacker uses to initiate an mXSS attack is considered
harmless Only the browser will transform the markup internally, thereby unfolding
the embedded attack vector and executing the malicious code.
innerHTML-access
![Page 10: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/10.jpg)
10
Outline Introduction
XSS mXSS
Problem Description The innerHTML Property Mutation
Exploits Seven attack vectors
Attack Surface Mitigation Techniques Evaluation Conclusion
![Page 11: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/11.jpg)
11
Backtick {`} A bug report in 2007
innerHTML-access the attributes delimited by backticks or containing values starting with
backticks Often the regular quotes disappeared, leaving the backtick characters
unquoted and therefore vulnerable to injections.
Example<script> imgID.innerHTM=….;</script>
Backtick Characters breaking Attribute Delimiter Syntax
![Page 12: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/12.jpg)
12
Unknown attributes article, aside, menu xmlns attribute
provide information on which XML namespace the element is supposed to reside on.
innerHTML-access The browser prefixes the unknown but namespaced element with the XML
namespace that in itself contains unquoted input from the xmlns attribute.
Example
XML Namespaces in Unknown Elements causing Structural Mutation
![Page 13: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/13.jpg)
13
CSS Escapes \unicode, \asciiproperty: ’v\61 lue’ (property:’value’) When innerHTML-accessed Browser converted escapes to their canonical representation property: ’val\27ue’ PROPERTY: ’val’ue’
Backslashes in CSS Escapes causing String- Boundary Violation
![Page 14: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/14.jpg)
14
Misfit Characters in Entity Representation breaking CSS Strings
CSS escape for double-quote character the render engine converts them into a single quote \22, ", " and " ’ upon innerHTML-access.
![Page 15: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/15.jpg)
15
Terminate the style attribute
By escaping the entire attack payload, the adversary can abuse the mutation feature and deliver arbitrary CSS-escaped HTML code.
The attack only works with the double-quote representation inside double-quoted attributes.
CSS Escapes in Property Names violating entire HTML Structure
![Page 16: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/16.jpg)
16
Entity-Mutation in non-HTML Documents
MIME type text/xhtml, text/xml, application/xhtml+xml, application/xml A web-server can instruct a browser to render a document in XHTML/XML
by setting a matching MIME type via Content-Type HTTP headers; MIME-type dependent parser behaviors anomalies
in text/html cannot happen in text/xhtml and various related MIME type rendering modes, a CSS style
element is supposed to be capable of containing other markup elements.
![Page 17: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/17.jpg)
17
Entity-Mutation in non-HTML context of HTML documents SVG tag, fixed
![Page 18: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/18.jpg)
18
Outline Introduction
XSS mXSS
Problem Description The innerHTML Property Mutation
Exploits Seven attack vectors
Attack Surface Mitigation Techniques Evaluation Conclusion
![Page 19: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/19.jpg)
19
Attack Surface A mutation event occur when
Found 74.5% of the Alexa Top 1000 websites to be using inner-HTML-assignments.
JavaScript libraries 65% of the top 10,000 websites 48.87% using jQuery
![Page 20: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/20.jpg)
20
Attack Surface Web-mailers
HTML Rich-Text Editors (RTE) innerHTML property triggered with almost any interaction : composing,
replying, spell-checking analyzed and spotted mXSS vulnerabilities in Microsoft
Hotmail, Yahoo! Mail, Rediff Mail, OpenExchange, Round- cube
Bug reports were acknowledged
HTML sanitizer Add new rules for known mutation effects challenging to develop new filtering paradigms that may
discover even unknown attack vectors.
HTML sanitizers
![Page 21: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/21.jpg)
21
Outline Introduction
XSS mXSS
Problem Description The innerHTML Property Mutation
Exploits Seven attack vectors
Attack Surface Mitigation Techniques Evaluation Conclusion
![Page 22: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/22.jpg)
22
Mitigation Techniques Server-side mitigation
Policy: disallow any of the special characters for which browsers are known to have trouble with when it comes to a proper conversion.
refine policy for HTML,CSS, implemented to HTML Purifier
solely practical for the handling of a subset of HTML
cannot protect against dynamically generated content
![Page 23: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/23.jpg)
23
Mitigation Techniques Client-side mitigation
TrueHTML, javascript
wrapping and sanitation process overwrite the handlers of innerHTML to intercept the
performance optimization and the markup mutation process.
free from all mutations described and documented
performance impact is low, does not require additional developer effort
![Page 24: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/24.jpg)
24
Outline Introduction
XSS mXSS
Problem Description The innerHTML Property Mutation
Exploits Seven attack vectors
Attack Surface Mitigation Techniques Evaluation Conclusion
![Page 25: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/25.jpg)
25
Evaluation Environment TrueHTML Overhead
Access 5,000 URLs randomly chosen from Alexa top 10,000 most popular web sites
In typical usage scenarios: displaying an e-mail in a web mailer, accessing popular websites
investigate the relation between page load time overhead and page size in a controlled environment.
Demonstrate versatility: used different hardware platforms for the different parts of the evaluation
Evaluation environment completed by a proxy server to inject TrueHTML into the
HTML context of the visited pages, and a logging infrastructure.
![Page 26: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/26.jpg)
26
Evaluation Result
user-perceived page load time is not only dependent on the size of the content,
but also reliant on the structure and type of the markup.
How True- HTML performance overhead relates to content size and the amount of
markup elements?
![Page 27: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/27.jpg)
27
Evaluation in a controlled environment Create pages containing one element with 1kB text content
<p>…(1kb)…</p> assigned document.body.innerHTML between 1 and 100 times
Scale to 1,000 elements
![Page 28: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/28.jpg)
28
Outline Introduction
XSS mXSS
Problem Description The innerHTML Property Mutation
Exploits Seven attack vectors
Attack Surface Mitigation Techniques Evaluation Conclusion
![Page 29: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/29.jpg)
29
Conclusion Described a novel attack technique based on a
problematic and mostly undocumented browser behavior
Analyzed the attack surface and propose an action plan for mitigating the dangers
Supplied research-derived evaluations of the feasibility and practicability of the proposed mitigation techniques.
Insights Defensive tools and libraries must gain awareness of the
additional processing layers that browsers possess. “Well-formed HTML is unambiguous” is false
![Page 30: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations](https://reader036.vdocument.in/reader036/viewer/2022062517/5681373c550346895d9ecd16/html5/thumbnails/30.jpg)
30
End
Thanks!Q&A