Advanced client-side web security threats
Security 2 2018-19
Università Ca' Foscari Venezia
www.dais.unive.it/~focardi
secgroup.dais.unive.it
Second CTF Results
● Bonus
● Service Vulnerabilities
● Service Patches
Second CTF: Bonus
score(position) = (6 - position) * 0.1
[Per-team bonus table from the slide, team names not recovered; values shown: 0.4, 0.5, 0.3, 0.2, 0.2]
Milkyway CTF Service Vulnerabilities
● 11 SQLi
  ○ One slightly harder to fix than the others
● 1 command injection (RCE!)
● 1 loose comparison
● 2 logical bugs
● 2 misconfigurations
Client-side web security threats
● SOP Bypass: DNS Rebinding
● CSP and XSSAuditor Bypass: Script Gadgets
Same Origin Policy (SOP)
● A standard browser policy that restricts access among documents or scripts loaded from different domains
● Two pages have the same origin if the protocol, port, and host are the same for both pages
● Cross-origin writes: typically allowed
● Cross-origin embedding: typically allowed
● Cross-origin reads: typically not allowed
https://secgroup.dais.unive.it/wp-content/uploads/2018/12/Client-side-web-security.pdf
Same Origin Policy: Cross Origin Resource Sharing (CORS)
● Without SOP, browsing on a malicious site would allow it to access other open pages and hijack any open session!
● How to allow cross-origin access? CORS!
● CORS is a part of HTTP that lets servers specify which hosts are permitted to load content from that server.
SOP Bypass: DNS Rebinding
[Diagram from the slide: the Victim's browser, a Corporate Web Server at 172.37.0.7, the attacker.com Web Server, and the ns.attacker.com DNS Server. The browser asks "attacker.com?"; the attacker's DNS server answers 35.246.243.67 with TTL=0, and on the following lookup answers 172.37.0.7. Read permitted: for the browser it is the "same origin".]
SOP Bypass: DNS Rebinding
● Victim is tricked into visiting a website, such as http://attacker.com/, under the control of an attacker.
● The attacker wants to leak the file `secret` hosted at localhost (http://localhost/secret)
● The response of the following XHR is blocked by the Same-Origin Policy:
$.get("http://127.0.0.1/secret", function(data) {console.log(data)});
SOP Bypass: DNS Rebinding
● We can bypass the SOP by changing the IP resolved for attacker.com from 35.246.243.67 to 127.0.0.1 after the page has been accessed by the victim
● Note: DNS is cached! You may need to wait several minutes for the address to change
  ○ DNS Server cache
  ○ OS cache
  ○ Browser cache
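The standard server-side defence against the rebinding just described, as an added example that is not part of the slides: after the rebind the victim's browser connects to 127.0.0.1, but the Host header still carries attacker.com, so a local service that only answers for the names it expects never serves the attacker's page. The allowlist and the handler shape are assumptions.

```javascript
// Added example (not from the slides): the standard server-side defence against
// DNS rebinding. After the rebind, the victim's browser sends its request to
// 127.0.0.1 but the Host header still carries "attacker.com" (the name it
// resolved), so a local service that only answers for the names it expects
// never serves the attacker's origin. The allowlist below is an assumption.
const ALLOWED_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Split a Host header value into host and optional port. IPv6 literals are
// bracketed, so a ':' only introduces a port when it comes after the ']'
// (or when there are no brackets at all).
function parseHostHeader(header) {
  if (typeof header !== "string" || header.trim() === "") return null;
  const h = header.trim().toLowerCase();
  const bracket = h.lastIndexOf("]");
  const colon = h.lastIndexOf(":");
  let host = h;
  let port = null;
  if (colon > bracket) {
    host = h.slice(0, colon);
    port = h.slice(colon + 1);
    if (!/^\d{1,5}$/.test(port)) return null;
  }
  return host === "" ? null : { host, port };
}

// Accept the request only if Host is one of the names this service serves.
function isAllowedHost(header) {
  const parsed = parseHostHeader(header);
  return parsed !== null && ALLOWED_HOSTS.has(parsed.host);
}

// Request handler in the shape of Node's http module (req.headers.host).
// A rebound request from the attacker's page fails this check even though
// it arrives on 127.0.0.1, so the secret is never returned to it.
function handle(req) {
  if (!isAllowedHost(req.headers.host)) {
    return { status: 421, body: "Misdirected Request: unexpected Host header" };
  }
  return { status: 200, body: "contents of /secret" };
}
```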
SOP Bypass: DNS Rebinding
DEMO
DNS Rebinding: rbndr.us
● But what if I do not have access to a DNS Server?
  https://github.com/taviso/rbndr
  DNS Rebinding Service
● To switch between 127.0.0.1 and 192.168.0.1 you would encode them as dwords¹, and then use: 7f000001.c0a80001.rbndr.us
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 192.168.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 127.0.0.1
1: https://lock.cmpxchg8b.com/rebinder.html
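As an added example, not part of the slides or of the rbndr project: a decoder for the dword-encoded rbndr.us names shown above, run as a detection over constructed resolver-log query names to flag the names that can rebind to a loopback or private address.

```javascript
// Added example (not part of the slides or of rbndr): decode a name of the form
// <dword>.<dword>.rbndr.us into the two candidate IPv4 addresses the service
// alternates between, and flag names whose candidates include a loopback or
// private address, the pattern a resolver-log detection for rebinding looks for.
function dwordToIp(hex) {
  if (!/^[0-9a-f]{8}$/i.test(hex)) return null;
  const n = parseInt(hex, 16);
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join(".");
}

// Returns [ipA, ipB] for a well-formed rbndr.us name, otherwise null.
function decodeRbndr(name) {
  const labels = name.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length !== 4 || labels[2] !== "rbndr" || labels[3] !== "us") return null;
  const a = dwordToIp(labels[0]), b = dwordToIp(labels[1]);
  return a !== null && b !== null ? [a, b] : null;
}

// Loopback, RFC 1918, link-local and "this network" ranges: an answer in one
// of these for a public name is what resolver-level rebinding protection
// refuses to pass on to clients.
function isInternalIp(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Scan queried names and report the rbndr.us ones that can land on an
// internal address, together with both decoded candidates.
function findRebindingNames(queryNames) {
  const hits = [];
  for (const name of queryNames) {
    const ips = decodeRbndr(name);
    if (ips === null) continue;
    const internal = ips.filter(isInternalIp);
    if (internal.length > 0) hits.push({ name, candidates: ips, internal });
  }
  return hits;
}

// Constructed sample of query names, including the one from the slides; the
// third uses two documentation-range (TEST-NET) addresses and is not flagged.
const SAMPLE_QUERIES = [
  "www.example.com",
  "7f000001.c0a80001.rbndr.us",
  "cb00710a.c6336401.rbndr.us",
];
```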
CSP and XSSAuditor bypass: Script Gadgets (https://github.com/google/security-research-pocs)
XSS Mitigations
● WAFs, XSS filters (XSSAuditor)
  ○ Block requests containing dangerous tags / attributes
● HTML Sanitizers (input/output sanitization)
  ○ Remove dangerous tags / attributes from HTML
● Content Security Policy (CSP)
  ○ Distinguish legitimate and injected JS code
CSP and XSSAuditor bypass: Script Gadgets (https://github.com/google/security-research-pocs)
A Script Gadget is existing JS code on the page that may be used to bypass mitigations.
CSP and XSSAuditor bypass: Script Gadgets (https://github.com/google/security-research-pocs)
Script Gadgets convert otherwise safe HTML tags and attributes into arbitrary code execution
Bypasses XSS mitigations that look for "<script>"
CSP and XSSAuditor bypass: Script Gadgets (https://github.com/google/security-research-pocs)
DEMO
CSP and XSSAuditor bypass: Script Gadgets (https://github.com/google/security-research-pocs)
● Script Gadgets can be found in most of the more popular web frameworks
  ○ They can be used to bypass most mitigations in modern web applications