mXSS Attacks: Attacking Well-Secured Web Applications by Using innerHTML Mutations
Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, and Edward Z. Yang
ACM CCS (November 2013)

OUTLINE
XSS
mXSS
Exploits and Attack Surface
Mitigation Techniques
Evaluation
Related Work and Conclusion

Cross-Site Scripting (XSS)
Reflected XSS
◦ Maliciously manipulated parameters
Stored XSS
◦ User-contributed content stored on the server
DOM XSS (XSS of the third kind)
◦ JavaScript library
http://www.collinjackson.com/research/xssauditor.pdf

Solutions for XSS
Server-side solutions
◦ Encoding, replacement, rewriting
Client-side solutions
◦ IE8 XSS Filter
◦ Chrome XSS Auditor
◦ Firefox NoScript extension

mXSS
Mutation-based Cross-Site Scripting
https://cure53.de/fp170.pdf

mXSS - At the time of testing
Impact on IE, Firefox, Chrome
◦ Webmail clients
Bypass HTML sanitizers
◦ HTML Purifier
◦ htmLawed
◦ OWASP AntiSamy
◦ jSoup
◦ kses
Led to subsequent changes in browser behavior.

innerHTML / outerHTML
An HTML element's property
◦ Creating HTML content from arbitrarily formatted strings
◦ Serializing HTML DOM nodes into strings
http://www.jb51.net/article/16585.htm

Mutation
Trigger the mutation

Browser Model
http://www.cs.berkeley.edu/~dawnsong/papers/2011%20systematic%20analysis%20xss

innerHTML-Access
Access to the innerHTML properties
◦ from (parent) element nodes
HTML editor
◦ contenteditable attribute
◦ document.execCommand()
Print preview

Exploits
innerHTML-access
A. Backtick {` }
B. XML Namespace (xmlns)
C. CSS Escapes/Misfit Characters

Exploits – Backtick and XMLNS
Backtick {` }
XML Namespace

Exploits – CSS
CSS specifications propose CSS escapes
◦ v\61lue = value
Mutation
◦ 'val\27ue' => 'val'ue'

Exploits – CSS Recursive Decoding
Bypass some HTML filters with recursive decoding

Exploits – CSS Escapes in Property Names
Terminate the style attribute

Exploits – Entity-Mutation in non-HTML Documents
MIME type
◦ text/xhtml
Attacker may abuse MIME sniffing

Exploits – Entity-Mutation in non-HTML context of HTML documents
SVG tag, fixed

Attack Surface
A mutation event occurs when
74.5% of the Alexa Top 1000 websites were found to be using innerHTML assignments.

Attack Surface
JavaScript libraries
◦ 65% of the top 10,000 websites
◦ 48.87% using jQuery
Webmails
◦ Microsoft Hotmail, Yahoo! Mail, Redi Mail, OpenExchange, Roundcube, etc.
◦ Bug reports were acknowledged
HTML sanitizers
◦ Add new rules for known mutation effects

Mitigation Techniques (Server-side)
HTML
◦ Appending a trailing whitespace to text?
CSS
◦ Disallow any of the special characters
◦ Percent-escaping for parentheses and single quotes in URLs
Implemented in HTML Purifier (CSS)

Mitigation Techniques (Client-side)
TrueHTML
◦ A script
◦ Overwrites the getter methods of innerHTML
◦ XMLSerializer DOM object
◦ Changes the HTML handling into XML-based processing
◦ Low performance impact compared to filtering innerHTML data

Evaluation - Size
HTTP Archive
◦ Average transfer size of a web page: 1,200 kB (52 kB HTML, 214 kB JavaScript)
TrueHTML
◦ 820 bytes of code

Evaluation - Time
VM1
◦ Intel Xeon X5650 CPU 2.67 GHz, 2 GB RAM
◦ Ubuntu 12.04 Desktop, Mozilla Firefox 14.0.1
VM2
◦ Intel Core2Duo CPU 1.86 GHz, 2 GB RAM
◦ Ubuntu 12.04 Desktop, Mozilla Firefox 16.0.2
Proxy server to inject TrueHTML
Navigation Timing API

Evaluation - Time
Network Testing (Top 10,000)
◦ Overhead 0.01%~99.94%
Local Testing 1

Evaluation - Time
Local Testing 2
◦ <p>…(1kb)…</p>
◦ Scale to 1,000 elements

Related Work
Abusing Internet Explorer 8's XSS Filters
Browser Security Handbook
The Tangled Web: A Guide to Securing Modern Web Applications (book)
XSSAuditor bypasses from sla.ckers.org
Towards Elimination of XSS Attacks with a Trusted and Capability Controlled DOM (PhD thesis, Ruhr-University Bochum, 2012)

Conclusion
Problematic and mostly undocumented browser behavior
"Well-formed HTML is unambiguous" is false
Defensive tools and libraries must gain awareness of the additional processing layers that browsers possess.
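The CSS-escape mutation from the "Exploits – CSS" and "Exploits – CSS Recursive Decoding" slides and the server-side CSS rules from the "Mitigation Techniques (Server-side)" slide, worked through as an added example in JavaScript (not code from the paper, the slides or HTML Purifier; the function names and the exact set of refused characters are this example's assumptions):

```javascript
// Added example, not code from the paper or the slides: decode CSS escapes the way a
// browser does before judging a style value, then apply the two server-side rules the
// slides list (refuse special characters; percent-escape ( ) ' inside url()).
// Function names and the exact set of refused characters are this example's assumptions.
// A CSS escape is a backslash + 1..6 hex digits + one optional whitespace, or backslash + any char.
const CSS_ESCAPE = /\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|([^\n]))/g;

function decodeCssEscapes(value) {
  return value.replace(CSS_ESCAPE, (m, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    // CSS Syntax: NUL, surrogates and out-of-range code points decode to U+FFFD.
    if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return '\uFFFD';
    return String.fromCodePoint(cp);
  });
}

// Decode until nothing changes: "val\5c 27ue" becomes "val\27ue" after one pass and
// "val'ue" only after a second, which is the gap a single-pass filter leaves open.
function fullyDecode(value, maxRounds = 8) {
  let cur = value;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeCssEscapes(cur);
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Rewrite each url(...) so its body carries no quote or parenthesis: ( ) ' " \ become %XX
// and the body is re-wrapped in double quotes. (CSS forbids a bare ")" in an unquoted URL.)
const URL_TOKEN = /url\(\s*(["']?)(.*?)\1\s*\)/g;
function percentEscapeUrls(css) {
  return css.replace(URL_TOKEN, (m, _q, body) => {
    const safe = body.replace(/[()'"\\]/g, (c) =>
      '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
    return `url("${safe}")`;
  });
}

// Characters refused outside url(); an assumed set, the slides do not list theirs.
const SPECIAL = /[\\'"()<>]/;
// Returns { ok, value, reason }; when ok, value is the hardened style value to emit.
function hardenStyleValue(value) {
  if (fullyDecode(value) !== value) return { ok: false, value, reason: 'contains CSS escapes' };
  const escaped = percentEscapeUrls(value);
  const outsideUrls = escaped.replace(/url\("[^"]*"\)/g, 'URL');
  if (SPECIAL.test(outsideUrls)) return { ok: false, value: escaped, reason: 'special character outside url()' };
  return { ok: true, value: escaped, reason: '' };
}
```

The strict character rule also rejects legitimate values such as `calc(1px)`, which is the trade-off the slides' "disallow any of the special characters" implies.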