mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations
Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, and Edward Z. Yang.
ACM CCS (November, 2013)
OUTLINE
XSS
mXSS
Exploits and Attack Surface
Mitigation Techniques
Evaluation
Related Work and Conclusion

Cross-Site Scripting (XSS)

Reflected XSS
◦ Maliciously manipulated request parameters echoed back into the response

Stored XSS
◦ User-contributed content stored on the server and served to other users

DOM XSS (XSS of the third kind)
◦ Client-side JavaScript writes attacker-controlled data into the DOM; the payload need not pass through the server

Reference: http://www.collinjackson.com/research/xssauditor.pdf
Solutions for XSS

Server-side solutions
◦ Output encoding, replacement, rewriting (HTML sanitizers)

Client-side solutions
◦ IE8 XSS Filter
◦ Chrome XSS Auditor
◦ Firefox NoScript extension
mXSS

Mutation-based Cross-Site Scripting
Paper: https://cure53.de/fp170.pdf
mXSS - At the time of testing

Impact on IE, Firefox, Chrome
◦ Webmail clients

Bypass HTML sanitizers
◦ HTML Purifier
◦ htmLawed
◦ OWASP AntiSamy
◦ jSoup
◦ kses

Led to subsequent changes in browser behavior.
innerHTML / outerHTML

An HTML element's property
◦ Setter: creates HTML content (DOM nodes) by parsing an arbitrarily formatted string
◦ Getter: serializes HTML DOM nodes back into a string
Reference: http://www.jb51.net/article/16585.htm
Mutation

A string is parsed into DOM nodes (innerHTML setter) and later serialized back into a string (innerHTML getter). The serialized string is not guaranteed to equal the input; when it is re-parsed, the difference can introduce new elements or attributes, so a string that was harmless when it was sanitized becomes a script-executing one.

Trigger the mutation: assign HTML to innerHTML, read it back, and assign the result again.
Browser Model
Reference: http://www.cs.berkeley.edu/~dawnsong/papers/2011%20systematic%20analysis%20xss
innerHTML-Access

Places where the innerHTML getter is read in practice; each read serializes the DOM and can trigger a mutation.

Access to the innerHTML properties
◦ from (parent) element nodes

HTML editors
◦ contenteditable attribute
◦ document.execCommand()

Print preview
Exploits

innerHTML-access
A. Backtick (`)
B. XML Namespace (xmlns)
C. CSS Escapes / Misfit Characters
Exploits – Backtick and XMLNS

Backtick (`)
◦ Legacy IE serialized attribute values that contained no whitespace without quotes, and accepted the backtick as an attribute delimiter when re-parsing, so a quoted value containing backticks came back as additional attributes (e.g. an event handler)

XML Namespace (xmlns)
Exploits – CSS

CSS specifications define CSS escapes (a backslash followed by up to six hex digits)
◦ v\61lue = value

Mutation
◦ 'val\27ue' => 'val'ue' (the browser decodes the escape when it serializes the style attribute, so the single quote now terminates the string)
Exploits – CSS Recursive Decoding

Bypass some HTML filters with recursive decoding
◦ A filter that decodes escapes only once misses sequences that the browser decodes again on the next serialization round
Exploits – CSS Escapes in Property Names

Escapes are decoded in property names too when the style attribute is serialized
◦ A decoded double quote terminates the style attribute, and what follows is re-parsed as new HTML attributes
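The three CSS slides above describe one mechanism: the browser resolves CSS escapes when it writes the style attribute back, so a filter that inspects the escaped form sees something different from what the browser ends up with, and repeated serialization decodes again. The following is an added example, not code from the paper, the slides or HTML Purifier. decodeCssEscapes follows the CSS Syntax Level 3 escape rules; filterDecodeOnce, filterHardened and mutate are this example's own names; the assumption that each innerHTML round trip applies one decoding pass to the style value is modelled after the slides' 'val\27ue' example; the ATTACK string is constructed.

```javascript
// Added example: CSS escape decoding, a bypassable once-decoding filter and a
// hardened filter in the spirit of the slides' server-side advice. Not code from
// the paper or from any sanitizer; browser behaviour is modelled, not called.

const HEX = /[0-9a-fA-F]/;

// Decode CSS escapes as CSS Syntax Level 3 defines them: "\" + 1..6 hex digits
// (one following whitespace belongs to the escape) or "\" + any other character.
// Backslash-newline (a line continuation inside strings) is not treated specially.
function decodeCssEscapes(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    if (s[i] !== "\\") { out += s[i]; continue; }
    if (i + 1 >= s.length) { out += "\ufffd"; break; }       // backslash at EOF
    let j = i + 1, hex = "";
    while (j < s.length && hex.length < 6 && HEX.test(s[j])) hex += s[j++];
    if (hex.length === 0) { out += s[j]; i = j; continue; }  // "\x" -> "x"
    if (j < s.length && /[ \t\n\r\f]/.test(s[j])) j++;       // whitespace ends the escape
    const cp = parseInt(hex, 16);
    const bad = cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff);
    out += bad ? "\ufffd" : String.fromCodePoint(cp);
    i = j - 1;                                                // the loop's i++ lands on j
  }
  return out;
}

// Model of the mutation (assumption): every innerHTML round trip writes the style
// value back with its escapes resolved, so n round trips decode n times.
function mutate(styleValue, rounds) {
  let v = styleValue;
  for (let n = 0; n < rounds; n++) v = decodeCssEscapes(v);
  return v;
}

// A filter that decodes once, checks for a double quote (which would terminate
// style="...") or expression(), and then passes the ORIGINAL string on.
function filterDecodeOnce(css) {
  const seen = decodeCssEscapes(css);
  const safe = !/"|expression\s*\(/i.test(seen);
  return { safe, css };
}

// Hardened variant following the slides: decode until nothing changes (so a
// recursively escaped sequence cannot hide), reject any remaining backslash or
// double quote, and percent-escape ( ) ' inside url() so they cannot end the URL.
function filterHardened(css) {
  let decoded = css;
  for (let n = 0; n < 8; n++) {
    const next = decodeCssEscapes(decoded);
    if (next === decoded) break;
    decoded = next;
  }
  if (/["\\]|expression\s*\(/i.test(decoded)) return { safe: false, css: "" };
  const out = decoded.replace(/url\(\s*(['"]?)(.*?)\1\s*\)/g, (m, q, inner) =>
    "url(" + q + inner.replace(/[()']/g, (c) => "%" + c.charCodeAt(0).toString(16)) + q + ")");
  return { safe: true, css: out };
}

// Constructed attacker value: "\5c " is an escaped backslash, so one decoding pass
// yields colo\22r:red (harmless to look at) and a second pass yields colo"r:red.
const ATTACK = "colo\\5c 22r:red";

console.log(filterDecodeOnce("colo\\22r:red").safe);       // false: single escape is caught
console.log(filterDecodeOnce(ATTACK).safe);                // true:  the filter saw colo\22r:red
console.log(mutate(ATTACK, 2));                            // colo"r:red  (terminates style="...")
console.log(filterHardened(ATTACK).safe);                  // false
console.log(filterHardened("background:url('x\\27 y')"));  // { safe: true, css: "background:url('x%27y')" }
```

The once-decoding filter fails not because its blocklist is wrong but because it reasons about a string the browser will never use: after two serialization rounds the double quote is real. Decoding to a fixed point before checking, and refusing any backslash that survives, is the property the slides' "disallow any of the special characters" rule buys.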
Exploits – Entity-Mutation in non-HTML Documents

MIME type
◦ text/xhtml (document processed as XML)

An attacker may abuse MIME sniffing to get a document handled this way
Exploits – Entity-Mutation in non-HTML context of HTML documents

SVG tag (fixed since)
◦ Text inside elements such as <style> within <svg> is parsed with entities decoded but serialized as raw text, so an encoded &lt; comes back as a literal < and is re-parsed as markup
Attack Surface

A mutation event occurs when

74.5% of the Alexa Top 1000 websites were found to use innerHTML assignments.
Attack Surface

JavaScript libraries
◦ 65% of the top 10,000 websites
◦ 48.87% using jQuery

Webmails
◦ Microsoft Hotmail, Yahoo! Mail, Redi Mail, OpenExchange, Roundcube, etc.
◦ Bug reports were acknowledged

HTML sanitizers
◦ Add new rules for known mutation effects
Mitigation Techniques (Server-side)

HTML
◦ Appending a trailing whitespace to attribute values, so the serializer has to quote them?

CSS
◦ Disallow any of the special characters
◦ Percent-escaping for parentheses and single quotes in URLs

Implemented in HTML Purifier (CSS)
Mitigation Techniques (Client-side)

TrueHTML
◦ A script
◦ Overwrites the getter of the innerHTML property
◦ Uses the XMLSerializer DOM object
◦ Changes the HTML serialization into XML-based processing, whose output is always quoted and escaped and therefore re-parses unambiguously
◦ Low performance impact compared to filtering innerHTML data
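The following added example models the backtick vector from the exploit slides together with the two mitigations listed on the mitigation slides (trailing whitespace on the server, XML-style serialization on the client). It is not code from the paper, the slides or the TrueHTML script: parseStartTag, legacySerialize, xmlSerialize, roundTrip and sanitizeWithTrailingSpace are this example's own names, the backtick-as-delimiter parsing and the unquoted serialization are assumptions about legacy Internet Explorer taken from the paper's description, and PAYLOAD is a constructed string in the shape of that vector.

```javascript
// Added model of the backtick mXSS vector and of the two mitigations the slides
// list. The "legacy" parser/serializer imitate old IE behaviour as the paper
// describes it; they are a model for illustration, not browser code.

const ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"' };
const decodeEntities = (s) => s.replace(/&(amp|lt|gt|quot);/g, (_, n) => ENTITIES[n]);
const escapeAttr = (s) =>
  s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");

// Parse one start tag such as <img src="x" alt=y> into { name, attrs }.
// backtickQuotes=true models legacy IE, which accepted ` as an attribute value
// delimiter (assumption from the paper's vector); false models a current HTML
// parser, where ` is an ordinary character inside an unquoted value.
function parseStartTag(html, backtickQuotes) {
  const quotes = backtickQuotes ? ['"', "'", "`"] : ['"', "'"];
  let i = 0;
  const readUntil = (stop) => { let s = ""; while (i < html.length && !stop(html[i])) s += html[i++]; return s; };
  const skipWs = () => readUntil((c) => !/\s/.test(c));
  if (html[i++] !== "<") throw new Error("expected a start tag");
  const name = readUntil((c) => /[\s/>]/.test(c)).toLowerCase();
  const attrs = {};
  for (;;) {
    skipWs();
    if (i >= html.length) throw new Error("unterminated start tag");
    if (html[i] === ">") { i++; break; }
    if (html[i] === "/") { i++; continue; }
    const attrName = readUntil((c) => /[\s=>]/.test(c)).toLowerCase();
    skipWs();
    let value = "";
    if (html[i] === "=") {
      i++;
      skipWs();
      const q = html[i];
      if (quotes.includes(q)) { i++; value = readUntil((c) => c === q); i++; }
      else value = readUntil((c) => /[\s>]/.test(c));
    }
    if (attrName && !(attrName in attrs)) attrs[attrName] = decodeEntities(value); // first wins, as in browsers
  }
  return { name, attrs };
}

// innerHTML getter as legacy IE did it (assumption, per the paper): a value
// without whitespace or double quote is written back unquoted.
function legacySerialize(el) {
  return "<" + el.name + Object.entries(el.attrs).map(([k, v]) =>
    " " + k + "=" + (v === "" || /[\s"]/.test(v) ? '"' + escapeAttr(v) + '"' : v)).join("") + ">";
}

// XMLSerializer-style output, which is what TrueHTML switches the getter to:
// every value is quoted and escaped, so re-parsing cannot read it differently.
function xmlSerialize(el) {
  return "<" + el.name + Object.entries(el.attrs).map(([k, v]) => ` ${k}="${escapeAttr(v)}"`).join("") + ">";
}

// One innerHTML round trip: parse, serialize, parse again. Returns the serialized
// string and every attribute name that exists only after re-parsing.
function roundTrip(html, serialize, backtickQuotes) {
  const first = parseStartTag(html, backtickQuotes);
  const serialized = serialize(first);
  const second = parseStartTag(serialized, backtickQuotes);
  const gained = Object.keys(second.attrs).filter((k) => !(k in first.attrs));
  return { serialized, gained };
}

// Server-side workaround from the slides: append a whitespace to every attribute
// value so that even the legacy serializer has to quote it.
function sanitizeWithTrailingSpace(html) {
  const el = parseStartTag(html, false);
  for (const k of Object.keys(el.attrs)) el.attrs[k] += " ";
  return xmlSerialize(el);
}

// Constructed payload in the shape of the paper's backtick vector: sanitizers see
// one harmless alt attribute; legacy IE re-parses it as alt="" plus onload.
const PAYLOAD = '<img src="test.jpg" alt="``onload=xss()">';

console.log(roundTrip(PAYLOAD, legacySerialize, true));                          // gained: [ 'onload' ]
console.log(roundTrip(PAYLOAD, legacySerialize, false));                         // current parser: gained: []
console.log(roundTrip(sanitizeWithTrailingSpace(PAYLOAD), legacySerialize, true)); // gained: []
console.log(roundTrip(PAYLOAD, xmlSerialize, true));                             // gained: []
```

The two fixes attack different halves of the mutation: the trailing whitespace changes the input so the legacy serializer never takes its unquoted path, while the XML-style serializer removes that path altogether, which is why TrueHTML can be installed once per page rather than per sanitizer rule. In a real browser the TrueHTML approach corresponds to redefining the innerHTML getter on Element.prototype with Object.defineProperty and returning the output of XMLSerializer.serializeToString over the element's children; xmlSerialize stands in for that here.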
Evaluation - Size

HTTP Archive
◦ Average transfer size of a web page: 1,200 kB (52 kB HTML, 214 kB JavaScript)

TrueHTML
◦ 820 bytes of code
Evaluation - Time

VM1
◦ Intel Xeon X5650 CPU 2.67GHz, 2GB RAM
◦ Ubuntu 12.04 Desktop, Mozilla Firefox 14.0.1

VM2
◦ Intel Core2Duo CPU 1.86GHz, 2GB RAM
◦ Ubuntu 12.04 Desktop, Mozilla Firefox 16.0.2

Setup
◦ Proxy server to inject TrueHTML into the pages
◦ Load times measured with the Navigation Timing API
Evaluation - Time

Network Testing, Top 10,000
◦ Overhead 0.01%~99.94%

Local Testing 1
Evaluation - Time

Local Testing 2
◦ <p>…(1kb)…</p>
◦ Scaled to 1,000 elements
Related Work

Abusing Internet Explorer 8's XSS Filters

Browser Security Handbook

The Tangled Web: A Guide to Securing Modern Web Applications (book)

XSSAuditor bypasses from sla.ckers.org

Towards Elimination of XSS Attacks with a Trusted and Capability Controlled DOM (PhD thesis, Ruhr-University Bochum, 2012)
Conclusion

Problematic and mostly undocumented browser behavior

"Well-formed HTML is unambiguous" is false

Defensive tools and libraries must gain awareness of the additional processing layers that browsers possess.