On Breaking PHP-based cross-site scripting protection Mechanisms in the wild
A talk by Ashar Javed @ Garage4Hackers WebCast (28-07-2014)
Previously presented at OWASP Spain Chapter Meeting
13-06-2014, Barcelona (Spain)
Recorded Webcast here

Monkey testing --- according to Wikipedia
In computer science, a Monkey test (aka. Mark Testing) is a unit test that runs with no specific test in mind :)
This video summarizes everything about monkey testing ...
https://www.youtube.com/watch?v=f6LWNQqs7TE
This talk is about ...
WHO AM I?
- A researcher at Ruhr University Bochum (RUB), Germany
- A student of XSS who is working towards his PhD in XSS
- An XSSer / an XSS enthusiast
- Listed in top sites' hall of fame
- A proud father of two
- Speaker @HITBKUL 2013, @DeepSec 2013, OWASP Seminar@RSA Europe 2013 and OWASP Spain 2014
- A Twitter lover @soaj1664ashar

Another reason for an xsser :)
Why do I love XSS?
REASON # 1 
Reason # 2
Reason # 3
see: http://slides.com/mscasharjaved/cross-site-scripting-my-love
agenda
- PHP
- XSS
- Testing Methodology
- Per-Context XSS Attack Methodology
- Summary of the PHP findings (covers built-in functions, customized XSS solutions and top PHP-based web frameworks)
- Results of Alexa Survey of Top 100 sites
- Conclusion
 
why Hypertext Preprocessor (PHP)?
reason # 1
http://w3techs.com/technologies/overview/programming_language/all
reason # 2
http://www.php.net/usage.php
Reason # 3
http://www.php.net/usage.php
reason # 4
http://w3techs.com/blog/entry/web_technologies_of_the_year_2013
Final reason (Top sites)
cross-site scripting (xss)
XSS according to OWASP
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
some statistics about xss
according to Prevoty CTO Kunal Anand
https://www.brighttalk.com/webcast/288/97255
according to open source vulnerability database

http://www.osvdb.org/osvdb/show_graph/1
According to OWASP top 10, 2013
http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf
According to google vulnerability reward program (vrp)
according to google trends
Why should you care about XSS?
https://twitter.com/soaj1664ashar/status/362493382645383168
A recent example (traffic hijacking)
Persistent XSS Enables Large-Scale DDoS Attack
http://www.incapsula.com/blog/world-largest-site-xss-ddos-zombies.html
Another recent example, #tweetbleed

#tweetbleed is the term coined here: https://twitter.com/pdp/status/476796934062370816
tweetDeck's persistent XSS
https://twitter.com/soaj1664ashar/status/476773831928209408
but the bleeding continues ...
https://twitter.com/derGeruhn/status/476764918763749376
ends up ...
https://twitter.com/TweetDeck/status/476770732987252736
getting bored ...

what if i told you :)

but how?

testing methodology
- Simulate Real Web Applications
- Testing is conducted in five common contexts (HTML, script, attribute, style & URL) unless a context has been explicitly mentioned ...
 
what is context?
context definition
https://twitter.com/soaj1664ashar/status/463960615157915648
html context
filter_function === general term for whatever sanitization routine the site applies to the input
e.g., http://www.ea.com/search?q=""xyz
e.g., http://search.health.com/results.html?Ntt=""xyz
e.g., http://www.indiatimes.com/search/""xyz/
Attribute context
e.g., http://www.ea.com/search?q=""junk
e.g., http://www.ea.com/search?q=junk
e.g., http://www.drudgereportarchives.com/dsp/search.htm?searchFor=junk
script context
e.g., http://search.health.com/results.html?Ntt=xxxxxxxxxx
Double Quotes Case
e.g., http://www.dailymail.co.uk/home/search.html?sel=site&searchPhrase=xxxxxxxxxxxx
Single Quotes Case
e.g., http://www.indiatimes.com/search/xxxxxxxxxxxx/
xss in indiatimes ...
URL context
e.g., http://editor.froala.com/
e.g., http://www.tinymce.com/tryit/full.php
e.g., https://translate.twitter.com/forum/topics/5952/posts/new
Style Context
e.g., a screen-shot from ebay
live xss in ebay in style context
another xss in magento commerce in style context
summary of contexts
Attack Methodology
- Systematic in nature
- Easy to understand
- Context-Specific
- The attack methodology is `complete`: with it, one can guarantee whether there is an XSS or no XSS at a particular injection point.
- With the help of the attack methodology, one can build a secure per-context XSS sanitizer.
- It can be applied to other server-side languages, e.g., ASP, Ruby, etc.

script context attack methodology
An attacker may also use a single-line comment (//) in order to make the closing quote null & void:
"; confirm(1); //
OR
'; confirm(1); //
live demo
A question arises ...
Why no sort of encoding in script-context attack methodology?
answer
It simply does not work. Encoding will not help you in breaking the script context unless developers are doing some sort of explicit decoding.
It is better to avoid explicit decoding, but I saw developers doing explicit decoding; e.g., see my short post on the Yahoo Web Analytics XSS
https://twitter.com/soaj1664ashar/status/460346852580139008
and see my write-up on XSS in alexa.com
This demo shows that encoding does not help you in breaking the script context:
http://jsfiddle.net/4eqK4/5/
Does this mean encoding does not work in the script context?
The answer is "NO". It works, but it does not help in breaking out of the context.
see demo: http://jsfiddle.net/TM679/5/
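Per-context output encoding in PHP, as an added example that is not code from the talk: one encoder for each of the five contexts of the testing methodology, showing why the script context needs a JavaScript string literal rather than HTML encoding and why the URL and style contexts need an allow-list rather than encoding. The URL allow-list (absolute http(s) only) and the style character allow-list are my assumptions; the sample payloads are the ones shown in this deck.

```php
<?php
// Added example, not code from the talk: one encoder per output context,
// which is what the per-context attack methodology argues a sanitizer must
// be. Each function is named for the context it serves and nothing else.

// HTML context  <p>HERE</p>
function enc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Attribute context  <input value="HERE">  The template MUST quote the value:
// ENT_QUOTES encodes ' and ", and the IE8 back tick trick from the talk only
// splits an attribute that was left unquoted.
function enc_attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Script context  var x = HERE;  HTML encoding does not help here (see the
// talk); emit a JS string literal with quotes, <, >, & escaped as \uXXXX so
// "; confirm(1); // cannot close the literal and </script> cannot end the block.
// Invalid UTF-8 makes json_encode fail, in which case an empty literal is used.
function enc_js(string $s): string {
    return json_encode($s, JSON_HEX_QUOT | JSON_HEX_APOS | JSON_HEX_TAG | JSON_HEX_AMP) ?: '""';
}

// URL context  <a href="HERE">  No encoding makes javascript: safe, so the
// scheme is allow-listed (absolute http(s) only, an assumption for brevity)
// after dropping the control characters browsers ignore inside a scheme.
function enc_url(string $s): string {
    $probe = preg_replace('/[\x00-\x20\x7F]/', '', $s);
    if (!preg_match('#\Ahttps?://#i', $probe)) {
        return '#';                         // rejected: not an allowed scheme
    }
    return htmlspecialchars($probe, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Style context  <div style="width:HERE">  Assumed conservative allow-list:
// no ( ) \ ' " / so expression(...), url(...), /**/ and CSS escapes are out.
function enc_style(string $s): string {
    return preg_match('/\A[A-Za-z0-9 #%.,-]{1,64}\z/', $s) ? $s : '';
}

// Payloads from the talk's own slides, run through the matching encoder.
echo enc_html('<input type=text oninput=alert(1)>'), "\n";
echo enc_attr('``onmouseover=alert(1)'), "\n";
echo enc_js('"; confirm(1); //'), "\n";
echo enc_url("ja\tvascript:confirm(1)"), "\n";
echo enc_style('ex/**/pression(alert(1))'), "\n";
```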
json context (script)
http://xssplaygroundforfunandlearn.netai.net/series7.html
solution
take it as an exercise .... 
Attribute Context attack methodology
Yahoo email was vulnerable to an XSS in an attribute context
live demo 
3rd step of attribute context attack methodology
``onmouseover=alert(1)
`` === back tick
`` trick discovered by Yosuke HASEGAWA
https://twitter.com/hasegawayosuke
IE8 treats the back tick (``) as a valid separator between an attribute and the attribute's value.
Very useful for breaking the attribute context if the site is properly filtering single and double quotes.
noted in the HTML5 Security Cheat Sheet http://html5sec.org/ by Mario Heiderich
https://twitter.com/0x6D6172696F
Another useful tool by him is
http://html5sec.org/innerhtml/
and
A must-read research paper by him if you are interested in innerHTML and mutation XSS:
http://www.nds.rub.de/media/emma/veroeffentlichungen/2013/12/10/mXSS-CCS13.pdf
The back tick (``) demos were tested on Microsoft Windows XP + IE8; the tool used for testing is http://html5sec.org/innerhtml/
`` in action demo # 1
`` in action demo # 2
`` in action demo # 3
GitHub https://github.com/ is vulnerable to innerHTML based XSS
GitHub's response to my report
tinymce was also vulnerable to innerhtml based xss
who is using tinymce?
Is innerHTML-based (i.e., back tick ``) XSS exploitable?
http://xssplaygroundforfunandlearn.netai.net/innerHTMLtesting.html
A question arises: who cares about IE8?
IE8 still had a 22% market share
http://view.officeapps.live.com/op/view.aspx?src=%20http%3a%2f%2fvideo.ch9.ms%2fsessions%2fbuild%2f2014%2f2-559.pptx
Why no encoding in the attribute context attack methodology?
see demo http://jsfiddle.net/9t8UM/3/
example where encoding helps ...
https://twitter.com/soaj1664ashar/status/460346852580139008
story of YWA XSSes

XSSes in YWA worth $750
style context attack methodology
Remember the $1000 XSS challenge ...
http://demo.chm-software.com/7fc785c6bd26b49d7a7698a7518a73ed/
xss attack attempts ...
78188 XSS attack attempts from 1035 unique IP addresses and no bypass ...
implementation of a generic style context cleaner
questions you might be thinking ...
feature of style context cleaner ...
It allows CSS styles ... 

Stylish XSS in Magento (worth $1000)
http://www.scribd.com/doc/226925089/Stylish-XSS-in-Magento-When-Style-helps-you
URL context attack methodology
Will Unveil ... :)
Application Security Forum Western Switzerland
Training: "XSS & PHP: A Happily Married Couple"
http://2014.appsec-forum.ch/speakers/
November 4th, Yverdon-les-Bains (Switzerland)
OR
BlackHat Europe 2014
Briefing: Revisiting XSS Sanitization
https://www.blackhat.com/eu-14/briefings.html#revisiting-xss-sanitization
OCTOBER 16 & 17, Amsterdam, The Netherlands
stored xss in twitter translation in url context even in the presence of content security policy (CSP)
http://www.scribd.com/doc/211362856/Stored-XSS-in-Twitter-Translation
xss in magento commerce in url context (data uri)
Evaluation of Attack Methodology
php built-in functions that developers are using in the wild
A quick search on GitHub reveals ...
http://xssplayground.net23.net/clean6.html
A quick search on GitHub reveals ... (there are false positives too, but it still gives you an idea of popularity)
http://xssplayground.net23.net/clean20.html
A quick search on GitHub shows ...
http://xssplayground.net23.net/clean21.html
summary of bypasses 

customized xss solutions
Developers also use this function (RemoveXSS) under names like filterXSS and noXSS
A quick search on GitHub reveals
http://xssplayground.net23.net/clean.html
features of removexss()
Two arrays of black-listed keywords :)
HTML context bypasses of removexss()
http://xssplayground.net23.net/clean.html
<input type=text oninput=alert(1)>
<form action=ja	vasc
ript:alert(1)><button type=submit>
Attribute context bypasses of removexss()
All event handlers that are not part of the black-listed array bypass this protection, e.g.,
onpopstate
onstorage
I tweeted about that and you will see lots of bypasses by fellow researchers
style context bypass of removexss()
width:ex/**/pression(alert(1))
URL context bypass of removexss()
ja	vasc&NewLine;ript:alert(1)
script context bypass of removexss()
'; confirm(1); '
A very popular but sorry to say BAD XSS protection ...
A quick search on GitHub reveals ...
http://xssplayground.net23.net/clean1.html
why so popular?
published at http://css-tricks.com
features of cleaninput()
html context bypasses of cleaninput()
http://xssplayground.net23.net/clean1.html
<img src=x id=confirm(1) onerror=eval(id)
<iframe/src=javascript:confirm%281%29
for other contexts ... It should be :)
The goal of this function is to stop JavaScript execution via style.
http://xssplayground.net23.net/clean2.html
it performs well for cases like:
but remember the 3rd step of style context attack methodology ... 
Here is the bypass :)
width:expression(alert(1))
Another popular customized XSS protection solution.
why popular?
Symphony CMS
A popular XSLT-powered open source content management system is using detectXSS() function.
according to http://www.getsymphony.com/

features of detectxss()
html context bypass of detectxss()
for other contexts ...

summary of bypasses
php-based web application frameworks
codeigniter
A Fully Baked PHP Framework
http://ellislab.com/codeigniter
codeigniter bypasses
feature of codeigniter
Disallowed JavaScript in Links & Image Tags (Snapshot from the latest CodeIgniter version available at GitHub)
https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Security.php#L438
Before my bypass, the link JavaScript removal feature's regular expression looked like:
Test-bed for the old CodeIgniter version, before I started bypassing
who is willing to bypass this? :)
Bypass # 1: a forward slash (/) alone, in place of the space after the tag name, is enough to bypass the regular expression :)
<a/href=ja	vasc
ript:confirm(1)>click</a>
http://xssplayground.net23.net/clean11.html (old test-bed)
http://xssplayground.net23.net/clean100.html (new test-bed)
another feature of codeigniter
Sanitize Naughty HTML elements
Old list of naughty elements before I started bypassing ...
Bypass # 2 (uses the math tag; it is a Firefox-specific bypass)
<math><a/xlink:href=javascript:confirm(1)>click</a>
http://xssplayground.net23.net/clean11.html (old test-bed)
http://xssplayground.net23.net/clean100.html (new test-bed)
new/updated list of naughty elements
The old CodeIgniter had no support for HTML5 entities like &Tab;, &colon; and &NewLine;
I was making use of these entities in order to bypass CodeIgniter's black-listing ...
Now they support HTML5 entities
https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Security.php#L592
yet another feature of codeigniter
Removes invisible characters, e.g., %00 (NULL)
the remove invisible feature was working fine but ...
one does not simply `commit` :)

developer replied
more XSS bypasses ...
VALID SEPARATORS IN DIFFERENT BROWSERS
https://twitter.com/kinugawamasato
ref: https://zdresearch.com/zdresearch-xss1-challenge-writeup/
Bypass # 3: \u000C (form feed) in action
demo: http://jsfiddle.net/GTxVt/5/
bypass # 4 & 5
A utility that is very useful for inserting these separators into a vector as raw bytes is the HxD hex editor:
HxD http://mh-nexus.de/en/hxd/
An XSS vector containing all fuzzed forms of whitespace ...
https://twitter.com/soaj1664ashar/status/358574268386246656
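As an added example (not CodeIgniter's implementation), a black-list check that decodes HTML5 entities and removes invisible characters before the pattern is applied, run over the bypass vector from above and over variants constructed from the entity and %00 slides; the benign URL is made up.

```php
<?php
// Added example, not CodeIgniter's code: a black-list check only works on
// NORMALISED input. The talk's CodeIgniter bypasses used HTML5 entities
// (&Tab; &colon; &NewLine;) and invisible characters (%00) that the
// filter's regular expression never saw in decoded form.

// Naive check: the regex is applied to the raw string.
function naive_has_js_scheme(string $s): bool {
    return (bool) preg_match('/javascript\s*:/i', $s);
}

// Normalise as a browser effectively does before it interprets a URL:
// 1. decode HTML5 named and numeric entities once, as the HTML parser does
//    (ENT_HTML5 knows &Tab;, &NewLine;, &colon; ...);
// 2. remove the invisible characters that are ignored inside a scheme
//    (NULL, tab, LF, CR and the other C0 controls, plus DEL).
function normalise(string $s): string {
    $decoded = html_entity_decode($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return preg_replace('/[\x00-\x1F\x7F]/', '', $decoded);
}

// Same black-list pattern, but applied after normalisation.
function has_js_scheme(string $s): bool {
    return (bool) preg_match('/javascript:/i', normalise($s));
}

// Test vectors: the first is the href of the talk's bypass #1 as written;
// the others are constructed here from the entity and %00 slides.
$vectors = [
    "ja\tvasc\nript:confirm(1)",                 // raw tab and newline in scheme
    "ja&Tab;vasc&NewLine;ript&colon;confirm(1)", // same, as HTML5 entities
    "javascript\x00:confirm(1)",                 // NULL, the %00 of the talk
    "http://example.test/page",                  // benign URL, passes both
];
foreach ($vectors as $v) {
    printf("%-44s naive:%-5s normalised:%s\n",
        addcslashes($v, "\0..\37"),
        naive_has_js_scheme($v) ? 'true' : 'false',
        has_js_scheme($v) ? 'true' : 'false');
}
```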
Important thing to remember as far as CodeIgniter is concerned ...
It is only useful for the HTML context ....
You should not use it for the attribute, style, script and URL contexts.
https://github.com/EllisLab/CodeIgniter/issues/2667
Initially the developers were also not sure about CodeIgniter's usage
https://github.com/EllisLab/CodeIgniter/issues/2667
summary of bypasses
alexa top 100 sites
I surveyed top 10 sites from the following 10 categories ...
xss distribution in different categories (50 out of 100 are vulnerable)
injection distribution
my short write-up
http://www.scribd.com/doc/210121412/XSS-is-not-going-anywhere
conclusion
- Our large-scale survey of PHP-based sanitisation routines shows the SAD state of web security as far as XSS is concerned.
- The proposed attack and testing methodology is general and may be applied to other server-side languages.
- What if we automate this context-specific attack methodology and unleash automation tool on a large scale survey of deep web ... :)
 
special thanks
