XSS Auditor Bypass

by Olivier Arteau

This Presentation

  • General approach

  • Specific approach for Google Chrome

  • Specific approach for Internet Explorer

General approach

  • XSS detection is heuristic based

  • When the server transforms the reflected content, an XSS Auditor that looks for an exact match (mostly Google Chrome) can be tricked.

    • This happens when:
      • incorrect encoding is applied
      • custom transformations are applied

  • Tip: place the transformed content at the beginning of the script in a string value.

General approach

  • XSS detection is heuristic based

  • Heuristics for content reflected in some places are hard to write without false positives:
    • inside JavaScript content.
    • HTML attributes that are not quoted.

General approach

  • XSS detection is only applied before the page loads

  • DOM-based XSS is never detected

General approach

  • XSS detection is heuristic based

  • Heuristics can have bugs.
    • Most have been fixed :(
    • Not reliable over time
    • They won't be covered in this workshop

Browser specific approach

  • An XSS Auditor has to minimize false positives
    • Otherwise it gets annoying to users and they disable it.
    • Otherwise websites disable it to prevent their site from having issues.

  • Browsers have some rules that whitelist reflected content under specific conditions.

Google Chrome

  • "It's a friend"

    • Resources hosted on the same domain are never detected or blocked
      • Can load user content as a script.
        • The X-Content-Type-Options header must not be set.
      • Can load powerful libraries (ex.: angular.js) used elsewhere on the site.
      • Can load JavaScript with DOM-based reflected content.
    • The only restriction is that the URL must not contain any GET parameter.
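The defensive side of the two points above (server-side transformations and unquoted attributes or JavaScript strings that the auditor cannot cover, and the X-Content-Type-Options condition), as an added example that is not part of the slides: the sample reflected value, the template strings and the header set are constructed for this illustration, and the point is that correct context-aware encoding and the nosniff header hold regardless of whether a browser-side auditor is present.

```python
import html
import json

# Constructed sample of reflected user input (not from the slides): a value
# that breaks out of its context if the server echoes it without encoding.
REFLECTED_INPUT = '"><script>alert(1)</script>'


def render_unsafe(value: str) -> dict:
    """Echo the value raw into the contexts the deck lists as hard for an
    auditor: HTML text, an unquoted attribute and a JavaScript string."""
    return {
        "html_text": f"<p>{value}</p>",
        "attr": f"<input value={value}>",
        "js_string": f"<script>var q = '{value}';</script>",
    }


def render_safe(value: str) -> dict:
    """Context-aware output encoding: the server-side control that does not
    depend on the browser's heuristic detection."""
    # JSON string literal, with '<' escaped so the value can never close the block
    js_literal = json.dumps(value).replace("<", "\\u003c")
    return {
        "html_text": f"<p>{html.escape(value)}</p>",
        "attr": f'<input value="{html.escape(value, quote=True)}">',  # always quoted
        "js_string": f"<script>var q = {js_literal};</script>",
    }


def leaks_markup(rendered: str, value: str) -> bool:
    """True when the raw input survives verbatim in the output (markup stays live)."""
    return value in rendered


def missing_nosniff(headers: dict) -> bool:
    """True when a response lacks 'X-Content-Type-Options: nosniff', the
    condition the deck gives for user-uploaded content being loadable as a script."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("x-content-type-options", "").strip().lower() != "nosniff"


if __name__ == "__main__":
    for ctx, out in render_unsafe(REFLECTED_INPUT).items():
        print(f"unsafe {ctx:9} leaks={leaks_markup(out, REFLECTED_INPUT)}")
    for ctx, out in render_safe(REFLECTED_INPUT).items():
        print(f"safe   {ctx:9} leaks={leaks_markup(out, REFLECTED_INPUT)}")
    print("nosniff missing:", missing_nosniff({"Content-Type": "text/plain"}))
```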

Internet Explorer

  • "It's from a friend"

    • Internet Explorer never performs XSS detection on resources where "Referer" == domain of the requested URL

      • JavaScript-based redirect
      • Clickable URL from user content
      • <iframe> URL that you can control
      • "Referer" spoofing vulnerability
        • http://www.brokenbrowser.com/referer-spoofing-defeating-xss-filter/
        • It's fixed :(

Exercises

  • This presentation
    • https://slides.com/olivierarteau/xss-auditor-bypass/

  • Exercises
    • http://xss.zhack.ca/hackfest/