XSS mitigation

by Olivier Arteau

arteau [dot] olivier (at) gmail.com

This Presentation

  • XSS-Protection
    • Modes
    • An overview of the bypass method
       
  • CSP
    • Directives
    • Bypass method

Mitigation ?

  • The headers
    • They don't fix XSS
    • They help limit what the exploit can do
    • They make exploits harder to develop
    • It's a second line of defense

XSS-Protection

  • Modes
    • default
      • X-XSS-Protection: 1
      • Browser removes detected content
    • block
      • X-XSS-Protection: 1; mode=block
      • Browser doesn't render the page when it detects something
  • Not setting this header defaults to "enabled".
    • Some online tools will incorrectly tell you that you need to set this header to be protected. This is wrong.

XSS-Protection

  • Bypasses
    • Doesn't detect stored XSS.
       
    • Doesn't detect DOM XSS
      • XSS that is triggered by JavaScript execution

XSS-Protection

  • Bypasses
    • Google Chrome
      • Reflected content that comes from the same website is whitelisted.
        • Don't allow JavaScript file uploads, and serve user content with "X-Content-Type-Options: nosniff".
        • Use another domain for JavaScript files.
    • Internet Explorer
      • When the Referer of the page is from the same website, the XSS Auditor is disabled.
        • JavaScript redirect
        • Hosted link (ex.: my website, etc.)

XSS-Protection

  • Bypasses
    • More content
      • http://slides.com/olivierarteau/xss-auditor-bypass#/

CSP

  • Name: Content Security Policy
  • Defines what content is allowed
    • Is inline content allowed?
    • From which protocols is content allowed?
    • Which domains are permitted?
    • Is content from eval-like functions allowed?
  • Can be applied to JavaScript, CSS, XHR connect, Font, IFrame, Form action, etc.

CSP

  • Getting started
    • This header can be set in report-only mode.
      • This lets you tweak the rules until they don't break anything.
    • Define at least default-src
    • Useful resources
      • https://content-security-policy.com/

CSP

  • Bypasses
    • User uploaded content
      • Whitelist the allowed MIME types.
      • Use the "X-Content-Type-Options: nosniff" header
         
    • "unsafe-inline" for script
      • Avoid using this source expression
      • Use a nonce instead
         
    • "data:" URI for script
      • This is equivalent to "unsafe-inline"
      • Use a nonce instead

    • Reflected content inside a nonced script.

CSP

  • Bypasses
    • Whitelisting too many domains
      • Avoid wildcards for domains that have a large number of subdomains (ex.: *.googleapis.com)
      • Avoid whitelisting domains that everyone can upload to (ex.: github.com / github.io)
         
    • "unsafe-eval" and Angular.JS
      • TODO: check whether CSP can be bypassed
      • ajax.googleapis.com hosts Angular.JS (even if you don't use it!)
         
    • DOM XSS

CSP

  • Bypasses
    • Unfiltered callback for JSONP endpoints.
      • /endpoint?callback=alert(/evil/)//
      • Filter the callback argument of JSONP endpoints to [a-zA-Z0-9$_]
         
    • Missing "object-src" or "script-src"
      • When "default-src" isn't defined
      • Missing object-src (SWF + allowscriptaccess)
      • Missing script-src (Can point to any script hosted anywhere)
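The JSONP callback filter described above, as an added illustration (not code from the workshop application): the callback is restricted to [a-zA-Z0-9$_], the response is sent with a script MIME type and nosniff, and the data is serialized rather than concatenated. The helper and the "/**/" prefix are assumptions of this example.

```python
import json
import re

# Only identifiers built from this character class may be used as the
# JSONP callback (the class recommended on the slide above).
CALLBACK_RE = re.compile(r"[A-Za-z0-9$_]+")


def jsonp_response(data, callback):
    """Return (status, headers, body) for a JSONP endpoint.

    Any callback outside [a-zA-Z0-9$_] is rejected, so something like
    'alert(/evil/)//' can never reach the response body.
    """
    if not callback or not CALLBACK_RE.fullmatch(callback):
        return 400, {"Content-Type": "text/plain"}, "invalid callback"

    headers = {
        # Script MIME type plus nosniff: browsers must not reinterpret
        # this response as anything other than JavaScript.
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    # json.dumps output is valid JS; escaping '<' keeps a literal
    # '</script>' out of the body should the response ever be inlined.
    payload = json.dumps(data).replace("<", "\\u003c")
    # Leading comment so the body never starts with caller-chosen bytes
    # (a common JSONP hardening, assumed here rather than taken from the slide).
    return 200, headers, f"/**/{callback}({payload});"
```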

CSP

  • Bypasses
    • Further reading
      • https://static.googleusercontent.com/media/research.google.com/fr//pubs/archive/45542.pdf

Exercises

  • Simple forum application
    • Offensive exercises
      • You can turn off XSS-Protection with "?xss=no"
      • You can turn off CSP with "?csp=no"
      • Make a payload that bypasses the XSS auditor for the following browsers.
        • Chrome
        • Internet Explorer
        • Both
      • Make a payload that bypasses the CSP policies.
      • Make a payload that bypasses the CSP policies and the XSS auditor for both browsers !

Exercises

  • Simple forum application
    • Defensive exercises
      • Identify, for each page, the fixes required to protect the application
        • Where are the XSS?
      • Identify the mitigations to put in place
        • What headers are missing ?
        • What content must be replaced ?
        • Make sure it doesn't break the website !
           
      • You can run the website locally with Apache and try your fix

Exercises

  • Simple application
    • The website
      • http://workshop.zhack.ca/xss-mitigation/
         
    • Source code
      • http://workshop.zhack.ca/xss-mitigation/workshop.zip
    • This presentation
      • https://slides.com/olivierarteau/xss-mitigation/

Solutions

  • DOM XSS - Create account
    • http://workshop.zhack.ca/xss-mitigation/create-account.php?test=%27%3E%3Cimg/src=%22x%22onerror=%22alert(1)%22%3E
       
  • Stored XSS - Main page
    • Name field of the comment
       
  • Reflected XSS - Login
    • http://workshop.zhack.ca/xss-mitigation/login.php?error=%3Cscript%3Ealert(/xss/)%3C/script%3E&xss=no

Solutions

  • XSS Auditor bypass
    • Chrome
      • Create an account "test" and upload your script as your image.
      • http://workshop.zhack.ca/xss-mitigation/login.php?error=<script+src="/pictures/test"></script>
         
    • Internet Explorer
      • Make a comment with your website as the XSS link
      • http://workshop.zhack.ca/xss-mitigation/login.php?error=<script>alert(/xss/)</script>

Solutions

  • XSS Auditor bypass
    • Both #1
      • Place the link with the Chrome bypass in a website link
      • http://workshop.zhack.ca/xss-mitigation/login.php?error=<script+src="/pictures/test"></script>
         
    • Both #2
      • Use the DOM XSS in the "Create account" page
      • http://workshop.zhack.ca/xss-mitigation/create-account.php?test='><img/src="x"onerror="alert(1)">

Solutions

  • XSS Auditor bypass
    • Both #3
      • Use the stored XSS in the name field (main page)

Solutions

  • CSP bypass
    • 'unsafe-inline'
      • <script>alert(/xss/)</script>
         
    • Picture upload
      • <script src="/pictures/test"></script>
      • Works even with 'unsafe-inline' removed
         
    • '*.googleapis.com'
      • https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22

Solutions

  • Fixes !
    • File upload
      • Correct MIME type! image/png, image/jpeg
      • X-Content-Type-Options: nosniff
         
    • Host jQuery on the same website, or on a CDN with a custom domain name
      • Too many things are hosted on ajax.googleapis.com
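The file-upload fix (here and in the "User uploaded content" bypass slide) as an added example, not code from the workshop: the stored type is derived from the file's leading bytes and compared with the client's claim, and pictures are served with that type plus nosniff. Function names and the magic-byte table are assumptions of this example.

```python
# Magic-byte signatures for the two image types the workshop accepts.
SIGNATURES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
}


def sniff_image_type(data: bytes):
    """MIME type implied by the file's leading bytes, or None."""
    for mime, magic in SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def validate_upload(data: bytes, claimed_type: str):
    """Accept the upload only if the bytes really are PNG/JPEG and match
    the Content-Type the client claimed.

    The client-supplied type alone is attacker-controlled: a JavaScript
    file labelled image/png would otherwise be stored under /pictures/
    and be loadable with <script src=...> from the same origin.
    """
    actual = sniff_image_type(data)
    if actual is None or actual != claimed_type:
        return None
    return actual


def picture_response_headers(mime: str):
    """Headers for serving a stored picture: the real type, and nosniff
    so the browser refuses to execute it as script even if referenced
    from a <script> tag."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
    }
```

Magic bytes alone do not rule out image/script polyglots; the nosniff header on the served file is what makes a `<script src="/pictures/...">` reference fail in the browser.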

Solutions

  • Fixes !
    • Nonce for the inline script
      • <script type="..." nonce="random_part"></script>
      • 'nonce-random_part'
      • Allow inline CSS
         
    • Other possible improvement
      • connect-src 'none' and child-src 'none'
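The nonce-based policy above, together with the "Getting started" advice (report-only mode, a default-src baseline), as an added example rather than the workshop's own code: a fresh nonce per response, a header builder that can emit the Report-Only variant, and a nonced inline script that receives user data as a JSON literal so reflected content cannot break into it. The directive set, the report URI and the function names are assumptions of this example.

```python
import html
import json
import secrets


def make_nonce():
    """Fresh, unpredictable nonce for each response (128 bits, base64url)."""
    return secrets.token_urlsafe(16)


def build_csp(nonce, report_only=False, report_uri="/csp-report"):
    """Return (header name, header value).

    default-src 'self' is the baseline; scripts may come from 'self' or a
    nonced inline block; inline CSS stays allowed; plugins, XHR and frames
    are off. 'self' for scripts still relies on the upload fix, since an
    uploaded file is same-origin. report_only=True selects the Report-Only
    header so the rules can be tuned without breaking the site.
    """
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'", f"'nonce-{nonce}'"],
        "style-src": ["'self'", "'unsafe-inline'"],
        "img-src": ["'self'"],
        "object-src": ["'none'"],
        "connect-src": ["'none'"],
        "child-src": ["'none'"],
        "report-uri": [report_uri],
    }
    value = "; ".join(f"{k} {' '.join(v)}" for k, v in directives.items())
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    return name, value


def nonced_script(nonce, user_value):
    """Inline script that receives reflected/user data.

    The data is embedded as a JSON literal with '<' escaped, never
    concatenated as code, so reflected content cannot close the nonced
    script and open one of its own.
    """
    data = json.dumps(user_value).replace("<", "\\u003c")
    return f'<script nonce="{html.escape(nonce)}">var userData = {data};</script>'
```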