XSS Auditor Bypass
by Olivier Arteau
This Presentation
- General approach
- Specific approach for Google Chrome
- Specific approach for Internet Explorer
General approach
- XSS detection is heuristic based
- When the server transform the reflected content XSS Auditor (mostly Google Chrome) that looks for exact match can be tricked.
- This happens when :
- incorrect encoding is applied
- custom transformation are applied
- This happens when :
- Tips : Place the transformed content at the beginning of the script in a string value.
General approach
- XSS detection is heuristic based
- Heuristic for the reflected in some places are hard to do without false positive.
- inside JavaScript content.
- HTML attributes that are not quoted.
General approach
- XSS detection is only applied before the page loads
- DOM based XSS is never detected
General approach
- XSS detection is heuristic based
- Heuristic can have bug.
- Most have been fixed :(
- Not reliable overtime
- It won't be covered in this workshop
Browser specific approach
- XSS Auditor have to minimize false positive
- Otherwise it gets annoying to users and they disable it.
- Otherwise website disable it to prevent their website from having issues.
- Browsers have some rule that will whitelist reflected content on specific condition.
Google Chrome
-
"It's a friend"
- Resources hosted on the same domain are never detected or blocked
- Can load user content as script.
- X-Content-Type-Options header must be not set.
- Can load powerful library (ex.: angular.js) used elsewhere in the site.
- Can load JavaScript with DOM based reflected content.
- Can load user content as script.
- The only restriction is that the URL must not contain any GET parameter.
- Resources hosted on the same domain are never detected or blocked
Internet Explorer
-
"It's from a friend"
- Internet Explorer never perform XSS detection from resources where "Referer" == domain of the requested URL
- JavaScript based redirect
- Clickable URL from user content
- <iframe> URL that you can control
- "Referer" spoofing vulnerability
- http://www.brokenbrowser.com/referer-spoofing-defeating-xss-filter/
- It's fixed :(
- Internet Explorer never perform XSS detection from resources where "Referer" == domain of the requested URL
Exercices
-
This presentation
-
https://slides.com/olivierarteau/xss-auditor-bypass/
-
https://slides.com/olivierarteau/xss-auditor-bypass/
-
Exercices
- http://xss.zhack.ca/hackfest/
XSS Auditor Bypass
By Olivier Arteau
XSS Auditor Bypass
- 3,071