XSS mitigation
by Olivier Arteau
arteau [dot] olivier (at) gmail.com
This Presentation
- XSS-Protection
- Modes
- An overview of the bypass methods
- CSP
- Directives
- Bypass methods
Mitigation ?
- The headers
- They don't fix XSS: the injection itself still has to be fixed
- They limit what an exploit can do
- They make exploits harder to develop
- They are a second line of defense
XSS-Protection
- Modes
- default
- X-XSS-Protection: 1
- The browser removes (sanitizes) the detected content and renders the rest of the page
- block
- X-XSS-Protection: 1; mode=block
- The browser doesn't render the page at all when it detects something
- mode=block is the safer of the two: the sanitizing mode has itself been abused to make the filter strip a legitimate script from the page
- Header absent
- Not setting this header at all leaves the filter enabled, in the default (sanitize) mode.
- Some online tools will incorrectly tell you that you need to set this header to be protected. This is wrong.
- Caveat: this describes the Chrome XSS Auditor and the IE XSS Filter as they were when the workshop was given. Chrome removed its auditor in version 78 (2019), Edge dropped the filter in 2018 and Firefox never had one, so today the header gives no protection at all and CSP is the only browser-side mitigation left.
XSS-Protection
- Bypasses
- Doesn't detect stored XSS: the filter compares the request with the response, and a stored payload is never in the request.
- Doesn't detect DOM XSS
- XSS triggered by the page's own JavaScript execution: the filter inspects the server's response, not what scripts write into the DOM afterwards.
XSS-Protection
- Bypasses
- Google Chrome
- A reflected <script src="..."> that points at the same origin is whitelisted: the auditor assumes same-origin scripts are trusted.
- So an attacker who can upload a file to the site (a "picture" that is really JavaScript) reflects a script tag pointing at it.
- Fix: don't allow JavaScript file uploads (check the real file type) and serve user content with "X-Content-Type-Options: nosniff".
- Or serve uploaded files from another domain, so a reflected script tag can't point at a same-origin file.
- Internet Explorer
- When the Referer of the request is from the same website, the XSS Filter is disabled (it only inspects cross-site navigations).
- JavaScript redirect from a page on the site
- A link hosted on the site (ex.: the website field of a profile or comment)
XSS-Protection
- Bypasses
- More content
- http://slides.com/olivierarteau/xss-auditor-bypass#/
CSP
- Name : Content Security Policy
- Defines what content is allowed to load and run
- Is inline content allowed ?
- Over which protocols (schemes) may content be loaded ?
- Which domains are permitted ?
- Is content from eval-like functions allowed ?
- Can be applied to JavaScript, CSS, XHR connections, fonts, iframes, form actions, etc.
CSP
- Getting started
- The header can be set in report-only mode (Content-Security-Policy-Report-Only): violations are reported to the report-uri, nothing is blocked.
- This lets you tweak the rules until the policy doesn't break anything, then switch to the enforcing header.
- Define at least default-src: every fetch directive you leave out falls back to it.
- Useful resources
- https://content-security-policy.com/
CSP
- Bypasses
- User uploaded content
- Whitelist allowed MIME types (check the real file type, not the extension).
- Use the "X-Content-Type-Options: nosniff" header
- "unsafe-inline" for script
- Avoid this source expression
- Use a nonce instead
- "data:" URI for script
- This is equivalent to "unsafe-inline": the attacker just puts the script in the URI
- Use a nonce instead
- Reflected content inside a nonced script block: the nonce vouches for the whole block, so user input echoed inside it still executes.
CSP
- Bypasses
- Whitelisting too many domains
- Avoid "*" for domains that have a large number of subdomains (ex.: *.googleapis.com)
- Avoid whitelisting domains that everyone can upload to (ex.: github.com / github.io)
- "unsafe-eval" and Angular.JS
- TODO: check whether CSP is bypassable
- ajax.googleapis.com hosts Angular.JS (even if you don't use it!): a whitelisted CDN lets the attacker load a library of their choosing
- DOM XSS
CSP
- Bypasses
- Unfiltered callback for a JSONP endpoint on a whitelisted origin
- /endpoint?callback=alert(/evil/)//
- The response starts with attacker-chosen code, served from an allowed source, so the browser runs it
- Filter the callback argument of JSONP endpoints to [a-zA-Z0-9$_]
- Missing "object-src" or "script-src"
- When "default-src" isn't defined, a missing fetch directive means no restriction at all
- Missing object-src: a Flash SWF loaded through <object> with allowscriptaccess can execute JavaScript
- Missing script-src: a script tag can point to any script hosted anywhere
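The JSONP fix from this slide, as an added example rather than code from the workshop: a handler that rejects any callback name outside the recommended character class, next to the unfiltered version it replaces. The endpoint shape, the response object layout and the sample record are constructed for the demo.

```javascript
// Added example, not part of the original workshop: a JSONP handler that
// only accepts callback names in the character class the slide recommends.
// The response object shape and the sample data are constructed for the demo.
const SAFE_CALLBACK = /^[a-zA-Z0-9$_]{1,64}$/;

// Hardened: returns a {status, headers, body} description of the response.
function jsonpResponse(callback, data) {
  if (typeof callback !== 'string' || !SAFE_CALLBACK.test(callback)) {
    // Refuse rather than sanitize: never echo an unexpected callback back.
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    // The leading comment defeats Flash/CSV polyglot tricks; JSON.stringify
    // keeps the data a literal, so the callback name is the only code position
    // and the regex above has already pinned it to a plain identifier.
    body: `/**/ ${callback}(${JSON.stringify(data)});`,
  };
}

// Vulnerable 'before' for comparison: the callback is echoed verbatim, so
// ?callback=alert(/evil/)// turns a whitelisted origin into a script source
// that runs attacker code, which is the CSP bypass on this slide.
function jsonpResponseUnfiltered(callback, data) {
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript; charset=utf-8' },
    body: `${callback}(${JSON.stringify(data)});`,
  };
}

function demo() {
  const data = { user: 'test', admin: false }; // constructed sample record
  const evil = 'alert(/evil/)//';
  return {
    legit: jsonpResponse('handleUser', data),
    evil: jsonpResponse(evil, data),
    evilUnfiltered: jsonpResponseUnfiltered(evil, data),
  };
}
```

The unfiltered body for the evil callback reads `alert(/evil/)//({...});`: the `//` comments out the rest of the line, so loading the endpoint as a `<script src>` from a whitelisted origin executes `alert` under any policy that allows that origin. The hardened handler answers 400 instead, so there is no attacker-controlled byte left in a script-typed response.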
CSP
- Bypasses
- Further reading
- https://static.googleusercontent.com/media/research.google.com/fr//pubs/archive/45542.pdf ("CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy", Weichselbaum et al., CCS 2016)
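To make the two preceding bypass slides concrete (the wildcard whitelist on *.googleapis.com, and a missing object-src or script-src with no default-src), here is an added example, not code from the workshop or the paper above: a small evaluator for the subset of CSP source matching those slides rely on. It handles 'none', 'self', scheme sources, host sources with a leading "*." wildcard, nonces and 'unsafe-inline'; paths, ports and hashes are deliberately left out. The policies, origins and URLs in `demo()` are constructed for the demo.

```javascript
// Added example, not part of the original slides: evaluates which URLs and
// inline scripts a CSP header allows, including the default-src fallback.
// Supported: 'none', 'self', scheme-sources, host-sources (with "*." wildcard
// and optional scheme), '*', 'nonce-...', 'unsafe-inline'. Not supported on
// purpose: paths, ports, hash-sources. All policies and URLs are constructed.

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Fetch directives fall back to default-src; if neither is present the
// browser applies no restriction at all (the "missing object-src" bypass).
function sourceList(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null; // null means unrestricted
}

function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.googleapis.com" -> ".googleapis.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function sourceMatchesUrl(source, url, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === page.origin;
  if (s.startsWith("'")) return false; // keywords, nonces and hashes never match a URL
  if (s === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source, e.g. data:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)/.exec(s);
  if (!m) return false;
  const [, scheme, hostPattern] = m;
  if (scheme) {
    if (url.protocol !== scheme + ':') return false;
  } else if (url.protocol !== page.protocol && url.protocol !== 'https:') {
    return false; // no scheme given: page scheme, or https as an upgrade
  }
  return hostMatches(hostPattern, url.hostname);
}

function allowsUrl(header, directive, urlString, pageOrigin) {
  const sources = sourceList(parsePolicy(header), directive);
  if (sources === null) return true;
  const url = new URL(urlString);
  const page = new URL(pageOrigin);
  return sources.some((src) => sourceMatchesUrl(src, url, page));
}

// Inline script: 'unsafe-inline' allows it, but is ignored as soon as the
// list carries a nonce or hash (CSP2 rule), so only a matching nonce works.
function allowsInline(header, directive, nonce) {
  const sources = sourceList(parsePolicy(header), directive);
  if (sources === null) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (hasNonceOrHash) return nonce !== undefined && sources.includes(`'nonce-${nonce}'`);
  return sources.includes("'unsafe-inline'");
}

function demo() {
  const page = 'https://forum.example'; // constructed page origin
  const wide = "default-src 'self'; script-src 'self' *.googleapis.com";
  const noDefault = "script-src 'self'";
  return {
    angularFromGoogle: allowsUrl(wide, 'script-src', 'https://ajax.googleapis.com/ajax/libs/angularjs/1.5.8/angular.js', page),
    evilScript: allowsUrl(wide, 'script-src', 'https://evil.example/x.js', page),
    swfWithDefault: allowsUrl(wide, 'object-src', 'https://evil.example/x.swf', page),
    swfNoDefault: allowsUrl(noDefault, 'object-src', 'https://evil.example/x.swf', page),
    inlineWithNonce: allowsInline("script-src 'nonce-r4nd0m'", 'script-src', 'r4nd0m'),
    inlineWrongNonce: allowsInline("script-src 'nonce-r4nd0m'", 'script-src', 'guess'),
    inlineUnsafe: allowsInline("script-src 'unsafe-inline'", 'script-src'),
  };
}
```

`demo()` returns `angularFromGoogle: true` (the wildcard admits a library the site never uses), `swfWithDefault: false` (object-src falls back to default-src 'self') and `swfNoDefault: true` (with no default-src a missing object-src is no restriction at all), which is exactly the ordering of risk the two slides describe.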
Exercises
- Simple forum application
- Offensive exercises
- You can turn off XSS-Protection with "?xss=no"
- You can turn off CSP with "?csp=no"
- Make a payload that bypasses the XSS auditor for the following browsers.
- Chrome
- Internet Explorer
- Both
- Make a payload that bypasses the CSP policies.
- Make a payload that bypasses the CSP policies and the XSS auditor for both browsers!
Exercises
- Simple forum application
- Defensive exercises
- Identify, for each page, the fixes required to protect the application
- Where are the XSS?
- Identify the mitigations to put in place
- What headers are missing?
- What content must be replaced?
- Make sure it doesn't break the website!
- You can run the website locally with Apache and try your fix
Exercises
- Simple application
- The website
- http://workshop.zhack.ca/xss-mitigation/
- Source code
- http://workshop.zhack.ca/xss-mitigation/workshop.zip
- This presentation
- https://slides.com/olivierarteau/xss-mitigation/
Solutions
- DOM XSS - Create account
- http://workshop.zhack.ca/xss-mitigation/create-account.php?test=%27%3E%3Cimg/src=%22x%22onerror=%22alert(1)%22%3E
- Stored XSS - Main page
- Name field of the comment
- Reflected XSS - Login
- http://workshop.zhack.ca/xss-mitigation/login.php?error=%3Cscript%3Ealert(/xss/)%3C/script%3E&xss=no
Solutions
- XSS Auditor bypass
- Chrome
- Create an account "test" and upload your script as your profile image; the auditor whitelists the same-origin src.
- http://workshop.zhack.ca/xss-mitigation/login.php?error=<script+src="/pictures/test"></script>
- Internet Explorer
- Post a comment whose website link is the XSS URL; following it sends a same-site Referer, which turns the filter off.
- http://workshop.zhack.ca/xss-mitigation/login.php?error=<script>alert(/xss/)</script>
Solutions
- XSS Auditor bypass
- Both #1
- Place the link with the Chrome bypass in a comment's website link (same-origin src for Chrome, same-site Referer for IE)
- http://workshop.zhack.ca/xss-mitigation/login.php?error=<script+src="/pictures/test"></script>
- Both #2
- Use the DOM XSS in the "Create account" page
- http://workshop.zhack.ca/xss-mitigation/create-account.php?test='><img/src="x"onerror="alert(1)">
Solutions
- XSS Auditor bypass
- Both #3
- Use the stored XSS in the name field (main page)
Solutions
- CSP bypass
- 'unsafe-inline'
- <script>alert(/xss/)</script>
- Picture upload
- <script src="/pictures/test"></script>
- Works even with 'unsafe-inline' removed, because 'self' is still whitelisted and the upload is served from the same origin
- '*.googleapis.com'
- https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22 (Angular.JS loaded from ajax.googleapis.com)
Solutions
- Fixes !
- File upload
- Check the real MIME type! Accept only image/png, image/jpeg
- X-Content-Type-Options: nosniff
- Host jQuery on the same website or on a CDN with a custom domain name
- Too many things are hosted on ajax.googleapis.com (Angular.JS among them)
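The file-upload fix on this slide, as an added example that is not the workshop's code: the real type is decided from the file's magic bytes, the client-supplied filename and Content-Type are ignored, and stored pictures are served with an explicit image type plus nosniff. The sample files in `demo()` are constructed inline, and the header set is an assumption about how the pictures would be served.

```javascript
// Added example, not from the workshop code: validate an uploaded "picture"
// by its magic bytes rather than its extension or declared type, and build
// the headers for serving it. The sample files are constructed inline.

const SIGNATURES = [
  { type: 'image/png', magic: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
  { type: 'image/jpeg', magic: Buffer.from([0xff, 0xd8, 0xff]) },
];

// Returns the detected image type, or null when the bytes are not a known image.
function detectImageType(bytes) {
  for (const { type, magic } of SIGNATURES) {
    if (bytes.length >= magic.length && bytes.subarray(0, magic.length).equals(magic)) {
      return type;
    }
  }
  return null;
}

// Accept or reject the upload. The client-supplied Content-Type and filename
// are not even parameters here because the attacker controls both.
function validateUpload(bytes) {
  const type = detectImageType(bytes);
  if (type === null) return { accepted: false, reason: 'not a PNG or JPEG' };
  return { accepted: true, type };
}

// Headers for serving a stored picture (assumed layout): an explicit image
// type plus nosniff, so the browser will not reinterpret the body as script
// even if a polyglot file (valid PNG header, JavaScript after it) got through.
function pictureHeaders(type) {
  return {
    'Content-Type': type,
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': 'inline; filename="picture"',
  };
}

function demo() {
  const png = Buffer.concat([SIGNATURES[0].magic, Buffer.from('...IHDR...')]);
  const jpeg = Buffer.concat([SIGNATURES[1].magic, Buffer.from([0xe0])]);
  const script = Buffer.from('alert(/xss/)'); // what the Chrome bypass uploads as an "image"
  return {
    png: validateUpload(png),
    jpeg: validateUpload(jpeg),
    script: validateUpload(script),
    headers: pictureHeaders('image/png'),
  };
}
```

The magic-byte check alone rejects the plain JavaScript file from the Chrome bypass but not a polyglot, which is why the nosniff header is the other half of the fix: with `X-Content-Type-Options: nosniff` and an `image/*` Content-Type the browser refuses to execute the response as a `<script src>` target at all. Re-encoding the image on upload would remove the polyglot case as well.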
Solutions
- Fixes !
- Nonce for the inline script
- <script type="..." nonce="random_part"></script>
- script-src 'nonce-random_part', with a fresh random value generated per response
- Inline CSS can stay allowed (style-src 'unsafe-inline')
- Other possible improvements
- connect-src 'none' and child-src 'none', if the application needs neither XHR nor frames
Slides for the OWASP Workshop presented on January 18th.