XSS mitigation

XSS-Protection

• Modes
  • default
    • X-XSS-Protection: 1
    • Browser removes detected content
  • block
    • X-XSS-Protection: 1; mode=block
    • Browser doesn't render the page when it detects something
• Not setting this header will default to "enable".
  • Some online tools will incorrectly tell you need to set this header to be protected. This is wrong.

XSS-Protection

• Bypasses
  • Doesn't detect stored XSS.
     
  • Doesn't detect DOM XSS
    • XSS that are trigger by the JavaScript execution

XSS-Protection

• Bypasses
  • Google Chrome
    • Reflected content that uses content from the same website is whitelisted.
      • Don't allow JavaScript file upload and serve user content with "X-Content-Type-Options: nosniff".
      • Use an other domain for JavaScript file.
  • Internet Explorer
    • When the Referer of the page is from the same website, the XSS Auditor is disabled.
      • JavaScript redirect
      • Hosted link (ex.: my website, etc.)

XSS-Protection

• Bypasses
  • More content
    • http://slides.com/olivierarteau/xss-auditor-bypass#/

CSP

• Name : Content Security Policy
• Defines what content is allowed
  • Is inline content allowed ?
  • What protocol is content allowed ?
  • What domain are permitted ?
  • Is content from eval-like function allowed ?
• Can be applied to JavaScript, CSS, XHR connect, Font, IFrame, Form action, etc.

CSP

• Getting started
  • This header can be set in report mode.
    • Will allow you to tweak the rules until it doesn't break anything.
  • Define at least the default-src
  • Useful resources
    • ​https://content-security-policy.com/

CSP

• Bypasses
  • User uploaded content
    • Whitelist allowed mime type.
    • Use the "X-Content-Options: nosniff" header
       
  • "unsafe-inline" for script
    • Avoid using this directive
    • Use nonce instead
       
  • "data:" URI for script
    • This is equivalent to "unsafe-inline"
    • Use nonce instead
       
  • ​​Reflected content in nonce script.

CSP

• Bypasses
  • Whitelisting too many domain
    • Avoid "*" for domain that have a large amount of subdomain (ex.: *.googleapis.com)
    • Avoid whitelisting domain that everyone can upload to (ex.: github.com / github.io)
       
  • "unsafe-eval" and Angular.JS
    • TODO : Check si CSP est bypassable
    • ajax.googleapis.com hosts Angular.JS (even if you don't use it !)
       
  • DOM XSS

CSP

• Bypasses
  • Unfiltered callback for JSONP endpoint.
    • /endpoint?callback=alert(/evil/)//
    • Filter the callback arguments of JSONP endpoint to [a-zA-Z0-9$_]
       
  • Missing "object-src" or "script-src"
    • When "default-src" isn't defined
    • Missing object-src (SWF + allowscriptaccess)
    • Missing script-src (Can point to any script hosted anywhere)

CSP

• Bypasses
  • Further reading
    • https://static.googleusercontent.com/media/
      research.google.com/fr//pubs/archive/45542.pdf

Exercises

• Simple forum application
  • Offensive exercices
    • You can turn off XSS-Protection with "?xss=no"
    • You can turn off CSP with "?csp=no"
    • Make a payload that bypasses the XSS auditor for the following browsers.
      • Chrome
      • Internet Explorer
      • Both
    • Make a payload that bypasses the CSP policies.
    • Make a payload that bypasses the CSP policies and the XSS auditor for both browsers !

Exercises

• Simple forum application
  • Defensive exercices
    • Identity for the pages the fixes required to protect the application
      • Where are the XSS ?
    • Identity the mitigation to put in place
      • What headers are missing ?
      • What content must be replaced ?
      • Make sure it doesn't break the website !
         
    • You can run the website locally with Apache and try your fix

Exercises

• Simple application
  • The website
    • http://workshop.zhack.ca/xss-mitigation/
       
  • Source code
    • http://workshop.zhack.ca/xss-mitigation/workshop.zip
      ​
  • This presentation
    •  https://slides.com/olivierarteau/xss-mitigation/

Solutions

• DOM XSS - Create account
  • http://workshop.zhack.ca/xss-mitigation/create-account.php?test=%27%3E%3Cimg/src=%22x%22onerror=%22alert(1)%22%3E
     
• Stored XSS - Main page
  • Name field of the comment
     
• Reflected XSS - Login
  • http://workshop.zhack.ca/xss-mitigation/login.php?error=%3Cscript%3Ealert(/xss/)%3C/script%3E&xss=no

Solutions

• XSS Auditor bypass
  • Chrome
    • Create an account "test" and upload your script as your image.
    • http://workshop.zhack.ca/xss-mitigation/login.php?error=<script+src="/pictures/test"></script>
       
  • Internet Explorer
    • Make a comment with your website as the XSS link
    • http://workshop.zhack.ca/xss-mitigation/login.php?error=<script>alert(/xss/)</script>

Solutions

• XSS Auditor bypass
  • Both #1
    • Place the link with the Chrome bypass in a website link
    • http://workshop.zhack.ca/xss-mitigation/login.php?error=<script+src="/pictures/test"></script>
       
  • Both #2
    • ​Use the DOM XSS in the "Create account" page
    • http://workshop.zhack.ca/xss-mitigation/create-account.php?test='><img/src="x"onerror="alert(1)">
      ​

Solutions

• XSS Auditor bypass
  • Both #3
    • Use the stored XSS in the name field (main page)

Solutions

• CSP bypass
  • 'unsafe-inline'
    • <script>alert(/xss/)</script>
       
  • Picture upload
    • <script src="/pictures/test"></script>
    • Works even with 'unsafe-inline' removed
       
  • '*.googleapis.com'
    • https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22

Solutions

• Fixes !
  • File upload
    • Correct mime type ! image/png, image/jpeg
    • X-Content-Options: nosniff
       
  • Host jQuery on the same website or CDN with custom domain name
    • Too many thing hosted on ajax.googleapis.com

Solutions

• Fixes !
  • Nonce for the inline script
    • <script type="..." nonce="random_part"></script>
    • 'nonce-random_part'
    • Allow inline CSS
       
  • Other possible improvement
    • connect-src 'none' and child-src 'none'