insane in the iframe -- the case for client-side html sanitization

Report

Post on 06-Jul-2015

2.379 Views

Category:

Technology

1 Downloads

Preview:

Click to see full reader

DESCRIPTION

Server-side HTML sanitization is a familiar web application building block, yet despite years of offensive security research, defensive “sanitizer science” is still a kind of voodoo magic. This talk will make the case that as server-side HTML sanitizers lack the ability to effectively simulate every potential user agent, the client itself is the only party empowered to perform accurate sanitization. We will examine the DOM API primitives required to perform such client-side sanitization and review results and learning from a prototype implementation.

TRANSCRIPT

David RossPrincipal Software Security EngineerTrustworthy Computing SecurityMicrosoft

@randomdross

https://twitter.com/randomdross
https://twitter.com/randomdross

*

http://www.phreedom.org/presentations/blackbox-reversing-of-xss-filters/blackbox-reversing-of-xss-filters.pdf

@NealPoolehttps://t.co/5omk5ec2UD

http://twitter.com/nealpoole
http://twitter.com/nealpoole
https://t.co/5omk5ec2UD
https://t.co/5omk5ec2UD
https://t.co/5omk5ec2UD
https://t.co/5omk5ec2UD
https://t.co/5omk5ec2UD
https://t.co/5omk5ec2UD
https://t.co/5omk5ec2UD
https://t.co/5omk5ec2UD
https://t.co/5omk5ec2UD

@kkotowicz@NealPoole @adam_baldwin

http://twitter.com/kkotowicz
http://twitter.com/kkotowicz
http://twitter.com/nealpoole
http://twitter.com/nealpoole
http://twitter.com/adam_baldwin
http://twitter.com/adam_baldwin

@sneak_@superevr

http://twitter.com/sneak_
http://twitter.com/superevr
http://twitter.com/superevr

difficult

• No independent parsing / context handling

everything else

http://lcamtuf.coredump.cx/postxss/
http://www.nds.rub.de/research/publications/scriptless-attacks/

document.implementation.createHTMLDocument

http://msdn.microsoft.com/en-us/library/ie/ff975457(v=vs.85).aspx

document.createTreeWalker

http://msdn.microsoft.com/en-us/library/ie/ff975302(v=vs.85).aspx

3. Remove elements / attributes / etc. not explicitly allowed*

* Old (less-performant) approach:Build yet another DOM by copying safe elements / attributes / etc. to a new DOM during tree walk

document.implementation.createHTMLDocument

Must never run script

http://msdn.microsoft.com/en-us/library/ie/ff975457(v=vs.85).aspx
https://developer.mozilla.org/en-US/docs/Code_snippets/HTML_to_DOM

setAttribute

http://msdn.microsoft.com/en-us/library/system.windows.forms.htmlelement.setattribute.aspx

promises / deferreds

http://msdn.microsoft.com/en-us/magazine/gg723713.aspx
http://msdn.microsoft.com/en-us/magazine/gg723713.aspx

[Demo] [Benchmark]

Options precedence / inheritance rules: (Options specified on target element) > (options specified on sanitize() call) > (default options)

http://localhost/dross/jSanity/jsanity-demo-pretty.htm
http://localhost/dross/jSanity/jsanity-benchmark-pretty.htm

Mario Heiderich @0x6D6172696FJSAgents / IceShield

Gareth Heyes @garethheyesJSLR

Ben LivshitsLoris D’Antoni

FAST

Caja HTML sanitizer

Stefano Di Paola Eduardo ‘Sirdarckcat’ Vela N.

http://mario.heideri.ch/
https://twitter.com/0x6D6172696F
http://www.nds.rub.de/research/publications/iceshield-detection-and-mitigation-malicious-sites/
http://www.nds.rub.de/research/publications/iceshield-detection-and-mitigation-malicious-sites/
https://hackvertor.co.uk/public
https://twitter.com/garethheyes
https://twitter.com/garethheyes
http://www.thespanner.co.uk/2012/06/05/jslr/
http://research.microsoft.com/en-us/um/people/livshits/
http://www.cis.upenn.edu/~lorisdan/
http://research.microsoft.com/apps/pubs/default.aspx?id=179252
https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/plugin/html-sanitizer.js
https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/plugin/html-sanitizer.js
http://www.wisec.it/sectou.php?id=46c5843ea4900
http://sebug.net/paper/pst_WebZine/pst_WebZine_0x04/ACS - Active Content Signatures.pdf
http://sebug.net/paper/pst_WebZine/pst_WebZine_0x04/ACS - Active Content Signatures.pdf
http://sebug.net/paper/pst_WebZine/pst_WebZine_0x04/ACS - Active Content Signatures.pdf

I just presented on HTML sanitization at OWASP AppSec EU 2013. AMA! (self.AMA)

1 Submitted 1 second ago by randomdross

0 comments share

top related

sanitization services in udaipur
Business
sanitization - agrochem inc
Documents
revista insane
Documents
iframe slo 2014 dvoslojno
Documents
secure data sanitization
Documents
iframe post api user guide - bli...
Documents
iframe katalog part6 iframe pivot rev7€¦ · iframe pivot...
Documents
d - 19 sanitization equipment
Documents
sanitization of electronic media
Documents
guidelines for media sanitization
Documents
simple iframe app
Technology
insane ireland
Documents
iframe slo 2014 troslojno
Documents
salon safe sanitization
Documents
robust javascript [50min] · iframe sandbox same-origin...
Documents
insane perspective
Documents
facebook:: iframe tabs erstellen
Documents
insane perspectives
Documents
sanitization in udaipur
Business
ctfa cleaning & sanitization guidelines
Documents