Crossing Origins by Crossing Formats
Post on 23-Feb-2016
Crossing Origins by Crossing Formats
Jonas Magazinius, Andrei Sabelfeld (Chalmers University of Technology)
Billy K. Rios (Cylance Inc.)

About
  PhD student at Chalmers until Nov 1st, then Dr. Magazinius
  Securing the mashed up web, 10:00, HA4, Hörsalsvägen, Chalmers
  Co-leader of OWASP Gothenburg
  Part of Cure53
  @internot_
  Father, as some of you might remember

Language-based security
  Using programming language theory for finding and mitigating security vulnerabilities
  Static vs. dynamic analysis
  Information-flow monitoring
  Declassification
  Decentralized
Crossing origins by crossing formats
  Byproduct of research
  Joint work with Billy K. Rios
  Greatly inspired by the work of Julia Wolf

Background
  GIFAR content smuggling attack
    Billy Rios (@XSSniper), Petko D. Petkov (@pdp)
    Attacker uploads a GIF/JAR file
  Cross-origin CSS attack
    Chris Evans (@scarybeasts) et al.
    Attacker injects fragments of CSS into HTML
  Content-type sniffing attacks
    Adam Barth (@adambarth) et al.
    Attacker uploads a PS/HTML file
  Things in common
    Mixing formats
    Re-interpretation of the content
Polyglot
  Definition:
    a person who speaks several languages.
    a program that is valid in multiple programming languages.
  Content that can be interpreted as multiple formats
  Example 1: HTML / JavaScript
    data:text/html,<script>alert('')</script>
  Example 2: C / Pascal / PostScript / TeX / Bash / Perl / Befunge-98

(*a/*/ % #)(PostScript)/Helvetica 40 selectfont 9 400 moveto show%v"f"a0 true showpage quit
%#) 2>/dev/null;echo bash;exit #*/);int main()/*>"eb"v %a*0)unless print"perl\n"__END__*/
{printf("C\n");/*>>#;"egnu">:#,_@;,,,< *)begin writeln(*\output={\setbox0=\box255}\eject\shipout\hbox{\TeX}\end *)('pascal');end.{*/return 0;}

Malicious polyglots
  Two formats (or more): one benign, one malicious
    GIFAR: GIF / Java
    Cross-origin CSS: HTML / CSS
    Content-type sniffing: PS / HTML
Preferred format characteristics
  Widespread, commonly used format
  Error tolerant parsing, or other ways to hide foreign syntax
  Cross-origin communication
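The GIFAR construction from the Background slide and the "mixing formats / re-interpretation" point, as an added example that is not code from the slides or from the authors. It builds a constructed 1x1 GIF, appends a ZIP (a JAR is a ZIP) holding a constructed text member instead of class files, shows that a front-to-back GIF parser and a back-to-front ZIP parser both accept the same bytes, and ends with the check an upload handler would want: a blob that parses as more than one format is a polyglot candidate. The member name payload.txt and the format list in sniff_formats are this example's own choices, and the PS/HTML input at the end is constructed to mirror the content-type sniffing case.

```python
"""GIF/ZIP polyglot in the style of GIFAR, plus a multi-format sniff check.

Added example, not code from the slides or their authors. The image is a
constructed 1x1 GIF and the archive holds a constructed text member; a JAR
is a ZIP, so the byte layout is the same as for the real attack.
"""
import io
import struct
import zipfile


def minimal_gif() -> bytes:
    """A well-formed 1x1 GIF89a with a 2-colour global colour table (35 bytes)."""
    header = b"GIF89a"
    # width, height, packed flags (global colour table of 2 entries), bg index, aspect
    screen = struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    palette = b"\x00\x00\x00\xff\xff\xff"
    # image descriptor: separator, left, top, width, height, packed flags
    image = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    # LZW minimum code size 2, one 2-byte sub-block (clear, pixel 0, end), terminator
    data = b"\x02\x02\x44\x01\x00"
    return header + screen + palette + image + data + b"\x3b"


def zip_with_member(name: str, content: bytes) -> bytes:
    """A stored (uncompressed) ZIP archive containing a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def build_gifar() -> bytes:
    """GIF parsers read from the front; ZIP/JAR parsers locate the central
    directory from the end-of-central-directory record at the back.
    Plain concatenation satisfies both."""
    return minimal_gif() + zip_with_member("payload.txt", b"constructed member")


def gif_dimensions(blob: bytes):
    """Front-to-back view: (width, height) from the logical screen descriptor, or None."""
    if len(blob) < 10 or blob[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack("<HH", blob[6:10])


def zip_members(blob: bytes):
    """Back-to-front view: member names, or None. zipfile re-bases every
    offset from the end record, so leading non-ZIP bytes are ignored."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return None
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def sniff_formats(blob: bytes) -> set:
    """Every format whose parser would accept the blob. An upload filter that
    trusts the declared Content-Type or the leading magic sees only one of
    them; more than one answer marks a polyglot candidate."""
    found = set()
    if gif_dimensions(blob) is not None:
        found.add("gif")
    if zip_members(blob) is not None:
        found.add("zip")
    if b"%PDF" in blob[:1024]:          # PDF readers accept a late header
        found.add("pdf")
    if blob.startswith(b"%!"):
        found.add("postscript")
    head = blob[:2048].lower()
    if b"<html" in head or b"<script" in head:
        found.add("html")
    return found


if __name__ == "__main__":
    gifar = build_gifar()
    print("as GIF:", gif_dimensions(gifar))
    print("as ZIP:", zip_members(gifar))
    print("sniffs as:", sorted(sniff_formats(gifar)))
    # the PS/HTML case from the content-type sniffing attack, constructed here
    print("sniffs as:", sorted(sniff_formats(b"%!PS-Adobe-3.0\n<html><script>1</script></html>")))
```

The point of sniff_formats is that the two views do not compete: the GIF decoder stops at the trailer byte and never sees the archive, while zipfile walks backwards from the end record and never sees the image, so a filter that asks only one parser (or only reads the magic bytes) will pass the file.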
Polyglot attacks
  Infiltrate
    Syntax injection: cross-origin CSS attack
    Content smuggling: GIFAR
  Embed
    Context-based re-interpretation
    The content-type provided by the server is overridden

Tags that allow re-interpretation of content:
  CSS: the <link> tag
  Java: the <applet> tag
  Content sniffing: the <object> tag, and <embed>, which allows arbitrary interpretation based on the type attribute
Attack vectors: syntax injection
  A vulnerable web service reflects parameters into content
  Fragments of syntax are injected, resulting in a polyglot
  The polyglot is embedded under the origin of the attacker
  The polyglot has the origin of, and can communicate with, the vulnerable service
  Visitors to the attacker's domain are exploited
  Known attack instances
    Cross-origin CSS attack
    (Cross-site scripting)
(Figure: request flow; steps (1) and (2) at attacker.com, steps (3) and (4) at vulnerable.com)
Attack vectors: content smuggling
  A vulnerable web service allows users to upload content
  The attacker uploads a polyglot to the vulnerable origin
  The polyglot is embedded under the origin of the attacker
  The polyglot has the origin of, and can communicate with, the vulnerable service
  Visitors to the attacker's domain are exploited
  Known attack instances
    GIFAR
    Content sniffing attack
(Figure: request flow; step (1) at attacker.com, steps (2) to (5) at vulnerable.com)
Payloads: exploiting the origin
  Cross-origin information leakage
    Request sensitive user information
    Leak it to the attacker across origins
  Cross-site request forgery
    Traditionally, issue requests with the credentials of the victim
    Protected using tokens
    Impact is far greater if it is possible to read the response
      Extract the token
      Make the request

Portable Document Format
  Standardized document format: ISO 32000-1
  Container format
    Embed related resources
    Contains foreign syntax by design
  Error tolerant parsing
  Powerful capabilities
    Display text
    Render 2D/3D graphics
    Animations
    Forms
    Launch commands (restricted)
    Execute JavaScript
    Embed Flash (just fantastic)
    Issue HTTP requests, with cookies!!
Header
  %PDF-1.7
Objects
  1 0 obj
  << ... >>
  stream
  ...content stream...
  endstream
  endobj
Cross-reference
  xref
  00000012 0000 n
Trailer
  trailer
  << ... >>
  startxref
  105
  %%EOF
Document Structure
%PDF-1.4
1 0 obj
<< ... >>
endobj
2 0 obj
<< ... >>
endobj
3 0 obj
<< ... >>
endobj
4 0 obj
<< ... << ... >> >>
endobj
5 0 obj
<< ... >>
stream
...
endstream
endobj
6 0 obj
[/PDF]
endobj
xref
0 7
0000000000 65535 f
0000000009 00000 n
0000000074 00000 n
0000000120 00000 n
0000000179 00000 n
0000000300 00000 n
0000000384 00000 n
trailer
<< ... >>
startxref
408
%%EOF
Minimal PDF (according to the specification)
%PDF
1 0 obj
trailer

or even shorter

%PDF
trailer
% 1 0 obj

or even shorter

%PDF
trailer
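The document structure slides above, as an added example that is not the slides' or the authors' code. The dictionary contents were lost from the slides, so the object bodies here are constructed: a catalog, page tree, one page, its content stream and a font, in the same section order (header, numbered objects, xref table, trailer, startxref), with the xref offsets computed from the bytes actually written, which is what the offsets 9, 74, 120, ... on the slide are. The catalog also carries an /OpenAction that runs document JavaScript (the "Execute JavaScript" capability from the Payloads slide); the script is a harmless app.alert constructed for this example. check_xref is a strict structural check, not a reader: it accepts a foreign prefix before the header (Acrobat-family readers accept a %PDF header anywhere in the first 1024 bytes, which is the tolerance a polyglot relies on) as long as the offsets still line up, and it flags the slide's two-token minimum and a file whose table was not rewritten after bytes were inserted, both of which a tolerant viewer may open anyway.

```python
"""A small PDF written with a correct cross-reference table, plus a strict
structural check of it.

Added example, not the slides' or the authors' code. Object bodies, the
page content and the /OpenAction script (a harmless app.alert) are all
constructed here.
"""
import re


def stream_obj(content: bytes) -> bytes:
    """Body of a stream object; /Length must equal the bytes between the keywords."""
    return b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream"


def build_pdf(objects, root=1, prefix=b""):
    """Serialise object bodies as objects 1..n, then xref, trailer, startxref.

    Offsets are taken from the bytes already written, so a foreign `prefix`
    placed before the header (the polyglot case) is accounted for without
    any manual bookkeeping.
    """
    out = bytearray(prefix + b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    size = len(objects) + 1                   # entry 0 is the free-list head
    out += b"xref\n0 %d\n" % size
    out += b"0000000000 65535 f \n"           # each entry is exactly 20 bytes
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root %d 0 R >>\n" % (size, root)
    out += b"startxref\n%d\n%%%%EOF\n" % xref_pos
    return bytes(out)


def build_demo_pdf(prefix=b""):
    """Catalog, page tree, one page, its content stream and a font, as on the
    slide; the catalog also carries document JavaScript run on open."""
    js = b'app.alert("document JavaScript ran")'
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS (" + js + b") >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Contents 4 0 R"
        b" /Resources << /Font << /F1 5 0 R >> >> >>",
        stream_obj(b"BT /F1 24 Tf 20 40 Td (Hello) Tj ET"),
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    return build_pdf(objects, prefix=prefix)


def check_xref(pdf: bytes):
    """Strict check: header near the front, startxref pointing at an xref
    table, and every in-use entry pointing at 'num gen obj'. Returns the
    list of problems; a tolerant reader would open files that fail this."""
    problems = []
    if b"%PDF" not in pdf[:1024]:
        problems.append("no %PDF header in the first 1024 bytes")
    pos = pdf.rfind(b"startxref")
    tail = re.match(rb"startxref\s+(\d+)\s+%%EOF", pdf[pos:]) if pos >= 0 else None
    if tail is None:
        return problems + ["no startxref/%%EOF"]
    xref_pos = int(tail.group(1))
    head = re.match(rb"xref\s+(\d+)\s+(\d+)\s+", pdf[xref_pos:])
    if head is None:
        return problems + ["startxref %d does not point at an xref table" % xref_pos]
    first, count = int(head.group(1)), int(head.group(2))
    entries = pdf[xref_pos + head.end():]
    for i in range(count):
        entry = entries[i * 20:(i + 1) * 20]
        offset, gen, kind = int(entry[:10]), int(entry[11:16]), entry[17:18]
        num = first + i
        if kind == b"n" and not pdf[offset:].startswith(b"%d %d obj" % (num, gen)):
            problems.append("object %d: offset %d does not point at its header" % (num, offset))
    return problems


if __name__ == "__main__":
    pdf = build_demo_pdf()
    print(pdf.decode("latin-1"))
    print("problems:", check_xref(pdf))
    print("with prefix:", check_xref(build_demo_pdf(prefix=b"GIF89a" + b"\x00" * 30 + b"\n")))
    print("bytes inserted:", check_xref(pdf.replace(b"%PDF-1.4\n", b"%PDF-1.4\n% shifted\n")))
    print("slide minimum:", check_xref(b"%PDF trailer"))
```

Inserting bytes after the header without regenerating the table is the usual way a hand-edited PDF breaks: every offset in the xref and the startxref value are now too small, which the check reports while a tolerant reader quietly rebuilds the table by scanning for "obj" keywords. That same rebuild-on-failure behaviour is what lets a file as short as "%PDF trailer" open at all.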