crossing origins by crossing formats

Crossing Origins by Crossing Formats

Jonas Magazinius, Andrei Sabelfeld Chalmers University of TechnologyBilly K. Rios Cylance Inc.Crossing Origins by Crossing FormatsAboutPhD Student, Chalmers until Nov 1st then Dr. MagaziniusSecuring the mashed up web10:00 HA4 Hrsalsvgen, Chalmers Co-leader of OWASP GothenburgPart of Cure53@internot_Father as some of you might rememberLanguage-based securityUsing programming language theory for finding and mitigating security vulnerabilitiesStatic vs. dynamic analysisInformation-flow monitoringDeclassificationDecentralized

Crossing origins by crossing formatsByproduct of researchJoint work with Billy K. RiosGreatly inspired by the work of Julia WolfBackgroundGIFAR content smuggling attackBilly Rios (@XSSniper), Petko D. Petkov (@pdp)Attacker uploads GIF/JAR file

Cross-origin CSS attackChris Evans (@scarybeasts) et al.Attacker injects fragments of CSS into HTML

Content-type sniffing attacksAdam Barth (@adambarth) et al.Attacker uploads PS/HTML file

Things in common mixing formats re-interpretation of the content

PolyglotDefinition:a person who speaks several languages.a program that is valid in multiple programming languages.Content that can be interpreted as multiple formatsExample 1 HTML / JavaScriptdata:text/html,alert('')Example 2 C / Pascal / PostScript / TeX / Bash / Perl / Befunge98(*a/*/ % #)(PostScript)/Helvetica 40 selectfont 9 400 moveto show%v"f"a0 true showpage quit%#) 2>/dev/null;echo bash;exit #*/);int main()/*>"eb"v %a*0)unless print"perl\n"__END__*/{printf("C\n");/*>>#;"egnu">:#,_@;,,,< *)begin writeln(*\output={\setbox0=\box255}\eject\shipout\hbox{\TeX}\end *)('pascal');end.{*/return 0;}Malicious PolyglotsTwo formats (or more)One benignOne malicious

GIFAR GIF/JAVACross-origin CSS HTML/CSSContent-type sniffing PS/HTML

Preferred format characteristicsWidespread, commonly used formatError tolerant parsing, or other ways to hide foreign syntaxCross-origin communication

Polyglot attacksInfiltrateSyntax injection Cross-origin CSS attackContent smuggling GIFAREmbedContext based re-interpretationThe content-type provided by the server is overridden

Tags that allow re-interpretation of content:CSS -tagJava -tagContent sniffing -tag and allows arbitrary interpretation based on type attribute

Attack vectors Syntax injectionA vulnerable webservice reflects parameters into contentFragments of syntax is injected resulting in a polyglotPolyglot is embedded under the origin of the attackerThe polyglot has origin of, and can communicate with vulnerable serviceVisitors of the attackers domain are exploitedKnown attack instancesCross-origin CSS attack(Cross-site scripting)

vulnerable.com

(3)(4)attacker.com

(1)(2)

Attack vectors Content smugglingA vulnerable webservice allows users to upload contentAttacker uploads a polyglot to the vulnerable originPolyglot is embedded under the origin of the attackerThe polyglot has origin of, and can communicate with vulnerable serviceVisitors of the attackers domain are exploitedKnown attack instancesGIFARContent sniffing attack

attacker.com

(1)

vulnerable.com

(2)(3)(4)(5)

Payloads Exploiting the origin Cross-origin information leakageRequest sensitive user informationLeak to attacker across originsCross-site request forgeryTraditionally, issue requests with the credentials of the victimProtect using tokensImpact is far greater if it is possible to read the responseExtract tokenMake requestStandardized document format ISO32000-1Container formatEmbed related resourcesContain foreign syntax by designError tolerant parsingPowerful capabilitiesDisplay textRender 2D/3D graphicsAnimationsFormsLaunch commands (restricted)Execute JavaScriptEmbed Flash just fantasticIssue HTTP-requestWith cookies!!Portable Document Format

Header %PDF-1.7Objects1 0 obj > streamContent streamendstreamendobjCross-referencexref00000012 0000 nendxrefTrailerstartxref 105trailer >%%EOF

Document Structure

%PDF-1.41 0 obj>endobj2 0 obj>endobj3 0 obj>endobj4 0 obj>>endobj5 0 obj>streamendstreamendobj6 0 obj[/PDF]endobjxref0 70000000000 65535 f0000000009 00000 n0000000074 00000 n0000000120 00000 n0000000179 00000 n0000000300 00000 n0000000384 00000 ntrailer>startxref408%%EOF

Minimal PDF (according to Specification)%PDF1 0 objtrailer

or even shorter

%PDF trailer% 1 0 obj

or even shorter

%PDF trailer