Crossing Origins by Crossing Formats
1. CROSSING ORIGINS BY CROSSING FORMATS
Jonas Magazinius – Chalmers University of Technology
Hacker Praktikum 2012
OWASP Norway 2013
2. RELATED WORK
• GIFAR – content smuggling attack
• Billy Rios (@XSSniper), Petko D. Petkov (@pdp)
• Cross-origin CSS attack
• Chris Evans (@scarybeasts) et al.
• Content-type sniffing attacks
• Adam Barth (@adambarth) et al.
3. CROSS-ORIGIN CSS ATTACK
• Minimal amount of CSS-syntax injected in target HTML-page
• {}#f{font-family:'
• … arbitrary HTML content …
• '}
• Attacker uses the HTML-page as a style-sheet in his own page
• Victim visits the attacker's page
• Attacker can extract the arbitrary content from imported style-sheet
4. GIFAR – CONTENT SMUGGLING ATTACK
• GIF-image
• Parsed top-down, content after trailer ignored
• JAR-file
• Based on ZIP-archives
• Parsed bottom-up, content before header ignored
• GIF + JAR = GIFAR
• copy /b benign.gif + malicious.jar gifar.gif
• The GIFAR is uploaded to a vulnerable service,
• The GIFAR is embedded from the vulnerable service on the attacker's page as an applet
• Any visitor to the attacker's page will execute the applet
5. CONTENT SNIFFING ATTACK
• Browser performs content sniffing when server provides unknown content-type
• Content is matched against a series of signatures
• If a match is found the content is interpreted as the matched type
• Attacker creates a “chameleon” file
• Benign format + HTML
• The file is crafted to match HTML signature
• The chameleon is uploaded to a vulnerable service
• The chameleon is embedded in an iframe on the attacker's page
• Any visitor will trigger the content sniffing and render the HTML
6. GENERALIZING
• One thing in common…
• … the browser re-interprets the content in a different format based on the context
• The content-type provided by the server is overridden
• Tags that allow re-interpretation of content:
• CSS – <link>-tag
• Java – <applet>-tag
• Content sniffing – <iframe>-tag
• <object> and <embed> allow arbitrary interpretation based on the type attribute
7. POLYGLOT
• Definition:
• "…a person who speaks several languages."
• "…a program that is valid in multiple programming languages."
• Content that can be interpreted as multiple formats
• Example 1 – HTML / JavaScript
• data:text/html,alert('polyglot')//<script src="%23"></script>
• Example 2 – C / Pascal / PostScript / TeX / Bash / Perl / Befunge98
• (*a/*/ % #)(PostScript)/Helvetica 40 selectfont 9 400 moveto show%v"f"a0 true
showpage quit%#) 2>/dev/null;echo bash;exit #*/);int main()/*>"eb"v %a*0)unless
print"perl\n"__END__*/{printf("C\n");/*>>#;"egnu">:#,_@;,,,< *)begin
writeln(*output={\setbox0=\box255}\eject\shipout\hbox{TeX}\end
*)('pascal');end.{*/return 0;}
8. MALICIOUS POLYGLOTS
• Two formats (or more)
• One benign
• One malicious
• Preferred format characteristics
• Widespread, commonly used format
• Error tolerant parsing, or other ways to hide foreign syntax
• Issue same-origin requests including the credentials (cookies) of the victim
9. ATTACK VECTORS – SYNTAX INJECTION
• A vulnerable webservice reflects parameters into content
• Fragments of syntax are injected, resulting in a polyglot
• Polyglot is embedded under the origin of the attacker
• The polyglot has origin of, and can communicate with vulnerable service
• Visitors to the attacker's domain are exploited
• Known attack instances
• Cross-origin CSS attack
• (Cross-site scripting)
[Diagram: steps (1) to (4) between attacker.com and vulnerable.com]
10. ATTACK VECTORS – CONTENT SMUGGLING
• A vulnerable webservice allows users to upload content
• Attacker uploads a polyglot to the vulnerable origin
• Polyglot is embedded under the origin of the attacker
• The polyglot has origin of, and can communicate with vulnerable service
• Visitors to the attacker's domain are exploited
• Known attack instances
• GIFAR
• Content sniffing attack
[Diagram: steps (1) to (5) between attacker.com and vulnerable.com]
11. PAYLOADS – EXPLOITING THE ORIGIN
• Cross-origin information leakage
• Request sensitive user information
• Leak to attacker across origins
• Cross-site request forgery
• Traditionally, issue requests with the credentials of the victim
• Protect using tokens
• Impact is far greater if it is possible to read the response
• Extract token
• Make request
12. PORTABLE DOCUMENT FORMAT
• Standardized document format – ISO32000-1
• Container format
• Embed related resources
• Contain foreign syntax by design
• Error tolerant parsing
• Powerful capabilities
13. CAPABILITIES
• Display text
• Render 2D/3D graphics
• Animations
• Forms
• Launch commands (restricted)
• Execute JavaScript
• Embed Flash
• Issue HTTP-request
• With cookies!!
15. SYNTAX
Objects
• Direct
• Inlined in the code
• Indirect
• Numbered for reference from other objects
• 1 0 R
Types
• Booleans – true, false
• Integers
• Strings – (A string 43)
• Names – /N#61me
• Arrays – [ 1 2 3 ]
• Dictionaries – <</Name /Value>>
• Streams
1 0 obj (Some string)
endobj
1 0 obj <</Length 0>>stream
endstream
endobj
16. MINIMAL PDF (ACCORDING TO SPECIFICATION)
%PDF-1.4
1 0 obj<<
/Type /Catalog
/Outlines 2 0 R
/Pages 3 0 R
>>
endobj
2 0 obj<< /Type /Outlines /Count 0>>
endobj
3 0 obj<<
/Type /Pages
/Kids [4 0 R]
/Count 1
>>
endobj
4 0 obj<<
/Type /Page
/Parent 3 0 R
/MediaBox [0 0 612 792]
/Contents 5 0 R
/Resources << /ProcSet 6 0 R >>>>
endobj
5 0 obj<< /Length 35 >>stream
endstream
endobj
6 0 obj[/PDF]
endobj
xref
0 7
0000000000 65535 f
0000000009 00000 n
0000000074 00000 n
0000000120 00000 n
0000000179 00000 n
0000000300 00000 n
0000000384 00000 n
trailer<<
/Size 7
/Root 1 0 R>>
startxref
408
%%EOF
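The xref offsets above (9, 74, 120, …) and the startxref value are byte positions that must be computed, which is why a hand-built PDF so easily ends up relying on error-tolerant parsing. The following is an added example, not from the slides: it serialises the same six objects, computes the xref table, and checks that every in-use entry really lands on its "N 0 obj" line and that startxref points at the xref keyword.

```python
import re

# Objects of the slide-16 minimal PDF, in object-number order (1..6).
OBJECTS = [
    b"<</Type /Catalog /Outlines 2 0 R /Pages 3 0 R>>",
    b"<</Type /Outlines /Count 0>>",
    b"<</Type /Pages /Kids [4 0 R] /Count 1>>",
    b"<</Type /Page /Parent 3 0 R /MediaBox [0 0 612 792] "
    b"/Contents 5 0 R /Resources <</ProcSet 6 0 R>>>>",
    b"<</Length 0>>stream\nendstream",
    b"[/PDF]",
]

def build_minimal_pdf(objects=OBJECTS):
    """Serialise the objects and emit an xref table with computed byte offsets."""
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))            # byte offset where "N 0 obj" starts
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off    # fixed-width 20-byte entries
    out += b"trailer\n<</Size %d /Root 1 0 R>>\n" % (len(objects) + 1)
    out += b"startxref\n%d\n%%%%EOF\n" % xref_pos
    return bytes(out)

def check_xref(pdf):
    """Follow startxref and verify every in-use entry lands on 'N 0 obj'."""
    m = re.search(rb"startxref\s+(\d+)\s+%%EOF", pdf)
    if not m or not pdf.startswith(b"xref", int(m.group(1))):
        return False
    xref_pos = int(m.group(1))
    hdr = re.match(rb"xref\s+(\d+) (\d+)\s+", pdf[xref_pos:])
    if not hdr:
        return False
    first, count = int(hdr.group(1)), int(hdr.group(2))
    entries = re.findall(rb"(\d{10}) (\d{5}) ([nf])", pdf[xref_pos + hdr.end():])
    if len(entries) < count:
        return False
    for i, (off, _gen, kind) in enumerate(entries[:count]):
        if kind == b"n" and not pdf.startswith(b"%d 0 obj" % (first + i), int(off)):
            return False
    return True
```

A strict check like check_xref is what a spec-following parser would do; the interpreters on the next slide accept far less.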
17. MINIMAL PDF (ACCORDING TO INTERPRETER)
Adobe Reader:
%PDF-1.
trailer<</Root<</Pages<<>>>>
…or executing JavaScript…
%PDF-1.
trailer<</Root<</Pages<<>>
/OpenAction<</S/JavaScript
/JS(app.alert('PDF'))>>
>>
Google Chrome PDF Reader:
%PDF
1 0 obj<</Pages<<>>>>
trailer<</Root 1 0 R>>
…or even shorter…
%PDF trailer% 1 0 obj
<</Root 1 0 R/Pages<<>>>>
…or even shorter…
%PDF trailer<</Root% 1 0 obj<</Pages
>> 1 0 R>>
18. ERROR TOLERANT PARSING
This text would also be a valid %PDF-1.
With the condition that the
trailer %begins on a new line and that there isn’t
<</too /much /garbage /in /Root<</Pages<<>>>> the dictionary.
19. COMMUNICATION
• PDF
• URL Action – Redirects the browser
• JavaScript
• Inherits the origin of the document
• Uses the cookies of the browser
• launchURL() – Redirects the browser
• getURL() – Redirects the browser
• submitForm() – POST request via the browser
• XML External Entity
• Two-way communication
• Patched in latest version of Adobe Reader
• Embedded Flash
• Inherits the origin of the document
• Two-way communication
• Uses its own set of cookies
20. PDF POLYGLOTS
Syntax injection
• Easy to inject
• Token-set overlaps with HTML
• Context dependent
• Can extract sensitive information
• CSRF protection token
• User information
• Impact
• CSRF
• Cross-origin leakage
Content smuggling
• Mixes well with just about any format
• Server can verify benign format
• Impact
• CSRF
• Cross-origin leakage
23. POTENTIAL TARGETS
Syntax injection
• User supplied content reflected
• XSS vulnerabilities
• JSON
• XML
Content smuggling
• PDF as the malicious format
• User provided content of any kind
• PDF as the benign format
• CV database
• Conference systems
25. MITIGATION
• Server-side
• Syntax injection
• Filtering? In general, no!
• PDF tokens and keywords – { <, >, trailer }
• Content-smuggling
• Serve content from a sandboxed domain (www.googleusercontent.com)
• Browser
• Strict enforcement of server provided content-type
• Disallow type-attribute
• Interpreter
• Strict parsing?
• Improvements in latest version
• Matching first bytes against known magic values
• Already found a bypass!
• Limit communication methods further
• Implemented in latest version, according to our recommendations
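An added upload-screening check for the content-smuggling case (example code, not from the slides): it reports which pieces of PDF structure an upload carries, matching both the raw bytes and a comment-stripped view, since the Chrome example on slide 17 parks "1 0 obj" behind a "%". It is a detection aid next to serving from a sandboxed domain, not a replacement; the sample inputs are the slide 18 paragraph, the short Chrome form from slide 17, and a constructed non-PDF.

```python
import re

# A PDF comment runs from '%' to end of line and is skipped by the parser, so
# tokens are matched on both the raw bytes and a comment-stripped view.
def strip_pdf_comments(data):
    return re.sub(rb"%(?!PDF)[^\r\n]*", b"", data)

# Structure the slide-17 interpreters accept as a PDF: a trailer dictionary,
# a /Root key and (for Chrome's first form) an indirect object definition.
TOKENS = {
    "trailer dict": re.compile(rb"trailer\s*<<"),
    "root key": re.compile(rb"/Root\b"),
    "indirect object": re.compile(rb"\b\d+\s+\d+\s+obj\b"),
}

def pdf_polyglot_findings(data, header_window=1024):
    """Return sorted reasons an upload could be interpreted as a PDF.

    The header is accepted anywhere within header_window bytes: a check pinned
    to offset 0 is the kind of magic-value test slide 25 reports as bypassed.
    An empty list means no PDF structure was found.
    """
    findings = set()
    for view in (data, strip_pdf_comments(data)):
        if b"%PDF" in view[:header_window]:
            findings.add("header")
        for name, pattern in TOKENS.items():
            if pattern.search(view):
                findings.add(name)
    return sorted(findings)

# Sample inputs: slide 18 paragraph (ASCII copy), slide 17 Chrome form, and a
# constructed PNG-like blob with no PDF tokens.
SLIDE18_TEXT = (b"This text would also be a valid %PDF-1.\n"
                b"With the condition that the\n"
                b"trailer %begins on a new line and that there isn't\n"
                b"<</too /much /garbage /in /Root<</Pages<<>>>> the dictionary.\n")
CHROME_SHORT = b"%PDF trailer% 1 0 obj\n<</Root 1 0 R/Pages<<>>>>\n"
PLAIN_PNG_LIKE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
```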