Amrita Center for Cybersecurity, Amritapuri
The Art of Executing Javascript
Team bi0s
Slide 2
About
➢ Akhil Mahendra
➢ Web application security enthusiast
➢ CTFer {@teambi0s}
➢ @Akhil_Mahendra
Slide 3
Agenda
➢ Introduction - XSS
➢ Types of XSS and different contexts
➢ Same Origin Policy
➢ Content Security Policy
➢ XSS via AngularJS
Slide 4
Introduction
Attack with a wrong name?
Slide 5
Introduction
➢ Still exists after 18 years!
➢ No. 7 in the OWASP Top 10 2017
➢ Most commonly reported security vulnerability
Slide 6
Introduction - Impact
➢ Stealing user cookies
➢ Keylogger
➢ Defacing the website
➢ Redirecting users
Slide 7
Types of XSS
➢ Reflected XSS
➢ Stored XSS
➢ DOM-based XSS
Slide 8
Different Contexts
➢ HTML
➢ Attribute
➢ Script
➢ Style
➢ URL
Slide 9
Different Context - HTML context
➢ User input comes inside HTML elements
  ○ <p>Injection</p>
➢ POC
  ○ <script>alert(1)</script>
Slide 10
Different Context - attribute context
➢ User input comes inside HTML attributes (as the value, or as the attribute name itself)
  ○ <p class="Injection"></p>
  ○ <p Injection="test123"></p>
➢ POC
  ○ " onload=alert(1)//
  ○ onload=alert(1)//
Slide 11
Different Context - script context
➢ User input comes inside <script> tags
  ○ <script> var a = 'Injection'; </script>
➢ POC
  ○ ';alert(1);//
Slide 12
Different Context - style context
➢ User input comes inside style attributes or CSS
  ○ <p style="color: injection"></p>
➢ POC
  ○ expression(alert(1));
Slide 13
Different Context - URL context
➢ User input comes inside URL attributes such as href
  ○ <a href="injection">click</a>
➢ POC
  ○ javascript:alert(1)
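The defensive counterpart to the five contexts above, as an added example that is not part of the slides: one output encoder per context, in plain JavaScript (runs in Node or a browser, no DOM needed). The function names (encodeForHtml, encodeForAttribute, encodeForJsString, safeUrl, safeCssColor, renderSafely) are this example's own, and the inputs it is exercised on are the POC strings from the slides. For the URL and style contexts encoding alone changes nothing in `javascript:alert(1)` or `expression(alert(1))`, so those two validate the shape of the value instead of escaping characters.

```javascript
// Added example: context-aware output encoding for the contexts the deck
// lists. Function names are assumptions made for this example, not a library API.

// HTML body context: <p>{input}</p>. The five characters that can start
// markup or end an attribute are replaced by entities.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Attribute value context: <p class="{input}">. The attribute is always
// quoted and everything but alphanumerics is entity-encoded, so a quote
// cannot close the value and a space cannot start a new attribute (onload=).
function encodeForAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => `&#x${c.charCodeAt(0).toString(16)};`);
}

// JavaScript string context: var a = '{input}'. Everything but alphanumerics
// becomes \xHH or \uHHHH, so neither quotes nor </script> can break out.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL context: <a href="{input}">. javascript: is a syntactically valid URL,
// so only http(s) absolute URLs and same-site relative paths are accepted;
// anything else is replaced by a harmless placeholder.
function safeUrl(s) {
  const trimmed = String(s).trim();
  if (/^\/(?!\/)/.test(trimmed)) return trimmed; // "/path", but not "//host"
  try {
    const u = new URL(trimmed);
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (_) { /* not an absolute URL */ }
  return 'about:blank';
}

// Style context: <p style="color: {input}">. Allow only a colour keyword or
// a hex triplet; expression(...) and url(...) never match.
function safeCssColor(s) {
  const v = String(s).trim();
  return /^(#[0-9A-Fa-f]{3,8}|[A-Za-z]{1,20})$/.test(v) ? v : 'inherit';
}

// Render the same user input into all five contexts with the matching encoder.
function renderSafely(input) {
  return {
    html: `<p>${encodeForHtml(input)}</p>`,
    attribute: `<p class="${encodeForAttribute(input)}"></p>`,
    script: `<script>var a = '${encodeForJsString(input)}';</script>`,
    style: `<p style="color: ${safeCssColor(input)}"></p>`,
    url: `<a href="${encodeForAttribute(safeUrl(input))}">click</a>`,
  };
}

// Stand-alone run: feed the deck's POC strings through every context.
for (const poc of ['<script>alert(1)</script>', '" onload=alert(1)//',
                   "';alert(1);//", 'expression(alert(1));', 'javascript:alert(1)']) {
  console.log(renderSafely(poc));
}
```

The important design point is that the encoder is chosen by where the value lands, not by what the value looks like: the same string is safe in the HTML body after encodeForHtml and still dangerous in an href, which is why safeUrl is a validator rather than an escaper.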
Slide 14
SOP
➢ Scripts on a page can make HTTP requests and process the responses only between hosts that have the same:
  ○ Protocol, Hostname, Port
➢ A loaded IFRAME cannot read or write data into the page unless it is in the same origin!
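The origin comparison the slide describes, as an added example that is not part of the deck: two URLs are same-origin exactly when protocol, hostname and port all agree, and nothing else about the URL matters. The helper names (originOf, sameOrigin, canReadResponse, checkSamples) and the sample URL pairs are this example's own; the code relies only on the standard URL class available in Node and browsers.

```javascript
// Added example: same-origin decision from the three parts the slide names.
// Helper names and sample URLs are assumptions made for this example.

// Default ports the URL parser drops, so that https://example.com and
// https://example.com:443 come out equal.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

function originOf(urlString) {
  const u = new URL(urlString);
  // URL leaves .port empty when it is the scheme default; fill it in so the
  // comparison below is purely string equality.
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return { protocol: u.protocol, hostname: u.hostname, port };
}

// True only when protocol, hostname and port all match; path, query and
// fragment never take part.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.protocol === y.protocol && x.hostname === y.hostname && x.port === y.port;
}

// Browser behaviour in miniature: script running on pageUrl may read the
// response it fetched from targetUrl only when both are same-origin. (A server
// can relax this with CORS headers; this example does not model that.)
function canReadResponse(pageUrl, targetUrl) {
  return sameOrigin(pageUrl, targetUrl);
}

// Constructed sample pairs with the expected verdict for each.
const SAMPLE_CASES = [
  ['https://example.com/app', 'https://example.com/api/data', true],   // path differs only
  ['https://example.com/app', 'https://example.com:443/api', true],    // explicit default port
  ['https://example.com/app', 'http://example.com/api', false],        // protocol differs
  ['https://example.com/app', 'https://example.com:8443/api', false],  // port differs
  ['https://example.com/app', 'https://api.example.com/data', false],  // subdomain is a different host
];

// Returns one boolean per sample: does the verdict match the expectation?
function checkSamples() {
  return SAMPLE_CASES.map(([page, target, expected]) =>
    canReadResponse(page, target) === expected);
}

console.log(checkSamples()); // all true when the rules above are applied correctly
```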
Slide 15
SOP
Slide 16
CSP
➢ Introduced as a mechanism to mitigate code injection
➢ Directives define:
  ○ From where and what content is allowed to load
  ○ In which context the content is allowed to execute
➢ It's a mitigation, not the first line of defense!
Slide 17
CSP - Directives
➢ Directives:
  ○ default-src
  ○ script-src
  ○ object-src
  ○ style-src
  ○ img-src
  ○ frame-src
Slide 18
CSP - Keywords
➢ Keywords:
  ○ *
  ○ 'none'
  ○ 'self'
  ○ 'unsafe-inline'
  ○ 'unsafe-eval'
Slide 19
CSP
➢ Delivered as the Content-Security-Policy HTTP header, or as a <meta> tag:
  ○ <meta http-equiv="Content-Security-Policy" content="default-src https://cdn.example.net; child-src 'none'; object-src 'none'">
Slide 20
CSP - Common mistakes
➢ unsafe-inline, unsafe-eval, data:
  ○ The whole purpose of CSP is defeated
➢ Eg: default-src 'self'; script-src 'unsafe-inline'
  ○ Bypass: <script>alert(1)</script>
Slide 21
CSP - Common mistakes
➢ Nonces:
  ○ A nonce must be a random string
  ○ Should not be reused
  ○ Should not be guessable
Slide 22
CSP - Common mistakes
➢ Examples of bad nonces
  ○ Request 1 - D29162F1B99108DDA2406C697FFAC27586F42C7D021669F01F720CEEACBB06F5
  ○ Request 2 - D29162F1B99108DDA2406C697FFAC27586F42C7D021669F01F720CEEACBB06F5 (identical: the nonce is reused)
  ○ e10adc3949ba59abbe56e057f20f883e - md5(123456)
  ○ 1231441
Slide 23
Demo
Slide 24
CSP - Bypass
Slide 25
XSS via AngularJS
Escaping the expression sandbox for XSS
Slide 26
Thanks @Akhil_Mahendra