Universal XSS via IE8s XSS Filters课件.pptVIP

Filter Bypass: 3 [\\][ ]*(([^a-z0-9~_:\\ ])|(in)).+?(({[.]}.+?)|({[\[]}.*?{[\]]}.*?))= Detects: ;document.URL=jav\x61script:alert\x280)// Filter Bypass: 3 [\\][ ]*(([^a-z0-9~_:\\ ])|(in)).+?(({[.]}.+?)|({[\[]}.*?{[\]]}.*?))= Does not detect: ;x:[document.URL=jav\x61script:alert\x280)]// Filter Bypass: 3 On IE, backtracking is limited: /x.+?(abc|0.+0)w/(xz0abcw0); Doesn’t match: xz0abcw0 But it should: xz0abcw0 Filter Bypass: 3 Simplified heuristic: .*(\[.+?\]|\..+?)= Doesn’t match ;[document.URL=asdf]// But it should: ;[document.URL=asdf]// Filter Abuse Attacks made possible because of the filters (the hash symbol loses its way) Filter Abuse: Simple When an attack is detected, altering the response before rendering can have unintened consequences. Say attacker supplies a bogus GET parameter of foo=script sc{r}ipt.*? will detect Any script tag on target page will be disabled Simple Filter Abuse: 1 How is this useful for an attacker? Disable client side security features Block Framebusters Escape Facebooks CSS Sandbox Any other JS based security controls /research/xssauditor.pdf contains a summary of the Facebook attack... Simple Filter Abuse: 1 Simple Filter Abuse: 2 How is this useful for an attacker? Render JavaScript code as HTML scriptvar foo=img src=x:x onerror=alert(0);/script sc#iptvar foo=img src=x:x onerror=alert(0)/script Simple Filter Abuse: 2 Demo JS rendered as HTML http://0x.lv/simple.html http://0x.lv/simple.html?foo=script Review An attacker can abuse the filtering mechanism to alter how a page is rendered. The filters can be abused to enable XSS in situations where it wouldnt otherwise be possible. Can other filters be abused to enable XSS? Of course!(before Jan.2010 patch) Universal XSS Intro The hash symbols fall from grace Equal Signs Equal signs are neutered [\\][ ]*(([^a-z0-9~_:\\])|(in)).*?(location).*?{=} [\\][ ]*(([^a-z0-9~_:\\ ])|(in)) .+?(([.].+?)|([\[].*?[\]].*?)){=} Regular Expression Details [\\][ ]*(([^a-z0-9~_:\\