Artificial truth

The more you see, the less you believe.


Paper notes - Code-Reuse Attacks for the Web
Mon 04 September 2017

This post is in the same spirit as the ones from argp.

Since XSS isn't a solved problem yet, everyone has shifted focus to the second line of defence: browser filters, HTML sanitizers, WAFs and CSP. The point of the paper is to use JavaScript gadgets, a bit like the ROP we're used to in the memory-corruption world, mostly via DOM selectors, to bypass mitigations like NoScript, DOMPurify, browser XSS filters, and various CSP shenanigans. Useful gadgets can be found in all modern JavaScript frameworks (Vue.js, Aurelia, AngularJS, Polymer, EmberJS, jQuery, Bootstrap, …). Gadgets can apparently be found by taint-based data-flow analysis, but the paper doesn't elaborate much on this front, except that it's based on the paper 25 Million Flows Later - Large-scale Detection of DOM-based XSS.

The attack looks like this:

  1. Injection of our payload into the raw HTML.
  2. The XSS defence validates the payload, since it contains nothing that looks dangerous.
  3. Our payload is transformed by the gadgets, which interpret its markup.
  4. Our modified payload is executed.
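As an added illustration of these four steps (example code, not from the paper or the post), here is a toy sanitizer and a hypothetical framework binding gadget; the x-bind attribute, the scope stub and the payload are all constructed for the example, and the hardened variant shows the defence: bindings resolve to handlers the application registered instead of evaluating markup text.

```javascript
// Toy model of the four-step flow. Elements are plain {tag, attrs} objects
// standing in for DOM nodes, so the example runs in Node without a browser.

// Step 1: constructed attacker markup. No <script>, no on* handler: a sanitizer
// that only knows "dangerous" constructs has nothing to remove.
const payload = [
  { tag: 'div', attrs: { 'x-bind': "scope.alert('from gadget')" } },
];

// Step 2: whitelist-style sanitizer. It drops <script> elements, on* attributes
// and javascript: URLs, but keeps the unknown attribute the framework will read.
function sanitize(elements) {
  return elements
    .filter((el) => el.tag !== 'script')
    .map((el) => ({
      tag: el.tag,
      attrs: Object.fromEntries(
        Object.entries(el.attrs).filter(
          ([name, value]) => !/^on/i.test(name) && !/^\s*javascript:/i.test(value),
        ),
      ),
    }));
}

// Steps 3 and 4: a hypothetical framework gadget. Like the binding quoted in the
// post, it selects elements by attribute and evaluates the attribute text as an
// expression, which is exactly how "sanitized" markup turns back into script.
function vulnerableGadget(elements, scope) {
  return elements
    .filter((el) => 'x-bind' in el.attrs)
    .map((el) => new Function('scope', `return (${el.attrs['x-bind']});`)(scope));
}

// Hardened form: the attribute is only a key into handlers registered by the
// application, so markup never becomes code; unknown keys are ignored.
function hardenedGadget(elements, scope, handlers) {
  return elements
    .filter((el) => 'x-bind' in el.attrs)
    .filter((el) => Object.prototype.hasOwnProperty.call(handlers, el.attrs['x-bind']))
    .map((el) => handlers[el.attrs['x-bind']](scope));
}

// Run the pipeline against a stubbed scope: nothing real is executed, the stub
// just records the call so the outcome of each gadget can be compared.
function demo() {
  const scope = { alert: (msg) => `alert(${msg})` };
  const handlers = { greet: (s) => s.alert('hello') };
  const cleaned = sanitize(payload);
  return {
    attrsSurvived: Object.keys(cleaned[0].attrs),
    vulnerable: vulnerableGadget(cleaned, scope),
    hardened: hardenedGadget(cleaned, scope, handlers),
  };
}
```

The sanitizer passes the markup untouched, the evaluating gadget executes it, and the handler-lookup gadget silently drops it.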

I really liked the Aurelia payload to bypass everything:

<div ref=foo s.bind="$this.foo.ownerDocument.defaultView.alert(1)">

The authors are concluding:

As we have demonstrated, the current generation of XSS mitigations is unable to handle XSS attacks that leverage script gadgets to execute their payloads.

It's worth noting that the paper comes, as should be the case for every decent piece of research, with code to play with and reproduce its results; it can be found here, or here (local mirror, 2017-09-04). Reading the bypasses.md file is recommended ;)