mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations

Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, Edward Z. Yang

20th ACM Conference on Computer and Communications Security (CCS), Berlin, Germany, November 2013


Abstract

Back in 2007, Hasegawa discovered a novel Cross-Site Scripting (XSS) vector based on the mistreatment of the backtick character in a single browser implementation. This initially looked like an implementation error that could easily be fixed. Instead, as this paper shows, it was the first example of a new class of XSS vectors, the class of mutation-based XSS (mXSS) vectors, which may occur in innerHTML and related properties. mXSS affects all three major browser families: IE, Firefox, and Chrome.

We were able to place stored mXSS vectors in high-profile applications like Yahoo! Mail, Rediff Mail, OpenExchange, Zimbra, Roundcube, and several commercial products. mXSS vectors bypassed widely deployed server-side XSS protection techniques (like HTML Purifier, kses, htmlLawed, Blueprint and Google Caja), client-side filters (XSS Auditor, IE XSS Filter), Web Application Firewall (WAF) systems, as well as Intrusion Detection and Intrusion Prevention Systems (IDS/IPS). We describe a scenario in which seemingly immune entities are rendered prone to an attack by the behavior of an involved party, in our case the browser. Moreover, it proves very difficult to mitigate these attacks: in browser implementations, mXSS is closely related to performance enhancements applied to the HTML code before rendering; in server-side filters, strict filter rules would break many web applications, since the mXSS vectors presented in this paper are harmless at the moment they are sent to the browser.

This paper introduces and discusses a set of seven different subclasses of mXSS attacks, among which only one was previously known. The work evaluates the attack surface, showcases examples of vulnerable high-profile applications, and provides a set of practicable and low-overhead solutions to defend against these kinds of attacks.
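The abstract's central point is that a filter which only inspects the markup as sent is not enough: what matters is the markup the browser produces after serializing (innerHTML getter) and re-parsing (innerHTML setter) it. One defensive property a sanitizer can be tested for is therefore round-trip stability: parse the filtered output, serialize it, parse again, and compare the two parse results. The following Python is an added example, not code from the paper or its authors. It uses Python's `html.parser` as a stand-in for a browser's parser, and `lossy_serialize` is a constructed serializer that fails to re-escape attribute values, modelling the kind of serializer defect the paper describes; a real audit has to run the same check against the actual browsers being supported, and the sample inputs below are constructed.

```python
"""Round-trip stability check for filtered markup (added example, not the paper's code).

Model: a sanitizer has already accepted `markup`.  We parse it, serialize the
parse result, and parse the serialization again.  If the two parses differ,
the serializer has mutated the document, which is the situation in which a
filter's verdict on the original string no longer describes what gets rendered.
"""
from html import escape
from html.parser import HTMLParser


class _TokenCollector(HTMLParser):
    """Records a normalised token stream: start tags with sorted attributes,
    end tags, and non-blank text runs (character references already decoded)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        self.tokens.append(("start", tag, tuple(sorted((k, v or "") for k, v in attrs))))

    def handle_endtag(self, tag):
        self.tokens.append(("end", tag))

    def handle_data(self, data):
        if data.strip():
            self.tokens.append(("text", data))


def parse(markup):
    """Stand-in for the browser's parser (innerHTML setter)."""
    collector = _TokenCollector()
    collector.feed(markup)
    collector.close()
    return collector.tokens


def _serialize(tokens, attr_value):
    out = []
    for tok in tokens:
        if tok[0] == "start":
            attrs = "".join(f' {k}="{attr_value(v)}"' for k, v in tok[2])
            out.append(f"<{tok[1]}{attrs}>")
        elif tok[0] == "end":
            out.append(f"</{tok[1]}>")
        else:
            out.append(escape(tok[1]))
    return "".join(out)


def lossy_serialize(tokens):
    """Constructed defective serializer: attribute values are written back
    without re-escaping, so a decoded quote re-enters the markup verbatim."""
    return _serialize(tokens, lambda v: v)


def correct_serialize(tokens):
    """Serializer that re-escapes attribute values (quote=True escapes '\"')."""
    return _serialize(tokens, lambda v: escape(v, quote=True))


def is_stable(markup, serialize=lossy_serialize):
    """True if parse(serialize(parse(markup))) == parse(markup)."""
    first = parse(markup)
    return first == parse(serialize(first))


def audit(samples, serialize=lossy_serialize):
    """Return the constructed samples whose parse result changes after a round trip."""
    return [s for s in samples if not is_stable(s, serialize)]


# Constructed samples: both are harmless as sent; the second carries a decoded
# quote inside an attribute value, which the lossy serializer does not re-escape.
SAMPLES = [
    '<p title="plain">x</p>',
    '<p title="a&quot;b">x</p>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", "stable" if is_stable(sample) else "MUTATES", "|",
              "stable with correct serializer" if is_stable(sample, correct_serialize) else "still mutates")
```

Run as a script, the first sample is stable under both serializers, while the second is reported as mutating under the lossy serializer and stable under the correct one. The comparison is on parsed structure rather than on strings, because a serializer is allowed to change spelling (quoting style, attribute order) as long as the browser's second parse yields the same tree.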


Tags: browser-security, web-security