Scriptless Attacks – Stealing the Pie Without Touching the Sill

Mario Heiderich, Marcus Niemietz, Felix Schuster, Thorsten Holz, Jörg Schwenk

19th ACM Conference on Computer and Communications Security (CCS), Raleigh, NC, October 2012


Abstract

Due to their high practical impact, Cross-Site Scripting (XSS) attacks have attracted a lot of attention from members of the security community. Consequently, a plethora of more or less effective defense techniques have been proposed, addressing both the causes and the effects of XSS vulnerabilities. As a result, an adversary often can no longer inject, or even execute, arbitrary scripting code in several real-life scenarios.

In this paper, we examine the attack surface that remains after XSS and similar scripting attacks are supposedly mitigated by preventing an attacker from executing JavaScript code. We address the question of whether an attacker really needs JavaScript or similar functionality to perform attacks aiming at information theft. The surprising result is that an attacker can also abuse Cascading Style Sheets (CSS) in combination with other Web techniques such as plain HTML, inactive SVG images, or font files. Through several case studies, we introduce the so-called scriptless attacks and demonstrate that an adversary might not need to execute code to preserve his ability to extract sensitive information from well-protected websites. More precisely, we show that an attacker can use seemingly benign features to build side-channel attacks that measure and exfiltrate almost arbitrary data displayed on a given website.

We conclude this paper with a discussion of potential mitigation techniques against this class of attacks. In addition, we have implemented a browser patch that enables a website to determine whether it is being loaded in a detached view or pop-up window. This approach proves useful for preventing certain types of the attacks discussed here.

[PDF]

Tags: Attack Fonts, CSS, HTML5, Scriptless Attacks, SVG, XSS