hackademix.net

Internet Explorer 8’s famous XSS filter can be exploited to perform successful XSS attacks against web sites which would be otherwise safe. In other words, XSS “protection” is helping XSS attackers, oh the irony.

Well, this is not exactly news among security researchers, but those aware of the details (including Microsoft of course, Eduardo “Sirdarckcat” Vela and myself) have kept a low profile so far. Check, for instance, slide #17 in my OWASP presentation (alternate link), given two weeks ago.

However, after Microsoft left it unfixed for many months, someone apparently decided to whisper this dirty little secret in Dan Goodin (The Register)’s ear.

To Microsoft’s credit, this problem has no quick fix: in fact, it’s way worse than a simple implementation bug. Its root is a flawed design choice: when a potential XSS attack is detected, IE 8 modifies the response (the content of the target page) in order to neuter the malicious code. This is, incidentally, the only significant departure from NoScript’s approach, which modifies the request (the data sent by the client) instead, and is therefore immune.

Anyway, here’s the juice: IE 8’s response-changing mechanism can be easily exploited to turn a normally innocuous fragment of the victim page into a XSS injection. The attacker just needs a certain degree of control on the content of the web site to be injected: social networks, forums, wikis and even Google Apps are good prey. To be fair, Google Apps are not vulnerable anymore, since Google’s properties wisely choose to deploy the X-XSS-Protection: 0 header, which is the “safety switch” disabling IE 8’s XSS protection.

So, web site owners’ dilemma is, opt out or not opt out?
For browser users, there should be no dilemma at all ;-)

Strict Transport Security (STS) has gone live on PayPal yesterday.

STS is a simple yet effective system for web sites requiring high safety levels, e.g. payment gateways or financial institutions, to force HTTPS connections on every request originated by supporting browsers.

It is currently supported by NoScript, Chrome 4 beta and Sid Stamm’s Force TLS.

Together with NoScript’s anti-XSS protection, this feature makes PayPal a much safer service for NoScript users.

When Microsoft unveiled its IE 8’s “XSS filters”, almost one year ago, we could notice how, despite their impressive resemblance to NoScript’s anti-XSS protection, they were quite limited in comparison.

One of the limitations was their ability to mitigate a subset of reflective (AKA type 1) XSS vulnerabilities only, leaving them totally useless against DOM-based (AKA type 0) XSS attacks which, instead, are effectively defeated by NoScript.

Today I noticed via sla.ckers.org that such a DOM-based XSS attack is currently possible against Paypal and Ebay, no less, allowing the attacker to steal authentication info and other sensitive data, or even perform financial transactions on the behalf of the victim.

Even more interesting, modern browsers* except IE properly encode request URLs before sending them on the wire, but exploitation of this specific Paypal vulnerability requires the “double quotes” character to pass through with no encoding: therefore, while the vast majority of XSS exploits are cross-browser, this one affects exclusively IE**. Embrace and XSStend?

1. * Latest versions of Firefox, Safari, Opera and Chrome.
2. ** Variants could affect any browser, since IE’s encoding bug is generally not required for DOM-based XSS. Firefox users can protect themselves by using NoScript, even in the permissive and not recommended “Allow Scripts Globally” mode.

Everybody heard the tweets: after several other security issues, including “exotic” ones like Clickjacking or JSON hijacking, Twitter is in serious troubles again, this time with an old-school XSS worm which quickly managed to infect many users profiles and is still spreading in multiple variants.

This plague is the brainchild of a 17 years old named Mikeyy, who created it as a publicity stunt to promote his own Twitter clone, StalkDaily.com. A good technical description of its rather simple inner workings has been kindly provided by Damon Cortesi. As you can see, unless the mikeyylolz.uuuq.com doman is allowed to run JavaScript (very unlikely for NoScript users) you’re immune from infection.

This worm having been active so long is quite a surprise to me, since the exploited vulnerability (missing output encoding on users’ profile web page URL) requires less than one minute to be fixed, if you know what you’re doing. The existence of a mildly obfuscated version authorizes a scary suspect: have Twitter guys just been trying to block the original strain by signature, rather than fixing their website error? This is would be ridiculous*, since any script kiddie can create his own slightly modified version for fun or profit (and is probably doing that). And while the initial code just logs your session cookie on a remote server (which is already bad enough) and replicates itself as spam, nothing restrains a more malicious attacker from taking over your account with all its profile data right away.

The morale of this story? Never tweet without NoScript.

* Update

Ridicolous, but apparently true: in Twitter’s first hand account of the countermeasures taken over the weekend, there’s a lot of “cleaning up and locking down profiles”, but nothing about fixing the website’s bugs which allow infections like this to be spread.

About one year ago, a Firefox 3 beta appeared to eliminate a long standing XSS hazard, by preventing 3^rd party XBL from being loaded and executed in a content document.
This enhancement, while going in the right direction, received some skeptical comments because at the same time the ability of specifying inline XBL bindings using data: URIs had been introduced, opening new exploitation venues. The data: XBL thing was obviously an oversight: in fact, Firefox 3 stable didn’t allow it anymore, except “from chrome code (in other words, from the application or an extension)”.
However these mitigations had been anticipated and surpassed by a configurable cross-site XBL protection feature introduced a few months before by NoScript, whose default settings were more restrictive and effective than the new browser built-in XBL policy, even when Firefox 3.0 stable seemed to get it right. Seemed.

According to the MDC documentation,

The normal same-origin policy is used for web sites; they can only link to XBL files on the same domain, or within the chrome.

This statement tricked most readers (including myself, some sla.ckers and probably even hardcore Mozilla hackers like Jonas Sicking) into believing that everything was fine and dandy. Except that we’ve just learned (the painful way) that a more precise formulation describing what actually happens should have been:

Web pages and stylesheet can only link to XBL files in the same domain as the linking file itself.

In other words, if I open a good.com web page including a stylesheet from site evil.com, which in turn links a XBL file from the same evil.com domain, Firefox 3 lets everything work smoothly (the stylesheet and the XBL being same-origin), with the net result that XBL scripts from evil.com are allowed to run on good.com (the very “bad thing” which Firefox 3 was supposed to prevent).

I must admit that if I was not committed to supporting Firefox 2, after reading the misleading documentation above I would have likely dropped NoScript’s own cross-site XBL protection, which actually blocks any cross-site XBL (i.e. XBL from a domain different than the loading document) except from chrome: the way the documentation falsely seemed to imply and the only effective way from a XSS mitigation standpoint. Blessed be FSM the Merciful for inspiring backward compatibility concerns in my unworthy soul ;)

Unfortunately for non-believers, “bad guys” noticed this theory/practice discrepancy (or, more likely, just empirically realized that some old malicious XBL code still worked against Firefox 3) and are exploiting it in the wild, together with a similar well known Microsoft proprietary “feature” (dynamic properties) allowing JavaScript to be run from stylesheets in IE.

Specifically, The Register’s Dan Goodin wrote about an eBay scam (originally reported by Cefn Hoile) based on this XSS weakness. Of course, rather than browser flaws, there’s a fundamentally broken web design choice here to blame: allowing unfiltered user-provided stylesheets to be embedded in “trusted” content is very dangerous independently from JavaScript execution, because an attacker could modify the appearance of the page in malicious ways, e.g. for Clickjacking purposes, or even access some page content (password fields!). But on the other hand, preventing stylesheets inclusions from executing 3^rd party malicious scripts (like Opera, Safari and Chrome do) actually reduces the attack surface, which was the apparent intention of the original Firefox 3 XBL policy change.

If Microsoft, according to Goodin, won’t do anything about this issue, Mozilla developers are already working to a fix. In the meanwhile you can rely on NoScript, one step (more than one year, actually) ahead as usual…