DOI: 10.1145/2382196.2382276

Scriptless attacks: stealing the pie without touching the sill

Published: 16 October 2012

Abstract

Due to their high practical impact, Cross-Site Scripting (XSS) attacks have attracted a lot of attention from the security community. In the same way, a plethora of more or less effective defense techniques have been proposed, addressing the causes and effects of XSS vulnerabilities. Examples of such defenses include NoScript and disabling scripting code in non-browser applications such as e-mail clients or instant messengers. As a result, an adversary often can no longer inject or even execute arbitrary scripting code in several real-life scenarios.

In this paper, we examine the attack surface that remains after XSS and similar scripting attacks are supposedly mitigated by preventing an attacker from executing JavaScript code. We address the question of whether an attacker really needs JavaScript or similar functionality to perform attacks aiming at information theft. The surprising result is that an attacker can also abuse Cascading Style Sheets (CSS) in combination with other Web techniques such as plain HTML, inactive SVG images, or font files. Through several case studies, we introduce the so-called scriptless attacks and demonstrate that an adversary does not necessarily need to execute code to retain the ability to extract sensitive information from well-protected websites. More precisely, we show that an attacker can use seemingly benign features to build side-channel attacks that measure and exfiltrate almost arbitrary data displayed on a given website.

We conclude this paper with a discussion of potential mitigation techniques against this class of attacks. In addition, we have implemented a browser patch that enables a website to determine whether it is being loaded in a detached view or pop-up window. This approach proves useful for preventing certain types of the attacks discussed here.

Published In

CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security
October 2012
1088 pages
ISBN: 9781450316514
DOI: 10.1145/2382196

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. attack fonts
2. css
3. html5
4. scriptless attacks
5. svg
6. xss

Qualifiers

• Research-article

Conference

CCS'12: the ACM Conference on Computer and Communications Security
October 16 - 18, 2012
Raleigh, North Carolina, USA

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
