IEEE Bypassing XSS Auditor
I. INTRODUCTION

PHP (a recursive acronym for PHP Hypertext Preprocessor) is an open source server-side scripting language designed for web development, but it is also used as a general-purpose programming language. According to Netcraft's Web Server Survey [1], by January 2013 PHP was installed on more than 240 million websites. The most prominent websites that use PHP include Google, Facebook, Yahoo!, Wikipedia, Amazon, eBay, YouTube, Flickr, and many more. PHP code can be mixed with HTML code, or it can be used in combination with various template engines and web frameworks. PHP code is usually processed by a PHP interpreter, which is implemented either as a web server's native module or as a Common Gateway Interface (CGI) executable. After the PHP code is interpreted and executed, the web server sends the resulting output to its client, usually as part of the served web page.

Although PHP is a powerful, free programming language that is easy to learn and use, it comes with certain features that make it easy to write insecure code. According to the National Vulnerability Database [2], in 2013, 9% of all reported vulnerabilities were related to PHP [3]. Furthermore, it is worth noting that about 30% of all vulnerabilities reported to the same database since 1996 are related to PHP. Web applications implemented in PHP can be vulnerable to various exploit vectors, such as XSS (Cross-Site Scripting), SQL Injection, CSRF (Cross-Site Request Forgery), etc. The OWASP Top Ten for 2013 [4] lists XSS among the most common security risks to web applications. More specifically, XSS [5] is an
Fig. 1. XSS Auditor sits between the HTML parser and the JavaScript interpreter.

Fig. 2. Snippet 1, which is vulnerable to a PHP Array Injection attack.
JavaScript Operators
  1. Assignment operators:   +=, -=, *=, /=, %=, |=, ^=, >>=, <<=, >>>=
  2. Comparison operators:   ==, ===, !=, !==, >, >-, <, <=, >=
  3. Arithmetic operators:   *, %, -, /
  4. Bitwise operators:      |, ^, ~, >>, <<, >>>
  5. Logical operators:      ||

JavaScript Functions
  1. Functions:              void(), new(), typeof(), this(), delete(), in(), instanceof()

Other accepted characters
  1. Parenthesis / Brackets / Braces:                            (), [], {}
  2. Semicolon / linefeed character / carriage return character: ;, %0a, %0d
REFERENCES

[1] Netcraft, http://news.netcraft.com/archives/2013/01/31/php-just-grows-grows.html
[2] National Vulnerability Database (NVD), http://web.nvd.nist.gov
[3] PHP-related vulnerabilities on the National Vulnerability Database, http://www.coelho.net/php_cve.html
[4] OWASP Top Ten 2013, https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013
[5] OWASP, Cross-site Scripting (XSS), https://www.owasp.org/index.php/Cross-site_Scripting_XSS
[6] XSS Auditor, https://github.com/WebKit/webkit/blob/master/Source/WebCore/html/parser/XSSAuditor.cpp
[7] WebKit, The WebKit Open Source Project, https://github.com/WebKit/webkit
[8] David Ross, IE 8 XSS Filter Architecture/Implementation, http://blogs.technet.com/b/srd/archive/2008/08/19/ie-8-xss-filter-architecture-implementation.aspx
[9] NoScript, http://www.noscript.net
[10] Daniel Bates, Adam Barth, and Collin Jackson, Regular expressions considered harmful in client-side XSS filters, Proceedings of the 19th International Conference on World Wide Web (WWW 2010), USA.
[11] sla.ckers.org, Chrome gets XSS filters, http://sla.ckers.org/forum/read.php?13,31377
[12] Nick Nikiforakis, Bypassing Chrome's Anti-XSS filter, http://blog.securitee.org/?p=37
[13] Chromium, Issue 96616: Security: Google Chrome Anti-XSS filter circumvention, https://code.google.com/p/chromium/issues/detail?id=96616
[14] Issue 114641: XSS Auditor bypass with svg tags, https://code.google.com/p/chromium/issues/detail?id=114641
[15] Issue 114346: XSS Auditor bypass with U+2028/2029, https://code.google.com/p/chromium/issues/detail?id=114346
[16] Sebastian Lekies, Ben Stock, Martin Johns, A tale of the weaknesses of current client-side XSS filtering, Black Hat USA 2014.
[17] Keith Makan, Bypassing NoScript's XSS filters via Error Based SQLi, http://blog.k3170makan.com/2012/07/nonoscript-bypassing-noscripts-xss.html
[18] R.T. Waysea's Blog, Of Trusted And Untrusted Data, http://rtwaysea.net/blog/blog-2013-10-18-long.html
[19] Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius and Edward Z. Yang, mXSS Attacks: Attacking well-secured Web Applications by using innerHTML Mutations, Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS '13), Berlin, Germany.
[20] html5rocks, How Browsers Work: Behind the scenes of modern web browsers, http://www.html5rocks.com/en/tutorials/internals/howbrowserswork/
[21] Mozilla, The NaN Property, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/NaN
[22] OWASP, XSS (Cross Site Scripting) Prevention Cheat Sheet, https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
[23] PHP, htmlspecialchars() Convert special characters to HTML entities, http://php.net/manual/en/function.htmlspecialchars.php
[24] Chris Shiflett, Google's XSS Vulnerability, http://shiflett.org/blog/2005/dec/googles-xss-vulnerability
[25] https://github.com/stasinopoulos/webkit/commit/557d41ba23781cd53dedc4d2e40c5af220e8b966