XSSAuditor allows attacker to "snipe" scripts on victim sites
Reported by
g.yoxal...@hotmail.co.uk,
Mar 25 2018
|
|||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 Steps to reproduce the problem: 1. Visit any site with the x-xss-protection in an active state, "1". 2. Now find a <script src=...> element within that page, copy it. 3. Append it to the end of the URL as such: example.com/?<script src=...> 4. Submit the request, and it will be flagged by XSS-Auditor and either block the page or remove respective elements depending on X-XSS-Protection configuration. Example can be found here: https://www.linkedin.com/in/yoxall/?%3Cscript%20src=%22https://static.licdn.com/sc/h/br/7tlyfqxqrc17n2ganq5qsasqj%22%3E%3C/script%3E What is the expected behavior? Would it be possible for the developer to specify a sort of white-list, which would not trigger the auditor? For example, a CSP directive like "audit-whitelist: static.licdn.com" which would ignore any scripts included via that trusted endpoint. This would prevent false positive flagging as seen here: https://www.linkedin.com/in/yoxall/?%3Cscript%20src=%22https://static.licdn.com/sc/h/br/7tlyfqxqrc17n2ganq5qsasqj%22%3E%3C/script%3E What went wrong? Chrome uses the XSS-Auditor to block legitimate reflected XSS attacks, however it is known that it is possible to "trick" the auditor and force false positives; ultimately rendering the page blocked. This can be bad as it can render the entire page blocked, or in some cases could potentially be misused by an attacker to block websites which should include security-related JS libraries. Example: example.com requires security.js, attacker may abuse this with example.com/?<script src=security.js>; this would remove that file's functionality from the web-page. Did this work before? N/A Does this work in other browsers? N/A Chrome version: 65.0.3325.181 Channel: stable OS Version: 10.0 Flash Version:
,
Mar 26 2018
,
Mar 26 2018
Yes, the use of the XSS Auditor to "snipe" script in a victim page is a known attack, described here: https://www.chromium.org/developers/design-documents/xss-auditor To mitigate the threat of sniping, the filter now blocks the load of pages by default instead of simply neutering the selected script element.
,
Mar 26 2018
Would it be a good idea to add a CSP directive, say "auditior-whitelist: cdn.example.com"; for which src scripts that are located on specified sub-domain do not trigger the auditor? This would give developers more control, rather than just an outright page block? I believe certain sites revert to X-XSS-Protection: 0; due to "sniping" which IMO isn't the best solution for them. Just a suggestion I had, any thoughts?
,
Mar 26 2018
A site with a strong CSP is in a good position to safely disable the XSSAuditor as the declarative power of CSP makes it easy to forbid unsafe inline script and to gate what sources of remote scripts are permitted. I'm not sure that it would be worthwhile to add new directives to CSP to attempt to mitigate this further, as they seem unlikely to be broadly used. Attempting to automatically exempt scripts that match any existing CSP script-src rules might be more effective but I think the return-on-investment would probably still be quite low.
,
Mar 26 2018
Interesting suggestion. I agree that we do not want any new directives, but we might well consider giving a pass to scripts for which the developer has provided an explicit CSP script-src directive (or object, for object-src, etc.) Mike, thoughts?
,
Mar 26 2018
Actually adding mkwst this time.
,
Mar 26 2018
Alternatively, maybe the presence of a given directive should turn the auditor off for that class of token (and save some cycles).
,
Mar 27 2018
I don't think it's a good idea to add new directives to CSP in order to manipulate the state of the auditor. I could imagine disabling the auditor in the presence of nonces/hashes (though there's still some marginal risk with the former that the URL could be reflected into an existing script block). *shrug* I don't have a strong opinion about this. Honestly, now that we're blocking by default, I was hoping that we'd just get rid of the "filter" mode entirely rather than add more complexity on top of it. WDYT, Tom?
,
Mar 27 2018
I'm not worried about the filter mode; rather whether this would drop the false positive rate while blocking, given that sufficient CSP makes the auditor redundant. In the end, I don't think we'll want to move forward on this. |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by g.yoxal...@hotmail.co.uk
, Mar 25 201817.9 KB
17.9 KB View Download