- XSS
- REFLECTED XSS
- tell victim browser: goto
http://victim.com/form.php?name=">
- typically: we want to get document.cookie OR use cookies browsers send
- question: is user logge din?
- attacker wants to "hijack" the victim's login
- STORED XSS
- tell victim website
"my comment is
and victim website displays your comment *to other users*
- implementing pointer subterfuge
int vulnerable() {
long *pointer;
long value;
char buffer[1024];
....
overflow_with_attcker_data(buffer);
....
*pointer = value;
}
+----------------+
| return address | <-
+----------------+ |
| stack canary | |
+----------------+ |
| pointer | -|
+----------------}
| value
+----------------
| buffer
|
|
+-----------------
Possible values for pointer:
- important variable -- e.g. grade
- pointer to code or function
- e.g. return address
- e.g. global offset table pointer (for dynamically linking library funciotn)
- e.g. VTable pointer (used to find method pointers for polymorphism)
- e.g. actual function pointer in code
- object ownership and use-after-free
- programming discipline to prevent dangling pointers
(danglging pointers are what cuauses use-after-free)
- super-simple policy: neve give anyone pointers to a value
- basic ownership: there is only one pointer
- give someone else pointer? get rid of yours
- borrowing:
X
take X back = function(give away X)
- borrowing in Rust: pass reference, compiler makes sure it's equivalent to above
- lifetimes: how long are keeping the object
- during lifetime, you've given away, you can't do things with it
- relaxation for reading:
- allow borrowing multiple times for read:
- rule: no one writes --- because objects contain pointers
- allow borrowing exactly once for write
- discipline that prevents use-after-free
- other disciplines might also work
- information leak
- vulnerability can be exploited to print out "secret" information
- stack canary being output
- pointer values (adress of stack)
e.g. from uninitialized memory
- attacks and mitigations
- ASLR --- breaks attacks that need memory addresses
(unless there is an ***information leak***)
- stack smsahing --- need a substitute for return address
-- must be a memory address
- pointer subterfuge --- need to place a memory address over pointer
value
- format stirng exploits -- needed to place a memory address or
have it already be on the stack
BUT implies an informatoin leak most of the time
- return-oriented programming --- needed memory of addresses of all
gadgets
- use-after-free --- usually involves placing code pointer
- ASLR does not break --- score is after buffer on the stack
- degrees of ASLR
- non-position-independent code:
incomplete ASLR --- heap and stack and libraries randomized
but executable code wsa not
no recompiling exectuable
ROP could work here
- position-independent code
full ASLR --- what you're supposed to do
recompile executable
ROP could not work w/o informatoin leak
- disadvantages of ASLR
- requires recompiling for full ASLR
- possibly slower code when compiled with full ASLR
- program behaves inconsistently if it has memor ybugs
- "wastes" virtual address space (problem on 32-bit)
- W^X --- attack needs to write code
- lots of attacks overwrite pointers to code
- this means attacker can't just point to writeable buffer
- adds extra step: make a ROP chain or jump-oriented programming chain
- stack canaries
- overwriting return address ASSUMING you have to overwrite before it
- baggy bounds
- anything that involved bad array accesses
- stack smsahing
- pointer subterfuge
- heap smashing
- ...
- *assuming not within the same object
sturct Foo {
char buffer[100];
void (*functionPointer)(void);
}
- doesn't stop use-after-free
- vulnerable code patterns
- buffer overflow
char buffer[1000];
while ((c = getchar()) != EOF) {
buffer[i++] = c; // FORGOT TO CHECK i
}
memcpy(buffer, other_buffer, length_that_might_be_too_big);
int buffer[1000];
if (attacker_input < 1000) {
// 0x80010000 * 4 = 0x40000
int size = attacker_input * sizeof(int);
memcpy(buffer, attacker_input_buffer, size);
}
- oveflow to overwrite adjacent things:
- stack: obvious target is return addres
- heap: obvious target is malloc() data structures
or pointers in adjacent objects (e.g. Vtable pointers)
- globals: obvious target is adjacent global variables with
pointers
- format string exploit
printf(attacker_input);
sprintf(some_string, attacker_input);
fprintf(some_file, attacker_input);
- use-after-free
T *value;
...
other_thing->set_T(value);
delete value;
// other_thing still valid
// Rust: "can't change value while it's being borrowed by ..."
- command injection
subprocess.call("mail " + user_name, shell=True, input=mail_message)
$dbh->query("SELECT * FROM users WHERE username = '$username'");
- iframe problems
- "embed website in another website"
- legiitmate examples:
- advertisement in webpage
- youtube player in other website
- sneaky way to requiring URLs from other wbesites
- on same website --- can read other pages (legiitmate uses)
- useful for reflected XSS: don't have to visibile:
- completely invisible
- "styled" like text --- arbitrarily small, transparent, located at bottom of page, etc.
- clickjacking:
- provide something for user to click
- but place iframe --- other website --- embedded on top of that locatoin
- easy way: transparent and on top
- hard way: blend in --- e.g. make part of button look like part of link
- hard way: change page layout just before click
- examples:
- facebook likes
- "delete your account?" screen