IRC log of webappsec on 2017-01-25

Timestamps are in UTC.

16:48:49 [RRSAgent]
RRSAgent has joined #webappsec
16:48:49 [RRSAgent]
logging to
16:48:51 [Zakim]
Zakim has joined #webappsec
16:49:54 [bhill2]
bhill2 has joined #webappsec
16:49:56 [wseltzer]
16:50:55 [bhill2]
bhill2 has joined #webappsec
16:51:53 [bhill2]
bhill2 has joined #webappsec
16:52:52 [bhill2]
bhill2 has joined #webappsec
16:53:52 [bhill2]
bhill2 has joined #webappsec
16:54:49 [bhill2]
bhill2 has joined #webappsec
16:55:51 [bhill2]
bhill2 has joined #webappsec
16:56:47 [ArturJanc]
ArturJanc has joined #webappsec
16:56:48 [bhill2]
bhill2 has joined #webappsec
16:57:37 [francois]
francois has joined #webappsec
16:57:49 [bhill2]
bhill2 has joined #webappsec
16:57:57 [wseltzer]
present+ wseltzer
16:58:54 [bhill2]
bhill2 has joined #webappsec
16:59:51 [bhill2]
bhill2 has joined #webappsec
16:59:58 [ArturJanc]
present+ ArturJanc
17:00:14 [freddyb]
present+ freddyb
17:00:16 [lwe]
lwe has joined #webappsec
17:00:33 [mkwst]
present+ mkwst
17:01:26 [gmaone]
present+ gmaone
17:01:47 [bhill2]
bhill2 has joined #webappsec
17:01:54 [ckerschb__]
ckerschb__ has joined #webappsec
17:02:11 [bhill2]
17:02:19 [bhill2]
oh, crap. I am on an airplane.
17:02:34 [mkwst]
17:02:47 [bhill2]
17:03:03 [dveditz]
almost there
17:03:09 [dveditz]
17:04:48 [dveditz]
present+ dveditz
17:04:54 [mikispag]
mikispag has joined #webappsec
17:04:56 [bhill2]
bhill2 has joined #webappsec
17:04:56 [wseltzer]
zakim, who is here?
17:04:56 [Zakim]
Present: wseltzer, ArturJanc, freddyb, mkwst, gmaone, dveditz
17:04:57 [Zakim]
On IRC I see bhill2, mikispag, ckerschb__, lwe, francois, ArturJanc, Zakim, RRSAgent, gmaone, yoav, Agent_Smith_BR, Jb, deian, Mek, schuki, sangwhan, mounir, freddyb, jcj_moz,
17:04:58 [Zakim]
... terri, tobie, timeless, dveditz, Josh_Soref, ojan, slightlyoff, mkwst, rrware, Domenic, jww, jkt, dbaron, hadleybeeman, jochen___, adrianba, jyasskin, gszathmari, MattN,
17:04:58 [Zakim]
... wseltzer, trackbot
17:05:22 [wseltzer]
17:05:44 [ckerschb__]
present+ ckerschb__
17:05:44 [wseltzer]
Chair: dveditz
17:06:00 [wseltzer]
zakim, who is on the phone?
17:06:00 [Zakim]
Present: wseltzer, ArturJanc, freddyb, mkwst, gmaone, dveditz, ckerschb__
17:06:06 [wseltzer]
regrets+ bhill2
17:06:24 [dveditz]
TOPIC: Agenda Bashing
17:06:26 [terri]
present+ terri
17:06:38 [mkwst]
dveditz: Anything to add to the agenda?
17:07:07 [mkwst]
everyone: <crickets>
17:07:09 [dveditz]
TOPIC: Recharter update
17:07:32 [mkwst]
wseltzer: The current charter extended without change through March,
17:07:35 [wseltzer]
17:07:49 [mkwst]
... proposed draft charter at
17:08:04 [mkwst]
... Reviewing that internally, then sending it out to the AC for a wider review.
17:08:14 [mkwst]
... During that period, please ask your AC rep to indicate support.
17:08:23 [freddyb]
ah, now.
17:08:38 [mkwst]
... If you or your AC rep won't support the charter, please let us know before we propose it. :)
17:08:48 [wseltzer]
17:08:51 [mkwst]
dveditz: We've chatted about this multiple times, I hope we'll be good to go.
17:09:06 [mkwst]
... If there's something horrible you came up with over the holiday, do let us know.
17:09:18 [wseltzer]
17:09:28 [mkwst]
wseltzer: Sometimes WG and AC members aren't on the same page; if you have a chance to check with your rep, that'd be helpful.
17:09:52 [mkwst]
... I'll let you know when it's out for review.
17:09:53 [dveditz]
TOPIC: nonce / script-dynamic bypasses and mitigations
17:10:20 [dveditz]
scribenick mkwst
17:10:25 [wseltzer]
i/Anything to add/scribenick: mkwst
17:11:22 [mkwst]
ArturJanc: Recent reports of bypasses for nonce-based policies. I'll go through a few details, then mkwst might want to fill in some blanks with Chrome-specific details.
17:11:22 [bhill2]
bhill2 has joined #webappsec
17:11:44 [mkwst]
ArturJanc: Context: A few weeks ago, folks on Twitter chatted a bit about bypassing nonce-based CSP.
17:11:58 [mkwst]
... Google uses nonces.
17:12:10 [mkwst]
dveditz: It's the heart of `strict-dynamic`, right?
17:12:32 [mkwst]
ArturJanc: Right. But the attacks we're looking at right now are attacks on nonces, not on `strict-dynamic`.
17:13:03 [mkwst]
... Two broad categories of attacks
17:13:11 [mkwst]
... 1. Injection of `<base>` tags.
17:13:49 [mkwst]
... Alters the meaning of relative URLs, which means that nonced `<script>` elements can point to `` if a malicious `<base>` element is injected.
17:14:42 [mkwst]
... e.g. `<script nonce=abc src=/good.js>` turns into `<script nonce=abc src=">>` in the presence of `<base href="">`.
17:14:51 [bhill2]
bhill2 has joined #webappsec
17:15:15 [mkwst]
... Problem for nonce-based policies, not a problem for hashes or policies that list acceptable hosts.
17:15:37 [mkwst]
... Should probably note this in the spec. Many folks that use nonces don't set a `base-uri` directive. They probably should.
17:16:40 [mkwst]
... 2. SVG attribute modification via <set> and/or <animate>.
17:16:49 [mkwst]
... (Chrome-specific issue)
17:17:00 [bhill2]
bhill2 has joined #webappsec
17:17:01 [mkwst]
... Attacker injects `<svg>...<set ...>` into the page.
17:17:22 [mkwst]
... It turns any following `<script>` elements into SVGScriptElement rather than HTMLScriptElement.
17:17:39 [mkwst]
... The `<set>` element alters the script's `href` attribute.
17:17:48 [mkwst]
... Which leads to script execution.
17:18:04 [dveditz]
interesting... thought svg animation could only affect CSS properties
17:18:06 [mkwst]
... Mike fixed that in Chrome.
17:19:12 [bhill2]
bhill2 has joined #webappsec
17:19:12 [dveditz]
mkwst: "freddy from Opera fixed this in blink"
17:19:13 [mkwst]
mkwst: Right. This is a bug in Chrome, not a bug in SVG. We didn't follow the spec, Frederik from Opera fixed our implementation.
17:19:37 [mkwst]
ArturJanc: SVG seems fixed, but it points to an interesting category of attack that we should probably look into.
17:20:04 [mkwst]
... 3. Steal the nonce, use it later.
17:20:09 [mkwst]
... 3a. Steal the nonce.
17:20:18 [mkwst]
... We operate with a model in which there is an injection:
17:20:40 [mkwst]
... So, an attacker can inject CSS with attribute selectors to match the nonce value in better-than-brute-force time.
17:20:47 [mkwst]
... [nonce^=a], etc.
17:21:23 [mkwst]
... Or the attacker can inject dangling markup (`<textarea>`, `<img src='`, etc) that causes exfiltration.
17:21:29 [dveditz]
better-than-brute-force? I'll have to re-read sidarkcat's writeup
17:21:46 [mkwst]
... 3b. Once the nonce is exfiltrated, it might be possible to reuse it, based on the application's structure.
17:22:15 [mkwst]
... If the application listens for a message, and dumps it to `innerHTML`, the attacker can inject properly nonced code.
17:22:53 [mkwst]
... `<iframe srcdoc="<script nonce='{$nonce}'>evil!</script>">`
17:23:09 [bhill2]
bhill2 has joined #webappsec
17:23:15 [mkwst]
... Similarly, URL fragments are sometimes reflected (routing, etc).
17:23:28 [mkwst]
... A few other similar mechanisms.
17:23:53 [mkwst]
... You can run a similar kind of attack based on the cachability of a document.
17:24:25 [mkwst]
... Load the page, use the first payload to exfiltrate nonces, then `.back()`, then `.forward()`, etc.
17:24:38 [mkwst]
... If the injection doesn't depend on the URL, this is exploitable.
17:25:29 [mkwst]
... 1. Perhaps we can prevent the nonce from being stolen?
17:25:44 [mkwst]
... 2. Perhaps we can prevent the nonce from being reused, if/when stolen.
17:26:04 [dveditz]
scribenick: dveditz
17:26:21 [dveditz]
mkwst: any questions based on ArturJanc's explanations?
17:27:01 [mkwst]
dveditz: Artur, you mentioned two ways to steal the nonce. CSS and dangling markup.
17:27:04 [mkwst]
... Is there another I missed?
17:27:21 [mkwst]
ArturJanc: Dangling markup is a pretty big category.
17:27:26 [bhill2]
bhill2 has joined #webappsec
17:27:52 [mkwst]
... `<style>div { background: url('`
17:28:05 [mkwst]
... And other variants.
17:28:36 [dveditz]
mkwst: we're doing acouple of experiments to see if they change behavior and fix this
17:28:51 [dveditz]
... first is to see if we can hide the nonce from the DOM that makes this harder to do
17:29:27 [dveditz]
... f.e. move the nonce from an HTML attribute to an internal attribute of the script.
17:29:56 [bhill2]
bhill2 has joined #webappsec
17:30:13 [dveditz]
... the author writes the nonce attribute, but the parser moves the attribute so it's not available to the document.
17:30:41 [dveditz]
... can still get the nonce through the nonce IDL, foo.nonce, so scripts can pass them along to new scripts
17:30:55 [dveditz]
... we belive that if you have script execution you can do anything anyway
17:31:44 [dveditz]
... Also looking to mitigate dangling markup. Will be difficult to completely address this, but some forms may be easy to squash
17:33:00 [dveditz]
... added some experiments to chrome, 1) examine contents of URL vs base URL. If it contains a newline AND an opening brace then we'll treat that as a parse error rather than %-escaping.
17:33:18 [dveditz]
... change to URL parser--treat newlines as an error.
17:34:22 [dveditz]
... second experiment is on forms. Two types of elements that eat stuff -- textarea and select. If they're closed by EOF rather than an actual closing tag we'll fire an error rather than submit
17:35:19 [dveditz]
... We think these will prevent a couple of forms of direct exfiltration
17:36:32 [dveditz]
... That was exfiltration. on to reuse
17:37:00 [dveditz]
... generally the reuse implies a DOM api to inject script into page (e.g. <iframe srcdoc artur mentioned earlier)
17:38:04 [dveditz]
... we want a parser-inserted script to work if delivered by a page, but suspicious of ones injected by script (as parser inserted)
17:38:32 [dveditz]
... thinking of adding a new script-src keyword that means "even more strict about parser inserted"
17:39:04 [dveditz]
... Is the parser kicked off by script? (document.write, innerHTML, etc) tag scripts and probably iframes if created that way
17:39:42 [dveditz]
... check that flag when doing execution. If this new keyword is set then these scripts would not execute
17:40:05 [dveditz]
... Prevents nonce re-use, but might be a useful hardening approach in general as well
17:41:16 [dveditz]
... We were able to do this because this concept (parser inserted) already existed in the HTML spec, but it's not flagged for later use. that's new
17:41:46 [dveditz]
... we'll need to define this new concept in HTML and hope it fits as well with other browser's implementations
17:42:37 [dveditz]
... We hope this deflects both the recently discussed attacks and prevents future ones
17:43:03 [dveditz]
... as mentioned, playing with experimental implementations to see how hard this is and whether it works and will bring feedback to the group
17:44:00 [dveditz]
dveditz: could we propose certain attributes (nonce, integrity) as unavailable for CSS selector matching?
17:44:26 [dveditz]
mkwst: we discussed that but seems super icky. requires reaching into CSS to fix a problem that has nothing to do with CSS
17:44:52 [dveditz]
... XHR/fetch has the concept of "sec-*" headers that are untouchable... could do something like that
17:45:54 [dveditz]
... Artur and I will put docs together and bring them back to the group
17:47:37 [dveditz]
ArturJanc: we found 5 or so different types of exfiltration
17:48:16 [dveditz]
... same-origin XSLT was one, but to pull this off you already need the equivalent of script execution. more academic interest
17:48:21 [ArturJanc]
17:48:34 [mkwst]
dveditz: Few minutes left.
17:48:41 [dveditz]
TOPIC: Security review of IndexedDB API
17:48:53 [mkwst]
... Request for review of IDB.
17:49:32 [dveditz]
17:49:51 [mkwst]
... Implemented in many browsers, hopefully their security teams did review.
17:49:55 [wseltzer]
17:49:56 [mkwst]
... We haven't done much formal review.
17:50:20 [mkwst]
wseltzer: I'll note that the W3C just recharted the Web Security IG.
17:50:28 [mkwst]
... That's another place that reviews can happen.
17:50:41 [mkwst]
... After recharter, they seem interested in taking on more of this kind of work.
17:50:52 [mkwst]
... Also looking at taking up the security questionnaire.
17:51:18 [mkwst]
... So, I'd invite y'all to join that group for reviews.
17:51:20 [wseltzer]
Web Security IG:
17:51:23 [dveditz]
TOPIC: Multiple origins for manifested web apps
17:51:58 [dveditz]
17:52:21 [mkwst]
dveditz: They'd like folks to look at this proposal to allow multiple scopes for a web manifest file.
17:52:28 [mkwst]
... That's the end of the agenda.
17:52:39 [mkwst]
... Any questions? Proposals for next time?
17:52:45 [mkwst]
... When _is_ next time, actually?
17:53:00 [mkwst]
... Third Wednesday of the month.
17:53:01 [freddyb]
Feb 15th?
17:53:06 [mkwst]
... February 15th.
17:53:07 [dveditz]
Feb 15, 2017 -- 3rd wednesday
17:53:33 [mkwst]
... It's on my calendar, which I got from somewhere. So hopefully it's on the W3C WebAppSec calendar that's on the group's homepage.
17:54:20 [freddyb]
calendar is embedded at the very top of
17:54:28 [dveditz]
thx freddyb
17:54:46 [mkwst]
wseltzer: Referrer Policy is moving to CR tomorrow!
17:54:52 [mkwst]
... Also, WebCrypto to REC tomorrow!
17:54:56 [mkwst]
... Huzzah!
17:55:08 [mkwst]
... Also, I'll make sure WebEx works.
17:56:03 [mkwst]
everyone: Bye!
17:56:05 [mkwst]
17:57:03 [jochen___]
yay, referrer policy, indeed :)
18:26:35 [bhill2]
bhill2 has joined #webappsec
18:31:25 [bhill2]
bhill2 has joined #webappsec
20:23:39 [Zakim]
Zakim has left #webappsec
20:25:23 [bhill2_]
bhill2_ has joined #webappsec
21:33:52 [bhill2]
bhill2 has joined #webappsec
22:18:41 [wseltzer]
rrsagent, make minutes
22:18:41 [RRSAgent]
I have made the request to generate wseltzer
22:18:52 [wseltzer]
rrsagent, make logs public
22:18:53 [wseltzer]
rrsagent, make minutes
22:18:53 [RRSAgent]
I have made the request to generate wseltzer
22:20:03 [wseltzer]
i/Few minutes left./scribenick: mkwst
22:20:05 [wseltzer]
rrsagent, make minutes
22:20:05 [RRSAgent]
I have made the request to generate wseltzer
22:20:52 [wseltzer]
s/oh, crap. I am on an airplane.//
22:20:57 [wseltzer]
22:21:05 [wseltzer]
s/almost there//
22:21:15 [wseltzer]
22:21:19 [wseltzer]
rrsagent, make minutes
22:21:19 [RRSAgent]
I have made the request to generate wseltzer
22:21:53 [wseltzer]
s/oh, crap.//
22:21:54 [wseltzer]
rrsagent, make minutes
22:21:54 [RRSAgent]
I have made the request to generate wseltzer
23:36:41 [bhill2_]
bhill2_ has joined #webappsec