Security Bsides Las Vegas 2024

Are you content with our current attacks on Content-Type?
2024-08-06 , Firenze

Are you familiar with Attack on Titan? It's a story where humanity lives in cities surrounded by giant walls to fend off Titans. The walls may block intrusion paths that are already known, but what if the Titans find an unexpected way in?

Browsers heavily depend on the Content-Type in HTTP response headers to render content, just like how the cities primarily depend on walls to protect themselves. But can we truly trust Content-Type? Our investigation into object storage revealed a critical specification: these storages allow any Content-Type to be specified in response headers, creating a new attack vector for clients.

Specifying arbitrary Content-Type strings in HTTP response headers during file uploads used to be difficult. As a result, browsers and clients often trusted the Content-Type blindly, just like how humans trusted their walls blindly. However, with the rise of object storage, setting arbitrary Content-Type headers has become easy.

In this talk, we'll explore scenarios where clients' blind trust in Content-Type leads to vulnerabilities and share findings from bug bounty platforms and OSS investigations. Let's all get prepared to defend our web applications from these new threats!


Overview

Client rendering, especially by browsers, relies heavily on the Content-Type of HTTP response headers. For example, if the HTTP response header is Content-Type: text/html, the browser interprets the body as HTML.

Is the Content-Type specified in the HTTP response header really reliable? In a conventional file upload, the server itself decides the Content-Type it sends to the browser, so trusting it appears to be safe. As a result, there are many implementations in which clients, mainly browsers, trust the Content-Type unconditionally.

However, S3 and other S3-compatible object storage are now in wide use, and by requesting an arbitrary Content-Type as object metadata, the Content-Type of the HTTP response header can be set freely. In other words, a new attack path to the client has opened up.

Therefore, this presentation will introduce the scenarios caused by clients' unconditional trust in Content-Type and the results of a survey of bug bounty platforms and OSS.

A typical vulnerability caused by unconditional trust in Content-Type is XSS. An attacker sends Content-Type metadata to object storage that the browser can interpret as HTML.

For a study of Content-Types that browsers can interpret as HTML, see the following slides.
- XSS using dirty Content-Type in the cloud era
For example, suppose an implementation allows uploads only if the Content-Type value matches the regular expression /\Aimage/(png|jpeg|jpg)/. This check rejects text/html and text/html;image/png, but not image/png,text/html, which major browsers such as Chrome and Firefox interpret as text/html. Two specific CVEs are as follows.
- Content-Type allowlist bypass vulnerability, possibly leading to XSS
- Content-Type allowlist bypass vulnerability which possibly leads to XSS remained

Weak string validation during object storage uploads can be bypassed in the same way, for example:
- Prefix match (startsWith): image/png,text/html
- Suffix match (endsWith): text/html;image/png
- Partial match (includes): text/html;image/png
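The following is an added example, not code from the talk or from any project it cites. It reproduces the four weak checks described above (the start-anchored regex, startsWith, endsWith and includes) against a constructed allowlist of image types, runs the bypass strings from the text through each of them, and contrasts the results with a strict check that accepts exactly one RFC 7231 type/subtype token pair, rejects comma-joined values and parameters, and compares the normalized result against the allowlist. The allowlist contents and the sample values are constructed for illustration.

```python
import re

# Constructed allowlist of media types the upload endpoint means to accept.
ALLOWED = {"image/png", "image/jpeg", "image/jpg"}

# --- Weak checks of the kinds described in the text ----------------------

# Anchored only at the start (the text's /\Aimage/(png|jpeg|jpg)/), so
# anything appended after a comma still passes.
WEAK_REGEX = re.compile(r"\Aimage/(png|jpeg|jpg)")


def weak_regex(ct):
    return WEAK_REGEX.search(ct) is not None


def weak_prefix(ct):  # startsWith
    return any(ct.startswith(a) for a in ALLOWED)


def weak_suffix(ct):  # endsWith
    return any(ct.endswith(a) for a in ALLOWED)


def weak_contains(ct):  # includes
    return any(a in ct for a in ALLOWED)


# --- Strict check --------------------------------------------------------

# A token per RFC 7231 section 3.1.1.1: no whitespace and no separators
# such as "," or ";" may appear inside type or subtype.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
STRICT = re.compile(rf"\A({TOKEN})/({TOKEN})\Z")


def strict_media_type(ct):
    """Return the lower-cased type/subtype if `ct` is exactly one
    allowlisted media type with no parameters, otherwise None."""
    # Several header values joined by commas are rejected outright rather
    # than letting the browser pick whichever one it prefers.
    if "," in ct:
        return None
    m = STRICT.match(ct.strip())
    if not m:
        return None
    essence = f"{m.group(1)}/{m.group(2)}".lower()
    return essence if essence in ALLOWED else None


def strict(ct):
    return strict_media_type(ct) is not None


def evaluate(ct):
    """Run every check on one Content-Type value; True means 'accepted'."""
    return {
        "regex": weak_regex(ct),
        "prefix": weak_prefix(ct),
        "suffix": weak_suffix(ct),
        "contains": weak_contains(ct),
        "strict": strict(ct),
    }


# Constructed sample values, including the bypass strings from the text.
SAMPLES = [
    "image/png",             # legitimate upload
    "text/html",             # rejected by every check
    "text/html;image/png",   # passes suffix and partial matching
    "image/png,text/html",   # passes the anchored regex and prefix matching
]

if __name__ == "__main__":
    for ct in SAMPLES:
        print(f"{ct!r:24} {evaluate(ct)}")
```

Only the strict check rejects both bypass strings, because it refuses to accept anything that is not a single bare type/subtype. Rejecting parameters altogether is a deliberate choice here: an upload endpoint rarely needs them, and parsing them correctly is another place to get wrong. Independently of the check, the safest pattern is to have the server choose the Content-Type it stores from its own allowlist rather than echo whatever value the client supplied.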

Presentation Flow

  • Self-introduction 1 min.
  • What is Content-Type 1 min.
  • Previous research 1 min.
  • Browser interpretation 3 min.
  • Traditional file upload 3 min.
  • Object storage 1 min.
  • File Uploading in the Cloud Era 3 min.
  • Weak validation bypass patterns 2 min.
  • Validation results with bug bounty 3 min.
  • Validation results in OSS 3 min.
  • Countermeasures 2 min.
  • Summary 2 min.

Total 25 minutes

Strengths of this presentation

The strengths of this presentation are the following four points:
1. the presenter is familiar with cloud security and security of cloud-based applications
2. appropriate for the cloud-native and cloud-first era
3. the discovery of a new attack path against browsers
4. discovery of Content-Type interpretation in browsers

  1. the presenter is familiar with cloud security and security of cloud-based applications
    We, the proposers of this presentation, are proud to say that we work day to day on cloud security and on applications built and implemented on cloud computing.
    In the past, we have presented anti-patterns for serverless applications at AWS Dev Day in Japan and have given talks to security engineers and developers on application security and threats targeting cloud environments using the latest technology stack.
    - AWS Dev Day 2023 E-2: Security by Design with Amazon S3, Amazon Cognito, and AWS Lambda Anti-Patterns
    - Introduction to Modern Web Security by Reading and Understanding Context
    - How to face threats specific to public clouds

  2. appropriate for the cloud-native, cloud-first era
    The theme of this talk is how to design and implement applications built on the cloud so as to reduce the security risk from attacks that exploit the object storage metadata specification. Cloud-native and cloud-first environments in particular, which deal with volatile infrastructure such as containers, auto-scaling hosts and FaaS, store and deliver files from object storage instead of from a server's local disk. Since object storage is an important service and a central building block of the cloud-native and cloud-first approach, we believe that presenting at BSides LV will be fruitful for the attendees.

  3. the discovery of a new attack path against browsers
    Changing the Content-Type of an HTTP response was difficult with traditional file uploads. However, we have discovered a new route of attack via object storage metadata. This is a novelty not found in other presentations.
    - File Upload Security in Object Storage - Rethinking “Malicious Data Writing” in the Cloud Era

  4. the discovery of the browser's Content-Type interpretation
    Traditionally, there has been research on predefined Content-Types that are interpreted as HTML, but how browsers interpret arbitrary Content-Types has not been studied. This is another novelty not found in other presentations.
    - XSS via S3! New Perspective on Attack Methods Using Mysterious Content-Type Values

Eiji Mori

Eiji Mori joined Flatt Security in April 2021 after completing graduate studies at Kagoshima University. As a security engineer, he is mainly in charge of web application diagnostics and smartphone application diagnostics.
He has been involved in security camp related events in the past and has a wide range of interests from hardware to software. His hobbies are vulnerability research and muscle training.

Norihide Saito

Norihide Saito has been involved in development and security-related work since he was a student, and joined Flatt Security in 2020. He is currently a security engineer in charge of security diagnostics mainly for web applications and public clouds, and is active in external organizations such as ISOG-J WG1.