How to detect xss and exploit it  document
Cross-site scripting (XSS): how to detect it on other websites.
Transcript

  • 1. Portcullis Computer Security www.portcullis-security.com
  • 2. How to detect and exploit 99% of XSS vulnerabilities. 2 April 2008. Portcullis Computer Security Limited 2007.
  • 3. XSS? So what? • XSS has recently proven dangerous enough to take seriously. • It can allow an attacker to jump into a VPN or to bypass firewall rules via XSS tunnelling.
  • 4. What is it about? • It's all about where the output goes... • Straight into HTML • Into a JavaScript / VBScript block • As a tag attribute • And some other rare, strange places...
  • 5. Understanding and exploiting XSS • It's like SQL injection, but now our subsystem is a browser rather than a database, and instead of a single quote we have a new set of meta characters.
  • 6. Ultimate challenge • The ultimate challenge in XSS issues is to escape the current block and make the browser render your piece of code.
  • 7. XSS types • These are the most common XSS examples you are going to see in the wild; I'll try to show a demo exploiting each of them. • HTML – Normal • HTML – Attribute without quotes • HTML – Attribute with single quotes • HTML – In comments • HTML – In JavaScript blocks • DOM-based XSS • Flash-based XSS • Direct linking
  • 8. Not covered • Before jumping into exploiting these specific issues: the following rare but real-world concepts are not covered in this talk. • XAS – Cross Application Scripting • Security zones of IE • Client-side issues like the .jar problem • Advanced Flash analysis for XSS • Exploiting XSS in the real world • Bypassing HTML-parsing-based XSS filters like those of Gmail, MySpace etc.
  • 9. HTML – Normal • The most common XSS type; at least it was the most common one, but nowadays most developers are aware of it. • In this demo we assume there is no filtering on the server side.
  • 10. HTML – Normal DEMO <script>alert(0x1)</script>
  • 11. HTML – Attributes without quotes • When output is used as an HTML attribute and the HTML is sloppy, with no quotes around the attribute value, we can bypass server-side filtering even where it exists!
  • 12. HTML – Attributes without quotes DEMO %20onload=alert(0x2)%20
  • 13. HTML – Attributes with single quotes • Wrapping HTML attributes in single quotes is quite common and valid, but poor practice. • Since the single quote is not considered an HTML meta character, it is not encoded by any of the default XSS filter functions like htmlentities() or Server.HTMLEncode().
  • 14. HTML – Attributes with single quotes DEMO ' onload=alert(0x3)
  • 15. HTML – In comments • If output goes into an HTML comment we need a ">" to close the comment. • This will be encoded by default filters, so it has to be unfiltered.
  • 16. HTML – In comments DEMO --!><script>alert(0x4)</script>
  • 17. HTML – JavaScript blocks • JavaScript blocks are especially dangerous because the meta characters change there: if output goes into JavaScript, we no longer need a tag opener or double quotes. • It all depends on where it lands in the JavaScript; we may need a single quote, a double quote, or maybe only a space or a semicolon.
  • 18. HTML – JavaScript blocks DEMO ;alert(0x5)
  • 19. HTML – DOM based • This is one of the rarest and hardest-to-spot XSS types. • You need a simple source-code analysis of the script code. • Most DOM-based XSS issues cannot be identified by automated scanners (to be honest, none of them can!).
  • 20. HTML – DOM based DEMO #alert(0x6)
  • 21. HTML – Flash based XSS • It is becoming more and more popular. • There are several ways an XSS issue shows up in Flash, but the most common ones are: • Remote Flash file loading • Direct linking • Flash applications generally load remote resources, and if those resources can be controlled by parameters, the application can be called directly and forced to load a remote malicious Flash object.
  • 22. HTML – Flash based XSS DEMO vuln.swf?player=http://example.com/xss.swf getURL('javascript:alert(0x7)')
  • 23. HTML – Direct linking • If linking functionality exists, it is almost always vulnerable to this attack! • It can be something like: • Your e-mail address • Homepage URL • Your photo URL • etc.
  • 24. HTML – Direct linking DEMO javascript:alert(0x8)
  • 25. Final words • If an XSS issue is exploitable in Internet Explorer, it is very likely also exploitable in Mozilla-based browsers, though the attack vector may differ. • CSS expression() and -moz-binding can allow you to trigger XSS payloads on load.
  • 26. Final words • Know what you send... • Your browser can do some encoding which may invalidate your XSS test. • To exploit the target server you may need to send HTML characters without proper encoding. • Confirm what you send from your proxy and be sure you tested it both with and without encoding.
  • 27. vbscript:msgbox('Any Questions?')
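The deck's point is that the working payload is decided by where output lands, so the defence is one encoder per output context. The Python below is an added example, not part of the Portcullis deck; the function names are mine. It contrasts the default filter behaviour slide 13 describes (single quote left alone) with a per-context encoder for HTML text, quoted attributes and JavaScript string literals, plus a scheme allowlist for the direct-linking case of slide 23.

```python
import html
import json
import re
from typing import Optional
from urllib.parse import urlsplit

# Added example (not the deck's code): one encoder per output context.

def legacy_attr_encode(value: str) -> str:
    """Mimics the default filters named on slide 13: & < > " are encoded, ' is not."""
    return html.escape(value, quote=False).replace('"', "&quot;")

def encode_html_text(value: str) -> str:
    """Output goes straight into HTML text (slide 9)."""
    return html.escape(value, quote=True)

def encode_html_attr(value: str) -> str:
    """Output goes into a *quoted* attribute: ' becomes &#x27; so a single-quoted
    attribute cannot be closed early (slide 13). An unquoted attribute (slide 11)
    has no safe encoding, so the template must always emit the quotes."""
    return html.escape(value, quote=True)

def encode_js_string(value: str) -> str:
    """Output goes into a JavaScript block (slide 17): return a complete double-quoted
    JS string literal. json.dumps escapes quotes, backslashes, control characters and
    (with its default ensure_ascii) U+2028/U+2029; '</' is split so that a '</script>'
    inside the value cannot terminate the surrounding <script> block."""
    return json.dumps(value).replace("</", "<\\/")

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def safe_link(value: str) -> Optional[str]:
    """Direct-linking context (slide 23): allow http(s) or a relative path and reject
    javascript:, vbscript:, data: and everything else. Control characters are removed
    first because browsers ignore them when parsing the scheme. None means reject;
    the returned value still needs encode_html_attr() when placed in href/src."""
    cleaned = _CONTROL.sub("", value.strip())
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme in ("http", "https"):
        return cleaned
    if scheme == "" and not parts.netloc:   # relative path, not a //host URL
        return cleaned
    return None
```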