Post XSS Exploitation: Advanced Attacks and Remedies

This is the presentation I used at the National Conference on “Current Scenario & Emerging Trends in Information Technology” held at MSIT in March 2013.
Here is the link to the whitepaper:

  1. Post XSS Exploitation: Advanced Attacks and Remedies. By Ms. Kritika Sobti and Mr. Adwiteeya Agrawal
  2. Introduction to XSS
     • Definition: Cross-Site Scripting is a web application vulnerability that lets scripts be executed by passing them in as input variables, because those parameters are not sanitized.
     • Types of XSS: 1. Reflected 2. Stored 3. DOM based
  3. Reflected XSS
     Input: XSS
     Output: Search Result
     Input: <script>alert(“XSS”)</script>
     Output: script executed
  4. Stored XSS: certain parameters are permanently stored on the website. A script entered as one of those parameters is stored as well and is executed whenever the stored content is viewed.
  5. DOM based XSS: an XSS attack in which the script is executed as a result of modifying the DOM “environment” in the victim’s browser.
  6. What is Post XSS Exploitation?
     • Combining an XSS vulnerability with other web application vulnerabilities to execute even more dangerous attacks.
     • Some of the attacks: 1. Android file stealing 2. URI scheme for Skype on iOS 3. HTML5 vulnerabilities 4. IRC NAT pinning and geolocation 5. Our new module
  7. Android File Stealing: an Android 2.2 user visits a link that initiates a download of a file xyz.html. The user is not notified, and the file is saved at sdcard/downloads. JavaScript is then used to access the downloaded file and other files in the same local context.
  8. Skype’s Improper URI Scheme on iOS: using the embeddable WebKit on iOS combined with the URI schemes of third-party applications, Skype allows a call to be placed with just the following URI: skype://1900expensivepremiumnumber?call The Skype application for iOS uses a locally stored HTML file to display chat messages from other Skype users, but it fails to properly encode the incoming user’s “Full Name”, allowing an attacker to craft malicious JavaScript that runs when the victim views the message.
  9. HTML5 Vulnerabilities (1)
     • Using an API the way it is not meant to be used: HTML5 has two APIs for making cross-domain calls, Cross-Origin Requests and WebSockets. Using these, JavaScript can make connections to any IP and to any port (apart from blocked ports), making them an ideal candidate for port scanning. These APIs can be exploited to determine whether the port being connected to is open, closed or filtered.
  10. HTML5 Vulnerabilities (2)
     • Using an API the way it is not meant to be used: the File API in HTML5 allows JavaScript to access a file once it has been chosen by the user (i.e. before it is uploaded). It can also be used maliciously to steal files in an XSS attack: with styling, an input type=file control can be disguised so that the user is unaware that he is about to upload a file. Moreover, input type=file directory is a splendid feature which allows the user to upload the contents of a chosen directory, thus giving the attacker access to the whole directory.
  11. NAT Pinning
     • When the victim clicks on an XSS-vulnerable URL that carries a hidden form connecting to (IRC port), he submits the form without knowing it. An HTTP connection is made to the (fake) IRC server run by the attacker, which simply listens. The victim’s router sees an “IRC connection” (even though the client is speaking HTTP) and an attempt at a “DCC chat”. DCC chats require opening a local port on the client to which the remote chatter can connect back. Since the router is blocking all inbound connections, it decides to forward any traffic to the port named in the DCC chat back to the victim.
  12. XSSMAP: Geolocation. While collecting data for Google Street View, Google also collected data on the wireless networks in the vicinity and the MAC addresses of those routers, and mapped them to GPS coordinates. XSS can retrieve the MAC address of the target’s router and then use Google Maps to retrieve the GPS coordinates.
  13. Our New Module: the Concept
     • Elastix 2.2.0, a VoIP-based PBX with a web interface, enables registered SIP clients to make calls just by visiting a URL. After visiting https://IP_address_of_Elastix/recordings/misc/callme_page.php?action=c&callmenum=Extension@from-internal/h the call is placed. Executed via an iframe’s src.
  14. Integration with XSSF
  15. Why XSSF?
     • Has amazing native modules
     • Integrates with Metasploit and facilitates using exploits in msf
     • Development and all settings are included in a single file (module)
  16. Protection against XSS
     • Various filters can be used to sanitize inputs and prevent XSS vulnerabilities. These filters watch the user input, check it for JavaScript or HTTP POST content, and stop those scripts from being executed.
     • A large number of security libraries are also available for encoding user input, such as:
       OWASP Encoding Project: Google Code
       HTML Purifier or htmLawed: for PHP
       Anti-XSS Class: for .NET applications
       AntiSamy API: for .NET
       XSS-HTML-Filter: for Java
     • Filters:
       FILTER_SANITIZE_ENCODED: URL-encode the string, optionally strip or encode special characters.
       htmlentities: for HTML filtering.
       FILTER_SANITIZE_MAGIC_QUOTES: applies addslashes().
  17. Protection against Post XSS
     • Protection against post XSS involves preventing the execution of scripts entered as input variables.
     • Cookie security can be implemented by limiting the domain and path for which cookies are accepted, setting them as HttpOnly, using SSL, and never storing confidential data in cookies.
     • Another method is to disable the use of client-side scripts.
     • Various browser add-ons are also available for protection against XSS vulnerabilities. Some of the popular add-ons are NoScript for Firefox and NotScripts for Chrome and Opera.
  18. Thanks
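As an added example that is not part of the slides, the remedies of slides 16 and 17 carried out in Python: the reflected search page from slide 3 shown unencoded and then encoded for HTML and URL contexts (html.escape and urllib.parse.quote stand in for the PHP htmlentities and FILTER_SANITIZE_ENCODED filters the deck lists), plus a Set-Cookie header that restricts Domain and Path and sets HttpOnly and Secure. Function names, the cookie values and the domain are constructed; SameSite is a cookie attribute the deck does not mention.

```python
"""Added example (not from the slides): output encoding for a reflected
search page and a hardened Set-Cookie header."""
from html import escape
from urllib.parse import quote

# Constructed sample input: the payload shown on the "Reflected XSS" slide.
SAMPLE_QUERY = '<script>alert("XSS")</script>'


def render_search_vulnerable(query: str) -> str:
    """'Before' version: the parameter is reflected unencoded, so the
    browser parses the injected <script> element and runs it."""
    return f"<h1>Search Result</h1><p>You searched for: {query}</p>"


def render_search_safe(query: str) -> str:
    """HTML-body context: escape &, <, >, " and ' so the input is rendered
    as text. Equivalent to PHP htmlentities($q, ENT_QUOTES)."""
    return f"<h1>Search Result</h1><p>You searched for: {escape(query, quote=True)}</p>"


def render_link_safe(query: str) -> str:
    """URL context needs a different encoder (cf. FILTER_SANITIZE_ENCODED):
    percent-encode the value, then HTML-escape the whole attribute value."""
    href = "/search?q=" + quote(query, safe="")
    return f'<a href="{escape(href, quote=True)}">repeat search</a>'


def session_cookie_header(name: str, value: str, domain: str, path: str = "/") -> str:
    """Set-Cookie header following slide 17: restrict Domain and Path, mark
    HttpOnly (hidden from document.cookie) and Secure (sent over SSL/TLS only).
    SameSite=Strict is added here; it is not in the deck's list."""
    if any(c in value for c in ';, \r\n"'):
        raise ValueError("cookie value contains characters that break the header")
    return (f"Set-Cookie: {name}={value}; Domain={domain}; Path={path}; "
            "HttpOnly; Secure; SameSite=Strict")


if __name__ == "__main__":
    print(render_search_vulnerable(SAMPLE_QUERY))
    print(render_search_safe(SAMPLE_QUERY))
    print(render_link_safe(SAMPLE_QUERY))
    # Constructed session id and domain, for illustration only.
    print(session_cookie_header("sid", "constructed-session-id", "app.example", "/account"))
```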