ISACA Pune Chapter June 17th 2017 - Narendra Bhati

Understanding the XSS Vulnerability - Analysis To Exploita;on
Picture Source - h-p://resources.infosecins5tute.com ISACA Pune Chapter Monthly Lecture Mee5ng June
2017

Understanding The XSS Vulnerability - Analysis To Exploita;on

Something About Speaker (Of-Course Me) J
Narendra Bha; – OSCP, CEH
Senior Security Analyst
Suma SoK Pvt. Ltd. – Pune
Email - narendra.bha5@websecgeeks.com
Blog - h-p://websecgeeks.com
Picture Source - h-p://peachesandcake.com/about-me ISACA Pune Chapter Monthly Lecture Mee5ng June
2017

Something About Me
Senior Security Analyst
Suma SoK Pvt. Ltd. – Pune
Email - narendra.bha5@websecgeeks.com
Blog - h-p://websecgeeks.com

•  Having Four Years of Experience and have been working in Suma SoP Pvt. Ltd. as Senior Security Analyst

•  Spoke at OWASP Pune Chapter 18th Feb 2016 on Advance Web Applica5on A-acks "Dive into the Profound Web a-acks".

•  Found various cri5cal vulnerabili5es on Portals like Google, Facebook, Apple, LinkedIn, MicrosoP, Yahoo and more

•  Holds more then 12 CVE & 3 Zero days vulnerabili5es

•  Maintaining my own blog where I put my exploits and research- h-p://websecgeeks.com

ISACA Pune Chapter Monthly Lecture Mee5ng June 2017

ISACA Pune Chapter Monthly Lecture Mee5ng June
2017
What Is XSS (Cross Site Scrip5ng)

According to OWASP
XSS (Cross Site Scrip5ng) a-acks are a type of injec5on, in which malicious
scripts are injected into otherwise benign and trusted web sites

In simple words, Execu;ng our own JavaScript into the browser

What Is JavaScript

It’s a client side scrip5ng which is mostly used to control Client Side objects
Ex. Restrict the user to enter only email in email text box by applying a
JavaScript code.
Impact Of XSS

•  An a-acker can control/modify the Web Page content.
•  Hijacking the user SESSION ID
•  Redirect Users other malicious website.

Why Talk About XSS (Cross Site Scrip5ng) ?
Source - h-ps://www.brigh-alk.com/webcast/288/97255
According To OSVDB Vulnerabili5es Graph

For Fun & Proﬁt – Bug Bounty J

For Fun & Proﬁt – Bug Bounty Hunters
Slack Stored XSS Bounty Of $1000 ;)

Slack Stored XSS Bounty Of $1000 ;) in 2016
Source - h-ps://hackerone.com/reports/159460

Heroku Reﬂected XSS Bounty Of $500 ;) -
2014

XSS In Apple Online Store - 2013

Don’t Tell This To Any One _/_ , I Never Paid Income Tax For My $$$$$
Boun5es ;)

Lets Talk About The XSS
Several people are not aware about the Basic Approach to ﬁnd the XSS. What they basically do is to copy paste the payloads
In to the applica5on and hope for the XSS to trigger.

Picture Source - h-p://www.pak101.com/funnypictures/

Lets Talk About The XSS
We will follow a simple approach to Find The XSS Vulnerability
1.Analysis 2.Detec5on 3.Exploit

Reﬂec5on Filtra5on Trigger XSS

Understand The Reflec;on – No Reflec;on No XSS
1.Analysis
Reflec5on
1. User send some data
to website/applica5on
3.Server respond with same value
sent by user.

Understand The Reflec;on – No Reflec;on No XSS
1.Analysis
Reflec5on
The user input should be reflected back into client side code, if there is no reflec5on of the user input that means XSS
Is not possible.

Understand The Reﬂec;on
1.Analysis
Reﬂec5on
Demo

Understand The Reflec;on
1.Analysis
Reflec5on
Important Rule Of XSS
“No Reflec5on No XSS L “

Understand The Context In Reflec;on
1.Analysis
Context In Reflec5on
What Is Context?
Contexts are the loca5ons where user input is placed.
There are different types of contexts, lets discuss them in detail.
1.  HTML Context
2.  A-ribute Context
3.  Script Context
4.  URL Context
5.  Other contexts(We will discuss later)

1.Analysis
1. HTML Context
h-p://www.websecgeeks.com/search?q=xyzxyz
When user input is reﬂect back into the html tags

1.Analysis
2. A-ribute Context
When user input is reﬂected back into the some input tag “value”
view-source:h-ps://www.bhaskar.com/search/?q=xyz

1.Analysis
3. Script Context
view-source:h-p://aajtak.intoday.in/topic/xss.html
When user input is reﬂected back into the script tag

1.Analysis
4. URL Context
Web2Py Web Framework
h-p://127.0.0.1:8000/admin/default/install_plugin/asdad?plugin=plugin-clientapi&source=sumasoP.com
When user input is reﬂected back into HREF tag

So we have seen 4 Context Where our user input get reﬂected
1. HTML Context 2. A-ribute Context
3. Script Context
4. URL Context

Understand The Filtra;on
2.Detec5on
Filtra5on
We need to check whether our given value is geVng ﬁltered/sani;zed by the applica;on or not !
Filter/Sani5ze = If we send the value ex. “<hello>” then applica5on remove the special character or change special
Value to html encoding
As Below

<hello> = hello
<hello> = &gthello&lt Demo – a-ributecontextsecure.php

Lets Trigger The XSS
1.Analysis 2.Detec5on 3.Exploit

Reﬂec5on Filtra5on Trigger XSS
3 Steps To Find XSS – Lets Apply Those Steps To Find XSS

To trigger the XSS we can use pre-deﬁne Payload(Javascript)
3.Exploit

1. HTML Context
<script>alert(1)</script>

</html></script><script>alert(1)</script>
(Close the tag where input placed)
Demo
3.Exploit

JavaScript Payload

2. A]ribute Context
“></script><script>alert(1)</script> (For double quote)

‘></script><script>alert(1)</script> (For single quote)

“onmouseover=“alert(1)” – Typical Example
Demo
3.Exploit

JavaScript Payload

3. Script Context
“;conﬁrm(1);” (For double quote)

‘;conﬁrm(1);’ (For single quote)

</script><script>alert(1)</script> (Close the tag where input
placed)

“;</script><script>alert(1)</script> (For Double Quotes, Close
the tag where input placed)

‘;</script><script>alert(1)</script> (For Single Quotes,Close the
tag where input placed)

Demo
3.Exploit

JavaScript Payload

3.Exploit

Short Case Study Of XSS In Wordfence Firewall Plugin For Wordpress

Wordfence provide premium services for Wordpress CMS to Prevent, Defence web a-acks & having 700-3000 download per day
Permission granted by Vendor To Present Wordfence XSS In ISACA Chapter

4. URL Context
javascript:alert(1)

data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=
Demo
3.Exploit

JavaScript Payload

Lets Trigger The XSS 3.Exploit

Short Case Study Of XSS In Web2py Python Based Web Framework – Very Secure Framework Actually J
Picture Source - h-p://www.pyguy.com/wp-content/uploads/2016/01/show-tasks.png Permission granted by Vendor To Present Web2py XSS In ISACA Chapter

Types Of XSS
1- Reﬂected XSS

This type of XSS is temporary, need to send URL to vic5m.

2. Stored XSS

Web applica5on stored the user input, which can get trigger the XSS all the 5me user visit visit that page.

3. DOM Based XSS

Vulnerable Javascript/HTML code which takes the user input unsafely cause the DOM Based XSS
3.Exploit

Impact Of The XSS
•  Phishing A-acks
•  Redirect User To Malicious Website
•  Session Hijacking
•  DDOS A-ack
•  Rest Depends On A-acker Methodology.

How To Prevent XSS – It is as simple as that J Just Sani;ze The User Input For Special Characters

Some Mistakes Which Pentester/Security Guys OKen Do While Finding XSS Vulnerability

Do not forget to check the reflec;on on mul;ple places.

May be it is possible that one of the reflec;on point is un-secured.
Mul5ple Reflec5on

Download the source code for the Hands-On
Download – www.iamvulnerable.online/xssdemo/xssdemo.zip

End Of Presenta;on

Any Ques;ons ?

Please share your feedback of this presenta;on on narendra.bha5@websecgeeks.com

Thanks For Your Time !

ISACA Pune Chapter June 17th 2017 - Narendra Bhati

Recommended

Recommended

More Related Content

Recently uploaded

Recently uploaded (20)

Featured

Featured (20)

ISACA Pune Chapter June 17th 2017 - Narendra Bhati