Cross Site Scripting

All posts tagged Cross Site Scripting

BeEF – Cross –Site Scripting Exploitation

Posted by R.Dunne on June 5, 2015
Posted in: BeEF, BeEF - Cross –Site Scripting Exploitation. Tagged: , , , . Leave a comment

Overview

This exploit tutorial will give a brief overview of Cross-Site Scripting (XSS), and how to leverage it to control a victim’s browser. XSS is a very common web application vulnerability that many dismiss as low risk because they don’t understand what’s possible.an be used in a very subtle way to pivot into a company’s internal network by abusing a victim’s hooked browse.
Normally XSS targets a victim’s browser through the web application. So when a user visits the page, the attacker gets to run their code in the user’s browser.

Cross Site Scripting Using BEEF

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

The Attack Process

The Attack Process

This attack has an Attacker and a Victim.

Pic 212

The Attacker will craft a Phishing email to exploit an internal cross site scripting vulnerability.
Once exploited the Attacker can fully compromise the victim’s machines and carry out commands against that machine.
This is to prove that Cross Site Scripting is a major issue not only for the Applications themselves but for the Users that are using them.

Step 1

Find a vulnerable Web Application to Cross-Site Scripting.

For example the vulnerable parameters are:

  • FirstName
  • Last Name

Pic 10

Step 2

Phishing Email Crafted and sent to victim. Within this email the Sign up Here contains a crafted URL which you can see at the bottom of below image and better in Image further down.
This will take advantage of the Cross-Site Scripting Vulnerability. Pic 22

http://itsecgames.com/bWAPP/xss_get.php?firstname=&lastname=&form=submit

Pic 23

Pic 5This will hook the Victims browser from their machine back to the IP of the Attackers matching which is 10.10.10.99 on port 3000. 

Step 3

Victim receives the email and clicks the link, now the connection is made from the victim’s machine back to the attackers without the victim knowing.
Now the Victims browser is hooked to the IP of the Attackers matching which is 10.10.10.99 on port 3000.

Pic 21

Once the Attacker has made this connection by exploiting the Cross-Site Scripting through a Phishing attack BEEF allows the attacker to send commands to the Victim.

Attackers Machine

As we can see the IP Address for the Attackers Machine is 10.10.10.99.

Pic 6 Pic 9

Victims Machine

As we can see the IP Address for the Victims Machine is 10.10.10.97.

Pic 7

Pic 8

The below image is the Victims machine on 10.10.10.97 is now connected to the BEEF framework running on the Attackers machine 10.10.10.99.
Once the BeEF hook is loaded in the browser you can check your BeEF controller to control the victim’s browser:

Pic 11Pic 12
Pic 13

Downloading Files

Pic 14 Pic 15

Credential Harvesting


Pic 16

Pic 17

Pic 18

Pic 19

Pic 20

Blind XSS – PayPal

Posted by R.Dunne on August 12, 2014
Posted in: Blind XSS - PayPal. Tagged: , , . 1 Comment

http://www.vulnerability-lab.com/get_content.php?id=1278

Interesting Blind XSS vulnerability.

PayPal security team contacted Kunz Mejri after noticing that whenever they accessed his security researcher profile they were presented with a message that read “Hi.”PayPalThe Vulnerability Laboratory Research Team (Benjamin Kunz Mejri) discovered an application-side vulnerability in the official PayPal Inc Ethernet portal backend application (api).

They tried to blind evade and bypass the online service filter validation of the backend listings with main values of the profile.

Means whenever a moderator or admin is watching the profile of the PayPal Inc db listed user in the Ethernet, the persistent injected code executes.

In the attack scenario malicious test codes with scripts were injected in the most attractive values of the PayPal user profile database -> `bank account owner/holder (cardholder)`, `name/surname`, `company name` and of course the `account owner`.

Request Method(s):

  • POST

Vulnerable Parameter(s):

  • Bank Account Owner
  • Name and Surname
  • Companyname
  • Account Owner Affected

Module(s):

  • PayPal Inc – Ethernet Backend Portal (User Profile Listing)

CVSS (common vulnerability scoring system) count of 8.9.  Exploitation of the application-side remote web validation vulnerability requires a low privileged PayPal account with restricted access and no user interaction.  Successful exploitation of the vulnerability results in session hijacking, account database compromise, dev/admin account compromise, external redirects and persistent manipulation of affected or connected module context.

Bypass antiXSS filter in Chrome and Safari

Posted by R.Dunne on January 22, 2014
Posted in: Bypass antiXSS filter in Chrome and Safari, ISSUES & INFOSEC. Tagged: , , , , , , , . Leave a comment

The  bug  is  based  on  a  misuse  of  srcdoc  attribute  of  IFRAME tag,  included  in  HTML5 definition.

Identified by ElevenPaths.

To  perform an  XSS  attack  on Google  Chrome  Browser  using this  bug,  the website must  include an IFRAME and must be able to read any attribute of this element from HTTP parameters (GET/POST) without applying any charset filter. Then, in the IFRAME parameter,  the  srcdoc  attribute  may be included with JavaScript  code. Chrome cannot filter it and will be executed.

Chrome has now been Fixed but Safari is still vulnerable.

Test URL of how the Attack may look like:

http://VictimSite/iframebypass.php?iframe=%22srcdoc=%22%3Cscript%3Ealert(‘Bypass%20message’)%3C/script%3E

How the IFrame parameter handles the user input data.

xss1

XSS Payload inputted by the user and stored withing the iframe src=””srcdoc=”XSS Payload”>

xss2

XSS confirmed in browser.

xss7

HTTPOnly Cookie

Posted by R.Dunne on July 21, 2013
Posted in: HTTPOnly Cookie. Tagged: , . Leave a comment

monster

This attribute is used to help prevent attacks such as cross-site scripting, since it does not allow the cookie to be accessed via a client side script such as JavaScript.

The below example demonstrates the importance of the HTTPOnly cookie.

HTTPOny Cookie Not Enabled

Here its shows that the HTTPOny option was not selected and due to that the Users cookie has been accessed through malicious JavaScript eg, XSS.

WebG Pic 2

WebG Pic 3

As the request was sent TamperData was used to verify if the HTTPOnly cookie was Set.

HTTPOnly: False

WebG Pic 4

HTTPOny Cookie Enabled

Now with the HTTPOnly cookie enabled the Users cookie can no longer be accessed by malicious JavaScript. .

WebG Pic 5

No cookie is visible.

WebG Pic 6

Again as the request was sent TamperData was used to verify if the HTTPOnly cookie was Set.

HTTPOnly: True

WebG Pic 7

WebG Pic 8Conclusions

Set the HTTPOnly cookie.

Cross Site Tracing – XST

Posted by R.Dunne on July 21, 2013
Posted in: Cross Site Tracing - XST. Tagged: , , . Leave a comment

Issue

This attack technique was discovered by Jeremiah Grossman in 2003, in an attempt to bypass the HTTPOnly tag that Microsoft introduced in Internet Explorer 6 sp1 to protect cookies from being accessed by JavaScript.

As a matter of fact, one of the most recurring attack patterns in Cross Site Scripting is to access the document.cookie object and send it to a web server controlled by the attacker so that he/she can hijack the victim’s session. Tagging a cookie as httpOnly forbids JavaScript to access it, protecting it from being sent to a third party.

However, the TRACE method can be used to bypass this protection and access the cookie even in this scenario.

Remediation

Turn off HTTP TRACE support on all webservers.

WebGoat Tutorial

Code embedded in a web document has been controlled on the host when the visitors navigate malicious code executed in the browser.

The below image shows a parameter within WebGoat that is vulnerable.
WebG Pic 1

The HTTP TRACE response includes all the HTTP headers including authentication data and HTTP cookie contents, which are then available to the script.

Below is the malicious code to be injected into the parameter.

<script>var xhr = new XMLHttpRequest(); xhr.open(‘TRACE’, ‘http://localhost/WebGoat/attack&#8217;, false); xhr.send(null); if(200 == xhr.status)  alert(xhr.responseText);</script>

Captured POST Request shows the code has been entered.

WebG Pic 2

The malicious code has been granted a OK 200 Response.

WebG Pic 3

WebG Pic 4