MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit...
Transcript of MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit...
![Page 1: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/1.jpg)
MetaXSSploitBringing XSS in Pentesting
A journey in building a security tool
Claudio Criscione
@paradoxengine
`
![Page 2: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/2.jpg)
/me
No Aff
![Page 3: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/3.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
XSSAnd how a security tool is born!
![Page 4: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/4.jpg)
Relevant?
Web Application Security Statistics 2010 – Web Application Security Consortiumhttp://projects.webappsec.org/w/page/13246989/Web-Application-Security-Statistics
![Page 5: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/5.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Relevant in the real world?
![Page 6: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/6.jpg)
![Page 7: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/7.jpg)
![Page 8: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/8.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
A gift for pentesters
Framework security and complexity
Low hanging fruits
Time available to find bugsXSS to the rescue!
![Page 9: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/9.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Ubiquitus
Hard to patchEasy to find
![Page 10: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/10.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
In the beginning was the Alert()
![Page 11: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/11.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Where does this approach bring us?
![Page 12: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/12.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Standard customer answer"There is no risk, it's just client side"
![Page 13: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/13.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
It is our* fault
*pentesters
![Page 14: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/14.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Seeing is believing
Since user interaction is required we can avoid full real-world exploitation of the issue in the PT
![Page 15: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/15.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
WRONG!
![Page 16: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/16.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Using an Alert today vs actively exploiting the XSS is closer to running Nessus than using
Metasploit
![Page 17: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/17.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Why is this even worse?
![Page 18: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/18.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
"Oh, I've just found XSSes during this PT.
This is lame :("- The little hacker inside you
![Page 19: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/19.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
A perception mismatch
![Page 20: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/20.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
We (all of us) KNOW it is bad
We (most of us) don't feel it is "that" bad
Those (most of them) outside the community thinks it's more or less
meaningless
![Page 21: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/21.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
How do we fix this?
![Page 22: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/22.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
![Page 23: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/23.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
We build a tool!
MetaXSSploit to the rescue
Bridging the gap between Metasploit and XSS
Weaponizing XSS
![Page 24: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/24.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
The story behind MetaXSSploit
![Page 25: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/25.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
It all began one stormy night
![Page 26: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/26.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Behind the scene [1]
● I had to code a Metasploit module for an XSS vulnerability in VMware to be included in VASTO (another project)
● "Darn, I have to write everything from scratch!"● Lack of reusability of code, but the potential
was out there● Ok, let's do "something!"
![Page 27: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/27.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
I need $thisFrantic search
of $this$this does not
exist
Ok, what do I needACTUALLY?
Can it be done?Prototype
FeedbackDo you like $this?
Conference?Company?
Blog?
CodeCodeCode
Release
YES, testing happens AFTER the release!
![Page 28: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/28.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Timeline
November 2010 Had the idea
![Page 29: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/29.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Set the Goals
I will make a tool ● That I'll want to use● That other people will want to use ● That is Open Source● That can be easily extended by other people● That will speed up pentesting● That will finally allow us to store the
kowledge about XSS● That is cool enough to be presented
![Page 30: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/30.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Whenever you write new code...
Am I reinventing the wheel? Let's check!
Yes, there are relevant projects
XSSploiter
XSSer
Attack API and more...
Do they fulfill my goals?
Not easy to extend (unless you learn ALL the tool!)
It will take forever* to learn how they work
*more than 4 hours
![Page 31: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/31.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Timeline
November 2010 Had the idea
January 2011 : State of the art
![Page 32: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/32.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Draw use cases
![Page 33: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/33.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Use case – Knowledge Base
Fingerprintingthe app
Search for XSSin the knowledgebase
Create a cool demo
Point customer tothe tool
![Page 34: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/34.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Use case – Knowledge Base
Fingerprintingthe app
Create a cool demoLook up for advisory
Derive exploitCreate an
„easy enough“exploitation system
Explain to customer
Find it unpatchednext time
![Page 35: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/35.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
What about fingerprinting?
We already have some interesting project for that, like Blind Elephant
The general rule for tool building is
Solve only one problem
![Page 36: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/36.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Use case – Custom App
Find an XSS Copy Paste a module
Module readyfor next round!
Customizeand create a
new one
Deliver moduleto customer
Regression
![Page 37: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/37.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Adding some coolness
![Page 38: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/38.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Idea 1Leveraging those 100000000000 XSSes in Bugtraq so they at least serve a purpose
![Page 39: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/39.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Automatic bugtraq to MetaXSSploit
Providing XSS sample for exploitation is straightforward and most advisories will do it
Even if our method sucks badly, there are so many XSSes we are bound to have a huge library anyway
Some of these exploits end up buried and nowhere to be found after some months!
![Page 40: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/40.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Mirror Bugtraq
How
Grep keywords SucksCombine keywords
with scoringSucksless
Grep for PoCManualreview
Grep for theprod name
Huge spreadsheetto review
![Page 41: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/41.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Idea 2Automate the creation of exploits with a web
interface
![Page 42: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/42.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
How do we do it?
➔ "Look, i found an xss"➔ Go to the page➔ Fill up the fields, give us the vector ➔ Download the resulting code
➔ Request review on our side for inclusion
![Page 43: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/43.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Looks interesting
Code is quickly reviewed and added to the MetaXSSploit database
Bragging factor for newbies
Easy to code
![Page 44: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/44.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Did it work?
Yes, my POC is "more or less" working!
Cool!
So what do we do? Well, let's submit this one and wait for approval!
Approved? Ok now you'd better start coding!
![Page 45: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/45.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
TimelineNov 2010 - Idea
Jan 2011: State Art
End Jan 2011 Poc!
Feb 2011: HITB CFP
![Page 46: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/46.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Time to code
![Page 47: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/47.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Why Metasploit?
Well known, so it cuts time to learn
Big framework, so it cuts development time
Big name, instead of the 100000th tiny tool
![Page 48: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/48.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
But wait!
Andres Riancho : W3AF is now sponsored byRapid7, think about it as the Metasploit of
webapps. We are even going to have payloadsfor web applications!
Joshua J Drake: Yes, there is space for Improvements in Metasploit XSS support*
![Page 49: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/49.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Why not w3af?
It is meant to be used against server-side targets, not client side
Let's speak with the guy in charge and see if we can integrate!
no.
![Page 50: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/50.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
TimelineTimelineNov 2010 - Idea
Jan 2011: State Art
End Jan 2011 Poc!
Feb 2011: HITB CFP
18 Mar 2011: no w3af
![Page 51: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/51.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Reusing components
Metasploit has some interesting things in the Web / HTTP department, maybe?blackfire@Thor:~/Tools/Metasploit$ find ./ -type f | xargs grep 'Exploit::Remote::HttpServer' | grep -v svn | grep -v http | grep -v browser./modules/exploits/osx/armle/safari_libtiff.rb: include Msf::Exploit::Remote::HttpServer::HTML./modules/exploits/unix/webapp/mambo_cache_lite.rb: include Msf::Exploit::Remote::HttpServer::PHPInclude./modules/exploits/unix/webapp/php_include.rb: include Msf::Exploit::Remote::HttpServer::PHPInclude./modules/exploits/unix/webapp/base_qry_common.rb: include Msf::Exploit::Remote::HttpServer::PHPInclude./modules/exploits/unix/webapp/google_proxystylesheet_exec.rb: include Msf::Exploit::Remote::HttpServer./modules/exploits/windows/email/ms10_045_outlook_ref_resolve.rb: includeMsf::Exploit::Remote::HttpServer::HTML./modules/exploits/windows/email/ms10_045_outlook_ref_only.rb: include Msf::Exploit::Remote::HttpServer::HTML./modules/exploits/windows/misc/realtek_playlist.rb: include Msf::Exploit::Remote::HttpServer::HTML./modules/auxiliary/server/file_autopwn.rb: include Msf::Exploit::Remote::HttpServer::HTML./modules/auxiliary/gather/android_htmlfileprovider.rb: include Msf::Exploit::Remote::HttpServer::HTML
Looks interesting, but...
![Page 52: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/52.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Webapp attack support
In metasploit is less than rudimentary.
The tool has not been thought with XSS in mind.
Time to expand it, how do we do that?
![Page 53: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/53.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
What do we need
Deliver
Payloads
VectorModules
ObfuscatorAdaptor
Get the victim to execute the attack
Do “something“ - the current payloads are simply not suited for us.
Specifics for the actual exploit
Adapt the exploit to various browsers and make it harder to detect
![Page 54: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/54.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Delivering the exploit
To deliver our exploit we can leverage Metasploit HTML server feature
Built to exploit browsers, of course!
For this reason, let's create a new class of exploits, XSSEXPLOIT
module Exploit::Remote::HttpServer::XSSExploitinclude Msf::Exploit::Remote::HttpServer::HTML
![Page 55: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/55.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
XSSEXPLOIT
● XSSExploit provides the basic functionalities● Internal HTTP Server● Static content serving (for fake / phishing pages)● Invocation of obfuscators and encryptors● Helper methods for exploit check
All MetaXSSploit exploits include this module
![Page 56: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/56.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Basic form of deliveryUser hitting our web server
![Page 57: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/57.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
A new kind of payload
● We need to think about our new payload: how are we going to deliver?
● (most) standard metasploit payloads = execute something
● We have a number of different use cases● Redirects, POSTs, JS inclusions...
![Page 58: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/58.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
XSS Payload
● Always pure javascript code● The shorter the payload, and the smaller the
charset the better● Can be more or less everything
● Easy integration with all standard XSS-exploiting tools
● Want to integrate a new tool? Just create an XSS payload!
![Page 59: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/59.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
The modules : XSSExploits
● Have to override the vector_encapsulate method
● We want them to produce a complete string pointing to the target by leveraging the payload
● Sample:def vector_encapsulate(payload)weaponized = "http://#{datastore['RHOST']}:#{datastore['RPORT']}#{datastore['BASEPATH']}mkportal/modules/rss/handler_image.php?i=<script>#{payload}</script>"return weaponized
![Page 60: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/60.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Let us assemble everything like LEGO (tm)
![Page 61: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/61.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
![Page 62: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/62.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Putting all together
● In order to actually deliver the exploit, the encapsulated_payload is not enough
● We also need an header, a footer and a delivery vector
● Enter the wrapper
![Page 63: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/63.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
The wrapper
![Page 64: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/64.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
● No real match in the Metasploit architecture● Maybe encoders, but then we also need encoders
for all the actual encoding :{
● Implemented as a case switch in the XSS Payload main class
● In the end the wrapper will encapsulate the payload and produce a full HTML page to be served, ready to hit!
The wrapper
![Page 65: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/65.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Supporting POST
● Wrappers' behaviour has to mutate to accomodate posts● Payload encapsulation is different
● One of the handy speed-ups of MetaXSSploit● Some of the wrappers will not work with POST
![Page 66: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/66.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Demo TimeWake up NOW() please!
![Page 67: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/67.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Challenges and cool stuff[If we have time]
![Page 68: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/68.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Avoiding module sprawl
● We generated 500 different exploits: that means 500 files?!?
● Surely not! Most of them are just a line of POC, so we created a generic exploit module able to read and process that line... and just store it!
● In the end, just a text file as a database
![Page 69: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/69.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
BadChars and Encoding
● Each XSS exploit has to specify the set of chars it cannot use
● Payloads can be encoded, to a certain extend, but each payload requires a given set of chars
● Maximum size also considered● Less is better
![Page 70: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/70.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Browser Adapters
● Different browsers need slightly different payloads, and some payloads will not work with some browsers
● Browser Adapters can convert payloads● TBD :)
![Page 71: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/71.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Future development
![Page 72: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/72.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Integrating email sending
● We generate a fake page and code the email-sending on the server side
● We keep the wrapper logic, but of course we visit the page instead of the attacker
● We need a different wrapper for the final payload delivery
![Page 73: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/73.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
More! More! More!
● More modules, more encoders, more obfuscators
● The web app makes it easy to create some of them
● It is easy to enstablish a standard, turning all advisories directly into exploit modules
![Page 74: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/74.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Complex scenarios
● Most complex logic can be supported with specific modules, but not everthing is supported (e.g. Parallel execution of calls in the same exploit)
● Even if you have to custom code it, it's still MUCH clearer than any description and you can test for it again in the future quickly
![Page 75: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/75.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Summing Up
● We have built XSS support into Metasploit● You can use it to
● Leverage an existing Knowledge Base● Speed up actualy exploitation of XSSes● Build regression tests for web app
● Modules can be generated automatically via a webapp or by script
● Not avail NOW(), will be shortly (review process permettendo)
![Page 76: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/76.jpg)
Questions
![Page 77: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/77.jpg)
Thank you!
This was
MetaXSSploitBringing XSS in Pentesting
And I am : Claudio Criscione - @paradoxengine
claudio.criscione DALLE_PARTI_DI gmail.com
`
![Page 78: MetaXSSploitconference.hitb.org/hitbsecconf2011ams/materials/D1T2 - Claudio... · MetaXSSploit Bringing XSS in Pentesting A journey in building a security tool Claudio Criscione @paradoxengine](https://reader034.fdocuments.us/reader034/viewer/2022051512/603811a7cd64a00d4842a344/html5/thumbnails/78.jpg)
HITB 2011 – MetaXSSploit – Claudio Criscione
Tnx for the pictures!
http://www.flickr.com/photos/alkelda/4950272224/http://www.flickr.com/photos/john/42644763/sizes/o/http://www.flickr.com/photos/danielray/4803043617/
http://www.flickr.com/photos/zetson/3036254720/http://www.flickr.com/photos/drift-words
Roger Bissonnettehttp://www.flickr.com/photos/bri-bri