Advanced Cross Site Scripting: and CSRF
...
<div>User: <script>alert(document.cookie)</script></div>
Refresher: Stored XSS
● User input from a previous request is output in a page unescaped
content=<script>alert(document.cookie)</script>
...time passes...
...
<div><script>alert(document.cookie)</script></div>
The DOM (Document Object Model)
● W3C specification for HTML (and XML)
● A model representing the structure of a document
● Allows scripts (usually JavaScript) to manipulate the document
● The document is represented by a tree of nodes
○ The topmost node is called document
○ Nodes have children
● Hated by web developers everywhere
Manipulating the DOM
document.children[0].innerHTML = "<h1>OHAI!</h1>";
*It might :)
How?!
● Client-side JavaScript accesses and manipulates the DOM
● User input is taken directly from the browser
● The server might never even see the payload
○ E.g. the page 'fragment' (everything after #) is never sent to the server at all
An Example
Sources (non-exhaustive)
● The path
○ document.location.pathname (/users)
● The query string
○ document.location.search (/users?user=123&action=like)
● The page fragment
○ document.location.hash (/about#contact)
● Attacker-controlled cookies
○ document.cookie
● Attacker-controlled local storage
○ window.localStorage
● Reflected (but escaped!) input in variables
○ var user = "user\"name";
Sinks (also non-exhaustive)
● document.write(x) / document.writeln(x)
● element.innerHTML = x
● document.location.href = x
● eval(x)
● setTimeout(x)
● setInterval(x)
● $(x) (jQuery)
● script.src = x
● link.href = x (requires user interaction)
● iframe.src = x
Payload Types
● HTML-based (inject into the DOM)
○ <script>alert(document.cookie)</script>
○ <img src=x onerror=alert(document.cookie)>
● URI-based (inject into src, href attributes etc)
○ javascript:alert(document.cookie)
○ data:text/html,<script>alert(document.cookie)</script> (modern browsers block top-level navigation to data: URLs, so this mainly matters for iframe.src and similar sinks)
● Pure-JS (inject into execution sinks; e.g. eval())
○ alert(document.cookie) :)
Another Example
A Real Example
The Vulnerable Code
https://zvault.razerzone.com/redir.html?redir=javascript:alert(document.domain)
https://hackerone.com/reports/266737
Protection
● Don’t pass user input to possible sinks if you can avoid it at all
● Escape all user input
○ The escaping mechanism must depend on the context (HTML body, attribute, JavaScript string, URL)!
● Use textContent (or innerText) instead of innerHTML
○ Or document.createTextNode()
● Allowlist where possible
○ For URL sinks (href, src, location) escaping does not help: javascript: and data: are valid URLs, so allow only the schemes and hosts you expect
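The following is an added example, not code from the slides, showing what "the escaping mechanism must depend on the context" means for the sinks listed above: HTML-entity escaping for innerHTML/document.write, hex escaping for a value reflected into a JavaScript string, and scheme plus origin allowlisting (no escaping) for href/src/location sinks. It runs under Node without a DOM; the helper names and the target.example origin are this example's own assumptions.

```javascript
'use strict';
// Added example (not from the slides): context-aware output handling for
// DOM XSS sinks. Helper names are this example's own; target.example stands
// in for the application's origin.

// HTML context (innerHTML, document.write): entity-encode every character
// that can open a tag, attribute or entity.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string context (a value reflected into var user = "..."):
// hex/unicode-escape everything non-alphanumeric, so neither a quote nor a
// "</script>" inside the value can terminate the string or the script block.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? '\\x' + code.toString(16).padStart(2, '0')
                        : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL context (location.href, a.href, iframe.src, script.src): escaping cannot
// help, because javascript: and data: are syntactically valid URLs. Parse the
// value, allowlist the scheme and pin the origin. This is the kind of check
// the redir.html example above lacked.
function safeUrl(input, ownOrigin) {
  let url;
  try {
    // The WHATWG parser strips surrounding whitespace and embedded tab/newline
    // characters the same way browsers do, so "java\tscript:" and
    // " JavaScript:" normalise to javascript: here instead of slipping past
    // a regex that only looked at the raw string.
    url = new URL(String(input), ownOrigin); // relative URLs resolve against our origin
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null; // javascript:, data:, vbscript:
  if (url.origin !== ownOrigin) return null; // blocks //attacker.example and open redirects
  return url.href;
}

// All three contexts for one user-controlled name and one user-supplied URL.
function renderUser(name, profileUrl, ownOrigin) {
  const href = safeUrl(profileUrl, ownOrigin) || ownOrigin + '/';
  return [
    `<div>User: ${escapeHtml(name)}</div>`,
    `<a href="${escapeHtml(href)}">profile</a>`,
    `<script>var user = "${escapeJsString(name)}";</script>`,
  ].join('\n');
}
```

Note that safeUrl rejects rather than "cleans": stripping `javascript:` from a string and re-checking is exactly the non-recursive filtering that the evasion section below defeats.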
Basic Filter Evasion
Easily defeated!
/path#<scr<scriptipt>alert(document.cookie);</script>
/?page=javascript:eval(atob('YWxlcnQoZG9jdW1lbnQuY29va2llKTs='));
Avoiding Quotes
/?page=javascript:eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59))
Avoiding Braces
setTimeout`eval\u0028atob\u0028\u0022YWxlcnQoZG9jdW1lbnQuY29va2llKTs=\u0022\u0029\u0029`;
=>
eval(atob("YWxlcnQoZG9jdW1lbnQuY29va2llKTs="))
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals
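An added example, not part of the slides, that shows mechanically why the evasion payloads above get past a naive filter: a one-pass `<script` strip leaves `<script>` behind, a keyword filter for `alert(` never sees the base64 or char-code encoded text, and a tagged template lets `setTimeout` receive `eval(atob("..."))` without a single parenthesis or quote being typed. It runs under Node with no DOM; the filter functions are constructed stand-ins for the kind of filter being defeated, not code from any real product.

```javascript
'use strict';
// Added example (not from the slides): why the filter-evasion payloads work.
// The eval/alert sink is replaced by functions that return the string the
// sink would have executed, so nothing here runs attacker code.

// A typical "remove <script" filter. It is non-recursive, so deleting the
// inner "<script" from "<scr<scriptipt>" leaves a fresh "<script>" behind.
function naiveScriptFilter(input) {
  return input.replace(/<script/gi, '');
}

// A typical keyword filter: reject anything that mentions alert(.
// Returns true when the input is allowed through.
function naiveKeywordFilter(input) {
  return !/alert\s*\(/i.test(input);
}

// Decodes the String.fromCharCode(...) form: the argument list is plain
// code points, so the payload needs no quote characters at all.
function decodeFromCharCode(payload) {
  const m = /String\.fromCharCode\(([\d,\s]+)\)/.exec(payload);
  if (!m) throw new Error('not a fromCharCode payload');
  return String.fromCharCode(...m[1].split(',').map((n) => parseInt(n.trim(), 10)));
}

// Decodes the eval(atob('...')) form; Node has Buffer, browsers have atob().
function decodeAtob(payload) {
  const m = /eval\(atob\(['"]([A-Za-z0-9+/=]+)['"]\)\)/.exec(payload);
  if (!m) throw new Error('not an atob payload');
  return Buffer.from(m[1], 'base64').toString('utf8');
}

// What setTimeout`...` really receives. A tagged template passes the
// literal's string parts as an array, and \uXXXX escapes are already decoded
// by the time the tag runs. setTimeout then coerces the one-element array to
// a string (Array.prototype.toString joins with ",") and evaluates it.
function asSetTimeoutWouldSee(strings) {
  return String(strings);
}
function taggedPayload() {
  // \u0028 = "(", \u0022 = '"', \u0029 = ")"
  return asSetTimeoutWouldSee`eval\u0028atob\u0028\u0022YWxlcnQoZG9jdW1lbnQuY29va2llKTs=\u0022\u0029\u0029`;
}
```

The fix is not a better regex: a filter that has to reason about every encoding the JavaScript engine accepts will always lag behind the engine. Keep untrusted data out of execution sinks entirely and escape for the output context instead.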
Resources
● www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
● github.com/wisec/domxsswiki/wiki
● github.com/cure53/browser-sec-whitepaper
● prompt.ml (challenge yourself!)
● www.jsfuck.com
● tomnomnom.uk/jspayload
Anything They Can Do, Script Can Do Better
● It’s not just about stealing cookies
● Even if all cookies are httpOnly you’ve still bypassed Same Origin Policy
Same Origin Policy
● JavaScript on attacker.com can send some requests to target.com, but cannot read the responses (by default)
● target.com must opt in with a Cross Origin Resource Sharing (CORS) policy, e.g. an Access-Control-Allow-Origin header, before attacker.com can read them
● If you’ve got XSS on target.com that limitation is bypassed: your script runs as target.com
Cross Site Request Forgery
● Same Origin Policy does not stop an HTML form from submitting cross-origin
● A form on attacker.com can POST data to target.com (it just cannot read the response)
○ The user’s cookies will be sent with the request to target.com (unless the cookie is marked SameSite=Lax or Strict)
● Example attack:
○ User is logged into target.com
○ User clicks a link to attacker.com
○ A form on attacker.com POSTs data to target.com
○ The user’s cookies / credentials are sent with the request
○ The attacker has forced the user to perform an action
A Form On target.com
:)