Cross-Site Scripting: The Force Awakens

A talk by

Ashar Javed (@soaj1664ashar)

@

 

X OWASP Spain Chapter Meeting, 17th November 2016

Abstract

Later I will ask the answer ...

If you haven't seen Star Wars: The Force Awakens

A long time ago, in a continent far,
far away ....

XSS was discovered ...

Since then XSS is flourishing ...

"XSS is a completely solved problem (pause here) theoretically" by @mikewest

 

He said, "practically we see in the VRP at Google, the vast, vast majority of reports that we actually pay for are XSS even at Google, a company with a dedicated team doing nothing but preventing the developers inside of Google from doing whatever it is they want to be doing ... We build really interesting tools and we build out good solid templating systems and yet we still have an XSS attacks." @dotSecurity 2016

 

 

In last 2 years Google has awarded $1.2 million for #XSS ...

Web >Google

so you can roughly imagine the scale of XSS

3+ years ago I tweeted (still holds true in general)

XSS: An Epidemic

Smart Researcher(s) Already Talked about Post-XSS Era ...

I Wish ...

Credit Goes to ...

especially the dialogues because some of them exactly map to the XSS situation in the wild ...

This talk is more on the offensive/dark side ...

I saw it on my Twitter feed

At that time

Now

*.malwarebytes.org was in scope but not now ...

I realized during testing

https://forums.malwarebytes.org/ is using IPBoard

 

"xxxxxxxx'yyyyy</img was an XSS probe paylod

Injected "><img src=x onerror=prompt(1);> and found that

<, >, () and spaces were filtered as can be seen in the screen-shot

The accesskey method for XSSing in hidden field in modern browser was proposed by @garethheyes here.

Reward

SAP SuccessFactors

Breaking SAP's SuccessFactors's XSS Filter

SAP's Trademark Quote

'-confirm(1)-' was the attack payload

Thanks to SAP's SuccessFactors

The list of 90+ popular sites that're using SuccessFactors is available here and my related blog post.

A Tale of Seven Security Notes Related to SAP Enterprise Portal (formerly known as SAP NetWeaver Portal)

SAP NetWeaver Portal

XSSes in Role Upload & Short URLs (Security Note: 2173184 & CVSS Base Score 4.3)

XSS in Theme Integrity Test (Security Note:2175991  & CVSS Base Score 4.3)

XSS in Preview XML Forms (Security Note:2182154 & CVSS Base Score 3.5)

XSS Leads to DoS (Security Note: 2243373 & CVSS Base Score 5.0)

SAP took almost 9 months in releasing a patch for this unauthenticated DoS in NetWeaver Portal.

XSS in Portal Page Builder (Security Note:2219896 & CVSS Base Score 5.4)

XSS in Config Editor (Security Note:2224249 & CVSS Base Score 4.3)

XSS in ServerFrameworkCockpit (Security Note:2227310 & CVSS Base Score 4.3)

Acknowlegements

7 times listed in SAP's security researchers' acknowledgement page: http://scn.sap.com/docs/DOC-55451

Blox CMS

Blox CMS

XSS in Blox CMS Developers i.e., TownNews http://www.townnews365.com/

<img src=x onerror=confirm(1)// was the attack payload

The Easy Way to Scale an XSS

Further, clients/customers and about pages help in getting a big picture. The choice of code search engine may varies or depends upon you.

Thanks to Blox CMS

Blox CMS Updates & Acknowledgement

UserEcho

I realized during testing

http://community.townnews.com/ is using UserEcho: a solution for customer service

 

UserEcho

Thanks to UserEcho

Acknowledgement

Sage CRM

Stored XSS in Sage CRM

</script><script>confirm(1)</script> was an XSS attack payload

How to break Sage CRM's XSS filter?

We will use the force ...

Stored XSS in Sage CRM

Poski CMS

More information on their customers is available at http://www.poski.com/reference/

XSS in Poski CMS (filename was vulnerable)

Stored XSS in Poski CMS (at the time of delete op)

Find&Save

XSS in Find&Save Analytics Script

Thanks to Find&Save

Acknowledgement

Input in https://portal.office.com ends-up in a stored XSS in https://portal.azure.com. The organization name in portal Office is used as a subscription directory name in Azure portal.

XSS in Azure Portal

Reward

XSSes in SharePoint

Make sure that potentially dangerous characters like <, >and / etc are properly encoded in Unicode form in JSON . In SharePoint, I observed they're not doing this at all.

The goal is just to find the page(s)/end-point in a SharePoint site where JSON information (with potentially dangerous characters) is used/reflect on a page in unsafe manner. Soon I find one i.e., SharePoint's Team Sub-sites' description.

Team Sub-sites' Description in SharePoint

XSS in SharePoint

Reward

XSS in SharePoint's Manage Assigned Policies

This was the case where developers had missed to apply encoding in an HTML context. Now it is fixed and you can see the proper encoding ...

Reward

On https://store.office.com there is a feature in the form of clickable link called "Report this add-in". It initiates a GET request to https://support.microsoft.com. At this time, one of the GET parameter (RaVVisitTheDeveloper) holds the URL of reported add-in's. The URL points to the add-in developer's web-site.

RaVVisitTheDeveloper GET parameter

What if the URL is javascript:alert(1) ?

Insert Video feature of the WYSIWYG editor allows me to upload a Flash File that holds an XSS payload. The logged-in user can write a Wiki article on site at that time and WYSIWYG editor was part of it.

What's special about this XSS?

I reported in 2014

I received fixed email in 2016

Probe for XSS

XSS in YouTube Gaming

Reward

XSS in NetFlix

NetFlix's Sleepy Puppy Announcement

It is a reasonable assumption that NetFlix had tested Sleep Puppy on their own site before public announcement :D

Probe for XSS

XSS in Netflix

Acknowledgement

XSS in Yandex Image & Video Search

Probe for XSS

XSS in Yandex Image

XSS in Yandex Video

Acknowledgement

XSS in IKEA

Probe for XSS

XSS in IKEA

They often forgot to control </> in script context as seen in previous examples ...

Probe for XSS

XSS in Mozilla Add-Ons

Acknowledgement

#XSS: Blind Testing

How I missed 3000$ :D

Self-XSS in `rating` POST parameter in MAO

I received a message from @Paresh_parmar1

XSS in MAO Mobile Site (Edit Review Feature)

Note to Self: Check mobile site before blogging :P

XSS in Spotify

XSS in Spotify (fwdurl GET parameter (Agree Button))

Make sure as a developer, you have an eye on form's action attribute ...I mean properly encoded and/or check for redirection.

Reward

XSS in Magento

Probe for XSS

XSS in Magento

Reward

XSS in Macy's

Probe for XSS

Probe for XSS

Probe for XSS

XSS in Macy's

\ should be properly escaped or Unicode encode in script context along with other dangerous characters like ', ", <, > and / etc

The force is strong with these XSS payloads ... '-confirm`1`-' and "-confirm`1`-"

 

Why `` instead of ()? Lets see a real example(s) in the wild ...

XSS in EZDATA Analytic & Tracking Script

Code Snippet

Probe for XSS

Probe for XSS (parenthesis are filtered)

'-confirm(1)-' was XSS attack payload.

Thanks to EZDATA & ``

XSS in NFL

XSS in NBC

Many More ...

XSS in Microsoft

Probe for XSS

XSS in Microsoft

'-confirm`1`-' was the attack payload.

'-confirm`1`-' & "-confirm`1`-" are also useful if output reflection is in eventhandler(s) e.g., onmouseover onclick or onblur etc

on* reflection(s)

Demo Fiddle

Some Real Examples in the Wild ...

XSS in CBS

XSS in WBEN

Exercise: Use any code search engine & query for onblur="if(this.value=='') this.value=. This will give you vulnerable end-points ...

More Vulnerable Sites ('-confirm`1`-' or "-confirm`1`-" works like charm)

A More Interesting Case ...

Fixing this case is not easy because of the involvement of browsers' decoding order. Further, the developers should take care of the correct escaping order ... One of the SAP's NetWeaver Portal XSS (security note: 2182154) discussed earlier was related to this case.

Browsers' Decoding Order

Correct Escaping Order

A quick demo

Some Encounters with Developers

We have WAF ...

I came up with ...

 Attacker treats WAF as a speed-breaker on the road.

I found & reported ...

Make a Guess how developers fixed it ...

They fixed it by removing ()

Thanks to ES6, we have now ``

Can you spot the mistake(s)?

Note: In this case, developers're doing escaping for ' and " quotes but in an HTML context while they missed the most dangerous character in an HTML context i.e., ,<. In an HTML context, please do encoding instead of escaping.

Note: In this case, developers're doing escaping for ' and " quotes but in an attribute context. In an attribute context, please do encoding instead of escaping.

XSS in Inquirer

Note: The reflection was in input tag's value attribute but HTML comments were around the input tag. Though " has been encoded properly but HTML comments (i.e., <!--  -->) can play an important rule here.

XSS in Gazeta

We're using CSP!

CSP: A Universal Panacea?

@mikispag & @we1x already pointed out some common CSP mistakes in their talk at HITB 2016...

A recent research paper

Some CSP Policy Misconfigurations

XSS in OLX

XSS in OLX

Thanks to default-src *

Developers are doing mistake(s) in their CSP policy implementation. The question(s) arises: Is CSP's use very common & that's why noticeable mistakes? What is the current state of CSP in the wild?

In August 2014, I Tweeted

@EoinKeary said

Reining in the Web with Content Security Policy was published in WWW in April 2010 and even after six years, only less than 1% sites're using CSP ... Imagine how many resources browser vendors have invested in CSP. Something somewhere is wrong ...

 

Is it complexity of CSP? Is it willingness of developers to use it or not? Is business pressure still a thing?

 

I personally believe that CSP will never ever fly (you may disagree)

 

 

CSP restricts contents on a web page based on whitelist and whitelist is better than blacklist ...

But wait ...

"scared of whitelist" ...

Is legacy and/or 3rd party JavaScript libraries only Google's problem?

The sites like Google (some products), Facebook, Twitter, Dropbox and GitHub etc are using CSP but isn't ...

 

 

 

"Web is bigger than these sites"

 

 

They (elites) talk about strict-dynamic and require-sri-for but in the wild sites (e.g., http://papa.me/, https://54.173.252.19/signup and http://158.69.53.157:3000/ ) are still using X-WebKit-Policy (a deprecated (in October 2013) Chrome-based CSP header)

Future of XSS

No one knows but recently ...

XSS in Wind Turbine

XSS is everyone's problem

No Time to show hundreds of #XSSes in big names ... May be next time :D

Conclusion

XSS: The force awakens ...

It's true. All of it. The dark side

Thanks to Darth Vader (@DepressedDarth) for image(s)/meme(s)