Jeremiah Grossman
Robert “RSnake” Hansen
Petko “pdp” D. Petkov
Anton Rager
Seth Fogie Technical Editor and Co-Author
 |
| XSS Attacks: Cross Site Scripting Exploits & Defense |
Jeremiah Grossman founded WhiteHat Security in 2001 and is currently
the Chief Technology Officer. Prior to WhiteHat, Jeremiah was an information
security officer at Yahoo! responsible for performing security reviews
on the company’s hundreds of websites. As one of the world’s busiest web
properties, with over 17,000 web servers for customer access and 600 websites,
the highest level of security was required. Before Yahoo!, Jeremiah
worked for Amgen, Inc.
A 6-year security industry veteran, Jeremiah’s research has been featured
in USA Today, NBC, and ZDNet and touched all areas of web security. He
is a world-renowned leader in web security and frequent speaker at the
Blackhat Briefings, NASA,Air Force and Technology Conference,
Washington Software Alliance, ISSA, ISACA and Defcon.
Jeremiah has developed the widely used assessment tool “WhiteHat
Arsenal,” as well as the acclaimed Web Server Fingerprinter tool and technology.
He is a founder of the Website Security Consortium (WASC) and
the Open Website Security Project (OWASP), as well as a contributing
member of the Center for Internet Security Apache Benchmark Group.
For my family who puts up with the late nights, my friends who dare to test my
PoC code, and everyone else who is now afraid to click.
Robert “RSnake” Hansen (CISSP) is the Chief Executive Officer of
SecTheory. SecTheory is a web application and network security consulting
firm. Robert has been working with web application security since the mid
90s, beginning his career in banner click fraud detection at ValueClick.
Robert has worked for Cable & Wireless heading up managed security services,
and eBay as a Sr. Global Product Manager of Trust and Safety, focusing
on anti-phishing, anti-cross site scripting and anti-virus strategies. Robert
also sits on the technical advisory board of ClickForensics and contributes to
the security strategy of several startup companies. Before SecTheory,
Robert’s career fluctuated from Sr. Security Architect, to Director of Product
Management for a publicly traded Real Estate company, giving him a great
breath of knowledge of the entire security landscape. Robert now focuses on
upcoming threats, detection circumvention and next generation security theory.
Robert is best known for founding the web application security lab at
ha.ckers.org and is more popularly known as “RSnake.” Robert is a
member of WASC, IACSP, ISSA, and contributed to the OWASP 2.0 guide.
Petko “pdp” D. Petkov is a senior IT security consultant based in
London, United Kingdom. His day-to-day work involves identifying vulnerabilities,
building attack strategies and creating attack tools and penetration
testing infrastructures. Petko is known in the underground circles as
pdp or architect but his name is well known in the IT security industry for
his strong technical background and creative thinking. He has been working
for some of the world’s top companies, providing consultancy on the latest
security vulnerabilities and attack technologies.
His latest project, GNUCITIZEN (gnucitizen.org), is one of the leading
web application security resources on-line where part of his work is disclosed
for the benefit of the public. Petko defines himself as a cool hunter
in the security circles.
He lives with his lovely girlfriend Ivana without whom his contribution
to this book would not have been possible.
Anton Rager is an independent security researcher focused on vulnerability
exploitation, VPN security and wireless security. He is best known for
his WEPCrack tool, but has also authored other security tools including
XSS-Proxy,WEPWedgie, and IKECrack. He has presented at Shmoocon,
Defcon,Toorcon, and other conferences, and was a contributing technical
editor to the book Maximum Wireless Security.
Technical Editor
and Contributing Author
Seth Fogie is the Vice President of Dallas-based Airscanner Corporation
where he oversees the research & development of security products for
mobile platforms. Seth has co-authored several books, such as Maximum
Wireless Security, Aggressive Network Self Defense, Security Warrior, and even
contributed to PSP Hacks. Seth also writes articles for various online
resources, including Pearson Education’s InformIT.com where he is acting
co-host for their security section. In addition, and as time permits, Seth
provides training on wireless and web application security and speaks at IT
and security related conferences and seminars, such as Blackhat, Defcon, and RSA.
Introduction
Cross-site scripting vulnerabilities date back to 1996 during the early days of the World
Wide Web (Web). A time when e-commerce began to take off, the bubble days of
Netscape,Yahoo, and the obnoxious blink tag. When thousands of Web pages were
under construction, littered with the little yellow street signs, and the “cool”Web sites
used Hypertext Markup Language (HTML) Frames.The JavaScript programming language
hit the scene, an unknown harbinger of cross-site scripting, which changed the
Web application security landscape forever. JavaScript enabled Web developers to create
interactive Web page effects including image rollovers, floating menus, and the despised
pop-up window. Unimpressive by today’s Asynchronous JavaScript and XML (AJAX) application standards, but hackers soon discovered a new unexplored world of possibility.
Hackers found that when unsuspecting users visited their Web pages they could forcibly
load any Web site (bank, auction, store,Web mail, and so on) into an HTML Frame within
the same browser window.Then using JavaScript, they could cross the boundary between
the two Web sites, and read from one frame into the other.They were able to pilfer usernames
and passwords typed into HTML Forms, steal cookies, or compromise any confidential
information on the screen.The media reported the problem as a Web browser
vulnerability. Netscape Communications, the dominant browser vendor, fought back by
implementing the ”same-origin policy,” a policy restricting JavaScript on one Web site from
accessing data from another. Browser hackers took this as a challenge and began uncovering
many clever ways to circumvent the restriction.
In December 1999, David Ross was working on security response for Internet Explorer
at Microsoft. He was inspired by the work of Georgi Guninski who was at the time finding
flaws in Internet Explorer’s security model. David demonstrated that Web content could
expose “Script Injection” effectively bypassing the same security guarantees bypassed by
Georgi’s Internet Explorer code flaws, but where the fault seemed to exist on the server side
instead of the client side Internet Explorer code. David described this in a Microsoft-internal
paper entitled “Script Injection.”The paper described the issue, how it’s exploited, how the
attack can be persisted using cookies, how a cross-site scripting (XSS) virus might work, and
Input/Output (I/O) filtering solutions.
Eventually this concept was shared with CERT.The goal of this was to inform the
public so that the issue would be brought to light in a responsible way and sites would get
fixed, not just at Microsoft, but also across the industry. In a discussion around mid-January,
the cross organization team chose “Cross Site Scripting” from a rather humorous list of proposals:
■ Unauthorized Site Scripting
■ Unofficial Site Scripting
■ Uniform Resource Locator (URL) Parameter Script Insertion
Wide Web (Web). A time when e-commerce began to take off, the bubble days of
Netscape,Yahoo, and the obnoxious blink tag. When thousands of Web pages were
under construction, littered with the little yellow street signs, and the “cool”Web sites
used Hypertext Markup Language (HTML) Frames.The JavaScript programming language
hit the scene, an unknown harbinger of cross-site scripting, which changed the
Web application security landscape forever. JavaScript enabled Web developers to create
interactive Web page effects including image rollovers, floating menus, and the despised
pop-up window. Unimpressive by today’s Asynchronous JavaScript and XML (AJAX) application standards, but hackers soon discovered a new unexplored world of possibility.
Hackers found that when unsuspecting users visited their Web pages they could forcibly
load any Web site (bank, auction, store,Web mail, and so on) into an HTML Frame within
the same browser window.Then using JavaScript, they could cross the boundary between
the two Web sites, and read from one frame into the other.They were able to pilfer usernames
and passwords typed into HTML Forms, steal cookies, or compromise any confidential
information on the screen.The media reported the problem as a Web browser
vulnerability. Netscape Communications, the dominant browser vendor, fought back by
implementing the ”same-origin policy,” a policy restricting JavaScript on one Web site from
accessing data from another. Browser hackers took this as a challenge and began uncovering
many clever ways to circumvent the restriction.
In December 1999, David Ross was working on security response for Internet Explorer
at Microsoft. He was inspired by the work of Georgi Guninski who was at the time finding
flaws in Internet Explorer’s security model. David demonstrated that Web content could
expose “Script Injection” effectively bypassing the same security guarantees bypassed by
Georgi’s Internet Explorer code flaws, but where the fault seemed to exist on the server side
instead of the client side Internet Explorer code. David described this in a Microsoft-internal
paper entitled “Script Injection.”The paper described the issue, how it’s exploited, how the
attack can be persisted using cookies, how a cross-site scripting (XSS) virus might work, and
Input/Output (I/O) filtering solutions.
Eventually this concept was shared with CERT.The goal of this was to inform the
public so that the issue would be brought to light in a responsible way and sites would get
fixed, not just at Microsoft, but also across the industry. In a discussion around mid-January,
the cross organization team chose “Cross Site Scripting” from a rather humorous list of proposals:
■ Unauthorized Site Scripting
■ Unofficial Site Scripting
■ Uniform Resource Locator (URL) Parameter Script Insertion
■ Cross-site Scripting
■ Synthesized Scripting
■ Fraudulent Scripting
On January 25, 2000, Microsoft met with the Computer Emergency Response Team
(CERT), various vendors (e.g., Apache, and so forth) and other interested parties at a hotel
in Bellevue,WA to discuss the concept.
David re-wrote the internal paper with the help of Ivan Brugiolo, John Coates, and
Michael Roe, so that it was suitable for public release. In coordination with CERT,
Microsoft released this paper and other materials on February 2, 2000. Sometime during the
past few years the paper was removed from Microsoft.com; however, nothing ever dies on
the Internet. It can now be found at http://ha.ckers.org/cross-site-scripting.html
During the same time, hackers of another sort made a playground of HTML chat
rooms, message boards, guest books, and Web mail providers; any place where they could
submit text laced with HTML/JavaScript into a Web site for infecting Web users.This is
where the attack name “HTML Injection” comes from.The hackers created a rudimentary
form of JavaScript malicious software (malware) that they submitted into HTML forms to
change screen names, spoof derogatory messages, steal cookies, adjust the Web page’s colors,
proclaim virus launch warnings, and other vaguely malicious digital mischief. Shortly thereafter
another variant of the same attack surfaced.With some social engineering, it was found
that by tricking a user to click on a specially crafted malicious link would yield the same
results as HTML Injection.Web users would have no means of self-defense other than to
switch off JavaScript.
Over the years what was originally considered to be cross-site scripting, became simply
known as a Web browser vulnerability with no special name. What was HTML Injection
and malicious linking are what’s now referred to as variants of cross-site scripting, or “persistent”
and “non-persistent” cross-site scripting, respectively. Unfortunately this is a big reason
why so many people are confused by the muddled terminology. Making matters worse, the
acronym “CSS” was regularly confused with another newly born browser technology already
claiming the three-letter convention, Cascading Style Sheets. Finally in the early 2000’s, a
brilliant person suggested changing the cross-site scripting acronym to “XSS” to avoid confusion.
And just like that, it stuck. XSS had its own identity. Dozens of freshly minted white
papers and a sea of vulnerability advisories flooded the space describing its potentially devastating impact. Few would listen.
Prior to 2005, the vast majority of security experts and developers paid little attention to
XSS.The focus transfixed on buffer overflows, botnets, viruses, worms, spyware, and others.
Meanwhile a million new Web servers appear globally each month turning perimeter firewalls
into swiss cheese and rendering Secure Sockets Layer (SSL) as quaint. Most believed
JavaScript, the enabler of XSS, to be a toy programming language. “It can’t root an operating
system or exploit a database, so why should I care? How dangerous could clicking on a link
or visiting a Web page really be?” In October of 2005, we got the answer. Literally overnight
the Samy Worm, the first major XSS worm, managed to shut down the popular social networking
Web site MySpace.The payload being relatively benign, the Samy Worm was
designed to spread from a single MySpace user profile page to another, finally infecting more
than a million users in only 24 hours. Suddenly the security world was wide-awake and
research into JavaScript malware exploded.
A few short months later in early 2006, JavaScript port scanners, intranet hacks,
keystroke recorders, trojan horses, and browser history stealers arrived to make a lasting
impression. Hundreds of XSS vulnerabilities were being disclosed in major Web sites and
criminals began combining in phishing scams for an effective fraud cocktail. Unsurprising
since according to WhiteHat Security more than 70 percent of Web sites are currently vulnerable.
Mitre’s Common Vulnerabilities and Exposures (CVE) project, a dictionary of publicly
known vulnerabilities in commercial and open source software products, stated XSS had
overtaken buffer overflows to become the number 1 most discovered vulnerability. XSS
arguably stands as the most potentially devastating vulnerability facing information security
and business online.Today, when audiences are asked if they’ve heard of XSS, the hands of
nearly everyone will rise.
Web Application Security
The Web is the playground of 800 million netizens, home to 100 million Web sites, and
transporter of billions of dollars everyday. International economies have become dependent
on the Web as a global phenomenon. It’s not been long since Web mail, message boards, chat
rooms, auctions, shopping, news, banking, and other Web-based software have become part
of digital life.Today, users hand over their names, addresses, social security numbers, credit
card information, phone numbers, mother’s maiden name, annual salary, date of birth, and
sometimes even their favorite color or name of their kindergarten teacher to receive financial
statements, tax records, or day trade stock. And did I mention that roughly 8 out of 10
Web sites have serious security issues putting this data at risk? Even the most secure systems
are plagued by new security threats only recently identified as Web Application Security, the
term used to describe the methods of securing web-based software.
The organizations that collect personal and private information are responsible for protecting
it from prying eyes. Nothing less than corporate reputation and personal identity is at
stake. As vital as Web application security is and has been, we need to think bigger.We’re
beyond the relative annoyances of identity theft, script kiddy defacements, and full-disclosure
antics. New Web sites are launched that control statewide power grids, operate hydroelectric
dams, fill prescriptions, administer payroll for the majority of corporate America, run corporate
networks, and manage other truly critical functions.Think of what a malicious compromise
of one of these systems could mean. It’s hard to imagine an area of information
security that’s more important.Web applications have become the easiest, most direct, and
arguably the most exploited route for system compromise.
Until recently everyone thought firewalls, SSL, intrusion detection systems, network
scanners, and passwords were the answer to network security. Security professionals borrowed
from basic military strategy where you set up a perimeter and defended it with everything
you had.The idea was to allow the good guys in and keep the bad guys out. For the
most part, the strategy was effective, that is until the Web and e-commerce forever changed
the landscape. E-commerce requires firewalls to allow in Web (port 80 Hypertext Transfer
Protocol [HTTP] and 443 Hypertext Transfer Protocol Secure sockets [HTTPS]) traffic.
Essentially meaning you have to let in the whole world and make sure they play nice.
Seemingly overnight the Internet moved from predominantly walled networks to a global ecommerce bazaar.The perimeter became porous and security administrators found themselves
without any way to protect against insecure Web applications.
Web developers are now responsible for security as well as creating applications that fuel
Web business. Fundamental software design concepts have had to change.
Prior to this transformation,
the average piece of software was utilized by a relatively small number of users.
Developers now create software that runs on Internet-accessible Web servers to provide services
for anyone, anywhere.The scope and magnitude of their software delivery has
increased exponentially, and in so doing, the security issues have also compounded. Now
hundreds of millions of users all over the globe have direct access to corporate servers, any
number of which could be malicious adversaries. New terms such as cross-site scripting,
Structured Query Language (SQL) injection, and a dozen of other new purely Web-based
attacks have to be understood and dealt with.
Screenshot
Purchase Now !
Just with Paypal
Just with Paypal
Product details
Price
|
|
|---|---|
File Size
| 6,384 KB |
Pages
|
646 p |
File Type
|
PDF format |
ISBN-10
ISBN-13 | 1-59749-154-3 978-1-59749-154-9 |
Copyright
| 2007 by Elsevier, Inc |
Table of Contents
Chapter 1 Cross-site Scripting Fundamentals. . . . . . . . . . . 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Web Application Security . . . . . . . . . . . . . . . . . . . . . . . . . .4
XML and AJAX Introduction . . . . . . . . . . . . . . . . . . . . . . . .6
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . .12
Chapter 2 The XSS Discovery Toolkit . . . . . . . . . . . . . . . . 15
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Burp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Debugging DHTML With Firefox Extensions . . . . . . . . . . .21
DOM Inspector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Web Developer Firefox Extension . . . . . . . . . . . . . . . . .26
Insert Edit HTML Picture . . . . . . . . . . . . . . . . . . . .27
XSS Example in Web Developer Web Site . . . . . . . . .28
FireBug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Analyzing HTTP Traffic with Firefox Extensions . . . . . . . . .35
LiveHTTPHeaders . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
ModifyHeaders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
TamperData . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
GreaseMonkey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
GreaseMonkey Internals . . . . . . . . . . . . . . . . . . . . . . . .47
Creating and Installing User Scripts . . . . . . . . . . . . . . . .50
PostInterpreter . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
XSS Assistant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Active Exploitation with GreaseMonkey . . . . . . . . . . . .55
Hacking with Bookmarklets . . . . . . . . . . . . . . . . . . . . . . . .57
Using Technika . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . .65
Chapter 3 XSS Theory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Getting XSS’ed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Non-persistent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
DOM-based . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
Persistent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
DOM-based XSS In Detail . . . . . . . . . . . . . . . . . . . . . . . . .75
Identifying DOM-based XSS Vulnerabilities . . . . . . . . . .76
Exploiting Non-persistent
DOM-based XSS Vulnerabilities . . . . . . . . . . . . . . . . . .80
Exploiting Persistent DOM-based XSS Vulnerabilities . . .82
Preventing DOM-based XSS Vulnerabilities . . . . . . . . . .84
Redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Redirection Services . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Referring URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
CSRF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
Flash, QuickTime, PDF, Oh My . . . . . . . . . . . . . . . . . . . . .97
Playing with Flash Fire . . . . . . . . . . . . . . . . . . . . . . . . .98
Hidden PDF Features . . . . . . . . . . . . . . . . . . . . . . . . .105
QuickTime Hacks for Fun and Profit . . . . . . . . . . . . . .116
Backdooring Image Files . . . . . . . . . . . . . . . . . . . . . . .121
HTTP Response Injection . . . . . . . . . . . . . . . . . . . . . . . .123
Source vs. DHTML Reality . . . . . . . . . . . . . . . . . . . . . . .125
Bypassing XSS Length Limitations . . . . . . . . . . . . . . . . . . .131
XSS Filter Evasion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
When Script Gets Blocked . . . . . . . . . . . . . . . . . . . . .139
Browser Peculiarities . . . . . . . . . . . . . . . . . . . . . . . . . .150
CSS Filter Evasion . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
XML Vectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Attacking Obscure Filters . . . . . . . . . . . . . . . . . . . . . .155
Encoding Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .162
Chapter 4 XSS Attack Methods . . . . . . . . . . . . . . . . . . . . 163
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
History Stealing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
JavaScript/CSS API “getComputedStyle” . . . . . . . . . . .164
Code for Firefox/Mozilla.May
Work In Other Browsers . . . . . . . . . . . . . . . . . . . . .164
Stealing Search Engine Queries . . . . . . . . . . . . . . . . . .167
JavaScript Console Error Login Checker . . . . . . . . . . .167
Intranet Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173
Exploit Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . .174
Persistent Control . . . . . . . . . . . . . . . . . . . . . . . . . . . .174
Obtaining NAT’ed IP Addresses . . . . . . . . . . . . . . .176
Port Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Blind Web Server Fingerprinting . . . . . . . . . . . . . . . . .180
Attacking the Intranet . . . . . . . . . . . . . . . . . . . . . . . . .181
XSS Defacements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .189
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190
Chapter 5 Advanced XSS Attack Vectors . . . . . . . . . . . . 191
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
DNS Pinning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Anti-DNS Pinning . . . . . . . . . . . . . . . . . . . . . . . . . . .194
Anti-Anti-DNS Pinning . . . . . . . . . . . . . . . . . . . . . . .196
Anti-anti-anti-DNS Pinning
AKA Circumventing Anti-anti-DNS Pinning . . . . . . . .196
Additional Applications of Anti-DNS Pinning . . . . . . .197
IMAP3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
MHTML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Expect Vulnerability . . . . . . . . . . . . . . . . . . . . . . . . . .207
Hacking JSON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .217
Chapter 6 XSS Exploited . . . . . . . . . . . . . . . . . . . . . . . . . 219
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .220
XSS vs. Firefox Password Manager . . . . . . . . . . . . . . . . . . .220
SeXXS Offenders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223
Equifraked . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Finding the Bug . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
Building the Exploit Code . . . . . . . . . . . . . . . . . . . . . .230
Owning the Cingular Xpress Mail User . . . . . . . . . . . . . . .232
The Xpress Mail Personal Edition Solution . . . . . . . . .232
Seven.com . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .234
The Ackid (AKA Custom Session ID) . . . . . . . . . . . . .234
The Inbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .235
The Document Folder . . . . . . . . . . . . . . . . . . . . . . . . .236
E-mail Cross-linkage . . . . . . . . . . . . . . . . . . . . . . . . . .237
CSFR Proof of Concepts . . . . . . . . . . . . . . . . . . . . . .238
Cookie Grab . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
Xpressmail Snarfer . . . . . . . . . . . . . . . . . . . . . . . . .241
Owning the Documents . . . . . . . . . . . . . . . . . . . . .248
Alternate XSS: Outside the BoXXS . . . . . . . . . . . . . . . . . .248
Owning the Owner . . . . . . . . . . . . . . . . . . . . . . . . . .249
The SILICA and CANVAS . . . . . . . . . . . . . . . . . . .249
Building the Scripted Share . . . . . . . . . . . . . . . . . . .250
Owning the Owner . . . . . . . . . . . . . . . . . . . . . . . .251
Lessons Learned and Free Advertising . . . . . . . . . . .252
Airpwned with XSS . . . . . . . . . . . . . . . . . . . . . . . . . .252
XSS Injection: XSSing Protected Systems . . . . . . . . . . .256
The Decompiled Flash Method . . . . . . . . . . . . . . . .256
Application Memory Massaging –
XSS via an Executable . . . . . . . . . . . . . . . . . . . . . .261
XSS Old School - Windows Mobile PIE 4.2 . . . . . . . . . . .262
Cross-frame Scripting Illustrated . . . . . . . . . . . . . . . . .263
XSSing Firefox Extensions . . . . . . . . . . . . . . . . . . . . . . . .267
GreaseMonkey Backdoors . . . . . . . . . . . . . . . . . . . . . .267
GreaseMonkey Bugs . . . . . . . . . . . . . . . . . . . . . . . . . .270
XSS the Backend: Snoopwned . . . . . . . . . . . . . . . . . . .275
XSS Anonymous Script Storage - TinyURL 0day . . . . .277
XSS Exploitation: Point-Click-Own with EZPhotoSales . .285
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .291
Chapter 7 Exploit Frameworks . . . . . . . . . . . . . . . . . . . . 293
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
AttackAPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
Enumerating the Client . . . . . . . . . . . . . . . . . . . . . . . .298
Attacking Networks . . . . . . . . . . . . . . . . . . . . . . . . . .307
Hijacking the Browser . . . . . . . . . . . . . . . . . . . . . . . . .315
Controlling Zombies . . . . . . . . . . . . . . . . . . . . . . . . . .319
BeEF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322
Installing and Configuring BeEF . . . . . . . . . . . . . . . . .323
Controlling Zombies . . . . . . . . . . . . . . . . . . . . . . . . . .323
BeEF Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325
Standard Browser Exploits . . . . . . . . . . . . . . . . . . . . . .327
Port Scanning with BeEF . . . . . . . . . . . . . . . . . . . . . .327
Inter-protocol Exploitation
and Communication with BeEF . . . . . . . . . . . . . . . . .328
CAL9000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330
XSS Attacks, Cheat Sheets, and Checklists . . . . . . . . . .331
Encoder, Decoders, and Miscellaneous Tools . . . . . . . . .334
HTTP Requests/Responses and Automatic Testing . . . .335
Overview of XSS-Proxy . . . . . . . . . . . . . . . . . . . . . . . . . .338
XSS-Proxy Hijacking Explained . . . . . . . . . . . . . . . . .341
Browser Hijacking Details . . . . . . . . . . . . . . . . . . . .343
Attacker Control Interface . . . . . . . . . . . . . . . . . . .346
Using XSS-Proxy: Examples . . . . . . . . . . . . . . . . . . . .347
Setting Up XSS-Proxy . . . . . . . . . . . . . . . . . . . . . .347
Injection and Initialization Vectors For XSS-Proxy .350
Handoff and CSRF With Hijacks . . . . . . . . . . . . . .352
Sage and File:// Hijack With Malicious RSS Feed .354
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .371
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .371
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .372
Chapter 8 XSS Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .376
Exponential XSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .376
XSS Warhol Worm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .379
Linear XSS Worm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380
Samy Is My Hero . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .386
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .393
Chapter 9 Preventing XSS Attacks . . . . . . . . . . . . . . . . . 395
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Input Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .400
Output Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .402
Web Browser’s Security . . . . . . . . . . . . . . . . . . . . . . . . . . .402
Browser Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . .403
Add More Security To Your Web Browser . . . . . . . . . .403
Disabling Features . . . . . . . . . . . . . . . . . . . . . . . . . . . .404
Use a Virtual Machine . . . . . . . . . . . . . . . . . . . . . . . . .404
Don’t Click On Links in E-mail, Almost Ever . . . . . . . .404
Defend your Web Mail . . . . . . . . . . . . . . . . . . . . . . . .404
Beware of Overly Long URL’s . . . . . . . . . . . . . . . . . . .404
URL Shorteners . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405
Secrets Questions and Lost Answers . . . . . . . . . . . . . . .405
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .407
Appendix A The Owned List . . . . . . . . . . . . . . . . . . . . . . 409
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
●▬▬▬▬▬❂❂❂▬▬▬▬▬●
●▬▬❂❂▬▬●
●▬❂▬●
●❂●
═════● ●═════
