Advanced XSS


Advanced Cross Site Scripting

by Gavin Zuchlinski
http://libox.net/
10/16/2003
Table of Contents
Introduction
POST Method
Expansion on POST: secure areas
Generalized client automation
Prevention
Introduction
I recently read in an article the incorrect statement that cross site
scripting (XSS) can not be exploited if the POST method is used
instead of GET, which is completely false. The method used to exploit
POST variables may also be modified to allow for more advanced
timing attacks which could allow an attacker to gain access to areas
that require the user to log in to a password protected area. When
coupled with social engineering this method becomes an extremely
reliable tool for attackers to gain access to secured areas via account
hijacking.
In typical cross site scripting the target views a website which
contains code inserted into the HTML which was not written by the
website designer or administrator. This bypasses the document object
model which was intended to protect domain specific cookies
(sessions, settings, etc.). In most instances the target is sent a link to
a website on the server on which the target has a legitimate account, and
by viewing that website the attacker's malicious code is executed
(commonly javascript to send the user's cookie to a third party server,
in effect stealing their session and their account). This was a quick
overview of cross site scripting and a solid foundation is needed
before proceeding; my recommended reading is iDefense's XSS article
(google.com). The attack presented below in conjunction with
iDefense's method of attack automation makes for a very powerful
combination.
NOTE (October 17 2003) - Sverre Huseby has brought to my attention
that the generalized version of the attack is not unique; it was discovered
first by Jim Fulton
(http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan),
without my knowledge.
POST Method
Because POST variables are sent separate from the actual website URL, a
direct attack from the target clicking on the malicious link and
directly accessing the server vulnerable to the XSS attack is not
possible (as far as I know). This is opposed to a GET request where
the variable arguments are stored in the URL, such as
http://www.google.com/search?hl=en&q=xss where the variables hl
and q are seen in the URL. The implications of variables being sent in
this manner are not in the scope of this article, but the POST method
sends variables in the body of the HTTP request and they are not integrated in the URL
as is the case with GET.
To exploit a web page with a cross site scripting vulnerability via a
GET variable a URL in the form of
http://vulnerable.com/search?q=<script>alert(document.cookie)
</script> is composed. This URL is then sent to the target; upon
clicking the URL they are taken to vulnerable.com's handy search
engine (not to mention the dual HTML rendering within their site
functionality) and the target receives a javascript pop up with their
session cookie.
Creating exploits for POST requests is only trivially more difficult:
an intermediary web page is needed which will hold code that will
force the client web browser into making the POST request to the
vulnerable server. This is trivially done via a form (with method POST
and action of the target script) and javascript code which will
automatically submit the form on page load. See example code block
below.
<form method="POST" action="http://vulnerable.com/search"
name="explForm">
<input type=hidden name=q value="<script>alert
(document.cookie)</script>">
</form>
<script language="javascript">
setTimeout('explForm.submit()', 1);
</script>
One millisecond after the page containing this code is loaded the form
(completely invisible in the rendered HTML) is submitted. In this case
you have a simple search for "<script>alert(document.cookie)
</script>" done on vulnerable.com's search engine (and consequently
a javascript alert appears because, for the sake of this paper,
vulnerable.com's search engine is vulnerable to a cross site scripting
attack). The above code can be easily changed if the target script
requires variables to be GET: change method="POST" to
method="GET". The above code can be placed on a static web page
on a web server controlled by the attacker and then the link sent to
the target. Another vector to deliver the form and javascript to the
target is via a site vulnerable to XSS through a GET request.
In either case above the attacker sends the target the malicious web
page, the malicious web page forms the request and the request is
sent to the vulnerable server. This advances the classical cross site
scripting attack from a single hop (target --> page within vulnerable
website containing inserted code) to two hops (target --> intermediary
request formulation page --> page within vulnerable website
containing inserted code).
Expansion on POST: secure areas
The problem of password protected areas also arises, where a
password is required every time the user accesses the website. In
many websites which require secure client access the cookie is not
persistent, to prevent further users on the computer from logging in to
the account.
Building upon the code presented above we can circumvent any such
restrictions and still steal the session cookie for the temporary
session. Unfortunately the time window in which attacks can take
place is in many cases very small; with the help of iDefense's idea of
automating attacks this small time window is no longer an issue. By
adding code on the intermediary web page which opens a new
window with the login prompt the user may now log in to the secured
area (some social engineering might be required in order to force the
user to log in). See code below.
<form method="POST" action="http://vulnerable.com/search"
name="explForm">
<input type=hidden name=q value="<script>alert
(document.cookie)</script>">
</form>
<script language="javascript">
window.open('http://vulnerable.com/secure_login');
setTimeout('explForm.submit()', 100000);
</script>
Note: the changes from the previous code (displayed in bold in the original) are the window.open call and the longer setTimeout delay.
With the intermediary web page still in the background, the form
submission may now be timed to allow the user to log in successfully
before the exploit is sent. To change the time until the form is
submitted change the second argument of the setTimeout function;
this is the time in milliseconds until the javascript code in argument
one is executed. With the user successfully logged in via a child window
of the intermediary web page, when the form on the intermediary web
page is submitted the form will go directly to the problematic script,
the malicious code is inserted, and the user session may be stolen.
Using an intermediary for exploitation slightly increases the
complexity of a successful attack but allows for a high degree of
flexibility: any variable that is used on a dynamically created web
page which does not sanitize HTML markup is vulnerable to cross site
scripting.
Generalized Client Automation
Generalizing on the above technique brings to light another, and in
some cases a very serious, vulnerability. The proposed technique
allows an attacker to fill out forms with data they specify and submit
them automatically under the context of the client. Any forms which
accept data from the client, assuming they in fact entered the data
they are submitting, are vulnerable.
This arises when the form itself is dependent only on static or
predictable information (information given to a third party site, such
as the referrer, can help in prediction). Using the method of exploitation
presented above, client automation of form submission is a trivial
task.
<form method="POST"
action="http://vulnerable.com/changeMailSettings" name="f">
<input type=hidden name=reply_to value="attacker@h0x.com">
<input type=hidden name=signature value='<a
href=http://h0x.com/exploit.htm>Click here</a> for a free
computer security test, trust me, I used it and was
amazed!'>
</form>
<script language="javascript">
f.submit();
</script>
An interesting use of this would be the creation of a webmail
signature virus. Using the techniques presented above the attacker
could compose a web page that when visited would automate the
form which changes the signature sent out on emails to contain the
link to the malicious page itself. Every time a user "infected" with the
signature virus sent an email they would unknowingly also
send along text and a link persuading the next victim to also click it,
and become infected. Easy automated spamming? Yes.
Hotmail and Yahoo! Mail have both been tested for this vulnerability
and they are secure against it; however each appears to have
combated the flaw in very different ways. Hotmail uses a simple
referrer check: if the referrer is not from an authorized Hotmail page
the user is sent directly to a login page. Yahoo enacted a very novel
approach to fix the problem: on each form there is a hidden value
named ".crumb" which is related to the cookie. All protection against
this flaw lies within the crumb; if the crumb can be predicted without
the cookie then Yahoo is vulnerable to this flaw.
Prevention
Because the generalized client automation attack is very simple at the
server end (ideally the server views only a legitimate request by the
client) it is somewhat more difficult to prevent. Due to the fact that
the client forms the request at their browser, HTTP Referrer headers
can be trusted and should be validated to ensure they come from an
internal script inside the system. Referrer checking assumes however
that the attacker can not insert arbitrary HTML into any of the
trusted scripts, though such an attack would be considered cross site
scripting and separate from this.
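The two defences the paper describes for the client automation attack, Hotmail's referrer check and Yahoo's cookie-bound ".crumb", as one server-side gate. This is an added example, not code from the paper or from either webmail service; the key, host name, cookie name and field names are assumptions, and the crumb is implemented here as an HMAC over the session cookie and form name.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed values for this example. A real server keeps the key in
# server-side configuration and never sends it to the browser.
SERVER_KEY = b"constructed-server-secret-key"
SITE_HOST = "vulnerable.com"


def make_crumb(session_cookie: str, form_name: str) -> str:
    """Hidden form value in the spirit of the '.crumb' described above:
    an HMAC over the session cookie and the form name. A page on another
    site can build the form but cannot read the victim's cookie, so it
    cannot compute the crumb."""
    msg = f"{form_name}:{session_cookie}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def referrer_is_internal(headers: dict) -> bool:
    """Referrer check as the paper describes Hotmail's: the Referer header
    must name this site; a missing or foreign one fails."""
    ref = headers.get("Referer", "")
    return urlsplit(ref).hostname == SITE_HOST


def accept_form_post(headers: dict, cookies: dict, fields: dict,
                     form_name: str) -> bool:
    """Gate for a state-changing POST such as the changeMailSettings form.
    The crumb proves the form was issued to this session; the referrer
    check rejects requests formed on a third-party page. Both must pass."""
    session = cookies.get("session")
    if not session:
        return False
    expected = make_crumb(session, form_name)
    sent = fields.get(".crumb", "")
    # constant-time comparison so the crumb cannot be guessed byte by byte
    if not hmac.compare_digest(expected, sent):
        return False
    return referrer_is_internal(headers)


if __name__ == "__main__":
    sess = "constructed-session-id"
    legit = {".crumb": make_crumb(sess, "changeMailSettings"),
             "reply_to": "me@example.com"}
    forged = {"reply_to": "attacker@h0x.com"}  # auto-submitted form, no crumb
    print(accept_form_post({"Referer": "http://vulnerable.com/settings"},
                           {"session": sess}, legit, "changeMailSettings"))
    print(accept_form_post({"Referer": "http://h0x.com/exploit.htm"},
                           {"session": sess}, forged, "changeMailSettings"))
```

The crumb is the stronger of the two checks: it holds even when the browser sends no Referer at all, whereas the referrer check alone rejects such requests outright.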
At the very minimum, to protect against cross site scripting attacks
user input must be stripped of any potentially dangerous characters
such as < > " &. As any conscientious security professional would do,
I must preach the importance of the whitelisting approach over
blacklisting; in whitelisting only explicitly allowed characters are
permitted in the input. It appears that all security vulnerabilities stem
from user input; "Hello world" can not be exploited unless the
attacker can manage in some form to input data. This should lead us
to believe that it is trivial to ensure security (in a large number of
cases, but not all) by validating user input to a strict form.
Regular expressions are extremely powerful for the task of
whitelisting characters and validating that data does in fact conform
to the form standards (include length constraints also in the concept
of form). Once data is validated to a set of criteria, security analysis is
purely creative thinking about how the criteria may be manipulated to let
through specific items they should not.
Another option to aid in the prevention of security flaws is a project I
am affiliated with, currently code named Nirvana. This project is
devoted to the creation of user input filters and validation functions to help
developers create secure code faster. The project page is now housed
at http://libox.net/sanitize.php but will soon be moving to
http://www.owasp.org.
My home on the web is http://libox.net/; the most current version of
this document may be found there.
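The whitelisting approach above, worked through for the paper's two forms: each field gets a regular expression of allowed characters and a length limit, and the reflected search term is entity-encoded on output rather than merely stripped. This is an added example and not the Nirvana project's code; the field patterns and limits are constructed for illustration.

```python
import html
import re

# Form definitions in the paper's sense: for every field, the characters
# that are allowed and the maximum length. Patterns and limits are
# constructed for this example.
FORMS = {
    "search": {
        "q": (re.compile(r"[A-Za-z0-9 ]*"), 64),
    },
    "changeMailSettings": {
        "reply_to": (re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+"), 128),
        "signature": (re.compile(r"[A-Za-z0-9 .,!'-]*"), 200),
    },
}


def validate(form_name: str, submitted: dict) -> tuple:
    """Whitelist validation: unknown fields, over-long values and values that
    do not match the field's pattern in full are all rejected. Returns
    (ok, list_of_errors)."""
    spec = FORMS[form_name]
    errors = []
    for name in submitted:
        if name not in spec:
            errors.append(f"unexpected field {name!r}")
    for name, (pattern, max_len) in spec.items():
        value = submitted.get(name, "")
        if len(value) > max_len:
            errors.append(f"{name}: longer than {max_len} characters")
        elif pattern.fullmatch(value) is None:  # fullmatch, never search()
            errors.append(f"{name}: disallowed characters")
    return (not errors, errors)


def render_search(q: str) -> str:
    """Reflect the query into HTML safely: encode < > & " ' as entities so a
    value that slipped past validation still cannot close the context."""
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"
```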
