Posted: 03 Mar 2013 01:54 PM PST
Introduction
Cross-site scripting (XSS) vulnerabilities have been reported and exploited since the 1990s. XSS is listed third in the OWASP 2013 list of web application vulnerabilities. Cross-site scripting is a type of security vulnerability typically found in web applications that allows attackers to inject client-side script into web pages viewed by other users. The injected code executes on the client side. An XSS vulnerability can be used by an attacker to bypass the Same Origin Policy (SOP). In the past, the full potential of XSS vulnerabilities was not understood: XSS was mainly used for stealing cookies and for temporary or permanent defacements, and was not considered a high-risk vulnerability. Later, XSS tunneling and payload delivery showed the real potential of XSS. Most large websites, such as Google, Facebook, Twitter, Microsoft and Amazon, still suffer from XSS bugs even now. That is a brief introduction to XSS.
Some threats due to XSS
XSS Tunneling: With an XSS tunnel, a hacker can obtain the traffic between the victim and a web server.
Client-side code injection: A hacker can inject malicious code and execute it on the client side.
DoS: A hacker can perform DoS against a remote server or against the client itself.
Cookie Stealing: A hacker can obtain the session cookies or tokens of a victim.
Malware Spreading: A hacker can spread malware through a website that is vulnerable to XSS.
Phishing: A hacker can embed or redirect to a fake page of the website to get the login credentials of the victim.
Defacing: Temporary or permanent defacement of the web application is possible.
What is Xenotix XSS Exploit Framework?
Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in web applications. The tool can inject code into web pages that are vulnerable to XSS. It is basically a payload-list-based XSS scanner and XSS exploitation kit. It gives a penetration tester the ability to test every XSS payload in the payload list against a web application to check for XSS vulnerabilities. The tool supports both a manual mode and an automated, time-sharing-based test mode. The exploitation framework in the tool includes an XSS encoder, a victim-side XSS keystroke logger, an executable drive-by downloader, an XSS reverse shell and an XSS DDoSer. These exploitation tools help the penetration tester create proof-of-concept attacks on vulnerable web applications while preparing a penetration test report.
Features of Xenotix XSS Exploit Framework
Xenotix XSS Exploit Framework is divided into two modules:
1. Scanner Module
· Built-in XSS payloads
· HTML5-compatible payload list
· XSS Auto Mode Scanner
· XSS Multi-Parameter Scanner
· XSS Fuzzer
2. Exploitation Framework
· XSS Keylogger
· XSS Executable Drive-by Downloader
· XSS Payload Encoder
· XSS Reverse Shell
· XSS DDoSer
· XSS Cookie Thief
1. Scanner Module
It has an inbuilt XSS payload list of over 500 XSS payloads, including HTML5-compatible XSS injection payloads. Most XSS filters are implemented using a string-replace filter, an htmlentities filter or an htmlspecialchars filter. Most of these weakly designed filters can be bypassed by specific XSS payloads present in the inbuilt payload list.
The above chart shows the number of XSS payloads in the different XSS scanning tools available on the market. Xenotix XSS Exploit Framework has the world's second largest XSS payload list, after IBM AppScan Security, which has 700 million payloads.
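As an added illustration of why a string-replace blocklist is weaker than entity encoding (this is not code from the original post or from the Xenotix tool), the following Python compares a one-pass replace filter with Python's html.escape, which does the same job as PHP's htmlspecialchars, over a few constructed inputs. The inputs and the "neutralized" check are assumptions made here for the demonstration.

```python
import html
import re

# Constructed sample inputs (not from the original post): a plain script tag,
# a case variant, a nested tag that survives one pass of tag stripping, and
# an attribute break-out that contains no <script> tag at all.
SAMPLE_INPUTS = [
    '<script>alert(1)</script>',
    '<SCRIPT>alert(1)</SCRIPT>',
    '<scr<script>ipt>alert(1)</script>',
    '" onmouseover="alert(1)',
]

# Characters that can open a tag or close a quoted attribute; if any of them
# survives filtering, the value can still change the HTML structure.
_STRUCTURAL = re.compile(r'[<>"\']')


def naive_string_replace_filter(value: str) -> str:
    """Blocklist filter of the kind the post calls 'String Replace': a single
    pass that deletes the literal substrings <script> and </script>."""
    return value.replace('<script>', '').replace('</script>', '')


def html_entity_encode(value: str) -> str:
    """Context-aware output encoding for HTML text and quoted-attribute
    contexts: every structural character becomes an entity."""
    return html.escape(value, quote=True)


def is_neutralized(encoded: str) -> bool:
    """True when the encoded output contains no raw tag or quote characters,
    so it can only render as literal text inside the page."""
    return _STRUCTURAL.search(encoded) is None


def evaluate_filter(filter_fn, inputs=SAMPLE_INPUTS) -> dict:
    """Map each sample input to whether filter_fn neutralized it."""
    return {src: is_neutralized(filter_fn(src)) for src in inputs}


if __name__ == '__main__':
    for name, fn in [('naive replace', naive_string_replace_filter),
                     ('html.escape', html_entity_encode)]:
        results = evaluate_filter(fn)
        print(name, sum(results.values()), 'of', len(results), 'neutralized')
        for src, ok in results.items():
            print('  ', 'OK  ' if ok else 'FAIL', repr(fn(src)))
```

The replace filter only handles the first input; the case variant, the nested tag and the attribute break-out all pass through it untouched, while entity encoding leaves no structural character behind for any of them. The practical lesson is the one behind the "filter bypass" payloads the post mentions: encode for the output context rather than trying to enumerate bad strings.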
XSS Scanner Module
XSS Multi-Parameter Scanner
The Multi-Parameter XSS Scanner is for when you have multiple parameters to test for XSS. It extracts the different parameters from the given URL and tests them individually. It saves a lot of time, as you do not need to test each parameter separately.
XSS Fuzzer
The XSS Fuzzer is a convenient module for detecting hidden XSS as well as other vulnerabilities such as HTTP Parameter Pollution. With the Fuzzer, one can conduct out-of-the-box fuzzing to detect hidden vulnerabilities in a web application.
2. Exploitation Framework
XSS Keylogger
The tool includes an inbuilt victim-side keylogger implemented using JavaScript and PHP. The PHP is served with the help of a portable PHP server named QuickPHP by Zach Saw. A JavaScript file is injected into the web application vulnerable to XSS and presented to the victim. The script captures the keystrokes made by the victim and sends them to a PHP file, which writes the logs to a text file.
[VIDEO] https://www.youtube.com/watch?v=owfF9C_Xerw [/VIDEO]
XSS Executable Drive-by Downloader
A Java drive-by download can be implemented with Xenotix XSS Exploit Framework. It allows the attacker to download and run a malicious executable file on the victim's system without his knowledge or permission. You have to specify the URL of the malicious executable, embed the drive-by web page into an XSS-vulnerable page and serve it to the victim. When the victim views the injected page, the Java applet client.jar accesses the command prompt and, with the help of the echo command, writes a script to a Visual Basic Script file named winconfig.vbs in the temp directory (%temp%); cmd.exe then starts winconfig.vbs. The winconfig.vbs file downloads the malicious executable specified in the URL to the temp directory, renames it update.exe and finally executes update.exe. The download and execution of the malicious executable happen without the knowledge or permission of the victim.
[VIDEO] https://www.youtube.com/watch?v=i8c3kf4t6A8 [/VIDEO]
XSS Payload Encoder
The inbuilt encoder allows payloads to be encoded into different forms to bypass various filters and web application firewalls. The encoder supports Base64 encoding, URL encoding, hex encoding, HTML character conversion, character code conversion, and IP-to-dword, hex and octal conversions.
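The IP-to-dword, hex and octal conversions above work because browsers and libc accept several spellings of one IPv4 address, so a filter that compares URL hosts as strings can be walked around. As an added defensive example (not part of the original post or of Xenotix), the following Python does the inverse of that encoder: it canonicalises any inet_aton-style spelling back to dotted decimal before a host is compared against a policy list, and it flags hosts that arrive in a non-canonical form. The function names and the policy list are assumptions made here.

```python
import ipaddress
import re
from typing import Optional

# inet_aton-style spellings: each dot-separated part is decimal, octal
# (leading 0) or hexadecimal (0x prefix); with fewer than four parts the
# last part fills all remaining bytes, so "127.1" means 127.0.0.1.
_PART_RE = re.compile(r'^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$')


def _parse_part(part: str) -> Optional[int]:
    """Parse one dot-separated component, or None if it is not a number."""
    if not _PART_RE.match(part):
        return None
    if part[:2].lower() == '0x':
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == '0':
        return int(part, 8)
    return int(part, 10)


def canonical_ipv4(host: str) -> Optional[str]:
    """Return the dotted-decimal form of host if it is any IPv4 spelling
    (dotted, dword, hex, octal, or a mix), otherwise None."""
    parts = host.split('.')
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_parse_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    # Every part except the last is a single octet.
    if any(n > 255 for n in nums[:-1]):
        return None
    # The last part covers the remaining 8, 16, 24 or 32 bits.
    last_bits = 8 * (5 - len(parts))
    if nums[-1] >= 1 << last_bits:
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << last_bits) | nums[-1]
    return str(ipaddress.IPv4Address(value))


def is_obfuscated_ipv4(host: str) -> bool:
    """True when host is an IPv4 address written in a non-canonical form,
    which is worth logging on its own: legitimate clients rarely do this."""
    canon = canonical_ipv4(host)
    return canon is not None and canon != host


def host_matches(host: str, policy_hosts) -> bool:
    """Compare a URL host against a policy list with both sides canonicalised,
    so that 0x7f000001 and 2130706433 are treated as 127.0.0.1."""
    canon = canonical_ipv4(host) or host.lower()
    normalized = {canonical_ipv4(h) or h.lower() for h in policy_hosts}
    return canon in normalized


if __name__ == '__main__':
    # Constructed policy list for the demonstration.
    policy = {'127.0.0.1'}
    for h in ['127.0.0.1', '2130706433', '0x7f000001', '017700000001',
              '0x7f.0.0.1', '127.1', 'example.com']:
        print(f'{h:>14} -> {canonical_ipv4(h)!s:>10}  obfuscated={is_obfuscated_ipv4(h)}  '
              f'matches_policy={host_matches(h, policy)}')
```

The parsing rules mirror inet_aton (so "08" is rejected as an invalid octal part, and "127.1" expands to 127.0.0.1). Whether the policy list is an allowlist or a blocklist, the comparison is only meaningful after this normalisation; the same applies to the other encodings the encoder offers, which should be decoded before matching rather than matched in their encoded form.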
XSS Reverse Shell
An XSS reverse shell can be implemented with Xenotix XSS Exploit Framework. This is made possible with the help of the Java drive-by. When the XSS-vulnerable web application, exploited with the injectable scripts generated by XSS Reverse Shell, is presented to a victim, it initiates the drive-by download of a reverse-TCP-connecting shell. After the drive-by download, the reverse shell is executed by the same method used in the Java drive-by.
The advantage of this method is that the reverse shell is downloaded and executed on the victim's system without his knowledge. However, for the execution of the reverse shell, a UAC dialog pops up requesting permission to run the executable. The tool has an inbuilt listener that listens for the reverse shell. It is designed to be user friendly: all you have to do is specify the reverse connection IP and port.
[VIDEO] https://www.youtube.com/watch?v=IT-8IH3yRrA [/VIDEO]
XSS DDoSer
With HTML5 comes great power. We harness the power of HTML5 to abuse Cross-Origin Resource Sharing (CORS) and WebSocket to implement a DDoS attack. WebSocket is a technology that allows web applications to have a bidirectional channel to a URI endpoint. Sockets can send and receive data to and from a web server and respond to the opening or closing of a WebSocket. XMLHttpRequest is a JavaScript object used to exchange data between a server and a browser behind the scenes; it can be used for Cross-Origin Resource Sharing (CORS). We can perform a combined and powerful DDoS attack by abusing these two technologies. This module abuses WebSocket and creates numerous socket connections with a target server to slow it down. Along with that, by abusing CORS, the module creates numerous fake GET requests to slow down the target server. When we send the first request to the target server and the response contains the 'Access-Control-Allow-Origin' header with a value that restricts cross-site requests, the browser at times refuses to send more requests to the same URL. However, this can easily be bypassed by making every request unique, by adding a non-existent query-string parameter with changing values.
[VIDEO] https://www.youtube.com/watch?v=cgLGgVWvi9Y [/VIDEO]
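The cache-busting trick described above (a fake query-string parameter whose value changes on every request) leaves a distinctive trace on the server side: one client hitting one path many times with a query string that is never repeated and carries a parameter the endpoint does not define. As an added detection example, not part of the original post or of Xenotix, the following Python finds that pattern in common-log-format access logs. The log lines and the per-path parameter table are constructed samples, and the thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
# 203.0.113.5 sends a unique, undefined parameter on every request;
# 198.51.100.7 is an ordinary client paging through results.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Mar/2013:13:54:01 -0800] "GET /api/status?x=1k3j HTTP/1.1" 200 512
203.0.113.5 - - [03/Mar/2013:13:54:01 -0800] "GET /api/status?x=9fd2 HTTP/1.1" 200 512
203.0.113.5 - - [03/Mar/2013:13:54:01 -0800] "GET /api/status?x=77ab HTTP/1.1" 200 512
203.0.113.5 - - [03/Mar/2013:13:54:02 -0800] "GET /api/status?x=c0de HTTP/1.1" 200 512
203.0.113.5 - - [03/Mar/2013:13:54:02 -0800] "GET /api/status?x=0042 HTTP/1.1" 200 512
198.51.100.7 - - [03/Mar/2013:13:54:03 -0800] "GET /api/status?page=1 HTTP/1.1" 200 512
198.51.100.7 - - [03/Mar/2013:13:54:04 -0800] "GET /api/status?page=2 HTTP/1.1" 200 512
198.51.100.7 - - [03/Mar/2013:13:54:05 -0800] "GET /api/status?page=1 HTTP/1.1" 200 512
"""

# Constructed: the query parameters each path actually accepts. Anything else
# is a candidate cache-buster.
KNOWN_PARAMS = {'/api/status': {'page'}}

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Split one common-log-format line into client, path and query pairs."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group('target'))
    return {
        'client': m.group('client'),
        'path': target.path,
        'query': parse_qsl(target.query, keep_blank_values=True),
    }


def find_cache_busting_clients(log_text: str, known_params=KNOWN_PARAMS,
                               min_requests: int = 5,
                               min_unique_ratio: float = 0.9) -> dict:
    """Return {(client, path): stats} for client/path pairs whose query strings
    are (almost) never repeated across at least min_requests requests."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            seen[(rec['client'], rec['path'])].append(tuple(rec['query']))

    flagged = {}
    for (client, path), queries in seen.items():
        total = len(queries)
        unique = len(set(queries))
        unknown = {name for q in queries for name, _ in q} - known_params.get(path, set())
        if total >= min_requests and unique / total >= min_unique_ratio:
            flagged[(client, path)] = {
                'requests': total,
                'unique_queries': unique,
                'unknown_params': sorted(unknown),
            }
    return flagged


if __name__ == '__main__':
    for (client, path), stats in find_cache_busting_clients(SAMPLE_LOG).items():
        print(f'{client} -> {path}: {stats}')
```

In production this runs over a sliding time window rather than a whole file, and the flagged client is a candidate for rate limiting at the edge; the same statistics also make a useful WAF rule, since a parameter name that no handler reads is a strong signal on its own. On the server side, serving a correct Access-Control-Allow-Origin and Vary: Origin for genuinely cross-origin endpoints, and keeping everything else same-origin only, removes the cross-origin request path that the module relies on.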
XSS Cookie Thief
It is the traditional cookie stealer, but a bit more advanced and with a real-time cookie viewer. This module allows the pentester to create a cookie-stealing POC.
Features for the Next Build
The current version of XSS Exploit Framework is based on Internet Explorer's web page rendering engine, Trident. Since XSS behaves slightly differently in different web browsers, support for the Gecko (used by Mozilla Firefox) and WebKit (used by Chrome, Opera and Safari) rendering engines will be added in the next build. Support for XSS in POST parameters and XSS testing by modifying the headers will also be included in the next build. An XSS proxy to tunnel the victim-server traffic will be added in future builds. Automatic detection of parameters or variables vulnerable to XSS, and DOM-based XSS detection, will be added in the next build.
Conclusion
XSS in a popular website is a high-severity security threat. Xenotix XSS Exploit Framework can be used by security analysts to perform penetration tests on web applications against XSS vulnerabilities and to create POCs with the inbuilt exploitation framework. Most of the security tools related to XSS are either XSS scanners or XSS exploitation tools. Xenotix XSS Exploit Framework is the first of its kind to act both as an XSS vulnerability scanner and as an XSS exploitation framework. Bug bounty programs such as the Google Vulnerability Reward Program, Facebook Bounty, the PayPal bug bounty etc. are out there, so go XSS hunting and grab your bounty.
About Ajin Abraham
Ajin Abraham is an Information Security Researcher. He is the creator of OWASP Xenotix XSS Exploit Framework. He has published various whitepapers and tools in the field of Information Security. He is among the top 10 in Chakravyuh 2012, India's biggest ethical hacking competition. His areas of interest include web application penetration testing, coding tools, exploit development and fuzzing. He has been a speaker at many security conferences including Defcon Bangalore, India 2012, ClubHack 2012, nullcon Goa 2013, AppSec APAC 2013, Hack Miami 2013, BlackHat Europe 2013 and many more.