Archive for September, 2006

Awakening the Sleeping Giant v1.0

Awakening the Sleeping Giant v1.0
Demystifying Cross Site Scripting Attacks
Author: David Kierznowski (david.kierznowski_at_gmail.com)
http://michaeldaw.org/projects/

Table of contents:
1.0 Introduction
2.0 Summary of paper
3.0 Entry nodes (Where)
4.0 Capabilities (Why)
5.0 Exploits (How)
6.0 Tools

1.0 Introduction:

I assume the person reading this paper will know what XSS is. This paper attempts to demystify and categorise current XSS entry nodes, attack capabilities and trends.

This paper was put together fairly quickly on a Saturday afternoon. I do not attempt to give an in-depth analysis of anything; that is what Google is for. This paper is an initial attempt to categorise and track XSS in general.

XSS attacks are gaining popularity quickly. There are loads of vulnerabilities waiting to be found. It can be both simple and difficult to prevent. It can propagate around the Internet in hours, exploit internal or private networks and offers the ability to manipulate web services for fun and profit without compromising a single system.

Feedback and corrections (if any) are most certainly welcome and encouraged. I doubt I covered everything in an hour and I doubt I would in 100.

2.0 Summary of paper

2.1 Entry Nodes
* CSS - Cascading Style Sheets
* RSS readers - RSS XSS (Sounds good)
* Flash (possibly AFLAX), ActiveX etc.
* Files - Image or other
* Phishing Attacks and other human related weaknesses
* Dynamic HTML in general including HTML tags and the DOM

2.2 Capabilities
* Internal IP address leakage
* Network Sweeping
* Port Scanning
* Browser plug in detection
* Retrieving browser history
* Cross domain forgery
* XSS for fun and profit

2.3 Exploits
* Information theft
* Operating system exploitation
* URL based exploits
* Browser Plugin Exploitation
* Worms and Trojans
* Brute force attacks
* Botnets

2.4 Tools
* http://www.gnucitizen.org/projects/attackapi

–END of Summary

3.0 Entry nodes
3.1 Applications with insufficient input validation

3.1.1 CSS - Cascading Style Sheets
Eg: MySpace worm http://namb.la/popular/tech.html

3.1.2 RSS readers - RSS XSS (Sounds good)
http://www.spidynamics.com/assets/documents/HackingFeeds.pdf#search=%22rss%20injection%22

3.1.3 Flash (possibly AFLAX), ActiveX etc.
http://www.cgisecurity.com/lib/flash-xss.htm

3.1.4 Files - Image or other
It's definitely a possibility, but I haven't seen it used.

3.1.5 Phishing Attacks and other human related weaknesses
http://www.antiphishing.org/Evolution%20of%20Phishing%20Attacks.pdf#search=%22phishing%20attacks%20and%20xss%22

3.1.6 Dynamic HTML in general including HTML tags and exploiting the DOM
eg: <script>alert(document.cookie)</script>
http://ha.ckers.org/xss.html

4.0 Capabilities (Information Available via XSS):
* Internal IP address leakage
* Network Sweeping
* Port Scanning
* Browser plug in detection
* Retrieving browser history
* Cross domain forgery
* XSS for fun and profit

5.0 Exploits:

5.1 Information theft
Stealing Cookies, login credentials, banking information etc.
http://jehiah.com/archive/xss-stealing-cookies-101
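As an added example (not from the paper or the author's projects), the Node.js code below pushes the sample payload from entry node 3.1.6 through a vulnerable and a hardened renderer, and builds the HttpOnly session cookie that leaves document.cookie (the value exploit 5.1 steals) empty to script; the cookie name and value are assumed placeholders.

```javascript
// Added example, not part of the paper: output-encode untrusted data so the
// paper's sample payload renders as inert text, and keep the session cookie
// out of document.cookie so the payload would read nothing even if it ran.
// Plain Node.js, no browser required.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                       '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

// Encode for an HTML element body or a double-quoted attribute value.
// One pass over the input, so '&' produced by the map is never re-encoded.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Entry node 3.1.6: user text reflected into the page. The vulnerable
// renderer concatenates raw input; the hardened one encodes it first.
function renderVulnerable(comment) {
  return `<p class="comment">${comment}</p>`;
}
function renderHardened(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Crude check used only to show the difference: does anything other than
// the <p> wrapper look like a tag start?
function containsForeignTag(html) {
  const inner = html.replace(/^<p class="comment">/, '').replace(/<\/p>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Exploit 5.1 mitigation: a Set-Cookie header value with HttpOnly (hidden
// from script) and Secure (HTTPS only). Name and value are placeholders.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample input: the paper's own example payload from 3.1.6.
const PAYLOAD = '<script>alert(document.cookie)</script>';

console.log(renderVulnerable(PAYLOAD)); // the script tag survives intact
console.log(renderHardened(PAYLOAD));   // shows up as literal text only
console.log(sessionCookieHeader('sid', 'constructed-session-id'));
```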

5.2 Operating system exploitation:
eg: http://p.ulh.as/xploitsdb/NT/6078.html

5.3 URL based exploits:
Attacking routers, firewalls etc
eg: /cisco/level/99/show/running/config

5.4 Browser Exploits
http://bcheck.scanit.be/bcheck/index.php

5.5 Browser Plugin Exploitation
http://ha.ckers.org/blog/20060823/detecting-firefox-extentions/

5.6 Worms
Manipulating web services
eg: MySpace worm

5.7 Brute force attacks
5.8 Cross Site forgery
http://en.wikipedia.org/wiki/Cross-site_request_forgery

5.9 Botnets

6.0 Tools
http://www.gnucitizen.org/projects/attackapi

Log 0.3 - Spook Scare

I opened my eyes and sat up. I found myself in a square room with no windows and bare white walls. My head was hurting like hell! A thinly built man stood in front of me. He was wearing a black coat. I flapped my eyelids a couple of times as my eyes attempted to focus in the brightly lit room. “Am I dead?” “No,” the man responded. His voice was deep and echoed off the walls. “It’s been too long, Michael.” “How do you know my name?” “Let’s get out of here and get a bite to eat. I’ll explain everything over dinner.”

What the hell was going on! Who was this guy! Where the heck was I? I felt a horrible sinking feeling in my stomach. This looked like some kind of prison cell. Desperately, I began listing all my activities over the past few weeks. What had I done? A ray of light suddenly yielded a possible answer. It was that damn Cross Site Scripting paper.

I had released a whitepaper on persistent XSS exploitation, titled “Awakening the Sleeping Giant”. It discussed various exploitation techniques to bypass application filtering. It also detailed an array of attack scenarios in which to utilise these exploits. This included attacks such as JavaScript port scanning and HTTP(S) brute forcing. It was now possible for script kiddies to gain access to hundreds of thousands of computer systems, using JavaScript and URL based exploits or browser based vulnerabilities. I also made the point that we may see an increase in JavaScript exploit code where shellcode is embedded within JavaScript rather than in a traditional Perl or C exploit. This would allow hackers to use Cross Site Scripting as a catalyst or vehicle to gain access to networks behind firewalls and other security mechanisms.

References:

  • http://michaeldaw.org/projects/awakening-the-sleeping-giant-v10/
  • http://en.wikipedia.org/wiki/Cross_site_scripting
  • http://www.gnucitizen.org/projects/attackapi
  • http://p.ulh.as/xploitsdb/NT/6078.html
