How to Detect and Exploit 99% of XSS Vulnerabilities | Content

Wed, 02 Apr 2008 16:23:40 GMT

This presentation has given in Intercon 2007 (Portcullis's internal conference), Talks about exploiting and identifying most common XSS vulnerabilities in real world.

Examples include following types,

Classic XSS Vulnerabilities
In HTML Attributes
In Comments
In Javascript Blocks
DOM Based XSS
Flash Based XSS
Direct Linking

Presentation was heavily based on demonstration, so you need to fill in the blanks.

XSS Tunnel in Action - Video | Download

Mon, 31 Mar 2008 11:08:39 GMT

/download/xsstunnelling-video.zip

XSS Tunnel | Content

Wed, 02 Apr 2008 15:12:53 GMT

What Is XSS Tunnelling?

XSS Tunnelling is the tunnelling of HTTP traffic through an XSS Channel to use virtually any application that supports HTTP proxies.

What Is XSS Tunnel?

XSS Tunnel is a standard HTTP proxy which sits on an attacker’s system. Any tool that is configured to use it will tunnel its traffic through the active XSS Channel on the XSS Shell server. The XSS Tunnel converts the request and responds transparently to validate the HTTP responses and XSS Shell requests.

Refer to XSS Tunnelling paper to read details.

Demonstration Video

Download XSS Tunnelling demonstration video. Video shows how to use XSS Tunnel to bypass NTLM by exploiting an example permanent XSS.

Download

Download package includes following files :

Binary Release of XSS Tunnel v1.0.8
.NET Solution + Source Code for XSS Tunnel v1.0.8
XSS Tunnelling White Paper
XSS Shell v0.6.2 Release (ASP files, database and documentation)

XSS Shell | Content

Mon, 10 Nov 2008 14:11:20 GMT

XSS Shell is powerful a XSS backdoor and zombie manager. This concept first presented by "XSS-Proxy - http://xss-proxy.sourceforge.net/". Normally in XSS attacks attacker has one shot, in XSS Shell you can interactively send requests and get responses from victim. you can backdoor the page.

You can steal basic auth, you can bypass IP restrictions in administration panels, you can DDoS some systems with a permanent XSS vulnerability etc. Attack possibilities are limited with ideas. Basically this tool demonstrates that you can do more with XSS.

Download

This package includes the latest version of XSS Shell and XSS Tunnel. XSS Shell can be used without XSS Tunnel, however you'll get more out of it with XSS Tunnel.

Download SS Shell and XSS Tunnel

Features

XSS Shell has several features to gain whole access over victim. Also you can simply add your own commands.

Most of the features can enable or disabled from configuration or can be tweaked from source code.

Regenerating Pages
- This is one of the key and advanced features of XSS Shell. XSS Shell re-renders the infected page and keep user in virtual environment. Thus even user click any links in the infected page he or she will be still under control! (within cross-domain restrictions) In normal XSS attacks when user leaves the page you can't do anything
- Secondly this feature keeps the session open so even victim follow an outside link from infected page session is not going to timeout and you will be still in charge.
Keylogger
Mouse Logger (click points + current DOM)
Built-in Commands;
- Get Keylogger Data
- Get Current Page (Current rendered DOM / like screenshot)
- Get Cookie
- Execute supplied javaScript (eval)
- Get Clipboard (IE only)
- Get internal IP address (Firefox + JVM only)
- Check victim's visited URL history

Installation

XSS Shell uses ASP + MS Access database as backend but you can simply port them into any other server-side solution. You just need to stick with simple communication protocol.

Install Admin Interface

Copy "xssshell" folder into your web server
Copy "db" to a secure place (below root)
Configure "database path" from "xssshell/db.asp"
Modify hard coded password in db.asp [default password is : w00t]
Now you can access admin interface from something like http://[YOURHOST]/xssshell/

Configure XSS Shell for communication;

Open xssshell.asp
2. Set "SERVER" variable to where your XSSShell folder is located. i.e: "http://[YOURHOST]/xssshell/";
3. Be sure to check "ME", "CONNECTOR", "COMMANDS_URL" variables. If you changed filenames, folder names or some kind of different configuration you need modify them.

Now open your admin interface from your browser,

To test it, just modify "sample_victim/default.asp" source code and replace "http://attacker:81/release/xssshell.js" URL with your own XSS Shell URL. Open "sample_victim" folder in some other browser and may be upload in to some other server.

Now you should see a zombie in admin interface. Just write something into "parameters" textarea and click "alert()". You should see an alert message in victim's browser.

Security Notes

As a hunter be careful about possible "Backfire" in getSelfHTML(). Someone can hack you back or track you by another XSS or XSS Shell attack.
Checkout "showdata.asp" and implement your own "filter()" function to make it safer for you.
Put "On error resume next" to db.asp, better modify your web server to not show any error.

How to Extend

First implement new feature to xssshell.asp

Add new enum for your control
- Set a name and unique number like "CMD_GETCOOKIE"
- var CMD_SAMPLE = 78;
- Set datatype for your response (generally TEXT),
- dataTypes[CMD_SAMPLE] = TEXT;
Write your function and add it to page
- function cmdSample(){return "yeah working !"}
Call it
- Go inside to "function processGivenCommand(cmd)"
- Add a new case like "case CMD_SAMPLE:"
Report it back
- Inside the case call log;
  "log(cmdSample(), dataTypes[cmd.cmd], cmd.attackID, "waitAndRun()");"

Secondly Implement it to admin interface;

In db.asp just add a new element to "Commands" array (command name, command unique number, description).

i.e. "cmdSample()",78,"Command sample ! Just returns a message"

There are parameters and lots of helper in the code. Check out other commands for reference.

Enable debug feature to debug your new commands easily.

External Libraries

moo.ajax -moofx.mad4milk.net
script.aculo.us - (http://script.aculo.us, http://mir.aculo.us)

XSS Tunnelling | Document

Wed, 02 Apr 2008 10:25:00 GMT

XSS Tunnelling is the tunnelling of HTTP traffic through an XSS Channel to use virtually any application that supports HTTP proxies. This paper explains the idea and the real world implementation.

Download Paper

Tools mentioned in the paper:

Portcullis Labs - XSS

How to Detect and Exploit 99% of XSS Vulnerabilities | Content

XSS Tunnel in Action - Video | Download

XSS Tunnel | Content

What Is XSS Tunnelling?

What Is XSS Tunnel?

Demonstration Video

Download

XSS Shell | Content

Download

Features

Installation

Install Admin Interface

Configure XSS Shell for communication;

How to Extend

External Libraries

XSS Tunnelling | Document