Perseverance of an Old-School Classic
We are still discussing cross-site scripting in 2011? Are you kidding me? Why? Because of the pop-up alert bandits? Because of session attacks? The fact is, the answer is pretty simple: XSS vulnerabilities are still bad news, and they can still be found everywhere you turn.
Cross-site scripting (XSS) is still the most widespread web vulnerability out there. Most web applications contain XSS vulnerabilities, and despite the ever-growing number of attacks and the enormous publicity these vulnerabilities receive, most site owners fail to identify and resolve them. They therefore become enablers for the malicious individuals who prey upon the visitors of these trusted yet vulnerable sites.
XSS vulnerabilities basically occur when:
- Untrusted data (user input) enters the application through an HTTP request (query parameters, POST data, and so on). This data is either stored within the application or simply reflected in the HTTP response.
- The web application uses the entered data, without proper encoding, while generating a dynamic page.
- An unsuspecting user then visits the newly generated page, which contains the potentially dangerous active content, and that content executes within their browser.
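As an added illustration of the three steps above (example code, not from the original article), the following JavaScript models a search page that reflects a request parameter. The vulnerable render function copies the untrusted value straight into the HTML; the hardened one applies HTML entity encoding on output. The function names, the probe string and the small tag-detection heuristic are all constructed for this example.

```javascript
// Added example (not from the original article): minimal model of reflected
// XSS and its standard mitigation, output encoding for the HTML text context.

// Encode the five characters that matter in an HTML text node / attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Step 1 + 2 (vulnerable): the untrusted "q" parameter is placed into the
// page unchanged, so any markup it carries becomes part of the document.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Step 2 (mitigated): encode at the point of output, in the context where
// the data lands (here, HTML body text).
function renderSearchEscaped(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Step 3 check (demo heuristic only, not a general XSS detector): did any
// element other than the template's own <p> survive into the rendered page?
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?p>$/.test(t));
}

// Constructed sample inputs: a benign query and the classic harmless probe
// string testers use to confirm that input is reflected unencoded.
const benignQuery = 'blue widgets';
const probeQuery = '<script>alert(1)</script>';

console.log(renderSearchVulnerable(probeQuery));
console.log('vulnerable page carries injected tag:', containsInjectedTag(renderSearchVulnerable(probeQuery)));
console.log(renderSearchEscaped(probeQuery));
console.log('escaped page carries injected tag:', containsInjectedTag(renderSearchEscaped(probeQuery)));
```

The point to take from the example is that the fix lives at output time and is context-specific: the same value placed into a JavaScript string, a URL or an attribute needs the encoding rules of that context, not the HTML-text rules shown here.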
The Underrated Vulnerability
Historically, the perceived effects of XSS vulnerabilities have been limited to session hijacking and/or cookie stealing, partly because little imagination has gone into understanding how these vulnerabilities can be used and what their impact is. In fact, many IT professionals have misunderstood and/or misrepresented XSS solely as an attack against users and user authentication/authorization, with minimal impact to an organization. It is true that XSS may be easily exploited to hijack a user's session or harvest cookies. For example, many applications store a reference to the server-side session in a cookie (e.g., JSESSIONID). If XSS is used to harvest and store this cookie value, an attacker may be able to forge the user's session and in effect take it over.
The consequences of XSS are not limited to a user's account on some application, and in most cases the impact of the vulnerability extends well beyond a single user's data or PC. Because a user brings countless client-side components to the web application environment, the available attack surface quickly broadens to include any reachable data, their personal computer, any connected networks, and their mobile devices. XSS vulnerabilities open the gates for malicious users, and an attacker who is well versed in social engineering tactics and equally inventive with attack vectors will easily be able to:
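The session-cookie case mentioned above has a well-known server-side control: marking the session cookie HttpOnly (so page scripts cannot read it through document.cookie) and Secure (so it is only sent over HTTPS). The following JavaScript, added here as an example and not part of the original article, parses Set-Cookie header values and reports which cookies a script could read and which session cookies are missing those attributes. The function names and the sample header values are constructed for this example; the cookie names are the common defaults of a few platforms.

```javascript
// Added example (not from the original article): audit Set-Cookie headers
// for the attributes that limit what an XSS payload can do with a session.

// Parse one Set-Cookie header value into name, value and lowercased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1);
  }
  return { name, value, attrs };
}

// Names of cookies a page script would see in document.cookie, i.e. every
// cookie that was set without HttpOnly.
function scriptReadableCookies(headers) {
  return headers.map(parseSetCookie).filter((c) => !c.attrs.httponly).map((c) => c.name);
}

// Session cookies (matched by well-known default names) lacking HttpOnly or Secure.
const DEFAULT_SESSION_NAMES = ['JSESSIONID', 'PHPSESSID', 'ASP.NET_SessionId'];
function auditSessionCookies(headers, sessionNames = DEFAULT_SESSION_NAMES) {
  const findings = [];
  for (const c of headers.map(parseSetCookie)) {
    if (!sessionNames.includes(c.name)) continue;
    if (!c.attrs.httponly) findings.push(`${c.name}: missing HttpOnly`);
    if (!c.attrs.secure) findings.push(`${c.name}: missing Secure`);
  }
  return findings;
}

// Build a hardened Set-Cookie value for a session identifier.
function hardenedSessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample headers (the values are placeholders, not real sessions).
const sampleHeaders = [
  'JSESSIONID=PLACEHOLDER1234; Path=/app',
  'theme=dark; Path=/',
  hardenedSessionCookie('JSESSIONID', 'PLACEHOLDER5678'),
];

console.log('readable from script:', scriptReadableCookies(sampleHeaders));
console.log('findings:', auditSessionCookies(sampleHeaders));
```

HttpOnly only removes the cookie-theft angle; a script running in the victim's page can still issue requests that carry the cookie automatically, which is why the rest of the impact list in this section still applies even with hardened cookies.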
- Steal or take over a user session, which often belongs to a privileged user
- Perform any task the application permits that user, which often includes harvesting intellectual property
- Monitor a user’s activities
- Scrape sensitive information from the browser
- Execute arbitrary code on the client PC
- Take full control of the client PC
- Attack the network(s) connected to the client PC
- Browse through the victim's remote browser
- Launch countless other attacks associated with XSS
XSS Exploitation Frameworks
As pentesters and malicious individuals find applications vulnerable to cross-site scripting, many tools and exploitation frameworks are available to make exploitation easier, more effective, and more comprehensive. A few of the latest XSS frameworks are listed here:
XSSF is integrated into the Metasploit Framework. It manages the victims of a generic XSS attack and keeps an existing connection with the client open in order to allow future attacks, including Metasploit modules.
Social Engineering Toolkit (SET) is a Python-driven suite of custom tools that focuses on attacking the human element in penetration testing. Its main purpose is to augment and simulate social-engineering attacks and allow the tester to effectively test how a targeted attack may succeed. SET is a menu-driven attack system that guides a tester through the vulnerability validation process.
In part II, I will offer a walkthrough or proof-of-concept of a high impact cross-site scripting exploit using the Social Engineering Toolkit (SET) to gain a reverse shell on an application user's Windows laptop.