Module 46 (XSS and Browser Exploitation)

Size: px

Start display at page:

Download "Module 46 (XSS and Browser Exploitation)"

Frank Palmer
5 years ago
Views:

1 Module 46 (XSS and Browser Exploitation) In this Module, you'll become familiar with Cross-Site Scripting (XSS). You'll find out about both persistent and reflected XSS.You'll see how XSS can be used to encourage users to engage in unsafe behavior. You'll also be introduced to the Browser Exploitation Framework (BeEF) and see the wide range of capabilities it supports. Module 46 1/16

2 What is Cross-Site Scripting (XSS)? Cross-Site Scripting is an injection problem in which an attacker injects a malicious script into a web site. Two varieties of Cross-Site Scripting: Persistent Script is permanently stored on the target server, typically in a database. Reflected User is presented with a link to the server that includes script elements that will be reflected back by the server and presented to the user's browser. Module 46 2/16

3 XSS Is Injection XSS injects malicious code into a web page. The web page is rendered by a browser The browser executes the malicious code. Module 46 3/16

4 Let's Look At These in Mutillidae In Mutillidae, select from the let context menu: OWASP Top 10 A1 - Other Injection HTML Injection (HTMLi) Add to your blog Experimentation shows the window allows html tags to be input. This is potentially dangerous and should generally be avoided by web apps. We can put more interesting html in there (forms for example) Module 46 4/16

5 Add to Your Blog Page Module 46 5/16

6 Consider Inserting This Script <div class="signin-box" style="position:absolute;left:400px; top:175px;width:400px;margin-left:auto;margin-right:auto;float:left;"> <h1>sorry. An error occurred</h1> <h2>please sign in again</h2> <form method="post" action="index.php?page=capture-data.php" id="loginform" novalidate=""> <div class=" -div"> <label for=" "> <strong class=" -label">username</strong></label> <input type=" " value="" id=" " name=" "> </div> <div class="passwd-div"> <label for="passwd"> <strong class="passwd-label">password</strong></label> <input type="password" id="passwd" name="passwd"> </div> <input type="submit" value="sign in" id="signin" name="signin" class="g-button g-button submit"> </form> </div> Module 46 6/16

7 Result of This XSS Example Module 46 7/16

8 Ways to Eliminate This Problem Validate the form of data on the server side (not the client side). Avoid putting it in the database. When displaying information, present symbols that can appear in scripts as literal characters rather than presenting them in a way that the browser will evaluate. Black-lists is a poor method of addressing this: Standards will change (new tags, etc.) Database can be modified directly to include malicious content. Module 46 8/16

9 Reflective Injection In contrast to persistent injection, reflective injection does not leave a script stored on the web server. Example: OWASP Top 10 A1 - Other Injection HTML Injection (HTMLi) DNS Lookup Module 46 9/16

10 Delivering Reflective XSS Often delivered via Phishing attacks. Obfuscated URLs containing scripts may be transmitted via . A link on a web page may have the onclick method bound to a function that rewrites the link. A QR code may purport to go to a trustworthy website but through a route that inserts a script into POST or GET parameters. Module 46 10/16

11 BeEF Browser Exploitation Framework BeEF developed by Wade Alcorn of bindshell.com Platform for generating and delivering payloads directly to the browser. Goes beyond typical XSS and provides a robust platform for penetration testing. Modules supporting Interprocess communication and exploitation, history gathering, intelligence, network recon, host information gathering, browser plugin detection, persistence, exploits. Module 46 11/16

12 Beef Structure Beef Console Beef Server Zombie Zombie Zombie Module 46 12/16

13 How Does Beef Hook Browsers Browser must execute hook.js on the Beef Server. How does one get someone to execute this hook? Deliver hook via persistent or reflected xss. BeEF supports mobile browsers and QR codes. Module 46 13/16

14 Beef UI Login Screen Module 46 14/16

15 Sample Hook Page Module 46 15/16

16 Commands Remotely Executed On Browser Module 46 16/16

CSCE 813 Internet Security Case Study II: XSS

CSCE 813 Internet Security Case Study II: XSS Professor Lisa Luo Fall 2017 Outline Cross-site Scripting (XSS) Attacks Prevention 2 What is XSS? Cross-site scripting (XSS) is a code injection attack that