Friday, April 3, 2015

XSS In Real World - Part 3 (Inline JavaScript Injection)

Update: You can get the tutorial in PDF format here: 01-04-15_XSS_Tutorial_Korznikov_Alexander.pdf

This is part 3 of XSS in Real World tutorial.
Part 2 of XSS in Real World tutorial
Part 1 of XSS in Real World tutorial

The interesting thing is that this type of injection can be found on popular websites.
Even when tags and the equals character are sanitized, XSS is still possible.

If the web-site's logic (server-side or client-side, it does not matter) reflects the user's input inside the page's JavaScript, we can use it for nasty purposes :)

Simple example:
We have URL: “
1. Parameter “id” is handled by server-side logic, which checks that it is an INTEGER.
2. Parameter “style” is handled by client-side JavaScript and reflected in this context:
        var = 'blue'
If we pass the string 'blue to the “style” parameter:                //single quote followed by blue

the context becomes: var = ''blue'
This throws a JavaScript exception: SyntaxError: unterminated string literal
        ''   blue   '                //unclosed string

If the “id” parameter is instead handled by client-side code and reflected in this context:
        var = 1

the injected payload “id=1'trash” will look like:
        var = 1'trash
        That will also throw a SyntaxError exception.

If our payload looks like “style=blue\” (blue followed by a backslash):
        var = 'blue\'
        Again a SyntaxError exception, because JavaScript interprets \' as an escaped quote, so the string is never closed.

So we can build a non-invasive XSS locator:
        '" >trash\
        single quote / double quote / space / greater-than sign / string / backslash

Some examples that this locator will break:                //in case of no filtration

HTML code break:
RED: rendered as tags / BLUE: thrown out onto the screen
        <a href="'" >trash\" style="blablabla">

JavaScript SyntaxErrors:
        RED: syntax errors
        var a = "blue'" >trash\"
        a=unescape('blue'" >trash\')
        var a = 'blue'&quot; >trash\'

Sometimes the web-site logic will escape the ' or " characters, so try adding a backslash before each quote in our locator: \'\" >trash\ . As a result you may see:
        var a = 'blue\\'\\" >trash\
        \' as input becomes \\' as output, so our backslash is escaped while the quotation mark is rendered as-is.

One more thing to remember: JavaScript applies its arithmetic operators to any operands, coercing them as needed.
For example, 'ale'+'rt' (string concatenation), 'a' - 'b' or 'a' * 'b' are all valid expressions, even if the result is NaN. Google for more info :)

Examples of nasty JavaScript injections with various payloads:
        var a = 'blue'                //the original context
        var a = 'blue' - alert('xss') - ''                //alert() will be executed
        var b = ['red','blue',alert('xss'),'']
        var c = func('blue'+alert(/xss/))//)        //after “//” the rest of the line is commented out

Inline JavaScript real demo.
Our second target will be , XSS report date: 28/06/2014
To make our life easier we will need the FireBug and HackBar Firefox add-ons.
Entering our XSS locator ('">trash\) into the website's “Find Jobs” input field:

Got us to this URL:'">trash\

and as the response we get:

As you can see in FireBug's output, an exception is thrown: SyntaxError: missing } after property list.
By clicking on the green URL right after the “SyntaxError”, we get the generated JavaScript source code:

As you can see, on lines 570 and 577 the code is broken:

After the server-side logic, our XSS locator looks like: '&quot;&gt;trash\
So the " and > characters are converted to the HTML entities &quot; and &gt; respectively.

But the single quote is not converted, and that alone broke the JavaScript code.
Let's test for the other useful characters, ( ) and -, by entering this payload: '-a()-

Looks pretty good: the characters aren't converted and are passed into the generated JavaScript.

How does JavaScript understand this payload? The ' closes the string, and - subtracts the result of the a() function call.

So our final payload should look like: '-alert('XSS')-' and it should not break the execution of the generated JavaScript.

pwned again :)

That’s all folks!

Like & Share :)

Alexander Korznikov.
