Sunday, 23 November 2014

Web Application Security - XSS Countermeasures

As a web application user, there are a few ways to protect yourselves from XSS attacks.
The first and the most effective solution is to disable all scripting language support in your browser and email reader.
Another recommendation is to use reasonable caution while clicking links in anonymous e-mails and dubious web pages.
Proxy servers can help filter out malicious scripting in HTML. If the application accepts only expected input, then the XSS can be significantly reduced. Web servers should set the character set, and then make sure that the data they insert is free from byte sequences that are special in the specified encoding. This can typically be done by settings in the application server or web server. The server should define the character set in each html page as below.
Web pages with unspecified character-encoding work mostly because most character sets assign the same characters to byte values below 128. Some 16-bit character-encoding schemes have additional multi-byte representations for special characters such as "<. These should be checked.
The above tells the browser what character set should be used to properly display the page. In addition, most servers must also be configured to tell the browser what character set to use when submitting form data back to the server and what character set the server application should use internally. The configuration of each server for character set control is different, but is very important in understanding the process of converting data that has more than one possible representation into a "standard" canonical representation of input data. Filtering special meta characters is also important. HTML defines certain characters as "special", if they have an effect on page formatting.
(HTML body)
"<" introduces a tag.
"&" introduces a character entity.
Some browsers try to correct poorly formatted HTML and treat ">" as if it were "<".
In attributes:
double quotes mark the end of the attribute value.
single quotes mark the end of the attribute value.
"&" introduces a character entity.
(URLs)
Space, tab, and new line denote the end of the URL.
"&" denotes a character entity or separates query string parameters.
Non-ASCII characters (that is, everything above 128 in the ISO-8859-1 encoding) are not allowed in URLs.
The "%" must be filtered from input anywhere parameters encoded with HTTP escape sequences are decoded by server-side code.
Ensuring correct encoding of dynamic output can prevent malicious scripts from being passed to the user. While this is no guarantee of prevention, it can help contain the problem in certain circumstances. The application can make an explicit decision to encode un-trusted data and leave trusted data untouched, thus preserving mark-up content.
Posted by at No comments:

XSS & XSS Countermeasures

A Web application vulnerable to XSS allows a user without knowledge to send malicious data to them self through that application.
Attackers often perform XSS exploitation by making malicious URLs and tricking into clicking on them.
These links cause client side scripting languages like VBScript, JavaScript of the attackers choice to execute on the victim's browser.
XSS vulnerabilities are caused by a failure in the web application to properly validate user input.
The simplest description of cross-site scripting can be put as the attack that occurs when a user enters malicious data in a Web site. It can be as simple as posting a message that contains malicious code to a newsgroup. When another person views this message, the browser will interpret the code and execute it, often giving the attacker control of the system. Malicious scripts can also be executed automatically based on certain events, such as when a picture loads. CSS doesn't apply to any single vendor's products, instead, it can affect any software that runs on a web server.
CSS takes place as a result of the failure of the web based application to validate user supplied input, before returning it to the client system. "Cross-Site" refers to the security restrictions that the client browser usually places on data like cookies, dynamic content attributes associated with a web site. This causes the victim's browser to execute malicious code with the same permissions as the domain of the web application, an attacker can bypass the traditional document object model (DOM) security restrictions. The document object model is accessible application interface that allows client-side languages to dynamically access and modify the content, structure and style of a web page.
Cross-Site Scripting (CSS) attacks require the execution of Client-Side Languages (JavaScript, Java, VBScript, ActiveX, Flash) within a user's web environment. Cross Site Scripting can result in an attacker stealing cookies, hijacking sessions, changing of web application account settings and more. The most common web components that are vulnerable to CSS attacks include CGI scripts, search engines, interactive bulletin boards (Forums), and custom error pages with poorly written input validation routines. Also victim does need to click on a link to make the attack happen.
(Attack Example)
Example 1: The IMG tag
http://host/search/search.cgi?query=
Depending on the website setup, this generates html with the image from host2 and feeds it to the user when they click on this link. Depending on the original web page layout it may be possible to entice a user into thinking this is a valid part of the picture.
Example 2:
http://host/something.php?q=
If a user clicks on this link a JavaScript popup box displaying the site's domain name will appear. While this example isn't harmful, an attacker could create a fake form or, perhaps create something that grabs information from the user. The request above is easily questionable to a standard user but with hex, unicode, or %u windows encoding a user could be fooled into thinking this is a valid site link.
Example 3:
http://host/Inserthere
Posted by at No comments:

Download Free XSS Shell v0.3.9 - (Xss)Cross Site Scripting Backdoor Tool

Only For Educational Purpose  I Take No Responsibility Of Any Misuse.
XSS Shell v0.3.9 - Cross Site Scripting Backdoor Tool
XSS Shell is a powerful XSS backdoor which allows interactively getting control over a Cross-site Scripting (XSS) vulnerability in a web application. Demonstrates the real power and damage of Cross-site Scripting attacks.WHAT IS XSS SHELL ?
XSS Shell is powerful a XSS backdoor and zombie manager. This concept first presented by XSS-Proxy (XSS-Proxy: A tool for realtime XSS hijacking and control). Normally in XSS attacks attacker has one shot, in XSS Shell you can interactively send requests and get responses from victim, you can backdoor the page.
You can steal basic auth, you can bypass IP restrictions in administration panels, you can DDoS some systems with a permanent XSS vulnerability etc. Attack possibilities are limited with ideas. Basically this tool demonstrates that you can do more with XSS. FEATURES
XSS Shell has several features to gain whole access over victim. Also you can simply add your own commands.
Most of the features can enable or disabled from configuration or can be tweaked from source code.
Features:
Regenerating Pages
Keylogger
Mouse Logger (click points + current DOM)
Built-in Commands:
Get Keylogger Data
Get Current Page (Current rendered DOM / like screenshot)
Get Cookie
Execute supplied javaScript (eval)
Get Clipboard (IE only)
Get internal IP address (Firefox + JVM only)
Check victim’s visited URL history
DDoS
Force to Crash victim’s browser
  Install Admin Interface;

1. Copy "xssshell" folder into your web server
2. Copy "db" to a secure place (below root)
3. Configure "database path" from "xssshell/db.asp"
4. Modify hard coded password in db.asp [default password is : w00t]
5. Now you can access admin interface from something like http://[YOURHOST]/xssshell/
Configure XSS Shell for communication;
1. Open xssshell.asp
2. Set "SERVER" variable to where your XSSShell folder is located. i.e: "http://[YOURHOST]/xssshell/";
3. Be sure to check "ME", "CONNECTOR", "COMMANDS_URL" variables. If you changed filenames, folder names or some kind of different configuration you need modify them.

Now open your admin interface from your browser,
To test it, just modify "sample_victim/default.asp" source code and replace "http://attacker:81/release/xssshell.js" URL with your own XSS Shell URL. Open "sample_victim" folder in some other browser and may be upload in to some other server.

Now you should see a zombie in admin interface. Just write something into "parameters" textarea and click "alert()". You should see an alert message in victim's browser.

-------------------------
SECURITY NOTES
-------------------------
- As a hunter be careful about possible "Backfire" in getSelfHTML(). Someone can hack you back or track you by another XSS or XSS Shell attack.
    - Checkout "showdata.asp" and implement your own "filter()" function to make it safer for you.

- Put "On error resume next" to db.asp, better modify your web server to not show any error.

-------------------------
HOW CAN YOU EXTEND?
-------------------------
First implement it to xssshell.asp
    1) Add new enum for your control
        - Set a name and unique number like "CMD_GETCOOKIE"
            - var CMD_SAMPLE = 78;
     
        - Set datatype for your response (generally TEXT),
            - dataTypes[CMD_SAMPLE] = TEXT;
     
    2) Write your function and add it to page
        - function cmdSample(){return "yeah working !"}
 
    3) Call it
        - Go inside to "function processGivenCommand(cmd)"
        - Add a new case like "case CMD_SAMPLE:"
 
    4) Report it back
        - Inside the case call log;
        "log(cmdSample(), dataTypes[cmd.cmd], cmd.attackID, "waitAndRun()");"
     
Secondly Implement it to admin interface;
    - In db.asp just add a new element to "Commands" array (command name, command unique number, description).
    i.e. "cmdSample()",78,"Command sample ! Just returns a message"

There are parameters and lots of helper in the code. Check out other commands for reference.
Enable debug feature to debug your new commands easily.
-------------------------
KNOWN BUGS;
-------------------------
- Keylogger is not working on IE
- Possibly not going to work for framed pages because of frame regeneration.
- Not working on Konqueror

DOWNLOAD:
http://www.ziddu.com/download/9267912/XSSShell039.zip.html
Posted by at No comments:

Scan websites against XSS with OWASP Scrubbr v1.0

Scrubbr is a BSD-licensed database scanning tool that checks numerous database technologies for the presence of possible stored cross-site scripting attacks. The tool was partially inspired by "Scrawlr", a trimmed-down version of HP’s WebInspect which was released for free after the so-called "asprox" mass-SQL injection bot exploited hundreds of thousands of insecure ASP sites.

Download XSS Scanning Tool Here
Posted by at No comments:

XSSer v1.0 – Cross Site Scripter Framework

XSSer is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections against different applications.
It contains several options to try to bypass certain filters, and various special techniques of code injection.
New Features
Added “final remote injections” option
Cross Flash Attack!
Cross Frame Scripting
Data Control Protocol Injections
Base64 (rfc2397) PoC
OnMouseMove PoC
Browser launcher
New options menu
Pre-check system
Crawler spidering clones
More advanced statistics system
“Mana” ouput results
You can download XSSer v1.0 here:
xsser-1.0.tar.gz
Posted by at No comments:

[XSS/iFrame] Exploits

Posted by at No comments:
Subscribe to: Posts (Atom)