This is the presentation I used at the National Conference on “Current Scenario & Emerging trends in Information Technology" held at MSIT in march 2013. Here is the link to the whitepaper : http://www.exploit-db.com/wp-content/themes/exploit/docs/24559.pdf

1. Post XSS Exploitation
Advanced Attacks and Remedies
By
Ms. Kritika Sobti
Mr. Adwiteeya Agrawal

2. Introduction to XSS
• Definition :
Cross Site Scripting is a web application vulnerability which
enables us to execute scripts by passing them as input
variables. Here the parameters aren't sanitized.
• Types of XSS
1. Reflected
2. Stored
3. DOM based

3. Reflected XSS
Input : XSS
Output : Search Result
Input:
<script>alert(“XSS”)</script>
Output : Script Executed

4. Stored XSS
Certain Parameters that are permanently stored on the website
Script entered as those parameters and hence executed whenever viewed.

5. DOM based XSS
DOM Based XSS is an XSS attack wherein the script is executed as a
result of modifying the DOM “environment” in the victim’s browser.

6. What is POST XSS Exploitation?
• Combining XSS vulnerability with other web
applications vulnerabilities to execute even more
dangerous attacks.
• Some Of the Attacks :
1. Android file stealing.
2. URI scheme for Skype on IOS.
3. HTML5 Vulnerabilities.
4. IRC NAT pinning and Geo-location.
5. Our New Module

7. Android File Stealing
Android 2.2 user visits a link that initiates a download of a file xyz.html
The user is not notified and file is saved at sdcard/downloads
Javascript is used to access the downloaded file and
other files in the same local context.

8. Skype’s Improper URI scheme on IOS
Using embeddable webkit on IOS, combined with URI schemes of third party applications,
skype allows a call to be made with just the following URI :
skype://1900expensivepremiumnumber?call
The Skype application developed for iOS
uses a locally stored HTML file to display
chat messages from other Skype users,
but it fails to properly encode the
incoming user's "Full Name", allowing an
attacker to craft malicious JavaScript code
that runs when the victim views the
message.

9. HTML5 Vulnerabilities(1)
• Using API the way it is not meant be
HTML5 has two APIs for making cross domain calls - Cross Origin Requests
and WebSockets. By using these, JavaScript can make connections to any
IP and to any port(apart from blocked ports), making them an ideal
candidate for port scanning. These API's can be exploited to determine if
the port being connected to is open, closed or filtered.

10. HTML5 Vulnerabilities (2)
• Using API the way it is not meant be
The File API in HTML5 allows JavaScript to access the file once it is chosen by the
user (i.e. before uploading it). It can also be used maliciously to steal your files in
XSS attack. With styling input type=file control may be used so that the user is
unaware that he's going to upload the file.
However input type=file directory is a splendid feature which allows the user to
upload contents of a chosen directory thus giving access of the whole directory to
the attacker.

11. NAT Pinning
• When the victim clicks on an XSS vulnerable URL that has a hidden form
connecting to http://attacker.com:6667 (IRC port), he submits the form
without knowing. An HTTP connection is created to the (fake) IRC server
run by the attacker, that simply listens. The victim’s router sees an "IRC
connection" (even though its client is speaking in HTTP) and an attempt at
a ‘DCC chat’. DCC chats require opening of a local port on the client to
which the remote chatter to connect back. Since the router is blocking all
inbound connections, it decides to forward any traffic to the port in the
DCC chat back to the victim.

12. XSSMAP - Geo Location
Google while collecting data for the Google Street View had also collected data of
the wireless networks in the vicinity and the MAC address of those routers and then
mapped them to the GPS co-ordinates. XSS can retrieve the MAC address of the
target's router and then uses Google Maps to retrieve GPS co-ordinates

13. Our New Module – The concept
• Elastix 2.2.0 VoIP based PBX, with a web interface enables registered SIP clients to
make calls just by visiting a URL.
After visiting :
https://IP_address_of_Elastix/recordings/misc/callme_page.php?action=c
&callmenum=Extension@from-internal/h
Executed Via :
Iframe’s source

14. Integration with XSSF

15. Why XSSF ?
• Has amazing native modules
• Integrates with metasploit and facilitates using
exploits in msf
• Development and all setting are included in
the single file(module)

16. Protection against XSS
• Various filters can be used to sanitize the inputs and prevent XSS vulnerabilities.
These filters keep a watch on the user inputs and checks for JavaScript or HTTP
POST in the input and then stop these scripts from being executed.
• A large number of Security Libraries are also available for encoding user inputs
such as: OWASP Encoding Project : Google Code
HTML Purifier or Htmlawed : for PHP
Anti-XSS Class : for .NET Applications
AntiSamy API : for .NET
XSS-HTML-Filter : for Java
Filters Description
FILTER_SANITIZE_ENCODED URL-encode string, optionally strip or
encode special characters.
htmlentities For HTML filtering
FILTER_SANITIZE_MAGIC_QUOTES For Applying addslashes()

17. Protection against POST XSS
• Protection against post XSS involves prevention against execution of scripts entered
as input variables.
• Cookie security protection can be implemented by limiting the domain and path for
accepting cookies, setting them as HttpOnly, using SSL and never storing confidential
data in cookies.
• Another method can be to disable the use of client site scripts.
• Various browser add-ons are also available for prevention against
XSS vulnerabilities. Some of the popular add-ons are NoScript for
FireFox and NotScripts for Chrome and Opera.

18. Thanks