Introduction to Cross-Site Scripting with BeEF
Presented to OWASP San Antonio at Denim Group
Created by: Charles Neill
Modified Date: 2/5/2015
What is cross-site scripting?
Cross-Site Scripting (referred to as XSS) is a type of web application attack where malicious client-side script is injected into the application output and subsequently executed by the user’s browser.
TL;DR: Not filtering out HTML and JavaScript in user input = bad.
It can be used to take over a user’s browser in a variety of ways.
Why should I care about cross-site scripting?
There was a time not too long ago when XSS was considered a low-risk type of security issue, because when compared to a server-side exploit, it seemed relatively benign.
As other issues like PHP remote file inclusions have become harder to exploit, XSS attacks have increased in prominence and sophistication.
Trick question: Which is worse, popping up an alert box or popping root on a server?
Who’s affected by cross-site scripting?
Everyone. No, really – almost every site you can think of has had XSS problems at one time or another (and probably still does). Don’t believe me?
–Universal XSS in Internet Explorer (2015) [1]
–Tweetdeck (2014) [2]
–PayPal (2013) – BONUS: discovered by a 17 year old kid [3]
–Google Finance (2013) [4]
–25 “Verasign-secured” online stores (2012) [5]
–McAfee (2011) [6]
–Visa (2010) [7]
Some sites you might recognize (image slides)
Boooooring…
The classic proof-of-concept for XSS is a little alert box with some arbitrary text in it, or a picture of something silly. This doesn’t seem nearly dangerous enough to warrant concern. What else you got?
Introducing: BeEF
What’s BeEF? From their website (beefproject.com):
“BeEF is short for The Browser Exploitation Framework… BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser.”
Where’s the BeEF?
That description sounds scary, but what does it mean?
Think of BeEF as a one-stop-shop to gain and retain control over a user’s browser, and do whatever you want with it.
This is like Metasploit (metasploit.com) for the browser
–You can even use Metasploit’s “browser_autopwn” tests to try to take over the browser
How does one use BeEF? This is all it takes to insert into a page:
The BeEF Dashboard
–Monitor users by their IP, browser, OS
–See logs of their activity
–Trick the user into downloading malicious files
–Perform network reconnaissance
–And much more...
DEMO TIME! (Get excited)
So many attacks, so little time
Basic Client-side Attacks
–Steal cookies
–Play a sound
–Get user-agent string
–See enabled plugins (e.g. Chrome PDF viewer, Java, etc.)
More Advanced Client-Side Attacks
–Man-in-the-browser
–Forge user requests
–Get form values / HTML contents
–Fake notifications (Chrome plugin bar, LastPass login, etc.)
–Tabnabbing
Lateral Movement / Network Exploration
–Port scanning
–Network mapping
–Execute local Redis commands
So what should I do to prevent XSS?
Never trust the user
THANK YOU RACKSPACE® | 1 FANATICAL PLACE, CITY OF WINDCREST | SAN ANTONIO, TX US SALES: | US SUPPORT: | © RACKSPACE LTD. | RACKSPACE® AND FANATICAL SUPPORT® ARE SERVICE MARKS OF RACKSPACE US, INC. REGISTERED IN THE UNITED STATES AND OTHER COUNTRIES. |
So what should I do to prevent XSS? (No, really)
Almost all client-side script injection comes down to the following characters: ( ) { } [ ] " ' ; / \
There are various ways to take care of these characters, but it is too context-dependent to give a one-size-fits-all answer.
The shortest answer is, make sure you’re only getting characters you expect when a user enters any kind of information - make sure you never display a user-entered string without properly encoding it.
Check out the links at the end of this presentation to learn more.
Examples of XSS in code
Here’s some sample vulnerable JavaScript. See if you can spot the bad part.

    var lol = function () {
        var a = document.getElementById('a').value;
        document.write(a);
    }
Examples of XSS in code
Hmm, there’s the problem…

    var lol = function () {
        var a = document.getElementById('a').value;
        document.write(a); // Too easy
    }
Examples of XSS in code
Now for something a little more interesting. Remember, you also have to consider the third-party libraries you’re using. Some innocent-looking jQuery code:

    $(location.hash) // Wait, that’s it?
Examples of XSS in code
But you’re not only securing the code you write, but all the code you used…

    $(location.hash) // WHERE’S THE VULNERABLE PART?!

Well, if we’re using jQuery and we visit the page …this will pop up one of those alert boxes [8].
Tips for filtering XSS
Here are some examples of how to filter HTML characters in a few simple scenarios in PHP (there should be similar functions in any language; check the links at the end of the PPT)

    $int = intval($_GET['a']);       // This will never return anything other than an integer
    $str = htmlentities($_GET['b']); // This will encode any character for which there is
                                     // an HTML entity equivalent (e.g. > < ")
                                     // Pass ENT_QUOTES as the second argument if single
                                     // quotes must be encoded too; the PHP 5 default
                                     // (ENT_COMPAT) leaves them alone
                                     // This is NOT always enough! [9]
Getting around prevention measures
Pop quiz! What’s wrong with this PHP code:

    echo(' link ');
Getting around prevention measures
Pop quiz! What’s wrong with this PHP code:

    echo(' link ');

What if we set $_GET['var'] to javascript:alert(/xss/);
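An added example in JavaScript (not from the slides) that ties the character-list advice, the htmlentities() tip and the pop quiz together: entity encoding leaves a javascript: URL completely intact, so an href needs a URL scheme allowlist on top of the encoding, and a location.hash value should be validated as a plain element id before it is handed to anything like a jQuery selector. The function names are mine.

```javascript
// Added example, not from the slides. Three context-specific checks that
// the "take care of these characters" advice boils down to in practice.

// Entity-encode the characters that break out of HTML text or a quoted
// attribute; the same set as PHP's htmlentities($s, ENT_QUOTES).
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encoding alone does not protect an href: "javascript:alert(/xss/)"
// contains none of those characters, survives encodeHtml() unchanged and
// still runs on click. Allowlist the scheme instead of blocklisting.
function safeHref(url) {
  const u = String(url).trim();
  if (/^https?:\/\//i.test(u)) return u;      // absolute http(s) only
  if (/^(\/(?!\/)|[?#])/.test(u)) return u;   // relative path, query or fragment
  return null;                                // javascript:, data:, //host, ...
}

// The pop-quiz pattern, fixed: validate the URL first, then encode for
// the attribute context. Rejected URLs fall back to a harmless "#".
function renderLink(userValue) {
  const href = safeHref(userValue);
  return '<a href="' + encodeHtml(href === null ? '#' : href) + '">link</a>';
}

// For the $(location.hash) slide: a fragment is an element id, not a
// selector or HTML. Accept only a plain id token, so the caller can use
// document.getElementById(fragmentId(location.hash)) instead of $(...).
function fragmentId(hash) {
  const m = /^#([A-Za-z][\w-]*)$/.exec(String(hash));
  return m ? m[1] : null;
}
```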
QUESTIONS?
Resources
OWASP Links
–Guide to Cross-site Scripting
–XSS Prevention Cheat Sheet
–DOM based XSS Prevention Cheat Sheet
References
[1] [2] [3] [4] [5] [6] [7] [8] [9]