The Evils of XSS: Its not just for cookies anymore

Presented at ShmooCon I (2005), Feb. 6, 2005, noon (60 minutes)

Many security professionals, security administrators and developers are aware of Cross-Site Scripting (XSS) vulnerabilities, but disregard them as a significant risk to an organization. Traditionally XSS attacks have either involved nuisance re-direction of a client or leakage of client cookies/state information to an attacker. They are almost always a one-shot XSS exploit against a vulnerable server and dont have the ability to execute multiple transactions against an XSS vulnerable site.

This presentation briefly outlines current XSS attacks, then discusses and demonstrates methods to create multi-transaction XSS attacks or persistent XSS based browser hi-jacking. Browser hi-jacking uses the victim browser to leverage existing trust that a browser may have with an XSS vulnerable site, and performs an arbitrary number of transactions from the victim browser against the vulnerable site. This means that the attacker can use the victims browser to attack a site that is behind a firewall, requires client-side certificates, filters IP addresses, or has a cached authentication with the victim browser this is way beyond cookie theft as an attacker is actually using the victims browser to access the site. Attack modes can include transparent site traversal thru victim browser (read and/or write to server with access of victim from remote attack console), passive monitoring of victim interaction with target site, or active MITM content modification of information to/from victim browser.

A new tool (XSS-Proxy) will be introduced that demonstrates the ability for a remote attacker to perform these XSS based attacks. XSS persistence and commands are controlled from a Perl based HTTP attack server with victim/XSS target content forwarded to the same server. This does not rely on any new vulnerability in browsers and currently works in modern JavaScript enabled IE and Mozilla/Firefox based browsers. Other tools may be introduced and discussed that assist with the identification of XSS flaws sites as well as initial injection vector creation for later use in XSS-Proxy.


Presenters:

  • Anton Rager
    Anton Rager is a Sr. Security Engineer with Avaya Labs and a founding member of Avayas Enterprise Security Practice. He specializes in vulnerability research, VPN security and wireless security and is best known for his WEPCrack, WEPWedgie and IKECrack security tools. He has presented at Defcon, Toorcon, Interz0ne and many other lesser-known conferences, and was a contributing technical editor to the book Maximum Wireless Security. In addition to an addictive computer security hobby, Anton is also an extreme mountain biker, snowboarder, naturalist, guitarist and philosopher hack.

Links:

Similar Presentations: