Project Leader(s): Ajin Abraham
Download: https://www.owasp.org/image/3/3d/OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip
Introduction
Cross Site Scripting (XSS) vulnerabilities have been reported and exploited since the 1990s. XSS is listed as the third most critical vulnerability in the OWASP 2013 list of web application vulnerabilities. Cross-site scripting is a type of security vulnerability typically found in web applications that allows an attacker to inject client-side script into web pages viewed by other users. The injected code executes on the client side. A cross-site scripting vulnerability can be used by an attacker to bypass the Same Origin Policy (SOP). In the past, the potential of XSS vulnerabilities was not well understood: XSS was mainly used for stealing cookies and for temporary or permanent defacement, and was not considered a high-risk vulnerability. Later, XSS tunneling and payload delivery showed the real potential of XSS. Even now, most large websites (Google, Facebook, Twitter, Microsoft, Amazon, etc.) suffer from XSS bugs. That is a brief introduction to XSS.
Some threats due to XSS
XSS Tunneling: With an XSS tunnel, an attacker can obtain the traffic between the victim and a web server.
Client-side code injection: An attacker can inject malicious code and execute it on the client side.
DoS: An attacker can perform a denial of service against a remote server or against the client itself.
Cookie stealing: An attacker can obtain the session cookies or tokens of a victim.
Malware spreading: An attacker can spread malware through a website that is vulnerable to XSS.
Phishing: An attacker can embed, or redirect to, a fake page of the website to capture the victim's login credentials.
Defacing: Temporary or permanent defacement of the web application is possible.
What is Xenotix XSS Exploit Framework?
Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in web applications. The tool can inject code into web pages that are vulnerable to XSS. It is basically a payload-list-based XSS scanner and XSS exploitation kit. It gives a penetration tester the ability to test every XSS payload in the payload list against a web application to check for XSS vulnerabilities. The tool supports both a manual mode and an automated, time-sharing-based test mode. The exploitation framework in the tool includes an XSS encoder, a victim-side XSS keystroke logger, an executable drive-by downloader, an XSS reverse shell and an XSS DDoSer. These exploitation tools help the penetration tester create proof-of-concept attacks on vulnerable web applications while writing a penetration test report.
Features of Xenotix XSS Exploit Framework
Xenotix XSS Exploit Framework is divided into two modules.
1. Scanner Module
- Built in XSS Payloads
- HTML5 compatible Payload list
- XSS Auto mode Scanner
- XSS Multi-Parameter Scanner
- XSS Fuzzer
- XSS Keylogger
- XSS Executable Drive-by downloader
- XSS Payload Encoder
- XSS Reverse Shell
- XSS DDoSer
- XSS Cookie Thief
Built-in Payload List
It has an inbuilt XSS payload list of more than 500 XSS payloads, including HTML5-compatible XSS injection payloads. Most XSS filters are implemented using string-replace filters, htmlentities filters and htmlspecialchars filters. Most of these weakly designed filters can be bypassed by specific XSS payloads present in the inbuilt payload list.
The above chart shows the number of XSS payloads in different XSS scanning tools available on the market. Xenotix XSS Exploit Framework has the world's second largest XSS payload list, after IBM AppScan Security, which has 700 million payloads.
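The three filter styles named above, compared on constructed inputs in this added Python example (it is not part of the page or of the Xenotix tool): a fixed-string replace filter, a quote-less escape similar to htmlspecialchars() without ENT_QUOTES, and full contextual escaping. The sample inputs and helper names are assumptions made for the example.

```python
import html
import re
from typing import Callable

# Constructed sample inputs (assumptions, not taken from the page).
CASE_VARIANT = "<SCRIPT>x</SCRIPT>"      # same tag as <script>, different letter case
ATTR_VALUE = "abc' def"                  # value destined for a single-quoted attribute

def weak_replace_filter(value: str) -> str:
    """Fixed-string filter: removes only the literal lowercase <script> tags."""
    return value.replace("<script>", "").replace("</script>", "")

def weak_escape_no_quotes(value: str) -> str:
    """Like PHP htmlspecialchars() without ENT_QUOTES: encodes < > & but leaves quotes alone."""
    return html.escape(value, quote=False)

def hardened_escape(value: str) -> str:
    """Encode every HTML-significant character, both quote styles included."""
    return html.escape(value, quote=True)

TAG_START_RE = re.compile(r"<\s*/?\s*[A-Za-z]")

def tag_survives(sanitized: str) -> bool:
    """True if the browser's HTML parser would still see a tag start in the sanitized value."""
    return TAG_START_RE.search(sanitized) is not None

def delimiter_survives(sanitized: str, delimiter: str = "'") -> bool:
    """True if the attribute delimiter is still present, so the value can close the attribute early."""
    return delimiter in sanitized

def render_single_quoted_attr(value: str, sanitize: Callable[[str], str]) -> str:
    """Server-side template that places untrusted data inside a single-quoted attribute."""
    return f"<input value='{sanitize(value)}'>"

if __name__ == "__main__":
    for name, fn in [("replace", weak_replace_filter),
                     ("escape(no quotes)", weak_escape_no_quotes),
                     ("escape(quotes)", hardened_escape)]:
        print(f"{name:18} tag survives: {tag_survives(fn(CASE_VARIANT))!s:5} "
              f"delimiter survives: {delimiter_survives(fn(ATTR_VALUE))}")
```

The point the checks make: a replace filter is tied to one exact spelling, and an escape that ignores quotes is only safe in a text node, not in an attribute; encoding for the output context is what holds up.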
XSS Scanner Module
XSS Multi-Parameter Scanner
The Multi-Parameter XSS Scanner is useful when you have multiple parameters to test for XSS. It can extract the different parameters from the given URL and test them individually. It saves a lot of your time, as you do not need to test each parameter separately.
XSS Fuzzer
The XSS Fuzzer is a convenient module to detect hidden XSS as well as other vulnerabilities such as HTTP Parameter Pollution. With the Fuzzer, one can conduct out-of-the-box fuzzing to detect hidden vulnerabilities in a web application.
2. Exploitation Framework
XSS Keylogger
The tool includes an inbuilt victim-side keylogger implemented using JavaScript and PHP. The PHP is served with the help of a portable PHP server named QuickPHP by Zach Saw. A JavaScript file is injected into the web application vulnerable to XSS and is presented to the victim. The script captures the keystrokes made by the victim and sends them to a PHP file, which writes the logs into a text file.
XSS Executable Drive-by Downloader
A Java drive-by download can be implemented with Xenotix XSS Exploit Framework. It allows the attacker to download and run a malicious executable file on the victim's system without the victim's knowledge or permission.
You have to specify the URL of the malicious executable, embed the drive-by webpage into an XSS-vulnerable page and serve it to your victim. When the victim views the injected page, the Java applet client.jar accesses the command prompt and, with the help of the echo command, writes a script to a Visual Basic script file named winconfig.vbs in the temp directory (%temp%); cmd.exe then starts winconfig.vbs. winconfig.vbs downloads the malicious executable from the URL you specified into the temp directory, renames it to update.exe and finally executes update.exe. The download and execution of the malicious executable happen without the knowledge or permission of the victim.
XSS Payload Encoder
The inbuilt encoder allows payloads to be encoded into different forms to bypass various filters and Web Application Firewalls. The encoder supports Base64 encoding, URL encoding, hex encoding, HTML character conversion, character code conversion, and IP to dword, hex and octal conversion.
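The IP to dword, hex and octal conversions listed above are the forms a defender most often has to undo when matching hosts in logs or proxy rules. This added Python example (not part of the page or of the Xenotix tool) canonicalises such hosts back to dotted-quad using the inet_aton rules; the sample hosts and function names are assumptions made for the example.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# One inet_aton-style component: 0x-hex, leading-zero octal, or plain decimal.
PART_RE = re.compile(r"^(0x[0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")

def parse_part(part: str) -> int:
    """Parse one host component the way inet_aton does (hex, octal or decimal)."""
    if not PART_RE.match(part):
        raise ValueError(f"not a numeric host component: {part!r}")
    if part.lower().startswith("0x"):
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)

def normalize_ipv4_host(host: str) -> Optional[str]:
    """Turn dword / hex / octal / short-form hosts into dotted-quad; None if the host is not numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [parse_part(p) for p in parts]
    except ValueError:
        return None
    # All but the last component are single octets; the last one fills the remaining bytes.
    tail_bits = 8 * (5 - len(values))
    if any(v > 0xFF for v in values[:-1]) or values[-1] >= (1 << tail_bits):
        return None
    number = 0
    for v in values[:-1]:
        number = (number << 8) | v
    number = (number << tail_bits) | values[-1]
    return str(ipaddress.IPv4Address(number))

def normalize_url_host(url: str) -> Optional[str]:
    """Extract a URL's host and canonicalise it before comparing against an allow/deny list."""
    host = urlsplit(url).hostname
    if host is None:
        return None
    return normalize_ipv4_host(host) or host

if __name__ == "__main__":
    # Constructed samples: the same private address in four encodings (assumption, not from the page).
    for h in ("3232235777", "0xC0A80101", "0300.0250.0001.0001", "192.168.257"):
        print(f"{h:22} -> {normalize_ipv4_host(h)}")
```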
XSS Reverse Shell
An XSS reverse shell can be implemented with Xenotix XSS Exploit Framework. This is made possible with the help of the Java drive-by. When the XSS-vulnerable web application, exploited with the injectable scripts generated by the XSS Reverse Shell module, is presented to a victim, it initiates the drive-by download of a reverse TCP connecting shell. After the drive-by download, the reverse shell is executed by the same method used in the Java drive-by.
The advantage of this method is that the reverse shell is downloaded and executed on the victim's system without the victim's knowledge. However, executing the reverse shell pops up a UAC dialog requesting permission to run the executable. The tool has an inbuilt listener that listens for the reverse shell. It is designed in a user-friendly manner: all you have to do is specify the reverse connection IP and port.
XSS DDoSer
With HTML5 comes great power. We harness the power of HTML5 to abuse Cross Origin Resource Sharing (CORS) and WebSocket to implement a DDoS attack.
WebSocket is a technology that allows web applications to have a bidirectional channel to a URI endpoint. Sockets can send and receive data to and from a web server and respond to the opening or closing of a WebSocket. XMLHttpRequest is a JavaScript object used to exchange data between a server and a browser behind the scenes; it can be used for Cross Origin Resource Sharing (CORS). We can perform a combined and powerful DDoS attack by abusing these two technologies. This module abuses WebSocket and creates numerous socket connections with a target server to slow it down. Along with that, by abusing CORS, the add-on creates numerous fake GET requests to slow down the target server. When the first request is sent to the target server and the response contains an 'Access-Control-Allow-Origin' header with a value that restricts cross-site requests, the browser at times refuses to send more requests to the same URL. However, this can be easily bypassed by making every request unique, by adding a non-existent query-string parameter with changing values.
XSS Cookie Thief
It is the traditional cookie stealer, but a bit more advanced and with a real-time cookie viewer. This module allows the pentester to create a cookie-stealing POC.
Features for the Next Build
The current version of XSS Exploit Framework is based on Internet Explorer's web page rendering engine, Trident. Since XSS behaves slightly differently in different web browsers, support for the Gecko (used by Mozilla Firefox) and WebKit (used by Chrome, Opera and Safari) rendering engines will be added in the next build. Support for XSS in POST parameters and XSS testing by modifying headers will also be included in the next build. An XSS proxy to tunnel the victim-server traffic will be added in future builds. Automatic detection of parameters or variables vulnerable to XSS, and DOM-based XSS detection, will be added in the next build.
Conclusion
XSS in a popular website is a high security threat. Xenotix XSS Exploit Framework can be used by security analysts to perform penetration tests of web applications against XSS vulnerabilities and to create POCs with the inbuilt exploitation framework. Most of the security tools related to XSS are either XSS scanners or XSS exploitation tools. Xenotix XSS Exploit Framework is the first of its kind to act both as an XSS vulnerability scanner and as an XSS exploitation framework. Bug bounty programs such as the Google Vulnerability Reward Program, Facebook Bounty and the PayPal bug bounty exist, so go XSS hunting and grab your bounty.
About the Author
Ajin Abraham is an Information Security Researcher. He is the creator of OWASP Xenotix XSS Exploit Framework. He has published several whitepapers and tools in the field of information security. He was among the top 10 in Chakravyuh 2012, India's biggest ethical hacking competition. His areas of interest include web application penetration testing, coding tools, exploit development and fuzzing. He has been a speaker at many security conferences including Defcon Bangalore-India 2012, ClubHack 2012, nullcon Goa 2013, AppSec APAC 2013, Hack Miami 2013, BlackHat Europe 2013 and many more.