The media reported the problem as a Web browser vulnerability. Browser hackers took this as a challenge and began uncovering many clever ways to circumvent the restriction. Eventually this concept was shared with CERT. The goal of this was to inform the public so that the issue would be brought to light in a responsible way and sites would get fixed, not just at Microsoft, but also across the industry.
David re-wrote the internal paper with the help of Ivan Brugiolo, John Coates, and Michael Roe, so that it was suitable for public release. Sometime during the past few years the paper was removed from Microsoft. Shortly thereafter another variant of the same attack surfaced. With some social engineering, it was found that tricking a user into clicking on a specially crafted malicious link would yield the same results as HTML Injection.
Few would listen. Prior to , the vast majority of security experts and developers paid little attention to XSS. The focus was transfixed on buffer overflows, botnets, viruses, worms, spyware, and others. Meanwhile a million new Web servers appear globally each month, turning perimeter firewalls into Swiss cheese and rendering Secure Sockets Layer (SSL) quaint.
Hundreds of XSS vulnerabilities were being disclosed in major Web sites and criminals began combining them with phishing scams for an effective fraud cocktail. Unsurprising, since according to WhiteHat Security more than 70 percent of Web sites are currently vulnerable. XSS arguably stands as the most potentially devastating vulnerability facing information security and business online.

Web Application Security

The Web is the playground of million netizens, home to million Web sites, and transporter of billions of dollars every day.
International economies have become dependent on the Web as a global phenomenon. And did I mention that roughly 8 out of 10 Web sites have serious security issues putting this data at risk? Even the most secure systems are plagued by new security threats only recently identified as Web Application Security, the term used to describe the methods of securing web-based software.
The organizations that collect personal and private information are responsible for protecting it from prying eyes. Nothing less than corporate reputation and personal identity is at stake. As vital as Web application security is and has been, we need to think bigger. New Web sites are launched that control statewide power grids, operate hydroelectric dams, fill prescriptions, administer payroll for the majority of corporate America, run corporate networks, and manage other truly critical functions.
Think of what a malicious compromise of one of these systems could mean. Web applications have become the easiest, most direct, and arguably the most exploited route for system compromise. Until recently everyone thought firewalls, SSL, intrusion detection systems, network scanners, and passwords were the answer to network security.
Security professionals borrowed from basic military strategy, where you set up a perimeter and defended it with everything you had. The idea was to allow the good guys in and keep the bad guys out. For the most part, the strategy was effective, that is, until the Web and e-commerce forever changed the landscape. Essentially this means you have to let in the whole world and make sure they play nice. Seemingly overnight the Internet moved from predominantly walled networks to a global e-commerce bazaar.
The perimeter became porous and security administrators found themselves without any way to protect against insecure Web applications. Web developers are now responsible for security as well as for creating the applications that fuel Web business. Fundamental software design concepts have had to change. Prior to this transformation, the average piece of software was utilized by a relatively small number of users.
Developers now create software that runs on Internet-accessible Web servers to provide services for anyone, anywhere. The scope and magnitude of their software delivery has increased exponentially, and in so doing, the security issues have also compounded. Now hundreds of millions of users all over the globe have direct access to corporate servers, any number of which could be malicious adversaries.
New terms such as cross-site scripting, Structured Query Language (SQL) injection, and a dozen other new purely Web-based attacks have to be understood and dealt with. Figure 1. And after all that, there are the internal custom Web applications that organizations develop for themselves. This is the lay of the land when it comes to Web application security.
One of the biggest threats that Web application developers have to understand and know how to mitigate is XSS attacks. While XSS is a relatively small part of the Web application security field, it possibly represents the most dangerous, with respect to the typical Internet user. Ironically, many people do not understand the dangers of XSS vulnerabilities and how they can be, and regularly are, used to attack victims. Both of these technologies are based on standards and protocols that have been around for many years, and there is an unlimited amount of information about how they work and what you can do with them on the Internet.
AJAX is a term that describes new approaches that have been creeping into Web development practices for some time. At its basics, AJAX is a set of techniques for creating interactive Web applications that improve the user experience, provide greater usability, and increase their speed. The roots of AJAX were around long before the term was picked up by mainstream Web developers in The core technologies that are widely used today in regards to AJAX were initiated by Microsoft with the development of various remote-scripting techniques.
This object provides the mechanism for pulling remote content from a server without the need to refresh the page the browser has currently loaded. This object comes in many www. This is due to the fact that AJAX is a new technology, and although standards are quickly picking up, there are still situations where we need to resolve various browser incompatibility problems. These problems are usually resolved with the help of AJAX libraries, but we, as security researchers, often need to use the pure basics.
As we established previously in this section, the XMLHttpRequest object differs depending on the browser version. Other browsers may have different ways to do the exact same thing. Table 1. The possible readyState values are:

0 — uninitialized
1 — open
2 — sent
3 — receiving
4 — loaded

Other status codes are also possible. Both of them return the response body, but they differ by function quite a bit.
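The XMLHttpRequest basics described above, written without a library, as an added example that is not code from the book. The global object is passed in as a parameter (an assumption made here so the code can be exercised with a constructed stand-in outside a browser), and the readyState names are the ones from the table.

```javascript
// Added example (not from the book): pure-basics XMLHttpRequest handling.
// readyState codes as listed in the text.
const READY_STATE = { 0: "uninitialized", 1: "open", 2: "sent", 3: "receiving", 4: "loaded" };

// Create a request object, falling back to the legacy ActiveX flavor used by
// old Internet Explorer versions when the standard constructor is missing.
// `win` stands in for the browser's global object (assumption for testability).
function createXHR(win) {
  if (typeof win.XMLHttpRequest === "function") return new win.XMLHttpRequest();
  if (typeof win.ActiveXObject === "function") {
    // ProgIDs of the old MSXML component, tried newest first.
    for (const id of ["Msxml2.XMLHTTP", "Microsoft.XMLHTTP"]) {
      try { return new win.ActiveXObject(id); } catch (e) { /* try the next one */ }
    }
  }
  throw new Error("no XMLHttpRequest implementation available");
}

// Issue a GET and deliver the body through a callback once readyState is 4.
// The response text is data: render it with textContent, never innerHTML,
// or a reflected or stored XSS payload in the response would execute.
function getText(win, url, cb) {
  const xhr = createXHR(win);
  const seen = [];                      // readyState names observed, in order
  xhr.onreadystatechange = function () {
    seen.push(READY_STATE[xhr.readyState]);
    if (xhr.readyState !== 4) return;   // not "loaded" yet
    if (xhr.status >= 200 && xhr.status < 300) cb(null, xhr.responseText, seen);
    else cb(new Error("HTTP " + xhr.status), null, seen);
  };
  xhr.open("GET", url, true);
  xhr.send(null);
}

// Constructed stand-in for a browser window: its XMLHttpRequest walks the
// readyState sequence synchronously and answers with the given status/body.
function fakeWindow(status, body) {
  function FakeXHR() { this.readyState = 0; }
  FakeXHR.prototype.open = function () { this.readyState = 1; this.onreadystatechange(); };
  FakeXHR.prototype.send = function () {
    for (const s of [2, 3, 4]) {
      this.readyState = s;
      if (s === 4) { this.status = status; this.responseText = body; }
      this.onreadystatechange();
    }
  };
  return { XMLHttpRequest: FakeXHR };
}
```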
Before providing another example, we must explain the purpose of XML. XML is a mini language on its own, which does not possess any boundaries. We are not going to cover all of them, because the book would quickly get out of scope, but you can read about them at www. They can be represented with a tree structure, which is often referred to as the DOM. Another popular function is getElementById, which returns a single element based on its identifier. It is also important to understand the impact these technologies will have on traditional Web application security testing.

Summary

XSS is an attack vector that can be used to steal sensitive information, hijack user sessions, and compromise the browser and the integrity of the underlying system. XSS vulnerabilities have existed since the early days of the Web. Today, they represent the biggest threat to e-commerce, a billions-of-dollars-a-day industry.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.
A: Both of them refer to exactly the same thing. In one of the situations, the attacker injected valid HTML tags, while in the other one, the attacker injected HTML tags but also tried to run a script. Q: Does my anti-virus software protect me from XSS attacks? A: No. Anti-virus software protects you from viruses and other types of malicious code that may be obtained through an XSS vulnerability.
Some anti-virus software can detect known types of malware, but it cannot prevent XSS from occurring. Q: Can an XSS worm propagate on my system? However, there are many browser bugs that can exploit your system. In that respect, XSS worms that contain browser bug exploits can also compromise your system. Q: XSS attacks can compromise my online account but not my network.
Is that true? A: The browser is a middleware technology that sits between your trusted network and the untrusted Web. Every time you visit a page, you silently download scripts and run them inside the context of the browser. These scripts have access to internal network addresses and as such can also propagate inside your network.
If you follow strong security practice, you can prevent XSS from occurring by filtering or escaping undesired characters. To expedite the location of these bugs, we employ a wide range of tools and techniques. In this chapter, we look at a collection of tools that the authors have found to be invaluable in their research and testing.
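The escaping the answer above refers to, as an added example (not code from the book): reflected input is escaped according to the context it lands in, HTML text versus a quoted attribute value, which is what stops an injected tag from being parsed as markup. The search-form fragment and the helper names are constructed for this illustration.

```javascript
// Added example (not from the book): context-aware output escaping.

// Replace the five characters that can open or close markup in HTML text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// For a quoted attribute value, hex-encode everything outside a small safe
// alphabet so no character can terminate the quote or be re-interpreted
// under an unexpected charset.
function escapeAttr(s) {
  return String(s).replace(/[^A-Za-z0-9 ,._-]/gu,
    (c) => "&#x" + c.codePointAt(0).toString(16) + ";");
}

// Build a search-results fragment the safe way: the reflected term goes
// through the escaper matching the sink it is written into.
function renderSearch(term) {
  return '<input name="q" value="' + escapeAttr(term) + '">' +
         "<p>Results for: " + escapeHtml(term) + "</p>";
}

// The unsafe equivalent that a search box vulnerable to reflected XSS uses.
function renderSearchUnsafe(term) {
  return '<input name="q" value="' + term + '">' +
         "<p>Results for: " + term + "</p>";
}
```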
It is important to note that many of the XSS bugs out there can be found with nothing more than a browser and an attention to detail. These low hanging fruit are typically found in search boxes and the like. By entering a test value into the form and viewing the results in the response, you can quickly find these simple bugs.
However, these are the same bugs that you can find in a fraction of the time with a Web application scanner. Once these basic vulnerabilities are found, tools become a very valuable part of the attack process. Being able to alter requests and responses on the fly is the only way some of the best bugs are found. We should also mention that these tools are good for more than just locating XSS flaws. They are also very useful for developers and Web application penetration testers.
Burp

The modern browser is designed for speed and efficiency, which means Web application security assessment is a painful task, because probing a Web application requires in-depth analysis. Sometimes it greatly behooves you to be able to modify the incoming data.
Sometimes you just want a bidirectional microscopic view into every request your browser is making. And then there was Burp Proxy www. To get started, you need the Java Runtime Environment installed, which you can get from Java. Once that is installed you modify your proxy settings in your browser to use localhost or The Intercept and Options windows are the most important ones that we will be focusing on. This will show you all of the data to and from every server you connect to.
Figure 2. You should do this for all of your clients if you want to see what spyware you have installed, as each one will need to go through the proxy for it to show you what is using it. Once this has been configured, you should be able to surf and see any data being transferred to and from the host.
Ultimately, Burp is only one tool amongst a wide array of others that do parts of what Burp does as well or better, but nothing works in quite the same way or with quite the same power as Burp Suite. Burp Proxy is not for the faint of heart, but once you get accustomed to it, it is a great learning tool for understanding how Hypertext Transfer Protocol (HTTP) actually works under the hood.
AJAX, one of the core technologies pushing Web application growth, has helped developers create Web-based word processors, calendars, collaborative systems, desktop and Web widgets, and more. However, along with these more complex applications comes the threat of new security bugs, such as XSS vulnerabilities. As a result, the need for powerful Web application debuggers has also surfaced.
While the overall functions of a Web application debugger are the same i. Instead of examining assembly code, Web application debuggers need to be able to manage a complex and connected set of scripts, Web pages, and sources. In this section, we are going to examine several tools and techniques that you can use to dig inside the increasingly complex world of Web applications.
When you are asked about the type of setup, choose Custom. The Custom setup window configuration dialog looks like that in Figure 2. You can continue with the rest of the installation using default settings. The top part contains information about the resource that is being inspected.
Each of the inspection trees has a button to allow you to choose between the different views, as shown in Figure 2. If you select a node from the DOM Inspector you can copy and paste it to a different place. All of these operations are performed from DOM Inspector contextual menus. This is because developers often attach custom events, methods, and variables to these elements, which can reveal how the application works. With DOM Inspector we can look into how function calls are structured and the event flow of the application that we are testing.
If this iframe is important for the application workflow, we can replace some of these functions with our own and essentially hack into GMail's internal structure. For example, a modified function can be used to sniff for certain events and then trigger actions when they occur. This could alternately be done by manually modifying the response data with any of the Web application testing proxies that we discuss in the book (e.g., Burp), but DOM Inspector helps to automate this process. As a result, you no longer have to manually intercept, change, and pass every Web request to the target function. This quick fix may cause XSS inside the server logs or any other part where the referrer field is used without any sanitization applied.
In our case, GMail is not vulnerable, but you never know what the situation is from the inside of GMail. DOM Inspector is an extremely powerful extension for Firefox that gives you the power to examine complex Web applications with a few mouse clicks. It comes by default with Firefox, and you can use it without the need for installing additional components.
However, we will learn later in this chapter that there is another Firefox extension created by the developers of DOM Inspector that allows us to do even more.

Web Developer Firefox Extension

When performing a manual assessment of a Web site, a penetration tester needs to understand what is happening behind the scenes.
Instead of writing a manual for the Web Developer toolbar, we encourage you to download it and try it for yourself. It is one of the single best aids in manual assessments using the Firefox Web browser. FireBug Lite is a cross-browser component that can be easily embedded into the application you want to test (see Figure 2. It is designed for developers rather than security researchers, and it is not as versatile as the Firefox Extension version covered next.
However, it could prove to be quite helpful in situations when you need to debug applications in Internet Explorer, Opera, and other browsers that do not support Cross Platform Installable (XPI) files for the Mozilla platform. Download FireBug Lite and place it inside a folder on your local system. You have to include the following script tag inside your application pages to enable FireBug: www.
For example, if we want to trace the value of the variable item in the following loop, we need to use the following code:

    for (var item in document) { console.log(item); }

This is much more efficient than the alert method, which can be very irritating, especially in cases where we need to list many values.
There are some other features, but FireBug Lite is designed to run as a stripped down replacement of the FireBug browser extension. The Firebug browser extension provides an integrated environment from where you can perform complete analysis of the Web applications that interest you see Figure 2.
FireBug can also be used for the same purpose. On the right-hand side you can see the property window, which contains information about the style, the layout, and the DOM characteristics. The DOM characteristics are extremely helpful when you want to see the various types of properties that are available, just like in DOM Inspector.
Most of the time you will see the same name-value pairs, but you might also get some insight as to how the application operates. These properties and methods could be a critical part of the application logic. The HTML view is also suitable for dynamically modifying the structure of the application document.
We can simply delete the selected element by pressing the Delete button on the keyboard, or we can modify various element attributes by double clicking on their name and setting the desired value. It is important to note that the changes made to the HTML structure will be lost on a page refresh event.
Like binary application testing, we need to use a debugger in order to trace through the code, analyze its structure, and investigate potential problems. FireBug contains features we can use to do all of that. Once the program is paused, you can review the current data held in the global and local variables or even update that data.
This not only gives you an insider's look at what the program is doing, but also puts you in full control of the application. On the right-hand side of Figure 2. The Breakpoints list contains all breakpoints that you have set inside the code you are debugging. You can quickly disable and enable breakpoints without the need of going to the exact position where the breakpoint was set. The Watch list provides a mechanism to observe changes in the DOM structure.
For example, if you are interested in knowing how the value of document. The DOM is where Web application contents are stored. The DOM structure provides all necessary functionalities to dynamically edit the page by removing and inserting HTML elements, initializing timers, creating and deleting cookies, and so forth. The DOM is the most complicated component of every Web application, so it is really hard to examine. We can see several functions that are currently available.
The DOM element alert is a standard built-in function, while logout is a function provided by Google Inc. We can see all functions and their source code. We can also see every property and object that is available and expand them to see their sub-properties in a tree-like structure. One of the most powerful FireBug features is the Network traffic view see Figure 2. This view is extremely helpful when we want to monitor the Web requests that are made from inside the application.
Unlike the LiveHttpHeaders extension, where all requests are displayed in a list, FireBug provides you with a detailed look at each request's characteristics. On Figure 2. One interesting characteristic of FireBug is that the extension will record all network activity no matter whether it is open or closed. This behavior is different compared to the LiveHttpHeaders extension, which records network events only when it is open.
However, unlike the LiveHttpHeaders extension, FireBug cannot replay network activities, but you will be able to see the network traffic in a bit more detail. The power to control the data being passed to and from a Web application can help a user find bugs, exploit vulnerabilities, and help with general Web application testing. These Firefox extensions provide us with a quick way to get inside the HTTP traffic without having to set up a proxy server.
However, if you want access to all of the features of the tool, then you will want to open it in a separate window by clicking on Tools | Live HTTP Headers, as Figure 2. The middle part of the screen is where the requests and responses are displayed. Each request-response pair is separated by a horizontal line.
The bottom part of the window contains the LiveHTTPHeaders action buttons and the Capture check box, which specifies whether capturing mode is enabled or disabled. Check this button to stop LiveHTTPHeaders from scrolling down in order to analyze the traffic that has been generated. This is the part of the program that is most useful for Web application security testing.
Having quick access to a past request allows us to change parts of the request in order to test for vulnerabilities and bugs. To access this feature, select any of the listed requests and press the Replay button. As Figure 2. For example, you can add extra headers, change the request method (GET vs. POST), or modify the parameters that are sent to the server. Having this ability allows you to make changes, view the results, and continue on with your browsing session. As previously mentioned, you can change any part of the request via the Replay feature. There is one small caveat that you should be aware of when altering a POST request, and that is the Content-Length header. By not including the value, you take the chance of raising an alert if there is an Intrusion Detection System (IDS) monitoring the Web traffic.
Fortunately, LiveHTTPHeaders does provide a length count for you at the bottom left of the window, which you can use to insert your own Content-Length header value. For example, by entering the following into the Replay tool, you can test to see if a Web server allows unrestricted file uploads.
In Figure 2. We can easily access the requests' internals, modify them, and relay them with a few clicks. If you have tried LiveHTTPHeaders you have probably noticed that each replayed request still results in the browser window.
Unlike other testing tools, such as application proxies, where in replay mode you have to look inside the HTML structure for changes, LiveHTTPHeaders provides a visual result which we can absorb quicker.
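The Content-Length caveat from the Replay discussion above, worked through as an added example (not code from the book): when a POST body is edited by hand, the header has to be recomputed from the body's byte length, which differs from the JavaScript string length as soon as the body holds non-ASCII characters. Host, path and body are constructed sample values.

```javascript
// Added example (not from the book): rebuilding a replayed POST with a
// Content-Length that matches the edited body.
const CRLF = "\r\n";

// Byte length of a UTF-8 body. String .length counts UTF-16 code units and
// undercounts as soon as the body contains non-ASCII characters.
function byteLength(body) {
  return new TextEncoder().encode(body).length;
}

// Build the raw request text. Any Content-Length supplied in extraHeaders is
// discarded and recomputed so the header always describes the current body.
function buildPost(host, path, body, extraHeaders = {}) {
  const headers = { Host: host, "Content-Type": "application/x-www-form-urlencoded" };
  for (const [k, v] of Object.entries(extraHeaders)) {
    if (k.toLowerCase() !== "content-length") headers[k] = v;
  }
  headers["Content-Length"] = String(byteLength(body));
  const lines = ["POST " + path + " HTTP/1.1"];
  for (const [k, v] of Object.entries(headers)) lines.push(k + ": " + v);
  return lines.join(CRLF) + CRLF + CRLF + body;
}

// Read Content-Length back out of a raw request and compare it with the real
// body size; a mismatch is exactly what an IDS or the server would notice.
function contentLengthMatches(raw) {
  const sep = raw.indexOf(CRLF + CRLF);
  if (sep === -1) return false;
  const head = raw.slice(0, sep);
  const body = raw.slice(sep + 4);
  const m = /^Content-Length:\s*(\d+)\r?$/im.exec(head);
  return m !== null && Number(m[1]) === byteLength(body);
}

// Constructed sample: the accented character makes .length (16) differ from
// the byte count (17), so a copied header value of 16 would be wrong.
const SAMPLE_BODY = "name=caf\u00e9&file=x";
```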
ModifyHeaders is another Firefox extension that is a must have for every security researcher. Its purpose is to dynamically add or modify headers for every generated request. Simply choose an action from the actions drop-down box on the left. You need to put the header name and the header value in the subsequent fields and press Add.
You can Modify Headers with a single rule added in its actions list see Figure 2. Another illustration of how this tool can be used is where you are testing an internal Web application that is exported to an external interface. Internal Web applications usually use shorthand names that break rendering features because these names do not exist online.
However, due to a configuration error, the application can be accessed from the public IP address of In simple terms, your browser did not specify which virtual host needs to be used in order to make the application work. In order to specify the virtual host name you have to use the Host header. Probably one of the most useful purposes of this extension is to locate XSS vulnerabilities that occur when different encodings are used.
Keep in mind that XSS issues are not that straightforward, and if you cannot find a particular application vulnerability when using the default configuration of your browser, it may appear as such if you change a few things, like the accepted charset as discussed previously in this section.
TamperData is a unique extension in that it makes it easier for the security tester or attacker to modify their requests before they have been submitted to the server. In a way, this extension emulates several of LiveHTTPHeaders' functionalities, but it also offers some additional features that you may find useful. To access the extension main window click on Tools | TamperData Figure 2.
The TamperData window is quite intuitive. In order to start a tampering request, click on Start Tamper and then submit the form you are currently on. For example, in Figure 2. Ignore it or abort it if you are not interested. If you click on Tamper, the following window appears Figure 2.
You can type any information that you want to submit and click the OK button, however with time this may get tedious. TamperData offers a feature where you can simply select an attack vector that you want to be included inside the specified field.
That makes the bug hunting process a lot easier and quicker. To choose a vector, right-click on the field name you want to tamper and select any of the lists after the second menu separator. Once the vector is selected, you will notice that the attack string is automatically added as part of the request.
Press the OK button to approve the request. You can easily get back to any of them and investigate them and replay them in the browser Figure 2. As you can probably guess, the only feature that differentiates this extension from LiveHTTPHeaders is the ability to select attack payloads. TamperData is designed to serve as a penetration-testing tool. Apart from being able to use the already built-in payload list, you can also supply your own from the Extension Configuration window.
To access TamperData options, press Options on the main screen. You will be presented with a screen similar to Figure 2. We can easily export the list or import new ones. In this section we showed that TamperData is indeed one of the best tools available that can help you when you are looking for XSS bugs.
Be careful when downloading user scripts because, as you will learn later, they can be very dangerous. In this section, we talk about GreaseMonkey and how we can use it to inspect sites for vulnerabilities, perform active exploitation, and install persistent backdoors. You can install it like any other Firefox extension by visiting www.
Finally, restart the Firefox browser. The left hand side list box contains the currently installed user scripts. This is a wild-card character that specifies that the rest of the URL can contain any sequence of characters, or in general, it means that only the first part of the URL matters. You can use this to uninstall scripts or edit them with your favorite text editor.
We highly recommend that you examine the source of any script before installing it. As we learned in previous chapters of this book, attackers can easily backdoor a user script and as such gain persistent control over your browser. It is also worth mentioning that user scripts might be vulnerable to XSS as well.
This type of vulnerability may potentially expose your sensitive information to third-party organizations. Open the file in your browser and approve the installation box. Before diving into GreaseMonkey deeper, we must understand the basic structure of this user script.
Every script has a special type of structure. At the bottom of the first comment block you must enter the user script header. Table 2. Next, we will illustrate how you can dynamically create GreaseMonkey scripts right from your browser. Next, copy the generated string and paste it in your browser address bar and press Enter. You should be rewarded with the GreaseMonkey Installation dialog box asking you to confirm the installation. As noted in the beginning of this chapter, GreaseMonkey provides various mechanisms that are very helpful when performing vulnerability assessments on Web applications.
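The user script header structure and the wildcard URL matching described above, as an added example that is not code from the book or from GreaseMonkey: a small parser for the ==UserScript== block plus the @include/@exclude check, the kind of review you would run over a script before installing it. The sample script, its names and URLs are constructed.

```javascript
// Added example (not from the book): read a GreaseMonkey user script header
// and decide which URLs the script will run on.

// Pull the @key values out of the header block; the repeatable keys
// @include and @exclude are collected into arrays.
function parseHeader(source) {
  const m = /\/\/ ==UserScript==\r?\n([\s\S]*?)\/\/ ==\/UserScript==/.exec(source);
  if (!m) throw new Error("no ==UserScript== header found");
  const meta = { include: [], exclude: [] };
  for (const line of m[1].split(/\r?\n/)) {
    const kv = /^\/\/\s*@(\w+)\s+(.*\S)\s*$/.exec(line);
    if (!kv) continue;
    const [, key, value] = kv;
    if (key === "include" || key === "exclude") meta[key].push(value);
    else meta[key] = value;
  }
  return meta;
}

// Turn an @include pattern into a regular expression: "*" matches any run
// of characters, everything else is literal.
function patternToRegExp(pattern) {
  const parts = pattern.split("*").map((p) => p.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$");
}

// A script runs on a URL when some @include matches and no @exclude does.
function runsOn(meta, url) {
  const hit = (list) => list.some((p) => patternToRegExp(p).test(url));
  return hit(meta.include) && !hit(meta.exclude);
}

// Constructed sample script with fictional names.
const SAMPLE_SCRIPT = [
  "// ==UserScript==",
  "// @name          Form Highlighter",
  "// @namespace     http://example.test/scripts",
  "// @description   Outline every form on the page",
  "// @include       http://example.test/*",
  "// @include       https://example.test/*",
  "// @exclude       http://example.test/admin/*",
  "// ==/UserScript==",
  "",
  "for (const f of document.forms) f.style.outline = '2px solid red';",
].join("\n");
```

A script whose @include is a bare `http://*` would run on every page you visit, which is the first thing to look for when reviewing a script from an untrusted source.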
These two examples clearly demonstrate the power of GreaseMonkey. There are other extensions and programs that provide similar features; however, the ability to quickly narrow the focus down to parts of a Web application makes PostInterpreter the best tool for certain tasks. For example, we might be interested in modifying all forms on www. In order to do that, we need to modify the PostInterpreter user script settings as shown on Figure 2.
Remember, you can easily modify PostInterpreter source code in order to add features of your choice. For example, you can add select boxes for each listed value from where you can choose a common test, such as proper handling of single quotes. The answer to this question is always very vague.
The truth is that normal Web spiders and vulnerability scanners can detect only the simplest XSS vulnerabilities. This is where XSS Assistant plays a big role.

NOTE

COM is a Microsoft technology for building software components that enable easier inter-process communication and greater code reuse.
The purpose of COM is to provide a mechanism to build objects in a language-neutral way. This way, one developer can build a key component of an application in their preferred language, and another developer can reuse the exact same component in the language of their choice.
In a way, it is similar to the Microsoft COM architecture. Start XSSing forms. Once you start playing with this tool, you will look at XSS from an entirely different perspective, not to mention save countless hours of manually typing in the XSS tests.

Active Exploitation with GreaseMonkey

GreaseMonkey is so powerful that you can write exploits as user scripts and call them when needed. Do you want to exploit? Keep in mind that the provided user script does not perform actual exploitation, but it is still useful to make a point.
However, the process can be simplified a lot more if you do it from the browser. For example, if the exploit that you are writing requires you to authenticate via SSL and provide a username, password, and token, it may take a while to build it. However, if you use the browser to take care of the details, you can concentrate on the real thing, which is producing the actual code that tests or exploits the current target.

Hacking with Bookmarklets

In previous sections of this book we discussed how to use GreaseMonkey as an attack tool. We also covered several useful user scripts that can help us when we search for XSS vectors.
One of the most interesting features of GreaseMonkey is the fact that the tool can be used for malicious purposes, in addition to being a great extension. Simply put, attackers can backdoor user scripts and social engineer unaware users to install them. While user scripts for Firefox require the presence of the GreaseMonkey extension, keep in mind that other browsers, like Opera, support them by default, although the structure of the script is a bit different.
In this section, we are going to cover another useful mechanism that can be used in a similar way as user scripts: bookmarklets. In modern browsers, the bookmark is a simple storage mechanism for listing favorite Web sites. Usually, each bookmark contains information not only about the URL that we want to memorize, but also some meta information such as keywords, description, and title that are associated with it.
This type of technique is widely used among AJAX developers.

Notes from the Underground…

Firefox and Opera support the data: protocol. This protocol can be used to make self-contained files. For example, you can easily make self-contained HTML files by embedding all images inside them, instead of loading them from external resources. However, when they enter their credentials and click the submit button, the information will be sent to the attacker.
These types of phishing attacks are very common and widely spread across the Web. Keep in mind that in this case, the attacker does not need to set up an external server in order to enable their attacks. All they need to do is provide a data URL.
In Firefox you should see it as shown in Figure 2. Another difference is that GreaseMonkey allows you to automatically start scripts. Bookmarklets cannot be automatically started unless you install an extension such as Technika, which we discuss in the next section.
Technika is very small and integrates well with the Firebug command console, which can be used to test and develop your bookmarklets. The extension can be found at www. If you have Firebug installed, you will be able to use Technika's bookmarklet-constructing features. When you are happy with your code, you can easily convert it to a bookmarklet by opening the Technika menu and selecting Build Bookmarklet.
You will be asked to select the folder where you want the bookmarklet to be stored. Type the bookmarklet name and press the OK button, as shown in Figure 2. A screen similar to Figure 2. In order to enable this feature, you need to include the autorun keyword in the bookmarklet properties window, as shown in Figure 2. For example, if you want to develop a framework that consists of several bookmarklets, you may need to load the core libraries before the actual user scripts.
You can simply tag the library bookmarklets as autorun, level0 (see Figure 2.). The scripts that are based on them can be tagged as autorun, level1.
Summary
In this chapter, we covered several tools that are very useful when performing security audits of Web applications. Although a lot of the techniques that we discuss in this book can be performed with only a barefoot browser, sometimes it is just easier and a lot quicker to make use of the available utilities designed to simplify the testing process.
Although the hacking tools are available for anyone to download, they require a certain degree of familiarity in order to get the most benefit from them. In this chapter, we covered only the tools that we believe are most suitable for performing XSS checks.
However, keep in mind that there are plenty of other tools that can be used for similar purposes.
Q: I find the tools that you listed quite confusing. Are there any other tools I can use?
A: Yes, there are plenty of tools to choose from. We picked the tools that we think are the best. Although it is a good idea to familiarize yourself with the tools we list in this book, in general you should pick those that suit your needs best.
A: DOM is the single most complete object that represents the structure of the Web application you are testing. Although in general a lot of vulnerabilities are discovered on the server, very often we find vulnerabilities on the client. Most of these vulnerabilities www. They are very hard to find, but if you master the DOM tree you will be able to detect them more quickly.
Which one is the best?
A: Every tool has its own advantages and disadvantages. We often use all of them at once. The more tools you use, the lower the chance of missing something from the picture.
Q: What is the difference between user scripts and bookmarklets?
A: In general, user scripts are a lot more powerful than bookmarklets, although bookmarklets are cross-browser while user scripts are not. In certain situations you might need to access resources that are in a different origin. User scripts are the right solution for this. Bookmarklets are suitable for creating tiny utilities that work inside the current page.
Q: Can I autorun bookmarklets in other browsers than Firefox?
A: Not unless you extend the browser with this type of feature. Autorunable bookmarks are not supported by browsers.
This chapter provides a breakdown of the many types of XSS attacks and related code injection vectors, from the basic to the more complex. As this chapter illustrates, there is a lot more to XSS attacks than most people understand. Sure, injecting a script into a search field is a valid attack vector, but what if that value is passed through a filter?
Is it possible to bypass the filter? The fact of the matter is, XSS is a wide-open field that is constantly surprising the world with new and unique methods of exploitation and injection. However, there are some foundations that need to be fully understood by Web developers, security researchers, and those Information Technology (IT) professionals who are responsible for keeping the infrastructure together.
This chapter covers the essential information that everyone in the field should know and understand so that XSS attacks can become a thing of the past. The server is merely the host, while the attack executes within the Web browser. The hacker only uses the trusted Web site as a conduit to perform the attack.
To do so, the hacker combs the Web site for any functionality where client-supplied data can be sent to the Web server and then echoed back to the screen. One of the most common vectors for this is a search box. Figure 3. XSS vulnerabilities frequently occur in form search fields all over the Web. By entering "testing for xss" into the search field, the response page echoes the user-supplied text, as illustrated in Figure 3.
One typical example is a simple cookie theft exploit. What makes this attack so effective is that users are more likely to click on the link because the URL contains the real Web site domain name, rather than a look-alike domain name or random Internet Protocol (IP) address as in normal phishing e-mails.
Fragment data does not get sent to the Web server and stays within the DOM. A hacker merely submits XSS exploit code to an area of a Web site that is likely to be visited by other users. These areas could be blog comments, user reviews, message board posts, chat rooms, HTML e-mail, wikis, and numerous other locations. Once a user visits the infected Web page, the execution is automatic. This makes persistent XSS much more dangerous than non-persistent or DOM-based, because the user has no means of defending himself.
SAX is a parsing mechanism that is significantly faster and less memory-intensive, but also not very intuitive, because it is not easy to go back to the document nodes i. On the other hand, DOM-based parsers load the entire document as an object structure, which contains methods and variables to easily move around the document and modify nodes, values, and attributes on the fly.
The html() function modifies the content of the selected element. This string includes the data from the nickname input field. Using our previous example, we need to modify the application slightly in order to make it remotely exploitable. Now try to exploit the application by entering the following string in the address bar: awesome. They can simply bookmark a URL that has the nickname set for them, which is a very handy feature.
However, if the developer fails to sanitize the input, an XSS hole is created that can be exploited. Our sample application is not user friendly. The nickname needs to be re-entered every time a person wants to send a message. So, we are going to enhance the awesome AJAX application with a new feature that makes it remember what our nickname was the last time we were logged in. This cookie feature is available to any application that is retrieved www. You can interact with the new application the same way as before, with one essential difference: once the name is set via awesome.
Web developers should be careful about the data they are storing and always perform input sanitization. We also talk about how these issues can be exploited. Now is the time to show how they can be prevented. This is a very complicated task, and largely depends on the purpose of www.
This is not a rule that can be applied to all situations, though. The not-vulnerable version of our fictitious application is displayed here. If there is another Web application on the same server that has an XSS flaw, it could be leveraged against our chat application. To prevent this, we need to also add output validation to our chat application. As this section illustrates, a Web developer must be very careful when relying on local variables for data and control.
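The nickname handling described in this section, vulnerable and hardened side by side, as an added example that is not the book's code. It assumes the fragment format `#name=<nick>`, a cookie named `nickname`, and models the string the chat would hand to jQuery's html() with plain functions so it runs outside a browser:

```javascript
// Added example (not from the book). Models the "awesome" AJAX chat: the nickname
// comes from the URL fragment (assumed format "#name=<nick>"), is remembered in a
// cookie (assumed name "nickname"), and is written into the page via html().

// Nickname from the fragment. Fragment data never reaches the server, so no
// server-side filter ever sees it; the client must treat it as untrusted.
function nicknameFromFragment(url) {
  const i = url.indexOf('#');
  if (i === -1) return '';
  const m = /(?:^|&)name=([^&]*)/.exec(url.slice(i + 1));
  if (!m) return '';
  // Malformed percent-escapes make decodeURIComponent throw; keep the raw value.
  try { return decodeURIComponent(m[1]); } catch (e) { return m[1]; }
}

// Nickname from a document.cookie-style string ("sid=1; nickname=bob").
// A value stored by an earlier visit is just as untrusted as the fragment.
function nicknameFromCookie(cookieString) {
  for (const part of cookieString.split(';')) {
    const [k, ...rest] = part.trim().split('=');
    if (k === 'nickname') {
      const v = rest.join('=');
      try { return decodeURIComponent(v); } catch (e) { return v; }
    }
  }
  return '';
}

// Cookie the app sets to remember the nickname for the next visit.
function rememberNicknameCookie(nick) {
  return 'nickname=' + encodeURIComponent(nick);
}

// Output validation: replace every character HTML gives meaning to.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable: the markup handed to html(), nickname and message inserted verbatim.
function renderVulnerable(nick, message) {
  return '<b>' + nick + '</b>: ' + message;
}

// Hardened: same markup, both untrusted values escaped at the point of output.
function renderSafe(nick, message) {
  return '<b>' + escapeHtml(nick) + '</b>: ' + escapeHtml(message);
}

// The enhanced app's lookup order: fragment first, then the remembered cookie.
function resolveNickname(url, cookieString) {
  return nicknameFromFragment(url) || nicknameFromCookie(cookieString);
}

// Crude check: does the rendered HTML contain any tag other than our own <b> wrapper?
function hasInjectedTag(html) {
  return /<(?!\/?b>)/.test(html);
}
```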
Redirection
Social engineering is the art of lying, or getting people to do something different from what they would do under normal circumstances. While some refer to this as neuro-linguistic programming, it is really nothing less than fraud. The user must not only trust the site that they are being sent to, but also the vector that drives them there e.
That can be a significant obstacle, but for a phisher, the solution is often found in a complex link that appears to be valid, but in reality is hiding a malicious URL. The most common way to redirect users is through a redirection on a benign site. Many Web sites use redirection to track users.
This link takes the user's browser to www.
Works in the same way as header redirection, except that it has the advantage of being able to delay the redirection for some amount of time i.
Has the advantage of being able to be event-based, rather than just time-based. Has the disadvantage of being completely dependent on the browser to work with whatever client-side code was used.
The following is a list of header redirection response codes:
Redirection Status Codes: Meaning and Use
Moved Permanently: Permanent redirection for when a page has been moved from one site to another, when one site is redirecting to another, and so forth. Search engines consider this the most significant change, and will update their indexes to reflect the move.
This does two bad things for the company in question. First, their consumers are more likely to be phished, and second, the brand will be tarnished. If the brand is tarnished, users will tend to question the security of www.