Another day, another Twitter XSS
September 6, 2010
It may surprise some, but I really haven’t been big on XSS lately, mostly because it’s a problem that hasn’t changed for years, and the most basic form of it is still brutally simple to exploit. Not a lot of excitement in it, I guess. But that doesn’t mean that it doesn’t deserve attention- in fact, that’s exactly why it does. So when a new Twitter XSS popped up on my feed reader this morning, I took the 10 minutes it takes to write a proof of concept, and put together an exploit.
You can check it out if you like (It won’t bite until you manually click the “pwn me” button, so the link is safe, but don’t take my word for it, use NoScript and RequestPolicy). Frankly, if I wanted to hack you, I’d be doing it silently on this page, not that one.
I’ll post a followup later. This example drives some pretty interesting points home.
Cross-subdomain Session Fixation
September 2, 2010
Last fall I wrote a bit about cross-subdomain cookie attacks. As often as I come across more uses for them, I think that they are a much more serious issue than most people (myself included) have made them sound. Today, I came across a variant which I’d theorized about in the past, but never bothered to find in the wild, and I think it merits some attention.
You may be familiar with Hack Is Wack- a stupid marketing campaign from Norton/Symantec. The premise is simple: users submit videos, which are voted on, and the winner gets to roll with Snoop Dogg…’s manager. You may not know it, but most of Snoop’s music is information security-related. “What’s My Name” is about AuthN, “Drop it like it’s Hot” is about SQL injection, not to mention constant references to cron, gzip, and other unix commands in his lyrics. It’s really a pretty natural match.
At any rate, the Hack is Wack site is chock full of holes. For example, there’s the publicly available, indexed cache directory with all that SQL, JSON and other data. There are the XSS vulns (HTML5 only, though it should be simple enough to rewrite), CSRF holes, and the Flash upload issues in the video upload script (a Joomla module that appears to have been used without any quality control or review despite the fact that it’s currently in Alpha).
A security company using bad code in a marketing site? Shocking, I know. I’m really not here to harp on them though. I’m over security vendors being full of shit- they all are, it’s not news.
I just found a particular attack vector interesting.
The voting system for uploaded videos is grossly vulnerable to CSRF, and probably much more serious things, based on the format of the “vote” URL (unencoded, for ease of reading):
http://www.hackiswack.com/index.php/home/rate.html?videoid=\'.24.\'&rating=4
This means that I can create image tags in my own website to vote for a specific video and stuff the ballot box. Classic CSRF, right? It’s something I’ve talked about before, but unfortunately, this one isn’t quite so simple. You have to be logged into the site to vote, and they prevent a user from voting twice for the same video, so to manipulate this poll, we really need to create a whole bunch of user accounts. The user registration page is part of the main Joomla codebase, and it uses session-based tokens to prevent CSRF- the way they should.
The interesting thing here is that the application doesn’t enforce the HTTP Host header. Instead of http://hackiswack.com, there’s no reason you can’t use the application from http://184.106.223.144, or more importantly, http://hackiswack.skeptikal.org (no, this doesn’t actually go there, but there’s no reason it can’t).
Once I have my own domain set up, I can easily force a visitor to skeptikal.org to assume arbitrary session cookies that will also be sent by his browser to hackiswack.skeptikal.org, and with a known session cookie, I can request the page myself and parse it for the CSRF token. I can then embed that token in any forms I force the user to send, bypassing the protections that Joomla so carefully puts in place.
All right, so this is a lot of work, and probably isn’t practical for stuffing ballot boxes (especially since there are already much more serious vulnerabilities to take advantage of), but as a way of bypassing CSRF protections, it’s perfectly valid. There are plenty of times where a CSRF protection mechanism can be bypassed with a simple session fixation attack. A variation on this was described by RSnake last fall, using DNS rebinding instead of subdomains. It’s probably more potent with DNS rebinding, but a cross-subdomain attack tends to be much simpler to set up.
The key to remember is that in this case, you can’t take over an arbitrary session, so it is of limited use for, say, compromising an Admin. However, if you want to log a user into a website (with known credentials), or otherwise force him to do something on your behalf, it’s a very useful technique. Something to keep in mind, at least, and another reason why websites that don’t require specific Host headers should be considered vulnerable.
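The mitigation this post ends on, as an added example that is not from the original post: a Host-header allowlist, next to a small simulation of the cookie domain-matching rule that lets a session planted by a sibling subdomain reach the application whenever the Host is not checked. The cookie name, the allowlist and the scenario values are constructed for illustration.

```python
from typing import Dict, List

# Constructed allowlist: the names the application actually owns.
ALLOWED_HOSTS = {"hackiswack.com", "www.hackiswack.com"}
SESSION_COOKIE = "sess"  # constructed name; the real cookie name is not known here

def domain_matches(cookie_domain: str, request_host: str) -> bool:
    """RFC 6265 domain-match: a cookie scoped to skeptikal.org is sent to
    every subdomain of it, including one an attacker points at the app."""
    cd = cookie_domain.lstrip(".").lower()
    rh = request_host.lower()
    return rh == cd or rh.endswith("." + cd)

def build_cookie_header(jar: List[Dict[str, str]], request_host: str) -> str:
    """The Cookie header a browser would attach to a request for request_host."""
    return "; ".join(f"{c['name']}={c['value']}" for c in jar
                     if domain_matches(c["domain"], request_host))

def parse_cookie_header(header: str) -> Dict[str, str]:
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies

def host_allowed(host_header: str, allowed: set) -> bool:
    """The mitigation: serve the app only under names it owns (port stripped)."""
    return host_header.split(":", 1)[0].strip().lower() in allowed

def handle_request(host_header: str, cookie_header: str, enforce_host: bool) -> dict:
    """Simplified front door. Without the Host check, whatever session cookie
    arrives, including one planted from a sibling subdomain, becomes the session."""
    if enforce_host and not host_allowed(host_header, ALLOWED_HOSTS):
        return {"status": 400, "session": None}
    return {"status": 200, "session": parse_cookie_header(cookie_header).get(SESSION_COOKIE)}

def simulate(enforce_host: bool) -> dict:
    """Constructed scenario: a page on skeptikal.org set a session cookie for the
    whole parent domain; the visitor's browser then requests hackiswack.skeptikal.org."""
    jar = [{"name": SESSION_COOKIE, "value": "attacker-known-id", "domain": ".skeptikal.org"}]
    host = "hackiswack.skeptikal.org"
    return handle_request(host, build_cookie_header(jar, host), enforce_host)
```

With the Host check off, the planted value is accepted as the session; with it on, the request for the attacker-controlled name never reaches the application.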
-Mike Bailey
Cross-posted from http://skeptikal.org.
Hat tips to The Harmony Guy and Packetwerks for pointing out some of the holes in the Hack is Wack site.
Cutting Edge Module – Social Engineering Toolkit
August 4, 2010
One of the most interesting developments of the past year is the Social Engineering Toolkit (SET). Produced as an extension to Metasploit, SET is an invaluable tool in the penetration tester’s arsenal, especially as the industry has shifted away from server-side and application-side vulnerabilities toward a more client-centric model.
Members get an in depth education on the use of SET and labs that teach them how to use it in their day to day lives.
We must apologize, though: the module was released a while ago, and we just haven’t had time to write about it (or most of the other neat new things that came out recently) as this past month was CRAZY. The Next HOPE, Black Hat, BSides and Defcon kept us scrambling to keep our brains in our heads, and our heads on our shoulders. And, of course, with Rel1k’s release of SET 0.6 at BSides, we’ll be producing an updated version of this one shortly.
It’s Conference Time…
July 23, 2010
The coming week is the big conference week of the year for us – Blackhat, Defcon and BSides. And it’s going to be a busy week.
Here’s the thing – even if you’re seriously committed, you can’t see everything. There’s overlap on most days and multiple tracks.
So… if you’re looking to be a better pen-tester, which talks should you make sure to see? I’ve put together a list of talks that I think will really benefit those of you who are looking to improve your hacking & pen-testing skills specifically…
Hacking Fundamentals - A Student’s View
July 8, 2010
I completed the Hacking Fundamentals module today and I found some interesting things. There is a section on the mind of a hacker… lead instructor Mike Murray goes into good detail on how the “hacker” or pen tester thinks or should be thinking, followed up by some labs on Convergent and Divergent Thinking as well as Inductive and Abductive Reasoning. I have to say that if becoming a good penetration tester takes this much thinking, I don’t know how long I will survive. When I downloaded the slides there was a description of hacker similarities: they are curious, have many intellectual properties and have the ability to provide a process to a problem. That being the case, our defenses should be pretty good, but in a lot of cases they aren’t up to snuff. There was some good info in the Security Fundamentals module that is easy to understand if you are a beginner and some stuff that could definitely be used as a good refresher for a more advanced security professional. After seeing all of the basics in this module, I am ready to get my hands dirty in module 2 and learn about reconnaissance. Until my next update from the eyes of a student…
Aaron