8/14/2019 Six Degrees of XSSploitation
http://slidepdf.com/reader/full/six-degrees-of-xssploitation 1/15
Six Degrees of XSSploitation
Dan Moniz <[email protected]>
HD Moore
Introduction
• Who?
– Two guys who thought this was an interesting topic
• What?
– Using XSS in concert with ridiculously popular web content (sites and software) as a viral infection platform
• Why?
– We’re afraid
XSS Matters
• Rise of social network sites
• Increase in rich content
– JavaScript
– Flash
– Java
– AJAX
• Widely deployed software
samy is my hero
• MySpace target
• Injection via XSS
• Performs both XSS and XSRF attacks
• Payload in the client (browser) is entirely JavaScript
• Self-replicating code only
– But on a site with ~70 million vulnerable users!
samy Dissected
• Makes use of CSS style elements in HTML tags (div) and JavaScript decimal-to-ASCII conversion to bypass filters (among other things)
• XMLHTTP works because the user is already authenticated -- the point is to automate what the user can do programmatically
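As an added, defender-side example (not code from the talk): a small normalising scan that undoes the two encodings this slide names, HTML decimal entities and String.fromCharCode lists, before pattern-matching, so a filter that only inspects raw input does not miss a javascript: URL in a style attribute or a decoded XMLHTTP reference. The rules and sample fragments are constructed for illustration and are not a complete XSS filter.

```python
import html
import re

# Decimal code lists passed to String.fromCharCode, e.g. String.fromCharCode(88,77,76)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]*)\)", re.I)
# Value of an HTML style attribute, quoted with ", with ', or unquoted
STYLE_ATTR_RE = re.compile(r"""style\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)


def decode_fromcharcode(text: str) -> str:
    """Replace String.fromCharCode(106,97,...) with the string it builds,
    so later checks see the decoded payload instead of a list of numbers."""
    def repl(m):
        codes = [int(n) for n in m.group(1).split(",") if n.strip().isdigit()]
        return '"' + "".join(chr(c) for c in codes if c < 0x110000) + '"'
    return FROMCHARCODE_RE.sub(repl, text)


def normalize(fragment: str) -> str:
    """Canonicalise user-supplied HTML before any pattern check: HTML
    entities (&#106; -> j) and fromCharCode lists become text, then lowercase."""
    return decode_fromcharcode(html.unescape(fragment)).lower()


def suspicious_style(style_value: str) -> bool:
    """True when a style value carries a javascript: URL; whitespace is
    stripped first so a scheme split across characters is still caught."""
    return "javascript:" in re.sub(r"\s+", "", style_value)


def scan(fragment: str) -> list:
    """Return the list of findings for one user-supplied HTML fragment."""
    findings = []
    if FROMCHARCODE_RE.search(fragment):
        findings.append("fromCharCode-encoded string")
    text = normalize(fragment)
    for m in STYLE_ATTR_RE.finditer(text):
        value = next(g for g in m.groups() if g is not None)
        if suspicious_style(value):
            findings.append("javascript: url in style attribute")
    if "xmlhttp" in text:
        findings.append("xmlhttp reference (request automation in the victim's session)")
    return findings


# Constructed sample fragments: entity-encoded scheme in a style attribute,
# a fromCharCode-built identifier, and a benign comment.
SAMPLES = [
    '<div style="background:url(&#106;avascript:eval(mycode))">',
    "<div>eval(String.fromCharCode(88,77,76,72,116,116,112))</div>",
    "<p>Hello &amp; welcome</p>",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(scan(s) or "clean", "<-", s)
```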
JS-Yamaner
• Yahoo! Mail target
• JavaScript code in an HTML email that abused onload event handling
• Sent itself to every address in a Yahoo! Mail user’s address book
• Leaked addresses it found back to a third-party site
SPAIRLKAIFS
• WMF vuln inside a chewy nougat center of Flash using luscious JavaScript cream (geturl)
• Found on MySpace, but not a worm
• 16,000 page views per day per million users of the web (source: Alexa)
• PurityScan/ClickSpring adware install
• Flash 9 added AllowNetworking flag
Making XSS “Useful”
• Combine XSS injection with native code exploit payloads
• Propagate via XSS
• Hook into the browser
• Ride into the next web app
• Inspect form variables from IE hooks to pick XSS exploit
Browser Bugs
• Browser Fun and MoBB
– http://browserfun.blogspot.com/
• MS06-014: MDAC code execution
• IE HTML Help Control COM object Image Property Heap Overflow (MoBB #2)
• WMI SDK bug (0-day!)
Native Code Hooks
• Why IE?
– Most deployed platform on earth + most popular browser on the web = teh win
• Three places to hook into IE
• IE7 kills ActiveX exploits
• Extensions are the ActiveX for Mozilla and Firefox
Implementation
• Disclaimer
– Suboptimal for real worm
– Hardcoded limitations
• Blog + IE
– Blog comments/posts/trackbacks
– Blog XML-RPC
– IE exploit
– Hooking code
Exploit Lifecycle
• Find vulnerable web content (site and/or software)
– Preferably something not only popular, but with a viral growth curve
• One definition of viral: for every 1 user joining the site, that user will attract 1.1 or more additional users to sign up, on average
Code Anyone?
• Hooking into IE
• Detect web application in use based on form variable names
• Use application specific code injection
Thanks!
• Dan Moniz
• http://pobox.com/~dnm/
• http://hundrad.org/
• HD Moore
• [email protected]
• http://metasploit.com/