[TOOL] XSS-Proxy - Remotely Controlling XSS Attacks
From: SecuriTeam (support_at_securiteam.com)
Date: 02/13/05
To: list@securiteam.com Date: 13 Feb 2005 19:07:57 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
XSS-Proxy - Remotely Controlling XSS Attacks
------------------------------------------------------------------------
SUMMARY
DETAILS
Anton Rager presented on this topic this past weekend at Shmoocon, but also
wanted to brief the list on his persistent remote-control XSS attack methods
and the demonstration tool he has developed.
Anton has combined common XSS exploitation techniques with JavaScript
remoting and session riding to create an attack tool that uses an
XSS-vulnerable site (or sites), and a victim who loads the XSS vector, to
establish a remotely controlled, interactive, two-way attacker
command/control channel to the victim. The PoC demonstration tool is
called XSS-Proxy: a lightweight, Perl-based attacker tool that provides
the command/control channel to a victim browser by translating attacker
requests into victim JavaScript and collecting/displaying the victim's
results to the attacker.
This tool provides a persistent attacker command/control channel to the
XSS'd victim and lets the attacker issue additional commands to the
victim, with the victim forwarding readable document contents/results back
to the attacker. It basically allows the attacker to drive the victim
browser over the vulnerable site and perform most actions the victim could
(such as reading pages and submitting forms). The victim browser continues
to loop and look for additional commands from the XSS-Proxy controller
indefinitely, and can be controlled for as long as the original XSS'd site
window stays open. Anton calls these idling victims "Browser-Zombies".
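The polling loop described above has a network footprint a defender can look for: the victim browser keeps re-fetching script from one controller host at a steady cadence for as long as the window stays open. The following is an added detection example, not code from the advisory or from the XSS-Proxy project. The log format, the host names and the script path `poll.js` are all constructed for the example, and the heuristic (flag a client that fetches JavaScript from an untrusted host at least five times with near-constant intervals) is an assumption about what such beaconing looks like, not a signature published for the tool.

```python
"""Flag XSS-Proxy-style command polling in a web proxy log (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log lines, not real traffic:
# "<ISO timestamp> <client ip> <method> <url> <response content-type>"
# 10.0.0.5 fetches poll.js from an unknown host every 2 s (the zombie loop);
# 10.0.0.7 fetches a third-party script at irregular, human-paced intervals.
SAMPLE_LOG = """\
2005-02-13T19:00:00 10.0.0.5 GET http://intranet.example/home text/html
2005-02-13T19:00:01 10.0.0.5 GET http://cdn.example/jquery.js application/javascript
2005-02-13T19:00:02 10.0.0.5 GET http://controller.invalid/poll.js application/javascript
2005-02-13T19:00:04 10.0.0.5 GET http://controller.invalid/poll.js application/javascript
2005-02-13T19:00:06 10.0.0.5 GET http://controller.invalid/poll.js application/javascript
2005-02-13T19:00:08 10.0.0.5 GET http://controller.invalid/poll.js application/javascript
2005-02-13T19:00:10 10.0.0.5 GET http://controller.invalid/poll.js application/javascript
2005-02-13T19:00:12 10.0.0.5 GET http://controller.invalid/poll.js application/javascript
2005-02-13T19:00:00 10.0.0.7 GET http://intranet.example/home text/html
2005-02-13T19:00:05 10.0.0.7 GET http://analytics.invalid/tag.js application/javascript
2005-02-13T19:03:40 10.0.0.7 GET http://analytics.invalid/tag.js application/javascript
2005-02-13T19:09:10 10.0.0.7 GET http://analytics.invalid/tag.js application/javascript
2005-02-13T19:20:00 10.0.0.7 GET http://analytics.invalid/tag.js application/javascript
2005-02-13T19:21:00 10.0.0.7 GET http://analytics.invalid/tag.js application/javascript
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, client, host, content_type) records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, ctype = line.split()
        records.append((datetime.fromisoformat(ts), client, urlsplit(url).hostname, ctype))
    return records


def find_polling_clients(records, trusted_hosts, min_hits=5, max_cv=0.25):
    """Return {(client, host): stats} for clients that repeatedly fetch script
    from an untrusted host at a near-constant cadence.

    Regularity is measured as the coefficient of variation (stddev / mean) of
    the inter-request gaps; a scripted loop gives a value near 0, a human
    browsing session gives a large one.
    """
    fetches = defaultdict(list)
    for ts, client, host, ctype in records:
        if "javascript" in ctype and host not in trusted_hosts:
            fetches[(client, host)].append(ts)

    flagged = {}
    for key, stamps in fetches.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[key] = {"hits": len(stamps), "mean_interval_s": avg, "cv": round(cv, 3)}
    return flagged


def scan_sample():
    """Run the heuristic over the constructed log with the internal hosts trusted."""
    return find_polling_clients(parse_log(SAMPLE_LOG),
                                trusted_hosts={"intranet.example", "cdn.example"})


if __name__ == "__main__":
    for (client, host), stats in scan_sample().items():
        print(f"{client} is polling script from {host}: {stats}")
```

Tune `min_hits` and `max_cv` against your own baseline; legitimate pages that refresh themselves on a timer will also look periodic, so the untrusted-host filter (a real allow-list of CDNs and internal origins) is what keeps the false-positive rate workable.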
This is no longer just cookie theft: the victim is made to load arbitrary
documents from a target XSS'd server, submit forms (POST or GET) to the
XSS'd server, and set/evaluate JavaScript variables/functions within the
victim browser. This is useful for exploiting XSS-vulnerable sites/users
where cookies are not the primary authentication mechanism, because it lets
an attacker leverage trust relationships the victim already has with target
sites via cached authentication, client-side certificate auth, IP access
controls, and perhaps even reach victims/targets behind firewalls. It is
also possible to leverage this platform/attack for Cross-Site Request
Forgery (CSRF) / session-riding attacks on servers that are not themselves
XSS-vulnerable, multi-XSS-site redirection (walking a list of sites to see
whether this user has privileges on any of them), masqueraded attacks on
specific XSS-vulnerable target servers (think Nikto through someone else's
browser), MITM attacks on interactive victim windows, and possibly even
leveraging CSRF traffic to look for other XSS-flawed servers.
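The session-riding case above (forms submitted through the victim's browser, riding on cached credentials, client certificates or IP access controls) is the one where the usual CSRF defences still hold. The following is an added example of a server-side gate, written here for illustration and not taken from the advisory or the XSS-Proxy project: a synchronizer token bound to the session with an HMAC, a check that the browser-supplied Origin header (when present) is the application's own, and a rule that GET never changes state. `SITE_ORIGIN`, the session ids, the form field name `csrf_token` and the request shape passed to `accept_state_change` are all assumptions of the example. The caveat a practitioner should keep in mind: this protects the servers the text calls "non XSS vulnerable"; on the XSS'd origin itself the injected script can read the token out of the page, so there the only real fix is removing the injection.

```python
"""Session-bound CSRF token gate (added example, not project code)."""
import hashlib
import hmac
import secrets

# Assumption: in a real deployment this key is loaded from configuration;
# it is generated at import time here so the example runs stand-alone.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://app.example"  # assumed origin of the protected application


def _mac(session_id: str, nonce: str) -> str:
    """HMAC over session id and nonce, so a token is only valid for the session it was issued to."""
    return hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Return 'nonce.mac'. The token is embedded in the form served to the user;
    a page on a foreign origin cannot read it, so a browser that is merely
    riding on cached credentials cannot supply a valid one."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token) -> bool:
    """Constant-time check that the token was issued for this session and is untampered."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def accept_state_change(method: str, session_id: str, headers: dict, form: dict) -> bool:
    """Decide whether a state-changing request may proceed.

    1. Only POST changes state; the tool can submit GET forms through the
       victim, so a GET handler must never have side effects.
    2. If the browser sent an Origin header, it must name our own origin.
    3. The form must carry a token bound to the current session.
    """
    if method.upper() != "POST":
        return False
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    return verify_csrf_token(session_id, form.get("csrf_token"))


def demo() -> dict:
    """Exercise the gate with constructed requests and return each outcome."""
    sid = "sess-A"
    token = issue_csrf_token(sid)
    flipped = token[:-1] + ("0" if token[-1] != "0" else "1")  # one hex digit of the MAC changed
    return {
        "legit_post": accept_state_change("POST", sid, {"Origin": SITE_ORIGIN}, {"csrf_token": token}),
        "get_form_submit": accept_state_change("GET", sid, {}, {"csrf_token": token}),
        "foreign_origin": accept_state_change("POST", sid, {"Origin": "https://attacker.invalid"}, {"csrf_token": token}),
        "no_token": accept_state_change("POST", sid, {}, {}),
        "other_session": accept_state_change("POST", "sess-B", {}, {"csrf_token": token}),
        "tampered": accept_state_change("POST", sid, {}, {"csrf_token": flipped}),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:16s} -> {'accepted' if accepted else 'rejected'}")
```

A POST without any Origin header is still accepted when the token checks out, which keeps older clients working; if every supported browser sends Origin, tightening the second rule to require the header is a reasonable hardening step. Marking the session cookie `SameSite` closes the same hole from the browser side and is worth doing in addition, not instead.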
Anton has a draft white paper that provides more detail on the basic
XSS-based JavaScript remoting attack and outlines some approaches/details on
methods for extending the attack even further at:
http://xss-proxy.sourceforge.net/Advanced_XSS_Control.txt
The XSS-Proxy demonstration tool is available in the project section of the
same site (http://sourceforge.net/projects/xss-proxy). Anton's Shmoocon
slides and links to additional primer information on XSS attacks can be
found at http://xss-proxy.sourceforge.net
Anton doesn't regard himself as a WWW developer, so he believes he may have
missed other implications and/or more elegant ways of implementing this
sort of attack, but the basic attack does work and the XSS-Proxy tool
allows it to be explored further. Anton had a lot of positive feedback from
Shmoocon, but he is very interested in feedback from other researchers as
well as related ideas for extending persistent, intelligent and controlled
XSS/session-riding/CSRF attacks.
ADDITIONAL INFORMATION
The information has been provided by Anton Rager <arager@avaya.com>.
The original article can be found at:
http://xss-proxy.sourceforge.net/Advanced_XSS_Control.txt
To keep updated with the tool visit the project's homepage at:
http://sourceforge.net/projects/xss-proxy
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.