[TOOL] XSS-Proxy - Remotely Controlling XSS Attacks
From: SecuriTeam (support_at_securiteam.com)
Date: 02/13/05
- Previous message: SecuriTeam: "[UNIX] IBM AIX lspath Local File Access Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 13 Feb 2005 19:07:57 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
XSS-Proxy - Remotely Controlling XSS Attacks
------------------------------------------------------------------------
SUMMARY
DETAILS
Rager Anton presented on this topic this past weekend at Shmoocon, but
wanted to also brief the list on his persistent remote control XSS attack
methods and a demonstration tool he has developed.
Anton has combined common XSS exploitation techniques with Javascript
Remoting and Session-Riding to create an attack tool that uses an XSS
vulnerable site (or sites), and a victim that loads our XSS vector, to
create a remotely controlled, interactive, two-way attacker
command/control channel to the victim. The PoC demonstration tool is
called XSS-Proxy and is a lightweight, Perl based attacker tool that
provides the command/control channel to a victim browser by translating
attacker requests into victim Javascript and collecting/displaying victim
results to the attacker.
This tool provides a persistent attacker command/control channel to the
XSS'd victim and allows the attacker to provide additional commands to the
victim with the victim forwarding readable document contents/results back
to the attacker. It basically attack allows the attacker to drive the
victim browser over the vulnerable site and perform most actions the
victim could (like reading pages and submitting forms). The victim browser
continues to loop and look for additional commands from the XSS-Proxy
controller indefinitely, and can be controlled as long as we can keep the
original XSS'd site window open - Anton calls these idling victims
"Browser-Zombies".
We aren't just reading cookies anymore: we are requesting the victim load
arbitrary documents off a target XSS'd server, submit forms (POST or GET)
to XSS'd server and set/evaluate javascript vars/functions within the
victim browser. This is useful for exploiting XSS vulnerable sites/users
where cookies are not the primary mechanism for authentication by allowing
an attacker to leverage trust relationships the victim may already have
with target sites via cached authentication, client side certificate auth,
IP access controls and perhaps even victims/targets behind firewalls. It
is also possible to leverage this platform/attack for
Cross-Site-Request-Forgery (CSRF) / Session-Riding attacks on non XSS
vulnerable servers, multi-XSS site redirection (a list of sites to see if
this user may have privs on), Masqueraded attacks on specific XSS
vulnerable target servers (think Nikto thru someone-else's browser), MITM
attacks on interactive victim windows and possibly even leverage CSRF
traffic to look for other XSS flawed servers.
Anton has a draft white paper that provides more detail on the basic XSS
based Javascript Remoting attack and outlines some approaches/details on
methods for extending the attack even further at:
<http://xss-proxy.sourceforge.net/Advanced_XSS_Control.txt>
http://xss-proxy.sourceforge.net/Advanced_XSS_Control.txt. The XSS-Proxy
demonstration tool is available at the project section of the same site (
<http://sourceforge.net/projects/xss-proxy>
http://sourceforge.net/projects/xss-proxy). Anton's Shmoocon slides and
links to additional primer information on XSS attacks can be found at
<http://xss-proxy.sourceforge.net> http://xss-proxy.sourceforge.net
Anton doesn't regard himself as a WWW developer, therefore he believes he
may have missed some other implications and/or more elegant ways of
implementing this sort of attack, but the basic attack does work and the
XSS-Proxy tool allows it to be explored more. Anton had a lot of positive
feedback from Shmoocon, but he is very interested in other researcher
feedback as well as other related ideas for extending persistent,
intelligent and controlled XSS/Session-Riding/CSRF attacks.
ADDITIONAL INFORMATION
The information has been provided by <mailto:arager@avaya.com> Rager,
Anton (Anton).
The original article can be found at:
<http://xss-proxy.sourceforge.net/Advanced_XSS_Control.txt>
http://xss-proxy.sourceforge.net/Advanced_XSS_Control.txt
To keep updated with the tool visit the project's homepage at:
<http://sourceforge.net/projects/xss-proxy>
http://sourceforge.net/projects/xss-proxy
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] IBM AIX lspath Local File Access Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
