EH-Net

Ethical Hacking Discussions and Related Certifications => Web Applications => Topic started by: t0rh4cker on July 23, 2011, 08:22:08 AM


Title: XSS Attack - Busting Browsers to Root!
Post by: t0rh4cker on July 23, 2011, 08:22:08 AM
This video will demonstrate how a simple XSS vulnerability can be leveraged to gain complete control of your web-browser and eventually lead to a complete system compromise.

1) We will use a cross-site scripting vulnerability as the initial attack vector
2) Exploit XSS by redirecting the user’s browser to the Evil_IP with a JavaScript loop (every 2 secs)
3) Exploit the victim’s browser to gain system ‘root’ or ‘shell’ access
4) Elevate our privileges to system-level

QUIZ: There is at least 6 security controls that could prevent several steps in the video including vulnerabilities or user errors.  Can you spot them all? 

FREEBIE: DVWA web server & IE8 browser security settings allow unencrypted XSS attack string to be sent during an SSL session.  "Submit non-encrypted form data- ENABLED"
What else? ???

http://vimeo.com/26751019

Title: Re: XSS Attack - Busting Browsers to Root!
Post by: MaXe on July 23, 2011, 01:24:46 PM
Quote from: t0rh4cker on July 23, 2011, 08:22:08 AM
QUIZ: There is at least 6 security controls that could prevent several steps in the video including vulnerabilities or user errors.  Can you spot them all? 

FREEBIE: DVWA web server & IE8 browser security settings allow unencrypted XSS attack string to be sent during an SSL session.  "Submit non-encrypted form data- ENABLED"
What else? ???

http://vimeo.com/26751019


I didn't watch the video yet, however now I'm just guessing the security controls, I get free cookies if I win right?  ;D

Security Controls / Applications Preventing XSS:
- NoScript (Browser Addon)
- Anti-Virus System (Some detects and blocks XSS payloads)
- HIPS (Host-based Intrusion Prevention System, similar to an Anti-Virus system somewhat.)
- Patch Management (Staying updated and patched from known vulnerabilities.)
- Other browsers with Sandboxes (e.g. Chrome), or sandboxing a browser.
- Virtual Machines / Jailing (Using a browser in a virtual machine that is only used for that.)
- Enforced Proxy (Filters malicious data, similar to an IPS system somewhat.)
- SPI Firewall (Can detect and remove malicious data.)

And so forth.. Just a few ideas I had  :)

Title: Re: XSS Attack - Busting Browsers to Root!
Post by: t0rh4cker on July 23, 2011, 08:48:48 PM
ding! ding! ding! and Maxe the cyborg takes the lead!

#2 - Patch Management (Staying updated and patched from known vulnerabilities.)

Updating to the latest browser versions like IE8 has a built-in XSS filter.  It was disabled for the video.

#3 - Enforced Proxy (Filters malicious data, similar to an IPS system somewhat.)
Use the proxy to block outbound access to a known "Evil_IP" or Egress Filtering? So technically your proxy server answer should do the trick.


Title: Re: XSS Attack - Busting Browsers to Root!
Post by: MaXe on July 24, 2011, 02:06:03 PM
Quote from: t0rh4cker on July 23, 2011, 08:48:48 PM
ding! ding! ding! and Maxe the cyborg takes the lead!

#3 - Enforced Proxy (Filters malicious data, similar to an IPS system somewhat.)
Use the proxy to block outbound access to a known "Evil_IP" or Egress Filtering? So technically your proxy server answer should do the trick.

I laughed IRL, and yeah that's what I meant about the proxy server too.   :)

Title: Re: XSS Attack - Busting Browsers to Root!
Post by: jonas on July 24, 2011, 03:15:20 PM
Great Video! Thanks.


Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com