
Tips for an Information Security Analyst/Pentester career - Ep. 49: Web app pentesting (pt. 2)

With this post, we're going to see an example of cross site scripting and browser exploitation.

Cross site scripting, a.k.a. XSS, is a very dangerous vulnerability in web applications that "enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy".

As a side note, the acronym XSS is used for this vulnerability to distinguish it from CSS (Cascading Style Sheets), the language used for styling web pages.



XSS attacks fall into two main categories: reflected XSS and stored XSS.

For a definition of these two types of attacks and the difference between them, I'll refer you to this page.

Basic example of a reflected XSS attack

To demonstrate this vulnerability, I'm going to use a vulnerable web application for Windows 7 that can be installed from the additional files accompanying Georgia Weidman's book.

This web application, called Bookservice, has an input field that can easily be exploited.

So I entered a JavaScript snippet in it that displays a pop-up window.

PWNED!!


Advanced browser exploitation

We can do much more than displaying a pop-up alert, though.

We can take complete control of the victim's browser by using a tool called BeEF (Browser Exploitation Framework), freely available in Kali Linux.

This tool starts up a control panel (accessible with the default credentials beef/beef for username and password) that lets you take control of the victim's browser and do pretty much whatever you want.

All we need to do is redirect the target to a web page containing a malicious JavaScript that hooks their browser (this script is shown in the output displayed below, under Hook: and Example:).



When you access the control panel, the framework shows you a series of instructions about the commands you can run against the victim's browser.

Once you have successfully hooked a browser, the IP address of the victim machine appears under Online Browsers.

I was able to exploit DVWA running in a Windows 7 virtual machine by placing the example hook script in a vulnerable input field, performing a stored cross-site scripting attack.

I only needed to replace the localhost IP address with the IP address of my attacking machine, as shown below.


Now that we have taken control of the browser, we can do pretty much whatever we want with it.

To have a complete overview of what we can do, we need to go to the Commands tab.

As a short example of a common and dangerous type of attack, I chose a module that displays a fake notification bar on the target machine, asking the user to install additional plug-ins.

You might have seen similar notifications while browsing and assumed they were legitimate, but clicking such notifications carelessly is never a good idea.

In my demonstration I didn't actually attach any payload or executable to the user's action, but in a real attack you could easily get infected.
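To make the reflected case from the Bookservice example and the stored case from the DVWA example concrete from the defender's side, here is an added Python example (my own code, not from the post, Bookservice, DVWA or BeEF): each vulnerable renderer beside its output-encoded form, plus a parser-based check that flags any surviving script element or on* event handler. The two payload strings are constructed test data, nothing executes them.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs of the kind the post demonstrates: the alert pop-up
# payload and an attribute-breakout variant. They are test data only.
SCRIPT_PAYLOAD = '<script>alert("PWNED")</script>'
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'

# Reflected XSS: the request parameter is concatenated straight into the response.
def render_greeting_vulnerable(name: str) -> str:
    return f'<h1>Hello, {name}!</h1><input name="q" value="{name}">'

# Hardened: encode on output for the HTML context the value lands in.
def render_greeting_safe(name: str) -> str:
    safe = html.escape(name, quote=True)  # quote=True also encodes " and '
    return f'<h1>Hello, {safe}!</h1><input name="q" value="{safe}">'

# Stored XSS: a guestbook saves whatever was posted and replays it to later visitors.
class Guestbook:
    def __init__(self) -> None:
        self._entries: list[str] = []

    def post(self, message: str) -> None:
        self._entries.append(message)  # store raw; encode at render time, per context

    def render_vulnerable(self) -> str:
        return "<ul>" + "".join(f"<li>{m}</li>" for m in self._entries) + "</ul>"

    def render_safe(self) -> str:
        return "<ul>" + "".join(f"<li>{html.escape(m)}</li>" for m in self._entries) + "</ul>"

# Detection for a test suite or response review: parse the rendered page and flag any
# <script> element or on* attribute, which correctly encoded output never produces.
class _ScriptFinder(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
        for name, _ in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}[{name}] event handler")

def find_injected_script(page: str) -> list[str]:
    finder = _ScriptFinder()
    finder.feed(page)
    return finder.findings
```

Output encoding is the actual fix; a Content-Security-Policy header without 'unsafe-inline' is a worthwhile second layer, since it also refuses a hook script loaded from another origin.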


Wrap-up

This brief example shows how web application pentesting has become an important new frontier in information security.

Building walls around your core information assets with the typical castle mindset is pointless when more and more sensitive, mission-critical systems are exposed to the Internet.

XSS attacks are old news, dating back decades, yet they keep appearing in the OWASP Top 10 because they are not always addressed properly; when time to market matters more than secure coding practices, that is what you get.
