Today I did some research on a rather little-known XSS attack vector and I would like to present a small 'hack me' application - have fun (and read on for details)!
Introduction
I present to you a small vulnerable shoutbox application.
Features:
- Sqlite storage for user-submitted comments
- Your comments are only visible to your own IP (you can only hack yourself)
- Funny Javascript widgets included
- Open source (feel free to download and audit the source or run locally)
- 100% SQL Injection-free
- 98% (originally 99%) XSS free ;-)
Only Firefox browsers are vulnerable (sorry)
Update: I've found a second vuln :) So, for now there are two:
- Firefox only (I admit, it's hard to detect yet very simple to exploit. It's all about uncommon Javascript syntax) - this one's hard,
- IE 6,7 (and its variant for IE8). This one is widely known, but it requires a separate website to exploit. It's about headers or lack of them - this is easy.
Widgets
Yes, widgets - you can include Javascript files with widgets that add buttons for some funny manipulation of your comments. Two widgets are currently included - zoom in/out and shout. And you can use them simply by passing the JS filename to include in the widget URL parameter.
Security protections
- Against XSS - every user input/database content is htmlspecialchars()ed.
- Against SQL injection - 100% protected as prepared statements are used
- Against RFI/path traversal - included widget file names are only allowed to contain [a-z.] (so ../../, http://whatever and similar tricks will not work)
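As an added example (my own code, not the shoutbox's source), here is how the three protections above look when written with explicit settings: response headers that declare the content type and charset, a widget allowlist instead of a character-class check, and htmlspecialchars() with ENT_QUOTES and an explicit charset. The widget file names (widgets/zoom.js, widgets/shout.js), the helper names and the sample comment are assumptions; the post names the widgets but not their files.

```php
<?php
// Added example, not the original shoutbox code. Widget file names below are
// assumed; the post names the widgets (zoom, shout) but not their files.

// 1. Headers first. An explicit type and charset, plus nosniff (honoured from
//    IE8 on), leave the browser nothing to guess about this response.
header('Content-Type: text/html; charset=utf-8');
header('X-Content-Type-Options: nosniff');

// 2. Widgets: resolve the request to a known key, never to a raw file name.
//    The post's [a-z.] check limits characters; an allowlist limits files.
const WIDGETS = ['zoom' => 'widgets/zoom.js', 'shout' => 'widgets/shout.js'];

function widget_script_tag(?string $requested): string
{
    if ($requested === null || !isset(WIDGETS[$requested])) {
        return '';                       // unknown or absent widget: load nothing
    }
    return '<script src="' . esc(WIDGETS[$requested]) . '"></script>';
}

// 3. Output encoding: ENT_QUOTES so single quotes are encoded as well, and an
//    explicit charset instead of whatever default_charset happens to be.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Comments would come from SQLite via a prepared statement filtered by the
// visitor's IP; a constructed sample stands in for that result here.
$comments = [
    ['body' => "<b>hi</b> & 'bye'"],
];

echo "<!DOCTYPE html>\n<html><head><meta charset=\"utf-8\"><title>Shoutbox</title></head><body>\n";
echo widget_script_tag($_GET['widget'] ?? null), "\n";
foreach ($comments as $c) {
    // Every stored field is encoded at output time; nothing from the DB is trusted.
    echo '<p class="comment">', esc($c['body']), "</p>\n";
}
echo "</body></html>\n";
```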
The goal and final words
Just a simple XSS - if you can make it alert() something, you win. No filtering is being done on the comments, so you may skip the obfuscation. Other than that - just look at the source - it's all there. When you break it, leave comments here with your IP or email me. In a few days I will discuss the exact vulnerabilities.
Update: Both vulnerabilities are now revealed. Here's one for Firefox and one for IE.