Monday, October 11, 2010

Test your skills with this XSS hackme (rev. 2)

XSS is a really nasty beast. It's been around since the 90s and we're still discovering new attack vectors, protection mechanisms and evasion techniques. It's not enough to simply "escape HTML output" (e.g. via htmlspecialchars()) to get rid of it - there are always some tiny details that, when omitted, can cause script injection on your site.

Today I did some research on a rather less known XSS attack vector and I would like to present a small 'hack me' application - have fun (and read on for details)!

Introduction

I present to you a small vulnerable shoutbox application.

Features:
  • Sqlite storage for user-submitted comments
  • Your comments are only visible for your own IP (you can only hack yourself)
  • Funny Javascript widgets included
  • Open source (feel free to download and audit the source or run locally)
  • 100% SQL Injection-free
  • 99% 98% XSS free ;-)
  • Only Firefox browsers are vulnerable (sorry)
    Update: I've found a second vuln :) So, for now there are two:
    • Firefox only (I admit, it's hard to detect yet very simple to exploit. It's all about uncommon Javascript syntax) - this one's hard,
    • IE 6,7 (and its variant for IE8). This one is widely known, but it requires a separate website to exploit. It's about headers or lack of them - this is easy.

Widgets

Yes, widgets - you can include Javascript files with widgets that add buttons for some funny manipulation of your comments. Two widgets are currently included - zoom in/out and shout. And you can use them simply by passing the JS filename to include in the widget URL parameter.

Security protections

  • Against XSS - every user input/database content is htmlspecialchars()ed.
  • Against SQL injection - 100% protected as prepared statements are used
  • Against RFI/path traversal - included widget file names are only allowed to contain [a-z.] (so no ../../, http://whatever, or other such tricks would work)
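The three protections above are easy to describe and easy to get subtly wrong, so here is an added example of what a hardened rendering path for a shoutbox like this could look like. This is not the hackme's own source and does not reveal either of its bugs; the table layout, the widget allowlist, the h() helper and the header choices are assumptions for illustration. The points it makes for a defender: call htmlspecialchars() with explicit flags and charset (older PHP defaults leave single quotes alone, which matters in attribute context), map a widget name to a file through a fixed allowlist instead of validating a user-supplied filename with a character class, send an explicit Content-Type with charset plus X-Content-Type-Options: nosniff so the browser does not get to guess what it is rendering, and keep SQL access on prepared statements as the page already does.

```php
<?php
// Added example (not the hackme's source). A hardened shoutbox page:
// explicit headers, explicit escaping flags, widget allowlist, prepared statements.
declare(strict_types=1);

// 1. Response headers: state the type and charset, and forbid sniffing.
//    Sending these on every HTML response is standard hardening; which header
//    (if any) the hackme's IE bug involves is not something this example claims.
header('Content-Type: text/html; charset=UTF-8');
header('X-Content-Type-Options: nosniff');

// 2. Escaping helper. ENT_QUOTES escapes both ' and ", ENT_SUBSTITUTE replaces
//    invalid UTF-8 instead of returning an empty string, and the charset is
//    given explicitly rather than inherited from the runtime configuration.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 3. Widgets: the URL parameter selects a key, never a path. Only the two
//    widgets the page mentions exist here (paths are assumed).
const WIDGETS = [
    'zoom'  => 'widgets/zoom.js',
    'shout' => 'widgets/shout.js',
];

function widgetPath(?string $name): ?string
{
    return ($name !== null && array_key_exists($name, WIDGETS)) ? WIDGETS[$name] : null;
}

// 4. Storage: SQLite via PDO with bound parameters only. An in-memory database
//    is used so the example runs stand-alone; the schema is an assumption.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, ip TEXT NOT NULL, body TEXT NOT NULL)');

$ip = $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1';

if (isset($_POST['comment']) && is_string($_POST['comment'])) {
    $ins = $db->prepare('INSERT INTO comments (ip, body) VALUES (:ip, :body)');
    $ins->execute([':ip' => $ip, ':body' => $_POST['comment']]);
}

// Comments are scoped to the requesting IP, as the page describes.
$sel = $db->prepare('SELECT body FROM comments WHERE ip = :ip ORDER BY id');
$sel->execute([':ip' => $ip]);
$rows = $sel->fetchAll(PDO::FETCH_COLUMN);

$widget = widgetPath(isset($_GET['widget']) && is_string($_GET['widget']) ? $_GET['widget'] : null);
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Shoutbox</title>
<?php if ($widget !== null): ?>
<script src="<?= h($widget) ?>"></script>
<?php endif; ?>
</head>
<body>
<?php foreach ($rows as $body): ?>
<div class="comment" data-ip="<?= h($ip) ?>"><?= h($body) ?></div>
<?php endforeach; ?>
</body>
</html>
```

Note that every interpolation goes through h(), including the ones that are not user input today (the widget path and the IP), so that a later change to where those values come from does not silently create an unescaped sink.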

The goal and final words

Just a simple XSS - if you can make it alert() something, you win. No filtering is being done on the comments, so you may skip the obfuscation. Other than that - just look at the source - it's all there. When you break it, leave comments here with your IP or email me. In a few days I will discuss the exact vulnerabilities and why they worked. In the meantime, good luck!

Update: Both vulnerabilities are now revealed. Here's one for Firefox and one for IE.
