Introduction
Cross-Site Scripting (XSS) vulnerabilities have been reported and exploited since the 1990s. XSS was listed as the third most critical vulnerability in the OWASP 2013 web application vulnerabilities list.
Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications which allows attackers to inject client-side script into web pages viewed by other users. The execution of the injected code takes place on the client side. A cross-site scripting vulnerability can be used by the attacker to bypass the Same Origin Policy (SOP). In the past, the full potential of XSS vulnerabilities was not understood. XSS was mainly used for stealing cookies and for temporary or permanent defacements, and was not considered a high-risk vulnerability. But later, XSS tunneling and payload delivery showed us the real potential of XSS vulnerabilities. Most of the large websites, such as Google, Facebook, Twitter, Microsoft and Amazon, suffer from XSS bugs even now. That is a brief introduction to XSS.
Some threats due to XSS
XSS Tunneling: With an XSS tunnel, a hacker can obtain the traffic between the victim and a web server.
Client side code injection: A hacker can inject malicious code and execute it on the client side.
DoS: A hacker can perform a denial of service (DoS) attack against a remote server or against the client itself.
Cookie Stealing: A hacker can obtain the session cookies or tokens of a victim.
Malware Spreading: A hacker can spread malware through a website which is vulnerable to XSS.
Phishing: A hacker can embed, or redirect to, a fake page of the website to get the login credentials of the victim.
Defacing: Temporary or permanent defacement of the web application is possible.
What is Xenotix XSS Exploit Framework?
Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in web applications. This tool can inject code into a web page which is vulnerable to XSS. It is basically a payload-list based XSS scanner and XSS exploitation kit. It gives a penetration tester the ability to test all the XSS payloads available in the payload list against a web application to test for XSS vulnerabilities. The tool supports both a manual mode and an automated time-sharing based test mode. The exploitation framework in the tool includes an XSS encoder, a victim-side XSS keystroke logger, an executable drive-by downloader, an XSS reverse shell and an XSS DDoSer. These exploitation tools help the penetration tester to create proof-of-concept attacks on vulnerable web applications while preparing a penetration test report.
Features of Xenotix XSS Exploit Framework
Xenotix XSS Exploit Framework is divided into two modules:
Scanner Module
Built in XSS Payloads
HTML5 compatible Payload list
XSS Auto mode Scanner
XSS Multi-Parameter Scanner
XSS Fuzzer
Exploitation Framework
XSS Keylogger
XSS Executable Drive-by downloader
XSS Payload Encoder
XSS Reverse Shell
XSS DDoSer
XSS Cookie Thief
Scanner Module
Built in Payload List
It has an inbuilt list of over 500 XSS payloads, including HTML5 compatible XSS injection payloads. Most XSS filters are implemented using a string-replace filter, the htmlentities filter or the htmlspecialchars filter. Most of these weakly designed filters can be bypassed by specific XSS payloads present in the inbuilt payload list.
The above chart shows the number of XSS payloads in the different XSS scanning tools available in the market. Xenotix XSS Exploit Framework has the world's second largest XSS payload list, after IBM AppScan Security, which has 700 million payloads.
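To make the filter weakness described above concrete, here is an added example (my own code, not from the Xenotix project) in JavaScript: a string-replace filter of the kind mentioned, beside contextual HTML escaping, run over constructed inputs. The function and sample names are assumptions of this example.

```javascript
// Added example (not part of Xenotix): why a string-replace XSS filter fails
// while contextual output encoding holds.

// Weak filter of the kind described above: strips the literal "<script>" tag.
// String.prototype.replace with a string pattern replaces only the FIRST
// occurrence, and the match is case-sensitive, so most inputs pass untouched.
function naiveScriptFilter(input) {
  return input.replace("<script>", "");
}

// Hardened alternative: encode every character that has meaning in an HTML
// text or attribute context instead of trying to blacklist tag names.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Check: does a raw script tag survive in the output?
function containsRawTag(html) {
  return /<\s*script/i.test(html);
}

// Constructed sample inputs (not from the page): a plain tag, a tag in a
// different case, and a repeated tag.
const SAMPLES = [
  'hello <script>x()</script>',
  '<SCRIPT>x()</SCRIPT>',
  '<script><script>x()</script>',
];

// Run both filters over the samples and report whether a raw tag leaked.
function compareFilters() {
  return SAMPLES.map((s) => ({
    input: s,
    naiveLeaksTag: containsRawTag(naiveScriptFilter(s)),
    escapedLeaksTag: containsRawTag(escapeHtml(s)),
  }));
}

console.log(JSON.stringify(compareFilters(), null, 2));
```

Only the first sample is neutralised by the string-replace filter; the escaped output never contains a raw tag.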
XSS Scanner Module
XSS Multi-Parameter Scanner
The Multi-Parameter XSS Scanner is useful when you have multiple parameters to test for XSS. It can extract the different parameters from the given URL and test them individually. It saves a lot of your time, as you do not need to test each parameter separately.
XSS Fuzzer
The XSS Fuzzer is a convenient module to detect hidden XSS as well as other vulnerabilities like HTTP Parameter Pollution. With the Fuzzer, one can conduct out-of-the-box fuzzing to detect hidden vulnerabilities in a web application.
Exploitation Framework
XSS Keylogger
The tool includes an inbuilt victim-side keylogger which is implemented using JavaScript and PHP. The PHP side is served with the help of a portable PHP server named QuickPHP by Zach Saw. A JavaScript file is injected into the web application vulnerable to XSS and is presented to the victim. The script captures the keystrokes made by the victim and sends them to a PHP file, which then writes the logs into a text file.
XSS Executable Drive-by Downloader
Java drive-by download can be implemented with Xenotix XSS Exploit Framework. It allows the attacker to download and run a malicious executable file on the victim's system without his knowledge and permission. You have to specify the URL of the malicious executable, embed the web page implementing the drive-by into an XSS vulnerable page, and serve it to your victim. When the victim views the injected page, the Java applet client.jar accesses the command prompt and, with the help of the echo command, writes a script to a Visual Basic script file named winconfig.vbs in the temp directory (%temp%); cmd.exe then starts winconfig.vbs. winconfig.vbs downloads the malicious executable specified by you in the URL to the temp directory, renames it to update.exe and finally executes update.exe. The downloading and execution of the malicious executable happen without the knowledge and permission of the victim.
XSS Payload Encoder
The inbuilt encoder allows encoding payloads into different forms to bypass various filters and web application firewalls. The encoder supports Base64 encoding, URL encoding, hex encoding, HTML character conversion, character code conversion and IP to dword, hex and octal conversions.
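A defender-side counterpart to the IP conversions the encoder offers, added here and not part of Xenotix: a JavaScript normalizer that turns dword, hex and octal IP literals back into dotted-decimal form so that URL filters and log searches are not fooled by them. Function names and the sample values are assumptions of this example.

```javascript
// Added example (not Xenotix code): canonicalise obfuscated IPv4 literals
// (dword, 0x-hex, 0-prefixed octal, short forms) to "a.b.c.d".

// Each dotted component may itself be decimal, hex or octal, as browser URL
// parsers accept. Returns null for anything that is not a number in one of
// those forms.
function parsePart(part) {
  if (/^0x[0-9a-f]+$/i.test(part)) return parseInt(part.slice(2), 16);
  if (/^0[0-7]+$/.test(part)) return parseInt(part, 8);
  if (/^(0|[1-9][0-9]*)$/.test(part)) return Number(part);
  return null;
}

// Returns the canonical dotted-decimal form, or null if `host` is not an
// IPv4 literal in any accepted notation.
function normalizeIpLiteral(host) {
  const parts = host.split(".").map(parsePart);
  if (parts.length > 4 || parts.some((p) => p === null)) return null;
  // With fewer than four parts the last part fills the remaining bytes, which
  // is why "2130706433" and "127.1" both denote 127.0.0.1.
  const last = parts.pop();
  const remaining = 4 - parts.length;
  if (parts.some((p) => p > 255) || last >= 2 ** (8 * remaining)) return null;
  const bytes = [...parts];
  for (let i = remaining - 1; i >= 0; i--) bytes.push((last >>> (8 * i)) & 0xff);
  return bytes.join(".");
}

// Flag hosts whose canonical form differs from what was written: a useful
// review signal, since legitimate links rarely use dword, hex or octal
// notation for an address.
function isObfuscatedIp(host) {
  const canon = normalizeIpLiteral(host);
  return canon !== null && canon !== host;
}

// Constructed sample literals, all spelling the loopback address.
const SAMPLE_HOSTS = ["2130706433", "0x7F000001", "017700000001", "127.1", "0177.0.0.1"];
console.log(SAMPLE_HOSTS.map((h) => `${h} -> ${normalizeIpLiteral(h)}`).join("\n"));
```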
XSS Reverse Shell
An XSS reverse shell can be implemented with Xenotix XSS Exploit Framework. This is made possible with the help of the Java drive-by. The XSS vulnerable web application, exploited with the injectable scripts generated by XSS Reverse Shell, will, when presented to a victim, initiate the drive-by download of a reverse TCP connecting shell. After the drive-by download, the reverse shell is executed by the same method used in the Java drive-by.
The advantage of this method is that the reverse shell is downloaded and executed on the victim's system without his knowledge. However, for the execution of the reverse shell, a UAC dialog will pop up requesting permission to run the executable. The tool has an inbuilt listener that listens for the reverse shell. It is designed in a user-friendly manner: all you have to do is specify the reverse connection IP and port.
XSS DDoSer
With HTML5 comes great power. We harness the power of HTML5 to abuse Cross Origin Resource Sharing (CORS) and WebSocket to implement a DDoS attack. WebSocket is a technology that allows web applications to have a bidirectional channel to a URI endpoint. Sockets can send and receive data to and from a web server and respond to the opening or closing of a WebSocket. XMLHttpRequest is a JavaScript object which is used to exchange data between a server and a browser behind the scenes. This can be used for Cross Origin Resource Sharing (CORS). We can perform a combined and powerful DDoS attack by abusing these two technologies. This module abuses WebSocket and creates numerous socket connections with a target server to slow it down. Along with that, by abusing CORS, the add-on creates numerous fake GET requests to slow down the target server. When we send the first request to the target server and the response contains the 'Access-Control-Allow-Origin' header with a value that restricts cross-site requests, the browser at times refuses to send more requests to the same URL. However, this can be easily bypassed by making every request unique by adding a non-existing query-string parameter with changing values.
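From the detection side, the cache-busting behaviour described above leaves a recognisable trace in access logs. The following added example (my own, not part of Xenotix) groups constructed common-log-format lines by client and path and flags groups whose query strings never repeat; the log lines, the threshold and the function names are constructed for this illustration.

```javascript
// Added example (not part of Xenotix): spot the "unique query string per
// request" flood pattern in web server access logs.

// Constructed log lines in common log format (not real traffic).
const LOG_LINES = [
  '203.0.113.5 - - [01/Jan/2013:10:00:00 +0000] "GET /index.php?zz=1 HTTP/1.1" 200 512',
  '203.0.113.5 - - [01/Jan/2013:10:00:00 +0000] "GET /index.php?zz=2 HTTP/1.1" 200 512',
  '203.0.113.5 - - [01/Jan/2013:10:00:01 +0000] "GET /index.php?zz=3 HTTP/1.1" 200 512',
  '203.0.113.5 - - [01/Jan/2013:10:00:01 +0000] "GET /index.php?zz=4 HTTP/1.1" 200 512',
  '198.51.100.7 - - [01/Jan/2013:10:00:01 +0000] "GET /index.php?page=2 HTTP/1.1" 200 512',
  '198.51.100.7 - - [01/Jan/2013:10:00:05 +0000] "GET /index.php?page=3 HTTP/1.1" 200 512',
];

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+$/;

// Parse one line into its fields; the URL base is a placeholder used only
// to split path and query. Returns null for lines that do not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const url = new URL(m[4], "http://placeholder.invalid");
  return { ip: m[1], time: m[2], method: m[3], path: url.pathname, query: url.search };
}

// Group by client + path and flag a group when it reaches `threshold`
// requests whose query strings are all different: a browser reloading one
// page repeats its query, a cache-busting flood varies it every time.
// Windowing by timestamp over a live log is left to the caller.
function findQueryChurn(lines, threshold = 4) {
  const groups = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    const key = `${r.ip} ${r.path}`;
    if (!groups.has(key)) groups.set(key, { total: 0, queries: new Set() });
    const g = groups.get(key);
    g.total += 1;
    g.queries.add(r.query);
  }
  const hits = [];
  for (const [key, g] of groups) {
    if (g.total >= threshold && g.queries.size === g.total) hits.push({ key, requests: g.total });
  }
  return hits;
}

console.log(findQueryChurn(LOG_LINES));
```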
XSS Cookie Thief
It is the traditional cookie stealer, but a bit more advanced and with a real-time cookie viewer. This module allows the pentester to create a cookie-stealing proof of concept (POC).
Features for the Next Build
The current version of XSS Exploit Framework is based on Internet Explorer's web page rendering engine, Trident. Since XSS behaves slightly differently in different web browsers, support for the Gecko (used by Mozilla Firefox) and WebKit (used by Chrome, Opera and Safari) rendering engines will be added in the next build. Support for XSS in POST parameters and XSS testing by modifying the headers will be included in the next build. An XSS proxy to tunnel the victim-server traffic will be added in future builds. Automatic detection of parameters or variables vulnerable to XSS and DOM-based XSS detection will be added in the next build.
Conclusion
XSS in a popular website is a serious security threat. Xenotix XSS Exploit Framework can be used by security analysts to perform penetration tests on web applications for XSS vulnerabilities and to create POCs with the inbuilt exploitation framework. Most of the security tools related to XSS are either XSS scanners or XSS exploitation tools. Xenotix XSS Exploit Framework is the first of its kind to act both as an XSS vulnerability scanner and as an XSS exploitation framework. Bug bounty programs such as the Google Vulnerability Reward Program, Facebook Bounty and the PayPal bug bounty are there. So go XSS hunting and grab your bounty.
About Author
Ajin Abraham is an Information Security Researcher. He is the creator of OWASP Xenotix XSS Exploit Framework. He has published various whitepapers and tools in the scope of information security. He was among the top 10 in Chakravyuh 2012, India's biggest ethical hacking competition. His areas of interest include web application penetration testing, coding tools, exploit development and fuzzing. He has been a speaker at many security conferences, including Defcon Bangalore-India 2012, ClubHack 2012, nullcon Goa 2013, AppSec APAC 2013, Hack Miami 2013, BlackHat Europe 2013 and many more.
Source: http://www.hackingarticles.in/owasp-xenotix-xss-exploit-framework-v3-2013/