Friday, July 8, 2011

Harvesting Cross Site Scripting ~> XSS

To demonstrate the real business impact of cross site scripting I have developed a completely new tool from the ground up - XSS-Harvest. It is a multi-threaded, pre-forking web server written in Perl, and requires no dependencies other than a couple of common Perl modules; you do not need a web server or database to use this tool. Before going into the detail, I'll list the high level functionality below:

* Infection script adds relevant event listeners (keystrokes, onload() and mouse clicks) to the vulnerable page and sets up communication with the XSS-Harvest server.
* Any key entered will be sent covertly to the server.
* Any mouse click performed will be analysed and the data covertly sent to the server.
* Optionally 'redress' the vulnerable page to display a different page on the same subdomain - e.g. a login form.
* If redressing the victim's browser, allow subsequently loaded pages to also be 'infected' - assuming they don't break the same-origin policy (i.e. they're on the same subdomain).
* Keeps track of victims for the lifetime of the XSS-Harvest cookie (future visits are recognised as a returning victim).
* Each victim has a separate history file containing all events, cookies and keystrokes.
* Server console displays real time data received (due to multi-threaded nature, keystrokes are displayed as '.' characters to avoid confusion).
* Tested in IE6-9 (reflected XSS protection in IE9 will limit exploitation to stored XSS only in most cases), FF5, Chrome and various mobile browsers (Safari and Android). Please let me know your success with other browsers.
* Overcomes browser oddities, such as Internet Explorer throttling requests to the same URL when exfiltrating keystrokes.
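The feature list above describes three distinct stages: pulling the infection script from the XSS-Harvest host, sending keystrokes and clicks back to that host, and overlaying a same-origin IFRAME for the redress. As an added, defender-side illustration that is not part of the tool or this post, the following Python checks a simplified Content-Security-Policy against each of those stages (the hostnames are constructed placeholders, and only `*`, scheme, `'self'` and exact-host source expressions are matched):

```python
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a CSP header into {directive: [lower-cased source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def sources_for(policy, directive):
    """Fetch directives fall back to default-src; None means no restriction."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")

def origin_allowed(sources, origin, page_origin):
    """Simplified CSP matching: *, scheme:, 'self' and exact-host sources only."""
    if sources is None:
        return True
    parts = urlsplit(origin)
    for src in sources:
        if src == "*" or src == parts.scheme + ":":
            return True
        if src == "'self'" and origin == page_origin:
            return True
        if src.startswith("http") and urlsplit(src).netloc == parts.netloc:
            return True
    return False

def assess(header, page_origin, harvest_origin):
    """Report which of the three stages described above the policy blocks."""
    p = parse_csp(header)
    script_ok = origin_allowed(sources_for(p, "script-src"), harvest_origin, page_origin)
    # Keystroke/click exfiltration may use XHR (connect-src) or image beacons (img-src).
    exfil_ok = any(origin_allowed(sources_for(p, d), harvest_origin, page_origin)
                   for d in ("connect-src", "img-src"))
    # frame-src falls back to child-src, then to default-src.
    frame_sources = p.get("frame-src", p.get("child-src", p.get("default-src")))
    frame_ok = origin_allowed(frame_sources, page_origin, page_origin)
    return {"blocks_external_script": not script_ok,
            "blocks_cross_origin_exfil": not exfil_ok,
            "blocks_same_origin_iframe": not frame_ok}

# Constructed sample origins and policies (placeholders, not real hosts).
PAGE = "http://vulnerablepage.local"
HARVEST = "http://xss-harvest.example"
WEAK = "default-src *; script-src * 'unsafe-inline'"
HARDENED = "default-src 'self'; script-src 'self'; frame-src 'self'"
```

The hardened policy stops the script load and the cross-origin exfiltration but not the redress overlay, because that IFRAME is same-origin and `frame-src 'self'` permits it; only preventing the injected script from running blocks that stage.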


How to Exploit XSS with XSS-Harvest:

Start the XSS-Harvest server as root if you wish to bind to a TCP port < 1024 (default port is 80), or as a limited user on a port > 1024 using the -p option. To start the server you must instruct it to listen with the -l option.

Insert the following 'injection string' into the vulnerable page:

This will return the client-side JavaScript to the victim, indicated by the 'i' in the URL.

Now entice visitors to the infected page (or to follow a link in the case of reflected XSS).

Then watch your victims roll in - a new history file will be created for each new victim.

If you wish to make use of the redress function, start the server with the -r parameter:


./xss-harvest.pl -l -r http://vulnerablepage.local/login.html


Any incoming victim will now be redirected to the specified page by means of a full-window IFRAME overlaid on top of the original vulnerable page. Some screenshots of the server in action are shown below:

Screenshot - server console showing incoming victims:
http://4.bp.blogspot.com/-LUMEeMiuYiA/ThWcsc5_czI/AAAAAAAA0dI/iuaDTvTcNPY/s640/Screenshot-user%2540computer%253A+%257E-Desktop-xss-harvest.png

Screenshot - received events, clicks and keystrokes:
http://3.bp.blogspot.com/-825esi4AZzY/ThWe5xXLZ4I/AAAAAAAA0dM/TYvrXGPfW4w/s400/Screenshot-d018996d89c997cbcbb00c6913544c91.txt+%2528%257E-Desktop-xss-harvest-history%2529+-+gedit.png

Description
Usage:
./xss-harvest.pl -l [-p Port] [-r Redress the victims browser]

Start with (-l) and point your victims at http:///i to be "infected".
e.g. inject something like this into a vulnerable page -

Optionally run ./xss-harvest.pl with the (-r) parameter to redress the victim's browser to a different page on the same site (such as a login form) after successful infection.
e.g. ./xss-harvest.pl -l -r http:///login.php

For persistent XSS (infection persists across subsequent pages on the same domain), you must use the redress feature, even if you intend to display the original vulnerable page.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.


Download :
https://docs.google.com/leaf?id=0B-yhjV3y1-D2ZmVlMmUxMWUtNjJhYy00Njc5LWI0M2ItZTMwMmIxMTQ0NTNh&hl=en_GB


All feedback would be most welcome - please share improvements and distribute under the GPL license.

Requires the following dependencies:

HTTP::Server::Simple::CGI, Digest::MD5, Time::Local, Getopt::Std, Net::Server::PreFork

