Monday, February 7, 2011

Tricky exploit - a penetration test puzzle - Solution

This entry provides the details of an interesting exploit I found recently. If you haven't done so, please read the introductory entry before reading on, as some of the information is not repeated.

Site Map

Before going on to describe the actual exploit, I'll analyze the various elements of the website stressing their relevant properties.

The mock-website's domain is
It contains 2 subdomains:
1. www. - the public site.
  • This section contains all the publicly available pages.
  • In the mock-site there is a search page in search.php.

2. client. - the client site.
  • This is the section requiring login. (login.php).
  • Access here is session based. The session cookie is set to the client sub-domain (
  • Upon successful log-in, a menu is shown (menu.php) with a link to the Printing system. 
  • As described in the previous entry, a click on this link starts a two-step process: the browser goes to printAutoLogin.php, which contains the user's previously entered credentials in a form that is auto-submitted to printSystem.php, which attempts to validate them.

Relevant Findings

First off, search.php contains an obvious XSS vulnerability. By injecting malicious values in the query parameter we can have the page do whatever we want.

But what can we do with it?
It does not have access to the session cookie because it's on a different domain (www. vs client.), and an XMLHttpRequest to printAutoLogin.php would also fail for the same reason: it violates the same-origin policy.

    So we have to look onward.

    1. It seems that printAutoLogin.php works on authentication-failed sessions too!

    When entering invalid credentials in the login page (login.php), a failure message is rightfully displayed. But printAutoLogin.php still returns the invalid parameters on their way to printSystem.php. Apparently the server code saves them before validating them.

    But there's no harm in that, right? The printing system's authentication would just find them equally invalid and deny access. So no harm there. Right?

    2. It seems that printAutoLogin.php does not escape the outputted credentials!

    This is basically another XSS. Malicious content can be entered at login.php, and printAutoLogin.php would echo it. This is an odd type of XSS because it's not reflected, nor is it exactly stored: it's only available in the current session! Other users can't see it.

    We could, in theory, use CSRF to submit malicious parameters to the login page in the user's session. Then printAutoLogin.php would do whatever we want, but in doing so we would overwrite the very details we were after: the user's credentials!

    So the hacker can basically only XSS himself. No big deal. Right? :)
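The two server-side defects behind findings 1 and 2 (credentials saved before they are validated, and session values echoed into HTML unescaped) are easiest to see side by side. The following is an added example written for this entry in Python, not the mock site's PHP: the user table, the `Session` class and the form template are constructed stand-ins, and the `login_*` / `render_autologin_*` function names are assumptions, not the mock site's code.

```python
import html
from dataclasses import dataclass, field

# Constructed stand-in for the user table (assumption for this example).
USERS = {"alice": "correct horse"}


@dataclass
class Session:
    """Minimal in-memory session store, standing in for PHP's $_SESSION."""
    data: dict = field(default_factory=dict)


def login_vulnerable(session, username, password):
    """Finding 1: the credentials are saved into the session BEFORE they are checked,
    so a failed log-in still leaves attacker-chosen strings for printAutoLogin to echo."""
    session.data["print_user"] = username
    session.data["print_pass"] = password
    return USERS.get(username) == password


def login_fixed(session, username, password):
    """Store credentials only after successful authentication; a failure clears them."""
    if USERS.get(username) != password:
        session.data.pop("print_user", None)
        session.data.pop("print_pass", None)
        return False
    session.data["print_user"] = username
    session.data["print_pass"] = password
    return True


def render_autologin_vulnerable(session):
    """Finding 2: session values land inside HTML attributes with no escaping."""
    user = session.data.get("print_user", "")
    password = session.data.get("print_pass", "")
    return (
        '<form id="f" method="post" action="printSystem.php">'
        f'<input name="user" value="{user}">'
        f'<input name="pass" value="{password}">'
        '</form><script>document.getElementById("f").submit()</script>'
    )


def render_autologin_fixed(session):
    """Refuse to render for an unauthenticated session, and HTML-escape every value
    (quote=True also escapes the double quote that closes the attribute)."""
    if "print_user" not in session.data:
        return None
    user = html.escape(session.data["print_user"], quote=True)
    password = html.escape(session.data["print_pass"], quote=True)
    return (
        '<form id="f" method="post" action="printSystem.php">'
        f'<input name="user" value="{user}">'
        f'<input name="pass" value="{password}">'
        '</form><script>document.getElementById("f").submit()</script>'
    )


# Constructed test string: closes the value attribute and opens a new tag.
BREAKOUT = '"><b>not-a-password</b>'

if __name__ == "__main__":
    s = Session()
    login_vulnerable(s, BREAKOUT, "wrong")
    print("vulnerable:", render_autologin_vulnerable(s))
    s = Session()
    login_fixed(s, BREAKOUT, "wrong")
    print("fixed (failed login):", render_autologin_fixed(s))
```

Run it and compare the two outputs: in the vulnerable rendering the `<b>` element appears verbatim inside the form, while the fixed version emits nothing at all for a failed log-in and, for a real session, turns `<`, `>` and `"` into `&lt;`, `&gt;` and `&quot;` so the value can never leave its attribute.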

    3. Did you know it's possible to have multiple cookies with the same name?!

    It's even legitimate, and supported by all modern browsers. A cookie is identified by its name, path, and domain. So if a second cookie is set with the same name but a different path or domain than the first, both will be sent along with subsequent requests.

    The order of appearance of cookies is explained in the RFC:
    If multiple cookies satisfy the criteria, they are ordered in
       the Cookie header such that those with more specific Path attributes
       precede those with less specific.

    When presented with multiple session cookies, the server takes the first one and discards the rest. I am not sure this is ubiquitous across all server software, but it's what happens with the audited server, and with the mock-website server.

    The original session cookie has path /.
    In order to create a second cookie that would precede the first one, its path should be more specific. For example: /printAutoLogin.php (yes, the path can name a specific file).
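The "first cookie wins" behaviour described above is a server-side choice, and a server can instead treat a request that carries two session cookies of the same name as ambiguous and refuse it. The following added example (Python, written for this entry; not the audited server's or the mock site's code) parses a raw `Cookie` header the way a browser would send it once a `/printAutoLogin.php`-scoped cookie coexists with the `/` one, and contrasts the observed behaviour with a strict handler. The header value, the cookie name `PHPSESSID` and the function names are constructed for the example.

```python
def parse_cookie_header(header):
    """Return (name, value) pairs in the exact order the browser sent them.
    A hand-rolled parser is used on purpose: dict-based cookie libraries keep one
    value per name and silently drop the duplicate we want to detect."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def session_id_first_wins(header, name="PHPSESSID"):
    """Behaviour the post observed on the audited server: the first cookie with the
    session name is used and any later duplicate is ignored."""
    for cookie_name, value in parse_cookie_header(header):
        if cookie_name == name:
            return value
    return None


def session_id_strict(header, name="PHPSESSID"):
    """Hardened handling: more than one cookie of the session name means the
    request is ambiguous (a path-scoped shadow cookie may be present), so the
    request is rejected instead of silently picking one of them."""
    values = [v for n, v in parse_cookie_header(header) if n == name]
    if len(values) > 1:
        raise ValueError(
            f"ambiguous request: {len(values)} {name} cookies present ({', '.join(values)})"
        )
    return values[0] if values else None


# Constructed header: the more specific /printAutoLogin.php cookie (1337) is
# listed before the site-wide one (1111), as the cookie RFC quoted above requires.
SHADOWED = "PHPSESSID=1337; PHPSESSID=1111"
NORMAL = "PHPSESSID=1111; lang=en"

if __name__ == "__main__":
    print("first-wins picks:", session_id_first_wins(SHADOWED))
    try:
        session_id_strict(SHADOWED)
    except ValueError as err:
        print("strict rejects:", err)
    print("strict on a normal request:", session_id_strict(NORMAL))
```

The `ValueError` is where a real deployment would log the event: a legitimate browser never sends two session cookies for the same name unless something set a second, path-scoped one, so the condition is both a safe reason to refuse the request and a useful detection signal.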

    Putting it all together

    With all this we can construct the full attack.

    Figure 1. The double XSS, back-flip exploit showdown.

    0. The user has an authenticated session opened with the server. Session ID = 1111

    1. The attacker manually creates a session (ID=1337) on his own computer with malicious credentials that make up an XSS payload (XSS Payload 2). He must then make sure the session does not expire, by sending keep-alive requests.

    2. The attacker attempts to initiate an XSS attack using search.php (XSS Payload 1) on the user, for example in the form of a link in an email message.

    3. By clicking the link, the user's browser executes Payload 1, which performs:
       3.1 Set a second session ID cookie (value 1337) on path /printAutoLogin.php. This cookie does not erase the previous one, but rather takes precedence over it (as explained above).
       3.2 Redirect the browser to printAutoLogin.php.

    4. When fetching printAutoLogin.php both cookies are sent, but because the second cookie comes first, the server returns that session's credentials, which are in fact XSS Payload 2, which performs:
       4.1 Remove the newly set session cookie. The original cookie is intact.
       4.2 Request printAutoLogin.php via XMLHttpRequest and save the response. The document appears to be fetching itself! However, because the second cookie has been deleted, the response is the user session's and contains his credentials! (Step 5)
       4.3 Send the credentials to the attacker. (Step 6)

    See it in action

    Log in to the system, and then ... "check this out."  :)

    I hope you enjoyed reading this as much as I enjoyed writing it!
    Your comments are most welcome.



    1. Hey,
      That's a great read and work too.
      Thanks :)

    2. Good mock-up. Kudos.

    3. Fantastic to read through, a good practical example too.

      As a web application coder it's invaluable information to get pieces of demonstration like this to ensure that we don't fall into the trap.

      It's also a good example for us relative newbies in the security world to make a start at penetration testing generally.

      Many thanks for the write up and mock site!


    5. Nice! Great work!

    6. Yes, how the attacker creates "XSS PAYLOAD 2" is not so clear, and it only works with PHPSESSID=1337.
      Please explain how XSS Payload 2 is added to printAutoLogin.php's password field.

    7. Failed log-in credentials are still accessible using printAutoLogin.php. The attacker uses this bug to create a malicious session:
      He attempts to log in with a username and password that make up XSS PAYLOAD 2. The log-in obviously fails, but he makes use of the session ID.

    8. If you describe the steps, it would be more understandable to us ...

      Thanks in advance ...

    9. Great article!! Very informative and enjoyable read.

      Thanks for writing it!

    11. And that's why I love NoScript :)
