Monday, February 7, 2011

Tricky exploit - a penetration test puzzle - Solution



This entry provides the details of an interesting exploit I found recently. If you haven't done so, please read the introductory entry before reading on, as some of the information is not repeated here.




Site Map

Before going on to describe the actual exploit, I'll analyze the various elements of the website, stressing their relevant properties.

The mock-website's domain is g1.playground.quaji.com.
It has two subdomains:
1. www. - the public site.
  • This section contains all the publicly available pages.
  • In the mock-site there is a search page, search.php.

2. client. - the client site.
  • This is the section that requires login (login.php).
  • Access here is session based. The session cookie is set for the client sub-domain (client.g1.playground.quaji.com).
  • Upon successful log-in, a menu is shown (menu.php) with a link to the Printing system.
  • As described in the previous entry, a click on this link causes a two-step process: the browser goes to printAutoLogin.php, which contains the user's previously entered credentials in a form that is auto-submitted to printSystem.php, which attempts to validate them.





Relevant Findings


First off, search.php contains an obvious XSS vulnerability. By injecting malicious values into the query parameter we can have the page do whatever we want.

But what can we do with it?
The page does not have access to the session cookie, because it's on a different domain (www. vs. client.), and an XMLHttpRequest to printAutoLogin.php would also fail for the same reason: it violates the same-origin policy.


So we have to look onward.

1. It seems that printAutoLogin.php works on authentication-failed sessions too!

When invalid credentials are entered on the login page (login.php), a failure message is rightfully displayed. But printAutoLogin.php still returns the invalid parameters on their way to printSystem.php. Apparently the server code saves them too early.

But there's no harm in that, right? The printing system's authentication would just find them equally invalid and deny access. So no harm there. Right?



2. It seems that printAutoLogin.php does not escape the credentials it outputs!

This is basically another XSS. Malicious content can be entered at login.php, and printAutoLogin.php will echo it. This is an odd type of XSS because it's not reflected, nor is it exactly stored: it's only available in the current session! Other users can't see it.

We could, in theory, use CSRF to write malicious parameters to the login page in the user's session. Then printAutoLogin.php would do whatever we want, but in doing so we would overwrite the very details we were after: the user's credentials!

So the hacker can basically only XSS himself. No big deal. Right? :)
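As an added illustration (my own code, not the author's mock site, which is PHP), here is a Python model of findings 1 and 2 and of the fixes a developer would apply to them: credentials are stored in the session only after they validate, and printAutoLogin.php's output is HTML-escaped before it is written into the form. The session store, the test account, the form template and the marker string are constructed stand-ins; the real printAutoLogin.php markup is not on the page.

```python
import html

# Constructed stand-in for the server's session store: one dict per session ID.
# The mock site keeps the credentials in the session so that printAutoLogin.php
# can replay them to printSystem.php; this model keeps that design and only
# fixes the two findings: saving before validation, and echoing unescaped.
SESSIONS = {}
VALID_USERS = {"alice": "correct horse"}  # constructed test account

# Constructed form template; the real printAutoLogin.php markup is not on the page.
FORM = ('<form id="f" method="post" action="printSystem.php">'
        '<input type="hidden" name="user" value="{user}">'
        '<input type="hidden" name="pass" value="{pw}">'
        '</form><script>document.getElementById("f").submit()</script>')


def login_vulnerable(session_id, username, password):
    """Finding 1: credentials land in the session before they are validated."""
    session = SESSIONS.setdefault(session_id, {})
    session["username"] = username  # saved too early
    session["password"] = password
    session["authenticated"] = VALID_USERS.get(username) == password
    return session["authenticated"]


def login_fixed(session_id, username, password):
    """Only a session whose credentials validated ever holds them."""
    session = SESSIONS.setdefault(session_id, {})
    if VALID_USERS.get(username) != password:
        session.pop("username", None)  # drop leftovers from earlier attempts
        session.pop("password", None)
        session["authenticated"] = False
        return False
    session.update(username=username, password=password, authenticated=True)
    return True


def print_auto_login_vulnerable(session_id):
    """Finding 2: whatever the session holds is written into the page verbatim,
    authenticated or not."""
    session = SESSIONS.get(session_id, {})
    return FORM.format(user=session.get("username", ""),
                       pw=session.get("password", ""))


def print_auto_login_fixed(session_id):
    """Refuses sessions that never authenticated and HTML-escapes the values
    (quote=True also escapes the double quote that would close the attribute)."""
    session = SESSIONS.get(session_id)
    if not session or not session.get("authenticated"):
        return None  # the caller answers 403 or redirects to login.php
    return FORM.format(user=html.escape(session["username"], quote=True),
                       pw=html.escape(session["password"], quote=True))


if __name__ == "__main__":
    # A failed login whose username is shaped like markup (constructed marker).
    marker = '"><b>injected</b>'
    login_vulnerable("1337", marker, "wrong")
    print(marker in print_auto_login_vulnerable("1337"))  # True: echoed as-is
    login_fixed("1338", marker, "wrong")
    print(print_auto_login_fixed("1338"))                  # None: nothing to replay
    login_fixed("1111", "alice", "correct horse")
    print(print_auto_login_fixed("1111"))                  # escaped, authenticated form
```

The two fixes are independent and both are needed: refusing unauthenticated sessions closes finding 1 (an attacker can no longer park arbitrary values in a session of his own), and escaping closes finding 2 (even a legitimately authenticated user's credentials cannot break out of the attribute). Replaying credentials from the session at all is a design worth revisiting separately.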



3. Did you know it's possible to have multiple cookies with the same name?!

It's even legitimate, and supported by all modern browsers. A cookie is identified by its name, path, and domain parts. So if a second cookie is set with the same name but a different path or domain than another cookie, both will be sent along with subsequent requests.

The order of appearance of cookies is explained in the RFC:

    If multiple cookies satisfy the criteria, they are ordered in
    the Cookie header such that those with more specific Path attributes
    precede those with less specific.

When presented with multiple session cookies, the server takes the first one and discards the rest. I am not sure this is ubiquitous across all server software, but it's what happens with the audited server, and with the mock-website server.

The original session cookie has path /.
In order to create a second cookie that would precede the first one, its path should be more specific. For example: /printAutoLogin.php (yes, the path can be an actual file).





Putting it all together

With all this we can construct the full attack.

Figure 1. The double XSS, back-flip exploit showdown.

0. The user has an authenticated session open with the server. Session ID = 1111.

1. The attacker manually creates a session (ID=1337) on his own computer with malicious credentials that comprise an XSS payload (XSS Payload 2). He must then make sure the session is not invalidated, by using keep-alives.

2. The attacker attempts to initiate an XSS attack on the user using search.php (Payload 1), for example in the form of a link in an email message.

3. By clicking the link, the user's browser executes Payload 1, which performs:
   3.1 Set a second session ID cookie (value 1337) for path /printAutoLogin.php. This cookie does not erase the previous one, but rather takes precedence over it (as explained above).
   3.2 Redirect the browser to printAutoLogin.php.

4. When fetching printAutoLogin.php both cookies are sent, but because the second cookie comes first, the server returns that session's credentials, which are in fact XSS Payload 2, which performs:
   4.1 Remove the newly set session cookie. The original cookie is intact.
   4.2 Using XMLHttpRequest, request printAutoLogin.php and save the response. The document appears to be fetching itself! However, because the second cookie has been deleted, the response is the user session's and contains his credentials. (Step 5)
   4.3 Send the credentials to the attacker. (Step 6)
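An added example, not from the post or the mock site, that models the cookie behaviour behind finding 3 and steps 3.1 and 4 above: a small Python cookie jar that orders the Cookie header the way RFC 6265 (the specification modern browsers implement) prescribes, longer Path first and earlier creation time first among equal lengths, plus two server-side readers of that header: the naive "first match wins" behaviour of the audited server, and a hardened variant that refuses a request carrying two session cookies of the same name instead of silently picking one. The host name, the session IDs and the cookie name PHPSESSID are taken from the post and its comments; the host-only domain matching and the fixed clock are simplifications I made for the model.

```python
from datetime import datetime, timedelta

# Constructed model of a browser cookie jar and of the server's cookie parsing.
# Cookie identity and Cookie-header ordering follow RFC 6265 sections 5.3/5.4:
# a cookie is keyed by (name, domain, path); cookies with a longer (more
# specific) Path are sent first, ties broken by earlier creation time.


class CookieJar:
    def __init__(self):
        self._cookies = {}  # (name, domain, path) -> (value, creation_time)
        self._clock = datetime(2011, 2, 7)  # constructed, deterministic clock

    def set(self, name, value, domain, path="/"):
        self._clock += timedelta(seconds=1)
        key = (name, domain, path)
        # Re-setting an existing cookie keeps its original creation time.
        created = self._cookies[key][1] if key in self._cookies else self._clock
        self._cookies[key] = (value, created)

    def delete(self, name, domain, path="/"):
        self._cookies.pop((name, domain, path), None)

    @staticmethod
    def _path_matches(cookie_path, request_path):
        if request_path == cookie_path:
            return True
        if request_path.startswith(cookie_path):
            return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
        return False

    def cookie_header(self, host, request_path):
        """Value of the Cookie header the browser sends for this request."""
        matching = [
            (name, value, path, created)
            for (name, domain, path), (value, created) in self._cookies.items()
            if domain == host and self._path_matches(path, request_path)
        ]
        # Longer path first; among equal lengths, earlier creation first.
        matching.sort(key=lambda c: (-len(c[2]), c[3]))
        return "; ".join(f"{name}={value}" for name, value, _, _ in matching)


def parse_cookie_header(header):
    """Server side: keep every name=value pair, not just the first per name."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def session_id_naive(header, name="PHPSESSID"):
    """What the audited server did: the first match wins, the rest are ignored."""
    for n, v in parse_cookie_header(header):
        if n == name:
            return v
    return None


def session_id_strict(header, name="PHPSESSID"):
    """Hardened: two session cookies in one request is ambiguous and worth an
    alert; refuse the request rather than guessing which session was meant."""
    values = [v for n, v in parse_cookie_header(header) if n == name]
    if len(values) > 1:
        raise ValueError(f"ambiguous session: {len(values)} '{name}' cookies: {values}")
    return values[0] if values else None


if __name__ == "__main__":
    host = "client.g1.playground.quaji.com"
    jar = CookieJar()
    jar.set("PHPSESSID", "1111", host, "/")                    # step 0: the user's session
    jar.set("PHPSESSID", "1337", host, "/printAutoLogin.php")  # step 3.1: the second cookie
    hdr = jar.cookie_header(host, "/printAutoLogin.php")
    print(hdr)                    # PHPSESSID=1337; PHPSESSID=1111
    print(session_id_naive(hdr))  # 1337: why step 4 serves the other session
    try:
        session_id_strict(hdr)
    except ValueError as err:
        print("rejected:", err)   # the hardened reader stops here
```

Running the model shows that for any other path on the client site, /menu.php for instance, only the path-/ cookie is sent, which is why the second cookie goes unnoticed until the specific page is requested. The strict reader is the cheap server-side mitigation: a request with duplicate session cookies is rare enough in legitimate traffic that rejecting and logging it costs little, and it is exactly the condition step 4 depends on.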



See it in action

Log in to the system, and then ... "check this out." :)

I hope you enjoyed reading this as much as I enjoyed writing it!
Your comments are most welcome.

  Ronen

91 comments:

1. Hey,
   That's a great read and work too.
   Thanks :)

2. Good mock-up. Kudos.

3. Fantastic to read through, a good practical example too.

   As a web application coder it's invaluable information to get pieces of demonstration like this to ensure that we don't fall into the trap.

   It's also a good example for us relative newbies in the security world to make a start at penetration testing generally.

   Many thanks for the write-up and mock site!

4. WHAT WAS THE XSS PAYLOAD 2 THAT YOU USE???

5. Nice! Great work!

6. Yes, how the attacker creates "XSS PAYLOAD 2" is not so clear & it only works with PHPSESSID=1337.
   Please explain how XSS Payload 2 is added to printAutoLogin.php's password field.

7. Failed log-in credentials are still accessible using printAutoLogin.php. The attacker uses this bug to create a malicious session:
   He attempts to log in with a username and password that make up XSS PAYLOAD 2. The log-in obviously fails, but he makes use of the session ID.

8. If you describe the steps, it would be more understandable to us ...

   Thanks in advance ...

9. Great article!! Very informative and an enjoyable read.

   Thanks for writing it!

10. I'm hoping the same very best perform from you in the long run also. In fact your inventive writing skills have inspired me to begin my own blog engine blog now.

11. And that's why I love NoScript :)