Sunday, February 3, 2013

Hacking With XSS Auditor

on Hacker News and reddit
Previously I wrote how you can use XSS Auditor for Great Good(report to administrator about detected XSS exploits) and how to destroy framebrakers/other scirpts with it(just passing script's code in a random parameter).
Today's topic is really interesting. We are not hacking XSS Auditor anymore, we are hacking with it.
I'll tell you how to steal referers with sensitive information.

First of all, there are three values of 'X-XSS-Protection' header which control XSS Auditor: 0; 1; and 1;mode=block.
First one just switches it off(I recommend it, lol).
1; is default, it detects XSS and tries to remove malicious code.
1;mode=block means basically if anything has been detected - redirect to about:blank. People used to think about it as the most secure one. Actually, no!
Steps for the hack are very simple(TL;DR is point 5):
  1. choose URL which redirects automatically(or with some user interaction) to another URL, and also carries both Private Info and Custom Payload.

    For OAuth and Single Sign On implementations Private Info is code/token/signed_request. It can be also kind of SID if it was added automatically to original URL, not removing Custom Payload.

    Custom Payload - part of redirect_uri if it's not static or some kind of 'state', which is used in OAuth to prevent CSRF and basically returned back along with code(And I found the Most Common Vulnerability with it another day).
  2. Look at the source code of the final page which user is redirected to. Choose some <script src=...></script> or <script>code</script> or <meta http-equiv..> or <a href=javascript:..> etc. Anything, that will look like an "injection" for Mr. Auditor. Copy it and encode.
  3. Now put it in the original URL in your Custom Payload. for example 'state=%3Cscript%3Esetup()%3C%2Fscript%3E'
  4. create MalloryPage. You can use <iframe> if target has no X-Frame-Options or use window.open if it has.
  5. when User visits MalloryPage he opens your crafted URL with Custom Payload, website redirects him to final page with both Private Info and Custom Payload, chrome XSS Auditor detects XSS because Custom Payload was found in source code, redirects him again to about:blank, which is easily accessible from opener's domain - now you got document.referrer with Private Info!
Demo of vulnerable SSO implementation, using sinatra and exploit for it:

There are some restrictions of course! The most obvious - it won't work for https:// pages because they don't send Referrer. But as a new vector sounds pretty awesome.
The fix is gonna be very simple - clear document.referrer for about:blank redirect.

[this guy, who wrote the article... you can hire him for a penetration test or security consulting btw. affordable price, cutting edge hacks: homakov@gmail.com]

7 comments:

  1. https://code.google.com/p/chromium/issues/detail?id=173906&thanks=173906&ts=1359905183
    chrome report

    ReplyDelete
  2. Hello bro,

    I liked your tutorials very much. I am kinda stuck Google's XSS. Can you help me out?

    Add me on Gmail. (ethicalindians@gmail.com)

    ReplyDelete
  3. Replies
    1. what is not boring then? i think this is awesome. real world showcase soon

      Delete
  4. Nice article! I'm pretty late but I brought this up now and experimented a little. Nowadays chrome sends you to data:, instead, complaining that "protocols must match".

    However, if you load everything from a data URI (such as "data:text/html,etc...") then you'll get the error "Blocked a frame with origin "null" from accessing a frame with origin "null". Protocols, domains, and ports must match.".

    Just thought I'd share my fiddling instead of having it lost in the void!

    ReplyDelete
    Replies
    1. and it is still possible to detect if Auditor redirected it. Same trick in Pwning your privacy

      Delete