XSS VULNERABILITIES Nicole Coppola
XSS - Capabilities
- Cookie theft – session hijacking
- Keylogging – addEventListener; passwords, credit cards, etc.
- Phishing
"One of the most common and useful XSS attacks is used to steal the user's session, effectively enabling an attacker to log in as you." -- Trey Ford, Global Security Strategist at Rapid7
"Cross site scripting attacks aren't new and represent just one of the many vulnerabilities application developers need to consider when building an app like Tweetdeck," -- Krishna Narayanaswamy, chief scientist at Netskope
XSS - Outline
- TweetDeck
- eBay
- Yahoo
- Bonus: StrongWebmail – vulnerability contest; Facebook – self XSS
TweetDeck
- Web application for management of Twitter accounts
- Founded in 2008 and acquired by Twitter in May 2011
- June 11, 2014; TweetDeck v. <= 3.7.1; Google Chrome
- Stored XSS vulnerability was discovered that allowed users to run JavaScript in tweets
- Zero sanitization
- Did not affect other applications using Twitter's API
- A 19-year-old boy from Austria discovered this vulnerability because he wanted to tweet hearts with HTML encoding: "&hearts" ->
TweetDeck - Example
82,138
TweetDeck - Example
TweetDeck – Lots of trolls
TweetDeck – How it worked
$('.xss').parents().eq(1).find('a').eq(1).click();$('[data-action=retweet]').click();alert('XSS in Tweetdeck')
- Script tag, given a class name ("xss") so the payload can reference itself
- $('.xss').parents().eq(1) – using jQuery, select the script's second parent element: the tweet container
- .find('a').eq(1).click(); – from this container, select the second 'a' (link) tag, the retweet link, and click it (opens the popup confirmation; doesn't actually retweet yet)
- $('[data-action=retweet]').click(); – confirms the popup and retweets
- alert('XSS in Tweetdeck') – warning popup to users
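The "zero sanitization" failure behind this worm is an HTML-context output-encoding problem: the tweet body was placed into the page as markup, so a script tag in a tweet became a script tag in the client. The JavaScript below is an added example, not TweetDeck's code; it contrasts a renderer that drops the tweet body straight into markup with one that escapes it, using constructed tweets (one shaped like the payload above). The helper names, the wrapper markup and the check function are assumptions.

```javascript
// Added example (not TweetDeck's code): rendering tweet text as inert HTML.
// Helper names (escapeHtml, renderTweetUnsafe, renderTweetSafe, containsActiveContent)
// and the <div class="tweet-body"> wrapper are assumptions for this example.

// Constructed sample tweets. The first mimics the shape of the 2014 self-retweeting
// payload discussed above; the second is the "heart" tweet that started it.
const SAMPLE_TWEETS = [
  '<script class="xss">$(".xss").parents().eq(1).find("a").eq(1).click();</script>',
  '&hearts; hello',
  'plain text with <b>no</b> markup expected',
];

// Escape the five characters that matter in an HTML text context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// What "zero sanitization" looks like: the tweet body is concatenated into markup as-is.
function renderTweetUnsafe(text) {
  return '<div class="tweet-body">' + text + '</div>';
}

// Hardened: the body is escaped, so <script> and &hearts; are displayed literally.
function renderTweetSafe(text) {
  return '<div class="tweet-body">' + escapeHtml(text) + '</div>';
}

// A check a test suite can run over rendered output: no tag may survive inside the
// tweet body other than the wrapper the renderer emitted itself.
function containsActiveContent(html) {
  const inner = html.replace(/^<div class="tweet-body">/, '').replace(/<\/div>$/, '');
  return /<\s*\/?\s*[a-z]/i.test(inner);
}
```

With escaping, an input of &hearts; is shown as those literal characters rather than decoded to a heart, which is the expected behaviour for a client that treats tweet text as text; the same rule is what keeps the script tag from executing.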
TweetDeck - Response
TweetDeck - Impact
- TweetDeck user demographic: large organizations like BBC (10.1 million followers)
- Appears that it was largely trolls who exploited this
- Malicious exploits: attacker can obtain anything stored in the victim's browser (cookies, passwords); redirect to malicious webpage
eBay
- Full of security holes
- January 2016 – A reflected XSS attack was discovered in eBay's website by independent vulnerability researcher MLT
eBay - XSS nt.cookie)
eBay - XSS
Exploit Proof of Concept – phishing attack
- Create and host a webpage identical to eBay's login page
- Craft a link to embed a custom iFrame
- Harvest credentials
eBay - XSS
te(' ')
te%28%27%3Ciframe%20src=%22http:// /ebay/signin.ebay.com/ws/eBayISAPI9f90.html%22%20width=% %22%20height=%221000%22%3E%27%29
eBay - XSS
- Sent back to attacker
- Logs input to log.txt
- Can be used with: phishing – wide audience; spear phishing – targeted
eBay - Response
- Reported to eBay December 11, 2015
- On January 11, 2016, MLT contacted the media; it was fixed that day
- "They don't really have any excuse for their MAIN DOMAIN being vuln to XSS" - MLT
- Bad history of vulnerabilities and response:
  - XSS attack in internal messaging system – took a year to fix, after contacted by media (2014/2015)
  - Backdoor upload in php file (2014)
  - XSS in auction page (2014)
  - Cookie re-use (2014)
  - XSS when creating a listing (2011)
  - …
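A reflected XSS link like the eBay one leaves its payload in the request URL, so web server access logs are a natural place to detect it after the fact. The JavaScript below is an added detection example, not eBay's or MLT's code: it pulls the request path from combined-format log lines, decodes each query parameter repeatedly (to handle double encoding), and flags values that decode to iframe or script markup. The log lines are constructed for this example; the hosts, paths and parameter names in them are invented.

```javascript
// Added example (not eBay's or MLT's code): flag requests whose query parameters
// decode to HTML or script markup, the pattern of the reflected-XSS link above.
// Helper names (fullyDecode, requestPath, suspiciousParams, scanLog) are assumptions.

// Constructed sample log lines (combined log format; hosts and paths invented).
const SAMPLE_LOG = [
  '203.0.113.5 - - [11/Jan/2016:10:00:01 +0000] "GET /itm/123?q=laptop HTTP/1.1" 200 512',
  '203.0.113.7 - - [11/Jan/2016:10:00:02 +0000] "GET /page?u=te%28%27%3Ciframe%20src=%22http://example.invalid/signin%22%3E%27%29 HTTP/1.1" 200 900',
  '203.0.113.9 - - [11/Jan/2016:10:00:03 +0000] "GET /search?q=%3Cscript%3Ealert%281%29%3C/script%3E HTTP/1.1" 200 700',
  '203.0.113.2 - - [11/Jan/2016:10:00:04 +0000] "GET /search?q=50%25+off HTTP/1.1" 200 300',
];

// Markers treated as suspicious once a parameter value is fully decoded.
const MARKERS = [/<\s*iframe/i, /<\s*script/i, /javascript\s*:/i, /\bon\w+\s*=/i];

// Decode repeatedly: double-encoded payloads defeat a single-pass filter.
// Stops when decoding no longer changes the value or hits a malformed escape.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current.replace(/\+/g, ' '));
    } catch (e) {
      break; // e.g. a literal "50% off" after the first round
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Extract the request target from a combined-log line; null if the line is malformed.
function requestPath(line) {
  const m = line.match(/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Names of query parameters whose decoded value matches a marker.
function suspiciousParams(path) {
  const qs = path.split('?')[1];
  if (!qs) return [];
  const hits = [];
  for (const pair of qs.split('&')) {
    const [name, ...rest] = pair.split('=');
    const decoded = fullyDecode(rest.join('='));
    if (MARKERS.some((re) => re.test(decoded))) hits.push(name);
  }
  return hits;
}

// Scan a log and return, per flagged line index, the parameter names that matched.
function scanLog(lines) {
  const findings = [];
  lines.forEach((line, idx) => {
    const path = requestPath(line);
    if (!path) return;
    const hits = suspiciousParams(path);
    if (hits.length) findings.push({ line: idx, params: hits });
  });
  return findings;
}
```

Run over the constructed log, only the iframe and script lines are flagged; the "50% off" search is not, because the decoder stops at the malformed escape instead of treating the failure as suspicious. A production rule would add the response status and a per-source rate, but the decode-then-match core is what catches an encoded payload that a plain substring search on the raw URL misses.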
eBay - source
Yahoo
- January–February 2013 – Phishing campaign hijacking accounts of Yahoo Mail users
- Exploited a CVE-listed vulnerability in SWFUpload, used by WordPress v. <= 3.3.2, and patched in April 2012, 9 months prior
- Vulnerability existed in the developers' blog
- Link appeared to bring users to msnbc.com
Yahoo – Phishing
- Redirected to website which executed a call to developer.yahoo.com, exploiting the vulnerability
- Disguised as Lightbox library
- Login at yahoo.com; stay logged in at developer subdomain
- Steal cookie and contacts list; repeat
Yahoo – XSS (SWFUpload)
User input:
    this.movieName = root.loaderInfo.parameters.movieName;
Processing:
    this.fileDialogComplete_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].fileDialogComplete";
    …
- Callbacks = first parameter to ExternalInterface.call, which executes JavaScript
Yahoo – POC – SWFUpload
    f9.swf?movieName=";]);}catch(e){} if(!self.a)self.a=!alert(document.cookie);//
- movieName – exploited (unsanitized) parameter
- ";]);}catch(e){} – exits the callback function built from:
    this.fileDialogComplete_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].fileDialogComplete";
    …
- if(!self.a)self.a=!alert(document.cookie);// – defining self.a to execute payload
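The SWFUpload defect on the two slides above is an injection into a JavaScript-string context: movieName is concatenated into a string that later reaches ExternalInterface.call, so a single double quote in the value ends the literal early. The JavaScript below is an added example, not SWFUpload's, WordPress's or Yahoo's code; it mirrors the ActionScript concatenation in plain JavaScript, places it beside an allow-list check, and uses the slide's own payload as the rejected input. The helper names, the identifier-only rule for instance names and the 64-character limit are assumptions made for this example.

```javascript
// Added example (not SWFUpload's code): building a callback string safely.
// Helper names (buildCallbackUnsafe, buildCallbackSafe, isValidMovieName,
// stringLiteralIntact) and the allow-list rule are assumptions for this example.

// The payload from the slide above, as the SWF would receive it after URL decoding.
const PAYLOAD = '";]);}catch(e){} if(!self.a)self.a=!alert(document.cookie);//';
// A constructed, well-formed instance name.
const NORMAL_NAME = 'SWFUpload_0';

// Mirrors the concatenation shown on the slide: whatever movieName contains lands
// inside a JS string literal that is later handed to ExternalInterface.call.
function buildCallbackUnsafe(movieName) {
  return 'SWFUpload.instances["' + movieName + '"].fileDialogComplete';
}

// Instance names are generated by the library, not typed by users, so a strict
// allow-list is appropriate: letters, digits and underscore only, bounded length
// (assumed limits for this example).
function isValidMovieName(movieName) {
  return typeof movieName === 'string' && /^[A-Za-z0-9_]{1,64}$/.test(movieName);
}

// Hardened builder: reject anything outside the allow-list and, as defence in depth,
// emit the name as a JSON string literal so a quote or backslash could never
// terminate the literal even if the allow-list were later relaxed.
function buildCallbackSafe(movieName) {
  if (!isValidMovieName(movieName)) {
    throw new Error('movieName rejected: not a plain identifier');
  }
  return 'SWFUpload.instances[' + JSON.stringify(movieName) + '].fileDialogComplete';
}

// Does the generated fragment still contain exactly one string literal (two quotes)?
// An extra quote from the value is what the injected ";]);}catch(e){}" relies on.
function stringLiteralIntact(fragment) {
  const quotes = (fragment.match(/"/g) || []).length;
  return quotes === 2;
}
```

The unsafe builder accepts the payload and produces a fragment with three quotes, i.e. the literal has been closed early and the rest of the value is now code; the safe builder throws before any string is built. Validating the value at the point it is read from loaderInfo.parameters is the fix that matches the slide's "unsanitized parameter" diagnosis.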
Yahoo - Response
- Unpatched, "unrelated" site
- "Drive-by download"
- History of hacks and vulnerabilities: mobile mail website XSS – November 2015; HTML XSS – December 2015; login XSS – December 2010; …
- 48 "Yahoo" CVE records on NVD
Yahoo - Response: T-Shirt-Gate
- Yahoo started by giving people t-shirts / a $12.50 discount code for their store
- Researchers can sell exploits for more profit; other companies offer rewards
- Angry that they got $12.50 for their research
- Yahoo Bug Bounty Program: $50-$15,000 reward for finding bugs, October 2013
StrongWebmail client – Bonus XSS
- StrongWebmail claims to have "the most secure accounts on the planet"
- Two-factor authentication – must answer confirmation call before being authenticated
- Held contest for anyone who can hack the CEO's account - $10,000 prize
StrongWebmail client – Bonus XSS
- XSS vulnerability in subject field
- Wrote an exploit to grab the inbox, session cookies, and task list (calendar), and log to a file
- Sent spear phishing to CEO claiming to have found the XSS exploit, with details in a file
- Didn't know if he would click on it... So ed following up
- StrongWebmail claimed they didn't break the authentication, but ended up awarding the prize
Facebook - Bonus XSS
In Summary
- TweetDeck: scripting possible in the tweet body; self re-tweeting
- eBay: JavaScript injection in URL; allowed injection of iFrame for phishing and credential harvesting
- Yahoo: unpatched Yahoo developer WordPress blog; allowed cookie harvesting through phishing
In Conclusion
- Vulnerabilities out there; people make mistakes
  - 3rd party code
  - Months between vulnerability being created and discovered
- Many ways to exploit these vulnerabilities
  - Phishing; imitating website; getting cookie; self-replicating worms
- Users do not think things through
  - Clicking links; exploiting yourself with malicious code; not noticing odd-looking screens
- Response to these attacks matters
  - Hours, months
  - Confidence of users (thousands of people left TweetDeck for HootSuite)
  - Potential impact
Questions?