• Security

    Testing for Cross site scripting with XSStrike


    1.    Introduction

    XSStrike is a useful tool for finding cross-site scripting (XSS) in web applications; it is simple and easy to use.

    Some main features:

    • Powerful fuzzing engine
    • Context breaking technology
    • Intelligent payload generation
    • GET & POST method support
    • Cookie Support
    • WAF Fingerprinting
    • Hand crafted payloads for filter and WAF evasion
    • Hidden parameter discovery
    • Accurate results via the Levenshtein distance algorithm

    2.    Setup

    Follow these steps to set it up:

    • Clone the Git repository: git clone https://github.com/UltimateHackers/XSStrike
    • Move into the code folder: cd XSStrike
    • Install the required packages: sudo pip install -r requirements.txt
    • Open xsstrike: python xsstrike

    3.    Testing with the GET Request

    After opening XSStrike, enter a URL that uses the GET method (the parameter name is part of the URL).

    Example: https://www.test-domain.com/search?q=test

    The list of XSS payloads will be injected into the parameter shown in the URL (q=test).

    4.    More Examples & Screenshots

    Example URL: http://testphp.vulnweb.com/listproducts.php?cat=1

    5.    Testing with the POST Method

    URL with the POST method: http://testphp.vulnweb.com/guestbook.php

    With the POST method there is no parameter name in the URL, so after we enter the URL the tool shows a new prompt:

    [?] Enter POST data: name=anonymous+user&text=test&submit=add+message

    We can capture the POST data with the following steps:

    • Open the form: http://testphp.vulnweb.com/guestbook.php
    • Input any value at the textbox and click submit
    • Right click on the page, select “Inspect Element” > “Network”
    • Right click on the POST request, select “Copy” > “Copy as cURL”

    The cURL command should look like this:

    curl 'http://testphp.vulnweb.com/guestbook.php' -H 'Host: testphp.vulnweb.com' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 Firefox/58.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: http://testphp.vulnweb.com/guestbook.php' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' --data 'name=anonymous+user&text=test&submit=add+message'

    Take the value of the --data argument and paste it at the tool's prompt.
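    The "Copy as cURL" export above contains more than XSStrike needs. The following is an added example (not part of the original post or of XSStrike) that splits such a command into its URL, headers and POST body and lists the form fields the tool will fuzz. The sample command is the one from this post, with straight quotes; the function names and the assumption that unrecognised flags take no argument are mine.

```python
import shlex
from urllib.parse import parse_qsl

# Constructed sample: the "Copy as cURL" command shown in the post, with straight quotes.
SAMPLE_CURL = (
    "curl 'http://testphp.vulnweb.com/guestbook.php' "
    "-H 'Host: testphp.vulnweb.com' "
    "-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 Firefox/58.0' "
    "-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' "
    "-H 'Accept-Language: en-US,en;q=0.5' --compressed "
    "-H 'Referer: http://testphp.vulnweb.com/guestbook.php' "
    "-H 'Content-Type: application/x-www-form-urlencoded' "
    "-H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' "
    "--data 'name=anonymous+user&text=test&submit=add+message'"
)


def parse_curl(command):
    """Split a browser-exported cURL command into url, method, headers and body.

    Only the options browsers emit are handled (-H, -b, -A, -X and the --data
    family); any other flag is assumed to take no argument (e.g. --compressed).
    """
    tokens = shlex.split(command)
    if not tokens or tokens[0] != "curl":
        raise ValueError("not a curl command line")
    result = {"url": None, "method": "GET", "headers": {}, "data": None}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-H", "--header"):
            name, _, value = tokens[i + 1].partition(":")
            result["headers"][name.strip()] = value.strip()
            i += 2
        elif tok in ("-b", "--cookie"):
            result["headers"]["Cookie"] = tokens[i + 1]
            i += 2
        elif tok in ("-A", "--user-agent"):
            result["headers"]["User-Agent"] = tokens[i + 1]
            i += 2
        elif tok in ("-X", "--request"):
            result["method"] = tokens[i + 1].upper()
            i += 2
        elif tok in ("-d", "--data", "--data-raw", "--data-binary"):
            result["data"] = tokens[i + 1]
            result["method"] = "POST"  # curl switches to POST when a body is given
            i += 2
        elif tok.startswith("-"):
            i += 1  # flag without an argument, such as --compressed
        else:
            result["url"] = tok  # the only bare word is the target URL
            i += 1
    return result


def post_parameters(data):
    """Names of the form fields in the body, in order: these are what XSStrike fuzzes."""
    return [name for name, _ in parse_qsl(data, keep_blank_values=True)]


if __name__ == "__main__":
    req = parse_curl(SAMPLE_CURL)
    print("URL:       ", req["url"])
    print("POST data: ", req["data"])
    print("Parameters:", post_parameters(req["data"]))
```

The `--data` value printed by the script is exactly what goes into the "Enter POST data" prompt; the Cookie header, if the export has one, is what XSStrike's cookie support expects.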

    In the result above, a payload with 100% efficiency was found: <svg/onload=(confirm)()>

    We can verify it by copying this payload into the textbox and clicking the submit button; the popup should appear as in the screenshot below.

    It is simple but really helpful for scanning and checking for XSS issues with both the GET and POST methods.

    Please do not hesitate to let me know if you have any questions or concerns, I’m happy to help!

  • Automation, Security

    Bypass the basic math Captcha

    When I was looking for the code for a simple Captcha for my personal project, I found this solution: http://html-tuts.com/simple-php-captcha/

    The idea of this Captcha is simple: the user needs to enter the correct result of a basic calculation, A+B.

    [Screenshot: Simple Captcha Code with PHP, Mozilla Firefox, 2016-06-02 01.34.38]

    But from a tester's point of view, I asked myself: how can I bypass and break it?

    I looked into the source code of the demo Captcha site and there is some useful information there; with the help of Selenium WebDriver I can make it very easy. Here are my steps:

    Source:

    Summary:
    – For web admins and developers: do not use this simple method to protect your website from flooding or spam.
    – From the attacker's side: this method, or something similar, can be used to bypass the Captcha.
    – For testers: view the front-end source code and decide what you can test.

  • Security

    Malicious redirect & bypass “Redirect Notice” at Google.com

    Over the last few months, while I was working on the “Open Redirect” vulnerability, I found something interesting: an attacker can bypass the confirmation page and redirect the user to a malicious website by using the Google.com domain.

    1. My site: https://sangbui.com
    2. Redirect to other site by using Google.com domain: https://www.google.com/url?sa=t&url=[URL]
    Eg: https://www.google.com/url?sa=t&url=https://sangbui.com

    Display: Redirect Notice

    [Screenshot: Redirect Notice, Mozilla Firefox, 2016-05-23 23.47.41]

    So how can I bypass this page and redirect the user to my site without any confirmation message?

    3. Bypass the confirmation page:  https://www.google.com/url?sa=t&url=[URL]&usg=[Code]*

    * See the video below for how I obtained the Code. The full URL will be:

    With this URL, the attacker can redirect the user to a malicious or phishing site.

    I reported this issue to Google, but they do not consider it a security vulnerability: “Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so, we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk.”

    In the next email they said that: “We consider this issue as working as intended, but thanks for letting us know”.

    I think the “Redirect Notice” confirmation page should be displayed to let the user know where they are going. Sometimes it is a risk.
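    The post shows that a redirector which skips its interstitial for any link carrying a valid code is only as safe as that code. The following is an added example (my own, not Google's implementation; the post does not say how the usg value is computed) of a redirector that shows the notice for every third-party target unless the link carries an HMAC tag the site itself issued, rejects non-HTTP schemes outright, and never skips the notice on the strength of the URL alone. The host list, key and function names are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlencode, urlsplit

# Constructed: hosts that belong to the site running the redirector and never need a notice.
FIRST_PARTY_HOSTS = {"www.example.test", "example.test"}


def sign_target(url, key):
    """Tag the redirector attaches to links it generated itself (assumed design)."""
    return hmac.new(key, url.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_link(url, key):
    """Build a first-party redirect link whose tag lets it skip the notice."""
    return "/url?" + urlencode({"url": url, "tag": sign_target(url, key)})


def redirect_decision(url, tag, key):
    """Decide what the redirector does for a target URL and an optional tag.

    Returns one of:
      ("reject", None)    the target is not an http(s) URL (javascript:, data:, //host ...)
      ("redirect", url)   first-party host, or a tag this site issued for exactly this URL
      ("notice", url)     third-party target without a valid tag: show the Redirect Notice
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ("reject", None)
    if parts.hostname.lower() in FIRST_PARTY_HOSTS:
        return ("redirect", url)
    # compare_digest needs two ASCII strings; anything else is simply not a valid tag.
    if isinstance(tag, str) and tag.isascii() and hmac.compare_digest(tag, sign_target(url, key)):
        return ("redirect", url)
    return ("notice", url)


if __name__ == "__main__":
    key = b"constructed-secret-key"          # would come from server configuration
    target = "https://sangbui.com"
    print(redirect_decision(target, None, key))          # notice: untagged third party
    print(redirect_decision(target, "0000", key))        # notice: forged tag
    print(issue_link(target, key))                       # link the site itself would emit
    print(redirect_decision(target, sign_target(target, key), key))   # redirect
    print(redirect_decision("javascript:alert(1)", None, key))        # reject
```

The tag binds the exact URL string, so changing the destination invalidates it; a forged or copied tag for another URL falls back to the notice rather than to a silent redirect.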

  • Security

    Text injection on form

    This is quite an interesting bug; it can be exploited to deceive users (phishing).

    URL: http://ok.ru

    First, I leave Username and Password empty and click Log in; the error message shown below appears.

    [Screenshot: Odnoklassniki, Mozilla Firefox, 2016-05-21 23.43.29]

    Looking at the URL, it has the following form:

    Replace the string “errors.email.empty” with some other content.

    Result.

    [Screenshot: Odnoklassniki, Mozilla Firefox, 2016-05-21 23.46.32]


  • Security

    XSS vulnerable at Lozi.vn

    I recently read an article in Tuổi Trẻ saying that Lozi.vn had received a million-dollar investment, so I was curious to see what their website was like; it seems Lozi has not paid much attention to web security, as they do not use any input filtering to prevent XSS.
    As we know, an XSS bug can be exploited to steal cookies and thereby hijack user accounts, fake the login page, trick users into installing malicious software (viruses, spyware, etc.), mount clickjacking attacks, and so on.

    These are the steps I took to find the bug; I hope they help testers understand and check for XSS in their own products.

    1. First I went to the Lozi site: http://lozi.vn/
    2. I typed “testing” into the search box to see what the URL parameter is. The resulting URL looks like this:

    3. I inserted code to trigger a popup reading “Attacked”.

    The site is vulnerable because Lozi did not use any XSS filters to restrict the execution of injected code.

    [Screenshot: Lozi_XSS]

    * I have reported this bug to Lozi and hope they fix it soon.
    * This post is for reference on XSS testing only; you are responsible if you use it for bad purposes.
    ——
    Update: Lozi.vn fixed this bug after receiving the report.
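    Both the guestbook form in the XSStrike post (where `<svg/onload=(confirm)()>` was reflected) and the Lozi search box above have the same root cause: user input copied into the page without output encoding. The following is an added example (my own code, not Lozi's, Acunetix's or XSStrike's) that puts the unfiltered rendering next to an encoded one and probes both the way a scanner does: a canary made of a marker token followed by each character XSS needs is reflected, and the characters that come back unencoded tell you whether the page is vulnerable. The page templates, the token and the function names are constructed for the example.

```python
import html

# Constructed canary: marker token followed by each character that matters for XSS.
# Because every special character has its own copy of the token, each one is checked
# independently of whether the others were encoded.
TOKEN = "zq1v"
SPECIALS = '<>"\''
CANARY = "".join(TOKEN + c for c in SPECIALS)   # zq1v<zq1v>zq1v"zq1v'


def render_search_vulnerable(term):
    """Reflects the search term verbatim into text and attribute context:
    the unfiltered pattern both posts describe."""
    return f'<h1>Results for {term}</h1><input name="q" value="{term}">'


def render_search_safe(term):
    """The same page with HTML entity encoding applied at output time
    (quote=True also encodes the quote characters needed to break out of attributes)."""
    safe = html.escape(term, quote=True)
    return f'<h1>Results for {safe}</h1><input name="q" value="{safe}">'


def surviving_chars(page, token=TOKEN, specials=SPECIALS):
    """Characters from the canary that came back unencoded right after the token.
    An empty set means the reflection is encoded, or the input is not reflected at all."""
    return {c for c in specials if token + c in page}


def check_reflection(render):
    """Probe a page renderer: inject the canary and report which dangerous
    characters survive. Any survivor means a payload built from it will execute."""
    return surviving_chars(render(CANARY))


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_search_vulnerable), ("safe", render_search_safe)):
        print(f"{name:10s} unencoded: {sorted(check_reflection(fn))}")
    # The payload XSStrike reported against the guestbook, rendered by the encoded template:
    print(render_search_safe("<svg/onload=(confirm)()>"))
```

Run against the vulnerable template the probe reports all four characters, which is why a payload such as the one XSStrike found executes; against the encoded template it reports none, and the same payload is rendered as inert text. The probe works on any renderer that returns HTML, so it can be pointed at real responses as well as these templates.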