IP

Showing posts with label XSS. Show all posts

Sunday, August 21, 2011

XSS Street-Fight: The Only Rule Is There Are No Rules


XSS Introduction

Attack: XSS
An attacker can send data through a web application that will execute code within the victim's web browser.
It is an interpreter attack against the web browser.
Application defect: Improper Output Handling
The application does not properly apply contextual output encoding/escaping to user-supplied data.
Types:
Reflected, Stored and DOM
Consequences:
Session Hijacking, Malware Installation, Fraud (CSRF)
Remediation: Contextual Output Encoding
Data must be escaped differently depending on where it is displayed on the page:
− HTML, HTML Attribute, URL, JavaScript, CSS
Reference: OWASP XSS Cheatsheet
http://www.owasp.org

Download: PDF
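The slides list five output contexts but, being slides, do not show what "escape differently per context" looks like in code. The following is an added example, not from the deck: one untrusted value placed in each of the five contexts, each with its own encoder. The rules follow the OWASP XSS Prevention Cheat Sheet (escape structural characters in HTML body, hex-entity everything non-alphanumeric in attributes, percent-encode URL parameters, \xHH in JavaScript strings, \HH in CSS); the function names and the profile fragment are ours.

```javascript
// Added example: context-specific output encoders. Names are ours, not from
// the slides. Each encoder is only safe for the context named in its comment.

// HTML body: the characters that can change markup structure.
function encodeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[c]);
}

// HTML attribute value. The attribute MUST be quoted in the template; every
// non-alphanumeric character is hex-entity encoded so odd whitespace (tab,
// form feed) cannot start a new attribute either.
function encodeHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => `&#x${c.charCodeAt(0).toString(16).toUpperCase()};`);
}

// URL query parameter value. Applied to the value only, never to a whole URL
// the user controls (that would let a javascript: scheme through untouched).
function encodeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// JavaScript string literal: \xHH / \uHHHH for everything non-alphanumeric.
// This also neutralises a closing </script>, since '<' becomes \x3C.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const cp = c.charCodeAt(0);
    return cp < 256
      ? '\\x' + cp.toString(16).padStart(2, '0').toUpperCase()
      : '\\u' + cp.toString(16).padStart(4, '0').toUpperCase();
  });
}

// CSS string value: \HH followed by a space (the space terminates the escape).
function encodeCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => '\\' + c.charCodeAt(0).toString(16).toUpperCase() + ' ');
}

// Same untrusted value, five contexts, five encoders.
function renderProfile(name) {
  return [
    `<p>Hello, ${encodeHtml(name)}</p>`,
    `<input type="text" value="${encodeHtmlAttr(name)}">`,
    `<a href="/search?q=${encodeUrlParam(name)}">search</a>`,
    `<script>var user = "${encodeJsString(name)}";</script>`,
    `<style>.u::after { content: "${encodeCss(name)}"; }</style>`,
  ].join('\n');
}
```

Using one encoder for all five slots is the classic mistake: HTML-entity encoding inside the `<script>` block, for example, does nothing to stop `"; alert(1); //` from breaking out of the string literal.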

XSS Rays - Google Chrome Browser Extensions

Complete XSS reversing/scanner tool. Find how a site is filtering code, check for injections and inspect objects.

XSS Rays is a security tool to help pen test large web sites. Its core features include an XSS scanner, an XSS reverser and object inspection. Need to know how a certain page filters output? Don't have the source? No problem. XSS Rays will black-box reverse an XSS filter without needing the source code.

You can also extract, view and edit forms non-destructively that normally can't be edited. For example, if you want to modify the value of a checkbox without changing its type, XSS Rays can link to the object and allow you to change the value without altering the original object.

Using the object inspector you can browse through the window object and edit the contents of the functions in real time allowing you to dissect a web page and understand more how it works. This also works with globally defined functions, you can see which functions the developer has decided to place within the window object. 
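"Black-box reversing a filter" means sending probes and classifying what comes back. The block below is an added example of that technique, not XSS Rays' code: `sampleFilter` is a constructed stand-in for a remote page's output filter (strips `<script>` tags and the word `javascript`, entity-encodes double quotes), and `reverseFilter` probes it one metacharacter and one token at a time, wrapping each probe in a marker so it can be located in the echoed response. The probe list and result labels are ours.

```javascript
// Added example: black-box probing of an output filter. Not XSS Rays' code.

// Constructed stand-in for the page under test: a typical half-measure
// filter. Not taken from any real site.
function sampleFilter(input) {
  return input
    .replace(/<\s*\/?\s*script[^>]*>/gi, '')   // drop script tags (one pass)
    .replace(/javascript/gi, '')               // drop the scheme name
    .replace(/"/g, '&quot;');                  // encode double quotes only
}

const METACHARS = ['<', '>', '"', "'", '/', '\\', '&', '(', ')', ';', '=', '`', ' '];

// Token-level probes: case variation, nesting that defeats single-pass
// removal, a null byte inside the scheme, and a tag the filter never mentions.
const TOKENS = ['<script>', '<SCRIPT>', '<scr<script>ipt>', 'javascript:',
                'java\u0000script:', '<img src=x onerror=1>'];

// Fixed marker so the probe can be found even if the page adds markup around it.
const MARKER = 'qz91qz';

// Classify how the filter treats one probe string.
function probeChar(filter, probe) {
  const echoed = filter(MARKER + probe + MARKER);
  const start = echoed.indexOf(MARKER);
  const end = echoed.lastIndexOf(MARKER);
  if (start < 0 || end <= start) return 'marker-damaged';
  const between = echoed.slice(start + MARKER.length, end);
  if (between === probe) return 'passes';
  if (between === '') return 'stripped';
  if (/^&[#\w]+;$/.test(between)) return 'encoded:' + between;
  return 'changed:' + between;
}

// Run every probe and return a map of probe -> classification.
function reverseFilter(filter) {
  const result = {};
  for (const p of [...METACHARS, ...TOKENS]) result[p] = probeChar(filter, p);
  return result;
}
```

Reading the result table for `sampleFilter`: `<`, `>`, `'` and `=` pass, `"` is encoded, `<script>` is stripped regardless of case, but `<scr<script>ipt>` collapses into `<script>` after one removal pass, and an `<img>` with an event handler is never touched. That is exactly the information a tester needs before choosing a payload.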


Download: https://chrome.google.com

More info: http://www.thespanner.co.uk

DOMXSS Scanner


What is DOMXSS Scanner?

DOMXSS Scanner is an online tool that helps you find potential DOM-based XSS vulnerabilities. Enter a URL to scan the document and its included scripts for DOM XSS sources and sinks in the source code of web pages and JavaScript files.

What is DOM Based XSS?

DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.

http://www.domxssscanner.com
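A scanner of this kind is essentially a grep for source expressions (`location.hash`, `document.URL`, `document.referrer`, `window.name`) and sink expressions (`innerHTML =`, `document.write(`, `eval(`, string-argument `setTimeout`, jQuery `.html(`). The block below is an added example of that approach, not the DOMXSS Scanner's own code; the regex lists and the sample script it scans are constructed by us. It flags candidates only: whether data actually flows from a source to a sink still has to be confirmed, which is what runtime taint tracking (see DOMinator, later on this page) is for.

```javascript
// Added example: static source/sink grep for DOM XSS candidates.
// Not the DOMXSS Scanner's code; regex lists are ours and not exhaustive.

const SOURCES = [
  /\blocation\b(?:\.(?:href|hash|search|pathname))?/,
  /\bdocument\.(?:URL|documentURI|referrer|cookie)\b/,
  /\bwindow\.name\b/,
];

const SINKS = [
  /\.innerHTML\s*=/, /\.outerHTML\s*=/, /\binsertAdjacentHTML\s*\(/,
  /\bdocument\.write(?:ln)?\s*\(/,
  /\beval\s*\(/, /\bnew\s+Function\s*\(/,
  /\bsetTimeout\s*\(\s*["'`]/, /\bsetInterval\s*\(\s*["'`]/,   // string-argument forms only
  /\blocation(?:\.href|\.assign\s*\(|\.replace\s*\(|\s*=)/,      // open redirect / javascript: URLs
  /\$\([^)]*\)\.(?:html|append|prepend|after|before)\s*\(/,      // jQuery HTML sinks
];

// Scan JavaScript text line by line; same-line source+sink is the strongest
// (still unconfirmed) signal and is marked 'high'.
function scanForDomXss(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    const sources = SOURCES.map((re) => text.match(re)).filter(Boolean).map((m) => m[0]);
    const sinks = SINKS.map((re) => text.match(re)).filter(Boolean).map((m) => m[0].trim());
    if (sources.length || sinks.length) {
      findings.push({
        line: i + 1,
        text: text.trim(),
        sources,
        sinks,
        priority: sources.length && sinks.length ? 'high' : 'review',
      });
    }
  });
  return findings;
}

// Constructed sample script, not taken from any real site.
const SAMPLE_JS = `
// constructed sample, not taken from any real site
var lang = document.URL.substring(document.URL.indexOf("lang=") + 5);
document.write("<option value='" + lang + "'>");
var name = decodeURIComponent(location.hash.slice(1));
document.getElementById("greeting").innerHTML = "Hi " + name;
document.getElementById("greeting").textContent = "Hi " + name;
document.getElementById("q").innerHTML = location.search;
setTimeout(function () { tick(); }, 1000);
`;
```

Note what the grep cannot see: lines 3 and 4 together are a real DOM XSS (`document.URL` flows into `document.write` through `lang`), yet each line alone is only 'review', while line 7 (`textContent`) is correctly silent and line 9 (`setTimeout` with a function, not a string) is not flagged.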

OWASP AntiSamy v.1.4.4 Released


The OWASP AntiSamy project is an API for safely allowing users to supply their own HTML and CSS without exposure to XSS vulnerabilities. 

The biggest move of this release is to officially change the default parser/serializer from the DOM engine to the SAX engine. We’ve had two engines for the past few versions, but maintaining two engines concurrently is kinda crazy. The SAX version is twice as fast and much better on memory. Even though all of our test cases pass for both engines, I still anticipate some growing pains in the SAX version, which is why I think most critical applications should stick to 1.4.3 for now.

Changelist:
-fixed error message not sanitizing CDATA payloads when encountered (should only concern you if you use error messages + exactly version 1.4.3)
-tags that are allowed to be empty are no longer hardcoded and can be set in the policy file (), with a safe default list if none are provided
-continued to try to make SAX and DOM version semantically if not literally identical output
-added test cases to regression
-fixed Julian Cohen’s privately reported stack exhaustion bug by applying a tree depth check (the max depth of a DOM tree is now 250)
-no longer Java 1.4 compatible

Download: http://code.google.com

Web application vulnerabilities in context of browser extensions


2: Opera 

Intro
Let's continue to research possible security problems when popular web technologies are used in browser extensions. Opera is one of the most powerful web browsers today. It has fast rendering and JavaScript engines and a lot of other useful features. For a long time Opera was an all-in-one thing, in opposition to Mozilla Firefox with its add-ons. But now that one more strong player called Google Chrome has come into the browser market, Opera has decided to support extensions too (yes, yes, I remember Opera widgets).

Download: PDF

AntiXSS v.4.0 Released

Microsoft Anti-Cross Site Scripting Library V4.0

The Microsoft Anti-Cross Site Scripting Library V4.0 (AntiXSS V4.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique (sometimes referred to as the principle of inclusions) to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encoding anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes.

New features in this version of the Microsoft Anti-Cross Site Scripting Library include:
- A customizable safe list for HTML and XML encoding
- Performance improvements
- Support for Medium Trust ASP.NET applications
- HTML Named Entity Support
- Invalid Unicode detection
- Improved Surrogate Character Support for HTML and XML encoding
- LDAP Encoding Improvements
- application/x-www-form-urlencoded encoding support
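The release notes name three things worth seeing together: an allow-list (everything not explicitly safe gets encoded), a customizable safe list, and correct handling of surrogate pairs and invalid UTF-16. The following is an added example in that style, not Microsoft's AntiXSS code: the encoder iterates by code point rather than by UTF-16 unit, so an emoji becomes a single numeric reference instead of two bogus ones, and an unpaired surrogate is replaced with U+FFFD rather than emitted. The default safe ranges and the small named-entity table are ours.

```javascript
// Added example: allow-list HTML encoder with surrogate handling.
// Not Microsoft's AntiXSS code; safe-list ranges and entity table are ours.

// Inclusive [lo, hi] code point ranges that pass through unencoded:
// 0-9, A-Z, a-z, space, comma, hyphen, period.
const DEFAULT_SAFE = [[0x30, 0x39], [0x41, 0x5a], [0x61, 0x7a], [0x20, 0x20], [0x2c, 0x2e]];

// Named entities for the most common structural characters; everything
// else outside the safe list gets a decimal numeric reference.
const NAMED = new Map([[0x3c, '&lt;'], [0x3e, '&gt;'], [0x26, '&amp;'], [0x22, '&quot;']]);

// Build an encoder for a given safe list (the "customizable safe list").
function makeHtmlEncoder(safeRanges = DEFAULT_SAFE) {
  const isSafe = (cp) => safeRanges.some(([lo, hi]) => cp >= lo && cp <= hi);

  return function encode(input) {
    const s = String(input);
    let out = '';
    for (let i = 0; i < s.length; i++) {
      const hi = s.charCodeAt(i);
      let cp = hi;
      if (hi >= 0xd800 && hi <= 0xdbff) {              // high surrogate
        const lo = i + 1 < s.length ? s.charCodeAt(i + 1) : 0;
        if (lo >= 0xdc00 && lo <= 0xdfff) {            // valid pair -> one code point
          cp = 0x10000 + ((hi - 0xd800) << 10) + (lo - 0xdc00);
          i++;
        } else {
          cp = 0xfffd;                                  // lone high surrogate: invalid UTF-16
        }
      } else if (hi >= 0xdc00 && hi <= 0xdfff) {
        cp = 0xfffd;                                    // lone low surrogate: invalid UTF-16
      }
      if (isSafe(cp)) out += String.fromCodePoint(cp);
      else if (NAMED.has(cp)) out += NAMED.get(cp);
      else out += '&#' + cp + ';';
    }
    return out;
  };
}

const htmlEncode = makeHtmlEncoder();
```

The allow-list inversion is the point: a deny-list encoder has to know every dangerous character in advance, whereas here a forward slash, a backtick or a non-ASCII letter is encoded simply because nobody declared it safe. Widening the safe list (for example to let `/` through) is a deliberate, visible policy decision.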

Download: 
http://www.microsoft.com

DOMinator - The DOM XSS Analyzer Tool


What is DOMinator?

DOMinator is a Firefox-based tool for the analysis and identification of DOM Based Cross Site Scripting issues (DOMXss). It is the first runtime tool that can help security testers identify DOMXss.




How it works?

It uses a dynamic runtime tainting model on strings and can trace taint propagation operations back to their source in order to determine whether a DOMXss vulnerability is actually exploitable. An introduction to the implementation flow and a description of the interface are available on the project site.

What are the possibilities?

In the field of DOMXss the possibilities are almost endless. At the moment DOMinator can help in identifying reflected DOM Based XSS, but there is potential to extend it to stored DOMXss analysis.
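The two sentences above describe runtime taint tracking: a string read from a DOM source is marked, every string operation propagates the mark, and the sink check reports whether a tainted value reached it along with the chain of operations that got it there. The block below is an added toy model of that idea, not DOMinator's code. DOMinator hooks the browser's string implementation; here the value is wrapped in a class instead, with a constructed flow (name from `location.hash`, decorated, written via `innerHTML`) shown in its vulnerable and fixed forms. Class and method names are ours.

```javascript
// Added example: toy string taint tracking with a propagation trace.
// Not DOMinator's code; it models the idea, not the implementation.

class TaintedString {
  constructor(value, tainted, trace = []) {
    this.value = String(value);
    this.tainted = tainted;
    this.trace = trace;           // operations applied, oldest first
  }

  static fromSource(name, value) {       // value read from a DOM source
    return new TaintedString(value, true, [`source:${name}`]);
  }

  static literal(value) {                // developer-controlled constant
    return new TaintedString(value, false, ['literal']);
  }

  // Derive a new value: tainted if this or any tainted operand is tainted.
  // The trace follows the first tainted operand so it leads back to a source.
  _derive(value, op, ...others) {
    const taintedOthers = others.filter((o) => o instanceof TaintedString && o.tainted);
    const tainted = this.tainted || taintedOthers.length > 0;
    const inherited = this.tainted || taintedOthers.length === 0
      ? this.trace
      : taintedOthers[0].trace;
    return new TaintedString(value, tainted, [...inherited, op]);
  }

  concat(other) {
    const v = other instanceof TaintedString ? other.value : String(other);
    return this._derive(this.value + v, 'concat', other);
  }

  slice(a, b) {
    const args = [a, b].filter((x) => x !== undefined).join(',');
    return this._derive(this.value.slice(a, b), `slice(${args})`);
  }

  toUpperCase() { return this._derive(this.value.toUpperCase(), 'toUpperCase'); }

  // A replace() does not clear taint: the model cannot know whether the
  // pattern removed every dangerous character, so it stays conservative.
  replace(pattern, repl) { return this._derive(this.value.replace(pattern, repl), `replace(${pattern})`); }

  // The one operation that yields an untainted value for an HTML sink.
  // (A JavaScript or URL sink would need a different escape.)
  htmlEscape() {
    const v = this.value.replace(/[&<>"']/g, (c) => ({
      '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
    })[c]);
    return new TaintedString(v, false, [...this.trace, 'htmlEscape']);
  }
}

// Sink check: returns a report (with the propagation chain) instead of throwing.
function checkSink(sinkName, str) {
  return {
    sink: sinkName,
    value: str.value,
    exploitable: str.tainted,
    trace: str.tainted ? [...str.trace, `sink:${sinkName}`] : [],
  };
}

// Constructed flow: fragment -> slice -> concat -> innerHTML, with and without escaping.
function demo(hash) {
  const name = TaintedString.fromSource('location.hash', hash)
    .slice(1)
    .concat(TaintedString.literal('!'));
  return {
    vulnerable: checkSink('innerHTML', TaintedString.literal('<b>Hi ').concat(name)),
    fixed: checkSink('innerHTML', TaintedString.literal('<b>Hi ').concat(name.htmlEscape())),
  };
}
```

The trace for the vulnerable path reads `source:location.hash, slice(1), concat, concat, sink:innerHTML`, which is the "trace back taint propagation" the description refers to; the fixed path is identical except for `htmlEscape`, which is what lets a reviewer distinguish a real finding from a false positive produced by a static source/sink grep.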


Download: http://code.google.com

Socially-Engineered XSS Attacks


When the IE team talks about Cross-Site-Scripting (XSS) attacks, we've usually grouped them into three categories:

Type 0: DOM-based XSS
Type 1: “Reflected” XSS
Type 2: Persistent/Stored XSS

DOM-APIs like toStaticHTML enable pages to protect themselves against Type 0 attacks. The Internet Explorer XSS Filter can block Type 1 attacks by detecting reflected script and neutering it. Servers can protect themselves against Type 2 attacks using the Anti-XSS library to sanitize stored data.

It turns out, however, that there’s a fourth type of XSS attack: Socially-engineered XSS. In a socially-engineered XSS attack, the user is tricked into running an attacker’s JavaScript code in the context of the victim site. Even if a site follows best-practices to block XSS Types 0, 1 and 2, they may still be vulnerable to Socially Engineered XSS attacks.

Such attacks work in the same way as most socially-engineered attacks, by attacking the weakest link in browser security—the user’s trust. The attacks request that the user perform a series of operations (often using keyboard key combinations) that result in a JavaScript URL being entered in the address bar and invoked. JavaScript URIs entered in this way execute in the context of the currently loaded page. Users are tricked into following these instructions with the promise of some reward (e.g. free “points” for games, “secret” information about other users, etc).


More: http://blogs.msdn.com

Cookiejacking Attack Technique


Cookiejacking is a UI redressing attack that allows an attacker to hijack his victim's cookies without any XSS.

Clickjacking attacks have been widely adopted by attackers worldwide on popular websites (e.g. Facebook) in order to perform drive-by download attacks, click forging, message sending and so on.

In previous works on the same matter, new approaches to UI redressing attacks emerged, showing the possibility of stealing the contents of a victim's web pages. In this presentation I will demonstrate a new kind of attack that can be used to exploit a 0-day vulnerability affecting all Internet Explorer versions on every Windows OS installation. The attack leverages a UI redressing approach and allows an attacker to steal session cookies from whatever site a victim is visiting. This new approach really moves UI redressing attacks a step further.


More info and demo: https://sites.google.com/site/tentacoloviola/cookiejacking

Friday, August 19, 2011

XSSF - Cross-Site Scripting Framework v.2.0 Released

The Cross-Site Scripting Framework (XSSF) is a security tool designed to make exploiting XSS vulnerabilities a much easier task. The XSSF project aims to demonstrate the real dangers of XSS vulnerabilities by making their exploitation accessible. This project is created solely for education, penetration testing and lawful research purposes.

XSSF allows creating a communication channel with the targeted browser (from a XSS vulnerability) in order to perform further attacks. Users are free to select existing modules (a module = an attack) in order to target specific browsers.

XSSF provides a powerful, documented API, which facilitates the development of modules and attacks. In addition, its integration into the Metasploit Framework allows users to launch MSF browser-based exploits easily from an XSS vulnerability.


Download: https://code.google.com

Video demo: http://www.youtube.com



OWASP Zed Attack Proxy v.1.3.1 Released


The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.

Download: https://www.owasp.org

Changelog: https://code.google.com