Bugcrowd University Cross Site Scripting XSS

Hey all, welcome to Bugcrowd University. In this module we'll talk about cross-site scripting. This is quite possibly the bug type you'll most frequently find in your testing. I'll go through the tips and tricks on how to tackle this bug type and what you should look out for during your testing.

First off, I'd like to introduce myself as the trainer for this module. My name is JP Villanueva and my researcher handle is swagnetow. I've been bug hunting for about four and a half years now, so I've definitely seen the ins and outs, as well as what works and what doesn't work, on bug bounty programs. I also work at Bugcrowd as a trusted security engineer, and I'm lucky enough to report to the legend himself, Jason Haddix. I'm also a programmer, hacker, speaker and gamer.

Here's a high-level overview of what I'm going to go through in this module. First we'll go through the module reading, what you should read up on before going through this module; an introduction to XSS; classic examples of XSS that I've seen in the wild; best practices on how you can tackle XSS; recent advancements in XSS; tools; the actual labs you'll go through in this module; and resources and references.

Here's what you'll need to really understand what's going on in this module. First, the all-time classic, The Web Application Hacker's Handbook. Every good web app pentester I know has read this book. This is going to be your Bible for XSS. The book was released in 2012; however, XSS is pretty much the same vuln now as it was then, with a few variations. Another good free resource is the OWASP Testing Guide. It specifically has sections on testing the three major types of XSS. And lastly, check out the Mozilla Developer Network web documentation, and check out the Introduction to the DOM to really understand DOM-based XSS.

Let's go through the introduction of what XSS is. Let's go through a little bit of background and history, so I invite you to stay a while and listen. Cross-site scripting, or XSS, is one of the most common vulnerabilities that you as a bug hunter can ever find on any given web application. Notice that it's not abbreviated as CSS, because those are cascading style sheets. Ten years ago you could probably find XSS vulns on 99% of websites; however, within the last few years many JavaScript libraries such as AngularJS and React.js have made great strides in protecting web apps against XSS. However, just because these libraries are being used by developers doesn't mean that the vuln went away completely. You'll still find XSS on many web apps that do not use newer JavaScript libraries, and sometimes even on websites that do use them. Looking at the Top 10 for 2017, you'll notice that XSS has still not gone away. What does this mean for you as the bug hunter? Well, it means that you should definitely be looking for this vuln in your testing.

So what is it? In a nutshell, XSS is an injection-class vulnerability that allows an attacker to execute arbitrary JavaScript code on a web app. When a victim visits the location where the attacker has injected their XSS payload, the browser executes the code. Strictly speaking, this is a type of vulnerability that targets a user of the website and not the actual server itself.

Where do you find this type of vuln? Usually you'll find XSS on any kind of web app that allows user input on the page itself through some kind of functionality, like a search function that reflects what you've entered onto the page. We call that reflection. Let's say that you search for "XSS" in that search field, and when the response comes back you see that "XSS" is written on the page. How about changing that to your own name? Does it reflect? Now what happens when you inject JavaScript code? Does it execute? Many times you'll find these kinds of reflections by just injecting into various parameters, either in the URL's query string or in the POST body. Any time you see reflection of any kind, always try to see if you can get XSS.

How impactful is XSS? Well, that depends. Check the VRT: the highest level of XSS is a P2, while most XSS is going to be in the P3 range, with some being as low as P4 or P5. It's important to understand the various classes of XSS to know exactly how impactful your submission is going to be when you do find a bug. What can you do with that XSS? A lot, in fact. The most common use case for XSS is stealing a user's session cookie, if the session cookie is not marked as HttpOnly. Other attacks I've seen are much more clever: rewriting the entire page to make it look like a login form for the actual site, or even Google. You enter your creds in the text fields, hit submit, and now it sends all that data to the attacker. XSS can even bypass certain cross-site request forgery protections, as you may simply steal that CSRF token from that page from the user. Not only is XSS a fairly versatile attack, but it's very fun to find.

Now let's talk about the different classes of XSS and what they are. Reflective XSS usually presents itself on parameters on GET requests that are injectable and reflect the data in that parameter back on the page. Common functionality in my testing where I've seen this type of XSS is on search functionalities. You just put the payload into the parameter and, boom, XSS reflects on the page and executes in the browser. Stored XSS usually presents itself on parameters on POST requests that are injectable and reflect the data in the parameter back into the page after it saves the data on the server. A common functionality in my testing that I've seen this on is account pages where you can change your name or address. As the name implies, the payload is stored in the server's database, and it's called every time the page loads the data. Flash-based XSS is quickly being phased out, as many of the modern browsers no longer support Flash. As the name implies, to find this XSS you'll need to find it in a Flash SWF in order to get the XSS to trigger. If you do happen to go after these, just remember that they are a lot lower on the VRT scale, due to the fact that the effectiveness rate of this bug is much lower than other variants of XSS. Finally, there's self-XSS. This class of XSS is the least dangerous variation. The attack scenario requires the attacker to somehow convince the victim to type out or copy and paste the XSS payload into the web app. In my opinion this type of XSS is a very, very low-level attack and should mostly be avoided. However, there are some scenarios that I've seen where the original self-XSS was turned into either a reflective or stored XSS.

Next, let's talk about classic examples of XSS that have been out there in the wild. The MySpace worm is perhaps the most famous example of XSS. The infamous Samy Kamkar found various XSS vulns on the once popular social media website MySpace. If you happened to trigger the XSS, it posted a message in your feed that said "Samy is my hero". This was an XSS worm because it spread whenever your friends saw the comment, and within that was the XSS payload. Another example of XSS is the TweetDeck worm. This one is especially nasty because TweetDeck actually had to take down their services to fix the bug. You can see here the payload of what was posted on Twitter.

Now that we know a little bit more about XSS, let's go through the best practices. First off, always start slow. The biggest mistake that I see with novices, or even intermediates, when trying to craft a valid XSS payload is that they're going too fast. They'll try to get clever and use advanced techniques like an XSS polyglot that might be over their head, and they don't understand how it works. Another scenario is typing out the entire payload without first testing which characters are being filtered. Instead, have a good methodology, like using Burp Repeater. Start off by using the first character that will break the HTML and see if that reflects, along with a unique string that you know will not be on the page. I like a random string like "swagnetow" or something like that, that I can use to search for easily in Burp Repeater. In the HTTP response window, use the "auto-scroll to match when text changes" feature. Then add the next character and see what happens, then maybe a whole HTML tag, and see what happens after that. It's a lot easier to do it this way than to figure out what went wrong when you start with a large injection. Is this time-consuming? Absolutely. However, sometimes simple is best. This is especially true if you're a beginner or intermediate.

Secondly, don't get discouraged. There are some pretty difficult XSS filters and blacklists out there. Keep trying and you'll eventually get it. However, it's also important to note that you'll need to know when to give up. If you're not getting it after a certain time, maybe it's time to give up, or take a break and look at something else.

Another common best practice is to keep a list of common payloads. This one is important so that you can look back and see which payloads are possible given how a blacklist is reacting. Looking at what's possible will help you come up with clever payloads to get around those blacklists. A personal favorite of mine is to use Burp Intruder. If I'm up against a blacklist that is checking for certain JavaScript event handlers, I run it through Burp Intruder. This is a lot more efficient than checking manually; it's a lot faster than checking if onload works, then checking if onmouseover works, etc. Have all of those in one txt file and run it through Intruder to see which events are not being blacklisted.

Now that we've gone over the basics of XSS, let's move on to the advances in XSS in recent years. In this section we'll be talking about DOM XSS, XSS polyglots and blind XSS. DOM XSS is one of the hardest variations of XSS to find, because it requires a little bit more advanced JavaScript knowledge. In my testing experience, when I see something like usage in the JavaScript code of a function, document.write, and within that function is a call to a variable that can be injected into via the query string or a POST body parameter... DOM XSS is notoriously hard to find for many beginner and intermediate level testers.

Now let's talk about sources and sinks. Sources and sinks are used in data flow analysis. For the purpose of this module, let's keep it simple: sources are where the inputs go, and sinks are where those inputs end up. In simpler terms, your XSS injections go into a source and eventually end up in a sink, where those injections are then executed and the XSS pops. Sources are generally going to be DOM objects like document or location; read up on Mozilla's MDN docs for more details on what these are. Those inputs then have to end up somewhere, right? That's where the sinks come into play. These are generally JavaScript functions that do some kind of operation that works with those DOM objects. What does that mean? If there's any JavaScript code being passed into those DOM objects and they end up in one of those functions, the code would be run by the browser and, boom, we have XSS. Crazy, huh? What does it look like? Let's look at the line where the variable source gets initialized. It's calling location.hash.split. Now what happens after that's called? A new element gets made, and it's a div. Within that div is an innerHTML that calls that variable source. What happens after that? Then it gets made into the body and appends it into the actual HTML. What do you think is gonna happen when you load the page? Well, if you put the XSS payload in the hash when you make a request, when that page loads it will actually load that code into the page and XSS will pop.

Let's now go through some examples of XSS polyglots. What's a polyglot? It's just a fancy word for a mixture or combination of various things. In this case, an XSS polyglot is a combination of injections. Why would you want to use this crazy abomination? It can save you a lot of time and effort, just by using this as the string in your injections to get XSS to pop. This is more for you advanced bug hunters out there that value time and efficiency. This payload will break a lot of the boilerplate stuff out there that does not have any kind of XSS protection, such as blacklists and whitelists. It even breaks some that do have those protections. This first XSS polyglot was originally made by RSnake, and you can find it in the OWASP XSS cheat sheet. This second polyglot is a little bit more crazy. As you can see here, there's capitalization, lower case and even some comments that try to break out of anything that you might put this into. This last polyglot can break multiple contexts based on the filter that you're trying to bypass; just look at all of the different HTML tags that are in this injection.

Last on our list of advances in XSS is blind XSS. Blind XSS is one of the newer variations that has become very popular as of late. The biggest difference between blind XSS and other variations is that there's no immediate reflection after the initial injection when the HTTP response comes back. This begs the question: if the alert(1) doesn't pop, does the XSS exist? The answer: maybe. When you do a normal <script>alert(1)</script>, it may not pop on the page that you're currently on, but it may pop up somewhere else in that application, maybe even in a place that you can't even access. So how do you even test for this? To test for blind XSS, it requires you, the tester, to use some automation tools or clever scripting to check whether or not that XSS popped somewhere else in the application, which brings us to our next topic.

Now that you're acquainted with how to find XSS manually, let's look at how we can automate all of this. Here are some examples of tools that you can use to find blind XSS: XSS Hunter, Sleepy Puppy and KNOXSS. XSS Hunter is a great tool to find blind XSS. You can use a lot of different payloads to get a lot of information from when that blind XSS actually executes. Here are some examples: the vulnerable page's URI, the origin of execution, the victim's IP address, the page referrer, the victim's user agent, all non-HttpOnly cookies, the page's full DOM, and you can even take a screenshot of the affected page. This is all great to put in your submission for that blind XSS when you do submit it to the programs that you're working on. Here are other blind XSS frameworks that you can use, which you can just get off of GitHub, and they are open-source projects: one of them is bXSS and the other is ezXSS. And lastly, you can also use jackmasa's XSS mind map to really get in and see all of the different possible injection types that you can use when trying to break an XSS filter. I highly recommend using this.

Now that we've gone through all of the material for cross-site scripting, let's go through some labs. The first lab that we'll go through is called bWAPP. As you can see here, there are tons of different cross-site scripting examples that you can go through in these labs. To get started with bWAPP, go ahead and go to the website itsecgames.com and download the VBox virtual machine from there. Once you've done that, go ahead and run the virtual machine. I'm using VMware Fusion here. Download that, then set up your virtual machine and go ahead and get started. Make sure to get the IP address of your virtual machine; mine is 192.168.86.111. Then, in the actual browser that you're going to be testing on, where Burp actually is, go ahead and enter it there in your browser: bWAPP/login.php, and you'll be able to actually get into the web application. Now that you've gotten everything set up, go ahead and log into the actual application. The creds are bee and bug for the login and the password, and then you can choose whichever module you'd actually want to test.

So let's go ahead and do this one, reflected XSS. Click "Hack", enter your first and last name here, and let's see what happens. Let's just enter something random in the last name and see what happens. You can see here there's reflection. So once we've actually seen that, let's go ahead and go into Burp here and see that request. So there's the request. I usually like marking the request that I'm going to be working with, so I usually mark it green or red, whatever your color preference is, and then I'll send it to Repeater. So you can see here that there is reflection on both parameters, first name and last name. So again, let's take a look at it here in Burp. So let's search for it. All right, that's where it is. So let's see what happens; we are currently in this space. So let's see what happens if we make this a tag. Will the tag reflect? And it does. So now that we know that, let's go ahead and switch up the injection. So let's keep it with "swagnetow" here so that Repeater sees the actual text very quickly, because we had the search set up. Let's see if script reflects, and script does reflect. All right, let's try a working one; let's see if that happens. All right, looks like we're gonna have a very easy XSS here, and boom, that should fire. So what I do is I usually grab the URL of this. I could probably just refresh it here. Once I do that, there you go, you have XSS.

Let's try it on the other parameter to see if we can get the same thing. So let's take out first name here; let's see if there's a second reflection. Let's go ahead and search for it. No, nothing; nothing happened. Let's see if we put something in this. Yep, so you actually have to fill out the first parameter for the second parameter, for both parameters actually, to pop up on the page, so make sure you do that. So let's do the same thing; let's try to add this as a tag. Reflection, all right. So I'm pretty sure this is going to accept the payload that we had earlier. There you go. Once we do that, boom, there you go, that's how it works.

Let's go ahead and try a different example here. Let's try and reflect it on a POST request. All right, it looks like there isn't going to be any reflection, but let's see what the actual request looks like. So it was a POST, so you can see here that it is in the POST body instead of it being on a GET request. So just go ahead and mark that and send it to Repeater. Let's go through the same steps again. Always start slow, because you'll never know what kind of filter you're up against. So let's just make it very easy. It does put the tag in, so okay, it's gonna be fairly simple, but let's go through it slow this time. Let's do a different injection, actually; let's do it with an onload, because it autoloads. So let's see if that... yep, that definitely does work. Yep, that's definitely going to pop. Go ahead, and actually we can copy the URL, and I have Burp set up here. I have this extension that allows me to actually use and post a POST body, so I'll put the URL there and let's go ahead and execute. There you go, and that's an example of reflective XSS using a POST body. This add-on, for those of you who want to use it, is called HackBar.

So I use Firefox for all of my testing. I believe Firefox to be the superior browser for web application testing. There's a lot of stuff in Chrome, but Chrome doesn't have as many extensions as Firefox. It doesn't have this very, very neat extension here that allows you to have tree-style tabs and lets you use the browser in such a way that it's more effective in terms of the amount of space that you have to use. So these are the tools that I tend to use. I tend to use Firefox, but you can use pretty much any browser, but Burp is definitely the standard for doing your testing, so definitely do use these tools if you do end up going through these labs.
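The source-to-sink idea from the DOM XSS section, as an added example that is not part of the trainer's or Bugcrowd's material: a small static check that flags statements where a DOM source (or a variable assigned from one) reaches an HTML or code sink, run over a constructed snippet that mirrors the location.hash to innerHTML page the module walks through. The source and sink lists are a hand-picked subset, and the snippet is constructed for this example.

```javascript
// Added example (not the module's own code): minimal DOM XSS source-to-sink
// check. Lists below are a hand-picked subset of the usual DOM sources/sinks.
const SOURCES = ["location.hash", "location.search", "location.href",
                 "document.URL", "document.referrer", "window.name"];
const SINKS = ["innerHTML", "outerHTML", "document.write",
               "insertAdjacentHTML", "eval("];

// Constructed sample: lines 1-4 mirror the vulnerable page from the module;
// lines 5-6 render a source safely via textContent and must not be flagged.
const SAMPLE_JS = [
  'var source = location.hash.split("#")[1];',
  'var div = document.createElement("div");',
  'div.innerHTML = source;',
  'document.body.appendChild(div);',
  'var safe = document.createElement("p");',
  'safe.textContent = location.search;',
].join("\n");

// Returns one finding per statement where a source, or a variable assigned
// from a source, reaches a sink. Taint is tracked per simple assignment only,
// which is enough to catch "var x = location.hash; el.innerHTML = x".
function findDomXssFlows(js) {
  const tainted = new Set();
  const findings = [];
  js.split("\n").forEach((line, idx) => {
    const text = line.trim();
    if (!text) return;
    const usesSource = SOURCES.some((s) => text.includes(s));
    const usesTainted = [...tainted].some((v) => new RegExp(`\\b${v}\\b`).test(text));
    const sink = SINKS.find((k) => text.includes(k));
    if (sink && (usesSource || usesTainted)) {
      findings.push({ line: idx + 1, sink, statement: text });
      return;
    }
    // Plain assignment of tainted data to a new name propagates the taint.
    const assign = text.match(/^(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*/);
    if (assign && (usesSource || usesTainted)) tainted.add(assign[1]);
  });
  return findings;
}

// Defensive counterpart: HTML-encode before the value reaches an HTML sink
// (or use textContent, as line 6 of the sample does).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

console.log(findDomXssFlows(SAMPLE_JS));
```

Running it reports line 3 (innerHTML fed from the location.hash-derived variable) and nothing for the textContent line.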