Demonstrating XSS with BeEF
By Jason • Jun 14th, 2010 • Category: SBN, Tools

Cross-site scripting (XSS) is a type of web application vulnerability that enables malicious attackers to inject client-side script into web pages viewed by other users. The idea is that in a vulnerable page, you can include your own code that runs in other people’s browsers. The non-persistent, or reflected, cross-site scripting vulnerability is the most common and easily detected type. These holes show up when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the response.
In this case, the text entered by the user in the “Company” field upon a failed login is immediately sent back to the user unaltered in the form of an authentication failure message. An attacker could leverage this to inject malicious code into the browser of the user trying to log in.
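The echo behaviour described above, written out as an added example (not code from the original post or from the application it describes): a vulnerable failure-message renderer that places the “Company” value into the page verbatim, the same renderer with the value HTML-encoded, and the reflection check a tester uses to tell the two apart. The message text, function names and the probe marker are all constructed for the example.

```javascript
// Added example: reflected XSS root cause and fix, plus a reflection check.
// Nothing here is the original application's code; names are hypothetical.

// Minimal HTML entity encoding for untrusted text placed in an element body.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the "Company" POST parameter is echoed verbatim into the
// failure message, so any markup in it becomes part of the rendered page.
function renderFailureVulnerable(company) {
  return `<p class="error">Login failed for company ${company}</p>`;
}

// Hardened: the same message with the value encoded before output.
function renderFailureSafe(company) {
  return `<p class="error">Login failed for company ${escapeHtml(company)}</p>`;
}

// Reflection check: submit a harmless probe that wraps a unique marker in
// angle brackets; the page reflects unsafely if the marker comes back with
// the raw '<' and '>' intact rather than as &lt; and &gt;.
function isReflectedUnescaped(responseBody, marker) {
  const raw = new RegExp(`<${marker}>`);
  return raw.test(responseBody);
}

// Constructed probe value; the marker is a placeholder, not a real payload.
const PROBE_MARKER = "xss-probe-7f3a";
const PROBE = `<${PROBE_MARKER}>`;

// Runs the check over both renderers and reports the outcome.
function demo() {
  const vuln = renderFailureVulnerable(PROBE);
  const safe = renderFailureSafe(PROBE);
  return {
    vulnerableReflects: isReflectedUnescaped(vuln, PROBE_MARKER), // true
    hardenedReflects: isReflectedUnescaped(safe, PROBE_MARKER),   // false
    safeOutput: safe,
  };
}

console.log(demo());
```

The probe carries no script at all: confirming that the marker survives with its surrounding brackets unencoded is enough to establish the defect, and the encoded variant shows the fix the application needs in its failure message.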


I wanted to show the client that this is an issue, and I wanted to use something beyond, “look, this makes a pop-up box on the client that says ‘vulnerable to XSS.’” To do this, I used the Browser Exploitation Framework.
BeEF is the Browser Exploitation Framework. It is a tool that can be used to demonstrate the real-time impact of XSS browser vulnerabilities. It uses a modular structure, making new development a trivial process. It can demonstrate the collecting of zombie browsers and browser vulnerabilities in real time. It provides a command and control interface which facilitates the targeting of individual or groups of zombie browsers. Current modules include Metasploit, port scanning, keylogging, Tor detection, and more.
The vulnerable form in question uses POST variables. As a proof of concept, I created an HTML page with a form and JavaScript that runs when the page loads, attempting authentication against this login form with script from BeEF injected.

When a user of the application loads this page, he will automatically get redirected to the login page. In the user’s browser, BeEF loads JavaScript in an iFrame and is able to capture keystrokes. As the user types in his credentials, the attacker can see them from another terminal.

The Browser Exploitation Framework has a lot of other fun modules besides keylogging. I highly recommend playing around with it to see all it can do. At the very least, it’s useful in demonstrating that there is real risk in XSS vulnerabilities. The easiest way to get it up and running is to use a Linux distribution with BeEF pre-installed. The Samurai Web Testing Framework comes with BeEF and lots of other web application security tools.
Sources:
- XSS Cheat Sheet – http://ha.ckers.org/xss.html
- BeEF – http://www.bindshell.net/tools/beef/
- SamuraiWTF – http://samurai.inguardians.com/
