XSS and XSRF Together

Introduction

  • Web application vulnerabilities

  • XSS

  • What is XSRF?

  • Code

  • Demo!

Vulnerabilities

  • Content can be framed.

  • Cross Site Scripting XSS.

  • Method interchange (POST and GET).

  • Cross Site Request Forgery XSRF.

  • User enumeration via forgot password function.

  • Administrators can disable their own account.

  • ... and many others ...

XSS

  • Cross Site Scripting, aka XSS, script injection.

  • The application had a help desk function.

  • Any user could create a troube ticket.

  • Ticket will be first viewed by administrator.

  • Script executes in the administrator browser.

  • Administrator can perform all of the functions vulnerable to XSRF.

XSRF

  • Cross-Site Request Forgery is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated (OWASP).

  • This attack takes advantage of the application trusting any transaction coming from a browser where a user has an existing and valid session, or where one can be established automatically (SSO).

XSS + XSRF

  • XSS and XSRF are like cousins, that get along very well, sneaky mischievous cousins.

  • Persistent Admin XSS within the application guarantees the attacker that the administrator will execute the code, the code will execute the XSRF transaction (s).

  • We want more than one transaction, hence the multi-post.

Requirements for XSRF

  • The user has an existing or can create automatically a valid session.

  • The transaction has predictable parameters.

  • The victim click on a link, or types in a URL, or XSS.

  • The transaction is attractive to the attacker.

  • The attacker has knowledge of the above, or is very lucky.

XSRF Functions

  • All the interesting ones in this app are as admin.

    • Add a user.

    • Change user password.

    • Put user in group.

    • Enable user.

    • Disable user.

    • Logout.

Google-Foo

  • Needed to find multi-post XSRF code.

  • Found Tim Tomes @lanmaster53

  • We based our code on his. He and Ethan Robish based their code on

Pseudo code

  • HTML to inject in XSS.

  • 1 form per transaction.

  • 1 iframe per form.

  • <body onload="runme();">

  • JavaScript:

    • The runme submits the forms one by one, in order, waiting for each one to complete.

Needed a vulnerable app

  • Back to Google.

  • I needed and an app that was vulnerable for live demo -> Omeka.

  • Free open source content management application.

Omeka

  • Is vulnerable to XSRF in admin functions.

  • I could not use the application the I did the pen test for as a demonstration or public PoC.

  • Omeka is easy to install and easy to exploit!

XSS

  • The persistent XSS in Omeka is in the API keys function.

XSRF Defences

  • Add a random nonce/token to important forms. The only real defence, performance issues.

  • Referer HTTP header, Origin header, Captcha, reauth, OTP. UX!!!!

  • Use multiple forms, easily bypassed by multi-post technique.

PreviousBurp SuiteNextNoSQL Injection

Last updated