Hi malware fighters,
There are all sorts of existing exploits to compromise a certain website. One of the tactics is to use a form of XSS exploit (formally also named cross-site scripting). Here we have an example of such a recent exploit:
http://www.xssed.com/mirror/68375/
If we use %22%27%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E and enter that into Google with our firekeeper add-on running and active, it alerts the following:
=== Triggered rule ===
alert(url_content:"%3CSCRIPT"; nocase; msg:" tags GET request cross site scripting attempt"; url_re:"/%3Cscript.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
=== Request URL ===
http://pmw90687.surfcanyon.com/queryReformulation?partner=wot&authCode=pmw90687&format=jsonp&callback=contentscript.callback1&q="'><script>alert(document.cookie)<%2Fscript>
But what is this? Here we see a try by a simpleton: http://forum.symfony-project.org/index.php/m/85312/
Further analysis for PHP can be found here: http://www.pointblanksecurity.com/xss/
Here are some proofs of concept for WordPress: http://hkhexon.wordpress.com/
But be careful on your quest, because the sites with this info can themselves be malicious:
htxp://extraordianry.ex.funpic.de/ is reported clean here: http://www.urlvoid.com/scan/extraordianry.ex.funpic.de
but blocked by the avast shield as HTML:iFrame-OC [Trj] (Trojan JS.iFrame.nk according to the M86 Security URL scanner)…
But one gets a fuller insight into input validation holes… so firekeeper protects, detects and educates.
Firekeeper extension: http://firekeeper.mozdev.org/
* Ability to scan HTTP(S) request URL, response headers and body, and to cancel processing of suspicious requests
* Encrypted and compressed responses are scanned after decryption/decompression
* Privacy friendly - no data is sent to external servers, all scanning is done on the local computer
* Very fast pattern matching algorithm (taken directly from Snort).
* Interactive, verbose alerts that give the ability to choose a response to a detected attack attempt.
* A detailed view of suspicious response headers and body
* Event logging
* Ability to use any number of files with rules and to automatically load files from remote locations
polonus
Hi malware fighters,
If you have firekeeper on a Mozilla browser, with the malware and mozdev.org rule lists loaded, and want to pentest it, go here:
http://code.google.com/p/pentatools/source/browse/trunk/WebTester/Pattern/3.+Cross+Site+Scripting.test?spec=svn5&r=5
And I think firekeeper gets them all; for example, script 217 flags:
=== Triggered rule ===
alert(url_content:"%3CSCRIPT"; nocase; msg:" tags GET request cross site scripting attempt"; url_re:"/%3Cscript.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
=== Request URL ===
http://www.google.com/search?client=flock&channel=fds&q=GET+%2Fsysuser%2Fdocmgr%2Fupdate.stm%3Fname%3D<script>alert(document.cookie)<%2Fscript>+HTTP%2F1.0&ie=utf-8&oe=utf-8&aq=t
and you will get 48 Google results for its use…
Here is an example where it has been turned into a known bot; you can see it in action here:
htxp://www.botsvsbrowsers.com/SimulateUserAgent.asp?UserAgent=%3Cscript%3Ealert+(document.cookie)%3B%3C%2Fscript%3E
and what it shows on a search:
htxp://www.botsvsbrowsers.com/SimulateUserAgent.asp?UserAgent=%20script%3EALERT+%20DOCUMENT.COOKIE%20%3B%20/script%3E#47967951364783457915
NoScript will alert you here and detect!
pol
Hi malware fighters,
As I already reported, we can do further testing with Interpolique: http://recursion.com/interpolique_xss.html
Example put in there: alert(url_content:"%3C"
Output:
Intermediate: Base64.decode("YWxlcnQodXJsX2NvbnRlbnQ6IiUzQyI="); (goes under the radar)
Final (Parsed as Text): alert(url_content:"%3C"
Final (Parsed as Safe HTML): alert(url_content:"%3C"
polonus
Hi malware fighters,
Another plumbing-the-holes list:
http://drupal.org/files/issues/XSS.txt
Now let us load up another tool and see what is going on there.
Get webbug from here: http://www.cyberspyder.com/download/setupWebBug.exe
This is a fun program. For instance, you see that a site uses Medusa as a brute-force testing tool; you know there are certain bugs in this tool and the website has not upgraded. Well, if you are the web admin of that particular site, I guess you know what you should pen-test instead of relying on good old Medusa,
so trust no one and be aware…
Hi malware fighters,
Here I tried the detection for a new XSS exploit of sdiff.php, which compares two different PHP files. The query-string parameters named "first" and "second" both expect a PHP filename. If an invalid filename was provided, an exception would be thrown and an error message would be displayed. The actual XSS bug was found here, and is described in extenso here: http://xs-sniper.com/blog/ & http://rgaucher.info/planet/
Our firekeeper had detected it in no time…
=== Triggered rule ===
alert(url_content:"%3C"; url_content:"%2F"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %2F. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
=== Request URL ===
http://api.search.yahoo.com/WebSearchService/V1/webSearch?appid=flock-search&query=http%3A%2F%2Fapiwiki.twitter.com%2Fsdiff.php%3Ffirst%3DFrontPage%26second%3D<XSS-HERE>&zip=&start=1&results=4&region=fr&fr=flo2
As a second line of defense, if one has the Netcraft toolbar installed on Flock or Fx, another warning will follow and the site will be blocked if you want that… so the Netcraft toolbar is a nice companion to the firekeeper extension,
polonus
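As an added example (not firekeeper's own code), here is a small matcher for the two firekeeper rules quoted in the Triggered rule blocks above, run over constructed request URLs modelled on the ones in this thread, plus a check for the base64-wrapped payload that the Interpolique test showed going under the radar. It assumes Node (for Buffer), and the query-string normalisation is our own assumption, not a description of how firekeeper works.

```javascript
// Added example, not firekeeper's own code: a matcher for the two firekeeper
// rules quoted in this thread, plus a check for base64-wrapped payloads.
const RULES = [
  { msg: " tags GET request cross site scripting attempt",
    urlContent: ["%3CSCRIPT"], nocase: true, urlRe: /%3Cscript.*%3E/i },
  { msg: "Suspicious looking GET request containing %3C, %3E, and %2F. Suspiciously HTML-like.",
    urlContent: ["%3C", "%2F", "%3E"], nocase: false, urlRe: null },
];
// Assumption (ours, not a description of firekeeper): encode '<', '>' and '/'
// inside the query string so a literal "<script>" matches like "%3Cscript%3E".
function canonicalQuery(url) {
  const i = url.indexOf("?");
  if (i < 0) return url;
  const enc = (ch) => "%" + ch.charCodeAt(0).toString(16).toUpperCase();
  return url.slice(0, i + 1) + url.slice(i + 1).replace(/[<>\/]/g, enc);
}
// A rule fires only when every url_content needle and the url_re all hit.
function matchRule(rule, url) {
  const hay = rule.nocase ? url.toUpperCase() : url;
  const needlesHit = rule.urlContent.every((n) =>
    hay.includes(rule.nocase ? n.toUpperCase() : n));
  return needlesHit && (rule.urlRe === null || rule.urlRe.test(url));
}
// Returns the msg of every rule that fires for the request URL.
function scan(url) {
  const u = canonicalQuery(url);
  return RULES.filter((r) => matchRule(r, u)).map((r) => r.msg);
}
// Interpolique case: the payload rides inside a base64 parameter, so no rule
// ever sees "%3C". Decoding base64-looking values and inspecting the plaintext
// is one way to close that gap (Node's Buffer does the decoding here).
function hiddenTagInBase64(url) {
  const i = url.indexOf("?");
  if (i < 0) return false;
  return url.slice(i + 1).split("&").some((pair) => {
    const v = pair.slice(pair.indexOf("=") + 1);
    if (v.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(v)) return false;
    return /<|%3C/i.test(Buffer.from(v, "base64").toString("utf8"));
  });
}
// Constructed request URLs modelled on the ones quoted in the thread.
const SAMPLES = {
  cookieAlert: "http://example.invalid/search?q=%22%27%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E",
  sdiff: "http://example.invalid/search?query=http%3A%2F%2Fwiki.invalid%2Fsdiff.php%3Ffirst%3DFrontPage%26second%3D<XSS-HERE>",
  benign: "http://example.invalid/search?q=cats+and+dogs",
  interpolique: "http://example.invalid/page?p=YWxlcnQodXJsX2NvbnRlbnQ6IiUzQyI=",
};
```

Calling scan(SAMPLES.cookieAlert) fires both rules, scan(SAMPLES.sdiff) fires only the %3C/%2F/%3E rule, and the Interpolique URL fires none until hiddenTagInBase64 looks inside the parameter.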
Hi malware fighters,
But how to search? Here is some lore for pentesters; I give an example of a vulnerability-seeking pattern:
search for SecurityFocus's advisory on a particular software issue
then look at a website that uses anything connected with that particular issue
it has a string that says something like "powered by the software version with the issue"
use that string in Google
and find the sites that use that .......
Hi! You now have a bunch of sites that are vulnerable to these particular cross-site scripting (XSS) exploits;
extrapolate to your own security situation... and protect.
Like many security issues – take malware as an example – attack vectors are always a moving target.
The role of the browser plug-in developer is to do everything he can to keep people safe
without them having to do a lot of extra work, and with firekeeper, when you know how to translate Snort rules to firekeeper rules, you can be of great help. Thanks to Jan Wróbel for developing this add-on for us…
a whole new security world opened up for me,
polonus
N.B. Important note: pentesting is only for websites that belong to you and where you have got explicit authorization to pentest, and then exclusively for security evaluation purposes…
Hi malware fighters,
About using script as browser agents: http://www.botsvsbrowsers.com/category/16/index.html
another list can be found here: http://www.user-agents.org/index.shtml?t_z
Go to the Test Track and launch…(you will have to toggle NS and RP to allow full functionality),
but again this is not for the meek anyway…
Well, test-drive one of these 185, and let me add nr. 186 for you here:
<?php
// Fetch a page through curl, following redirects. The URL is shell-quoted so
// that characters in the caller's input cannot add extra shell commands.
function fetchPage_anonymous($url)
{
    $var = shell_exec("/usr/bin/curl -L " . escapeshellarg($url));
    return $var;
}
?>
enjoy, my friends, enjoy,
polonus
Hi malware fighters,
Another user agent one could test at BotsvsBrowsers:
<script>
function utmx_section(){}function utmx(){}
(function(){var k='0796200644',d=document,l=d.location,c=d.cookie;function f(n){
if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);return c.substring(i+n.
length+1,j<0?c.length:j)}}}var x=f('__utmx'),xx=f('__utmxx'),h=l.hash;
d.write('<sc'+'ript src="'+
'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
+'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime='
+new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+
'" type="text/javascript" charset="utf-8"></sc'+'ript>')})();
</script><script>utmx("url",'A/B');</script>
Furthermore, a nice collection here: http://www.useragentstring.com/pages/useragentstring.php
polonus