XSS Tunnelling
About XSS Tunnelling
What Is An XSS Channel?
How Does XSS Shell Work?
Points of Interest
Why Is It Better Than The Classic XSS Attacks?
What Is XSS Tunnelling?
What Is An XSS Tunnel?
Why Tunnel HTTP Traffic Through An XSS Channel?
Benefits Of XSS Tunnelling
How Does XSS Tunnel Work?
An Attack Process
Ferruh Mavituna
Figure 1: This figure will shed a small light over the process
The XSS Shell is an application which has three main parts. First, the server-side part of XSS Shell coordinates the shell between the attacker and the victim. It is a server-side application that requires ASP and an IIS web server, and it uses an MS Access database as storage. The second part of the tool is client-side and written in JavaScript. It loads in the victim's browser and is responsible for receiving and processing commands and for providing the channel between the victim and the attacker. This code was tested under Firefox, IE6 and IE7. The final part of XSS Shell is the administration interface, from which an attacker can send new commands and instantly receive the responses from the victims' browsers. Again it is ASP and requires IIS.
The following steps do not wait for each other; each runs continuously, checking for responses and requests at specified time delays.

1. An attacker infects a website with a persistent or reflected (temporary) XSS attack which calls the remote XSS Shell JavaScript.
2. The victim follows a link or visits the page and executes the JavaScript within that domain.
3. The victim's browser begins to perform periodic requests to the XSS Shell server, looking for new commands.
4. When the victim's browser receives a new command (such as Get Cookies, Execute custom JavaScript, Get Keylogger Data etc.), it is processed and the results are returned to the XSS Shell.
5. The attacker can push new commands to the victims' browsers and view the results from the XSS Shell administration interface.
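Step 3 above is the property a defender can look for: a browser that keeps requesting the same external endpoint at a near-constant interval. The script below is an added example, not part of the original paper or of the XSS Shell tool; it flags such regular polling in outbound proxy logs. The log format, client addresses and host names are constructed for the example.

```python
"""Spot periodic command polling in outbound web-proxy logs.

Added example, not part of the original paper: a browser polling a
command server shows up in proxy logs as one client fetching the same
external endpoint at a near-constant interval. Log format, IPs and host
names are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample log: "<ISO timestamp> <client ip> <method> <url>".
# 10.0.0.5 polls one endpoint every 2 seconds; 10.0.0.9 browses normally.
SAMPLE_LOG = """\
2007-03-01T10:00:00 10.0.0.5 GET http://attacker.example/xssshell/?r=1
2007-03-01T10:00:01 10.0.0.5 GET http://intranet.example/page.html
2007-03-01T10:00:02 10.0.0.5 GET http://attacker.example/xssshell/?r=2
2007-03-01T10:00:04 10.0.0.5 GET http://attacker.example/xssshell/?r=3
2007-03-01T10:00:06 10.0.0.5 GET http://attacker.example/xssshell/?r=4
2007-03-01T10:00:07 10.0.0.5 GET http://intranet.example/img/logo.png
2007-03-01T10:00:08 10.0.0.5 GET http://attacker.example/xssshell/?r=5
2007-03-01T10:00:10 10.0.0.5 GET http://attacker.example/xssshell/?r=6
2007-03-01T10:00:00 10.0.0.9 GET http://news.example/
2007-03-01T10:00:03 10.0.0.9 GET http://news.example/story/1
2007-03-01T10:00:13 10.0.0.9 GET http://news.example/story/7
2007-03-01T10:00:35 10.0.0.9 GET http://news.example/story/9
"""


def parse_line(line):
    """Split one log line into (timestamp, client, method, url)."""
    ts, client, method, url = line.split()
    return datetime.fromisoformat(ts), client, method, url


def endpoint_key(url):
    """Group by scheme, host and path. The query string is dropped because
    a polling client often varies it (cache busters, sequence numbers)."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}{p.path}"


def find_beacons(log_text, min_requests=5, max_jitter=0.25):
    """Return clients that hit one endpoint at a near-constant interval.

    max_jitter is the allowed coefficient of variation (stdev / mean) of
    the gaps between consecutive requests; 0 means perfectly regular.
    """
    stamps_by_key = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = parse_line(line)
        stamps_by_key[(client, endpoint_key(url))].append(ts)

    findings = []
    for (client, endpoint), stamps in stamps_by_key.items():
        if len(stamps) < max(min_requests, 2):
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "client": client,
                "endpoint": endpoint,
                "requests": len(stamps),
                "interval_s": round(avg, 2),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} polls {f['endpoint']} every ~{f['interval_s']}s "
              f"({f['requests']} requests, jitter {f['jitter']})")
```

Tune `min_requests` and `max_jitter` to the traffic you see: legitimate auto-refreshing pages also poll regularly, so the output is a candidate list to correlate with the destination's reputation and with which page the client had open, not a verdict on its own.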
Points of Interest
XSS Shell communication relies on remote JavaScript loading in order to bypass the same-origin policy. On first execution, XSS Shell re-generates the page. Thus even if the victim follows a link, XSS Shell will remain in the page and therefore allows the attacker to keep control of the victim's browser. As long as the victim keeps that window open (even if the victim follows a link to another website), the victim's session will remain open and the browser will follow the attacker's commands. Some XSS Shell commands are shown below:

- Get Cookie
- Get Current Page
- Execute custom Javascript
- Get Mouse Log
- Get Keylogger Data
- Get Clipboard
- Get Internal IP Address (Firefox - JVM)
- Check visited links (CSS history hack)
- Crash Browser (if you don't like your victim!)
It is open source and it is quite easy to implement new commands such as port scanning. XSS Shell is especially dangerous with persistent XSS vulnerabilities, because an attacker can easily infect hundreds of browsers and manage them simultaneously.
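The first point of interest above, that XSS Shell depends on the infected page being able to load script from a remote host, is where a site owner can cut the channel. The check below is an added example, not part of the original paper or of XSS Shell: it inspects a Content-Security-Policy header and reports whether its script sources still allow script from arbitrary origins or inline script. CSP did not exist when the paper was written and is assumed here as the current mitigation; the header strings are constructed.

```python
"""Check whether a Content-Security-Policy restricts remote script loading.

Added example, not part of the original paper: a script-src that names
only trusted origins denies the remote script load XSS Shell relies on.
Header strings below are constructed.
"""

# Source expressions that let script come from effectively anywhere, or
# that permit inline script, which an injected XSS payload uses directly.
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:", "'unsafe-inline'"}


def parse_csp(header):
    """Parse a CSP header into {directive-name: [source expressions]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_source_findings(header):
    """Return a list of problems with the policy's script sources.

    An empty list means script may only load from explicitly listed origins.
    """
    directives = parse_csp(header)
    # script-src falls back to default-src when it is absent.
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: script may load from any origin"]
    findings = []
    for src in sources:
        lowered = src.lower()
        if lowered in BROAD_SOURCES:
            findings.append(f"script-src allows {src}")
        elif "*" in lowered:
            findings.append(f"script-src allows any host matching {src}")
    return findings


if __name__ == "__main__":
    for header in (
        "default-src 'self'; script-src 'self' https://cdn.example",
        "default-src 'self'; script-src 'self' * 'unsafe-inline'",
        "img-src 'self'",
    ):
        print(header, "->", script_source_findings(header) or ["ok"])
```

A policy that passes this check still needs the listed origins to be ones you control; the check only tells you that script cannot be pulled from an unlisted host, which is the specific dependency the paper describes.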
Figure 3: Sample XSS Tunnel session tunnelling for a web application vulnerability scanner
An Attack Process
1. Set up the XSS Shell Server.
2. Configure the XSS Tunnel to use the XSS Shell Server.
3. Prepare the XSS attack (submit to a vulnerable website or send a link etc.).
4. Launch the XSS Tunnel and wait for a victim.
5. Configure the tool or browser to use the XSS Tunnel.
6. When you see a victim in the XSS Tunnel, start to use your browser / tool for the targeted domain.