Advanced XSS Attacks

for you well today's you taught me to appreciate it thanks for these sides gravity here oh good one here you ok I can't get myself protection this but um so real quickly enjoy the other lot size to get through this is kind of a two-part talking pets you don't want so Ruby moving kind of fast at stop sign me feel free to ask logical trying but this is an orphan children conscripting like that um so today introduction real quick out engler dance expressions yes cross-site scripting and then we'll go to talk about hibernate and single injection through heaven and a little bit of prevention of stuff to you no plans of tarqah Q&A alright so as is

injurious minus K star now for the kitchen security consulting before I'm done security work under the sky over here and the new code reviews about other patient assessments and this promotion majority of time the small let's do it call for training I remember open organization law Pickers kochetkov rebooting the last name and a big ruthless DC 2 of 7 thing failing at that for a while how many people have done any angularjs worth a few home okay um it's only I'm still learning I feel like many times how many obstacles oh that's silver party won't worry oh boy you know it's going to do it so engler chance is a front end of JavaScript framework

developed at Google this is going to be picked up on google and a lot of the Google Apps of your degree so if you're the term a single page application is where this comes from others angularjs backbone and forecast of all so the frameworks for making really rich you I heavy client-side applications bolson we're behind us rest api that Norfolk JSON permit data retrieval updating data that my goodness it will step into code and you can see here looks mostly like HTML is something we have some additional stuff here that individuals provides interestedly money energy on season long aw d HTML so they have what they call directives or attributes that we can add in resemble you know but aren't actually

HTML and what you'll see all the time this will be important later on is the NGF directive kind of bootstraps our application so when the page first hotel anchor chances of ability to look for this ng-app directive customers have served please copy itself important a good one is an anchor jess will actually build the top of that and this is where it starts doing that process it starts building looking through the technology bottle that says that rebuilding the vehicle directives there's no the little to hear ng repeat very much like if you've done any time a template programming very significant energy acid is also object or capable smart so if you have like this featured products Oh

ray or list and behavior it through product and English just will repeat this here I'm really completely the important part on don't want to kind get back on so this is where because we're going positive these are grown as expressions and they're just these are valued at the client site so product that name will be evaluated in April product rather than inside now that's only dawn on the client side papi server side so here's another one day g source has view image URL of very similar so this is an angular portion of this position on that's good just plenty to help so this is why he's one can sent to the client so one thing about John of

first day there just expresses vs of JavaScript expressions is they are kind of it it's pointless it global functions equities and so the limitations that you would think that a function is no control those statements it doesn't offer filters like the straightest one here the currency especially a built-in filter puts like currency amounts so we have some limitations here but you're still some issues here and no not about Japanese zero days I'm going to hear you're really fit aside we learn you know court's order pair of days has haunted reputation of the website and he's got essentially sandbox escape sorry Oh every version of angularjs most recent wants to talk how many that I go yeah

but he goes it isn't a lot more detail and it's really hard to explain the same last escape life on screen at riding it doesn't work out too well but he doesn't even kill off all cookies development of that which is pending so here it is here this is a sandbox escape so what we're doing is you have a English its expression put it will go to this like brouhaha this little park on this English s expression essentially is built in a way that breaks angularjs code so we rejecting our payload into English as itself so one of these arts going on here is we got this here what we're doing this where one thing that's

really cool with javascript is you can the prototype functionality have predefined functions we can overload that we can create the most on the fly so if you were essentially of back dooring the character I function and reason we do that is that where this is being used in a dress code of since fear can use it with the rainy joy here anytime that character is all it's actually a great option and then email this is a built in angular motion and it's essentially reduce if you evaluate our code and then when that happens for us apart here is built this is what's actually being attracted in engler to fix this effects so that the entire

English Jessica doesn't freak then our payload is something you would want to use it this and we can use this anywhere we want for version 1 dot 49 pain to the gas which is old photography of course be civil here so then be this simply swap out or loved one the point of our payload cab fares our exercise however a couple other things did happen um and I'm just going to show the phone for this because when I started learning this is start playing oh then hope you up on Rebecca trusted uh is any uh is anyone done today I

I this playful has a weight so has anyone got any like jSPL code java template languages yeah little bit so when the interesting games was up but in order for the process with applaud actually Peter you're not going to subtract straight through it to the angular app maybe pile a'dope hooker Wendy's habit is of an anchor jan spirit of application to actually call itself that gets a client-side paper is vexing use on the client side and what happens is if the developer has a page that the JSP page versus interpolated basically essentially compiled server side if they have angularjs code in there then expression stuff or your piping on some of her e essentially is basically making

it vulnerable to process rivet if the site is it's a new page application this is brian on the client side it does the HTML code all the expressions to be operational podiums was no culpability there well one of the very interesting to me for the really interesting things that I have now so here we have this little English a sandbox all invisible search function you can search for a company or whatever um but so what we can do is we can see if we can try our halo here

Robbie

let's do this I'm just doing this so now you know I don't get any weird characters all right so we can try the typical you know home loss nomar one that's wonderful it was just a test see that ok then execute ok if you look at this once code here that

her now like with problem like you have to click on all the page I guess so you can see her that it is actually all pretty pony property but this isn't actually English s this is dr. beside via the Java template library and the so this is the this is the page views kind of standard surface I drama template language structure here pretty great to the customers of the search box and then the natural result page again instance in GSP if you see here there is no English yes on us at all it's all java sort of template pages but we do have the JavaScript or angler GS o being included total signals but those make

use of language yes so I see this before when developers are moving to English yes from another paper so if at all times you can swap out everything city of eastvale well we have been shocked director bootstrapping and also include the script source here and discipline of the plate to get angular to work so we do on the england vs scripting we leave the page as well as angie app so it would boost dropping a bomb that page so you don't have to search results here okay but there's no name is called SQL server side stuff but you can see that you can trying to pin it out

see if you get a cross-site scripting fall now what about health minute because what this essentially is is that we are able to team if those two conditions is this if the ng op is there a big boost wrap and then the template thank God is being served up is also done service on of user control the data you don't have to use angularjs expressions anymore because this we're objecting into angularjs and use eval to trigger that [ __ ] we're going to break the internet you have script and trigger our feel that way so essentially what this means is that any developer who's moving to England she asks America scripts in you know templated somewhere

that part out cash these vulnerable cross-site scripting even though the are doing HTML coding because the JSP stuff but the CL that does HTML coding that was what we just saw in without being coded as a positive hope there are no scanners I don't pick this up and this could easily miss of us must go to you because this is constantly so I thought it was really interesting that wasn't expecting that I thought like you have to be using an English yes express oneself on that page which we reduced it but I'm creative I do make sense any questions about that so far so do you only indication that they use an angler of the TL that's not a neighbor s that's

only that's the gym javaserver template library jSPL so like there's no able on this page at all instead of for the NGF directive and then the script that includes angular asset to the page so yeah unless you knew that they were using angular and knew that like this is very probable that this was coming from that the CL values were planning for user control like what no this is olive oil at all yeah so would you recommend let's see you just get a whole I can zip file code or code review just just prep for mg app and find out where if it exists and then locate it and then go from there with that you want approach

to try to be more efficient to focus it zero in on those i think what i what i would do is an understanding of the applicator my views are sore so you don't Diana if let's say you're doing both you'll be going in for the web but you also get the code as well yes so what I would make sure I understand like what's age or the life-sign poker it without part of things and Virg yes you know my favorite deviation how many theoretically we should have any templates being handled service on the apprentice server side and England just like this isn't something that made control like this I moment or ENSO a bit just because if you

misuse by the developer so when i'm looking to the girls 8 I start seeing like okay with GSP pages and starting like English a sort of using up a plasticizer something else up there i would start looking and see if that script in geography is including everywhere it's only needed the root of the elements where angular dress is being applied you don't we needed up enumeration this is some Rollins so you did love let see there that hybrid stage we're going from that to that with your recommendation which make sure to get their own way or if I was in developer I probably try knowing this I would probably only include to be cuz we'll

have a mere of an ipod inclusion jennifer gets ripped AGG assault a to wherever I needed it so what if i'm using the uploader temple later sometimes that's will be applied everywhere the site i try and limit it to America needs to be and then also make sure that those resources that have it or serve statically and about the integrity name of a pre population on the server side all right oh okay perfect so I'm going to move on to the hibrane yourself just be able to monitor and quite a few more slides

okay uh wait so anyone falooda harmony yeah it's pretty hard harmony is an object-relational mapping tool for travel and it makes the database work in the job and I'm really using essentially what became in harmony for her comp pad and essentially like people became correctly but it's hard oh right sure looking at this I was gonna pay myself my phone these guys did some pretty paws and this one's coming off I packed in the boss 2016 day I'm looking for that one hazira I think you getting some new Ray's eagerness but I've got a lot of work ahead remain like isn't over and I already told work on ops and they know this this guy here River not also has a

great presentation these sliders references fees will get this on Jack but this is not a really good one these are very so they're very uh the are decent amount of knowledge on your part of your going to draw but so every all traditional optical what it does is essentially case files listed right developers need to travel classes instead of Brenda database directly to select a nice impulse a cyst between RS new album in our database where that is workable most grasses and hibernate will generate got sequel for us everything else does a platform it's really possible at informants if we want to swap swap the ABA says help you don't have to mess with right all and it is a

pretty good i'm performing and especially if it did bathroom scale if you're writing a web app and child your pop music so here's an example what we might even Oh left here we have a little table little bottles of data here and on the right be out of our customer class and here is this a plain old java off there's nothing special about this but this is my house of representatives in the top alone so there's the old kind of old school way of dependency is still a lot of legacy applications we have our see full up here we're getting a statement with roommate impressions of these second communi executed query the CSU a new custom project Chum to see it

beyond result and then down here down here we're getting the data from the database now and we're studying all this on there yeah this is a pretty simple power amounts of elitism so powder that is pretty well known and kind of inspired the design of heart beating so when I read eight though here's where is what would like using the h2o math to prepare communities by raiding party language so you have a aconitine come from somewhere so here's a each bolstering see that it's a simple format but we're also working with this custom object is capital C business representing our class so it allows us how Yuki Scrolls an object-oriented method to finger actually make

encouraging us on objects confidence itself be recreated a creator query and then the data and then we persecuted we get the unique resolve and this is how people to populate this constant object for us so now we just have a custom object work now to do any kind plug additional happy the stuff here there so this is what that cost looks like a hybrid hybrid mapping supplying the oranges annotations are going to fly on the fastest a up to here this is how this maps into the column of the put the data type up your work in the solar screen or acceptor um you girls do like you know if you want to map like a joint

condition that there are also not too so you can join one object to another everyone take care of the eternal mapping peoples have models so exploding hibernate queries so I'm going for a linkage is similar to see home it's not really a super cetera subset but its unrestricted what we can do is fully object-oriented so developers working in customer objects and user objects or products not single birds and the HTML language uses the objects the only about properties along with their other objects like if the above object here I can applaud game wasn't apt we couldn't punch out on HTML and go here's our map objects razandrich properties are comedy for second jhana object because aliens

columns and that's essentially a very simple HTML query but we also consume people to injection just like regular chain pc coder see polar actually a new are formatted sequel statement office drinking combination you can see that the safety happens here where we have the butler has built a site query out but we're adjusting right into here as usual controllable this is what the injection would happen then don't respond straight off to the create very Paul announced needed counsel to the database and then prepare even run so this is what might look like if you are testing something and i love the except up here and obviously in a riddle but what application popping up in his

factories like this I opened the uh-oh care if you just inserted in a bowl this is just a single tape just you all coated single thing mark and just like your own test for sequel injection boy you'll notice here we get an assumption is a hybrid a query exception to be broke the HS well honest some fanciful so child's play an exception about that so you don't have an alibi full-scale he hope if you fix it so this is a where our queries been injected and you can say okay hibernate grilling there's this law firm of conditions of former and etc and so we're going to try to reassess apology here so that we can see

everything in the database what my tables rod and so when they here's what our query or injections on the flight and then got to be mind that will be injected here we don't have anything you don't have to take control over in the stuff here only what's here so we're essentially fixing rested on queries Ross so we tried that and it checked out and we'll see okay it worked no hardly any first aid in here put as a valid HTML statement so now at this point okay we have an HTML injection but because of limitations of age 12 there's only so much we can do about your potentially query or somehow enumerate columns and properties on mountain air second

captain the locals are and if you don't have the assumptions have been very typically do that at the same time maybe there's no juicy data that you can access that way right you only work with the mouse properties so we're trying here at davids another table in David's but that's not a percentage by the application and can't access it I things I've been able to develop Commission schema or unless for some reason developers but fortunately for us so we don't need to order of that because all of it will any of these HTML injections we can actually create a sequel injection awful hold on just read the sequel injection so here we have Total Film you essentially have the scroll

injection which is what you can solve but then we also have to insert internet a sequel injection and then is pass on executed in database so it only make this work a couple really just in case here vm first two different escape condoms of needed in to break out of the HTML flexor and also to interpret to the sequel to the first one in time page 12 of a slash is not America and h 12 uses a single tape to escape two tix to civil propecia marks you can find these to break that age 12 Xers because we're escaping this a single quote they can use a telephone to book whose acetyl the two textures escape one which the

backslash entities quals fine it's not escaping anything during this past off to the simple injection the backlash is escaping a single pic actual people yes so you see if you do that we get an actual jdbc exception don't have minus equal except right now bro cannot know of any people a bubble and we're actually executing did you see my all see for my butt and at that point just like the sandbox escape for cross-site scripting language s may have essentially an escape right we have a poem that week analogous objection horny but again the sequel itself is be valid as well as each well if you can't break you the one of those who sought to work

and again yeah this is where it gets tricky this is here on a second assumption reception um so again we're back to his normal Prairie pattern we're back to the great pattern for before so this is where injection is going so we're gonna start simple now I recommend doing this if anyone does hi testing and try to exploit seal interactions when the person side view is trying my body can come up let that very much look like and start filling it up from there so just place holder values etc so okay if you have this injection for here so okay well you'll try the simple thing you want their on this because maybe it's not like you don't have a pretty wild

card on Yancy that's a lot to figure that out but it'd be out of this in there this is still h12 may be okay beyond the results family I was expected because it's an you know it's not a true statement so I hope this build upon it but it's this column you know it's a valid HTML / let's move on no okay let's try and get into simple gesture so the red is what we're actually conducting the sequel now so we do our escape here let me have this people's one and then we're just using the column character in this you will probably come up anything else that might be there and then we're finishing off with a higher game just

like before two paragraphs a network now so at this point because every walk with their normal sequel injection now in this example we might how the table as displaying some data and look at the news Audrey principal standard sequel injection the information concerning that C sucking bro most effective name you know it's now we can call the database function I'm sequel to his name so you can see here that this is a database name the baby C is our last talk possibly on us we must do the person you add this inherent Davis version just like before so there's a person there now to the same field here now that's conscious typical sequel injection here was nothing at this point

health integrated to hibernate multi-million age 12 we're disconnecting the sequel injection so here's an example what the actual produce age 12 look like so if your audience knows it was hired a new to see this I'll carry long's the whole part is is that harmony is between this entire thing as a spring this has all info lot of skating the single for it's capable simple boat so from here Owen here it's just a certain today it's not until the jdbc parts which are parsing if I becomes that progressive aggression party it's not necessarily an objection because we're but we were jumping into the sequel be produced by balaji strawberry so prevention I'll to save a seat for

judgment like if you're in a sort of you and you want prevent sequel injection is the same thing loading the stream key copy of all parties that's it and if you look back at the initial example Prairie doc um they have no just like main parameters to change the see if you have those the H code phrase as well and the second County on those the thing is it's not even just a security reason to do that in hardening this actually will cash automatically that if you were using straight to see what do that so the most of the time developers do miss editors because it provides performance reasons for doing so

oh that's like it's okay yeah in parameters oh and there's no reason not to use of right I mean it just that's not good each girl is not necessarily involve a to allow a hybrid allowance to use to query the database it does have the criterion API which is perfect or two very identity dangers like construction and you said doesn't it using as well there's different reasons for using one or gonna go so doing a source code review and there's a great I want to look for of any poles to create Marie or crazy hooker okay too small of each coil springs so it could be tip of potentially vulnerable to the separate injection you did not the book the CEO

people words in each goes from a plumbing problem to end user control the kid are the destruction that you scroll for the st. manners or the other Nets not adhering is also in you needed at the end of medications because I'm will take where hibernate the construction will go down the developers way while you just run straight native simple and just pass the survey top through so if you have a very somewhere okay I had thought that phrase doing and how it's being destructive actually also detected this version to any question needs to that seems like that's a technique of using it oh yeah yep I'm focused hibernating solo I have a bad experience with but essentially yeah and some of

the other science they've done through like I think I've had as a grenade and so one of the things I've been working on is exploiting this no I have a little hungry test app that disability allowance exceptions to go through service or work with the real world is most likely to get mine detection and if you're doing a single injection of it was really hard to explain however there was a so are closing stuff up so I got some time here so what this around here yes

so I felt very soon Ralph is actually saying one that I want party so my primary sandbox area allows this is not sure for things and so we can try this out and say okay here's our customary whole principle tick in there yeah get that 500 and very accept you just like new song slides and try our other folk here we have interception but if you slow down we also see that young people GPC are sequels impacts exception so we say okay let's that's acceptable new T Bo traction and signal map now is just before I put on this right held at this house work um sequel have run under the right conditions will actually pick up

that that's injectable however you have to bottom with a bum bum of green on briscoe 5i uncle Teddy yes baby ultramar target for the side note yeah yeah you for local I use the projector that they another us of high off resolution of this blows

you

oh thank you I go to I can't see my type that's you quick huh Oh gonna love max

so if you run this without the level of the rest specifications in a mole find anything I'll say it's not injectable but it takes if you mess it up now it's all fun so level 5 plus 3 time alright so let's go through here to drill seriousness and actually blood on and so money this way it will point out that hey this kurtis parameters they played like el pelo this is from work so get ready cheers normal no don't touch anything else hurry up however though at this point no it's just pure luck in coincidence that i actually found that reason why is because halo is using its still following each club right so it's

only a 2 just happen upon you scroll in church it doesn't involve with a sequel touch necessary so if you're trying to exploit this bike jump all like that's something um it's going to essentially get some error it says that if they can't do it because here you to the Gators this is all access so it doesn't want to get um now I've been trying to get a hustle payload and to go about to work if anyone comes to Prague let's try it out I have a bill and actually creating work oh and I know like see bolte hobe a plunge to create your own payloads you can specify the injection point but uh I just wanted the fountain

got the recipe and the work on it for a photographer features here now public public goods bought this week and there was this one day I'm still working on I mean get on to figure it out at some point but how would that make that's completely easy to to explain to people tripping

alright cool remember you have a cigar thoughts on you decided the yes any questions you want like a low-cost irate that female exploit any way but it's a problem I like this nice little instruction at the same time because of the nature of the language and framework it's actually hard to find attractive all everything actually look up involving perceptions it was partially card pockets of salty but again my google sees where developers have a very high rate of all big we have to use the tool correctly right but it especially smells good oh that's awfully high iron point flip book before i'm just going to realize that like I can actually can't get to your full on simple correction

ourselves have it but apparently people this some of these slides the research these guys they just came out like he just posted slide so I think but the bid last year or last year so it's not to fit health care that's only thing I can find on it at all cuz I'm sorry I'm kind of digging around and I became a possum about this is awesome to make the argument and so i will put are these little progress a very support I just don't feel facility to test this stuff here when I will put them up online I think ur you're not updated if they are but if I could help Project Blue poems on other 17 outfit all hope I'm updated

i'll keep it out so Stephen look at the TV

e so see that the app that actually is

oh so whatever do I start small and work on filling whatever queria triangle here to log off on pieces like that because it's important so now we like hair so that so they're here at this point though we can do the rest of our objection so I pay them so we could do that you hit I'll show you I'll just show you this if anyone is interested so we're going to union select theaters at this point we don't know where something very very same table if you don't know how many columns or are you able to even know it got a query being on has three columns or four columns we need to help the [ __ ] day they have the same number

columns so one of the days I'm you know once you find a single charge and you starting right itself will start trying to figure out how many of those columns are just pressing assumption educated custom mom so if you forgot to search here

so here we kind of made it such a good subject look at it you could have see that okay the salon state of Kentucky benefit balls so from there well let's co-op in you can do it get out our personal column here and I always kind of do so but just our piecemeal and other Street columns so I'll show that

their networks pronounced heat up because it use if you overload what data is being pulled out so if it's it ok ideas flowing font name field as a third parameter that apparently the developer is queria subsidy third piece here and the economies of seconds so now we know what the data is going concern of doing that stuff we could say okay well I want to know the database version or the database name and then third version of the database we use if I see hold the outer function is built which is cold doesn't so there's no built-in function is HTML like that except for a few lengths acts or purchase I've got did you everybody in stock tht handling it's

propagating this all from the HTML statements

today I always see if you leave the database and enter virtual number right so this speed even like depending with degrees application to if it's a sequel server on it's shelves right oh boy so yeah I'm see like it's pretty powerful if I'm very confident all for that even consistent policy is 80 berim and refresh my decision kph mulberry by use like the session it's just this stuff it's not numbers a lot of hardening developers

all right thank you for coming