
Our next presentation, like I mentioned, is hopefully going to go well; he's actually in Brazil right now, so that's why he's not here. This is a friend of mine who does a ton of great cross-site scripting research. He works for Sucuri, working on their web application firewall. He's one of the leading researchers that you have probably ever seen on xssposed.com, which I think now has some new name for the site, which puts up cross-site scripting research. If you're looking to learn about cross-site scripting research, that's a great place to go, and if you're on Twitter and you want to learn more about cross-site scripting, this is definitely one of the people you want to follow. He also has lots of other fun stuff that he puts up at his protected Twitter account, Brutal Secrets. He's going to talk about himself a little bit at the beginning, and this is Brute Logic. Go for it.

Okay, hi Pat, hi everyone, good morning to all. I would like to introduce myself: I am Rodolfo Assis from Brazil, and I will talk about cross-site scripting advanced vectors. I would like to ask you in advance to forgive my English, because English is not my native language, so I hope you enjoy the talk, and at least the slides, because it's an interesting subject. So here we go.

We start with our agenda. We will go through the vector scheme; the vector builder, a tool that I built, WebGun; some agnostic event handlers; using native code; filter bypass; the main subject of this talk, which is the location-based payloads; and we finish with multi-reflection.

Okay, so I'm a security researcher at Sucuri Security, which is a security company that does malware clean-up and protects the customers with a web application firewall. My job is to break it, to bypass it, to find new ways in which an attack can harm the website of a customer. I'm a former number one at Open Bug Bounty, former XSSposed, and I have some hall of fames; I'm appearing in some hall of fames, I have some acknowledgements, and as you may know I'm specialized in XSS. You may be thinking right now, "oh God, another talk on XSS", but I promise you that this will be kind of different from the things you see out there. We will use the alert(1) just for didactic purposes, because in fact you must require a better proof of concept, involving at least a document.domain, to be sure that the JavaScript is executing on the victim's page, on the target. This talk will be mainly about the vectors involving HTML and event handlers, because we have the classic script alert(1), and we will talk about it too, but mainly the HTML tags with an event handler. Some stuff may be hard to follow, because JavaScript is a very weird language, and for those who are not used to it, it may be a little bit difficult.

Vector scheme. We start with a scheme to build the vectors. We have the regular one, the simplest, which is a tag, an event handler and then the JavaScript code. A simple example (oops, sorry) would be the SVG onload one, popping an alert(1). A better scheme, a full one, would be as follows, and we have the extras in blue and the spaces in red. The mandatory one is the first space; this has to be there, the others are just extras. So as an example we have the payload, a vector with thead, which needs the table, the tag table, before. So we have a spacer, a separator from one element to another; we have the style, which makes the font size bigger to make it easier to mouse over to trigger the prompt box, which is just another box like alert and confirm; and we have a bunch of A's to make the mouse-over easier to trigger, because with the page bigger there are more chances for the mouse to be on it and trigger our prompt box.

I made a tool called WebGun, at brutelogic.com.br/webgun, which is meant to build these vectors. It's not an automated tool, it's more an interactive cheat sheet. At the end of this talk I will play with it live to show you, but I will show you some screenshots. It has more than 3,000 unique combinations just using the tag and the event handler; I'm not counting the JavaScript part, the spaces, the extras, none of this. Just with tag and handler we have more than 3,000, and probably more, because it needs some improvement; I did it a long time ago and I have to go back to it and update it. You can use tag or event to choose one of them, and then the tool will bring the respective events for that tag, or the respective tags for that event. We can choose handlers by browser, we can choose handlers by length for the filter bypass procedure that we will see in a little while, we have the editing of the vector manually, and we can test on a live target or just use the default test page of the tool. Here is the main page, where you can see the browsers, where you can see the fields that we can choose. It comes with a default payload, alert(1), and after clicking on "build" the vector appears in the text area below, and then we click on "load" to go to the next page, which is the one where we choose the target and some other options, and click on "shoot", and then, if the payload is correct and the page is vulnerable, it will pop up an alert or confirm or prompt box.

So, in order to understand what we will see, we need to also know about some agnostic event handlers, which are the event handlers that can be used with almost any tag, and they can work with arbitrary tags, I mean tags whose name you can invent, like brute; there's no tag brute in HTML5, but it is an XML-valid tag. Most require user interaction, as we will see, and they are working on major browsers: onblur, onclick, oncopy, oncontextmenu, oncut, the onkey ones, and so on. There are 18 event handlers like that. They are very useful, and probably a good filter has to block them all. A simple example: take b onclick=alert(1) with a "click me" text after it, in order to click and pop up the alert.

Let's see now using native code, because it's important to know that too, and we have two examples. The first one is a very common scenario where we have some input landing in the value of an input tag of the type hidden. If the code is all in the same line, because it was written in this way or because a framework did it this way (there are a lot of sites that do this stuff), then if you use the input script alert with the comment at the end, we see like this: we have the injection in red and the result in blue. The native code is being commented out, so the one that executes is our alert(1) box. The other example is the same as before, but now the code is in different lines, which makes us adapt our attack to fit what we need and execute. I'm using my script at my website, brutelogic.com.br/1; it's just a text file with alert(1) that will be called and executed by that script, or I can use it in hexadecimal form if the filter is looking for some alphabetic chars after the double slash. Here we see the injection in red; we are using the native double quote and the greater-than sign, and we see the result in blue. Nothing so advanced, but this is just an intro to what is to be seen in a little while, but it's very useful in XSS attacks in the wild, and even important for bypassing Chrome, as I posted on my blog, but this is for another talk.

Okay, filter bypass. Let's see the basics of filter bypass, because there are tons of presentations about it; we'll just review some. We have a procedure that is very useful, and it was based on this procedure that I built WebGun. We have an arbitrary tag like x plus a fake handler like onxxx=1. We simply start with five chars and increase it, so we have in our example five, six, seven chars in total, and we see that at the seventh char the filter blocks it, so we can just use up to six chars, so we have oncut, onblur, ondrag and so on. That's why WebGun lists the handlers grouped by the number of chars, because it's important to test a filter in this way. A filter can't catch the tag, an arbitrary tag, because you can put anything on it, so its last chance before the JavaScript part is the event handler, so it's really important to know which handlers it can accept. We have basic tricks like encoding, URL encoding; we have mixed case, which is still useful until today (oh God, it's still useful); we have doubling, for very weak filters; and we have spaces like we saw in WebGun, so we have slash, we have tab, new line and so on; we have quotes, single quotes, double quotes. We have a cool thing that I call mimetism, where we make our test tag, our test probe, appear like something the filter will allow to pass. So we have something that mimics the closing tag; another one that mimics a text outside the tag, because the tag was not really closed, it's between double quotes, so it's passed as a normal attribute of the tag; and we have some that appear like a URL, so we have http:// followed by onclick, onblur, any event that we want. And we have the combo, which is the mix of all of this. Okay, enough.

Let's start with the location-based payloads. Location-based payloads are really complex, really complex to build. They are based on the document.location properties of the JavaScript language and similar stuff, and the great part of it is that we can avoid special chars, at least between the equals sign and the greater-than sign, which is the JavaScript part of the vector. You can be sure that it's game over for the filter, because it's almost impossible to catch it; better for the filter to catch us before it. So we have a scheme here of the URL with the protocol, domain, path, page, etc. We start with location.protocol, which returns the protocol, in red, of our scheme; we have location.hostname or document.domain, which returns the domain; location.origin, which returns the protocol plus domain; we have location.pathname, with the path and page; location.search, which is all after the question mark until the hash sign; previousSibling.nodeValue and document.body.textContent, which I'm putting before, as we will see in a little while why, and which is the "text one" part right before the tag; tagName or nodeName, which we call "itself", is the name of the tag we are using in the injection; outerHTML, which is the whole tag we are using in HTML; innerHTML, which we call "after", is the "text two" in red; nextSibling.nodeValue, firstChild.nodeValue, lastChild.nodeValue, they are all like the one before, the text two, they are after the main tag; location.hash, of course, is the hash part of the URL; and the URL, location.href, baseURI, documentURI, is the full URL, and we can also use it, as we see in the following payloads.

So let's start from the beginning. Taking that first payload, the svg onload with location: with location we can redirect a browser to another page, but we can use the pseudo-protocol javascript: to make the browser execute our JavaScript code, which is alert(1). So after it we can start to play, and we come with location.hash.substring(1), which will point to the string, the text, the stuff that we have after the hash. The substring(0) is the hash sign itself; substring(1) is the javascript:alert(1). Next, we can split that string into 'javas'+'cript:aler'+'t'+location.hash.substring(1), which will concatenate all of this with the hash part, which is the parentheses with the 1. The parentheses are a very important thing to avoid, because filters will always look for them; that's what we are trying to do here, to avoid parentheses. So next we have another trick to get rid of single quotes, which is the regex: the string between the slashes, /javascript:alert/.source. The source property returns the regex itself with no modifications, so we can use it to avoid the quotes. And on the next line we have the /javas/.source, cript, etc. again, but this time using location.hash with brackets, [1] and [2], because location.hash is a string, and as a string we can point to positions in that string; it's array-like, as everything in JavaScript. So we have the left parenthesis, the number one, the right parenthesis, and the parentheses are never sent to the server; anything after the hash is never sent to the server, it stays on the client, so a filter will never see it. But we are still using brackets, so let's get rid of them.

Let's see the evolution again, but from a new perspective. Let's take the javascript tag, which is an invented one, an arbitrary one, and we try alert(tagName). If we do that, we will see JAVASCRIPT being alerted in the page, so we are tempted to try javascript:alert(1) all in the tag name and point the location to it, but this will not work, because the code will be returned in uppercase, and alert can't be uppercase; javascript can, but not alert. So we have to get rid of the rest of the tag name and place it in the hash part, so we have tagName plus location.hash, which will work, and tagName+innerHTML+location.hash, which concatenates the tag name, JAVASCRIPT, with the innerHTML, which will return the "click me" part with the opening of a comment, and the hash part, which will close the comment and start our PoC code, our proof of concept code. Right below we see some constructions of what we can do with such strings; we see JAVASCRIPT concatenated with "click me" and alert in three different ways, so we can play as we wish with this to construct the javascript:alert(1) to execute our JavaScript code.

Okay, let's go for the taxonomy now. We have, by type: location, location self, location self plus; we have by positioning of these properties, and we use very common names like "before", which comes before the tag, of course; "itself", the tag itself, which has something inside, some attributes for example; we have "after"; and we have the hash part. Let's see the first example, a very simple one with the innerHTML property: you just have an arbitrary tag with onclick, and we can point the browser, using location, to the innerHTML string, which returns javascript:alert(1) and the double slash to comment out the rest. This will pop up the alert(1) flawlessly. Another example would be location "itself", where we are using the name and id to construct the javascript:alert(1) string: we have name as "javascript" in red and the id is ":alert(1)"; concatenating both we have our location. So things start to get complex. The next one we already saw, which is tagName+innerHTML+location.hash: we take the tag name, we take the text after the tag, which is the innerHTML, and we take the hash; we start a comment and close the comment, because we have to get rid of the hash sign, which will not be valid syntax, so we have to comment it out, or we can stringify it, put the hash between quotes, to be able to use it, which is the next example. In the next line we are using single quotes to turn "click me" and the hash sign into a string, and then almost concatenating it to alert(1), because the minus sign is not really concatenation, but it makes the JavaScript part execute. So we have our last example; we are using a URL, which is a little bit more complicated. We start with tagName, JAVASCRIPT, we jump to the innerHTML and then we use all the URL, which we are injecting in a reflection, of course a reflected case, which gives us the result in blue: the URL will repeat the double quote, which will close the first double quote, and then we start, we try to minus the next string, which starts with the single quote, "click me", "javascript", hash; we close it in the hash and then again minus alert(1). I hope you are getting it, because it's really hard to explain, and I have to talk in English as well, so I hope you understand.

So location itself plus hash: I'm using tagName and the URL, in red, "javascript". I have all the vector and payload in italic to show that I'm using a URL; it's the same as before, the same mechanics. But the next one is a little different, because I'm using what I call a labeled jump, and in blue we can follow it. I'm using "http" and the colon as a label; it's a JavaScript label, it's a piece of code we can name, we can label, so I'm using it and commenting out all the code until the end of the URL, until the hash. When it comes to the hash I'm using a new line character to jump to another line and then make the JavaScript engine execute the alert(1). So none of the URL will be considered for execution, just the alert(1). And we have another example with location after plus hash, which is the same mechanics as before, using strings to concatenate to alert(1) and then using the new line, the labeled jump again, to achieve our execution. This seems a little simpler, so we can move on. Location itself plus hash plus after plus hash: we have the tag name with "javas" alone and the "cript" part after the tag, which is the innerHTML again, the URL to concatenate and close the single quotes and the double quotes that we opened again; in the next line, the labeled jump, the same trick using the new line character. This one is more interesting, because we are using itself plus before, which is tagName, "javascript", plus previousSibling.nodeValue. It's a little bit larger, but for the filter this is not important; the important thing is to bypass it, and the previousSibling.nodeValue returns the part before the tag: it's the double quote, minus alert(N). Just a mistake, it was supposed to be 1, but I hope you got the point now. And right below we have itself, after, before, which has the "javas" in red, "cript" in "click me", and then jumps again to the previousSibling, which is the alert(N) again. Location after plus itself, which is the combination of innerHTML and outerHTML, starts with "javascript", "click me", and then the outerHTML is all the payload. We have in blue the result of it: we have javascript:alert(1), the "click me" between comments, plus alert(1) with a less-than sign before, which is valid because the 1 will be evaluated with the less-than sign against the other one, and then we comment out the rest with the HTML comment tag, the exclamation mark. And next we have another example of it (sorry, sorry guys): we have "javascript", "click me" plus the outerHTML; in another example we are closing the comments and then creating an empty string and then minus alert(1), commenting out the rest again. We have now location after, before, after, itself, which is a little bit more complicated; let's jump to the blue part, which is the result: javascript, "click me" between comments, and then the tag name; in fact it's outerHTML, but we start with the tag name and the alert(N), and comment out the rest. This requires a little bit of attention to really understand what is going on here, because it's a larger payload, and they were all tested with a browser to make the popping up, so I don't really expect that you can understand it just from seeing it for a while, but these slides will be online, and those who didn't understand it can take them to study later.

So, we have some time limits, so let's jump to another type of location payload, which is the "self inside". These are very cool, because we are using the payload to construct, to call, the same page we are injecting into, to make another request, this time with the payload we want. So here we are using location to return the id, what we have in the id; we have the question mark, which will make the location search for the same page, the current page, because we are starting to declare the parameters that we want in that page, so we are using the parameter p as an example. So we are again returning to the browser to use that p parameter with the value of svg onload=alert(1), with a plus sign URL-encoded, of course, because it will turn into a space. So in blue we can see the result: it's just the same URL with the value of the parameter p changed to what we want to execute. This can trick a filter, because the filter will just look for the stuff at the very beginning of our injection, which is the svg id part; it may just ignore that second payload we are injecting in the destination of the location. We have it again below, using a script source, as we did before. We can also use it with the property after the tag; we are using again, in red, the question mark, the p parameter, but this time we can't encode the final payload, because it's just text, and this way we can trick the filter again. Location self plus itself: we start with location self plus, which is a similar mechanic as before, but this time we are using HPP, HTTP parameter pollution. It's a technique where we use another occurrence of the parameter value, where we insert another parameter in the URL; in languages like PHP, the second parameter is the one that will be evaluated. So if you just add it to the URL, using location+=outerHTML (sorry), we can point the URL to another address, and that address will come with another p parameter after the original one, and this new parameter is the one that will be evaluated and execute our JavaScript payload. We have it again with "after", after the payload; again in blue we have the result, which will be svg onload=alert(1) completely unencoded. We have it with "before", the same stuff, which can also be used to trick the filter, this time using document.body.textContent, which is all the text that document.body has, but we are here assuming that we are injecting into the body, so what comes before can be used with our payload to put in the final result.

Now, to finish this talk, let's see something easier, which is multi-reflection. Multi-reflection is very common in the wild; usually the pages are vulnerable to more than one appearance of XSS in the page, and then we have double reflection with a single input: in red, the result in blue, and the code in light gray, which will not be executed, because according to the HTML parser it will be the value of one attribute. We can see this again, double reflection with a single input, using script: the same construction, but this time using the single quote and the comments, which can be used in the script text. We have triple reflection using a single input, which is a little bit complicated, but it still works if we are lucky enough to find such native code that can provide such a scenario. We have triple reflection with single input using script also, which is also difficult to achieve, because we really need to rely on the native code to be able to open and close the single quotes, double quotes, etc. And the easiest one, which is the multi-input, when we have two inputs, like p and q, reflected on the page; it's very easy, it's also easy. So, concluding: XSS vectors can be complex, can easily bypass filters, and can blow your mind. Yeah, and thanks, thank you all, and if you have some questions please be kind enough, because I may not understand the spoken English well, but Pat is there to help me. So thank you for this opportunity. [Applause]

Thanks. Does anybody have any questions for him, other than "wow, that was hard"? Like I mentioned, if you want to talk to him directly, if you're on Twitter, you can find him at brutelogic, all one word. He talks back to people on there, which is really nice.

Yeah, thank you guys, thank you all.

We have one question for you: those 3,000-plus unique combinations, can those be loaded into something like Intruder as part of the payloads? Those 3,000 unique attacks that you have in your WebGun, can they be loaded into something like Burp Suite or some other tool?

Yeah, if I share the database, yes. I'm working on it, but the problem is that I'm working on a tool privately for my employer, Sucuri, to test the WAF, so I'm not sure yet if I can share the database with all these payloads, because the database has the parts, the elements, tags, handlers, etc., and the tool just combines them to build it. I'm not sure if I can share it right now, but I can look at the situation and answer it later.

Great, all right, thank you very much.

Okay, thanks, thank you.