Web Security

Web Security XSS Attack Demonstration

Topics:
Check out a free preview of the full Web Security course:
The "XSS Attack Demonstration" Lesson is part of the full, Web Security course featured in this preview video. Here's what you'd learn in this lesson:

Using the Browser Exploitation Framework (BeEF), Mike rather efficiently executes an XSS attack demonstration on site that does not utilize HTTPS.

Get Unlimited Access Now

Transcript from the "XSS Attack Demonstration" Lesson

[00:00:00]
>> Mike North: So I've got something here. These are tools that are typically used by the whole range of hackers. You can use these for good or for evil. What I've got here is a tool called BeEF, they call it a cross side scripting framework. Where you basically, when you start it up, we'll see if I can actually get this working.

[00:00:22] You may have to use your imagination here. So I start it up, and it basically says, okay well this is where I"m hosting the script. I'm hosting it locally and hook JS is the name of the file that we're serving up on port 3000.
>> Mike North: Okay, so now I've got this running.

[00:00:44] And I'm gonna use a second tool called MITMF. That's Man in the Middle Framework. I need my IP address, so I'm just gonna show you the visual way to look at that. We can look at our network settings. I've got 192.168.3.239. And I've got a command that's already prepared here.

[00:01:05] I'm just gonna check my laptop's IP, if it's still what it was when we started, and it is. And I'm just gonna update my IP address here, 239. Okay, so effectively what this code is doing here is, I'm running the man in the middle framework. I'm launching an ARP spoofing attack.

[00:01:25] Don't worry about the particulars of what that means, this goes beyond what web app developers need to know about. You need to know what this does, not how it works. I am providing a gateway and a target. And all you need to know about this ARP spoofing is, essentially I'm interfering with the connection between an individual client on this Wi-Fi network, and the router.

[00:01:47] And I am making it so that this Linux Virtual Machine seems to look like the router to my laptop. So I'm using the Virtual Machine to hack my laptop. The reason that this might not work is cuz it's all sharing the same Internet connection. So we will see if the VM can still operate the way it should.

[00:02:14] All right, and then finally, I am adding this attack here. So I launched the ARP attack, and then you have to say now what do you wanna do about it? Now that you're the router, what should we do? We want to inject a piece of JavaScript into the page.

[00:02:27] Anytime there's a plain HTTP connection, we will inject a little script that is coming from this BeEF tool over here. So I'm going to run this, Man in the Middle Framework will start. And I'm gonna actually go to, I'm going to pick on my beloved alma mater, Carnegie Mellon University.

[00:02:51] Plain HTTP connection, and you can see that we've got a bunch of stuff happening here. It looks like I was downloading fonts.gstatic.com, googlemanager, right? These are all the requests that went out. Well, look at this. There's a strict transport security header that came through, and It says it zapped it.

[00:03:14] So this was a security precaution that this app tried to take, which would have prevent cross-site scripting from working. But this thing took care of it. It got rid of it before it reached my browser. And now what I've got here is I've got a little page that looks like doubleclick.net.

[00:03:33] I managed to get a script injected through doubleclick.net. Now we can go to this commands tab, and I have a variety of things that we can do. Let's see if we can do something funny here. So, you see, I can detect server light, see if this user has LastPass installed.

[00:03:50] There's one that's funny if I could find it here. Cross-site scripting. So these are known exploits where we can take advantage of certain things that are in routers.
>> Mike North: If you go to, we can get the HTML of the current page. I can show you what that looks like.

[00:04:18]
>> Mike North: So that's the current page right now. It's just a little iframe or something like that cuz this is just an ad tracker.
>> Mike North: What if we did this, redirect the browser to Rick Roll. Execute the attack.
>> Mike North: Did that work?
>> Speaker 2: You can hear it.
>> Mike North: You can hear it really softly.

[00:04:56] It's happening. See that little? This tab is playing audio. So right now, I haven't totally compromised anything. This is a pretty benign attack I've launched here. But now, there's a tiny little hidden iframe somewhere in this page that's playing, never gonna give you up. [LAUGH] And unless you know that you can like right click on this and mute the tab, this is frustrating for a user, right?

[00:05:25] Now you could do far more malicious stuff, you could execute requests on their behalf. But I just Man-in-the-Middled myself, I just threw a virtual machine, with tools that are designed for testing apps. I was able to inject the script in between this site and a plain HTTP connection.

[00:05:42] Didn't have to get this computer to join a new Wi-Fi network, I just use something called ARP spoofing. So, this is why we've gotta use HTTPS, this was pretty trivial for me to do. Please, go ahead.
>> Speaker 2: So you started with the ARP spoof was to get the double-click hook.js, is that where you started?

[00:06:03]
>> Mike North: So the two tools involved, there's BeEF, which basically has a generic script you can insert, and then it'll open up a socket to that target. And you can run arbitrary commands on that. It's just very well orchestrated XSS. Man in the Middle Framework with ARP spoofing. That is what actually got that script into the page.

[00:06:26] All beef does is it manages that script really well. Man in the Middle Framework is what you use to to actually get that into the page.
>> Speaker 2: And, so what I'm just asking is, was the browser going after the double click JavaScript that the Man in the Middle attack hijacked?

[00:06:40]
>> Mike North: Yes, so that was a plain HTML request, and it was basically going through my virtual machine at that point. And as it was coming back, we basically added our little script tag in there, and then let it go to the browser. And now we're in and I just want you to see that, cross-site scripting is not a matter of you have to design this intricate script and find a vulnerability in a web application.

[00:07:06] There are tools with menus of attacks here. Some of these, you can see which social networks the user has logged in to by seeing if you can make requests to various domains. And whether they'll come back, or whether they'll say you got a 401. You can, in cases where the user has flash enabled, turn on the users web-cam.

[00:07:33] Which is, that's pretty terrifying. So here, I'm not authenticated to Gmail, I am authenticated to Twitter, I am not authenticated to Facebook, and that's true. That's accurate. So it's able to get some information based on the ability to make requests. Even though it can't see the response, it can know whether that succeeded or not.

[00:07:57] So, when I say it's easy to launch attacks, I mean there's a GUI for it. And right-click menus, and tables, and plug-ins. Yes?
>> Speaker 3: A thing that's relevant for front end developers to know, is that there's 16 under PhoneGap. PhoneGap also encompasses Ionic and Cordova and is a thing that renders JavaScript apps into native apps.

[00:08:24] It's horrendously vulnerable as indicated by the fact that there are 16 things here. And it's an important thing to know about, is that the thing that you work with.
>> Mike North: Great point there. One thing that makes, sorry, let me get PhoneGap back on the screen here. One thing that makes PhoneGap particularly vulnerable and, so just to be clear, it is Ionic.

[00:08:45] Ionic is highly optimized PhoneGap. If you're using, what's the other one?
>> Speaker 3: Cordova.
>> Mike North: Cordova and PhoneGap are the same thing, there's a third one I'm forgetting. React Native doesn't necessarily fit into this category, right? Anything that is taking JavaScript and transforming it into native code. That's not what we're talking about here.

[00:09:02] We're talking about essentially a UI web view, a big iframe that your app is running in. The big thing that makes this a little bit, where extra due diligence is required is, you get JavaScript bindings into native functionality. So you break through the typical sandbox container that a web application would run into and you can access files off of that user's device.

[00:09:23] Or the mobile equivalent of files, right? So it's not, where usually you're saying well a web app can't do that. In PhoneGap, often times it can, depending on which plugins are installed. Great point. If you think of anything else like that, please interject. Alright, so that's my cross-site scripting demo.

[00:09:43] What you should take away from that is it's horrifyingly easy for me to do that. I did it while talking to you. I was able to pretty reliably do it. I did it from one machine to another while they were sharing an Internet connection. I could have done it to anyone else in the room if you're accessing a plain HTTP domain.