Pages

Wednesday, June 8, 2016

Null meet-14th May16 > Lesser Known WebApp attacks

Dear Friends,

If you missed the Null meet on 14th May. you can check out my presentation on slideshare
Topic: Lesser known webApp attacks


Happy hacking :)

Sunday, February 7, 2016

(Relative Path Overwrite) RPO XSS

Welcome Readers,

As I promised this post is exclusively written for RPO (Relative Path Overwrite) XSS. Lets understand what is RPO and  how it can be exploited with XSS.
RPO XSS Introduction
The RPO (Relative path overwrite XSS) is publicized by Gareth Heyes in 2014. This attack utilizes a crafted URL (typically with a PATH_INFO), to force the target Web page to load itself as a style sheet, when it contains both path-relative style sheets and attacker-controllable contents.
          In the Relative path overwrite XSS we will first understand difference between relative and absolute path. An absolute URL is basically the full URL for a destination address including the protocol and domain name whereas a relative URL doesn’t specify a domain or protocol and uses the existing destination to determine the protocol and domain.
Example: Absolute URL:   https://thehacker.co.in/test
               Relative URL:    test/some_subdirectory
The relative URL shown will look for ‘test’ and automatically include the domain before it based on the current domain name. There are two important variations of a relative URL, the first is we can use the current path and look for a directory within it such as “abc” or use common directory traversal techniques such as “../../abc”.
Description and Attack scenario
RPO XSS attack utilizes a crafted URL (typically with a PATH_INFO), to force the target Web page to load itself as a style sheet, when it contains both path-relative style sheets and attacker-controllable contents.
We have seen the difference between actual path and relative path. Now let’s demonstrate this finding.
To exploit this findings three things are necessary,
1) stored XSS that allows CSS injection.
2) URL Rewriting.
3) Relative addressing to CSS style sheet.
To check the RPO hit the below url,
www.webdevelopersnotes.com/graphics/index.php3

Saturday, February 6, 2016

Mighty XSS (Basics of Cross Site Scripting)

Welcome Readers,

In the last post I talked about mXSS. In this post we will cover about XSS type and various XSS attack.
First of all what is XSS and why it is considered so danger and have third place in OWASP top 10. Lets decode this jargon.
As name suggest XSS (Cross Site Scripting) is some form of script/code that attacker use for malicious purpose.Our web applications have multiple input fields like forms, comment box, email, upload field etc etc.
These are the entry points where user suppose to enter valid information. but think as a hacker what if we can write some script/code in the comment box of web application and on posting that comment on site gives some different output than expected.
Take an example there is a bank website and on home page there is search box present to search bank related information on that website.

Monday, February 1, 2016

Mutation XSS


Hello Friends,
Welcome back :) Today I'm sharing my research on mutation cross site scripting. On studying and reading lot of stuff finally decided to write article about mXSS. I hope you will find it useful.

Mutation Cross site scripting (mXSS)
The New class of XSS vector, the class of mutation based XSS (mXSS) vector discovered by Mario Heiderich. This mXSS may occur in innerHTML. This vulnerability affects major browsers like IE, Firefox, Chrome etc.
Famous applications like Yahoo, Rediff mails, Zimbra etc like commercial products were vulnerable to mXSS. This type of XSS vectors managed to bypass widely deployed server side XSS protections tecniques like HTML purifier, Kses, htmlLawed etc. and client side filters like XSS auditor, IE XSS filter, WAF systems, IDS and IPS.
Introduction
The mXSS is an XSS vector that is mutated from safe state to unsafe unfiltered state. Server- and client-side XSS filters share the assumption that their HTML output and the browser-rendered HTML content are mostly identical. The most common form of mXSS is from incorrect reads of innerHTML. The user provided content is mutated by the browser, such that a harmless string passes nearly all XSS filters is ultimately transformed into active XSS attack vector by the browser.

Saturday, January 30, 2016

Web-Application testing guide

Dear Friends,

In the last post we have covered Nmap tool and its commands. Lets move to web application testing and testing guide. Today I'm going to share my exclusive web application checklist that helps to test all test cases.
Before that little about well known security community OWASP.
Open Web Application Security Project is an online community which creates freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
You can read about it on Wiki or on their site.
OWASP published their top 10 vulnerabilities in web application. The OWASP Top 10 - 2013 is as follows:
  • Injection
  • Broken Authentication and Session Management
  • Cross-Site Scripting (XSS)
  • Insecure Direct Object References
  • Security Misconfiguration
  • Sensitive Data Exposure
  • Missing Function Level Access Control
  • Cross-Site Request Forgery (CSRF)
  • Using Components with Known Vulnerabilities
  • Unvalidated Redirects and Forwards