
No more alert(1) - Gr4y R0se

BSides Belfast | 16:25 | 65 views | Published 2025-02
Category: Technical
About this talk
Abstract: No more alert(1) focuses on actually exploiting Cross-Site Scripting. No more shoddy alert boxes will fill your pentesting reports. No, instead a new brand of exploitation will be revealed, including building realistic exploits to deploy cobalt strike beacons, hijacking user sessions without stealing cookies, and exfiltrating data remotely! All with JavaScript. At the end of this talk, I will have demonstrated the real impact of one of the oldest recognised vulnerabilities - impact that is all too often missed. An upgrade to a self-developed tool (free on github) known as C2 will be demo'd as well, so everyone can join in the fun.

Speaker Bio: Liam Follin aka Gr4y R0se; CTL | Senior Tester | Nerd. Liam is an App CHECK Team Leader and Senior Penetration Tester at KPMG, but really just a nerd with a love of hacking web apps. He loves writing tools, training pentesters, and nice Irish whisky. Not necessarily in that order.

#bsides #securitybsides #infosec #bsidesbelfast #belfast #bsidesbelfast24
Transcript (en)

First of all, cheers, I'll see you at the... see you at the after party. Now, is the screen going to work? That's the first thing. While we're waiting for that to switch on, so everybody starts these things generally with like an about-me slide, but I'm going to start this with a bit of a demo, hopefully, if we can get this to work. Can everybody cross their fingers...

Please! Hey, look at that, thank you very much to the tech guy here. Beautiful. Right then, so what I have for you is a beautiful application, as you can see, very very tasty, very very nice. Oh, this is going to work, nice. So we have our three products. You can tell this app was written by ChatGPT, so don't worry, this talk is also about AI. We've got certain products... there you go. So now quickly let's just do a bit of a login, because we need that to do anything. Now I get prompted for that. Now of course this talk's about cross-site

scripting, if you couldn't tell from the title. And in fact, rather sneakily, if I refresh this you can see we've actually just stolen the username and password I injected into that application, using a tool that, well, one, is free on GitHub, woohoo, love open source, and secondly will be done properly a little bit later. However, more excitingly, the payload is actually still running in this site, it's just running in a way that's pretty invisible. Now let's get to the actual meat and potatoes of this. This is No more alert(1), which is exploring, well, exploring novel data extraction techniques, but more specifically exploring how you actually

exploit cross-site scripting. Who here knows what cross-site scripting is? Excellent, that makes the first couple of slides completely obsolete, but you're going to have to sit through them anyway. But first, who am I? I'm a senior penetration tester at KPMG, a CHECK team leader, I also recreationally enjoy whiskey, a bit of a JavaScript enthusiast, and I have been described as a semi-professional rascal. I'm still not sure whether to take that one as a compliment or not, but it's on the screen anyway. You can find me on Twitter, GitHub, LinkedIn, or you can even email me. I prefer cat pictures but will also take technical questions, I'll try and answer them as well. So the agenda: we've got

some basics, we've got rant number one, we've got some self-therapy for me, which is actually the reason I wrote this talk, then rant number two, I know, you get two of them, very lovely people, then hopefully we'll do a bit of a poll, you'll see why I've converted people, and then we've got some questions at the end. Now, quick question: who here's a pentester? Yeah, look at these three people in the front row, I know pentesters that aren't putting their hands up. Audience participation works a lot better if you actually participate. So who's a pentester? Lovely stuff. Who has exploited cross-site scripting? There's people who weren't pentesters that put their hands up there,

that's... where's the NCSC when you need some arrests to be made, in the back of the room. Who here goes any further than just popping alert(1), or occasionally alert(document.cookie)? Yeah, a little bit further than that, okay, lovely. So the basics of this are, well, as a recovering... beautiful, so this is again my dodgy app that I wrote in the background. This is about as far as most people go, especially when you're doing a pentesting report. There you go, it's the old reliable alert(1): you've demonstrated that you can inject arbitrary code into a page and get it to execute, so all very

well and happy. Screenshots like this have appeared in pentesting reports for many, many years and I'm sure they will continue to after this talk. However, sometimes you want to spice things up, you want to make it even better, so we go for document.domain, you know, you want to prove that it's executing actually on the domain, you haven't just done some funkiness in the console, right? So this is quite interesting, used quite often on bug bounties I found from reading them. But anyway, again, it's a little bit spicier, it shows a little bit more information, but we're still not really doing anything, are we? So

demonstration does not equal exploitation. So who here's used Metasploit? Lovely, slid this one back in there for you. Lovely, so who here's used the check function on Metasploit? You know, you want to know something's vulnerable before you actually fire off your exploit. There's half a hand... oh no, he's fully put his hand up now, nicely done mate, great. So we know what that is, that's what alert(1) is. alert(1) is using the check function: it's demonstrating that the vulnerability exists, you're not really exploiting it, right? And as I say, demonstration does not equal exploitation, and especially when you're trying to put this in context with clients it becomes

very important that you have that knowledge of how you exploit it. You know, everyone knows EternalBlue, you know it's a remote code execution, you gain control of the device, everyone's really happy about that. Now, because we've exploited that, we can articulate that very, very easily, especially in our pentesting reports: you put the big critical at the top, you're like, this is like 8 years old now, why haven't you patched this, you get very cross at them, you know, the whole nine yards. But if you'd only ever run the check function, would you know that? Well, potentially not. So... we'll get back to this, I think these slides are slightly out of order, I

blame the beer. Let's go to rant the first. So this talk kind of came about because we're hiring at the moment, don't know if we're allowed to say that, but we are, and as part of that we're hiring for web testers, right? Everyone loves a good application test, we do a lot of application tests where I work, we need some web testers. And I was interviewing several of these people and I asked them, what can you do with cross-site scripting? And they say, oh well, you can steal cookies. I'm like, yeah you can, but what if there's like the HttpOnly flag set on the

cookie? And they went, oh, that completely fixes cross-site scripting. Who here... so this incensed me somewhat, and you know, we went back and forth about this, I was like, well, are you sure there's nothing more you can do with it? No no no, that's it, that's the vulnerability... vulnerability, that is difficult to say at 5:00... vulnerability has been fixed. But it obviously hasn't. So I thought, why not subject a captive audience such as yourselves to just 20 minutes of me talking about JavaScript and the magic things you can do with it, and so thus you're all here, thank you very much for coming. Okay, here's some also little-known facts about JavaScript

before we get on to some of the slightly more demonstration parts of it. The path of a URL is controllable client-side using history.replaceState, so what you see in the URL may not actually be where you are on the application. Lots of single-page apps use this now to make it look like you've navigated somewhere, or to be able to actually send links to your application and have them work. The same-origin policy: my colleague Cory Turner did an excellent talk explaining exactly how you can mess around with the same-origin policy, so I won't repeat his work here, but effectively it stops two things from

different origins talking to one another. It's designed to stop nasty people like myself from messing around with your applications. But pages from the same origin can talk to one another, and JavaScript is cool, it was written by drunk engineers, but it can do some very cool, funky stuff. So if we go back to here now, what's actually happened in the demo at the start? What happened is, when I clicked on Apple, we rendered this page, and if this is working for me... is this a comment? This is a comment, can we see that, or is that a bit small? Really small, it's really small, okay. Can I get the keyboard shortcuts to work on this?

No, ah, that doesn't work for the dev tools, that's not good. Anyway, there's a script here with a source that's pointing back and loading in content. What that payload does is it takes the content of the page, injects it into an iframe, there's a little bit of JS that runs every time the location of the iframe updates, it updates the page at the top, so you can see we're actually still running here, and the page at the top is updating even though we are still within it. I never left, I'm still clicking around in it, a bit small, sorry about that, but again, still hasn't left it. And all it does is it iterates through, every time

we reload the page, finds any forms, reassigns the onsubmit function to post data back to our listener, and then actually rebuilds the form and submits it for you, so the user isn't presented with any visual feedback that the application isn't working, but we steal all the data. This will actually work on any form that you want, and it'll ignore CSRF tokens as well. As you can see, the form we captured did have a CSRF token in, it was correctly submitted to the application, the backend server, this is all happening client-side, just sees a valid CSRF token and all the valid fields, everyone's happy, we're really happy because we've

stolen a username and password, and that feels cool. There are some other things you can do with XSS. Let's clear all our interactions there. Payloads: hijacking downloads. So instead of saying hijack forms, just hijack downloads instead.

Switching between Windows and Mac all day, it's not working very well for me. So now, again, we've loaded it, we haven't clicked on Apple yet, so we've not got anything firing in the background. So if we click download here, file download... I've been testing this all afternoon, if you couldn't tell, we get 'this is an example file for download', let's just zoom in on that so we can see that's the sample file. Now, Apple, download it, it's called the same thing, see, we've actually hijacked the content of that file and present it again. There's nothing visual to a user that would let them know. So if that had

been a Cobalt Strike beacon, you know, you click on a download link for a Word document and, three pages ago, I've got my XSS payload firing, suddenly I've got my beacon, and then your SOC is having a really bad day trying to figure out where that came from. Now, playing this again, so the tool you saw there is called C2, it's available for free on GitHub. It has a lot of those payloads built in, in fact it has one of my favourite payloads ever built in. I'm not sure the world is quite ready for exactly how cool this payload is, but if you'll bear with me, it's simply called

spicy. Any guesses what spicy does?

No, please don't. If that ends up in any pentesting reports, first of all, I love you, and secondly, please don't let your boss find out that I was the one that pointed you in the direction of this, because it'll probably get me in a lot of trouble. I may have used that before in a demo to a client, allegedly, but that's the kind of idea. There's some other kind of payloads you've got on here, obviously you've got your standard alert, cookies and things, there will be some more coming as well, and I'll redesign the interface because it's currently a bit ugly, but I'm not a front-end dev or a designer, and Chat

GPT only took you so far. So, lovely, rant the second. There isn't really a second rant here, the idea being that cross-site scripting is very, very cool, and hopefully most of the people in the room now understand some of the things you can do with it, but you can also do more than that. Are there any red teamers in the room? Nice one, that's more than usual, one or two maybe, lovely. You can also do like local port scans, and can scan internal networks using cross-site scripting, just JavaScript in browsers, there's been research into people that have been able to do that. But the point is that XSS is

really cool, really cool, and you can do loads and loads of really cool things with it, you can do a myriad of attacks. So the next time you see alert(1) in a report, or you pop alert(1) on a pentest, or a pentest report submitted to you, you see that, now you understand exactly how damaging that can be. Now obviously we've operated on the understanding that we found one first, but cross-site scripting vulnerabilities are pretty common, even today. I still pentest myself, for my sins, and I routinely find XSS vulnerabilities. Most of the time it's not script alert(1) anymore, the payloads are getting a bit more

complicated, you now actually have to try as opposed to just, you know, active scanning stuff, which is a crying shame, but you can still pull off things like this. And if your application has any functionality, even if the cookies are appropriately secure, or even if it's unauthenticated and it's just offering downloads, now hopefully you understand exactly what you can do with one of the oldest vulnerabilities in the book. Now I'm going to do another poll: who here thought XSS was a bit boring when I started? Who now thinks XSS... you can put your hand up, don't worry, I'm not going to shout at you because you're the front row. Who now thinks XSS is

really cool and is going to go off and talk about it lots? You put your hand up first and not now, that's goddamn... destroying this. Lovely, well in which case thank you very much for coming, and do we have any

questions? Silence, tumbleweed. Lovely, well in which case thank you... oh no, maybe one.

Yes, yes, WebSockets are famously full of holes, and I do enjoy tearing them apart, they're very good fun. Any more for any more? Do we not have any more time? Okay, I'm really sorry, in which case you can come and chat to me. Thank you very much for coming, see you.
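A defender's counterpart to the chain described in the talk, as an added example that is not part of the talk, the speaker's slides or the C2 tool: a small Content-Security-Policy evaluator that shows which directive decides each step (remote script load, same-origin iframe, form or fetch to the listener), and why a default-src-only policy still lets a rewritten form post credentials off-site. The origins and policy strings are constructed for illustration.

```javascript
// Added defensive example, not the speaker's code or the C2 tool: a minimal
// Content-Security-Policy evaluator used to show which CSP directive governs each
// step of the XSS chain from the talk. It models only 'self', 'none', '*' and
// exact-origin host sources plus the fallback of fetch directives to default-src;
// inline scripts, nonces and hashes are out of scope here.

const PAGE_ORIGIN = "https://shop.example";   // constructed: the vulnerable app
const LISTENER = "https://listener.example";  // constructed: the attacker's listener

// Fetch directives fall back to default-src when absent; form-action does not.
const FALLS_BACK = new Set(["script-src", "connect-src", "frame-src"]);

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// True if a load or submission from pageOrigin to url is permitted by the directive.
function allows(policy, directive, url, pageOrigin) {
  let sources = policy.get(directive);
  if (sources === undefined && FALLS_BACK.has(directive)) sources = policy.get("default-src");
  if (sources === undefined) return true; // no governing directive: the browser allows it
  const target = new URL(url, pageOrigin).origin;
  return sources.some((s) =>
    s === "*" || (s === "'self'" && target === pageOrigin) || s.replace(/\/$/, "") === target);
}

// Each step of the chain in the talk mapped to the directive that decides it.
function evaluateChain(header, pageOrigin = PAGE_ORIGIN, listener = LISTENER) {
  const policy = parsePolicy(header);
  return {
    remoteScript: allows(policy, "script-src", listener + "/payload.js", pageOrigin),
    iframeSelf: allows(policy, "frame-src", pageOrigin + "/apple", pageOrigin),
    formToListener: allows(policy, "form-action", listener + "/collect", pageOrigin),
    fetchToListener: allows(policy, "connect-src", listener + "/collect", pageOrigin),
  };
}

// default-src alone blocks the remote script and the off-site fetch, but a rewritten
// form can still post credentials off-site because form-action has no fallback.
const DEFAULT_ONLY_POLICY = "default-src 'self'";
const HARDENED_POLICY =
  "default-src 'self'; script-src 'self'; frame-src 'none'; connect-src 'self'; form-action 'self'";

console.log(evaluateChain(DEFAULT_ONLY_POLICY), evaluateChain(HARDENED_POLICY));
```

CSP only limits what an injected payload can reach; removing the injection itself still comes down to contextual output encoding of the data the page renders.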