
Automation of XSS Attacks for Infection and Massive Propagation of Worms on Social Networks

BSides São Paulo · 38:18 · 104 views · Published 2025-06
About this talk
Title: Automation of XSS Attacks for Infection and Massive Propagation of Worms on Social Networks
Abstract: This 100% hands-on talk presents the exploitation of an advanced Cross-Site Scripting (XSS) vulnerability in the Indian social network The Wall (a Facebook clone). During the session, participants will follow the development and execution of a self-propagating worm that infects user profiles, steals cookies, records users' audio and sends it to an external server, and silently activates botnet networks.
Speaker: Fernando Henrique Mengali de Souza
Transcript [en]

Good morning, everyone. Welcome to the 20th edition of B-Sides SP. I hope you are comfortable. I now call to the stage Fernando Mengali with the talk "XSS Attack Automation for Infection and Massive Worm Spreading on Social Networks". Welcome, Fernando. Good morning, everyone. Guys, I'm going to give a presentation that, actually, I wanted to take a little out of the box when the subject is XSS. To start, before I start talking about the lecture itself, just a little about myself: today I have basically more than 100 CVEs focused on the exploitation of vulnerabilities, right? CVEs are for that. I am the creator of a platform that analyzes dynamic vulnerabilities, known as FITOX. The creator of Speakfy, which is

a platform that aims to centralize security events. We are refactoring the platform. The idea is to integrate all security events in Brazil, B-Sides and OWASP worldwide. YourPray is basically a framework, actually there are more than 20 frameworks, for those who want to learn about information security, both secure development and pen testing. YourPray has a series of vulnerabilities; it has Node, Python, C, C++, ASP, PHP, React. A plugin that I created, but it is very limited, it's more for companies that don't have a plugin to use, is Leapfix. Leapfix is a plugin to do code analysis, a SAST analysis at the code level. Well, basically that's it,

let's go to the lecture. Guys, why did I set up this lecture? Why did I create this lecture? Because today when you pick up a book about XSS, you have a lot of alerts. You get an article: alert. You watch a video: alert. Then you listen to a podcast, you do something: alert, alert, alert, alert. And you don't have a real attack strategy, and you get tired of seeing so many alerts. So basically this lecture brings a slightly different angle on XSS. And here, what is the intention? We have a social network, which is known as Wallscript. It is in version 8.0, but this one is version 6.0, because it had an XSS vulnerability. What is our

purpose here in this talk? First, to spread this worm by profile, capture photos from the webcam, and intercept audio, that is, the person is talking and basically the XSS will intercept the audio and send it to a server. The last one is basically to activate a botnet; as the internet is a little bad, I will not be able to both bring up the botnet and run the botnet to do a DDoS. But I promise you that I will post the slides, I will post the Docker for you to test, and I will post the video of the botnet coming up. I will not play many zombie computers, I will play two or three, for you to understand how from

XSS I can bring up a botnet and run a botnet for DDoS. Where does it all start? Orkut, who remembers Orkut? Orkut is the social network where you played with XSS, that's the big truth. Because there were XSS vulnerabilities in the communities, you could steal communities; in the user profile you had two basic strategies: "you see this code here, throw it in your browser and you'll see something really cool", and the XSS would go to you; or you would create a link, the person would click, and the XSS would go to you, among other security flaws. One of the things I found most interesting: who has ever heard of the Anna Kournikova virus? The interesting thing about the Anna Kournikova virus is that you installed it, you put it in

your user profile, Anna Kournikova's profile, who was a tennis player, and it basically changed the Outlook settings. When you called the page, the script executed, pulling in Outlook. Who caught this script? It was a VBScript. It was Avira, for those who already used Avira, and NOD32. The rest, no one caught this XSS. So, everyone... Whoever had Outlook was affected. And it was a flaw that I didn't publish. But... it worked, because what happens with XSS? Everyone looks at XSS and says: "XSS is just JavaScript", and it's not. With XSS, depending on the browser support, you also have attacks based on VBScript. So, we have here our friend Orkut, right? Jass. And here we have the scrapbook. I don't know if you knew, but in the

scrapbook you injected the JavaScript, you got the IP, you got a lot of things from the person, you did redirects. And here in this news source I left an article for you to see, and there another one about an XSS vulnerability. The only evidence I had was this last one here, already with the updated Orkut. Let's go to another one, Twitter. Twitter also had a vulnerability; in fact, it was more of a joke that they did, which was basically to promote a name. In the news source you have ZDNet, which you can see. And here on YouTube you also have a subject, and here you have the tweets related to the XSS worm, which basically was spreading. And... Does anyone know this site? Well,

why did I bring this here? Because I found the attack strategy aimed at the exploitation of XSS very creative, let's say. Well, a guy known as Cyber T, from Saudi Arabia, basically did the following: he couldn't get onto the site. It was impossible. It had no vulnerability. What do I do? Well, our friend Hotmail, also already updated, MSN/Hotmail, had an XSS vulnerability. What did the guy do? He sent an email to the guy who worked in this zone, sent an email, the guy clicked, and the cookies went to the attacker. Cool. The attacker had no password, but he had cookies. What did he do? He entered our collaborator's account with the cookies. With access, he had more privileges, more interaction, he discovered a directory

inside the server. There's another attack issue: he basically took a directory inside the server, created an .htaccess, and then, basically on December 23, he unzipped the site, which is to register unzipped sites. Basically, they took from the poison itself. Let's talk about Wallscript 6.0. Guys, does anyone know this network? What is Wallscript 6.0? Basically, it is an Indian social network that was born in 2016, more or less, 2015-2016. This social network was born when Facebook, Twitter, Instagram and other social networks, Pinterest, were rising. It was the trend of social networks. Basically, as people liked Facebook a lot, although Facebook had already bought Instagram, the guy started developing the social network and started selling it. Believe me, the guy bought a house and

bought a car in India, which is very difficult, right? Due to the conditions. And the guy made a lot of money selling it. Who bought Wallscript 6.0? People who needed to do a TCC (final-year project), people who had to do a presentation, people who wanted to have a social network within the company, people who wanted to create, to be a new Zuckerberg, and it was based on Wallscript. So basically this social network is Indian, it was sold and it is sold until today, but it is in version 8.0 and it is updated. From what I've seen so far it's cool, I don't know if there's XSS, but they updated it to PDO and today it runs in Angular, but I don't know anymore because I didn't

browse to know if there was a vulnerability or not. But this one has an XSS. "Fernando, where is the XSS?" Right here. That is, we are back to the Orkut fashion, to the Twitter fashion, and we can inject what we want. Let's talk about code? Let's talk about script? Get out of the alert. What do I do here? Basically, folks, when we have XSS behavior, it's almost as if we rewrote a JavaScript, in fact. So what do we do here? The first thing I needed to do was to get the person's Chrome, Chrome, no, browser. So Firefox, Edge, Chrome, Safari, Opera. So basically I get one of these browsers, why? Because I'm going to create an identifier for the

user and this one will be one of the prerequisites. So notice that I start not only by getting the browser, but I use it for traceability. Next step, I want my XSS, my worm, to not have one action, I want it to have other actions. First I put a C2; I would like this C2 to work today, but there's the internet issue, because it's really cool to see the bots coming up on the C2. Then the other one, capture audio. Why? What is the purpose of this? You are browsing something, you don't know, what you are saying is being captured, is being sent to a server. So, you don't know anything and someone is intercepting you. Two, capture the photo and send it to a

server. Third point, what do I do here? I still need traceability, so I'm going to get basically the user's name, and with the user's name, what am I going to do? I'm going to create a cookie. So I have traceability. Fourth step, I need to create an Ajax call here, where I'm going to do what? Where I'm going to make a request, I need to know if the guy has already been infected. I need to have this information. So what do I do? There's a little page there, and then if it returns zero, I do the insert, I insert the malicious script. So basically if it's zero, I'll insert it for him, that is, I'll make a post in his place. If

I had CSRF here, I would have killed this problem. Fifth step, I need to record what? Audio. So here I have a script where I record audio, and here I have a post. And finally I have a webcam now to take pictures. And then as soon as I take the picture, what do I do? I send it to the server too. Finally, I put this "only log" here, "c2 only log", because here in fact it will call the botnet to bring up the bots. And then we can be talking... Is it stuck? Come here. Come, come, come, sit here in these chairs.

I really don't know what to do. Well, guys, I'm going to go in now to talk about obfuscation. Come on, guys.

Next, we'll talk about obfuscation. Actually, I didn't obfuscate this code, but you can do it to help you, depending on the technology you have within a social network, a platform, a system. I'll give a very practical example here about obfuscation. I once did a pen test where I injected JavaScript; this was a lawyers' platform, and the XSS signed documents with the name of a lawyer they were not for. And without obfuscating it didn't work. Well, I'm going to talk now only about what would be the impediments here for our XSS not to work, and then we go to the practical part. First, input validation, that is, when the guy inserts his message, I

validate his message, I will validate his message, and by validating his message, basically I will throw everything into the txt format, or the text format, so the JavaScript will not have an effect. Although there is a function that does this, you can do a bypass. Double submit cookies. Remember I told you that I'm creating a cookie identifier? Here with double submit cookies I would have already broken this problem. Remember I said I posted in the person's name? With CSRF I would have also blocked this problem. Header set. CSP. If I enable CSP... although I'm using local here. Why am I using local? Because if I had a problem with the internet I wouldn't be able to demonstrate some things to you. So basically, what does

CSP do? From today, you will consume everything related to the application within the server or within this directory. Nothing goes to the internet, that is, CSP will not let you get an image out there, it won't let you take a video from outside, everything is local. Everything is like: "I need a video, okay, I'll leave the video here and I'll run the video." "I want an image, I'll leave the image here and I'll run the image." "Oh, but I have to look there." No; if you want, I release the image, but the image has to be here with me. That's what CSP does. There are several vulnerabilities today, mainly focused on checkout. I don't know if you know

the CMS Magento. Do you know it? There is a group that has a zero-day inside Magento, where they inject a call to a randomized API; every time you enter and you go to do a checkout, what does it do? Basically it takes your data and sends it to that endpoint. Very stealthy, you can't see it, except if you view the source code, but if you had CSP enabled, that wouldn't happen. Well, and here, for us to have better security against XSS: CSP, CORS, frame options, cookies, double submit, CSRF, script integrity monitoring. What is this going to do? Basically, it will monitor if your page has had any changes. If there

was any change, basically, it will alert and say: "Here, there was a change." Subresource Integrity, basically, you will work more with CDNs, that is, if the CDN had a change, oops, CDN change. Library updates, updated libraries, so we are talking about jQuery, Bootstrap, Angular, React and so on. Here's a very important detail, folks. There are many people who say: "Hey, there's a library here, I'm vulnerable to XSS." It depends. Sometimes it depends on the browser. For example, there is a version of jQuery that has a very, very cool XSS vulnerability, but it doesn't work on current browsers; it works on old Chromes, that is, the library is vulnerable, but if you have a current browser, it doesn't work. Framework saves: sometimes you

have an outdated version of a framework, whether it's React, Angular, and so on. Security Doom, and basically that's it. Well guys, leaving theory, let's go to the Proof of Concept. Guys, does anyone have a question? Want to ask something? Go ahead. I would like to ask you about the... Good question. Guys, here's the thing. This question is very interesting. And this heals many things. Today people think that Veracode, Checkmarx, Snyk, Synopsys and so on are all the same thing. It's not. It's not. Why? Because each platform has its own algorithm. This is a fact. Each platform has its own algorithm. And this also depends on the update of signatures in the database. So, let's give an example: I have one platform that catches a vulnerability, I have the other that

didn't catch it. The platform is bad? It's not that it's bad, it's that the algorithm that one uses, the other is not using. And maybe it's not that it's not using it, it just didn't update at the right time. For example, libraries. Why are there platforms that catch 10 vulnerable libraries and the other catches 30? It is very likely that the one that catches 30 has updated its database more frequently to do identification than the one with 10. Very likely in three weeks it will get these 30 too. So, it's not possible to match the platforms. There's a company, I won't say the name, where I exploited an XSS and it could generate a data leak. The problem was in Ajax. Then I sent it to

the support. The support: "No, it's not XSS." Okay, fine. Then what happened? I sent the PoC, I sent the file, I said: "Look, it's here." "No, but it's not an XSS." I said: "Man, download it, execute it." "I'll pass it to the engineers." They passed it to the engineers. Then they came back: "So, it's a vulnerability, but we won't update our database with the vulnerability you got." Basically, it was like this. I said literally like this: "So, if I have a leak by omission from your platform, does the platform wash its hands?" Yeah, that's it. I won't say the name of the platform. Guys, let's go to practice? Here's the thing, let's play a little bit in the lab. I'll upload this Docker for you,

I'll upload the PPT and I'll upload the video. What did I do here? I made a distribution. What is this distribution? I joined Marvel and DC. So I put Arrow, The Flash, Superman, Spider-Man and so on. What are we going to do here? Let's authenticate here, for example, with the Rookie login. Actually, the XSS is already enabled. Can you see the camera in use? It's taking pictures. Actually, I was going to delete the database, but I didn't. I'll take this opportunity to show you. Well, guys, taking advantage of the fact that we're already here to show you, I don't know if you can see it well, but here we already have the columns, right? The columns, no, sorry, the tables. And

then we have messages, which is where we do the management of messages, and we also have the Verify part, which is actually a table that I created locally in the database. So, perfect. We are here, let's refresh this page here and all this will disappear. Cleared, okay. So we are in our feeds, or rather, the hook is in his feeds. And then the hook, as he is a very awesome guy, comes here to the messages part; there is no conversation, but let's send a message to Spiderman, for example. So he comes here to Spiderman and here he can, for example, send a message, something like: "man, I discovered an XSS vulnerability here."

And then it sends. Cool. Then we come here to the logout. And then we come in with whose account? Spiderman. Perfect. There's already a message here for Spiderman, and then the hook says: "I found a very good XSS file in the lab, I'll send it to you". Then Spider-Man, we get the Spider-Man version, which is very fun, and then he says: "Send it, man, I'll test it". "Okay, I'll send it to you". And then what will Spider-Man do? Very simple, he will call the lib, and he will call the lib from a server; here I'm putting it on localhost, which also makes the XSS easier.

And here's a detail, guys: if you don't use single quotes, greater-than, and then call the JavaScript file, it won't run. So, we're here, and that's it. Spiderman posted, the worming started. Cool. So, here's Spiderman, and who does he have as a friend? He has, for example, Arrow. So, who comes here now? Our friend Arrow. Let's go. Look who appears in Spiderman's message. Then Arrow sees it, looks at it and says: "Wow, what is Spiderman posting?" And when he comes here, he's infected. We're filming there, actually, the XSS is exploiting the camera and filming. "Fernando, but there's the gadget we saw there, which is getUserMedia, which asks for authorization from the browser." Guys, does it work? It works. Now we have two contexts. First,

three contexts. The person who will notice and will block. Second, the person who is unaware, who does not understand anything about IT and says: "Ah, it must be something like, I don't know, let's click." Camera activated. And third, when you have a vulnerability in a browser and you can exploit the browser layer. "Ah, Fernando, so it means that I'm at risk on an iPhone, I'm at risk on my Android?" No. Why? What is the difference between browsers? For mobile, you have layers that are different from those focused on desktop. So, there's no way I can say: "Man, you are insecure on the iPhone, you are insecure on Android" when we are talking about an XSS. So basically they are different contexts;

we are looking at something desktop. So we have Arrow here, who has just been infected, and here we are taking pictures. So I'm going to show you the directory where I'm sending the photos. Where is the directory now? htdocs. I'm sending it to uploads. So basically I send everything here. "Fernando, the photo didn't show up." No, why? Because it depends on the user's interaction. So as I click here, it sends it to the server. Look here, the photos. Because XSS sometimes does, it executes, but sometimes it depends. So look here. Those are me at home, actually, and here is during the lecture. And here you have an audio example, so Chrome and Microsoft Edge, which I did a test with. Let's

refresh the page here. Camera again. And here it depends a lot, guys, because sometimes it takes both the camera and the audio, and sometimes it can call the botnet. Here it was supposed to call the botnet; in fact, as the internet issue is a limiting factor, I will not be able to show it to you, but here it would be calling the botnet now. It called the camera; it will depend a lot on its randomization. What was it? Probably called to do DDoS again. But let's go, let's do another test here. Guys, the purpose of this talk is to make it more practical than necessarily theoretical. So, open the database, show the directory, show you

how the backstage happens, that's literally the purpose. It's not bringing something that works, but leaving a question mark. And let's do another test? Anyone want a character from Marvel, DC, who wasn't infected? No. No, there are only the main ones. Flash, Flash.

Well, here is the Flash, so, okay, profile, and it was also infected. And then, as people enter, you will have the XSS infection. So, guys, are you doing pen tests? Did you get an XSS vulnerability? Understand the context, understand the strategic scope, read the page, see components, what you can access from components, what is called, if CSRF works, because there are a lot of CSRF today that in fact are just for show, it doesn't work. You go there, you make a call and the thing runs. Then you say, what's going on? And CSRF doesn't work, Wind Protection. So, basically... When you deliver a pen test report, take the vulnerability, see the context of the vulnerability, suddenly the guy

is browsing, seeing documents, and your XSS is sending a message to a partner of his. Of course it's a test context, not a context where you're literally going to do this, because you're going to affect the business. But bring an XSS more like this: "man, look at this here, are you seeing this?" If you deliver an alert... and this has already happened with a dev when we corrected an XSS vulnerability, talking about secure development, you say: "Man, we're going to inject XSS here." What did the guy start doing? He started playing. "Oh, cool, huh?" And then he started giving alerts, redirecting, and the dev started playing with XSS. So, when you go to make a pen test

report, try to bring something more impactful to the... Because it will sell and it will also make the customer loyal. The truth is that. The guy delivered something that no one delivered here. Yes. Guys, I don't know, I didn't test if the VBScript will run. Very likely not, because we are talking about a more updated browser. So, very likely we will have limitations. This I leave activated. I left it. What were the four contexts I mentioned? First, you have a person unaware, who will look and say: "There's an alert here." "Ah, ok." "Do you have another one here?" "Oops, this is weird." "I'll even send an email to the company to ask what this is." Then you have the third one. The third one

is when you're going to do the layer bypass. But then you need to have a vulnerability inside Chrome to be able to bypass it to do this. You commented that mobile would be another approach because it has different protection layers. Would these layers be on the device, on the browser, on both? Just to understand what would be the problem of trying to replicate this on mobile. Thank you. Would the protection be just the implementation of the security header, CSP? Guys, CSP will help a lot, why? Because the business is not going to an external server. But here we will have validation of the input, a good validation; here there is validation, okay? Only the validation does not

work right. So you can do a bypass. You need CSRF, which is the tokenization, you need the CSP that you commented on. Libraries, it's worth doing a verification. Verification of two cookies, if two cookies were created. So, in fact, you have a range of verifications just for XSS. But here the CSRF would already work, the CSP too, and only these two would work, would kill it, and the validation. Guys, does anyone have... Man, the thing is, on the slide yes, but on the internet, no, I don't make it available. It's something to think about, actually, to help the staff. It's just that, man, I have so much stuff on my mind that with so many things you end up doing nothing. But it's

a good insight, I'll see if I do this and make it available for XSS. Guys, anyone else have any questions? Ah, okay. My GitHub. Let me share it with you. Well guys, this is my GitHub; actually there's not much, I'll update this GitHub, guys, because I haven't posted much on it, but I'll put the PPT for you, I'll put the Docker, the Docker link for you to test, I'll put the video of the botnet coming up for you to see, and doing a denial-of-service attack, I don't know if you've seen how it works, and I'll update it. But it's Fernando Mengali, my GitHub, and I'll post more things there. There's a lecture today about AI, how to create a

worm based on AI, which will be in the AI village, as they called it. And then I'll do a presentation about worm dissemination through artificial intelligence. Basically, I'll also post there and I'll also update the GitHub and put more things. Guys, anyone else? I'll give you one, I'll give you two. I used the XSS to enable the camera. So, yes, I did the getUserMedia and something. So you ask for authorization for that. Exactly. Guys, thank you very much for your participation. I thank you very much here. And that's it. Have a good day and a great event.