
Tales of DOMinica

BSides Exeter, 28:33, 99 views, published 2024-10
Speaker: Liam Follin
Category: Technical
Team: Red
About this talk
Liam Follin examines DOM-based cross-site scripting vulnerabilities, an often-overlooked attack vector in web applications. Through live demos and walkthroughs of real-world bypass techniques, the talk covers how attackers inject malicious JavaScript through the Document Object Model, why traditional scanning tools miss these vulnerabilities, and practical remediation strategies. Essential for pentesters seeking to master the 'cool' vulnerabilities that distinguish advanced security practitioners.
Transcript [en]

Then I shall begin. Quick background: this is me. I don't need to look up there, it's on the screen in front of me. Twitter, GitHub, LinkedIn; you can email me questions as well if you really want to, or if you're feeling slightly old-fashioned. Please attach cat pictures though, so I will actually read your email; otherwise I tend to just glance and go, oh no, I've got to go off and do something else. Professionally I'm a dual CHECK team leader at KPMG. I do a lot of CHECK work, but really I just love hacking web stuff; that's what gets me out of bed in the morning, and so

today we're going to be talking about some of that web hacking. So, some background. There are traditionally considered to be three types of cross-site scripting: one's reflected, one's stored, and the third is DOM-based. Now, reflected: quite easy, the server does not store the payload, and execution happens when the browser renders the content. Stored: content is stored on the server, that's what gives it its name, and again execution happens when the browser renders the content. Now in DOM-based, content is injected back into the DOM by client-side JavaScript, and execution actually happens when that injection happens back into the Document Object Model. Now I know what you're thinking: what is the DOM? Oh, look at that, I prepared a slide.

So the DOM is effectively an interface by which JavaScript can interact with the HTML of a page. Now if there's anybody in here that has a better definition of that, please correct me, because I Googled that quite late one night. But effectively it gives a developer or a site the ability to change itself, to modify itself in real time using JavaScript within the browser, and there are a lot of web technologies that actually leverage that now. So things like, you may have heard reference to single-page applications; they're not apps that just have one page, but it doesn't actually change. You can see the

URL changing, but it's actually all JavaScript re-injecting itself back into itself. And so that is the DOM. Now, who here has to work with JavaScript professionally? You poor bastard. JavaScript is a horrific language to work with, as we're about to demonstrate. So, 2 plus 2, anybody? Oh come on, wake up, what's 2 plus 2? Four, lovely. Is this going to work? Oh no, don't. Oh, there you go, oh yep, 2 plus 2. Right, so what do we think this is going to be? Someone at the back shouted it out. No, it's not liking me still. 22, excellent. Now what about this one, any guesses? 20, but it's a number this

time. Excellent, JavaScript's done some weird stuff. Now this actually happens because of something called type inference; it's something that JavaScript does quite a lot of. But the point that I'm trying to make here is that JavaScript's really, really weird. It does a lot of really funky stuff, and it's actually quite difficult to tell what it's doing unless you really get to grips with it. Now I do have some props, and I think those props are going to come in handy now. Medicinal purposes. So the best way to learn JavaScript is of course with... I got this signed off by a doctor, don't worry.

Should really say 'props it' before you start to play, but I never learn. Now, beautiful. Yep, I'm better at JavaScript already. Now of course, JavaScript being created by drunk engineers, we need to get on that level before we can truly understand its beauties and intricacies. We'll take questions at the end, thank you. Red wine, like wine; I never said I was a very smart wine purchaser, and I've just dropped that, lovely. Oh, looking forward to the after-party already. Now in reality there are websites like Codewars and things that we can use to actually get much greater at JavaScript. There is a lot of practice out there; it is a difficult language to get to grips

with, but again, lots of study and eventually it starts to make sense, or you get drunk and then you don't care. Please drink responsibly. Right, are we ready to do some actual exploiting? We've done all the background, now we're ready to get into the nitty-gritty of it: finding these vulnerabilities out in the wild. Okay, is it going to work for me? This is terrible, I'm never buying one of these. So first we've got to understand the problem. Now don't worry, this doesn't turn into some long, protracted code walkthrough with me where I walk you through loads of JavaScript; I think everyone would fall asleep. No, I know I certainly would. But we have some basics up here, and I

think I have a laser pointer. Oh, that's so exciting. So we've got a script. It defines a function. We have a variable urlParams, which just grabs the URL parameters from the search bar at the top; I'm sure we've all seen that. We then take the search parameter from there, and then we run a function, tracking, on that search term. Now function tracking takes it, gets the element by ID tracker, so this one, and it sets the innerHTML to search. Now immediately Spidey senses start tingling; we can tell that something weird is going to be going on there. Now we are effectively taking content from a source to a sink. Now these two terms are

actually quite important to DOM-based cross-site scripting. Your source is where your user-supplied content is read in, and then the sink is where it's reincorporated back into the DOM. Now we have a source there taking window.location.search, we can control that as an attacker, and then we have a sink here: innerHTML is the search term. So we can see very clearly how this is passed from thing to thing and ends up within the innerHTML there. So what are we going to do? Well, we're going to throw a payload into it. Now, the old reliable: who here has thrown <script>alert(1)</script> into an application at one point or

another? That should be... yeah, go on, everybody has, almost everybody. Either you're a pentester, or you again had a little bit of red wine and decided that you wanted to just try and, you know, trick your mum's website. You'll notice however that <script>alert(1)</script> is up at the top, oh it's up at the top there, and we have not got any execution; we don't have our alert popup. Now does anybody know why that

is? We can see that it's been injected, still there's no execution. That's very interesting. Now I did something that nobody should ever have to do and actually read one of the web standards, so I know, poor me. But script elements inserted using innerHTML do not execute when they are inserted. Now this is where we start to get to the point of how and why this is so often missed. Now the most common cross-site scripting payload is the script one, right? <script>alert(1)</script>, and that will never fire in this instance, and in fact a lot of DOM-based cross-site scripting won't execute, because again, when

they're incorporated they're not evaluated, they're not executed at that point. So when you're spraying your script alert ones everywhere and it'll never fire, you'll miss it, it won't go in your report, the client will get popped by somebody else, and everybody's having a bad time, especially you in your next performance review. So can we inject an image? Well, we can, right? So that's a little image of some roses; who doesn't like flowers? And I unfortunately don't have a split screen there of the actual HTML, but effectively that's an image with a source, and that image source is pointed to a valid image. Now we can do something really interesting with image

tags: we can add event handlers to them. In fact we can do this to a lot of HTML tags as well. So we can add... well actually, go on, I'll throw it back out to the audience seeing as you're all wide awake. What do you think? onerror, there we go, lovely. So we can bang a little onerror on there. So we have an invalid source; when it reaches out, you know, src=x, tries to fetch x off the web server, x doesn't exist, oh no, what do we do? We look at our onerror handler and it calls alert(1), and then you get your execution. Now obviously if you're actually exploiting cross-site scripting you

do something a little bit more exciting than alert(1): you'd go and steal cookies or you'd compromise something, you'd inject a list, whatever that is. But for the purposes of this we've got our 1, and that's pretty good. Now as an aside, I did actually want to build a set of labs that had /x and /1 as valid images on a web server, but apparently I got called evil when I proposed that and banned from doing it, so oh well, I'll have to save my evilness for another day. So now we've discovered it, we've exploited it. What's another reason why it's so often missed? Well, as you can see

here we've got Burp Suite, we've got Burp Suite in dark mode, which is the only acceptable way to use Burp Suite, and if I see any of you using it in light mode I will not hire you; that is a hill I will happily die on. Now we've got GET /challenge1 with the image, someone's 1, yeah, we're all very happy. When we search for that we get no matches. So who here's fuzzed for cross-site scripting, used an Intruder attack, right? So then you go through it, you fuzz for your payload and you tick: does payload appear in response? Well, it doesn't. Now that's a bit interesting, because that's the same request; you can see /challenge1

there that we just got execution for. Now if you rendered that in a browser, you followed it all through, you do get cross-site scripting, you do have a valid finding, but if you'd just done it using this kind of scanning you would have missed it. And in fact that's what we've seen time and time and time again: people do miss this, even very good testers who I have a lot of respect for miss it, because this is a strange interaction people aren't necessarily used to seeing. Right, so we've just gone and we've defeated our very basic DOM cross-site scripting issue. Now that very basic one, you do occasionally see it in the

wild; I know people are still building apps like that, but it's a lot rarer, right? We're not used to seeing examples that are quite so basic. So we're now going to try and beat some basic protections. Somebody has thought, I know that trusting user-supplied content is bad, I know reincorporating it back into the DOM is also bad, so I'm going to try and defeat some of those nasty evil hackers. This clicker is still not working. There we go, so we're back to this. Now we can see we've got our function again, we can see we're taking our search parameter, our search term, passing it

back to tracking, and then there's a big eval thing. You'll notice however that our search term is encoded; we run encodeURI on it. Oh dear, foiled us, how on Earth are we going to be able to beat that, he said somewhat sarcastically. Now I noticed, I think the gentleman at the back actually solved this lab shortly before we sat down here, so I will not be calling on you to answer any of the next questions. Surely we can call x onerror=alert(1), right? If we go back, for goodness' sake, because that will slot nicely in there: src will resolve, src=x space onerror=alert(1), our

image tag is valid, it then gets reinjected, we have our payload, hey presto, we have cross-site scripting, it's all very exciting. I haven't started swearing yet though, because we haven't got to the really exciting bit. But what does encodeURI do? Encodes the space, thank you. Goodness gracious, we have been serving coffee here all morning; I'm going to need a little bit more gusto out of you for the next bit. Right, so what does encodeURI do? Encodes the space, lovely, thank you. Right, it encodes the space, and that [ __ ] the whole thing up for us. We don't get our execution, because then the browser effectively interprets this as just the source; it tries to call out to

there, it does error, but there's no event handler, so we're all incredibly upset about this. So how are we going to beat this? Well, fortunately we can do that little payload like that, because the other reason why this is missed quite so often is because, well, it doesn't necessarily present in the traditional way that we're expecting it to. You can see that there's no tags in that payload, there's no tags, in fact there doesn't really seem to be much of anything at all. And so when you're scanning for it, your polyglot payloads will probably find this if you're using them, but if you're just scanning a load of tags, none of

them are going to fire; this isn't going to work. So why does this work? Have I remembered to put that slide in? Lovely, I have. So instead of trying to complete the image tag, don't know why I'm pointing the laser at line one and the search term up there, we can actually just try and break out of the JavaScript and inject our own. You can see how we've built this up here: our search term is taken; if our search term is this, when that then gets reincorporated back into our string that's eval'd, we have a kind of slightly dodgy image tag, but it doesn't really care; as long as the JavaScript's valid, the tag doesn't

have to be valid, and then we just end our JavaScript statement with a semicolon, we call alert(1), and what do two forward slashes do? Hey, lovely, goodness gracious, we're getting better at it. I can tell by the end we're going to be on fire; I can feel it, I can feel it in my bones. So we've just beaten some basic protections. Now the bit of this that you did need to know is that encodeURI doesn't encode single quotes, and again I had to read a web standard for that, which you shouldn't do; you should just come here and I'll tell you all about the web standards,

saving you time every day. So there we go: if you ever see encodeURI out in the wild, just remember single quotes, it doesn't encode them, so you can sometimes bypass protections in this instance. Now, dominance. That sweaty-looking bastard at the bottom there is me, and that's me grabbing this gentleman's foot, whose face I redacted, and in about 5 seconds after that I almost break his knee, which is a bit gruesome, a bit gory, but any combat sports fans in here? Oh, look at that, lovely. So anyway, we're going for something called a heel hook. The point I'm trying to make here though is for the pentesters in the room, or the

people who want to be pentesters: there comes a point in your career after you get your first job that you start to be measured on your ability to find interesting vulnerabilities, not just the number of them but also the cool ones. Don't get me wrong, if you start missing things like cookie flags and, you know, not having the correct version of TLS, your boss isn't going to be happy, but they're also probably not going to remember you, or rank you very highly, if you don't start finding some of the cool stuff. Now that's one of the unfortunate parts of our industry, I think; potentially it's not the greatest part.

If we're trying to move pentesting away from hacking and more into an audit kind of focus, which I think the industry is moving in that direction, we probably shouldn't have this attitude towards it, but ultimately we do. If you don't find cool stuff you won't be remembered, and you may be overlooked for promotions and such like. So mastering vulnerabilities like this becomes very important. When other people start missing them specifically, it makes you look really good to your bosses; it also makes you look really good to your clients. There have been a number of pretty high-profile instances, one that I'm going to talk about in a second. Actually, you know what, we'll

talk about it now; it brings the point home. There was a very large multinational business, and they have a flagship product, and we were tasked, myself and a colleague, at an old business that he used to work for, with testing this application. And it happened that this application was vulnerable to cross-site scripting, DOM-based cross-site scripting in fact. Of the labs that I release, the last, or the only real-world challenge, is based on the situation that I encountered there. Now it did take me 7 hours sat in front of this thing just chasing this one vulnerability before I actually managed

to pop it, but pop it I did. And that had been missed; that functionality had existed, because we went back and asked them, for 10 years within that application. It had been missed by yearly tests, by every business, for 10 years. Now as you can imagine I walked out with a big smile on my face and called my boss up and went, hey, you'll never guess what I did. I didn't get a promotion, but he did buy me a beer, so you know what, we take victories where we can. But again, that just kind of brings you back to it: learning how to do

these really niche vulnerabilities, really understanding it after having built out that baseline, making sure you are, you know, assessing and catching all the security best practices, will make you look a lot better and will start to accelerate that career. Now the reason why I'm on the purple track: can we fix it? Yes we can. Are there any developers in the room? Oh lovely, excellent. I don't remember you. I was a developer for about six months, and then I was asked to step aside because I was much more interested in breaking stuff, but really, thank you for doing the building things. I enjoy the breaking

side slightly more, but we can fix it. Basically, don't trust user-supplied input. Now that's something that everybody's always said for basically forever. You can, and unfortunately you do have to, use user-supplied input, right? Otherwise your applications would be quite boring; imagine a banking app that didn't let you put anything into it, it would be pretty useless, in fact it could just be a book. So you do have to trust it, but then you can encode it. Now just encode everything: if it's received from a browser, try and encode it. And then this gets slightly more difficult when you're using JavaScript and things like that, but there are some

reasonably good libraries out there in JavaScript that will do a lot of your escaping and character encoding, with the slight caveat of, we do keep... that wasn't English, we'll try that one again: we do quite regularly find bypasses for them though, so don't trust it. Ultimately you can't trust it all the way through, but they are better than not having any protections, and as with a lot of security, most of it's about slowing people down and stopping them. If you can't get it with a Nikto scan or a Nuclei scan then a lot of people are going to stop there, and if somebody is a bit more dedicated, well,

then you have to build up your protections and stuff like that, but you can stop it. A lot of the remediations for them are just the same as your standard cross-site scripting: it's don't trust user-supplied input, and, for the love of God, don't read user-supplied input into URLs, because that ends really badly. Some resources for you all now. Who here now, after this, wants to go and learn about DOM cross-site scripting? That is more than I was expecting, lovely. So there's some resources on the screen. We've got PortSwigger; everyone knows who PortSwigger is, if you've ever hacked a web app they are the GOATs of it.

Gareth Heyes has some really interesting research on this as well; Gareth Heyes, a personal celebrity of mine. The labs, some of the labs that we're actually, we do have a bit of time, the labs that we're going to do a bit of a live demo of now, are on my GitHub, greyrose, DOMinica. Download them, you can spin them up, it's a simple Python web server. There's codewars.com if you want to learn about JavaScript, and they have some really cool, kind of, it's a belts-based system. But again, when I was revising for my first CSTL app I did a lot of Codewars challenges, and it really

really helped me in that. It just again gives you some weird, interesting ways of thinking that allow you to more accurately interface with JavaScript, which means that you can do some cooler things with it. And then the s se. UK, the DOMinica labs will hopefully be transposed to that at some point in the near future. It's again not very well known about, but it's effectively a load of XSS-based CTF things, and you get some points for it; there's a leaderboard, so if you do really well you can get to the top of the leaderboard and screenshot it and put it on your LinkedIn profile

and feel very good about yourself. Right, who here wants a live demo? Excellent, that was the correct answer. Right then, so here's what the DOMinica labs look like. Can we all see that? Would help if I zoom in, yeah, okay, cool. Zoom in anyway. So can somebody pick a lab from the easy or the medium? Don't click, lovely, that was the one that people picked last time as well. It's very clearly, the namings will work. So the lazy developer here was me, so no offence, but some lazy developer left an auto-clicker in here, oops. Now again this isn't necessarily the most realistic example; people tend not to

leave auto-clickers in their applications, but it does help to ram home the point that I'm trying to make. So let's have a look at the JavaScript. This is the bit normally where... can everybody see that? Do you mean to make it bigger? You see it? Lovely. Oh no, we've got some shaking heads at the back of the room. Right, let's

Can we see that? Yep, lovely, awesome. So we've got function tracking, which takes search and a hash. It sets the href of the element with the ID tracking to the search parameter, and then it clicks on whatever is passed in as the hash parameter. Now we can see here on the screen that search term is the same as the other ones, so window.location.search, urlParams.get('search'); hash equals window.location.hash.slice(1). Who knows what that does? Yes mate, it's on the hash after, absolutely, thank you. So that'll grab whatever is after the hash, basically after the hash up

there, and then it calls tracking, and we've just discussed what tracking does here. So any ideas on payloads? Bloody hell, that was awful. So let's try something. I really hope this hasn't been cached. Oh, it hasn't, oh that's good. So let's try searching for 'test'. We can see in here the href has been set to test, and that has been clicked on. I don't know, there shouldn't be... oh yeah, reading click, right, it doesn't know what to do on that. So what we're going to do here is: hrefs, really interestingly, are actually vulnerable, or you can inject and execute JavaScript from within them. There's a series of valid protocols; we all

know about HTTP, HTTPS, but there's a few others, there's FTP, things like that. There's also javascript as a protocol. So now we can say javascript:alert(1). Now is that going to work? No, unfortunately not. It is evaluated, but we need to have a bit of user interaction. Now fortunately for us, the user interaction is my lazy coding has left an auto-clicker in here, so it's called tracking, I think, or it's called tracker. Let's call that, let's go tracker. Bloody hell, how did that not work? Ah wait, hey. Occasionally hash changes aren't quite calculated properly, but there you go, so we have our execution. And that's effectively how we've, that's the

methodology for it: we found our source, we found our sink, we followed it from source to sink, and in this instance, obviously not the most realistic, but we found a way of making it execute. Now really interestingly enough, who has used Burp Suite? Excellent. Who here's used DOM Invader as part of Burp Suite to try and find vulnerabilities? DOM Invader will flag, probably, of the easy and medium challenges, because I just checked, it will flag I think seven of the 10. It'll say there's something you want to look at here. It successfully exploits only two of them though, so you do have to have a bit of a better understanding of how to craft your payload and what

that sort of thing looks like. Right then, let's go back to here. Do we have any questions? Yes mate. [Audience: When you're using this methodology, are you just happy leafing through the DOM and finding these things, or using DOM Invader?] Some of it is, if any is automatable, I guess. Some of it is automatable; DOM Invader finds some of it. What DOM Invader does is it injects a canary token into the various sources and then it searches for it. You can actually do that yourself, so just come up with some, you know, kind of button mash in the morning, and then copy and paste that into all these search fields,

check where the reflection is, check where that is being caught in the thing. You can also then do a more global search to see where that has been injected, because normally there'll be, especially when you're talking about single-page apps, normally there'll be an API request, and it's in the body of the response of the API request that's then caught and then reinjected back in. So it does get a little bit complicated, but do your own canary tokens, inject your own canary tokens, and yeah, that should be good. Any other questions? Yes mate. [Audience question, partly inaudible: minified JavaScript, do you try to follow that JavaScript?]

Nice. Do I try to follow that JavaScript? Yeah. Advice for minified JavaScript: good luck, you'll need it. It's difficult. There are some reasonably okay JavaScript de-minifiers that you can use; it depends on the sensitivity of the test. You obviously can't go copying and pasting JavaScript from private applications into public tools, but there are tools that exist that do that; there are some offline ones as well, I think, that can de-minify. VS Code will pretty-print it for you so you don't actually have to try and read one incredibly long line of JavaScript, and that can be

a bit better. Pretty printing is also enabled in the dev tools as well, so you can use the dev tools, you can set breakpoints and things in there as well, so you can test it yourself. [Inaudible.] Any more? Any more?

No? Can't believe nobody asked that. Lovely. Well, in which case, if there's no more questions, thank you very much for attending, and be hacking.
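The three sinks the talk walks through (innerHTML, the eval over an encodeURI'd term, and the href that gets auto-clicked), each beside a hardened version, as an added example that is not code from the talk or the DOMinica labs. The fake element and document, the function names and the https://example.test/ page origin are constructed for this example so it runs under Node without a browser.

```javascript
"use strict";

const PAGE_ORIGIN = "https://example.test/"; // assumed page origin for relative links

// Constructed stand-ins for the DOM objects the labs touch (not a real DOM).
function fakeElement(tag) {
  return {
    tag, innerHTML: "", textContent: "", href: "", src: "", children: [],
    clicked: 0,
    click() { this.clicked += 1; },
    appendChild(child) { this.children.push(child); return child; },
  };
}
function fakeDocument() {
  const tracker = fakeElement("div");
  return { tracker, createElement: fakeElement, getElementById: () => tracker };
}

// Lab 1 sink: the search term goes straight into innerHTML. A <script>
// inserted this way never runs, but an <img onerror=...> does, which is why
// a scanner that only greps the response for its <script> payload misses it.
function trackingVulnerable(doc, search) {
  doc.getElementById("tracker").innerHTML = search;
}
// Fix: textContent never parses markup, so the term is displayed literally.
function trackingFixed(doc, search) {
  doc.getElementById("tracker").textContent = search;
}

// Lab 2 sink: an eval'd snippet built around encodeURI(search). encodeURI
// (and encodeURIComponent too) leave the single quote untouched, so the
// string literal inside the snippet can still be closed even though the
// space is encoded. Returns the characters of a candidate set that
// encodeURI passes through unchanged.
function encodeUriPassThrough(chars) {
  return [...chars].filter((c) => encodeURI(c) === c).join("");
}
// Fix: never assemble code from input. Create the element through the DOM
// API and set the URL as an attribute only after it passes isSafeHref.
function showImageFixed(doc, search) {
  const img = doc.createElement("img");
  img.src = isSafeHref(search) ? new URL(search, PAGE_ORIGIN).href : "";
  doc.getElementById("tracker").appendChild(img);
  return img.src;
}

// Lab 3 sink: location.hash written into an href that then gets clicked.
// "javascript:" is a valid scheme, so such an href runs on click. Fix: run
// the value through the URL parser (it trims surrounding whitespace and
// lowercases the scheme, so case or leading-space variants cannot slip past
// a naive string match) and allow only http(s); relative links resolve
// against the page origin.
function isSafeHref(href) {
  let parsed;
  try { parsed = new URL(href, PAGE_ORIGIN); } catch (_e) { return false; }
  return parsed.protocol === "http:" || parsed.protocol === "https:";
}
function setTrackerHrefFixed(doc, search) {
  const link = doc.getElementById("tracker");
  link.href = isSafeHref(search) ? new URL(search, PAGE_ORIGIN).href : "#";
  link.click(); // the lab's auto-clicker; harmless once only http(s) remains
  return link.href;
}
```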