Hack le Hector: Volume 1 (Me want cookie?)

In my first series of Hack with Hector, I will discuss using cross-site scripting to get you your very own cookie! If you are thinking food right now, then this entry is probably not for you! But if you have red eyes from staring at a computer monitor for too long, then read on mon frere!

There are a number of solutions out there to provide you with a safe and legal way to understand the field of web-application hacking. Web-goat, mutillidae and Google Gruyere to name but a few. All have their own positives and negatives, but for the purposes of this entry – I’ll discuss cooking-hijacking with Google Gruyere.

The field of web-hacking asks that you at least understanding HTML, basic javascript and a scripting language like PHP. This will make your life all the more easier. If you don’t understand any of these yet, then pop over to tizag immediately and start reading!

With gruyere, you can download the package and host it yourself, or get setup quickly via appspot.com with a hosted version of Gruyere. Gruyere offers the attacker a number of vulnerable scripts to attack. It is a custom-built script, that’s designed to be insecure from the get-go.

In this entry, I will cover exploiting Gruyere’s snippet feature, by using a cross-site scripting attack to retrieve another user’s cookie, and log it remotely in a flat-file. So let’s begin, shall we?

The first thing to do is to create two accounts on your Gruyere installation. I like to call the user’s attacker and victim. Guess who’s the bad guy?

You should notice upon loading Gruyere for the first time, that all user’s snippets are listed on the index page. That is – that when any user creates an entry, it is there for all users to see (and execute!) when they visit the homepage. We will use this to our advantage when we add our very own snippet.

So once we have logged in as the evil-user (attacker), we will immediately want to start examining how the add snippet feature processes it’s posts, and check how well it validates input.

With any XSS attack – It’s always worth testing to see if a script tag is allowed.A simple alert test will usually suffice to test whether or not script tags are allowable. The alert function in javascript produces a popup, displaying a text message.

We can see that Gruyere won’t let any schmuck insert malicious javascript! Oh no, it seeks to strip the tags. It’s worth noting, that many web-applications today don’t perform any sort of validation on data prior to inserting it into a database. This is why it’s always important to start at the foundation and work your way up, instead of trying to throw all sorts of obfuscated javascript at the system from the beginning. Don’t use a sledgehammer to crack an egg, mar a deirtear!

We can see that while alert(‘Hack le Hector!); is certainly stored in the DB, with the script tags are unfortunately removed. Therefore, we need to be a little more cunning.The XSS cheat-sheet over on ha.ckers.org is the bible for XSS-obfuscation and is worth a browse.

After a few minutes of tinkering, I got the alert message to eventually process via an invalid HTML trick. This involves inserting an unclosed tag directly prior to a inserting the script tag.  XSS filters may view the subsequent tags as tag attributes, opposed to being separate entities. However, the actually script tag will be parsed as a tag, rather than a tag attribute, which will result in a successful injection.

And there you have it, live-javascript stored in the database. In the second part of Hack le Hector, I will expand on injecting Gruyere’s snippet page, to insert malicious javascript which will submit a user’s cookie to a script on a remote server, along with the source-code for a simple script which will log it for future use.


Webgoat: http://code.google.com/p/webgoat/

Mutillidae: http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10

Gruyere: http://google-gruyere.appspot.com

XSS Cheat Sheet: http://ha.ckers.org/xss.html


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: