Hack le Hector: Volume 1 (Me want cookie?)
January 17, 2011
In my first series of Hack with Hector, I will discuss using cross-site scripting to get you your very own cookie! If you are thinking food right now, then this entry is probably not for you! But if you have red eyes from staring at a computer monitor for too long, then read on mon frere!
There are a number of solutions out there to provide you with a safe and legal way to understand the field of web-application hacking. WebGoat, Mutillidae and Google Gruyere to name but a few. All have their own positives and negatives, but for the purposes of this entry – I’ll discuss cookie-hijacking with Google Gruyere.
With Gruyere, you can download the package and host it yourself, or get set up quickly via appspot.com with a hosted version of Gruyere. Gruyere offers the attacker a number of vulnerable scripts to attack. It is a custom-built application that’s designed to be insecure from the get-go.
In this entry, I will cover exploiting Gruyere’s snippet feature, by using a cross-site scripting attack to retrieve another user’s cookie, and log it remotely in a flat-file. So let’s begin, shall we?
The first thing to do is to create two accounts on your Gruyere installation. I like to call the users attacker and victim. Guess who’s the bad guy?
You should notice upon loading Gruyere for the first time that all users’ snippets are listed on the index page. That is, when any user creates an entry, it is there for all users to see (and execute!) when they visit the homepage. We will use this to our advantage when we add our very own snippet.
So once we have logged in as the evil user (attacker), we will immediately want to start examining how the add-snippet feature processes its posts, and check how well it validates input.
We can see that while alert(‘Hack le Hector!’); is certainly stored in the DB, the script tags are unfortunately removed. Therefore, we need to be a little more cunning. The XSS cheat-sheet over on ha.ckers.org is the bible for XSS obfuscation and is worth a browse.
After a few minutes of tinkering, I eventually got the alert message to execute via an invalid-HTML trick. This involves inserting an unclosed tag directly prior to inserting the script tag. XSS filters may treat the subsequent tags as attributes of that unclosed tag, as opposed to separate elements. However, the browser will still parse the actual script tag as a tag rather than as an attribute, which results in a successful injection.
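The reason the tag-stripping filter above can be beaten is that it tries to recognise and delete dangerous markup while still handing the remainder to the browser as HTML; anything the filter fails to anticipate goes straight through. The fix on the defending side is output encoding (render the stored snippet as text, not markup) plus an HttpOnly session cookie so that script in the page cannot read it. The following Python is an added illustration written for this post, not code from the post or from the Gruyere project; the sample snippet, the `naive_strip_filter` regex and the cookie name are all constructed for the example.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed sample input, the simplest form of what the post describes
# being submitted through the add-snippet feature.
SAMPLE_SNIPPET = "<script>alert('Hack le Hector!')</script> hello"


def naive_strip_filter(text: str) -> str:
    """Blacklist-style filter like the one the post runs into: deletes
    <script ...> and </script> tags and trusts whatever is left over.
    Everything that survives is still rendered as HTML, so the filter
    must predict every malformed-markup variant a browser will accept.
    Shown only to contrast with encode_for_html(); not a safe design."""
    return re.sub(r"</?script[^>]*>", "", text, flags=re.IGNORECASE)


def encode_for_html(text: str) -> str:
    """Output encoding: <, >, &, " and ' become entities, so the stored
    text is displayed verbatim and can never be parsed as markup,
    regardless of how the input was shaped to dodge a filter."""
    return html.escape(text, quote=True)


def render_snippet(stored: str) -> str:
    """What a hardened index page would emit for one stored snippet."""
    return '<div class="snippet">{}</div>'.format(encode_for_html(stored))


def session_cookie_header(name: str, value: str) -> str:
    """Build a Set-Cookie header with HttpOnly (hides the cookie from
    document.cookie, blunting cookie theft even if XSS lands), Secure
    and SameSite=Lax. Cookie name and value are placeholders."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Lax"
    jar[name]["path"] = "/"
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    print("strip filter :", naive_strip_filter(SAMPLE_SNIPPET))
    print("encoded      :", render_snippet(SAMPLE_SNIPPET))
    print(session_cookie_header("SESSION", "placeholder-session-id"))
```

Run it and compare the two outputs: the stripped version still contains the original text in a form the browser will interpret, while the encoded version contains no `<` at all, so there is nothing for the parser to execute. Combining output encoding with an HttpOnly cookie means that even a filter bypass like the unclosed-tag trick cannot turn into a stolen session.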
XSS Cheat Sheet: http://ha.ckers.org/xss.html