Thursday, 26 January 2012

Embedding untrusted HTML XSS+ challenge

Where this came from - skip to the end for the challenge if you do not care :)

During the OWTF workshop at BSides Vienna the interaction with the audience was great. For the purpose of this blog post the conversation on embedding HTML input from an untrusted source developed as follows:

- Olaf first asked something like "Do you sanitise input in OWTF? Like, for example, the tool tip information in the report?" (great question!)

- I answered something like this: "OWTF is a tool that allows code execution by design, I mean, there is a configuration file where you teach it how to run external tools... I think the issue for OWTF is not really on the configuration -pen tester input- but rather what it does with the input from external sites, actually I am not sure that input is really sanitised properly absolutely everywhere so there must be vulnerabilities for sure..."

- Then I remembered a plugin that embeds content (the raw HTML body inside the OWTF report) from a third-party site and showed it as an example of "bad bad coding practice" aka "you should never do this". Then I joked about Marc's question on whether the OWTF report was using Google Analytics :). The Google Analytics script was really from the untrusted source, not OWTF :).

- Chris John Riley then suggested something like "can't you get rid of it?" (good point!)

- And I said something like "I could but it would still be bad, not as bad as now but still bad". What I meant was that if I stripped out <script> tags, the third-party site could still use JavaScript event handlers in HTML attributes, SVG tags, etc., so the situation would still "be bad".

The challenge

So for the new OWTF version I have decided that security folks must preach by example and, after some pain trying to figure out how to do this using Python, I am going to expose my initial solution to the community so that you can try to break it and let me know how it goes :). You can contact me on: name.surname@gmail.com

UPDATE 27/01/2012 - Filter try #1 is broken (see hall of fame below)
UPDATE 27/01/2012 - Filter try #2 is broken (see hall of fame below)
UPDATE 27/01/2012 - Filter try #3 is broken (see hall of fame below)
IMPORTANT TIP: The Backtrack 5 R1 lxml library is slightly weaker (the bypasses for filter #3 do not work if you compile lxml using python 2.7-dev). Filter #4 remains undefeated even on the weaker setup... for now :).
UPDATE 04/02/2012 - Filter try #4 is broken (see hall of fame below)
UPDATE 04/02/2012 - Filter try #5 is broken (see hall of fame below)
Filter try #6 is as follows:


Yes, I am "cheating" (aka trying to follow "best practice" and reuse an apparently good solution instead of a broken home-brew one). I tried to code a solution myself but it was horrible. The library seems to do the basics fine and appears to protect from a number of common attack techniques.

The question is: can you break it? :). Please see installation instructions in the filter script itself (above).

The way the challenge works is:
1) Create a file called "input.txt" with the HTML code of your choice in the same directory
2a) Get the Sanitiser to output evil stuff ... no rules! (XSS, CSS, browser bugs, Java, ActiveX, whatever!)
2b) If you cannot break it but make python choke (i.e. show an error trace) I am also interested!
3) Send me the input.txt PoC file for verification + Let me know how you want me to credit you (name/handle/whatever :))

I will include a ranking of successful breakers that did not wish to be anonymous in an update to this post.

The Sanitiser will be included in the next OWTF release (2-3 weeks maybe).

Thank you in advance for participating! I think the library has more options but I have not explored that yet. Depending on your success there may well be subsequent challenges here :)

Filter try #1 - Hall of Fame
#1 - Mario Heiderich - 26/01/2012
Bypass 1: <style>*{x=expression\28write\28 1\29\29}</style>
Bypass 2: Among many others: <style>@\import "data:,*%7bx:expression%28write%281%29%29%7D";</style>

Filter try #2 - Hall of Fame
#1 - Mario Heiderich - 27/01/2012
Bypass: <a href="javascript:alert(1)">⃒<h1>CLICKME
NOTE: Even basic things like <a href="javascript:alert(1)"> worked .. I hope Filter #3 is harder!

Filter try #3 - Hall of Fame
#1 - @notracecc - 27/01/2012
Bypass: <a href="data:image/svg+xml,%3C%3Fxml%20version%3D%221.0%22%20standalone%3D%22no%22%3F%3E%0A%3C%21DOCTYPE%20svg%20PUBLIC%20%22-%2f%2fW3C%2f%2fDTD%20SVG%201.1%2f%2fEN%22%20%0A%20%20%22http%3A%2f%2fwww.w3.org%2fGraphics%2fSVG%2f1.1%2fDTD%2fsvg11.dtd%22%3E%0A%3Csvg%20width%3D%224in%22%20height%3D%224in%22%20id%3D%22the_svg%22%0A%20%20%20%20%20viewBox%3D%220%200%204%204%22%20version%3D%221.1%22%0A%20%20%20%20%20xmlns%3D%22http%3A%2f%2fwww.w3.org%2f2000%2fsvg%22%3E%0A%09%3Ccircle%20cx%3D%221%22%20cy%3D%221%22%20r%3D%221%22%20fill%3D%22blue%22%20stroke%3D%22none%22%20id%3D%22the_circle%22%2f%3E%0A%20%20%20%3Cscript%20type%3D%22text%2fecmascript%22%3E%0A%20%20%20%3C%21%5BCDATA%5B%0A%20%20%20%5D%5D%3E%0Aalert%281%29%3B%0A%20%20%3C%2fscript%3E%0A%3C%2fsvg%3E">Click</a>

#2 - Mario Heiderich - 27/01/2012
Bypass: <a href='feed:data:x,123456'>Click</a>
NOTE: ok, it looks like the level is going up, thanks!

Filter try #4 - Hall of Fame
#1 - @dreyercito - 04/02/2012 (implied by Filter #5 bypass)
Bypass: <junk1:junk2:junk3:script>alert(1)</junk4>
NOTE: Small variation of the Filter #5 bypass by @dreyercito. Filter #4 is finally broken too :).

Filter try #5 - Hall of Fame
#1 - @dreyercito - 04/02/2012
Bypass: <junk1:junk2:script>alert(1)</junk3>
NOTE: I did not expect less from you my friend :)
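The bypasses above all attack the same weakness: a filter that tries to recognise bad things (a `script` tag, a `javascript:` prefix) instead of admitting only known-good things. The following is an added example written for this page, not the author's Filter #6 and not OWTF code: an allowlist sanitiser using only the Python 3 standard library. Only listed tags and attributes survive, `href` values are checked by scheme after the whitespace and entity tricks browsers tolerate have been normalised away, and the entire content of `script`, `style`, `svg` and similar elements is discarded. The allowlists and the constructed inputs in `SAMPLES` (the hall-of-fame payloads above plus a few classic variants; the combining character from the second payload is written as `\u20d2`) are my choices and assumptions, not values from the post.

```python
"""Allowlist HTML sanitiser (Python 3, standard library only).

Added example for this post; it is not the author's Filter #6 and not OWTF
code. It keeps only known-good tags/attributes, rejects any href scheme that
is not explicitly allowed, and swallows script/style/svg content whole.
"""
import html
import re
from html.parser import HTMLParser

# Assumed allowlists for this example; a real report would tune these.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li",
                "h1", "h2", "h3", "pre", "code", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}        # no style=, no on* handlers
DROP_CONTENT = {"script", "style", "svg", "math", "iframe", "object", "embed"}
VOID_TAGS = {"br"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}   # relative URLs also pass

_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")
_CTRL_RE = re.compile(r"[\x00-\x20\x7f]")


def safe_href(value):
    """Return value when its scheme is allowed (or absent), else None.

    Browsers strip tabs/newlines and leading control characters before they
    parse the scheme, so "java\tscript:" must be judged as "javascript:".
    Entities such as &#9; were already decoded by HTMLParser.
    """
    match = _SCHEME_RE.match(_CTRL_RE.sub("", value))
    if match is None:
        return value                            # relative URL, no scheme
    return value if match.group(1).lower() in ALLOWED_SCHEMES else None


class Sanitiser(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []    # emitted tags, so the output is always balanced
        self.skipping = None   # DROP_CONTENT element currently being swallowed
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            if tag == self.skipping:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT:
            self.skipping, self.skip_depth = tag, 1
            return
        if tag not in ALLOWED_TAGS:
            return             # unknown tags (e.g. junk1:junk2:script) vanish
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue       # drops style=, onclick=, and anything unlisted
            value = value or ""
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue   # javascript:, data:, feed:, vbscript:, ...
            parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s>" % " ".join(parts))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skip_depth -= 1
                if self.skip_depth == 0:
                    self.skipping = None
            return
        if tag in self.open_tags:  # close anything still open inside it
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

    # HTMLParser's defaults already drop comments, <!DOCTYPE> and <?pi?>.

    def result(self):
        self.close()                            # flush buffered text at EOF
        while self.open_tags:                   # close what the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitise(untrusted_html):
    parser = Sanitiser()
    parser.feed(untrusted_html)
    return parser.result()


# Constructed inputs: the hall-of-fame payloads plus a few classic variants.
SAMPLES = {
    "style_expression": r'<style>*{x=expression\28write\28 1\29\29}</style>',
    "js_href": '<a href="javascript:alert(1)">\u20d2<h1>CLICKME',
    "data_href": '<a href="data:text/html,x">Click</a>',
    "feed_href": "<a href='feed:data:x,123456'>Click</a>",
    "namespaced_script": "<junk1:junk2:junk3:script>alert(1)</junk4>",
    "tab_in_scheme": '<a href="java&#9;script:alert(1)">x</a>',
    "event_handler": '<p onclick="alert(1)">hi</p><img src=x onerror=alert(1)>',
    "benign": '<a href="https://owtf.org/" title="OWTF">OWTF</a> a &lt; b',
}


def sanitise_samples():
    return {name: sanitise(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, cleaned in sanitise_samples().items():
        print("%-18s %r" % (name, cleaned))
```

Two design points matter more than the lists themselves. Unknown tags are never "stripped to a known tag" (the namespaced `junk1:junk2:script` case simply disappears and its text is escaped), and the output is rebuilt from the parsed tree rather than patched in place, so whatever the parser mis-tokenised cannot leak through as markup. The check is only as good as the parser agreeing with the browser about where tags begin and end; that is exactly where lxml and `html.parser` differ from one another, so a sanitiser should be tested against the browsers it targets, not only against a payload list.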

Monday, 23 January 2012

BSides Vienna Slides, Demos, Experience and Trivia answers!

BSides Vienna took place last Saturday (21/01/2012) and it was only 3 weeks away from BerlinSides (where I gave the same talk and the same workshop), so the materials I used were almost identical. I decided it was more important to release an OWTF "Vienna" version instead.

However, to keep it simple for the attendees who asked for the slides, here are the links:
- "Silent web app testing by example" - 50 minutes: Slides
- "Introducing OWTF workshop" - 2 hours and 40 minutes: Slides, Video demos, Live demo (the live part is where the improvements in the Vienna version, etc., were discussed). The OWTF project page contains links to everything else. If you have any ideas or feedback of any kind (positive or negative) on this project please do get in touch.

I would like to thank the audience and organisers for their kind words, and special thanks to those who made it to the end of my almost 4 hours of talking: I had never met anybody able to do that before Vienna :).

I think the venue was really nice and the room size was just perfect for the audience. Also nice food and an interesting multi-purpose local sugary beverage "like metasploit" :).

The organisers asked for a contest so I came up with the following trivia questions (btw nobody got the 2nd one right):

Question 1: What is the OWASP Testing Guide item (name and/or code) to review HTML comments?
Answer 1: Testing for application configuration management (OWASP-CM-004).
Link: https://www.owasp.org/index.php/Testing_for_application_configuration_management_(OWASP-CM-004)

Question 2: Name three technologies that allow developers to relax the Same Origin Policy security model
Answer 2: HTML 5 Cross Origin Resource Sharing (CORS), Flash (via crossdomain.xml) and Silverlight (via crossdomain.xml and clientaccesspolicy.xml)
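All three answers work the same way: the site publishes a policy (a crossdomain.xml for Flash, a clientaccesspolicy.xml for Silverlight, or CORS response headers) that tells the browser or plugin which foreign origins may read its responses, and the dangerous versions are the ones that trust everybody. The following added example (my code for this page, not OWTF's CORS or cross-site-flashing plugin code, although it looks for the same class of misconfiguration) audits constructed samples of each policy and shows the permissive setting beside a restricted one. The sample policies, origins and the finding texts are constructed for this example.

```python
"""Audit the three SOP-relaxing mechanisms from the trivia answer.

Added example for this post (not OWTF plugin code). Every input below is a
constructed sample; the functions return a list of findings, empty when the
policy grants nothing to untrusted origins.
"""
import xml.etree.ElementTree as ET

# ElementTree is fine for these local samples; for policies fetched from
# arbitrary hosts, parse with defusedxml to avoid entity-expansion tricks.


def audit_crossdomain(policy_xml):
    """Findings for a Flash crossdomain.xml."""
    findings = []
    root = ET.fromstring(policy_xml)
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": a SWF on any site can '
                            "read responses with the victim's cookies")
        elif domain.startswith("*."):
            findings.append(f'allow-access-from domain="{domain}": every '
                            "subdomain is trusted (one XSS there is enough)")
        if el.get("secure", "true").lower() == "false":
            findings.append('secure="false": http:// SWFs may read https:// responses')
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*" or el.get("headers") == "*":
            findings.append("allow-http-request-headers-from *: cross-site "
                            "requests may carry arbitrary headers")
    return findings


def audit_clientaccesspolicy(policy_xml):
    """Findings for a Silverlight clientaccesspolicy.xml."""
    findings = []
    root = ET.fromstring(policy_xml)
    for allow in root.iter("allow-from"):
        if allow.get("http-request-headers") == "*":
            findings.append('allow-from http-request-headers="*": cross-site '
                            "requests may carry arbitrary headers")
        for dom in allow.iter("domain"):
            uri = dom.get("uri", "")
            if uri == "*":
                findings.append('domain uri="*": a Silverlight app on any site '
                                "may call the granted resources")
            elif "*" in uri:
                findings.append(f'domain uri="{uri}": wildcard trusts every '
                                "matching subdomain")
    return findings


def audit_cors(request_origin, response_headers, trusted_origins):
    """Findings for one CORS response, given the Origin that was sent."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return []
    if acao == "*":
        # Browsers refuse to pair "*" with credentials, so only public data
        # is exposed, but it still means: any origin may read this.
        return ['Access-Control-Allow-Origin: * (any origin may read; ensure '
                'nothing authenticated is served here)']
    if acao == request_origin and request_origin not in trusted_origins:
        note = (" with credentials: any site can read authenticated responses"
                if creds else " (no credentials, so only unauthenticated data)")
        return [f"Access-Control-Allow-Origin reflects the requesting origin "
                f"{request_origin}{note}"]
    return []


# Constructed samples: permissive policy beside its restricted counterpart.
OPEN_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""
TIGHT_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>"""
OPEN_CLIENTACCESS = """<?xml version="1.0"?>
<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="*"><domain uri="*"/></allow-from>
  <grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""
TIGHT_CLIENTACCESS = """<?xml version="1.0"?>
<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="SOAPAction">
    <domain uri="https://partner.example.com"/></allow-from>
  <grant-to><resource path="/api/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""
TRUSTED = {"https://app.example.com"}


def reflecting_server(origin):
    """Model of the classic mistake: echo any Origin back, with credentials."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


if __name__ == "__main__":
    for label, findings in [
        ("crossdomain.xml (open)", audit_crossdomain(OPEN_CROSSDOMAIN)),
        ("crossdomain.xml (tight)", audit_crossdomain(TIGHT_CROSSDOMAIN)),
        ("clientaccesspolicy.xml (open)", audit_clientaccesspolicy(OPEN_CLIENTACCESS)),
        ("CORS reflect", audit_cors("https://attacker.example",
                                    reflecting_server("https://attacker.example"), TRUSTED)),
    ]:
        print(label, findings or ["no findings"])
```

The grep and semi-passive plugins mentioned in the 0.11 changelog retrieve these files; the audit above is the judgement step that follows retrieval. Note that for CORS a single response tells you little: the reflecting server above only reveals itself when probed with an origin the site should not trust, which is why the check takes the request origin as a parameter.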

Thursday, 19 January 2012

OWTF 0.11 "Vienna" released!

Background:
The Offensive (Web, etc) Testing Framework (aka OWTF) is an OWASP+PTES-focused attempt to unite great tools and make pen testing more efficient @owtfp http://owtf.org
WARNING: This tool unites many great tools, websites, knowledge and their associated power, please hack responsibly and always have permission. That being said, happy pwnage :)


Dedicated with special love to BSides Vienna, its organisers and attendants, OWTF 0.11 "Vienna" is here!

NOTE: I ran into some issues with github which forced me to delete the repository and re-create it (in exactly the same location), apologies for the inconvenience!

Some links:
- Project page: http://owtf.org
- You will probably get the most out of this tool if you look at the Presentation Slides first.
- Download OWTF: https://github.com/7a/owtf/tree/master/releases
- Demo interactive reports (Firefox >= 8): https://github.com/7a/owtf/tree/master/demos

Change Log since OWTF 0.10 "Berlin" (Full change log is here):


19/01/2012 - 0.11 "Vienna" pre-alpha release: Dedicated with special love to BSides Vienna, its organisers and attendants
 + Significant report improvements
 + OWTF will now only execute external plugins once regardless of the number of targets (it was 1 x num_targets before, way slower)
 + Host names are now retrieved properly from python via import socket + socket.gethostbyname -> i.e. cannot use dns/host when /etc/hosts is required in a pen test (Bug report credit: Sandro Gauci)
 + Fixed licence to more accurately match 3-clause-BSD (the intended licence :))
 + Created initial FAQ based on actual feedback/questions
 + Added new grep + external plugins for HTML5 Cross Origin Resource Sharing (CORS) (OWTF-WGP-002) - Thanks to Krzysztof Kotowicz for answering my questions + great PoCs :)
 + Added links to interesting resources for manual exploitation, etc on the external CORS plugin (Thanks to Krzysztof Kotowicz)
 + Added links to interesting resources for manual exploitation, etc on the external Cross Site Flashing plugin (Thanks to Krzysztof Kotowicz, Michele Orru, Mario Heiderich)
 + Tweaked cross site flashing passive plugin (google hacking searches) to also search for Silverlight's stuff: clientaccesspolicy.xml, .xap and .scr files
 + Tweaked cross site flashing semi passive plugin to also try to get the clientaccesspolicy.xml file (Silverlight's equivalent to crossdomain.xml)
 + Tweaked regexps for Application Configuration Management (OWASP-CM-004) to reduce false positives
 + Added regexps to Application Configuration Management (OWASP-CM-004) to search for PHP+ASP source code disclosure too
 + Added resources (Nicolas Gregoire's XLT wiki) to XML Injection external plugin (to assist with manual exploitation)
 + Added Nicolas Gregoire's HTTP-Traceroute.py reverse proxy check script to tools/discovery/web/rev_proxy (Thanks to Nicolas for allowing direct redistribution with OWTF!)
   Added GET and TRACE reverse proxy checks using HTTP-Traceroute.py to: Infrastructure Configuration Management (OWASP-CM-003) - with WAF and Load Balancer checks -
   Link for background: http://www.agarri.fr/kom/archives/2011/11/12/traceroute-like_http_scanner/index.html
 + Bug fix: owtf.py -l net (also owtf.py -g net) would crash because there are no net plugins yet: An error message explaining this is now shown instead (Bug report credit: am06, Michele Orru)
 + Bug fix: semi_passive/Testing_for_Cross_site_flashing@OWASP-DV-004.py no longer shows duplicates + minor plugin clean-up
 + Bug fix: Fixed some issues on Transaction DB comparisons that resulted in the Cache not working right
 + Modified web/passive/Spiders_Robots_and_Crawlers@OWASP-IG-001.py to directly submit the form on tool.motoricerca.info (because it does not work via link, uses POST only)
 + Added Start, End and Runtime fields to Plugin Register + Modified report to display the Start + End Date/Time for each plugin (potentially useful to correlate log events)
 + Added http://statsie.com passive analysis link (on Passive Search Engine Discovery)
 + Created a configuration health-check module by massive popular demand :). When OWTF starts it will now warn you when tools are missing and suggest how to fix it.
 + Created initial rudimentary owtf_dir/tools/bt5_install.sh script (incomplete, but getting there) to download tools missing or unreliable in Backtrack 5
 + Updated install script (owtf_dir/install/bt5_install.sh) + /profiles/general/default.cfg to include the latest Arachni version (v0.4.0.2) and verified it works
 + Experimental: Created a Command Register (owtf_review/db/command_register.txt) where information on all commands run is stored:
   - Start+End Date/Time, Runtime, Status (Finished/Cancelled), Actual command run, Command without plugin output info (needed internally for the framework)
   - Purpose 1: Avoid running the same command several times, very useful when you have several domain.com targets. A message like "command already run for target X" appears
   - Purpose 2: Simple date and time correlation becomes possible: Useful for debugging and IDS testing (which exploit worked? what command brought the server down?, etc)
   - Purpose 3: It is simply nice to have a log of every command that was run, and questions like "what tools did you run and how?" become easier to answer
 + Added link to Gareth Heyes' awesome http://shazzer.co.uk project to assist with manual XSS exploitation
 + Added Command execution start date/time information on the screen so that the pen tester can make a better decision (wait/stop it)
 + Experimental: Created a redirect detection mechanism so that it is more intuitive to realise when all URLs are being redirected (i.e. blanket redirect from port 80 to 443)
   - Status will be marked as "302 Found": Instead of the previous "200 OK", which did not reflect the redirect (not ideal but better than 200)
   - URL will be set as the redirected URL: This way it is more obvious if the target is http:// but the transaction log is all https://, that there is a blanket redirect
   - Known issue: The scope can be wrong if the redirect is performed to outside of the target URL, need to work more on this

 + Experimental: If the user supplies only domain names, the scope expands to https + http for each domain
 + Experimental: If a passed URL cannot be reached it is removed from the report (assumed it does not exist) -> useful for huge scopes!

Friday, 6 January 2012

OWTF 0.10 "Berlin" released!

Background:
The Offensive (Web, etc) Testing Framework (aka owtf) is an OWASP+PTES-focused attempt to unite great tools and make pen testing more efficient @owtfp http://owtf.org

NOTE: I believe looking at the slides and demos prior to using this will help.
WARNING: This tool unites many great tools and their power, please hack responsibly and always have permission.


Please note that:
- My code always looks like garbage to me and I am not proud of this or anything I ever wrote (i.e. I always see problems/weaknesses in my code)
- So, owtf "kind of works" but this is an initial prototype and definitely has many weaknesses and bugs!
- Criticism will be welcome and constructive criticism will be welcome twice ;)

Some links:
- Direct download for this release (0.10 Berlin)
- Direct download for Demo interactive report (0.10 Berlin, Multi-URL working) <- only a browser needed for this (best with Firefox >= 8)
- Project change log
- Project page (ideas on what to do with this welcome)
- Github page
- Youtube project channel
- Please have a look at the readme files; your question might have been answered there ;)

Happy pwnage ;)

Contributions of any kind are welcome, some examples: Web design, CSS, JavaScript, python, external scripts, external tools, architecture review, criticism, approach, how tools are run, cool links missing, cool tools missing, etc! (i.e. absolutely anybody can help!)

The biggest limitations at the moment (in my opinion) are:
- Lack of inbound proxy: To be implemented
- Lack of threading: Not as bad as you might think in practice (the underlying tools, especially the heavy ones, do use threading) but it must be solved in the future. Threads by IP might be the best way to go but ideas are very welcome. The problem of implementing threading in a tool like this is avoiding crashing the pen tester's machine (I implemented a solution for this for my OSCP scripts, which has not been ported to owtf yet, but will be in the future)

Tuesday, 3 January 2012

owtf 0.10 "Berlin" 1 URL sample report and update

NOTE: I believe looking at the slides and demos before playing with the interactive report will help.
NOTE 2: The report has been built on HTML 5 localStorage: your flags and notes will be kept even if you close the browser, as long as you use Firefox >= 8 (there is a bug before then) and maybe other browsers (not tested)

After a long night of bug fixing the single URL report seems usable (there were a lot of broken links at BerlinSides, so I was limited in what I could show). The following is an example for you to play with until I fix a few remaining nasty bugs:

owtf 0.10 "Berlin" 1 URL sample report for demo.testfire.net

MD5: bb5b75a7382b9147583fb013db6eac38
SHA1: 41d15d53f0c98eb6a056dd49c8a53c5a1552d1a2


Estimates (largely depending on my body's response to caffeine and inspiration :)):
- 1-2 more owtf nights until I get multi-url working properly, hopefully with the summary counters working
- 1 more night to change licence and upload to github

Will upload the multi-url report as soon as I have it sorted.

Sorry for the delay, I am really doing my best. This is a lot more than I had working for BerlinSides, please bear with me, I think I will have it ready for this week.

In the meantime enjoy :)

Sunday, 1 January 2012

Offensive (Web, etc) Testing Framework slides, demos and info

Happy new year!

I would like to take this opportunity to thank everybody who chose to attend my OWTF workshop despite it happening at the same time as probably one of the best talks at BerlinSides: "Layers of misunderstanding, or how digital radio is not what you think..." by Travis Goodspeed, which I unfortunately missed too since I had to do the workshop :P.

I believe the smart BerlinSides audience had an open mind and understood this somewhat different tool and the philosophy behind it. There was some healthy debate and feedback at the end, which I have already appended to my huge todo list. I really do need to release this asap so that others can help; this project is too extensive for one person only :).

Release
- I hope to release the source code next week(end-ish) as soon as I get a chance to fix the most unacceptable outstanding bugs, change the licence to the right thing on all files and figure out how to upload it all to github.
- Chosen hosting: github (nobody against at BerlinSides)
- Chosen licence: 3-clause-BSD (nobody against at BerlinSides)
- Please do contact me if you have a different opinion on licence and/or hosting. There is still time and this is a hard decision!

The slides are published here (download as PDF if fonts look funny); the demos I used at BerlinSides are here.

Project info:
- OWTF Youtube Project Channel
- Project page
- Twitter handle: @owtfp