The future of XSS attacks

21:05 21.01.2010

This is the English version of my article The future of XSS attacks.

If a Cross-Site Scripting attack cannot use any tags or angle brackets on a site, it is still possible to conduct the attack through tag attributes: the style attribute, the various event handlers, or sometimes the src attribute. For this the attacker needs quotes (single or double; sometimes no quotes are needed at all) to close the attribute value into which the input is echoed and add a new attribute to that tag, and the new attribute is what carries the code.

When attacking via the style attribute, the following methods are used (the code executes automatically when the page is opened):

1. Via expression(), which works only in Internet Explorer (before IE8).
2. Via background:url() or background-image:url() with a javascript: or vbscript: URI, which works only in Internet Explorer.
3. Via -moz-binding:url(), which works only in Mozilla Firefox and other browsers on the Gecko engine (before Firefox 3).

Examples of attacks with expression() and -moz-binding can be seen in the case of the vulnerabilities at www.ibm.com.

When attacking via event handlers, the following methods are used:

1. Via onMouseOver, onfocus, onblur, onselect, onchange, onclick and other events (the code executes on the corresponding event).
2. Via onerror, onload, onunload (the code executes automatically when the page is opened, or when it is closed in the case of onunload).

An opportunity to use onerror, onload or onunload does not arise very often (those handlers only apply to a limited set of elements, such as img, body and frames), and the other handlers do not fire automatically, so they are less popular for conducting XSS attacks. Attacks via the style attribute are used most often.
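As an added example (not code from the original article or its author), here is a small detector that scans request-log lines for the attribute-injection vectors enumerated above: a quote breakout followed by a new style, on* or src attribute; expression(); -moz-binding; a javascript: or vbscript: URI inside url(); and the event-handler names listed. The log lines are constructed for this example, and their layout ("method path status") is an assumption rather than any real server's format.

```javascript
// Added example, not from the original article: scan request-log lines for
// the attribute-injection XSS vectors discussed above. The log format
// ("method path status") and the sample lines are constructed assumptions.

// Decode %XX escapes leniently: a bare "%" not followed by two hex digits
// (as in "width:100%;") is kept as-is instead of throwing, which is how most
// servers treat malformed escapes. ASCII-only, which is enough for detection.
function lenientUrlDecode(s) {
  return s.replace(/\+/g, ' ')
          .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Each rule is [name, regex]; regexes run against the decoded, lower-cased,
// whitespace-collapsed value so "expression (" style variants are caught too.
const RULES = [
  ['attr-breakout',   /["'][^"'>]*\b(?:style|on[a-z]+|src)\s*=/],
  ['css-expression',  /\bstyle\s*=[^>]*expression\s*\(/],
  ['css-moz-binding', /\bstyle\s*=[^>]*-moz-binding\s*:/],
  ['css-script-uri',  /\bstyle\s*=[^>]*url\s*\(\s*["']?\s*(?:javascript|vbscript)\s*:/],
  ['event-handler',   /\bon(?:mouseover|focus|blur|select|change|click|error|load|unload)\s*=/],
];

function normalize(value) {
  // Decode twice: payloads are often double-encoded to slip past filters.
  const v = lenientUrlDecode(lenientUrlDecode(value));
  return v.replace(/[\s\u0000]+/g, ' ').toLowerCase();
}

// Names of the rules matched by a single parameter value (in RULES order).
function classifyValue(value) {
  const v = normalize(value);
  return RULES.filter(([, re]) => re.test(v)).map(([name]) => name);
}

// Split "path?k=v&k2=v2" out of a log line and classify each parameter value.
function scanLine(line) {
  const path = line.split(' ')[1] || '';
  const q = path.indexOf('?');
  if (q < 0) return [];
  const findings = [];
  for (const pair of path.slice(q + 1).split('&')) {
    const eq = pair.indexOf('=');
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? '' : pair.slice(eq + 1);
    const hits = classifyValue(value);
    if (hits.length) findings.push({ param: name, vectors: hits });
  }
  return findings;
}

function scanLog(lines) {
  return lines.map(scanLine);
}

// Constructed sample log lines (not real traffic). Line 2 is the reflected
// MouseOverJacking PoC from the article; 3-5 are the older style-based vectors.
const SAMPLE_LOG = [
  'GET /script?param=hello 200',
  'GET /script?param=%22%20style=%22width:100%;height:100%;display:block;position:absolute;top:0px;left:0px%22%20onMouseOver=%22alert(document.cookie)%22 200',
  'GET /search?q=%22%20style=%22xss:expression(alert(1))%22 200',
  'GET /profile?name=%27%20style=%27-moz-binding:url(http://site/x.xml%23xss)%27 200',
  'GET /item?id=%22%20style=%22background-image:url(javascript:alert(1))%22 200',
];

for (const [i, findings] of scanLog(SAMPLE_LOG).entries()) {
  console.log(`line ${i}: ${JSON.stringify(findings)}`);
}
```

The attr-breakout rule fires on its own whenever a quote is followed by a new style/on*/src attribute, so an unknown CSS vector still produces at least one finding; the more specific rules name the vector, which is useful for deciding which browser population a payload actually affects.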

But already in 2008, in Firefox 3, the possibility of attack via -moz-binding was removed (partly removed: an attack is still possible, but only using XML files hosted on the same site), which I wrote about in the article XSS attacks in Mozilla Firefox via styles. And in Internet Explorer 8, released at the beginning of 2009, support for expression() was removed. Support for javascript: and vbscript: URIs in background and background-image may also be removed with time.

So in light of these events it has become harder to conduct automated XSS attacks in new browsers under these conditions (when no tags or angle brackets can be used). And the more widespread these browser versions become, the harder it will be to conduct XSS attacks under such conditions in an automated way, without the user having to do anything. On the other hand, browsers such as Opera, Chrome and others are completely resistant to attacks via the style attribute.

To solve this problem, the MouseOverJacking technique, which I have already written about, can be used. This technique allows a fully automated XSS attack, and it is a cross-browser solution that works in all browsers, including IE8: when CSS is used (as in my PoCs) it bypasses IE8's built-in protection against Clickjacking. That protection (the X-Frame-Options header) only restricts framing of the page, while here the injected element lives in the vulnerable page itself, so it does not apply.

That is, MouseOverJacking can be used not only for the specific attacks described in the article about this technique, but for a wide variety of XSS attacks (instead of expression() and -moz-binding). The attack is fully automated, so its effectiveness is the same as with expression() and -moz-binding (and, being cross-browser, it reaches even more users).

Such attacks can be conducted both via MouseOverJacking and via Clickjacking. But MouseOverJacking is more effective: in a Clickjacking attack the victim must click (which does not always happen), whereas MouseOverJacking needs no action from the victim beyond a single mouse movement (which practically always happens).

Examples of PoCs for Cross-Site Scripting vulnerabilities. In both, the injected attributes turn the element into a block covering the whole viewport (absolutely positioned at the top-left corner, 100% wide and 100% high), so the first mouse movement over the page fires onMouseOver.

For reflected XSS (the parameter value is URL-encoded; decoded it reads `" style="width:100%;height:100%;display:block;position:absolute;top:0px;left:0px" onMouseOver="alert(document.cookie)"`, which closes the attribute the parameter is echoed into and appends two new attributes):

http://site/script?param=%22%20style=%22width:100%;height:100%;display:block;position:absolute;top:0px;left:0px%22%20onMouseOver=%22alert(document.cookie)%22

For persistent XSS:

<a href="#" style="width:100%;height:100%;display:block;position:absolute;top:0px;left:0px" onMouseOver="alert(document.cookie)">&nbsp;</a>

Note that the persistent PoC is written as a whole tag; where angle brackets are filtered, the same style and onMouseOver pair is injected into an existing tag exactly as in the reflected PoC.
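An added example (not the article's own code) showing what happens to the reflected PoC above when it lands in an attribute of a vulnerable template, the attribute encoding that defeats it, and a check for the MouseOverJacking condition (an on* handler on an element whose style covers the viewport). The `<input>` template echoing the `param` query parameter is a hypothetical page assumed for illustration, not any real site.

```javascript
// Added example, not from the original article: the reflected PoC against an
// assumed vulnerable template, the hardened template, and a check for the
// MouseOverJacking condition. The <input> template is hypothetical.

// Decode %XX escapes leniently (a bare "%" as in "100%;" is kept).
function lenientUrlDecode(s) {
  return s.replace(/\+/g, ' ')
          .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Vulnerable: the parameter is dropped into the attribute unchanged, so a value
// beginning with a double quote closes value="" and everything after it is
// parsed as new attributes of the same tag.
function renderVulnerable(param) {
  return `<input type="text" name="param" value="${param}">`;
}

// Hardened: encode the characters that can change the meaning of an attribute
// value. The payload then stays inside value="..." as inert text.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}
function renderSafe(param) {
  return `<input type="text" name="param" value="${escapeAttr(param)}">`;
}

// Minimal attribute tokenizer for the first tag in a fragment: returns a map
// of attribute name -> value, roughly as a browser would see them. Enough for
// this example; not a full HTML parser.
function parseFirstTagAttrs(html) {
  const m = html.match(/<[a-z][a-z0-9]*\s*([^>]*)>/i);
  if (!m) return {};
  const attrs = {};
  const re = /([^\s=]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let a;
  while ((a = re.exec(m[1])) !== null) {
    attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
  }
  return attrs;
}

// True when the tag carries an on* handler AND its style makes it cover the
// viewport: the MouseOverJacking condition, where any mouse movement fires it.
function isMouseOverJacked(html) {
  const attrs = parseFirstTagAttrs(html);
  const hasHandler = Object.keys(attrs).some(k => /^on[a-z]+$/.test(k));
  const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
  const covers = /position:(absolute|fixed)/.test(style) &&
                 /width:100%/.test(style) && /height:100%/.test(style);
  return hasHandler && covers;
}

// The reflected PoC's parameter value from the article, as it appears in the URL.
const POC_PARAM = '%22%20style=%22width:100%;height:100%;display:block;position:absolute;top:0px;left:0px%22%20onMouseOver=%22alert(document.cookie)%22';

function demo() {
  const param = lenientUrlDecode(POC_PARAM);
  const vulnerable = renderVulnerable(param);
  const safe = renderSafe(param);
  return {
    vulnerable,
    safe,
    vulnerableJacked: isMouseOverJacked(vulnerable),
    safeJacked: isMouseOverJacked(safe),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The vulnerable render ends with a dangling `"` from the template's own closing quote; browsers ignore it, which is why the payload does not need to account for it. Encoding the quote is what matters: without a raw `"` the parser never leaves the value attribute, so neither the style nor the handler is ever created.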

So I propose using the MouseOverJacking technique for a wide variety of XSS attacks (where tags and angle brackets cannot be used). Security professionals and attackers alike can use this technique to create PoCs for XSS vulnerabilities or to conduct XSS attacks.


14 responses to “The future of XSS attacks”

  1. MaXe says:

    The future of XSS attacks is very limited or non-existent if the Content Security Policy (CSP) in Firefox is implemented correctly on any website in the world.

    You can read more about it here: https://wiki.mozilla.org/Security/CSP

  2. MustLive says:

    MaXe

    Thanks for the comment.

    I know about Content Security Policy. I wrote about it in November, and at that time I tested how CSP works in my browsers. In Mozilla’s CSP demo only two tests passed, in both my old Mozilla and the new Firefox 3. So it is a solution for future versions of the Firefox browser (for now it is not relevant); we’ll see how it is implemented in the next versions of Firefox (in 3.7) and how other browser vendors act on CSP. But the idea is interesting and promising.

    And there is a hole in Mozilla’s CSP implementation, as you can read in Bypassing CSP for fun, no profit ;-) . So they need to improve their CSP.

    So for now the future of XSS attacks is not too dark. And the current mitigations of XSS in new versions of Firefox and IE I bypassed with my MouseOverJacking technique.

    P.S.

    And tell me, what do you think about using MouseOverJacking instead of expression() and -moz-binding for conducting XSS attacks, as a cross-browser solution (which works in any browser, including new versions of Firefox and IE)?

  3. sirdarckcat says:

    @MaXe: LoL, CSP on all websites in the world xDDDDDDDDDDDDDD, let’s talk in 10 years, if CSP is on 50% or more I’ll buy you a beer every day for the rest of your life (I’m a man of my word).

    Greetings!!

  4. MustLive says:

    Eduardo

    You also tell me, what do you think about using MouseOverJacking instead of expression() and -moz-binding for conducting XSS attacks, as a cross-browser solution (which works in any browser, including new versions of Firefox and IE)?

    LoL, CSP on all websites in the world

    Taking into account that XSS has been known since 1998 (persistent XSS was found in 1998, and the term Cross-Site Scripting was introduced in 2000, when reflected XSS was found), and that for now, in 2010, after 12 years, we have a situation where 80-90% of web sites on the Internet have XSS holes, it is quite possible that nothing will greatly change in the next 10 years. So I share sirdarckcat’s confidence in that (CSP will need to go a long way before it spreads enough).

    And because CSP needs not only browser support but also server-side support (web developers need to set the X-Content-Security-Policy header in their web apps), it will take a long time for CSP to spread on the Internet. As web developers make XSS holes and often don’t want to fix them (or do it slowly, or just ignore it), the same can happen with CSP.

  5. sirdarckcat says:

    about:
    > You also tell me, what do you think about using of MouseOverJacking
    > instead of expression() and -moz-binding for conducting XSS attacks as
    > cross-browser solution (which works in any browser, including new
    > versions of Firefox and IE)?

    dude, we’ve all been using this for years..

  6. Ismael Rocha says:

    Good stuff!

  7. MustLive says:

    Ismael Rocha

    You are welcome.

  8. MustLive says:

    dude, we’ve all been using this for years

    sirdarckcat, really? Because I thought XSS via styles (described in my article) was mostly used :-) .

    Are you talking about MouseOverJacking or about XSS via event handlers? Because these are different things, as I mentioned in my article MouseOverJacking attacks (read the “The idea of MouseOverJacking attacks” part of the article).

    MouseOverJacking is an automated attack, while XSS via event handlers is not. I have been using XSS via event handlers for many years (the first time I mentioned such XSS at my site was regarding holes at cenzic.com and picosearch.com), but MouseOverJacking is a different thing. It uses both XSS holes (via onMouseOver) and special ways to make the attack fully automated, to make it comparable to attacks via styles.

    As I mentioned in the current article, attacks via the style property are used most often (I have also used them for many years in my PoCs). And taking into account the situation with modern browsers, I proposed my cross-browser solution.

  9. sirdarckcat says:

    1st, expression works on IE8 on pages without a doctype:
    http://0x.lv/xss.php?nofil&html_xss=

    And on IE you can also use behavior:url(#default#time2) and onbegin if the page has a doctype.. so either way, IE is pretty much pwnable via styles.

    If you want cross browser solutions, we usually use onmouseover with top/width on 100% and position absolute on 0,0.

    Just to mention the first results on google:
    http://sla.ckers.org/forum/read.php?2,24036
    http://sla.ckers.org/forum/read.php?2,31650
    http://sla.ckers.org/forum/read.php?2,15812,page=2

    But yeah, considering we are on 2010 and there are PoCs since 2007, I’m correct on “years”.

    Nice name anyway! I will never use it, but maybe some people will.

    Greetings!!

  10. sirdarckcat says:

    lol, wordpress encoded my PoC xDD

    http://0x.lv/xss.php?nofil&html_xss=%3Ca+style=xss=expression(alert(1))%3E

  11. NotMyRealName says:

    I think this would be better titled “The past of XSS attacks”. Most of this has been known for a long time.

    expression(), background(), -moz-binding(): That is ancient and has been known for a long time.

    Use of tag attributes, like onload, onerror, etc.: Ancient.

    onMouseOver with a clever style: OK, I hadn’t seen that before, but it feels to me like a pretty minor tweak to some existing thing.

    I think you’re hyping this way too hard. Fancy names like “MouseOverJacking”? “The Future of XSS”? It’s just a twist on standard approaches. A clever twist, but come on: have a sense of perspective.

  12. MustLive says:

    lol, wordpress encoded my PoC xDD

    Yes, WP is a fun engine :-) . I’ve fixed your comment.

    sirdarckcat and NotMyRealName

    Thanks for your feedback. It’s important for me to know the thoughts of other security professionals on this topic.

    I see that you are mature security professionals and it’s hard to surprise you on this topic, but in any case there was something new for you in these two articles. And look in my article MouseOverJacking attacks: there are other attack vectors besides XSS (such as DoS, CSRF and others). And feel free to read my other articles, where you will certainly find something interesting and new for yourself.

    I’ll answer your comments separately soon.

  13. Zerial says:

    Hi MustLive,

    I’ve translated to Spanish this article:
    http://blog.zerial.org/seguridad/el-futuro-de-los-ataques-cross-site-scripting-xss/

  14. MustLive says:

    Zerial

    Thanks for your attention to my article and for your work.

    I hope the article was interesting for you (as it seems, since you decided to translate it). And I hope my English version of the article was sufficiently clear for you :-) . I can suggest adding some line breaks (indents) to the text of your version of my article; it would improve its readability.

    And feel free to read my other articles (there are English versions of many of them, some published at my site and some on the WASC Mailing List).
