Exploiting XSS in Ajax Web Applications

April 12, 2012 by superevr in Security

Following up on yesterdays post Pluck SiteLife software multiple XSS vulnerabilities, let's take a look at how to exploit XSS in JSON responses using Internet Explorer.

Quick introduction to JSON

JSON is a model for encoding data, used by many web applications that want to serve dynamic or updating content within a single web page. It's formatted like so:

{"parameter":"value","next_parameter":"next_value"}

Using a technique called Ajax, JSON data is normally transferred behind the scenes as a web page is loading. Some people may that realize that because Ajax uses the standard HTTP protocol, it's possible to access JSON data directly by navigating the web browser to a specific URL. An example of this is the Twitter API, which allows me to construct a URL that provides a JSON encoded version of my Twitter profile and my last tweet. The JSON code in the response can be accessed directly or used with embedded scripts to display inline information.

<textarea id="nerds" style="width:700; height:34" disabled="true"></textarea>
<script>function callback(twitters){document.getElementById("nerds").value=twitters[0].text}</script>
<script src="https://api.twitter.com/1/statuses/user_timeline.json?include_entities=true&include_rts=true&screen_name=superevr&count=1&callback=callback"></script>

Websites using JSON without proper output encoding are likely to be vulnerable to XSS

Like any other web page, JSON responses are likely to reflect back the values they are given. This becomes problematic when the response contains HTML syntax and characters. Web browsers are designed to render HTML, and as soon as they see it they want to render the code into an image, or a link, or a form field as quickly as possible. When testing for XSS, I inject sample code like the HTML strikeout tag <s > into one of the request parameters, and see if the browser displays text with a line through it. If it does, then that is a pretty good indication of a cross-site scripting vulnerability.

The catch

In a clever attempt to prevent browsers from incorrectly rendering JSON code, the web server presents these pages with a special Content-Type of application/json or application/x-javascript. This tells the browser that it shouldn't render any code here because it has a special use. Unfortunately, this isn't enough. ¹

Content Sniffing for HTML in Internet Explorer

But web browsers really do love rendering code, and will mark-up HTML regardless of the content-type if you give them a good enough excuse. This is called content sniffing, and can be used by attackers in different scenarios to cause malicious JavaScript to run on a website that was thought to be immune to attack. Here are two facts on content sniffing that hackers already know about:

Internet Explorer relies heavily on the file extension when content sniffing.
File extensions can be spoofed by the requestor

This means that user/json will be displayed as plaintext, but user/json.htm can render as HTML! Depending on the web server, there are a several ways to spoof the file extension. A few examples:

/json.htm
/json.html
/json/.html (PHP and Asp.NET applications)
/json;.html (JSP applications) (see three semicolon vulnerabilities)
/json.cgi?a.html (discovered by Hasegawayosuke)

Trouble Shooting

Content sniffing is not always that easy. Here are some factors that may basic tests for content sniffing² :

Unable to add arbitrarily file extensions in the URL path
Site is using HTTPS
Site has headers for cache-control: no-cache or pragma: no-cache
Site has header content-disposition: attachment
Site Content-Type header is set to image/[anything]

Remediation

To protect against this type of vulnerability, several changes must be made. As always, programs should first validate that user input contains appropriate text characters. Also, any time user input is reflected back to a web browser, that text should be encoded properly (e.g. replace < with ~~< or \x3c~~ proper unicode escapes like \u003C). Finally, as an extra protection measure, have the web server include the additional header X-Content-Type-Options: nosniff to prevent content sniffing in Internet Explorer 8+ and other browsers.

JSON is generally designed to be processed in the background by JavaScript, so I understand why developers forget or are unaware of the possible consequences that could happen when the JSON data is accessed directly. Hopefully this post can raise awareness of possible security issues.

Side note: I discovered XSS in the application I used to write this post while writing that last paragraph . I sent the developer an email to follow up. ↩
These settings are not mitigations for XSS and should not be used for content-sniffing prevention. ↩

Pluck SiteLife software multiple XSS vulnerabilities

April 11, 2012 by superevr in Security

On November 30, 2011 I reported to US-CERT that I found multiple XSS vulnerabilities in Demand Media's Pluck SiteLife software. The details of the vulnerabilities (now patched) were published yesterday as US-CERT Vulnerability Note VU#400619.

Heres the original report I sent to US-CERT and on November 30, 2012:

I would like to report multiple XSS vulnerabilities.
...
Here are the vulnerability details for Pluck:
This demonstrates multiple XSS vulnerabilities in the Pluck SiteLife Software. According to a sales associate, "The SiteLife product was rolled into a broad social/community platform offering about 2.5 years ago. It's simply called Pluck now and Pluck 5 is the latest version." The version of Pluck that is exploitable is unknown by me at this time.
Here are a few of the known vulnerable URL's and URL parameters:
http://sitelife.example.host/ver1.0/Direct/Process?referrerURL=x&jsonRequest=<body%20onload=alert(1)//>
(Internet Explorer)
http://sitelife.example.host/ver1.0/Direct/jsonp.htm?r=<img%20src=x%20onerror=alert(2)//>&cb=<body%20onload=alert(1)//>
(Internet Explorer)
http://sitelife.example.host/ver1.0/sys/jsonp.app/.htm?cb=<img%20src=x%20onerror=alert(1)>&widget_path=pluck%2fuser%2fpersona%wffirstperson%2fprofile.app
In addition to the "cv", "jsonRequest", and "r" parameters, the "ctk" parameter is also vulnerable in some instances.
Here is a proof of concept affecting the pluck.com domain: http://sitelife.pluck.com/ver1.0/direct/process?referrerURL=x&jsonRequest=<body%20onload=alert(1)//>
Here are SOME of the sites that appear to be using the vulnerable SiteLife software. ...

I go on to list over 40 popular websites running Pluck SiteLife software that have the vulnerability, which I won't list here.

Tomorrow, I will post an in-depth look at XSS in Ajax Web Applications and tell you why some of these vulnerabilities were Internet Explorer specific.

Bug Bounties Part 1

February 18, 2012 by superevr in Security

I think it's great that companies have started programs to reward ethical hackers that responsibly disclose vulnerabilities before they become a problem to their customers. Each of the vulnerabilities that I will be posting has already been fixed by the group responsible, or the site has been retired. I'm publishing this information because it was an interesting exercise to find these vulnerabilities. I think that by examining previously found vulnerabilities, we can determine patterns that can help reveal vulnerabilities in the future.

Vark.com

One of the first bug bounties I received was for the website "vark.com". Vark.com was a site where users can ask questions, and Vark would find users with knowledge of that topic to answer the question for you. It's pretty cool concept, one that's been done a few times before.

Vark had XSS on the main search query field:

[code autolinks="false"]http://vark.com/users?q=xss%C0%3Cimg+src=x+onerror=alert(1)//&commit=Search[/code]

The cool thing about this attack vector is the characters "%C0%3C" or 0xC03C. If you are unfamiliar, this is an attack on improper decoding of UTF-8 characters. UTF-8 is a variable-width encoding allowing for text characters to be represented by multiple bytes of code (eg. Latin Capital Letter A with Grave À is represented with 0xC380. A funny thing is that there are no characters between 0xC000 and 0xC1FF, even though it falls within the UTF-8 range. A parser that wasn't running correctly could interpret 0xC03C as one character, allowing it to pass a filter against 0x3C ("<"). When a secondary parser or web browser sees an invalid UTF-8 encoding, it will simply ignore the invalid character ("0xC0") and you are left with 0x3C, and the ability to insert malicious code.

The same parsing issue allowed for XSS on new questions that would be viewed by other users.

Google paid out $500 for this vulnerability. Vark.com has since been discontinued.

Jaiku.com

Jaiku was a twitter clone that Google purchased in 2007, and re-launched in 2009 after being brought into the Google development eco-system.

I found XSS on the page that you get after registering for the system. Incidentally, the page could also be visited by users that were not logged in, or users that had been logged in for a long time.

[code autolinks="false"]http://www.jaiku.com/welcome/done?redirect_to=javascript:alert%281%29[/code]

The redirect_to URL was reflected in a link.

Jaiku was losing popularity and with Google Buzz and Google+ initiatives alright out there, it was likely to be shut down soon. However, the Google Security Team told me that there were still quite a few diehard Jaiku users around, and so they paid out $500 for the vulnerability.

Google retired Jaiku.com on January 15, 2012.

spreadsheets.google.com

Google Docs has functionality to create surveys for people to fill out and provide information. The extended description for a survey allowed a user to enter in some HTML elements. Additionally, there is a feature to edit the confirmation page that is presented once the survey is completed, and an attacker could include some HTML here as well. Google has a really comprehensive filter against XSS here, where they actually allow users to enter certain HTML elements (like images, styling, etc). At the time, Google docs didn't seem to be using the latest version of this filter.

The XSS is exploited using <IMG> tag with a "src" attribute set to execute javascript, a vulnerability that affects Internet Explorer 6:

[code autolinks="false"]<img src="javascript:alert('img-src')">xxx</img> //xss[/code]

You can still go to my POC that I sent in to google security, and if you look at the source code of the page you'll see what their filter is now doing to prevent XSS:

[code autolinks="false"]<img src="//images-docs-opensocial.googleusercontent.com/gadgets/proxy?url=javascript:alert(document.domain)&container=docs&gadget=docs&rewriteMime=image/*" /> //xss[/code]

Google sent me a $500 check for reporting this vulnerability.