I have had most of the ideas I wanted to highlight in the third episode on my mind for a few weeks/months, but had to put them all together on a slide deck for a last-minute presentation slot at the awesome Rooted CON 2011 Spanish security and hacking conference. It was the perfect scenario to finish the trilogy:
Picture by @a_zumito.
The full trilogy is available in three different Taddong blog posts and their associated presentations:
- "Browser Exploitation for Fun and Profit". November 2, 2010. SANS Special Webcast. Internet.
- "Browser Exploitation for Fun and Profit Reloaded". December 2, 2010. SANS@Night. SANS London 2010. London, UK.
- "Browser Exploitation for Fun and Profit Revolutions" (this post). March 4, 2011. Rooted CON 2011. Madrid, Spain. Presentation available here.
- XSS vulnerabilities and attacks are undervalued, and both their risk and real impact must be seriously considered by any organization interested in protecting its web applications and, collaterally, its web users and clients.
- XSS (Cross-Site Scripting) should be renamed WCI (Web Content Injection) in order to reflect the real scope of the attack, as well as what can really be done with it.
- One of the main goals was to provide web application pen-testers with an open-source XSS exploitation platform, based on Samurai WTF, BeEF (the old PHP-based and the new Ruby-based versions) and Metasploit, to push XSS vulnerabilities to the limit and be able to really demonstrate the impact of XSS.
- A "new" kind of XSS I have dubbed "Global (or URL-based) non-persistent XSS": I've called it "new" not to claim I'm the one who discovered it, but to emphasize how most organizations put all their attention on enforcing input validation and output encoding to mitigate XSS vulnerabilities mainly in HTTP parameters (GET and POST) and HTTP headers, forgetting about the URL itself.
There are specific scenarios, such as web applications with multi-language support, where this vulnerability is especially relevant, in particular due to its global nature: because every page reflects the URL, it affects all the resources within the web application.
- Multi-technology WCI (or XSS) on mobile devices: XSS, or better said WCI, not only affects traditional web applications and web browsers but also other "web clients" (or web-based user interfaces) associated with wireless technologies, such as the SMS or Bluetooth notification systems in mobile devices, like Windows Mobile (WM) 6.1, WM 6.5 (HTC), or Palm WebOS. My bet is that other inputs, such as barcodes, QR codes, or audio, will affect mobile devices in the near future too!
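To illustrate the "Global (URL-based) non-persistent XSS" idea above in the multi-language scenario, here is an added example (not code from the original post or from any of the tools it mentions): a language-switch link builder that reflects the raw request URL into every page, beside a hardened version that treats the path as untrusted input. The sample request target, the `LANGS` table and the helper names are constructed assumptions.

```python
from html import escape
from urllib.parse import quote, urlsplit

# Constructed sample: the request target a browser would send for a crafted
# link. The payload sits in the URL path, not in a GET/POST parameter.
SAMPLE_REQUEST_TARGET = '/news/item.html"><b>injected</b>?page=2'

# Hypothetical language table of a multi-language site.
LANGS = {"en": "English", "es": "Español"}


def lang_links_vulnerable(request_target: str) -> str:
    """'Before' version: reflects the raw URL into every page so a language
    switch keeps the visitor on the same resource. The path is neither
    validated nor encoded, so every resource of the site becomes a
    non-persistent injection point (the 'global' XSS described above)."""
    return "".join(
        f'<a href="/{code}{request_target}">{name}</a>'
        for code, name in LANGS.items()
    )


def lang_links_hardened(request_target: str) -> str:
    """Hardened version: handle the URL like any other untrusted input.
    1. split the target so the query string is treated separately,
    2. percent-encode the path so only URL-safe characters survive,
    3. HTML-attribute-encode the final href (defence in depth)."""
    parts = urlsplit(request_target)
    safe_path = quote(parts.path, safe="/")      # '"' -> %22, '<' -> %3C ...
    safe_query = quote(parts.query, safe="=&")   # keep only the separators
    target = safe_path + (f"?{safe_query}" if safe_query else "")
    return "".join(
        f'<a href="/{code}{escape(target, quote=True)}">{escape(name)}</a>'
        for code, name in LANGS.items()
    )


def reflects_markup(html_fragment: str) -> bool:
    """Check a test suite or scanner can apply: the <b> tag carried in the
    request target must never come back as live markup."""
    return "<b>" in html_fragment


if __name__ == "__main__":
    print(lang_links_vulnerable(SAMPLE_REQUEST_TARGET))
    print(lang_links_hardened(SAMPLE_REQUEST_TARGET))
```

The same reflection pattern appears wherever a site echoes its own URL (canonical links, breadcrumbs, "share this page" widgets), so the hardened builder applies beyond the language switch.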
I hope everybody who attended any of the related presentations given during the last four months, or who has simply read the material, enjoyed the whole trilogy. Now it is your turn to put that knowledge and those skills into practice and help organizations mitigate the impact and reduce the prevalence of XSS (or WCI) in web applications.
NOTE: In addition to these three episodes, I ran an extra live episode at a special SANS promotion event in Madrid on January 25, 2011, "Browser Exploitation for Fun and Profit - Redux". It was a summary of episodes 1 and 2 in preparation for the last one (potentially) during Rooted CON 2011. The event was used to promote my upcoming 2-day "Metasploit Kung Fu for Enterprise Pen Testing" (SEC580, June 1-2, 2011) and 6-day "Web App Penetration Testing and Ethical Hacking" (SEC542, September 19-24, 2011) training courses in Spanish in Madrid later this year.