Wednesday, March 9, 2011

Browser Exploitation for Fun & Profit Revolutions

Unexpectedly, at the end of last week I had to prepare, in less than 24 hours, the third (and, for now, last) episode of the "Browser Exploitation for Fun and Profit" trilogy, dubbed "Revolutions". With this one, the "Matrix-like" series is over ;)

I have had most of the ideas I wanted to highlight in the third episode on my mind for a few weeks/months, but had to put them all together in a slide deck for a last-minute presentation slot at the awesome Rooted CON 2011 Spanish security and hacking conference. It was the perfect scenario to finish the trilogy:

Picture by @a_zumito.

The full trilogy is available in three different Taddong blog posts and the associated presentations:
Each episode's content builds to some extent on the topics and knowledge covered in the previous episodes, keeping the overlap to a minimum except for the most important messages and goals I wanted to address with this initiative:
  • XSS vulnerabilities and attacks are undervalued, and both their risk and real impact must be seriously considered by any organization interested in protecting its web applications and, collaterally, its web users and clients.
  • XSS (Cross-Site Scripting) should be renamed WCI (Web Content Injection) in order to reflect the real scope of the attack, as well as what can really be done with it.
  • One of the main goals was to provide web application pen-testers with an open-source XSS exploitation platform, based on Samurai WTF, BeEF (the old PHP-based and the new Ruby-based versions) and Metasploit, to push XSS vulnerabilities to the limit and be able to really demonstrate the impact of XSS.
This third episode emphasizes all these main principles, focusing on the current XSS state of the art and using (again) a practical live demo, plus two related topics I still had pending publication:
  • A "new" kind of XSS I have dubbed "Global (or URL-based) non-persistent XSS": I call it "new" not to claim I am the one who discovered it, but to emphasize how most organizations put all their attention on enforcing input validation and output encoding to mitigate XSS vulnerabilities in HTTP parameters (GET and POST) and HTTP headers, forgetting about the URL itself.
    There are specific scenarios, such as web applications with multi-language support, where this vulnerability is especially relevant, in particular due to its global nature: it affects every resource within the web application, since the URL path is reflected on every page.
  • Multi-technology WCI (or XSS) on mobile devices: XSS, or better said WCI, affects not only traditional web applications and web browsers but also other "web clients" (or web-based user interfaces) associated with wireless technologies, such as the SMS or Bluetooth notification systems in mobile devices like Windows Mobile (WM) 6.1, WM 6.5 (HTC), or Palm WebOS. My bet is that other inputs, such as barcodes, QR codes, or audio, will affect mobile devices in the near future too!
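As an added example (not code from the original post or the presentation), the Python below sketches the URL-based reflection described in the first bullet: a multi-language site rebuilds the current request path into its language-switch links, so the path itself becomes an injection point on every page. The vulnerable builder reflects the raw path; the hardened one canonicalises the path and encodes it on output. The last function applies the same output-encoding rule to a web-based notification view of the kind the second bullet mentions. The function names, the language list and the sample paths are assumptions constructed for this demo.

```python
import html
from urllib.parse import quote

# Assumed language list for the demo site (not from the original post).
SUPPORTED_LANGS = ("en", "es", "fr")


def language_links_vulnerable(request_path: str) -> str:
    """Language switcher as many multi-language sites build it: the current URL
    path is reflected verbatim into every link so the user lands on the same page
    in another language. Nothing is validated or encoded, so whatever the client
    put in the path ends up inside an href attribute on every page."""
    return "".join(
        f'<a href="/{lang}{request_path}">{lang}</a>' for lang in SUPPORTED_LANGS
    )


def normalize_path(request_path: str) -> str:
    """Canonicalise the untrusted path before reuse:
    - drop query string and fragment (they are not part of the resource path),
    - force a leading slash so the value cannot become a relative or scheme URL,
    - percent-encode everything except '/', unreserved characters and '%'."""
    path = request_path.split("?", 1)[0].split("#", 1)[0]
    if not path.startswith("/"):
        path = "/" + path
    # quote() leaves unreserved chars (letters, digits, -_.~) and '/' untouched;
    # quotes, angle brackets, spaces and the rest become %XX sequences.
    return quote(path, safe="/")


def language_links_hardened(request_path: str) -> str:
    """Hardened switcher: canonicalise first, then HTML-attribute-encode on output
    (defence in depth; after quote() the value contains no HTML metacharacters,
    but the escape keeps the output safe if the normaliser is ever relaxed)."""
    safe_path = html.escape(normalize_path(request_path), quote=True)
    return "".join(
        f'<a href="/{lang}{safe_path}">{lang}</a>' for lang in SUPPORTED_LANGS
    )


def render_notification(sender: str, body: str) -> str:
    """Same rule for a web-based notification UI (SMS/Bluetooth style): the sender
    and message body are attacker-controlled text and are encoded before being
    placed in the HTML view, never concatenated raw."""
    return (
        f'<div class="notification"><span class="from">{html.escape(sender)}</span>'
        f"<p>{html.escape(body)}</p></div>"
    )


if __name__ == "__main__":
    # Constructed sample path containing HTML metacharacters (test vector, not a
    # real URL). The vulnerable builder reproduces them verbatim in each href.
    sample = '/news/"><b>x</b>'
    print("vulnerable:", language_links_vulnerable(sample))
    print("hardened:  ", language_links_hardened(sample))
    print("sms view:  ", render_notification("+0000000000", "<b>hello</b>"))
```

Running the block shows the raw `"><b>x</b>` sequence inside every link of the vulnerable output, while the hardened output carries `/news/%22%3E%3Cb%3Ex%3C/b%3E` in each href and the attribute is never closed early. The point for defenders is that the path must be treated exactly like a GET or POST parameter: validated on input and encoded on output, on every page that reflects it.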
I added a new final step to the live demo to demonstrate the capabilities of the BeEF frame redirect plug-in (by Yori Kvitchko), where the victim user remains hooked to the BeEF framework through the vulnerable web application while the vulnerable web page is hidden under a 100% iframe showing a different page, such as Google. Although this technique still has a few drawbacks from the pen-tester's side, because the original URL and favicon are not replaced by those of the attacker's iframe, they can easily be bypassed on some (web clients of) mobile devices (e.g. iPhone and Android) using URL or address-bar hiding techniques (see the references at the end of the presentation).

I hope everybody who attended any of the related presentations given during the last four months, or who has simply read the material, enjoyed the whole trilogy. Now it is your turn to put that knowledge and those skills into practice and help organizations mitigate the impact and reduce the prevalence of XSS (or WCI) in web applications.

NOTE: In addition to these three episodes, I ran an extra live episode at a special SANS promotion event in Madrid on January 25, 2011, "Browser Exploitation for Fun and Profit - Redux". It was a summary of episodes 1 and 2 in preparation for the last one (potentially) at Rooted CON 2011. The event was used to promote my upcoming 2-day "Metasploit Kung Fu for Enterprise Pen Testing" (SEC580, June 1-2, 2011) and 6-day "Web App Penetration Testing and Ethical Hacking" (SEC542, September 19-24, 2011) training courses, in Spanish, in Madrid later this year.
