OWASP Day @ FIUBA Argentina

nahuel — Thu, 22 Jul 2010 20:29:38 +0000

El día 30 de Junio de 2010 se llevó a cabo el OWASP Day en la sede de Paseo Colón de la Facultad de Ingeniería de la Universidad de Buenos Aires. Se realizaron charlas relacionadas con la Seguridad en Aplicaciones Web y otros aspectos relacionados a la Seguridad de la Información.

Bonsai Information Security participó siendo Sponsor y presentando a Nahuel Grisolía, Project Leader de Bonsai, como ponente en una de las charlas.

Más información sobre el OWASP Day aquí.

A continuación, las Slides que se utilizaron en el evento:

Cross Site Scripting Payloads

andres.riancho — Tue, 13 Oct 2009 14:01:12 +0000

Most of us are tired from the usual Cross Site Scripting vulnerabilities that get reported every day in full-disclosure, so when one of our researchers found a XSS in an Open Source project, we hesitated to publish it. After some thinking, we started to realize that maybe it would be interesting to the general public to see a customized XSS payload that would exploit the Web application, which suddenly made our newly discovered XSS vulnerability much more fun.

The vulnerability that we’re going to be exploiting is a persistent cross site scripting in Achievo . For those that do not know, Achievo is a flexible web-based resource management tool for business environments. Achievo’s resource management capabilities will enable organizations to support their business processes in a simple, but effective manner. This vulnerability was found a while ago by our research team, and has been fixed in version 1.4.0.

The vulnerability is a really basic persistent XSS, where we can write virtually anything in the title of a scheduled meeting. As the meetings from a user can be seen by other users, and most interestingly administrators, the XSS can be exploited to elevate privileges in the application.

With the objective of writing the XSS payload, I developed a JavaScript export feature, that allows w3af users to export any HTTP request to JavaScript, that will reproduce the same request when a user loads the script in a browser.

Using the newly created feature, we were able to easily create a JavaScript payload, that when accessed by an Achievo administrator will perform the following tasks:

Create a new application profile
Apply administrator privileges to the profile
Assign the newly created profile to a common user

You can find the customized XSS payload by clicking here. In order to exploit this vulnerability, a user would need to change the first four variables in the script, upload the script to a publicly accessible web server, and then point the Cross Site Scripting to that resource. After some time, and if an Achievo administrator browses through the schedule, the configured user will elevate their privileges to administrator.

In this case it was impossible (because of the application not having that particular feature) to actually upload new files to the web server, but in many other Web applications, it would have been completely possible to create a XSS payload that would use the administrator privileges to upload a specially crafted file to the web server, which would then provide operating system access to the intruder.

With the creation of tools like w3af’s JavaScript export feature, and the huge amount of XSS vulnerabilities found every day, we think that the time for customized XSS payloads written in minutes instead of hours, has arrived!

Bonsai - Information Security Blog » security

OWASP Day @ FIUBA Argentina

Cross Site Scripting Payloads