Davinder Tutorials

This blog is all about Cyber Security and IT

Friday, April 24, 2020

Reflected XSS - Explained with a real world example

  April 24, 2020    

OVERVIEW OF THE VULNERABILITY:

Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

Suppose a website has a search function which receives the user-supplied search term in a URL parameter:

https://davindertutorials.com/search?term=hello

The application echoes the supplied search term in the response to this URL:

<p>You searched for: hello</p>

Assuming the application doesn't perform any other processing of the data, an attacker can construct an attack like this:

https://davindertutorials.com/status?message=<script>/*+Bad+stuff+here...+*/</script>

This URL results in the following response:

<p>You searched for: <script>/* Bad stuff here... */</script></p>

If another user of the application requests the attacker's URL, then the script supplied by the attacker will execute in the victim user's browser, in the context of their session with the application.

AFFECT OF THE VULNERABILITY
 
If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Among other things, the attacker can:
  • Perform any action within the application that the user can perform.
  • View any information that the user is able to view.
  • Modify any information that the user is able to modify.
  • Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

There are various means by which an attacker might induce a victim user to make a request that they control, to deliver a reflected XSS attack. These include placing links on a website controlled by the attacker, or on another website that allows content to be generated, or by sending a link in an email, tweet or other message.

Because of the external delivery mechanism for the attack means that the impact of reflected XSS is generally less severe than stored XSS, where a self-contained attack can be delivered within the vulnerable application itself.


REAL WORLD EXAMPLE OF THIS VULNNERABILITY:

PUBG's main website https://www.pubg.com has an endpoint that is vulnerable to an injection vulnerability - namely a reflected injection of JavaScript, also known as Reflected Cross Site Scripting (XSS).

Steps To Reproduce:

How this can be done by attacker

Prepare a JavaScript payload that it wants the victim to execute. In this case, for Proof of Concept purposes, our JavaScript code will prompt an alert showing the users' cookies.

alert(document.cookie);

Inject this Javascript code properly into the vulnerable parameter, creating thus a crafted future GET request that will inject the payload.

GET /?p=iqz78'%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3d1%3echplq HTTP/1.1
Host: www.pubg.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://www.pubg.com/es/feed/
Cookie: _icl_current_language=en; _icl_visitor_lang_js=en-us; wpml_browser_redirect_test=0; __cfduid=de74423d435717d651b1c9e2c63f4acc21575460678
As this injection happens in a GET parameter, the attacker simply needs to send the crafted Link that produces this GET request to the victim and have the victim click it.


   / /

  No Comments

Thursday, April 23, 2020

Cache Poisoned Denial of Service Simplified

  April 23, 2020    

Suppose someone try to visit a website lets says "davindertutorials.com" than the request go to the server . But what if the website server is placed in US and I am surfing that website from India . Few minutes earlier my friend who is living near to me accessing that same website . So lets says davindertutorials.com server is in US but is taking services from cloudfare. So cloudfare DNS is holding copy of the page requested by me which is accessed by my friend few minutes earlier is saved in the cache of cloudfare.


Whenever a cache receives a request for a resource, it needs to decide whether it has a copy of this exact resource already saved and can reply with that, or if it needs to forward the request to the application server.


Simplified example of this attack :

> GET /index.html HTTP/1.1 > GET /index.html HTTP/1.1
> Host: example.com > Host: evil.com

Identifying whether two requests are trying to load the same resource can be difficult so requiring that the requests match byte-for-byte is not actually possible so Caches tackle this problem using the concept of cache keys – a few specific components of a HTTP request that are taken to fully identify the resource being requested. In the request above, I've highlighted the values included in a typical cache key in orange.


GET /blog/post.php?mobile=1 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 … Firefox/57.0
Accept: */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://google.com/
Cookie: jessionid=xyz;
Connection: close


This means that caches think the following two requests are equivalent, and will happily respond to the second request with a response cached from the first:

GET /blog/post.php?mobile=1 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 … Firefox/57.0
Cookie: language=pl;
Connection: close

GET /blog/post.php?mobile=1 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 … Firefox/57.0
Cookie: language=en;
Connection: close

This means that caches think the following two requests are equivalent, and will happily respond to the second request with a response cached from the first:

So now if you see, attacker have replaced the language in the cache .. so they can also make many other changes as well

To verify that the cache has been poisoned, just load the homepage in a browser and observe the popup.







   / /

  No Comments

Wednesday, April 22, 2020

XSS found using host header injection

  April 22, 2020    

This vulnerability arise when you give any input to the host parameter and it may reflect back .

 Impact

An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

Real World Example:

Path : /billing-admin/profile/subscription/?l=de
Payload : c5obc'+alert(1)+'p7yd5
Steps to reproduce :
Request Header :
GET /billing-admin/profile/subscription/?l=de HTTP/1.1
Host: www.semrush.com
Accept: /
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c5obc'+alert(1)+'p7yd5
Overview :
The payload c5obc'+alert(1)+'p7yd5 was submitted in the Referer HTTP header. Payload is copied from a request and echoed into the application's immediate response in an unsafe way.


In the above example the payload reflect back in the response causing the rise of the vulnerability.

   / / / / / / /

  No Comments

Password Reset link hijacking via Host Header Poisoning

  April 22, 2020    

This vulnerability raised when a website uses the Host header when sending out password reset links. This allows an attacker to insert a malicious host header, leading to password reset link / token leakage.

Developers often resort to the exceedingly untrustworthy HTTP Host header (_SERVER["HTTP_HOST"] in PHP or in another languages

There are two main ways to exploit this trust in regular web applications. 

The first approach is web-cache poisoning; manipulating caching systems into storing a page generated with a malicious Host and serving it to others.
The second technique abuses alternative channels like password reset emails where the poisoned content is delivered directly to the target.

Impact

The victim will receive the malicious link in their email, and, when clicked, will leak the user's password reset link / token to the attacker, leading to full account takeover.

Example for more understanding

1.) Open up Firefox and Burp Suite.)
2.) Visit the forgot password page (/index.php/login/concrete/forgot_password)
3.) Enter the victim's email address and click Reset and Email Password
4.) Intercept the HTTP request in Burp Suite & change the Host Header to your malicious site / server.
5.) Forward the request and you'll be redirected to your server.
The victim will then receive a password reset e-mail with your poisoned link.


If the victim clicks the link, the reset token will be leaked and the attacker will be able to find the reset token in the server logs. The attacker can then browse to the reset page with the token and change the password of the victim account!

Remediation

Use $_SERVER['SERVER_NAME'] rather than $_SERVER['HTTP_HOST']

   / / / /

  No Comments

HTTP Cache Poisoning via Host Header Injection

  April 22, 2020    


Vulnerability:

Rewriting of links and URLs in cached pages to arbitrary strings by unauthenticated HTTP clients.When the application reflects HTTP Header value back in it's response and it may be possible to poison the server cache. The X-Forwarded-Host is directly reflected as a hyperlink. Than Host Header Attack - Cache Poisoning vulnerability may be there like:

Affected software: ANY site that does not validate HTTP Host: headers.

It is common practice for web programmers and web frameworks to rely on the value of the HTTP Host header to write links. This is for convenience, so that the same software will run on localhost, various testing servers, subdomains, secondary domains, etc, without modification. For example:

<a href="<?=$_SERVER['HTTP_HOST']?>/login">Login</a>

This turns out to be a very, very bad idea in any language. The HTTP Host header is arbitrary text controlled by the client, but common practice treats it as though it were a safe environment variable.

HTTP Request

GET / HTTP/1.1
Host: davindertutorials.com
X-Forwarded-Host: test.com
...
....

HTTP Response

HTTP/1.1 200 OK
....
....
....
<li class="SL_hide" title="Get New Relic on your iPad, iPhone, or Android phone"><a href="http://test.com/mobility">New Relic for iOS & Android</a></li>
....

Now as you see we are able to see test.com in the response.

Mitigation: DO NOT use the value of the Host header for anything. If you must, apply very strict filters to only allow valid FQDNs, and then whitelist the FQDNs you allow. Treat it as you would any arbitrary data coming from the outside. If your webserver is configured to output the value of the Host header (as in the example, and as by default in many webservers), disable that configuration.

   / / /

  No Comments

Host Header attack

  April 22, 2020    

 In simple terms if a website x.com is requested and when i change the host to y.com , if I am able to open the host . Than it is a host header attack.

Vulnerability Description: 

Open Redirection is sometimes used as a part of phishing attacks that confuse visitors about which web site they are visiting.

How to find this Vulnerability 

1. Change host to x.com, Than click on go . If  not able to success . than try below method.
2. Change host to x.com and Set X-Forwarded-Host to original domain.com, if still unable to get success , try the below one
3. Do the opposite to step two , Means change host to original domain.com and Set X-Forwarded-Host to original x.com

If you are unable to find success with the above written steps , Than may be the website is secured for this vulnerability.

Remediation:

If possible, the application should avoid incorporating user-controllable data into redirection targets. In many cases, this behavior can be avoided in two ways:

Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.

Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.


Example of a Bug Reported:

Vulnerable URL:
https://wakatime.com/settings/account?apikeyrefresh=true
Payload: " X-Forwarded-Host: bing.com "
How to reproduce this vulnerability:
  1. Open this URL " https://wakatime.com/settings/account?apikeyrefresh=true " and send it to the repeater in burp suite.
  2. add the payload to the header request and forward the request.
  3. It will directly redirect to bing.com

Impact

Impact:
Whenever a user visits this URL, it will redirect them to site.com. It is used in phishing attacks.

   / / / / /

  No Comments

Sunday, April 12, 2020

SPF Record Missing is an important Security Concern

  April 12, 2020    

What Is SPF/TXT Records?
An SPF record is a type of Domain Name Service (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain.
like : Suppose woodland company have email address as : customersupport@woodland.com , So if  I am able to send a mail using that address that means SPF records are not properly set .

Checking Missing SPF:
There Are Various Ways of Checking Missing SPF Records on a website But the Most Common and Popular way is kitterman.com
Steps to Check SPF Records on a website:-
Go to http://www.kitterman.com/spf/validate.html or mslookup
Enter Target Website Ex: target.com (Do Not Add https/http or www)
Hit Check SPF (IF ANY)
If You see any SPF Record than Domain is Not Vulnerable But if you see Nothing Here then "HURRAY! You Found a Bug"
POC:
Once There is No SPF Records. An Attacker Can Spoof Email Via any Fake Mailer Like Emkei.cz. An Attacker Can Send Email From name "Support" and Email: "support@davindertutorials.com" .With Social Engineering Attack He Can TakeOver User Account Let Victim Knows the Phishing Attack but When He See The Email from the Authorized Domain. He Got tricked Easily.
How to reproduce this
  2. fill all the details
    like
    Name - mycrypto
    email - support@mycrypto.com
    to - your email address
Click on send email .It will directly send a mail from support@davindertutorials.com to you


   / /

  No Comments

Wednesday, March 27, 2019

Understanding the Basics: Confidentiality, Integrity and Availability

  March 27, 2019    



Confidentiality, integrity, and availability, often known as CIA, are the building blocks of information security .

Any attack on an information system will compromise one, two, or all three of these components. Based on which of these components is being compromised the most, efficient security controls can be designed accordingly.


Confidentiality

In layman’s terms, something that is confidential is secret and is not supposed to be disclosed to unintended people or entities. What’s the first thing that comes to your mind that needs to be kept confidential? Probably
your passwords and ATM PINs . There may be many parameters and information items that need to be kept confidential during a particular communication. If confidentiality is compromised, it might result in
unauthorized access to your systems or severe loss to your privacy!

Integrity

In context of the information security (InfoSec) world, integrity means that when a sender sends data, the receiver must receive exactly the same data as sent by the sender. For example, if someone sends a message “Hello!”, then the receiver must receive “Hello!” . Any addition or subtraction of data during transit would mean the integrity has been compromised.

Availability

Availability implies that information is available to the authorized parties whenever required. For example, consider a server that stores the payroll data of company employees. The finance team wants to access it at of fiscal year-end for some reporting purpose. If the server is able to provide all the requested information to the requestors, then its availability is considered good and healthy. But if the server goes down at all (for any intentional or unintentional reason), and the finance team is not able to retrieve required data in time, then we say that the information availability has been affected or compromised.

During an attack on a computer system, at least one of the three, confidentiality, integrity or availability, is affected or compromised.

Various attacks on Confidentiality, Integrity and Availability

Attacks that affect Confidentiality are:
Packet sniffing, password cracking, dumpster diving, wiretapping, keylogging, phishing

Attacks that affect Integrity are:
Salami attacks, data diddling attacks, session hijacking, man-inthe- middle attack

Attacks that affect Availability are :
DoS and DDoS attacks, SYN flood attacks, physical attacks on

   / / / /

  No Comments

Subscribe to: Posts (Atom)