<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: R̶E̶D̶A̶C̶T̶E̶D̶</title>
    <description>The latest articles on Forem by R̶E̶D̶A̶C̶T̶E̶D̶ (@didymus).</description>
    <link>https://forem.com/didymus</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F238982%2Fdb02a2eb-5868-4f40-bd3b-1546fb8eb7a6.png</url>
      <title>Forem: R̶E̶D̶A̶C̶T̶E̶D̶</title>
      <link>https://forem.com/didymus</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/didymus"/>
    <language>en</language>
    <item>
      <title>XSS and SQLi Polyglot Payloads</title>
      <dc:creator>R̶E̶D̶A̶C̶T̶E̶D̶</dc:creator>
      <pubDate>Mon, 21 Oct 2019 04:05:28 +0000</pubDate>
      <link>https://forem.com/didymus/xss-and-sqli-polyglot-payloads-4hb4</link>
      <guid>https://forem.com/didymus/xss-and-sqli-polyglot-payloads-4hb4</guid>
      <description>&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fw77mrzh9ge8h5mp6lpp5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fw77mrzh9ge8h5mp6lpp5.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;b&gt;What is 'XSS'?&lt;/b&gt;&lt;br&gt;
Cross-site scripting (XSS) is a code-injection vulnerability found in web applications. It arises when user-controlled input is written into a page without being encoded for the context it lands in (HTML body, tag attribute, JavaScript string, URL), so the browser parses the attacker's input as markup or script instead of as data. In stored XSS the payload is saved by the application and served to every user who views the affected page; in reflected XSS it is bounced straight back from a request, typically a link the victim is lured into clicking. Either way the injected script runs inside the vulnerable site's origin, which is why the same-origin policy does nothing to contain it: the script can read the DOM, read any cookie not flagged HttpOnly, lift tokens from the page or web storage, and issue requests to the application as the logged-in user. Because the page arrives from a site the victim trusts, the browser has no way of telling the injected script from the application's own. The defences are output encoding for the right context, a restrictive Content-Security-Policy, and HttpOnly on session cookies.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;What is 'SQLi'?&lt;/b&gt;&lt;br&gt;
SQLi is SQL injection. Like XSS it is a code-injection technique, aimed at data-driven applications: untrusted input is concatenated into a SQL statement, so characters in the input (a quote that closes a string literal, a comment sequence, an &lt;code&gt;OR&lt;/code&gt; clause) change the structure of the query instead of being treated as data. Depending on what the application's database account is allowed to do, an attacker can bypass authentication, read other users' data, tamper with or destroy data (voiding transactions, changing balances, creating repudiation problems), dump the whole database, or, through features such as file writes and stored procedures, take control of the database server. The fix is to keep data and code separate with parameterised queries (prepared statements) rather than to filter quotes. The first public discussion of SQL injection appeared in Phrack Magazine in 1998.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;What are 'polyglot payloads'?&lt;/b&gt;&lt;br&gt;
A polyglot payload is a single string that is valid, and does something, in several parsing contexts at once: for XSS, inside an HTML attribute, in a text node, and inside a JavaScript string or comment; for SQLi, bare in the query, inside a single-quoted literal, and inside a double-quoted literal. They are useful because one request tests several contexts, so an application's input handling can be probed faster and with fewer log entries to be noticed. There are XSS, SQLi, and file-format (SWF, PDF, etc.) polyglots. In a complex application user input travels through many checkpoints: the route may run from the URL through a filter, into a database, and back out through a decoder before it is ever rendered for another user, and the context the input finally lands in is rarely the one the developer had in mind when writing the filter. One caveat: a polyglot that fires tells you input is reaching a dangerous context, but one that stays silent proves little, because a filter may have mangled one part of it and broken the rest. The chart below illustrates what this input route might look like.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fc48ntvjf0z4y52848cxl.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fc48ntvjf0z4y52848cxl.jpg" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;b&gt;XSS polyglot payload by Rsnake:&lt;/b&gt;&lt;br&gt;
&lt;code&gt;';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--&amp;gt;&amp;lt;/SCRIPT&amp;gt;"&amp;gt;'&amp;gt;&amp;lt;SCRIPT&amp;gt;alert(String.fromCharCode(88,83,83))&amp;lt;/SCRIPT&amp;gt;&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;b&gt;An XSS polyglot payload by Ashar Javed from his XSS PhD research:&lt;/b&gt;&lt;br&gt;
&lt;code&gt;'"&amp;gt;&amp;gt;&amp;lt;marquee&amp;gt;&amp;lt;img src=x onerror=confirm(1)&amp;gt;&amp;lt;/marquee&amp;gt;"&amp;gt;&amp;lt;/plaintext\&amp;gt;&amp;lt;/|\&amp;gt;&amp;lt;plaintext/onmouseover=prompt(1)&amp;gt;&amp;lt;script&amp;gt;prompt(1)&amp;lt;/script&amp;gt;@gmail.com&amp;lt;isindex formaction=javascript:alert(/XSS/) type=submit&amp;gt;'--&amp;gt;"&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt;"&amp;gt;&amp;lt;img/id="confirm&amp;amp;lpar;1)"/alt="/"src="/"onerror=eval(id&amp;amp;%23x29;&amp;gt;'"&amp;gt;&amp;lt;img src="http://i.imgur.com/P8mL8.jpg"&amp;gt;&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;b&gt;XSS polyglot payload by Mathias Karlsson:&lt;/b&gt;&lt;br&gt;
&lt;code&gt;"onclick=alert(1)//&amp;lt;button'onclick=alert(1)//&amp;gt;*/alert(1)//&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;b&gt;An SQLi polyglot payload by Mathias Karlsson:&lt;/b&gt;&lt;br&gt;
&lt;code&gt;SLEEP(1) /*' or SLEEP(1) or'" or SLEEP(1) or "*/&lt;/code&gt;&lt;br&gt;
The above polyglot payload works in single quote context, double quote context, as well as "straight into query" context. Whichever quote (if any) the application wraps the input in, the matching quote inside the payload closes that literal, a bare &lt;code&gt;or SLEEP(1) or&lt;/code&gt; is left in live SQL, and everything else is swallowed either by the &lt;code&gt;/* ... */&lt;/code&gt; comment (bare context) or by a re-opened string literal that the application's own closing quote terminates (quoted contexts), so the statement still parses. The one-second delay is the only signal you get back, which makes this a blind, time-based test: &lt;code&gt;SLEEP()&lt;/code&gt; is MySQL-specific (other databases have their own delay functions), and on a noisy link raise the argument so the delay stands out from normal jitter. Please take the time to view Mathias Karlsson's slideshare below titled 'Polyglot Payloads in Practice'. There are some interesting attack patterns in it. It's also where the ASCII devil came from.&lt;/p&gt;
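&lt;p&gt;Here is an added example (not from the original post or from Karlsson's slides) that makes the three contexts visible. It is a small Python lexer that models how MySQL splits a statement into live code, string literals and comments, runs the polyglot and the classic one-context payload &lt;code&gt;' or SLEEP(1)-- &lt;/code&gt; through three hypothetical query templates, and reports in which contexts &lt;code&gt;SLEEP(1)&lt;/code&gt; survives as live SQL. The templates, table and column names are constructed for the example; the lexer is a simplification of MySQL's (no backticks, no ANSI_QUOTES mode).&lt;/p&gt;

```python
"""Added example, not code from the original post: a small MySQL-style
lexer used to show why Karlsson's SQLi polyglot fires in three injection
contexts while a single-context payload does not."""

POLYGLOT = "SLEEP(1) /*' or SLEEP(1) or'\" or SLEEP(1) or \"*/"
NAIVE = "' or SLEEP(1)-- "          # classic payload, single-quote context only

# Hypothetical query templates, constructed for this example. An application
# that builds SQL this way (string formatting) is the vulnerable pattern.
TEMPLATES = {
    "bare":   "SELECT * FROM users WHERE id = {}",
    "single": "SELECT * FROM users WHERE name = '{}'",
    "double": 'SELECT * FROM users WHERE name = "{}"',
}


def lex(sql):
    """Split sql into (kind, text) segments, kind in code/string/comment.

    Simplified MySQL lexing: '...' and "..." literals with backslash and
    doubled-quote escapes, /* ... */ block comments, and '-- ' or '#' to end
    of line. Backticks and ANSI_QUOTES mode are not modelled. Raises
    ValueError for an unterminated literal or comment, which MySQL would
    reject with a syntax error as well.
    """
    segs, code, i, n = [], [], 0, len(sql)

    def flush():
        if code:
            segs.append(("code", "".join(code)))
            code.clear()

    while i != n:
        c = sql[i]
        if c in "'\"":
            flush()
            j, end = i + 1, None
            while j != n and end is None:
                if sql[j] == "\\":                       # backslash escape
                    j = min(j + 2, n)
                elif sql[j] == c and sql[j + 1:j + 2] == c:
                    j += 2                               # doubled quote ('')
                elif sql[j] == c:
                    end = j
                else:
                    j += 1
            if end is None:
                raise ValueError("unterminated string literal")
            segs.append(("string", sql[i:end + 1]))
            i = end + 1
        elif sql.startswith("/*", i):
            flush()
            j = sql.find("*/", i + 2)
            if j == -1:
                raise ValueError("unterminated block comment")
            segs.append(("comment", sql[i:j + 2]))
            i = j + 2
        elif sql.startswith("#", i) or (
            sql.startswith("--", i) and sql[i + 2:i + 3] in ("", " ", "\t", "\n")
        ):
            flush()
            j = sql.find("\n", i)
            j = n if j == -1 else j
            segs.append(("comment", sql[i:j]))
            i = j
        else:
            code.append(c)
            i += 1
    flush()
    return segs


def live_sql(sql):
    """The SQL the parser acts on: comments dropped, each string literal
    collapsed to '?', whitespace normalised."""
    parts = [text if kind == "code" else "?"
             for kind, text in lex(sql) if kind != "comment"]
    return " ".join(" ".join(parts).split())


def injected(context, payload):
    """The statement an application using TEMPLATES[context] would send."""
    return TEMPLATES[context].format(payload)


def fires(context, payload):
    """True if SLEEP(1) lands in live SQL (delay observable), False if it is
    swallowed by a literal, None if the statement is a syntax error."""
    try:
        return "SLEEP(1)" in live_sql(injected(context, payload))
    except ValueError:
        return None


def matrix(payload):
    """Context -> outcome for one payload."""
    return {ctx: fires(ctx, payload) for ctx in TEMPLATES}


if __name__ == "__main__":
    for name, payload in (("naive", NAIVE), ("polyglot", POLYGLOT)):
        print(f"{name:9}", matrix(payload))
```

&lt;p&gt;Running it prints one row per payload: the naive payload fires only in the single-quote context, breaks the query outright in the bare context (a syntax error in the application log, the opposite of unnoticed) and is inert in the double-quote context, while the polyglot fires in all three.&lt;/p&gt;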

&lt;p&gt;&lt;b&gt;Mirror of RSnake's XSS Cheatsheet:&lt;/b&gt;&lt;br&gt;
&lt;a href="https://www.in-secure.org/misc/xss/xss.html" rel="noopener noreferrer"&gt;https://www.in-secure.org/misc/xss/xss.html&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;b&gt;DEF CON 23 - Jason Haddix - How to Shot Web: Web and mobile hacking in 2015:&lt;/b&gt;&lt;br&gt;
&lt;a href="https://www.youtube.com/watch?v=-FAjxUOKbdI" rel="noopener noreferrer"&gt;https://www.youtube.com/watch?v=-FAjxUOKbdI&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Polyglot Payloads in Practice by Mathias Karlsson:&lt;/b&gt;&lt;br&gt;
&lt;a href="https://www.slideshare.net/MathiasKarlsson2/polyglot-payloads-in-practice-by-avlidienbrunn-at-hackpra" rel="noopener noreferrer"&gt;https://www.slideshare.net/MathiasKarlsson2/polyglot-payloads-in-practice-by-avlidienbrunn-at-hackpra&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Phrack Magazine:&lt;/b&gt;&lt;br&gt;
&lt;a href="http://www.phrack.org" rel="noopener noreferrer"&gt;http://www.phrack.org&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If any of this is interesting to you please stay tuned. Next up is Cross-Site Request Forgery.&lt;/p&gt;

</description>
      <category>xss</category>
      <category>sqli</category>
      <category>pentesting</category>
      <category>infosec</category>
    </item>
    <item>
      <title>Engaging in OverTheWire's Wargames</title>
      <dc:creator>R̶E̶D̶A̶C̶T̶E̶D̶</dc:creator>
      <pubDate>Mon, 07 Oct 2019 03:10:18 +0000</pubDate>
      <link>https://forem.com/didymus/engaging-in-overthewire-s-wargames-1hgp</link>
      <guid>https://forem.com/didymus/engaging-in-overthewire-s-wargames-1hgp</guid>
      <description>&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--o7oA_f4N--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/3nrzo2qytthev9f7bvgq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--o7oA_f4N--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/3nrzo2qytthev9f7bvgq.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;OverTheWire offers a collection of wargames designed to help you learn and practice security concepts, and to foster and exercise a particular way of thinking. Thinking outside of the box is, inarguably, a hacker's or coder's most powerful ability. There are a million-and-one scripts and other tools out there, and all of them are easy to use in comparison with developing this ability; even if you have the knowledge to write them yourself, you will still need the requisite street-smarts to achieve the desired outcome. Developing this mindset will aid you in problem-solving for the rest of your life.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--XIesHO8L--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/9w04b57mlq6trkwsy748.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--XIesHO8L--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/9w04b57mlq6trkwsy748.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;OverTheWire's first wargame, titled 'Bandit', is aimed at absolute beginners. It will teach you the basics you need in order to engage with their other wargames, which increase in difficulty as you move up the levels. Bandit will teach you about using a Linux shell, remote connections, and SSH (Secure Shell). If you are unfamiliar with SSH, here is a very brief explanation. The first version of the protocol (SSH-1) was developed in 1995 by Tatu Ylönen at Helsinki University of Technology, prompted by a password-sniffing attack on the university network. SSH is a cryptographic network protocol for operating network services securely over an unsecured network: it authenticates the server to the client (by host key) and the client to the server (by password or key pair), and encrypts everything in between. Typical uses are remote login, remote command execution, and file transfer (scp, sftp), and any TCP service can be tunnelled through it with port forwarding. It was designed as a replacement for Telnet, rlogin, and rsh, which sent everything, passwords included, in plain text and so were trivially susceptible to interception by anyone who could sniff packets on the path. Will packet analysis be a future blog post? Who knows.&lt;/p&gt;

&lt;p&gt;The games at OverTheWire are organized into levels, and you are meant to complete each level before advancing to the next. Unlike attack-and-defence CTF (capture the flag) matches played red team versus blue team, the OverTheWire wargames are played solo, so there is a lot less 'organizational overhead' needed to get started. Real friends are overrated anyway. Everyone knows from Mr. Robot that the super-leet have imaginary ones. Spoiler alert.&lt;/p&gt;

&lt;p&gt;Bandit currently has 34 levels. The suggested order is to start there at level 0, then, once you have worked through it, move on to Leviathan, Natas, or Krypton. After that they suggest Narnia, Behemoth, Utumno, and Maze, in that order. There are also Vortex, Semtex, Manpage, and Drifter. Bandit is designed to familiarize you with the command line and SSH and to give you some of the skills needed for the later games. Narnia introduces basic binary exploitation; you are given the source code of each level to make the vulnerabilities easier to find. Behemoth deals with common coding mistakes such as buffer overflows, race conditions, and privilege escalation. Most of the beginner games do not require prior coding experience, but it will certainly become useful as you advance. Each shell game has its own SSH port, and these wargames are a great way to get comfortable with the command line and the general concepts of network security.&lt;/p&gt;

&lt;p&gt;To get started with 'Bandit' you will need an SSH client. The host is &lt;code&gt;bandit.labs.overthewire.org&lt;/code&gt; on port &lt;code&gt;2220&lt;/code&gt; (not the default 22), the username is &lt;code&gt;bandit0&lt;/code&gt; and the password is also &lt;code&gt;bandit0&lt;/code&gt;. On first connection ssh will show the server's host-key fingerprint and ask you to confirm it; after that it is remembered in &lt;code&gt;~/.ssh/known_hosts&lt;/code&gt;. You can connect from the command line with:&lt;br&gt;
&lt;br&gt;
 &lt;code&gt;ssh -l bandit0 -p 2220 bandit.labs.overthewire.org&lt;/code&gt;&lt;br&gt;
&lt;/p&gt;

&lt;p&gt;Ubuntu (and most Linux distributions) ships the OpenSSH client by default. If &lt;code&gt;ssh&lt;/code&gt; is missing you only need the client package, not the server: installing &lt;code&gt;openssh-server&lt;/code&gt; would start an SSH daemon listening on your own machine, which you do not need for this.&lt;br&gt;
&lt;/p&gt;

&lt;p&gt;&lt;code&gt;sudo apt update&lt;br&gt;
sudo apt install openssh-client&lt;/code&gt;&lt;br&gt;
&lt;/p&gt;

&lt;p&gt;Windows 10 (version 1803 and later) and Windows 11 ship an OpenSSH client, so the same &lt;code&gt;ssh&lt;/code&gt; command works from PowerShell or cmd. On an older Windows (non-WSL) machine you can download PuTTY here:&lt;br&gt;
&lt;a href="https://www.putty.org"&gt;https://www.putty.org&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;OverTheWire also has a scoreboard, invoked by the &lt;code&gt;wechall&lt;/code&gt; command in the SSH shell and provided by WeChall at &lt;a href="https://www.wechall.net"&gt;https://www.wechall.net&lt;/a&gt;. To use it, register an account on the WeChall website, then go to &lt;code&gt;Account&lt;/code&gt; and &lt;code&gt;WarBoxes&lt;/code&gt; to get your token. The token is a credential that identifies you to WeChall, so treat it like a password and keep it out of dotfiles you sync or publish. Edit your &lt;code&gt;~/.bashrc&lt;/code&gt; adding:&lt;br&gt;
&lt;br&gt;
 &lt;code&gt;export WECHALLUSER="YourUserName"&lt;br&gt;
export WECHALLTOKEN="YOUR-WECHALL-TOKEN-HERE"&lt;/code&gt;&lt;br&gt;
&lt;/p&gt;

&lt;p&gt;Next, edit your &lt;code&gt;~/.ssh/config&lt;/code&gt; and add the block below. &lt;code&gt;SendEnv&lt;/code&gt; forwards the two variables only to hosts matching the pattern (the server must also accept them, which is what makes the &lt;code&gt;wechall&lt;/code&gt; command work on OverTheWire's machines); keep it under this specific &lt;code&gt;Host&lt;/code&gt; pattern rather than &lt;code&gt;Host *&lt;/code&gt;, or the token is sent to every server you log in to:&lt;br&gt;
&lt;br&gt;
 &lt;code&gt;Host *.labs.overthewire.org&lt;br&gt;
  SendEnv WECHALLTOKEN&lt;br&gt;
  SendEnv WECHALLUSER&lt;/code&gt;&lt;br&gt;
&lt;/p&gt;
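&lt;p&gt;To check that the setup above forwards the token only where intended, here is an added example (not from the original post) in Python: it parses ssh_config Host blocks the way ssh does, including negated patterns and the fact that SendEnv accumulates across every matching block instead of taking the first value, and reports which hosts would be sent a given variable. The two config snippets inside it are constructed for the example; Match blocks are not modelled.&lt;/p&gt;

```python
"""Added example, not code from the original post: parse ssh_config Host
blocks the way ssh does and report which environment variables SendEnv
would forward to a given hostname. Use it to confirm the WeChall token
goes only to *.labs.overthewire.org and never under 'Host *'."""
import fnmatch

# Constructed sample configs for this example.
SAMPLE_CONFIG = """
# global option, applies to every host
ServerAliveInterval 30

Host *.labs.overthewire.org
  SendEnv WECHALLTOKEN
  SendEnv WECHALLUSER

Host work-* !work-guest
  User alice
  SendEnv LANG LC_*
"""

# The mistake to catch: the token is forwarded to every server you log in to.
OVERBROAD_CONFIG = """
Host *
  SendEnv WECHALLTOKEN
"""


def host_matches(patterns, hostname):
    """A Host block applies when some pattern matches and no negated
    (!pattern) pattern does. fnmatch's * and ? are close enough to ssh's
    own globbing for hostnames."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(hostname, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(hostname, p) for p in positive)


def sent_env_patterns(config_text, hostname):
    """Set of SendEnv patterns in effect for hostname.

    Most ssh_config options take the first value found, but SendEnv
    accumulates across every matching Host block, and 'SendEnv -NAME'
    removes one again. Match blocks are treated as never matching
    (assumption: the config uses Host blocks only, as in the post)."""
    sent, active = set(), True        # lines before any Host apply to all
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1] if len(parts) == 2 else ""
        if key == "host":
            active = host_matches(value.split(), hostname)
        elif key == "match":
            active = False
        elif key == "sendenv" and active:
            for pat in value.split():
                if pat.startswith("-"):
                    sent.discard(pat[1:])
                else:
                    sent.add(pat)
    return sent


def hosts_receiving(config_text, var_name, probe_hosts):
    """Which of probe_hosts would be sent the variable var_name."""
    return [
        h for h in probe_hosts
        if any(fnmatch.fnmatchcase(var_name, p)
               for p in sent_env_patterns(config_text, h))
    ]


if __name__ == "__main__":
    probes = ["bandit.labs.overthewire.org", "github.com", "work-laptop"]
    for label, cfg in (("sample", SAMPLE_CONFIG), ("overbroad", OVERBROAD_CONFIG)):
        print(label, hosts_receiving(cfg, "WECHALLTOKEN", probes))
```

&lt;p&gt;Run it against the text of your own &lt;code&gt;~/.ssh/config&lt;/code&gt; (read the file and pass the string) with the hosts you actually connect to; if the WeChall token shows up for anything other than OverTheWire hosts, a &lt;code&gt;Host *&lt;/code&gt; block somewhere is leaking it.&lt;/p&gt;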

&lt;p&gt;Additional information:&lt;br&gt;
&lt;a href="https://overthewire.org/wargames/"&gt;https://overthewire.org/wargames/&lt;/a&gt;&lt;br&gt;
&lt;/p&gt;

&lt;p&gt;&lt;code&gt;Please do not hesitate to contact me if there is a particular subject you would like covered in a future blog post.&lt;/code&gt;&lt;br&gt;
&lt;/p&gt;

</description>
      <category>overthewire</category>
      <category>pentesting</category>
      <category>security</category>
      <category>infosec</category>
    </item>
    <item>
      <title>Creepin' with Maltego</title>
      <dc:creator>R̶E̶D̶A̶C̶T̶E̶D̶</dc:creator>
      <pubDate>Mon, 30 Sep 2019 04:25:38 +0000</pubDate>
      <link>https://forem.com/didymus/creepin-with-maltego-2h4o</link>
      <guid>https://forem.com/didymus/creepin-with-maltego-2h4o</guid>
<description>&lt;p&gt;If you are not familiar with the acronym OSINT, it stands for Open-Source INTelligence: data gathered from overt, publicly available sources. Do not make the mistake of thinking that because the information was not obtained through covert, clandestine, or otherwise Secret Squirrel means it is not valuable or actionable. It may have gone by different names, but OSINT has been around for hundreds of years, and these techniques have been the stock-in-trade of national security analysts, law enforcement agents, private investigators, business intelligence professionals, and hackers.&lt;/p&gt;

&lt;p&gt;The information flow of OSINT sources can be broken down essentially to legacy media, internet, public government data, professional and academic publications, commercial data, and what is known as grey literature. Grey literature just refers to things like technical reports, preprints, patents, working papers, business documents, unpublished works, and newsletters.&lt;/p&gt;

&lt;p&gt;Maltego is an extremely powerful proprietary OSINT and forensic tool developed by Paterva. If you ever thought that the Data Structures sprint at Operation Spark would never be useful, well, you would be wrong. Maltego presents data visually as a graph, suitable for link analysis and data mining, but the real power in Maltego is its library of customizable transforms. A transform is a small piece of code that takes one entity (a domain, an IP address, an email address) as input, queries some data source, often an API, for things related to it, and returns the results as new entities linked to the input. Transform output is designed to be extensible so that other transforms can be run on it, and each transform is designed to return the smallest piece of information possible. You may be wondering why someone would want the smallest piece of information possible returned. The more the merrier, right? Well, take the following example from the Maltego documentation:&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--WOX6_LUg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/qupn7k778g684fpudl3t.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--WOX6_LUg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/qupn7k778g684fpudl3t.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--aZPmvr7R--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/hlb6u0b7pfbw8bm8xitb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--aZPmvr7R--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/hlb6u0b7pfbw8bm8xitb.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;br&gt;
"The graph at the top has a whole layer less, whilst showing the same information. Using the second graph allows the analyst to quickly look at things like all the services running on port 80. Doing the same on the graph at the top would mean you would have to traverse up the tree to the IP addresses and then down again to the services giving you other services that are not running on port 80. Modelling your data correctly is a very important step in the process of building your own custom transforms. It is advised to give this step some thought before moving on with actually writing code for your transforms."&lt;/p&gt;

&lt;p&gt;In other words, it's like asking the super computer Deep Thought the answer to life, the Universe, and everything... and getting 42. You have to know the questions to ask in order to gain useful answers. Much of the skill in using Maltego is asking the right questions.&lt;/p&gt;
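&lt;p&gt;The following is an added example, not code from the original post or from Maltego, that puts the quoted advice into a runnable form: a chain of toy transforms over a constructed scan result, one returning a Port entity per open port and one turning a Port into a Service, beside a single 'flat' transform that returns '80/nginx' strings. The layered graph answers 'what is running on port 80?' by reading the children of the Port entities, which is the one-hop query the documentation is after. The maltego.* entity type names and the MaltegoTransformResponseMessage output shape are assumed from Maltego's local-transform conventions; the IP addresses and banners are invented.&lt;/p&gt;

```python
"""Added example, not code from the original post or from Maltego: a toy
transform chain over constructed scan data, illustrating the two rules
quoted above (return the smallest entity you can; pick the model so the
analyst's question is one hop on the graph)."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import NamedTuple

# Constructed scan results for an imaginary netblock (RFC 5737 range).
SCAN = [
    ("203.0.113.10", 80, "nginx/1.18"),
    ("203.0.113.10", 443, "nginx/1.18"),
    ("203.0.113.11", 80, "Apache/2.4"),
    ("203.0.113.12", 22, "OpenSSH_8.2"),
    ("203.0.113.12", 80, "Apache/2.4"),
]


class Entity(NamedTuple):
    """A graph node. Type names follow Maltego's built-in maltego.* entities
    (assumed here); origin plays the role of an additional field carrying the
    IP the entity was derived from, which the next transform needs."""
    etype: str
    value: str
    origin: str = ""


def ip_to_ports(ip):
    """Small transform: IPv4Address -> one Port per open port. The banner is
    deliberately not folded into the value; it becomes a separate entity one
    transform later."""
    return [Entity("maltego.Port", str(port), ip)
            for host, port, _ in SCAN if host == ip]


def port_to_services(port):
    """Small transform: Port (with its origin IP) -> Service."""
    return [Entity("maltego.Service", banner, port.origin)
            for host, p, banner in SCAN
            if host == port.origin and str(p) == port.value]


def ip_to_services_flat(ip):
    """The 'one big transform' alternative: IPv4Address -> '80/nginx/1.18'.
    Same information, but the port is only recoverable by string parsing and
    no further transform can be run on a port by itself."""
    return [Entity("maltego.Service", f"{port}/{banner}", ip)
            for host, port, banner in SCAN if host == ip]


def build_layered_graph(ips):
    """IP -> Port -> Service, the second (layered) graph in the Maltego docs."""
    edges = defaultdict(list)
    for ip in ips:
        node = Entity("maltego.IPv4Address", ip)
        for port in ip_to_ports(ip):
            edges[node].append(port)
            edges[port].extend(port_to_services(port))
    return edges


def services_on_port(edges, port):
    """Analyst question 'what is on port 80?': select every Port entity with
    that value and read its children. One hop, no trip up to the IP layer and
    back down as the flat model would need."""
    hits = set()
    for node, children in edges.items():
        if node.etype == "maltego.Port" and node.value == str(port):
            hits.update((c.origin, c.value) for c in children)
    return sorted(hits)


def to_response_xml(entities):
    """Serialise transform output in the MaltegoTransformResponseMessage
    shape that local transforms write to stdout (format as assumed here)."""
    msg = ET.Element("MaltegoMessage")
    resp = ET.SubElement(msg, "MaltegoTransformResponseMessage")
    ents = ET.SubElement(resp, "Entities")
    for e in entities:
        el = ET.SubElement(ents, "Entity", Type=e.etype)
        ET.SubElement(el, "Value").text = e.value
        if e.origin:
            fields = ET.SubElement(el, "AdditionalFields")
            ET.SubElement(fields, "Field", Name="ip",
                          DisplayName="IP Address").text = e.origin
    ET.SubElement(resp, "UIMessages")
    return ET.tostring(msg, encoding="unicode")


def entity_types(xml_text):
    """Types of the entities in a serialised response (used to check output)."""
    return [e.get("Type") for e in ET.fromstring(xml_text).iter("Entity")]


if __name__ == "__main__":
    graph = build_layered_graph(sorted({ip for ip, _, _ in SCAN}))
    print(services_on_port(graph, 80))
    print(to_response_xml(ip_to_ports("203.0.113.10")))
```

&lt;p&gt;A real local transform reads its input entity from the arguments Maltego passes it and prints the response XML to stdout; the part worth copying is the split into two small transforms, which is what lets the analyst run a further transform on a Port on its own.&lt;/p&gt;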

&lt;p&gt;Maltego can provide a core picture of an organization's network architecture. It arranges the results of API requests into a visual format that makes relationships obvious, and the process is far more efficient than hand-driven searching. For instance, from a website you can extract analytics or advertising tracking IDs; other websites carrying the same ID are very likely owned by the same organization. Next you can look up DNS: which name servers are authoritative for the domain, which IP addresses the hostnames resolve to, and which other domains are served by the same name servers and may also belong to the organization. From DNS you can identify the MX (mail) servers. You can explore the netblock the IPs sit in and find additional services or websites within the organization and, if you ask the right questions, the AS number (autonomous system) the netblock is announced from. All of this is automated and in an easy-to-read visual format. The format matters: laid out as a graph, relationships between nodes stand out that would be missed if the same data were only read in a terminal. Bear in mind that only the DNS, WHOIS and search-style transforms are passive; anything that probes ports or services touches the target directly, so check your scope before running them.&lt;/p&gt;

&lt;p&gt;So as we have learned Maltego can be an invaluable tool to digital forensic and penetration testing specialists. Maltego can do much more than network mapping. Perhaps in an upcoming post I will write on the topic again. In the meantime I hope you enjoyed this post and follow me if you wish to stay tuned.&lt;/p&gt;

&lt;p&gt;Maltego training video for absolute beginners:&lt;br&gt;
&lt;a href="https://www.youtube.com/watch?v=sP-Pl_SRQVo"&gt;https://www.youtube.com/watch?v=sP-Pl_SRQVo&lt;/a&gt;&lt;/p&gt;

</description>
      <category>maltego</category>
      <category>osint</category>
      <category>pentesting</category>
      <category>security</category>
    </item>
  </channel>
</rss>
