epsylon / xsser

Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
https://xsser.03c8.net

Problems injecting XSS for POST method #24

Closed galapogos closed 6 years ago

galapogos commented 6 years ago

Hi, I'm having some problems injecting simple XSS into POST method. My setup is as follows:

  1. A Kali Linux 2017.1 VM with xsser 1.7b
  2. A WebGoat vulnerable web-app installed on a Debian 9.10 VM

Both VMs are running on a host Windows 10 machine.

I'm able to inject a simple "aaa" in the WebGoat "Phishing with XSS" page to get an alert.

However, when I run the following xsser command, I'm unable to get the alert, and xsser shows a failed injection.

xsser --statistics --verbose --url='http://192.168.247.128/WebGoat/attack?Screen=1382523204&menu=900' -p "Username=XSS&SUBMIT=Search" --cookie='JSESSIONID=133E98839FD47DF220A3AF26DB42C219' --checkmethod=POST --payload="aaa%3Cscript%3Ealert(1)%3C%2Fscript%3E" --proxy="http://localhost:8080"

xsser output:

===========================================================================

XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy

===========================================================================
Testing [XSS from URL]...
===========================================================================

[-]Verbose: active
[-]Cookie: JSESSIONID=133E98839FD47DF220A3AF26DB42C219
[-]HTTP User Agent: Googlebot/2.1 (+http://www.google.com/bot.html)
[-]HTTP Referer: None
[-]Extra HTTP Headers: None
[-]X-Forwarded-For: None
[-]X-Client-IP: None
[-]Authentication Type: None
[-]Authentication Credentials: None
[-]Proxy: http://localhost:8080
[-]Timeout: 30
[-]Delaying: 0 seconds
[-]Delaying: 0 seconds
[-]Retries: 1 

[Info] HEAD alive check for the target: (http://192.168.247.128/WebGoat/attack?Screen=1382523204&menu=900) is OK(200) [AIMED]

Sending POST: Username=XSS&SUBMIT=Search 

===========================================================================
Target: http://192.168.247.128/WebGoat/attack?Screen=1382523204&menu=900 --> 2017-10-23 22:16:49.907274
===========================================================================

---------------------------------------------
[+] Trying: Username=XSS&SUBMIT=Searchaaa%3Cscript%3Ealert(1)%3C%2Fscript%3E
[-] Headers Results:

Connection: close
Cache-control: no-cache, no-store
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
http-code: 200
total-time: 0.021438
namelookup-time: 4.2e-05
connect-time: 0.000173
header-size: 187
request-size: 453
response-code: 200
ssl-verifyresult: 0
content-type: text/html; charset=utf-8
cookielist: []

---------------------------------------------
[-] Injection Results:
[+] Checking: url attack with aaa%3Cscript%3Ealert(1)%3C%2Fscript%3E... fail

Searching hash: 45b8ed3c88cc029ed9a81bb79e86c88d in target source code...

Injection failed!

===========================================================================

Mosquito(es) landed!

===========================================================================
[*] Final Results:
===========================================================================

- Injections: 1
- Failed: 1
- Sucessfull: 0
- Accur: 0 %

===========================================================================

===========================================================================
[*] Statistic:
===========================================================================
--------------------------------------------------
Test Time Duration:  0:00:05.142903
--------------------------------------------------
Total Connections: 2
-------------------------
200-OK: 2 | 404: 0 | 503: 0 | Others: 0
Connec: 100 %
--------------------------------------------------
Total Payloads: 1
-------------------------
Checker: 0 | Manual: 1 | Auto: 0 | DCP: 0 | DOM: 0 | Induced: 0 | XSR: 0 | XSA: 0 | COO: 0
--------------------------------------------------
Total Injections: 1
-------------------------
Failed: 1 | Sucessfull: 0
Accur : 0 %
-------------------------
Total Discovered: 0
-------------------------
Checker: 0 | Manual: 0 | Auto: 0 | DCP: 0 | DOM: 0 | Induced: 0 | XSR: 0 | XSA: 0 | COO: 0
--------------------------------------------------
False positives: 0 | Vulnerables: 0
-------------------------
Mana: 350
--------------------------------------------------
[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)

===========================================================================

Apparently xsser didn't replace the XSS in the POSTDATA with the payload, but rather, just appended it to the end of the POSTDATA. This was confirmed in Burp Suite.

After modifying the command to the following:

xsser --statistics --verbose --url='http://192.168.247.128/WebGoat/attack?Screen=1382523204&menu=900' -p "SUBMIT=Search&Username=XSS" --cookie='JSESSIONID=133E98839FD47DF220A3AF26DB42C219' --checkmethod=POST --payload="aaa%3Cscript%3Ealert(1)%3C%2Fscript%3E" --proxy="http://localhost:8080"

I get the following output:

===========================================================================

XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy

===========================================================================
Testing [XSS from URL]...
===========================================================================

[-]Verbose: active
[-]Cookie: JSESSIONID=133E98839FD47DF220A3AF26DB42C219
[-]HTTP User Agent: Googlebot/2.1 (+http://www.google.com/bot.html)
[-]HTTP Referer: None
[-]Extra HTTP Headers: None
[-]X-Forwarded-For: None
[-]X-Client-IP: None
[-]Authentication Type: None
[-]Authentication Credentials: None
[-]Proxy: http://localhost:8080
[-]Timeout: 30
[-]Delaying: 0 seconds
[-]Delaying: 0 seconds
[-]Retries: 1 

[Info] HEAD alive check for the target: (http://192.168.247.128/WebGoat/attack?Screen=1382523204&menu=900) is OK(200) [AIMED]

Sending POST: SUBMIT=Search&Username=XSS 

===========================================================================
Target: http://192.168.247.128/WebGoat/attack?Screen=1382523204&menu=900 --> 2017-10-23 22:20:26.191490
===========================================================================

---------------------------------------------
[+] Trying: SUBMIT=Search&Username=XSSaaa%3Cscript%3Ealert(1)%3C%2Fscript%3E
[-] Headers Results:

Connection: close
Cache-control: no-cache, no-store
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
http-code: 200
total-time: 0.023588
namelookup-time: 0.000125
connect-time: 0.000338
header-size: 187
request-size: 453
response-code: 200
ssl-verifyresult: 0
content-type: text/html; charset=utf-8
cookielist: []

---------------------------------------------
[-] Injection Results:
[+] Checking: url attack with aaa%3Cscript%3Ealert(1)%3C%2Fscript%3E... fail

Searching hash: 90414d88c726ab7ff75b578642504207 in target source code...

Injection failed!

===========================================================================

Mosquito(es) landed!

===========================================================================
[*] Final Results:
===========================================================================

- Injections: 1
- Failed: 1
- Sucessfull: 0
- Accur: 0 %

===========================================================================

===========================================================================
[*] Statistic:
===========================================================================
--------------------------------------------------
Test Time Duration:  0:00:05.147587
--------------------------------------------------
Total Connections: 2
-------------------------
200-OK: 2 | 404: 0 | 503: 0 | Others: 0
Connec: 100 %
--------------------------------------------------
Total Payloads: 1
-------------------------
Checker: 0 | Manual: 1 | Auto: 0 | DCP: 0 | DOM: 0 | Induced: 0 | XSR: 0 | XSA: 0 | COO: 0
--------------------------------------------------
Total Injections: 1
-------------------------
Failed: 1 | Sucessfull: 0
Accur : 0 %
-------------------------
Total Discovered: 0
-------------------------
Checker: 0 | Manual: 0 | Auto: 0 | DCP: 0 | DOM: 0 | Induced: 0 | XSR: 0 | XSA: 0 | COO: 0
--------------------------------------------------
False positives: 0 | Vulnerables: 0
-------------------------
Mana: 350
--------------------------------------------------
[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)

===========================================================================

This time, checking the response in Burp Suite shows that the alert is indeed inside. However, xsser still reports a failed injection. I notice that only HEAD and POST methods were logged in Burp Suite when xsser runs, but during manual injection with a browser, POST and quite a few GETs were logged. This is also confirmed in the server logs shown below.

Server logs for manual injection:

192.168.247.1 - - [24/Oct/2017:10:09:39 +0800] "POST /WebGoat/attack?Screen=1382523204&menu=900 HTTP/1.1" 200 1021 "http://192.168.247.128/WebGoat/start.mvc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.247.1 - - [24/Oct/2017:10:09:39 +0800] "GET /WebGoat/service/lessoninfo.mvc HTTP/1.1" 200 466 "http://192.168.247.128/WebGoat/start.mvc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.247.1 - - [24/Oct/2017:10:09:41 +0800] "GET /WebGoat/service/lessonplan.mvc HTTP/1.1" 200 1064 "http://192.168.247.128/WebGoat/start.mvc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.247.1 - - [24/Oct/2017:10:09:41 +0800] "GET /WebGoat/service/solution.mvc HTTP/1.1" 200 1879 "http://192.168.247.128/WebGoat/start.mvc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.247.1 - - [24/Oct/2017:10:09:41 +0800] "GET /WebGoat/service/source.mvc HTTP/1.1" 200 8396 "http://192.168.247.128/WebGoat/start.mvc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.247.1 - - [24/Oct/2017:10:09:41 +0800] "GET /WebGoat/service/cookie.mvc HTTP/1.1" 200 506 "http://192.168.247.128/WebGoat/start.mvc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.247.1 - - [24/Oct/2017:10:09:41 +0800] "GET /WebGoat/service/lessonprogress.mvc HTTP/1.1" 200 449 "http://192.168.247.128/WebGoat/start.mvc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.247.1 - - [24/Oct/2017:10:09:41 +0800] "GET /WebGoat/service/hint.mvc HTTP/1.1" 200 4648 "http://192.168.247.128/WebGoat/start.mvc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.247.1 - - [24/Oct/2017:10:09:41 +0800] "GET /WebGoat/service/lessonmenu.mvc HTTP/1.1" 200 11285 "http://192.168.247.128/WebGoat/start.mvc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"

Server logs for xsser injection:

192.168.247.1 - - [24/Oct/2017:10:08:36 +0800] "HEAD /WebGoat/attack?Screen=1382523204&menu=900 HTTP/1.1" 200 230 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.168.247.1 - - [24/Oct/2017:10:08:36 +0800] "POST /WebGoat/attack?Screen=1382523204&menu=900 HTTP/1.1" 200 1688 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

There seem to be two things wrong here:

  1. xsser isn't replacing the "XSS" string in POSTDATA with the payload, but instead just appends the payload to the POSTDATA.
  2. No GET methods after POST, and doesn't detect the payload in the HTTP response, leading to a failed injection.

leisipeisi commented 6 years ago

Hi,

I had a similar problem and tried to investigate a little further.

My setting: I have a Kali Linux VM and my aim is a DVWA running on 192.168.0.3. Make sure you have the newest version of XSSer, the version shipped with my Kali Linux did not replace 'XSS' in POSTDATA.

1. Empty POSTDATA

The command I used was: ./xsser -u "http://192.168.0.3/vulnerabilities/xss_s/" -p "txtName=Eve&mtxMessage=XSS&btnSign=Sign+Guestbook" --cookie "PHPSESSID=8257069907ff7323fda7f8a7213b2528; security=low"

And I received:

[+] Trying: http://192.168.0.3/vulnerabilities/xss_s/ (POST: )

Using Burp I saw that the request indeed had no POSTDATA included. Solution: --no-head solved it for me.

2. Check fails

After adding --no-head, the POST request was all fine and the injection worked (I saw the injection on the website), BUT the check of XSSer failed and told me the injection was not successful. The reason for that is that the value url_orig_hash is set to a value X in line 603 of main.py. This value is, as far as I saw, included in the POSTDATA and it is indeed the value I saw injected on the website. In line 659 url_orig_hash is set again to a value Y. This is the value XSS used to check if the injection was successful. Since X != Y holds, the injection was declared as not successful.

I don't have a solution for this since I am not sure I understood all things happening in the code, but this is the reason for my failing POST injection.
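
The two defects discussed in this thread, the payload being appended to POSTDATA instead of substituted for the XSS keyword (galapogos's point 1) and the marker hash being regenerated between injection and check (leisipeisi's point 2), modelled in Python as an added example. This is not XSSer's code: `new_marker()` stands in for `url_orig_hash`, and `echo_server`/`escaped_server` are constructed stand-ins for the target page.

```python
import hashlib
import html
import os
from urllib.parse import parse_qsl, urlencode

KEYWORD = "XSS"  # placeholder XSSer expects inside -p POSTDATA and the payload

def new_marker() -> str:
    """Random marker standing in for XSSer's url_orig_hash."""
    return hashlib.md5(os.urandom(16)).hexdigest()

def build_post_data(template: str, payload: str) -> str:
    """Substitute the payload for KEYWORD inside field values, never append.
    Appending to the raw POSTDATA (the behaviour reported above) lands the
    payload in whichever field happens to be last; substitution does not."""
    fields = parse_qsl(template, keep_blank_values=True)
    if not any(KEYWORD in value for _, value in fields):
        raise ValueError(f"no {KEYWORD!r} keyword in POSTDATA: {template}")
    return urlencode([(k, v.replace(KEYWORD, payload)) for k, v in fields])

def run_check(post_template: str, payload_template: str, respond,
              regenerate: bool = False) -> bool:
    """Inject a marked payload and look for it, unescaped, in the response.
    regenerate=True reproduces the bug described in the thread: a new marker
    is computed between sending and checking, so X != Y and the check fails
    even though the page reflected X."""
    marker = new_marker()
    rendered = payload_template.replace(KEYWORD, marker)
    body = respond(build_post_data(post_template, rendered))
    if regenerate:
        rendered = payload_template.replace(KEYWORD, new_marker())  # X != Y
    # Searching for the bare hash would also match an HTML-escaped reflection
    # (a false positive); requiring the whole rendered payload does not.
    return rendered in body

# Constructed stand-ins for the target page, not a real application.
def echo_server(post_data: str) -> str:
    msg = dict(parse_qsl(post_data, keep_blank_values=True)).get("mtxMessage", "")
    return f"<html><body><p>{msg}</p></body></html>"  # reflects raw input

def escaped_server(post_data: str) -> str:
    msg = dict(parse_qsl(post_data, keep_blank_values=True)).get("mtxMessage", "")
    return f"<html><body><p>{html.escape(msg)}</p></body></html>"  # encodes output

POST_TEMPLATE = "txtName=Eve&mtxMessage=XSS&btnSign=Sign+Guestbook"
PAYLOAD = "aaa<script>alert(XSS)</script>"  # KEYWORD here becomes the marker
```

With `echo_server` the check passes; with `escaped_server` it correctly reports no injection, and with `regenerate=True` the echoing page is reported as not injectable, which is the false negative described above.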

epsylon commented 6 years ago

@galapogos I think it is related to the keyword (1) that you are using as payload to inject. XSSer will detect on target's code 'XSS'. This is created that way to evade multiple false positives.

Try to change your injection payload this way:

`xsser --statistics --verbose --url='http://192.168.247.128/WebGoat/attack?Screen=1382523204&menu=900' -p "Username=XSS&SUBMIT=Search" --cookie='JSESSIONID=133E98839FD47DF220A3AF26DB42C219' --checkmethod=POST --payload="aaa%3Cscript%3Ealert(XSS)%3C%2Fscript%3E" --proxy="http://localhost:8080"`

@leisipeisi I will review that -> `Solution: --no-head solved it for me.`