This is default featured slide 1 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 2 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 3 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 4 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 5 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

Carriage Return Line Feed (CRLF) | CRLF Injection |HTTP Response Splitting

By  September 09, 2022  No comments

 

What is CRLF?

When a browser sends a request to a web server, the web server answers back with a response containing both the HTTP response headers and the actual website content, i.e. the response body. The HTTP headers and the HTML response (the website content) are separated by a specific combination of special characters, namely a carriage return and a line feed. For short they are also known as CRLF.


The web server uses the CRLF to understand when new HTTP header begins and another one ends. The CRLF can also tell a web application or user that a new line begins in a file or in a text block. The CRLF characters are a standard HTTP/1.1 message, so it is used by any type of web server, including Apache, Microsoft IIS and all others.

What is the CRLF Injection Vulnerability?

In a CRLF injection vulnerability attack the attacker inserts both the carriage return and linefeed characters into user input to trick the server, the web application or the user into thinking that an object is terminated and another one has started. As such the CRLF sequences are not malicious characters, however they can be used for malicious intend, for HTTP response splitting etc.

CRLF injection in web applications

In web applications a CRLF injection can have severe impacts, depending on what the application does with single items. Impacts can range from information disclosure to code execution, a direct impact web application security vulnerability. In fact a CRLF injection attack can have very serious repercussions on a web application, even though it was never listed in the OWASP Top 10 list. For example it is also possible to manipulate log files in an admin panel as explained in the below example.

An example of CRLF Injection in a log file

Imagine a log file in an admin panel with the output stream pattern of IP – Time – Visited Path, such as the below:

If an attacker is able to inject the CRLF characters into the HTTP request he is able to change the output stream and fake the log entries. He can change the response from the webs application to something like the below:

The %0d and %0a are the url encoded forms of CR and LF. Therefore the log entries would look like this after the attacker inserted those characters and the application displays it:

IP – Time – Visited Path

Therefore by exploiting a CRLF injection vulnerability the attacker can fake entries in the log file to obfuscate his own malicious actions. The attacker is literally doing page hijacking and modifying the response. For example imagine a scenario where the attacker has the admin password and executed the restrictedaction parameter, which can only be used by an admin.

The problem is that if the administrator notices that an unknown IP used the restrictedaction parameter, will notice that something is wrong. However, since now it looks like the command was issued by the localhost (and therefore probably by someone who has access to the server, like an admin) it does not look suspicious.


The whole part of the query beginning with %0d%0a will be handled by the server as one parameter. After that there is another & with the parameter restrictedactionwhich will be parsed by the server as another parameter. Effectively this would be the same query as:

HTTP Response Splitting Using CRLF Injection

Since the header of a HTTP response and its body are separated by CRLF characters an attacker can try to inject those. A combination of CRLFCRLF will tell the browser that the header ends and the body begins. That means that he is now able to write data inside the response body where the html code is stored. This can lead to a Cross-site Scripting vulnerability.

An example of HTTP Response Splitting leading to XSS

Imagine an application that sets a custom header, for example:

The value of the header is set via a get parameter called “name”. If no URL encoding is in place and the value is directly reflected inside the header it might be possible for an attacker to insert the above mentioned combination of CRLFCRLF to tell the browser that the request body begins. That way he is able to insert data such as XSS payload, for example:

The above will display an alert window in the context of the attacked domain.

An example of HTTP Response Splitting leading to Redirect

Browser to:

And the server responses with the header:

crlf injection In URL Path

You can send the payload inside the URL path to control the response from the server:

HTTP Header Injection Using CRLF Injection

By exploiting a CRLF injection an attacker can also insert HTTP headers which could be used to defeat security mechanisms such as a browser’s XSS filter or the same-origin-policy. This allows the attacker to gain sensitive information like CSRF tokens. He can also set cookies which could be exploited by logging the victim in the attacker’s account or by exploiting otherwise unexploitable cross-site scripting (XSS) vulnerabilities.

An example of HTTP Header Injection to extract sensitive data

If an attacker is able to inject the HTTP headers that activate CORS (Cross Origin Resource Sharing), he can use javascript to access resources that are otherwise protected by SOP (Same Origin Policy) which prevents sites from different origins to access each other.

New HTTP request in SSRF

Abusing CRLF injection you can craft a new HTTP request and inject it.
A good example can be done using the SoapClient deserialization gadget from in PHP. This class is vulnerable to CRLF inside the user_agent parameter allowing to insert new headers and body content. However, you can even be able to abuse this vulnerability to inject a new HTTP request:

Impacts of the CRLF injection Vulnerability

The impact of CRLF injections vary and also include all the impacts of Cross-site Scripting to information disclosure. It can also deactivate certain security restrictions like XSS Filters and the Same Origin Policy in the victim’s browsers, leaving them susceptible to malicious attacks.

How to Prevent CRLF / HTTP Header Injections in Web Applications

The best prevention technique is to not use users input directly inside response headers. If that is not possible, you should always use a function to encode the CRLF special characters. Another good web application security best practise is to update your programming language to a version that does not allow CR and LF to be injected inside functions that set HTTP headers.

CHEATSHEET OF CRLF INJECTION ATTACK

Read More

Cross-site WebSocket hijacking (CSWSH)

By  September 09, 2022  No comments

 

What is WebSocket?

WebSocket is, like HTTP, a communications protocol that enables interaction between a browser and a web server.
The WebSocket protocol allows both servers and browsers to send messages to each other using a single TCP connection.

This is very useful when trying to create real-time applications such as online games and live chat. For example, Slack’s web app uses WebSocket connections to sync messages in its chat functionality.


In order for a web application to sync in real-time, web servers need to be able to actively push data to its clients. And this is where WebSocket comes in.


Traditionally, HTTP only supports client-initiated communications. This means that every time the real-time application needs to be synced (for example, an online game updating its live leaderboard), the client’s browser would need to send an HTTP request to retrieve the data from the server.

When an application is constantly doing this type of update, this traditional method incurs a lot of unnecessary overhead and ultimately slows down the application.

Whereas the WebSocket protocol solves this problem by creating a persistent connection between the client and the server that allows both client and server-initiated data transfers.

During the lifetime of a WebSocket connection, the client and the server are free to exchange any amount of data without incurring the overhead and latency of using traditional HTTP requests.

How are WebSocket connections established?

A WebSocket connection between a client and a server is established through a WebSocket handshake.


This process is initiated by the client sending a normal HTTP or HTTPS request to the server with the special header: “Upgrade: websocket”. If the server supports WebSocket connections, it will respond with a 101 status code (Switching Protocols). From that point on, the handshake is complete and both parties are free to send data to the other.


Side note: WebSocket uses the ws:// URL scheme, and the wss:// URL scheme for secure connections.

WebSocket connections are normally created using client-side JavaScript like the following:

The wss protocol establishes a WebSocket over an encrypted TLS connection, while the ws protocol uses an unencrypted connection.

To establish the connection, the browser and server perform a WebSocket handshake over HTTP. The browser issues a WebSocket handshake request like the following:

If the server accepts the connection, it returns a WebSocket handshake response like the following:

At this point, the network connection remains open and can be used to send WebSocket messages in either direction.

Note

Several features of the WebSocket handshake messages are worth noting:

  • The Connection and Upgrade headers in the request and response indicate that this is a WebSocket handshake.
  • The Sec-WebSocket-Version request header specifies the WebSocket protocol version that the client wishes to use. This is typically 13.
  • The Sec-WebSocket-Key request header contains a Base64-encoded random value, which should be randomly generated in each handshake request.
  • The Sec-WebSocket-Accept response header contains a hash of the value submitted in the Sec-WebSocket-Key request header, concatenated with a specific string defined in the protocol specification. This is done to prevent misleading responses resulting from misconfigured servers or caching proxies.

The Sec-WebSocket-Key header contains a random value to prevent errors from caching proxies, and is not used for authentication or session handling purposes (It’s not a CSRF token).

Websockets Enumeration

You can use the tool https://github.com/PalindromeLabs/STEWS to discover, fingerprint and search for known vulnerabilities in websockets automatically.

Cross-site WebSocket hijacking (CSWSH)

Also known as cross-origin WebSocket hijacking.
It is a Cross-Site Request Forgery (CSRF) on a WebSocket handshake.


It arises when the WebSocket handshake request relies solely on HTTP cookies for session handling and does not contain any CSRF tokens or other unpredictable values.
An attacker can create a malicious web page on their own domain which establishes a cross-site WebSocket connection to the vulnerable application. The application will handle the connection in the context of the victim user’s session with the application.

Structure of an attack

To carry out the attack, an attacker would create a script that will initiate the WebSocket connection to the victim server. She can then embed that script on a malicious page and trick a user into accessing the page.


When the victim accesses the malicious page, her browser will automatically include her cookies into the WebSocket handshake request (since it’s a regular HTTP request). The malicious script crafted by the attacker will now have access to a WebSocket connection created using the victim’s credentials.

Simple Attack

Note that when establishing a websocket connection the cookie is sent to the server. The server might be using it to relate each specific user with his websocket session based on the sent cookie.


Then, if for example the websocket server sends back the history of the conversation of a user if a msg with “READY” is sent, then a simple XSS establishing the connection (the cookie will be sent automatically to authorise the victim user) sending “READY” will be able to retrieve the history of the conversation.:

Stealing data from user

Copy the web application you want to impersonate (the .html files for example) and inside the script where the websocket communication is occurring add this code:

Now download the wsHook.js file from https://github.com/skepticfx/wshook and save it inside the folder with the web files.


Exposing the web application and making a user connect to it you will be able to steal the sent and received messages via websocket:

The impact of Cross-Site WebSocket Hijacking

Using a hijacked WebSocket connection, the attacker can now achieve a lot of things:

  • WebSocket CSRF: If the WebSocket communication is used to carry out sensitive, state-changing actions, attackers can use this connection to forge actions on behalf of the user. For example, attackers can post fake messages onto a user’s chat groups.
  • Private data retrieval: If the WebSocket communication can be used to retrieve sensitive information via a client request, attackers can initiate fake requests to retrieve sensitive data belonging to the user.
  • Private data leaks via server messages: Attackers can also simply listen in on server messages and passively collect information leaked from these messages. For example, an attacker can use the connection to eavesdrop on a user’s incoming notifications.

How to prevent Cross-Site WebSocket Hijacking

In order to prevent Cross-Site WebSocket Hijacking, an application would need to deny WebSocket handshake requests from unknown origins. There are two ways this can be achieved:

  • Check the Origin header: browsers would automatically include an Origin header. This can be used to validate where the handshake request is coming from. When validating the Origin of the request, be sure to use a whitelist of URLs instead of a blacklist, and use a strict and rigorously tested regex expression.
  • Use CSRF tokens for the WebSocket handshake request: applications could also use a randomized token on a WebSocket handshake request and validate it server-side before establishing a WebSocket connection. This way, if an attacker cannot leak or predict the random token, she will not be able to establish the connection.

WebSocket is a big part of many modern applications. However, it is often overlooked as a potential attack vector.

As Web Sockets are a mechanism to send data to server side and client side, depending on how the server and client handles the information, Web Sockets can be used to exploit several other vulnerabilities like XSS, SQLi or any other common web vuln using input of s user from a websocket.

Read More

Clickjacking| Clickjacking Attacks

By  September 09, 2022  No comments

 

What is Clickjacking?

Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.

Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees. The user believes they are clicking the visible page but in fact they are clicking an invisible element in the additional page transposed on top of it.

The invisible page could be a malicious page, or a legitimate page the user did not intend to visit – for example, a page on the user’s banking site that authorizes the transfer of money.

TYPE Of Clickjacking Vulnerability:-

Likejacking

a technique in which the Facebook “Like” button is manipulated, causing users to “like” a page they actually did not intend to like.


Cursorjacking

a UI redressing technique that changes the cursor for the position the user perceives to another position. Cursorjacking relies on vulnerabilities in Flash and the Firefox browser, which have now been fixed.

Prepopulate forms trick

Sometimes is possible to fill the value of fields of a form using GET parameters when loading a page. An attacker may abuse this behaviours to fill a form with arbitrary data and send the clickjacking payload so the user press the button Submit.

Populate form with Drag&Drop

If you need the user to fill a form but you don’t want to directly ask him to write some specific information (like your email or and specific password that you know), you can just ask him to Drag&Drop something that will write your controlled data like in this example.

Examples Of Clickjacking Attacks:-

Basic Payload

Multistep Payload

Drag&Drop + Click payload

XSS + Clickjacking Vulnerability

If you have identified a XSS attack that requires a user to click on some element to trigger the XSS and the page is vulnerable to clickjacking, you could abuse it to trick the user into clicking the button/link.

Example:
You found a self XSS in some private details of the account (details that only you can set and read). The page with the form to set this details is vulnerable to Clickjacking and you can prepopulate the form with GET parameters.
An attacker could prepared a Clickjacking attack to that page prepopulating the form with the XSS payload and tricking the user into Submit the form. So, when the form is submited and the values are modified, the user will execute the XSS.

How to avoid Clickjacking Attacks?

Client side defences

It’s possible to execute scripts on the client side that perform some or all of the following behaviours to prevent Clickjacking:

  • check and enforce that the current application window is the main or top window,
  • make all frames visible,
  • prevent clicking on invisible frames,
  • intercept and flag potential clickjacking attacks to the user.

Bypass

As frame busters are JavaScript then the browser’s security settings may prevent their operation or indeed the browser might not even support JavaScript. An effective attacker workaround against frame busters is to use the HTML5 iframe sandbox attribute. When this is set with the allow-forms or allow-scripts values and the allow-top-navigation value is omitted then the frame buster script can be neutralized as the iframe cannot check whether or not it is the top window:

Both the allow-forms and allow-scripts values permit the specified actions within the iframe but top-level navigation is disabled. This inhibits frame busting behaviours while allowing functionality within the targeted site.


Depending on the type of Clickjaking attack performed you may also need to allow: allow-same-origin and allow-modals or even more. When preparing the attack just check the console of the browser, it may tell you which other behaviours you need to allow.

X-Frame-Options

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or </frame> . Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites. Set the X-Frame-Options header for all responses containing HTML content. The possible values are:</p>

  • X-Frame-Options: deny which prevents any domain from framing the content (Recommended value)
  • X-Frame-Options: sameorigin which only allows the current site to frame the content.
  • X-Frame-Options: allow-from https://trusted.com which permits the specified ‘uri’ to frame this page.
  • Check limitations below because this will fail open if the browser does not support it.
  • Other browsers support the new CSP frame-ancestors directive instead. A few support both.

Content Security Policy (CSP) frame-ancestors directive

The recommended clickjacking protection is to incorporate the frame-ancestors directive in the application’s Content Security Policy.


The frame-ancestors ‘none’ directive is similar in behaviour to the X-Frame-Options deny directive (No-one can frame the page).


The frame-ancestors ‘self’ directive is broadly equivalent to the X-Frame-Options sameorigin directive (only current site can frame it).


The frame-ancestors trusted.com directive is broadly equivalent to the X-Frame-Options allow-fromdirective (only trusted site can frame it).

The following CSP whitelists frames to the same domain only:


Content-Security-Policy: frame-ancestors ‘self’;


See the following documentation for further details and more complex examples:

Limitations

  • Browser support: CSP frame-ancestors is not supported by all the major browsers yet.
  • X-Frame-Options takes priority: Section “Relation to X-Frame-Options” of the CSP Spec says: “If a resource is delivered with an policy that includes a directive named frame-ancestors and whose disposition is “enforce”, then the X-Frame-Options header MUST be ignored”, but Chrome 40 & Firefox 35 ignore the frame-ancestors directive and follow the X-Frame-Options header instead.
Read More