Tuesday, March 30, 2010

From Stored XSS to DDoS, almost

The backbone of science is sharing your failed experiments so here goes.

I was a little frightened when directed to RFC 2397. Basically it says that included objects that you would reference by a URL can be provided inline in one or more forms. It looks like this:

<img src=”data:image/png;base64,alkj2K09…..” />

Try it. It’s kind of neat-o. The idea I had was that maybe you could provide a java applet that way. You can already deliver an applet by reference with XSS but an applet is only supposed to be able to make connections back to the site that it was downloaded from. If you try to connect to anything else, like the target site, it generates a pop message that the user has to click through. If I could get the target site to provide the applet it should be able to connect back to the target site without the user being aware.

The fun idea I had was to write a java applet implementation of the slowloris attack. The really awesome thing if this were possible is that if you find a stored XSS vulnerability in the target site you could get the legitimate users of the site to DDoS it indefinitely. Beyond that, you may be able to make SSH or other authenticated connections back for random password guessing; perhaps the results could be reported back to the attacker via DNS requests. The difficulty (if it worked) is that the target site would have to allow a pretty large stored XSS. If the stored XSS vulnerability is against a TEXT database column you’re fine. If it’s against a VARCHAR(128) and you’re trying to deliver a 1.2KB jar file it’s not going to work.

I could get the applet to work flawlessly at attacking my test web server. It would sometimes even do so without the socket connection sandbox permission dialog from popping up. It wouldn’t work properly with the inline jar file though. Eventually I tried Firefox+Sun JRE on windows and it gave me the error message I needed: unknown protocol: data or something similar.

Maybe this could still work with Flash or some funky contortions with JNLP. I, however, am done working on it.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.