[Extended
HTML Form Attack]
last update: 26.January.2002
Making use of Non-HTTP protocols to launch Cross Site
Scripting attacks.
Obscure [obscure@eyeonsecurity.org]
EyeonSecurity.
Copyright � 2001,2002 EyeonSecurity,
Redistribution of this document is permitted as long as
the contents
are not changed and this copyright notice is
included.
[The Original HTML form attack]
[Playing with error messages and replies]
[Finding vulnerable hosts � what this
exploit depends on]
This paper will talk about a new way to inject HTML scripts, which makes use of the same method described in the paper by Jochen Topf called �The HTML Form Protocol Attack�. This novel method of injecting Active Scripts allows a person, who has knowledge of the services running on a network, to steal cookies, which can possibly mean hijacking of Web Application authentication as well as other sensitive information stored in cookies.
The research done by Jochen Topf shows how HTML forms
can be used to penetrate internal networks from a site outside that network, by
making use of well-known features of the HTTP protocol.
While the paper by Jochen Topf describes
possibilities of sending commands to internal servers, it does not take into
account what gets displayed in on client web browser. Instead it covers the
fact that attackers may penetrate an internal network, or servers, which make
use of IP filters, by abusing the HTML Form.
This paper is available on
http://www.remote.org/jochen/sec/hfpa/
A recently discovered security problem involves
modifying HTML content by inserting malicious HTML tags or script. By inserting
Active Scripting, it is possible to steal session authentication of a web
application. While this problem has been around for years, it�s only been
publicised in the recent years. �Microsoft Passport Account Hijack Attack�, also on eyeonsecurity.org, is a paper which
describes XSS attacks by example.
CERT has also published an advisory:
http://www.cert.org/advisories/CA-2000-02.html
The ECHO service running on port 7 is a classic
example of a service which replies back to what you specify.
|
G:\>nc -v server 7 server [172.16.1.3] 7 (echo) open hi there ! hi there ! ^C G:\> |
Sending �hi there� to an ECHO server, will send back
a �hi there� reply. What if I make use of an HTML Form, and point it at the
echo server?
The source of the page:
|
<form name="form1"
method="post" action="http://echo-server:7/"
enctype="text/plain"> �
<textarea name="eostest"> <html> <script>alert()</script> �
</textarea> �
<input type="submit" value="Submit"> </form> |
The end result when the form is submitted looks
something like:
|
POST / HTTP/1.1 POST / HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel,
application/msword, */* Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel,
application/msword, */* Accept-Language: en-gb Accept-Language: en-gb Content-Type: text/plain Content-Type: text/plain Accept-Encoding: gzip, deflate Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.0; Q312461) User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.0; Q312461) Host: 172.16.130.1:1212 Host: 172.16.130.1:1212 Content-Length: 45 Content-Length: 45 Connection: Keep-Alive Connection: Keep-Alive Cache-Control: no-cache Cache-Control: no-cache eostest=<html>
<script>alert(document.cookie)</script> eostest=<html> <script>alert(document.cookie)</script> � |
Of course everything is echoed back (RFC 862).
This sometimes (tested in Internet Explorer 5.x and 6) causes the JavaScript
code to be rendered within an html page � which is made out of the echoed
replies of the server.
A server running a Web Application (such as Web-Mail)
and an echo server is therefore obviously vulnerable to a XSS attack, which I
describe as Extended HTML Form Attack.
However many servers will not be running the echo
service, since this is only used for testing purposes mostly. On the other hand
it is very frequent that they will have other server software such as SMTP,
FTP, NNTP and POP3. All of these services tend to echo back some information
specified by the client, depending on the implementation of the protocol by the
server developers and the settings specified by the server�s administrator.
If we want to use this vulnerability to hijack a Web
Application the following requirements have to be satisfied:
The below is a list of servers which were actually
successful in echoing back JavaScript commands to the web browser:
|
Vendor |
Server
|
Commands |
Example Command |
|
Serv-U 3.0 |
MKD, GET |
mkd
<script>alert(document.cookie)</script> |
|
|
WU-FTP |
USER, MKD, GET,
non-existant command + script as argument |
user
<script>alert(document.cookie)</script> and ASDF
<script>alert(document.cookie)</script> |
|
|
Imail 6.06 |
RCPT |
rcpt to: img
src=javascript:alert(document.cookie) |
|
|
ProFTPD |
USER,MKD,GET |
user
<script>alert(document.cookie)</script> |
|
|
QPOP(3.1.2) |
USER |
user
<script>alert(document.cookie)</script> |
This list is not exclusive and many other servers can
be used to launch this type of attack.
In my testing, I noticed that some vendors prevent
this and other attacks by only allowing a certain amount of errors to be
generated for each connection. In this case, since the HTTP request by the
victim contains HTTP headers (i.e. POST /a.cgi HTTP/1.1 etc), many errors will
be generated and the connection is terminated. This was found true on Microsoft
SMTP server (part of IIS), and some other servers.
When searching for vulnerable servers, it is probably
the easiest to use SMTP servers, since they show up in the MX records. Of
course the other alternative is port scanning � for FTP, SMTP, POP3, and NNTP.
This attack mentioned here can be exploited in
various ways. Till now we only mentioned how an attacker can use it to gather
session cookies. In fact this is probably the most dangerous and easily
exploitable method.
However it can also be used in conjunction with the
HTML Form Attack described by Jochen Topf to return a result to the attacker.
This way the attacker can actually know that his attack was executed by
injecting JavaScript code, which in turn sends him back the resulting page.
The solutions for this kind of attack are just like
the ones mentioned in the original document �The HTML Form Protocol Attack�.
While Internet Explorer and Opera are vulnerable to this attack, Netscape and
Mozilla (without the proxy settings- i.e. direct connection) restrict access to
certain well-known ports, like 25 (SMTP), 21 (FTP), 110 (POP3) and 119 (NNTP).
While I do not think this is a server side issue, but rather a client side
(web-browser) issue, servers could also limit the number of errors for each
session.
The HTML Form Protocol Attack
http://www.remote.org/jochen/sec/hfpa/
Malicious HTML Tags Embedded in Client Web Requests
http://www.cert.org/advisories/CA-2000-02.html
Microsoft Passport Account Hijack Attack