Adventures in XSS Pt2
My plans are to expand my previous "adventures in XSS" post into what will hopefully become a long-running series. I want to detail my casual discovery of XSS on the web during day-to-day browsing; none of my professional penetration testing will ever be revealed to the public. I want to highlight a phenomenon in this post which many white hat hackers may have run into, and that's the complacency of website owners.
[H]ard|OCP.com
When I was attending university, some 10+ years ago, my flatmates introduced me to Hard|OCP, one of the more respected computer hardware enthusiast websites. At the age of 19 I already had a fascination with computer hardware, but it was Hard|OCP that introduced me to benchmarking and overclocking for the first time.
I was a loyal member of the community for many years, extremely naive as a relative latecomer to the hardware scene. I engaged in fanboyism to justify my purchases and plenty of healthy banter; I loved learning as much as I could from everyone.
Fast forward 7-8 years and my time with Hard|OCP had come to an end: a difference of opinion on review techniques left me unable to really make use of their content, and some bad decisions by their forum moderators in how they ran the forums marked my exit. I quickly gravitated towards the Anandtech community, where I made my new home and have been since.
XSS
About 6 months ago I was showing my brother some examples of what I had been learning by tinkering with computer security. Without much thought I loaded Hard|OCP and set out to give him an entirely fictional example of how things like SQLi and XSS worked. It was during that process that I realised I'd accidentally stumbled across a real example of XSS. I was surprised at the time, although on reflection the relatively old and now retro style of Hard|OCP suggests that development probably hasn't occurred for years and that security might not be great.
Some time later I decided to thoroughly test out the site to try and give something back to the community by finding any exploits and reporting them to Kyle, the owner. I methodically went through each page, each section, all the archives, every feature, and I tested it for every exploit I knew how to perform. When I was done I had found XSS on the search page, some strange overflow problem with the archive system where extremely long parameters would actually cause PHP source code to spill into the HTML source, potentially revealing sensitive information, and XSS in their forum posts. They take the newest 10 forum thread titles and put them on the front page without sanitising them. The forum itself did not sanitise the input before putting it into the database; instead it did so after the data was pulled from the database but before it landed on the final page.
This should act as a cautionary tale to everyone. Sanitising input is important, and doing it after the data is pulled from the database rather than before it's put in is seen by some as the proper way to sanitise data (after all, these characters have no special meaning in the context of the database, only in the page). While I agree with that methodology, it does leave all future development potentially vulnerable to XSS, because every new place the data is rendered needs the same treatment, and developers may add new features and simply forget to do the basic security checks.
As a penetration tester for web technology, one important lesson to learn is how to find user input. User input comes in many different forms. The most obvious is anywhere a user literally provides text input as part of a legitimate function of the website, for example forum posts or news comments. However, these are obvious and often the first thing to be checked and fixed; there are usually many less obvious ones that require more creativity to spot. Using the forum as an attack vector on the main site (they're hosted separately) is a good example: the input is entered in one application and rendered, unencoded, by another.
Responsible Disclosure
It was at this point I contacted Kyle Bennett, the owner of Hard|OCP. I had tested the reflected XSS vectors in the search feature and abused the archive page parameters, but testing a stored XSS exploit was something I really wanted his permission to do. I fired him an email and explained the exploits; he was fast to respond and seemed eager to fix everything. Despite not being a PHP developer, I explained the standard step for preventing XSS, which is to HTML-encode all user input, something which takes a competent coder just a few minutes. He set his developer onto fixing this immediately.
Meanwhile I speculated that an XSS attack might be possible from forum thread titles. I'd observed the page caching forum threads at 15-30 minute intervals, and I'd seen rogue instances of people using special HTML characters in their forum titles purely through normal use. So I asked Kyle if I could test and promised not to cause any interruption. He agreed and I went about firing through forum threads with enough HTML markup in them to test exposure without ever creating a problem on the front page. I quickly confirmed this vulnerability and he added it to the list of things to be fixed.
Complacency
Unfortunately, one of the biggest problems you'll run into as a white hat hacker is complacency. People have little to no motivation to spend time, effort and money fixing security issues unless they have a really solid understanding of the potential fallout caused by the problem. Even when you provide a penetration testing service for free (something that would otherwise cost upwards of thousands of dollars), they're often not motivated to fix issues, especially if the vulnerabilities have no impact on the current operation of the site/service.
While it's true that Kyle addressed most of the issues, it's also true that he left the forum XSS wide open. I did spend several weeks keeping track of the issue and waiting for a fix; in the end I emailed him again as a reminder that this was still an issue, and a particularly nasty one. Before long I forgot about the site. It was only in the last few days that I came back and checked the front page for exploits, and sure enough the forum threads were still coming through unfiltered. Kyle had everything he needed: he knew the attack vector and knew the seriousness of it; all that was lacking was motivation.
We now enter a moral gray area. My motivations are good: I want Hard|OCP to be secure and all the users to be safe. However, these actions reveal the vulnerability for anyone else savvy enough to copy and abuse it. In the end I decided that I'd take the shock route and try to deliberately minimize the disruption in the meantime.
The hack
The forum threads are pulled periodically from the database, ordered by date created; they're then cached and used on the front page. The threads drop off as new ones are added; at Hard|OCP's peak that's about 7-8 threads per refresh. So I carefully timed when the updates were happening and measured the times the posts rotated out. I wanted to post the thread as close to the update as possible; after all, I didn't want a forum moderator deleting the thread before the front page had a chance to cache it. I also didn't want the front page to display the hack for too long; luckily the natural cycle of the forum posts would quite quickly cycle out the hack. I planned it for a time of day with a lot of forum activity to naturally push the hack off the front page in the shortest time. I then posted a basic JavaScript alert saying "Fix me :(" and went to lunch at the pub and had a few beers in anticipation of what was to come.
This is all it took:
:("/><script>alert('Fix me :\'(');</script>
There were only a few characters to work with: they shorten any really long thread title in order to fit neatly on the front page, and this attack was 1 character short. It didn't cause any real disruption, just the alert; the site worked as normal otherwise. I'd have tidied up the HTML after it had I had more characters to work with.
The fallout
What happened next was exactly what I expected: a bunch of users were hit with popups, and a few smart people spotted the exploit on the front page. They checked the source code to find the point of origin, which listed the forum thread ID. Several posts appeared in the thread I had started; they joked about XSS and how they typically browse with NoScript enabled, a smart choice.
Moments later threads popped up in the website feedback forums. People who don't know XSS had spotted the popups and reported them; one user calmed everyone by saying Kyle and his team were "on it", clearly indicating this had been reported and acknowledged. I have no doubt Kyle knows the source of the issue, as I did it from my real forum account and they'd found the thread and removed it already.
An hour or so later all the threads were deleted, my account was banned (bye bye 6000 post count) and there exists no sign it ever happened. Quickly checking the thread names on the front page later in the day, this is still not fixed, despite the fix being just a few lines of code. In PHP all you have to do is pass the user-supplied title through the htmlspecialchars() function at the point it is written into the page, which encodes the special characters (angle brackets, ampersands and quotes) so the browser displays them as text instead of interpreting them as markup.
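To make the fix concrete for the front-page thread list described above and the "encode on output" point made earlier, here is an added example in PHP. It is not Hard|OCP's code; the thread titles are constructed, and the two render functions are my own illustration of the unencoded list beside the htmlspecialchars() version.

```php
<?php
// Added example, not the site's code. The titles below are constructed and
// stand in for rows pulled straight from the forum database, which (as the
// post explains) stores them unencoded and relies on encoding at render time.
declare(strict_types=1);

$titles = [
    'Best budget GPU for 1080p?',
    'Overclocking "stable" at 4.8GHz <finally>',
    '"><b>markup in a title</b>',
];

// Vulnerable: the raw title is written into both an attribute and the
// element body, so quotes and angle brackets in it become live HTML.
function render_unsafe(array $titles): string
{
    $out = "<ul>\n";
    foreach ($titles as $id => $t) {
        $out .= "  <li><a href=\"/thread/$id\" title=\"$t\">$t</a></li>\n";
    }
    return $out . "</ul>\n";
}

// Hardened: encode at the point of insertion. ENT_QUOTES covers both quote
// styles so the title is safe inside the attribute as well as the body;
// the charset argument keeps the encoder from mis-parsing odd bytes.
function render_safe(array $titles): string
{
    $out = "<ul>\n";
    foreach ($titles as $id => $t) {
        $safe = htmlspecialchars($t, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $out .= "  <li><a href=\"/thread/$id\" title=\"$safe\">$safe</a></li>\n";
    }
    return $out . "</ul>\n";
}

// Sanity check: the hardened output carries no raw tag from any title,
// while the unencoded output does.
$unsafe = render_unsafe($titles);
$safe   = render_safe($titles);
assert(strpos($unsafe, '<b>') !== false);
assert(strpos($safe, '<b>') === false);
echo $safe;
```

Every new place a title is rendered (a cache, a sidebar, an RSS feed) needs the same call, which is exactly the maintenance cost the post warns about.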
Morality
This whole ordeal raises some interesting ethical questions, and for experienced white hat hackers this almost certainly isn't unfamiliar territory. You quickly become accustomed to the types of exploits that are possible and the fallout they can potentially bring; however, conveying that to site owners who aren't code savvy is a tricky task. Often fixing these issues costs development time and money. You can repeat the vulnerabilities over and over and allow months to go by when developers only need mere minutes to fix them, but eventually you have to accept that until something bad happens, this probably isn't going to get fixed. Let me be clear: this has nothing to do with Kyle; it's just a general pattern that many owners fall into. Add to that the fact that bad things are often done with some level of stealth (not everyone wants to deface), and that should act as a motivator to get site owners to take action now rather than later.
The whole point of starting this blog post with my background and personal investment in the Hard|OCP community was to demonstrate that these kinds of actions come from the desire to protect people, not to harm them. Some people might argue that it's just an excuse to hack things, but the reality of the situation is that I pen tested this site for free, and I explained in detail the hacks and risks to the owner as well as the steps to best fix them. I spent time testing and re-testing their implemented fixes, as well as coming back to check on the site at regular intervals to see if anything is still vulnerable; I'm not paid anything to do that. At the end of the day hackers are left with a choice of the lesser of two evils: either cause an embarrassing situation and hope that it encourages a legitimate fix, or leave the vulnerability open and hope that no one ever finds and abuses it.
And nothing stays hidden forever.
Kyle, if you ever read this, I hope you understand that it wasn't meant maliciously but rather to keep your users safe. I'd like to extend a personal thank you for running a site that provides endless value and helped teach me, and the same to all the forum members who contribute positively to the community.
*Update* Kyle wasn't pleased and accused me of whining about being banned. I genuinely have no hard feelings about that, for the record. I've gone back and tried to re-word parts of the post to better reflect that.
Work [H]ard, Play [H]ard, Stay [H]ard.