Danny Chrastil

dis·k0n·n3ct: hacker, developer [python,ruby,php]

Read this first

XSS; Beyond the alert box

Cross site scripting (XSS) is everywhere. Holding the 3 spot on the OWASP Top 10 list, it is one of the most common findings while performing vulnerability assessments and penetration testing. With the rise of new web technologies, such as HTML5, the attack vector is constantly growing. Therefore, we also need to be advancing our detection techniques and how we are effectively communicating the business impacts to the client.

One of the most common techniques used as proof of concept (PoC) for identifying XSS has been the javascript alert box. The premise is this: if an attacker can send javascript code for an alert box into the application and have it executed within the browser, then XSS is present. For example:

The attacker modifies the user parameter to contain the javascript code for an alert box:



Continue reading →

XSS Through HTML5 PostMessage()

XSS with HTML5 postMessage()

This is going to be a technical dive into the new HTML5 postMessage() method which can be exploited to launch XSS attacks against a site which otherwise was properly filtering client provided input.

The Method

The postMessage() method was created to enable cross-document messaging from applications on separate domains. In other words, it effectively side steps the same-origin policy allowing applications to send and receive data to and from each other. Here is the syntax for the method:

otherWindow.postMessage(message, targetOrigin, [transfer]);

Let’s take the following example:

Site A has a nested iframe of Site B, which is on a separate domain:

If Site A wants to read content from Site B using a script like this:

Site A:

<iframe src="http://site-b.net/" name="siteb"></iframe>

document.getElementsByName('siteb')[0].onload = function() {

Continue reading →

Maltego OpenSSL Heartbleed Transform

Since the release of the OpenSSL Heartbleed attack, there have been many scripts, websites, and offered services to perform checks on whether a site is vulnerable to this devastating attack. Each check has its benefits and specific application; I am providing another solution which is a Maltego Transform based on the ssltest.py script by Jared Stafford (jspenguin@jspenguin.org).

You will need the following two files in order to set this up:

1.) MaltegoTransform-py.zip (Maltego Basic Python Library)

2.) maltego_heartbleedtest.py (The Custom Maltego Transform)

Once you have downloaded the files, move the MaltegoTransform.py file to your python library directory and the maltego_heartbleedtest.py into a directory of your liking (remember this directory for later).


Continue reading →