Tuesday, July 18, 2006

the devil made me do it

I was just reading RSnake's post on Attacking Applications Via XSS Proxies. We've toyed around with different XSS exploitation ideas for a long while, but having seen it written out, it's spooky. Essentially RSnake describes how someone could hack a website using an XSS'ed victim, with the bonus that the attacker's IP never shows up in the target machine's logs. The explanation is a bit complicated (the XSS proxy attack diagram makes it easier), but once it clicks you'll see how plausible and easy the idea becomes.

Another side effect of the research applies to cyber crime (hacking) cases. I've read that courts have found reasonable doubt for the accused where the argument is that a trojan horse on their machine did the hacking, not them. The forensic investigators certainly can't rule out the possibility, because hey, the machine did have a trojan and could have done exactly that. The thing is, XSS malware is able to act similarly to a typical trojan horse; the main difference is that the code resides in the web browser and is not present on the filesystem or in memory.

What if a person wanted to frame someone using an XSS attack? For instance, making their victim hack another website (à la RSnake), DoS some government websites, or access some pedophilia. Every log in the world would say the victim did exactly that, and it leaves very little, if any, forensic evidence. The trojan defense goes out the door, for the innocent and the guilty, especially since I doubt forensic investigators are looking for XSS malware to begin with.


Anonymous said...

I've seen this attack example in http://xss-proxy.sourceforge.net , it seems pretty similar to the attack you describe, but it goes into using javascript and its HTML DOM manipulating capabilities to establish a connection with the victim.

Jeremiah Grossman said...

By the way, thanks for commenting. For a while there I thought I was the only reader. :)

RSnake and I share lots of ideas, so it's no surprise our posts and presentations overlap. The main thing he put forth in the post I mentioned, that I hadn't covered, is how to go about finding and exploiting the intended target website without the attacker leaving their IP address in the logs. His method explains a way to do so. My example and explanations so far have been where the attacker does their homework up front, and then uses the victim for exploitation.

Anonymous said...

I think I see what you are trying to implement. But my confusion is what is site A and B? I'm not sure if javascript can propagate from webpage to webpage on different domains, but it's worth a shot.

Jeremiah Grossman said...

A and B I believe could be any websites you can capture users on. Nothing special really, except to provide a jump so the attacker doesn't leave their IPs on the real target, C.