Tuesday 29 October 2013

[EN] JSP Code Review - part 1

Durning pentesting of webapps in various companies, often happens that
few pages are written in JSP.

I described here few different cases of testing webapps - by white box and/or black box 
testing - so today I decide, why not do it again for JSP-based pages? ;)

For our purpose, a great example we can find at one of pages with tutorials 
in section called 'HTTP Header Request Example'. Below I will show you
how we can check if this or that (or part of ;)) page is vulnerable to attacks.

(In case you don't know how to prepare your virtual environment for testing 
JSP-based pages, check this site. Here you will find nearly step-by-step list
to install Tomcat with Java at your linux-box. If you will have any troubles
leave me an email or comment below.)

Ok. Let's get back to our JSP tutorial.
Example code will show headers after request to our 'test page'.

---<code>---
<%@ page import="java.io.*,java.util.*" %>
<html>
<head>
<title>HTTP Header Request Example</title>
</head>
<body>
<center>
<h2>HTTP Header Request Example</h2>
<table width="100%" border="1" align="center">
<tr bgcolor="#949494">
<th>Header Name</th><th>Header Value(s)</th>
</tr>
<%
   Enumeration headerNames = request.getHeaderNames();
   while(headerNames.hasMoreElements()) {
      String paramName = (String)headerNames.nextElement();
      out.print("<tr><td>" + paramName + "</td>\n");
      String paramValue = request.getHeader(paramName);
      out.println("<td> " + paramValue + "</td></tr>\n");
   }
%>
</table>
</center>
</body>
</html>

---<code>---

Ok. Let's save this code as 'headers.jsp'.


It's not the problem to test this site by using Burp like it was described
in few mini-arts here but in this case we will do a little 'code review'. ;)


Few short examples was also described here or here. So here we will use 
similar trick. In case we know that if user's input is not (or properly) sanitized
then it's possible to inject code in web.


So now we will search for 'something' that will print out 'text' (string) added 
by user. In our JSP, it will befunction out.print. Let's find out if we can 
grab this string in our source code:

# cat -n header.jsp | grep out.print
    17        out.print("<tr><td>" + paramName + "</td>\n");
    19        out.println("<td> " + paramValue + "</td></tr>\n");
#



Yes, we can. ;)


We can see 2 lines, both with 'some parameter/value names'.
Let's find out what are those:


(...)
      String paramName = (String)headerNames.nextElement();
(...)



It seems to be some 'string', let's check the other 'parameter':


# grep paramValue header.jsp
      String paramValue = request.getHeader(paramName);
      out.println("<td> " + paramValue + "</td></tr>\n");
#



Great. So now we can see that 'paramName' is from request, and it gets
some header value(s) (getHeader() function). And, because its not filtered
in any way before printing out, we can try to inject here some code.


Let's check if we can change one of presented headers, for example,
lets change an user Agent. 


To do that we can use DataTamper or mentioned Burp Proxy (but honestly 
in my opinion for this kind of 'simple checking' - DataTamper will be fine.


Let's catch request to server (our 'header page' in JSP) and next we will 
change value from userAgent to our favourite 'XSS payload':

Tampered header
As a response from this not-filtered input, we can see nice and old XSS alert box ;)
 

XSS in JSP webapp

Good luck with code review!

If you have any questions - as always - leave me an email. ;)

Cheers 
o/ 

Wednesday 9 October 2013

[EN] Testing format strings bugs

Few weeks ago I wrote a short post about where you can find examples
to learn RCE vulnerabilities and how to exploit them.

Today I would like to present you similar story, this time for format string attacks.
Few examples of vulnerable codes you will find here. ;)

If you have any questions feel free to ask, but once again:
I will help you only with legal ideas, so please do not send me an emails
that you want steal someone's database ;) Thanks.

Enjoy!

o/

[EN] Wordpress 3.6.1 XSS

"Houston we've got a problem..." ;)

... in latest (3.6.1) Wordpress :


Same story as before but seems to be not patched anyway:
Enjoy, because 'it can not be used' - right? ;)


* Update @ 17/10/2013 *

Check file 'options-discussion.php' in /wp-admin/ directory, for lines 187-202.
You will find there:
---<code>---
   187  <?php
   188  $ratings = array(
   189          /* translators: Content suitability rating: http://bit.ly/89QxZA */
   190          'G' => __('G &#8212; Suitable for all audiences'),
   191          /* translators: Content suitability rating: http://bit.ly/89QxZA */
   192          'PG' => __('PG &#8212; Possibly offensive, usually for audiences 13 and above'),
   193          /* translators: Content suitability rating: http://bit.ly/89QxZA */
   194          'R' => __('R &#8212; Intended for adult audiences above 17'),
   195          /* translators: Content suitability rating: http://bit.ly/89QxZA */
   196          'X' => __('X &#8212; Even more mature than above')
   197  );
   198  foreach ($ratings as $key => $rating) :
   199          $selected = (get_option('avatar_rating') == $key) ? 'checked="checked"' : '';
   200          echo "\n\t<label><input type='radio' name='avatar_rating' value='" . esc_attr($key) . "' $selected/> $rating</label><br />";
   201  endforeach;
   202  ?>


---<code>---

so because there is no any checking if 'rating' is valid or not, we can put in 'avatar_rating'
parameter any JavaScript/HTML code we want. In this case reflected XSS is possible.

To patch this bug, we need to edit wp-includes/pluggable.php file and change line 1662 like below:
Changed pluggable.php file

Simple change this line and add Wordpress's functions 'esc_html'.
Now it should be ok. ;)

Friday 4 October 2013

[EN] osCommerce 2.3.3.4 Exploited

Hi ;)

Durning few projects sometimes I can find that customers are using osCommerce
at their servers.

I prepare a small (poc) tool to a little bit automate a process of password cracking
and exploiting RCE available in admin panel (again ;) ).

Like I said to next week, this won't be public, sorry.
Anyway if you think that you will need it before (to test your sites or
your customers) then feel free to let me know privately, via email as always.

Have a nice day
o/