Upload File

blind xss & femida - zeronights...femida who is femida ? burp suite plugin that:! flexible and...

  • Home
  • Documents
  • BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE
21
BLIND XSS & FEMIDA Pavel Rukavishnikov hd

Upload: others

Post on 27-Jun-2020

3 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

BLIND XSS & FEMIDA

Pavel Rukavishnikov

hd

Page 2: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

whoami

Pavel Rukavishnikov

• Ctf player

• programmer

Github: https://github.com/wish-i-was

Twitter: https://twitter.com/wish_iwas

HD

• Script kiddie

• Bounty hunter

• pentester

Github: https://github.com/HD421

Twitter: https://twitter.com/hd_421

https://github.com/wish-i-was/femida
https://twitter.com/wish_iwas
https://github.com/HD421
https://twitter.com/hd_421
Page 3: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

Agenda

•What is blind xss?

• How to deal with it

•Where to inject

• Callback handlers

• How to improve and automate

• TODO

Page 4: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

Few facts about blind xss?

• Almost always it’s stored• You can’t see alert(1337)

• need your patience

• facing it the other way

Page 5: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

Where to inject

Headers:

• User-Agent

• Referer

• Origin

• X-Forwarded-For

Request parameters:

• imagination

Page 6: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

Ground control

your target is to receive a knock-knock from

Application used by administrator/team member

payload

payload

payload

payload

payload

payload

payload

payload

paylo

ad

pa

ylo

ad

Page 7: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

Few more

payload

payload

payload

Page 8: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

CSP report

How It look sometimes

• Almost always request is static (except custom csp

reporting frameworks like

sentry csp)

• Processing servers are oftenly poorly protected

Page 9: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

Should I look for it?

Page 10: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

Callback handlers

Page 11: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

Callback handlers

Page 12: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

Callback handlers

Callback tokenSSRF

XXE

XXS

https://github.com/jobertabma/ground-control

https://github.com/jobertabma/ground-control
Page 13: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

Callback handlers

https://github.com/ssl/ezXSS

https://github.com/ssl/ezXSS
Page 14: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

Callback handlers

https://xsshunter.com

https://xsshunter.com/
Page 15: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

Callback handlers

Launch your own Collaborator Server:

https://blog.fabiopires.pt/running-your-instance-of-burp-collaborator-server/

https://blog.fabiopires.pt/running-your-instance-of-burp-collaborator-server/
Page 16: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

What can be simplified?

Daily routine looks like:

1. intercept the request

2. Put payload in correct header/parameter

3. Send request

4.Repeat n-times b/c you never know what will

be logged at backend

Page 17: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

Should we perform manual check all the

time?

Automated

Manual

Page 18: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

FEMIDA

Who is femida?

Burp Suite plugin that:

• Flexible and easy

configurable

• Performs accurate

passive checks

• Active scan

Page 19: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

FEMIDA

PLUGIN DEMO HERE

Page 20: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

TODO

• CSP report detector and request

generator

•WAF detector

• Etc…

Page 21: BLIND XSS & FEMIDA - ZeroNights...FEMIDA Who is femida ? Burp Suite plugin that:! Flexible and easy configurable! Performs accurate passive checks! Active scan FEMIDA PLUGIN DEMO HERE

We wish you Happy hacking

Thank you for attention

Fell free to ask your questions:

Twitter:

• https://twitter.com/hd_421

• https://twitter.com/wish_iwas

Plugin: https://github.com/wish-i-was/femida

https://twitter.com/hd_421
https://twitter.com/wish_iwas
https://github.com/wish-i-was/femida

DataManager Plugin - d36j349d8rqm96.cloudfront.net Plugin - M… · DataManager Plugin 6Version History 6 Version History 6.1Plugin Version Plugin-Version Date [dd.mm.yyyy] Notes

UEFI Firmware Rootkits: Myths and Reality - ZeroNights 2016 · PDF fileUEFI Firmware Rootkits: Myths and Reality (Revisited for ZeroNights) Alex Matrosov @matrosov Eugene Rodionov

Zeronights 2013 - воруем домены

Sergey Belov - ZeroNights

gafc.khu.ac.krgafc.khu.ac.kr/gep/download/2016_inform/Femida Handy.docx · Web view2007“Social accounting for value-added.” European Institute for Advanced Studies in Management

ZeroNights 2019 — ZeroNights 2019 - CISCO ASA: FROM 0 TO ID=0 · 2019-12-12 · •CVE-2016-1287 •A heap overflow in IKE Cisco fragmentation by Exodus Intel rewarded as best server-side

QlikView Plugin User Manual - QlikView - AccessPoint Plugin User... · QlikView Plugin User Manual ... This document is a brief manual for QlikView Internet Explorer plugin, ... instead

WordPress plugin development plugin development (with pictures) Simon Wheatley WordPress plugin development (with pictures) Simon Wheatley plugins photo by djking anatomy of a plugin

Patient Reported Outcome measures encompass Quality of Life · Femida Gwadry-Sridhar Dr. Femida Gwadry-Sridhar is the founder and chief executive officer of Pulse Infoframe Dr. Gwadry-Sridhar

Telecom security from ss7 to all ip all-open-v3-zeronights

Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015

Blender Plugin Installation Guide - Amazon S3 · Blender Plugin Installation Guide Step 1: Download The Plugin a- Download Blender Plugin from ... film, and video game design

MIDI Controlling FX chains Plugin programs & Plugin parameters

Software Engineering for Android – Security and User Experience … · 2011-07-07 · Bugtracking Code Review Common Build Telekom Plugin Plugin Plugin Plugin Plugin Plugin integrationPlugin

PCM Plugin - d36j349d8rqm96.cloudfront.net PCM Plugin Manual.pdf · PCM Plugin Manual – Version 1.0 – April 2014 Page 3 of 24 What is the PCM Plugin? The PCM Plugin is the plugin

Snakes in a plugin - WordPress plugin security

DIALux4[1].0- · PDF filedialux 2 plugin. 1.X. plugin , plugin. luminaire selection Plugin plugin . home page, Intenet Explorer

Lesosai et le BEM (Building Energy Modelling) · USai Revit Plugin - Archicad (mit gratis Plugin Cadimage, Tutorial) - Sketchup (mit Plugin) - Vectorworks Architektur 2013 (ohne Plugin)

dialux 2 - خانهabginehco.ir/wp-content/uploads/2015/11/Software-Training-DIALUX.pdf · dialux 2 plugin. 1.X. plugin, plugin. luminaire selection Plugin plugin. home page, Intenet

Smuggling splitting poisoning. ZeroNights. ONsec

Burp Zeronights workshop

CAD - dl.poweren.irdl.poweren.ir/downloads/PowerEn/Book/2017/آموزش دیالوکس(PowerEn.ir).pdf · PowerEn.ir dialux 2 plugin. 1.X. plugin, plugin luminaire selection Plugin

Facebook Regisrtration Plugin (Plugin)

skofemida.kz · «Femida» 3an Keuecmi.uepnin 1 - Tapay. 1. 3aH K0MeriH Kepcery 3K0HiHAeri kqb13Meerri perrey )KOHe 03iHiH MY111enepiHiH Ka3a1ÇTaH PeCnyÕJIHKaCb1Hb1H aaBOKaTTb1K

Testing of Password Policy Anton Dedov ZeroNights 2013

WizIQ Virtual Classroom plugin for · PDF fileWizIQ Virtual Classroom plugin for ... Installing the plugin8 ... Moodle version 2.3 & 2.4 WizIQ Virtual Classroom plugin Plugin 2.0

DbiFuzz framework #ZeroNights E.0x03 slides

CKEditor Plugin Documentation (AutoRecovered) Plugin Documentation.pdfCKEditor 4 Plugin Documentation Contents ... This plugin allows you to install CKEditor - the Smart WYSIWYG HTML

Bo0oM - Deanonymization and total espionage (ZeroNights, 2014)

Assessment Report on the Implementation of SRS Femida and ... · Assessment Report on the Implementation of SRS Femida and Voice Recorders in Moldovan Courts of Law Rule of Law Institutional

CAD - dl.sariasan.comdl.sariasan.com/New Softwares/Dialux 1 SariAsan.pdf · PowerEn.ir dialux 2 plugin. 1.X. plugin, plugin luminaire selection Plugin plugin. home page, Intenet Explorer

РУКОВОДСТВО АДМИНИСТРАТОРА...8 IS Mechanics SRS Femida Руководство администратора 5. Инсталляция и конфигурация

Reversing Data Formats: What Data Can Reveal by Anton Dorfman ZeroNights 0x03, Moscow, 2013

MariaDB Sicherheit: Audit Plugin, Authentification Plugin, Rollen

ZeroNights: Automating iOS blackbox security scanning