Re: XSS/CSRF to a real command-shell

["Robin Wood" <dninja () gmail com>]

On 23/04/2008, Shenk, Jerry A <jshenk () decommunications com> wrote:
> So, in your example, Robin, XSS was the vehicle to deliver hostile code
>  to a vulnerable application.
>
>  So for Joseph, for you to get a command-shell via XSS, you're going to
>  need to fine some other vulnerability on the client that views the
>  XSSable web site.
Ye, the XSS just gets their browser to visit the url with the exploit
in it. As it is all done behind the scenes you don't have to trick
them into visiting a real hostile site.

Robin

>  -----Original Message-----
>  From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
>  On Behalf Of Robin Wood
>  Sent: Wednesday, April 23, 2008 4:02 AM
>  To: Joseph McCray
>  Cc: pen-test
>  Subject: Re: XSS/CSRF to a real command-shell
>
>  On 22/04/2008, Joseph McCray <joe () learnsecurityonline com> wrote:
>  > Ok - I'm tired of beating my head against this wall on the subject -
>  so
>  >  some friends and I decided to put something together. I'm calling in
>  the
>  >  cavalry because I'd like to see if someone else is working on this
>  >  before we get knee deep into development.
>  >
>  >
>  >  Situation:
>  >  I usually categorize XSS as a medium unless it is on a public facing
>  >  and/or critical server in which case I classify it as a high. I'm
>  >  looking to be able to BETTER illustrate the dangers of XSS to
>  customers,
>  >  and to move beyond cookie/session theft via XSS. If I could get XSS
>  to
>  >  at least be a stepping stone to full control over a machine then I
>  could
>  >  possibly classify it as a high, and for real fun of the job - have a
>  >  shell.
>  >
>  >
>  >  To make a long story short - I want to take XSS/CSRF to a REAL
>  >  command-shell.
>  >
>
>  I watched a demo yesterday that had the XSS request something
>  (probably an image) from a url which had metasploit listening on it.
>  Metasploit then delivered a remote code execution exploit which
>  dropped meterpreter on the client. Game over.
>
>  I think that you may be looking for a more generic attack but this is
>  a good start as you could have a set of exploits lined up then either
>  use some kind of js checking to try to work out which browser is in
>  use and chose the correct exploit or you could just run through all of
>  them till one matches.
>
>  Robin
>
>
> ------------------------------------------------------------------------
>  This list is sponsored by: Cenzic
>
>  Need to secure your web apps NOW?
>  Cenzic finds more, "real" vulnerabilities fast.
>  Click to try it, buy it or download a solution FREE today!
>
>  http://www.cenzic.com/downloads
>  ------------------------------------------------------------------------
>
>
>  **DISCLAIMER
>  This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which 
> they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the 
> intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the 
> message. If you have received this communication in error, please notify the sender and delete this e-mail message. 
> The contents do not represent the opinion of D&E except to the extent that it relates to their official business.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------