Wednesday 11 May 2011

Simulating targets for XSS/CSRF attacks in hacking games

Many web application hacking techniques require a victim as well as a vulnerable website. Such techniques include XSS, CSRF, XST, HTTP response splitting, session fixation, and various others. While it is possible to find these vulnerabilities without a victim, to truly understand them it helps to exploit them, and you can't exploit them without a victim. This post explains how to simulate victims using HtmlUnit, the technique I used in the hacking game hackxor. HtmlUnit is "A java GUI-Less browser, which allows high-level manipulation of web pages, such as filling forms and clicking links"; the important property for this purpose is that it keeps cookies and executes JavaScript, so it behaves like a logged-in user's browser rather than a plain HTTP client. Here's a brief set of instructions:

Create accounts for your victim on all websites you want them to use. Decide things like: How strong is their password? Do they re-use it across multiple websites? Do they have the same username on each site? These answers determine which attack paths (for example credential re-use between sites) exist in the game.

Create a database table that contains what your victim knows. This should at least contain website/username/password sets, one row per account. The victim must log in from this table rather than from the websites' own credential stores: then, if the player/attacker changes the victim's password on a website, the password the victim knows is stale and their login fails, exactly as it would for a real user.

Write some code that uses the HtmlUnit library to log the victim into each website they have an account on with their username and password. Hackxor's code looks something like:

import com.gargoylesoftware.htmlunit.BrowserVersion;
import com.gargoylesoftware.htmlunit.WebClient;
import com.gargoylesoftware.htmlunit.html.HtmlForm;
import com.gargoylesoftware.htmlunit.html.HtmlPage;

// One WebClient per victim: it holds the cookie jar, so every session set up here survives until the message is opened
WebClient browser = new WebClient(BrowserVersion.FIREFOX_3_6);
for (Account account : victimAccounts) { // one website/user/pass row per account from the knowledge table (Account is a stand-in for however the rows are loaded)
    final HtmlPage login = browser.getPage(account.website);
    final HtmlForm form = login.getFormByName("login");
    form.getInputByName("user").setValueAttribute(account.user);
    form.getInputByName("pass").setValueAttribute(account.pass);
    form.getInputByName("submit").click(); // submits the form; HtmlUnit follows the redirect and keeps the session cookie
}

Finally, create a way for the player to contact the victim. Hackxor uses a fake webmail system: when a message arrives it checks the 'to' address to see if it matches a victim's, uses the above code to log the victim into all their accounts, then finally calls
browser.getPage("thepagewherethemessagebodyis");
Because HtmlUnit executes the JavaScript in that page (and loads the scripts and frames it references), a payload embedded in the message runs inside the victim's authenticated sessions, which is precisely what XSS and CSRF attacks need.
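The steps above assembled into one class, added here as an illustration and not hackxor's own code. It assumes a JDBC connection, two tables that are my own invention, victims(email) and victim_accounts(victim_email, website, username, password), a 2.10-era HtmlUnit in which BrowserVersion.FIREFOX_3_6 and getOptions() coexist, and the login form convention from the snippet above (form named "login" with inputs "user", "pass" and "submit"); the success test also assumes that a successful login navigates away from the page carrying the login form.

```java
import com.gargoylesoftware.htmlunit.BrowserVersion;
import com.gargoylesoftware.htmlunit.WebClient;
import com.gargoylesoftware.htmlunit.html.HtmlForm;
import com.gargoylesoftware.htmlunit.html.HtmlPage;
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Added example (not hackxor's code). Assumed schema:
//   victims(email)
//   victim_accounts(victim_email, website, username, password)
public class VictimSimulator {

    /** One row of the "what the victim knows" table. */
    static final class Account {
        final String website, username, password;
        Account(String website, String username, String password) {
            this.website = website; this.username = username; this.password = password;
        }
    }

    /** True if the 'to' address of a message belongs to a simulated victim. */
    static boolean isVictim(Connection db, String toAddress) throws SQLException {
        PreparedStatement ps = db.prepareStatement("SELECT 1 FROM victims WHERE email = ?");
        ps.setString(1, toAddress);
        ResultSet rs = ps.executeQuery();
        try { return rs.next(); } finally { rs.close(); ps.close(); }
    }

    /** Everything the victim knows: the credentials they believe are current. */
    static List<Account> loadAccounts(Connection db, String victimEmail) throws SQLException {
        List<Account> accounts = new ArrayList<Account>();
        PreparedStatement ps = db.prepareStatement(
            "SELECT website, username, password FROM victim_accounts WHERE victim_email = ?");
        ps.setString(1, victimEmail);
        ResultSet rs = ps.executeQuery();
        try {
            while (rs.next()) {
                accounts.add(new Account(rs.getString(1), rs.getString(2), rs.getString(3)));
            }
        } finally { rs.close(); ps.close(); }
        return accounts;
    }

    /**
     * Logs the victim into one site. Returns false when the site rejected the
     * credentials (e.g. the player changed the password), the form is missing
     * or the site is down, so the caller can carry on with the other accounts.
     */
    static boolean login(WebClient browser, Account account) {
        try {
            HtmlPage page = browser.getPage(account.website);
            HtmlForm form = page.getFormByName("login");
            form.getInputByName("user").setValueAttribute(account.username);
            form.getInputByName("pass").setValueAttribute(account.password);
            HtmlPage after = form.getInputByName("submit").click();
            for (HtmlForm f : after.getForms()) {
                if ("login".equals(f.getNameAttribute())) {
                    return false; // still looking at the login form: credentials rejected
                }
            }
            return true;
        } catch (IOException e) {
            return false; // site unreachable
        } catch (RuntimeException e) {
            return false; // ElementNotFoundException / FailingHttpStatusCodeException from HtmlUnit
        }
    }

    /**
     * The "victim opens the message" step: a fresh browser, every known account
     * logged in, then the message URL rendered with scripts enabled so XSS
     * payloads and cross-site requests in the body run with the victim's sessions.
     */
    static void openMessage(Connection db, String toAddress, String messageUrl)
            throws SQLException, IOException {
        if (!isVictim(db, toAddress)) {
            return; // not a simulated victim: nobody reads this mail
        }
        WebClient browser = new WebClient(BrowserVersion.FIREFOX_3_6);
        // Assumes HtmlUnit 2.10+; a broken attacker payload must not abort the whole simulation
        browser.getOptions().setThrowExceptionOnScriptError(false);
        try {
            for (Account account : loadAccounts(db, toAddress)) {
                login(browser, account); // a failure here is expected once the player has changed a password
            }
            browser.getPage(messageUrl);
        } finally {
            browser.closeAllWindows(); // drop the sessions so one message cannot leak state into the next
        }
    }
}
```

Two design points worth keeping whatever the rest of the game looks like: create a new WebClient for every message, so the cookies from one read never survive into the next, and treat a failed login as normal rather than fatal, because a victim who has been locked out of one site by the player should still open the mail and still be logged into everything else.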

That's it. Hopefully you can see the advantage of simulating victims, and that this is a robust and easily extendible way of doing it.

Update: See also https://blog.gregbrockman.com/2012/08/system-design-stripe-capture-the-flag/
