JSON Based Attack Techniques (XSS) Part#1

Hi Everyone,

I want to talk about some advanced attacks and potential security flaws, especially in applications that use JSON, that can lead to data injection and session hijacking issues.

In this 1st part I'll talk about a particular kind of vulnerability: web applications are more and more exposed to XSS that is reflected in non-HTML responses, for example JSON. Before I go further, I want to define JSON: JavaScript Object Notation (JSON) is a simple, text-based data transfer format used to transmit data between a server and web applications; it's widely used as a transport mechanism in AJAX applications. I won't give JSON code samples here; you can find them all over the net. In general, every expression that is valid in JavaScript is also valid in JSON.

So, in order to apply our tests, we have to know that JSON data objects can be evaluated. This feature helps to overcome the security restrictions applied by the SOP (same-origin policy). However, we can use scripts to communicate and transmit data by the nature of AJAX applications.

Hacking JSON consists of the following typical fuzzing techniques:

- Array overwrite.
- Large/negative numbers.
- Symbols like <@'_"%/--.
- Additional serialized objects.

As I mentioned before, I'll demonstrate an example of exploiting an XSS vulnerability. But exploiting XSS vectors against Internet Explorer is more than an "alert('XSS')", and as we all know it's a little bit hard in this situation, because browsers pop up the file download dialog instead of rendering the response when the returned content-type is application/json, application/javascript or application/json-rpc.


Thus, the only solution is to bypass the JSON parsing mechanism to exploit this issue indirectly. Before we move to the trick that will allow us to attack the vulnerable application (IE versions below 10), I want to explain how Microsoft Internet Explorer's filters work. Recently I had a chance to explore how these filters prevent such attacks:

Microsoft Internet Explorer's XSS Filters :
===============================

Filters within Internet Explorer (IE) 8/9 have the capability to deal with and to detect reflected XSS attacks by applying regular expressions to response data. If this data were reflected within the response, IE would handle the payload to prevent it from actually triggering.

The following commands show some of the filters:

C:\>findstr /C:"sc{r}" \WINDOWS\SYSWOW64\mshtml.dll|find "<"
C:\>findstr /C:"script" \WINDOWS\SYSWOW64\mshtml.dll|find "{"

Here are some of the extracted regular expressions, including Unicode characters, common URI attributes, event handler names, etc.:

[Image: extracted regular expressions]

After converting the resulting regular expressions and creating SecRules from them to prevent XSS attacks against a web application, any user can apply blacklist-filtering SecRules against incoming request data.

Some of the converted IE XSS filters:

http://pastebin.com/yw0rWmgY

That was just a quick look into IE's cross-site scripting filters. Now we move on to the method we'll use to overcome the problem we encountered previously. This problem is linked to IE's content-sniffing heuristics: any file can be interpreted as executable JavaScript under many circumstances. It's actually a security weakness even if the data is sent with the appropriate JSON content type and well configured, and this remains true even if the JSON is not embedded in HTML. However, this method is based on rendering JSON responses in IE by direct browsing. First we should know how IE determines file types and what content-type will be set for each response:

  1. IE searches the Windows registry for the response's content-type under the specific CLSID key (know more about CLSID, e.g. "CLSID"=6650f4a1-E8B5-A1CF-BB82-012500DDCE0B), to find the correct handler for that response.
  2. If the content-type is found, IE considers it to be the valid content-type; otherwise IE attempts to identify the content-type from the file extension or in another way.

In our situation, the default MIME-type list of Internet Explorer does not include any JSON MIME type. Besides, when visiting a link that returns JSON data, IE directly shows the file download dialog, because the content-type to use for the requested file is not found when IE searches the Windows registry (HKCR\MIME\Database\Content Type\CLSID).

In order to force IE to recognize JSON responses and render them, the URL must carry a file extension that IE treats as text/html (.htm or .html). In addition, because of the way most web servers parse the path, most server-side languages (PHP, Python, Perl CGI…) accept a "path-info" parameter that uses the slash sign (/) as a delimiter and is passed in the URL (i.e. HTTP://[domain_name]/[path-info]?[GET params]). Then, when a web application is vulnerable to a reflected XSS, the attacker simply adds ".html" as path-info; consequently the server returns a page with the XSS content and the same JSON file type, and finally IE matches the .html path-info to text/html and directly triggers the XSS.

This way we are now able to exploit XSS using a combination of the path-info parameter and IE's content-type designation weakness.
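Seen from the server side, the combination described above can be closed off at three points: refuse extra path-info on JSON routes, tell IE not to second-guess the content type, and keep HTML-significant characters out of the body. The following sketch is an added example, not code from the original post; the route name `/api/search`, the `q` parameter and the helper names are assumptions made for illustration.

```python
import json
from urllib.parse import parse_qs

JSON_ROUTE = "/api/search"  # hypothetical endpoint; a real app lists each JSON route

def safe_json(obj):
    """Serialize obj so no HTML-significant character survives in the body."""
    text = json.dumps(obj)
    # json.dumps leaves <, >, & and ' literal. They only occur inside strings,
    # where \uXXXX decodes to the same character but is inert if read as HTML.
    for ch in "<>&'":
        text = text.replace(ch, "\\u%04x" % ord(ch))
    return text.encode("utf-8")

def app(environ, start_response):
    """WSGI app that reflects the 'q' query parameter inside a JSON document."""
    # Refuse /api/search/x.html: the trailing path-info is what lets the
    # browser pick text/html from the extension.
    if environ.get("PATH_INFO", "") != JSON_ROUTE:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    query = parse_qs(environ.get("QUERY_STRING", ""))
    body = safe_json({"q": query.get("q", [""])[0]})
    start_response("200 OK", [
        ("Content-Type", "application/json; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),  # understood by IE8 and later
        ("Content-Disposition", 'attachment; filename="response.json"'),
        ("Content-Length", str(len(body))),
    ])
    return [body]

def call(path_info, query_string):
    """Drive the app with a constructed request; return (status, headers, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"PATH_INFO": path_info, "QUERY_STRING": query_string}
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

The escaping step is the one that does not depend on browser behaviour: even if the response is rendered as HTML, the reflected value contains no markup characters.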

That’s all for this 1st part guys stay in touch … 🙂

You can check my previous research about a kind of JSON attacks : http://www.marw0rm.com/handling-session-actions-web-application-authorization-bypass-youtube-as-example/

About

Follow me on twitter : https://twitter.com/r007hunt

Facebook Malicious W0rm !

Hi Everyone,

Phishers have become more professional, using various ways to get users' credentials. Facebook is one of the popular websites that is prone to such attacks.

Today I want to share with you guys this blog post concerning a piece of malicious code that is widespread all over the internet. Recently I was tagged in a post by a friend on Facebook, so I checked the post and found that it was about a new method to "Hack Facebook accounts". As I too wanted to hack some Facebook accounts ( lol :p ), I was curious about how I could do it, and I found these steps:

  1. First go to your victim’s profile.
  2. Select Inspect Element.
  3. Copy the code from this link : http://pastebin.com/raw.php?i=PwMMAP19(o_O).
  4. Now paste the script into the box given below (Console).
  5. Press Enter and after 10 seconds you'll get a message from your victim that includes his email and password.

I didn't follow these steps, of course. I suspected something was wrong, so I checked the link directly. I found that it contained some obfuscated JavaScript. I took a quick look, trying to understand what this script does to hack Facebook accounts, and noticed that it was not clear (hex encoding, unstructured code) and generally not fully understandable. My curiosity grew and I tried to examine it more deeply. So I copied the code into a JavaScript beautifier in order to reveal the hidden sections. After decoding it I looked at the code: it revealed some sections but was still not fully comprehensible. There were a few methods that were designed to be confusing, and several strings and arrays that would eventually have to be decoded another way and executed to understand the code.

At the beginning I thought I was facing a kind of Luckysploit malware, so in this case I had to find better ways to run JavaScript in a secure environment to minimize the risks that go with executing it. I didn't see any tool that could generically deobfuscate this code completely. I had Malzilla at hand, so I sent the sample to the Malzilla decoder and tried to run the script away from my Facebook account or browser and show the eval() result for some parts of the code, because it seemed to be sending some POST requests to the Facebook server. Anyway, this wasn't able to get me the values I was looking for, and if I had missed another eval() it's possible that I could have executed what was clearly malicious code. I proceeded directly to manual analysis. I examined the code: there were clearly 9 main functions that send many XHR requests to the Facebook server and perform many actions, but initially the script fetches some cookies like c_user & fb_dtsg, to use them later.

var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;

var user_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);

In addition, I noticed that the 3 last functions [ Report(param), arkadaslari_al(id), RandomArkadas(), yorum_yap(id,param) ] appear to be obfuscated, to make the code more disorganized, using an easy method: we simply have 2 arrays, _0xb161 & _0xa22c, containing multiple hex-encoded elements:

var _0xa22c = ["value", "fb_dtsg", "getElementsByName", "match", "cookie", "1395443067381092", "onreadystatechange", "readyState", "arkadaslar = ", "for (;;);", "", [……..] "status", "close"];

I realized afterwards that these elements are used in the functions I already mentioned and passed around via a series of misleading assignments. Every time a function wants to use an element, it sets a reference to it (i.e. _0xa22c[2] ==> "getElementsByName"). After digging around for a few minutes and coding a simple program to put each element in its place, I finally got organized and comprehensible code. Now it's time to take a look at the tasks assigned to each function.
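As an added illustration of that substitution step (this is not the author's program), the sketch below resolves array-lookup obfuscation statically, without ever evaluating the script. The sample input is constructed in the style described above, and the function names `decode_literal` and `deobfuscate` are hypothetical.

```python
import json
import re

# Constructed sample (not the real script): a lookup array of hex-escaped
# strings, followed by code that only refers to it by index.
SAMPLE = r'''var _0xa22c = ["\x76\x61\x6C\x75\x65", "\x66\x62\x5F\x64\x74\x73\x67", "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x4E\x61\x6D\x65"];
var fb_dtsg = document[_0xa22c[2]](_0xa22c[1])[0][_0xa22c[0]];'''

ARRAY_DECL = re.compile(r'var\s+(_0x[0-9a-f]+)\s*=\s*\[(.*?)\];', re.S)
STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"')
HEX_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})')

def decode_literal(raw):
    """Turn \\xNN escapes into characters without evaluating anything."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), raw)

def deobfuscate(source):
    """Inline every NAME[i] lookup as its decoded string literal."""
    tables = {}
    for name, body in ARRAY_DECL.findall(source):
        tables[name] = [decode_literal(s) for s in STRING_LIT.findall(body)]
    out = ARRAY_DECL.sub("", source)  # drop the lookup tables themselves
    for name, strings in tables.items():
        ref = re.compile(re.escape(name) + r'\[(\d+)\]')
        def inline(m, strings=strings):
            i = int(m.group(1))
            # Leave out-of-range references untouched rather than guessing.
            return json.dumps(strings[i]) if i < len(strings) else m.group(0)
        out = ref.sub(inline, out)
    # obj["ident"] -> obj.ident when ident is a plain identifier (readability)
    out = re.sub(r'\[\s*"([A-Za-z_$][\w$]*)"\s*\]', r'.\1', out)
    return out.strip()
```

Because the substitution is pure text rewriting, nothing in the sample runs, which avoids the missed-eval() risk mentioned earlier.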

Deobfuscated & explained script here : http://pastebin.com/1hY0kwCk

We should now do a simulation of this process to ( get the victim's email & password, ohh I'm so excited ^^ :p ), since we know what the code does and have discovered the bad reasons behind coding this script. Once I executed this script following the steps above, using test accounts in an isolated environment to prevent any risky execution, I got strange behavior. The background of Facebook changed, a media player appeared and auto-played, and all the functions executed their tasks successfully. The actual result was stealing your Facebook cookies and using your account to like a series of pages, subscribe to a list, add profiles, auto-follow, report a profile, and like and get tagged in a post. So the whole process results in gaining access to Facebook paths/sensitive data.


Moreover, I searched many sources on the net to get a similar sample. I found many codes with different audio links: http://picosong.com/media/songs/XXXXXX so I suspected that maybe it's used to run crafted mp3 files (i.e. used to exploit a 0-day in browsers) or to run some malicious binaries. Worse than that, I found some add-ons that are used for such ends; some of them have been deleted, like "Facebook Essential", but many others are still used for bad purposes.

To sum up, I want to mention that these scripts can easily be extended to steal victims' cookies, or used on a potential victim to load a compromised web page or open a malicious link. Such a page often contains highly obfuscated JavaScript that determines what is on the victim's computer and loads all the exploits to which this computer is vulnerable. So at the beginning we wanted to trap a victim and get his credentials, but we are the real victim.

It’s just a quick post, hope you like it.

Stay tuned …

email : jigsaw0658@gmail.com