This group should mostly be dealing with how web applications enable networking security issues that are otherwise not there. Everything is being tunneled over port 80 now so what does that enable and how do we fix it? 
Network Security Devices Prone to XSS
Posted by: rsnake
Date: August 22, 2006 04:26PM

I know it's a little strange to be hacking security devices, but I've seen a number of them that are themselves vulnerable to XSS. All that I've seen have been patched (with the exception of ones where disgruntled employees can include XSS that other employees will go and visit).

It would be interesting to catalogue how they have worked. The one that sticks out in my mind was actually something that captured URLs. The URLs could be:
http://<script>alert("XSS")</script> (it was slightly more complex than that, because of how it decoded it, but you get the picture).

Understanding the attack library against security devices might be a good idea going forward. If it's a way to attack the network device so that logs do not show up properly, and the security of the network is compromised (commands on web based interface of the IPSs run as the administrator), that's probably worth talking about.

- RSnake
Gotta love it. http://ha.ckers.org
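
The failure described in the post above, seen from the device's side: a captured URL is attacker-controlled data and has to be HTML-escaped as the last step before it is written into the admin GUI. This is an added example, not part of the original post and not any vendor's code; the function names are hypothetical, the sample URLs are constructed, and percent-decoding is an assumption, since the post does not say how the device decoded URLs.

```python
import html
from urllib.parse import unquote

# Constructed sample of URLs a monitoring device might have captured.
CAPTURED = [
    "http://intranet.example/report?id=7",
    'http://<script>alert("XSS")</script>',               # the form quoted in the post
    "http://%3Cscript%3Ealert(%22XSS%22)%3C/script%3E",   # same string, percent-encoded
]

CELL_OPEN, CELL_CLOSE = "<tr><td>", "</td></tr>"


def render_row_unsafe(url: str) -> str:
    """Flawed order: escape first, then decode for display.

    The escape sees no special characters in the encoded form, and the
    later decode reintroduces raw markup into the page.
    """
    return CELL_OPEN + unquote(html.escape(url)) + CELL_CLOSE


def render_row_safe(url: str) -> str:
    """Decode for readability if the UI wants it, then escape last, at output."""
    return CELL_OPEN + html.escape(unquote(url), quote=True) + CELL_CLOSE


def contains_live_markup(row: str) -> bool:
    """True if captured data put raw tag delimiters inside the table cell."""
    cell = row[len(CELL_OPEN):-len(CELL_CLOSE)]
    return "<" in cell or ">" in cell


def audit(render) -> list:
    """Return the captured URLs that a given renderer lets through as markup."""
    return [u for u in CAPTURED if contains_live_markup(render(u))]


if __name__ == "__main__":
    print("unsafe renderer leaks:", audit(render_row_unsafe))
    print("safe renderer leaks:  ", audit(render_row_safe))
```

The same rule applies to every other field such a device records from traffic (headers, hostnames, usernames), since all of them end up in the administrator's browser.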

Re: Network Security Devices Prone to XSS
Posted by: kirke
Date: September 20, 2006 12:05PM

Do you mean that the device's browser based GUI is prone to XSS, or do you mean that the device is prone to XSS through the links it should check?

Re: Network Security Devices Prone to XSS
Posted by: rsnake
Date: September 20, 2006 12:21PM

Sorry, I should have been more clear, I mean the GUI is vulnerable.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Network Security Devices Prone to XSS
Posted by: kirke
Date: September 20, 2006 12:50PM

I knew of some in *5's overtaken product, but have no current version handy to check if it is still vulnerable.
I also know that same product was prone to CSRF (aka some better names:)
They probably fixed XSS, but I doubt for CSRF.

Re: Network Security Devices Prone to XSS
Posted by: hackathology
Date: March 14, 2007 07:14AM

Hmm, I am going to try it on my networking devices. I thought of that initially, but I am not very good at scripting, but rsnake just gave me an idea.

Re: Network Security Devices Prone to XSS
Posted by: rsnake
Date: March 14, 2007 10:25AM

Yah, let us know the results. I'm always interested in how web based technology can cause havoc with networking devices.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Network Security Devices Prone to XSS
Posted by: hackathology
Date: March 14, 2007 10:48AM

OK, for once, this might not be a networking device, but instead it's Microsoft web server IIS 6.0 and the Siebel CRM application. I had tested it during a pen test on a bank. Oh my, it was horrible!!

For the Siebel CRM application, it has a weak session ID. If you have two user accounts, log in as user1, keep note of the rowid field. Log in as user2, copy and paste the rowid value of user1 into the rowid field of user2. You can actually change all the details of user1. That's bad!! That's one of the most horrendous encounters. Imagine this, you can change and reset all the passwords for all the users.


Microsoft IIS 6.0, there appears a flaw in the parameter ReturnURL. I remember I tested it for XSS, and it actually works. Just insert a normal <script>alert("XSS")</script> in the ReturnURL parameter and boom. XSS!!!

http://hackathology.blogspot.com

Re: Network Security Devices Prone to XSS
Posted by: rsnake
Date: March 14, 2007 11:36AM

Ugh... both of those are bad.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Network Security Devices Prone to XSS
Posted by: hackathology
Date: March 14, 2007 11:45AM

Yup. Those are bad. I had made a video out of the Siebel application. I'll see if I can find it and post it online. Let me know where the best place to post this video is, so everyone can see it.

http://hackathology.blogspot.com



Edited 1 time(s). Last edit at 03/14/2007 11:49AM by hackathology.

Re: Network Security Devices Prone to XSS
Posted by: hackathology
Date: March 14, 2007 12:11PM

not to mention BEA WebLogic Server 7.0 and 8.1

vulnerablesite:7001/console/x?=<script>alert(document.cookie)</script>

http://hackathology.blogspot.com



Edited 1 time(s). Last edit at 03/14/2007 12:12PM by hackathology.

Re: Network Security Devices Prone to XSS
Posted by: jungsonn
Date: March 15, 2007 07:59AM

Great stuff! These are clearly things you come across in the network field? I hooked you up on my blog, I also put a link up to it soon.

You know I've been toying with routers and stuff and to detect them through their default logo/image like: http://www.jungsonnstudios.com/blog/?i=145&bin=10010001

Anyway it's really interesting to do some more research in these areas.

Re: Network Security Devices Prone to XSS
Posted by: hackathology
Date: March 16, 2007 02:09AM

Hi jungsonn, nice to meet you. I will add you to my link too. I need more links. Let's learn from each other.

http://hackathology.blogspot.com
