
Expert Posts About Blogger's CSP Flaw

A security researcher has found a way to bypass Content Security Policy (CSP) protections via WordPress. The technique, found by Paulos Yibelo, relies on same-origin method execution and uses JSON with padding (JSONP) to call a function.

It allows a WordPress account to be compromised, but only in combination with a cross-site scripting (XSS) exploit, which the researcher does not currently have. Yibelo has not tried the technique on live websites, limiting his testing to research sites he owns.

“I haven’t really attempted to because it requires a logged-in WordPress user or admin to visit my website, so I install the plugin and have an HTML injection – which is illegal to do,” said Yibelo. He also said he had not tried to abuse the bug in the wild or on bug bounty platforms.

The researcher informed WordPress about the issue three months ago but received no reply, after which Yibelo published the findings publicly in a blog post.

Attacks are possible in two situations: first, websites that do not primarily run WordPress but expose a WordPress endpoint on the same domain or a subdomain; second, a WordPress-hosted website that sets a CSP header.

Yibelo's blog says that if an attacker finds an HTML injection vulnerability in the main domain (for example website1.com, which is not running WordPress), they can use a WordPress endpoint to upgrade an otherwise useless HTML injection to a full-blown XSS, which in turn can be escalated to remote code execution (RCE). In other words, having WordPress anywhere on the site defeats the purpose of a strict CSP.

Yibelo hopes that WordPress fixes this issue soon so that CSP remains meaningful on sites hosting WordPress endpoints. CSP is a mechanism set by websites and enforced by browsers that restricts the resources a page may load and thereby blocks many XSS attacks.

PortSwigger explains: "CSP is a browser security mechanism that aims to mitigate XSS and some other attacks. It works by restricting the resources (such as scripts and images) that a page can load and restricting whether a page can be framed by other pages."
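The weakness described above is that a CSP host allow-list still permits scripts from an allowed origin, so if that origin also serves a JSONP-style endpoint (an endpoint that echoes a caller-chosen callback name as script), an HTML injection can load a callback URL from it. The following is an added example, not code from the article or from Yibelo's research: a small audit of a policy's script-src that flags such origins. The `JSONP_HOSTS` list and the hostnames in it are constructed assumptions.

```python
"""Added example: flag CSP script-src entries that allow an origin which also
serves a JSONP-style callback endpoint (constructed list), plus 'unsafe-inline'."""
from typing import Dict, List

# Constructed, hypothetical set of origins assumed to expose a JSONP endpoint.
JSONP_HOSTS = frozenset({"blog.example.com", "widgets.example.net"})

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}.
    The first occurrence of a directive wins, as browsers do."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src falls back to default-src when it is not set."""
    return policy.get("script-src", policy.get("default-src", []))

def host_of(source: str, page_host: str) -> str:
    """Reduce a host-source to a bare hostname; 'self' is the page's own host."""
    if source == "'self'":
        return page_host
    host = source.split("://", 1)[-1].split("/", 1)[0]
    return host.rsplit(":", 1)[0] if ":" in host else host  # drop any port

def audit_script_src(header: str, page_host: str) -> List[str]:
    """Return human-readable findings about where injected script could run."""
    sources = script_sources(parse_csp(header))
    findings: List[str] = []
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append("'unsafe-inline' lets any injected inline script run")
    if "'strict-dynamic'" in sources:
        return findings  # the host allow-list is ignored under 'strict-dynamic'
    for src in sources:
        if src.startswith("'") and src != "'self'":
            continue  # keyword sources other than 'self' name no host
        host = host_of(src, page_host)
        if host in JSONP_HOSTS:
            findings.append(f"{src} -> {host} serves JSONP; an HTML injection can "
                            "load a callback URL that this policy allows as script")
    return findings

if __name__ == "__main__":
    for f in audit_script_src("default-src 'self'; img-src *", "blog.example.com"):
        print(f)
```

A policy that relies on a per-response nonce together with `'strict-dynamic'` passes the audit because no host allow-list remains to abuse.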

Symfony PHP Framework has a Cache Poisoning Bug


Websites built on the Symfony framework were vulnerable to web cache poisoning attacks due to the misuse of HTTP headers. Symfony is a popular PHP framework for web applications with over 200 million downloads to date. The framework was found to be vulnerable to web cache poisoning, potentially exposing sensitive information such as users' IP addresses.

Web cache poisoning is a sophisticated technique in which an attacker takes advantage of the behavior of a web server and its cache to deliver a malicious HTTP response to other users. The attack has two stages. First, the attacker must find a way to elicit a response from the back-end server that carries a harmful payload. Once they have, they must ensure that the response is cached and then served to the intended victims.

A poisoned web cache has the potential to be a catastrophic means of disseminating a variety of attacks, including XSS, JavaScript injection, open redirection, and so on. 

Manipulation of unkeyed inputs, such as headers, is at the heart of any web cache poisoning attack. When deciding whether to serve a cached response to a user, web caches disregard unkeyed inputs. Because of this, threat actors can use them to inject a payload and elicit a "poisoned" response which, if cached, will be served to all users whose requests map to the same cache key.

The bug, which has since been fixed, arose when a Symfony-based website ran behind a proxy or load balancer. In such deployments developers can tell Symfony to look for X-Forwarded-* headers, which carry information about the original client such as its IP address, protocol, and port. Symfony uses a trusted_headers allow list to limit which of these headers are honored and so prevent web cache poisoning. In version 5.2 Symfony's developers added support for the X-Forwarded-Prefix header, which carries the request's original path base.

According to a GitHub advisory, the flaw was in the sub-request feature, which lets developers render and serve a small section of a page instead of the whole page. Sub-requests processed the X-Forwarded-Prefix header even when it was not on the trusted headers list. By sending requests with a forged X-Forwarded-Prefix header and having the resulting sub-request responses cached, malicious actors could carry out web cache poisoning attacks.
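To make the mechanism concrete, here is an added example (not Symfony's code): a toy shared cache in front of a back end that builds a link from X-Forwarded-Prefix. It shows how a header the cache does not key on poisons the stored response for every later visitor, and how honoring the header only when it appears on a trusted_headers allow-list removes the effect. The request shape, the `/forged` prefix value and the rendered fragment are constructed for the example.

```python
"""Added example: unkeyed X-Forwarded-Prefix poisoning a path-keyed cache, and the
allow-list fix. Not Symfony's implementation; structure is simplified."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple

@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased names

def render_fragment(req: Request, trusted: FrozenSet[str], enforce_trust: bool) -> str:
    """Back end for a sub-request. With enforce_trust=False the prefix is taken
    from the request regardless of the allow-list (the buggy behaviour described
    above); with enforce_trust=True it is used only when the deployment trusts it."""
    prefix = ""
    if not enforce_trust or "x-forwarded-prefix" in trusted:
        prefix = req.headers.get("x-forwarded-prefix", "")
    return f'<a href="{prefix}/login">Log in</a>'

class Cache:
    """Shared cache keyed on method and path only: request headers are unkeyed,
    so whoever fills an entry first decides what everyone else receives."""
    def __init__(self, backend: Callable[[Request], str]) -> None:
        self.backend = backend
        self.store: Dict[Tuple[str, str], str] = {}

    def fetch(self, req: Request) -> str:
        key = (req.method, req.path)
        if key not in self.store:
            self.store[key] = self.backend(req)
        return self.store[key]

def serve(requests: List[Request], trusted: FrozenSet[str], enforce_trust: bool) -> List[str]:
    """Replay requests through a fresh cache and return the responses in order."""
    cache = Cache(lambda r: render_fragment(r, trusted, enforce_trust))
    return [cache.fetch(r) for r in requests]

# Constructed traffic: one request carrying a forged prefix, then an innocent visitor.
POISONER = Request("GET", "/", {"x-forwarded-prefix": "/forged"})
VISITOR = Request("GET", "/")

if __name__ == "__main__":
    buggy = serve([POISONER, VISITOR], frozenset(), enforce_trust=False)
    fixed = serve([POISONER, VISITOR], frozenset({"x-forwarded-for"}), enforce_trust=True)
    print("buggy, visitor gets:", buggy[1])  # carries /forged although the visitor sent no header
    print("fixed, visitor gets:", fixed[1])
```

In the fixed variant the allow-list contains only X-Forwarded-For, so the forged prefix never reaches the rendered fragment and the cached entry is clean for everyone.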

QNAP Patched a Flaw that Allowed Attackers to Remotely Execute Malicious Commands


QNAP, a Taiwanese NAS manufacturer, has issued security updates for numerous vulnerabilities that might allow attackers to remotely inject and execute malicious code and commands on susceptible NAS systems. File sharing, virtualization, storage management, and surveillance applications all employ network-attached storage (NAS) appliances. The headquarters of QNAP is located in the Xizhi District of New Taipei City, Taiwan. QNAP began as a department of the IEI Integration Corporation, a Taiwan-based industrial computer services provider. 

Three high-severity stored cross-site scripting (XSS) vulnerabilities (recorded as CVE-2021-34354, CVE-2021-34356, and CVE-2021-34355) affect devices running unpatched Photo Station software (releases before 5.4.10, 5.7.13, or 6.0.18), according to QNAP.

In addition, QNAP fixed a stored XSS issue in Image2PDF affecting devices running versions prior to Image2PDF 2.1.5. After successful exploitation, threat actors can use stored XSS to inject malicious code remotely and keep it on the targeted servers indefinitely.

Stored attacks are ones in which the injected script is kept on the target servers indefinitely, such as in a database, a chat forum, a visitor log, a comment field, and so on. When the victim requests information from the server, the malicious script is downloaded. 

A command injection bug (CVE-2021-34352) affecting some QNAP end-of-life (EOL) devices running the QVR IP video surveillance software, which allowed attackers to run arbitrary operations, was also fixed. Successful attacks leveraging CVE-2021-34352 could result in NAS devices being completely taken over.

In April, QNAP NAS operating systems QTS and QuTS Hero were patched for a command injection vulnerability (CVE-2020-2509). The other critical flaw (CVE-2020-36195), which affected any QNAP NAS devices running Multimedia Console or the Media Streaming add-on, was also patched in the same batch of firmware upgrades.

“Both vulnerabilities are simple to exploit if you know the exact technical details,” said Yaniv Puyeski, a security researcher at SAM Seamless Network.

The significant, pre-authenticated flaws, which require only network access to the susceptible services, highlight an insecure, all-too-common way of using the devices, according to Puyeski. “Unfortunately, a lot of QNAP owners expose their device to the internet through port forwarding which puts them at very high risk to be hacked,” he explained.

SIP Protocol Exploited to Trigger XSS Attacks via VoIP Call Monitoring Software


According to new research, the SIP communications protocol can be exploited to conduct cross-site scripting (XSS) attacks.

According to a blog post published on June 10 by Enable Security's Juxhin Dyrmishi Brigjaj, the Session Initiation Protocol (SIP), the technology used to manage communication across services such as Voice over IP (VoIP), audio, and instant messaging, can be used as a conduit for application-layer attacks on software.

This includes cross-site scripting (XSS) attacks, in which users' browser sessions may be stolen, same-origin restrictions bypassed, and users impersonated for purposes such as theft, phishing, or malware deployment.

In the worst-case situation, according to Dyrmishi Brigjaj, this might lead to an "unauthenticated remote compromise of vital systems." 

The study looked into the case of VoIPmonitor, an open-source network packet sniffer that system administrators use to examine the quality of VoIP calls based on various network metrics. During an offensive security audit, a flaw in the software's graphical user interface (GUI) was uncovered. 

One of the GUI's functions is monitoring SIP device REGISTER requests. The GUI also records the type of device that sent the SIP REGISTER message, taken from the User-Agent header value. That value is rendered into the DOM of the administrator's web browser, which, in the hands of criminals, can lead to the execution of malicious code.
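The following is an added example, not VoIPmonitor's code: it parses the header fields of a SIP REGISTER request, extracts the User-Agent, and renders it into an HTML table row, placing the unescaped rendering that lets header content become markup beside the escaped one. The REGISTER message, its addresses and the User-Agent string are constructed.

```python
"""Added example: SIP REGISTER header parsing and safe rendering of User-Agent.
Toy parser; not the VoIPmonitor implementation."""
from html import escape
from typing import Dict

# Constructed REGISTER request; the User-Agent carries HTML metacharacters.
REGISTER = (
    "REGISTER sip:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@pbx.example.net>;tag=1928301774\r\n"
    "To: <sip:1001@pbx.example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1001@192.0.2.10:5060>\r\n"
    "User-Agent: Softphone <script>probe()</script> 1.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def parse_sip_headers(message: str) -> Dict[str, str]:
    """Return the header fields of a SIP request with lower-cased names.
    Folded continuation lines and compact header names are not handled here."""
    head = message.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # the first line is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def render_row_unsafe(headers: Dict[str, str]) -> str:
    """Before: values are spliced into markup verbatim, so markup inside a
    User-Agent header is interpreted by the administrator's browser."""
    return (f"<tr><td>{headers.get('contact', '')}</td>"
            f"<td>{headers.get('user-agent', '')}</td></tr>")

def render_row_safe(headers: Dict[str, str]) -> str:
    """After: every value is HTML-escaped. This also fixes the benign case: the
    angle brackets around a SIP URI in Contact are data, not a tag."""
    return (f"<tr><td>{escape(headers.get('contact', ''))}</td>"
            f"<td>{escape(headers.get('user-agent', ''))}</td></tr>")

if __name__ == "__main__":
    fields = parse_sip_headers(REGISTER)
    print(render_row_unsafe(fields))
    print(render_row_safe(fields))
```

Note that even a perfectly legitimate Contact header would be mangled by the unsafe renderer, since a browser treats `<sip:...>` as an unknown tag; escaping is needed for correctness as well as for security.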

The researchers note, “At face value, this might not seem like much, and in the real world I’d use something less obvious, relying on some canary token or callback. However, keep in mind that this code is executed in an administrator’s browser and is stored there for a period of time.” 

According to Dyrmishi Brigjaj, code execution during this brief window of opportunity can be turned into privilege escalation and full, permanent admin access.

This would be accomplished by creating an administrator account in the system and storing a new JavaScript payload. 

As a result, the vulnerability could result in data and traffic exfiltration, the hijacking of other administrator accounts, and the deployment of malware such as keyloggers, backdoors, and more. 

On February 10, Enable Security reported its findings to VoIPmonitor, and the project's developers fixed the security issue on February 22 by adding new XSS mitigation measures. 

Users of VoIPmonitor are advised to upgrade to the most recent version, v.24.71. Enable Security tested the fix and determined that the avenue to the XSS attack vector had been eliminated.