According to Wikipedia, 'Referer spoofing is the sending of incorrect referer information in an HTTP request in order to prevent a website from obtaining accurate data on the identity of the web page previously visited by the user.'
In other words, making a server think that requests are coming from anywhere we want.
Fiddler XSS Inspector: easily detect cross-site scripting vulnerabilities using Fiddler. The Fiddler tool helps you debug web applications by capturing network traffic between the Internet and test computers. The tool enables you to inspect incoming and outgoing data to monitor and modify requests and responses before the browser receives them. An XSS testing plugin for the free Fiddler HTTP proxy, x5s actively injects tiny probes of ASCII and Unicode into every user-controlled input of a web application in order to elicit and identify character transformations and encoding issues that could lead to XSS vulnerabilities. x5s is automatic and easy to run. I am going to use Fiddler to do the attack for this example. In most of my posts I usually use Burp Suite, but there is a cool ViewState Decoder available for Fiddler that I want to use here. The following screen shows the login form on the initial load: I will set up Fiddler to break before requests so I can intercept the traffic. Ammonite is a web application security scanner extension for Fiddler. Ammonite detects common vulnerabilities such as SQL injection and OS command injection. MockingBird is a Fiddler extension to transform HTTP requests to another format. There are lots of reasons you might need to debug HTTP/HTTPS requests, be it to recreate an issue and narrow down the problem in your favorite language editor, or to compare contents between different requests. MockingBird is a Progress Telerik Fiddler extension to transform a Fiddler's HTTP.
MSRC Notification
The original PoC sent to MSRC was using iframes, but their rejection made me come back to find something easier. Either way, the referer-spoof works essentially as in the original proof of concept.
Date: Jul 14, 8:47AM (GMT-3)
From: Manuel Caballero
To: secure@microsoft.com
Attachments: IE_EDGE_xss_filter_bypass.zip
Hey fellas! Attached you have a working PoC with an XSS-Filter bypass […]
1) Inject an iFrame on the vulnerable URL.
2) Load the vulnerable inside the iFrame but this time, with the script you want to execute.
Now, this happens because IE/Edge disable the filter when the requests come from the same-domain referrer […]
It's easy to load inside the iFrame the vulnerable URL because IE/Edge has many problems regarding referrers.
It's quite easy (check the PoC) to emulate essentially, any referrer we want. […]
Date: Jul 14, 5:29PM (GMT-3)
From: secure@microsoft.com
To: Manuel Caballero
Hello, Thank you for contacting the Microsoft Security Response Center (MSRC)[…] but filter bypasses themselves are not considered to be vulnerabilities.
Regards,
[…]
MSRC
Referer
The referer is an HTTP header that allows a site to identify where the request is coming from. For example, if we search for 'MS Edge' in Google and click on the first organic link, the browser will navigate to microsoft.com sending google.com as the referer. Microsoft will know that we are coming from Google because the referer is sent by the browser when doing the request.
The referer is not only sent when clicking on a link but also with every resource that is requested. If we load a webpage (say, magicmac.com) that renders two images and an iframe, all those requests will carry the referer in the HTTP header. The requests will look like this:
- Main page (magicmac.com) with an empty referer. The browser leaves it blank when we directly type the URL into the address bar.
- Two images. Both with magicmac.com as the referer.
- One iframe also with magicmac.com as the referer.
Let's watch that closely while capturing traffic using Fiddler Web Debugger. A simple HTML page with two images side by side and an iframe below them.
Now check out the Fiddler log below with the request numbers matching the ones of the images/iframe above. In the first row we have the request number, then Host/URLs and in the last one, referers. To make this clearer I deleted a few lines (requests 1, 6 and 7) from the Fiddler log, as those were unrelated to our task.
Look below how request #2 has an empty referer because it's the URL that we typed in the address bar, with no referer at all. Then come requests #3 and #4, both with magicmac.com as the referer. Finally, request #5 also has magicmac.com.
But what happens after that? Why is it that all requests starting from #8 have bing.com as the referer? It's because those images/scripts are being requested by bing.com and not magicmac, even if the top URL is magicmac. Keep in mind that the referer is always the Host/URL that generates the request. Bing.com is inside an iframe, and all the requests it is making are coming from bing.com, not magicmac. Who is requesting those scripts and images? Bing.com.
If this explanation is unclear I suggest you read this Wikipedia article which is better written and more detailed.
Basic uses of the HTTP referer on the web
- A server wants to prevent other sites requesting images from itself. This is called Hotlinking.
- A website wants to serve premium content only to a specific HTTP referer. This happens a lot with videos/tutorials served from Vimeo. They are accessible only when the browser referer comes from a particular host. In other words, if you know the 'secret' host and how to change your referer, you can get all that content for free.
- Browsers disable the XSS Filter leaving the site naked against XSS or CSRF attacks. What? Oh yes. IE/Edge allow a site to 'auto-xss' itself. In other words, those browsers will literally disable the XSS filter if the referer of the request comes from the same domain. No worries if unclear, we will see this in a bit.
Creating vulnerable samples
Let's create a couple of PHP scripts: one with a referer check to serve 'premium content' and another vulnerable to XSS attacks.
The script below serves premium content only to requests coming from www.nature.com; otherwise it says you are not authorized.
```php
<?php
// http://www.cracking.com.ar/demos/referer/refcheck.php
// Authorization decided purely on the Referer header (the weak check this post targets)
$ref = $_SERVER['HTTP_REFERER'] ?? '';
$refData = parse_url($ref);
$host = $refData['host'] ?? '';
if ($host == 'www.nature.com')
    echo 'This is your premium content because you are coming from: ' . $host;
else
    echo 'You are not authorized to view this page';
```
[ Try it Live! ]
The page returned a 'not authorized' message because the referer is brokenbrowser, not nature. But no worries, we will bypass this soon. Let's see now a site that is vulnerable to XSS attacks.
```php
<?php
// http://www.cracking.com.ar/demos/referer/xss.php
// Deliberately vulnerable demo: the xss parameter is reflected without encoding
// (the reflection line is reconstructed from the demo URL below)
echo $_GET['xss'];
// http://www.cracking.com.ar/demos/referer/xss.php?xss=<script>alert(1)</script>
```
[ Try it Live! ]
The code injection failed thanks to the XSS filter. No hurries, we will bypass this in a second.
Referer spoof – How to do it
The problem that both Edge and IE have is quite simple: when changing the location of the top window using JavaScript, the referer will be the previous URL instead of the host that changed it. Check below; the code is easier to read than my English explanation:
```javascript
win = window.open('http://www.nature.com');
win.location.href = 'http://www.cracking.com.ar/demos/referer/refcheck.php';
```
[ Try it Live! ]
Fooled! Microsoft Edge (and IE) mistakenly passed nature.com as the referer when it was just the previous page. Remember: the referer should be the URL that initiated the request, not the previous page. In the example above, we opened a window on nature and immediately changed -via scripting- its location. The referer should have been the URL of the script that changed its location which in this case is also cracking.com.ar. Want to try it again? Let's make whatsmyreferer.com think that we are coming from Paypal.
```javascript
win = window.open('https://www.paypal.com');
win.location.href = 'https://www.whatismyreferer.com';
```
[ Try it Live! ]
XSS Filter Bypass – How to do it
Bug hunter, I'm pretty confident of your awareness of the mechanics of the XSS filter of IE/Edge, but just in case, remember that it is literally disabled on pages where the referer host equals the host of the rendered page. So this will be pretty simple: we open any URL that belongs to the host of the vulnerable page, and then we change the location, XSSing it straight! If we want to attack ebay.com then we will emulate-spoof ebay.com as the referer and then XSS it. Let's give it a try. Remember the vulnerable page above?
```php
// http://www.cracking.com.ar/demos/referer/xss.php
```
We tried to inject a script there but failed because the XSS filter blocked it. But let's fool the referer and make this work!
```javascript
win = window.open('http://www.cracking.com.ar'); // Referer spoofer
// Successful code injection
win.location.href = 'http://www.cracking.com.ar/demos/referer/xss.php?xss=<script>alert(1)</script>';
```
Fellow bug hunter, I hope you will continue playing with this. The history and location objects have other bugs waiting to be found. Play with them and the vulnerabilities will come to you!
Have fun and ping me if you have questions!
x5s is a Fiddler addon which aims to assist penetration testers in finding cross-site scripting vulnerabilities. Its main goal is to help you identify the hotspots where XSS might occur by:
- Detecting where safe encodings were not applied to emitted user-inputs
- Detecting where Unicode character transformations might bypass security filters
- Detecting where non-shortest UTF-8 encodings might bypass security filters
It injects ASCII to find traditional encoding issues, and it injects special Unicode characters and encodings to help an analyst identify where XSS filters might be bypassed. The approach to finding these hotspots involves injecting single-character probes separately into each input field of each request, and detecting how they were later emitted. The focus is on reflected XSS issues; however, persistent issues can also be detected. The idea of injecting special Unicode characters and non-shortest-form encodings was to identify where transformations occur which could be used to bypass security filters. This also has the interesting side effect of illuminating how all of the fields in a web app handle Unicode. For example, in a single page with many inputs, you may end up seeing the same test case get returned in a variety of ways: URL encoded, NCR encoded, ill-encoded, raw, replaced, dropped, etc. In some cases where we've had Watcher running in conjunction, we've been able to detect ill-formed UTF-8 byte sequences, which is indicative of 'other' problems.
The types of test cases that x5s includes:
- Traditional test cases - characters typically used to test for XSS injection such as <, >, ", and ' which are used to control HTML, CSS, or JavaScript;
- Transformable test cases - characters that might uppercase, lowercase, normalize, best-fit map, or otherwise transform to completely different characters, e.g. the Turkish 'İ' which will lower-case to 'i' in culture-aware software.
- Overlong UTF-8 test cases - non-shortest UTF-8 encodings of the 'traditional' test cases noted above. E.g. the ASCII < is 0x3C normally and 0xC0 0xBC in non-shortest form UTF-8.
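As an added example (not code from the original post or from x5s), the checker below flags the non-shortest-form UTF-8 sequences described in the last bullet and shows what a permissive decoder would turn them into, which is exactly why a filter that compares raw bytes before validating the encoding can be bypassed. The sample payloads are constructed here.

```python
# Constructed samples: a normal probe and the same text written with the
# overlong encodings of '<' (0xC0 0xBC) and '>' (0xC0 0xBE) from the text above.
NORMAL = b"<script>alert(1)</script>"
OVERLONG = b"\xc0\xbcscript\xc0\xbealert(1)\xc0\xbc/script\xc0\xbe"

# Smallest code point each sequence length may legitimately encode.
_SHORTEST = {2: 0x80, 3: 0x800, 4: 0x10000}

def find_overlong(data: bytes) -> list[tuple[int, bytes, int]]:
    """Return (offset, sequence, code point) for every non-shortest-form
    UTF-8 sequence in data. Stray or malformed bytes are skipped, not judged."""
    hits, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:                        # plain ASCII, nothing to check
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:
            n, cp = 2, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            n, cp = 3, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            n, cp = 4, b & 0x07
        else:                               # continuation byte or invalid lead
            i += 1
            continue
        seq = data[i:i + n]
        if len(seq) < n or any(c & 0xC0 != 0x80 for c in seq[1:]):
            i += 1                          # truncated or malformed sequence
            continue
        for c in seq[1:]:
            cp = (cp << 6) | (c & 0x3F)
        if cp < _SHORTEST[n]:               # decodable with fewer bytes: overlong
            hits.append((i, bytes(seq), cp))
        i += n
    return hits

def lenient_decode(data: bytes) -> str:
    """What a permissive decoder yields: each overlong form collapses to the
    character a byte-level filter was looking for and never saw. A conforming
    decoder (Python's bytes.decode) raises UnicodeDecodeError on them instead."""
    out, i = [], 0
    for off, seq, cp in find_overlong(data):
        out.append(data[i:off].decode("utf-8", errors="replace"))
        out.append(chr(cp))
        i = off + len(seq)
    out.append(data[i:].decode("utf-8", errors="replace"))
    return "".join(out)
```

Running find_overlong on request parameters before any filter comparison, or rejecting input that the strict decoder refuses, closes the gap that these probes are designed to expose.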
Requirements
Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and 'fiddle' with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language.
Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more.