XSS testing of Cookie Keys
First off I'd like to give thanks to the dev & support team of Arachni for providing such a good tool!
I am new to Arachni so this could be covered elsewhere, but if so I've failed to find it. So far I have Arachni successfully crawling through our site and having given it an insecure version I am hoping it will find various known issues. It has done very well, finding most of the issues, but there is one hole to do with our use of cookies.
We use keys within cookies, i.e. multiple key=value pairs within one cookie, so rather than have:
Cookies: name1=value1; name2=value2;
We have:
Cookies: name1=key1=value1&key2=value2;
This means that when testing for XSS the payload should be injected into both key1 & key2, but currently it appears that Arachni only injects at the end of the Cookie value, so only key2 is injected and key1 is never tested. Ideally I would like it to try both of the following (i.e. as if it was 2 different cookies):
Cookies: name1=key1=value1<inject-here>&key2=value2;
Cookies: name1=key1=value1&key2=value2<inject-here>;
Can Arachni be configured to do this? If so how? And if not how hard would it be to implement?
I can give a working example if needed.
Support Staff 1 Posted by Tasos Laskos on 26 May, 2017 04:13 PM
I think that you're looking for this: https://github.com/Arachni/arachni/wiki/Command-line-user-interface...
Give it a try and let me know how it works.
Cheers
2 Posted by Steven Phillips on 26 May, 2017 06:14 PM
Hi Tasos,
Thanks for the quick response. I've tried the option but it doesn't seem to work, running with --output-debug I get the following printed in the console:
I only get the second line if I use the --audit-parameter-names option, so it's getting the option, but it's not identifying the obvious coding flaw. The cookie ATEST is initialised to:
Cookies: ATEST=ua=2&nm=John+Doe&uk=23;
And then my test website does the dumbest thing of:
i.e. no Html encoding, so any injection into the 'nm' cookie key would work - but Arachni is not finding it.
What have I missed?
Support Staff 3 Posted by Tasos Laskos on 27 May, 2017 03:48 PM
I don't think Arachni can do what you want, there's no support for nested cookies -- is that actually a thing? I've never come across it before.
Out of curiosity, can you please show me the Set-Cookie header?
4 Posted by Steven Phillips on 28 May, 2017 12:14 PM
Hi Tasos
I've cut the example down to 2 simple files which should run in any version of IIS with ASP enabled.
First file: atest.asp
Second file: setNameEx.asp
When first loaded the initialisation of ATEST1 leads to:
Note the order is reversed, i.e. the initialisation order is uk, nm & then ua and the order in the cookie is ua, nm, uk. When I set the name to 'John&Doe' the following is returned:
Note nm becomes first, so the last modified key is given first. This is the worst behaviour for Arachni as any added/changed key will never be injected.
Note also that IIS URL encodes the values so a '&' is a reliable key separator.
So would it be possible to create a '--cookie-has-keys' option which can be used multiple times, taking a cookie name and ideally makes Arachni inject before any '&' as well as at the end?
As I said, Arachni is so close to doing all I want it to, but as you can see this is rather a large hole for us. I would be happy to try and implement this if you thought it feasible and could give me a few pointers...
Thanks.
Support Staff 5 Posted by Tasos Laskos on 28 May, 2017 12:42 PM
I should be able to swing that, adding new input vectors to Arachni isn't that difficult but I'll have to do it myself.
It may take a while to get to this though.
6 Posted by Steven Phillips on 28 May, 2017 01:02 PM
Anything I can do to help? I'll certainly be happy to test :-)
Support Staff 7 Posted by Tasos Laskos on 28 May, 2017 01:08 PM
You've been most helpful already, I understand the behavior you need. Once I have something that you can test I'll let you know.
I sense that you need this soon, so I'm making it my next task. I'll try to start work on this within a couple of days.
8 Posted by Steven Phillips on 28 May, 2017 01:38 PM
Much appreciated Tasos!
Support Staff 9 Posted by Tasos Laskos on 31 May, 2017 03:16 PM
I think I got it working, I need to run a few time consuming tests before I push the change though. Might take a couple more days.
10 Posted by Steven Phillips on 31 May, 2017 06:30 PM
Excellent news - looking forward to giving it a hammering :-)
While on the subject of cookies, I've been looking for a way to stop Arachni auditing a specific cookie (we use a cookie internally for testing that does not need injecting etc.) and found various web references to the '--exclude-cookie' option, but this no longer appears to exist.
Has this functionality been removed or is there still a way to stop a specific cookie from being audited?
Thanks
Support Staff 11 Posted by Tasos Laskos on 31 May, 2017 06:33 PM
That's a really old option, you can now use: https://github.com/Arachni/arachni/wiki/Command-line-user-interface...
12 Posted by Steven Phillips on 31 May, 2017 08:31 PM
That's what I'm after - thanks!
Support Staff 13 Posted by Tasos Laskos on 06 Jun, 2017 09:20 AM
Done: https://github.com/Arachni/arachni/commit/6a4135b062d56711809628042...
Give the nightlies a try, the option is called --audit-nested-cookies.
14 Posted by Steven Phillips on 06 Jun, 2017 11:51 AM
Hi Tasos,
I've downloaded and installed, verified the option is being used but nothing is being reported!?! What am I doing wrong? In the console I see:
and atest1.asp does:
So no attempt to check the value of 'nm' or protect the output, but Arachni is not reporting the issue. Is there any way to see what it's injecting or the response it got? I've tried using the page_dump plugin but I only got 3 yaml files and none had an injection (so is this limited to the initial output from the spider?).
This looks so close now but I'm confused as to why it hasn't spotted the injection, best guess would be that the injected value wasn't URL encoded so IIS broke the injection...
Support Staff 15 Posted by Tasos Laskos on 07 Jun, 2017 08:34 AM
The page_dump plugin will only save pages as they're crawled, it won't dump all HTTP responses. My advice would be to use a proxy to see what's going on.
16 Posted by Steven Phillips on 07 Jun, 2017 11:42 AM
Hi Tasos,
I've reduced the checks-list down to just xss to keep things focused and found out what the problem is. When a non-nested cookie is used Arachni spots the weakness with any of the xss injections (but only lists one so changes on each run).
The problem is in the way Arachni is trying to inject and encode the nested cookies. The format is the same as a URL line with query values and the encoding is very important, it has to be:
Where the key names and values are URL encoded but the '=' and '&' separators aren't and mustn't be. So:
Is a valid nested cookie with Request.Cookies("ATEST1")("a") == 'b', Request.Cookies("ATEST1")("c") == 'd' etc. However
Is not a valid nested cookie it is now simply a cookie with a single value, this is why Arachni is not spotting my simple test case, the injected cookie value is sent as follows:
So the page's call to Request.Cookies("ATEST1")("nm") returns an empty string.
Given a nested cookie of 'ATEST1=a=b&c=d&e=f', the easiest way I can think of for injecting a nested-cookie is to literally insert the URL encoded injection before every '&', i.e. test:
To inject both 'a' and 'c' keys; injecting 'e' is not needed because the basic cookie injection will have done this key already. I've looked at some of the Arachni Ruby code and I must confess it did not make much sense to me, but if you want to send me a patch for testing I'm very happy to.
One point of curiosity, as mentioned above, with each run I seem to get a different injection attempted, certainly not every injection and not the same one, but a random one. Is this by design? And does this mean that, in practice, I may get variable results depending on which injections were 'randomly' selected? I can imagine this is done so there is a balance between performance and coverage, i.e. each run is reasonable in time and full coverage is obtained over time with successive runs, but would be good to know this is by design not misconfiguration on my part.
Thanks,
Steve
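The encoding rule in the post above (keys and values URL-encoded, the '=' and '&' separators left bare, one variant per key with the payload inserted before the next '&') is easy to get wrong, so here is a small added example in Ruby that is not Arachni's own code and not from the test site in this thread. It builds the per-key variants the first post asked for, shows what classic ASP's Request.Cookies("NAME")("key") would see for each one, and contrasts that with the failure mode described above, where the whole cookie value is decoded, appended to and re-encoded as one string. The sample cookie value is constructed, modelled on the ATEST cookie quoted earlier; `nested_lookup` is an assumption about how ASP splits the value, not a reference to any IIS source.

```ruby
require 'cgi'

# Constructed sample, modelled on the ATEST cookie quoted in this thread.
SAMPLE_NESTED_COOKIE = 'ua=2&nm=John+Doe&uk=23'.freeze

# Parse an IIS/classic ASP style nested cookie value ("k1=v1&k2=v2") into
# ordered [key, value] pairs. Only the keys and values are URL-decoded;
# the '=' and '&' separators must arrive on the wire unencoded, which is
# exactly what the split below relies on.
def parse_nested_cookie(value)
  value.split('&').map do |pair|
    k, v = pair.split('=', 2)
    [CGI.unescape(k.to_s), CGI.unescape(v.to_s)]
  end
end

# Assumed model of Request.Cookies("NAME")("key") in classic ASP: returns
# the decoded value for +key+, or an empty string when the key is absent.
def nested_lookup(value, key)
  pair = parse_nested_cookie(value).find { |k, _| k == key }
  pair ? pair[1] : ''
end

# Rebuild the wire form: keys and values escaped (space becomes '+',
# '<' becomes %3C, and so on), separators left bare.
def build_nested_cookie(pairs)
  pairs.map { |k, v| "#{CGI.escape(k)}=#{CGI.escape(v)}" }.join('&')
end

# Correct mutation: one variant per key, the payload appended to that key's
# value only, then re-encoded per key. The payload therefore lands before
# the next '&' (or at the end for the last key).
# Returns { key => mutated cookie value }.
def inject_each_key(value, payload)
  pairs = parse_nested_cookie(value)
  pairs.each_with_index.map do |(key, _), i|
    mutated = pairs.each_with_index.map { |(k, v), j| [k, j == i ? v + payload : v] }
    [key, build_nested_cookie(mutated)]
  end.to_h
end

# The failure mode described in the thread: treat the whole cookie as one
# opaque value, decode it, append the payload and re-encode everything.
# The separators become %3D/%26, so the server sees a single-key cookie and
# the lookup for "nm" returns "".
def inject_whole_value(value, payload)
  CGI.escape(CGI.unescape(value) + payload)
end

if $PROGRAM_NAME == __FILE__
  payload = '<xss>'
  inject_each_key(SAMPLE_NESTED_COOKIE, payload).each do |key, cookie|
    puts "#{key.ljust(5)} #{cookie}  -> nm=#{nested_lookup(cookie, 'nm').inspect}"
  end
  broken = inject_whole_value(SAMPLE_NESTED_COOKIE, payload)
  puts "whole #{broken}  -> nm=#{nested_lookup(broken, 'nm').inspect}"
end
```

Passing an already-escaped payload (CGI.escape('<xss>')) through `inject_each_key` produces the '%253C' form seen in the double-encoded injections discussed later in the thread, which is the expected result of encoding a payload that was encoded once already.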
Support Staff 17 Posted by Tasos Laskos on 07 Jun, 2017 11:45 AM
I see, I'll update the code.
Also, injections aren't random and are identical in all ways that matter, what changes is the seed (617d82c6b0fc3da69ad107e7a7a1ea9d) for each scan, which is random. Are you seeing something different?
18 Posted by Steven Phillips on 07 Jun, 2017 12:44 PM
I am seeing something different - I've had to run my test case quite a few times and I've been comparing the injections given to a non-nested cookie (ATEST1M) with those of the nested one (ATEST1), and here are all the identified xss injections for the non-nested cookie for the last 5 runs:
So only in the last run was more than one identified, however following is a list of HTTP_COOKIE values given when ATEST1M appears to be injected during run 13 (in order):
The one arachni identified is the last one but the encoding of this is wrong for IIS with ASP, the initial non-injected value of HTTP_COOKIE is:
The ATEST1M value decoded is "Hello world!", IIS+ASP encodes the ' ' to a '+', but Arachni appears to be decoding the %## part of the value, injecting and then not encoding the result.
The other 2 values look like a double encoding - note the '%253Cxss' this decodes to '%3Cxss' which then further decodes to '<xss' - I don't know what caused this, especially as this appears in the first injection of ATEST1M.
For the 14th run the following HTTP_COOKIE values were submitted (in order):
The first and last were reported but note the second, this appears to be a double encoded form of the injection identified in runs 11 & 12, this injection was not present in run 13 for ATEST1M in any encoded form.
Please note that I am running classic ASP code on IIS, so I'm using the no-fingerprinting option having set platforms to 'windows mssql iis asp'. I'm also using a profile afp file and the option --profile-load-filepath rather than doing this all by command line options, as this seems easier to read and maintain.
Support Staff 19 Posted by Tasos Laskos on 14 Jun, 2017 11:12 AM
To be honest I'm a bit confused, I'm not sure I understand what you're describing.
Regarding the encoding though, Arachni decodes the cookie and when it alters its value for the injection it encodes it again according to the RFC.
Double encoded values are there simply because the XSS check also includes double encoded payloads.
Regarding the encoding of & and = in the nested cookies, that's tricky because there's nothing about nested cookies in the RFC and those are sensitive characters. So, when it comes time for transport these are encoded and that happens in the HTTP client, which isn't aware of the input vector. If I don't find a clean way of handling this I'm afraid that I'll have to revert the change and simply not support nested cookies as input vectors.
20 Posted by Steven Phillips on 14 Jun, 2017 12:20 PM
Hi Tasos,
I'm anxious to get this working, not only for my benefit, but for all users of Arachni that are testing MS sites. If you go to a .Net site, e.g. msdn.microsoft.com or www.asp.net there are some base cookies, like MSFPC, which clearly have nested values so this is and will continue to be an important area of testing.
Can you point me to this area of code, i.e. where the xss checker locates nested values and injects payloads and I'll have a play to see if I can be of any help.
Thanks,
Steve
Support Staff 21 Posted by Tasos Laskos on 15 Jun, 2017 10:58 AM
It's not that simple (it's simpler in a sense), the checks aren't aware of the input vectors, they all expose the same API so there's not a place in the XSS check that handles nested cookies specifically.
I got an idea of how to go about fixing this though, I'll let you know once I've got something that you can test.
Support Staff 22 Posted by Tasos Laskos on 18 Jun, 2017 03:17 PM
Can you give the nightlies a try please?
23 Posted by Steven Phillips on 19 Jun, 2017 07:14 AM
Hi Tasos,
I'm getting an exception from the overnight build before it has started testing the site:
Please let me know if you need any more information or if there is a simple way to patch this build.
Thanks,
Steve
Support Staff 24 Posted by Tasos Laskos on 19 Jun, 2017 03:32 PM
Are you sure you used the nightlies? I'm seeing "arachni-1.5.1" in there.
25 Posted by Steven Phillips on 19 Jun, 2017 03:44 PM
Hi Tasos,
Sorry - I downloaded the overnight build and then extracted the release - Duhhh!
And you are a star! The nested value is now being correctly XSS injected and the weakness in my test case has now been identified correctly - this is excellent news!
I'm now going to run it on a less trivial test site and see what comes out...
Thanks for your rapid help on this,
Steve
Support Staff 26 Posted by Tasos Laskos on 19 Jun, 2017 03:47 PM
Good to hear, feel free to re-open this discussion if you come across any issues.
Tasos Laskos closed this discussion on 19 Jun, 2017 03:47 PM.