There I was sitting at my computer, having a look over my Ethical Hacking notes on the Blackboard student learning system, "Webcourses" as it's known in DIT. I was reading about the "hacker" mindset, one of curiosity and obscurity. Then it dawned on me: do I know how this current web portal works? The answer, of course, was no. I began my adventure.
The first thing I noticed was that this Blackboard system was very heavily dependent on JavaScript. JavaScript being client side, of course, made it very easy to read a lot of how things were working. If I could find a cross-site scripting attack vector, I could easily wreak havoc. I played around with many of the features available on Webcourses, such as the calendar, the mailing system, notes and basically anywhere I could insert user input, hoping for that wonderful popup box.
I found nothing. The last place I looked was the file upload section. I tried uploading all sorts of different files hoping the content would get executed when using the previewFile option, but no, nothing. Then I saw it. The filename. It printed the filename exactly as I uploaded it. I tried "
.text" as the filename. It got through unsanitized. I had found my attack vector!
Once I have a persistent XSS attack, the goal becomes stealing sessions. MMMm Cookies! I started playing around with filenames. The site was throwing back errors any time I used the quote character ("). Using touch I created the file "". I couldn't use a space in the onload function or else Blackboard started going wonky.
I then uploaded these files into my student folder, for the expected results.
Success!
I reached a point where I lost focus and started playing around more. I was successfully able to open popup windows to nowhere using functions like openBox(url,title); that were already within the system, I could delete files and switch between the various tool windows. After a while I got back on track.
I reached a point of almost giving up. But then I remembered the words of a great song: "Never gonna give you up, never going to let you down, never gonna run around and desert you." Back to work! Someone with experience at exploiting vulnerabilities would probably have had this done in a few minutes. I started playing around and constructing my JavaScript using String.fromCharCode(... It was time to get these cookies. The queries I was running weren't working; I kept going over the character limit of a filename.
I kept at it and asked other wonderfully talented people I know, by the names of d_fens and wolfric, for a helping hand. These attacks are rather easy when it comes down to it, but I knew they had found similar attack vectors before. wolfric had his own set for the same system, as he is also a student in DIT. We ended up submitting our similar findings to Blackboard (security disclosure) together.
So what was the final name of the file that retrieved my delicious cookies? Using one of my conversion tools here, you can see that it = if you go to the link you will see the JavaScript that got executed, whether this be an alert or a link to another page that will collect and store the cookies. Any JavaScript I put here will be executed!
I hope you have enjoyed this walkthrough, have learned from my mistakes or have picked up some new tips. The main one being: if you are going to make a website, make sure to sanitize absolutely any bloody input whatsoever. I feel I have grown from this stroll in the jungle of XSS.
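To make that last tip concrete, here is an added example (my own illustration, not Blackboard's code and not from the original post) of the difference between echoing an uploaded filename straight into the page and encoding it for the context it lands in. The `renderUnsafe`, `renderSafe`, `escapeHtml` and `isAcceptableFilename` functions, the `/files/` path and the length limit in the allowlist regex are all assumptions made for this example; the sample filenames are constructed.

```javascript
// Added example: rendering user-supplied filenames safely.
// The bug described above is that the portal printed the uploaded filename
// straight into the page as HTML, so a name containing markup was interpreted
// rather than displayed.

// Vulnerable pattern (constructed to mirror the post): string concatenation
// into markup. Any '<', '"' or event-handler attribute in the name becomes
// live HTML in the file listing.
function renderUnsafe(filename) {
  return '<li><a href="/files/' + filename + '">' + filename + '</a></li>';
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: encode each piece for the context it is inserted into.
// The href gets URL-encoding, the visible link text gets HTML-escaping.
function renderSafe(filename) {
  const text = escapeHtml(filename);
  const href = '/files/' + encodeURIComponent(filename);
  return '<li><a href="' + href + '">' + text + '</a></li>';
}

// Defence in depth: a strict allowlist applied at upload time, so markup never
// reaches storage in the first place. The character set and the 255-byte
// limit are assumed values for this example, not Blackboard's rules.
const FILENAME_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/;
function isAcceptableFilename(filename) {
  return FILENAME_RE.test(filename) && !filename.includes('..');
}

// Constructed sample names: one ordinary, one carrying the kind of markup the
// post describes being printed back unsanitized.
const SAMPLES = ['notes.txt', '<script>alert(1)</script>.text'];

// Print both renderings when run directly under Node (CommonJS only).
if (typeof require !== 'undefined' && require.main === module) {
  for (const name of SAMPLES) {
    console.log('unsafe :', renderUnsafe(name));
    console.log('safe   :', renderSafe(name));
    console.log('accept :', isAcceptableFilename(name));
  }
}
```

Run it with `node filenames.js`: the unsafe rendering of the second sample contains a real `<script>` element, while the safe rendering shows the name as inert text and an encoded href. Output encoding is the fix that actually closes the hole; the upload-time allowlist is a second layer for when some other code path forgets to encode.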
The dangers we mentioned in the submission included stealing people's sessions, maybe directly accessing someone's account and leaving yourself a nice little sneaky session capturer, maybe even a JavaScript key logger. Once again, the only limit is your imagination! The college promptly fixed these issues. Cue the cheesy finishing statement:
HAX BRAH!