Mocking the military
Disclaimer: This probably isn't safe for work.
Bad language, political views, and oxford commas aplenty.
Mocking the military; Hacking the hackers is a pretty clickbaity title, but apt. This article covers a few basic cross site scripting bugs in websites owned by the Department of Defense and Ghost Security. The idea is to highlight how even the most security conscious among us can forget to check for basic exploits.
A little-cited quote from scientific genius Einstein…
"He who joyfully marches to music rank and file has already earned my contempt. He has been given a large brain by mistake, since for him the spinal cord would surely suffice. This disgrace to civilization should be done away with at once. Heroism at command, senseless brutality, deplorable love-of-country stance and all the loathsome nonsense that goes by the name of patriotism, how violently I hate all this, how despicable and ignoble war is; I would rather be torn to shreds than be part of so base an action! It is my conviction that killing under the cloak of war is nothing but an act of murder."
Even though I despise war, I don't want terrorists to win!
Mocking the military; Hacking the hackers
Cross site scripting is one of the easiest exploits to detect and protect against, yet one of the most prolific. The example below is a good illustration of an easily overlooked bug in a website that could cause a lot of damage. I decided to check the Department of Defense website.
Altering URLs for some dod.mil pages also changed the content (NSFW)…
The vulnerable page was:
Petulant, maybe. It made me laugh at the time and increased the odds of being fixed.
The Department of Defense responded quickly and an initial fix was rolled out within 24 hours. They confirmed the logic issue was resolved, as several other pages were affected. I imagine the reply was sent through gritted teeth, but it got fixed and everyone is happy.
I always email the site owner and wait 12 weeks. Then I try other forms of contact to get issues resolved. Certain religious extremist groups may not be as helpful.
My proof of concept, sardonic by design, was intended to get a reaction. The vast majority of vulnerabilities go unfixed for months, even in government websites.
Even hackers make mistakes.
So we've tried mocking the military. Why not hack some hackers?
I tried to use the same technique on a group I've morally supported for a while. Ghost Security are a splinter-group of Anonymous which specialised in combating the spread of religious extremism on the internet.
You'd assume that hackers would protect against a simple XSS vector?
GhostSec are great guys and fighting for the right team by taking down extremists. I decided to check their website because T.V. kills brain cells.
The proof of concept code used was, as always, basic:
derp.com/?pwn=1&"><img src=x onerror=prompt(/XSS/)>
I notified GhostSec about this on Twitter, and they replied with "just feeding our XSS database ty" before adding basic protection.
They added input validation. I bypassed it. This is fun! Think I have a new friend!…
I use a fairly diverse set of testing queries when bored. Some common, some esoteric, some WAF bypass techniques. It took about 2 minutes trying different vectors before I got a winner:
derp.com/?pwn="><marquee loop=1 width=0 onfinish=1/prompt`/XSSPOSED/`>derp</marquee>
The rest of the site seemed fairly secure so I moved on, after the obligatory bragging on social media. I read another story about them around 4 months later. Why not…
XSS number 3
— Adam Davies (@mradamdavies) March 8, 2016
Same technique, different page. Funnily enough I didn't get a reply this time.
Usually, a reflected XSS on a site like this would be low risk. In my opinion, their lack of knowledge and terrible protection made it a winning fail. For me, at least.
One Man's Trash…
The point of this rant is even the best make mistakes. The only real difference is scale of impact and intent on discovery. If I had been trying to recruit bad people to do silly things, this would be a very different blog post.
I have been informed that Ghost Sec and Ghost Security are different entities, one apparently riding on the fame of the other. The source is reliable and respected, so I trust it. The group split and script-kiddies formed GhostSec. The story seems to hold true as, initially, they didn't think XSS was an issue. According to press releases, the original Ghost Security have been known to use XSS and phishing techniques to hijack accounts. So, check out ghostsecuritygroup.com for comparison.
The most frustrating thing is that cross site scripting attacks are the easiest to test for, the most basic to protect against, indicative of weak security, and a risk on many levels. I've used similar techniques to circumvent world-leading Web Application Firewalls, then helped get them patched, obviously.
I am genuinely curious as to why such basic exploits are still on high value websites. Could it be the budget is too small? Maybe the training isn't good enough?
I'd really like to hear from professionals and hackers alike, but hey, this is the internet — try to XSS my comment form if you must 😉