Old worms on new hooks! Here Phishy Phishy! XSS is Hook Line and sinker!!

The boring stuff first —WTF is XSS? —

If you already know this, scroll down to "Weaponization of HTML attachments with XSS Techniques".

Otherwise - this is the way! (mando!)

What is cross-site scripting (XSS)?

Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.

Copied verbatim from https://portswigger.net/web-security/cross-site-scripting, as their wheel was working fine and needed no fine-tuning!

How does XSS work?

Cross-site scripting works by manipulating a vulnerable web site so that it returns malicious JavaScript to users. When the malicious code executes inside a victim's browser, the attacker can fully compromise their interaction with the application.

Copied verbatim from https://portswigger.net/web-security/cross-site-scripting. Yep, that's how I would have said it too.

Weaponization of HTML attachments with XSS Techniques - Phishing da fools who open email attachments ending in HTML!

Recently I have witnessed XSS (Cross-site Scripting) successfully used in a phishing attack. Rather than scanning for vulnerabilities in web pages, threat actors are now just sending you the web page as an attachment, loaded with browser-friendly embedded XSS scripts to undress your local defenses. Any of the techniques found in an XSS cheat sheet can be used to launch these attacks.

XSS is a great way to get past your local defenses. By sending you the web page as a file and notifying you of an incoming file attachment, threat actors have effectively used XSS without having to worry about bypassing local browser protections (CSRF).

So don’t threaten me with a good investigation!

As a Forensic Investigator, I am always watching out for new phishing attacks, but the last one that crossed my way was pretty cool.

So I wanted to talk about it.

It came in the form of an email with an HTML attachment that looked like a legitimate notification and instantly got the user fooled.

Here is the example of what I have seen in the past using this little technique.

The threat actor does something normal, like inlining some graphics, for example creating a purple square:

src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0naHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmcnPjxyZWN0IHdpZHRoPSc1MCcgaGVpZ2h0PSc1MCcgc3R5bGU9J2ZpbGw6ICNiMGI7JyAvPjwvc3ZnPg=="

Which literally converts to …

harmless right??

NOT HARMLESS - this also means our unisex threat monster can embed a Base64-encoded <script></script> inside a separate Base64 layer, as no AV is going to double decode, so… let's all hold hands and say BYPASS… together now.


blah blah blah… no no I mean BLOB BLOB BLOB

Binary Large Object TIME!

Base64 something fun like this ..  
<script>//<![CDATA[
        …code…MAKE ME A BLOB ...code...
    //]]>
    </script>
and you're pooched..

XSS is such an old vulnerability that people don't really care about it anymore, as most browsers defend against code injection techniques. However, if the code is already embedded, then the "hidden XSS code" can use a series of Unicode characters to hide malicious code in an image vector that is generated client side.
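A defender-side check for the layering described above, as an added example that is not part of the original post: a Python triage helper that peels base64 layers out of an HTML attachment and reports script or Blob markers together with the depth at which they appear. The marker list, the depth limit and the nested sample are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Runs long enough to hide markup: data: URI bodies, atob() arguments, bare strings.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Markers of active content (an assumed starter list, not exhaustive).
ACTIVE = re.compile(
    r"<script|javascript:|\son[a-z]+\s*=|new\s+Blob|createObjectURL|atob\(", re.I)


def scan(text, depth=0, max_depth=4):
    """Return (depth, marker) for active content found at any base64 nesting level."""
    hits = [(depth, m.group(0).strip().lower()) for m in ACTIVE.finditer(text)]
    if depth >= max_depth:
        return hits
    for run in B64_RUN.findall(text):
        try:
            padded = run + "=" * (-len(run) % 4)
            decoded = base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64-encoded text (for example raw image bytes)
        hits += scan(decoded, depth + 1, max_depth)
    return hits


def b64(s):
    """Base64-encode a string; used only to build the constructed sample."""
    return base64.b64encode(s.encode()).decode()


# The purple-square data URI quoted in the post: one layer, a plain SVG rect.
BENIGN = ('<img src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0naHR0cDovL3d3dy53My5v'
          'cmcvMjAwMC9zdmcnPjxyZWN0IHdpZHRoPSc1MCcgaGVpZ2h0PSc1MCcgc3R5bGU9J2ZpbGw6'
          'ICNiMGI7JyAvPjwvc3ZnPg==">')

# Constructed sample: an inert script stub, encoded, wrapped, then encoded again.
INNER = "<script>//<![CDATA[\n/* inert placeholder */\n//]]></script>"
NESTED = '<img src="data:text/html;base64,%s">' % b64(
    '<div data-blob="%s"></div>' % b64(INNER))

if __name__ == "__main__":
    print("benign:", scan(BENIGN))
    print("nested:", scan(NESTED))
    print("nested, single decode only:", scan(NESTED, max_depth=1))
```

With `max_depth=1` the nested sample comes back clean, which is the single-decode blind spot the post is pointing at.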

SO Check your payloads at the door … Or just check em out here ..

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/README.md

Whew … that was fun.