
Backdooring UIML's and Existing JavaScript Applications

One of the more interesting aspects of so-called 'Rich Internet Applications' involves User Interface Markup Languages (UIMLs) such as XUL (by Mozilla, been around a while) and XAML/XBAP (.NET 3.0, the new kid on the block). Essentially, these languages allow you to 'paint' buttons, menu bars, grids, forms, message boxes, and other GUI components associated with HTML and Forms UI (including progress meters) by specifying certain XML tags. The goal is to develop applications quickly using XML, with backend code (usually written in JavaScript or .NET) performing the actual functions.

If you're reading this you're probably interested in attacking these sorts of applications; same here! OK, we know everything is XSSable, but how can XSS impact a UIML-based application? One example would be to find a website using this type of technology and find an XSS issue in it. So far this is pretty standard. However, instead of actively attacking the UIML application directly, let's make a copy of it and sniff its usage, thereby making a 'trojaned' copy. If you can utilize an existing XSS flaw, you can create a new link to your own copy of the UIML-based application (externally hosted or delivered with the data URI trick), which essentially sniffs what the user is doing before performing the action (you record everything they do, then perform the actual duties). JavaScript does not support overloading; however, it does allow you to define a method twice, and the second declaration will win. If you can XSS after the JS inclusion (which is often the case), you can override it.
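The redefinition behaviour described above, seen from the defending application's side, as an added example that is not part of the original post: a handler stored as an ordinary property is replaced by a later script, a read-only property on a frozen object is not, and an identity check detects the replacement. The names `app`, `submitLogin` and `laterScript` are hypothetical.

```javascript
// Added example, not code from the original post; all names are hypothetical.
// laterScript stands in for any script that loads after the application's
// own code and tries to redefine one of its handlers.
function laterScript(ns) {
  try {
    ns.submitLogin = function replaced() { return "replaced"; };
  } catch (e) {
    // Strict-mode code throws TypeError on a read-only property;
    // sloppy-mode code fails silently. Either way nothing changes.
  }
}

// Weak: an ordinary writable property, so the later definition wins.
function unprotectedApp() {
  const app = {};
  app.submitLogin = function original() { return "original"; };
  return app;
}

// Hardened: the handler is read-only and the namespace is frozen, so
// later code can neither reassign nor delete it on this object.
function hardenedApp() {
  const app = {};
  Object.defineProperty(app, "submitLogin", {
    value: function original() { return "original"; },
    writable: false, configurable: false, enumerable: true,
  });
  return Object.freeze(app);
}

// Detection: remember the function objects at definition time and
// report any name whose current value is no longer the same object.
function makeIntegrityCheck(ns, names) {
  const baseline = new Map(names.map((n) => [n, ns[n]]));
  return () => names.filter((n) => ns[n] !== baseline.get(n));
}

function demo() {
  const weak = unprotectedApp();
  const weakCheck = makeIntegrityCheck(weak, ["submitLogin"]);
  laterScript(weak);
  const strong = hardenedApp();
  const strongCheck = makeIntegrityCheck(strong, ["submitLogin"]);
  laterScript(strong);
  return {
    weakResult: weak.submitLogin(), weakTampered: weakCheck(),
    strongResult: strong.submitLogin(), strongTampered: strongCheck(),
  };
}
```

This only protects handlers that are defined before the later script runs and stored as object properties; it does not remove the underlying XSS flaw.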

Much like an existing website, a UIML application may perform a transaction or a duty containing sensitive user information that requires a login first. If you emulate the application, you will be able to tell when the user has logged in and, once you can identify this, perform whatever duty it is that you want to do. While writing this news entry, a paper discussing backdooring Ajax applications, released during the CCC conference, came to my attention. Be sure to check it out.

Here are some sample UIML applications so you have an idea of exactly what I'm talking about.
XUL: http://www.faser.net/mab/chrome/content/mab.xul (Mozilla Only)
WPF/XBAP: http://www.mobiform.com/demos/paintfactory/WebPaintFactory.xbap (.NET 3.0 Beta must be installed!) (IE Only)
WPF/XBAP/XAML: http://scorbs.com/workapps/woodgrove/Finance.xaml (.NET 3.0 Beta must be installed!) (IE Only)
WPF/XBAP: http://scorbs.com/workapps/woodgrove/FinanceApplication.xbap (Same requirements as above)

