A web application is helpless against Cross Site Port Attack if it forms client provided URL’s and does not disinfect the backend reaction obtained from remote servers previously while sending it back to the client. The responses, in specific cases, can be concentrated to distinguish benefit accessibility (port status, flags and so forth.) and even bring information from remote administrations in unique ways.
Detecting a potential XSPA vulnerability is very simple, if the web app takes URL as input and tries to make it connect to the port and analyse the output and I have been attempting this XSPA attack on a testing app http://testphp.vulnweb.com/
Once I visited the testing site, I have selected the image categories option on the site as follows
Later I have selected the required image file it takes me to the URL as follow
Once I Visited this site, I have started to capture the backend response using Burp Suite tool
Burp Suite is a graphical tool for testing Web application security, and was mainly developed to provide a comprehensive solution for web application security checks. In addition to this basic functionality, it also has some extra features such as proxy server, scanner and intruder, the tool also contains more advanced options such as a spider, a repeater, a decoder, a comparer, an extender and a sequencer
I have cross checked this site using my localhost with some ports and captured the response in burp suite, and by this method, we can precisely analyse the response for each port
Here I have captured the response of the image URL and crossed check it with my localhost with port 80(HTTP), and I can see the response 200 OK (Normal response)
Once It fetches the average result, and you can also confirm this for other ports like 22(ssh), 21(ftp), 25(SMTP), 8080(https) etc. and you can check the result in browser as well.
During Port analysis, if any required port is closed, it fetches the result as
It also shows the response of 200, but it displays some warning like (failed to open) or connection refused etc. and if it shows this case of errors then you can confirm that the port is closed
The above screenshot shows the different case of the port is opened but it shows the result without exposing the attacker IP on the server logs and it also reveals the backend service running on SSH.
MITIGATION FOR XSPA ATTACK:
- Unauthorized URL’s access should be restricted.
- Restrict Connectivity to the internal ports.
- Whitelist IP address.
- Disable Unwanted protocols and services.
- You can block your ports using firewall for better security please check the link below to block your internal ports.
XSPA vulnerability attack is mainly used to perform port scanning of a target using another vulnerable website. An attacker can also perform a DOS attack, Code Execution and other major attacks on other vulnerable websites.