XSS Without the Browser Wait, what? Toorcon Seattle, 2011.

Presentation transcript:

# whoami
- Kyle Osborn… Many know me as Kos.
- Application Security Specialist at WhiteHat Security

HTML Rendering Engines
- Trident – Windows (Internet Explorer)
- WebKit – OS X (Safari)
- Easily embedded.
- Easy to update, add features, style, and include advanced user interaction with HTML, JavaScript and CSS.
- HTML5 features offer a more seamless desktop interface.
- Very cheap! HTML/JavaScript/CSS are simple.

Web vulnerabilities… in desktop applications
Conventional web vulnerabilities can now become desktop vulnerabilities.
- Forget shellcode, my payload is JavaScript!
- My exploit isn’t a buffer overflow, it’s double-quotes!
- Binary foo? More like “I once made a website for Grandma’s knitting company”-foo.
What does this mean?
Fixed in latest versions of Skype >=

So what, it’s just a little JavaScript!
Same Origin Policy
- Dictates that JavaScript can not reach content in another context.
- Origin based on:
  - Protocol (http, https)
  - Hostname (google.com)
  - Port (:80)
  - protocol://hostname:port/
But…
- The Same Origin Policy is based on an Origin.
- What is the “origin” inside desktop applications?
  - No protocol
  - No hostname
  - No port
- So…

Demo #1 (or video…) [picking on Skype]
Payload:
- Injects an iframe with Google into the chat DOM.
- Injects into the iframe.
- Uses Safari cookies and sessions in requests.

Demo #2 (or video…) [picking on Skype]
Payload:
- XMLHttpRequest opens file:///etc/passwd and then alerts it.
- Can access any files on the local filesystem that the user has permission to read.
- Also works for
- Can be used to bypass CSRF tokens, and requests can be crafted to essentially do anything.

Basically… if Origin = null… then BAD
- If the “origin” doesn’t exist, what is there to compare to?
- Since the origin === null, http:// JavaScript isn’t really breaking any rules.
- As far as I can tell, just a misconfiguration on the developer’s side.
My point is: the outcome can be very bad; applications like this should be tested.

Where to look
OS X
- Adium
- iChat
- Twitter.app
- Skype
- …
Windows/Linux
- gwibber (Linux Twitter client)
- AIM
- …there has got to be more

Information
- Talk to me later. I’ll be around for the parties, and Black Lodge tomorrow.
- (will be updated with slides and more info)
- Blog coming