Presentation is loading. Please wait.

Presentation is loading. Please wait.

XSS Without the Browser Wait, what? Toorcon Seattle, 2011.

Published byByron Henry Modified over 9 years ago

Similar presentations

Presentation on theme: "XSS Without the Browser Wait, what? Toorcon Seattle, 2011."— Presentation transcript:

1 XSS Without the Browser Wait, what? Toorcon Seattle, 2011

2 # whoami  Kyle Osborn…. Many know me as Kos.  http://kyleosborn.com/  http://kos.io/  @theKos  Application Security Specialist at WhiteHat Security

3 HTML Rendering Engines  Trident – Windows (Internet Explorer)  Webkit – OS X (Safari)  Easily embedded.  Easy to update, add features, style, and include advanced user interaction with HTML, JavaScript and CSS.  HTML5 features offer a more seamless desktop interface.  Very Cheap! HTML/JavaScript/CSS are simple.

4 Web vulnerabilities… In Desktop Applications Conventional web vulnerabilities can now become desktop vulnerabilities. Forget shellcode, my payload is JavaScript! My exploit isn’t a buffer overflow, it’s double-quotes! Binary foo? More like “I once made a website for Grandma’s knitting company”-foo. What does this mean? Fixed in latest versions of Skype >= 5.0.922

5 So what, it’s just a little JavaScript! Same Origin Policy  Dictates that JavaScript can not reach content in another context.  Origin based on:  Protocol (http, https)  Hostname (google.com)  Port (:80)  protocol://hostname:port/ But….  The Same Origin Policy is based on an Origin.  What is the “origin” inside desktop applications?  No protocol  No hostname  No Port  So…

6 Demo #1 (or video…) [picking on Skype]  Payload:  Injects an iframe with Google into the chat DOM.  Injects into the iframe.  Uses Safari cookies and sessions in requests.

7 Demo #2 (or video…) [picking on Skype]  Payload:  XmlHttpRequest opens file:///etc/passwd and then alerts itfile:///etc/passwd  Can access any files on the local filesystem that the user has permission to read.  Also works for https://mail.google.com/https://mail.google.com/  Can be used to bypass CSRF tokens and requests can be crafted to essentially do anything.

8 Basically… If Origin = null… then BAD  If the “origin” doesn’t exist, what is there to compare to?  Since http://www.google.com:80/ === nullhttp://www.google.com:80/ JavaScript isn’t really breaking an rules  As far as I can tell, just a misconfiguration on the developers side. My point is: The outcome can be very bad, applications like this should be tested.

9 Where to look OS X  Adium  iChat  Twitter.app  Skype  ….. Windows/Linux  gwibber (Linux twitter client)  AIM  …there has got to be more

10 Information  Talk to me later. I’ll be around for the parties, and Black Lodge tomorrow.  http://kos.io/skype (will be updated with slides and more info) http://kos.io/skype  Twitter @theKos  Blog coming soon @ http://blog.whitehatsec.comhttp://blog.whitehatsec.com

Download ppt "XSS Without the Browser Wait, what? Toorcon Seattle, 2011."

Similar presentations

Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.

© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Web browsers It’s a software application for retrieving and presenting information on WWW. An information resource is identified by a Uniform Resource.

Web browsers It’s a software application for retrieving and presenting information on WWW. An information resource is identified by a Uniform Resource.
Introduction to JavaScript Module 1 Client Side JS Programming M-GO Sponsored By

Introduction to JavaScript Module 1 Client Side JS Programming M-GO Sponsored By
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
OWASP Xenotix XSS Exploit Framework

OWASP Xenotix XSS Exploit Framework
IS 360 Course Introduction. Slide 2 What you will Learn (1) The role of Web servers and clients How to create HTML, XHTML, and HTML 5 pages suitable for.

IS 360 Course Introduction. Slide 2 What you will Learn (1) The role of Web servers and clients How to create HTML, XHTML, and HTML 5 pages suitable for.
MWD1001 – Website Production Web Browsers Week 11.

MWD1001 – Website Production Web Browsers Week 11.
SharePoint Saturday Sponsors Gold Bronze Custom REST services and jQuery AJAX Building your own custom REST services and consuming them with jQuery AJAX.

SharePoint Saturday Sponsors Gold Bronze Custom REST services and jQuery AJAX Building your own custom REST services and consuming them with jQuery AJAX.
Chapter 4 Application Security Knowledge and Test Prep

Chapter 4 Application Security Knowledge and Test Prep
INTRO TO MAKING A WEBSITE Mark Zhang.  HTML  CSS  Javascript  PHP  MySQL  …That’s a lot of stuff!

INTRO TO MAKING A WEBSITE Mark Zhang.  HTML  CSS  Javascript  PHP  MySQL  …That’s a lot of stuff!
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
© 2010 UEI, Inc. All Rights Reserved www.UEIDAQ.com UEIPAC HMI.

© 2010 UEI, Inc. All Rights Reserved UEIPAC HMI.
Use my floppy disk. 1. copy short cut to desktop. 2.run NoAdHOSTS.exe 3. Surf without ad’s. 4.to reverse everything -edit out all url s you want to return.

Use my floppy disk. 1. copy short cut to desktop. 2.run NoAdHOSTS.exe 3. Surf without ad’s. 4.to reverse everything -edit out all url s you want to return.
Presented by…. Group 2 1. Programming language 2Introduction.

Presented by…. Group 2 1. Programming language 2Introduction.
IT 210 The Internet & World Wide Web introduction.

IT 210 The Internet & World Wide Web introduction.

Similar presentations

Ads by Google