Toorcon Seattle, 2011. XSS Without the Browser. Wait, what?. # whoami. Kyle Osborn…. Many know me as Kos. http:// kyleosborn.com / http:// kos.io / @ theKos Application Security Specialist at WhiteHat Security. HTML Rendering Engines. Trident – Windows (Internet Explorer)
Toorcon Seattle, 2011
XSS Without the Browser
What does this mean?
Conventional web vulnerabilities can now become desktop vulnerabilities.
Binary foo? More like “I once made a website for Grandma’s knitting company”-foo.
Fixed in latest versions of Skype
Same Origin Policy
The Same Origin Policy is based on an Origin.
What is the “origin” inside desktop applications?
My point is: The outcome can be very bad, applications like this should be tested.
gwibber(Linux twitter client)
…there has got to be more