Toorcon Seattle, 2011

XSS Without the Browser

Wait, what?

# whoami

  • Kyle Osborn…. Many know me as Kos.

  • http://kyleosborn.com/

  • http://kos.io/

  • @theKos

  • Application Security Specialist at WhiteHat Security

HTML Rendering Engines

  • Trident – Windows (Internet Explorer)

  • WebKit – OS X (Safari)

  • Easily embedded.

  • Easy to update, add features, style, and include advanced user interaction with HTML, JavaScript and CSS.

  • HTML5 features offer a more seamless desktop interface.

  • Very Cheap! HTML/JavaScript/CSS are simple.


What does this mean?

Web vulnerabilities…In Desktop Applications

Conventional web vulnerabilities can now become desktop vulnerabilities.

Forget shellcode, my payload is JavaScript! My exploit isn’t a buffer overflow, it’s double-quotes!

Binary foo? More like “I once made a website for Grandma’s knitting company”-foo.

Fixed in latest versions of Skype

>= 5.0.922

So what, it’s just a little JavaScript!

Same Origin Policy


The Same Origin Policy is based on an Origin.

What is the “origin” inside desktop applications?

No protocol

No hostname

No Port


  • Dictates that JavaScript cannot reach content in another context.

  • Origin based on:

    • Protocol (http, https)

    • Hostname (google.com)

    • Port (:80)

    • protocol://hostname:port/

Demo #1 (or video…) [picking on Skype]

  • Payload:

    • Injects an iframe with Google into the chat DOM.

    • Injects <img src=x onerror=alert(document.domain)> into the iframe.

  • Uses Safari cookies and sessions in requests.

Demo #2 (or video…) [picking on Skype]

  • Payload:

    • XMLHttpRequest opens file:///etc/passwd and then alerts its contents

  • Can access any files on the local filesystem that the user has permission to read.

  • Also works for https://mail.google.com/

  • Can be used to bypass CSRF tokens and requests can be crafted to essentially do anything.
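Demo #1 and Demo #2 start from the same defect: the chat pane is built by dropping the peer's message into HTML, so a message can carry markup and an event handler. What follows is an added example, not the speaker's code and not Skype's, written in JavaScript for Node: a toy renderer in the vulnerable style beside one that escapes the message first, run over constructed chat messages whose bodies follow the shape of the two demo payloads (the exact strings used on stage are not on the page). The `injectedTags` helper is an illustration check for this example only, not a sanitizer.

```javascript
// Added example (not the talk's code): a chat pane built from an HTML string.
// Constructed sample messages; the attacker bodies follow the shape of the
// two demo payloads described above, not the exact strings used on stage.
const SAMPLE_MESSAGES = [
  { from: "alice", body: "see you at toorcon <3" },
  // Demo #1 shape: an img that fails to load and runs its onerror handler.
  { from: "mallory", body: '<img src=x onerror="alert(document.domain)">' },
  // Demo #2 shape: from a null origin the handler reads a local file over XHR.
  { from: "mallory", body: '<img src=x onerror="var x=new XMLHttpRequest();' +
      "x.open('GET','file:///etc/passwd',false);x.send();alert(x.responseText)\">" },
];

// Vulnerable style: the message body is concatenated straight into markup.
function renderUnsafe(msg) {
  return `<div class="msg"><b>${msg.from}</b>: ${msg.body}</div>`;
}

// Escape the five characters that let text become markup or break out of an
// attribute. Building text nodes in the real DOM (createTextNode/textContent)
// achieves the same thing without any string work.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened style: every untrusted field is escaped before concatenation.
function renderSafe(msg) {
  return `<div class="msg"><b>${escapeHtml(msg.from)}</b>: ${escapeHtml(msg.body)}</div>`;
}

// Illustration check only (not a sanitizer): list the tag names in the
// rendered string that are not part of our own template.
function injectedTags(html) {
  const template = new Set(["div", "/div", "b", "/b"]);
  const found = [];
  for (const m of html.matchAll(/<\s*(\/?[a-z][a-z0-9]*)/gi)) {
    const tag = m[1].toLowerCase();
    if (!template.has(tag)) found.push(tag);
  }
  return found;
}

// Render every sample both ways and report which tags each renderer let in.
function compareRenderers(messages = SAMPLE_MESSAGES) {
  return messages.map((msg) => ({
    from: msg.from,
    unsafe: injectedTags(renderUnsafe(msg)),
    safe: injectedTags(renderSafe(msg)),
  }));
}

for (const r of compareRenderers()) {
  console.log(`${r.from}: unsafe lets in [${r.unsafe}] / escaped lets in [${r.safe}]`);
}
```

The unsafe renderer lets an `img` element through for both attacker messages and the handler would run inside the chat document; the escaped renderer emits `&lt;img ...&gt;` and the message is displayed as text. In an embedded engine with no origin, the first result is what turns a chat message into file and session access.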

Basically… If Origin = null… then BAD

  • If the “origin” doesn’t exist, what is there to compare to?

  • Since http://www.google.com:80/ === null

    JavaScript isn’t really breaking any rules

  • As far as I can tell, just a misconfiguration on the developer’s side.

My point is: the outcome can be very bad, and applications like this should be tested.
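The Same Origin Policy slide and the "If Origin = null… then BAD" slide describe the origin tuple and what is left of it when the host document has no protocol, host or port. The following is an added example in JavaScript for Node, not code from the talk or from any of the affected applications: it computes the tuple the policy compares, shows that file:, about: and data: documents yield no tuple, and contrasts the browser rule (opaque origins never match, not even each other) with a model of the degenerate check the slides describe, where "nothing to compare" is treated as a pass. `sameOriginDegenerate` models the observed effect; it is not the engine's actual code.

```javascript
// Added example (not from the talk). Origin handling as a function of the URL.
// Assumption: only http and https carry a (scheme, host, port) tuple; anything
// else (file:, about:, data:, a raw HTML string handed to an embedded engine)
// is opaque, represented here as null.
function originOf(urlString) {
  const u = new URL(urlString); // WHATWG parser, throws on unparseable input
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  const defaultPort = u.protocol === "https:" ? "443" : "80";
  // The parser drops a default port; restore it so the tuple is explicit.
  return `${u.protocol}//${u.hostname.toLowerCase()}:${u.port || defaultPort}`;
}

// Browser rule: two documents share an origin only when both have a tuple and
// the tuples are identical. An opaque origin matches nothing, not even itself.
function sameOriginStrict(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && ob !== null && oa === ob;
}

// Model of the failure the slides describe (our model, not the engine's code):
// with no origin on the host document there is nothing to compare, and the
// check degenerates into "allowed". Every target then passes, including
// file:///etc/passwd and https://mail.google.com/.
function sameOriginDegenerate(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return true;
  return oa === ob;
}

// Evaluate the targets from the demos from a host document that has no origin.
function accessMatrix(hostDocument = "about:blank") {
  const targets = ["file:///etc/passwd", "https://mail.google.com/", "http://www.google.com:80/"];
  return targets.map((t) => ({
    target: t,
    browserRule: sameOriginStrict(hostDocument, t),
    degenerate: sameOriginDegenerate(hostDocument, t),
  }));
}

for (const row of accessMatrix()) {
  console.log(`${row.target}: browser rule=${row.browserRule} degenerate check=${row.degenerate}`);
}
```

When testing an application that embeds a rendering engine, the question to answer first is which of these two behaviours the host document gets: load a page with no tuple origin and try an XMLHttpRequest to a file: URL and to an https: site the user is logged into.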

Where to look

  • Gwibber (Linux Twitter client)


…there has got to be more

  • Adium

  • iChat

  • Twitter.app

  • Skype

  • …..


  • Talk to me later. I’ll be around for the parties, and Black Lodge tomorrow.

  • http://kos.io/skype (will be updated with slides and more info)

  • Twitter @theKos

  • Blog coming soon @ http://blog.whitehatsec.com