Toorcon Seattle, 2011. XSS Without the Browser. Wait, what?. # whoami. Kyle Osborn…. Many know me as Kos. http:// kyleosborn.com / http:// kos.io / @ theKos Application Security Specialist at WhiteHat Security. HTML Rendering Engines. Trident – Windows (Internet Explorer)
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Toorcon Seattle, 2011
XSS Without the Browser
What does this mean?
Conventional web vulnerabilities can now become desktop vulnerabilities.
Binary foo? More like “I once made a website for Grandma’s knitting company”-foo.
Fixed in latest versions of Skype
Same Origin Policy
The Same Origin Policy is based on an Origin.
What is the “origin” inside desktop applications?
My point is: The outcome can be very bad, applications like this should be tested.
gwibber(Linux twitter client)
…there has got to be more