Xss without the browser

Presentation Transcript



Toorcon Seattle, 2011

XSS Without the Browser

Wait, what?



# whoami

  • Kyle Osborn…. Many know me as Kos.

  • http://kyleosborn.com/

  • http://kos.io/

  • @theKos

  • Application Security Specialist at WhiteHat Security



HTML Rendering Engines

  • Trident – Windows (Internet Explorer)

  • Webkit – OS X (Safari)

  • Easily embedded.

  • Easy to update, add features, style, and include advanced user interaction with HTML, JavaScript and CSS.

  • HTML5 features offer a more seamless desktop interface.

  • Very Cheap! HTML/JavaScript/CSS are simple.



What does this mean?

Web Vulnerabilities… In Desktop Applications

Conventional web vulnerabilities can now become desktop vulnerabilities.

Forget shellcode, my payload is JavaScript! My exploit isn’t a buffer overflow, it’s double-quotes!

Binary foo? More like “I once made a website for Grandma’s knitting company”-foo.

Fixed in latest versions of Skype

>= 5.0.922



So what, it’s just a little JavaScript!

Same Origin Policy

But….

The Same Origin Policy is based on an Origin.

What is the “origin” inside desktop applications?

No protocol

No hostname

No Port

So…

  • Dictates that JavaScript can not reach content in another context.

  • Origin based on:

    • Protocol (http, https)

    • Hostname (google.com)

    • Port (:80)

    • protocol://hostname:port/



Demo #1 (or video…) [picking on Skype]

  • Payload:

    • Injects an iframe with Google into the chat DOM.

    • Injects <img src=x onerror=alert(document.domain)> into the iframe.

  • Uses Safari cookies and sessions in requests.



Demo #2 (or video…) [picking on Skype]

  • Payload:

    • XMLHttpRequest opens file:///etc/passwd and then alerts its contents

  • Can access any files on the local filesystem that the user has permission to read.

  • Also works for https://mail.google.com/

  • Can be used to bypass CSRF tokens and requests can be crafted to essentially do anything.



Basically… If Origin = null… then BAD

  • If the “origin” doesn’t exist, what is there to compare to?

  • Since http://www.google.com:80/ === null

    JavaScript isn’t really breaking any rules

  • As far as I can tell, just a misconfiguration on the developer’s side.

My point is: The outcome can be very bad, applications like this should be tested.
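The demos above work because chat text is concatenated straight into the markup of an embedded rendering engine, so one stray tag or double quote becomes script. As an added example (not from the talk, and not Skype's code), the following hypothetical chat-pane renderer shows the vulnerable concatenation beside an escaped version and reuses the payloads quoted on the slides to check which one lets foreign markup through:

```javascript
// Added example: rendering untrusted chat messages into an embedded HTML pane.
// The function names and the <div class="msg"> template are hypothetical; the
// payload strings are the ones quoted on the slides.

// Escape the five characters that change meaning in element or attribute
// context. Single quotes are included because hand-built markup often uses
// single-quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: raw concatenation into the pane's HTML. A sender name
// containing a double quote breaks out of the title attribute; a message
// containing a tag is parsed as markup by the rendering engine.
function renderMessageUnsafe(sender, text) {
  return '<div class="msg" title="From: ' + sender + '">' + text + '</div>';
}

// Hardened pattern: every untrusted value is escaped before the string
// reaches the rendering engine, so a message can only ever be text.
function renderMessageSafe(sender, text) {
  return '<div class="msg" title="From: ' + escapeHtml(sender) + '">' +
         escapeHtml(text) + '</div>';
}

// Check helper for tests or logging: true if the rendered HTML contains any
// tag or attribute that did not come from our own template.
function hasForeignMarkup(html) {
  const template = /^<div class="msg" title="From: [^"<>]*">[^<>]*<\/div>$/;
  return !template.test(html);
}

// Constructed inputs: the img/onerror payload from Demo #1 and a sender name
// that tries the "double-quotes" attribute break-out mentioned on the slides.
const PAYLOAD_TAG = '<img src=x onerror=alert(document.domain)>';
const PAYLOAD_ATTR = 'Kos" onmouseover="alert(1)';

console.log('unsafe, tag in text   :', hasForeignMarkup(renderMessageUnsafe('Kos', PAYLOAD_TAG)));
console.log('unsafe, quote in name :', hasForeignMarkup(renderMessageUnsafe(PAYLOAD_ATTR, 'hi')));
console.log('safe, tag in text     :', hasForeignMarkup(renderMessageSafe('Kos', PAYLOAD_TAG)));
console.log('safe, quote in name   :', hasForeignMarkup(renderMessageSafe(PAYLOAD_ATTR, 'hi')));
```

Escaping is the minimum; a client that does not need markup in messages should use the engine's text-node APIs instead of building HTML strings at all.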



Where to look

OS X

  • Adium

  • iChat

  • Twitter.app

  • Skype

  • …..

Windows/Linux

  • gwibber (Linux twitter client)

  • AIM

…there has got to be more



Information

  • Talk to me later. I’ll be around for the parties, and Black Lodge tomorrow.

  • http://kos.io/skype (will be updated with slides and more info)

  • Twitter @theKos

  • Blog coming soon @ http://blog.whitehatsec.com
