xss without the browser n.
Skip this Video
Loading SlideShow in 5 Seconds..
XSS Without the Browser PowerPoint Presentation
Download Presentation
XSS Without the Browser

Loading in 2 Seconds...

play fullscreen
1 / 10

XSS Without the Browser - PowerPoint PPT Presentation

  • Uploaded on

Toorcon Seattle, 2011. XSS Without the Browser. Wait, what?. # whoami. Kyle Osborn…. Many know me as Kos. http:// kyleosborn.com / http:// kos.io / @ theKos Application Security Specialist at WhiteHat Security. HTML Rendering Engines. Trident – Windows (Internet Explorer)

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'XSS Without the Browser' - tatyana-ruiz

Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
# whoami
  • Kyle Osborn…. Many know me as Kos.
  • http://kyleosborn.com/
  • http://kos.io/
  • @theKos
  • Application Security Specialist at WhiteHat Security
html rendering engines
HTML Rendering Engines
  • Trident – Windows (Internet Explorer)
  • Webkit – OS X (Safari)
  • Easily embedded.
  • Easy to update, add features, style, and include advanced user interaction with HTML, JavaScript and CSS.
  • HTML5 features offer a more seamless desktop interface.
  • Very Cheap! HTML/JavaScript/CSS are simple.
web vulnerabilities in d esktop applications

What does this mean?

Web vulnerabilities…In Desktop Applications

Conventional web vulnerabilities can now become desktop vulnerabilities.

Forget shellcode, my payload is JavaScript! My exploit isn’t a buffer overflow, it’s double-quotes!

Binary foo? More like “I once made a website for Grandma’s knitting company”-foo.

Fixed in latest versions of Skype

>= 5.0.922

so what it s just a little javascript
So what, it’s just a little JavaScript!

Same Origin Policy


The Same Origin Policy is based on an Origin.

What is the “origin” inside desktop applications?

No protocol

No hostname

No Port


  • Dictates that JavaScript can not reach content in another context.
  • Origin based on:
    • Protocol (http, https)
    • Hostname (google.com)
    • Port (:80)
    • protocol://hostname:port/
demo 1 or video picking on skype
Demo #1 (or video…) [picking on Skype]
  • Payload:
    • Injects an iframe with Google into the chat DOM.
    • Injects <imgsrc=x onerror=alert(document.domain)> into the iframe.
  • Uses Safari cookies and sessions in requests.
demo 2 or video picking on skype
Demo #2 (or video…) [picking on Skype]
  • Payload:
    • XmlHttpRequest opens file:///etc/passwdand then alerts it
  • Can access any files on the local filesystem that the user has permission to read.
  • Also works for https://mail.google.com/
  • Can be used to bypass CSRF tokens and requests can be crafted to essentially do anything.
basically if origin null then bad
Basically… If Origin = null… then BAD
  • If the “origin” doesn’t exist, what is there to compare to?
  • Since http://www.google.com:80/ === null

JavaScript isn’t really breaking an rules

  • As far as I can tell, just a misconfiguration on the developers side.

My point is: The outcome can be very bad, applications like this should be tested.

where to look
Where to look



gwibber(Linux twitter client)


…there has got to be more

  • Adium
  • iChat
  • Twitter.app
  • Skype
  • …..
  • Talk to me later. I’ll be around for the parties, and Black Lodge tomorrow.
  • http://kos.io/skype (will be updated with slides and more info)
  • Twitter @theKos
  • Blog coming soon @ http://blog.whitehatsec.com