The Hidden XSS - Attacking the Desktop & Mobile Platforms

    Presentation Transcript

    • The Hidden XSS: Attacking the Desktop & Mobile Platforms
      Kos (Kyle Osborn) @theKos
    • alert(self)
      » ToorCon Seattle, BlackHat, BSidesLV & DefCon
      » Oh, and this guy
      » Red Team guy (or so I pretend)
      » Pentester
      » http://kos.io/
    • XSS within the browser
      » Usually considered a web browser based attack.
      » Users fire up their web browsers
      » Navigate to website with persistent XSS
      » Open up link with payload in the URL (bank.com?XSS)
      » iFrame with embedded vulnerable website
      » etc., etc.
      » But... not really browser specific...
    • XSS
      » Definition for XSS: Cross-site scripting is a security hazard that allows crackers to interfere with your program's logic by inserting their own logic into your HTML. ...
      » http://oreilly.com/ruby/excerpts/ruby-learning-rails/ruby-glossary.html
    • XSS without the browser
      » So what's the big deal?
      » Not really able to steal cookies.
      » Phishing doesn't make sense.
      » Content spoofing?
      » Ad injection?
      » Meh...
    • XSS without the browser
      » Local filesystem access?
      » XMLHttpRequest()
      » WebKit does not block XHR requests to file:///
      » OS X, iOS, Android versions of WebKit
      » Except for Chrome
    • So... the fun stuff
      » Demos!
    • Demo #1
      » Skype (5.0.x to <= 5.0.914) on Mac OS X
      » HTML not filtered in an instance, allowing an attacker to inject malicious JavaScript.
      » http://kos.io/skype for more info
    • Demo #2
      » Adium <= 1.4.2 (OS X)
      » Unfiltered HTML in file transfer dialogue.
      » Almost the same as Skype.
      » http://www.noptrix.net/advisories/adium_inject.txt
    • Demo #3
      » Skype on iOS 3.0.1 (Fixed as of 3.0.2)
      » Again, basic Cross Site Scripting
      » Discovered by while testing Skype on OS X
      » More info at https://superevr.com/2011/xss-in-skype-for-ios/
    • Demo #3
    • Introducing WebOS
      » Truly web-driven operating system
      » Easy application development
      » Poised to compete with iOS / Android
      » Oh yeah, apps are HTML5 / JavaScript
    • WebOS
      » Because most apps are HTML/JS, many are susceptible to attacks.
      » However... actually more secure than previous vulns.
      » Security (kind-of) done right on it.
    • Demo #5
      » Android's GMail app
      » Reported a few months ago...
      » Android (like iOS) uses separate users per application, limiting what each app can reach.
    • Demo #5 - Continued
      » GMail.apk allows HTML files to be downloaded.
      » Handles it in "HTML Viewer" properly, without JS.
      » However, XSS inside Gmail.app allows attacker to force download file.
      » Then force browser to open file:///..../attack.html
    • For my next trick... Choose an OS
      » Linux
      » Windows
      » OS X
      » iOS
    • Demo #6
      » Google Earth
      » Multi-platform - OS X, iOS, Linux & Windows
      » Payloaded KML file (Google Earth XML file)
      » Uses HTML for info-boxes
      » Uses vulnerable WebKit version
    • Tool!
      » To make it easier, wrote a tool.
      » JSON arrays for discovery functions() [what users, app] and files
      » base64 encodes & exfiltrates
    • Tool!
      (The slide shows the tool's per-platform file list as a JavaScript object; the string quotes were lost in extraction and are restored here.)

      var fileList = {};

      fileList["mac"] = {
        // How do we discover users?
        "discover": "/Library/Preferences/com.apple.loginwindow.plist",
        // Okay, we found them, what do we pillage?
        "post": {
          bashHistory: ".bash_history",
          sshHosts: ".ssh/known_hosts",
          sshKeys: ".ssh/id_rsa.pub"
        }
      };

      fileList["android"] = {
        // Instead of how, just figure out the currently in use app
        "discover": "/proc/self/status",
        // Okay, we found them, what do we pillage?
        "post": {
          browser_data: "/data/data/com.android.browser/databases/webview.db",
          browser_data2: "/data/data/com.android.browser/databases/browser.db",
          gmail_accounts: "/data/data/com.google.android.gm/shared_prefs/Gmail.xml",
          dolpin_data: "/data/data/mobi.mgeek.TunnyBrowser/databases/webview.db",
          dolpin_data2: "/data/data/mobi.mgeek.TunnyBrowser/databases/browser.db",
          chromeBookmarks: ".config/chromium/Default/Bookmarks"
        }
      };
    • Conclusion
      » XSS is bad, mkay?
      » Developers don't know how / aren't trained to filter client side.
      » Easy to exploit.
      » Ping me at @theKos kos@kos.io http://kos.io/
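Every demo above came down to remote-supplied text (a display name, a file-transfer dialogue, a KML info-box) being dropped into an embedded WebKit view as raw HTML. The block below is an added example, not code from the talk or from any of the vendors mentioned, showing the client-side filtering the conclusion says developers skip: escape the untrusted fields and keep only the fixed template as markup. The function names and the sample chat line are assumptions constructed for the example.

```javascript
"use strict";

// Map every HTML-significant character to its entity, so untrusted text can
// only ever be displayed by the WebKit view, never parsed as markup or script.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'`]/g, function (ch) {
    return ({
      "&": "&amp;",
      "<": "&lt;",
      ">": "&gt;",
      '"': "&quot;",
      "'": "&#39;",
      "`": "&#96;"
    })[ch];
  });
}

// Build the markup for one chat line (Skype/Adium-style: display name plus
// message). Both fields come from the remote party and are escaped; the
// surrounding <div>/<b> tags are fixed, trusted template text.
function renderChatLine(displayName, message) {
  return '<div class="msg"><b>' + escapeHtml(displayName) + "</b>: " +
    escapeHtml(message) + "</div>";
}

// Constructed sample input: a display name carrying markup, the same shape
// of input that drove the Skype and Adium demos.
var sampleName = "Kos<script>alert(self)</script>";
var sampleText = 'hello <b>world</b> & "friends"';

// Regression check for the renderer: after removing the template's own tags,
// no "<" may remain, i.e. nothing from the untrusted fields became markup.
function hasNoInjectedTags(html) {
  var stripped = html.replace(/<\/?(div|b)( class="msg")?>/g, "");
  return stripped.indexOf("<") === -1;
}

// Example run: renders the constructed sample and confirms the check passes.
function demo() {
  var html = renderChatLine(sampleName, sampleText);
  return { html: html, safe: hasNoInjectedTags(html) };
}
```

The same escaping applies to any field an app renders into HTML, including the description text of a KML info-box; an unescaped render of the sample above is exactly the "unfiltered HTML" condition each demo relied on.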