The Hidden XSS - Attacking the Desktop & Mobile Platforms


Published on

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

The Hidden XSS - Attacking the Desktop & Mobile Platforms

  1. 1. The Hidden XSS Attacking the Desktop & Mobile PlatformsKos (Kyle Osborn)@theKos
  2. 2. alert(self)» ToorCon Seattle, » Oh, and this guy BlackHat, BSidesLV & DefCon» Red Team guy (or soI pretend)» Pentester»
  3. 3. XSS within the browser» Usually considered a web browser based attack.» Users fire up their web browsers » Navigate to website with persistent XSS » Open up link with payload in the URL ( » iFrame with embedded vulnerable website » etc., etc.» But... not really browser specific...
  4. 4. XSSDefinition for xss:Cross-site scripting is a security hazard that allows crackers tointerfere with your program’s logic by inserting their ownlogic into your HTML. ....
  5. 5. XSS without the browser » So whats the big deal?» Not really able to steal cookies.» Phishing doesnt make sense.» Content spoofing?» Ad injection?» Meh...
  6. 6. XSS without the browser » Local filesystem access?» XMLHttpRequest()» WebKit does not block XHR requests to file:///» OS X, iOS, Android versions of WebKit » Except for Chrome
  7. 7. So... the fun stuff» Demos!
  8. 8. Demo #1» Skype (5.0.x to <= 5.0.914) on Mac OS X» HTML not filtered in an instance, allowing an attacker to inject malicious JavaScript.» for more info
  9. 9. Demo #2» Adium <= 1.4.2 (OS X)» Unfiltered HTML in file transfer dialogue.» Almost the same as Skype.»
  10. 10. Demo #3» Skype on iOS 3.0.1 (Fixed as of 3.0.2)» Again, basic Cross Site Scripting» Discovered by while testing Skype on OS X» More info at
  11. 11. Demo #3
  12. 12. Introducing WebOS» Truly web-driven operating system» Easy application development» Posed to compete with iOS / Android» Oh yeah, appsare HTML5 /JavaScript
  13. 13. WebOS» WebOS. Because most apps are HTML/JS, many are susceptible to attacks.» However... actually more secure than previousvulns.» Security (kind-of) done right on it.
  14. 14. Demo #5» Androids GMail app» Reported a few months ago...» Android (like iOS) uses separate users per application, limiting what each app can reach.
  15. 15. Demo #5 - Continued» GMail.apk allows HTML files to be downloaded.» Handles it in "HTML Viewer" properly, without JS.» However, XSS inside allows attackerto force download file.» Then force browser to open file:///..../attack.html
  16. 16. For my next trick...  Choose an OS» Linux» Windows» OS X» iOS
  17. 17. Demo #6» Google Earth» Multi-platform - OS X, iOS, Linux & Windows» Payloaded KML file (Google Earth XML file)» Uses HTML for info-boxes» Uses vulnerable WebKit versoin
  18. 18. Tool!» To make it easier, wrote a tool.» JSON arrays for discovery functions() [what users, app] and files» base64 encodes & exfiltrates
  19. 19. Tool!fileList[mac]= { // How do we discover users? "discover" :/Library/Preferences/, // Okay, we found them,what do we pillage? "post" :{ bashHistory:.bash_history, sshHosts:.ssh/known_hosts, sshKeys:.ssh/, } }fileList[android]= { // Instead of how, just figure out the currently in use appi "discover" :/proc/self/status, // Okay, we found them,what do we pillage? "post" :{ browser_data:/data/data/, browser_data2:/data/data/, gmail_accounts:/data/data/, dolpin_data:/data/data/mobi.mgeek.TunnyBrowser/databases/webview.db, dolpin_data2:/data/data/mobi.mgeek.TunnyBrowser/databases/browser.db, chromeBookmarks:.config/chromium/Default/Bookmarks } }
  20. 20. Conclusion » XSS is bad, mkay?» Developers dont know how / arent trained to filter client side.» Easy to exploit.» Ping me at @theKos