XSS Without Browser

2011 Seattle Toorcon presentation I gave. Go to http://kyleosborn.org/ for more.

Transcript

  • 1. Toorcon Seattle, 2011. XSS Without the Browser. Wait, what?
  • 2. # whoami. Kyle Osborn…. Many know me as Kos. http://kyleosborn.com/ http://kos.io/ @theKos. Application Security Specialist at WhiteHat Security.
  • 3. HTML Rendering Engines. Trident – Windows (Internet Explorer). Webkit – OS X (Safari). Easily embedded. Easy to update, add features, style, and include advanced user interaction with HTML, JavaScript and CSS. HTML5 features offer a more seamless desktop interface. Very cheap! HTML/JavaScript/CSS are simple.
  • 4. What does this mean? Web vulnerabilities… in Desktop Applications. • Conventional web vulnerabilities can now become desktop vulnerabilities. • Forget shellcode, my payload is JavaScript! My exploit isn't a buffer overflow, it's double-quotes! • Binary foo? More like "I once made a website for Grandma's knitting company"-foo. Fixed in latest versions of Skype >= 5.0.922.
  • 5. So what, it's just a little JavaScript! Same Origin Policy: dictates that JavaScript can not reach content in another context. Origin based on: Protocol (http, https), Hostname (google.com), Port (:80), i.e. protocol://hostname:port/. But…. The Same Origin Policy is based on an Origin. What is the "origin" inside desktop applications? No protocol, no hostname, no port. So…
  • 6. Demo #1 (or video…) [picking on Skype]. Payload: Injects an iframe with Google into the chat DOM. Injects <img src=x onerror=alert(document.domain)> into the iframe. Uses Safari cookies and sessions in requests.
  • 7. Demo #2 (or video…) [picking on Skype]. Payload: XmlHttpRequest opens file:///etc/passwd and then alerts it. Can access any files on the local filesystem that the user has permission to read. Also works for https://mail.google.com/. Can be used to bypass CSRF tokens, and requests can be crafted to essentially do anything.
  • 8. Basically… If Origin = null… then BAD. If the "origin" doesn't exist, what is there to compare to? Since http://www.google.com:80/ === null, JavaScript isn't really breaking any rules. As far as I can tell, just a misconfiguration on the developers' side. My point is: the outcome can be very bad; applications like this should be tested.
  • 9. Where to look. OS X: Adium, iChat, Twitter.app, Skype, ….. Windows/Linux: gwibber (Linux twitter client), AIM, …there has got to be more.
  • 10. Information. Talk to me later. I'll be around for the parties, and Black Lodge tomorrow. http://kos.io/skype (will be updated with slides and more info). Twitter @theKos. Blog coming soon @ http://blog.whitehatsec.com
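As an added example (not code from the talk, from Kyle Osborn, or from Skype), here are the two defensive checks the slides point at, written for Node.js: the origin tuple from slide 5 and the "null origin must match nothing" rule from slide 8, and the escaping of untrusted chat text that would have made the slide 6 payload inert. It assumes a Node.js runtime (10 or later) for the global WHATWG `URL` class; the function names (`originOf`, `originTuple`, `sameOrigin`, `escapeHtml`, `looksLikeMarkup`, `renderChatLine`) and the sample payload string are constructed for this example.

```javascript
// Added example, not from the slides: two defensive checks an embedded
// HTML renderer (a Trident/WebKit view inside a desktop app) should apply.
// Assumes Node.js 10+ (global WHATWG `URL`); no other dependencies.

// ---- 1. Origin handling (slides 5 and 8) ---------------------------------
// The Same Origin Policy compares the tuple (protocol, hostname, port).
// Schemes such as file:, data: and about: have no such tuple; the WHATWG URL
// parser serialises that "opaque origin" as the string "null".
function originOf(url) {
  return new URL(url).origin;
}

// The tuple itself, with the default port filled in, or null for an opaque origin.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };
function originTuple(url) {
  const u = new URL(url);
  if (u.origin === 'null') return null;
  return {
    protocol: u.protocol,
    hostname: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Defensive comparison: an opaque origin matches nothing, not even another
// opaque origin. Treating "null === null" as a match is the misconfiguration
// the slides describe ("If Origin = null... then BAD").
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === 'null' || ob === 'null') return false;
  return oa === ob;
}

// ---- 2. Rendering untrusted chat text (slides 6 and 7) -------------------
// Constructed sample in the shape shown on slide 6.
const SAMPLE_PAYLOAD = '<img src=x onerror=alert(document.domain)>';

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Every character with meaning to the HTML parser becomes an entity, so the
// engine displays the text instead of parsing it.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Cheap detection hook for a chat client's logging: '<' followed by a letter,
// '/' or '!' is where the parser would open a tag, end tag or comment.
function looksLikeMarkup(text) {
  return /<[A-Za-z\/!]/.test(text);
}

// The "before" form from the talk: message text concatenated into markup
// that the view will parse as HTML.
function renderChatLineUnsafe(sender, body) {
  return `<div class="msg"><b>${sender}</b>: ${body}</div>`;
}

// Hardened form: every untrusted field escaped before it reaches the DOM.
function renderChatLine(sender, body) {
  return `<div class="msg"><b>${escapeHtml(sender)}</b>: ${escapeHtml(body)}</div>`;
}
```

For file:///etc/passwd `originOf` returns the string "null" and `originTuple` returns null, so `sameOrigin` refuses to pair it with anything, including another file: URL; this is the rule a browser applies and the rule the embedded view in the demos did not. On the rendering side, the escaped message contains no `<` at all, so `looksLikeMarkup` returns false for it and the chat bubble shows the payload as literal text.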