Same Origin Method Execution (BlackHat EU2014)

Exploiting A Callback For Same Origin Policy Bypass.
SOME, "Same Origin Method Execution", is a new technique that abuses callback endpoints in order to perform a limitless number of unintended actions on a website on behalf of users, by assembling a malicious set of timed frames and/or windows. Despite the similarity to clickjacking, this attack is not UI related, nor is it confined in terms of user interaction, browser brand, HTTP X-Frame-Options or other response headers, or a particular webpage; in fact, when one webpage is found vulnerable to "SOME", the entire domain becomes vulnerable. During this talk, I intend to demonstrate how JSONP opens a backdoor, even in the most protected domains, to a very powerful attack that can cause severe damage without any user interaction.

  1. Ben Hayak, Security Researcher. Ben.Hayak@gmail.com, Twitter: @BenHayak
  2. Attacker / Bank: the two origins the Same Origin Policy is meant to keep apart
  3. What SOP blocks across origins: • Document Access • Object Access • AJAX Requests • Data Leakage
  4. What it still allows, external resources: • <img src="[[URL]]"> • <link rel href="[[URL]]"> • <script src="[[URL]]"> [[External resources]] Go Ahead
  5. <script src="[[URL]]"> External Scripts are Allowed! (a cross-origin script runs with the including page's origin)
  6. //XML.. <xml> <person> <name>john</name> <credit>34</credit> </person> </xml>
  7. {"name":"John","credit":34} (the same record as JSON)
  8. 1. person = RequestData() 2. {"name":"John","credit":34} → person.name == "John", person.credit == 34
  9. Why JSONP exists: • Use 3rd Party services • Overcome SoP
  10-13. http://benhayak.com includes www.telize.com/geoip?callback=getgeoip: the page defines getgeoip, the third-party endpoint answers with a script that calls getgeoip(...) with the JSON as its argument, and the data is usable on benhayak.com despite SoP
  14. (image only)
  15. SOME
  16. Ballpoint pen (image only)
  17. SOME
  18. Contacts from YAHOO: a page that loads the user's contacts over JSONP
  19. <script src="http://yahoo.com/contacts?callback=initTable"> function initTable(jsondata) { //Build a table with the contacts }
  20. <script src="http://yahoo.com/contacts?callback=Attack"> function initTable(jsondata) { //Build a table with the contacts } (the endpoint calls whatever the callback parameter names; initTable never runs)
  21. text/javascript: the response is served and executed as script, not parsed as data
  22-24. www.google.com?callback=Attack → Execute Attack on www.google.com (the callback executes on the endpoint's origin, not the attacker's)
  25-27. Attack(); Click(); submit(); (the callee need not be the attacker's own function: any method reachable by name, such as click() or submit(), is called with the JSON as its argument)
  28-32. Gmail: Send Contacts To Gmail → Redirect... → Gmail JSONP Endpoint (a JSONP page/endpoint on the Gmail origin)
  33. Attacker controls the Callback: mail.google.com?callback=Attack
  34-37. mail.google.com?callback2=Attack → Execute Attack on mail.google.com
  38. Callback=<XSS>aaa and Callback=;alert() are rejected: Only [A-Za-z0-9.] allowed (the filter stops script injection, but a dotted property path passes it)
  39. Set up the environment
  40-41. 1. Redirect Main (the main window is navigated to the target page); SelectAll
  42-43. 2. Redirect first window to "SOME" (the JSONP URL whose callback drives the first UI action); SelectAll, then Confirm
  44. 3. Redirect 2nd window to "SOME"; Confirm
  45. Your photos are now publicly available. Mission Accomplished
  46. We simulate UI clicks
  47. We only need alphanumeric and a dot
  48. We can use Windows
  49. User Clicks: Use a popup bypass
  50. Currently no restrictions when using windows (windows, unlike frames, are not subject to X-Frame-Options)
  51. Mitigations: 1. Use a static function name as a Callback 2. Whitelist callbacks 3. Register CBs: __SOME__['callback']({json})
  52. • Hijack User's action without interaction • Can follow a limitless flow of actions, dependent or not • Invisible to the victim • Any page on the domain becomes vulnerable
  53. Closing slide: Ben Hayak, Security Researcher. Ben.Hayak@gmail.com, Twitter: @BenHayak