Same Origin Method Execution (BlackHat EU2014)


Exploiting a callback for Same Origin Policy bypass.
SOME ("Same Origin Method Execution") is a new technique that abuses JSONP callback endpoints in order to perform a limitless number of unintended actions on a website on behalf of its users, by assembling a malicious set of timed frames and/or windows. Despite the similarity to clickjacking, this attack is not UI related, nor is it confined in terms of user interaction, browser brand, the HTTP X-Frame-Options or other response headers, or a particular web page; in fact, once a web page is found vulnerable to SOME, the entire domain becomes vulnerable. During this talk, I intend to demonstrate how JSONP opens a backdoor, even in the most protected domains, to a very powerful attack that can cause severe damage without any user interaction.


  1. Ben Hayak, Security Researcher. Ben.Hayak@gmail.com, Twitter: @BenHayak
  2. Attacker / Bank
  3. • Document Access • Object Access • AJAX Requests • Data Leakage
  4. [[External resources]] Go Ahead: • <img src="[[URL]]"> • <link rel href="[[URL]]"> • <script src="[[URL]]">
  5. <script src="[[URL]]"> External scripts are allowed!
  6. // XML: <xml><person><name>john</name><credit>34</credit></person></xml>
  7. {"name":"John","credit":34}
  8. 1. person = RequestData() 2. {"name":"John","credit":34} → person.name == "John", person.credit == 34
  9. • Use 3rd party services • Overcome SOP
  10. http://benhayak.com
  11. http://benhayak.com
  12. www.telize.com/geoip?callback=getgeoip
  13. http://benhayak.com
  14. (no text)
  15. SOME
  16. Ballpoint pen
  17. SOME
  18. Contacts from Yahoo
  19. <script src="http://yahoo.com/contacts?callback=initTable"></script>; function initTable(jsondata) { // Build a table with the contacts }
  20. <script src="http://yahoo.com/contacts?callback=Attack"></script>; function initTable(jsondata) { // Build a table with the contacts }
  21. text/javascript
  22. www.google.com?callback=Attack → Attack
  23. www.google.com?callback=Attack → Attack
  24. www.google.com?callback=Attack: Execute Attack on www.google.com
  25. Attack();
  26. Click();
  27. submit();
  28. Gmail
  29. Send contacts to Gmail
  30. Redirect... Gmail
  31. Gmail JSONP endpoint
  32. Gmail JSONP page (endpoint)
  33. Attacker controls the callback: mail.google.com?callback=Attack
  34. Gmail JSONP endpoint
  35. mail.google.com?callback2=Attack → Attack
  36. mail.google.com?callback2=Attack → Attack
  37. mail.google.com?callback2=Attack: Execute Attack on mail.google.com
  38. Callback=<XSS>aaa and Callback=;alert() are rejected: only [A-Za-z0-9.] is allowed
  39. Set up the environment
  40. 1. Redirect Main
  41. SelectAll: 1. Redirect Main
  42. SelectAll: 2. Redirect first window to "SOME"
  43. Confirm: 2. Redirect first window to "SOME"
  44. Confirm: 3. Redirect 2nd window to "SOME"
  45. Your photos are now publicly available. Mission accomplished
  46. We simulate UI clicks
  47. We only need alphanumeric characters and a dot
  48. We can use windows
  49. User clicks: use a popup bypass
  50. Currently no restrictions when using windows
  51. 1. Use a static function name as a callback 2. Whitelist callbacks 3. Register callbacks: __SOME__['callback']({json})
  52. • Hijack the user's actions without interaction • Can follow a limitless flow of actions, dependent or not • Invisible to the victim • Any page on the domain becomes vulnerable
  53. Ben Hayak, Security Researcher. Ben.Hayak@gmail.com, Twitter: @BenHayak
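Added example, not part of Ben Hayak's slides or demo code: a Node.js simulation of the mechanism the deck walks through (the attacker-chosen callback of slides 19 to 38) and of the three mitigations listed on slide 51. The endpoint functions, the element ids `selectAll` and `confirmShare`, the whitelist entries and the fake `opener` window are all constructed for this demo; no real site is involved, and `new Function` stands in for the browser executing the JSONP response as a script in the victim's origin.

```javascript
// Added example (not from the original slides): simulate a JSONP endpoint
// whose callback name is attacker-controlled, show how a dotted property
// path survives the "alphanumeric and a dot" filter and becomes a method
// call on the same-origin opener window, then show the three mitigations.
// All names, ids and data below are constructed for the demo.

const CALLBACK_RE = /^[A-Za-z0-9.]+$/;   // the [A-Za-z0-9.] filter from slide 38

// Vulnerable JSONP endpoint: echoes any filtered callback name verbatim in
// front of the JSON. The filter stops ';alert()' and '<XSS>aaa', but still
// accepts any dotted property path such as opener.selectAll.click.
function jsonpVulnerable(callback, data) {
  if (!CALLBACK_RE.test(callback)) throw new Error('invalid callback');
  return `${callback}(${JSON.stringify(data)});`;
}

// Constructed stand-in for the victim page sitting in window.opener.
// Elements with an id are exposed as properties of their window object,
// so reaching a button needs no brackets, quotes or parentheses.
function makeVictimWindow() {
  const log = [];                                   // records which buttons were clicked
  const button = (id) => ({ id, click() { log.push(id); } });
  return { log, selectAll: button('selectAll'), confirmShare: button('confirmShare') };
}

// Execute a JSONP response body the way the browser would: as a script
// running in the victim origin, where `opener` is a same-origin window.
function runAsScript(body, opener) {
  return new Function('opener', body)(opener);      // demo-only evaluation of the response
}

// SOME against the vulnerable endpoint: each "callback" is really a method
// path, and the JSON payload is just the argument passed to click().
function someAttack(victim) {
  for (const path of ['opener.selectAll.click', 'opener.confirmShare.click']) {
    runAsScript(jsonpVulnerable(path, { ok: true }), victim);
  }
  return victim.log;                                // ['selectAll', 'confirmShare']
}

// Mitigation 1: a static function name; the query string cannot change it.
function jsonpStatic(_callback, data) {
  return `handleData(${JSON.stringify(data)});`;
}

// Mitigation 2: a whitelist of known callback names (constructed entries).
const ALLOWED = new Set(['initTable', 'getgeoip']);
function jsonpWhitelisted(callback, data) {
  if (!ALLOWED.has(callback)) throw new Error('callback not whitelisted');
  return `${callback}(${JSON.stringify(data)});`;
}

// Mitigation 3: registered callbacks. The name is only a string key into a
// registry the page controls, so 'opener.selectAll.click' is looked up as a
// literal key instead of being walked as a property path.
function jsonpRegistered(callback, data) {
  if (!CALLBACK_RE.test(callback)) throw new Error('invalid callback');
  return `__SOME__[${JSON.stringify(callback)}](${JSON.stringify(data)});`;
}

// Returns true when the registered form turns the SOME payload into a
// TypeError (missing registry entry) and no button on the victim was clicked.
function registeredAttackFails(victim) {
  const body = jsonpRegistered('opener.selectAll.click', { ok: true });
  try {
    new Function('__SOME__', 'opener', body)({}, victim);   // empty registry
    return false;
  } catch (e) {
    return e instanceof TypeError && victim.log.length === 0;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('SOME clicks:', someAttack(makeVictimWindow()));
  console.log('static:', jsonpStatic('opener.selectAll.click', { ok: true }));
  console.log('registered attack blocked:', registeredAttackFails(makeVictimWindow()));
}
```

The point of the simulation is slide 38 versus slide 47: the `[A-Za-z0-9.]` filter is enough to stop `;alert()`, but `opener.selectAll.click` passes it, and because id'd elements are properties of their window, the response `opener.selectAll.click({...})` is a method call on the victim page in the opener window. The static and registered variants make the callback inert regardless of its value; the whitelist is only as safe as the functions it whitelists.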
