Same Origin Method Execution (BlackHat EU2014)
Report
Ben HayakFollow
Apr. 29, 2015•0 likes•6,393 views
Same Origin Method Execution (BlackHat EU2014)
Apr. 29, 2015•0 likes•6,393 views
Download to read offline
Report
Presentations & Public Speaking
Exploiting A Callback For Same Origin Policy Bypass. SOME - "Same Origin Method Execution" is a new technique that abuses callback endpoints in order to perform a limitless number of unintended actions on a website on behalf of users, by assembling a malicious set of timed frames and/or windows. Despite the similarity to click-jacking, this attack is not UI related nor it is confined in terms of user interaction, browser brand, HTTP X-FRAME-OPTIONS/Other response headers or a particular webpage, in fact, when a webpage found vulnerable to "SOME", the entire domain becomes vulnerable. During this talk, I intend to demonstrate how JSONP opens a backdoor, even in the most protected domains, to a very powerful attack that can cause severe damage without any user-interaction.
Ben HayakFollow
Recommended
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
A story of the passive aggressive sysadmin of AEMFrans Rosén
Hacking Adobe Experience Manager sitesMikhail Egorov
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Hunting for security bugs in AEM webappsMikhail Egorov
Building Advanced XSS VectorsRodolfo Assis (Brute)
More Related Content
What's hot
A Forgotten HTTP Invisibility CloakSoroush Dalili
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Christian Schneider
Securing AEM webapps by hacking themMikhail Egorov
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
Cross Site Scripting ( XSS)Amit Tyagi
Similar to Same Origin Method Execution (BlackHat EU2014)
Html5: Something wicked this way comes (Hack in Paris)Krzysztof Kotowicz
Selenium再入門Norio Suzuki
Devbeat Conference - Developer First SecurityMichael Coates
Html5: something wicked this way comesKrzysztof Kotowicz
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdfLior Rotkovitch
OmniAuth: From the Ground UpMichael Bleigh
Recently uploaded
IR_Astyli_ENG.pptxssuser97e5d3
Unlocking the DNA of Our Community: A Data-Driven Deep DiveIldikoGyimesi
AGRICULTURE DRONES.pptxDOuLIKEit
stackconf 2023 | Database Infrastructure with Open Source Kubernetes Database...NETWAYS
Flirtation or Faceoff (D.C. Eagles Hockey #2)Roman441369
OTX Compensation Plan.pdfShaikhNoorulAmin
Same Origin Method Execution (BlackHat EU2014)
- 1. Ben Hayak Security Researcher Ben.Hayak@gmail.com Twitter: @BenHayak
- 15. Attacker Bank
- 16. • Document Access • Object Access • AJAX Requests • Data Leakage
- 17. • <img src=“[[URL]]”> • <link rel href=“[[URL]]”> • <script src=“[[URL]]”> [[External resources]] Go Ahead
- 18. <script src=“[[URL]]”> External Scripts are Allowed!
- 24. //XML.. <xml> <person> <name>john</name> <credit>34</credit> </person> </xml>
- 25. {“name”:”John”,”credit”:34}
- 26. person.name == “John” person.credit == 34 1. person = RequestData() 2. {“name”:”John”,”credit”:34}
- 27. • Use 3rd Party services • Overcome SoP
- 28. http://benhayak.com
- 29. http://benhayak.com
- 30. www.telize.com/geoip?callback=getgeoip
- 32. http://benhayak.com
- 33.
- 46. SOME
- 47. . Ballpoint pen
- 51. SOME
- 55. Contacts from YAHOO
- 56. <script src= “http://yahoo.com/contacts?callback= ” >initTable Function initTable(jsondata) { //Build a table with the contacts }
- 57. <script src= “http://yahoo.com/contacts?callback= ” >Attack Function initTable(jsondata) { //Build a table with the contacts }
- 58. text/javascript
- 59. Attack www.google.com?callback=Attack
- 60. Attack www.google.com?callback=Attack
- 61. www.google.com?callback=Attack Execute Attack on www.google.com
- 62. Attack();
- 63. Click();
- 64. submit();
- 67. Gmail
- 68. Send Contacts To Gmail Gmail
- 69. Redirect….Gmail
- 70. Gmail JSONP Endpoint
- 71. Gmail JSONP Page(endpoint) Gmail
- 72. Attacker controls the Callback mail.google.com?callback= Attack
- 73. Gmail JSONP Endpoint
- 74. Attack mail.google.com?callback2=Attack
- 75. Attack mail.google.com?callback2=Attack
- 76. mail.google.com?callback2=Attack Execute Attack on mail.google.com
- 80. Callback=<XSS>aaa Only [A-Za-z0-9.] allowed Callback=;alert()
- 82. Set up the environment
- 83. 1. Redirect Main
- 84. SelectAll 1. Redirect Main
- 85. SelectAll 2. Redirect first window to “SOME”
- 86. 2. Redirect first window to “SOME” Confirm
- 87. 3. Redirect 2nd window to “SOME” Confirm
- 88. Your photos are now publicly available Mission Accomplished
- 90. We simulate UI clicks
- 91. We only need alphanumeric and a dot
- 92. We can use Windows
- 93. User Clicks Use a popup bypass
- 94. Currently no restrictions when using windows
- 96. 1. Use a static function name as a Callback 2. Whitelist callbacks 3. Register CBs: __SOME__[‘callback’]({json})
- 97. • Hijack User’s action without interaction • Can follow limitless flow of actions dependent/not. • Invisible to the victim • Any page on the domain becomes vulnerable
- 98. Ben Hayak Security Researcher Ben.Hayak@gmail.com Twitter: @BenHayak