The Art of Executing JavaScript
Team bi0s
Amrita Center for Cybersecurity, Amritapuri
About
➢ Akhil Mahendra
➢ Web application security enthusiast
➢ CTFer{@teambi0s}
➢ @Akhil_Mahendra
Agenda
➢ Introduction - XSS
➢ Types of XSS and the different contexts
➢ Same Origin Policy
➢ Content Security Policy
➢ XSS via AngularJS
Introduction
An attack with a wrong name?
Introduction
➢ Still exists after 18 years!
➢ No. 7 in the OWASP Top 10 (2017)
➢ Most commonly reported security vulnerability
Introduction - Impact
➢ Stealing user cookies
➢ Keylogging
➢ Defacing the website
Types of XSS
➢ Reflected XSS
➢ Stored XSS
➢ DOM-based XSS
Different Contexts
➢ HTML
➢ Attribute
➢ Script
➢ Style
➢ URL
Different Contexts - HTML context
➢ User input lands inside the content of an HTML element
  ○ <p>Injection</p>
➢ POC
  ○ <script>alert(1)</script>
Different Contexts - attribute context
➢ User input lands inside an HTML attribute value, or is used as an attribute name
  ○ <p class="Injection"></p>
  ○ <p Injection="test123"></p>
➢ POC
  ○ " onmouseover="alert(1)">
  ○ onmouseover="alert(1)" class
Different Contexts - script context
➢ User input lands inside a <script> block, here in a string literal
  ○ <script> var a = 'Injection'; </script>
➢ POC
  ○ ';alert(1);//
Different Contexts - style context
➢ User input lands inside a style attribute (CSS)
  ○ <p style="color: injection"></p>
➢ POC
  ○ expression(alert(1)); (CSS expression() is a legacy Internet Explorer feature; modern browsers do not evaluate it)
Different Contexts - URL context
➢ User input lands inside a URL attribute such as href
  ○ <a href="injection">click</a>
➢ POC
  ○ javascript:alert(1)
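The defensive counterpart to the five context slides, as an added example that is not part of the deck: the same untrusted value has to be handled differently in each context, and for attribute names and CSS values encoding is not enough, only an allow-list works. The function names and the allowed attribute-name list are this example's own assumptions.

```javascript
// Added example (not from the slides): context-aware output handling for
// the five injection contexts above.

// HTML element content and quoted attribute values: escape the five
// characters that can close the text node or the attribute.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Attribute *names* cannot be fixed by encoding: "onmouseover" as a name is a
// handler, not data. Accept names only from an allow-list (assumed here).
const ALLOWED_ATTRIBUTE_NAMES = new Set(['class', 'id', 'title']);
function safeAttributeName(name) {
  const n = String(name).toLowerCase();
  return ALLOWED_ATTRIBUTE_NAMES.has(n) ? n : null;
}

// JavaScript string-literal context: \xHH / \uHHHH-escape everything except
// alphanumerics and space, so quotes, backslashes, newlines and "</script>"
// cannot terminate the literal or the script block.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Style context: CSS has no useful escaping for free-form values, so only a
// strict shape is accepted (named colour or hex colour); anything else,
// including expression(...), falls back to a harmless keyword.
function safeCssColor(s) {
  const v = String(s).trim();
  return /^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{1,20})$/i.test(v) ? v : 'inherit';
}

// URL context: accept only http(s) URLs. Browsers ignore control characters
// and whitespace inside a scheme, so normalise before checking the prefix.
function safeUrl(s) {
  const raw = String(s).trim();
  const normalised = raw.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return /^https?:\/\//.test(normalised) ? encodeHtml(raw) : 'about:blank';
}

// Render one untrusted value into each of the deck's contexts.
function render(untrusted) {
  return {
    html: `<p>${encodeHtml(untrusted)}</p>`,
    attribute: `<p class="${encodeHtml(untrusted)}"></p>`,
    script: `<script>var a = '${encodeJsString(untrusted)}';</script>`,
    style: `<p style="color: ${safeCssColor(untrusted)}"></p>`,
    url: `<a href="${safeUrl(untrusted)}">click</a>`,
  };
}
```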
SOP
➢ Scripts on a page can make HTTP requests and process the responses only between hosts that have the same protocol, hostname and port (the origin)
➢ A loaded IFRAME cannot read or write data in the embedding page unless it is in the same origin!
CSP
➢ Introduced as a mechanism to mitigate code injection
➢ Directives define:
  ○ From where, and what kind of, content is allowed to load
  ○ In which context the content is allowed to execute
➢ It is a mitigation, not the first line of defense!
CSP - Directives
➢ Directives:
  ○ default-src
  ○ script-src
  ○ object-src
  ○ style-src
  ○ img-src
  ○ frame-src
CSP - Keywords
➢ Keywords:
  ○ *
  ○ 'none'
  ○ 'self'
  ○ 'unsafe-inline'
  ○ 'unsafe-eval'
CSP
➢ HTTP header
  ○ <?php header("Content-Security-Policy: default-src https://cdn.example.net; object-src 'none'"); ?>
➢ Meta tag in HTML
  ○ <meta http-equiv="Content-Security-Policy" content="default-src https://cdn.example.net; object-src 'none'">
CSP - Common mistakes
➢ unsafe-inline, unsafe-eval, data:
  ○ The whole purpose of CSP is defeated
➢ Eg: default-src 'self'; script-src 'unsafe-inline'
  ○ Bypass: <script>alert(1)</script>
CSP - Common mistakes
➢ Nonces:
  ○ A nonce must be a random string
  ○ It must not be reused
  ○ It must not be guessable
CSP - Common mistakes
➢ Examples of bad nonces
  ○ Request 1 - D29162F1B99108DDA2406C697FFAC27586F42C7D021669F01F720CEEACBB06F5
  ○ Request 2 - D29162F1B99108DDA2406C697FFAC27586F42C7D021669F01F720CEEACBB06F5 (same value reused)
  ○ e10adc3949ba59abbe56e057f20f883e - md5(123456) (derived from a guessable value)
  ○ 1231441 (short and predictable)
Demo
CSP - Bypass
XSS via AngularJS
Escaping the expression sandbox for XSS
Thanks
@Akhil_Mahendra