
Blind xss


Researcher : Adam Baldwin
Conference Presented : DEFCON 20

Flavor of cross site scripting, where the attacker “blindly” deploys a series of malicious payloads on web pages that are likely to save them to a persistent state (like in a database, or in a log file).

Blind xss

  1. • Researcher : Adam Baldwin
     • Conference Presented : DEFCON 20
  2. • Reflected
     • Persistent (stored)
     • DOM
  3. • It is a flavor of cross site scripting, where the attacker “blindly” deploys a series of malicious payloads on web pages that are likely to save them to a persistent state (like in a database, or in a log file).
     • Then, without knowing where the payloads have ended up, or whether they are going to be executed, the attacker waits for the payloads to be pulled out of storage and rendered on a web page loaded by a user.
     • In fact it would be BLIND STORED XSS.
  4. • Persistent type of XSS that relies on vulnerabilities in the code of the target web pages, which allow malicious scripts, inserted into web controls, to be saved by the server in a database or web site file.
     • These are then “served” to other users as part of HTML page responses, without being “sanitized” first.
  5. • The payload gets sent to a database; all input to the application is being stored somewhere and is going to be used by different tools.
     • It is also going to be used in different contexts by different developers.
     • It could be minutes, days, months or even years before it executes (if it executes at all)...
     • Historical data. A good example would be chat sites etc.
     • An Admin might think something is fishy with a user's account, so the Admin could go back and look at the account: open the database, open the profile, render the payload in the page and call the XSS back to the attacker.
     • Targets: log viewers, exception handlers, anywhere that an Admin or Owner can go back and view old records.
  6. Link to tutorial
     • Demonstration that Adam Baldwin did at DEFCON 20 using xss.io to identify blind xss vectors, quickly build reusable exploits and use the referrer redirect feature to shorten payload length.
     • http://vimeo.com/46897322
  7. • Don't mind me, I'm just going to hang out for a few decades until a programmer makes a mistake.
       – But the fact is: "Programmers will make the mistake"!
     • Some people previously called this unverified XSS and then explained how it can be verified by looking through the logs.
     • At the end of the day the vulnerability is BLIND.
  8. • Code review, and ensure that any user input is properly sanitized.
       – If this is not done, there is a risk that user input does not get stripped of any scripting tags before being saved to storage or served to the user's browser.
     • Never trust data provided.
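The slides describe the sink (an admin log viewer rendering old records, slide 5) and the fix (sanitize input, never trust stored data, slide 8). The following is an added example, not code from the slides or from Adam Baldwin, showing both sides in a minimal Node.js log viewer: the unsafe rendering that concatenates stored fields into HTML, and a hardened version that encodes every field for the HTML context at output time. The log records, the field names (`ts`, `user`, `userAgent`) and the helper names are all constructed for this example.

```javascript
// Added example (not from the slides): a minimal admin "log viewer" that
// renders stored, user-supplied records into HTML. The records below are
// constructed sample data standing in for rows read back from a database
// or log file; the third one holds markup that was saved verbatim, which is
// exactly the situation the slides describe.
const storedLogEntries = [
  { ts: '2012-07-28T10:00:00Z', user: 'alice', userAgent: 'Mozilla/5.0' },
  { ts: '2012-07-28T10:05:00Z', user: 'bob', userAgent: 'curl/7.21' },
  { ts: '2012-07-28T10:07:00Z', user: 'mallory', userAgent: '<script>alert(1)</script>' },
];

// Encode the five characters that matter in HTML text and attribute
// contexts, so stored data is displayed as text instead of parsed as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: stored fields go straight into the HTML string.
// Whatever was saved months ago is handed to the admin's browser as markup.
function renderLogTableUnsafe(entries) {
  const rows = entries.map(
    (e) => `<tr><td>${e.ts}</td><td>${e.user}</td><td>${e.userAgent}</td></tr>`
  );
  return `<table>${rows.join('')}</table>`;
}

// Hardened rendering: every field is encoded for the HTML context at output
// time, regardless of what was (or was not) done when the data was stored.
function renderLogTableSafe(entries) {
  const rows = entries.map(
    (e) =>
      `<tr><td>${escapeHtml(e.ts)}</td><td>${escapeHtml(e.user)}</td>` +
      `<td>${escapeHtml(e.userAgent)}</td></tr>`
  );
  return `<table>${rows.join('')}</table>`;
}

// Regression check for templates during code review: does a raw <script
// tag survive in the rendered page? Encoded output never contains one.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Run the two renderers over the sample records when executed directly.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe output contains raw <script>:',
    containsRawScriptTag(renderLogTableUnsafe(storedLogEntries)));
  console.log('safe output contains raw <script>:',
    containsRawScriptTag(renderLogTableSafe(storedLogEntries)));
}
```

The point of the hardened version is that the encoding happens at the sink, not at the input: the slides stress that stored data will be reused by different tools, in different contexts, by different developers, so a viewer cannot rely on whatever filtering happened (or didn't) when the record was written. Input sanitization, as slide 8 recommends, is a second layer, not a replacement for output encoding.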
