XSS Without Browser

2011 Seattle Toorcon presentation I gave. Go to http://kyleosborn.org/ for more.

Published in: Education, Technology

  1. Toorcon Seattle, 2011: XSS Without the Browser. Wait, what?
  2. # whoami: Kyle Osborn…. Many know me as Kos. http://kyleosborn.com/ http://kos.io/ @theKos. Application Security Specialist at WhiteHat Security.
  3. HTML Rendering Engines
     • Trident – Windows (Internet Explorer)
     • Webkit – OS X (Safari)
     • Easily embedded. Easy to update, add features, style, and include advanced user interaction with HTML, JavaScript and CSS.
     • HTML5 features offer a more seamless desktop interface.
     • Very cheap! HTML/JavaScript/CSS are simple.
  4. What does this mean? Web vulnerabilities… in desktop applications.
     • Conventional web vulnerabilities can now become desktop vulnerabilities.
     • Forget shellcode, my payload is JavaScript! My exploit isn't a buffer overflow, it's double-quotes!
     • Binary foo? More like "I once made a website for Grandma's knitting company"-foo.
     Fixed in latest versions of Skype >= 5.0.922.
  5. So what, it's just a little JavaScript!
     Same Origin Policy: dictates that JavaScript cannot reach content in another context. Origin is based on protocol (http, https), hostname (google.com) and port (:80): protocol://hostname:port/
     But…. The Same Origin Policy is based on an Origin. What is the "origin" inside desktop applications? No protocol. No hostname. No port. So…
  6. Demo #1 (or video…) [picking on Skype]
     Payload:
     • Injects an iframe with Google into the chat DOM.
     • Injects <img src=x onerror=alert(document.domain)> into the iframe.
     • Uses Safari cookies and sessions in requests.
  7. Demo #2 (or video…) [picking on Skype]
     Payload:
     • XmlHttpRequest opens file:///etc/passwd and then alerts it.
     • Can access any files on the local filesystem that the user has permission to read.
     • Also works for https://mail.google.com/
     • Can be used to bypass CSRF tokens, and requests can be crafted to essentially do anything.
  8. Basically…
     • If Origin = null… then BAD.
     • If the "origin" doesn't exist, what is there to compare to?
     • Since http://www.google.com:80/ === null, JavaScript isn't really breaking any rules.
     • As far as I can tell, just a misconfiguration on the developer's side. My point is: the outcome can be very bad; applications like this should be tested.
  9. Where to look
     OS X: Adium, iChat, Twitter.app, Skype, …..
     Windows/Linux: gwibber (Linux twitter client), AIM, …there has got to be more.
  10. Information: Talk to me later. I'll be around for the parties, and Black Lodge tomorrow. http://kos.io/skype (will be updated with slides and more info). Twitter @theKos. Blog coming soon @ http://blog.whitehatsec.com
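As an added example that is not from the talk or from Skype's code, the chat-view rendering pattern slide 6 abuses, in JavaScript runnable under Node: the unsafe string concatenation beside an escaped form, with the slide's `<img>` payload as constructed test input and a check that the escaped output contains no markup the template did not emit. Function and variable names are assumptions.

```javascript
// Constructed sample: the chat message an attacker sends (payload from slide 6).
const PAYLOAD = '<img src=x onerror=alert(document.domain)>';

// Minimal HTML escaper for text placed between tags (not inside attributes).
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: untrusted sender and message are concatenated straight into the
// markup the embedded rendering engine will parse, so tags in them become DOM.
function renderMessageUnsafe(sender, message) {
  return '<div class="msg"><b>' + sender + '</b>: ' + message + '</div>';
}

// Hardened: the same template, but every untrusted field is escaped first,
// so the payload is shown as text instead of creating an <img> element.
function renderMessageSafe(sender, message) {
  return '<div class="msg"><b>' + escapeHtml(sender) + '</b>: ' + escapeHtml(message) + '</div>';
}

// Check for a test suite: after removing the exact tags the template itself
// emits, any remaining '<' means untrusted data introduced markup. Valid only
// for this template, which never places untrusted data inside an attribute.
const TEMPLATE_TAGS = ['<div class="msg">', '<b>', '</b>', '</div>'];
function containsInjectedMarkup(html) {
  let rest = html;
  for (const tag of TEMPLATE_TAGS) rest = rest.split(tag).join('');
  return rest.includes('<');
}

function main() {
  console.log('unsafe:', renderMessageUnsafe('kos', PAYLOAD));
  console.log('safe:  ', renderMessageSafe('kos', PAYLOAD));
  console.log('unsafe injects markup:', containsInjectedMarkup(renderMessageUnsafe('kos', PAYLOAD)));
  console.log('safe injects markup:  ', containsInjectedMarkup(renderMessageSafe('kos', PAYLOAD)));
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Escaping fixes the injection itself; it does not change the origin question on slides 5 and 8, so a view that still has no origin should also be kept from loading untrusted content at all.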