Toorcon Seattle, 2011
XSS Without the Browser
Wait, what?
# whoami
Kyle Osborn. Many know me as Kos.
http://kyleosborn.com/
http://kos.io/
@theKos
Application Security Specialist at WhiteHat Security
Demo #1 (or video...) [picking on Skype]
Payload:
Injects an iframe with Google into the chat DOM.
Injects <img src=x onerror=alert(document.domain)> into the iframe.
Uses Safari cookies and sessions in requests.
Demo #2 (or video...) [picking on Skype]
Payload:
XmlHttpRequest opens file:///etc/passwd and then alerts it.
Can access any files on the local filesystem that the user has permission to read.
Also works for https://mail.google.com/
Can be used to bypass CSRF tokens, and requests can be crafted to essentially do anything.
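The root cause behind both demos is a chat client that drops untrusted message text into a web view as raw HTML. The following is an added example (not code from the talk, from Skype, or from any client named here) showing that pattern beside the hardened version: the same message rendered with every untrusted field HTML-escaped, plus a small audit check that counts tags in the rendered output so a defender can spot an escaping gap. The render functions, the message objects and the payload string in SAMPLE_MESSAGES are constructed for illustration.

```javascript
// Added example: rendering chat messages into an embedded web view.
// Everything here is constructed sample code, not any client's real code.

// The five characters that must be escaped before untrusted text is
// placed in HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape untrusted text so the rendering engine treats it as text only.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: sender and body are interpolated verbatim, so any
// markup inside a message becomes live elements in the client's DOM.
function renderMessageUnsafe(msg) {
  return `<div class="msg"><b>${msg.from}</b>: ${msg.body}</div>`;
}

// Hardened pattern: every untrusted field is escaped before interpolation.
function renderMessageSafe(msg) {
  return `<div class="msg"><b>${escapeHtml(msg.from)}</b>: ${escapeHtml(msg.body)}</div>`;
}

// Audit check for a defender: our template emits exactly four tags
// (<div>, <b>, </b>, </div>). Any extra '<' in the rendered line means
// untrusted markup survived into the DOM.
const EXPECTED_TAG_COUNT = 4;
function hasInjectedMarkup(html) {
  const tagCount = (html.match(/</g) || []).length;
  return tagCount > EXPECTED_TAG_COUNT;
}

// Constructed sample messages; the second carries the img/onerror
// payload shown in Demo #1.
const SAMPLE_MESSAGES = [
  { from: 'alice', body: 'lunch at noon?' },
  { from: 'mallory', body: '<img src=x onerror=alert(document.domain)>' },
];

// Run both renderers over the samples and report which path leaks markup.
function auditSamples() {
  return SAMPLE_MESSAGES.map((m) => ({
    from: m.from,
    unsafeHasMarkup: hasInjectedMarkup(renderMessageUnsafe(m)),
    safeHasMarkup: hasInjectedMarkup(renderMessageSafe(m)),
  }));
}

console.log(auditSamples());
```

Escaping at the rendering boundary stops the iframe and img/onerror injections from Demo #1; it does not by itself address Demo #2, where the web view additionally has file:// and cross-origin privileges that a browser would refuse. Both fixes are needed: treat message content as text, and run the chat view without local-file access.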
Where to look
OS X: Adium, iChat, Twitter.app, Skype ...
Windows/Linux: gwibber (Linux twitter client), AIM, ...there has got to be more
Information
Talk to me later. I'll be around for the parties, and Black Lodge tomorrow.
http://kos.io/skype (will be updated with slides and more info)
Twitter: @theKos
Blog coming soon @ http://blog.whitehatsec.com