SlideShare a Scribd company logo

Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-application XSS

Mario Heiderich
Mario Heiderich

The clipboard is one of the most commonly used tools across operating systems, window managers and devices. Pressing Ctrl-C and Ctrl-V has become so fundamentally important to productivity and usability that we cannot get rid of it anymore. We happily and often thoughtlessly copy things from one source and paste them into another. URLs into address-bars, lengthy commands into console windows, text segments into web editors and mail interfaces. And we never worry about security when doing so. Because what could possibly go wrong, right? But have we ever asked ourselves what the clipboard content actually consists of? Do we really know what it contains? And are we aware of the consequences a thoughtless copy&paste interaction can have? Who else can control the contents of the clipboard? Is it really just us doing Ctrl-C or is there other forces in the realm who are able to infect what we believe to be clean, who can desecrate what we trust so blindly that we never question or observe it? This talk is about the clipboard and the technical details behind it. How it works, what it really contains – and who can influence its complex range of contents. We will learn about a new breed of targeted attacks, including cross-application XSS from PDF, ODT, DOC and XPS that allow to steal website accounts faster than you can click, turn your excel sheet into a monster and learn about ways to smuggle creepy payload that is hidden from sight until it executes. Oh, and we’ll also see what can be done about that and what defensive measures we achieved to create so far.

Internet
1 of 55
Download to read offline
Copy & Pest A case-study on the clipboard, blind trust and invisible cross-application XSS A talk by Mario Heiderich mario@cure53.de || @0x6D6172696F
Don't accept any documents from this man ● Dr.-Ing. Mario Heiderich ● Researcher and Post-Doc, Ruhr-Uni Bochum – PhD Thesis about Client Side Security and Defense ● Founder of Cure53 – Pentest- & Security-Firm located in Berlin – Consulting, Workshops, Trainings – „Simply the Best Company in the World“ ● Published Author and Speaker – Specialized on HTML5, DOM and SVG Security – JavaScript, XSS and Client Side Attacks ● HTML5 Security Cheatsheet ● And DOMPurify! – @0x6D6172696F – mario@cure53.de
So, this happened several months ago,  Mr. Derp opens Gmail and writes a message. (you, fellow attendees will see the live demo,  for everyone else we have screen­shots)
We open a document
We copy & paste into Gmail
Tada!
Technical Background ● There's some things we need to talk about – and will in a few minutes ● What did just happen here? ● Why did it happen? ● How else can this happen? ● What can we do against it? ● Who should actually fix it? ● Now let's get to it, shall we
Thanks, Ange Albertini :D
What did just happen here? ● We have seen an attack that abuses a copy&paste interaction ● We copied from a seemingly harmless document, here LibreOffice ● We then pasted into the browser, here the Gmail compose window ● And all of a sudden, HTML and JavaScript unfold and cause XSS. Or even XAS. ● Although the application we pasted from doesn't understand HTML at all. Strange, right?
Why did it happen? ● To understand, why it happened, we first must understand where the HTML came from ● And what is the transport medium for the rogue data ● We also need to understand what is expected behavior ● And then we can learn how to deviate from that. But how can we find out in the first place?
Let's go back in time In the years before computers were around, even before photocopiers were around, manuscript editing was a tedious craft. And it involved scissors and often what was called “cut and paste”. Editors were actually cutting text passages and images and pasted them somewhere else. With actual glue.
Let's stay back in time That is Apple's Lisa. This computer supported something that has been fist implemented in text editors in the mid seventies That feature was called “cut and paste” and allowed developers to move segments of text in a more convenient way. No scissors involved. Apple however was the one to name the interim memory to store cut and paste data. They called it “The Clipboard”.
The Origins of the Clipboard Data transfer with expanded clipboard formats EP 0717354 A1, 1995, MSFT
The Clipboard Today ● It stores intermediate data ● Sometimes the data goes from one position in a document to another position ● Sometimes across documents ● Sometimes across applications ● Sometimes across systems ● Usually triggered by user-interaction ● Such as copy&paste ● Or cut&paste ● Or drag&drop ● The clipboard can handle many different data formats ● And that's where it's getting interesting!
A simple example ● Let's now copy a piece of text and see what happens in the clipboard ● For examination, we use the tool ClipView from Peter Büttner, written in July 2003 ● So, we simply open the editor, notepad.exe, copy something and use the tool
It also runs with Wine
Clipboard & Notepad
Clipboard & Word 2013
<![endif]--> </head> <body lang=EN-US style='tab-interval:.5in'> <!--StartFragment--> <p class=MsoNormal><b style='mso-bidi-font-weight:normal'><span style='font-size:22.0pt;line-height:107%'>JUSTIN <span style='color:red'>B</span><span style='color:#70AD47;mso-themecolor:accent6'>e</span><span style='background: yellow;mso-highlight:yellow'>i</span>b<span style='color:#4472C4;mso- themecolor: accent5'>er</span>! U are my HERO!<o:p></o:p></span></b></p> <p class=MsoNormal><b style='mso-bidi-font-weight:normal'><u><span style='font-size:22.0pt;line-height:107%;background:yellow;mso- highlight:yellow'>Please foollw me on Twertr</span></u></b><b style='mso-bidi-font- weight:normal'><u><span style='font-size:22.0pt;line- height:107%'><o:p></o:p></span></u></b></p> <!--EndFragment--> </body> </html>
Let's Recap ● The clipboard is a complex object containing more than just text. ● It can hold several different data formats at the same time. Let's call those “buckets” for simplicity sake ● An application, upon copying or similar creates those buckets and fills them with data ● Another application can pick one of these upon pasting ● If e.g. Office creates an HTML bucket from DOC, MSIE can say “Hey – I'll take that one” ● There's almost unlimited types of buckets – it's all up to the application ● A bucket can also contain file information, whole folders, bitmaps, sound waves, whatever is necessary
Now, Security ● If one application creates data that other applications may use, injections might be possible ● One application might be able to produce data that harms the other application. Or its user. ● But how can we get test if that is possible? And how can we find injection points?
Let's analyze it! We create a ODT file in LibreOffice. We add some interesting and meaningful text with styles and set it to a non- standard font. Then we copy the text so we have it in our clipboard.
What's in our clipboard? We paste the copied text into the browser. Specifically a small tool we created for getting more intelligence on the HTML bucket of the clipboard.
<style type="text/css">H1 { margin-bottom: 0.21cm; } H1.western { font-family: "Liberation Sans",sans-serif; font-size: 16pt; }H1.cjk { font-family: "WenQuanYi Micro Hei"; font-size: 16pt; }H1.ctl { font-family: "Lohit Hindi"; font-size: 16pt; }P { margin-bottom: 0.21cm; }</style> <h1 class="western" style="background: #6666ff" align="CENTER"><font color="#800000"><font face="Gentium Book Basic"><font style="font-size: 28pt" size="6"><span style="background: #ffff00">Aaaaw Gaaawd J<font color="#ff0000">u</font><span style="background: #00ccff">st</span><font color="#00cc00">iii</font>n! </span></font></font></font> </h1> <h1 class="western" align="CENTER"><font color="#800000"><font face="Gentium Book Basic"><font style="font-size: 28pt" size="6"><span style="background: #ffff00">Falllaaaaw maw ahn Twataaaah!</span></font></font></font></h1>
Does it correspond? ● Now, we can see that certain seemingly influencable parts from the document are in the generated HTML ● If we have a look into the document itself, will we find and can we change those parts? ● And create a HTML injection with them? ● Let's try. OpenOffice documents are ZIP files. ● One of the contained files is called styles.xml ● It looks like this
The ODT's Content
The File styles.xml
Let's play with that!
Now, what can we do? ● We can in fact inject into the clipboard HTML! ● We can have a valid doc with no traces of an attack by editing styles.xml ● We specifically change font family names. ● We can copy from that document and paste into the browser. ● And we will be able to generate HTML from thin air. ● Because our injected text breaks the generated style element and keeps going from there. ● We cannot inject scripts or iframes though. ● Because browsers sanitize the HTML clipboard!
OpenOffice → Browser ● Well, we know already that by injecting into the font- family names inside styles.xml we can inject HTML on paste ● But we cannot simply inject HTML that executes JavaScript ● It will be stripped by the in-browser clipboard sanitizer ● So we need a bypass for that filter. And we need to squeeze that into the font-family name ● Is there a bypass? Yes there is – even a multi-browser bypass working on both Chrome and Firefox!
OpenOffice → Browser </style><svg><style>svg {position:fixed}</style><style>svg {top:0}</style><style>svg {left:0}</style> <style>svg {height:10000px}</style> <style>svg {width:10000px}</style> <style>svg {opacity:0}</style> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?"><circle r="4000"></circle> <animate attributeName="xlink:href" begin="0" from="javascript:alert(document.domain)" to="&" /> </a>
OpenOffice → Browser <office:font-face-decls><style:font-face style:name="&lt;/style&gt;&lt;div contenteditable=false&gt;&lt;svg&gt;&lt;style&gt;svg {position:fixed}&lt;/style&gt;&lt;style&gt;svg {top:0}&lt;/style&gt;&lt;style&gt;svg {left:0}&lt;/style&gt; &lt;style&gt;svg {height:10000px}&lt;/style&gt; &lt;style&gt;svg {width:10000px}&lt;/style&gt; &lt;style&gt;svg {opacity:0}&lt;/style&gt; &lt;a xmlns:xlink=&quot;http://www.w3.org/1999/xlink&quot; xlink:href=&quot;?&quot;&gt; &lt;circle r=&quot;4000&quot;&gt;&lt;/circle&gt; &lt;animate attributeName=&quot;xlink:href&quot; begin=&quot;0&quot; from=&quot;javascript:alert(document.domain)&quot; to=&quot;&amp;&quot; /&gt; &lt;/a&gt;1" svg:font- family="Harmless"/>
OpenOffice → Browser
OpenOffice → Browser I. We create an OpenOffice document II. We rename the file from ODT to ZIP III. We open the ZIP and then edit the file styles.xml IV. Inside that file we find “Micro Hei” and change it V. We use a HTML-encoded closing style element and an animatable SVG VI. We do this because Firefox and Chrome sanitize the clipboard VII. By using the SVG trick, we bypass the sanitizer VIII.We save the styles.xml, rename the file from ZIP to ODT IX. We copy from OpenOffice, paste into the browser X. We have XSS on Firefox and Chrome
PDF → Browser
PDF → Browser
PDF → Browser
PDF → Browser I. We create a benign PDF II. We find the section on font-family names III. We modify them carefully with a hex editor IV. We learn that parenthesis is not allowed in font-family names V. We evade that by using I. VBS for IE10 or IE11 in IE10-docmode II. ES6 and execution via alert`1` for IE12 VI. Adobe Reader produces a RTF bucket VII. IE “understands” the RTF bucket and turns it into HTML I. This alone should be another interesting research topic VIII. We have another XSS
MS Office → Browser
MS Office → Browser
MS Office → Browser
MS Office → Browser
MS Office → Browser I. We create a DOC file with a hyperlink II. We carefully edit it via hex editor III. We add some HTML around the hyperlink IV. We use contenteditable=false to make it “clickable” V. Word creates a HTML bucket on copy VI. MSIE “understands” that upon pasting VII.We have an XSS Or we do it just as with OpenOffice and use a DOCX instead of a DOC, we open it as ZIP, edit around in the content file and cause XSS like that
XPS → Browser
XPS → Browser
XPS → Browser
XPS → Browser: Cookbook I. We take some free font from somewhere II. We modify its properties using font-forge III. We add XSS payload into one of the properties IV. We install the font on our system V. We create a document and save it as XPS VI. The font will now be embedded VII. We use the XPS on a different system VIII.The font-family name will contain XSS payload IX. IE understands that X. We have another XSS Again upon paste, this time no other user interaction required
Overview ● PDF → Browser, works in MSIE. PDF readers do not create a HTML Bucket but MSIE also understands RTF buckets and transforms them to HTML on its own. ● DOC/DOCX → Browser, works in MSIE – from Office 2013 but not the Word Viewer. Similarly works in other office products ● XPS → Browser, works in MSIE because of a bug in the clipboard sanitizer. Necessary tools here are a malicious font created with font- forge ● ODT → Browser, works in Chrome and Firefox because of clipboard sanitizer bugs. Sanitizer between tabs is fine, sanitizer between applications is broken ● Most of the attacks survive changes in the document! ● “Affected” office software ● Office 2013, LibreOffice and similar tools, PDF Reader, FoxIT Reader ● They can be used to poison the clipboard with malicious markup ● Affected browsers ● Just MSIE, Chrome, Opera, Safari, Firefox, anything WebKit or Blink. Strangely, Blink on Windows behaves differently from Blink on *nix
More Surface ● Attackers can use Flash to stuff your clipboard too ● Flash can fill the HTML and the RTF bucket ● All you need is a click ● You can also embed a Flash in a PDF and once it's clicked it fills your clipboard ● On MSIE, you also have ways to fill the clipboard without user consent, but no HTML or RTF buckets ● So Flash remains the most attractive vector here ● Yet, abusing that smartly is a different story
Defense ● All discovered attack techniques were reported to browser vendors. They need to fix their clipboard sanitizers ● Websites can fix the shortcomings of browsers too – and sanitize after paste ● We can for instance utilize our tool DOMPurify to do the job ● To illustrate how it works, we created a browser extension that does two things: ● We called it PastePurify. Don't use it, it's just a PoC! ● It sanitizes the HTML of an element pasted into after pasting. Not optimal but good enough for a proof of concept ● It allows to show the HTML bucket of the clipboard. Very useful. ● Let's have a look at that! ● Oh, and NoScript has a fix too! ● And consider using Ctrl+Shift+V a bit more often :)
How it works window.addEventListener('load', function(){ var cb = document.getElementById('clipboard'); cb.focus(); cb.addEventListener('paste', function(){ cb.value=event.clipboardData.getData('text/html'); }, false); document.execCommand('paste'); }, false);
Future Work ● We have seen data being copied from one software into another ● The manipulated documents were used to inject data into the clipboard – that will then execute in a whole different context ● We mainly focused on office software and browsers. Plausible attack and proper impact. Any why not, right? ● But we didn't have a look at different directions. Or different types of software ● That said, the attack surface is huge! ● Clipboard interaction is a major convenience tool and cannot be replaced easily ● But it's completely transparent to the common user and much damage can be dealt ● And by just looking at different software, you might find bugs and attack vectors within hours ● Maybe a PoC || GTFO with some copy&paste surprises?
Conclusion Be careful when you copy & paste. Don't trust that invisible thing that contains and deals out complex data. One day, it's gonna bite you :)
The End ● Question? ● Comments? ● Thanks a lot! ● Talk Material & PoCs

Recommended

ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
Mario Heiderich
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJS
Mario Heiderich
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
Sergey Belov
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
Дмитрий Бумов
 

Recommended

ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
Mario Heiderich
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJS
Mario Heiderich
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
Sergey Belov
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
Дмитрий Бумов
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
GarethHeyes
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
testuser1223
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksJSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksMario Heiderich
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
Christopher Frohoff
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you scream
Mario Heiderich
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site ScriptingAli Mattash
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web Servers
Sam Bowne
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSS
Дмитрий Бумов
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
Nikto
NiktoNikto
Nikto
Sorina Chirilă
 
Cookies and sessions
Cookies and sessionsCookies and sessions
Cookies and sessions
Lena Petsenchuk
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
Michael Hendrickx
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
Mathias Karlsson
 
XSS
XSSXSS
XSS
Hrishikesh Mishra
 
ES2015 / ES6: Basics of modern Javascript
ES2015 / ES6: Basics of modern JavascriptES2015 / ES6: Basics of modern Javascript
ES2015 / ES6: Basics of modern Javascript
Wojciech Dzikowski
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP
 
HTML Web Devlopment presentation css.ppt
HTML Web Devlopment presentation css.pptHTML Web Devlopment presentation css.ppt
HTML Web Devlopment presentation css.ppt
raghavanp4
 
css.ppt
css.pptcss.ppt
css.ppt
DakshPratapSingh1
 

More Related Content

What's hot

XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
GarethHeyes
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
testuser1223
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksJSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksMario Heiderich
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
Christopher Frohoff
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you scream
Mario Heiderich
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site ScriptingAli Mattash
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web Servers
Sam Bowne
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSS
Дмитрий Бумов
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
CODE WHITE GmbH
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
Nikto
NiktoNikto
Nikto
Sorina Chirilă
 
Cookies and sessions
Cookies and sessionsCookies and sessions
Cookies and sessions
Lena Petsenchuk
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
Michael Hendrickx
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
Mathias Karlsson
 
XSS
XSSXSS
XSS
Hrishikesh Mishra
 
ES2015 / ES6: Basics of modern Javascript
ES2015 / ES6: Basics of modern JavascriptES2015 / ES6: Basics of modern Javascript
ES2015 / ES6: Basics of modern Javascript
Wojciech Dzikowski
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP
 

What's hot (20)

XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksJSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you scream
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site Scripting
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web Servers
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSS
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
Nikto
NiktoNikto
Nikto
 
Cookies and sessions
Cookies and sessionsCookies and sessions
Cookies and sessions
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
XSS
XSSXSS
XSS
 
ES2015 / ES6: Basics of modern Javascript
ES2015 / ES6: Basics of modern JavascriptES2015 / ES6: Basics of modern Javascript
ES2015 / ES6: Basics of modern Javascript
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
 

Similar to Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-application XSS

HTML Web Devlopment presentation css.ppt
HTML Web Devlopment presentation css.pptHTML Web Devlopment presentation css.ppt
HTML Web Devlopment presentation css.ppt
raghavanp4
 
css.ppt
css.pptcss.ppt
css.ppt
DakshPratapSingh1
 
css.ppt
css.pptcss.ppt
css.ppt
Sana903754
 
Class 4 handout two column layout w mobile web design
Class 4 handout two column layout w mobile web designClass 4 handout two column layout w mobile web design
Class 4 handout two column layout w mobile web designErin M. Kidwell
 
モダンなCSS設計パターンを考える
モダンなCSS設計パターンを考えるモダンなCSS設計パターンを考える
モダンなCSS設計パターンを考える
拓樹 谷
 
UTEP AITP Presentation - 10/17/2012
UTEP AITP Presentation - 10/17/2012UTEP AITP Presentation - 10/17/2012
UTEP AITP Presentation - 10/17/2012impulsedev
 
GDI Seattle Intermediate HTML and CSS Class 1
GDI Seattle Intermediate HTML and CSS Class 1GDI Seattle Intermediate HTML and CSS Class 1
GDI Seattle Intermediate HTML and CSS Class 1Heather Rock
 
Introduction to HTML and CSS
Introduction to HTML and CSSIntroduction to HTML and CSS
Introduction to HTML and CSS
danpaquette
 
Using HTML5 sensibly
Using HTML5 sensiblyUsing HTML5 sensibly
Using HTML5 sensibly
Christian Heilmann
 
モダンなCSS設計パターンを考える
モダンなCSS設計パターンを考えるモダンなCSS設計パターンを考える
モダンなCSS設計パターンを考える
拓樹 谷
 
Diazo: Bridging Designers and Programmers
Diazo: Bridging Designers and ProgrammersDiazo: Bridging Designers and Programmers
Diazo: Bridging Designers and Programmers
TsungWei Hu
 
Use Web Skills To Build Mobile Apps
Use Web Skills To Build Mobile AppsUse Web Skills To Build Mobile Apps
Use Web Skills To Build Mobile Apps
Nathan Smith
 
Slow kinda sucks
Slow kinda sucksSlow kinda sucks
Slow kinda sucks
Tim Wright
 
Introduction to Responsive Web Design
Introduction to Responsive Web DesignIntroduction to Responsive Web Design
Introduction to Responsive Web Design
Clarissa Peterson
 
Web Accessibility for the 21st Century
Web Accessibility for the 21st CenturyWeb Accessibility for the 21st Century
Web Accessibility for the 21st Century
dreamwidth
 
Using a CSS Framework
Using a CSS FrameworkUsing a CSS Framework
Using a CSS Framework
Gareth Saunders
 
Html5 intro
Html5 introHtml5 intro
Html5 intro
Wilfred Nas
 
WebDev Simplified Day 1 ppt.ppt
WebDev Simplified Day 1 ppt.pptWebDev Simplified Day 1 ppt.ppt
WebDev Simplified Day 1 ppt.ppt
SarikaPurohit1
 
Emerging threats jonkman_sans_cti_summit_2015
Emerging threats jonkman_sans_cti_summit_2015Emerging threats jonkman_sans_cti_summit_2015
Emerging threats jonkman_sans_cti_summit_2015
Emerging Threats
 

Similar to Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-application XSS (20)

HTML Web Devlopment presentation css.ppt
HTML Web Devlopment presentation css.pptHTML Web Devlopment presentation css.ppt
HTML Web Devlopment presentation css.ppt
 
css.ppt
css.pptcss.ppt
css.ppt
 
css.ppt
css.pptcss.ppt
css.ppt
 
Class 4 handout two column layout w mobile web design
Class 4 handout two column layout w mobile web designClass 4 handout two column layout w mobile web design
Class 4 handout two column layout w mobile web design
 
Juggling
JugglingJuggling
Juggling
 
モダンなCSS設計パターンを考える
モダンなCSS設計パターンを考えるモダンなCSS設計パターンを考える
モダンなCSS設計パターンを考える
 
UTEP AITP Presentation - 10/17/2012
UTEP AITP Presentation - 10/17/2012UTEP AITP Presentation - 10/17/2012
UTEP AITP Presentation - 10/17/2012
 
GDI Seattle Intermediate HTML and CSS Class 1
GDI Seattle Intermediate HTML and CSS Class 1GDI Seattle Intermediate HTML and CSS Class 1
GDI Seattle Intermediate HTML and CSS Class 1
 
Introduction to HTML and CSS
Introduction to HTML and CSSIntroduction to HTML and CSS
Introduction to HTML and CSS
 
Using HTML5 sensibly
Using HTML5 sensiblyUsing HTML5 sensibly
Using HTML5 sensibly
 
モダンなCSS設計パターンを考える
モダンなCSS設計パターンを考えるモダンなCSS設計パターンを考える
モダンなCSS設計パターンを考える
 
Diazo: Bridging Designers and Programmers
Diazo: Bridging Designers and ProgrammersDiazo: Bridging Designers and Programmers
Diazo: Bridging Designers and Programmers
 
Use Web Skills To Build Mobile Apps
Use Web Skills To Build Mobile AppsUse Web Skills To Build Mobile Apps
Use Web Skills To Build Mobile Apps
 
Slow kinda sucks
Slow kinda sucksSlow kinda sucks
Slow kinda sucks
 
Introduction to Responsive Web Design
Introduction to Responsive Web DesignIntroduction to Responsive Web Design
Introduction to Responsive Web Design
 
Web Accessibility for the 21st Century
Web Accessibility for the 21st CenturyWeb Accessibility for the 21st Century
Web Accessibility for the 21st Century
 
Using a CSS Framework
Using a CSS FrameworkUsing a CSS Framework
Using a CSS Framework
 
Html5 intro
Html5 introHtml5 intro
Html5 intro
 
WebDev Simplified Day 1 ppt.ppt
WebDev Simplified Day 1 ppt.pptWebDev Simplified Day 1 ppt.ppt
WebDev Simplified Day 1 ppt.ppt
 
Emerging threats jonkman_sans_cti_summit_2015
Emerging threats jonkman_sans_cti_summit_2015Emerging threats jonkman_sans_cti_summit_2015
Emerging threats jonkman_sans_cti_summit_2015
 

More from Mario Heiderich

The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
Mario Heiderich
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesMario Heiderich
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Mario Heiderich
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
Mario Heiderich
 
HTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyMario Heiderich
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupMario Heiderich
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010Mario Heiderich
 
Web Wuermer
Web WuermerWeb Wuermer
Web Wuermer
Mario Heiderich
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009Mario Heiderich
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS SmackdownMario Heiderich
 
I thought you were my friend!
I thought you were my friend!I thought you were my friend!
I thought you were my friend!
Mario Heiderich
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Mario Heiderich
 

More from Mario Heiderich (14)

The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
 
The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG Files
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
 
HTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the Ugly
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious Markup
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
 
Web Wuermer
Web WuermerWeb Wuermer
Web Wuermer
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS Smackdown
 
I thought you were my friend!
I thought you were my friend!I thought you were my friend!
I thought you were my friend!
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8
 

Recently uploaded

How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
JungkooksNonexistent
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
nirahealhty
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
Himani415946
 
Output determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CCOutput determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CC
ShahulHameed54211
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
TristanJasperRamos
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
natyesu
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Sanjeev Rampal
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 

Recently uploaded (16)

How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 
Output determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CCOutput determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CC
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 

Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-application XSS

  • 1. Copy & Pest A case-study on the clipboard, blind trust and invisible cross-application XSS A talk by Mario Heiderich mario@cure53.de || @0x6D6172696F
  • 2. Don't accept any documents from this man ● Dr.-Ing. Mario Heiderich ● Researcher and Post-Doc, Ruhr-Uni Bochum – PhD Thesis about Client Side Security and Defense ● Founder of Cure53 – Pentest- & Security-Firm located in Berlin – Consulting, Workshops, Trainings – „Simply the Best Company in the World“ ● Published Author and Speaker – Specialized on HTML5, DOM and SVG Security – JavaScript, XSS and Client Side Attacks ● HTML5 Security Cheatsheet ● And DOMPurify! – @0x6D6172696F – mario@cure53.de
  • 4. We open a document
  • 5. We copy & paste into Gmail
  • 7. Technical Background ● There's some things we need to talk about – and will in a few minutes ● What did just happen here? ● Why did it happen? ● How else can this happen? ● What can we do against it? ● Who should actually fix it? ● Now let's get to it, shall we
  • 9. What did just happen here? ● We have seen an attack that abuses a copy&paste interaction ● We copied from a seemingly harmless document, here LibreOffice ● We then pasted into the browser, here the Gmail compose window ● And all of a sudden, HTML and JavaScript unfold and cause XSS. Or even XAS. ● Although the application we pasted from doesn't understand HTML at all. Strange, right?
  • 10. Why did it happen? ● To understand, why it happened, we first must understand where the HTML came from ● And what is the transport medium for the rogue data ● We also need to understand what is expected behavior ● And then we can learn how to deviate from that. But how can we find out in the first place?
  • 11. Let's go back in time In the years before computers were around, even before photocopiers were around, manuscript editing was a tedious craft. And it involved scissors and often what was called “cut and paste”. Editors were actually cutting text passages and images and pasted them somewhere else. With actual glue.
  • 12. Let's stay back in time That is Apple's Lisa. This computer supported something that has been fist implemented in text editors in the mid seventies That feature was called “cut and paste” and allowed developers to move segments of text in a more convenient way. No scissors involved. Apple however was the one to name the interim memory to store cut and paste data. They called it “The Clipboard”.
  • 13. The Origins of the Clipboard Data transfer with expanded clipboard formats EP 0717354 A1, 1995, MSFT
  • 14. The Clipboard Today ● It stores intermediate data ● Sometimes the data goes from one position in a document to another position ● Sometimes across documents ● Sometimes across applications ● Sometimes across systems ● Usually triggered by user-interaction ● Such as copy&paste ● Or cut&paste ● Or drag&drop ● The clipboard can handle many different data formats ● And that's where it's getting interesting!
  • 15. A simple example ● Let's now copy a piece of text and see what happens in the clipboard ● For examination, we use the tool ClipView from Peter Büttner, written in July 2003 ● So, we simply open the editor, notepad.exe, copy something and use the tool
  • 16. It also runs with Wine
  • 19. <![endif]--> </head> <body lang=EN-US style='tab-interval:.5in'> <!--StartFragment--> <p class=MsoNormal><b style='mso-bidi-font-weight:normal'><span style='font-size:22.0pt;line-height:107%'>JUSTIN <span style='color:red'>B</span><span style='color:#70AD47;mso-themecolor:accent6'>e</span><span style='background: yellow;mso-highlight:yellow'>i</span>b<span style='color:#4472C4;mso- themecolor: accent5'>er</span>! U are my HERO!<o:p></o:p></span></b></p> <p class=MsoNormal><b style='mso-bidi-font-weight:normal'><u><span style='font-size:22.0pt;line-height:107%;background:yellow;mso- highlight:yellow'>Please foollw me on Twertr</span></u></b><b style='mso-bidi-font- weight:normal'><u><span style='font-size:22.0pt;line- height:107%'><o:p></o:p></span></u></b></p> <!--EndFragment--> </body> </html>
  • 20. Let's Recap ● The clipboard is a complex object containing more than just text. ● It can hold several different data formats at the same time. Let's call those “buckets” for simplicity sake ● An application, upon copying or similar creates those buckets and fills them with data ● Another application can pick one of these upon pasting ● If e.g. Office creates an HTML bucket from DOC, MSIE can say “Hey – I'll take that one” ● There's almost unlimited types of buckets – it's all up to the application ● A bucket can also contain file information, whole folders, bitmaps, sound waves, whatever is necessary
  • 21.
  • 22. Now, Security ● If one application creates data that other applications may use, injections might be possible ● One application might be able to produce data that harms the other application. Or its user. ● But how can we get test if that is possible? And how can we find injection points?
  • 23. Let's analyze it! We create a ODT file in LibreOffice. We add some interesting and meaningful text with styles and set it to a non- standard font. Then we copy the text so we have it in our clipboard.
  • 24. What's in our clipboard? We paste the copied text into the browser. Specifically a small tool we created for getting more intelligence on the HTML bucket of the clipboard.
  • 25. <style type="text/css">H1 { margin-bottom: 0.21cm; } H1.western { font-family: "Liberation Sans",sans-serif; font-size: 16pt; }H1.cjk { font-family: "WenQuanYi Micro Hei"; font-size: 16pt; }H1.ctl { font-family: "Lohit Hindi"; font-size: 16pt; }P { margin-bottom: 0.21cm; }</style> <h1 class="western" style="background: #6666ff" align="CENTER"><font color="#800000"><font face="Gentium Book Basic"><font style="font-size: 28pt" size="6"><span style="background: #ffff00">Aaaaw Gaaawd J<font color="#ff0000">u</font><span style="background: #00ccff">st</span><font color="#00cc00">iii</font>n! </span></font></font></font> </h1> <h1 class="western" align="CENTER"><font color="#800000"><font face="Gentium Book Basic"><font style="font-size: 28pt" size="6"><span style="background: #ffff00">Falllaaaaw maw ahn Twataaaah!</span></font></font></font></h1>
  • 26. Does it correspond? ● Now, we can see that certain seemingly influencable parts from the document are in the generated HTML ● If we have a look into the document itself, will we find and can we change those parts? ● And create a HTML injection with them? ● Let's try. OpenOffice documents are ZIP files. ● One of the contained files is called styles.xml ● It looks like this
  • 30. Now, what can we do? ● We can in fact inject into the clipboard HTML! ● We can have a valid doc with no traces of an attack by editing styles.xml ● We specifically change font family names. ● We can copy from that document and paste into the browser. ● And we will be able to generate HTML from thin air. ● Because our injected text breaks the generated style element and keeps going from there. ● We cannot inject scripts or iframes though. ● Because browsers sanitize the HTML clipboard!
  • 31. OpenOffice → Browser ● Well, we know already that by injecting into the font- family names inside styles.xml we can inject HTML on paste ● But we cannot simply inject HTML that executes JavaScript ● It will be stripped by the in-browser clipboard sanitizer ● So we need a bypass for that filter. And we need to squeeze that into the font-family name ● Is there a bypass? Yes there is – even a multi-browser bypass working on both Chrome and Firefox!
  • 32. OpenOffice → Browser </style><svg><style>svg {position:fixed}</style><style>svg {top:0}</style><style>svg {left:0}</style> <style>svg {height:10000px}</style> <style>svg {width:10000px}</style> <style>svg {opacity:0}</style> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?"><circle r="4000"></circle> <animate attributeName="xlink:href" begin="0" from="javascript:alert(document.domain)" to="&" /> </a>
  • 33. OpenOffice → Browser <office:font-face-decls><style:font-face style:name="&lt;/style&gt;&lt;div contenteditable=false&gt;&lt;svg&gt;&lt;style&gt;svg {position:fixed}&lt;/style&gt;&lt;style&gt;svg {top:0}&lt;/style&gt;&lt;style&gt;svg {left:0}&lt;/style&gt; &lt;style&gt;svg {height:10000px}&lt;/style&gt; &lt;style&gt;svg {width:10000px}&lt;/style&gt; &lt;style&gt;svg {opacity:0}&lt;/style&gt; &lt;a xmlns:xlink=&quot;http://www.w3.org/1999/xlink&quot; xlink:href=&quot;?&quot;&gt; &lt;circle r=&quot;4000&quot;&gt;&lt;/circle&gt; &lt;animate attributeName=&quot;xlink:href&quot; begin=&quot;0&quot; from=&quot;javascript:alert(document.domain)&quot; to=&quot;&amp;&quot; /&gt; &lt;/a&gt;1" svg:font- family="Harmless"/>
  • 35. OpenOffice → Browser I. We create an OpenOffice document II. We rename the file from ODT to ZIP III. We open the ZIP and then edit the file styles.xml IV. Inside that file we find “Micro Hei” and change it V. We use a HTML-encoded closing style element and an animatable SVG VI. We do this because Firefox and Chrome sanitize the clipboard VII. By using the SVG trick, we bypass the sanitizer VIII.We save the styles.xml, rename the file from ZIP to ODT IX. We copy from OpenOffice, paste into the browser X. We have XSS on Firefox and Chrome
  • 39. PDF → Browser I. We create a benign PDF II. We find the section on font-family names III. We modify them carefully with a hex editor IV. We learn that parenthesis is not allowed in font-family names V. We evade that by using I. VBS for IE10 or IE11 in IE10-docmode II. ES6 and execution via alert`1` for IE12 VI. Adobe Reader produces a RTF bucket VII. IE “understands” the RTF bucket and turns it into HTML I. This alone should be another interesting research topic VIII. We have another XSS
  • 40. MS Office → Browser
  • 41. MS Office → Browser
  • 42. MS Office → Browser
  • 43. MS Office → Browser
  • 44. MS Office → Browser I. We create a DOC file with a hyperlink II. We carefully edit it via hex editor III. We add some HTML around the hyperlink IV. We use contenteditable=false to make it “clickable” V. Word creates a HTML bucket on copy VI. MSIE “understands” that upon pasting VII.We have an XSS Or we do it just as with OpenOffice and use a DOCX instead of a DOC, we open it as ZIP, edit around in the content file and cause XSS like that
  • 48. XPS → Browser: Cookbook I. We take some free font from somewhere II. We modify its properties using font-forge III. We add XSS payload into one of the properties IV. We install the font on our system V. We create a document and save it as XPS VI. The font will now be embedded VII. We use the XPS on a different system VIII.The font-family name will contain XSS payload IX. IE understands that X. We have another XSS Again upon paste, this time no other user interaction required
  • 49. Overview ● PDF → Browser, works in MSIE. PDF readers do not create a HTML Bucket but MSIE also understands RTF buckets and transforms them to HTML on its own. ● DOC/DOCX → Browser, works in MSIE – from Office 2013 but not the Word Viewer. Similarly works in other office products ● XPS → Browser, works in MSIE because of a bug in the clipboard sanitizer. Necessary tools here are a malicious font created with font- forge ● ODT → Browser, works in Chrome and Firefox because of clipboard sanitizer bugs. Sanitizer between tabs is fine, sanitizer between applications is broken ● Most of the attacks survive changes in the document! ● “Affected” office software ● Office 2013, LibreOffice and similar tools, PDF Reader, FoxIT Reader ● They can be used to poison the clipboard with malicious markup ● Affected browsers ● Just MSIE, Chrome, Opera, Safari, Firefox, anything WebKit or Blink. Strangely, Blink on Windows behaves differently from Blink on *nix
  • 50. More Surface ● Attackers can use Flash to stuff your clipboard too ● Flash can fill the HTML and the RTF bucket ● All you need is a click ● You can also embed a Flash in a PDF and once it's clicked it fills your clipboard ● On MSIE, you also have ways to fill the clipboard without user consent, but no HTML or RTF buckets ● So Flash remains the most attractive vector here ● Yet, abusing that smartly is a different story
  • 51. Defense ● All discovered attack techniques were reported to browser vendors. They need to fix their clipboard sanitizers ● Websites can fix the shortcomings of browsers too – and sanitize after paste ● We can for instance utilize our tool DOMPurify to do the job ● To illustrate how it works, we created a browser extension that does two things: ● We called it PastePurify. Don't use it, it's just a PoC! ● It sanitizes the HTML of an element pasted into after pasting. Not optimal but good enough for a proof of concept ● It allows to show the HTML bucket of the clipboard. Very useful. ● Let's have a look at that! ● Oh, and NoScript has a fix too! ● And consider using Ctrl+Shift+V a bit more often :)
  • 52. How it works window.addEventListener('load', function(){ var cb = document.getElementById('clipboard'); cb.focus(); cb.addEventListener('paste', function(){ cb.value=event.clipboardData.getData('text/html'); }, false); document.execCommand('paste'); }, false);
  • 53. Future Work ● We have seen data being copied from one software into another ● The manipulated documents were used to inject data into the clipboard – that will then execute in a whole different context ● We mainly focused on office software and browsers. Plausible attack and proper impact. Any why not, right? ● But we didn't have a look at different directions. Or different types of software ● That said, the attack surface is huge! ● Clipboard interaction is a major convenience tool and cannot be replaced easily ● But it's completely transparent to the common user and much damage can be dealt ● And by just looking at different software, you might find bugs and attack vectors within hours ● Maybe a PoC || GTFO with some copy&paste surprises?
  • 54. Conclusion Be careful when you copy & paste. Don't trust that invisible thing that contains and deals out complex data. One day, it's gonna bite you :)
  • 55. The End ● Question? ● Comments? ● Thanks a lot! ● Talk Material & PoCs