Toorcon Seattle, 2011

XSS Without the Browser

Wait, what?
# whoami

Kyle Osborn… Many know me as Kos.
http://kyleosborn.com/
http://kos.io/
@theKos

Application Security Specialist at WhiteHat Security
HTML Rendering Engines

Trident – Windows (Internet Explorer)
WebKit – OS X (Safari)

Desktop applications embed these engines to draw parts of their UI:
  Easily embedded.
  Easy to update, add features, style, and include advanced user interaction with HTML, JavaScript and CSS.
  HTML5 features offer a more seamless desktop interface.
  Very cheap! HTML/JavaScript/CSS are simple.
What does this mean?

Web vulnerabilities… in desktop applications.

•  Conventional web vulnerabilities can now become desktop vulnerabilities.
•  Forget shellcode, my payload is JavaScript! My exploit isn't a buffer overflow, it's double-quotes!
•  Binary foo? More like "I once made a website for Grandma's knitting company"-foo.

Fixed in latest versions of Skype (>= 5.0.922)
So what, it's just a little JavaScript!

Same Origin Policy
  Dictates that JavaScript cannot reach content in another context.
  Origin based on:
    Protocol (http, https)
    Hostname (google.com)
    Port (:80)
    protocol://hostname:port/

But…
  The Same Origin Policy is based on an Origin.
  What is the "origin" inside desktop applications?
    No protocol
    No hostname
    No port
  So…
  
Demo #1 (or video…) [picking on Skype]

Payload:
  Injects an iframe with Google into the chat DOM.
  Injects <img src=x onerror=alert(document.domain)> into the iframe.

Uses Safari cookies and sessions in requests.
Demo #2 (or video…) [picking on Skype]

Payload:
  XMLHttpRequest opens file:///etc/passwd and then alerts it.
  Can access any file on the local filesystem that the user has permission to read.

Also works for https://mail.google.com/
  Can be used to bypass CSRF tokens, and requests can be crafted to essentially do anything.
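Both demos start from the same root cause: the chat client concatenates an attacker-controlled message into the HTML it hands to its embedded WebKit view, so the message author gets to write markup. The following is an added example, not code from the talk or from Skype; it models a hypothetical client that builds each message as an HTML string (the function names, the `msg` template and the sample messages are assumptions), shows the vulnerable pattern next to an output-escaped version, and uses the Demo #1 payload string from the slides as test input.

```javascript
// Added example, not code from the talk or from Skype. It models a hypothetical
// chat client that builds the HTML for each message as a string and hands it to
// its embedded rendering engine (e.g. via innerHTML). The payload string is the
// one shown on the Demo #1 slide; everything else here is constructed.

const PAYLOAD = '<img src=x onerror=alert(document.domain)>';

// Vulnerable pattern: the sender name and message body are concatenated straight
// into markup, so anyone who can send a message controls what the engine parses.
function renderMessageUnsafe(sender, body) {
  return '<div class="msg"><b>' + sender + '</b>: ' + body + '</div>';
}

// Escape the five characters that matter in text nodes and double-quoted
// attribute values. Do this at the point of output, never on the way in.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened version: every untrusted field is escaped before it reaches the parser.
// The payload is still displayed, but as literal text rather than as an element.
function renderMessageSafe(sender, body) {
  return '<div class="msg"><b>' + escapeHtml(sender) + '</b>: ' + escapeHtml(body) + '</div>';
}

// A regression check worth keeping in the test suite of any webview-backed client:
// an escaped untrusted string must never contain the start of a tag.
function containsTag(text) {
  return /<\s*\/?[a-z!]/i.test(text);
}

// Constructed sample run: two benign messages (one with '<' and '&', which the
// escaper must preserve as visible text) and the payload from the slide.
function runSamples() {
  const messages = [
    { sender: 'alice', body: 'hi' },
    { sender: 'bob',   body: '1 < 2 && 3 > 2' },
    { sender: 'kos',   body: PAYLOAD },
  ];
  return messages.map((m) => ({
    sender: m.sender,
    unsafeCarriesTag: containsTag(m.body),             // what renderMessageUnsafe passes through
    safeCarriesTag: containsTag(escapeHtml(m.body)),   // what renderMessageSafe passes through
    rendered: renderMessageSafe(m.sender, m.body),
  }));
}
```

Escaping at output fixes the injection, but it does not change the second half of the talk's argument: if the engine is configured so that the chat document has no origin, any other injection vector (a contact name, a file transfer name, a group chat topic) lands in the same context. Treat the webview as a remote-content renderer, so that a bypass of the escaping is "only" XSS and not a local file read.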
  
Basically…

If Origin = null… then BAD

If the "origin" doesn't exist, what is there to compare to?
Since http://www.google.com:80/ === null, JavaScript isn't really breaking any rules.
As far as I can tell, just a misconfiguration on the developer's side.

My point is: the outcome can be very bad; applications like this should be tested.
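The "Same Origin Policy" slide and the "Basically…" slide make one argument: the origin is a (scheme, host, port) tuple, a document loaded with no URL has none, and an engine that then skips the comparison lets the chat DOM reach https://mail.google.com/ and file:///etc/passwd alike. Note the contrast with a browser, where a document without a network origin gets an opaque origin that matches nothing, not even itself. The following added example (not code from the talk or from any real engine; the function names and the fail-open model are assumptions that follow the slide's description) puts both checks side by side so the claim can be exercised on the URLs the demos name.

```javascript
// Added example, not code from the talk or from any real engine. It models the
// argument of the slides: a browser's same-origin check, next to the comparison
// a document with no origin is left with, so the "origin = null" case can be
// reasoned about concretely. Uses Node's built-in WHATWG URL parser.

// Default ports per scheme: http://host/ and http://host:80/ are the same origin.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Origin tuple (scheme, host, port) rendered as a string, or null when the
// document has no network origin: file: URLs, about:blank, data: URLs, or HTML
// pushed into the engine with no URL at all (the chat DOM on the slides).
function originOf(url) {
  if (!url) return null;
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return u.protocol + '//' + u.hostname + ':' + (u.port || DEFAULT_PORTS[u.protocol]);
}

// What a browser does: a document without an origin gets an opaque origin that
// equals nothing, itself included, so it can reach no other context.
function canAccessBrowser(documentUrl, targetUrl) {
  const a = originOf(documentUrl), b = originOf(targetUrl);
  return a !== null && b !== null && a === b;
}

// The situation the slides describe (modelled, not copied from any engine): with
// no origin on the document there is nothing to compare, the check never fires,
// and every context is reachable.
function canAccessFailOpen(documentUrl, targetUrl) {
  const a = originOf(documentUrl);
  if (a === null) return true;
  return a === originOf(targetUrl);
}

// Audit one document URL against the targets named on the demo slides and
// report which policy lets it through. Pass undefined for a document with no URL.
function audit(documentUrl) {
  const targets = ['https://mail.google.com/', 'file:///etc/passwd', 'http://www.google.com:80/'];
  return targets.map((t) => ({
    target: t,
    browser: canAccessBrowser(documentUrl, t),
    failOpen: canAccessFailOpen(documentUrl, t),
  }));
}
```

Calling `audit(undefined)` reproduces the slides: under the fail-open model every target is reachable, under the browser model none is. The practical test for the "Where to look" list that follows is the same in every client: find the URL (if any) the embedded document was loaded from, inject `alert(document.domain)` through whatever text the application renders, and see whether a fetch of a file: URL or a logged-in web origin succeeds.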
  
Where to look

OS X:
  Adium
  iChat
  Twitter.app
  Skype
  …..

Windows/Linux:
  gwibber (Linux twitter client)
  AIM
  …there has got to be more
Information

Talk to me later. I'll be around for the parties, and Black Lodge tomorrow.
http://kos.io/skype (will be updated with slides and more info)
Twitter @theKos
Blog coming soon @ http://blog.whitehatsec.com
