SlideShare uma empresa Scribd logo

The Hidden XSS - Attacking the Desktop & Mobile Platforms

K
kosborn

The document discusses cross-site scripting (XSS) attacks that can occur outside of web browsers on desktop and mobile platforms. It provides examples of XSS vulnerabilities found in Skype, Adium, Android's Gmail app, Google Earth, and outlines a tool built to automate discovery and exfiltration of files across platforms like Mac, Android and others. The document encourages developers to properly filter HTML and secure apps from XSS attacks.

Tecnologia
1 de 28
Baixar para ler offline
The Hidden XSS Attacking the Desktop & Mobile Platforms Kos (Kyle Osborn) @theKos
alert(self) » ToorCon Seattle, » Oh, and this guy BlackHat, BSidesLV & DefCon » Red Team guy (or so I pretend) » Pentester » http://kos.io/
XSS within the browser » Usually considered a web browser based attack. » Users fire up their web browsers » Navigate to website with persistent XSS » Open up link with payload in the URL (bank.com?XSS) » iFrame with embedded vulnerable website » etc., etc. » But... not really browser specific...
XSS Definition for xss: Cross-site scripting is a security hazard that allows crackers to interfere with your program’s logic by inserting their own logic into your HTML. .... http://oreilly.com/ruby/excerpts/ruby-learning-rails/ruby-glossary.html
XSS without the browser  » So what's the big deal? » Not really able to steal cookies. » Phishing doesn't make sense. » Content spoofing? » Ad injection? » Meh...
XSS without the browser  » Local filesystem access? » XMLHttpRequest() » WebKit does not block XHR requests to file:/// » OS X, iOS, Android versions of WebKit » Except for Chrome
So... the fun stuff » Demos!
Demo #1 » Skype (5.0.x to <= 5.0.914) on Mac OS X » HTML not filtered in an instance, allowing an attacker to inject malicious JavaScript. » http://kos.io/skype for more info
Demo #2 » Adium <= 1.4.2 (OS X) » Unfiltered HTML in file transfer dialogue. » Almost the same as Skype. » http://www.noptrix.net/advisories/adium_inject.txt
Demo #3 » Skype on iOS 3.0.1 (Fixed as of 3.0.2) » Again, basic Cross Site Scripting » Discovered by while testing Skype on OS X » More info at https://superevr.com/2011/xss-in-skype-for-ios/
Demo #3
Introducing WebOS » Truly web-driven operating system » Easy application development » Posed to compete with iOS / Android » Oh yeah, apps are HTML5 / JavaScript
WebOS » WebOS. Because most apps are HTML/JS, many are susceptible to attacks. » However... actually more secure than previous vulns. » Security (kind-of) done right on it.
Demo #5 » Android's GMail app » Reported a few months ago... » Android (like iOS) uses separate users per application, limiting what each app can reach.
Demo #5 - Continued » GMail.apk allows HTML files to be downloaded. » Handles it in "HTML Viewer" properly, without JS. » However, XSS inside Gmail.app allows attacker to force download file. » Then force browser to open file:///..../attack.html
For my next trick...  Choose an OS » Linux » Windows » OS X » iOS
Demo #6 » Google Earth » Multi-platform - OS X, iOS, Linux & Windows » Payloaded KML file (Google Earth XML file) » Uses HTML for info-boxes » Uses vulnerable WebKit versoin
Tool! » To make it easier, wrote a tool. » JSON arrays for discovery functions() [what users, app] and files » base64 encodes & exfiltrates
Tool! fileList['mac']= { // How do we discover users? "discover" :'/Library/Preferences/com.apple.loginwindow.plist', // Okay, we found them, what do we pillage? "post" :{ 'bashHistory':'.bash_history', 'sshHosts':'.ssh/known_hosts', 'sshKeys':'.ssh/id_rsa.pub', } } fileList['android']= { // Instead of how, just figure out the currently in use appi "discover" :'/proc/self/status', // Okay, we found them, what do we pillage? "post" :{ 'browser_data':'/data/data/com.android.browser/databases/webview. db', 'browser_data2':'/data/data/com.android.browser/databases/browser.db', 'gmail_accounts':'/data/data/com. google.android.gm/shared_prefs/Gmail.xml', 'dolpin_data':'/data/data/mobi.mgeek.TunnyBrowser/databases/webview. db', 'dolpin_data2':'/data/data/mobi.mgeek.TunnyBrowser/databases/browser.db', 'chromeBookmarks':'. config/chromium/Default/Bookmarks' } }
Conclusion  » XSS is bad, mkay? » Developers don't know how / aren't trained to filter client side. » Easy to exploit. » Ping me at @theKos kos@kos.io http://kos.io/

Recomendados

WebView security on iOS (EN)
WebView security on iOS (EN)WebView security on iOS (EN)
WebView security on iOS (EN)
lpilorz
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
CODE BLUE
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentals
Simon Willison
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
Jeremiah Grossman
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
Kishor Kumar
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Magno Logan
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
Michael Hendrickx
 

Recomendados

WebView security on iOS (EN)
WebView security on iOS (EN)WebView security on iOS (EN)
WebView security on iOS (EN)
lpilorz
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
CODE BLUE
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentals
Simon Willison
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
Jeremiah Grossman
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
Kishor Kumar
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Magno Logan
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
Michael Hendrickx
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008
Caleb Sima
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
Jeremiah Grossman
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
Krzysztof Kotowicz
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011
Krishna T
 
Abusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS apps
SecuRing
 
JSFoo Chennai 2012
JSFoo Chennai 2012JSFoo Chennai 2012
JSFoo Chennai 2012
Krishna T
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
Michele Orru
 
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)
Jeremiah Grossman
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
Avădănei Andrei
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin Policy
Krishna T
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front end
Erlend Oftedal
 
Browser Security
Browser SecurityBrowser Security
Browser Security
Roberto Suggi Liverani
 
Secure web messaging in HTML5
Secure web messaging in HTML5Secure web messaging in HTML5
Secure web messaging in HTML5
Krishna T
 
Html5 security
Html5 securityHtml5 security
Html5 security
Krishna T
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
Yurii Bilyk
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
Rob Ragan
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
n|u - The Open Security Community
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 

Mais conteúdo relacionado

Mais procurados

Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
Jeremiah Grossman
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011
Krishna T
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
Michele Orru
 
Secure web messaging in HTML5
Secure web messaging in HTML5Secure web messaging in HTML5
Secure web messaging in HTML5
Krishna T
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
Rob Ragan
 

Mais procurados (20)

Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011
 
Abusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS apps
 
JSFoo Chennai 2012
JSFoo Chennai 2012JSFoo Chennai 2012
JSFoo Chennai 2012
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
 
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin Policy
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front end
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 
Secure web messaging in HTML5
Secure web messaging in HTML5Secure web messaging in HTML5
Secure web messaging in HTML5
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
 

Destaque

XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
guestad13b55
 
libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreath
CODE BLUE
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Mario Heiderich
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
Shreeraj Shah
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012
_mr_me
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload Vulnerability
Ronan Dunne, CEH, SSCP
 

Destaque (20)

XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit Creation
 
libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreath
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect Xss
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
 
Appsecurity, win or loose
Appsecurity, win or looseAppsecurity, win or loose
Appsecurity, win or loose
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF Session
 
{{more}} Kibana4
{{more}} Kibana4{{more}} Kibana4
{{more}} Kibana4
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012
 
Apache安装配置mod security
Apache安装配置mod securityApache安装配置mod security
Apache安装配置mod security
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigation
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
 
[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload Vulnerability
 

Semelhante a The Hidden XSS - Attacking the Desktop & Mobile Platforms

Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
Conviso Application Security
 
Continuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docxContinuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docx
richardnorman90310
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
 
CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...
CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...
CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...
PROIDEA
 

Semelhante a The Hidden XSS - Attacking the Desktop & Mobile Platforms (20)

Not only a XSS
Not only a XSSNot only a XSS
Not only a XSS
 
XSS Injection Vulnerabilities
XSS Injection VulnerabilitiesXSS Injection Vulnerabilities
XSS Injection Vulnerabilities
 
Application Context and Discovering XSS without
Application Context and Discovering XSS without Application Context and Discovering XSS without
Application Context and Discovering XSS without
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
 
Xss frame work
Xss frame workXss frame work
Xss frame work
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
 
Continuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docxContinuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docx
 
[Poland] It's only about frontend
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontend
 
Understand study
Understand studyUnderstand study
Understand study
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
 
Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)
 
iOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesiOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic Techniques
 
CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...
CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...
CONFidence 2015: iOS Hacking: Advanced Pentest & Forensic Techniques - Omer S...
 
Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019
 

Último

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 

Último (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

The Hidden XSS - Attacking the Desktop & Mobile Platforms

  • 1. The Hidden XSS Attacking the Desktop & Mobile Platforms Kos (Kyle Osborn) @theKos
  • 2. alert(self) » ToorCon Seattle, » Oh, and this guy BlackHat, BSidesLV & DefCon » Red Team guy (or so I pretend) » Pentester » http://kos.io/
  • 3. XSS within the browser » Usually considered a web browser based attack. » Users fire up their web browsers » Navigate to website with persistent XSS » Open up link with payload in the URL (bank.com?XSS) » iFrame with embedded vulnerable website » etc., etc. » But... not really browser specific...
  • 4. XSS Definition for xss: Cross-site scripting is a security hazard that allows crackers to interfere with your program’s logic by inserting their own logic into your HTML. .... http://oreilly.com/ruby/excerpts/ruby-learning-rails/ruby-glossary.html
  • 5.
  • 6. XSS without the browser  » So what's the big deal? » Not really able to steal cookies. » Phishing doesn't make sense. » Content spoofing? » Ad injection? » Meh...
  • 7. XSS without the browser  » Local filesystem access? » XMLHttpRequest() » WebKit does not block XHR requests to file:/// » OS X, iOS, Android versions of WebKit » Except for Chrome
  • 8. So... the fun stuff » Demos!
  • 9. Demo #1 » Skype (5.0.x to <= 5.0.914) on Mac OS X » HTML not filtered in an instance, allowing an attacker to inject malicious JavaScript. » http://kos.io/skype for more info
  • 10. Demo #2 » Adium <= 1.4.2 (OS X) » Unfiltered HTML in file transfer dialogue. » Almost the same as Skype. » http://www.noptrix.net/advisories/adium_inject.txt
  • 11. Demo #3 » Skype on iOS 3.0.1 (Fixed as of 3.0.2) » Again, basic Cross Site Scripting » Discovered by while testing Skype on OS X » More info at https://superevr.com/2011/xss-in-skype-for-ios/
  • 13.
  • 14. Introducing WebOS » Truly web-driven operating system » Easy application development » Posed to compete with iOS / Android » Oh yeah, apps are HTML5 / JavaScript
  • 15. WebOS » WebOS. Because most apps are HTML/JS, many are susceptible to attacks. » However... actually more secure than previous vulns. » Security (kind-of) done right on it.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20. Demo #5 » Android's GMail app » Reported a few months ago... » Android (like iOS) uses separate users per application, limiting what each app can reach.
  • 21.
  • 22.
  • 23. Demo #5 - Continued » GMail.apk allows HTML files to be downloaded. » Handles it in "HTML Viewer" properly, without JS. » However, XSS inside Gmail.app allows attacker to force download file. » Then force browser to open file:///..../attack.html
  • 24. For my next trick...  Choose an OS » Linux » Windows » OS X » iOS
  • 25. Demo #6 » Google Earth » Multi-platform - OS X, iOS, Linux & Windows » Payloaded KML file (Google Earth XML file) » Uses HTML for info-boxes » Uses vulnerable WebKit versoin
  • 26. Tool! » To make it easier, wrote a tool. » JSON arrays for discovery functions() [what users, app] and files » base64 encodes & exfiltrates
  • 27. Tool! fileList['mac']= { // How do we discover users? "discover" :'/Library/Preferences/com.apple.loginwindow.plist', // Okay, we found them, what do we pillage? "post" :{ 'bashHistory':'.bash_history', 'sshHosts':'.ssh/known_hosts', 'sshKeys':'.ssh/id_rsa.pub', } } fileList['android']= { // Instead of how, just figure out the currently in use appi "discover" :'/proc/self/status', // Okay, we found them, what do we pillage? "post" :{ 'browser_data':'/data/data/com.android.browser/databases/webview. db', 'browser_data2':'/data/data/com.android.browser/databases/browser.db', 'gmail_accounts':'/data/data/com. google.android.gm/shared_prefs/Gmail.xml', 'dolpin_data':'/data/data/mobi.mgeek.TunnyBrowser/databases/webview. db', 'dolpin_data2':'/data/data/mobi.mgeek.TunnyBrowser/databases/browser.db', 'chromeBookmarks':'. config/chromium/Default/Bookmarks' } }
  • 28. Conclusion  » XSS is bad, mkay? » Developers don't know how / aren't trained to filter client side. » Easy to exploit. » Ping me at @theKos kos@kos.io http://kos.io/