From alert('xss') to Meterpreter with a single click
Roberto Suggi Liverani
Ruhr-Universität Bochum
HackPra 2012/2013

Who am I?
• A guy who likes to find bugs
• Speaker at various cons:
  • DefCON, EUSecWest, HITB, OWASP
• Twitter: @malerisch
• Research blog: blog.malerisch.net

Outline
• Cross Context Scripting (XCS)
• Past research
• Recent discoveries
• Further attack surface

Cross Context Scripting (XCS)

Some concepts
• Same origin policy (SOP)
  • Policy designed to govern interaction between different web sites
    ○ Domain name
    ○ Application protocol
    ○ Port
• W3C definition
  • "Although the same-origin policy differs between APIs, the overarching intent is to let users visit untrusted web sites without those web sites interfering with the user's session with honest web sites"

Cross Context Scripting (XCS)
• XCS or Cross-zone scripting
  • Cross Zone Scripting coined for IE
    http://en.wikipedia.org/wiki/Cross-zone_scripting
  • XCS coined for Firefox and injection in chrome://
• What is XCS?
  • An XSS in a privileged browser zone
  • An indirect Same-Origin Policy (SOP) bypass?
• Each browser has a trusted/privileged zone:
  • FF - chrome://
  • Chrome - chrome://
  • Opera - opera://
  • Maxthon - mx://
  • Avant - browser://

XCS
• Browser privileged/trusted zone
  • Access to internal API interfaces:
    ○ Browser
      • Browser settings
      • Bookmarks, storage, etc.
    ○ OS
      • File system – I/O
  • Example
    ○ Firefox model
      • Firefox addons can run privileged code

FF Addon Example - FireFTP

Google Chrome – Settings Page

Opera History

XCS exploitation
• XCS exploits are 100% reliable
  • No memory corruption
• Trusted zone
  • Allows possible direct or indirect invocation of special functions/objects
• Challenge
  • 1st - find an injection point in the trusted zone
  • 2nd - make use of privileged functions/objects to achieve code execution

Past Research

Past research
• Pioneers
  • 2005 - Mark Pilgrim - Greasemonkey bug
  • 2006 - Pdp & Michael Daw – publishing Sage XSS
  • 2008 - Kuza55 & Stefano Di Paola – Attacking rich internet applications – Tamper Data XSS demo
• My research
  • Opera XSS found in opera:history
    ○ RCE exploit in opera:config (Kuza55 / Stefano Di Paola / Aviv Raff)
  • Firefox extensions research with Nick Freeman
    ○ Multiple RCE exploits released in FF extensions

Opera XSS history (1/3)
• Opera XSS history – CVE-2008-4696
• Metasploit - 'egypt', # msf module
• Step 1 - Injection in opera:history via the fragment part

Opera XSS Exploit (2/3)
• Step 2 - Force redirection to opera:history to trigger execution
• Note: SOP bypass

Opera XSS Exploit (3/3)
• Step 3 – Execute exploit payload

DEMO
http://www.youtube.com/watch?v=IFejbd03jls

Firefox extensions
• Firefox and extensions security model
  • Extension code is fully trusted by Firefox
  • No security boundaries between extensions
  • Extension vulnerabilities are platform independent
  • Lack of security policies to allow/deny Firefox access to internal API, XPCOM components, etc.
• After 3 years…
  • Not much change
  • A vulnerable extension can still be used to compromise a system

Cool Previews
• Vulnerable version: 2.7.2
• Injection point:
  ○ Add to stack function (right-click)
• Exploit:
  • Link with a data: URI + base64 encoded payload
    ○ <a href='data:text/html;base64,payload'>A</a>

Remote Code Execution
• Invoking cmd.exe

DEMO
http://www.youtube.com/watch?v=7dJPORacvXg

FireFTP
• Vulnerable version: <1.1.4
• Injection point:
  • Server's welcome message
• Exploit:
  • Simple HTML and JavaScript payload directly evaluated in chrome://

Feed Sidebar
• Vulnerable version: 3.2
• Injection point:
  • RSS feed
• Exploit:
  • Use of data: URI + base64 encoded payload
    ○ &lt;iframe src=&quot;data:text/html;base64,base64encodedjavascript&quot;&gt;&lt;/iframe&gt;

Sage
• Vulnerable version: <=1.4.3
• Injection point:
  • RSS feed <description> and <link> tags
• Exploit:
  • Use of HTML encoded JavaScript payload
    ○ <description>&lt;script&gt;dosomethingbad();&lt;/script&gt;</description>
  • Use of data: URI + base64 encoded payload
    ○ <link>data:text/html;base64,payload</link>

InfoRSS
• Vulnerable version: <= 1.1.4.2
• Injection point:
  • RSS feed <description> tag
• Exploit:
  • Use of data: URI + base64 encoded payload
    ○ &lt;iframe src=&quot;data:text/html;base64,base64encodedjavascript&quot;&gt;&lt;/iframe&gt;

Yonoo
• Vulnerable version: 6.1.1
• Injection point:
  • Dragging & dropping a malicious image into the preview window
• Exploit:
  • Use of an event handler, e.g. onload
    ○ <img src='http://somewebsite.tld/lolcatpicture.jpg' onLoad='evilJavaScript'>

Password stealing

Local File Disclosure

Compromising NoScript
• Whitelisting malicious site

Reverse VNC using XHR

Recent Discoveries

Maxthon – case study
• Developed by: Maxthon International (China)
• Architecture
  ○ Supports Trident and WebKit layout engines
  ○ Focus on performance and extra features
• Some stats - according to Maxthon
  • 130 million users
  • Users spread over 120 countries
  • 500,000,000 downloads in 2010

Maxthon: XCS via location.hash
• Status: UNPATCHED!
• maliciouspage.html – performs redirection
• Injected payload executes in about:history

Maxthon: XCS via RSS
• Status: UNPATCHED!
• Injection via <title>, <link>, <description> tags

Exploitation issues
• Maxthon major changes
  • DOM Program object removed in latest versions
    ○ Cannot invoke exe directly anymore
    ○ Can only read/write files via maxthon.io
• Personal exploit challenge
  • No user interaction
  • Targets: Windows XP and Windows 7

XCS Exploit – Windows XP
• Windows XP
  • Overwrite any exe which can be directly invoked via HTML/JavaScript
    ○ e.g. Outlook Express (wab.exe)
  • Then use window.location="ldap://blabla"
  • Works perfectly!

XCS Exploit – Windows 7
• In Windows 7 (universal approach)
  • User is prompted using the WinXP approach
  • Overwrite registry hives?
  • Touch registry?
  • Dirty approach but effective:
    ○ Overwrite one of the exes launched when a Java applet is rendered
    ○ jp2launcher.exe is a good candidate
  • Then point to an iframe with a Java applet = WIN!

Metasploit modules
• https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_history_xcs.rb
• https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_rss_xcs.rb

DEMO
Maxthon – about:history
http://www.youtube.com/watch?v=N-5BkgJX8sI

Demo
Maxthon XCS – RSS
http://www.youtube.com/watch?v=d-55asVLqNI

Maxthon: Trusted site over HTTP
• Status: PATCHED
• i.maxthon.com sets privileged DOM objects
  ○ runtime
  ○ maxthon

Exploit
• Leveraging XSS in a trusted "internet" page
• Design issues
  • i.maxthon.com = trusted domain
  • i.maxthon.com allows direct access to privileged APIs
  • No control on resolution of IP address
  • No use of SSL
• MiTM bug
  • DNS poisoning
    ○ Force resolution of i.maxthon.com to a controlled IP address
  • HTTP MiTM
    ○ i.maxthon.com served over HTTP – malicious proxy which alters page content
• Other implications
  • XSS in real i.maxthon.com site

DEMO – i.maxthon.com (DNS compromised)
http://www.youtube.com/watch?v=1IqZBS0O2Hs

Avant Browser
• Avant Browser - Avant Force (China)
• Custom web browser application
  • Designed to expand services provided by IE
  • Two versions: lite (only IE) & ultimate (IE, FF, Chrome)
• More downloads than Chrome, IE and Opera on CNET

A bit about Avant (1/3)
[Screenshot: Firefox wrapped version – arguments passed to firefox.exe; Avant.exe is the parent of firefox.exe]

A bit about Avant (2/3)
• Interesting files
  • "C:\Program Files\Avant Browser\res" folder
• Observations
  • home.tpl is rendered at browser:home
  • rss.tpl is rendered at browser://localhost/lst?url/path/to/rss/feed
  • Such pages use the privileged JavaScript function window.AFRunCommand()
  • The pages provided examples of how to call privileged functions and aided exploitation

A bit about Avant (3/3)
• Testing AFRunCommand()
  • Undocumented Avant browser function
  • try{}/catch{} gives no output
  • Brute force is the only option – passing a single parameter:
    ○ 60003 - window.external.HistoryUrls() - [used in exploit]
    ○ 60011 - prompt for download
    ○ 10021 - add specified site to ad block
    ○ 3 - spawns an empty tab
    ○ 10010 - reloads the page
    ○ 10013 - search for keywords
    ○ 10014 - pop-up blocker
    ○ 10016 - download a video (argument passed as URL)
    ○ 10017 - add task for download scheduler
    ○ 10025 - search keywords

Avant Browser – SOP Bypass
• Status: UNPATCHED!
• Works if Firefox is set as the rendering engine

Avant BeEF Module
https://github.com/malerisch/beef/tree/avant_browser/modules/exploits/avant_steal_history

DEMO – BeEF Module In Action
http://www.youtube.com/watch?v=I4LiSfTmuM0

Avant Browser – XCS in browser:home
• Status: UNPATCHED
• Injection via <title> HTML element
• Cross Site Scripting payload rendered in the browser:home privileged zone

DEMO – Avant Browser – XCS in browser:home via <title>
http://www.youtube.com/watch?v=cHHtsOpYGH4

Avant Browser – Stored XSS via RSS
• Injection via <title>, <link> and <description> tags

DEMO – Avant Browser – RSS Stored XSS
http://www.youtube.com/watch?v=-mShxsspxy8

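The feed-injection cases in this deck (Feed Sidebar, Sage and InfoRSS on the Firefox side; Maxthon and Avant via RSS <title>/<link>/<description>) share one root cause: entity-decoded feed text is concatenated into markup that a privileged page then renders. As an added example, not code from the talk or from any of the affected readers, the constructed feed item below is rendered the vulnerable way and the hardened way, with an audit check that tells the two apart; the item, the PAYLOAD_BASE64 placeholder and all function names are constructed for illustration.

```javascript
// Added example (not from the talk or any of the feed readers it names).
// Constructed feed item using the payload shapes listed on the slides: an
// HTML-entity-encoded <script> in <description> and a data: URI in <link>.
const SAMPLE_ITEM_XML = `<item>
  <title>Daily news</title>
  <link>data:text/html;base64,PAYLOAD_BASE64</link>
  <description>&lt;script&gt;dosomethingbad();&lt;/script&gt;</description>
</item>`;

// Undo the XML entity encoding a feed uses for text nodes. A reader does this
// once on extraction, which is what turns "&lt;script&gt;" back into live
// markup if the result is later treated as HTML in chrome:// or browser:home.
function decodeXmlEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"').replace(/&apos;/g, "'").replace(/&amp;/g, '&');
}

// Simplified field extraction (no CDATA handling); enough for the sample item.
function extractField(xml, tag) {
  const m = new RegExp(`<${tag}>([\\s\\S]*?)</${tag}>`).exec(xml);
  return m ? decodeXmlEntities(m[1].trim()) : '';
}

function parseItem(xml) {
  return {
    title: extractField(xml, 'title'),
    link: extractField(xml, 'link'),
    description: extractField(xml, 'description'),
  };
}

// VULNERABLE pattern: untrusted feed text is concatenated straight into markup
// that the reader assigns to innerHTML of a privileged document.
function renderUnsafe(item) {
  return `<div class="item"><a href="${item.link}">${item.title}</a>` +
         `<p>${item.description}</p></div>`;
}

// HARDENED pattern: every text field is escaped for HTML text/attribute
// context, and a link is kept only when it is a plain http(s) URL.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

function safeHttpUrl(raw) {
  try {
    const u = new URL(raw);             // normalises and lower-cases the scheme
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
  } catch {
    return null;                        // relative or malformed: drop it
  }
}

function renderSafe(item) {
  const href = safeHttpUrl(item.link);
  const title = escapeHtml(item.title);
  const anchor = href
    ? `<a href="${escapeHtml(href)}">${title}</a>`
    : `<span>${title}</span>`;          // data:, javascript:, etc. lose the link
  return `<div class="item">${anchor}<p>${escapeHtml(item.description)}</p></div>`;
}

// Audit check for rendered markup: script tags, inline event handlers and
// javascript:/data:text/html URLs are all things a feed item must never add.
function containsActiveContent(html) {
  return /<script\b|\son\w+\s*=|javascript:|data:text\/html/i.test(html);
}

// Render the constructed item both ways and report which one is still hot.
function demo() {
  const item = parseItem(SAMPLE_ITEM_XML);
  return {
    unsafeIsActive: containsActiveContent(renderUnsafe(item)),   // true
    safeIsActive: containsActiveContent(renderSafe(item)),       // false
  };
}
```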
Further attack surface

Injection in bookmarks
• Attack based on:
  • Origin inheritance – injection using javascript: URI
  • Input validation – injecting into bookmark trusted zone
• Injection via bookmarks using javascript:
  • Ancient bug reported in 2005 by M. Krax
  • User is lured into bookmarking a malicious javascript: URI + payload
  • User clicks on malicious bookmark
    • Focus on standard web page – Impact: XSS
    • Focus on privileged browser zone – Impact: XCS
• Many ways to fool users:
  • Security controls on status bar can be partially fooled
  • JavaScript can be compressed and obfuscated

javascript:
"I invented the javascript: URL along with JavaScript in 1995, and intended that javascript: URLs could be used as any other kind of URL, including being bookmark-able. In particular, I made it possible to generate a new document by loading, e.g. javascript:'hello, world', but also (key for bookmarklets) to run arbitrary script against the DOM of the current document, e.g. javascript:alert(document.links[0].href). The difference is that the latter kind of URL uses an expression that evaluates to the undefined type in JS. I added the void operator to JS before Netscape 2 shipped to make it easy to discard any non-undefined value in a javascript: URL."
—Brendan Eich

Firefox Case
• Firefox 10.0.2 vulnerable
• Malicious bookmark clicked while using an extension (from chrome://)
• Payload will execute in chrome://
• Issue fixed in FF >11

Demo – Firefox XCS via bookmark
http://www.youtube.com/watch?v=gSuLV9RjhGQ

Opera
• Opera 12.10
• javascript: can be bookmarked
• Origin inheritance - opera:config vulnerable to XCS if a javascript:// bookmarklet is triggered
• Mail app handler can be set with a UNC path, e.g. myremotemeterpreter.exe

Demo – Opera XCS via Bookmarks
http://www.youtube.com/watch?v=wWtLHi4Imr4

Maxthon - XCS in bookmarks

Demo – Maxthon XCS in bookmarks
http://www.youtube.com/watch?v=YR0RQz45t3M

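The bookmark cases above (Firefox 10.0.2, Opera 12.10, Maxthon) all rest on origin inheritance: a javascript: bookmark runs against whatever document is focused, so clicking it while a privileged page is open turns a bookmarklet into XCS. As an added example, not code from the talk or from any browser vendor, the block below models the decision a browser needs to make before honouring a bookmark click, using the privileged zones listed in the "Each browser has a trusted/privileged zone" slide plus about:history for Maxthon; the browser names and function names are constructed.

```javascript
// Added example, not code from the talk or from any browser vendor.
// A javascript: URL has no origin of its own: it runs in the origin of the
// document it is navigated from. Honouring such a bookmark while chrome://,
// opera:config, browser:home or about:history is focused hands the payload
// privileged access, which is the bookmark-to-XCS path the talk demonstrates.

// Privileged schemes per browser, as listed in the talk. about: is included
// for Maxthon because the talk shows payloads executing in about:history.
const PRIVILEGED_SCHEMES = new Map([
  ['firefox', ['chrome:']],
  ['chrome',  ['chrome:']],
  ['opera',   ['opera:']],
  ['maxthon', ['mx:', 'about:']],
  ['avant',   ['browser:']],
]);

// Use the WHATWG URL parser so that leading whitespace and mixed-case schemes
// ("  JavaScript:alert(1)") normalise to "javascript:" before any comparison.
function schemeOf(url) {
  try {
    return new URL(url).protocol;
  } catch {
    return null;                        // relative or malformed
  }
}

function isScriptUrl(url) {
  return schemeOf(url) === 'javascript:';
}

function isPrivilegedDocument(browser, docUrl) {
  const schemes = PRIVILEGED_SCHEMES.get(browser);
  const s = schemeOf(docUrl);
  // Unknown browser or unparseable document URL: fail closed.
  if (!schemes || s === null) return true;
  return schemes.includes(s);
}

// Decide what a bookmark click may do. Returns an action of:
//   navigate      - ordinary URL, load it as a new document
//   run-in-origin - bookmarklet against an ordinary web page (its own origin)
//   block         - bookmarklet while a privileged document is focused (XCS)
function decideBookmarkClick(browser, bookmarkUrl, currentDocUrl) {
  const scheme = schemeOf(bookmarkUrl);
  if (scheme === null) {
    return { action: 'block', reason: 'bookmark URL does not parse' };
  }
  if (scheme !== 'javascript:') {
    return { action: 'navigate', reason: `plain ${scheme} URL` };
  }
  if (isPrivilegedDocument(browser, currentDocUrl)) {
    const doc = schemeOf(currentDocUrl) ?? '(unknown)';
    return { action: 'block', reason: `javascript: would inherit privileged origin ${doc}` };
  }
  return { action: 'run-in-origin', reason: "bookmarklet runs with the web page's own origin" };
}

// Walk the cases from the talk plus the scheme-normalisation edge case.
function demo() {
  const cases = [
    ['firefox', 'javascript:alert(1)',    'chrome://browser/content/browser.xul'],
    ['opera',   'javascript:void(0)',     'opera:config'],
    ['maxthon', '  JavaScript:alert(1)',  'about:history'],     // whitespace + case
    ['avant',   'javascript:alert(1)',    'browser:home'],
    ['firefox', 'javascript:alert(1)',    'http://example.com/'],
    ['firefox', 'http://example.com/',    'chrome://browser/content/browser.xul'],
  ];
  return cases.map(([b, bm, doc]) => decideBookmarkClick(b, bm, doc).action);
  // -> ['block', 'block', 'block', 'block', 'run-in-origin', 'navigate']
}
```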
Conclusions
• More browser capability/functionality
  • increased attack surface for XCS
• Untrusted content - rendering options
  • about:blank
• Security model for extensions/addons
  • Sandbox

Questions?
Roberto Suggi Liverani - @malerisch
blog.malerisch.net

References
• Blog – Roberto Suggi Liverani
  • http://blog.malerisch.net/
• Twitter account - @malerisch
  • https://twitter.com/malerisch
• Security-Assessment.com Research
  • http://www.security-assessment.com/page/archive.htm
• Nick Freeman – Publications
  • http://atta.cked.me/publications
• Cross Context Scripting with Firefox - http://malerisch.net/docs/cross_context_scripting/cross_context_scripting_with_firefox.pdf
• Opera - XCS in opera:history - http://malerisch.net/docs/advisories/opera_stored_cross_site_scripting.html
• Firefox addon Coolpreviews – XCS - http://malerisch.net/docs/advisories/coolpreviews_chrome_privileged_code_injection.html
• Firefox addon Update Scanner - XCS - http://malerisch.net/docs/advisories/updatescanner_chrome_privileged_code_injection.html
• Exploiting XCS in Firefox - http://www.security-assessment.com/files/whitepapers/Exploiting_Cross_Context_Scripting_vulnerabilities_in_Firefox.pdf
• HITB2012AMS - Browser Bug Hunting in 2012 - http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf

 
Websocket technology for XPages
Websocket technology for XPagesWebsocket technology for XPages
Websocket technology for XPages
 

Dernier

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Dernier (20)

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 

Cross Context Scripting attacks & exploitation

Past research
 Pioneers
 2005 - Mark Pilgrim - Greasemonkey bug
 2006 - Pdp & Michael Daw – publishing Sage xss
 2008 - Kuza55 & Stefano Di Paola – Attacking rich internet applications – Tamper Data XSS demo
 My research
 Opera XSS found in opera:history
○ RCE exploit in opera:config (Kuza55 / Stefano Di Paola / Aviv Raff)
 Firefox extensions research with Nick Freeman
○ Multiple RCE exploits released in FF extensions
14
Opera XSS history (1/3)
 Opera XSS history – CVE-2008-4696
 Metasploit - 'egypt', # msf module
 Step 1 - Injection in opera:history via the fragment part
15
Opera XSS Exploit (2/3)
 Step 2 - Force redirection to opera:history to trigger execution
 Note: SOP bypass
16
Opera XSS Exploit (3/3)
 Step 3 – Execute exploit payload
17
Firefox extensions
 Firefox and extensions security model
 Extension code is fully trusted by Firefox
 No security boundaries between extensions
 Extension vulnerabilities are platform independent
 Lack of security policies to allow/deny Firefox access to internal API, XPCOM components, etc.
 After 3 years…
 Not much change
 A vulnerable extension can still be used to compromise a system
19
Cool Previews
 Vulnerable version: 2.7.2
 Injection point:
○ Add to stack function (right-click)
 Exploit:
 Link with a data: uri + base64 encoded payload
○ <a href='data:text/html;base64,payload'>A</a>
20
Remote Code Execution
 Invoking cmd.exe
21
FireFTP
 Vulnerable version: <1.1.4
 Injection point:
 Server's welcome message
 Exploit:
 Simple HTML and JavaScript payload directly evaluated in chrome://
23
Feed Sidebar
 Vulnerable version: 3.2
 Injection point:
 RSS feed
 Exploit:
 Use of data: uri + base64 encoded payload
○ &lt;iframe src=&quot;data:text/html;base64,base64encodedjavascript&quot;&gt;&lt;/iframe&gt;
24
Sage
 Vulnerable version: <=1.4.3
 Injection point:
 RSS feed <description> and <link> tags
 Exploit:
 Use of HTML encoded JavaScript payload
○ <description>&lt;script&gt;dosomethingbad();&lt;/script&gt;</description>
 Use of data: uri + base64 encoded payload
○ <link>data:text/html;base64,payload</link>
25
InfoRSS
 Vulnerable version: <= 1.1.4.2
 Injection point:
 RSS feed <description> tag
 Exploit:
 Use of data: uri + base64 encoded payload
○ &lt;iframe src=&quot;data:text/html;base64,base64encodedjavascript&quot;&gt;&lt;/iframe&gt;
26
Yoono
 Vulnerable version: 6.1.1
 Injection point:
 Drag & dropping a malicious image into the preview window
 Exploit:
 Use event handler e.g. onload
○ <img src='http://somewebsite.tld/lolcatpicture.jpg' onLoad='evilJavaScript'>
27
Maxthon – case study
 Developed by: Maxthon International (China)
 Architecture
○ Supports Trident and WebKit layout engines
○ Focus on performance and extra features
 Some stats - according to Maxthon
 130 million users
 Users spread over 120 countries
 500,000,000 downloads in 2k10
33
Maxthon: XCS via location.hash
 Status: UNPATCHED!
 Maliciouspage.html – performs redirection
 Injected payload executes in about:history
34
Maxthon: XCS via RSS
 Status: UNPATCHED!
 Injection via <title>, <link>, <description> tags
35
Exploitation issues
 Maxthon major changes
 DOM Program object removed in latest versions
○ Cannot invoke exe directly anymore
○ Can only read/write files via maxthon.io
 Personal exploit challenge
 No user interaction
 Targets: Windows XP and Windows 7
36
XCS Exploit – Windows XP
 Windows XP
 Overwrite any exe which can be directly invoked via HTML/JavaScript
○ e.g. Outlook Express (wab.exe)
 Then use window.location="ldap://blabla"
 Works perfectly!
37
XCS Exploit – Windows 7
 In Windows 7 (universal approach)
 User is prompted using WinXP approach
 Overwrite registry hives?
 Touch registry?
 Dirty approach but effective:
○ Overwrite one of the exe when Java applet is rendered
○ jp2launcher.exe is a good candidate
 Then point to an iframe with a java applet = WIN!
38
Metasploit modules
 https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_history_xcs.rb
 https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_rss_xcs.rb
39
Demo Maxthon XCS – RSS
http://www.youtube.com/watch?v=d-55asVLqNI
41
Maxthon: Trusted site over HTTP
 Status: PATCHED
 i.maxthon.com
 sets privileged DOM objects
○ runtime
○ maxthon
42
Exploit
 Leveraging XSS in a trusted "internet" page
 Design issues
 i.maxthon.com = trusted domain
 i.maxthon.com allows direct access to privileged APIs
 No control on resolution of IP address
 No use of SSL
 MiTM bug
 DNS poisoning
○ Force resolution of i.maxthon.com to a controlled IP address
 HTTP MiTM
○ i.maxthon.com served over HTTP – malicious proxy which alters page content
 Other implications
 XSS in real i.maxthon.com site
43
DEMO – i.maxthon.com (DNS compromised)
http://www.youtube.com/watch?v=1IqZBS0O2Hs
44
Avant Browser
 Avant Browser - Avant Force (China)
 Custom web browser application
 Designed to expand services provided by IE
 Two versions: lite (only IE) & ultimate (IE, FF, Chrome)
 More downloads than Chrome, IE and Opera on CNET
45
A bit about Avant (1/3)
 Firefox wrapped version
 Arguments passed to firefox.exe
 Avant.exe - parent of firefox.exe
46
A bit about Avant (2/3)
 Interesting files
 "C:\Program Files\Avant Browser\res" folder:
 Observations
 home.tpl is rendered at browser:home
 rss.tpl is rendered at browser://localhost/lst?url/path/to/rss/feed
 Such pages use the privileged JavaScript function window.AFRunCommand()
 Pages provided examples on how to call privileged functions and aided exploitation
47
A bit about Avant (3/3)
 Testing AFRunCommand()
 Undocumented Avant browser function
 try{}/catch{} gives no output
 Bruteforce the only option – passing a single parameter:
○ 60003 - window.external.HistoryUrls() - [used in exploit]
○ 60011 - prompt for download
○ 10021 - add to ad block specified site
○ 3 - spawns an empty tab
○ 10010 - reloads the page
○ 10013 - search for keywords
○ 10014 - pop up blocker
○ 10016 - download a video (argument passed as URL)
○ 10017 - add task for download scheduler
○ 10025 - search keywords
48
Avant Browser – SOP Bypass
 Status: UNPATCHED!
 Works if Firefox is set as the rendering engine
49
DEMO – BeEF Module In Action
http://www.youtube.com/watch?v=I4LiSfTmuM0
51
Avant Browser – XCS in browser:home
 Status: UNPATCHED
 Injection via <title> HTML element
 Cross site scripting payload rendered in the browser:home privileged zone
52
DEMO – Avant Browser – XCS in browser:home via <title>
http://www.youtube.com/watch?v=cHHtsOpYGH4
53
Avant Browser – Stored XSS via RSS
 Injection via <title>, <link> and <description> tags
54
DEMO – Avant Browser – RSS Stored XSS
http://www.youtube.com/watch?v=-mShxsspxy8
55
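The RSS cases above (Sage, InfoRSS, Feed Sidebar, and the Maxthon and Avant feed readers) share one defect: feed fields are turned into markup inside the privileged zone. The following is an added example, not code from the slides or from any of those products, contrasting that pattern with a renderer that keeps feed content as text; the item shape {title, link, description}, the function names and the sample items are constructed for the example.

```javascript
// Added example (not from the slides): untrusted RSS fields reaching a
// privileged page, and a hardened renderer that keeps them as data, not markup.
// Runs under Node.js without a DOM: both renderers return the HTML string an
// extension would otherwise assign to innerHTML inside chrome://.

// Decode the entities an RSS <description> uses to carry markup. This is
// exactly the step that turns "&lt;script&gt;" back into a live tag.
function decodeEntities(s) {
  return String(s).replace(/&lt;/g, '<').replace(/&gt;/g, '>')
                  .replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&amp;/g, '&');
}

// Escape text so it can only be displayed, never parsed as markup.
function escapeHtml(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
                  .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Vulnerable pattern (the shape of the feed-reader bugs in the slides): the
// feed's <link> becomes an href unchecked and the decoded <description> is
// inserted as HTML. In chrome:// the resulting <script> or data: iframe runs
// with the extension's privileges.
function renderItemUnsafe(item) {
  return '<a href="' + item.link + '">' + item.title + '</a>' +
         '<div>' + decodeEntities(item.description) + '</div>';
}

// Only plain web URLs may become clickable; javascript:, data:, chrome:// and
// similar schemes yield null so the UI shows the title as text instead.
function safeFeedLink(link) {
  let url;
  try { url = new URL(String(link).trim()); } catch (e) { return null; }
  return (url.protocol === 'http:' || url.protocol === 'https:') ? url.href : null;
}

// Hardened renderer: every untrusted field is escaped, the description is
// decoded once (so readers see the feed's own characters) and then escaped so
// it cannot become markup, and the link must pass the scheme check.
function renderItemSafe(item) {
  const title = escapeHtml(item.title);
  const href = safeFeedLink(item.link);
  const head = href ? '<a href="' + escapeHtml(href) + '">' + title + '</a>' : title;
  return head + '<div>' + escapeHtml(decodeEntities(item.description)) + '</div>';
}

// Detection: flag items that would have become active markup or a non-web link.
function findInjectionAttempts(items) {
  const findings = [];
  items.forEach((item, i) => {
    const reasons = [];
    if (safeFeedLink(item.link) === null) reasons.push('non-http link');
    if (/<\s*\/?\s*(script|iframe|img|object|embed)\b/i.test(decodeEntities(item.description))) {
      reasons.push('active markup in description');
    }
    if (/<[a-z]/i.test(String(item.title))) reasons.push('markup in title');
    if (reasons.length) findings.push({ index: i, reasons });
  });
  return findings;
}

// Constructed sample feed items, modelled on the payload shapes in the slides.
const SAMPLE_ITEMS = [
  { title: 'Release notes', link: 'http://example.org/post/1',
    description: 'Version 1.4 &amp; fixes' },
  { title: 'Bad item', link: 'data:text/html;base64,PAYLOAD',
    description: '&lt;script&gt;dosomethingbad();&lt;/script&gt;' },
  { title: '<b>Bold</b>', link: 'javascript:alert(1)',
    description: '&lt;iframe src=&quot;data:text/html;base64,QUJD&quot;&gt;&lt;/iframe&gt;' },
];

for (const item of SAMPLE_ITEMS) {
  console.log('unsafe:', renderItemUnsafe(item));
  console.log('safe:  ', renderItemSafe(item));
}
console.log(JSON.stringify(findInjectionAttempts(SAMPLE_ITEMS)));
```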
Injection in bookmarks
 Attack based on:
 Origin inheritance – injection using javascript: uri
 Input validation – injecting into bookmark trusted zone
 Injection via bookmarks using javascript:
 Ancient bug reported in 2k5 by M. Krax
 User is lured into bookmarking a malicious javascript: URI + payload
 User clicks on malicious bookmark
 Focus on standard web page – Impact: XSS
 Focus on privileged browser zone – Impact: XCS
 Many ways to fool users:
 Security controls on status bar can be partially fooled
 JavaScript can be compressed and obfuscated
57
javascript:
 I invented the javascript: URL along with JavaScript in 1995, and intended that javascript: URLs could be used as any other kind of URL, including being bookmark-able. In particular, I made it possible to generate a new document by loading, e.g. javascript:'hello, world', but also (key for bookmarklets) to run arbitrary script against the DOM of the current document, e.g. javascript:alert(document.links[0].href). The difference is that the latter kind of URL uses an expression that evaluates to the undefined type in JS. I added the void operator to JS before Netscape 2 shipped to make it easy to discard any non-undefined value in a javascript: URL.
 —Brendan Eich
58
Firefox Case
 Firefox 10.0.2 vulnerable
 Malicious bookmark clicked while using an extension (from chrome://)
 Payload will execute in chrome://
 Issue fixed in FF >11
59
Demo – Firefox XCS via bookmark
http://www.youtube.com/watch?v=gSuLV9RjhGQ
60
Opera
 Opera 12.10
 javascript: can be bookmarked
 Origin inheritance - opera:config vulnerable to XCS if javascript:// bookmarklet is triggered
 Mail app handler can be set with a UNC path e.g. myremotemeterpreter.exe
61
Demo – Opera XCS via Bookmarks
http://www.youtube.com/watch?v=wWtLHi4Imr4
62
Maxthon - XCS in bookmarks
63
Demo – Maxthon XCS in bookmarks
http://www.youtube.com/watch?v=YR0RQz45t3M
64
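The bookmark cases above turn on origin inheritance: a javascript: bookmark runs against whatever document is focused, so the safe decision depends on the focused document's scheme and not only on the bookmark. As an added example, not code from the slides or from any browser, here is an activation policy built on the privileged schemes the deck lists; the function names and the suspicious-script heuristics are assumptions made for the example.

```javascript
// Added example (not from the slides): a bookmark activation policy that
// models origin inheritance. Runs under Node.js; no browser APIs are used.

// Privileged zones named in the deck (chrome://, opera://, mx://, browser://)
// plus about:, which the Maxthon and conclusion slides also treat as internal.
const PRIVILEGED_SCHEMES = new Set(['chrome:', 'opera:', 'mx:', 'browser:', 'about:']);

// Return the URI scheme with its colon, lower-cased, or null if there is none.
function schemeOf(uri) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(String(uri));
  return m ? m[1].toLowerCase() + ':' : null;
}

// Decide whether activating bookmarkUri while currentUri is focused is safe.
// A javascript: or data: bookmark inherits the focused document's origin, so
// it is refused whenever that document lives in a privileged zone (or the
// zone cannot be determined). Returns { allow, reason }.
function bookmarkActivationDecision(bookmarkUri, currentUri) {
  const bScheme = schemeOf(bookmarkUri);
  const cScheme = schemeOf(currentUri);
  if (bScheme === 'http:' || bScheme === 'https:') {
    return { allow: true, reason: 'navigation to a web origin' };
  }
  if (bScheme === 'javascript:' || bScheme === 'data:') {
    if (cScheme === null || PRIVILEGED_SCHEMES.has(cScheme)) {
      return { allow: false,
               reason: bScheme + ' bookmark would inherit privileged origin ' + (cScheme || 'unknown') };
    }
    return { allow: true, reason: 'bookmarklet runs in an ordinary web page' };
  }
  if (PRIVILEGED_SCHEMES.has(bScheme)) {
    return { allow: false, reason: 'bookmark points into privileged zone ' + bScheme };
  }
  return { allow: false, reason: 'unsupported scheme ' + (bScheme || 'none') };
}

// Creation-time check: describe a bookmark the user is about to save, flagging
// script bookmarks whose body looks compressed or obfuscated (the slide notes
// that status-bar controls can be fooled and the script hidden that way).
function describeBookmark(uri) {
  const scheme = schemeOf(uri);
  const isScript = scheme === 'javascript:' || scheme === 'data:';
  const suspicious = [];
  if (isScript) {
    let body = String(uri).trim().slice(scheme.length);
    try { body = decodeURIComponent(body); } catch (e) { suspicious.push('undecodable percent-encoding'); }
    if (body.length > 200) suspicious.push('unusually long script');
    if (/\b(eval|unescape|fromCharCode|atob)\s*\(/.test(body)) suspicious.push('decoder/eval call (obfuscation)');
  }
  return { scheme, isScript, suspicious };
}

// Constructed scenarios: the same bookmark activated from a web page and from
// the privileged zones named in the deck.
const SCENARIOS = [
  ['javascript:alert(document.title)', 'https://example.com/page'],
  ['javascript:alert(document.title)', 'chrome://browser/content/browser.xul'],
  ['javascript:alert(document.title)', 'opera:config'],
  ['data:text/html,hello', 'mx://history'],
  ['https://example.org/', 'chrome://browser/content/browser.xul'],
];
for (const [bookmark, current] of SCENARIOS) {
  const d = bookmarkActivationDecision(bookmark, current);
  console.log((d.allow ? 'ALLOW ' : 'REFUSE') + ' ' + bookmark + ' @ ' + current + ' : ' + d.reason);
}
console.log(JSON.stringify(describeBookmark('javascript:eval(unescape("%61%6c%65%72%74"))')));
```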
Conclusions
 More browser capability/functionality → increased attack surface for XCS
 Untrusted content - rendering options
 about:blank
 Security model for extensions/addons
 Sandbox
65
Questions?
Roberto Suggi Liverani - @malerisch
blog.malerisch.net
66
References
 Blog – Roberto Suggi Liverani
 http://blog.malerisch.net/
 Twitter account - @malerisch
 https://twitter.com/malerisch
 Security-Assessment.com Research
 http://www.security-assessment.com/page/archive.htm
 Nick Freeman – Publications
 http://atta.cked.me/publications
67
References
 Cross Context Scripting with Firefox - http://malerisch.net/docs/cross_context_scripting/cross_context_scripting_with_firefox.pdf
 Opera - XCS in opera:history - http://malerisch.net/docs/advisories/opera_stored_cross_site_scripting.html
 Firefox addon Coolpreviews – XCS - http://malerisch.net/docs/advisories/coolpreviews_chrome_privileged_code_injection.html
68
References
 Firefox addon Update Scanner - XCS - http://malerisch.net/docs/advisories/updatescanner_chrome_privileged_code_injection.html
 Exploiting XCS in Firefox - http://www.security-assessment.com/files/whitepapers/Exploiting_Cross_Context_Scripting_vulnerabilities_in_Firefox.pdf
 HITB2012AMS - Browser Bug Hunting in 2012 - http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf
69

Editor's notes

  1. http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/ http://mozdev.org/pipermail/greasemonkey/2005-July/004022.html
  2. Split in two slides
  3. Increase font size for each screen shot
  4. Bug id 288164 -> in the thread, no one mentions the fact that chrome:// is used by addons too, and not just within the bookmark zone. Ref: https://bug338459.bugzilla.mozilla.org/attachment.cgi?id=222524 http://www.agarri.fr/op00.html