The document discusses cross-site scripting (XSS) attacks that can occur outside of web browsers on desktop and mobile platforms. It provides examples of XSS vulnerabilities found in Skype, Adium, Android's Gmail app, Google Earth, and outlines a tool built to automate discovery and exfiltration of files across platforms like Mac, Android and others. The document encourages developers to properly filter HTML and secure apps from XSS attacks.
The Hidden XSS - Attacking the Desktop & Mobile Platforms
1. The Hidden XSS
Attacking the Desktop & Mobile Platforms
Kos (Kyle Osborn)
@theKos
2. alert(self)
» ToorCon Seattle, BlackHat, BSidesLV & DefCon
» Oh, and this guy
» Red Team guy (or so I pretend)
» Pentester
» http://kos.io/
3. XSS within the browser
» Usually considered a web browser based attack.
» Users fire up their web browsers
» Navigate to website with persistent XSS
» Open up link with payload in the URL
(bank.com?XSS)
» iFrame with embedded vulnerable website
» etc., etc.
» But... not really browser specific...
4. XSS
Definition for XSS:
Cross-site scripting is a security hazard that allows crackers to interfere with your program's logic by inserting their own logic into your HTML. ....
http://oreilly.com/ruby/excerpts/ruby-learning-rails/ruby-glossary.html
6. XSS without the browser
» So what's the big deal?
» Not really able to steal cookies.
» Phishing doesn't make sense.
» Content spoofing?
» Ad injection?
» Meh...
7. XSS without the browser
» Local filesystem access?
» XMLHttpRequest()
» WebKit does not block XHR requests to file:///
» OS X, iOS, Android versions of WebKit
» Except for Chrome
9. Demo #1
» Skype (5.0.x to <= 5.0.914) on Mac OS X
» HTML not filtered in an instance, allowing an attacker to inject malicious JavaScript.
» http://kos.io/skype for more info
10. Demo #2
» Adium <= 1.4.2 (OS X)
» Unfiltered HTML in file transfer dialogue.
» Almost the same as Skype.
» http://www.noptrix.net/advisories/adium_inject.txt
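Added example (my own code, not from the talk, Skype or Adium): the rendering pattern behind the two dialogs above, where an untrusted sender name and filename are spliced straight into the HTML that a WebKit view displays, next to the escaped version and a check that counts the tags in the result. Function names and the sample inputs are assumptions.

```javascript
// Added example, not code from the talk. Shows the unfiltered-HTML pattern
// behind the Skype/Adium dialogs and the escaping that prevents it.
// Function names and sample values are constructed for illustration.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable: untrusted values are concatenated directly into markup, so a
// display name or filename that carries tags becomes part of the page.
function renderTransferDialogUnsafe(sender, filename) {
  return `<div class="xfer"><b>${sender}</b> sent you <i>${filename}</i></div>`;
}

// Hardened: every untrusted value is escaped before it reaches the HTML.
function renderTransferDialog(sender, filename) {
  return `<div class="xfer"><b>${escapeHtml(sender)}</b> sent you <i>${escapeHtml(filename)}</i></div>`;
}

// Defensive check for tests: the template always emits exactly six tags
// (div, b, /b, i, /i, /div); any other count means input became markup.
const TEMPLATE_TAG_COUNT = 6;
function hasUnexpectedTags(html) {
  const tags = html.match(/<[^>]+>/g) || [];
  return tags.length !== TEMPLATE_TAG_COUNT;
}

// Constructed sample: a display name carrying a script tag.
const SAMPLE_SENDER = 'Mallory<script>alert(1)</script>';
const SAMPLE_FILE = 'report.pdf';

console.log(hasUnexpectedTags(renderTransferDialogUnsafe(SAMPLE_SENDER, SAMPLE_FILE))); // true
console.log(hasUnexpectedTags(renderTransferDialog(SAMPLE_SENDER, SAMPLE_FILE)));       // false
```

The same escaping applies to any string the app did not generate itself, including contact names and file names coming over the wire.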
11. Demo #3
» Skype on iOS 3.0.1 (Fixed as of 3.0.2)
» Again, basic Cross Site Scripting
» Discovered by while testing Skype on OS X
» More info at https://superevr.com/2011/xss-in-skype-for-ios/
14. Introducing WebOS
» Truly web-driven operating system
» Easy application development
» Poised to compete with iOS / Android
» Oh yeah, apps are HTML5 / JavaScript
15. WebOS
» WebOS: because most apps are HTML/JS, many are susceptible to attacks.
» However... actually more secure than the previous vulns.
» Security (kind-of) done right on it.
20. Demo #5
» Android's GMail app
» Reported a few months ago...
» Android (like iOS) uses separate users per application, limiting what each app can reach.
23. Demo #5 - Continued
» GMail.apk allows HTML files to be downloaded.
» Handles it in "HTML Viewer" properly, without JS.
» However, XSS inside Gmail.app allows an attacker to force a file download.
» Then force browser to open file:///..../attack.html
24. For my next trick... Choose an OS
» Linux
» Windows
» OS X
» iOS
25. Demo #6
» Google Earth
» Multi-platform - OS X, iOS, Linux & Windows
» Payloaded KML file (Google Earth XML file)
» Uses HTML for info-boxes
» Uses a vulnerable WebKit version
26. Tool!
» To make it easier, wrote a tool.
» JSON arrays for discovery functions() [what users, app] and files
» base64 encodes & exfiltrates
27. Tool!
var fileList = {};

fileList['mac'] = {
    // How do we discover users?
    "discover": '/Library/Preferences/com.apple.loginwindow.plist',
    // Okay, we found them, what do we pillage?
    "post": {
        'bashHistory': '.bash_history',
        'sshHosts': '.ssh/known_hosts',
        'sshKeys': '.ssh/id_rsa.pub'
    }
};

fileList['android'] = {
    // Instead of how, just figure out the currently in-use app
    "discover": '/proc/self/status',
    // Okay, we found them, what do we pillage?
    "post": {
        'browser_data': '/data/data/com.android.browser/databases/webview.db',
        'browser_data2': '/data/data/com.android.browser/databases/browser.db',
        'gmail_accounts': '/data/data/com.google.android.gm/shared_prefs/Gmail.xml',
        'dolpin_data': '/data/data/mobi.mgeek.TunnyBrowser/databases/webview.db',
        'dolpin_data2': '/data/data/mobi.mgeek.TunnyBrowser/databases/browser.db',
        'chromeBookmarks': '.config/chromium/Default/Bookmarks'
    }
};
28. Conclusion
» XSS is bad, mkay?
» Developers don't know how / aren't trained to filter client side.
» Easy to exploit.
» Ping me at @theKos, kos@kos.io, http://kos.io/