SlideShare a Scribd company logo

XSS Without Browser

K
kosborn

The document summarizes a talk given at Toorcon Seattle 2011 about cross-site scripting (XSS) vulnerabilities in desktop applications that use HTML, JavaScript and CSS for their user interfaces. The speaker demonstrates how XSS payloads can exploit Skype to inject content from other sites and access local files, since desktop apps do not enforce the same origin policy in the same way web browsers do. He urges testing applications like Skype, Adium and iChat that embed web technologies for similar vulnerabilities.

Related slideshows

Modern iframe programming
Modern iframe programmingModern iframe programming
Modern iframe programming
 
CSS3: The Future is Now at DrupalCon San Francisco
CSS3: The Future is Now at DrupalCon San FranciscoCSS3: The Future is Now at DrupalCon San Francisco
CSS3: The Future is Now at DrupalCon San Francisco
 
Native Desktop App with Node.js Webkit (HTML, CSS & Javascript)
Native Desktop App with Node.js Webkit (HTML, CSS & Javascript)Native Desktop App with Node.js Webkit (HTML, CSS & Javascript)
Native Desktop App with Node.js Webkit (HTML, CSS & Javascript)
 
1 of 10
Download to read offline
Toorcon  Seattle,  2011   XSS  Without  the  Browser   Wait,  what?  
#  whoami     Kyle  Osborn….  Many  know  me  as  Kos.     http://kyleosborn.com/     http://kos.io/     @theKos     Application  Security  Specialist  at  WhiteHat  Security  
HTML  Rendering  Engines     Trident  –  Windows  (Internet  Explorer)     Webkit  –  OS  X  (Safari)     Easily  embedded.     Easy  to  update,  add  features,  style,  and  include  advanced   user  interaction  with  HTML,  JavaScript  and  CSS.       HTML5  features  offer  a  more  seamless  desktop  interface.     Very  Cheap!  HTML/JavaScript/CSS  are  simple.  
What  does  this  mean?   Web  vulnerabilities…   In  Desktop  Applications   •  Conventional  web  vulnerabilities  can   now  become  desktop  vulnerabilities.     •  Forget  shellcode,  my  payload  is   JavaScript!  My  exploit  isn’t  a  buffer   overflow,  it’s  double-­‐quotes!     •  Binary  foo?  More  like  “I  once  made  a   website  for  Grandma’s  knitting   company”-­‐foo.   Fixed  in  latest  versions  of  Skype   >=  5.0.922  
So  what,  it’s  just  a  little  JavaScript!   Same  Origin  Policy   But….     Dictates  that  JavaScript  can     The  Same  Origin  Policy  is   not  reach  content  in  another   based  on  an  Origin.   context.     What  is  the  “origin”  inside     Origin  based  on:   desktop  applications?     Protocol  (http,  https)     No  protocol     Hostname  (google.com)     No  hostname     Port  (:80)     No  Port     protocol://hostname:port/     So…  
Demo  #1  (or  video…)  [picking  on  Skype]     Payload:     Injects  an  iframe  with  Google  into  the  chat  DOM.     Injects  <img  src=x  onerror=alert(document.domain)>  into  the   iframe.     Uses  Safari  cookies  and  sessions  in  requests.  
Demo  #2  (or  video…)  [picking  on  Skype]     Payload:     XmlHttpRequest  opens  file:///etc/passwd  and  then  alerts  it     Can  access  any  files  on  the  local  filesystem  that  the  user  has   permission  to  read.       Also  works  for  https://mail.google.com/     Can  be  used  to  bypass  CSRF  tokens  and  requests  can  be   crafted  to  essentially  do  anything.  
Basically…     If  Origin  =  null…  then  BAD     If  the  “origin”  doesn’t  exist,  what  is  there  to  compare  to?     Since  http://www.google.com:80/  ===  null   JavaScript  isn’t  really  breaking  an  rules     As  far  as  I  can  tell,  just  a  misconfiguration  on  the  developers   side.   My  point  is:  The  outcome  can  be  very  bad,   applications  like  this  should  be  tested.  
Where  to  look   OS  X   Windows/Linux     Adium     gwibber  (Linux  twitter  client)     iChat     AIM     Twitter.app     …there  has  got  to  be  more     Skype     …..  
Information     Talk  to  me  later.  I’ll  be  around  for  the  parties,  and  Black   Lodge  tomorrow.     http://kos.io/skype  (will  be  updated  with  slides  and  more  info)     Twitter  @theKos     Blog  coming  soon  @  http://blog.whitehatsec.com  

More Related Content

XSS Without Browser

  • 1. Toorcon  Seattle,  2011   XSS  Without  the  Browser   Wait,  what?  
  • 2. #  whoami     Kyle  Osborn….  Many  know  me  as  Kos.     http://kyleosborn.com/     http://kos.io/     @theKos     Application  Security  Specialist  at  WhiteHat  Security  
  • 3. HTML  Rendering  Engines     Trident  –  Windows  (Internet  Explorer)     Webkit  –  OS  X  (Safari)     Easily  embedded.     Easy  to  update,  add  features,  style,  and  include  advanced   user  interaction  with  HTML,  JavaScript  and  CSS.       HTML5  features  offer  a  more  seamless  desktop  interface.     Very  Cheap!  HTML/JavaScript/CSS  are  simple.  
  • 4. What  does  this  mean?   Web  vulnerabilities…   In  Desktop  Applications   •  Conventional  web  vulnerabilities  can   now  become  desktop  vulnerabilities.     •  Forget  shellcode,  my  payload  is   JavaScript!  My  exploit  isn’t  a  buffer   overflow,  it’s  double-­‐quotes!     •  Binary  foo?  More  like  “I  once  made  a   website  for  Grandma’s  knitting   company”-­‐foo.   Fixed  in  latest  versions  of  Skype   >=  5.0.922  
  • 5. So  what,  it’s  just  a  little  JavaScript!   Same  Origin  Policy   But….     Dictates  that  JavaScript  can     The  Same  Origin  Policy  is   not  reach  content  in  another   based  on  an  Origin.   context.     What  is  the  “origin”  inside     Origin  based  on:   desktop  applications?     Protocol  (http,  https)     No  protocol     Hostname  (google.com)     No  hostname     Port  (:80)     No  Port     protocol://hostname:port/     So…  
  • 6. Demo  #1  (or  video…)  [picking  on  Skype]     Payload:     Injects  an  iframe  with  Google  into  the  chat  DOM.     Injects  <img  src=x  onerror=alert(document.domain)>  into  the   iframe.     Uses  Safari  cookies  and  sessions  in  requests.  
  • 7. Demo  #2  (or  video…)  [picking  on  Skype]     Payload:     XmlHttpRequest  opens  file:///etc/passwd  and  then  alerts  it     Can  access  any  files  on  the  local  filesystem  that  the  user  has   permission  to  read.       Also  works  for  https://mail.google.com/     Can  be  used  to  bypass  CSRF  tokens  and  requests  can  be   crafted  to  essentially  do  anything.  
  • 8. Basically…     If  Origin  =  null…  then  BAD     If  the  “origin”  doesn’t  exist,  what  is  there  to  compare  to?     Since  http://www.google.com:80/  ===  null   JavaScript  isn’t  really  breaking  an  rules     As  far  as  I  can  tell,  just  a  misconfiguration  on  the  developers   side.   My  point  is:  The  outcome  can  be  very  bad,   applications  like  this  should  be  tested.  
  • 9. Where  to  look   OS  X   Windows/Linux     Adium     gwibber  (Linux  twitter  client)     iChat     AIM     Twitter.app     …there  has  got  to  be  more     Skype     …..  
  • 10. Information     Talk  to  me  later.  I’ll  be  around  for  the  parties,  and  Black   Lodge  tomorrow.     http://kos.io/skype  (will  be  updated  with  slides  and  more  info)     Twitter  @theKos     Blog  coming  soon  @  http://blog.whitehatsec.com