![Page 1: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/1.jpg)
PRELIMINARY SLIDES
Wednesday, 10 October 2012
![Page 2: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/2.jpg)
THIS WAYWednesday, 10 October 2012
![Page 3: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/3.jpg)
Wednesday, 10 October 2012
![Page 4: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/4.jpg)
NO, it is not about horror stories concerning
JavaScript
WE ALL LOVE FEAR-MONGERING.
Wednesday, 10 October 2012
![Page 5: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/5.jpg)
starting with the credits...Wednesday, 10 October 2012
![Page 6: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/6.jpg)
A Short Historyof the javascript security arsenal
Castcfcd208495d565ef66e7dff9f98764da
c4ca4238a0b923820dcc509a6f75849bc81e728d9d4c2f636f067f89cc14862ceccbc87e4b5ce2fe28308fd9f2a7baf3a87ff679a2f3e71d9181a67b7542122c
e4da3b7fbbce2345d7772b0674a318d51679091c5a880faf6fb5e6087eb1b2dc8f14e45fceea167a5a36dedd4bea2543c9f0f895fb98ab9159f51fd0297e236d45c48cce2e2d7fbdea1afc51c7c6ad26
d3d9446802a44259755d38e6d163e8206512bd43d9caa6e02c990b0a82652dcac20ad4d76fe97759aa27a0c99bff6710c51ce410c124a10e0db5e4b97fc2af39aab3238922bcc25a6f606eb525ffdc569bf31c7ff062936a96d3c8bd1f8f2ff3
c74d97b01eae257e44aa9d5bade97baf70efdf2ec9b086079795c442636b55fb
...
...
Wednesday, 10 October 2012
![Page 7: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/7.jpg)
Web Technologies Of The 90s
Wednesday, 10 October 2012
![Page 8: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/8.jpg)
Web Technologies As Of Today
Wednesday, 10 October 2012
![Page 9: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/9.jpg)
NOISEWednesday, 10 October 2012
![Page 10: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/10.jpg)
THE WWW MAPWednesday, 10 October 2012
![Page 11: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/11.jpg)
SERIOUS BUSINESSWednesday, 10 October 2012
![Page 12: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/12.jpg)
SECURITY IS FASHIONWednesday, 10 October 2012
![Page 13: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/13.jpg)
Top Web Hacking Techniques 2007
• XSS Vulnerabilities in Common Shockwave Flash Files
• Universal XSS in Adobe’s Acrobat Reader Plugin
• Firefox’s JAR: Protocol Issues
• Cross-site Printing (Printer Spamming)
• Hiding JS in Valid Images
• Firefoxurl URI Handler Flow
• Anti-DNS Pinning (DNS Rebinding)
• Google Gmail E-mail Hijack Techniques
• PDF XSS Can Compromise Your Machine
• Port Scan without JavaScript
Wednesday, 10 October 2012
![Page 14: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/14.jpg)
Top Web Hacking Techniques 2008
• GIFAR
• Breaking Google Gears’ Cross-Origin Communication Model
• Safari Carpet Bomb
• Clickjacking/Videojacking
• A Different Opera
• Abusing HTML 5 Structured Client-side Storage
• Cross-domain leaks of site logins via Authenticated CSS
• Tunneling TCP over HTTP over SQL Injection
• ActiveX Repurposing
• Flash Parameter Injection
Wednesday, 10 October 2012
![Page 15: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/15.jpg)
Top Web Hacking Techniques 2009
• Creating a rogue CA certificate
• HTTP Parameter Pollution (HPP)
• Flickr’s API Signature Forgery Vulnerability (MD5 extension attack)
• Cross-domain search timing
• Slowloris HTTP DoS
• Microsoft IIS 0-Day Vulnerability Parsing Files (semi-colon bug)
• Exploiting exploitable XSS
• Our Favorite XSS Filters and how to Attack them
• RFC1918 Caching Security Issues
• DNS Rebinding – Persistent Cookies, Scarping & Spamming and Session Fixation
Wednesday, 10 October 2012
![Page 16: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/16.jpg)
Top Web Hacking Techniques 2010
• Padding Oracle’ Crypto Attack
• Evercookie
• Hacking Auto-Complete
• Attacking HTTPS with Cache Injection
• Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
• Universal XSS in IE8
• HTTP POST DoS
• JavaSnoop
• CSS History Hack in Firefox Without JavaScript for Intranet Portscanning
• Java Applet DNS Rebinding
Wednesday, 10 October 2012
![Page 17: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/17.jpg)
Top Web Hacking Techniques 2011
• Bypassing Flash’s local-with-filesystem sandbox
• Abusing HTTP Status Codes to Expose Private Information
• SpyTunes: Find out what iTunes music someone else has
• CSRF: Flash + 307 redirect = Game Over
• Close encounter of the third kind (client-side JavaScript vulnerabilities)
• Tracking users that block cookies with a HTTP redirect
• The Failure of Noise-Based Non-Continuous Audio Captchas
• Kindle Touch (5.0) Jailbreak/Root and SSH
• NULLs in entities in Firefox
• Timing Attacks on CSS Shaders
Wednesday, 10 October 2012
![Page 18: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/18.jpg)
0
22.5
45
67.5
90
2007 2008 2009 2010 2011
YEAR
COUNT
Wednesday, 10 October 2012
![Page 19: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/19.jpg)
WARNINGWednesday, 10 October 2012
![Page 20: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/20.jpg)
JAVASCRIPTWednesday, 10 October 2012
![Page 21: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/21.jpg)
NOT AJAXWednesday, 10 October 2012
![Page 22: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/22.jpg)
JUST JAVASCRIPTWednesday, 10 October 2012
![Page 23: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/23.jpg)
XSS
WEBVICTIM
VICTIM
VICTIM
ATTACKER
Wednesday, 10 October 2012
![Page 24: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/24.jpg)
alert(1);
Wednesday, 10 October 2012
![Page 25: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/25.jpg)
Some XSS Attacks• 2005 - Myspace Worm, Facebook Worm
• 2006 - Yammaner Worm
• 2007 - Orkut Worm
• 2008 - Yahoo IM XSS
• 2009 - Twitter hit by multiple XSS variants, Memova XSS
• 2010 - Apache XSS Attack
• 2011 - Obama XSS, PWN2OWN via XSS, Skype XSS
• 2012 - Facebook Math.Random XSS, Gmail Stored XSS
Wednesday, 10 October 2012
![Page 26: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/26.jpg)
...inspiration for this presentation...
Wednesday, 10 October 2012
![Page 27: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/27.jpg)
JIKTOWednesday, 10 October 2012
![Page 28: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/28.jpg)
ATTACKAPI
Wednesday, 10 October 2012
![Page 29: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/29.jpg)
MYSPACEWORMWednesday, 10 October 2012
![Page 30: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/30.jpg)
3 Evil Plans
Wednesday, 10 October 2012
![Page 31: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/31.jpg)
EVIL PLAN 01
WEBVICTIM
VICTIM
ATTACKER
TARGET
TARGET
User the victim’s browser to attack other web targets.
Wednesday, 10 October 2012
![Page 32: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/32.jpg)
Evil Plan 01
JIKTO
Wednesday, 10 October 2012
![Page 33: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/33.jpg)
EVIL PLAN 02
NETWORKVICTIM
RESOURCE
RESOURCE
ATTACKER
User the victim’s browser to compromise the local network.
Wednesday, 10 October 2012
![Page 34: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/34.jpg)
Evil Plan 02
★ JavaScript Port Scanner
★ JavaScript Authorisation Brutforcer
★ Attacking UPnP
★ CSRF and Authentication Bypass in home routers
★ Attacking Linksys cameras
★ Attacking other embedded network devices
Wednesday, 10 October 2012
![Page 35: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/35.jpg)
EVIL PLAN 03
SOCIALNETWORK
VICTIM
VICTIM
VICTIM
ATTACKER
User the victim’s browser to attack other people’s profiles.
Wednesday, 10 October 2012
![Page 36: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/36.jpg)
Evil Plan 03
ALL OF ‘EM
Wednesday, 10 October 2012
![Page 37: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/37.jpg)
...but there is also this...
Wednesday, 10 October 2012
![Page 38: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/38.jpg)
BONUS EVIL PLAN
OSTORJY
VIRI
VIRI
TROJY
User the victim’s browser to compromise the system.
Wednesday, 10 October 2012
![Page 39: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/39.jpg)
Bonus Evil Plan
★ Attacking Browsers and Browser Chrome
★ Abuse Browser Extension System
★ Weaken Browser Security Controls
★ Use other system tools like JScript, etc.
2005, 2006, 2007, 2008
Wednesday, 10 October 2012
![Page 40: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/40.jpg)
TOOLSWednesday, 10 October 2012
![Page 41: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/41.jpg)
&&
JUST...but also...
SET, XSSF, XSSER, WebSploit
Client-Side Exploitation
Wednesday, 10 October 2012
![Page 42: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/42.jpg)
...it is about using the browser for security testing....
Wednesday, 10 October 2012
![Page 43: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/43.jpg)
THE WEB IN A BOXWednesday, 10 October 2012
![Page 44: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/44.jpg)
2009, 2010, 2011, 2012
Wednesday, 10 October 2012
![Page 45: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/45.jpg)
JS Port Scanner AttackAPI Websecurify Suite Weaponry
Wednesday, 10 October 2012
![Page 46: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/46.jpg)
Weapony ...
Wednesday, 10 October 2012
![Page 47: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/47.jpg)
★ Create a Client-side Security Scanner
★ Create Client-side Security Tools
Wednesday, 10 October 2012
![Page 48: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/48.jpg)
BUT JAVASCRIPT ****SWednesday, 10 October 2012
![Page 49: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/49.jpg)
ARCHITECTURE
TARGET
COMPILER
OBJECTIVE-C
CODE
JAVASCRIPT OTHER
Wednesday, 10 October 2012
![Page 50: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/50.jpg)
ARCHITECTURE
BROWSER PLUGIN
ENGINE
BROWSER
Wednesday, 10 October 2012
![Page 51: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/51.jpg)
I BELIEVE IN THISWednesday, 10 October 2012
![Page 52: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/52.jpg)
So Long, and Thanks for All the
Fish@ryancbarnett @securityshell @soaj1664ashar
@olemoudi @troyhunt @bdpuk @BGInfoSecKnight @mcarli @Rob_OEM @antisnatchor @ethicalhack3r
@madpowah @marcwickenden
~LinsenSchussTkgd2007
Anonymous Contributors
Universal Pictures, MGM, etc...
Wednesday, 10 October 2012
![Page 53: PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •](https://reader034.vdocuments.us/reader034/viewer/2022042419/5f365fbb1ea0b048c2174b46/html5/thumbnails/53.jpg)
Pentesting In Action
Wednesday, 10 October 2012