XSS Without the Browser
Wait, what?
Toorcon Seattle, 2011
# whoami
Kyle Osborn. Many know me as Kos.
http://kyleosborn.com/
http://kos.io/
@theKos
Application Security Specialist at WhiteHat Security
HTML Rendering Engines
Trident – Windows (Internet Explorer)
WebKit – OS X (Safari)
Easily embedded.
Easy to update, add features, style, and include advanced user interaction with HTML, JavaScript and CSS.
HTML5 features offer a more seamless desktop interface.
Very Cheap! HTML/JavaScript/CSS are simple.
Web vulnerabilities… In Desktop Applications
• Conventional web vulnerabilities can now become desktop vulnerabilities.
• Forget shellcode, my payload is JavaScript! My exploit isn’t a buffer overflow, it’s double-quotes!
• Binary foo? More like “I once made a website for Grandma’s knitting company”-foo.
What does this mean?
Fixed in the latest versions of Skype (>= 5.0.922).
So what, it’s just a little JavaScript!
Same Origin Policy
Dictates that JavaScript running in one origin cannot read or modify content that belongs to another origin.
Origin based on:
• Protocol (http, https)
• Hostname (google.com)
• Port (:80)
protocol://hostname:port/
But….
The Same Origin Policy is based on an Origin.
What is the “origin” inside a desktop application, where the HTML and script were loaded by the application itself rather than fetched from a server?
• No protocol
• No hostname
• No port
So…
Demo #1 (or video…) [picking on Skype]
Payload:
• Injects an iframe pointing at Google into the chat DOM.
• Injects <img src=x onerror=alert(document.domain)> into the iframe’s document, a cross-origin DOM write that the Same Origin Policy would block in a real browser.
• Requests go out with the user’s Safari cookies and sessions (the embedded WebKit shares the system cookie store).
Demo #2 (or video…) [picking on Skype]
Payload: an XMLHttpRequest opens file:///etc/passwd and then alerts its contents.
• Can read any file on the local filesystem that the user has permission to read.
• Also works against https://mail.google.com/.
• Because the cross-origin response is readable, CSRF tokens can be lifted from it and requests crafted to do essentially anything the logged-in user can.
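Both demos depend on the same first step: a chat message is inserted into the rendering engine’s DOM as raw HTML, so a message body containing a tag, or a display name containing a double quote, becomes markup. The following is an added example, not code from the talk, from Skype or from any real client. It models a chat renderer built by string concatenation beside one that encodes untrusted text for the element and attribute contexts, and adds a small tag/attribute scanner that shows what the engine will actually see in each case. The renderer template, the helper names and the two payload strings are constructed for the example (the `<img>` payload mirrors the one shown in the demo).

```javascript
// Added example: not code from the talk or from any real chat client.
// Vulnerable renderer (string concatenation) next to a hardened one
// (context-aware encoding), plus a minimal scanner that reports which tags
// and attributes an HTML parser would see in the rendered fragment.

const HTML_ESCAPES = new Map([
  ["&", "&amp;"], ["<", "&lt;"], [">", "&gt;"], ['"', "&quot;"], ["'", "&#39;"],
]);

// Encode text so it is inert both as element content and inside a quoted attribute.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES.get(c));
}

// Vulnerable: the sender name lands in a double-quoted attribute and the body
// in element content, neither encoded. A quote in the name breaks out of the
// attribute; a tag in the body becomes a new element.
function renderMessageUnsafe(sender, body) {
  return '<div class="msg" title="' + sender + '"><b>' + sender + '</b>: ' + body + '</div>';
}

// Hardened: same template, every untrusted value encoded for its context.
function renderMessageSafe(sender, body) {
  const s = encodeHtml(sender);
  const b = encodeHtml(body);
  return `<div class="msg" title="${s}"><b>${s}</b>: ${b}</div>`;
}

// Minimal scanner: for each tag in the fragment, its lower-cased name and the
// attribute names a parser would assign to it (quoted values are consumed
// whole, so an encoded &quot; inside a value does not end the attribute).
// Enough to see whether an injected <img> or on* handler survived; not a full
// HTML parser.
function scanTags(html) {
  const tagRe = /<\/?([a-zA-Z][\w-]*)((?:\s+[^\s=\/>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
  const attrRe = /\s+([^\s=\/>]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  const tags = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = [];
    let a;
    while ((a = attrRe.exec(m[2])) !== null) attrs.push(a[1].toLowerCase());
    tags.push({ name: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// True when the fragment carries a tag the template never emits, or any
// event-handler (on*) attribute on any tag.
function containsInjection(html, templateTagNames = ["div", "b"]) {
  return scanTags(html).some(
    (t) => !templateTagNames.includes(t.name) || t.attrs.some((a) => a.startsWith("on")),
  );
}

// Constructed inputs: the body payload mirrors the one shown in the demo, the
// name payload is the "my exploit is double-quotes" case.
const BODY_PAYLOAD = "<img src=x onerror=alert(document.domain)>";
const NAME_PAYLOAD = 'kos" onmouseover="alert(document.domain)';

// Usage: compare what each renderer hands to the engine.
console.log(scanTags(renderMessageUnsafe("kos", BODY_PAYLOAD)));
console.log(scanTags(renderMessageSafe(NAME_PAYLOAD, BODY_PAYLOAD)));
```

The scanner deliberately does not look for the substring `onerror=`: after encoding, that substring is still present as text in the safe output, and a naive grep would flag a fragment that is actually inert. What matters is whether the parser assigns it as an attribute of a tag, which is what `scanTags` reports.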
Basically… If Origin = null… then BAD
If the “origin” doesn’t exist, what is there to compare to? In a browser such a document gets an opaque origin that matches nothing, so the safe answer is that its script reaches nothing; an embedding application that skips or disables the check gets the opposite.
Since http://www.google.com:80/ === null, the JavaScript isn’t really breaking any rules.
As far as I can tell, just a misconfiguration on the developers side.
My point is: The outcome can be very bad, applications like this should be tested.
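The Same Origin Policy slide and the conclusion above come down to what an engine does with a document that has no scheme, host or port to compare. The following is an added example, not code from the talk or from any rendering engine. It computes the origin tuple from a document URL with default ports made explicit, and puts the browser semantics for an origin-less document (opaque, matches nothing) beside the permissive treatment the talk describes (nothing to compare against, so nothing is refused). The function names, the string "null" for an origin-less document and the target list are assumptions made for the example; the targets are the ones named in the demos.

```javascript
// Added example, not code from the talk or from any rendering engine:
// the origin tuple the Same Origin Policy compares, and the two possible
// treatments of a document that has no URL-derived origin.

const DEFAULT_PORTS = new Map([["http:", "80"], ["https:", "443"], ["ws:", "80"], ["wss:", "443"]]);

// Origin of a document as "scheme://host:port" with the default port made
// explicit, so http://www.google.com/ and http://www.google.com:80/ compare
// equal. Documents with no network URL (HTML loaded from a string, about:blank,
// file:) have no tuple; modelled here as the string "null", which is how
// browsers serialise an opaque origin.
function originOf(documentUrl) {
  if (typeof documentUrl !== "string") return "null";
  let u;
  try {
    u = new URL(documentUrl);
  } catch {
    return "null";
  }
  if (!DEFAULT_PORTS.has(u.protocol)) return "null";
  const port = u.port || DEFAULT_PORTS.get(u.protocol);
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Browser semantics: an opaque ("null") origin matches nothing, not even
// another opaque origin, so script in such a document can read nobody's content.
function sameOriginStrict(docUrl, targetUrl) {
  const a = originOf(docUrl);
  const b = originOf(targetUrl);
  return a !== "null" && b !== "null" && a === b;
}

// The failure mode described in the talk, modelled as a check that treats
// "nothing to compare against" as "nothing to refuse": every target becomes
// reachable from a document with no origin. This is roughly what an embedder
// gets by turning web security off or granting its content universal access.
function sameOriginPermissive(docUrl, targetUrl) {
  const a = originOf(docUrl);
  const b = originOf(targetUrl);
  return a === "null" || b === "null" || a === b;
}

// Which targets script in a chat window (no URL) may read under a given policy.
function reachableFrom(docUrl, targets, policy) {
  return targets.filter((t) => policy(docUrl, t));
}

// Constructed target list: the resources named in the demos.
const DEMO_TARGETS = ["https://mail.google.com/", "file:///etc/passwd", "http://www.google.com:80/"];

console.log("strict:    ", reachableFrom(null, DEMO_TARGETS, sameOriginStrict));
console.log("permissive:", reachableFrom(null, DEMO_TARGETS, sameOriginPermissive));
```

Two checks worth carrying into a review of an embedded engine: the document the application's own UI runs in should have a real or an opaque origin, never an unrestricted one, and any setting that disables web security or grants universal access from local content must be off. The output of the two policies above is the difference between an empty list and every target in the demos.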
Where to look
OS X
Adium
iChat
Twitter.app
Skype
…..
Windows/Linux
gwibber (Linux twitter client)
AIM
…there has got to be more
Information
Talk to me later. I’ll be around for the parties, and Black Lodge tomorrow.
http://kos.io/skype (will be updated with slides and more info)
Twitter @theKos
Blog coming soon @ http://blog.whitehatsec.com