xss without browser
DESCRIPTION
2011 Seattle Toorcon presentation I gave. go to http://kyleosborn.org/ for more.TRANSCRIPT
XSS Without the Browser Wait, what?
Toorcon Seattle, 2011
# whoami
Kyle Osborn…. Many know me as Kos.
http://kyleosborn.com/
http://kos.io/
@theKos
Application Security Specialist at WhiteHat Security
HTML Rendering Engines
Trident – Windows (Internet Explorer)
Webkit – OS X (Safari)
Easily embedded.
Easy to update, add features, style, and include advanced user interaction with HTML, JavaScript and CSS.
HTML5 features offer a more seamless desktop interface.
Very Cheap! HTML/JavaScript/CSS are simple.
Web vulnerabilities… In Desktop Applications
• Conventional web vulnerabilities can now become desktop vulnerabilities.
• Forget shellcode, my payload is JavaScript! My exploit isn’t a buffer overflow, it’s double-‐quotes!
• Binary foo? More like “I once made a website for Grandma’s knitting company”-‐foo.
What does this mean?
Fixed in latest versions of Skype >= 5.0.922
So what, it’s just a little JavaScript!
Same Origin Policy
Dictates that JavaScript can not reach content in another context.
Origin based on: Protocol (http, https) Hostname (google.com)
Port (:80) protocol://hostname:port/
But….
The Same Origin Policy is based on an Origin.
What is the “origin” inside desktop applications? No protocol
No hostname
No Port
So…
Demo #1 (or video…) [picking on Skype]
Payload: Injects an iframe with Google into the chat DOM.
Injects <img src=x onerror=alert(document.domain)> into the iframe.
Uses Safari cookies and sessions in requests.
Demo #2 (or video…) [picking on Skype]
Payload: XmlHttpRequest opens file:///etc/passwd and then alerts it
Can access any files on the local filesystem that the user has permission to read.
Also works for https://mail.google.com/
Can be used to bypass CSRF tokens and requests can be crafted to essentially do anything.
Basically… If Origin = null… then BAD
If the “origin” doesn’t exist, what is there to compare to?
Since http://www.google.com:80/ === null JavaScript isn’t really breaking an rules
As far as I can tell, just a misconfiguration on the developers side.
My point is: The outcome can be very bad, applications like this should be tested.
Where to look
OS X
Adium
iChat
Twitter.app
Skype
…..
Windows/Linux
gwibber (Linux twitter client)
AIM
…there has got to be more
Information
Talk to me later. I’ll be around for the parties, and Black Lodge tomorrow.
http://kos.io/skype (will be updated with slides and more info)
Twitter @theKos
Blog coming soon @ http://blog.whitehatsec.com