2. #whoami
Kyle Osborn…. Many know me as Kos.
http://kyleosborn.com/
http://kos.io/
@theKos
Application Security Specialist at WhiteHat Security
3. HTML Rendering Engines
Trident – Windows (Internet Explorer)
Webkit – OS X (Safari)
Easily embedded. Easy to update, add features, style, and include advanced user interaction with HTML, JavaScript and CSS.
HTML5 features offer a more seamless desktop interface.
Very Cheap! HTML/JavaScript/CSS are simple.
4. What does this mean? Web vulnerabilities… In Desktop Applications
• Conventional web vulnerabilities can now become desktop vulnerabilities.
• Forget shellcode, my payload is JavaScript! My exploit isn’t a buffer overflow, it’s double-quotes!
• Binary foo? More like “I once made a website for Grandma’s knitting company”-foo.
Fixed in latest versions of Skype >= 5.0.922
5. So what, it’s just a little JavaScript!
Same Origin Policy
Dictates that JavaScript can not reach content in another context.
Origin based on:
Protocol (http, https)
Hostname (google.com)
Port (:80)
protocol://hostname:port/

But…. The Same Origin Policy is based on an Origin. What is the “origin” inside desktop applications?
No protocol
No hostname
No Port
So…
6. Demo #1 (or video…) [picking on Skype]
Payload:
Injects an iframe with Google into the chat DOM.
Injects <img src=x onerror=alert(document.domain)> into the iframe.
Uses Safari cookies and sessions in requests.
7. Demo #2 (or video…) [picking on Skype]
Payload: XmlHttpRequest opens file:///etc/passwd and then alerts it.
Can access any files on the local filesystem that the user has permission to read.
Also works for https://mail.google.com/
Can be used to bypass CSRF tokens and requests can be crafted to essentially do anything.
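An added example, not code from the talk and not Skype's code: a chat renderer that concatenates untrusted message text into HTML (the class of bug both demos start from) next to a hardened version that encodes it first, plus a small review check that scans rendered markup for script-capable tags. The render functions, the tag scanner and the chat markup are hypothetical, written for this example.

```javascript
// Added example (not from the talk, not Skype's code). The renderers and the
// scanner below are hypothetical, written only to illustrate the fix.

// Encode the characters that can open a tag or break out of an attribute.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: sender and text land in the markup unchanged, so a message
// containing a tag becomes part of the chat DOM.
function renderMessageUnsafe(sender, text) {
  return `<div class="msg"><b>${sender}</b>: ${text}</div>`;
}

// Hardened: every untrusted field is encoded before it touches markup, so the
// same message is displayed as literal text.
function renderMessageSafe(sender, text) {
  return `<div class="msg"><b>${escapeHtml(sender)}</b>: ${escapeHtml(text)}</div>`;
}

// Review check: list tags in rendered HTML that can run script or load remote
// content (by element name, or by carrying an on* event-handler attribute).
// Encoded text contains no real '<', so it yields no tags at all.
function activeMarkupIn(html) {
  const risky = new Set(['script', 'iframe', 'img', 'svg', 'object', 'embed']);
  const tagRe = /<([a-zA-Z][\w-]*)([^>]*)>/g;
  const found = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    if (risky.has(name) || /\son[a-z]+\s*=/i.test(m[2])) found.push(m[0]);
  }
  return found;
}

// Constructed sample input: the payload shown on the Demo #1 slide.
const PAYLOAD = '<img src=x onerror=alert(document.domain)>';

// Usage: compare what each renderer produces for the same message.
console.log(activeMarkupIn(renderMessageUnsafe('kos', PAYLOAD))); // ['<img src=x onerror=alert(document.domain)>']
console.log(activeMarkupIn(renderMessageSafe('kos', PAYLOAD)));   // []
```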
8. Basically…
If Origin = null… then BAD
If the “origin” doesn’t exist, what is there to compare to?
Since http://www.google.com:80/ === null, JavaScript isn’t really breaking any rules.
As far as I can tell, just a misconfiguration on the developer’s side.
My point is: The outcome can be very bad, applications like this should be tested.
9. Where to look
OS X: Adium, iChat, Twitter.app, Skype
Windows/Linux: gwibber (Linux twitter client), AIM
…there has got to be more…..
10. Information
Talk to me later. I’ll be around for the parties, and Black Lodge tomorrow.
http://kos.io/skype (will be updated with slides and more info)
Twitter @theKos
Blog coming soon @ http://blog.whitehatsec.com