Same Origin Method Execution (BlackHat EU2014)

Transcript of the talk. Ben Hayak, Security Researcher, [email protected], Twitter: @BenHayak

Same Origin Policy: an attacker's page and a bank's page are different origins, so the browser denies the attacker's page:

• Document access
• Object access
• AJAX requests
• Data leakage

External resources are the exception; these load across origins:

• <img src="[[URL]]">
• <link rel href="[[URL]]">
• <script src="[[URL]]">

Go ahead: <script src="[[URL]]"> loads and runs. External scripts are allowed!

Data formats, XML versus JSON:

//XML..
<xml>
  <person>
    <name>john</name>
    <credit>34</credit>
  </person>
</xml>

{"name":"John","credit":34}

person.name == "John"
person.credit == 34

1. person = RequestData()
2. {"name":"John","credit":34}

JSONP:

• Use 3rd party services
• Overcome SoP

Example: a page on http://benhayak.com includes www.telize.com/geoip?callback=getgeoip as a script; the response calls getgeoip(...) with the data, back inside the benhayak.com page.

SOME: Same Origin Method Execution

Contacts from Yahoo, JSONP as intended:

<script src="http://yahoo.com/contacts?callback=initTable">

function initTable(jsondata) {
  // Build a table with the contacts
}

The response is served as text/javascript and calls initTable with the contacts.

Now the callback parameter says Attack instead:

<script src="http://yahoo.com/contacts?callback=Attack">

function initTable(jsondata) {
  // Build a table with the contacts
}

The same holds for any JSONP endpoint: www.google.com?callback=Attack returns a script that calls Attack, and the browser executes Attack on www.google.com, in that origin. Whatever method name the callback parameter carries is what gets called:

Attack();
Click();
submit();

Gmail: a "Send contacts to Gmail" flow redirects to Gmail, where a Gmail JSONP endpoint is itself a page on the Gmail origin. The attacker controls the callback: mail.google.com?callback=Attack

mail.google.com?callback2=Attack

Execute Attack on mail.google.com.

Callback=<XSS>aaa is rejected: only [A-Za-z0-9.] is allowed. Callback=;alert() is rejected too. That filter stops XSS, but SOME needs only alphanumerics and a dot.

Set up the environment:

1. Redirect main (SelectAll)
2. Redirect first window to "SOME"
3. Redirect 2nd window to "SOME" (Confirm)

Your photos are now publicly available. Mission accomplished.

• We simulate UI clicks
• We only need alphanumeric and a dot
• We can use windows
• User clicks: use a popup bypass
• Currently no restrictions when using windows

Mitigation:

1. Use a static function name as a callback
2. Whitelist callbacks
3. Register CBs: __SOME__['callback']({json})
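Added example, not code from the talk: the three mitigations above applied to a JSONP endpoint, beside the character filter the talk shows being insufficient. The function names (renderJsonpLegacy, renderJsonpSafe, registerCallback, deliver, classify), the whitelist contents and the sample data are assumptions constructed for this illustration.

```javascript
// Added example, not from the talk: the three mitigations applied to a JSONP
// endpoint (static/whitelisted callback names, dispatch through a __SOME__
// registry). Function names are hypothetical; sample data is constructed.

const LEGACY_CALLBACK_RE = /^[A-Za-z0-9.]+$/;  // the "only [A-Za-z0-9.]" filter from the slides
const CALLBACK_WHITELIST = new Set(["initTable", "getgeoip"]);  // assumed static callback names

// Legacy endpoint: any alphanumeric/dotted name is echoed as the function to call.
// It stops <XSS>aaa and ;alert(), but a dotted path to an existing method passes.
function renderJsonpLegacy(callback, data) {
  if (!LEGACY_CALLBACK_RE.test(callback)) return null;
  return `${callback}(${JSON.stringify(data)})`;
}

// Hardened endpoint: exact whitelist match, and the call goes through the page's
// __SOME__ registry instead of naming an arbitrary global or DOM method.
function renderJsonpSafe(callback, data) {
  if (!CALLBACK_WHITELIST.has(callback)) return null;
  return `__SOME__[${JSON.stringify(callback)}](${JSON.stringify(data)})`;
}

// Client side: a prototype-less registry, so only explicitly registered names resolve.
const __SOME__ = Object.create(null);
function registerCallback(name, fn) { __SOME__[name] = fn; }

// Simulates the browser evaluating the script response in the page's context and
// returns what the registered callback returned (null when nothing was rendered).
function deliver(script) {
  if (script === null) return null;
  return new Function("__SOME__", `return ${script};`)(__SOME__);
}

// Classifies a callback parameter the way one would review an endpoint's filter.
function classify(callback) {
  if (!LEGACY_CALLBACK_RE.test(callback)) return "rejected-by-character-filter";
  if (!CALLBACK_WHITELIST.has(callback)) return "passes-filter-but-not-whitelisted";
  return "whitelisted";
}

registerCallback("initTable", (jsondata) => `${jsondata.name}:${jsondata.credit}`);

console.log(classify("anyObject.anyMethod"));  // passes-filter-but-not-whitelisted
console.log(deliver(renderJsonpSafe("initTable", { name: "John", credit: 34 })));  // John:34
```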

• Hijack user's action without interaction
• Can follow limitless flow of actions, dependent or not
• Invisible to the victim
• Any page on the domain becomes vulnerable
