Exploiting A Callback For Same Origin Policy Bypass. SOME - "Same Origin Method Execution" is a new technique that abuses callback endpoints in order to perform a limitless number of unintended actions on a website on behalf of users, by assembling a malicious set of timed frames and/or windows. Despite the similarity to click-jacking, this attack is not UI related nor it is confined in terms of user interaction, browser brand, HTTP X-FRAME-OPTIONS/Other response headers or a particular webpage, in fact, when a webpage found vulnerable to "SOME", the entire domain becomes vulnerable. During this talk, I intend to demonstrate how JSONP opens a backdoor, even in the most protected domains, to a very powerful attack that can cause severe damage without any user-interaction.

1. Ben Hayak
Security Researcher
Ben.Hayak@gmail.com
Twitter: @BenHayak

15. Attacker
Bank

16. • Document Access
• Object Access
• AJAX Requests
• Data Leakage

17. • <img src=“[[URL]]”>
• <link rel href=“[[URL]]”>
• <script src=“[[URL]]”>
[[External resources]] Go Ahead

18. <script src=“[[URL]]”>
External Scripts are Allowed!

24. //XML..
<xml>
<person>
<name>john</name>
<credit>34</credit>
</person>
</xml>

25. {“name”:”John”,”credit”:34}

26. person.name == “John”
person.credit == 34
1. person = RequestData()
2. {“name”:”John”,”credit”:34}

27. • Use 3rd Party services
• Overcome SoP

28. http://benhayak.com

29. http://benhayak.com

30. www.telize.com/geoip?callback=getgeoip

32. http://benhayak.com

33. 



46. SOME

47. .
Ballpoint pen

51. SOME

55. Contacts from YAHOO

56. <script src=
“http://yahoo.com/contacts?callback= ” >initTable
Function initTable(jsondata) {
//Build a table with the contacts
}

57. <script src=
“http://yahoo.com/contacts?callback= ” >Attack
Function initTable(jsondata) {
//Build a table with the contacts
}

58. text/javascript

59. Attack
www.google.com?callback=Attack

60. Attack
www.google.com?callback=Attack

61. www.google.com?callback=Attack
Execute Attack on www.google.com

62. Attack();

63. Click();

64. submit();

67. Gmail

68. Send Contacts
To Gmail
Gmail

69. Redirect….Gmail

70. Gmail JSONP Endpoint

71. Gmail
JSONP
Page(endpoint)
Gmail

72. Attacker controls the Callback
mail.google.com?callback= Attack

73. Gmail JSONP Endpoint

74. Attack
mail.google.com?callback2=Attack

75. Attack
mail.google.com?callback2=Attack

76. mail.google.com?callback2=Attack
Execute Attack on mail.google.com

80. Callback=<XSS>aaa
Only [A-Za-z0-9.] allowed
Callback=;alert()

82. Set up the environment

83. 1. Redirect Main

84. SelectAll
1. Redirect Main

85. SelectAll
2. Redirect first
window to “SOME”

86. 2. Redirect first
window to “SOME”
Confirm

87. 3. Redirect 2nd
window to “SOME”
Confirm

88. Your photos are now
publicly available
Mission Accomplished

90. We simulate UI clicks

91. We only need
alphanumeric and a dot

92. We can use Windows

93. User Clicks
Use a popup bypass

94. Currently no restrictions
when using windows

96. 1. Use a static function name as a Callback
2. Whitelist callbacks
3. Register CBs: __SOME__[‘callback’]({json})

97. • Hijack User’s action without interaction
• Can follow limitless flow of actions
dependent/not.
• Invisible to the victim
• Any page on the domain becomes vulnerable

98. Ben Hayak
Security Researcher
Ben.Hayak@gmail.com
Twitter: @BenHayak