$30 off During Our Annual Pro Sale. View Details »

2000day in Safari

Bo0oM
May 21, 2019
2
2k

2000day in Safari

Bo0oM

May 21, 2019
Tweet

More Decks by Bo0oM

See All by Bo0oM
Защита от вредоносной автоматизации сегодня
bo0om
0
370
Defending against automatization using nginx
bo0om
0
630
Antibot pitch deck
bo0om
0
89
31337
bo0om
0
76
Your back is white
bo0om
0
200
FTP2RCE
bo0om
0
6.5k
Interpret it!
bo0om
0
980
At Home Among Strangers
bo0om
1
3.3k
Partyhack 3.0 - Telegram bugbounty writeup
bo0om
0
3.9k

Featured

See All Featured
Optimising Largest Contentful Paint
csswizardry
7
2k
The World Runs on Bad Software
bkeepers
PRO
59
6.2k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
10
1.3k
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
Optimizing for Happiness
mojombo
368
68k
Documentation Writing (for coders)
carmenintech
55
3.5k
The Cost Of JavaScript in 2023
addyosmani
10
3.1k
Rails Girls Zürich Keynote
gr2m
90
12k
Statistics for Hackers
jakevdp
788
220k
Teambox: Starting and Learning
jrom
125
8.2k
The Invisible Customer
myddelton
113
12k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k

Transcript

  1. 2000-day in Safari
    Anton Lopanitsyn
    @i_bo0om

    View Slide

  2. phdays.com #PHDays
    XSS
    https://portswigger.net/web-security/cross-site-scripting

    View Slide

  3. phdays.com #PHDays
    UXSS
    https://evil.com
    https://victim.com

    View Slide

  4. phdays.com #PHDays
    Save as webpage, complete

    View Slide

  5. phdays.com #PHDays
    chrome://flags

    View Slide

  6. phdays.com #PHDays
    MHTML

    View Slide

  7. phdays.com #PHDays
    MHTML

    View Slide

  8. phdays.com #PHDays

    View Slide

  9. phdays.com #PHDays
    Safari save as webarchive

    View Slide

  10. phdays.com #PHDays
    Signed
    webarchive

    View Slide

  11. phdays.com #PHDays
    Plaintext webarchive

    View Slide

  12. phdays.com #PHDays
    Plaintext webarchive

    View Slide

  13. phdays.com #PHDays
    Plaintext webarchive

    View Slide

  14. phdays.com #PHDays

    View Slide

  15. phdays.com #PHDays
    https://blog.rapid7.com/2013/04/25/abusing-safaris-webarchive-file-format/

    View Slide

  16. phdays.com #PHDays

    View Slide

  17. phdays.com #PHDays

    View Slide

  18. phdays.com #PHDays

    View Slide

  19. phdays.com #PHDays

    View Slide

  20. phdays.com #PHDays

    View Slide

  21. phdays.com #PHDays
    xhtml

    View Slide

  22. phdays.com #PHDays
    xhtml

    View Slide

  23. phdays.com #PHDays
    file:///Users/bo0om/Library/Containers/com.apple.mail/Data/Library/Mail%20
    Downloads/2F4D2013-CCBF-4341-B05E-CEB4B76F30CE/Document.xhtm
    file:///Users/bo0om/Downloads/33h0ygug3ulny0gvwhh3d.webarchive

    View Slide

  24. phdays.com #PHDays

    View Slide

  25. phdays.com #PHDays
    file:///Users/bo0om/Library/Containers/com.apple.mail/Data/Downloads/x.webarchive
    file:///Users/bo0om/Library/Containers/com.apple.mail/Downloads/x.webarchive
    file:///Users/bo0om/Library/Containers/Downloads/x.webarchive
    file:///Users/bo0om/Library/Downloads/x.webarchive
    file:///Users/bo0om/Downloads/x.webarchive

    View Slide

  26. phdays.com #PHDays
    DEMO
    https://github.com/Bo0oM/Safari2000day)

    View Slide

  27. Thank you!

    View Slide