Upgrade to Pro — share decks privately, control downloads, hide ads and more …

eu-14-Hayak-Same-Origin-Method-Execution-Some-E...

Avatar for anonymous anonymous
September 29, 2016
Programming
1
100

 eu-14-Hayak-Same-Origin-Method-Execution-Some-Exploiting-A-Callback-For-Same-Origin-Policy-Bypass

eu-14-Hayak-Same-Origin-Method-Execution-Some-Exploiting-A-Callback-For-Same-Origin-Policy-Bypass

Avatar for anonymous

anonymous

September 29, 2016
Tweet

More Decks by anonymous

See All by anonymous
为什么我退出谷歌为自己工作
Avatar for anonymous webgeeker
0
29
flutter-ui-succinctly
Avatar for anonymous webgeeker
0
110
try jquery part1
Avatar for anonymous webgeeker
0
50
LARACON_2013.pdf
Avatar for anonymous webgeeker
0
51
AngularJS 1
Avatar for anonymous webgeeker
2
120
React
Avatar for anonymous webgeeker
1
300
SVG for vector
Avatar for anonymous webgeeker
2
130
JavaScript 客户端检测
Avatar for anonymous webgeeker
0
110
REC-SVG11-20110816
Avatar for anonymous webgeeker
0
66

Other Decks in Programming

See All in Programming
仕様がそのままテストになる!Javaで始める振る舞い駆動開発
Avatar for uutan1108 ohmori_yusuke
8
4.6k
Doc Translate - LLMを活用したコードドキュメント自動翻訳VSCode拡張機能
Avatar for kmuto eycjur
0
110
ソフトウェア設計の課題・原則・実践技法
Avatar for 増田 亨 masuda220
PRO
21
16k
社内オペレーション改善のためのTypeScript / TSKaigi Hokuriku 2025
Avatar for dachi023 dachi023
1
120
Rails Girls Sapporo 2ndの裏側―準備の日々から見えた、私が得たもの / SAPPORO ENGINEER BASE #11
Avatar for はる lemonade_37
2
190
AI 時代だからこそ抑えたい「価値のある」PHP ユニットテストを書く技術 #phpconfuk / phpcon-fukuoka-2025
Avatar for shogogg shogogg
1
580
目的で駆動する、AI時代のアーキテクチャ設計 / purpose-driven-architecture
Avatar for MinoDriven minodriven
10
3.3k
Building AI Agents with TypeScript #TSKaigiHokuriku
Avatar for izumin5210 izumin5210
5
990
「10分以内に機能を消せる状態」 の実現のためにやっていること
Avatar for おぎ togishima
1
530
GraalVM Native Image トラブルシューティング機能の最新状況(2025年版)
Avatar for NTTドコモソリューションズ Java担当 ntt_dsol_java
0
160
詳細の決定を遅らせつつ実装を早くする
Avatar for shimabox shimabox
2
1.3k
Micro Frontendsで築いた 共通基盤と運用の試行錯誤 / Building a Shared Platform with Micro Frontends: Operational Learnings
Avatar for Yuto Kaneko kyntk
0
120

Featured

See All Featured
Docker and Python
Avatar for Tania Allard trallard
46
3.7k
Fight the Zombie Pattern Library - RWD Summit 2016
Avatar for Marcelo Somers marcelosomers
234
17k
A Modern Web Designer's Workflow
Avatar for Chris Coyier chriscoyier
697
190k
How To Stay Up To Date on Web Technology
Avatar for Chris Coyier chriscoyier
791
250k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
9
680
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
57
6.1k
Why Our Code Smells
Avatar for Brandon Keepers bkeepers
PRO
340
57k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
132
19k
Git: the NoSQL Database
Avatar for Brandon Keepers bkeepers
PRO
432
66k
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
65
8k
Done Done
Avatar for chrislema chrislema
186
16k
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
234
18k

Transcript

  1. Ben Hayak Security Researcher [email protected] Twitter: @BenHayak

  2. None
  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None

  15. Attacker Bank

  16. • Document Access • Object Access • Ajax Requests •

    Data Leakage

  17. • <img src=“[[URL]]”> • <link rel href=“[[URL]]”> • <script src=“[[URL]]”>

    [[External resources]] Go Ahead
  18. None
  19. None
  20. None

  21. //XML.. <xml> <person> <name>john</name> <credit>34</credit> </person> </xml>

  22. None

  23. var person = {“name”:”John”,”credit”:34}

  24. person.name == “John” person.credit == 34 1. person = RequestData

    2. {“name”:”John”,”credit”:34}

  25. Easy Fast Light

  26. www.telize.com/geoip?callback=getgeoip

  27. http://benhayak.com

  28. http://benhayak.com

  29. http://benhayak.com

  30. • <img src=“[[URL]]”> • <link rel href=“[[URL]]”> • <script src=“[[URL]]”>

    [[External resources]] Go Ahead

  31. <script src= “http://external/geo?callback=getgeoip”>

  32. None
  33. None
  34. None
  35. None
  36. None
  37. None
  38. None
  39. None
  40. None
  41. None
  42. None
  43. None

  44. SOME

  45. .

  46. None
  47. None
  48. None

  49. SOME

  50. None
  51. None
  52. None
  53. None
  54. None

  55. <script src= “http://emailservice/contacts?callback= ” > initTable Test Attack Function initTable(jsondata)

    { //doSomething in www.google.com (example) }

  56. text/javascript

  57. AttackerInput();

  58. None
  59. None
  60. None
  61. None
  62. None

  63. Callback=<XSS>aaa Only [A-Za-z0-9.] allowed Callback=;alert()

  64. Setup the Environment

  65. 1. Redirect MAIN

  66. Share 1. Redirect MAIN

  67. Share 2. Redirect placeholder to SOME

  68. Share 2. Redirect placeholder to SOME Are you sure? Yes

    No

  69. Are you sure? Yes No 3. Redirect 2nd placeholder to

    SOME

  70. Your Album is now Public Mission Accomplished

  71. None
  72. None

  73. We don’t need them

  74. We only need alphanumeric and a dot

  75. We can use Windows

  76. Use a popup bypass

  77. No restrictions when using windows

  78. None

  79. Ben Hayak Security Researcher [email protected] Twitter: @BenHayak

  80. None