Upgrade to Pro — share decks privately, control downloads, hide ads and more …

eu-14-Hayak-Same-Origin-Method-Execution-Some-E...

Avatar for anonymous anonymous
September 29, 2016
Programming
1
110

 eu-14-Hayak-Same-Origin-Method-Execution-Some-Exploiting-A-Callback-For-Same-Origin-Policy-Bypass

eu-14-Hayak-Same-Origin-Method-Execution-Some-Exploiting-A-Callback-For-Same-Origin-Policy-Bypass

Avatar for anonymous

anonymous

September 29, 2016
Tweet

More Decks by anonymous

See All by anonymous
为什么我退出谷歌为自己工作
Avatar for anonymous webgeeker
0
32
flutter-ui-succinctly
Avatar for anonymous webgeeker
0
120
try jquery part1
Avatar for anonymous webgeeker
0
51
LARACON_2013.pdf
Avatar for anonymous webgeeker
0
55
AngularJS 1
Avatar for anonymous webgeeker
2
120
React
Avatar for anonymous webgeeker
1
310
SVG for vector
Avatar for anonymous webgeeker
2
130
JavaScript 客户端检测
Avatar for anonymous webgeeker
0
110
REC-SVG11-20110816
Avatar for anonymous webgeeker
0
67

Other Decks in Programming

See All in Programming
2026年は Rust 置き換えが流行る! / 20260220-niigata-5min-tech
Avatar for girigiribauer girigiribauer
0
230
Claude Codeセッション現状確認 2026福岡 / fukuoka-aicoding-00-beacon
Avatar for monochromegane monochromegane
4
400
米国のサイバーセキュリティタイムラインと見る Goの暗号パッケージの進化
Avatar for tom twinkle tomtwinkle
2
530
手戻りゼロ? Spec Driven Developmentとは@KAG AI week
Avatar for Tomoki Hirai tmhirai
1
170
コーディングルールの鮮度を保ちたい / keep-fresh-go-internal-conventions
Avatar for NAGATA Hiroaki handlename
0
170
Claude Code、ちょっとした工夫で開発体験が変わる
Avatar for Toranosuke Minamikawa tigertora7571
0
200
AI時代のソフトウェア開発でも「人が仕様を書く」から始めよう-医療IT現場での実践とこれから
Avatar for kouki.miura koukimiura
0
140
NOT A HOTEL - 建築や人と融合し、自由を創り出すソフトウェア
Avatar for Hokuto Shimokawa not_a_hokuts
2
910
猫の手も借りたい!ので AIエージェント猫を作って社内に放した話 Claude Code × Container Lambda の Slack Bot "DevNeko"
Avatar for naramomi7 naramomi7
0
260
AIとペアプロして処理時間を97%削減した話 #pyconshizu
Avatar for Kashun Yoshida kashewnuts
1
210
encoding/json/v2のUnmarshalはこう変わった:内部実装で見る設計改善
Avatar for Hiroki Kurasawa kurakura0916
0
370
AHC061解説
Avatar for Shun_PI shun_pi
0
350

Featured

See All Featured
Breaking role norms: Why Content Design is so much more than writing copy - Taylor Woolridge
Avatar for UX Y'all uxyall
0
200
Visual Storytelling: How to be a Superhuman Communicator
Avatar for David Neal reverentgeek
2
460
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
659
61k
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
225
10k
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
12
1.5k
Fireside Chat
Avatar for paigeccino paigeccino
42
3.8k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
Avatar for Rebecca Miller-Webster rmw
35
3.4k
Deep Space Network (abreviated)
Avatar for Tony Rice tonyrice
0
86
How To Speak Unicorn (iThemes Webinar)
Avatar for Michelle Schulp Hunt marktimemedia
1
400
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
Avatar for Kevin Liebholz kevinliebholz
37
6.3k
A designer walks into a library…
Avatar for Paul Jervis Heath pauljervisheath
210
24k
Docker and Python
Avatar for Tania Allard trallard
47
3.8k

Transcript

  1. Ben Hayak Security Researcher [email protected] Twitter: @BenHayak

  2. None
  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None

  15. Attacker Bank

  16. • Document Access • Object Access • Ajax Requests •

    Data Leakage

  17. • <img src=“[[URL]]”> • <link rel href=“[[URL]]”> • <script src=“[[URL]]”>

    [[External resources]] Go Ahead
  18. None
  19. None
  20. None

  21. //XML.. <xml> <person> <name>john</name> <credit>34</credit> </person> </xml>

  22. None

  23. var person = {“name”:”John”,”credit”:34}

  24. person.name == “John” person.credit == 34 1. person = RequestData

    2. {“name”:”John”,”credit”:34}

  25. Easy Fast Light

  26. www.telize.com/geoip?callback=getgeoip

  27. http://benhayak.com

  28. http://benhayak.com

  29. http://benhayak.com

  30. • <img src=“[[URL]]”> • <link rel href=“[[URL]]”> • <script src=“[[URL]]”>

    [[External resources]] Go Ahead

  31. <script src= “http://external/geo?callback=getgeoip”>

  32. None
  33. None
  34. None
  35. None
  36. None
  37. None
  38. None
  39. None
  40. None
  41. None
  42. None
  43. None

  44. SOME

  45. .

  46. None
  47. None
  48. None

  49. SOME

  50. None
  51. None
  52. None
  53. None
  54. None

  55. <script src= “http://emailservice/contacts?callback= ” > initTable Test Attack Function initTable(jsondata)

    { //doSomething in www.google.com (example) }

  56. text/javascript

  57. AttackerInput();

  58. None
  59. None
  60. None
  61. None
  62. None

  63. Callback=<XSS>aaa Only [A-Za-z0-9.] allowed Callback=;alert()

  64. Setup the Environment

  65. 1. Redirect MAIN

  66. Share 1. Redirect MAIN

  67. Share 2. Redirect placeholder to SOME

  68. Share 2. Redirect placeholder to SOME Are you sure? Yes

    No

  69. Are you sure? Yes No 3. Redirect 2nd placeholder to

    SOME

  70. Your Album is now Public Mission Accomplished

  71. None
  72. None

  73. We don’t need them

  74. We only need alphanumeric and a dot

  75. We can use Windows

  76. Use a popup bypass

  77. No restrictions when using windows

  78. None

  79. Ben Hayak Security Researcher [email protected] Twitter: @BenHayak

  80. None