Upgrade to Pro — share decks privately, control downloads, hide ads and more …

eu-14-Hayak-Same-Origin-Method-Execution-Some-E...

Avatar for anonymous anonymous
September 29, 2016
Programming
1
100

 eu-14-Hayak-Same-Origin-Method-Execution-Some-Exploiting-A-Callback-For-Same-Origin-Policy-Bypass

eu-14-Hayak-Same-Origin-Method-Execution-Some-Exploiting-A-Callback-For-Same-Origin-Policy-Bypass

Avatar for anonymous

anonymous

September 29, 2016
Tweet

More Decks by anonymous

See All by anonymous
为什么我退出谷歌为自己工作
Avatar for anonymous webgeeker
0
27
flutter-ui-succinctly
Avatar for anonymous webgeeker
0
110
try jquery part1
Avatar for anonymous webgeeker
0
50
LARACON_2013.pdf
Avatar for anonymous webgeeker
0
51
AngularJS 1
Avatar for anonymous webgeeker
2
110
React
Avatar for anonymous webgeeker
1
300
SVG for vector
Avatar for anonymous webgeeker
2
130
JavaScript 客户端检测
Avatar for anonymous webgeeker
0
110
REC-SVG11-20110816
Avatar for anonymous webgeeker
0
65

Other Decks in Programming

See All in Programming
XP, Testing and ninja testing ZOZ5
Avatar for seki at druby.org m_seki
3
620
バッチ処理を「状態の記録」から「事実の記録」へ
Avatar for HideyukiKitao panda728
PRO
0
150
大規模アプリのDIフレームワーク刷新戦略 ~過去最大規模の並行開発を止めずにアプリ全体に導入するまで~
Avatar for GO Inc. dev mot_techtalk
1
430
非同期jobをtransaction内で 呼ぶなよ!絶対に呼ぶなよ!
Avatar for Yuto Urushima alstrocrack
0
710
ポスターセッション: 「まっすぐ行って、右!」って言ってラズパイカーを動かしたい 〜生成AI × Raspberry Pi Pico × Gradioの試作メモ〜
Avatar for komo_fr komofr
0
1.3k
overlayPreferenceValue で実現する ピュア SwiftUI な AdMob ネイティブ広告
Avatar for Takashi uhucream
0
180
Devvox Belgium - Agentic AI Patterns
Avatar for Kevin Dubois kdubois
1
110
CSC509 Lecture 04
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
300
Railsだからできる 例外業務に禍根を残さない 設定設計パターン
Avatar for えいえい ei_ei_eiichi
0
460
Software Architecture
Avatar for Henning Schwentner hschwentner
6
2.3k
アメ車でサンノゼを走ってきたよ!
Avatar for Shigure Shimotori s_shimotori
0
220
登壇は dynamic! な営みである / speech is dynamic
Avatar for Daichi KUDO da1chi
0
300

Featured

See All Featured
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
PRO
23
1.5k
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
280
24k
How to train your dragon (web standard)
Avatar for Monica Dinculescu notwaldorf
96
6.3k
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
45
2.5k
Rails Girls Zürich Keynote
Avatar for Gregor Martynus gr2m
95
14k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
Avatar for Tammy Everts tammyeverts
9
590
Building an army of robots
Avatar for Kyle Neath kneath
306
46k
Building Adaptive Systems
Avatar for Chris Keathley keathley
43
2.8k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.5k
Designing Dashboards & Data Visualisations in Web Apps
Avatar for Des Traynor destraynor
231
53k
The Psychology of Web Performance [Beyond Tellerrand 2023]
Avatar for Tammy Everts tammyeverts
49
3.1k
Building Applications with DynamoDB
Avatar for Matt Wood mza
96
6.7k

Transcript

  1. Ben Hayak Security Researcher [email protected] Twitter: @BenHayak

  2. None
  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None

  15. Attacker Bank

  16. • Document Access • Object Access • Ajax Requests •

    Data Leakage

  17. • <img src=“[[URL]]”> • <link rel href=“[[URL]]”> • <script src=“[[URL]]”>

    [[External resources]] Go Ahead
  18. None
  19. None
  20. None

  21. //XML.. <xml> <person> <name>john</name> <credit>34</credit> </person> </xml>

  22. None

  23. var person = {“name”:”John”,”credit”:34}

  24. person.name == “John” person.credit == 34 1. person = RequestData

    2. {“name”:”John”,”credit”:34}

  25. Easy Fast Light

  26. www.telize.com/geoip?callback=getgeoip

  27. http://benhayak.com

  28. http://benhayak.com

  29. http://benhayak.com

  30. • <img src=“[[URL]]”> • <link rel href=“[[URL]]”> • <script src=“[[URL]]”>

    [[External resources]] Go Ahead

  31. <script src= “http://external/geo?callback=getgeoip”>

  32. None
  33. None
  34. None
  35. None
  36. None
  37. None
  38. None
  39. None
  40. None
  41. None
  42. None
  43. None

  44. SOME

  45. .

  46. None
  47. None
  48. None

  49. SOME

  50. None
  51. None
  52. None
  53. None
  54. None

  55. <script src= “http://emailservice/contacts?callback= ” > initTable Test Attack Function initTable(jsondata)

    { //doSomething in www.google.com (example) }

  56. text/javascript

  57. AttackerInput();

  58. None
  59. None
  60. None
  61. None
  62. None

  63. Callback=<XSS>aaa Only [A-Za-z0-9.] allowed Callback=;alert()

  64. Setup the Environment

  65. 1. Redirect MAIN

  66. Share 1. Redirect MAIN

  67. Share 2. Redirect placeholder to SOME

  68. Share 2. Redirect placeholder to SOME Are you sure? Yes

    No

  69. Are you sure? Yes No 3. Redirect 2nd placeholder to

    SOME

  70. Your Album is now Public Mission Accomplished

  71. None
  72. None

  73. We don’t need them

  74. We only need alphanumeric and a dot

  75. We can use Windows

  76. Use a popup bypass

  77. No restrictions when using windows

  78. None

  79. Ben Hayak Security Researcher [email protected] Twitter: @BenHayak

  80. None