eu-14-Hayak-Same-Origin-Method-Execution-Some-Exploiting-A-Callback-For-Same-Origin-Policy-Bypass
anonymous
September 29, 2016
Transcript
Ben Hayak Security Researcher
[email protected]
Twitter: @BenHayak
Attacker Bank
• Document Access
• Object Access
• Ajax Requests
• Data Leakage
• <img src="[[URL]]">
• <link rel href="[[URL]]">
• <script src="[[URL]]">
[[External resources]] Go Ahead
//XML..
<xml>
  <person>
    <name>john</name>
    <credit>34</credit>
  </person>
</xml>
var person = {"name":"John","credit":34}
person.name == "John"
person.credit == 34
1. person = RequestData
2. {"name":"John","credit":34}
Easy Fast Light
www.telize.com/geoip?callback=getgeoip
http://benhayak.com
<script src="http://external/geo?callback=getgeoip">
SOME
<script src="http://emailservice/contacts?callback=initTable">
Test Attack
function initTable(jsondata)
{ //doSomething in www.google.com (example) }
text/javascript
AttackerInput();
Callback=<XSS>aaa
Only [A-Za-z0-9.] allowed
Callback=;alert()
Setup the Environment
Share
1. Redirect MAIN
2. Redirect placeholder to SOME
Are you sure? Yes No
3. Redirect 2nd placeholder to SOME
Your Album is now Public Mission Accomplished
We don’t need them
We only need alphanumeric and a dot
We can use Windows
Use a popup bypass
No restrictions when using windows
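A defender-side check for the callback filtering shown above (only [A-Za-z0-9.] allowed) and for the last slides' point that a dot is all the filter leaves open. This is an added example, not code from Ben Hayak's deck or from any real JSONP service; the allowlist, the callback names and the sample inputs are assumptions.

```javascript
// Added example (not from the deck): a JSONP endpoint's callback parameter,
// weak check beside a hardened one.

// The filter the slides describe: a character class that rejects "<XSS>aaa"
// and ";alert()" but still accepts any dotted method path.
const WEAK_CALLBACK_RE = /^[A-Za-z0-9.]+$/;

// Hypothetical allowlist: the only callback names this endpoint will emit.
const ALLOWED_CALLBACKS = new Set(['getgeoip', 'initTable']);

function weakCallbackAllowed(cb) {
  return typeof cb === 'string' && WEAK_CALLBACK_RE.test(cb);
}

// Hardened check: exact match against known names, so a dotted path that
// would resolve to some other object's method is never echoed back.
function strictCallbackAllowed(cb) {
  return typeof cb === 'string' && ALLOWED_CALLBACKS.has(cb);
}

// Build the JSONP response for an allowlisted callback; returns null when
// the name is not allowlisted so the caller can answer 400 instead.
// The "/**/" prefix and nosniff header stop the body from being sniffed as
// a different content type by the browser.
function buildJsonpResponse(cb, data) {
  if (!strictCallbackAllowed(cb)) return null;
  return {
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `/**/ ${cb}(${JSON.stringify(data)});`,
  };
}

// Constructed inputs: the two the slide rejects, a legitimate name, and a
// dotted path the weak filter lets through but the allowlist refuses.
const SAMPLE_CALLBACKS = ['<XSS>aaa', ';alert()', 'getgeoip', 'someObject.someMethod'];

function compareFilters() {
  return SAMPLE_CALLBACKS.map((cb) => ({
    cb,
    weak: weakCallbackAllowed(cb),
    strict: strictCallbackAllowed(cb),
  }));
}
```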