Upgrade to Pro — share decks privately, control downloads, hide ads and more …

eu-14-Hayak-Same-Origin-Method-Execution-Some-E...

Avatar for anonymous anonymous
September 29, 2016
Programming
1
100

 eu-14-Hayak-Same-Origin-Method-Execution-Some-Exploiting-A-Callback-For-Same-Origin-Policy-Bypass

eu-14-Hayak-Same-Origin-Method-Execution-Some-Exploiting-A-Callback-For-Same-Origin-Policy-Bypass

Avatar for anonymous

anonymous

September 29, 2016
Tweet

More Decks by anonymous

See All by anonymous
为什么我退出谷歌为自己工作
Avatar for anonymous webgeeker
0
31
flutter-ui-succinctly
Avatar for anonymous webgeeker
0
110
try jquery part1
Avatar for anonymous webgeeker
0
50
LARACON_2013.pdf
Avatar for anonymous webgeeker
0
53
AngularJS 1
Avatar for anonymous webgeeker
2
120
React
Avatar for anonymous webgeeker
1
300
SVG for vector
Avatar for anonymous webgeeker
2
130
JavaScript 客户端检测
Avatar for anonymous webgeeker
0
110
REC-SVG11-20110816
Avatar for anonymous webgeeker
0
66

Other Decks in Programming

See All in Programming
DevFest Android in Korea 2025 - 개발자 커뮤니티를 통해 얻는 가치
Avatar for Suhyeon Kim wisemuji
0
180
Canon EOS R50 V と R5 Mark II 購入でみえてきた最近のデジイチ VR180 事情、そして VR180 静止画に活路を見出すまで
Avatar for kazuhiro hara karad
0
140
Claude Codeの「Compacting Conversation」を体感50%減! CLAUDE.md + 8 Skills で挑むコンテキスト管理術
Avatar for Kazuki Murahama kmurahama
1
690
Java 25, Nuevas características
Avatar for Carlos Zela Bueno czelabueno
0
120
Rubyで鍛える仕組み化プロヂュース力
Avatar for muryoimpl muryoimpl
0
260
AIエンジニアリングのご紹介 / Introduction to AI Engineering
Avatar for r-kagaya rkaga
8
3.5k
実は歴史的なアップデートだと思う AWS Interconnect - multicloud
Avatar for maroon1st maroon1st
0
290
Basic Architectures
Avatar for Denys Poltorak denyspoltorak
0
150
Jetpack XR SDKから紐解くAndroid XR開発と技術選定のヒント / about-androidxr-and-jetpack-xr-sdk
Avatar for にー兄さん drumath2237
1
220
組み合わせ爆発にのまれない - 責務分割 x テスト
Avatar for HAL halhorn
1
170
LLMで複雑な検索条件アセットから脱却する!! 生成的検索インタフェースの設計論
Avatar for po3rin po3rin
4
1k
Combinatorial Interview Problems with Backtracking Solutions - From Imperative Procedural Programming to Declarative Functional Programming - Part 2
Avatar for Philip Schwarz philipschwarz
PRO
0
130

Featured

See All Featured
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
Avatar for Rebecca Miller-Webster rmw
35
3.3k
What’s in a name? Adding method to the madness
Avatar for The Alliance productmarketing
PRO
24
3.9k
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
27k
Google's AI Overviews - The New Search
Avatar for Barry Adams badams
0
880
The Mindset for Success: Future Career Progression
Avatar for Greg Gifford greggifford
PRO
0
200
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
249
1.3M
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Avatar for Marc Duiker marcduiker
35
2.3k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
287
14k
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
370
20k
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
34
9.1k
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
65
8.3k
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
135
9.7k

Transcript

  1. Ben Hayak Security Researcher [email protected] Twitter: @BenHayak

  2. None
  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None

  15. Attacker Bank

  16. • Document Access • Object Access • Ajax Requests •

    Data Leakage

  17. • <img src=“[[URL]]”> • <link rel href=“[[URL]]”> • <script src=“[[URL]]”>

    [[External resources]] Go Ahead
  18. None
  19. None
  20. None

  21. //XML.. <xml> <person> <name>john</name> <credit>34</credit> </person> </xml>

  22. None

  23. var person = {“name”:”John”,”credit”:34}

  24. person.name == “John” person.credit == 34 1. person = RequestData

    2. {“name”:”John”,”credit”:34}

  25. Easy Fast Light

  26. www.telize.com/geoip?callback=getgeoip

  27. http://benhayak.com

  28. http://benhayak.com

  29. http://benhayak.com

  30. • <img src=“[[URL]]”> • <link rel href=“[[URL]]”> • <script src=“[[URL]]”>

    [[External resources]] Go Ahead

  31. <script src= “http://external/geo?callback=getgeoip”>

  32. None
  33. None
  34. None
  35. None
  36. None
  37. None
  38. None
  39. None
  40. None
  41. None
  42. None
  43. None

  44. SOME

  45. .

  46. None
  47. None
  48. None

  49. SOME

  50. None
  51. None
  52. None
  53. None
  54. None

  55. <script src= “http://emailservice/contacts?callback= ” > initTable Test Attack Function initTable(jsondata)

    { //doSomething in www.google.com (example) }

  56. text/javascript

  57. AttackerInput();

  58. None
  59. None
  60. None
  61. None
  62. None

  63. Callback=<XSS>aaa Only [A-Za-z0-9.] allowed Callback=;alert()

  64. Setup the Environment

  65. 1. Redirect MAIN

  66. Share 1. Redirect MAIN

  67. Share 2. Redirect placeholder to SOME

  68. Share 2. Redirect placeholder to SOME Are you sure? Yes

    No

  69. Are you sure? Yes No 3. Redirect 2nd placeholder to

    SOME

  70. Your Album is now Public Mission Accomplished

  71. None
  72. None

  73. We don’t need them

  74. We only need alphanumeric and a dot

  75. We can use Windows

  76. Use a popup bypass

  77. No restrictions when using windows

  78. None

  79. Ben Hayak Security Researcher [email protected] Twitter: @BenHayak

  80. None