Upgrade to Pro — share decks privately, control downloads, hide ads and more …

eu-14-Hayak-Same-Origin-Method-Execution-Some-E...

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for anonymous anonymous
September 29, 2016
Programming
1
100

 eu-14-Hayak-Same-Origin-Method-Execution-Some-Exploiting-A-Callback-For-Same-Origin-Policy-Bypass

eu-14-Hayak-Same-Origin-Method-Execution-Some-Exploiting-A-Callback-For-Same-Origin-Policy-Bypass

Avatar for anonymous

anonymous

September 29, 2016
Tweet

More Decks by anonymous

See All by anonymous
为什么我退出谷歌为自己工作
Avatar for anonymous webgeeker
0
31
flutter-ui-succinctly
Avatar for anonymous webgeeker
0
120
try jquery part1
Avatar for anonymous webgeeker
0
50
LARACON_2013.pdf
Avatar for anonymous webgeeker
0
53
AngularJS 1
Avatar for anonymous webgeeker
2
120
React
Avatar for anonymous webgeeker
1
310
SVG for vector
Avatar for anonymous webgeeker
2
130
JavaScript 客户端检测
Avatar for anonymous webgeeker
0
110
REC-SVG11-20110816
Avatar for anonymous webgeeker
0
66

Other Decks in Programming

See All in Programming
Patterns of Patterns
Avatar for Denys Poltorak denyspoltorak
0
1.4k
余白を設計しフロントエンド開発を 加速させる
Avatar for karacoro / からころ tsukuha
7
2.1k
インターン生でもAuth0で 認証基盤刷新が出来るのか
Avatar for takumi taku271
0
190
ノイジーネイバー問題を解決する 公平なキューイング
Avatar for Shoichi Ochi occhi
0
110
QAフローを最適化し、品質水準を満たしながらリリースまでの期間を最短化する #RSGT2026
Avatar for shibayu36 shibayu36
2
4.4k
AIで開発はどれくらい加速したのか?AIエージェントによるコード生成を、現場の評価と研究開発の評価の両面からdeep diveしてみる
Avatar for どすこい daisuketakeda
1
2.5k
Basic Architectures
Avatar for Denys Poltorak denyspoltorak
0
680
CSC307 Lecture 07
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
1
550
KIKI_MBSD Cybersecurity Challenges 2025
Avatar for ikema ikema
0
1.3k
Apache Iceberg V3 and migration to V3
Avatar for Tomohiro Tanaka tomtanaka
0
160
CSC307 Lecture 10
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
1
660
AWS re:Invent 2025参加 直前 Seattle-Tacoma Airport(SEA)におけるハードウェア紛失インシデントLT
Avatar for tetutetu214 tetutetu214
2
120

Featured

See All Featured
Un-Boring Meetings
Avatar for Sebastian Deterding codingconduct
0
200
Leveraging LLMs for student feedback in introductory data science courses - posit::conf(2025)
Avatar for Mine Cetinkaya-Rundel minecr
0
150
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
PRO
196
71k
Neural Spatial Audio Processing for Sound Field Analysis and Control
Avatar for NII S. Koyama's Lab skoyamalab
0
170
How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today
Avatar for Helen Beal helenjbeal
1
130
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.3k
HU Berlin: Industrial-Strength Natural Language Processing with spaCy and Prodigy
Avatar for Ines Montani inesmontani
PRO
0
220
ラッコキーワード サービス紹介資料
Avatar for ラッコ株式会社 rakko
1
2.3M
Self-Hosted WebAssembly Runtime for Runtime-Neutral Checkpoint/Restore in Edge–Cloud Continuum
Avatar for Yuki Nakata chikuwait chikuwait
0
330
Bridging the Design Gap: How Collaborative Modelling removes blockers to flow between stakeholders and teams @FastFlow conf
Avatar for Kenny Baas-Schwegler baasie
0
450
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
254
22k
Data-driven link building: lessons from a $708K investment (BrightonSEO talk)
Avatar for Szymon szymonslowik
1
910

Transcript

  1. Ben Hayak Security Researcher [email protected] Twitter: @BenHayak

  2. None
  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None

  15. Attacker Bank

  16. • Document Access • Object Access • Ajax Requests •

    Data Leakage

  17. • <img src=“[[URL]]”> • <link rel href=“[[URL]]”> • <script src=“[[URL]]”>

    [[External resources]] Go Ahead
  18. None
  19. None
  20. None

  21. //XML.. <xml> <person> <name>john</name> <credit>34</credit> </person> </xml>

  22. None

  23. var person = {“name”:”John”,”credit”:34}

  24. person.name == “John” person.credit == 34 1. person = RequestData

    2. {“name”:”John”,”credit”:34}

  25. Easy Fast Light

  26. www.telize.com/geoip?callback=getgeoip

  27. http://benhayak.com

  28. http://benhayak.com

  29. http://benhayak.com

  30. • <img src=“[[URL]]”> • <link rel href=“[[URL]]”> • <script src=“[[URL]]”>

    [[External resources]] Go Ahead

  31. <script src= “http://external/geo?callback=getgeoip”>

  32. None
  33. None
  34. None
  35. None
  36. None
  37. None
  38. None
  39. None
  40. None
  41. None
  42. None
  43. None

  44. SOME

  45. .

  46. None
  47. None
  48. None

  49. SOME

  50. None
  51. None
  52. None
  53. None
  54. None

  55. <script src= “http://emailservice/contacts?callback= ” > initTable Test Attack Function initTable(jsondata)

    { //doSomething in www.google.com (example) }

  56. text/javascript

  57. AttackerInput();

  58. None
  59. None
  60. None
  61. None
  62. None

  63. Callback=<XSS>aaa Only [A-Za-z0-9.] allowed Callback=;alert()

  64. Setup the Environment

  65. 1. Redirect MAIN

  66. Share 1. Redirect MAIN

  67. Share 2. Redirect placeholder to SOME

  68. Share 2. Redirect placeholder to SOME Are you sure? Yes

    No

  69. Are you sure? Yes No 3. Redirect 2nd placeholder to

    SOME

  70. Your Album is now Public Mission Accomplished

  71. None
  72. None

  73. We don’t need them

  74. We only need alphanumeric and a dot

  75. We can use Windows

  76. Use a popup bypass

  77. No restrictions when using windows

  78. None

  79. Ben Hayak Security Researcher [email protected] Twitter: @BenHayak

  80. None