Upgrade to Pro — share decks privately, control downloads, hide ads and more …

eu-14-Hayak-Same-Origin-Method-Execution-Some-E...

anonymous
September 29, 2016
Programming
1
100

 eu-14-Hayak-Same-Origin-Method-Execution-Some-Exploiting-A-Callback-For-Same-Origin-Policy-Bypass

eu-14-Hayak-Same-Origin-Method-Execution-Some-Exploiting-A-Callback-For-Same-Origin-Policy-Bypass

anonymous

September 29, 2016
Tweet

More Decks by anonymous

See All by anonymous
为什么我退出谷歌为自己工作
webgeeker
0
22
flutter-ui-succinctly
webgeeker
0
97
try jquery part1
webgeeker
0
49
LARACON_2013.pdf
webgeeker
0
48
AngularJS 1
webgeeker
2
110
React
webgeeker
1
290
SVG for vector
webgeeker
2
120
JavaScript 客户端检测
webgeeker
0
100
REC-SVG11-20110816
webgeeker
0
62

Other Decks in Programming

See All in Programming
Formの複雑さに立ち向かう
bmthd
1
810
第3回 Snowflake 中部ユーザ会 - dbt × Snowflake ハンズオン
hoto17296
4
370
JavaScriptツール群「UnJS」を5分で一気に駆け巡る!
k1tikurisu
9
1.8k
2024年のWebフロントエンドのふりかえりと2025年
sakito
1
240
Flutter × Firebase Genkit で加速する生成 AI アプリ開発
coborinai
0
150
Amazon S3 TablesとAmazon S3 Metadataを触ってみた / 20250201-jawsug-tochigi-s3tables-s3metadata
kasacchiful
0
120
パスキーのすべて ── 導入・UX設計・実装の紹介 / 20250213 パスキー開発者の集い
kuralab
3
730
CloudNativePGがCNCF Sandboxプロジェクトになったぞ! 〜CloudNativePGの仕組みの紹介〜
nnaka2992
0
220
CNCF Project の作者が考えている OSS の運営
utam0k
6
710
[JAWS-UG横浜 #79] re:Invent 2024 の DB アップデートは Multi-Region!
maroon1st
1
140
How mixi2 Uses TiDB for SNS Scalability and Performance
kanmo
35
14k
SwiftUI Viewの責務分離
elmetal
PRO
1
220

Featured

See All Featured
Why Our Code Smells
bkeepers
PRO
336
57k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
2.1k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
49k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
129
19k
Designing for humans not robots
tammielis
250
25k
Adopting Sorbet at Scale
ufuk
74
9.2k
Gamification - CAS2011
davidbonilla
80
5.1k
Building Your Own Lightsaber
phodgson
104
6.2k
StorybookのUI Testing Handbookを読んだ
zakiyama
28
5.5k
Become a Pro
speakerdeck
PRO
26
5.1k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
330
21k
Bash Introduction
62gerente
610
210k

Transcript

  1. Ben Hayak Security Researcher [email protected] Twitter: @BenHayak

  2. None
  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None

  15. Attacker Bank

  16. • Document Access • Object Access • Ajax Requests •

    Data Leakage

  17. • <img src=“[[URL]]”> • <link rel href=“[[URL]]”> • <script src=“[[URL]]”>

    [[External resources]] Go Ahead
  18. None
  19. None
  20. None

  21. //XML.. <xml> <person> <name>john</name> <credit>34</credit> </person> </xml>

  22. None

  23. var person = {“name”:”John”,”credit”:34}

  24. person.name == “John” person.credit == 34 1. person = RequestData

    2. {“name”:”John”,”credit”:34}

  25. Easy Fast Light

  26. www.telize.com/geoip?callback=getgeoip

  27. http://benhayak.com

  28. http://benhayak.com

  29. http://benhayak.com

  30. • <img src=“[[URL]]”> • <link rel href=“[[URL]]”> • <script src=“[[URL]]”>

    [[External resources]] Go Ahead

  31. <script src= “http://external/geo?callback=getgeoip”>

  32. None
  33. None
  34. None
  35. None
  36. None
  37. None
  38. None
  39. None
  40. None
  41. None
  42. None
  43. None

  44. SOME

  45. .

  46. None
  47. None
  48. None

  49. SOME

  50. None
  51. None
  52. None
  53. None
  54. None

  55. <script src= “http://emailservice/contacts?callback= ” > initTable Test Attack Function initTable(jsondata)

    { //doSomething in www.google.com (example) }

  56. text/javascript

  57. AttackerInput();

  58. None
  59. None
  60. None
  61. None
  62. None

  63. Callback=<XSS>aaa Only [A-Za-z0-9.] allowed Callback=;alert()

  64. Setup the Environment

  65. 1. Redirect MAIN

  66. Share 1. Redirect MAIN

  67. Share 2. Redirect placeholder to SOME

  68. Share 2. Redirect placeholder to SOME Are you sure? Yes

    No

  69. Are you sure? Yes No 3. Redirect 2nd placeholder to

    SOME

  70. Your Album is now Public Mission Accomplished

  71. None
  72. None

  73. We don’t need them

  74. We only need alphanumeric and a dot

  75. We can use Windows

  76. Use a popup bypass

  77. No restrictions when using windows

  78. None

  79. Ben Hayak Security Researcher [email protected] Twitter: @BenHayak

  80. None