Adam Baldwin is the Team Lead at Lift Security, a web application security consultancy, and the Chief Security Officer at &yet (andyet.net). He at one time possessed a GCIA and CISSP. Adam is a highly knowledgeable information security expert: he created the DVCS pillaging toolkit and helmet, the security header middleware for node.js, is a minor contributor to the W3AF project, and has previously spoken at DEF CON, Toorcon, Toorcamp, DjangoCon, and JSConf.
BLIND XSS
@adam_baldwin
Tuesday, February 26, 13
Adam Baldwin
• Chief Security Officer at &yet
• Security Lead for ^Lift Security
• Also @liftsecurity & @nodesecurity
LET’S TALK BLIND XSS
• What is it?
• Using it in penetration tests
• Challenges
• xss.io
WTF IS BLIND XSS
XSS IS:
• Reflected
• Persistent (stored)
• DOM
BLIND XSS IS:
• Reflected
• Persistent (stored)
• DOM
IT’S A DIFFERENT CHALLENGE.
IT’S NOT LIKE BLIND SQLI WHERE YOU GET IMMEDIATE FEEDBACK.
YOU HAVE NO IDEA WHERE YOUR PAYLOAD’S GOING TO END UP.
YOU DON’T EVEN KNOW WHETHER YOUR PAYLOAD WILL EXECUTE (OR WHEN!)
YOU MUST THINK AHEAD ABOUT WHAT YOU WANT TO ACCOMPLISH.
... AND YOU HAVE TO BE LISTENING.
FOR EXAMPLE... (from a penetration test)
STEPS TO A SUCCESSFUL BLIND XSS EXPLOIT:
1. Carefully choose the right payload for the right situation.
2. Get lucky!
HTML5SEC.ORG
• Lots of payloads for various situations.
• ...but doing everything would be overkill.
PLAN YOUR PAYLOAD.
HOW WILL THE APP USE YOUR DATA?
NICE TARGETS:
• log viewers
• exception handlers
• customer service apps (chats, tickets, forums, etc.)
• anything moderated
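The contexts listed above are attractive for the same reason: they take data that was stored from an untrusted source (a User-Agent header, a ticket body, a chat message) and render it, much later, in a page that a privileged user is viewing. The following is an added example, not code from the talk or from xss.io: a minimal log-viewer row template in its vulnerable and hardened forms, plus a check a test suite can run against such templates. The entry fields, the sample record and the function names are constructed for illustration.

```javascript
// Added example (not from the talk): a log-viewer row template that renders
// stored, untrusted fields for an admin. Shown vulnerable and hardened.

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: interpolates stored fields straight into HTML. Whatever was
// stored in the log weeks ago is interpreted by the admin's browser now.
function renderLogEntryUnsafe(entry) {
  return `<tr><td>${entry.ts}</td><td>${entry.userAgent}</td><td>${entry.msg}</td></tr>`;
}

// HARDENED: every untrusted field is escaped at the point it enters HTML.
function renderLogEntrySafe(entry) {
  return `<tr><td>${escapeHtml(entry.ts)}</td>` +
    `<td>${escapeHtml(entry.userAgent)}</td>` +
    `<td>${escapeHtml(entry.msg)}</td></tr>`;
}

// Defensive check for a template test: if an input field looked like markup
// and the rendered output still contains it verbatim, the template failed
// to encode it. Usable against log viewers, ticket views, moderation queues.
function containsUnescapedTag(rendered, field) {
  return /<[a-z!/?]/i.test(field) && rendered.includes(field);
}

// Constructed sample record: a stored log line whose User-Agent carries
// markup. (The marker is inert; it only shows that tags are interpreted.)
const sampleEntry = {
  ts: "2013-02-26T10:00:00Z",
  userAgent: "Mozilla/5.0 <script>stored_markup()</script>",
  msg: "login failed for user 'bob'",
};

// Stand-alone run: report which template leaks the stored markup.
for (const [name, render] of [["unsafe", renderLogEntryUnsafe], ["safe", renderLogEntrySafe]]) {
  const out = render(sampleEntry);
  console.log(name, containsUnescapedTag(out, sampleEntry.userAgent) ? "LEAKS markup" : "encodes markup");
}
```

In a real application, rely on the template engine's context-aware auto-escaping rather than a hand-written escaper, and send a Content-Security-Policy header (helmet, mentioned in the speaker bio above, sets one for node.js apps) so that a string that does slip through cannot load or run script. Escaping for an HTML text node is also not enough when the value lands in a URL, a script block or an event-handler attribute; each context needs its own encoder.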
BLIND XSS MANAGEMENT
XSS.IO CAN HELP!
SIZE MATTERS... RIGHT?
• Sometimes you need all the character space you can get.
• No short-url GUID
• xss.io uses custom referrer-based redirects instead
EXPLOIT CREATOR
• Snippets for common tasks
• Quickly create and reference dynamic payloads
DEAD DROP BLIND XSS API AND MANAGER
(XSS.IO DEMO)
</PRESENTATION>
@adam_baldwin | @LiftSecurity