Ben Hayak Security Researcher
[email protected]
Twitter: @BenHayak
• Document Access • Object Access • AJAX Requests • Data Leakage
• <img src="[[URL]]"> • <link rel href="[[URL]]"> • <script src="[[URL]]"> [[External resources]]
Go Ahead
<script src="[[URL]]">
External Scripts are Allowed!
// XML
<xml> <person> <name>John</name> <credit>34</credit> </person> </xml>
// JSON
{"name":"John","credit":34}
person.name == "John" person.credit == 34
1. person = RequestData()
2. {"name":"John","credit":34}
• Use 3rd Party services
• Overcome SoP
http://benhayak.com
www.telize.com/geoip?callback=getgeoip
Contacts from YAHOO
<script src="http://yahoo.com/contacts?callback=initTable">
function initTable(jsondata) { // Build a table with the contacts }
<script src="http://yahoo.com/contacts?callback=Attack">
www.google.com?callback=Attack
Execute Attack on www.google.com
Send Contacts To Gmail
Gmail JSONP Endpoint
Attacker controls the Callback: mail.google.com?callback=Attack
mail.google.com?callback2=Attack
Execute Attack on mail.google.com
Callback=<XSS>aaa
Only [A-Za-z0-9.] allowed
Callback=;alert()
Set up the environment
SelectAll
1. Redirect Main
2. Redirect first window to "SOME"
Confirm
3. Redirect 2nd window to "SOME"
Your photos are now publicly available
Mission Accomplished
We simulate UI clicks
We only need alphanumeric characters and a dot
We can use browser windows
User clicks: use a popup bypass
Currently there are no restrictions when using windows
1. Use a static function name as a Callback
2. Whitelist callbacks
3. Register CBs: __SOME__['callback']({json})
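The three mitigations above, and the character filter the earlier slide shows as insufficient, as a worked example. This is added code, not from the original slides or from any of the sites named on them; the function names, the allowed-callback list, the sample contact record and the shape of the __SOME__ registry are assumptions for illustration.

```javascript
// Added example, not from the original slides: a JSONP endpoint that applies the
// three mitigations listed above, plus the client-side registry that makes the
// third one work.  Function names, the allowed callback list and the sample
// contact record are assumptions for illustration only.

// Not a mitigation on its own: the character filter the slides mention,
// "Only [A-Za-z0-9.] allowed".  It blocks script-injection payloads such as
// ";alert()", but any dotted path made of letters, digits and dots still
// passes, which is all SOME needs.
const CHAR_FILTER = /^[A-Za-z0-9.]+$/;
function passesCharFilter(name) {
  return CHAR_FILTER.test(name);
}

// Mitigation 2: whitelist of callback names the application itself defined.
const ALLOWED_CALLBACKS = new Set(["initTable", "getgeoip"]); // assumed names
function whitelistedCallback(name) {
  return ALLOWED_CALLBACKS.has(name) ? name : null;
}

// Mitigation 3: registry lookup.  The attacker-chosen name is JSON-encoded so
// it is always emitted as a string key, never as an executable expression.
function buildRegistryResponse(name, data) {
  return `__SOME__[${JSON.stringify(name)}](${JSON.stringify(data)});`;
}

// Server side: build the JSONP body for one request.  Returns null when the
// request must be rejected.  `mode` selects which of the three defences applies.
function buildJsonpResponse(callbackParam, data, mode) {
  const json = JSON.stringify(data);
  switch (mode) {
    case "static":
      // Mitigation 1: ignore the parameter and use a fixed function name.
      return `initTable(${json});`;
    case "whitelist": {
      const cb = whitelistedCallback(callbackParam);
      return cb === null ? null : `${cb}(${json});`;
    }
    case "registry":
      return buildRegistryResponse(callbackParam, data);
    default:
      throw new Error(`unknown mode: ${mode}`);
  }
}

// Client side for mitigation 3: the page owns a fixed registry object and only
// functions placed in it can be reached.  A name that is not an own key of the
// registry (including inherited keys such as "constructor") resolves to
// nothing instead of to an arbitrary method on the page.
const __SOME__ = {
  initTable(jsondata) {
    // Build a table with the contacts (assumed: return the row count).
    return Array.isArray(jsondata) ? jsondata.length : 1;
  },
};
function dispatchRegistered(name, data) {
  const fn = Object.prototype.hasOwnProperty.call(__SOME__, name) ? __SOME__[name] : null;
  return typeof fn === "function" ? fn(data) : null;
}
```

The filter and the whitelist are kept as separate functions to make the difference visible: a dotted name like `a.b.c` passes `passesCharFilter` but is rejected by `whitelistedCallback`. In the registry variant the server never has to decide whether a name is safe, because the response can only ever index the page's own `__SOME__` object.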
• Hijack User’s action without interaction
• Can follow a limitless flow of actions, dependent or not
• Invisible to the victim
• Any page on the domain becomes vulnerable