The Hidden XSS - Attacking the Desktop & Mobile Platforms
Transcript of The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platforms
Kos (Kyle Osborn) @theKos
alert(self)
» ToorCon Seattle, BlackHat, BSidesLV & DefCon
» Red Team guy (or so I pretend)
» Pentester
» http://kos.io/
» Oh, and this guy
XSS within the browser
» Usually considered a web browser based attack.
» Users fire up their web browsers
» Navigate to website with persistent XSS
» Open up link with payload in the URL (bank.com?XSS)
» iFrame with embedded vulnerable website
» etc., etc.
» But... not really browser specific...
XSS
Definition for xss:
Cross-site scripting is a security hazard that allows crackers to interfere with your program’s logic by inserting their own logic into your HTML. ....
http://oreilly.com/ruby/excerpts/ruby-learning-rails/ruby-glossary.html
XSS without the browser
» So what's the big deal?
» Not really able to steal cookies.
» Phishing doesn't make sense.
» Content spoofing?
» Ad injection?
» Meh...
XSS without the browser
» Local filesystem access?
» WebKit does not block XHR requests to file:///
» OS X, iOS, Android versions of WebKit
» Except for Chrome
» XMLHttpRequest()
So... the fun stuff
» Demos!
Demo #1
» HTML not filtered in an instance, allowing an attacker to inject malicious JavaScript.
» http://kos.io/skype for more info
» Skype (5.0.x to <= 5.0.914) on Mac OS X
Demo #2
» Adium <= 1.4.2 (OS X)
» Unfiltered HTML in file transfer dialogue.
» Almost the same as Skype.
» http://www.noptrix.net/advisories/adium_inject.txt
Demo #3
» Skype on iOS 3.0.1 (Fixed as of 3.0.2)
» Again, basic Cross Site Scripting
» Discovered by while testing Skype on OS X
» More info at https://superevr.com/2011/xss-in-skype-for-ios/
Demo #3
Introducing WebOS
» Truly web-driven operating system
» Easy application development
» Poised to compete with iOS / Android
» Oh yeah, apps are HTML5 / JavaScript
WebOS
» WebOS. Because most apps are HTML/JS, many are susceptible to attacks.
» However... actually more secure than previous vulns.
» Security (kind-of) done right on it.
Demo #5
» Android's GMail app
» Reported a few months ago...
» Android (like iOS) uses separate users per application, limiting what each app can reach.
Demo #5 - Continued
» GMail.apk allows HTML files to be downloaded.
» Handles it in "HTML Viewer" properly, without JS.
» However, XSS inside Gmail.app allows attacker to force download file.
» Then force browser to open file:///..../attack.html
For my next trick... Choose an OS
» Linux
» Windows
» OS X
» iOS
Demo #6
» Google Earth
» Multi-platform - OS X, iOS, Linux & Windows
» Payloaded KML file (Google Earth XML file)
» Uses HTML for info-boxes
» Uses vulnerable WebKit version
Tool!
» To make it easier, wrote a tool.
» JSON arrays for discovery functions() [what users, app] and files
» base64 encodes & exfiltrates
Tool!
  // Per-platform file lists used by the tool (declared here so the snippet runs on its own)
  var fileList = {};

  fileList['mac'] = {
    // How do we discover users?
    "discover": '/Library/Preferences/com.apple.loginwindow.plist',
    // Okay, we found them, what do we pillage?
    "post": {
      'bashHistory': '.bash_history',
      'sshHosts': '.ssh/known_hosts',
      'sshKeys': '.ssh/id_rsa.pub'
    }
  };

  fileList['android'] = {
    // Instead of how, just figure out the currently in use app
    "discover": '/proc/self/status',
    // Okay, we found them, what do we pillage?
    "post": {
      'browser_data': '/data/data/com.android.browser/databases/webview.db',
      'browser_data2': '/data/data/com.android.browser/databases/browser.db',
      'gmail_accounts': '/data/data/com.google.android.gm/shared_prefs/Gmail.xml',
      'dolphin_data': '/data/data/mobi.mgeek.TunnyBrowser/databases/webview.db',
      'dolphin_data2': '/data/data/mobi.mgeek.TunnyBrowser/databases/browser.db',
      'chromeBookmarks': '.config/chromium/Default/Bookmarks'
    }
  };
Conclusion
» XSS is bad, mkay?
» Developers don't know how / aren't trained to filter client side.
» Easy to exploit.
» Ping me at @theKos [email protected] http://kos.io/