The Hidden XSS Attacking the Desktop & Mobile Platforms – Slides & Video
Posted by Kos on 10/09/2011 at 10:12 pm | Last modified: 11/08/2011 6:08 pm
A few weeks ago (October 2nd) I was in Louisville, Kentucky, giving a talk at Derbycon. I also gave the same talk in San Diego (October 9th) at Toorcon 13. It’s a much expanded version of a talk I did back in June at Toorcon Seattle, “XSS Without the Browser”.
Slides are below, and video is after the break. The slides are a bit different than the video. I modified, reordered, and added a few slides, and also included a new Google application vulnerability.
The code is currently available at: http://kos.io/xsspwn/
A few notes I want to add about this video:
- At roughly 41:30, when I send myself an email, it just so happened that early that morning Google had rolled out a server-side fix (notice the unread email received at 2:27 AM; thanks, Google (; ), which broke my first attempt at the demo. Fortunately, I had the local offline email database to rely on for that demo to work.
- I said “CORS” a little before the 5 minute mark; I actually meant Same Origin Policy.
- I said something along the lines of “file:// as specified in the RFC”. While it’s technically true, since I was speaking about the Origin Policy, it should be noted that the file:/// rules in the RFC are a little fuzzy. WebKit by standard allows file:///, Chrome denies access to file:/// altogether, and Firefox only lets file:/// access the subdirectories. I have no clue what Trident (IE) and Opera do.