Blind XSS - DEF CON® Hacking Conference (slide transcript)
TRANSCRIPT
BLIND XSS
@adam_baldwin
HI, I’M ADAM BALDWIN
NOT THAT ADAM BALDWIN
THIS ADAM BALDWIN
• Chief Security Officer at &yet
• Security Lead for ^Lift Security
• @adam_baldwin + @liftsecurity
LET’S TALK BLIND XSS
• What is it?
• Using it in penetration tests
• Challenges
• xss.io
WTF IS BLIND XSS
XSS IS:
• Reflected
• Persistent (stored)
• DOM
BLIND XSS IS:
• Reflected
• Persistent (stored)
• DOM
IT’S A DIFFERENT CHALLENGE.
IT’S NOT LIKE BLIND SQLI WHERE YOU GET IMMEDIATE FEEDBACK.
YOU HAVE NO IDEA WHERE YOUR PAYLOAD’S GOING TO END UP.
YOU DON’T EVEN KNOW WHETHER YOUR PAYLOAD WILL EXECUTE (OR WHEN!)
YOU MUST THINK AHEAD ABOUT WHAT YOU WANT TO ACCOMPLISH.
... AND YOU HAVE TO BE LISTENING.
BLIND XSS IS
BLIND XSS IS: CALL ME MAYBE?
FOR EXAMPLE... (from a recent penetration test)
(Slides 19 to 45: screenshot-only slides from the penetration-test example; no text was extracted.)
STEPS TO A SUCCESSFUL BLIND XSS EXPLOIT:
1. Carefully choose the right payload for the right situation.
STEPS TO A SUCCESSFUL BLIND XSS EXPLOIT:
1. Carefully choose the right payload for the right situation.
2. Get lucky!
HTML5SEC.ORG
• Lots of payloads for various situations.
• ...but doing everything would be overkill.
PLAN YOUR PAYLOAD. HOW WILL THE APP USE YOUR DATA?
NICE TARGETS:
• log viewers
• exception handlers
• customer service apps (chats, tickets, forums, etc.)
• anything moderated
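The targets listed above share one property: they render data on a page that is not the page where the data was submitted, so a marker stored in a User-Agent or ticket field is harmless on the public site and only fires in the internal viewer. The following is an added example (not code from the talk or from xss.io) that shows why a log viewer is such a target and what the fix looks like: a vulnerable render function that interpolates log fields straight into HTML, the same function with output escaping, and a small check that flags any tag in the rendered page that did not come from the template. The log format, field names and sample lines are constructed for the example.

```javascript
// Added example, not from the presentation. A simplified access-log format is
// assumed (constructed for this example):  ip "path" status "user-agent".
// The user-agent field is attacker-controlled text that a public web server
// never displays, but an internal log viewer does.
const SAMPLE_LOG = [
  '203.0.113.5 "/login" 200 "Mozilla/5.0 (X11; Linux x86_64)"',
  '198.51.100.9 "/search?q=shoes" 200 "curl/8.4.0"',
  // Constructed stored marker: inert in the access log itself, but executed by
  // any admin whose log viewer renders the field as HTML.
  '192.0.2.77 "/" 404 "<img src=x onerror=alert(1)>"',
];

// Parse one log line into its fields; returns null for lines that do not match.
function parseLogLine(line) {
  const m = /^(\S+) "([^"]*)" (\d{3}) "([^"]*)"$/.exec(line);
  if (!m) return null;
  return { ip: m[1], path: m[2], status: Number(m[3]), userAgent: m[4] };
}

// Minimal HTML escaper for text placed in element content or quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE: fields are interpolated as raw HTML. Whoever opens this internal
// page runs whatever markup was stored in the user-agent field.
function renderLogTableUnsafe(lines) {
  const rows = lines.map(parseLogLine).filter(Boolean).map(
    (e) => `<tr><td>${e.ip}</td><td>${e.path}</td><td>${e.status}</td><td>${e.userAgent}</td></tr>`
  );
  return `<table>${rows.join('')}</table>`;
}

// HARDENED: every untrusted field is escaped at the point of output, so the
// stored marker is displayed as text instead of being parsed as markup.
function renderLogTableSafe(lines) {
  const rows = lines.map(parseLogLine).filter(Boolean).map(
    (e) => `<tr><td>${escapeHtml(e.ip)}</td><td>${escapeHtml(e.path)}</td>` +
           `<td>${e.status}</td><td>${escapeHtml(e.userAgent)}</td></tr>`
  );
  return `<table>${rows.join('')}</table>`;
}

// Cheap regression check for a code review or CI step: does the rendered page
// contain any tag name that the template itself does not emit?
function containsForeignTag(html) {
  const allowed = new Set(['table', 'tr', 'td']);
  const tagRe = /<\/?([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowed.has(m[1].toLowerCase())) return true;
  }
  return false;
}

// Usage: render the constructed log both ways and report which one leaks markup.
console.log('unsafe render contains a foreign tag:', containsForeignTag(renderLogTableUnsafe(SAMPLE_LOG)));
console.log('safe render contains a foreign tag:  ', containsForeignTag(renderLogTableSafe(SAMPLE_LOG)));
```

Escaping at output is the fix because the viewer cannot know at storage time which fields are "safe"; the same reasoning applies to exception handlers and ticket systems that display request headers or form input. The `containsForeignTag` check is deliberately crude (it only looks for tag names outside the template's own set), but it is enough to catch a regression where someone reintroduces raw interpolation.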
BLIND XSS MANAGEMENT
XSS.IO CAN HELP!
SIZE MATTERS... RIGHT?
• Sometimes you need all the character space you can get.
• No short-url GUID
• xss.io uses custom referrer-based redirects instead
EXPLOIT CREATOR
• Snippets for common tasks
• Quickly create and reference dynamic payloads
DEAD DROP BLIND XSS API AND MANAGER
(XSS.IO DEMO)
BUT WAIT, THERE’S MORE
Unrelated but equally awesome
CSRF.IO
</PRESENTATION>
@adam_baldwin | @LiftSecurity