XSS in the Real World

[00:00:00]
>> Steve Kinney: One from 2014 is way simple with the Sammy Worm. I told this story at lunch, I'll tell it again. The original sent like the FBI showed up at its door and they were not happy. The original punishment was I think, a fine some operation. And I think the sentence was no internet for the rest of his life, which I think a court overturned.

[00:00:25]
But so if you're thinking, I'm gonna do this stuff for fun, most of these stories do end with law enforcement and charges and fines. So, let's keep that in mind. This one was shockingly easy. Basically, the back then, at least in 2014, TweetDeck was an electron app. And back then, electron apps, I did a course on it a year ago or something like that.

[00:00:49]
And it's kind of annoying because you have to put CSP on everything now all the time. But you know why you have to do that now? Cuz back then you didn't. And so just the act of seeing this, because they didn't do any Eecaping apparently on the tweets.

[00:01:01]
If you saw this in the Twitter web client you're fine, but if you open it up in the TweetDeck app, you then too retweeted this as well, and then you got an alert. So it was definitely somebody who is not being particularly malicious. You can see there, I'll put it somewhere else as well.

[00:01:18]
What's really funny is the comments are, people code reviewing it and looking at, getting really pedantic on how to make it better. It's the most JavaScript thing I've ever seen in my life. eBay had a bad several months where they had, I think the social adapt technically has it, or one of the other apps I made has something very similar for you to play around with and exploit in your free time.

[00:01:46]
They sanitize their stuff and but they had a redirect to query parameter. The problem is, you could set that to anything you wanted, right? And some of the sites that you could set it to on eBay's own properties didn't have the same protections as the main site, right?

[00:02:00]
And so you could send someone a link. It looks like an eBay link. They log in, it then parses the redirect thing and then injects code into wherever they landed after they logged in, right? And people would change the prices on stuff from the seller's perspective. A whole bunch of nasty stuff that they spent months tracking down.

[00:02:25]
McDonald's had something very similar. There was a flaw in Angular sandbox. We can blame Angular sandbox and the fact that someone got access to it. The fact that they decrypted the password's client side, was the problem, cuz then you could just get access to decrypted passwords, send a fetch request off to your server and collect a whole bunch of passwords as well.

[00:02:48]
So you can see, yeah, are these easy to execute? No, but once they're in, they have the keys to the castle, because they are you at that point, there's no cores that protect at you, right? It's not cross origin, it's same site, same origin at that point. In a library called Feedify on British Airways, quarter million people had their names, addresses, credit cards, and CVVs stolen, right?

[00:03:12]
Cuz again, no amount of stuff is going to protect you, it is now same site, same origin. None of the stuff we talked about before will save you. Some stuff will save you, we'll get there. Fortnite, I think this one was disclosed, which means we don't know if it was exploited, right?

[00:03:28]
People could have been quietly doing it, but it was disclosed, where an attacker was able to get access to basically anyone's data. This was actually really cool, too, and how it worked. They used something very similar to the redirect, right, where you would send someone a link and the redirect would go to, like an unreal 2004 leader board, Unreal Tournament, whatever.

[00:03:59]
From, yeah, 15 years ago, that was just a subdomain shared with Fortnite. That page had no CSRF protections, right? And so they basically send you a Fortnite one, you logged in, it redirects you to this other site. That they could then inject into and send a bunch of requests back to the main site.

[00:04:24]
So all this stuff we're talking about, you need these multiple layers, and we'll see some more layers in a second, because you could have a legacy page somewhere. And someone's going to figure out something very clever as well. And then I don't really know how this one happened as much as I looked.

[00:04:38]
It's just somebody posted a screenshot, and they work as a security researcher at Google now, so I'm gonna believe it, but someone did find a way to do it to the CIA. This one is from last week, maybe yeah, it was thing May 24th which if you're watching this later, this one happened in 2024, I think about yeah, a week ago.

[00:05:01]
Which is there was one in the VS code plugin that allowed it's very this one I did some research but it's very new at the time of this recording but literally a week ago used a vulnerability of VS code plugin. So again this stuff can happen outside the browser as well to exfiltrate sensitive user information maybe by the time someone watches this later there's more information on this one, but it is very new and track.

[00:05:24]
So this stuff is still an ever present, that can still happen to all of us as we go along. And then for funsies later, you can watch someone happen to them in real time on Twitch, right? Where some plugin that they installed, allowed people to just basically cross-site scripting all day.

[00:05:42]
So how does it work? Pretty straightforward. I mean, it's not easy to do, but the actual, should you do the first part, the rest is easy. You inject a Malicious Script either that comes to the query param. You store it in the database somehow and then it starts to access code.

[00:06:00]
This is the thing about the web is great, the web is terrible simultaneously and then once you are the person that cookies all yours right like arguably HTV only will save you on the cookie part, but the requests are all gonna have it as well.