web application security lab

XSS talk at BlackHat

Jeremiah Grossman is doing a talk at BlackHat that was spawned via a conversation he and I had a while back. Originally I was looking into creative ways for XSS to move out of the application layer and into the other OSI layers. I spoke with him and he was able to take my idea from just that, an idea, to a working prototype. Without completely blowing his talk, all I’ll say is that it will probably go a long way to legitimize XSS as an attack vector, far beyond what is currently known about it. If you happen to be in Las Vegas this summer, I’d suggest dropping on by to hear his talk.

I won’t actually be there. The time I talked there, I had a lot more free time on my hands than I do now, but I will probably be there for DefCon. If any of you webappsec folks want to grab a drink and you’re in Las Vegas around that time, let me know.

4 Responses to “XSS talk at BlackHat”

  1. yawnmoth Says:

    It’s recently occurred to me that an XSS vulnerability in one page on a website can pretty much open any web app on that website to attack. For example, if /echo.php has an XSS exploit, then that can be used to conduct attacks against /wordpress/. Just use an XMLHttpRequest to send a request to the admin panel that’ll delete some story. Then, if any admin visits the XSS-exploited /echo.php, they’ll delete a story, as well.

    Is this what the talk is going to be about or is it going to be about something else? ’cause this would certainly seem to legitimize XSS as an attack vector…

  2. RSnake Says:

    Nice guess but no cigar. It’s about something completely different actually. You’ll have to wait until Blackhat (which is July 29th-30th in Vegas). I’ll probably comment on it heavily once I get back from Vegas based on how the talk goes. There are several other issues that his talk won’t be going into that are worth discussing after it’s released, but I want to give him the chance to get the code working perfectly before releasing any more information. I will say I’ve seen an advance prototype and it’s pretty scary.

  3. ha.ckers.org security lab - Archive » XSS in Lycos and Hotbot Says:

    […] As a fast follow up to my Hotbox XSS, David “Aesthetico” Vieira-Kurz just found another XSS exploit in Hotbot and one in Lycos. I can’t stress more how nasty things like this are. These are trusted brands, and with the advent of nastier and nastier things that can be done with XSS (which I’ll go more into in August after Jeremiah Grossman returns from Blackhat) it is critical that these companies invest some time and money into penetration testing and security assessments in general. […]

  4. ha.ckers.org web application security lab - Archive » JavaScript Port Scanners Says:

    […] In case you were living in a cave the last few days or aren’t subscribed to any of the security mailing lists out there, you probably already have seen these links but I’m putting them up here anyway. First, SPI Dynamics released their version of what Jeremiah is working on (although not nearly as feature rich, it does isolate one of the various things Jeremiah will be discussing in his speech at BlackHat). This is an intranet port scanner written in JavaScript. Then a few days later PDP (architect) released his tool which did internet port scanning in JavaScript (which is not what will be covered by Jeremiah’s talk so it is actually slightly different, although using the same ideas). Both of these tools don’t go into most of the problems that we were able to overcome, because they weren’t working with our original idea - they took it and built their own based off the idea (despite what the press releases claim) which can be proven by the fact that I’ve been talking about this publicly for months and have been working on it for most of this year. Oh well… at least the rest of the world knows the truth. I’m not really into conspiracy theories, but read SPI’s paper (the first paragraph) and then read Jeremiah’s talk overview and tell me that idea is legitimately theirs. It’s a little disheartening that security companies are stealing ideas. As if we don’t have enough actual bad guys to battle. Alas. […]