DEF CON 27 - JUNYU ZHOU and CE QUIN and JIANING WANG - web2 own attacking desktop apps from web securitys perspective

Web2Own
ATTACKING DESKTOP APPS FROM
WEB SECURITY'S PERSPECTIVE

Who are we
• 9aX.TgU h
• LYbWYbh KYWif hm PiUbki EUV
• FYaVYf cZ )cdg <L? LYUa
• KdYU_Yf cZ RYfcG hg+)*1 UbX ABL;+)*1=iVU

Who are we
• 9AYUfaYb*
• KYWif hm JYgYUfWYf b LYbWYbh KYWif hm PiUbki EUV
• KdYU_Yf cZ :g UKYWOYgh +)*1

Who are we
• 9L)a-hcT
• KYWif hm JYgYUfWYf b LYbWYbh KYWif hm PiUbki EUV
• FYaVYf cZ KmW cjYf KYWif hm LYUa
• KdYU_Yf cZ RYfcG hg+)*1 UbX ABL;+)*1=iVU

I know about web security
I can do little reversing
I know nothing about pwning
Can I pop up a like people in Pwn2Own?

DEF CON 27 - JUNYU ZHOU and CE QUIN and JIANING WANG - web2 own attacking desktop apps from web securitys perspective

LfUX h cbU Uddg jg mVf X Uddg
VS

• HdYbYX dcfhg
• MJB gWYaYg
• :dd ZYUhifYg

Om cdYb dcfhg
• OYVgYfjYf
• cWU XmbUa W kYVg hY
• :IB WU
• =YVi b
• HhYfg

Ack hc UWWYgg hc hYgY dcfhg8
• V bX cb )')')')
• V bX cb cWU cgh
• VfckgYf g cif ccX Zf YbX
• ALLI dfchcWc
• hc YfUbWY cZ Y U WcaaUbXg

KUaY Hf b Ic Wm !KHI"
• Lkc dU Yg UjY gUaY3
• dfchcWc % cgh% dcfh
• =YZUi h VYUj cfg b VfckgYfg
same origin different origin
send simple requests ✓ ✓
send requests with custom headers ✓ ✘
get response ✓ ✘

=GK JYV bX b
Pull Payload bypass SOP
rebind.com
x.x.x.x
rebind.com
127.0.0.1
Attack
rebind.com
127.0.0.1
DNS Changed
Same
Origin

=GK JYV bX b dfYfYei g hYg
• OYV gYfj WY XcYg bch WYW_ hY cghbUaY
• N Wh a kci X kU h ibh =GK Ug WUb YX
• ;fckgYf Ug U =GK WUWY

<KJ? jg =GK JYV bX b
DNS Rebinding CSRF
Bypass SOP ✓ ✘
Pass hostname check ✘ ✓
effective immediately ✘ ✓

<UgY ghiXm3 : dcdi Uf h fX dUfhm d i b
• OY<UhI i b FUWHK
• DYYd hY fYWU YX aYggU Y
• :ihc fYd m U aYggU Y
• o
• *,))) ghUf ( +))) Zcf_g
• Khcd aU bhU bYX acbhg U c
hhdg3(( hiV'Wca(LD__ HKYf(OY<UhI i b FUWHK

:hhUW_ b k h =GK JYV bX b
• ; bX cb *+0')')'*3.+0))
• (kYWUh d i b(igYf
• (kYWUh d i b(WUh c
• (kYWUh d i b(gYbX aYggU Y
• KhUm cb hY Yj dU Y% UhhUW_Yf WUb'''
• @Yh U Zf YbXg
• @Yh U WUh c g
• KYbX Ubm aYggU Y hc Ubm igYf
https://xlab.tencent.com/cn/2018/10/23/weixin-cheater-risks/

? l8
• Kh UZZYWhYX Vm <KJ? UhhUW_
• KYbX Ubm aYggU Y hc U _bckb igYf
https://github.com/TKkk-iOSer/WeChatPlugin-
MacOS/commit/3bf0a352ddbd85250eb00c3f4ed21bb7810b77f4
NSString *hostname = request.headers[@"Host"];
NSString *url1 = [NSString stringWithFormat:@"127.0.0.1:%d", port];
NSString *url2 = [NSString stringWithFormat:@"localhost:%d", port];
if(!([hostname isEqualToString:url1] | [hostname isEqualToString:url2])){
return [GCDWebServerResponse responseWithStatusCode:404];
}

EYggcb YUfbYX
• : kUmg WYW_ hY cgh
• DYYd =GK fYV bX b UkUm
• MgY ibdfYX WhUV Y XUhU(dUh
• IfYjYbh <KJ? UhhUW_
• :jc X ig b h fX dUfhm d i bg

<UgY ghiXm3 PXYVi
• IAI XYVi b YlhYbg cb
• Ack XcYg h kcf_8
• JYeiYgh k h P=>;M@TK>KKBHGTKL:JL b dUfUag
• hhd3((*+0')')'*( bXYl'dd8P=>;M@TK>KKBHGTKL:JL
• PXYVi WcbbYWhg hc U gYfjYf
• KYfjYf bhYfUWhg k h PXYVi ig b =;@I WcaaUbXg
• O W gYfjYf hc WcbbYWh8 ! b U ZU VUW_ cfXYf"
• lXYVi 'fYachYTcgh
• P ?cfkUfXYX ?cf
• JYachY :XXf

PXYVi JYachY :hhUW_
• IfYfYei g hYg
• lXYVi 'fYachYTWcbbYWhTVUW_ 6 *
• lXYVi 'fYachYTYbUV Y 6 *
• lXYVi 'fYachYTcgh g GcbY
• ?cf acgh cZ hY IAI XYjY cdYfg% mYg
• :hhUW_ b
• KYh id U Yj gYfjYf kU h b Zcf PXYVi hc WcbbYWh
• MgY =GK fYV bX b UhhUW_ hc gYbX U P ?cfkUfXYX ?cf YUXYf
• >j gYfjYf gYbX dUm cUX hc PXYVi
• @Yh U fYjYfgY gY
https://bugs.php.net/bug.php?id=76149

:hhUW_ gWYbUf c
ci UfY U IAI XYjY cdYf
ci igY PXYVi
BZ mci ghUm cb Ub Yj dU Y Zcf -) .) gYWcbXg
ci aUm VY UW_YX

HhYf WUgYg
• GcXYCK =YVi b dcfh
• hhd3((V iYW)fY'V c gdch'Wca(+)*1(),(WjY +)*1 0*/) dkb b
bcXY g XYjY cdYfg'ha
• CUjU JFB !Z lYX b :df +)*1"
• JFB giddcfhg ALLI
• CUjU XYgYf U nY UhhUW_g
• hhdg3((aVYW Yf' hiV' c(+)*1().(+*(CUjU <N> +)*1 +1))(

open port
bind on
0.0.0.0
bind on
127.0.0.1
attack
remotely
DNS
Rebinding
CSRF

MJB KWYaYg
• UibW Uddg
• gYbX aYggU Y b Udd

MJB KWYaY cb O bXckg
• KY >lYWihYO!GMEE% E cdYb % E WcXY'YlY cdYb if * % GMEE% GMEE
% KOTKAHO "4
• :jc X gdUWYg% eichYg% cf VUW_g UgYg b mcif MJB
• *

> YWhfcb <N> +)*1 *)))))/
• <fca ia dUfUaYhYf b YWh cb
• fYbXYfYf WaX dfYZ l
• di UibWYf
• ih hm WaX dfYZ l
• ddUd d i b UibWYf
• ''''
• KY >lYWihYO!GMEE% E cdYb % E <fca ia'YlY bUW
XV6WaX'YlY % GMEE% GMEE % KOTKAHO "4
• : ZfUaYkcf_g VUgYX cb <fca ia aUm UjY hY gUaY ggiY

bk' g ZfUaYkcf_
• : ZUacig XYg_hcd bchY Udd WUh cb
• +)) F cbg cZ igYfg
• Bb YWh dUfUaYhYf hc YlYWihY WcaaUbX

JYgdcbg V Y X gW cgifY
• )+(+*(+)*2 fYdcfhYX hc >jYfbchY
• )-(*1(+)*2 Z lYX
• OBGGHL> *22-*

MJB KWYaY g =>:=8
• ? lYX b D;--202,. Vm F WfcgcZh !).(+2(+)*2"
• MJB KWYaY g if YbWcXYX
• <Ub bch b YWh dUfUaYhYfg
https://support.microsoft.com/en-hk/help/4497935/windows-10-update-kb4497935

• <fcgg K hY KWf dh b ! PKK "
• If j Y YX :IB
• IfchcWc UbX Yf

LY PKK ghcfm VY bg Zfca aUf_Xckb YX hcfg

g YlYWihYX b hY dfYj Yk k bXck
• b hY mYUf cZ +)*/
• aUf_Xckb YX hcfg
• Fci ( FUWXckb ( NK<cXY '''

Ack hc Yld c h8
• dfYj Yk dU Y fYbXYfYX b Z Y XcaU b
• ghYU Z Yg cb X g_
• ghYU WfYXYbh U g !UWWcibh W cbY"
• J<>
• df j Y YX :IBg
• ;fckgYf *XUm

<UgY ghiXm3 FUW=ckb cWU Z Y fYUX
• 010. ghUfg ( 2/* Zcf_g

• )1(+.(+)*/ fYdcfhYX hc hY Uihcf j U YaU
• )2().(+)*/ Uihcf d UbYX hc fYacjY bYhkcf_ WUdUV h Yg
• )2()/(+)*/ bg ghYX cb U dfcdYf Z l
• Kh UZZYWhYX bck

L b g UfY Yhh b UfXYf
• hh Y PKK b aUf_Xckb YX hcfg bckUXUmg
• <cbhYbh KYWif hm Ic Wm !<KI"
• KUbXVcl
• gc UhYX WcbhYlh
• bc bcXY acXi Yg !bcXY bhY fUh cb6ZU gY"
• AUfXYf hc Z bX% UfXYf hc Yld c h

EYh g cc_ Uh VfUf Yg igYX Vm aUf_Xckb YX hcfg

aYfaU X
• WUfhg ( X U fUa
• **2, igYX ( +-+)0 ghUfg ( *-/+ Zcf_g
• UhYgh jYfg cb
https://mermaidjs.github.io/

aYfaU X lgg # ,
graph TD
B --> C{<iframe src=javascript:alert`1`>}
graph LR;
A-->B;
click B callback "<iframe src=javascript:alert`1`>"
graph LR;
xss-->B;
click xss alert "callback"
click B "javascript:alert`1`" "link"

DUhYl ( FUh Ul
• aUh hmdYgYhh b
• DUhYl VYZcfY j)'*)') fW !/-)1 igYX ( *)0). ghUf ( 0,1 Zcf_"
• FUhCUl VYZcfY j, VYhU',!*+*/ igYX( /12. ghUf ( 21+ Zcf_"
• fYdcfhYX Vm chYf img 3!

Z ckWUfh' g
• Z ck WUfh X U fUag
• --1 igYX ( /))) ghUfg ( 120 Zcf_g
• UhYgh jYfg cb

Kia h id
• aYfaU X ! UhYgh"
• FUhCUl !VYZcfY j, VYhU', "
• DUhYl !VYZcfY j)'*)') fW"
• ? ck<Ufh' g ! UhYgh"
• :ZZYWh acfY Uddg hUb kY Z bX

<UgY ghiXm3 AUW_F= !ig b aYfaU X"
• */)%))) UWh jY igYfg

AUW_F= <KI
script-src 'self' vimeo.com https://gist.github.com www.slideshare.net 'unsafe-eval'
https://assets.hackmd.io https://www.google.com https://apis.google.com
https://docs.google.com https://www.dropbox.com https://*.disqus.com
https://*.disquscdn.com https://www.google-analytics.com
https://stats.g.doubleclick.net https://secure.quantserve.com
https://rules.quantcount.com https://pixel.quantserve.com https://js.driftt.com
https://embed.small.chat https://static.small.chat
https://www.googletagmanager.com https://cdn.ravenjs.com https://browser.sentry-
cdn.com 'nonce-cdbbafd5-903e-443c-bb33-c25b0cc73e21' 'sha256-
EtvSSxRwce5cLeFBZbvZvDrTiRoyoXbWWwvEVciM5Ag=' 'sha256-
NZb7w9GYJNUrMEidK01d3/DEtYztrtnXC/dQw7agdY4=' 'sha256-
L0TsyAQLAc0koby5DCbFAwFfRs9ZxesA+4xg0QDSrdI=';
https://csp-evaluator.withgoogle.com/

;mdUgg <KI ig b @cc Y LU FUbU Yf
• <KI VmdUgg ZcibX Vm 9_*hhYb
https://github.com/k1tten/writeups/blob/master/bugbounty_writeup/HackMD_XSS_
%26_Bypass_CSP.md

AUW_F= XYg_hcd Udd
• fYbXYfYf' g b df j Y YX WcbhYlh
• kYVj Yk hU fYbXYfg dU Y b gUbXVcl
• bc bcXY bhYf fUh cb
• Ack hc hifb PKK hc J<> b XYg_hcd Udd8

fYbXYfYf' g
• fYbXYf ha Zfca gUbXVcl b U df j Y YX WcbhYlh
webview.addEventListener('dom-ready', function () {
// set webview title
document.querySelector('#navbar-
container .title').innerHTML = webview.getTitle()
document.querySelector('title').innerHTML =
webview.getTitle()
})

JYX fYWh hc Yld c h dU Y ig b PKK
• cWUh cb6hhd3((llll(Yld c h'ha
• Lf Yf Xca fYUXm
<head>
<title>
<img src=1
onerror="process.mainModule.require('child_process').exec
('open /Applications/Calculator.app')">
</title>
</head>

• )0()1(+)*2 fYdcfhYX hc AUW_F=
• )0(**(+)*2 Z lYX

ALFE b YWh cb b Uddg
• bc CUjUKWf dh YlYWih cb
• d g b 8 UXjYfh g b 8

If j Y YX :IBg
• bcXY acXi Yg
• Wighca :IB
• CK;f X Y k h kfUddYf
• igiU m UjY diV W XcWg

<UgY ghiXm3 U dcdi Uf WUh Udd
• ; cbg cZ igYfg
• >aVYXYX VfckgYf k h Wighca :IBg
• <ighca :IBg k hcih XcaU b fYghf Wh cb
• OY XcWiaYbhYX Zcf XYjY cdYfg
• HdYb MJEg b YaVYXXYX VfckgYf
• KYbX U gdYW U hmdY cZ aYggU Y !?YYX<UfX FYggU Y"
• Bb Udd MJB gWYaY

<ighca :IBg
• Udd'Xckb cUX? Y
• igYf WccgY U cWUh cb hc gUjY hY Z Y
• Udd'cdYbEcWU ? Y
• cdYb hY Z Y X fYWh m k hcih WcbZ faUh cb !aUWHK"

OY bYYX l
• >E? WUb bch YlYWihY k hcih l
• ;Ug ( Imhcb o UfY cdYbYX Vm hYlh YX hcfg
• ' Uf kcf_g

:hhUW_ gWYbUf c
ci UjY CUjU
ci W W_ U ?YYX<UfX aYggU Y Zfca U UW_Yf
: X U c Ug_g mci hc gUjY U Z Y
KUj b U Z Y igiU m Ufa Ygg% gc mci W W_YX gUjY
ci UfY UW_YX

• fYdcfhYX cb )*(+,(+)*2
• Z lYX b hY UhYgh jYfg cb
• HdYb hY Zc XYf bghYUX cZ hY Z Y

IfchcWc UbX Yf
• hhd
• fYbXYf dU Y b Ub ibhfighYX WcbhYlh
• VfckgYf *XUm
• CUjUKWf dh
• gYbX fYeiYgh b Z Y XcaU b
• ghYU cWU Z Yg
• Z Y ( KF;
• UibW dfc fUa
• GLEF JY Um
be careful of
<a>

<UgY ghiXm3 Xi V
• ,)22 ghUfg ( *-,- Zcf_g
• O XY m igYX Vm < bYgY XYg_hcd Uddg cb O bXckg
• ha _Y hU g ! gckha 6hfiY "
• 5U l7hYlh5(U7 Zcf mdYf b_
• 5 l m n7 Zcf aU Y
• 5W llllll7hYlh5(W7 Zcf Wc cf
https://github.com/duilib/duilib

U WUh Udd
• gckha 6hfiY
• fYbXYf hU g b hY WUh fcid bUaY cf dYfgcbU ghUhig

GLEF JY Um UhhUW_ ig b 5 7 hU
• 5 SSUhhUW_Yf * *7
• gYbX k bXckg WfYXYbh U g UihcaUh WU m
• cbWY hY hU g fYbXYfYX cb hY j Wh a g aUW bY
• igiU m k hcih igYf bhYfUWh cb
• cZZ bY VfihY ZcfWY
• fY Um hY WfYXYbh U g hc chYf gYfj WYg
• fY Um hc >lWUb Y !ghYU YaU g"
• fY Um hc UbchYf aUW bY hUh UjY hY gUaY dUggkcfX
• o

<UgY ghiXm3 @ XfU
• VUgYX cb C:N:
• ig b PFE hc XYgWf VY U dfc YWh

@ XfU PP>
• ZcibX Vm 9g WhcaU

PP> g bch Ybci
• ghYU Z Yg
• gYbX hhd fYeiYghg
• <Ub kY hifb h hc J<>8

@ XfU Zfca PP> hc J<>
• CUjU k gYbX WfYXYbh U g kYb YbWcibhYfg GLEF VUgYX
-)* hhd fYgdcbgY
• :hhUW_Yf gYh id U aU W cig hhd gYfjYf
• JY Um hY WfYXYbh U g hc KF; gYfj WY
https://xlab.tencent.com/en/2019/03/18/ghidra-from-xxe-to-rce/

feature
XSS
Privileged
API
Protocol
Handler
http
JavaScript
file

;Y WUfYZi k Y XYVi b
• IAI
• GcXYCK
• CUjU !jYfg cbg VYZcfY :df +)*1"

;Y WUfYZi k Y ig b hYgY VfUf Yg
• aYfaU X ! UhYgh"
• FUhCUl !VYZcfY j, VYhU',"
• DUhYl !VYZcfY j)'*)') fW"
• ? ck<Ufh ! UhYgh"
• Xi V !k h gckha 6hfiY"
• bk' g !fY ghYf b MJB gWYaY"

:W_bck YX YaYbhg
• 9hcaV_YYdYf
• 9>j F))b
• 9<cXY<c cf gh
• 9aVYW Yf !hhdg3(( hiV'Wca(aVYW Yf"
• 9V iYW)fY !hhd3((V iYW)fY'V c gdch'Wca"
• 9_*hhYb !hhdg3(( hiV'Wca(_*hhYb"
• 9g WhcaU
• 9J WhYfR !hhdg3(( hiV'Wca(J WhYfR"
• o

DEF CON 27 - JUNYU ZHOU and CE QUIN and JIANING WANG - web2 own attacking desktop apps from web securitys perspective

More Related Content

What's hot (20)

Similar to DEF CON 27 - JUNYU ZHOU and CE QUIN and JIANING WANG - web2 own attacking desktop apps from web securitys perspective (20)

More from Felipe Prado (20)

Recently uploaded (20)

DEF CON 27 - JUNYU ZHOU and CE QUIN and JIANING WANG - web2 own attacking desktop apps from web securitys perspective