Team bi0s
Amrita Center for Cybersecurity, Amritapuri
The Art of Executing Javascript
About
➱ Akhil Mahendra
➱ Web application security enthusiast
➱ CTFer {@teambi0s}
➱ @Akhil_Mahendra
Agenda
➱ Introduction - XSS
➱ Types of XSS and different contexts
➱ Same Origin Policy
➱ Content Security Policy
➱ XSS via Angular JS
Introduction
Attack with a wrong name?
Introduction
➱ Still exists after 18 years!
➱ No. 7 in the OWASP Top 10 2017
➱ Most commonly reported security vulnerability
Introduction - Impact
➱ Stealing user cookies
➱ Keylogger
➱ Deface website
Types of XSS
➱ Reflected XSS
➱ Stored XSS
➱ DOM based XSS
Different Context
➱ HTML
➱ Attribute
➱ Script
➱ Style
➱ URL
Different Context - HTML context
➱ User input comes inside HTML elements
○ <p>Injection</p>
➱ PoC
○ <script>alert(1)</script>
Different Context - attribute context
➱ User input comes inside HTML attributes (as an attribute value, or as the attribute name itself)
○ <p class="Injection"></p>
○ <p Injection="test123"></p>
➱ PoC
○ " onmouseover="alert(1)">
○ onmouseover="alert(1)" class
Different Context - script context
➱ User input comes inside <script> tags
○ <script> var a = 'Injection'; </script>
➱ PoC
○ ';alert(1);//
Different Context - style context
➱ User input comes inside a style attribute or <style> block
○ <p style="color: injection"></p>
➱ PoC
○ expression(alert(1));
○ Note: CSS expression() only executes in old Internet Explorer; modern browsers ignore it, but the context still needs strict validation
Different Context - URL context
➱ User input comes inside a URL attribute such as href
○ <a href="injection">click</a>
➱ PoC
○ javascript:alert(1)
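Each of the five contexts above needs its own defence. As an added example (not code from the deck), the JavaScript below gives one encoder or validator per context and is checked against the deck's own PoC strings; the function names and the placeholder base URL are my own.

```javascript
// Added example (not from the slides): one output encoder or validator
// per injection context the deck lists, exercised on the deck's own PoC
// strings. Encode for the context you write into, or reject the value.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML context: <p>USER</p>. Entity-encode the five characters that can
// open a tag or an attribute, so <script> stays text.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Attribute context: <p class="USER">. Keep the attribute quoted and
// hex-entity-encode every non-alphanumeric character, so the value can
// never close the quote or start a new attribute like onmouseover.
function encodeForAttribute(s) {
  return String(s).replace(/[^a-zA-Z0-9]/g, (c) => `&#x${c.charCodeAt(0).toString(16)};`);
}

// Script context: var a = 'USER'. JavaScript-escape everything that is
// not alphanumeric, so a quote cannot end the literal and ;alert(1);//
// stays inside the string instead of becoming code.
function encodeForJsString(s) {
  return String(s).replace(/[^a-zA-Z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? `\\x${code.toString(16).padStart(2, '0')}`
                        : `\\u${code.toString(16).padStart(4, '0')}`;
  });
}

// Style context: <p style="color: USER">. Encoding is not enough here;
// allow only a colour-shaped token and fall back otherwise.
function safeCssColor(s) {
  return /^(#[0-9a-fA-F]{3,8}|[a-zA-Z]{1,20})$/.test(s) ? s : 'inherit';
}

// URL context: <a href="USER">. Resolve against a base so that relative
// links are accepted, then allow only http(s); javascript: (in any case,
// with leading whitespace) and data: are rejected. The base is a placeholder.
function safeHref(s) {
  try {
    const u = new URL(String(s), 'https://placeholder.invalid/');
    return (u.protocol === 'http:' || u.protocol === 'https:') ? String(s) : 'about:blank';
  } catch (e) {
    return 'about:blank';
  }
}
```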
SOP
➱ Scripts on a page can make HTTP requests and read the responses only from hosts that share the same protocol, hostname and port
➱ A loaded iframe cannot read or write data in the embedding page unless it is in the same origin!
CSP
➱ Introduced as a mechanism to mitigate code injection
➱ Directives define:
○ From where, and what kind of, content is allowed to load
○ In which context the content is allowed to execute
➱ It is a mitigation, not the first line of defense!
CSP - Directives
➱ Directives:
○ default-src
○ script-src
○ object-src
○ style-src
○ img-src
○ frame-src
CSP - Keywords
➱ Keywords:
○ *
○ 'none'
○ 'self'
○ 'unsafe-inline'
○ 'unsafe-eval'
CSP
➱ HTTP header
○ <?php header("Content-Security-Policy: default-src https://cdn.example.net; object-src 'none'"); ?>
➱ Meta tag in HTML
○ <meta http-equiv="Content-Security-Policy" content="default-src https://cdn.example.net; object-src 'none'">
CSP - Common mistakes
➱ 'unsafe-inline', 'unsafe-eval', data:
○ The whole purpose of CSP is defeated
➱ Eg: default-src 'self'; script-src 'unsafe-inline'
○ Bypass: <script>alert(1)</script>
CSP - Common mistakes
➱ Nonces:
○ A nonce must be a random string
○ Should not be reused
○ Should not be guessable
CSP - Common mistakes
➱ Examples of bad nonces
○ Request 1 - D29162F1B99108DDA2406C697FFAC27586F42C7D021669F01F720CEEACBB06F5
○ Request 2 - D29162F1B99108DDA2406C697FFAC27586F42C7D021669F01F720CEEACBB06F5 (same value reused)
○ e10adc3949ba59abbe56e057f20f883e - md5(123456) (derived from a guessable value)
○ 1231441 (too short and too predictable)
Demo
CSP - Bypass
XSS via Angular JS
Escaping the expression sandbox for XSS
Thanks
@Akhil_Mahendra