Masters in Information Security
Post Data with malicious code
Store
Fetch
Open App
Get malicious code
Check
Follow link
Response
Make user to follow a link
var url = new URL(location.href).searchParams.get("user");
$('#form').append('<input type="hidden" value="' + url + '">');
<form id="form">
<input type="hidden"
value="https://example.com"/><script>alert(1)</script>
</form>
.../?user=something<script>alert(1)</script>...
Inline code
API
CDN
Analytics
3rd party
Injected script
$('#form').append('...some STRING');
el.innerHTML='...some STRING'
el.innerHTML = { toString: () => 'hello' }
el.innerHTML // "hello"
Content-Security-Policy: trusted-types myPolicy
el.innerHTML = location.hash.slice(1); //string
//create via a TrustedTypes policy
el.innerHTML = aTrustedHTML;
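An added example, not code from the slides, that ties the DOM-XSS snippet above (`?user=` concatenated into a hidden input) to the Trusted Types policy named in the CSP header: the policy name `myPolicy` and the CSP header are the slide's, while the escaping helper, the `hiddenInput*` function names and the Node.js fallback (no `trustedTypes` global outside a browser) are assumptions.

```javascript
// Added example, not from the slides: a Trusted Types policy named "myPolicy"
// (matching "Content-Security-Policy: trusted-types myPolicy") whose createHTML
// escapes the attacker-controlled ?user= value before it reaches innerHTML.
// Outside a browser (e.g. Node.js) there is no trustedTypes global, so a plain
// object with the same createHTML shape is used; the escaping is identical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Build the markup inside the policy so the only thing that ever reaches the
// sink is the policy's TrustedHTML output, never a raw string.
function hiddenInputMarkup(user) {
  return '<input type="hidden" value="' + escapeHtml(user) + '">';
}

function createHiddenInputPolicy(name) {
  const tt = globalThis.trustedTypes;
  if (tt && typeof tt.createPolicy === 'function') {
    // Browser with Trusted Types: createHTML returns a TrustedHTML object.
    return tt.createPolicy(name, { createHTML: hiddenInputMarkup });
  }
  // Fallback for environments without the API (assumption: Node.js run).
  return { createHTML: hiddenInputMarkup };
}

const myPolicy = createHiddenInputPolicy('myPolicy');

// The slide's vulnerable pattern: string concatenation, attribute breakout possible.
function hiddenInputUnsafe(user) {
  return '<input type="hidden" value="' + user + '">';
}

// Hardened pattern: in a browser, `form.innerHTML = hiddenInputSafe(user)` is
// accepted when the CSP enforces Trusted Types for script sinks
// (require-trusted-types-for 'script'), because the value is TrustedHTML;
// assigning a raw string such as hiddenInputUnsafe(user) would throw instead.
function hiddenInputSafe(user) {
  return myPolicy.createHTML(user);
}

// Constructed sample payload in the shape of the slide's ?user=... injection.
const SAMPLE_USER = 'https://example.com"/><script>alert(1)</script>';
```

Comparing `hiddenInputUnsafe(SAMPLE_USER)` with `String(hiddenInputSafe(SAMPLE_USER))` shows the attribute breakout in the first and the escaped `&quot;/&gt;&lt;script&gt;` in the second.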
Sanitization out of box:
bypassSecurityTrust*
login
action
bad action
done
done!
eBay: The password cannot be updated by using this method. However, the information that's needed to reset the password can.
login
action
bad action
done
Token:
==
Token: ...
NO ACCESS!
!= ...
HttpClientXsrfModule.withOptions({
cookieName: 'My-Xsrf-Cookie',
headerName: 'My-Xsrf-Header'
}),
event-stream v3.3.6
right9ctrl
event-stream v4.0.0
flatmap-stream v0.1.1
flatmap-stream v0.1.0
event-stream v3.3.5
flatmap-stream v0.1.1
require("crypto").decrypt("aes256", data, npm_package_description);
copay-dash
if(!/build\:.*\-release/.test(process.argv[2])) return;
npm run-script command
"build:ios-release": "run-s env:prod && ionic cordova build ios --release"
inject malicious payload to steal private keys from wallet
flatmap-stream v0.1.1
event-stream
npm audit