[OWASP-Switzerland] OWASP Switzerland Meeting - February 18th 2015

Sven Vetsch sven.vetsch at owasp.org
Tue Jan 27 11:03:18 UTC 2015


Hi everyone,
I’d like to invite you to our next OWASP Switzerland meeting on February 18th 2015. If you want to attend, please make sure to register for the event with your *full name* through http://doodle.com/xa6fxpqnv7mq52hy. Space is limited to 30 attendees.


* When:
Wednesday, February 18th 2015
Starting at 18:00
Doors at 17:30


* What (presentation):
"Abusing JSONP with Rosetta Flash" by Michele Spagnuolo, Google


Abstract:
Michele will present an exploitation technique that involves crafting charset-restricted Flash SWF files in order to abuse JSONP endpoints and allow Cross Site Request Forgery attacks against domains hosting JSONP endpoints, bypassing the Same Origin Policy.


With this attack it is possible to make a victim perform arbitrary requests to the domain with the JSONP endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site.


High profile Google domains, YouTube, Twitter, LinkedIn, Yahoo!, eBay, Mail.ru, Flickr, Baidu, Instagram, Tumblr and Olark have had or still have vulnerable JSONP endpoints at the time of writing. Popular web development framework Ruby on Rails and MediaWiki also addressed this vulnerability.


Rosetta Flash leverages zlib, Huffman encoding and ADLER32 checksum bruteforcing to convert any SWF file to an equivalent one composed of only alphanumeric characters, so that it can be passed as a JSONP callback and then reflected by the endpoint, effectively hosting the Flash file on the vulnerable domain. We use ad-hoc Huffman encoders in order to map non-allowed bytes to allowed ones. Naturally, since we are mapping a wider charset to a more restrictive one, this is not a real compression, but an inflation: we are, in a way, using Huffman as a Rosetta stone.


Rosetta Flash has been nominated for a Pwnie Award and won an Internet Bug Bounty by HackerOne.


More information can be found in Michele's blog post: https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/


* Where:
Swisscom AG
Hardturmstrasse 3
8005 Zurich


* Who:
As usual, all of our meetings are open to everyone and free of charge.


* Agenda
17:30 - 18:00 | Drinks and Snacks offered by Swisscom
18:00 – 18:15 | Update on OWASP by Sven Vetsch, OWASP Switzerland
18:20 – 19:00 | "Abusing JSONP with Rosetta Flash" by Michele Spagnuolo, Google
19:15 - **:** | Dinner


regards,
Sven


--
Sven Vetsch
Leader OWASP Switzerland
https://www.owasp.ch
https://www.twitter.com/OWASP_ch
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-switzerland/attachments/20150127/f5984f1d/attachment.html>


More information about the Owasp-Switzerland mailing list