[OWASP-Switzerland] OWASP Switzerland Meeting - February 18th 2015

Reto Ischi reto.ischi at ergon.ch
Tue Jan 27 12:18:57 UTC 2015

Neue Sitzungsanfrage:

Betreff: [OWASP-Switzerland] OWASP Switzerland Meeting - February 18th 2015 
Organisator: "Reto Ischi" <reto.ischi at ergon.ch> 

Uhrzeit: Mittwoch, 18. Februar 2015, 18:00:00 - 21:00:00 GMT +01:00 Amsterdam, Berlin, Bern, Rom, Stockholm, Wien
Eingeladene Teilnehmer: sven.vetsch at owasp.org; owasp-switzerland at lists.owasp.org 


Hi everyone, 
I’d like to invite you to our next OWASP Switzerland meeting on February 18th 2015. If you want to attend, please make sure to register for the event with your *full name* through http://doodle.com/xa6fxpqnv7mq52hy. Space is limited to 30 attendees. 

* When: 
Wednesday, February 18th 2015 
Starting at 18:00 
Doors at 17:30 

* What (presentation): 
"Abusing JSONP with Rosetta Flash" by Michele Spagnuolo, Google 

Michele will present an exploitation technique that involves crafting charset-restricted Flash SWF files in order to abuse JSONP endpoints and allow Cross Site Request Forgery attacks against domains hosting JSONP endpoints, bypassing the Same Origin Policy. 

With this attack it is possible to make a victim perform arbitrary requests to the domain with the JSONP endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site. 

High profile Google domains, YouTube, Twitter, LinkedIn, Yahoo!, eBay, Mail.ru, Flickr, Baidu, Instagram, Tumblr and Olark have had or still have vulnerable JSONP endpoints at the time of writing. Popular web development framework Ruby on Rails and MediaWiki also addressed this vulnerability. 

Rosetta Flash leverages zlib, Huffman encoding and ADLER32 checksum bruteforcing to convert any SWF file to an equivalent one composed of only alphanumeric characters, so that it can be passed as a JSONP callback and then reflected by the endpoint, effectively hosting the Flash file on the vulnerable domain. We use ad-hoc Huffman encoders in order to map non-allowed bytes to allowed ones. Naturally, since we are mapping a wider charset to a more restrictive one, this is not a real compression, but an inflation: we are, in a way, using Huffman as a Rosetta stone. 

Rosetta Flash has been nominated for a Pwnie Award and won an Internet Bug Bounty by HackerOne. 

More information can be found in Michele's blog post: https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/ 

* Where: 
Swisscom AG 
Hardturmstrasse 3 
8005 Zurich 

* Who: 
As usual, all of our meetings are open to everyone and free of charge. 

* Agenda 
17:30 - 18:00 | Drinks and Snacks offered by Swisscom 
18:00 – 18:15 | Update on OWASP by Sven Vetsch, OWASP Switzerland 
18:20 – 19:00 | "Abusing JSONP with Rosetta Flash" by Michele Spagnuolo, Google 
19:15 - **:** | Dinner 


Sven Vetsch 
Leader OWASP Switzerland 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-switzerland/attachments/20150127/17042819/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: meeting.ics
Type: text/calendar
Size: 9033 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-switzerland/attachments/20150127/17042819/attachment.ics>

More information about the Owasp-Switzerland mailing list