Blackbox Reversing Of XSS Filters

Presented at REcon 2008, June 14, 2008, 4:30 p.m. (60 minutes)

Many of us limit ourselves to what we already know and don't look for new challanges. I've spent a long time reversing x86 code, but there are a lot of other interesting targets out there. Cross site scripting vulnerabilities and web security in general are perceived to not be interesting enough for hardcode reversers, but this talk aims to dispel this notion. We all know that web apps are the future, but where do we, reversers, fit in this brave new world? I will present the challanges of blackbox reversing and the beauty of reconstructing complicated algorithms based on nothing but some well chosen inputs and outputs. I will demonstrate the tools I've written to make this easier and perhaps drop a few 0days as well :-)

Presenters:

• Alexander Sotirov
  Alexander Sotirov has been involved in computer security since 1998, when he started contributing to Phreedom Magazine, a Bulgarian underground technical publication. For the past ten years he has been working on advanced exploitation, reverse engineering and vulnerability research. His recent work includes the discovery of the ANI vulnerability in Windows Vista and the development of the Heap Feng Shui browser exploitation technique. Alexander is one of the organizers of the Pwnie Awards. He is currently employed as a security researcher at VMware.

Links:

• https://recon.cx/2008/speakers.html#xss
• https://infocon.org/cons/REcon/REcon 2008/REcon 2008 videos/Alexander Sotirov-Blackbox Reversing Of XSS Filters.mp4
• https://recon.cx/2008/a/alexander_sotirov/recon-08-sotirov.pdf

Similar Presentations:

• BSidesLV 2014 / FAP Fully Automated Pwning Techniques for Automated Reversing