Everybody Wants SOME: Advance Same Origin Method Execution

PRESENTATION SLIDES (PDF)

SOME – “Same Origin Method Execution” is a new technique (two years since its first major exposure) that abuses callback endpoints in order to perform a limitless number of unintended actions on a website on behalf of its users, by assembling a malicious set of timed iframes and/or windows.

The attack was proven against large platforms such as WordPress and various web applications built by Google, PayPal, Microsoft and others. The attack is not UI related, nor is it confined by user interaction, browser brand, the HTTP X-Frame-Options header or other response headers, or a particular web page; in fact, once a single web page is found vulnerable to “SOME”, the entire domain becomes vulnerable.

During this talk I intend to show and demonstrate the cleverest SOME attacks performed against real-case scenarios; in addition, I will demo XSS attacks that became possible ONLY after using the SOME technique. I am going to emphasize the advanced aspects of the SOME attack, including a new approach in terms of interaction, and I am going to clarify some queries and confusions that were raised after the exposure of SOME in relation to JSONP.

This talk will show you how web pages used as callback endpoints open a backdoor, even in the most protected domains, to a very powerful attack that can cause severe damage.

CONFERENCE
Speaker: Ben Hayak
Location: Track 1
Date: April 14, 2017
Time: 10:45 am - 11:45 am