Krzysztof Kotowicz
233 followers | 1,139,771 views

Stream

Krzysztof Kotowicz

Developers of the world! REJOICE and develop apps full of security bugs. Flyyy FLYYYYY FLYYYYYYYYYYYY

/(credits go to +Krzysztof Kotowicz)/

How to do eval in Chrome Packaged Apps

// Build a blob: URL holding an HTML document whose inline script defines top.EVAL
var u = URL.createObjectURL(new Blob(
  ['<script>top.EVAL = function(x) {with(top){return eval(x);}};</script>'],
  {type: 'text/html'}));
// Load it in an iframe; the script runs in the blob document and installs EVAL on the top window
document.body.appendChild(document.createElement('iframe')).src = u;

Then you have:
EVAL('chrome.tts.speak("Take that Security! ;P")');

Krzysztof Kotowicz

A few more thoughts on why WebCrypto isn’t such a bad idea:

I enjoyed Thai Duong’s defense of JavaScript crypto in the context of building E2E here:  http://vnhacker.blogspot.com.ar/2014/06/why-javascript-crypto-is-useful.html , but wanted to add one more quick thought.  WebCrypto is just a continuation of the same general ideas that we’ve followed for years to make lower-level platform crypto safer and better; in particular two megatrends:

1. Abstract the crypto implementation away from the program.

Yes, JavaScript is bad at things like guaranteeing constant-time program semantics, strong typing, etc.  Many lower-level languages that use crypto have similar issues, even C code can, and often does.  By depending on an abstract, platform-provided interface instead of an application library, these operations can be transparently routed to the best-available implementation.  That might be a C library in the browser, one that ships with the OS, or it might be an HSM or specialized CPU instructions.  Without these kinds of API abstractions, there’s no way a browser-hosted JS app can possibly access these safer lower-level services.  This pattern also means the end-user of the application can make their own choices about the implementations that meet their requirements without requiring changes in the application.

2. Trust the platform.  You have no choice.  Really.

Sometimes you will find a situation where platform crypto is broken yet an app with its own implementation can be safe. But this is very rare.  Applications are pretty dependent on their platform for security, even if not in ways directly related to the functionality of the app.  A modern platform (whether it is a browser or a traditional OS) uses crypto primitives for things like establishing secure channels, verifying software and updates, authenticating administrative users over the network, etc.  If your adversary is able to exploit weaknesses in your platform crypto, you probably can’t build an application on it that will resist those adversaries just by including your own crypto libraries.  

Also, with a very few notable exceptions (hi, Chrome!), the vast majority of applications just don’t have the same incentive and ability to keep crypto dependencies up-to-date that platforms do. In practice, apps that ship with their own crypto dependencies ship with out-of-date libraries that are full of vulnerabilities.* It’s much better to accept as a simplifying assumption that you can’t do better than the platform you run on, and rely on it to keep crypto safe, and the dependencies up to date for you.

* I worked auditing application security for over five years and it was a given that you’d get some “freebie” critical findings in the first hour of any engagement if an app wasn’t using platform crypto because that meant there was a version of OpenSSL or a Java XMLDSIG library somewhere in the build path that was usually no less than 4 years old. Even apps that themselves were brand-new somehow managed to find the crustiest possible crypto code to include, I don't know where from.
Paweł Krawczyk: After our discussions at AppSec I think the main challenge is not "why JavaScript crypto" but "what else instead of JavaScript crypto". Java applets or ActiveX? Usability sucks... Flash? No way... NaCl? No idea...

Krzysztof Kotowicz

Note to self: When Internet provider upgrades your broadband, don't forget to update QoS upload limit in your router as well...
Paweł Krawczyk: And your firewall rules - this article was inspired by exactly such an incident too http://ipsec.pl/openwrt/2014/effective-ip-blacklisting-openwrt.html

Krzysztof Kotowicz

Yesterday @antisnatchor and I gave a talk at Insomni'hack entitled "When you don't have 0days. Client-side exploitation for the masses". We described different tricks that one can use during a pentesting assignment to achieve goals without burning any of those precious 0days.

Krzysztof Kotowicz

Exploiting EasyXDM part 2: & considered harmful
tldr: URL parsing is hard, encode stuff. This is a second post describing easyXDM vulnerabilities. Reading the first part might come in handy: Exploiting EasyXDM part 1: Not the usual Flash XSS Intro "EasyXDM is a Javascript library that enables you as a de...

Krzysztof Kotowicz

tldr; A long, passionate discussion about JS crypto. Use slides for an overview. Javascript cryptography is on the rise. What used to be a rich source of vulnerabilities and regarded as "not a serious research area", suddenly becomes used by many. Over the last few years, there was a serious ...

Krzysztof Kotowicz

"For most developers, the security team at Google is a black box. Yet Safe Browsing and its API have been around for years and currently protect over a billion users. We also recently launched the source code to End-To-End, an encryption extension for Chrome, where we're explicitly calling for community feedback. And then there's the Google Transparency Report, which includes information both from Safe Browsing and from our Safer Email effort to understand how much encrypted email we send and receive. Please join us for a session about how Google's security team approaches its work, updates about End-To-End, Safe Browsing, and Safer Email, and how developers can tap into what we do."

Krzysztof Kotowicz

We just released one of the projects I've contributed to: "End-To-End is a Chrome extension that helps you encrypt, decrypt, digitally sign, and verify signed messages within the browser using OpenPGP."

It was great working on it with +Eduardo Vela , +radi v , Thai, Krzysztof, Frank, Stephan, and everyone else!
Kyle Osborn (Kos): Hopefully it's not vulnerable to XSS... or code injection :)

Krzysztof Kotowicz

While Juliet probably was a pretty smart girl, this time she got it wrong. There is something special in a name. At least in window.name. For example, it can ignore Same Origin Policy restrictions. Documents from https://example.com and https://foo.bar are isolated from each other, ...

Krzysztof Kotowicz

Breaking Google AppEngine webapp2 applications with a single hash
What's this, you think? 07667c4d55d8d81a0f0ac47b2edba75cb948d3a2$sha1$1FsWaTxdaa5i It's easy to tell that this is a salted password hash, using sha1 as the hashing algorithm. What do you do with it? You crack it, obviously! No wonder that when talking about...
People
Have him in circles
233 people
Tomas Dambrauskas
Dariusz Sznajder
Dominika Kołodziej
Tom 'WaxVax' Wołek
Claudio Criscione
Marcus Niemietz
Kuba Janus
Paulina Barczyk
Arashi Coldwind
Basic Information
Gender: Male
Occupation: web security researcher
Krzysztof Kotowicz's +1's are the things they like, agree with, or want to recommend.
Rapportive XSSes Gmail or have yourself a merry little botnet...
blog.kotowicz.net

Mosquito gets new features. It's that magical time of the year, when wonders happen... Everyone's getting big presents. I was apparently nau

Exploiting EasyXDM part 2: & considered harmful
blog.kotowicz.net

Exploiting EasyXDM part 2: & considered harmful. tldr: URL parsing is hard, encode stuff. This is a second post describing easyXDM vulnerabi

Exploiting EasyXDM part 1: Not the usual Flash XSS
blog.kotowicz.net

tldr: You're using easyXDM? Upgrade NOW. Otherwise - read up on exploiting difficult Flash vulnerabilities in practice. Secure cross-domain

Jealous of PRISM? Use "Amazon 1 Button" Chrome extension to sniff all HT...
blog.kotowicz.net

tldr: Insecure browser addons may leak all your encrypted SSL traffic, exploits included. So, Snowden let the cat out of the bag. They're li

Virtual Sweatshops Defeat Bot-or-Not Tests — Krebs on Security
feedproxy.google.com

Virtual Sweatshops Defeat Bot-or-Not Tests. WP Greet Box icon. Hello there! If you are new here, you might want to subscribe to the RSS feed

Cryptography
www.crypto-class.org

Cryptography is a free online class taught by Dan Boneh.

Google Plus Nick
gplus.to

Make short url for google+ profile.

Perfect Tool for Picasa
market.android.com

Love "Google Photos", "Picasa Web Albums"? Try the BEST Android app for them!Your Beautiful photos deserve a Beautiful app. This app helps y

Chrome Multitask Mode
www.google.com

Chrome Multitask Mode lets you browse the web with multiple mice at the same time, so you can get more done, clickety-split.

Fun with data: URLs
feedproxy.google.com

But what if particular XSS filter knows about data: URIs and tries to reject them? We bypass, of course :) I've been fuzzing data: URIs

WulffMorgenthaler.com – Daily strip 22.11.2011
feedproxy.google.com

Entertainment - Since 2002. Wulff & Morgenthaler's Personal humoristic social commentary on life, nostalgia and the World in general

The future of electronic currency
feedproxy.google.com

Crypto is fantastic for many things, but those who read this blog know that I have a particular fascination for its privacy applications. Sp

Moxie Marlinspike :: Blog
blog.thoughtcrime.org

The Cryptographic Doom Principle. December 13, 2011. Edit; Delete; Tags; Autopost. When it comes to designing secure protocols, I have a pri

Doing evil with the Cloud 9 IDE and Socket.io | nGenuity Information Sec...
ngenuity-is.com

The transition to the real time web is happening. Along with that I'm seeing more and more applications using the awesome functionality

a little bit of something - not shit web design.
www.alittlebitofsomething.co.uk

a little bit of something is a web design agency in Cornwall that designs good websites.

Tunneling traffic through DNS using Iodine - for fun and profit
bottiger.org

Tunneling traffic through DNS using Iodine - for fun and profit. Just how much should we put into DNS ? I remember reading the wonderful blo

JavaScript Obfuscations Contest: We Have a Winner | BreakingPoint
www.breakingpointsystems.com

JavaScript obfuscations are an important client-side attack affecting large organizations. BreakingPoint's JavaScript contest challenged hac

Enea Android Blog: The Android boot process from power on
www.androidenea.com

The Android boot process from power on. Since mobile platforms and embedded systems has some differences compared to Desktop systems in how

Minded Security Blog: Ye Olde Crockford JSON regexp is Bypassable
blog.mindedsecurity.com

Ye Olde Crockford JSON regexp is Bypassable. Introduction While doing some test with DOMinator I found several sites and applications using

TVP INFO against ACTA!
www.wykop.pl

Finally they too see the ambiguities in ACTA..