Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Local File Read via Stored XSS in The Opera Browser - 602

Renwa, posted 4 years ago
  • Browser security is not all about memory corruption vulnerabilities. In fact, there are a lot of bugs on the thin line between a web page and access to everything on your computer. Since Opera is built on top of Chromium, the author took a look at the features Opera adds on top of it. One of these was the Pinboard.
  • The Pinboard API accepted an HREF when something was added. By setting the link to a JavaScript URI, the author had stored XSS. In particular, the payload was javascript:'@opera.com/';alert(1), to pop an alert box. Since this was opened within the opera URI, it has special permissions that other web pages do not.
  • Since the attribute target=_blank was set, the XSS would only execute on the page if a middle click or control click was done. This is still a one-click XSS though! What damage can be caused within the opera URI? This is similar to the firefox or chrome URI.
  • The Opera scheme has the ability to view other pages, bypass the same-origin policy (SOP) to request files, and many other things. However, there are some restrictions in place so that an XSS in the browser is not a complete game over. The author made an exploit that opened a new tab with /etc/passwd inside of it. Next, they take a screenshot of this page to see the information. Finally, they base64-encode the password file and send it to themselves.
  • Overall, good post with an interesting exploitation method.
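As an added illustration (not code from Renwa's post or from Opera), the kind of check a feature like the Pinboard needs on a stored href: a substring check for a trusted domain is fooled by the write-up's payload, which carries "@opera.com/" inside a string literal, while letting the URL parser decide the scheme and allowlisting it rejects the javascript: URI. The sample links are constructed.

```javascript
// Added example, not from the original post or the Opera code base.
// Only plain web links may be stored; anything else is rejected.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Constructed sample inputs, including the payload shape from the write-up.
const SAMPLES = [
  "https://example.com/page",
  "javascript:'@opera.com/';alert(1)",        // the write-up's payload
  " JaVaScRiPt:alert(1)",                     // mixed case, leading space
  "data:text/html,<script>alert(1)</script>", // another non-web scheme
  "//example.com/protocol-relative",          // no scheme at all
  "not a url",
];

// Naive check: looks for a trusted domain or an "http" prefix as plain text.
// The payload contains the string "opera.com", so this wrongly accepts it.
function naiveLooksTrusted(href) {
  return href.includes("opera.com") || href.startsWith("http");
}

// Hardened check: parse the value as an absolute URL and allowlist the
// scheme. Returns the normalized href, or null if it must not be stored.
// Relative and unparseable values are rejected rather than guessed at.
function safeHref(href) {
  let url;
  try {
    url = new URL(href.trim()); // no base: relative input throws
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Run both checks over the samples so the difference is visible.
function classify(samples = SAMPLES) {
  return samples.map((href) => ({
    href,
    naive: naiveLooksTrusted(href),
    safe: safeHref(href),
  }));
}

for (const row of classify()) {
  console.log(JSON.stringify(row));
}
```

When the stored link is later rendered with target=_blank, pairing it with rel="noopener" keeps the opened page from reaching back to the opener as well.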