One of the things I really enjoy about doing live events is the entirely random, unexpected things that can occur without any warning. In fact, I’m increasingly structuring my talks to present these opportunities, but this one was entirely unexpected:
When someone whacks XSS in the live question feed whilst you're answering security questions on a panel... pic.twitter.com/paLp7ECXHF
— Troy Hunt (@troyhunt) January 22, 2016
This was whilst answering questions on a panel – a security panel – at ProgramUtvikling’s security day in Oslo last week (they’re the guys who run the NDC conferences around the world). I was sitting up there on the stage with Erlend Oftedal and Einar Otto Stangvik whilst the big screen behind us scrolled through questions asked by the audience using the sli.do app. The questions were being read out by Niall Merrigan until… he stopped in his tracks and I can’t recall whether his reaction was amusement or horror or a mix of the two, but turning around, we all saw the screen adorned with the XSS alert.
All in good humour, we asked the “perpetrator” to come forward and explain his approach. Nicholas Paulik stepped up and explained that he’d simply worked through the OWASP XSS Filter Evasion Cheat Sheet until he identified that the iframe approach like this worked just fine:
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
This is a pretty basic “attack” and of course it could have been much worse (i.e. much less “appropriate”). I frequently show people this video by Brenno de Winter which gives you a more “impactful” insight into what can be done with XSS and the class of website that’s vulnerable to it:
We disclosed the issue to sli.do the weekend after the event and they resolved it overnight. I’ll use sli.do again – it’s a neat service – and frankly, this was one of the highlights of the day!
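The post doesn't say how sli.do fixed the bug, but the standard remediation for a feed that displays audience-submitted text is to HTML-encode that text before it's rendered, so the browser shows the characters instead of interpreting them as markup. The following is an added example (not code from the post, from sli.do, or from the OWASP cheat sheet) that models the question feed as an HTML string: the vulnerable concatenation pattern beside its encoded counterpart, using the iframe payload quoted above as a constructed test input. The function names and the `<li class="question">` markup are assumptions for the demonstration.

```javascript
'use strict';
// Added example: rendering untrusted question text into a feed.
// The feed is modelled as an HTML string so this runs under Node without a DOM.

// The payload shown in the post, used here as a constructed test input.
const IFRAME_PAYLOAD = '<IFRAME SRC="javascript:alert(\'XSS\');"></IFRAME>';

// Vulnerable pattern (hypothetical): the submitted text is concatenated straight
// into the markup, so any tags it contains are parsed by the browser as HTML.
function renderQuestionUnsafe(question) {
  return '<li class="question">' + question + '</li>';
}

// Encode the five characters that matter in HTML text and attribute contexts.
// '&' must be handled first so already-encoded output is not double-encoded
// by the later replacements.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: same markup, but the untrusted text is encoded, so the
// iframe payload is displayed literally instead of creating an <iframe>.
function renderQuestionSafe(question) {
  return '<li class="question">' + escapeHtml(question) + '</li>';
}

// Render a whole feed of questions with the encoding applied to each one.
function renderFeedSafe(questions) {
  return '<ul class="feed">' + questions.map(renderQuestionSafe).join('') + '</ul>';
}

// Crude review check: does the rendered output still contain a live element
// tag of the given name? A real regression test would parse the output with a
// DOM and look for the element, but a tag-start match is enough to show the
// difference between the two renderers.
function containsTag(html, tagName) {
  const re = new RegExp('<' + tagName + '[\\s>]', 'i');
  return re.test(html);
}

// Stand-alone demonstration when run directly.
console.log('unsafe :', renderQuestionUnsafe(IFRAME_PAYLOAD));
console.log('safe   :', renderQuestionSafe(IFRAME_PAYLOAD));
console.log('feed   :', renderFeedSafe(['Is TLS 1.2 enough?', IFRAME_PAYLOAD]));
```

In a real page the equivalent of `renderQuestionSafe` is assigning the submitted text to an element's `textContent` rather than to `innerHTML`; the string version above makes the difference visible outside a browser. Encoding is the right fix when the feed only ever needs to display plain text, which is the case for a question feed; if rich formatting were genuinely required, the alternative would be an allowlist-based sanitiser, which is a larger job than the five replacements shown here.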