XSS’ing the security speaker panel via sli.do

One of the things I really enjoy about doing live events is the entirely random, unexpected things that can occur without any warning. In fact, I’m increasingly structuring my talks to present these opportunities, but this one was entirely unexpected:

This was whilst answering questions on a panel – a security panel – at ProgramUtvikling’s security day in Oslo last week (they’re the guys who run the NDC conferences around the world). I was sitting up there on the stage with Erlend Oftedal and Einar Otto Stangvik whilst the big screen behind us scrolled through questions asked by the audience using the sli.do app. The questions were being read out by Niall Merrigan until… he stopped in his tracks and I can’t recall whether his reaction was amusement or horror or a mix of the two, but turning around, we all saw the screen adorned with the XSS alert.

All in good humour, we asked the “perpetrator” to come forward and explain his approach. Nicholas Paulik stepped up and explained that he’d simply worked through the OWASP XSS Filter Evasion Cheat Sheet until he identified that the iframe approach like this worked just fine:

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

This is a pretty basic “attack” and of course it could have been much worse (i.e. much less “appropriate”). I frequently show people this video by Brenno de Winter which gives you a more “impactful” insight into what can be done with XSS and the class of website that’s vulnerable to it:

We disclosed the issue to sli.do the weekend after the event and they resolved it overnight. I’ll use sli.do again – it’s a neat service – and frankly, this was one of the highlights of the day!

Security XSS
Tweet Post Share Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals