Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

Bypassing Browser Security Policies for Fun and Profit

Black Hat via YouTube

Overview

Explore a comprehensive analysis of mobile browser security vulnerabilities in this Black Hat conference talk. Delve into the world of bypassing core security policies like Same Origin Policy and Content Security Policy in mobile browsers. Discover various security flaws including Address Bar Spoofing, Content Spoofing, Cross Origin CSS Attacks, Charset Inheritance, CSP Bypass, and Mixed Content Bypass found in Android browsers. Learn about the testing methodology used to uncover Android zero-day vulnerabilities and examine real-world examples of security weaknesses in popular Android third-party web browsers and Android WebView. Gain insights into the root causes of these bugs, their exploitation techniques, and potential patches. Conclude with a demonstration of a sample test suite for assessing basic security properties of mobile web browsers.

Syllabus

Intro
Agenda
Testing methodology & References
Introduction Same Origin Policy
SOP Bypasses For Android Browsers
SOP Bypass 1 - CVE 2014-6041 (POC)
SOP Bypass 2 - POC
Google Play's Web Remote Installation Feature
Introduction: Cross Scheme Data Exposure
CSDE Vulnerability Android Stock Browser
Cross Scheme Data Exposure Attack Plan
Android Gingerbread CSDE (POC)
Android Jellybean CSDE (POC)
CSP And Mobile Browsers
Problem with Mobile Browsers And CSP
Android Patch Management issues
How Apple Panch management Works? (Will's Graphs)
How Everything else works
Blackhat Sound Bytes

Taught by

Black Hat

Reviews

Start your review of Bypassing Browser Security Policies for Fun and Profit

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.