WebOS developers work with a large spectrum of web and system languages, including JavaScript, Java, and C++. WebOS is the first mobile platform that primarily uses web languages; however, we believe that they will become more common as platform vendors court the massive web developer community. But, web developers do not understand how the subtleties of how the mobile security model differs from that of the web. For example, WebOS does not enforce the Same Origin Policy (SOP) and some valuable user data is shared. Consequently, minor web application vulnerabilities have a much larger impact on WebOS phones. Almost all WebOS applications run as JavaScript within a WebKit process. However, the same privileges do not apply to all applications. Attackers can use attacks, such as Cross-Site Scripting or buffer overflows, to compromise low-privileged applications and then exploit WebOS unique vulnerabilities classes, such as Card Parameter Injection, to compromise system services and elevate privileges. This presentation will show how to find and exploit these vulnerabilities, a topic which has never been discussed in a public forum. Combined, the presenters published the first WebOS security information and responsibly disclosed over ten WebOS vulnerabilities. Discovering these vulnerabilities required developing innovative security testing techniques. For example, we created a WebOS specific fuzzing agent that uses JavaScript to monitor and detect application failures. We plan on releasing these tools at SOURCE Boston.
Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.
Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.