Security Hole #11 - Unusual security vulnerabilities - Yuriy Bilyk
Published in: Technology, Education

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,107
On Slideshare
0
From Embeds
0
Number of Embeds
11
Actions
Shares
0
Downloads
1
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
Speaker notes
  • Web security as an example of the easiest target to attack
  • Add ZOOM
  • Own experiment
  • Explanation
  • Engine issues
  • How a hash works (the whole hash is calculated from each block, step by step)
  • Padding detail
  • Hacker uses the padding to calculate a new hash
  • Padding + extension
  • Problem is the place of the key in the hash calculation
  • Where it is located

Transcript

    • 1. Unusual security vulnerabilities – Yuriy Bilyk
    • 2. Agenda: RegExp, Cryptography
    • 3. RegExp? It’s simple! (e-mail validation RegExp)
    • 4. Not sure if Chinese or Egyptian
    • 5. Problems: RegExp DoS attacks; issues in RegExp engines
    • 6. RegExp DoS attacks. RegExp: ^(([a-z])+.)+[A-Z]([a-z])+$ Input data: aaaaaaaaaaaaaaaa…aa [chart of matching time against input length: 20 chars 0.003, 30 chars 0.339, 40 chars 41, 45 chars 466]
    • 7. Where is the problem? RegExp: ^(a+)+$ For the input aaaaX there are 16 possible paths in the NFA graph of this pattern, but for aaaaaaaaaaaaaaaaX there are 65536 possible paths. [graph omitted]
    • 8. Broken engine
    • 9. RegExp engine issues: example • OpenID-like auth, but we trust only the local host • EXT HOST sends AUTHENTICATED if OK • We can set the EXT HOST URL • RegExp to check the response: /[^\w]AUTHENTICATED[^\w]*$/
    • 10. OpenID example [diagram: (1) LOCAL sends login:pass to EXTERNAL HOST; (2) EXTERNAL HOST answers AUTHENTICATED]
    • 11. Movie time
    • 12. Double request: http://192.168.22.129/?pingback= -> http://192.168.22.129/?pingback=http://192.168.130 [diagram: (1) to EXTERNAL HOST -> login:pass; (2) !AUTHENTICATED!\n; (3) to LOCAL HOST -> login:pass]
    • 13. RegExp attack (Step 1): http://192.168.130 responded with: !AUTHENTICATED!\n RegExp: body =~ /[^\w]AUTHENTICATED[^\w]*$/ -> PASSED (step 2 of the double request: http://192.168.22.129/?pingback= -> http://192.168.22.129/?pingback=http://192.168.130)
    • 14. RegExp attack (Step 2): http://192.168.22.129/?pingback=http://192.168.130 responded with: blablabla !AUTHENTICATED!\n … blabla\n !AUTHENTICATED!\n (step 3: TO LOCAL HOST -> login:pass) RegExp: body =~ /[^\w]AUTHENTICATED[^\w]*$/ -> PASSED AGAIN
    • 15. RegExp attack (Final step) [Problem is]: body =~ /[^\w]AUTHENTICATED[^\w]*$/ • A normal RegExp engine stops after the first line ($ – EOL): blablabla !AUTHENTICATED!\n … blabla • The Ruby interpreter treats $ as just an EOL character, but keeps scanning the next lines in the “file”: http://192.168.22.129/?pingback=http://192.168.130 responded with: blablabla !AUTHENTICATED!\n … blabla\n !AUTHENTICATED!\n
    • 16. How to mitigate • ReDoS static analysis – RXXR – http://www.cs.bham.ac.uk/~hxt/research/rxxr.shtml • Engine issues – know the features of your platform/language
    • 17. Cryptography: in God we trust, the rest we test
    • 18. Cryptography is cool. Bitcoin – distributed cryptocurrency. Kryptos – encrypted sculpture, one of the most famous unsolved codes in the world. Crypto is widely used: wireless (WiFi, GSM, RFID, etc.), banking, games (Xbox, PS3, etc.), e-mail anti-spam (DKIM)
    • 19. I changed all my passwords to "incorrect", so whenever I forget, it will tell me "Your password is incorrect." Some ideas need an audit.
    • 20. Wrong usage is bad: using hash algorithms as crypto, and weak or custom implementations of crypto algorithms; neutralizing all the advantages of crypto for user comfort; the belief that crypto will secure you by itself; low understanding of why you need crypto
    • 21. SHA length extension example • Users can send points to other users • All URL options/values are signed with a secret key • All transactions are visible to everyone
    • 22. SHA: message signing (MAC) http://...?to_user=guest&points=200|sign:675fsdg87gs3vh [diagram: KEY + MSG split into Block 1, Block 2 … Block N -> HASH]
    • 23. SHA padding: theory (Hash BOX) [diagram: KEY | MESSAGE | padding = just 1 bit, NULL bytes, MESSAGE+KEY length]
    • 24. SHA: length extension attack http://...?to_user=guest&points=200&<PADDING>to_user=hacker|sign:f97h23n483a2ce [diagram: KEY + MSG blocks 1 … N, then PADDING + DATA -> HASH]
    • 25. SHA padding: theory (attack) [diagram: BOX 1 = KEY | original MSG | NULL bytes padding | MESSAGE length; BOX 2 = extended part]
    • 26. Where is the problem? HASH(KEY+MSG) is BAD – extension attack is possible. HASH(MSG+KEY) is GOOD – extension attack is impossible
    • 27. Order is important
    • 28. How to mitigate • Use HMAC for signing • Use SHA-256 etc. • Don’t create your own crypto (unless you are a genius in mathematics, and even then, don’t do it!)
    • 29. Cryptography is a kind of art
    • 30. Review • RegExp is a powerful tool: – even for DoS – some engines don’t work as expected • Cryptography isn’t safe by itself: – use industry standards – understand how crypto works – make sure that your implementation/improvement isn’t broken
    • 31. Questions?
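The check from slide 9 and the Ruby `$` behaviour explained on slide 15, reproduced as an added Ruby example (not the presenter's code); the response bodies are constructed samples and the two fixed patterns are my suggestions, not from the slides:

```ruby
# Check exactly as written on slide 9. In Ruby `$` matches at the end of
# EVERY line, so this accepts any body that has the token on some line.
def weak_check(body)
  body.match?(/[^\w]AUTHENTICATED[^\w]*$/)
end

# Fix 1: `\z` anchors to the end of the whole string, so nothing may follow
# the token; this closes the multi-line hole shown on slides 14 and 15.
def end_anchored_check(body)
  body.match?(/[^\w]AUTHENTICATED[^\w]*\z/)
end

# Fix 2 (stricter, my suggestion): the response must be exactly the token.
def exact_check(body)
  body.match?(/\A!AUTHENTICATED!\n?\z/)
end

# Constructed response bodies modelled on slides 12 to 15.
GENUINE   = "!AUTHENTICATED!\n"                         # what the real host sends
MULTILINE = "blablabla !AUTHENTICATED!\n...\nblabla\n"  # token on a middle line
TRAILING  = "login failed\nblabla !AUTHENTICATED!\n"    # token only on the last line

# Verdict of each check for one body, in the order weak / end-anchored / exact.
def verdicts(body)
  [weak_check(body), end_anchored_check(body), exact_check(body)]
end

if __FILE__ == $PROGRAM_NAME
  { genuine: GENUINE, multiline: MULTILINE, trailing: TRAILING }.each do |name, body|
    puts format("%-9s weak=%-5s end_anchored=%-5s exact=%s", name, *verdicts(body))
  end
end
```

The weak check passes all three bodies; only the exact match rejects a body that merely ends with the token.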
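The URL signing scheme of slides 21 to 28 and the padding layout of slide 23, as an added Ruby example that is not the presenter's code; SECRET_KEY, the ct_equal helper and the verify function are assumptions made for the demonstration:

```ruby
require "digest"
require "openssl"

# Constructed demo key; the real key from the slides is of course not on the page.
SECRET_KEY = "constructed-demo-key"

# Slide 22 scheme: sign = SHA256(KEY || MSG). The digest is the hash's whole
# internal state after the last block, which is what the slide 24 extension uses.
def weak_sign(query)
  Digest::SHA256.hexdigest(SECRET_KEY + query)
end

# Slide 28 fix: HMAC-SHA256 keys both the inner and the outer hash, so the tag
# is not an intermediate state that can be continued with more blocks.
def hmac_sign(query)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), SECRET_KEY, query)
end

# Constant-time comparison so verification does not leak the tag byte by byte.
def ct_equal(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a "query|sign:tag" string (the slide 22 URL format) under one scheme.
def verify(signed, scheme: :hmac)
  query, tag = signed.split("|sign:", 2)
  return false if tag.nil?
  ct_equal(tag, scheme == :hmac ? hmac_sign(query) : weak_sign(query))
end

# Slide 23 "Hash BOX": the padding SHA-256 appends to a msg_len-byte message:
# one 0x80 byte (the "just 1 bit"), NULL bytes, then the message length in bits
# as a 64-bit big-endian integer, so the total is a multiple of the 64-byte block.
def sha256_padding(msg_len)
  zeros = (55 - msg_len) % 64
  "\x80".b + ("\x00".b * zeros) + [msg_len * 8].pack("Q>")
end

if __FILE__ == $PROGRAM_NAME
  q = "to_user=guest&points=200"
  signed = "#{q}|sign:#{hmac_sign(q)}"
  puts signed
  puts verify(signed)                        # genuine request
  puts verify(signed.sub("guest", "hacker")) # tampered request fails
  puts sha256_padding((SECRET_KEY + q).bytesize).bytesize
end
```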
