0
Vulnerabilities and Exploitation
APPLICATION SECURITY SCI-FI HIPSTER EDITION!
peter magnusson
twitter: @blaufish_
omegapoi...
DEFENDER
Imperial Death Star
(legacy application)
ATTACKERS
X-Wing squad
(hackers, agile)
VULNERABILITY
Reactor core
(document.write, s
printf, eval)
ATTACK VECTOR
Exhaust port / shaft
(code paths etc.
connecting input to
vulnerability )
EXPLOIT
Torpedo fitting into
exhaust port
Reach and gain
control over
vulnerability,
?id=%27%20SQL
EXPLOIT PAYLOAD
Exploding proton warhead
(metasploit meterpreter,
connect back shells, sqli
downloading database,
etc)
Improving the
Imperial Death Star
ATTACK SURFACE
REDUCTION
Disable by default
Close unused port
Force-field
(firewall)
FIX
VULNERABILITY
Exploding core ->
safe non-exploding
core
(sprintf -> snprintf)
DON’T JUST FIX
ONE ATTACK
VECTOR
Often multiple
paths to same
vulnernability
EXPLOIT
MITIGATION
ASLR: Randomize
location of
vulnerability
FIN
Questions?
Vulnerabilities and Exploitation - Application Security Sci-Fi Hipster Edition
Vulnerabilities and Exploitation - Application Security Sci-Fi Hipster Edition
Vulnerabilities and Exploitation - Application Security Sci-Fi Hipster Edition
Vulnerabilities and Exploitation - Application Security Sci-Fi Hipster Edition
Vulnerabilities and Exploitation - Application Security Sci-Fi Hipster Edition
Vulnerabilities and Exploitation - Application Security Sci-Fi Hipster Edition
Upcoming SlideShare
Loading in...5
×

Vulnerabilities and Exploitation - Application Security Sci-Fi Hipster Edition

195

Published on

Explaining vulnerabilities, exploits, attack vectors, attack surface reduction, aslr etc to someone who understands The Imperial Deathstar.

Presented at Opkoko 2013.1. Live presentation recording in Swedish here: http://www.youtube.com/watch?v=Xi9SRFENiO4

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
195
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
4
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Vulnerabilities and Exploitation - Application Security Sci-Fi Hipster Edition"

  1. 1. Vulnerabilities and Exploitation APPLICATION SECURITY SCI-FI HIPSTER EDITION! peter magnusson twitter: @blaufish_ omegapoint.se sakerhetspodcasten.se
  2. 2. DEFENDER Imperial Death Star (legacy application)
  3. 3. ATTACKERS X-Wing squad (hackers, agile)
  4. 4. VULNERABILITY Reactor core (document.write, s printf, eval)
  5. 5. ATTACK VECTOR Exhaust port / shaft (code paths etc. connecting input to vulnerability )
  6. 6. EXPLOIT Torpedo fitting into exhaust port Reach and gain control over vulnerability, ?id=%27%20SQL
  7. 7. EXPLOIT PAYLOAD Exploding proton warhead (metasploit meterpreter, connect back shells, sqli downloading database, etc)
  8. 8. Improving the Imperial Death Star
  9. 9. ATTACK SURFACE REDUCTION Disable by default Close unused port Force-field (firewall)
  10. 10. FIX VULNERABILITY Exploding core -> safe non-exploding core (sprintf -> snprintf)
  11. 11. DON’T JUST FIX ONE ATTACK VECTOR Often multiple paths to same vulnernability
  12. 12. EXPLOIT MITIGATION ASLR: Randomize location of vulnerability
  13. 13. FIN Questions?
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×