Heartbleed and information insecurity
QA Night Recife
Guilherme Motta, @gfcmotta
about @gfcmotta
gfcmotta@gmail.com
WTFWTF
HTTP protocol
Request:
GET /index.html HTTP/1.1     (GET: HTTP method, /index.html: URI, 1.1: version)
Host: www.example.com        (header fields, name: value)
HTTP protocol
Response:
HTTP/1.1 200 OK              (HTTP/1.1: protocol and version, 200: status, OK: message)
Date: Mon, 23 May 2005 22:38:34 GMT          (header fields, name: value)
Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux)
Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
ETag: "3f80f-1b6-3e1cb03b"
Content-Type: text/html; charset=UTF-8
Content-Length: 131
Accept-Ranges: bytes
Connection: close

<html>                       (message body)
<head>
<title>An Example Page</title>
</head>
<body>
Hello World, this is a very simple HTML document.
</body>
</html>
HTTP protocol
cleartext
easy to read :))))
HTTPS protocol
S for "secure"
TLS/SSL
HTTPS protocol
S for "secure"
<cryptography>
SSL/TLS
HTTPS protocol
SSL/TLS
-> OpenSSL
HTTPS protocol
-> OpenSSL
everyone uses it!
SSL/TLS
Heartbeat
Heartbleed
In 2011, one of the RFC's authors, Robin Seggelmann, then a Ph.D. student at the University of Duisburg-Essen, implemented the Heartbeat Extension for OpenSSL. Following Seggelmann's request to put the result of his work into OpenSSL,[19][20][21] his change was reviewed by Stephen N. Henson, one of OpenSSL's four core developers. Henson apparently failed to notice a bug in Seggelmann's implementation,[22] and introduced the flawed code into OpenSSL's source code repository on December 31, 2011. The vulnerable code was adopted into widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012. Heartbeat support was enabled by default, causing affected versions to be vulnerable by default.[23][24][25]
Look at code examples
Methodologies!!!
OWASP
OSSTMM
ISSAF
IBM*
NIST 800.42
...
Look at code examples
http://en.wikipedia.org/wiki/Taint_checking
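The bug the Heartbleed slides refer to, as an added example in C that is not from the slides or from OpenSSL: a simulated handler for an RFC 6520 heartbeat record, where the unchecked version copies as many bytes as the peer's length field claims and the checked version adds the one comparison against the received record length that the OpenSSL 1.0.1g fix introduced. The function names, the byte layout in memory and the "secret" data placed after the record are all constructed for this illustration; the peer-supplied length is exactly the kind of tainted value the taint-checking link above is about.

```c
#include <stdint.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): 1 byte type (1 = request, 2 = response),
 * 2 bytes payload_length (big-endian), payload_length bytes of payload that the
 * peer echoes back, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

static size_t hb_payload_length(const uint8_t *record)
{
    return ((size_t)record[1] << 8) | record[2];
}

/* Write the echo: type, the two length bytes, payload_len bytes copied from the
 * request, then padding (zeros here, random in TLS). Returns the size or -1. */
static int hb_write_response(const uint8_t *record, size_t payload_len,
                             uint8_t *out, size_t out_cap)
{
    if (3 + payload_len + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = record[1];
    out[2] = record[2];
    memcpy(out + 3, record + 3, payload_len);   /* copies payload_len bytes, whatever they are */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)(3 + payload_len + HB_PADDING);
}

/* Flawed handler, in the shape of the pre-fix code: payload_length is taken from
 * the peer and never compared with record_len, the number of bytes that actually
 * arrived, so the memcpy above reads whatever follows the record in memory. */
int heartbeat_reply_unchecked(const uint8_t *record, size_t record_len,
                              uint8_t *out, size_t out_cap)
{
    (void)record_len;                           /* the bug: never consulted */
    if (record[0] != HB_REQUEST) return -1;
    return hb_write_response(record, hb_payload_length(record), out, out_cap);
}

/* Fixed handler: a request whose claimed length does not fit in the bytes that
 * were received is silently discarded, as RFC 6520 requires (the 1.0.1g fix). */
int heartbeat_reply_checked(const uint8_t *record, size_t record_len,
                            uint8_t *out, size_t out_cap)
{
    if (record_len < 1 + 2 + HB_PADDING) return -1;       /* no room for header + padding */
    if (record[0] != HB_REQUEST) return -1;
    size_t payload_len = hb_payload_length(record);
    if (1 + 2 + payload_len + HB_PADDING > record_len) return -1;   /* the missing check */
    return hb_write_response(record, payload_len, out, out_cap);
}

/* Constructed scenario: a 24-byte record carrying the 5-byte payload "hello",
 * followed in memory by unrelated secret data, as on a busy heap. */
enum { MEM_SIZE = 64, REAL_PAYLOAD = 5, RECORD_LEN = 3 + REAL_PAYLOAD + HB_PADDING };
static const char SECRET[] = "SECRET-SESSION-COOKIE=abc123";   /* constructed sample */

static void build_memory(uint8_t *mem, uint16_t claimed_len)
{
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(mem + 3, "hello", REAL_PAYLOAD);
    memset(mem + 3 + REAL_PAYLOAD, 0xAA, HB_PADDING);
    memcpy(mem + RECORD_LEN, SECRET, sizeof SECRET - 1);
}

/* Bytes of SECRET that the unchecked handler copies into its reply when the request
 * claims 40 payload bytes but only 5 were sent: 19. Returns -1 if the handler
 * refused, -2 if the over-read bytes are not SECRET's prefix. */
int unchecked_leak_bytes(void)
{
    uint8_t mem[MEM_SIZE], out[128];
    build_memory(mem, 40);
    int n = heartbeat_reply_unchecked(mem, RECORD_LEN, out, sizeof out);
    if (n < 0) return -1;
    size_t present = RECORD_LEN - 3;    /* 21 bytes really followed the header */
    size_t overread = 40 - present;     /* 19 bytes came from beyond the record */
    if (memcmp(out + 3 + present, SECRET, overread) != 0) return -2;
    return (int)overread;
}

/* The fixed handler on the same record with a given claimed length:
 * -1 for the oversized claim of 40, a 24-byte reply for the honest claim of 5. */
int checked_result(uint16_t claimed_len)
{
    uint8_t mem[MEM_SIZE], out[128];
    build_memory(mem, claimed_len);
    return heartbeat_reply_checked(mem, RECORD_LEN, out, sizeof out);
}
```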
not so live demo
Hacking DVWA
- XSS (last 2 minutes of the video)
http://www.youtube.com/watch?v=-H1qjiwQldw
- SQL Injection
http://www.youtube.com/watch?v=7NCpvG7nYb
- remote command execution
http://www.youtube.com/watch?v=6hnCGsS-V0Y
- Cookie hijacking
http://www.youtube.com/watch?v=qB9c01R3aQU
- CSRF (Cross-Site Request Forgery)
http://www.youtube.com/watch?v=2Y7IywV1YBQ
Links
www.dvwa.co.uk/
www.backtrack-linux.org
http://www.kali.org/
http://portswigger.net/burp/
http://www.wireshark.org/
http://wpepro.net/
http://cheatengine.org/
