Insecurities 2.0

Session given at the BarCamp in Hamburg (06/09/07)


Presentation Transcript

  • Insecurities 2.0
      • Martin Johns, University of Hamburg (Universität Hamburg), Fachbereich Informatik, SVS – Sicherheit in Verteilten Systemen
      • BarCamp Hamburg, 09.06.2007
  • A short survey
      • Who in this room is familiar with Cross-Site Scripting (XSS)? Cross-Site Request Forgery / Session Riding (XSRF)? (SQL injection, path traversal, remote command injection)?
      • Web Security 1.0: attacking the server (SQL injection, buffer overflow); attacking the browser (buffer overflow)
      • Web Security 2.0: attacking the application on the client side
      • © Martin Johns, UHH, FB Inf, SVS
  • Insecurities 2.0 (technological): What’s new, pussycat?
      • AJAX: badly integrated in existing authentication frameworks; breaks automatic solutions
      • JSON: hmmm, let’s use executable code for data transport... does this sound like a good idea?
      • Web APIs and mashable applications (e.g. Yahoo Pipes, Google Translate, ...): provide malware with further cross-domain capabilities
      • Flash: breaking CSRF protection with crossdomain.xml
      • Web browsers: new capabilities of recent JavaScript implementations
  • Insecurities 2.0 (social)
      • “Social sites”: user-provided content, highly interactive, interwoven communities; an excellent breeding ground for self-replicating XSS
      • Self-hosting: setting up WordPress yourself is quite easy nowadays; blogworms, anyone?
  • Web 2.0 == client-side attacks are fun again
      • Traditional applications move to the web: finally interesting data via XSS / CSRF
      • Mighty, mighty web browser: Turing-complete programming language; rich network capabilities (XMLHttpRequest, Flash, Java sockets)
      • Malware leaves no traces; who needs botnets anymore?
  • Example 1: Breaking applications (CSRF)
      • Vulnerable: the site’s frontpage is determined by the number of “diggs” a certain story gets
      • Using CSRF, a web page was able to cause the victim’s browser to “digg” an arbitrary URL
      • The demo page “digged” itself
  • Example 2: Samy is my hero (XSS)
      • The first large-scale XSS worm; exploited a stored XSS problem in MySpace
      • Every user that visited an infected profile involuntarily added the worm to his profile
      • Exponential growth: over 1,000,000 profiles infected in 24 hours
      • The worm made heavy use of the XMLHttpRequest object
  • Example 3: GMail address-book disclosure
      • Address-book data is communicated in JSON: [["ct","YourName","foo@gmail.com"], ["ct","AnotherName","bar@gmail.com"]]
      • But this URL’s content can also be accessed via script injection: <script src="">
      • By overwriting the global array constructor this data could be read cross-domain
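The slide's point is that a JSON response shaped as a bare array literal is a complete JavaScript program, so any site can pull it in with a script tag. The following is an added example (not code from the talk or from GMail) that checks a response body for exactly that property and shows one hardening: an unparseable prefix that the legitimate same-origin client strips before parsing. The address-book sample is constructed.

```javascript
// Constructed sample in the shape the slide shows (not real GMail data).
const ADDRESS_BOOK = [
  ["ct", "YourName", "foo@example.com"],
  ["ct", "AnotherName", "bar@example.com"],
];

// A body the JS parser accepts as a whole program can be loaded cross-domain
// with <script src=...>. A bare array literal is exactly that case; an object
// literal at top level is parsed as a block and fails (except the empty one).
function isValidScript(body) {
  try {
    new Function(body); // parses the body only, never executes it
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Hardening: prepend a token that is a syntax error at program start.
// An XMLHttpRequest client on the same origin strips it; a script tag
// on another origin gets a parse error and no data.
const ANTI_HIJACK_PREFIX = ")]}',\n";

function hardenedJson(data) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(data);
}

function parseHardenedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response is missing the anti-hijack prefix");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

function demo() {
  const naive = JSON.stringify(ADDRESS_BOOK);
  const hardened = hardenedJson(ADDRESS_BOOK);
  console.log("bare array parses as a script:", isValidScript(naive));        // true
  console.log("hardened body parses as a script:", isValidScript(hardened));  // false
  console.log("client still reads entries:", parseHardenedJson(hardened).length); // 2
}

demo();
```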