Blended Threat Concept in Web Applications - DefCamp 2012

“Blended Threat” Concept in web applications

Bogdan Sergiu Dragos
a.k.a. Domnul.Do


Student at Drăgan European University in Lugoj
Legal Disclaimer

This is only a proof of concept, for demonstration purposes only.
“Blended Threat Concept”

• It has no clear definition because it is more a concept than an attack.

• But we have the following definitions from different sites:
Blended Threat Concept
• Definition from Wikipedia:

“A blended threat is a software vulnerability which in turn involves a combination of attacks against different vulnerabilities. For example, many worms, a trojan horse and a computer virus exploit multiple techniques to attack and propagate. It is a kind of computer threat.”

Link: http://en.wikipedia.org/wiki/Blended_threat
Blended Threat Concept
• Definition from TrendMicro:

“(…) A blended threat refers to a single threat that attacks via multiple vectors (e.g., a worm gains entry via email and then leverages back-door vulnerabilities for further infection and destruction).”

Link: http://apac.trendmicro.com/apac/threats/enterprise/threats-summary/blended-threats/
Blended Threat Concept
• My own definition:

“A Blended Threat is an unbounded attack vector that needs two or more different, mutually dependent attacks in order to manipulate the usual application logic.”
History of Blended Threats

• The person who introduced this kind of method was Billy (BK) Rios

• In his presentation: “Will it Blend”

• With this P.o.C:
  Blended Threat from Combined Attack Using Apple’s
The P.o.C
My Proof of Concept is:

• In a Yahoo! service called YQL
• Based on CSRF and one user interaction

In this presentation I will show a method to execute YQL commands without the console, more exactly:
• To change the status in the Yahoo! Profile
YQL = Yahoo Query Language
What is YQL
YQL is:
• A SQL-like language
• A cloud service
• We can create APIs or use other APIs and manipulate the results in the “cloud”
• We can issue authenticated YQL commands against Yahoo! Inbox or Yahoo! Profile
YQL - Open Data Tables

• It is a way to connect to a remote web API (endpoint) and describe what to do with the data that comes back

• How it looks:
YQL - Open Data Table Example
YQL – Use verb
• We can use simple server-side JavaScript in the <execute> element of the table XML; here is an example:

• To call the endpoint we chain methods on the request object (the Authorization value is elided on the slide):
               request.accept('application/json')
                      .header('Authorization', '…')
                      .query('searchterm', 'foo').get()

• response.object carries the final result back to the user:
               response.object = data
YQL – JS API
• Some key features, what it can do:
 - use external JS files
 - convert between XML and JSON
 - run other YQL queries inside the same YQL query
How it looks in the console

Link: http://developer.yahoo.com/yql/console/#h=update%20social.profile.status%20set%20status%3D%22EasterEgg%22%20where%20guid%3Dme
How it looks at the request level
• First, the console reads the crumb (Yahoo! token)
• Second, the console sends the YQL command together with the crumb to the “cloud”
First Step: Read the crumb

Note: The crumb is generated no matter whether the user is logged in
Second step: Sending the data
The P.o.C
• I have the “location” of the crumb
• I know where to send the data, but how to convince the user to give us the crumb?!

• It is simple …
Meanwhile …
• Why do dogs (and other animals) eat poop?

“Herbivores such as rabbits eat their own poop because their diet of plants is hard to digest efficiently, and they have to make two passes at it to get everything out of the meal.”
The P.o.C

This is another version of the attack named “Fake Captcha” by Kotowicz
The source of the P.o.C
How to gather the status
We can confirm by using the YQL command:

Link: http://developer.yahoo.com/yql/console/#h=select%20message%20from%20social.profile.status%20where%20guid%3Dme
My recommendation is:

It is enough to add the response header:
        X-FRAME-OPTIONS
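To check that this recommendation was actually applied to a response, here is an added example (my code, not from the slides) that classifies a response's framing protection the way a browser does, with CSP frame-ancestors taking precedence over X-Frame-Options, and returns the header pair a defender should send. The function names, the constructed header sets and the `--serve` flag are my own.

```javascript
'use strict';
// Added example, not from the original slides: audit and apply anti-framing headers.

// Lower-case header names and join duplicates with ", " (Node's own convention),
// so both raw server output and hand-written header objects can be classified.
function normalizeHeaders(raw) {
  const out = {};
  for (const [k, v] of Object.entries(raw)) {
    const key = k.toLowerCase();
    out[key] = key in out ? `${out[key]}, ${v}` : String(v);
  }
  return out;
}

// Returns { policy: 'blocked' | 'same-origin' | 'allowlist' | 'none',
//           source: 'csp' | 'xfo' | null, allowed: [...] }
function framingPolicy(rawHeaders) {
  const headers = normalizeHeaders(rawHeaders);
  const csp = headers['content-security-policy'];
  if (csp) {
    // A frame-ancestors directive, when present, overrides X-Frame-Options.
    for (const directive of csp.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name && name.toLowerCase() === 'frame-ancestors') {
        const src = sources.map((s) => s.toLowerCase());
        if (src.length === 0 || src.includes("'none'")) {
          return { policy: 'blocked', source: 'csp', allowed: [] };
        }
        if (src.length === 1 && src[0] === "'self'") {
          return { policy: 'same-origin', source: 'csp', allowed: [] };
        }
        return { policy: 'allowlist', source: 'csp', allowed: src };
      }
    }
  }
  const xfo = headers['x-frame-options'];
  if (xfo) {
    // Per the HTML spec, several distinct X-Frame-Options values block framing.
    const values = [...new Set(xfo.split(',').map((v) => v.trim().toUpperCase()))];
    if (values.length > 1 || values[0] === 'DENY') {
      return { policy: 'blocked', source: 'xfo', allowed: [] };
    }
    if (values[0] === 'SAMEORIGIN') {
      return { policy: 'same-origin', source: 'xfo', allowed: [] };
    }
    // ALLOWALL, ALLOW-FROM and misspellings are ignored by browsers: no protection.
  }
  return { policy: 'none', source: null, allowed: [] };
}

// Headers for a page that must never be framed. Both are sent because
// older browsers only understand X-Frame-Options.
function hardenedHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Demo server, started only with `node this_file.js --serve` (my own flag).
if (process.argv.includes('--serve')) {
  const http = require('http');
  http.createServer((req, res) => {
    res.writeHead(200, { 'Content-Type': 'text/html', ...hardenedHeaders() });
    res.end('<p>status page: not frameable</p>');
  }).listen(8080, () => console.log('listening on http://127.0.0.1:8080'));
}
```

The header closes only the framing (fake CAPTCHA) step of the chain; the CSRF step is still open as long as the crumb is issued regardless of whether the user is logged in, as the earlier slide notes.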
Credits
• Billy (BK) Rios
• Kotowicz

• Drăgan European University, Lugoj, Timiș

• Dan Kaminsky, who in 2008 “own-ed” the internet. His work must not be forgotten!
Want to ask something?