How We Hacked LinkedIn and What Happened Next | JFall 2016
•Download as PPTX, PDF•
3 likes•430 views
Blog: https://bitsensor.io/blog/jfall-2016-in-depth-secure-coding-patterns We're going deep into XSS attacks with actual examples from LinkedIn, eBay and IndieGoGo. Starting with an attack that uses CSS selectors to fool users, then going into building XSS with interactions, such as local portscans, using BeEF. After showing why XSS is dangerous, I'm suggesting that we should take our coding paradigms such as Unit Testing, Integration Testing, Design Patterns, Clean Code, Logging and Paging, and apply that to security vulnerabilities. We finish with a maturity level in our security where we don't even have to get up at night when we're paged, we've just automated the response and mitigated the risk using HAProxy and isolated the attacker to a sandboxed version of our container. We will do this by only using opensource components on the Vamp platform, with ElastAlert and the opensource BitSensor plugin.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to How We Hacked LinkedIn and What Happened Next | JFall 2016
Similar to How We Hacked LinkedIn and What Happened Next | JFall 2016 (20)
Recently uploaded
Recently uploaded (20)
How We Hacked LinkedIn and What Happened Next | JFall 2016
- 1. How we hacked and how you can be safe Ruben van Vreeland How we hacked and whathappened next
- 2. Code Patterns for Security blogpost available at: https://bitsensor.io/blog/jfall-2016-in-depth-secure-coding-patterns
- 3. Fixed
- 4. Fixed
- 7. WTF? XSS! Eehm, whats the deal? Hunting bugs: case study How to not become the next casestudy Security equivalents for - tests - code patterns - clean code - logging - self healing
- 13. Comand & Control BROWSER WEBPAGE XSSBootstrap PayloadWEBPAGE User Data Firewalled Network Change Data Passwords
- 20. <a href=“ javascript:payload ” style=“ width:100%; height: 100%; position: fixed; left: 0px; top: 0px; background: rgba(255, 0, 0, 0.5); ” ></a> http://output.jsbin.com/cipozanute/1/ BEEF HOOK Test mode Window position Set position type Set size
- 23. <a href=“ javascript:payload ” style=“ width:100%; height: 100%; left: 0px; top: 0px; position: fixed; background: rgba(255, 0, 0, 0.5); ” ></a>
- 25. <head> <!-- Bootstrap core CSS --> <link href="http://getbootstrap.com/dist/css/bootstrap.min.css" rel="stylesheet"> </head>
- 27. 3663 .dropdown-backdrop { 3664 position: fixed; 3665 top: 0; 3666 right: 0; 3667 bottom: 0; 3668 left: 0; 3669 z-index: 990; 3670 } bootstrap.css
- 28. 4299 .navbar-fixed-top, 4300 .navbar-fixed-bottom { 4301 position: fixed; 4302 right: 0; 4303 left: 0; 4304 z-index: 1030; 4305 } bootstrap.css
- 29. <a href=“ javascript:payload ” width=“100%” height=“100%” class=“dropdown-backdrop navbar-fixed-top”> </a> http://output.jsbin.com/zoqipeloca/1/ BEEF HOOK Capture window Set position Set full window Set full window Z-index
- 32. iframe
- 36. javascript link whitelisted iframe 100% covering iframe iframe cross domain iframe open redirect 100% covering link 100% covering image covering image & link
- 37. image link
- 38. Fixed
- 43. Fixed
- 50. 1 javascript link 5 whitelisted iframe 10 100% covering iframe 11 iframe cross domain 14 iframe open redirect 20 100% covering link 23 100% covering image 25 covering image & link attempts
- 51. <img src=“/uploads/mycatpicture.png ” /> <img src=“” “” /> <img src=“” /> <a “” /> <img src=“” /><script>alert(1)</script><a “” />
- 52. <img src=“/favicon.png ” /> <img src=“/favicon.png” “” /> <img src=“/favicon.png” onload=“ “” /> <img src=“/favicon.png” onload=“alert(1) “” />
- 53. <a href=“http://twitter.com/@EnableBitSensor”/> <a href=“ ”/> <a href=“javascript: alert(1) ”/> <a href=“javascript:// alert(1) ”/> <a href=“javascript://%0Aalert(1) ”/>
- 54. <script> var user = ruben ;</script> <script> var user = ruben; alert(1) ;</script>
- 55. <div style=“width: 10px ;”/> <div style=“width: expression(alert(1)) ;”/>
- 62. ELK / Elastic stack exceptions ids/ips (modsecurity) Logging
- 66. +31 (0)6 122 10 587 ruben@bitsensor.io 0x4D4ED75AD9BB92F8
- 67. “Please rate my talk in the unhacked J-Fall app”
Editor's Notes
- IndieGogo is a very open company, allows me to teach about security vulnerabilities Here we see the indiegogo password form on secure connection, that sends credentials to my webserver. What happened??? How did this work???
- What type of attack is this?
- Basic XSS examples Demo with Alert Demo with BEEF (Browser Exploitation Framework) Quick how does it work from high level. We’re developers right ;) Now we have seen dangers of XSS and know why and how it works First step in fundation
- How do we trigger it in practice?
- Improve previous demo! Now we have a button that spawns the whole page
- Improve previous demo! Now we have a button that spawns the whole page
- Easy to understand with the foundation of previous knowledge More interesting: what did I try that did not succeed?