Questions: #RSA13R33

Exploit Kits
► Easy installation & management, sold as a product / service
► Reliable exploits
► Evasion techniques
► Maintained & updated
► Not free, but good ROI for the buyer
PHP – What? Why?
► Most exploit-kit control panels (and other attacker-run web back ends) are written in PHP
► Free
► Easy installation & maintenance
► But, like any other language…
► Code has to be written correctly
► No out-of-the-box security wrappers: input handling, escaping and session state are the author's problem
“It’s Not a Bug - It’s a Feature”
► register_globals imports every GET/POST/COOKIE parameter as a PHP variable; magic_quotes_gpc (“GPC”) silently backslash-escapes quotes in that same input
► PHP 5.2: both settings still supported; panels written in this era often assume both are On
► PHP 5.3: both deprecated (E_DEPRECATED when enabled; the shipped php.ini-production / php.ini-development set them Off)
► PHP 5.4+: both removed (always Off)
► Code that relied on either “feature” keeps running on a newer PHP, but the protection it assumed is gone
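What the two settings change in practice, as an added illustration that is not code from the slides or from any exploit kit: a login check written the way many PHP 5.2-era panels were, which only stays safe while register_globals and magic_quotes_gpc are both On. The `users` table, the `hunter2` password, the `authorized` flag name and the helper names are hypothetical; `extract()` is used to reproduce the effect of register_globals on a modern interpreter. Requires php-cli with the pdo_sqlite extension.

```php
<?php
// Added illustration (not from the slides or any kit). Hypothetical names:
// users table, admin/hunter2 credentials, $authorized flag.

function make_db(): PDO
{
    // Constructed in-memory table standing in for a panel's user store.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)");
    $db->exec("INSERT INTO users (user, pass) VALUES ('admin', '" . md5('hunter2') . "')");
    return $db;
}

// ---- 1. register_globals: an uninitialised flag set from the request ------
// With register_globals=On every request key becomes a PHP variable, so
//   GET /admin.php?authorized=1
// pre-populates $authorized and the credential check below never runs.
// extract() reproduces that behaviour so the bug is visible on current PHP.
function legacy_is_authorized(array $request): bool
{
    extract($request, EXTR_OVERWRITE);          // stands in for register_globals=On
    if (isset($user, $pass) && $user === 'admin' && $pass === 'hunter2') {
        $authorized = true;
    }
    return !empty($authorized);                 // attacker-controlled if we never set it
}

// ---- 2. magic_quotes_gpc: SQL assembled by string concatenation -----------
// This only worked because PHP used to backslash every quote in GET/POST/COOKIE.
// Run it with magic quotes Off (5.3 shipped ini) or on 5.4+ (feature removed)
// and the same code is a textbook SQL injection.
function legacy_lookup(PDO $db, string $user, string $pass): ?int
{
    $sql = "SELECT id FROM users WHERE user='$user' AND pass='" . md5($pass) . "'";
    $id = $db->query($sql)->fetchColumn();
    return $id === false ? null : (int) $id;
}

// ---- Hardened versions ----------------------------------------------------
function hardened_is_authorized(array $post): bool
{
    $authorized = false;                        // always initialise state
    $user = (string) ($post['user'] ?? '');     // read input explicitly, never from globals
    $pass = (string) ($post['pass'] ?? '');
    static $hash = null;                        // demo stand-in for a stored bcrypt hash
    $hash = $hash ?? password_hash('hunter2', PASSWORD_DEFAULT);
    if (hash_equals('admin', $user) && password_verify($pass, $hash)) {
        $authorized = true;
    }
    return $authorized;
}

function hardened_lookup(PDO $db, string $user, string $pass): ?int
{
    // Parameterised query: quoting is the driver's job, not an ini setting's.
    $stmt = $db->prepare('SELECT id FROM users WHERE user = ? AND pass = ?');
    $stmt->execute([$user, md5($pass)]);        // md5 only to match the demo table
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// ---- Demo -----------------------------------------------------------------
$db = make_db();

// Attacker supplies no credentials at all, only the name of the flag.
var_dump(legacy_is_authorized(['authorized' => '1']));     // legacy check is bypassed
var_dump(hardened_is_authorized(['authorized' => '1']));   // hardened check rejects

// Quote-and-comment payload; "--" starts an SQL comment in SQLite.
var_dump(legacy_lookup($db, "admin'--", 'wrong'));         // legacy query returns admin's id
var_dump(hardened_lookup($db, "admin'--", 'wrong'));       // hardened query finds no row
```

The hardened lookup keeps `md5()` only so that it can query the same constructed table as the legacy one; real code stores `password_hash()` output and verifies with `password_verify()`, as the hardened flag check does. The lesson of the slide is the first pair: nothing in the vulnerable code looks wrong on its own, it is the interpreter configuration that decides whether it is exploitable.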
Dealing with Authentication
► Simple case: brute force (weak password)
► Some statistics from the Global SpiderLabs Report 2013:
► ~51% of password hashes tested were cracked within 5 minutes using basic dictionary attacks
► Over 90% were dictionary-crackable
► The simple solution is often the best one
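The kind of “basic dictionary attack” those numbers refer to, as an added example that is not from the slides or the SpiderLabs report: a wordlist with a few mangling rules run against unsalted MD5 digests. The wordlist, the sample hashes and the helper names are constructed for the demo.

```php
<?php
// Added example, not from the slides. Wordlist and hashes are constructed.

// Candidate generation: each base word plus the mangling rules that account
// for most "Password1" / "s3cr3t" style choices.
function candidates(string $word): Generator
{
    yield $word;
    yield ucfirst($word);
    yield strtoupper($word);
    foreach (['1', '123', '!', '2013', '1!'] as $suffix) {
        yield $word . $suffix;
        yield ucfirst($word) . $suffix;
    }
    // common leet substitutions
    $leet = strtr($word, ['a' => '@', 'e' => '3', 'i' => '1', 'o' => '0', 's' => '$']);
    if ($leet !== $word) {
        yield $leet;
        yield ucfirst($leet);
    }
}

/**
 * @param string[] $hashes   hex digests to crack (unsalted)
 * @param string[] $wordlist base words
 * @return array<string,string> hash => recovered plaintext
 */
function crack(array $hashes, array $wordlist, string $algo = 'md5'): array
{
    // Because the hashes are unsalted, one digest computation is checked
    // against every target at once with a hash-table lookup.
    $targets = array_fill_keys(array_map('strtolower', $hashes), true);
    $found = [];
    foreach ($wordlist as $word) {
        foreach (candidates($word) as $guess) {
            $h = hash($algo, $guess);
            if (isset($targets[$h]) && !isset($found[$h])) {
                $found[$h] = $guess;
                if (count($found) === count($targets)) {
                    return $found;
                }
            }
        }
    }
    return $found;
}

// Constructed sample: five digests a panel might store, four of them weak.
$sampleHashes = [
    md5('password'),
    md5('Admin123'),
    md5('s3cr3t'),
    md5('Exploit2013'),
    md5(bin2hex(random_bytes(12))),   // a strong random password, should survive
];
$wordlist = ['password', 'admin', 'letmein', 'secret', 'exploit', 'qwerty'];

$start   = microtime(true);
$cracked = crack($sampleHashes, $wordlist);
$elapsed = microtime(true) - $start;

printf("%d of %d hashes cracked in %.4f s\n", count($cracked), count($sampleHashes), $elapsed);
foreach ($cracked as $hash => $plain) {
    printf("  %s  %s\n", $hash, $plain);
}
```

Only the random password should remain uncracked. Two things follow for whoever runs a login form: offline, an unsalted fast hash lets every guess be tested against the whole user table at once, so the fix is a per-user salt and a slow KDF (`password_hash()`); online, the same wordlist works against the form itself unless attempts are rate-limited or locked out.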
Still Dealing with Authentication
► Things are not always that simple
► Security by obscurity: panel files given random names, so the login page has to be found before it can be attacked:
► Phoenix Exploit Kit
► Use of CAPTCHA on the login form, which stops naive brute force:
► Blackhole Exploit Kit v2
► CritXPack Exploit Kit
► No choice but to start digging in…
Post-Authentication to RCE
► Once we’ve authenticated, things get easier
► More features mean more user input, which means more risk
► Bad assumption: if you’re authenticated, you’re probably the owner of the server, so input is trusted
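An example of the post-authentication pattern the slide warns about, added here and not taken from the slides or from any particular kit: a “save settings” feature that writes a user-supplied value straight into a PHP config file that is later `include`d. The file layout, setting names and helper names are hypothetical. The hardened variants need PHP 7.3+ for `JSON_THROW_ON_ERROR`.

```php
<?php
// Added illustration, not from the slides or any specific kit. Hypothetical
// config layout and function names.

// ---- Vulnerable: builds PHP source by string interpolation ---------------
function save_settings_vulnerable(string $path, array $settings): void
{
    $src = "<?php\n";
    foreach ($settings as $key => $value) {
        $src .= "\$config['$key'] = '$value';\n";   // $value is never escaped
    }
    file_put_contents($path, $src);
}
// The config is later loaded with include/require, so whatever ended up in the
// file runs as PHP. A value such as
//     '; system($_GET['c']); //
// turns the panel into a web shell for anyone who can reach the settings form,
// whether or not they "own" the server.

// ---- Hardened: write data, not code --------------------------------------
function save_settings_hardened(string $path, array $settings): void
{
    foreach ($settings as $key => $value) {
        if (!preg_match('/^[a-z_]{1,32}$/', (string) $key) || !is_scalar($value)) {
            throw new InvalidArgumentException("bad setting: $key");
        }
    }
    // JSON is inert; the loader uses json_decode(), never include.
    $json = json_encode($settings, JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR);
    file_put_contents($path, $json, LOCK_EX);
}

function load_settings_hardened(string $path): array
{
    return json_decode((string) file_get_contents($path), true, 512, JSON_THROW_ON_ERROR);
}

// If the file must stay PHP, var_export() emits a correctly escaped literal.
function save_settings_var_export(string $path, array $settings): void
{
    file_put_contents($path, "<?php\nreturn " . var_export($settings, true) . ";\n", LOCK_EX);
}

// ---- Demo ----------------------------------------------------------------
$payload = ['title' => "'; echo 'INJECTED'; //"];   // harmless stand-in for system()
$tmp = tempnam(sys_get_temp_dir(), 'cfg');

save_settings_vulnerable($tmp, $payload);
echo file_get_contents($tmp);     // the injected statement is visible in the generated PHP
// include $tmp;                   // would execute it; deliberately left commented out

save_settings_var_export($tmp, $payload);
$cfg = include $tmp;              // quote is escaped by var_export, value round-trips inert
var_dump($cfg['title'] === $payload['title']);

save_settings_hardened($tmp, $payload);
var_dump(load_settings_hardened($tmp)['title'] === $payload['title']);

unlink($tmp);
```

The check to make on a real panel is the loader side: any file that is built from request data and then passed to `include`, `require` or `eval` is a code-injection sink regardless of how well the login in front of it is protected.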
Summary
► “The cobbler’s shoes are never fixed”
► Exploit kits are vulnerable too
► “PHP injections” are underrated
► Attack surface is larger post-authentication