Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

of

Tale of Forgotten Disclosure and Lesson learned Slide 1 Tale of Forgotten Disclosure and Lesson learned Slide 2 Tale of Forgotten Disclosure and Lesson learned Slide 3 Tale of Forgotten Disclosure and Lesson learned Slide 4 Tale of Forgotten Disclosure and Lesson learned Slide 5 Tale of Forgotten Disclosure and Lesson learned Slide 6 Tale of Forgotten Disclosure and Lesson learned Slide 7 Tale of Forgotten Disclosure and Lesson learned Slide 8 Tale of Forgotten Disclosure and Lesson learned Slide 9 Tale of Forgotten Disclosure and Lesson learned Slide 10 Tale of Forgotten Disclosure and Lesson learned Slide 11 Tale of Forgotten Disclosure and Lesson learned Slide 12 Tale of Forgotten Disclosure and Lesson learned Slide 13 Tale of Forgotten Disclosure and Lesson learned Slide 14 Tale of Forgotten Disclosure and Lesson learned Slide 15 Tale of Forgotten Disclosure and Lesson learned Slide 16 Tale of Forgotten Disclosure and Lesson learned Slide 17 Tale of Forgotten Disclosure and Lesson learned Slide 18 Tale of Forgotten Disclosure and Lesson learned Slide 19 Tale of Forgotten Disclosure and Lesson learned Slide 20 Tale of Forgotten Disclosure and Lesson learned Slide 21 Tale of Forgotten Disclosure and Lesson learned Slide 22 Tale of Forgotten Disclosure and Lesson learned Slide 23 Tale of Forgotten Disclosure and Lesson learned Slide 24 Tale of Forgotten Disclosure and Lesson learned Slide 25 Tale of Forgotten Disclosure and Lesson learned Slide 26 Tale of Forgotten Disclosure and Lesson learned Slide 27 Tale of Forgotten Disclosure and Lesson learned Slide 28 Tale of Forgotten Disclosure and Lesson learned Slide 29 Tale of Forgotten Disclosure and Lesson learned Slide 30 Tale of Forgotten Disclosure and Lesson learned Slide 31 Tale of Forgotten Disclosure and Lesson learned Slide 32 Tale of Forgotten Disclosure and Lesson learned Slide 33 Tale of Forgotten Disclosure and Lesson learned Slide 34 Tale of Forgotten Disclosure and Lesson learned Slide 35
Upcoming SlideShare
OWASP Bangalore : OWTF demo : 13 Dec 2014
Next
Download to read offline and view in fullscreen.

0 Likes

Share

Download to read offline

Tale of Forgotten Disclosure and Lesson learned

Download to read offline

Visual version of http://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto The presentation talks about how a disclsoure was forgotten and what we can do to prevent such issues and how to keep a track on Vulnerable components

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all
  • Be the first to like this

Tale of Forgotten Disclosure and Lesson learned

  1. 1. TALE OF FORGOTTEN DISCLOSURE BY ANANT SHRIVASTAVA
  2. 2. ANANT SHRIVASTAVA Information Security Consultant Admin - Dev - Security null + OWASP + G4H and @anantshri Co-Author OWASP Testing Guide 4.0 Projects http://anantshri.info      
  3. 3. SCENARIO 1. A vulnerability present in code (last updated March 2013) 2. Public disclosure in aug 2014. 3. Interestingly someone posted a pull request in Jan 2013 4. Till may 2015 it was not patched even though there was a new release after the pull request was in place.
  4. 4. INFORMATION RECIEVED
  5. 5. INVESTIGATION RESULT 1. Javascript Based DOM-XSS 2. Culprit identified as facebook-page-photo-gallery wordpress plugin. 3. Remove the plugin 4. XSS Fixed; Issue closed 5. End of Story
  6. 6. EMAIL TO PLUGINS TEAM
  7. 7. RESPONSE FROM PLUGIN TEAM
  8. 8. MEANWHILE DISCOVERY REQUIRES EXPERIMENTATION
  9. 9. REPOSITORY
  10. 10. CRUX OF THE ISSUE function getHashtag(){ var url = location.href; hashtag = (url.indexOf('#prettyPhoto') !== -1) ? decodeURI(url.substring(url.indexOf('#pretty Photo')+1,url.length)) : false; return hashtag; };
  11. 11. GOOGLE AHOY
  12. 12. INTERESTING FACT
  13. 13. CONTACTING AUTHOR
  14. 14. SPREAD THE WORD
  15. 15. SPREAD THE WORD
  16. 16. SPREAD THE WORD
  17. 17. FINALLY SOME ACTION
  18. 18. SOME ACTION
  19. 19. RELIEVED LET THE WORLD BE IN PEACE AND LETS GET BACK TO WORK
  20. 20. AFTER 7 DAYS
  21. 21. WHY YOU NO FIX
  22. 22. WORDPRESS PLUGIN INFO 1. Total 35 Plugins Found Total Plugin Downloads Active Install 2882520 3,37,780
  23. 23. NERDY DATA
  24. 24. WHAT IS VULNERABLE 1. Any application / website which has jquery.prettyphoto.js 2. Version 3.1.4 and 3.1.5 are confirmed vulnerable older versions not checked.
  25. 25. WHAT IS A FIX 1. Upgrade to 3.1.6
  26. 26. ENOUGH OF THE PAST WHAT'S IN IT FOR ME.
  27. 27. LESSONS TO BE LEARNED
  28. 28. FOR DEVELOPER 1. Never ignore pull requests and security issue bug report. 2. Proactively test software and at-least if a fix is released publicly accept security issue.
  29. 29. FOR DEVELOPERS / SYSADMIN / DEVOPS 1. never ignore update from shared library 2. Keep an eye on how shared resources are holding up. 3. Monitor your Dependencies
  30. 30. HOW
  31. 31. HOW
  32. 32. HOW
  33. 33. IS THIS ENOUGH 1. Not yet 2. We still lack method to track it for every third party library. 3. Manual tracking is still required.
  34. 34. REFERENCES 1. A9 - Using Components with Known Vulnerabilities 2. https://www.owasp.org/index.php/Top_10_2013-A9- Using_Components_with_Known_Vulnerabilities
  35. 35. THANKS

Visual version of http://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto The presentation talks about how a disclsoure was forgotten and what we can do to prevent such issues and how to keep a track on Vulnerable components

Views

Total views

11,674

On Slideshare

0

From embeds

0

Number of embeds

9,935

Actions

Downloads

13

Shares

0

Comments

0

Likes

0

×