Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Vulnerabilities and Exploitation - Application Security Sci-Fi Hipster Edition

381 views

Published on

Explaining vulnerabilities, exploits, attack vectors, attack surface reduction, aslr etc to someone who understands The Imperial Deathstar.

Presented at Opkoko 2013.1. Live presentation recording in Swedish here: http://www.youtube.com/watch?v=Xi9SRFENiO4

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Vulnerabilities and Exploitation - Application Security Sci-Fi Hipster Edition

  1. 1. Vulnerabilities and Exploitation APPLICATION SECURITY SCI-FI HIPSTER EDITION! peter magnusson twitter: @blaufish_ omegapoint.se sakerhetspodcasten.se
  2. 2. DEFENDER Imperial Death Star (legacy application)
  3. 3. ATTACKERS X-Wing squad (hackers, agile)
  4. 4. VULNERABILITY Reactor core (document.write, s printf, eval)
  5. 5. ATTACK VECTOR Exhaust port / shaft (code paths etc. connecting input to vulnerability )
  6. 6. EXPLOIT Torpedo fitting into exhaust port Reach and gain control over vulnerability, ?id=%27%20SQL
  7. 7. EXPLOIT PAYLOAD Exploding proton warhead (metasploit meterpreter, connect back shells, sqli downloading database, etc)
  8. 8. Improving the Imperial Death Star
  9. 9. ATTACK SURFACE REDUCTION Disable by default Close unused port Force-field (firewall)
  10. 10. FIX VULNERABILITY Exploding core -> safe non-exploding core (sprintf -> snprintf)
  11. 11. DON’T JUST FIX ONE ATTACK VECTOR Often multiple paths to same vulnernability
  12. 12. EXPLOIT MITIGATION ASLR: Randomize location of vulnerability
  13. 13. FIN Questions?

×