Vulnerabilities and Exploitation - Application Security Sci-Fi Hipster Edition

Explaining vulnerabilities, exploits, attack vectors, attack surface reduction, ASLR, etc. to someone who understands The Imperial Death Star.

Presented at Opkoko 2013.1. Live presentation recording in Swedish here: http://www.youtube.com/watch?v=Xi9SRFENiO4


  1. Vulnerabilities and Exploitation: APPLICATION SECURITY SCI-FI HIPSTER EDITION! peter magnusson, twitter: @blaufish_, omegapoint.se, sakerhetspodcasten.se
  2. DEFENDER: Imperial Death Star (legacy application)
  3. ATTACKERS: X-Wing squad (hackers, agile)
  4. VULNERABILITY: Reactor core (document.write, sprintf, eval)
  5. ATTACK VECTOR: Exhaust port / shaft (code paths etc. connecting input to vulnerability)
  6. EXPLOIT: Torpedo fitting into exhaust port. Reach and gain control over vulnerability, ?id=%27%20SQL
  7. EXPLOIT PAYLOAD: Exploding proton warhead (metasploit meterpreter, connect back shells, sqli downloading database, etc.)
  8. Improving the Imperial Death Star
  9. ATTACK SURFACE REDUCTION: Disable by default. Close unused port. Force-field (firewall).
  10. FIX VULNERABILITY: Exploding core -> safe non-exploding core (sprintf -> snprintf)
  11. DON'T JUST FIX ONE ATTACK VECTOR: Often multiple paths to same vulnerability
  12. EXPLOIT MITIGATION: ASLR (randomize location of vulnerability)
  13. FIN: Questions?
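
Slides 10 and 11 as an added C example (not code from the presentation): the sprintf -> snprintf fix is applied at the shared sink, so a code path with no check of its own is covered as well as the one that has a local length check. The function names, the buffer size and the inputs are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LABEL_SIZE 16   /* hypothetical fixed-size destination buffer */

/* "Before" (slide 10): unbounded write, overflows dst when name is long.
   Kept for comparison only; it is never called in this example. */
int format_label_unsafe(char *dst, const char *name)
{
    return sprintf(dst, "user=%s", name);
}

/* "After": bounded write at the sink. Returns 0 on success, -1 when the
   output would not fit (or on an encoding error). */
int format_label_safe(char *dst, size_t dstsz, const char *name)
{
    int n = snprintf(dst, dstsz, "user=%s", name);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz > 0)
            dst[0] = '\0';      /* do not hand back a truncated label */
        return -1;
    }
    return 0;
}

/* Two hypothetical code paths (attack vectors) reaching the same sink. */
int handle_login(char *out, size_t outsz, const char *name)
{
    if (strlen(name) > 8)       /* path-local check: guards this path only */
        return -1;
    return format_label_safe(out, outsz, name);
}

int handle_import(char *out, size_t outsz, const char *name)
{
    /* No path-local check: protected only because the sink itself is fixed. */
    return format_label_safe(out, outsz, name);
}

int main(void)
{
    char buf[LABEL_SIZE];
    const char *long_name = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed input */

    printf("login  short: %d\n", handle_login(buf, sizeof buf, "luke"));
    printf("login  long : %d\n", handle_login(buf, sizeof buf, long_name));
    printf("import long : %d\n", handle_import(buf, sizeof buf, long_name));
    return 0;
}
```

Checking the snprintf return value matters: without it, an over-long input is silently truncated and the caller continues with a label it did not intend.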
