Security Day - Chesf

Talk by CTO Rafael Silva at the Chesf Security Day event.

Published in: Technology
Speaker notes (HTTP Parameter Pollution slides):
  • Four default behaviours when a parameter is repeated: use only the last value passed; use only the first value passed; concatenate all values with a separator; turn all values into an array.

    1. New Attacks on Web Applications. Rafael Silva, rafaelsilva@estuarioti.com.br. www.estuarioti.com.br @estuarioti
    2. Agenda: whoami; OWASP Top 10; Tools vs. skill set; IFrames; HTML5 hacking features; Cursor hijack / click hijack; HTTP Parameter Pollution; HTTPOnly XSS bypass
    3. $whoami: OWASP member; rfdslabs || TheBug Magazine; FAB (Força Aérea Brasileira); C.E.S.A.R; Tempest; @rfdslabs; EstuárioTI
    4. OWASP Top 10
    5. Tools vs. skill set. Nessus, Acunetix, N-Stalker… Attacks and vulnerabilities that automated scanners do not detect: session fixation; privilege escalation [horizontal and vertical]; logout; logic flaws; unauthenticated direct access; "Forgot my password"; …
    6. IFRAMES: stealth browser exploit, or Java, or SWF…; insert malicious JavaScript; stored XSS + IFRAME = chaos; redirect; defacement
    7. IFRAMES
    8. IFRAMES: DEMO 1
    9. HTML5 hacking features: Cross-Origin Resource Sharing; cross-domain AJAX with cookies; blind; not limited to <form> syntax; used to trigger CSRF
    10. HTML5 hacking features: Cross-Origin Resource Sharing
    11. HTML5 hacking features: Cross-Origin Resource Sharing
    12. HTML5 hacking features: silent file upload. JavaScript file upload! Stealth <input type=file> with any file name and content. Uses CORS. How? Create raw multipart/form-data
    13. HTML5 hacking features: silent file upload
    14. HTML5 hacking features: silent file upload
    15. HTML5 hacking features: silent file upload. No user action; no frames; cross-domain with cookies; works in most browsers; you can add more form fields. CSRF flaw needed; no access to the response
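Slides 9 to 15 make one point from the attacker's side: CORS governs who may read a cross-origin response, but a credentialed cross-domain POST (the silent multipart upload) still reaches the server unless a CSRF defence is in place. The following is an added defender-side example, not code from the talk or from EstuárioTI. It assumes a constructed allow-list of origins (`ALLOWED_ORIGINS`) and a hypothetical upload endpoint; the header values are made up for the example. It builds CORS response headers that never reflect an arbitrary origin with credentials, and checks the Origin (or Referer) header of state-changing requests so the "CSRF flaw needed" on slide 15 is closed.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example: only these origins may make
# credentialed cross-origin calls to the API, and only they may write to it.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def cors_response_headers(request_origin, allowed=ALLOWED_ORIGINS, credentials=True):
    """Build the CORS headers for a response.

    The Origin is echoed only when it is on the allow-list. '*' is never used
    together with credentials: browsers reject that combination, and reflecting
    whatever Origin arrives would re-create the slide's "cross-domain AJAX with
    cookies". 'Vary: Origin' stops a cache from serving one origin's answer to
    another.
    """
    headers = {"Vary": "Origin"}
    if request_origin is None or request_origin not in allowed:
        # No Access-Control-Allow-Origin at all: the calling script cannot read
        # the response, and the browser reports a CORS failure.
        return headers
    headers["Access-Control-Allow-Origin"] = request_origin
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def _origin_of(url):
    """Reduce a URL (e.g. a Referer) to its scheme://host[:port] origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else None


def cross_site_write_allowed(method, headers, allowed=ALLOWED_ORIGINS):
    """Server-side CSRF check for the request itself.

    CORS only controls reading the response; the request still arrives with
    the victim's cookies (slide 15: "no access to response", yet the upload
    happens). For state-changing methods the Origin header, or failing that the
    Referer, must name an allowed origin. A write with neither header is
    rejected rather than trusted.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    origin = headers.get("Origin")
    if origin is None and "Referer" in headers:
        origin = _origin_of(headers["Referer"])
    return origin in allowed


def handle_upload(method, headers):
    """Hypothetical upload endpoint combining both checks.
    Returns (HTTP status, CORS response headers)."""
    cors = cors_response_headers(headers.get("Origin"))
    if not cross_site_write_allowed(method, headers):
        return 403, cors
    return 200, cors


if __name__ == "__main__":
    # Constructed requests: a cross-site multipart POST and a legitimate one.
    print(handle_upload("POST", {"Origin": "https://evil.example", "Content-Type": "multipart/form-data"}))
    print(handle_upload("POST", {"Origin": "https://app.example.com", "Content-Type": "multipart/form-data"}))
```

Browsers attach an Origin header to every cross-origin XMLHttpRequest or fetch POST, which is why the check above does not depend on the request's Content-Type or on a `<form>`: a raw multipart body built by script is rejected the same way as a form submission. Session cookies with `SameSite=Lax` or `Strict` add a second, browser-enforced layer on top of this server-side check.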
    16. Cursor hijack / click hijack: Facebook scams; actively exploited; JavaScript in the URL bar; NoScript plugin to mitigate; use your creativity
    17. Cursor hijack / click hijack
    18. Cursor hijack / click hijack
    19. Cursor hijack / click hijack
    20. Cursor hijack / click hijack: DEMO 2
    21. Cursor hijack / click hijack: DEMO 3
    22. HTTP Parameter Pollution. Query string: the term is defined in RFC 3986. GET and POST: query string metacharacters are & ? # ; =
    23. HTTP Parameter Pollution
    24. HTTP Parameter Pollution: bypass ModSecurity. Busted query / accepted query (shown on slide)
    25. HTTP Parameter Pollution: bypass IBM Web Application Firewall (FIXED). Busted query / accepted query (shown on slide). Discovered by Wendel Henrique from Trustwave Labs
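The speaker notes list the four ways a framework can resolve a repeated parameter (first, last, concatenated, array), and slides 24 and 25 show why that matters: a filter and the application behind it can pick different values from the same request. As an added example, not code from the talk or from EstuárioTI, the following Python applies all four policies to one constructed query string and adds the check a defender wants in front of any such disagreement: flag, and reject, any request that repeats a parameter. The query strings, the policy names and the `accept_request` rule are constructed for the example.

```python
from urllib.parse import unquote_plus

# Constructed sample queries (not from the slides): the second one repeats "id",
# uses ';' as a pair separator and carries a fragment.
CLEAN_QUERY = "?id=42&view=summary"
POLLUTED_QUERY = "?id=42&view=summary;id=99#top"


def split_query(query):
    """Split a raw query string into ordered (name, value) pairs.

    Honours the metacharacters from slide 22: a leading '?', '#' starting the
    fragment (which a browser never sends to the server), '&' and ';' as pair
    separators, and '=' between name and value. Order is preserved because the
    first/last policies below depend on it.
    """
    if query.startswith("?"):
        query = query[1:]
    query = query.split("#", 1)[0]
    pairs = []
    for chunk in query.replace(";", "&").split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def resolve(pairs, name, policy, separator=","):
    """Return the value of `name` as a backend using `policy` would see it.

    The four policies are the ones in the speaker notes. Which one applies is a
    property of the framework or WAF, not of the request, which is exactly why
    two layers can disagree about the same query.
    """
    values = [v for n, v in pairs if n == name]
    if not values:
        return None
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    if policy == "concat":
        return separator.join(values)
    if policy == "array":
        return values
    raise ValueError(f"unknown policy {policy!r}")


def views_by_policy(query, name):
    """How each policy interprets one request; every differing row is a value
    an inspecting layer might approve while an acting layer uses another."""
    pairs = split_query(query)
    return {p: resolve(pairs, name, p) for p in ("first", "last", "concat", "array")}


def duplicated_params(pairs):
    """Parameter names that occur more than once, in first-seen order."""
    seen, dups = set(), []
    for name, _ in pairs:
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


def accept_request(query):
    """Defensive rule (constructed for the example): refuse any request that
    repeats a parameter, so no two layers can be made to disagree.
    Returns (accepted, reason)."""
    dups = duplicated_params(split_query(query))
    if dups:
        return False, "repeated parameter(s): " + ", ".join(dups)
    return True, "ok"


if __name__ == "__main__":
    print(views_by_policy(POLLUTED_QUERY, "id"))
    print(accept_request(CLEAN_QUERY), accept_request(POLLUTED_QUERY))
```

Rejecting duplicates outright is the simplest rule; where an application legitimately needs repeated names (multi-select fields), the same `duplicated_params` check can instead be applied only to parameters that must be single-valued, such as identifiers and amounts, and the WAF and the application should be configured to use the same policy so that `views_by_policy` yields one consistent answer.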
    26. HTTPOnly XSS bypass. Implemented in 2002 by Microsoft in IE 6: an additional flag included in a Set-Cookie HTTP response header. Exploiting an XSS when HTTPOnly is set in the response? No cookies for you?
    27. HTTPOnly XSS bypass. How to bypass? Cross-Site Tracing – HTTP TRACE (FIXED); XMLHttpRequest also blocked the TRACE method (FIXED); CVE-2009-0357, XMLHttpRequest in Firefox (FIXED)
    28. HTTPOnly XSS bypass: Java API applet, HTTP TRACE (FIXED)
    29. HTTPOnly XSS bypass: Java getHeaderField in the java.net.URLConnection package (UNFIXED). By Aung Khant, http://yehg.net
    30. HTTPOnly XSS bypass
    31. HTTPOnly XSS bypass… and it WORKS!
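Slides 26 to 31 describe HttpOnly as a single flag in the Set-Cookie header and then list the channels (TRACE, old XMLHttpRequest behaviour, Java) that have leaked cookies around it. As an added example, not code from the talk or from EstuárioTI, the following Python parses Set-Cookie headers and audits them the way a defender reviewing a response would: HttpOnly on every cookie, and Secure and SameSite on session cookies, since HttpOnly alone does nothing against interception or CSRF. It also shows a method allow-list that refuses TRACE, the server-side part of closing the Cross-Site Tracing channel from slide 27. The sample headers and the list of session-cookie names are constructed for the example.

```python
# Constructed Set-Cookie headers for the audit (not from the slides).
SAMPLE_HEADERS = [
    "JSESSIONID=deadbeef; Path=/",
    "JSESSIONID=deadbeef; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; Max-Age=31536000",
]

# Constructed list of cookie names treated as session cookies.
SESSION_COOKIE_NAMES = ("jsessionid", "phpsessid", "sessionid", "asp.net_sessionid")

# Methods a typical application server needs; TRACE is deliberately absent so
# a TRACE request is refused instead of echoing the request headers back.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"})


def parse_set_cookie(header):
    """Parse one Set-Cookie header into (name, value, attributes).

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    flag attributes that carry no value (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header, session_names=SESSION_COOKIE_NAMES):
    """Return a list of findings for one Set-Cookie header (empty when clean).

    HttpOnly is the flag slide 26 describes and is expected on every cookie
    that script has no reason to read. Session cookies additionally need
    Secure (not sent over plain HTTP) and SameSite=Lax or Strict (not attached
    to cross-site requests), neither of which HttpOnly provides.
    """
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if name.lower() in session_names:
        if "secure" not in attrs:
            findings.append("missing Secure")
        samesite = attrs.get("samesite")
        if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
            findings.append("SameSite not Lax/Strict")
    return findings


def audit_response(set_cookie_headers):
    """Audit every Set-Cookie header of a response; returns [(name, findings), ...]."""
    return [(parse_set_cookie(h)[0], audit_set_cookie(h)) for h in set_cookie_headers]


def method_allowed(method):
    """Server-side method allow-list; TRACE (slide 27's XST channel) is refused."""
    return method.upper() in ALLOWED_METHODS


if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_HEADERS):
        print(name, findings or "ok")
    print("TRACE allowed:", method_allowed("TRACE"))
```

The audit is a response-side check and says nothing about the browser-side bypasses the slides list; those are closed by the browser or runtime vendor, which is why the slides mark most of them FIXED. What the server controls is whether the flag is set at all, whether TRACE is answered, and whether the session cookie is also Secure and SameSite, and that is what the functions above verify.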
    32. EstuárioTI
    33. References: Tempest Blog; Stefano Di Paola; SecKB Blog; OWASP; Marcus Niemietz
