Heartbleed and information insecurity
QA Night Recife
Guilherme Motta, @gfcmotta
about @gfcmotta
gfcmotta@gmail.com
WTF
HTTP protocol
GET /index.html HTTP/1.1          Request> GET is the HTTP method, then the URI, 1.1 is the version
Host: www.example.com             Header values (name: value)
HTTP protocol
HTTP/1.1 200 OK                   Response> HTTP/1.1 is the protocol and version, 200 the status, OK the message
Date: Mon, 23 May 2005 22:38:34 GMT          Header values (name: value)
Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux)
Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
ETag: "3f80f-1b6-3e1cb03b"
Content-Type: text/html; charset=UTF-8
Content-Length: 131
Accept-Ranges: bytes
Connection: close
<html>                            Message body
<head>
<title>An Example Page</title>
</head>
<body>
Hello World, this is a very simple HTML document.
</body>
</html>
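As an added example (not part of the slides), a small C parser for the request format shown above: it splits the request line into method, URI and version, collects the name: value header pairs, and rejects a message that is missing a separator, a version, or the blank line that ends the header block. The sample request is constructed from the one on the slide with one extra header; the struct and function names are the example's own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_HEADERS 16
#define MAX_TOKEN 256

/* Parsed view of the request line and headers of one HTTP/1.1 message. */
struct http_request {
    char method[16];
    char uri[MAX_TOKEN];
    char version[16];
    int header_count;
    char names[MAX_HEADERS][64];
    char values[MAX_HEADERS][MAX_TOKEN];
};

/* Copy the bytes in [start, end) into dst as a C string.
 * Returns -1 instead of silently truncating when the token does not fit. */
static int copy_span(char *dst, size_t cap, const char *start, const char *end) {
    size_t n = (size_t)(end - start);
    if (n >= cap) return -1;
    memcpy(dst, start, n);
    dst[n] = '\0';
    return 0;
}

/* Case-insensitive string equality; HTTP header names are case-insensitive. */
static int ci_equal(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Parse "METHOD SP URI SP VERSION CRLF" followed by "NAME: VALUE CRLF" lines,
 * terminated by an empty line. Returns 0 on success, -1 on a malformed message. */
int parse_http_request(const char *msg, struct http_request *req) {
    memset(req, 0, sizeof *req);
    const char *p = msg;

    const char *sp1 = strchr(p, ' ');
    if (!sp1 || sp1 == p) return -1;                       /* no method */
    if (copy_span(req->method, sizeof req->method, p, sp1)) return -1;
    const char *sp2 = strchr(sp1 + 1, ' ');
    if (!sp2 || sp2 == sp1 + 1) return -1;                 /* no URI */
    if (copy_span(req->uri, sizeof req->uri, sp1 + 1, sp2)) return -1;
    const char *eol = strstr(sp2 + 1, "\r\n");
    if (!eol) return -1;
    if (copy_span(req->version, sizeof req->version, sp2 + 1, eol)) return -1;
    if (strncmp(req->version, "HTTP/", 5) != 0) return -1; /* not an HTTP version token */
    p = eol + 2;

    /* Header block: loop until the empty line; a message that ends before it is rejected. */
    while (strncmp(p, "\r\n", 2) != 0) {
        eol = strstr(p, "\r\n");
        if (!eol) return -1;                               /* missing terminating blank line */
        const char *colon = memchr(p, ':', (size_t)(eol - p));
        if (!colon || colon == p) return -1;               /* no "name:" separator */
        if (req->header_count >= MAX_HEADERS) return -1;
        const char *v = colon + 1;
        while (v < eol && (*v == ' ' || *v == '\t')) v++;  /* optional whitespace after ':' */
        if (copy_span(req->names[req->header_count], 64, p, colon)) return -1;
        if (copy_span(req->values[req->header_count], MAX_TOKEN, v, eol)) return -1;
        req->header_count++;
        p = eol + 2;
    }
    return 0;
}

/* Look up a header value by name, case-insensitively; NULL if absent. */
const char *get_header(const struct http_request *req, const char *name) {
    for (int i = 0; i < req->header_count; i++)
        if (ci_equal(req->names[i], name)) return req->values[i];
    return NULL;
}

/* Constructed sample: the request from the slide plus a Connection header. */
const char SAMPLE_REQUEST[] =
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Connection: close\r\n"
    "\r\n";

int main(void) {
    struct http_request req;
    if (parse_http_request(SAMPLE_REQUEST, &req) != 0) {
        puts("malformed request");
        return 1;
    }
    printf("method=%s uri=%s version=%s headers=%d\n",
           req.method, req.uri, req.version, req.header_count);
    printf("Host: %s\n", get_header(&req, "host"));
    return 0;
}
```

The parser keeps the same three-part split the slide annotates (method, URI, version) and returns an error rather than a partially filled struct, so a caller never acts on a request line it could not fully parse.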
HTTP protocol
cleartext
easy to read :))))
HTTPS protocol
S for “secure”
TLS/SSL
HTTPS protocol
S for “secure”
<cryptography>
SSL/TLS
HTTPS protocol
SSL/TLS
-> OpenSSL
HTTPS protocol
-> OpenSSL
everyone uses it!
SSL/TLS
Heartbeat
Heartbleed
In 2011, one of the RFC's authors, Robin Seggelmann, then a Ph.D. student at
the University of Duisburg-Essen, implemented the Heartbeat Extension for
OpenSSL. Following Seggelmann's request to put the result of his work into
OpenSSL,[19][20][21] his change was reviewed by Stephen N. Henson, one of
OpenSSL's four core developers. Henson apparently failed to notice a bug in
Seggelmann's implementation,[22] and introduced the flawed code into
OpenSSL's source code repository on December 31, 2011. The vulnerable
code was adopted into widespread use with the release of OpenSSL version
1.0.1 on March 14, 2012. Heartbeat support was enabled by default, causing
affected versions to be vulnerable by default.[23][24][25]
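The passage above covers how the Heartbeat code reached OpenSSL; the defect itself was a missing bounds check: the handler took the payload length from the peer's heartbeat message and copied that many bytes into its reply without confirming the received record was actually that long. As an added example (not OpenSSL's code), a simplified RFC 6520 heartbeat handler in C with that check in place; the function names, the layout constants and every sample record below are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 record layout: type (1 byte), payload_length (2 bytes, big-endian),
 * payload, then at least 16 bytes of padding. Constants are the example's own. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* The check Heartbleed was missing: the length the peer CLAIMS must fit
 * inside the record that was ACTUALLY received. Returns 1 if it fits. */
int heartbeat_length_ok(size_t record_len, uint16_t declared_len) {
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING) return 0;  /* no room for header + padding */
    return (size_t)HB_HEADER_LEN + declared_len + HB_MIN_PADDING <= record_len;
}

/* Build a HeartbeatResponse that echoes the request payload into resp.
 * Returns the number of response bytes written, or -1 if the request is
 * malformed and must be silently discarded (no reply, as RFC 6520 requires). */
int heartbeat_process(const uint8_t *rec, size_t rec_len,
                      uint8_t *resp, size_t resp_cap) {
    if (rec_len < HB_HEADER_LEN) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);

    if (!heartbeat_length_ok(rec_len, declared)) return -1;     /* the fix */

    size_t total = HB_HEADER_LEN + declared + HB_MIN_PADDING;
    if (total > resp_cap) return -1;                            /* response buffer too small */
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    /* After the check above this copy can only read bytes inside rec. */
    memcpy(resp + HB_HEADER_LEN, rec + HB_HEADER_LEN, declared);
    /* Padding (random bytes in a real implementation; zeros here for determinism). */
    memset(resp + HB_HEADER_LEN + declared, 0, HB_MIN_PADDING);
    return (int)total;
}

int main(void) {
    /* Constructed well-formed request: 5-byte payload "hello" plus 16 bytes padding. */
    uint8_t good[] = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
                      0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
    uint8_t resp[128];
    int n = heartbeat_process(good, sizeof good, resp, sizeof resp);
    printf("well-formed record: response of %d bytes, payload \"%.5s\"\n", n, resp + 3);

    /* Constructed record that declares 0xFFFF payload bytes but carries only 5. */
    uint8_t lying[] = {HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o',
                       0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
    n = heartbeat_process(lying, sizeof lying, resp, sizeof resp);
    printf("over-long declared length: %s\n", n < 0 ? "discarded" : "answered");
    return 0;
}
```

heartbeat_length_ok is the single comparison whose absence was the bug: with it, a record whose declared length exceeds what arrived is dropped without a reply, instead of being echoed back together with whatever happened to sit in memory after the payload.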
Look at code examples
Methodologies!!!
OWASP
OSSTMM
ISSAF
IBM*
NIST 800.42
...
Look at code examples
http://en.wikipedia.org/wiki/Taint_checking
not so live demo
Hacking DVWA
- XSS (last 2 minutes of the video)
http://www.youtube.com/watch?v=-H1qjiwQldw
- SQL Injection
http://www.youtube.com/watch?v=7NCpvG7nYb
- remote command execution
http://www.youtube.com/watch?v=6hnCGsS-V0Y
- Cookie hijacking
http://www.youtube.com/watch?v=qB9c01R3aQU
- CSRF (Cross-Site Request Forgery)
http://www.youtube.com/watch?v=2Y7IywV1YBQ
Links
www.dvwa.co.uk/
www.backtrack-linux.org
http://www.kali.org/
http://portswigger.net/burp/
http://www.wireshark.org/
http://wpepro.net/
http://cheatengine.org/