SlideShare a Scribd company logo

Why Web Security Is Fundamentally Broken

Most people are disturbed when they witness just how much of their personal information is accessible the very moment they visit a website. Then, if you give that [malicious] website just one mouse-click --- out goes even more personally identifiable data. We’re talking about full names, where you live, the town where you grew up and went to school, martial status, list of friends, sites you are logged-in to, the software you use complete with version numbers, and in some cases, your browser’s auto-complete data and history of other sites you’ve visited. All of this is performed using nothing but HTML and JavaScript. No need for memory corrupting exploits that escape the confines of the browser walls. Through a demo-driven presentation, the audience will see first-hand how and why all these attacks are possible, even in the presence of browser silent updates and the latest security improvements such as sandboxes, anti-phishing protections, and the availability of Content Security Policy, X-Frame-Options, Origin, Strict Transport Security, SSL, etc. And just so everyone is crystal clear, firewalls don’t help and neither does anti-virus software. The reason why none of this works is that these web attacks take advantage of flaws in the way the Web was designed to work! Adding insult to injury most of the techniques on display are NOT technically “new,” and this talk will cleverly wire these issues together to make a point, and tell a story. It is the story of Why Web Security Is Fundamentally Broken. Here’s the punchline: The only known ways to fix these issues adequately is to “break the Web” -- i.e. negatively impact the usability of a significant percentage of websites. Doing so directly conflicts with business interests of the current browser vendors who are looking to grow market share and advertising revenue. Their choice is simple, be less secure and more adopted, rather than secure and obscure. This is the Web security trade-off that’s being made for us.

1 of 57
Download to read offline
Why Web Security Is
Fundamentally Broken

Jeremiah Grossman
Founder & Chief Technology Officer




                                     © 2012 WhiteHat Security, Inc.   1
Jeremiah Grossman
ØFounder & CTO of WhiteHat Security
ØInternational Presenter
ØTED Alumni
ØInfoWorld Top 25 CTO
ØCo-founder of the Web Application Security Consortium
ØCo-author: Cross-Site Scripting Attacks
ØFormer Yahoo! information security officer
ØBrazilian Jiu-Jitsu Black Belt




                                                          2
WhiteHat Security
• Headquartered in Santa Clara, CA
• WhiteHat Sentinel – SaaS end-to-end website risk
  management platform (static and dynamic)
• Employees: 220+



  Cool
  Vendor




                        The FutureNow List




                                                     3
Web Security   A website must be able to
               defend itself against a
Rule #1:       hostile client [browser].




                           © 2010 WhiteHat Security, Inc. | Page
Web Security       A website must be able to
                   defend itself against a
Rule #1:           hostile client [browser].



  Challenging, but
 possible to follow.



                               © 2010 WhiteHat Security, Inc. | Page
Web Security A browser must be able
               to defend itself against a
Rule #2:       hostile website.




                             © 2010 WhiteHat Security, Inc. | Page

Recommended

Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterJeremiah Grossman
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorJeremiah Grossman
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryJeremiah Grossman
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 

More Related Content

More from Jeremiah Grossman

Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Jeremiah Grossman
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowJeremiah Grossman
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Jeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Jeremiah Grossman
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015Jeremiah Grossman
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesJeremiah Grossman
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedJeremiah Grossman
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportJeremiah Grossman
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)Jeremiah Grossman
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]Jeremiah Grossman
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Jeremiah Grossman
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)Jeremiah Grossman
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Jeremiah Grossman
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
 
Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"Jeremiah Grossman
 

More from Jeremiah Grossman (20)

Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to Know
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security Guarantees
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report Explained
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 
Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"
 

Recently uploaded

SKY Paradigms, change and cake: the steep curve of introducing new technologies
SKY Paradigms, change and cake: the steep curve of introducing new technologiesSKY Paradigms, change and cake: the steep curve of introducing new technologies
SKY Paradigms, change and cake: the steep curve of introducing new technologiesNeo4j
 
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...Chris Bingham
 
software-quality-assurance question paper 2023
software-quality-assurance question paper 2023software-quality-assurance question paper 2023
software-quality-assurance question paper 2023RohanMistry15
 
AGFM - Toyota Coaster 1HZ Install Guide.pdf
AGFM - Toyota Coaster 1HZ Install Guide.pdfAGFM - Toyota Coaster 1HZ Install Guide.pdf
AGFM - Toyota Coaster 1HZ Install Guide.pdfRodneyThomas28
 
PrismCRM-RealEstate-SalesCRM_byCode5Company
PrismCRM-RealEstate-SalesCRM_byCode5CompanyPrismCRM-RealEstate-SalesCRM_byCode5Company
PrismCRM-RealEstate-SalesCRM_byCode5CompanyMustafa Kuğu
 
AI for Educators - Integrating AI in the Classrooms
AI for Educators - Integrating AI in the ClassroomsAI for Educators - Integrating AI in the Classrooms
AI for Educators - Integrating AI in the ClassroomsPremsankar Chakkingal
 
Key projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AIKey projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AIVijayananda Mohire
 
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)François
 
My Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceMy Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceVijayananda Mohire
 
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...SearchNorwich
 
How AI and ChatGPT are changing cybersecurity forever.pptx
How AI and ChatGPT are changing cybersecurity forever.pptxHow AI and ChatGPT are changing cybersecurity forever.pptx
How AI and ChatGPT are changing cybersecurity forever.pptxInfosec
 
Improving IT Investment Decisions and Business Outcomes with Integrated Enter...
Improving IT Investment Decisions and Business Outcomes with Integrated Enter...Improving IT Investment Decisions and Business Outcomes with Integrated Enter...
Improving IT Investment Decisions and Business Outcomes with Integrated Enter...Cprime
 
Establishing data sharing standards to promote global industry development
Establishing data sharing standards to promote global industry developmentEstablishing data sharing standards to promote global industry development
Establishing data sharing standards to promote global industry developmentThorsten Huelsmann
 
Artificial Intelligence, Design, and More-than-Human Justice
Artificial Intelligence, Design, and More-than-Human JusticeArtificial Intelligence, Design, and More-than-Human Justice
Artificial Intelligence, Design, and More-than-Human JusticeJosh Gellers
 
National Institute of Standards and Technology (NIST) Cybersecurity Framework...
National Institute of Standards and Technology (NIST) Cybersecurity Framework...National Institute of Standards and Technology (NIST) Cybersecurity Framework...
National Institute of Standards and Technology (NIST) Cybersecurity Framework...MichaelBenis1
 
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)Jay Zhao
 
Achieving Excellence IESVE for HVAC Simulation.pdf
Achieving Excellence IESVE for HVAC Simulation.pdfAchieving Excellence IESVE for HVAC Simulation.pdf
Achieving Excellence IESVE for HVAC Simulation.pdfIES VE
 
Centralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-ManagerCentralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-ManagerSaiLinnThu2
 
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlue
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlueVM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlue
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlueShapeBlue
 

Recently uploaded (20)

SKY Paradigms, change and cake: the steep curve of introducing new technologies
SKY Paradigms, change and cake: the steep curve of introducing new technologiesSKY Paradigms, change and cake: the steep curve of introducing new technologies
SKY Paradigms, change and cake: the steep curve of introducing new technologies
 
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
 
software-quality-assurance question paper 2023
software-quality-assurance question paper 2023software-quality-assurance question paper 2023
software-quality-assurance question paper 2023
 
AGFM - Toyota Coaster 1HZ Install Guide.pdf
AGFM - Toyota Coaster 1HZ Install Guide.pdfAGFM - Toyota Coaster 1HZ Install Guide.pdf
AGFM - Toyota Coaster 1HZ Install Guide.pdf
 
PrismCRM-RealEstate-SalesCRM_byCode5Company
PrismCRM-RealEstate-SalesCRM_byCode5CompanyPrismCRM-RealEstate-SalesCRM_byCode5Company
PrismCRM-RealEstate-SalesCRM_byCode5Company
 
AI for Educators - Integrating AI in the Classrooms
AI for Educators - Integrating AI in the ClassroomsAI for Educators - Integrating AI in the Classrooms
AI for Educators - Integrating AI in the Classrooms
 
Key projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AIKey projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AI
 
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)
Mind your App Footprint 🐾⚡️🌱 (@FlutterHeroes 2024)
 
My Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceMy Journey towards Artificial Intelligence
My Journey towards Artificial Intelligence
 
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
 
How AI and ChatGPT are changing cybersecurity forever.pptx
How AI and ChatGPT are changing cybersecurity forever.pptxHow AI and ChatGPT are changing cybersecurity forever.pptx
How AI and ChatGPT are changing cybersecurity forever.pptx
 
Improving IT Investment Decisions and Business Outcomes with Integrated Enter...
Improving IT Investment Decisions and Business Outcomes with Integrated Enter...Improving IT Investment Decisions and Business Outcomes with Integrated Enter...
Improving IT Investment Decisions and Business Outcomes with Integrated Enter...
 
Establishing data sharing standards to promote global industry development
Establishing data sharing standards to promote global industry developmentEstablishing data sharing standards to promote global industry development
Establishing data sharing standards to promote global industry development
 
Artificial Intelligence, Design, and More-than-Human Justice
Artificial Intelligence, Design, and More-than-Human JusticeArtificial Intelligence, Design, and More-than-Human Justice
Artificial Intelligence, Design, and More-than-Human Justice
 
National Institute of Standards and Technology (NIST) Cybersecurity Framework...
National Institute of Standards and Technology (NIST) Cybersecurity Framework...National Institute of Standards and Technology (NIST) Cybersecurity Framework...
National Institute of Standards and Technology (NIST) Cybersecurity Framework...
 
In sharing we trust. Taking advantage of a diverse consortium to build a tran...
In sharing we trust. Taking advantage of a diverse consortium to build a tran...In sharing we trust. Taking advantage of a diverse consortium to build a tran...
In sharing we trust. Taking advantage of a diverse consortium to build a tran...
 
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)
 
Achieving Excellence IESVE for HVAC Simulation.pdf
Achieving Excellence IESVE for HVAC Simulation.pdfAchieving Excellence IESVE for HVAC Simulation.pdf
Achieving Excellence IESVE for HVAC Simulation.pdf
 
Centralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-ManagerCentralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-Manager
 
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlue
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlueVM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlue
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlue
 

Why Web Security Is Fundamentally Broken

  • 1. Why Web Security Is Fundamentally Broken Jeremiah Grossman Founder & Chief Technology Officer © 2012 WhiteHat Security, Inc. 1
  • 2. Jeremiah Grossman ØFounder & CTO of WhiteHat Security ØInternational Presenter ØTED Alumni ØInfoWorld Top 25 CTO ØCo-founder of the Web Application Security Consortium ØCo-author: Cross-Site Scripting Attacks ØFormer Yahoo! information security officer ØBrazilian Jiu-Jitsu Black Belt 2
  • 3. WhiteHat Security • Headquartered in Santa Clara, CA • WhiteHat Sentinel – SaaS end-to-end website risk management platform (static and dynamic) • Employees: 220+ Cool Vendor The FutureNow List 3
  • 4. Web Security A website must be able to defend itself against a Rule #1: hostile client [browser]. © 2010 WhiteHat Security, Inc. | Page
  • 5. Web Security A website must be able to defend itself against a Rule #1: hostile client [browser]. Challenging, but possible to follow. © 2010 WhiteHat Security, Inc. | Page
  • 6. Web Security A browser must be able to defend itself against a Rule #2: hostile website. © 2010 WhiteHat Security, Inc. | Page
  • 7. Web Security A browser must be able to defend itself against a Rule #2: hostile website. Impossible. © 2010 WhiteHat Security, Inc. | Page
  • 8. © 2010 WhiteHat Security, Inc. | Page 6
  • 9. Today’s browsers make availabe to every website you visit: Passive access to your operating system information, various system settings, browser type / version, installed add-ons & plug-ins, geographic location, websites currently logged-into, etc. © 2010 WhiteHat Security, Inc. | Page 6
  • 10. Today’s browsers make availabe to every website you visit: Passive access to your operating system information, various system settings, browser type / version, installed add-ons & plug-ins, geographic location, websites currently logged-into, etc. Give a website just 1 mouse-click — Then it gets access to: Your name, where you live, where you’ve been, town you grew up in and went to school, martial status, photos, and in some cases, the browser’s auto- complete data and surfing history. © 2010 WhiteHat Security, Inc. | Page 6
  • 11. Today’s browsers make availabe to every website you visit: Passive access to your operating system information, various system settings, browser type / version, installed add-ons & plug-ins, geographic location, websites currently logged-into, etc. Give a website just 1 mouse-click — Then it gets access to: Your name, where you live, where you’ve been, town you grew up in and went to school, martial status, photos, and in some cases, the browser’s auto- complete data and surfing history. All browsers also allow a [malicious] website to: Force your browser to send self-incriminating Web requests, hack your Intranet, auto-XSS / CSRF you on any website, etc. © 2010 WhiteHat Security, Inc. | Page 6
  • 12. The 2 Types of Browser Attacks 1) Attacks designed to escape the browser walls and infect the operating system with malware. (a.k.a. Drive-by-Downloads) Security: Sandboxing, silent and automatic updates, increased software security, anti-phishing & anti- malware warnings, etc. [Enabled by default] 2) Attacks that remain within the browser walls and compromise cloud-based data. XSS, CSRF, Clickjacking, etc. Security: SECURE Cookies, httpOnly, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Content Security Policy, EV-SSL, etc. [Opt-In by website, users can’t protect themselves] © 2010 WhiteHat Security, Inc. | Page
  • 13. Browser Interrogation Operating System and Browser Type via User-Agent Headers User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 Language setting, ActiveX support, and the Referer. GET / HTTP/1.1 Host: http://maliciouswebsite/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 Accept-Language:en-US,en;q=0.8 <script> if (navigator.language) { ! console.log(navigator.language); } </script> © 2010 WhiteHat Security, Inc. | Page 8
  • 14. Browser Interrogation (cont.) ActiveX <script> if(typeof(window.ActiveXObject)=="undefined"){ ! console.log(“ActiveX Unavailable"); } else { ! console.log(“ActiveX Available"); } </script> Referer GET / HTTP/1.1 Host: http://maliciouswebsite/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 Referer:http://searchengine/search?q=keywords © 2010 WhiteHat Security, Inc. | Page 9
  • 15. Browser Interrogation (cont.) Virtualization Detection via Screen Dimensions <script> var  dimensions  =  {'320,  200'  :  '',  '320,  200'  :  '',  '320,  240'  :  '',  '640,  480'  :  '',  '800,  480'  :  '',  '768,  576'  :  '',  '854,  480'  :  '',   '1024,  600'  :  '',  '1152,  768'  :  '',  '800,  600'  :  '',  '1024,  768'  :  '',  '1280,  854'  :  '',  '1280,  960'  :   '',  '1280,  1024'  :  '',  '1280,  720'  :  '',  '1280,  768'  :  '',  '1366,  768'  :  '',  '1280,  800'  :  '',  '1440,   900'  :  '',  '1440,  960'  :  '',  '1400,  1050'  :  '',  '1600,  1200'  :  '',  '2048,  1536'  :  '',  '1680,  1050'  :   1,  '1920,  1080'  :  '',  '2048,  1080'  :  '',  '1920,  1200'  :  '',  '2560,  1600'  :  '',  '2560,  2048'  :  ''};   var  wh  =  screen.width  +  ",  "  +  screen.height;   if  (dimensions[wh]  !=  undefined)  {   console.log(“Not  virtualized"); }  else  {   console.log(“OperaUng  in  a  virtualized  environment");  } </script> © 2010 WhiteHat Security, Inc. | Page 10
  • 16. Browser Interrogation (cont.) Identifying Installed Extensions and Add-Ons (CHROME) <script  src=”chrome-­‐extension://aknpkdffaafgjchaibgeecgmgeghloj/manifest.json  ”   onload=”extensionDetected()”>   (Firefox) <script> if  (typeof  uniquelyNamedObject  !=  'undefined'){      console.log  ("Add-­‐On  Present"); } </script> © 2010 WhiteHat Security, Inc. | Page 11
  • 17. © 2010 WhiteHat Security, Inc. | Page 12
  • 18. Common use-case: <img src=”http://someotherwebsite/image.png”> <img src=”http://someotherwebsite/image.png” onload=”successful()” onerror=”error()”> If the image file loaded correctly, the “successful” Javascript function executes. If some error occurred, obviously the “error” function executes. © 2010 WhiteHat Security, Inc. | Page 12
  • 19. Common use-case: DEMO <img src=”http://someotherwebsite/image.png”> <img src=”http://someotherwebsite/image.png” onload=”successful()” onerror=”error()”> If the image file loaded correctly, the “successful” Javascript function executes. If some error occurred, obviously the “error” function executes. Login-Detection (via CSRF): <img src=”http://someotherwebsite/loggedin.png” onload=”loggedIn()” onerror=”notLoggedIn()”>. If the user is logged-in, the image file loads successfully, which executes the “loggedIn.” If they’re not logged-in, “notLoggedIn” is executed. © 2010 WhiteHat Security, Inc. | Page 12
  • 20. Authenticated Javascript/CSS Event Handler <script src=”http://thirdparty/javascript.js” onload=”loggedin()” onerror=”notloggedin()”></script> Object Detection <script src=”http://thirdparty/javascript.js”> </script> <script> if (typeof loggedInObject != 'undefined'){ console.log ("Logged-In"); } </script> CSS Object Detection <link rel="stylesheet" type="text/css" href="http:// thirdparty/stylesheet.css" /> © 2010 WhiteHat Security, Inc. | Page 13
  • 21. Authenticated IFRAMEs iframe.contentWindow.length <iframe id=”login” src=”http://thirdparty/profile/”> </iframe> <script> if (iframe.contentWindow.length > 0) { console.log ("Logged-In"); } </script> XFO Detection <iframe id=”login” src=”http://thirdparty/profile/”></ iframe> © 2010 WhiteHat Security, Inc. | Page 14
  • 22. XFO Detection <iframe id=”login” src=”http://thirdparty/profile/”></iframe> <script src=”http://ajax.googleapis.com/ajax/libs/dojo/1.7.2/dojo/dojo.js”></script> <script> var urls = ['http://www.wikipedia.org/','http://ha.ckers.org/', 'http:// www.google.com/','http://www.facebook.com/','https://github.com/','http:// daringfireball.net/',]; function detect() { dojo.forEach(urls, function(url) { var iframe = dojo.create(“iframe”, { src: url, id: url }); dojo.attr(iframe, “style”, {display: ‘none’}); dojo.connect(iframe, “onload”, function() { dojo.destroy(iframe); }); dojo.place(iframe, dojo.body()); setTimeout(function () { var obj = dojo.byId(url); if (obj) { dojo.destroy(iframe); var entry = dojo.create(“li”, null, dojo.body()); entry.innerHTML = “Yes: ” + url; } else { var entry = dojo.create(“li”, null, dojo.body()); entry.innerHTML = “No: ” + url; } }, 3000); }); } © 2010 WhiteHat Security, Inc. | Page 15
  • 23. Deanonymize (via Clickjacking) © 2010 WhiteHat Security, Inc. | Page 16
  • 24. Deanonymize (via Clickjacking) Click For More Dancing Cats © 2010 WhiteHat Security, Inc. | Page 16
  • 25. Deanonymize (via Clickjacking) Click For More Dancing Cats "A mashup is a self-inflicted XSS attack." Douglas Crockford © 2010 WhiteHat Security, Inc. | Page 16
  • 26. Deanonymize (via Clickjacking) Click For More Dancing Cats "A mashup is a self-inflicted XSS attack." Douglas Crockford http://mayscript.com/blog/david/clickjacking-attacks-unresolved DEMO © 2010 WhiteHat Security, Inc. | Page 16
  • 27. “Unless you've taken very particular precautions, assume every website you visit knows exactly who you are, where you’re from, etc.” Jeremiah Grossman © 2010 WhiteHat Security, Inc. | Page 17
  • 28. Browser Intranet Hacking Circa (2006) <iframe src=”http://192.168.1.1/” onload=”detection()”></iframe> © 2010 WhiteHat Security, Inc. | Page 18
  • 29. Browser Intranet Hacking Circa (2006) Intranet Wiki Printer JavaScript HTT Malware User New Web Firewall Server Bug IP Phone Tracking <iframe src=”http://192.168.1.1/” onload=”detection()”></iframe> © 2010 WhiteHat Security, Inc. | Page 18
  • 30. © 2010 WhiteHat Security, Inc. | Page 19
  • 31. DEMO © 2010 WhiteHat Security, Inc. | Page 19
  • 32. Cross-Site Scripting (XSS) At least 55% of websites + Browser Auto-Complete = pwn Cross-Site Request Forgery (CSRF) At least 19% of websites DNS Rebinding © 2010 WhiteHat Security, Inc. | Page 20
  • 33. © 2010 WhiteHat Security, Inc. | Page 21
  • 34. © 2010 WhiteHat Security, Inc. | Page 21
  • 35. © 2010 WhiteHat Security, Inc. | Page 21
  • 36. © 2010 WhiteHat Security, Inc. | Page 21
  • 37. Possible Solutions? © 2010 WhiteHat Security, Inc. | Page 22
  • 38. © 2010 WhiteHat Security, Inc. | Page 23
  • 39. Login-Detection Idea: Do not send the Web visitors cookie data to off- domain destinations, destinations different from the hostname in the URL bar, along with the Web requests. © 2010 WhiteHat Security, Inc. | Page 23
  • 40. Login-Detection Idea: Do not send the Web visitors cookie data to off- domain destinations, destinations different from the hostname in the URL bar, along with the Web requests. Breaks the Web Not sending cookies off-domain would break websites using multiple hostnames to deliver authenticated content. Breaks single-click Web widgets like Twitter “Follow,” Facebook “Like,” and Google “+1” buttons. Also breaks visitor tracking via Google Analytics, Coremetrics, etc. © 2010 WhiteHat Security, Inc. | Page 23
  • 41. © 2010 WhiteHat Security, Inc. | Page 24
  • 42. Deanonymization Idea: Ban IFRAMEs entirely, or at least ban transparent IFRAMEs. Ideally, browser users should be able to “see” what they are really clicking on. © 2010 WhiteHat Security, Inc. | Page 24
  • 43. Deanonymization Idea: Ban IFRAMEs entirely, or at least ban transparent IFRAMEs. Ideally, browser users should be able to “see” what they are really clicking on. Breaks the Web Millions of websites current rely upon IFRAMEs, including transparent IFRAMEs, for essential functionality. Notable examples are Facebook, Gmail, and Yahoo! Mail. © 2010 WhiteHat Security, Inc. | Page 24
  • 44. © 2010 WhiteHat Security, Inc. | Page 25
  • 45. Browser Intranet Hacking Idea: Create a barrier in the browser between “public” and “private” networks by prohibit the inclusion of RFC-1918 on non-RFC-1918 websites. © 2010 WhiteHat Security, Inc. | Page 25
  • 46. Browser Intranet Hacking Idea: Create a barrier in the browser between “public” and “private” networks by prohibit the inclusion of RFC-1918 on non-RFC-1918 websites. Breaks the Web Some organizations actually do include intranet content on public websites, for their employees, which does not violate RFC specification. © 2010 WhiteHat Security, Inc. | Page 25
  • 47. Browser Intranet Hacking Idea: Create a barrier in the browser between “public” and “private” networks by prohibit the inclusion of RFC-1918 on non-RFC-1918 websites. Breaks the Web Some organizations actually do include intranet content on public websites, for their employees, which does not violate RFC specification. Vulnerabilities are required by Web standards. © 2010 WhiteHat Security, Inc. | Page 25
  • 48. bigger problem KNOWN “WONT-FIX” ISSUES © 2010 WhiteHat Security, Inc. | Page 26
  • 49. Browser vendor’s choice is simple: Be less secure and more user adopted, or secure and obscure. Browser War = Trench Warfare © 2010 WhiteHat Security, Inc. | Page 27
  • 50. “[N]obody's breaking the web, dude. Not now, not ever.” Dan Kaminsky to Jeremiah Grossman, December 21, 2010 Security: SECURE Cookies, httpOnly, X-Frame-Options, Strict-Transport- Security, X-Content-Type-Options, Content Security Policy, EV-SSL, etc. •Opt-In security, by website owners •Measurably low adoption rates •Do not allow for Web users to protect themselves © 2010 WhiteHat Security, Inc. | Page 28
  • 51. © 2010 WhiteHat Security, Inc. | Page 29
  • 52. Web browsers are NOT “safe.” Web browsers are NOT “secure.” Web browsers do NOT protect your “privacy.” © 2010 WhiteHat Security, Inc. | Page 29
  • 53. Web browsers are NOT “safe.” Web browsers are NOT “secure.” Web browsers do NOT protect your “privacy.” © 2010 WhiteHat Security, Inc. | Page 29
  • 54. What do we do now? © 2010 WhiteHat Security, Inc. | Page 30
  • 55. 1) Status Quo 2) .SECURE 3) Break the Web ... © 2010 WhiteHat Security, Inc. | Page 31
  • 56. Mobile Apps “DesktopApps” Mini-browsers, where each Custom browsers’ designed to site / app is isolated. No automatically launch to a website issues with Login Detection, and go no further. Denaonymization, etc. © 2010 WhiteHat Security, Inc. | Page 32
  • 57. Thank You! “I Know...” series http://blog.whitehatsec.com/introducing-the-i-know-series/ Blog: http://blog.whitehatsec.com/ Twitter: http://twitter.com/jeremiahg Email: jeremiah@whitehatsec.com © 2012 WhiteHat Security, Inc. 33