
Insecurities 2.0


Session given at the BarCamp in Hamburg (06/09/07)


  1. Insecurities 2.0
     Universität Hamburg, BarCamp Hamburg, 09.06.2007
     Martin Johns, University of Hamburg, Fachbereich Informatik, SVS – Sicherheit in Verteilten Systemen (Security in Distributed Systems)
  2. A short survey
     Who in this room is familiar with:
       - Cross-Site Scripting (XSS)
       - Cross-Site Request Forgery / Session Riding (XSRF)
       - (SQL injection, path traversal, remote command injection)
     Web Security 1.0:
       - Attacking the server (SQL injection, buffer overflow)
       - Attacking the browser (buffer overflow)
     Web Security 2.0:
       - Attacking the application on the client side
     © Martin Johns, UHH, FB Inf, SVS
  3. Insecurities 2.0 (technological): what's new, pussycat?
     AJAX:
       - Badly integrated into existing authentication frameworks
       - Breaks automatic solutions
     JSON:
       - Hmmm, let's use executable code for data transport... does this sound like a good idea?
     Web APIs and mashable applications:
       - E.g. Yahoo Pipes, Google Translate, ...
       - Provide malware with further cross-domain capabilities
     Flash:
       - Breaking CSRF protection with crossdomain.xml (a permissive policy lets a Flash movie served from another domain read the site's pages, and with them its anti-CSRF tokens)
     Web browsers:
       - New capabilities of recent JavaScript implementations
  4. Insecurities 2.0 (social)
     "Social sites":
       - User-provided content
       - Highly interactive
       - Interwoven communities
       - An excellent breeding ground for self-replicating XSS
     Self-hosting:
       - Setting up WordPress yourself is quite easy nowadays
       - Blog worms, anyone?
  5. Web 2.0 == client-side attacks are fun again
     Traditional applications move to the web:
       - Finally, interesting data is reachable via XSS / CSRF
     Mighty, mighty web browser:
       - Turing-complete programming language
       - Rich network capabilities: XMLHttpRequest, Flash, Java sockets
     Malware leaves no traces
     Who needs botnets anymore?
  6. Example 1: Breaking applications (CSRF)
     Vulnerable: Digg
       - Digg's front page is determined by the number of "diggs" a story gets
       - Using CSRF, a web page was able to make the victim's browser "digg" an arbitrary URL
       - The demo page "digged" itself
  7. Example 2: Samy is my hero (XSS)
     The first large-scale XSS worm:
       - Exploited a stored XSS problem in MySpace
       - Every user who visited an infected profile involuntarily added the worm to their own profile
       - Exponential growth: over 1,000,000 profiles infected in 24 hours
       - The worm made heavy use of the XMLHttpRequest object
  8. Example 3: GMail address book disclosure
     Address-book data is communicated as JSON:
       [["ct","YourName","foo@gmail.com"],
        ["ct","AnotherName","bar@gmail.com"]]
     But the content of this URL can also be loaded via script injection from any site:
       <script src="...">
     By overwriting the global Array constructor, this data could be read cross-domain