This document discusses exploiting vulnerabilities in ASP.net server-side web controls. It describes how dormant or hidden server controls can still be executed to abuse application logic, even when protections like event validation and viewstate MAC are enabled. Specific attacks covered include executing events of commented out, disabled, and invisible controls by manipulating POST data. The document also outlines techniques for fingerprinting server control properties and overriding them to alter application behavior. It introduces the RIA SCIP ZAP extension for analyzing these issues and demonstrates attacks. Risk mitigation recommendations are provided focusing on secure coding practices.
Every software developer knows object oriented programming; in fact most use it every day. Using OOP enables code reuse and creates readable and maintainable code.
But there are places where object oriented is just not enough. There are features that cut across the entire system such as security, logging and transaction handling which are hard to implement efficiently using the OO paradigm.
Aspect Oriented Programming (AOP) helps us deal with these application-wide concerns by adding a high level of reuse to the traditional OOP framework.
In this session I'll explain what AOP is all about and how it can be implemented in .NET using simple methods and industrial grade frameworks to improve the developer's everyday work by using aspects.
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins44CON
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
A quick summary of the current state of big data technology and data science approaches used in cyber / network defender security analytics including summary use cases, a walk through of a reference architecture and breakdown of the required skills. Focus is on the knowledge needed to run a proof of concept and establish a programme for early benefits. Will then also include a view on the future of extending the platforms and capabilities of security analytics to cover performance metrics and data-driven security management approaches.
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley44CON
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
Let’s take a quick trip across the sea to the halls of Black Hat. What made the training network tick? How was it created, who was attacking the network, and how was it defended? How do you keep the wired training network up and reliable when you have nearly two thousand people hammering on it? What tricks kept the wireless running for all those tweets?
Every software developer knows object oriented programming; in fact most use it every day. Using OOP enables code reuse and creates readable and maintainable code.
But there are places where object oriented is just not enough. There are features that cut across the entire system such as security, logging and transaction handling which are hard to implement efficiently using the OO paradigm.
Aspect Oriented Programming (AOP) helps us deal with these application-wide concerns by adding a high level of reuse to the traditional OOP framework.
In this session I'll explain what AOP is all about and how it can be implemented in .NET using simple methods and industrial grade frameworks to improve the developer's everyday work by using aspects.
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins44CON
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
A quick summary of the current state of big data technology and data science approaches used in cyber / network defender security analytics including summary use cases, a walk through of a reference architecture and breakdown of the required skills. Focus is on the knowledge needed to run a proof of concept and establish a programme for early benefits. Will then also include a view on the future of extending the platforms and capabilities of security analytics to cover performance metrics and data-driven security management approaches.
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley44CON
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
Let’s take a quick trip across the sea to the halls of Black Hat. What made the training network tick? How was it created, who was attacking the network, and how was it defended? How do you keep the wired training network up and reliable when you have nearly two thousand people hammering on it? What tricks kept the wireless running for all those tweets?
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford44CON
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
Risk is often seen as a dirty word in business. It is a thing that needs to be reduced to nothing, and has no possible good use in an organization, especially a security programme.
This couldn’t be more wrong! Risk is an inherent part of any business, and yet it is often poorly recognized and leveraged in the security organisation. In this presentation Thom will look at three areas of the risk conundrum to open the veil on the elusive art of understanding and ultimately measuring risk.
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON
44CON 2014 - Researching Android Device Security with the Help of a Droid Army, Joshua J. Drake
In the last few years, Android has become the world’s leading smart phone operating system. Unfortunately, the diversity and sheer number of devices in the ecosystem represent a significant challenge to security researchers. Primarily, auditing and exploit development efforts are less effective when focusing on a single device because each device is like a snowflake: unique.
This presentation centers around the speaker’s approach to dealing with the Android diversity problem, which is often called “fragmentation”. To deal with the issue, Joshua created a heterogeneous cluster of Android devices. By examining and testing against multiple devices, you can discover similarities and differences between devices or families of devices. Such a cluster also enables quickly testing research findings or extracting specific information from each device.
44CON 2014 - Advanced Excel Hacking, Didier Stevens
This is a workshop on hacking Excel on Windows without exploits.
Visual Basic for Applications (VBA) is a powerful programming language, more powerful than VBScript, because it has access to the Windows API. What I teach in this workshop is applicable to all applications with VBA support (Word, Powerpoint, AutoCAD, …), but I choose Excel because of its prevalence and its tabular GUI that is particularly suited for inputting and outputting data.
I illustrate 2 major hacking techniques on Excel: pure VBA and VBA mixed with with special shellcode and DLLs.
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
This 2 hour workshop will introduce you to Industrial Ethernet Switches and their vulnerabilities. These are switches used in industrial environments, like substations, factories, refineries, ports, or other other homes of industrial automation equipment. In other words, scada and ICS switches. You will gain familiarity with the basic usage of these switches, and do some very light traffic analysis and firmware reverse engineering.
Not only will vulnerabilities be disclosed for the first time (exclusively at 44CON), but the methods of finding those vulnerabilities will be shared. If you have never done any reverse engineering or firmware analysis, this might be a good place to start.
You will need to be familiar with a linux commandline, and the usage of tools such as BURP and wireshark. If you are an IDA Pro wizard we welcome your attendance, but we won’t be teaching you anything new. However, we will examine firmware and device embedded webservers with tools such binwalk, strings, grep, xxd, python, scapy, and compression utilities.
All vulnerabilities taught/disclosed will be in the default configuration state of the devices. While these vulnerabilities have been responsibly disclosed to the vendors, SCADA/ICS patching in live environments tends to take 1-3 years. So this work will be fresh and useful for your penetration tests in the future.
You might even find new vulnerabilities with the chance to play with these devices (which are being brought to 44CON for this workshop)!
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
Residential gateway (/SOHO router) exploitation is a rising trend in the security landscape - ever so often do we hear of yet another vulnerable device, with the occasional campaign targeted against specific versions of devices through independent scanning or Shodan dorking. We shine a bright light on TR-069/CWMP, the previously under-researched, de-facto CPE device management protocol, and specifically target ACS (Auto Configuration Server) software, whose pwnage can have devastating effects on critical amounts of users. These servers are, by design, in complete control of entire fleets of consumer premises devices, intended for use by ISPs and Telco providers. or nation-state adversaries, of course (sorry NSA, we know it was a cool attack vector with the best research-hours-to-mass-pwnage ratio). We investigate several TR-069 ACS platforms, and demonstrate multiple instances of poorly secured deployments, where we could have gained control over hundreds of thousands of devices. During the talk (pending patch availability), we will release exploits to vulnerabilities we discovered in ACS software, including RCEs on several platforms.
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas44CON
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
”…and therein lies the Android problem…” Vendors, service providers, handset manufacturers, an insane number of different devices, patch stagnation, lack of updates, blah, blah, blah. We get it, and honestly it’s starting to be a tad boring. So why would you want to sit through yet another Android talk? You don’t, and I don’t want to give that talk anyway.
Instead, let us spend some time talking about the roots of all smartphones: The hardware design, the system on chip internals, the problematic linux kernels. Let’s chat about design reuse and how to take advantage of lazy electronic engineers. Let’s converse about generational design flaws and how they can be exploited. In short, let’s talk about breaking a bunch of expensive toys.
This talk will cover multiple handset manufacturers internal PCB designs, a fair bit of Qualcomm exploration, some witty banter about the fossil-esque linux kernel we drag about daily and probably some childish poking at the trusted boot process
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe FitzPatrick
Most dismiss power side channel attacks as difficult, expensive and unlikely, and are therefore out of scope for many security evaluations. Recent presentations have demonstrated how to get this cost down to a few hundred dollars using low-cost, high performance analog components alongside current high performance FPGAs.
By simplifying both the target hardware and the analysis, I aim to present a series of simple examples of timing and power analysis attacks on microcontroller hardware that require no advanced math and can be done in the comfort of your home for less than $20 in parts
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
There are over 2.9 BILLION subscribers on GSM networks today. How many of these subscribers are susceptible to trivial attacks that can leave phone calls, text messages and web surfing habits accessible to an attacker? This talk intends to discuss the reasons why GSM networks are still vulnerable today and demonstrate attack tools that might make you re-think how you handle sensitive data via your phone. The presenter will discuss his own experience of analysing GSM environments and provide a demonstration of GreedyBTS which can be used to compromise a targets phone calls, messaging and web surfing habits. Mobile Phones will be harmed during this presentation.
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick.
Hardware hacks tend to focus on low-speed (jtag, uart) and external (network, usb) interfaces, and PCI Express is typically neither. After a crash course in PCIe Architecture, we’ll demonstrate a handful of hacks showing how pull PCIe outside of your system case and add PCIe slots to systems without them, including embedded platforms. We’ll top it off with a demonstration of SLOTSCREAMER, an inexpensive device that’s part of the NSA Playset which we’ve configured to access memory and IO, cross-platform and transparent to the OS - all by design with no 0-day needed. The open hardware and software framework that we will release will expand your Playset with the ability to tinker with DMA attacks to read memory, bypass software and hardware security measures, and directly attack other hardware devices in the system.
44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw44CON
44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw
CANAPE is an open source network proxy written in .NET. It has been developed to aid in the analysis and exploitation of unknown application network protocols using a similar use case to common HTTP proxies such as Burp or CAT.
This workshop will go through the basics of analysing an unknown application protocol with hands on training examples. By the end of the workshop candidates should be able to better understand CANAPE’s functionality and be able to apply that to other protocols they come across.
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Francis Alexander
The rise of NoSQL databases and their simplicity has made corporates as well as end users have started to move towards NoSQL,However is it safe?.Does NoSQL mean we will not have to worry about Injection attacks. Yes We Do. This paper concentrates on exploiting NoSQL DB’s especially with its reach towards Mongodb,Couchdb and Redis and automating it using the NoSQL Exploitation Framework.
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford44CON
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
Risk is often seen as a dirty word in business. It is a thing that needs to be reduced to nothing, and has no possible good use in an organization, especially a security programme.
This couldn’t be more wrong! Risk is an inherent part of any business, and yet it is often poorly recognized and leveraged in the security organisation. In this presentation Thom will look at three areas of the risk conundrum to open the veil on the elusive art of understanding and ultimately measuring risk.
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON
44CON 2014 - Researching Android Device Security with the Help of a Droid Army, Joshua J. Drake
In the last few years, Android has become the world’s leading smart phone operating system. Unfortunately, the diversity and sheer number of devices in the ecosystem represent a significant challenge to security researchers. Primarily, auditing and exploit development efforts are less effective when focusing on a single device because each device is like a snowflake: unique.
This presentation centers around the speaker’s approach to dealing with the Android diversity problem, which is often called “fragmentation”. To deal with the issue, Joshua created a heterogeneous cluster of Android devices. By examining and testing against multiple devices, you can discover similarities and differences between devices or families of devices. Such a cluster also enables quickly testing research findings or extracting specific information from each device.
44CON 2014 - Advanced Excel Hacking, Didier Stevens
This is a workshop on hacking Excel on Windows without exploits.
Visual Basic for Applications (VBA) is a powerful programming language, more powerful than VBScript, because it has access to the Windows API. What I teach in this workshop is applicable to all applications with VBA support (Word, Powerpoint, AutoCAD, …), but I choose Excel because of its prevalence and its tabular GUI that is particularly suited for inputting and outputting data.
I illustrate 2 major hacking techniques on Excel: pure VBA and VBA mixed with with special shellcode and DLLs.
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
This 2 hour workshop will introduce you to Industrial Ethernet Switches and their vulnerabilities. These are switches used in industrial environments, like substations, factories, refineries, ports, or other other homes of industrial automation equipment. In other words, scada and ICS switches. You will gain familiarity with the basic usage of these switches, and do some very light traffic analysis and firmware reverse engineering.
Not only will vulnerabilities be disclosed for the first time (exclusively at 44CON), but the methods of finding those vulnerabilities will be shared. If you have never done any reverse engineering or firmware analysis, this might be a good place to start.
You will need to be familiar with a linux commandline, and the usage of tools such as BURP and wireshark. If you are an IDA Pro wizard we welcome your attendance, but we won’t be teaching you anything new. However, we will examine firmware and device embedded webservers with tools such binwalk, strings, grep, xxd, python, scapy, and compression utilities.
All vulnerabilities taught/disclosed will be in the default configuration state of the devices. While these vulnerabilities have been responsibly disclosed to the vendors, SCADA/ICS patching in live environments tends to take 1-3 years. So this work will be fresh and useful for your penetration tests in the future.
You might even find new vulnerabilities with the chance to play with these devices (which are being brought to 44CON for this workshop)!
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
Residential gateway (/SOHO router) exploitation is a rising trend in the security landscape - ever so often do we hear of yet another vulnerable device, with the occasional campaign targeted against specific versions of devices through independent scanning or Shodan dorking. We shine a bright light on TR-069/CWMP, the previously under-researched, de-facto CPE device management protocol, and specifically target ACS (Auto Configuration Server) software, whose pwnage can have devastating effects on critical amounts of users. These servers are, by design, in complete control of entire fleets of consumer premises devices, intended for use by ISPs and Telco providers. or nation-state adversaries, of course (sorry NSA, we know it was a cool attack vector with the best research-hours-to-mass-pwnage ratio). We investigate several TR-069 ACS platforms, and demonstrate multiple instances of poorly secured deployments, where we could have gained control over hundreds of thousands of devices. During the talk (pending patch availability), we will release exploits to vulnerabilities we discovered in ACS software, including RCEs on several platforms.
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas44CON
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
”…and therein lies the Android problem…” Vendors, service providers, handset manufacturers, an insane number of different devices, patch stagnation, lack of updates, blah, blah, blah. We get it, and honestly it’s starting to be a tad boring. So why would you want to sit through yet another Android talk? You don’t, and I don’t want to give that talk anyway.
Instead, let us spend some time talking about the roots of all smartphones: The hardware design, the system on chip internals, the problematic linux kernels. Let’s chat about design reuse and how to take advantage of lazy electronic engineers. Let’s converse about generational design flaws and how they can be exploited. In short, let’s talk about breaking a bunch of expensive toys.
This talk will cover multiple handset manufacturers internal PCB designs, a fair bit of Qualcomm exploration, some witty banter about the fossil-esque linux kernel we drag about daily and probably some childish poking at the trusted boot process
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe FitzPatrick
Most dismiss power side channel attacks as difficult, expensive and unlikely, and are therefore out of scope for many security evaluations. Recent presentations have demonstrated how to get this cost down to a few hundred dollars using low-cost, high performance analog components alongside current high performance FPGAs.
By simplifying both the target hardware and the analysis, I aim to present a series of simple examples of timing and power analysis attacks on microcontroller hardware that require no advanced math and can be done in the comfort of your home for less than $20 in parts
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
There are over 2.9 BILLION subscribers on GSM networks today. How many of these subscribers are susceptible to trivial attacks that can leave phone calls, text messages and web surfing habits accessible to an attacker? This talk intends to discuss the reasons why GSM networks are still vulnerable today and demonstrate attack tools that might make you re-think how you handle sensitive data via your phone. The presenter will discuss his own experience of analysing GSM environments and provide a demonstration of GreedyBTS which can be used to compromise a targets phone calls, messaging and web surfing habits. Mobile Phones will be harmed during this presentation.
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick.
Hardware hacks tend to focus on low-speed (jtag, uart) and external (network, usb) interfaces, and PCI Express is typically neither. After a crash course in PCIe Architecture, we’ll demonstrate a handful of hacks showing how pull PCIe outside of your system case and add PCIe slots to systems without them, including embedded platforms. We’ll top it off with a demonstration of SLOTSCREAMER, an inexpensive device that’s part of the NSA Playset which we’ve configured to access memory and IO, cross-platform and transparent to the OS - all by design with no 0-day needed. The open hardware and software framework that we will release will expand your Playset with the ability to tinker with DMA attacks to read memory, bypass software and hardware security measures, and directly attack other hardware devices in the system.
44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw44CON
44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw
CANAPE is an open source network proxy written in .NET. It has been developed to aid in the analysis and exploitation of unknown application network protocols using a similar use case to common HTTP proxies such as Burp or CAT.
This workshop will go through the basics of analysing an unknown application protocol with hands on training examples. By the end of the workshop candidates should be able to better understand CANAPE’s functionality and be able to apply that to other protocols they come across.
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Francis Alexander
The rise of NoSQL databases and their simplicity has made corporates as well as end users have started to move towards NoSQL,However is it safe?.Does NoSQL mean we will not have to worry about Injection attacks. Yes We Do. This paper concentrates on exploiting NoSQL DB’s especially with its reach towards Mongodb,Couchdb and Redis and automating it using the NoSQL Exploitation Framework.
CyberLab Training Division :
ASP.NET is a web application framework developed and marketed by Microsoft to allow programmers to build dynamic web sites. It allows you to use a full featured programming language such as C# or VB.NET to build web applications easily.
This tutorial covers all the basic elements of ASP.NET that a beginner would require to get started.
Audience
This tutorial has been prepared for the beginners to help them understand basic ASP.NET programming. After completing this tutorial you will find yourself at a moderate level of expertise in ASP.NET programming from where you can take yourself to next levels.
Prerequisites
Before proceeding with this tutorial, you should have a basic understanding of .NET programming language. As we are going to develop web-based applications using ASP.NET web application framework, it will be good if you have an understanding of other web technologies such as HTML, CSS, AJAX. etc
ASP.NET supports three different development models:
Web Pages, MVC (Model View Controller), and Web Forms.
For More Details.
Visit: http://www.cyberlabzone.com
Workshop on how to build Vaadin Add-ons. We introduce two styles of building Vaadin add-on components for Vaadin: integrating an existing GWT widget (DatePicker), and integrating an existing JavaScript library (three.js).
Developing ASP.NET Applications Using the Model View Controller Patterngoodfriday
Learn how to use the model-view-controller (MVC) pattern to take advantage of your favorite .NET Framework language for writing business logic in a way that is de-coupled from the views of the data.
The Kentico Online Marketing solution simplifies sophisticated digital marketing. The system provides an amazing out of the box feature set. But what if you need to integrate or customize the Kentico feature set? Attend this webinar, hosted by Kentico MVP Brian McKeiver, to find out how.
During the Kentico EMS API deep dive session, Brian will illustrate code samples for how to customize and extend the system in an upgrade safe way utilizing the Kentico API. Attend this session to learn how to best use the Kentico EMS API.
What's covered during webinar is listed below:
The basics – What does Kentico 8.2 offer?
First steps to customize - Registering Custom Classes
Create Campaigns and Conversions Programmatically
Activity Tracking - Creating Custom Activity types
Marketing Automation - Creating Custom Steps and Actions
Important Kentico K# Macros for Scoring, Automation, and Personalization
A few quick Kentico Marketing Solution Optimizations
For more information see my blog post at http://www.mcbeev.com/Blog/August-2015/I-m-Presenting-at-the-Next-Kentico-User-Group-Webinar
By Brian McKeiver
Co-Owner @ BizStream
Kentico MVP
http://www.mcbeev.com
Salesforce's Event-Driven Software Architecture is presented by Tim Taylor, a member of the Jacksonville FL Developer group. For more information see
Platform Events Developer Guide - https://developer.salesforce.com/docs/atlas.en-us.platform_events.meta/platform_events/platform_events_intro.htm
Platform Events Basics - https://trailhead.salesforce.com/en/content/learn/modules/platform_events_basics
These are the slides from our January presentation of our in-Flash payment solution.
It gives a brief overview of Social Gold as well as a technical presentation that shows how to integrate the our in-Flash solution with your Flash game.
Enjoy!
in this presentation we give a brief intro to Social Gold, an overview of the in-flash solution architecture followed by a step by step integration example.
The complete ASP.NET (IIS) Tutorial with code example in power point slide showSubhas Malik
SP.NET is a server-side Web application framework designed for Web development to produce dynamic Web pages. It was developed by Microsoft to allow programmers to build dynamic web sites, web applications and web services. It was first released in January 2002 with version 1.0 of the .NET Framework, and is the successor to Microsoft's Active Server Pages (ASP) technology. ASP.NET is built on the Common Language Runtime (CLR), allowing programmers to write ASP.NET code using any supported .NET language. The ASP.NET SOAP extension framework allows ASP.NET components to process SOAP messages.
Similar to 44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web Controls - Shay Chen (20)
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...44CON
Your job is to secure operations. But nobody listens to you. There’s no budget. Management keeps making bad security decisions that seem to sabotage your efforts. Do you flee or do you try harder? The security books, blogs, and tweeting pundits out there tell us we need to learn the language of business. We need to put risk in terms of money that management understands. We need to be like the management we’re trying to protect. And that’s where it all falls apart. The security to business relationship is often textbook abusive codependency. You do well and nobody notices. You fail and you get fired or worse- shamed by your peers over social media for whatever the company releases as the statement for the breach. So how do you do SecOps under those conditions? This talk will focus on new ways to approach SecOps to face the challenges you have today with business demands. We will look at new security research that will make a difference for how you do your job. Most of all we will show you technical security practices to help you sustain your new found stance.
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...44CON
One of the hottest topics in current crypto research is Post-Quantum Cryptography. This branch of cryptography addresses asymmetric crypto systems that are not prone to quantum computers.
Virtually all asymmetric crypto systems currently in use (Diffie-Hellman, RSA, DSA, and Elliptic Curve Crypto Systems) are not Post-Quantum. They will be useless, once advanced quantum computers will be available. Quantum computer technology has made considerable progress in recent years, with major organisations, like Google, NSA, and NASA, investing in it.
Post-Quantum Cryptography uses advanced mathematical concepts. Even if one knows the basics of current asymmetric cryptography (integer factorisation, discrete logarithms, …), Post-Quantum algorithms are hard to understand.
The goal of this presentation is to explain Post-Quantum Cryptography in a way that is comprehensible for non-mathematicians. Five families of crypto systems (as good as all known Post-Quantum algorithms belong to these) will be introduced:
Lattice-based systems:
The concept of lattice-based asymmetric encryption will be explained with a two-dimensional grid (real-world implementations use 250 dimensions and more). Some lattice-based ciphers (e.g., New Hope) make use of the Learning with Error (LWE) concept. I will demonstrate LWE encryption in a way that is understandable to somebody who knows Gaussian elimination (this is taught at middle school). Other lattice-based systems (especially NTRU) use truncated polynomials, which I will also explain in a simple way.
Code-based systems:
McEliece and a few other asymmetric ciphers are based on error correction codes. While teaching the whole McEliece algorithm might be too complex for a 44CON presentation, it is certainly possible to explain error correction codes and the main McEliece fundamentals.
Non-commutative systems:
There are nice ways to explain non-commutative groups and the crypto systems based on these, using everyday-life examples. Especially, twisting a Rubik’s Cube and plaiting a braid are easy-to-understand group operations a crypto system can be built on.
Multivariate systems:
Multivariate crypto can be explained to somebody who knows Gaussian elimination.
Hash-based signatures: If properly explained, Hash-based signatures are easier to understand than any other asymmetric crypto scheme.
I will explain these systems with cartoons, drawings, photographs, a Rubik’s Cube and other items.
In addition, I will give a short introduction to quantum computers and the current Post-Quantum Crypto Competition (organised by US authority NIST).
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...44CON
Data Center security has been forced to reinvent itself as software complexity increases, networking capabilities grow more agile, and attack complexity turns unmanageable. With this change, the need for security policy enforcement to be handled at the edge has pushed functionality onto host compute systems, resulting in inherent performance loss and security weakness due to consolidation of resources.
In the first part of the talk we will be presenting a SmartNIC-based model for data-center security that solves both the performance problem and the security problems of edge-centric policy models. The model features a more robust isolation of responsibilities, superior offload capabilities, significantly better scaling of policy, and unique visibility opportunities.
To illustrate this, we present a SmartNIC-based reference architecture for network layout, as well as examples of SmartNIC security controls and their resulting threat models.
The second part of the talk will unveil a new innovative technique for tamper proof host introspection as SmartNICs are in a unique position to analyze and inspect the memory of the host to which they are attached. Normally, this functionality is reserved for a hypervisor, where it is known as ‘guest introspection’ or ‘virtual-machine introspection’. With host introspection, security controls no longer live in the hypervisor, but on the SmartNIC itself, on a separate trust domain. In this way, the visibility normally achieved with guest introspection can be performed for the entire host memory in an isolated and secure area. In order for host introspection to work in the same way as guest introspection, memory is DMA transferred in bursts over the PCI-e bus that attaches the SmartNIC to the host. As this method can be subverted to hide unwanted software, we will demonstrate a novel approach to tamper proof the acquisition of memory and for performing live introspection.
Host introspection complements the network controls implemented using the SmartNIC by enabling the measurement of the integrity and the behavior of workloads (virtual machines, containers, bare metal servers) to identify possible indicators of compromise. The visibility and context gained also enhances the granularity of network controls, resulting in measurably better security for the data center compared to traditional software-only based controls.
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...44CON
Exploits, Backdoors, and Hacks: words we do not commonly hear when speaking of Machine Learning (ML). In this talk, I will present the relatively new field of hacking and manipulate machine learning systems and the potential these techniques pose for active offensive research.
The study of Adversarial ML allows us to leverage the techniques used by these algorithms to find weak points and exploit them in order to achieve:
Unexpected consequences (why did it decide this rifle is a banana?)
Data leakage (how did they know Joe has diabetes)
Memory corruption and other exploitation techniques (boom! RCE)
Influence the output
In other words, while ML is great at identifying and classifying patterns, an attacker can take advantage of this and take control of the system.
This talk is an extension of research made by many people, including presenters at DefCon, CCC, and others – a live demo will be shown on stage!
Garbage In, RCE Out :)
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...44CON
Numerous technical articles, presentations, and even books exists about reverse engineering the Windows Driver Model (WDM) for purposes that vary from simply understanding how a specific driver works, to malware analysis and bug hunting. On the other hand, Microsoft has been providing the Kernel Mode Driver Framework (KMDF) for quite a while and we now see more and more drivers shifting to this framework instead of interacting directly with the OS like in the old WDM times. Yet, there is close to no information on how to approach this model from a reverse engineering and offensive standpoint.
In this presentation, I will first do a quick recap on WDM drivers, its common structures, and how to identify its entry points. Then I’ll introduce KMDF with all its relevant functions for reverse engineering through a set of case-studies. I’ll describe how to interact with a KMDF device object through SetupDI api and how to find and analyze the different IO queues dispatch routines. Does the framework actually enhances security? We’ll come to a conclusion after revealing some major vendor implementation problems.
Armed with this knowledge, you will be able to run your own bug hunting session over any KMDF driver.
The UK's Code of Practice for Security in Consumer IoT Products and Services ...44CON
In March 2018, the UK launched its Secure by Design report in order to help defend against security threats, especially for consumer Internet of Things products and services. Over the past few years, poorly secured IoT devices have been hijacked in both targeted as well as large-scale DDoS attacks such as Mirai. In addition to this, poor security can threaten both privacy and safety.
The speaker, David Rogers authored the UK’s ‘Code of Practice for Security in Consumer IoT Products and Associated Services’, in collaboration with DCMS, NCSC, ICO and industry colleagues with extensive support from the security research community. David will discuss the guidelines within the Code of Practice, why these were prioritised and why the top three became dealing with the password problem, implementing vulnerability disclosure and acting on it and addressing software updates. David will also look at what’s next: what will the challenges be and will the Code of Practice succeed in its aims? How can IoT products possibly be certified and how will the threat landscape change in response to improving security?
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...44CON
Cyber Security is often framed in terms of ‘Risk’- the possibility of suffering harm or loss – and the ‘Management’ of Risk to reduce uncertainty. This is familiar territory for businesses. Cyber Security falls in neatly under Risk Management, is assigned a suitable place on the organigramme, tossed some spare budget and granted a few paragraphs in the board report. NIST defines Risk as a ‘function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organisation’.
Key theme:
This presentation explores the idea that making cyber security analogous to risk is holding us back. How about we talk about security ‘debt’ instead? Technical Debt is already a well understood concept in software development – the cost of additional rework caused by choosing an easy solution now instead of using a better approach that would take longer or cost more. Changing our language changes how we think and how we behave. This presentation argues that such a change could have a significant impact on software security.
In this presentation we will comment on the power of ‘analogies’ and how they’ve shaped our industry. We’ll then consider the difference between the ‘security as risk’ and the ‘security as debt’ paradigms and explore how changing paradigms may change the way we think about, talk about and measure software security. We believe this could have a very empowering effect on development managers and other security professionals who are struggling to articulate the relative benefits of security (or a lack of security) to a software product.
Con speakers fear the Nerf gun. Overrun your talk time at your peril; Steve will shoot your arse with extreme prejudice until you STFU. We had to find a way to pwn the gun and shoot him back.
That’s when we found the Nerf Terrascout: a remote tank gun controlled over 2.4GHz, with a video feed to the remote, complete with crosshairs.
At first, we thought this would be a trivial job: figure out the RF and take control. It turned in to a mammoth hardware, firmware and RF reversing project.
This puppy is so over-specced it would drive you to tears.
The talk will cover the fails, hair loss and eventual success. There won’t be any smart dildos in it, though some of the techniques used are equally suited to teledildonics exploitation, if that’s your thing.
Reversing RF in a high frequency environment using SDRs is challenging. We’ll discuss how we worked around these issues using hardware reversing skills.
We had to import hardware from China for this project, which we could then programme ourselves using SPI, impersonate the legitimate controller and ‘jack the tank gun.
This talk will of course include a live demonstration of hijacking the tank gun and (possibly) shooting Steve.
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...44CON
Presented by: Julien Voisin and Thibault Koechlin
Suhosin is a great PHP module, but unfortunately, it’s getting old, new ways have been found to compromise PHP applications, and some aren’t working anymore; and it doesn’t play well with the shiny new PHP 7. As a secure web-hosting company, we needed a reliable and future-proof solution to address the flow of new vulnerabilities that are published every day. This is why we developed Snuffleupagus, a new (and open-source!) PHP security module, that provides several features that we needed: passively killing several PHP-specific bug classes, but also implementing virtual-patching at the PHP level, allowing to patch vulnerabilities in a precise, false-positive-free, ultra-low overhead way, without even touching the applications’ code.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web Controls - Shay Chen
1. .Net Havoc
Abusing ASP.net Mechanics &
Overriding Properties of ServerSide Web Controls
Shay Chen, CTO
Hacktics ASC, Ernst & Young
September 12th, 2013
Page 1
2. About
► Formerly
a boutique company that provided
information security services since 2004.
► As of 01/01/2011, Ernst & Young acquired
Hacktics professional services practice, and
the group joined EY as one of the firm’s
advanced security centers (ASC).
Page 2
5. Property Injection / Property Override
► Fingerprint
visible & hidden control types
► Override server side control properties
► Access additional data sources in the
backend databases and systems
► Execute application attacks while
bypassing ASP.net security mechanisms
Page 5
6. Event Execution Exploits (EodSec)
► Elevate
privileges by executing
controls/events of high-privileged users
► Exploit vulnerable code stored in dormant
events
► Corrupt the application data
► Exceed logical restrictions
► Etc
Page 6
7. Risk Factors
► Hidden
Server Control Identification
► Server Control Type Fingerprinting
► Server Control Property Manipulation
► Server Control Property Injection
► Execution of Dormant Server Controls
► Cached Viewstate Reuse
Page 7
9. Security Features in ASP.net/Mono
► Event
Validation
► Digital Signatures / MAC
►
Limit to List, Manipulation Prevention
► Security
Filter (XSS)
► Sandbox
► Built-in Regular Expressions
► Etc
Page 9
10. Attack Surface Analysis: Entry Points
► Purpose:
►
►
►
►
►
Locating Code to Abuse
Web Pages
Web Service Methods
Global Modules (Filters, Handlers, Etc)
…
*Events of Server Web Controls*
Page 10
14. The Structure of the Viewstate Field
►
Viewstate HTML Structure:
►
►
Serialized into Base64*
Signed (MAC), clear-text or
encrypted
Page 14
15. Event Validation Drill Down
Independent Events (e.g. buttons with
usesubmitbehavior=false, etc)
► Programmatic vs. Declarative
►
Page 15
16. The Event Validation Mechanism
►
Name/Value HashCode Formula
if ([ControlValue] == null)
return GetStringHashCode([ControlName]);
else
return GetStringHashCode([ControlName]) ^ GetStringHashCode([ControlValue]);
The EventValidation Field
►
<-Viewstate
Hashcode
►
<-Control
Hashcodes
►
►
MachineKey and MAC
Control Name/Value
Verification, Prior to Event
Execution
Include viewstate hashcode
Included in the HTML:
Page 16
17. Evidence of Hidden Controls & Type
►
►
Visible/Enabled Controls:
EventValidation
(Viewstate Decoder):
Invisible / Disabled Controls (Properties in Viewstate):
EventValidation
(Viewstate Decoder):
Page 17
19. Fingerprinting Server Controls
►
Control Viewstate Presence
►
►
►
►
Collection of Properties for Each Control
Boolean, Numeric, Text, etc
Properties reloaded from the viewstate
Rule of Thumb – Properties in Viewstate
►
►
Programmatic value manipulation
Significant In-Design Modifications
Page 19
24. Overriding Control Properties
►
Reusing Valid Viewstates
►
►
►
►
MAC Compatibility
Mining Sources
Structure Similarity
Reconstructing Unsigned Viewstates
►
►
Structure and Order of Properties
Insertion of Value Pair Blocks
Page 24
26. Dormant Server Web Controls, 1 of 3
►
Commented Out Controls
►
►
Commented out using HTML comments (<!-- -->)
Rendered inside an HTML comment, but the server
code is still active.
Page 26
27. Dormant Server Web Controls, 2 of 3
►
Disabled Controls
►
►
►
The control enabled property is set to false (Server)
Rendered with the disabled="disabled" HTML property
Rendered without an input postback method
Page 27
28. Dormant Server Web Controls, 3 of 3
►
Invisible Controls
►
►
The control visible property is set to false
Not rendered in the presentation layer, but the code is
still active
Page 28
29. Dormant Events of Web Controls
► Dormant
►
►
Events of Visible Controls
Declarative: Optional events of controls with
multiple events
Programmatic: Optional event listeners
registered in the code level for controls with at
least one active event
Page 29
31. Commented Control Event Execution
►
Prerequisites (ASP.Net) - Commented Out Controls:
►
►
►
Process
►
►
Comment server control using HTML comments
Event code does not include privilege validation
“uncomment” the HTML control and execute the event, or
send the appropriate values directly.
Advantages
►
Exploit works despite the Viewstate MAC AND
EventValidation.
Page 31
34. Disabled Control Event Execution
►
Prerequisites (ASP.Net / Mono) - Disabled Controls:
►
►
►
Process
►
►
►
The control “enabled” server property is set to FALSE
Event code does not include privilege validation
ASP.Net/Mono: Forge a postback / callback call, or send the
appropriate values directly.
Mono: delete the viewstate (!)
Advantages
►
Exploit works despite an active Viewstate MAC AND
EventValidation.
Page 34
35. Forging a Disabled Control Event
►
►
Forging a PostBack / CallBack Method Call
Why does it work?
►
►
►
ASP.Net: Temporarily disabled controls are a feature
Mono: EventValidation’ Viewstate hash-code issue
How does it work?
►
The control name is exposed in the disabled control
►
Use an interception proxy to “inject” postback calls into
HTML control events, or craft requests manually.
Page 35
37. Invisible Control Event Execution 1/4
►
Prerequisites (ASP.Net / Mono) - Invisible Controls:
►
(I) Either the ViewstateMAC OR the EventValidation features
must be turned off
►
(II) The control “visible” server property is set to FALSE
(III) Event code does not include privilege validation
►
Page 37
38. Invisible Control Event Execution 2/4
►
EventValidation is OFF
►
No event validation = ANY event can be executed,
regardless of MAC
<%@ Page Language="C#" AutoEventWireup="true"
EnableEventValidation=“false" EnableViewStateMac=“true“ …%>
►
Process
►
►
Craft a request with valid EVENTTARGET value OR
Inject a custom Postback/Callback call to the response
HTML, and target the event of the invisible control
Page 38
39. Invisible Control Event Execution 3/4
►
EventValidation is ON , Viewstate MAC is OFF
►
Forge valid viewstate / eventvalidation fields (no MAC)
<%@ Page Language="C#" AutoEventWireup="true"
EnableEventValidation="true" EnableViewStateMac=“false“ …%>
►
Process
►
Craft a request using SCIP or other eventvalidation editors
Page 39
50. Missing CallBack Code Validation
►
Prerequisites – Improper CallBack Implementation
►
►
►
Process:
►
►
Event validation not performed manually in CallBack code
Relies on the CALLBACKID and CALLBACKPARAM
Ignore Event Validation when Forging Event Call
Advantage:
►
Works despite of Viewstate MAC & EventValidation.
Page 50
51. Mining Cached Viewstate Values 1/2
►
Prerequisites – Reusing Signed Cached Values
►
►
Obtain control names from cached / indexed content: search
engines, proxies, browser cache of privileged users
Process:
►
Reuse the cached VIEWSTATE, EVENTTARGET,
EVENTARGUMENT and EVENTVALIDATION
Page 51
52. Mining Cached Viewstate Values 2/2
►
Advantages
►
►
Exploit works DESPITE the Viewstate MAC AND
EventValidation
Shared Hosting Attack Model:
►
►
Can bypass Viewstate MAC and EventValidation
Scenarios for Shared / Isolated Application Pool
Page 52
54. Secure Coding Guidelines
Preventing Event Execution & Property Override
►
►
►
►
►
►
►
►
Do NOT use the Disabled property for security purposes
Do NOT rely on HTML comments to hide controls
Remove unnecessary dormant events from all layers:
HTML, Design (e.g. aspx), CodeBehind (e.g. aspx.cs)
Implement code-level privilege validation in each event
Enforce digital signatures (Viewstate MAC)
Activate event validation mechanisms (EventValidation)
Disable cache / Prevent indexing in pages with sensitive
controls!
Customize the platform error messages
Page 54
58. Dormant Control Execution Summary
Control / Event
Type
ONLY
Event
Validation
Is ON
ONLY
Event
Viewstate MAC Validation AND
is ON
Viewstate MAC
are ON
Commented
Disabled
Invisible
Optional
Page 58
59. Advanced Invisible Control Execution
►
Execute Control Events DESPITE MAC/Validation
►
►
►
Reuse cached / indexed ViewState and EventValidation
fields of the same Page
Abuse insecure callback implementations
Abuse MachineKey in Shared Hosting Model
Page 59
60. The RIA SCIP Project
►
►
►
►
Homepage: http://code.google.com/p/ria-scip/
OWASP ZAP extension (v2.0+), requires Java 1.7
Included in ZAP’s Marketplace
Currently focused at ASP.net
Page 60
62. The RIA SCIP Project, Cont.
►
Current Features
►
►
►
►
►
►
►
►
Passively identifies traces of Invisible Controls
Error-based invisible control name enumeration
Blind-based invisible control name enumeration (NEW!)
Disabled/commented control event execution
Invisible control event execution
Viewstate manipulation for manual parameter tampering,
when MAC is OFF (NEW!), Control Injection Templates
Manual execution of target events
Upcoming Features
►
►
Cached viewstate scraping / comparison / reuse (déjà vu)
Control type fingerprinting & exploitation
Page 62
63. Additional Resources
►
►
►
►
déjà vu (cache analysis) ZAP Extension:
https://github.com/hacktics/deja-vu
Woanware Viewstate Hacker:
http://www.woanware.co.uk/application/viewstatehack
er.html
OWASP ZAP: https://code.google.com/p/zaproxy/
James Jardine blog posts:
http://www.jardinesoftware.net/
Page 63
64. EY Advanced Security Centers
•
Americas
•
•
•
•
•
EMEIA
•
•
•
Hacktics IL
Houston
New York
Buenos Aires
Dublin
Barcelona
Asia Pacific
•
•
Singapore
Melbourne