SlideShare a Scribd company logo

Abusing bu is-4.3

Positive Hack Days
Positive Hack Days
Technology
1 of 44
FORFUN& PROFIT ABUSINGBROWSERSUSER INTERFACESROSARIOVALOTTA
HELLO MY NAME ISRosario sites.google.com/site/tentacoloviola/  NDUJA CONNECTION  COOKIEJACKIN G  NDUJA DOM FUZZER
SOCIALLYENGINEEREDMAL 200K NEW MALWARE SAMPLES EVERY DAY 1.5+ BILLIONS MALWARE ATTACKS ORIGINATED FROM THE WEB MOSTLY ORIGINATED BY USER INITIATED DOWNLOADS 2012 FACTS
USERSASKFOR • GUIDANCE WHILE SURFING THE WEB • PROTECTION FROM MALICIOUS SITES • RELIABLE BROWSER SECURITY MECHANISMS
VENDORSREPLIES ENHANCED MEMORY PROTECTION TECHNOLOGIES FOR PROTECTING AGAINST EXPLOITS AND DRIVEBY DOWNLOADS (ASLR, DEP, GS, ETC) EMBEDDED SECURITY FITERS AGAINST WEB ATTACKS (XSS FILTER, ANTI FRAMING/CLICKJACKING, ETC) MALWARE/PHISHING RECOGNITION TECHNOLOGIES (SAFE BROWSING, SMARTSCREEN FILTER, ETC) TRUSTED AND RECOGNIZABLE USER INTERFACES TO HELP USERS IN MAKING AWARE CHOICES WHILE SURFING THE WEB
THIS IS CHROME
THIS IS CONTENT
PICTU REIN PICTU RE ATTAC K WHICHISCHROME?
URL OBFUSCATION FLAWS • EXPLOIT A DESIGN FLAW IN BROWSERS THAT ARE NOT ABLE TO RELIABLY RENDER THE URL REQUIRED BY THE USER • URL FORMAT FOLLOWS THE GENERAL PATTERN http://username:password@mysite.com WITH OPTIONAL password FIELD • http://www.bankofamerica.com&service=...@174.120.41.176/~inferno/ex ploits/obfusurl/index.htm DISABLES RESOLUTION FOR URLS WITH EMBEDDED CREDENTIALS RAISE A WARNI NG RENDERS PAGE AND STRIPS CREDENTIALS FROM THE URL AND REVEALING TRUE NATURE OF THE DOMAIN
DOWNLOAD DIALOG SPOO • VICTIM VISITS ROGUE WEBSITE • WEBSITE IMMEDIATELY SPAWNS A NEW NAVIGATION WINDOW LINKING TO A BENIGN WEBPAGE • ROGUE WEBSITE SETS THE NEW NAVIGATION WINDOW URL TO A RESOURCE SERVED WITH Content-Disposition: attachment HEADER • A DOWNLOAD NOTIFICATION BAR/DIALOG APPEARS IN THE CONTEXT OF THE NEW NAVIGATION WINDOW • VICTIM IS TRICKED TO BELIEVE DOWNLOAD HAS BEEN STILL WORKS ON IE9, CHROME 25 AND FIREFOX 19! http://lcamtuf.coredump.cx/fldl
BROWSERSECURITYN
BROWSERSECURITYN
MODALNOTIFICATIONS OS GENERATED BROWSER GENERATE • IMPORTANT NOTIFICATIONS ONLY • NOT STRICTLY PART OF CHROME • DEFAULT ANWSER PROBLEM • TRIGGERED IN SEVERAL SCENARIOS • SOMETIMES CAN BE VERY ANNOYING • DEFAULT ANWSER PROBLEM STRONG VISUAL CONTRAST “ GRAB USER ATTENTION “ BLOCK WORKFLOW
MODELESSNOTIFICATIONS • DESIGNED TO INFORM USER WITHOUT INTERRUPTING NA • STAY IN CONTEXT OF THE NAVIGATION WINDOW • CHROME NOT DOM FILEDOWNLOA DING PLUGINSACTIV ATION HTML5APIS
MODALTOMODELESSSHIFT MODELESS MODELESS MODELESS MODELESS MODELESS MODELESS MODELESS MODELESSMODAL MODALMIXED MODALMODAL MODAL MODELESS EXTENSIONS/ADDONS MODAL MODAL MODAL MODAL MODELESS
1. DISPLAYED EVEN IF THE WINDOW IS IN 2.KEYBOARD SHORTCUTS ENABLED FOR 3.NOTIFICATION BARS CAN BE NAVIGATED 4.NOTIFICATION BARS ARE BOUND TO TH 4PROBLEMSABOUTMODELE SSNOTIFICATIONS
NOTIFICATIONSINBACKGROU SCENARIO: 1. USER BROWSES ON ATTACKER WEBSITE 2. WEB PAGE SPAWNS A POPUP WINDOW 3. POPUP IS OPENED ON THE BACKGROUND (POPUNDER) 4. ON WINDOWS 7/8 THE POPUNDER IS MERELY UNNOTICED 5. POPUNDER INITIATES A DOWNLOAD 6. MODELESS NOTIFICATION IS TRIGGERED (HIDDEN FROM USER 7. POPUNDER TAB DOESN’T BLINK TO GIVE EVIDENCE OF A PENDIN A LITTLE BIT OF JS MAGIC IS REQUIRED FOR THIS TO WORK IN EVERY BROWSER. blur() DOESN’T WORK PROPERLY ON SOME IMPLEMENTATIONS. JSPOPUNDER PROJECT ENABLES POPUNDERS IN CROSS BROWSER ENVIRONMENTS.
KEYBOARDSHORTCUTS • ARE AVAILABLE FOR ACTIVATING ACTIONS ON NOTIFICATION BAR • IE ALLOWS THIS FOR FILE DOWNLOAD NOTIFICATIONS • IE & FF ALLOW THIS FOR HTML5 API NOTIFICATIONS ALT +R “ ALT +S “ ALT + O ALT + O ALT +A “ ALT + O • NAVIGATION WINDOW NEEDS TO BE FOCUSED FOR USING SHOR
USINGTABINNOTIFICATIONB SOME BROWSERS ALLOW USING TAB KEY TO NAVIGATE O • CHROME SKIPS THE FILE OPENING BUTTON • IE ALLOWS THIS FOR FILE DOWNLOAD NOTIFICATION NOTIFICATION BAR IS PART OF CHROME: NO SYNTHETIC NAVIGATIO
BOUNDTONAVIGATIONWIND AS THEY ARE BUILT IN CHROME, NOTIFICATION BARS CAN BE:
ATTACKSCENARIO#1 1. USER BROWSES ON ATTACKER WEBSITE 2. WEB PAGE SPAWNS A POPUNDER WINDOW 3. ON WINDOWS 7/8 THE POPUNDER IS MERELY UNNOTICED 4. POPUNDER INITIATES A DOWNLOAD OF A .EXE FILE 5. MODELESS NOTIFICATION IS TRIGGERED (HIDDEN FROM USER VIEW) 6. POPUNDER TAB DOESN’T BLINK TO GIVE EVIDENCE OF A PENDING NOTIFICATION 7. AFTER NOTIFICATION IS READY, POPUNDER IS STILL IN BACKGROUND BUT HAS THE FOCUS! 8. EVERY KEYBOARD INPUT WILL BE DIRECTED TO THE POPUNDER… 9. USER ENTERS ‚TAB‛ + ‚R’’ 10. CODE EXECUTION WITHOUT ANY NOTIFICATION OR 9 -10
ATTACKSCENARIO#1UNDER POPUNDER WINDOW ON FOCUS FOREGROUND WINDOW NOT ON FOCUS 1 2
ATTACKSCENARIO#1UNDER KEYBOARD INPUTS DIRECTED TO ONFOCUS WINDOW KEYBOARD SHORTCUTS AVAILABLE FOR INTERACTION 3 4
ATTACKSCENARIO#1UNDER PRESS TAB TO MOVE THE FOCUS ON THE ‘’RUN’’ BUTTON… …THEN PRESS ‘’R’’ (or equivalent key) TO EXEC PROGRAM 5 6
ATTACKSCENARIO#1UNDER …PROF IT !!! 7
ONEKEYATTACK • IN WIN7 + IE9-10 OPENING POPUNDER WINDOW USING: <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" /> WILL BRING THE FOCUS OF THE POPUNDER DIRECTLY ON THE NOTIFICATION BAR  NO NEED FOR TAB KEY THIS MEANS YOU CAN TRIGGER CODE EXECUTION BY JUST TYPING ONE KEY (key changes according to OS language) 9 -10
ATTACKSCENARIO#2 DYNAMIC WINDOW OVERLAY 1. USER BROWSES ON ATTACKER WEBSITE 2. WEB PAGE SPAWNS A POPUNDER WINDOW AT SOME GIVEN COORDINATES 3. POPUNDER INITIATES A DOWNLOAD OF A .EXE FILE 4. MODELESS NOTIFICATION IS TRIGGERED (HIDDEN FROM USER VIEW) 5. POPUNDER TAB DOESN’T BLINK TO GIVE EVIDENCE OF A PENDING NOTIFICATION 6. ATTACKER TRICKS VICTIM TO CLICK ON A GIVEN LINK/BUTTON 7. PAGE IS LISTENING ON MOUSE MOVES 8. AS SOON AS THE MOUSE IS HOVERING ON THE BUTTON, WINDOW IS CLOSED 9. IF TIMING IS APPROPRIATE THERE ARE GOOD CHANCES OF VICTIM CLICKING ON THE UNDERLYING POPUNDER
ONECLICKATTACK • EVERY TIME A FILE IS DOWNLOADED FROM THE WEB THE OS ADDS A ZONE INFORMATION FILE TO THE DISK • ZONE INFORMATION FILE IS WRITTEN IN AN ASD (alternate data stream) • IT CONTAINS A REFERENCE TO THE SECURITY ZONE THE FILE WAS DOWNLOADED FROM (e.g. INTERNET) • LAUNCHING AN UNSIGNED .EXE FILE DOWNLOADED FROM THE WEB WILL PROMPT A CONFIRMATION DIALOG, NOT BYPASSABLE • A SMARTSCREEN CHECK IS PERFORMED (MORE ON BYPASSING SMARTSCREEN LATER…) • NO FURTHER DIALOGS ARE DISPLAYED • CODE EXECUTION!
ONECLICKATTA CK#2.bDEFEATING HTML5 PRIVILEGES 1. USER BROWSES ON ATTACKER WEBSITE 2. WEB PAGE SPAWNS A POPUNDER WINDOW AT SOME GIVEN COORDINATES 3. POPUNDER LOADS A WEBPAGE REQUIRING SOME PRIVILEGES (e.g. YOUR POSITION) 4. MODELESS NOTIFICATION IS SHOWN (HIDDEN FROM USER VIEW) 5. POPUNDER TAB DOESN’T BLINK TO GIVE EVIDENCE OF A PENDING NOTIFICATION 6. ATTACKER TRICKS VICTIM TO CLICK ON A GIVEN LINK/BUTTON 7. PAGE IS LISTENING ON MOUSE MOVES 8. AS SOON AS THE MOUSE IS HOVERING ON THE BUTTON, WINDOW IS CLOSED 9. IF TIMING IS APPROPRIATE THERE GOOD CHANCES THE VICTIM CLICKS ON THE UNDERLYING POPUNDER
ONECLICKATTACK#2.c DEFEATING CLICKJACKING PROTECTIONS (ANTI-FRA 1. USER BROWSES ON ATTACKER WEBSITE 2. WEB PAGE SPAWNS A POPUNDER WINDOW AT SOME GIVEN COORDINATES 3. POPUNDER LOADS A WEBPAGE SERVED WITH X-FRAME- OPTIONS (e.g. TWITTER) 4. ATTACKER TRICKS VICTIM TO CLICK ON A GIVEN LINK/BUTTON 5. PAGE IS LISTENING ON MOUSE MOVES 6. AS SOON AS THE MOUSE IS HOVERING ON THE BUTTON, WINDOW IS CLOSED 7. IF TIMING IS APPROPRIATE THERE GOOD CHANCES THE VICTIM CLICKS ON THE UNDERLYING POPUNDER
ANYLIMITATIONS?
MALICIOUSDOWNLOADPRO BLOCKING ACCESS TO MALICIOUS URLS&FILES BEFORE L FUNCTIONAL COMPONENTS: 1 2 3
IMPLEMENTATIONS SAFEBROWSING SMARTSCREENFILTER IE EFFECTIVENESS MALWARE URL RESPONSE TIM CHARTS FROM NSS LABS REPORT 2012
SMARTSCREENFILTER<App> <FName>U2FtZUdhbWUuZXhl</FName> <FHash>d3ff5939726c9f8fa6e514fb65eb470 a1f9ec7a65b2706732a03749226c25 20</FHash> <Sig>0</Sig> <Sz>45056</Sz> <M>1</M> <SR>100</SR> </App> IP “ URL “ FILE HASH (SHA256) “ FILENAME (BASE64) • SIGNING CERTIFICATE (if available) INPUT:  BLACKLISTE D REPUTATION FAILURE  SUCCEDEED OUTPUT: BAR COLOR CHANGES ACCORDING TO THE SIGNING CERTIFICATE + CHECK RESULT
(NOTSO)SMARTSCREENFIL REPUTATION CHECK IS NOT 100% RELIABLE , MORE THAN 20% SAMPLES ON http://minotauranalysis.com/exet weet/default.aspx WILL PASS THROUGH RESPONSE TIME FOR CATCHING NEW EXECUTABLE SAMPLES ALLOWS FOR EASY BYPASS IN THE FIRST PUBLISHING DAYS WHEN DEALING WITH SIGNED APPLICATIONS, SMASCREEN WILL ONLY LOOK AT CERTIFICATE REPUTATION AND NOT TO THE APPLICATION ITSELF: 1. STEAL A STANDARD CERTIFICATE WITH A GOOD REPUTATION (ASK DIGINOTAR…) 2. BUY AN EV CERTIFICATE AND GAIN REPUTATION! ‘’NEWLY PUBLISHED EXECUTABLES SIGNED WITH AN EV CERTIFICATE WILL IMMEDIATELY ESTABLISH A GOOD REPUTATION EVEN IF NO PRIOR REPUTATION EXISTS’’ INTERNET CONNECTION NEEDED FOR PERFORMING THE CHECK (more on this later…)
ONEKEYATTACKONSTEROID 1 (MITM SCENARIO) 2 X 1. ATTACKER SETS UP A FREE ACCESS POI 2. BLOCKS COMMUNICATIONS TO SMARTS 3. RESULT IS: 4. TRICK VICTIM TO TYPE ‚R‛ KEY ONCE A 5. ARBITRARY CODE EXECU
STEROIDSUNCOVERED WHEN THE FIRST ‘’R’’ IS PRESSED SMARTSCREEN CHECK IS TRIGGERED AFTER THE CHECK THIS BAR IS SHOWED 2 3 TRICK A VICTIM TO TYPE A CAPTCHA CONTAINING ‘’R’’ +’’TAB’’+’’R’’ KEYS… 9 -10 1 PRESS ‘’TAB’’ THEN ‘’R’’ 4
USERACCESSCONTROL ONLY TRIGGERED WHEN ADMINISTRATIVE PRIVILEGES AR YOU CANNOT BYPASS THAT. FULL STOP. DO YOU REALLY NEED THAT FOR CAUSING SERIOUS TROU
NOLIMITATIONS!!!
LET’SSUMUP ONE KEY*/ONE CLICK ONE KEY/ONE CLICK ONE KEY/ONE CLICK ONE CLICK ONE CLICK ONE CLICK ONE CLICK CODE EXEC PLUGIN/ACTIVEX HTML5 APIS ONE CLICK * ARBITRARY CODE EXECUTION IN MITM SCENARIO
SOME PROPOSALS 1. NOTIFICATIONS ON BACKGROUND WINDOWS ARE USELESS (AT BEST). SHOW THE NOTIFICATION AFTER SOME SECONDS SINCE THE NAVIGATION WINDOW HAS REGAINED FOCUS 2. DISABLE TAB KEY IN THE NOTIFICATION BARS, JUST USE THE MOUSE. IF YOU ARE CONCERNED ABOUT ACCESSIBILITY ENABLE MORE COMPLEX KEYBOARD SHORTCUTS IN ORDER TO LIMIT THE CHANCE OF BEING SOCIAL ENGINEREED 3. SOME SENSITIVE NOTIFICATIONS (E.G. FILE DOWNLOADING) SHOULD BE EVER KEPT IN A STATIC FRAME OF THE CHROME, NOT BOUND TO NAVIGATION WINDOW 4. BROWSER INITIATED SWITCHES BETWEEN WINDOWS OF DIFFERENT DOMAINS SHOULD BE COMBINED WITH A GRAPHICAL EFFECT (e.g. fading, etc) IN ORDER TO GIVE USERS ADEQUATE REACTION TIME
CONCLUSIONS 1. THE BROWSERS SHIFT FROM MODAL TO MODELESS NOTIFICATIONS IS STILL NOT MATURE AND IMPLEMENTATIONS SUFFER FROM CRITICAL ISSUES 2. TWO TECHNIQUES ALLOW FOR STEALTH REMOTE CODE EXECUTION WITH MINIMUM USER INTERACTION ( ONE KEY or ONE CLICK) 3. THE EASY WAY IS BY FAR THE MOST EXPLOITED IN THE WILD: PAY GREATER ATTENTION TO USER
THAN K YOU valotta.rosario@gmail.com@tentacolo_Viola sites.google.com/site/ten

Recommended

B.C. LNG Infrastructure Build Commences
B.C. LNG Infrastructure Build CommencesB.C. LNG Infrastructure Build Commences
B.C. LNG Infrastructure Build CommencesFollow me on Twitter @Stockshaman
 
(Pdf) yury chemerkin _icitst_2012
(Pdf) yury chemerkin _icitst_2012(Pdf) yury chemerkin _icitst_2012
(Pdf) yury chemerkin _icitst_2012STO STRATEGY
 
(Pdf) yury chemerkin _null_con_2013
(Pdf) yury chemerkin _null_con_2013(Pdf) yury chemerkin _null_con_2013
(Pdf) yury chemerkin _null_con_2013STO STRATEGY
 
Javi
JaviJavi
Javiitssomthing
 
Javi
JaviJavi
Javiitssomthing
 
Javi
JaviJavi
Javiitssomthing
 
Javi
JaviJavi
Javiitssomthing
 
Javi
JaviJavi
Javiitssomthing
 

Recommended

B.C. LNG Infrastructure Build Commences
B.C. LNG Infrastructure Build CommencesB.C. LNG Infrastructure Build Commences
B.C. LNG Infrastructure Build CommencesFollow me on Twitter @Stockshaman
 
(Pdf) yury chemerkin _icitst_2012
(Pdf) yury chemerkin _icitst_2012(Pdf) yury chemerkin _icitst_2012
(Pdf) yury chemerkin _icitst_2012STO STRATEGY
 
(Pdf) yury chemerkin _null_con_2013
(Pdf) yury chemerkin _null_con_2013(Pdf) yury chemerkin _null_con_2013
(Pdf) yury chemerkin _null_con_2013STO STRATEGY
 
Javi
JaviJavi
Javiitssomthing
 
Javi
JaviJavi
Javiitssomthing
 
Javi
JaviJavi
Javiitssomthing
 
Javi
JaviJavi
Javiitssomthing
 
Javi
JaviJavi
Javiitssomthing
 
Javi
JaviJavi
Javiitssomthing
 
The Physical World meets the Web
The Physical World meets the WebThe Physical World meets the Web
The Physical World meets the WebMaximiliano Firtman
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentestingn|u - The Open Security Community
 
Security as a top of mind issue for mobile application development
Security as a top of mind issue for mobile application developmentSecurity as a top of mind issue for mobile application development
Security as a top of mind issue for mobile application developmentȘtefan Popa
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploitsvirtualabs
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorialtutorialsruby
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorialtutorialsruby
 
Hacking Web Aplications using Cookie Poisoning
Hacking Web Aplications using Cookie PoisoningHacking Web Aplications using Cookie Poisoning
Hacking Web Aplications using Cookie PoisoningSumutiu Marius
 
(Pdf) yury chemerkin _ath_con_2013
(Pdf) yury chemerkin _ath_con_2013(Pdf) yury chemerkin _ath_con_2013
(Pdf) yury chemerkin _ath_con_2013STO STRATEGY
 
WannaCry? No Thanks!
WannaCry? No Thanks!WannaCry? No Thanks!
WannaCry? No Thanks!Roberto Martelloni
 
How to prevent cyber terrorism taragana
How to prevent cyber terrorism taraganaHow to prevent cyber terrorism taragana
How to prevent cyber terrorism taraganaGilles Sgro
 
Spo2 w22
Spo2 w22Spo2 w22
Spo2 w22SelectedPresentations
 
Attacks on the cyber world
Attacks on the cyber worldAttacks on the cyber world
Attacks on the cyber worldNikhil Tripathi
 
Make the Smartcard great again
Make the Smartcard great againMake the Smartcard great again
Make the Smartcard great againEric Larcheveque
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsAndrea Bissoli
 
anroid based call history
anroid based call historyanroid based call history
anroid based call historymallareddy
 
Symbian OS
Symbian OS Symbian OS
Symbian OS Adit Pathak
 
VIRUS AND ITS TYPES.pptx
VIRUS AND ITS TYPES.pptxVIRUS AND ITS TYPES.pptx
VIRUS AND ITS TYPES.pptxSiddeshGowda8
 
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 

More Related Content

Similar to Abusing bu is-4.3

The Physical World meets the Web
The Physical World meets the WebThe Physical World meets the Web
The Physical World meets the WebMaximiliano Firtman
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Security as a top of mind issue for mobile application development
Security as a top of mind issue for mobile application developmentSecurity as a top of mind issue for mobile application development
Security as a top of mind issue for mobile application developmentȘtefan Popa
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploitsvirtualabs
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorialtutorialsruby
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorialtutorialsruby
 
Hacking Web Aplications using Cookie Poisoning
Hacking Web Aplications using Cookie PoisoningHacking Web Aplications using Cookie Poisoning
Hacking Web Aplications using Cookie PoisoningSumutiu Marius
 
(Pdf) yury chemerkin _ath_con_2013
(Pdf) yury chemerkin _ath_con_2013(Pdf) yury chemerkin _ath_con_2013
(Pdf) yury chemerkin _ath_con_2013STO STRATEGY
 
How to prevent cyber terrorism taragana
How to prevent cyber terrorism taraganaHow to prevent cyber terrorism taragana
How to prevent cyber terrorism taraganaGilles Sgro
 
Attacks on the cyber world
Attacks on the cyber worldAttacks on the cyber world
Attacks on the cyber worldNikhil Tripathi
 
Make the Smartcard great again
Make the Smartcard great againMake the Smartcard great again
Make the Smartcard great againEric Larcheveque
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsAndrea Bissoli
 
anroid based call history
anroid based call historyanroid based call history
anroid based call historymallareddy
 
VIRUS AND ITS TYPES.pptx
VIRUS AND ITS TYPES.pptxVIRUS AND ITS TYPES.pptx
VIRUS AND ITS TYPES.pptxSiddeshGowda8
 

Similar to Abusing bu is-4.3 (20)

Javi
JaviJavi
Javi
 
The Physical World meets the Web
The Physical World meets the WebThe Physical World meets the Web
The Physical World meets the Web
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 
Security as a top of mind issue for mobile application development
Security as a top of mind issue for mobile application developmentSecurity as a top of mind issue for mobile application development
Security as a top of mind issue for mobile application development
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploits
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorial
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorial
 
Hacking Web Aplications using Cookie Poisoning
Hacking Web Aplications using Cookie PoisoningHacking Web Aplications using Cookie Poisoning
Hacking Web Aplications using Cookie Poisoning
 
(Pdf) yury chemerkin _ath_con_2013
(Pdf) yury chemerkin _ath_con_2013(Pdf) yury chemerkin _ath_con_2013
(Pdf) yury chemerkin _ath_con_2013
 
WannaCry? No Thanks!
WannaCry? No Thanks!WannaCry? No Thanks!
WannaCry? No Thanks!
 
How to prevent cyber terrorism taragana
How to prevent cyber terrorism taraganaHow to prevent cyber terrorism taragana
How to prevent cyber terrorism taragana
 
Spo2 w22
Spo2 w22Spo2 w22
Spo2 w22
 
Attacks on the cyber world
Attacks on the cyber worldAttacks on the cyber world
Attacks on the cyber world
 
Make the Smartcard great again
Make the Smartcard great againMake the Smartcard great again
Make the Smartcard great again
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systems
 
anroid based call history
anroid based call historyanroid based call history
anroid based call history
 
Symbian OS
Symbian OS Symbian OS
Symbian OS
 
VIRUS AND ITS TYPES.pptx
VIRUS AND ITS TYPES.pptxVIRUS AND ITS TYPES.pptx
VIRUS AND ITS TYPES.pptx
 

More from Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

More from Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Recently uploaded

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 

Recently uploaded (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

Abusing bu is-4.3

  • 2. HELLO MY NAME ISRosario sites.google.com/site/tentacoloviola/  NDUJA CONNECTION  COOKIEJACKIN G  NDUJA DOM FUZZER
  • 3. SOCIALLYENGINEEREDMAL 200K NEW MALWARE SAMPLES EVERY DAY 1.5+ BILLIONS MALWARE ATTACKS ORIGINATED FROM THE WEB MOSTLY ORIGINATED BY USER INITIATED DOWNLOADS 2012 FACTS
  • 4. USERSASKFOR • GUIDANCE WHILE SURFING THE WEB • PROTECTION FROM MALICIOUS SITES • RELIABLE BROWSER SECURITY MECHANISMS
  • 5. VENDORSREPLIES ENHANCED MEMORY PROTECTION TECHNOLOGIES FOR PROTECTING AGAINST EXPLOITS AND DRIVEBY DOWNLOADS (ASLR, DEP, GS, ETC) EMBEDDED SECURITY FITERS AGAINST WEB ATTACKS (XSS FILTER, ANTI FRAMING/CLICKJACKING, ETC) MALWARE/PHISHING RECOGNITION TECHNOLOGIES (SAFE BROWSING, SMARTSCREEN FILTER, ETC) TRUSTED AND RECOGNIZABLE USER INTERFACES TO HELP USERS IN MAKING AWARE CHOICES WHILE SURFING THE WEB
  • 6.
  • 10. URL OBFUSCATION FLAWS • EXPLOIT A DESIGN FLAW IN BROWSERS THAT ARE NOT ABLE TO RELIABLY RENDER THE URL REQUIRED BY THE USER • URL FORMAT FOLLOWS THE GENERAL PATTERN http://username:password@mysite.com WITH OPTIONAL password FIELD • http://www.bankofamerica.com&service=...@174.120.41.176/~inferno/ex ploits/obfusurl/index.htm DISABLES RESOLUTION FOR URLS WITH EMBEDDED CREDENTIALS RAISE A WARNI NG RENDERS PAGE AND STRIPS CREDENTIALS FROM THE URL AND REVEALING TRUE NATURE OF THE DOMAIN
  • 11. DOWNLOAD DIALOG SPOO • VICTIM VISITS ROGUE WEBSITE • WEBSITE IMMEDIATELY SPAWNS A NEW NAVIGATION WINDOW LINKING TO A BENIGN WEBPAGE • ROGUE WEBSITE SETS THE NEW NAVIGATION WINDOW URL TO A RESOURCE SERVED WITH Content-Disposition: attachment HEADER • A DOWNLOAD NOTIFICATION BAR/DIALOG APPEARS IN THE CONTEXT OF THE NEW NAVIGATION WINDOW • VICTIM IS TRICKED TO BELIEVE DOWNLOAD HAS BEEN STILL WORKS ON IE9, CHROME 25 AND FIREFOX 19! http://lcamtuf.coredump.cx/fldl
  • 14. MODALNOTIFICATIONS OS GENERATED BROWSER GENERATE • IMPORTANT NOTIFICATIONS ONLY • NOT STRICTLY PART OF CHROME • DEFAULT ANWSER PROBLEM • TRIGGERED IN SEVERAL SCENARIOS • SOMETIMES CAN BE VERY ANNOYING • DEFAULT ANWSER PROBLEM STRONG VISUAL CONTRAST “ GRAB USER ATTENTION “ BLOCK WORKFLOW
  • 15. MODELESSNOTIFICATIONS • DESIGNED TO INFORM USER WITHOUT INTERRUPTING NA • STAY IN CONTEXT OF THE NAVIGATION WINDOW • CHROME NOT DOM FILEDOWNLOA DING PLUGINSACTIV ATION HTML5APIS
  • 17. 1. DISPLAYED EVEN IF THE WINDOW IS IN 2.KEYBOARD SHORTCUTS ENABLED FOR 3.NOTIFICATION BARS CAN BE NAVIGATED 4.NOTIFICATION BARS ARE BOUND TO TH 4PROBLEMSABOUTMODELE SSNOTIFICATIONS
  • 18. NOTIFICATIONSINBACKGROU SCENARIO: 1. USER BROWSES ON ATTACKER WEBSITE 2. WEB PAGE SPAWNS A POPUP WINDOW 3. POPUP IS OPENED ON THE BACKGROUND (POPUNDER) 4. ON WINDOWS 7/8 THE POPUNDER IS MERELY UNNOTICED 5. POPUNDER INITIATES A DOWNLOAD 6. MODELESS NOTIFICATION IS TRIGGERED (HIDDEN FROM USER 7. POPUNDER TAB DOESN’T BLINK TO GIVE EVIDENCE OF A PENDIN A LITTLE BIT OF JS MAGIC IS REQUIRED FOR THIS TO WORK IN EVERY BROWSER. blur() DOESN’T WORK PROPERLY ON SOME IMPLEMENTATIONS. JSPOPUNDER PROJECT ENABLES POPUNDERS IN CROSS BROWSER ENVIRONMENTS.
  • 19. KEYBOARDSHORTCUTS • ARE AVAILABLE FOR ACTIVATING ACTIONS ON NOTIFICATION BAR • IE ALLOWS THIS FOR FILE DOWNLOAD NOTIFICATIONS • IE & FF ALLOW THIS FOR HTML5 API NOTIFICATIONS ALT +R “ ALT +S “ ALT + O ALT + O ALT +A “ ALT + O • NAVIGATION WINDOW NEEDS TO BE FOCUSED FOR USING SHOR
  • 20. USINGTABINNOTIFICATIONB SOME BROWSERS ALLOW USING TAB KEY TO NAVIGATE O • CHROME SKIPS THE FILE OPENING BUTTON • IE ALLOWS THIS FOR FILE DOWNLOAD NOTIFICATION NOTIFICATION BAR IS PART OF CHROME: NO SYNTHETIC NAVIGATIO
  • 21. BOUNDTONAVIGATIONWIND AS THEY ARE BUILT IN CHROME, NOTIFICATION BARS CAN BE:
  • 22. ATTACKSCENARIO#1 1. USER BROWSES ON ATTACKER WEBSITE 2. WEB PAGE SPAWNS A POPUNDER WINDOW 3. ON WINDOWS 7/8 THE POPUNDER IS MERELY UNNOTICED 4. POPUNDER INITIATES A DOWNLOAD OF A .EXE FILE 5. MODELESS NOTIFICATION IS TRIGGERED (HIDDEN FROM USER VIEW) 6. POPUNDER TAB DOESN’T BLINK TO GIVE EVIDENCE OF A PENDING NOTIFICATION 7. AFTER NOTIFICATION IS READY, POPUNDER IS STILL IN BACKGROUND BUT HAS THE FOCUS! 8. EVERY KEYBOARD INPUT WILL BE DIRECTED TO THE POPUNDER… 9. USER ENTERS ‚TAB‛ + ‚R’’ 10. CODE EXECUTION WITHOUT ANY NOTIFICATION OR 9 -10
  • 25. ATTACKSCENARIO#1UNDER PRESS TAB TO MOVE THE FOCUS ON THE ‘’RUN’’ BUTTON… …THEN PRESS ‘’R’’ (or equivalent key) TO EXEC PROGRAM 5 6
  • 27. ONEKEYATTACK • IN WIN7 + IE9-10 OPENING POPUNDER WINDOW USING: <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" /> WILL BRING THE FOCUS OF THE POPUNDER DIRECTLY ON THE NOTIFICATION BAR  NO NEED FOR TAB KEY THIS MEANS YOU CAN TRIGGER CODE EXECUTION BY JUST TYPING ONE KEY (key changes according to OS language) 9 -10
  • 28. ATTACKSCENARIO#2 DYNAMIC WINDOW OVERLAY 1. USER BROWSES ON ATTACKER WEBSITE 2. WEB PAGE SPAWNS A POPUNDER WINDOW AT SOME GIVEN COORDINATES 3. POPUNDER INITIATES A DOWNLOAD OF A .EXE FILE 4. MODELESS NOTIFICATION IS TRIGGERED (HIDDEN FROM USER VIEW) 5. POPUNDER TAB DOESN’T BLINK TO GIVE EVIDENCE OF A PENDING NOTIFICATION 6. ATTACKER TRICKS VICTIM TO CLICK ON A GIVEN LINK/BUTTON 7. PAGE IS LISTENING ON MOUSE MOVES 8. AS SOON AS THE MOUSE IS HOVERING ON THE BUTTON, WINDOW IS CLOSED 9. IF TIMING IS APPROPRIATE THERE ARE GOOD CHANCES OF VICTIM CLICKING ON THE UNDERLYING POPUNDER
  • 29. ONECLICKATTACK • EVERY TIME A FILE IS DOWNLOADED FROM THE WEB THE OS ADDS A ZONE INFORMATION FILE TO THE DISK • ZONE INFORMATION FILE IS WRITTEN IN AN ASD (alternate data stream) • IT CONTAINS A REFERENCE TO THE SECURITY ZONE THE FILE WAS DOWNLOADED FROM (e.g. INTERNET) • LAUNCHING AN UNSIGNED .EXE FILE DOWNLOADED FROM THE WEB WILL PROMPT A CONFIRMATION DIALOG, NOT BYPASSABLE • A SMARTSCREEN CHECK IS PERFORMED (MORE ON BYPASSING SMARTSCREEN LATER…) • NO FURTHER DIALOGS ARE DISPLAYED • CODE EXECUTION!
  • 30. ONECLICKATTA CK#2.bDEFEATING HTML5 PRIVILEGES 1. USER BROWSES ON ATTACKER WEBSITE 2. WEB PAGE SPAWNS A POPUNDER WINDOW AT SOME GIVEN COORDINATES 3. POPUNDER LOADS A WEBPAGE REQUIRING SOME PRIVILEGES (e.g. YOUR POSITION) 4. MODELESS NOTIFICATION IS SHOWN (HIDDEN FROM USER VIEW) 5. POPUNDER TAB DOESN’T BLINK TO GIVE EVIDENCE OF A PENDING NOTIFICATION 6. ATTACKER TRICKS VICTIM TO CLICK ON A GIVEN LINK/BUTTON 7. PAGE IS LISTENING ON MOUSE MOVES 8. AS SOON AS THE MOUSE IS HOVERING ON THE BUTTON, WINDOW IS CLOSED 9. IF TIMING IS APPROPRIATE THERE GOOD CHANCES THE VICTIM CLICKS ON THE UNDERLYING POPUNDER
  • 31. ONECLICKATTACK#2.c DEFEATING CLICKJACKING PROTECTIONS (ANTI-FRA 1. USER BROWSES ON ATTACKER WEBSITE 2. WEB PAGE SPAWNS A POPUNDER WINDOW AT SOME GIVEN COORDINATES 3. POPUNDER LOADS A WEBPAGE SERVED WITH X-FRAME- OPTIONS (e.g. TWITTER) 4. ATTACKER TRICKS VICTIM TO CLICK ON A GIVEN LINK/BUTTON 5. PAGE IS LISTENING ON MOUSE MOVES 6. AS SOON AS THE MOUSE IS HOVERING ON THE BUTTON, WINDOW IS CLOSED 7. IF TIMING IS APPROPRIATE THERE GOOD CHANCES THE VICTIM CLICKS ON THE UNDERLYING POPUNDER
  • 33. MALICIOUSDOWNLOADPRO BLOCKING ACCESS TO MALICIOUS URLS&FILES BEFORE L FUNCTIONAL COMPONENTS: 1 2 3
  • 34. IMPLEMENTATIONS SAFEBROWSING SMARTSCREENFILTER IE EFFECTIVENESS MALWARE URL RESPONSE TIM CHARTS FROM NSS LABS REPORT 2012
  • 35. SMARTSCREENFILTER<App> <FName>U2FtZUdhbWUuZXhl</FName> <FHash>d3ff5939726c9f8fa6e514fb65eb470 a1f9ec7a65b2706732a03749226c25 20</FHash> <Sig>0</Sig> <Sz>45056</Sz> <M>1</M> <SR>100</SR> </App> IP “ URL “ FILE HASH (SHA256) “ FILENAME (BASE64) • SIGNING CERTIFICATE (if available) INPUT:  BLACKLISTE D REPUTATION FAILURE  SUCCEDEED OUTPUT: BAR COLOR CHANGES ACCORDING TO THE SIGNING CERTIFICATE + CHECK RESULT
  • 36. (NOTSO)SMARTSCREENFIL REPUTATION CHECK IS NOT 100% RELIABLE , MORE THAN 20% SAMPLES ON http://minotauranalysis.com/exet weet/default.aspx WILL PASS THROUGH RESPONSE TIME FOR CATCHING NEW EXECUTABLE SAMPLES ALLOWS FOR EASY BYPASS IN THE FIRST PUBLISHING DAYS WHEN DEALING WITH SIGNED APPLICATIONS, SMASCREEN WILL ONLY LOOK AT CERTIFICATE REPUTATION AND NOT TO THE APPLICATION ITSELF: 1. STEAL A STANDARD CERTIFICATE WITH A GOOD REPUTATION (ASK DIGINOTAR…) 2. BUY AN EV CERTIFICATE AND GAIN REPUTATION! ‘’NEWLY PUBLISHED EXECUTABLES SIGNED WITH AN EV CERTIFICATE WILL IMMEDIATELY ESTABLISH A GOOD REPUTATION EVEN IF NO PRIOR REPUTATION EXISTS’’ INTERNET CONNECTION NEEDED FOR PERFORMING THE CHECK (more on this later…)
  • 37. ONEKEYATTACKONSTEROID 1 (MITM SCENARIO) 2 X 1. ATTACKER SETS UP A FREE ACCESS POI 2. BLOCKS COMMUNICATIONS TO SMARTS 3. RESULT IS: 4. TRICK VICTIM TO TYPE ‚R‛ KEY ONCE A 5. ARBITRARY CODE EXECU
  • 38. STEROIDSUNCOVERED WHEN THE FIRST ‘’R’’ IS PRESSED SMARTSCREEN CHECK IS TRIGGERED AFTER THE CHECK THIS BAR IS SHOWED 2 3 TRICK A VICTIM TO TYPE A CAPTCHA CONTAINING ‘’R’’ +’’TAB’’+’’R’’ KEYS… 9 -10 1 PRESS ‘’TAB’’ THEN ‘’R’’ 4
  • 39. USERACCESSCONTROL ONLY TRIGGERED WHEN ADMINISTRATIVE PRIVILEGES AR YOU CANNOT BYPASS THAT. FULL STOP. DO YOU REALLY NEED THAT FOR CAUSING SERIOUS TROU
  • 41. LET’SSUMUP ONE KEY*/ONE CLICK ONE KEY/ONE CLICK ONE KEY/ONE CLICK ONE CLICK ONE CLICK ONE CLICK ONE CLICK CODE EXEC PLUGIN/ACTIVEX HTML5 APIS ONE CLICK * ARBITRARY CODE EXECUTION IN MITM SCENARIO
  • 42. SOME PROPOSALS 1. NOTIFICATIONS ON BACKGROUND WINDOWS ARE USELESS (AT BEST). SHOW THE NOTIFICATION AFTER SOME SECONDS SINCE THE NAVIGATION WINDOW HAS REGAINED FOCUS 2. DISABLE TAB KEY IN THE NOTIFICATION BARS, JUST USE THE MOUSE. IF YOU ARE CONCERNED ABOUT ACCESSIBILITY ENABLE MORE COMPLEX KEYBOARD SHORTCUTS IN ORDER TO LIMIT THE CHANCE OF BEING SOCIAL ENGINEREED 3. SOME SENSITIVE NOTIFICATIONS (E.G. FILE DOWNLOADING) SHOULD BE EVER KEPT IN A STATIC FRAME OF THE CHROME, NOT BOUND TO NAVIGATION WINDOW 4. BROWSER INITIATED SWITCHES BETWEEN WINDOWS OF DIFFERENT DOMAINS SHOULD BE COMBINED WITH A GRAPHICAL EFFECT (e.g. fading, etc) IN ORDER TO GIVE USERS ADEQUATE REACTION TIME
  • 43. CONCLUSIONS 1. THE BROWSERS SHIFT FROM MODAL TO MODELESS NOTIFICATIONS IS STILL NOT MATURE AND IMPLEMENTATIONS SUFFER FROM CRITICAL ISSUES 2. TWO TECHNIQUES ALLOW FOR STEALTH REMOTE CODE EXECUTION WITH MINIMUM USER INTERACTION ( ONE KEY or ONE CLICK) 3. THE EASY WAY IS BY FAR THE MOST EXPLOITED IN THE WILD: PAY GREATER ATTENTION TO USER