This document summarizes a presentation about improving web vulnerability scanning. It discusses:
1. Current web vulnerability scanners are based on HTTP libraries and don't support JavaScript-rich applications well. Authenticated scanning is also challenging.
2. The presenter proposes replacing the HTTP library with a Webkit engine to gain full support for JavaScript, AJAX, redirects, and other modern web features. This would reduce code and better simulate human user behavior.
3. Scaling the Webkit approach requires solving challenges like multithreading, exploiting vulnerabilities, distributed scanning in the cloud, and improved reporting. Mastering authentication is also a priority area discussed in the presentation.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto. (Krzysztof Kotowicz)
Krzysztof Kotowicz gave a talk at Hack in Paris in June 2014 about lessons learned from trusting JavaScript cryptography. He discussed the history of skepticism around JS crypto due to language weaknesses like implicit type coercion and lack of exceptions. He then analyzed real-world vulnerabilities in JS crypto libraries like Cryptocat that exploited these issues, as well as web-specific issues like cross-site scripting. Finally, he argued that while the JS language has flaws, developers can still implement crypto securely through practices like strict mode, type checking, and defense-in-depth against web vulnerabilities.
Dev and Blind - Attacking the weakest Link in IT Security (Mario Heiderich)
The developer is an easy and valuable target for malicious minds. The reasons for that are numerous and hard to come by. This talk delivers examples, proof, discussion and awkward moments in a pretty special way.
Everybody hates developers – especially web developers. And why not? The cracks and crevices of their APIs and implementations are the reason that vulnerabilities in web applications are still a widespread issue – and will continue to be in the foreseeable future.
Bashing and blaming them for their wrongdoings is fun – boy, they are stupid in their mistakes! But has anyone ever dared to have an open on-stage battle with an actual developer?
And who of the developers dares to face their collective nemesis – the attacker? Can there be life where matter and anti-matter collide? We will know about this soon – because this is what this talk is going to be about. Developer versus attacker – vulnerability versus defense. Be prepared for swearing, violence and people leaving the stage prematurely in tears.
This document discusses finding vulnerabilities in SWF (Flash) files. It begins with an introduction to embedding SWF files in HTML and ActionScript versions. It then covers strategies for finding SWF files on websites, as well as types of issues like XSS, data hijacking, and information disclosure. The document provides details on tools for automated and manual testing of SWF files, such as decompiling files, identifying input parameters and sinks, and techniques for bypassing protections.
This document provides an overview of HTML5 including its history, current status, implementation in browsers, and both benefits and security issues. It discusses how HTML5 aims to simplify and enhance usability but also introduces new vulnerabilities, because its dynamic nature forces rapid implementation. While HTML5 enables rich content and interactivity, its inconsistencies and evolving specifications, combined with a rush for browser support, have resulted in buggy websites and the potential for attacks like hijacking forms, stealing data, and bypassing security restrictions.
Security Best Practices for Bot Builders (Max Feldman)
This document provides security best practices for bot builders. It discusses common web application vulnerabilities like injection, broken authentication, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, missing function level access control, cross-site request forgery, using components with known vulnerabilities, and underprotected APIs. The document uses an example of building a task management app to demonstrate how to find and prevent these vulnerabilities, emphasizing that user input should not be trusted and the principle of least privilege. Key takeaways are to design securely from the beginning, limit permissions to the minimum required, and think about how an attacker could abuse systems. Helpful security resources are also provided.
Slides of my talk at RuxCon 2013:
For those who do not listen to Mayhem and black metal, the talk title might seem a bit weird, and I can't blame you.

You know the boundaries of the Same Origin Policy, you know SQL injection and time-delays, you know BeEF. You also know that when sending cross-domain XHRs you can still monitor the timing of the response: you might want to infer 0 or 1 bits depending on whether the response was delayed or not.

This means it's possible to exploit every kind of SQL injection, blind or not blind, through a hooked browser, if you can inject a time-delay and monitor the response timing. You don't need a 0day or a particular SOP bypass to do this, and it works in every browser.

The potential of being faster than a normal single-host multi-threaded SQLi dumper will be explored. Two experiments will be shown: WebWorkers as well as multiple synched hooked browsers, which split the workload, communicating partial results to a central server.

A pure JavaScript approach will be exclusively presented during this talk, including live demos. Such an approach would work for both internet-facing targets as well as applications available in the intranet of the hooked browser.

The talk will finish by discussing the implications of such an approach in terms of Incident Response and Forensics, showing evidence of a very small footprint.
I thought you were my friend - Malicious Markup (Mario Heiderich)
The document is a transcript from a talk given by Mario Heiderich at the CONFidence 2009 conference. It discusses various ways that malicious code can be embedded in markup and exploited by browsers, including through techniques like inline SVG, XML namespaces, XUL artifacts, and more. It provides examples of actual malicious code and encourages awareness of legacy browser vulnerabilities as new web standards are developed.
The document discusses security issues with AngularJS and summarizes four general attack vectors:
A1: Attacking the AngularJS sandbox by bypassing restrictions on dangerous objects and methods. Early versions had trivial bypasses but later versions required more creative techniques.
A2: Attacking the AngularJS sanitizer, which aims to sanitize HTML strings and remove XSS attacks. There were issues with both an older sanitizer version and the current version.
A3: Attacking the Content Security Policy (CSP) mode in AngularJS.
A4: Attacking vulnerabilities directly in the AngularJS codebase through techniques like sandbox bypasses.
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-... (Mario Heiderich)
The clipboard is one of the most commonly used tools across operating systems, window managers and devices. Pressing Ctrl-C and Ctrl-V has become so fundamentally important to productivity and usability that we cannot get rid of it anymore. We happily and often thoughtlessly copy things from one source and paste them into another. URLs into address-bars, lengthy commands into console windows, text segments into web editors and mail interfaces. And we never worry about security when doing so. Because what could possibly go wrong, right?
But have we ever asked ourselves what the clipboard content actually consists of? Do we really know what it contains? And are we aware of the consequences a thoughtless copy&paste interaction can have? Who else can control the contents of the clipboard? Is it really just us doing Ctrl-C, or are there other forces in the realm who are able to infect what we believe to be clean, who can desecrate what we trust so blindly that we never question or observe it?
This talk is about the clipboard and the technical details behind it. How it works, what it really contains – and who can influence its complex range of contents. We will learn about a new breed of targeted attacks, including cross-application XSS from PDF, ODT, DOC and XPS that allow stealing website accounts faster than you can click, turn your Excel sheet into a monster, and learn about ways to smuggle creepy payloads that stay hidden from sight until they execute. Oh, and we'll also see what can be done about that and what defensive measures we have managed to create so far.
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ... (Mario Heiderich)
This document discusses using ES5 capabilities to help mitigate cross-site scripting (XSS) vulnerabilities. It summarizes the history of JavaScript and XSS, current approaches to mitigation, and limitations. It then proposes using ES5 features like Object.defineProperty to prohibit unauthorized access to DOM properties and add monitoring of property access. This could enable intrusion detection and role-based access control without impedance mismatches. Examples show freezing DOM objects to prevent tampering. Limitations include blacklisting and compatibility issues, but the approach aims to detect and prevent XSS at the client level without server-side filtering.
This document summarizes recent trends in web application security vulnerabilities. Client-side attacks like XSS remain prominent along with emerging threats involving mobile and cloud technologies. Old vulnerabilities persist in widely used software like PHP and Apache. The growth of IoT and "smart" devices introduces many new insecure products. Overall, new technologies are often released without security testing, while older software houses long-standing flaws. The document concludes that as applications and networks grow more complex, so too will security issues, requiring continued research and vigilance.
Web framework selection is not an easy task: it requires solid criteria to make sense of the amazing diversity of development options and to put blinking, colorful demos in their proper place.
The document discusses security considerations for HTML5. It notes that while HTML5 specifications are not inherently flawed, bad code can introduce new vulnerabilities. It outlines several attack vectors like XSS, history tampering, web storage manipulation, and clickjacking. It also discusses mitigations like script isolation, cross-document messaging, sandboxing, and CORS, noting their limitations. The document aims to raise awareness of the expanded client-side attack surface in HTML5.
The Image that called me - Active Content Injection with SVG Files (Mario Heiderich)
Mario Heiderich gave a presentation on active content injection using SVG files. He discussed how SVG files are XML-based and support scripting, allowing execution of JavaScript. This enables security issues like XSS. Browser implementations of SVG are inconsistent, with different levels of script support depending on how SVG files are deployed (inline, via <img>, etc.). The exploits discussed included SVG vulnerabilities in Firefox, Opera, and Chromium. Defense is difficult due to a lack of documentation and filters, and new vectors are found weekly. Proposed future work included an SVG purifier and raising awareness of the issues.
Scriptless Attacks - Stealing the Pie without touching the Sill (Mario Heiderich)
- The document discusses scriptless attacks that can bypass traditional XSS defenses like NoScript and XSS filters by leveraging new HTML5 and CSS features.
- It presents several proof-of-concept attacks including using CSS to steal passwords, using SVG fonts to brute force CSRF tokens, and using custom fonts to leak sensitive information like passwords without using JavaScript.
- The attacks demonstrate that even without scripting, features in HTML5 and CSS can be abused to conduct traditional XSS attacks and undermine security defenses, so more work is needed to protect against side-channels and unwanted data leakage from the browser.
The document discusses the history and development of the Document Object Model (DOM) from its early implementations in 1995 to modern standards. It outlines key milestones like DOM Level 1 in 1998, the rise of JavaScript frameworks like Prototype, jQuery and MooTools in 2005-2006, and ongoing work by the W3C and WHATWG. The talk will explore security issues that can arise from the DOM's ability to convert strings to executable code and demonstrate an attack technique called DOM clobbering.
The document provides an overview of a JavaScript crash course, including topics that will be covered such as core language syntax, strings, regular expressions, functions, and objects. It also advertises customized Java EE training courses developed and taught by Marty Hall on various technologies including servlets, JSP, JSF, Struts, Ajax, GWT, Spring and more. The training is available both at public venues and customized on-site versions at organizations.
This document provides information about the Google Chrome web browser, including its version number, what it is, why it should be used, how it compares to other browsers, and summaries of vulnerabilities found in it and other browsers like Firefox. It describes things like Chrome being open source, lightweight, having integrated Google search, and being fast. It also outlines exploits like remote code execution via malicious URLs or automatic file downloads without prompts.
The document provides an overview of secure web messaging in HTML5. It discusses how traditional methods of communication like JavaScript, AJAX, and frames had limitations due to the same-origin policy. The HTML5 postMessage API allows for secure cross-origin communication between frames by abstracting multiple principals. While more secure than previous techniques, the postMessage API still requires careful configuration of target origins, validation of received data, and mitigation of framing attacks to prevent security issues like cross-site scripting.
Some old and new tips, tricks and tools for rapid web application security assessment (black and white box). They are useful in various situations: pentests with very limited time or huge scope, competitions, bug bounty programs, etc.
Polyglot payloads in practice by avlidienbrunn at HackPra (Mathias Karlsson)
A lecture/talk describing how to build and use polyglot payloads for finding vulnerabilities in web applications that traditional payloads can't.
Here's the last slide: http://www.slideshare.net/MathiasKarlsson2/final-slide-36636479
This document discusses security challenges with web applications that combine content from multiple sources (mashups). It covers how the same-origin policy isolates origins but exempts scripts, allowing cross-site scripting attacks. Frame-based communication and the postMessage API provide secure cross-origin messaging capabilities. The document recommends sandboxing iframes and using features like CORS to mitigate risks in mashups.
Often, web developers keep hearing about "Same Origin Policy (SOP)" of browsers but live with half-knowledge or with several confusions. This session attempts to clear the misconceptions of SOP.
- The document is a presentation on Ajax given by Alex Russell that covers what Ajax is, how it works, when it should and should not be used, tools for Ajax development, debugging techniques, and the future of Ajax and the open web.
- It includes examples of building an auto-save feature with Ajax using plain JavaScript, Prototype, and Dojo and discusses language features of JavaScript.
- The presentation aims to provide enough knowledge and code examples to get started with Ajax development while addressing open web standards and browser compatibility.
Hacking Vulnerable Websites to Bypass Firewalls (Netsparker)
These slides were used by our security researcher Sven Morgenroth during the live demo of how to hack web applications and bypass firewalls. You can watch the live demo here: https://www.netsparker.com/blog/web-security/vulnerable-web-applications-developers-target/#livedemo
External JavaScript Widget Development Best Practices (updated) (v.1.1) (Volkan Özçelik)
The document discusses best practices for developing JavaScript widgets. It covers challenges like versioning, cross-domain restrictions, cookies, security, and performance. Versioning can be handled through URL parameters or initializing with a version number. Cross-domain issues can be addressed using techniques like CORS, postMessage, or JSONP. Security requires sanitizing inputs, whitelisting domains, and handling risks like XSS and CSRF. Performance involves minimizing payload size and network requests.
This document discusses best practices for developing JavaScript widgets. It begins by introducing widgets and their types, then discusses challenges like versioning, cross-domain restrictions, shared environments, and security. It provides recommendations for handling these challenges, such as using cache-revalidating scripts for versioning, cross-domain messaging for communication, and sanitization for security. The document concludes by addressing widget performance, emphasizing minimizing payload size, lazy loading, and yielding to avoid blocking.
Sergey Chernyshev presents about reducing the harm caused by these tools and best practices for consumers as well as creators of such 3rd party content.
Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. It allows JavaScript to be run on the server-side and is well-suited for real-time, event-driven applications due to its asynchronous and non-blocking I/O model. It was created in 2009 by Ryan Dahl who was frustrated by the limitations of JavaScript in the server-side. Node.js uses an event loop that handles asynchronous callbacks and a single thread model to achieve scalable performance. Many large companies like Uber, LinkedIn, and Netflix use Node.js for applications that require real-time features or high throughput.
This document discusses the JavaScript library Prototype and how it can be used to build dynamic user interfaces with Ajax techniques. It provides an overview of Prototype's features for simplifying Ajax calls, enhancing DOM manipulation, adding visual effects, and debugging JavaScript across browsers. The document promotes Prototype as a way to focus on applications rather than browser bugs and contains links to documentation, extensions, and debugging tools to support Prototype development.
This document discusses the JavaScript library Prototype and how it can be used to build dynamic user interfaces with Ajax techniques. It provides an overview of Prototype's features for simplifying Ajax calls, enhancing DOM manipulation, adding visual effects, and debugging JavaScript across browsers. The document promotes Prototype as a way to focus on applications rather than browser bugs and contains links to documentation, extensions, and debugging tools to support Prototype development.
Abusing bleeding edge web standards for appsec gloryPriyanka Aash
"Through cooperation between browser vendors and standards bodies in the recent past, numerous standards have been created to enforce stronger client-side control for web applications. As web appsec practitioners continue to shift from mitigating vulnerabilities to implementing proactive controls, each new standard adds another layer of defense for attack patterns previously accepted as risks. With the most basic controls complete, attention is shifting toward mitigating more complex threats. As a result of the drive to control for these threats client-side, standards such as SubResource Integrity (SRI), Content Security Policy (CSP), and HTTP Public Key Pinning (HPKP) carry larger implementation risks than others such as HTTP Strict Transport Security (HSTS). Builders supporting legacy applications actively make trade-offs between implementing the latest standards versus accepting risks simply because of the increased risks newer web standards pose.
In this talk, we'll strictly explore the risks posed by SRI, CSP, and HPKP; demonstrate effective mitigation strategies and compromises which may make these standards more accessible to builders and defenders supporting legacy applications; as well as examine emergent properties of standards such as HPKP to cover previously unforeseen scenarios. As a bonus for the breakers, we'll explore and demonstrate exploitations of the emergent risks in these more volatile standards, to include multiple vulnerabilities uncovered quite literally during our research for this talk (which will hopefully be mitigated by d-day)."
(Source: Black Hat USA 2016, Las Vegas)
PrairieDevCon 2014 - Web Doesn't Mean Slowdmethvin
Web sites can be fast and responsive once you understand the process web browsers use to load and run web pages. We'll look at using tools like WebPageTest to analyze and optimize web pages.
Influx/Days 2017 San Francisco | Emily NakashimaInfluxData
WHAT YOUR JAVASCRIPT DOES WHEN YOU’RE NOT AROUND
As client-side app frameworks like React keep growing more popular, we’re shipping more and more application logic out to users’ browsers. But we don’t always know much about what happens to it after we send it out to the client. This talk will take you on a fast-paced tour of all the strange cases we’ve seen in browsers in the wild, from overseas proxy sites to rogue browser extensions to console-hacking customers with a sense of humor. Finally, we’ll talk about how to cut the noise and focus on minimum viable instrumentation to have visibility into the things that really matter to your users’ experience.
The document summarizes a talk given at Toorcon Seattle 2011 about cross-site scripting (XSS) vulnerabilities in desktop applications that use HTML, JavaScript and CSS for their user interfaces. The speaker demonstrates how XSS payloads can exploit Skype to inject content from other sites and access local files, since desktop apps do not enforce the same origin policy in the same way web browsers do. He urges testing applications like Skype, Adium and iChat that embed web technologies for similar vulnerabilities.
Security research over Windows #defcon chinaPeter Hlavaty
Past several years Microsoft Windows undergo lot of fundamental security changes. Where one can argue still imperfect and bound to tons of legacy issues, on the other hand those changes made important shifts in attacker perspective. From tightened sandboxing, restricting attack surface, introducing mitigations, applying virtualization up to stronger focus even on win32k. In our talk we will go trough those changes, how it affects us and how we tackle them from choosing targets, finding bugs up to exploitation primitives we are using. While also empathize that windows research is not only about sandbox, and there are many more interesting target to look for.
This document introduces PHP and MySQL for dynamic web development. PHP is an open-source scripting language suited for web development that can generate HTML code on the server. MySQL is a popular open-source database management system. PHP and MySQL allow websites to be responsive and malleable by connecting to databases and generating customized HTML based on user inputs or database contents. Examples of dynamic websites that use these technologies include WordPress, Shopify, Facebook, and interactive data visualization projects.
TSC Summit #4 - Howto get browser persitence and remote execution (JS)Mikal Villa
A simple PoC shown how insecure random http proxies are. And how easy you can trick people into traps.
Disclaimer: No data collected under the PoC was saved after the presentation, and everything was removed from the user browsers without any harm or stealing of information or any criminal activity at all.
The document discusses various topics related to web development including Java principles, Spring frameworks, PHP, high-load web applications, mobile backend as a service (mBaas), web frameworks, Java web development frameworks like JSF and GWT, rendering on the server-side vs client-side, distribution of work between designers and developers, web browsers and their support for HTML5 and CSS3, programming languages, GUI frameworks, AngularJS, testing tools like JUnit, and build tools like Maven, Ant, and Ivy.
JavaScript is the most widely used language cross platforms. This talk will analyze the security concerns from past to present with a peek to the future of this important language. This talk was presented as Keynote at CyberCamp Espana 2014.
The document discusses the state of JavaScript and opportunities for its responsible use. It encourages learning JavaScript properly rather than copying code without understanding. It argues against workarounds for browser issues and urges focusing on standards compliance. Updating tools and libraries, removing legacy code, and embracing modern JavaScript features like those in ES6 can help address past issues and enable further innovation on the web.
Why and How You Should Move from PHP to Node.jsBrainhub
As presented at DevDuck #1 - JavaScript meetup for developers (www.devduck.pl)
Why and How You Should Move from PHP to Node.js?
Advantages and Disadvantages of both - PHP and Node.js. Everything what you need to know while changing your tech stack to Node.js
Similar to Defcon 20-zulla-improving-web-vulnerability-scanning (20)
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
20 Comprehensive Checklist of Designing and Developing a WebsitePixlogix Infotech
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Building RAG with self-deployed Milvus vector database and Snowpark Container...Zilliz
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
2. Introduction: Hey!
■ Hi there!
■ I’m Dan. This is my first year at DEFCON.
■ I do programming and security start-ups.
■ I do some penetration testing as well.
3. More Introduction
■ Today I’m going to talk about vulnerability scanning
■ Primarily on the web
■ “The cloud” is involved as well
■ Network security too
■ I’ll show some things, so there is plenty of demo time
■ Have fun, thanks for being here!
4. Some Facts
■ There are a lot of web vulnerability scanners, fuzzers and penetration testing tools out there already
■ Some of them work, some of them do not
■ But basically all of them have one thing in common: they actually don’t attack web applications on the application layer
■ They mostly fuzz HTTP and sometimes perform injection attacks
5. Some more facts
■ The fundamental design of web scanners has not changed in over a decade
■ But: the web has changed.
■ So there seems to be a problem.
6. Software Architecture: What web vulnerability scanners and fuzzers look like
(Diagram: The Core, built on an HTTP library with multithreading/forking and an output engine, surrounded by its plugins: RXSS, PXSS, SQL, BSQLI, LFI, RFI, EVAL, OSC, [...])
7. A pentester’s point of view
■ Javascript/Ajax rich applications are still not supported
■ Authenticated scanning is still incredibly challenging / not reliable
■ Exploitation techniques are mostly poor
■ “I don’t know which scanner will work for foo.com and which one for bar.com, so I use toolchains”
8. A developer’s point of view
Pentester (left column, repeated from slide 7):
■ Javascript/Ajax rich applications are still not supported
■ Authenticated scanning is still incredibly challenging / not reliable
■ Exploitation techniques are mostly poor
■ “I don’t know which scanner will work for foo.com and which one for bar.com, so I use toolchains”
Developer (right column):
■ HTTP libraries don’t support JS - scanners are based on an HTTP library
■ Web logins are not standardized - so how should they be detected?
■ No time for exploits (already spent 100000 lines [and nights] of code making the crawler immune to encoding issues, malformed HTML, redirects and binary content!)
■ A false positive is better than a false negative
9. How I see it
■ Both of them are right.
■ The web is a mess. Nobody cares about RFCs anymore. (Especially these SEO guys!)
■ 10 years ago, you would have expected a query string at the end of a URL, like https://foo.com/xxx/yyy?foo=bar
■ Nowadays, https://foo.com/something.ext/foo/bar is good practice
■ The result: it’s incredibly hard for scanner developers to figure out the dynamic components of an HTTP request. Because of that, we feel overwhelmed and fuzz nearly everything:
■ Header keys, header values, VHost, cookie, method, path, version, ...
10. How I see it
■ Fuzzing HTTP is incredibly important. You never know if you are talking to an apache2, nginx or some hidden application server upstream
■ But it has nothing to do with web vulnerability scanning
■ So - developers are struggling with websites because they use HTTP to crawl and attack them. Things like Flash, images and JavaScript seem to be an unsolvable problem
■ Redirects are hard to handle sometimes (wait, there is more)
■ JavaScript redirects (after 10 seconds!) and of course: onmouseover, onclick, onfocus, ...
■ Flash isn’t helpful either
11. Web 2.0
■ But - WE DO SECURITY
■ Is it really our job to make sure that our software executed all the JS and grabbed all the links?
■ When we spend 100 hours on the crawler and 5 hours on the actual payloads (that’s how it looks right now), something, somewhere, went terribly wrong
■ So - is there an (open source?) piece of software that we could use instead of the HTTP library? Something that has proven its mastery in handling unpredictably broken web content already? There is.
14. Software Architecture: What it should look like
(Diagram: The Front-End, The Core on top of an HTTP library, a Reporting Engine and The Exploitation Engine, plus the plugins: RXSS, PXSS, SQL, BSQLI, LFI, RFI, EVAL, OSC, [...])
15. Changes? Improvements?
■ Replacing the HTTP library with a WebKit engine
■ Less code (a lot less code)
■ 100% support for JS/Ajax/broken HTML/JS events/crazy redirects and all kinds of things
■ The ability to simulate human user behaviour
■ CSS renderings (two text fields beside each other, 10px apart, and one of them is an input[type=password]) - may be a login!
16. Making it scale (heavily)
■ WebKit is slow (website rendering, executing JS, ... - compared to speaking plaintext HTTP)
■ Downloading images is slow
■ Waiting for delayed JS events is slow
■ Flash is even slower
17. Making it scale (heavily): Bad news: Qt / PyQt / PySide
■ QtWebKit does not support multithreading
■ It tends to SEGFAULT from time to time :(
■ Multiple QApplication instances are almost impossible to handle in one Python namespace
18. Making it scale (heavily): Good news: Building a preforking TCP server
■ Spawning a pool of processes works quite well (one QApplication + one browser instance per process)
■ Simultaneous downloads
■ Better accessibility inside the scanner (multiprocessing inside loops to increase performance)
20. Mastering Authentication
■ There is no such thing as a standardized web login
■ Basically, everybody develops access control on the web slightly differently
■ You can try to detect them by the name/id of the attributes, but that is not reliable
■ But in the end, web logins generally have a few things in common that make them easily detectable. At least for our browser engine
23. Mastering Authentication: Geometry!
Usually, the two visible text fields are under(), next_to() or at least near(radius=10px) each other.
(Diagram: two fields stacked vertically share the left edge, X1 = X2; two fields side by side share the top edge, Y1 = Y2)
24. Mastering Authentication
■ That was easy!
■ The common way to solve that problem is to iterate through a wordlist (login, auth, signin, [...]) while checking the input[id] and input[name] attributes
■ That’s not necessarily wrong or bad practice
■ After putting the pieces together:
■ .login(“username”, “password”)
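The geometry heuristic from slides 15, 23 and 24, worked through as an added example (not the talk's own code): the Input records are constructed stand-ins for the rendered boxes a WebKit engine would report for each `<input>`, and under(), next_to(), near() and the wordlist are assumed names modelled on the slides.

```python
"""Login-form detection by geometry, with the slide-24 attribute wordlist only
as a tie-breaker.  Added example; the talk's scanner code is not on the page,
and the Input records below are constructed stand-ins for rendered <input>
boxes (CSS px) as a WebKit engine would report them."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOGIN_WORDS = ("login", "auth", "signin", "user", "email", "pass")
TEXT_TYPES = ("text", "email", "tel", "")   # "" = <input> without a type attribute


@dataclass
class Input:
    input_type: str
    name: str
    dom_id: str
    x: float            # left edge of the rendered box
    y: float            # top edge
    w: float
    h: float
    visible: bool = True   # display:none / type=hidden never count


def _gaps(a: Input, b: Input) -> Tuple[float, float]:
    """Horizontal and vertical distance between two boxes (0 when they overlap)."""
    dx = max(0.0, max(a.x, b.x) - min(a.x + a.w, b.x + b.w))
    dy = max(0.0, max(a.y, b.y) - min(a.y + a.h, b.y + b.h))
    return dx, dy


def under(a: Input, b: Input, radius: float) -> bool:
    """Same column (X1 = X2) and stacked within `radius` px of each other."""
    return abs(a.x - b.x) <= radius and _gaps(a, b)[1] <= radius


def next_to(a: Input, b: Input, radius: float) -> bool:
    """Same row (Y1 = Y2) and side by side within `radius` px of each other."""
    return abs(a.y - b.y) <= radius and _gaps(a, b)[0] <= radius


def near(a: Input, b: Input, radius: float) -> bool:
    """Boxes closer than `radius` px in any direction (the weakest signal)."""
    dx, dy = _gaps(a, b)
    return (dx * dx + dy * dy) ** 0.5 <= radius


def wordlist_hit(el: Input) -> bool:
    attrs = f"{el.name} {el.dom_id}".lower()
    return any(word in attrs for word in LOGIN_WORDS)


def find_login_pair(inputs: List[Input], radius: float = 10.0) -> Optional[Tuple[Input, Input]]:
    """Return (username_field, password_field) for the most likely login form.

    A candidate is one visible text-like field plus one visible
    input[type=password] that are under(), next_to() or near() each other;
    geometry decides and the attribute wordlist only breaks ties."""
    texts = [i for i in inputs if i.visible and i.input_type in TEXT_TYPES]
    passwords = [i for i in inputs if i.visible and i.input_type == "password"]
    best = None
    for pw in passwords:
        for txt in texts:
            if under(txt, pw, radius) or next_to(txt, pw, radius):
                score = 3
            elif near(txt, pw, radius):
                score = 2
            else:
                continue
            if wordlist_hit(txt) or wordlist_hit(pw):
                score += 1
            if best is None or score > best[0]:
                best = (score, txt, pw)
    return None if best is None else (best[1], best[2])


def login_pair_ids(inputs: List[Input], radius: float = 10.0) -> Optional[Tuple[str, str]]:
    pair = find_login_pair(inputs, radius)
    return None if pair is None else (pair[0].dom_id, pair[1].dom_id)


# Constructed page: a search box, a hidden CSRF token, an obfuscated login form
# (names f1/f2, so the wordlist alone would miss it) and a newsletter box far away.
SAMPLE_PAGE = [
    Input("text", "q", "search", 600, 10, 200, 30),
    Input("hidden", "csrf", "csrf", 0, 0, 0, 0, visible=False),
    Input("text", "f1", "f1", 100, 200, 200, 30),
    Input("password", "f2", "f2", 100, 240, 200, 30),   # 10 px under f1
    Input("email", "nl", "newsletter", 100, 900, 200, 30),
]

if __name__ == "__main__":
    print(login_pair_ids(SAMPLE_PAGE))   # ('f1', 'f2')
```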
25. Mastering Authentication: Demo Time
■ Proof of Concept 1: Twitter (some JavaScript)
■ Proof of Concept 2: Facebook (more JavaScript)
■ Proof of Concept 3: Google Plus (most JavaScript + browser hacks)
26. Mastering Authentication: When we are signed in
■ New problems occur: how can we let the scanner check if we are indeed signed in?
■ Common practice: looking for a /logout/i string
■ The problem: inefficient, and likely to cause false positives
■ There has to be a better way:
■ Introducing “Strategies”
29. Strategy.Authentication: Step 3: Going in: .login(“..”, “..”)
■ Verifying valid credentials - the behaviour should not be similar to the behaviour of an invalid login
30. Strategy.Authentication: Step 4: Going out: .logout()
■ Doing similar work again for a .logout() function seems obsolete
■ But it really isn’t.
■ It is the basis for an .is_still_loggedin() function
■ Which is really important to stay logged in during crawling
■ And if the scanner logged itself out, it can simply .login() again
■ That’s cool. :-)
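The Strategy.Authentication steps from slides 26, 29 and 30 as an added example, not code from the talk: DemoSite is a constructed in-memory stand-in for a site driven through the browser engine, and the fingerprint comparison is this example's way of making a valid login behave measurably differently from an invalid one.

```python
"""Deciding whether the scanner is signed in by comparing page behaviour with a
recorded baseline instead of grepping for /logout/i.  Added example; DemoSite
is a constructed stand-in for a real site behind a browser engine."""
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Page:
    url: str
    title: str
    has_password_field: bool
    text: str


class DemoSite:
    """Constructed stand-in: a login form, a session cookie and a home page.
    The login page text contains the word 'logout', which is exactly the case
    that defeats the /logout/i heuristic from slide 26."""
    USERS = {"alice": "correct horse"}   # constructed test credentials

    def __init__(self):
        self.cookies = {}       # what the engine's cookie jar holds
        self.sessions = set()   # server-side valid session ids

    def _login_page(self, msg=""):
        return Page("/login", "Sign in", True,
                    msg + " Tip: always logout when using a shared computer.")

    def login(self, user, password):
        if self.USERS.get(user) == password:
            sid = secrets.token_hex(8)
            self.sessions.add(sid)
            self.cookies["sid"] = sid
            return self.get("/home")
        return self._login_page("Invalid credentials.")   # cookie jar untouched

    def get(self, path):
        if self.cookies.get("sid") in self.sessions:
            return Page("/home", "Dashboard", False, "Hello alice. [logout]")
        return self._login_page()

    def expire_session(self):   # simulates a server-side session timeout
        self.sessions.clear()


def naive_logged_in(page: Page) -> bool:
    """The 'common practice' from slide 26: fires on the login page too."""
    return re.search(r"logout", page.text, re.I) is not None


class AuthStrategy:
    def __init__(self, site, home="/home"):
        self.site, self.home = site, home
        self.creds = None
        self.failed_fp = None       # what an invalid login looks like
        self.signed_in_fp = None    # what a valid session looks like

    def fingerprint(self, page: Page):
        # Content-independent signals: where we ended up, whether a password
        # field is still shown, and which cookies the engine now holds.
        return (page.url, page.has_password_field, frozenset(self.site.cookies))

    def login(self, user, password) -> bool:
        # Step 3: one deliberately wrong attempt first, so that we know what
        # failure looks like on this site before judging the real attempt.
        self.failed_fp = self.fingerprint(
            self.site.login(user, "wrong-" + secrets.token_hex(4)))
        fp = self.fingerprint(self.site.login(user, password))
        if fp == self.failed_fp:
            return False   # valid credentials must behave differently
        self.creds, self.signed_in_fp = (user, password), fp
        return True

    def is_still_loggedin(self) -> bool:
        # Step 4: re-request the home page and compare with the recorded state.
        return (self.signed_in_fp is not None
                and self.fingerprint(self.site.get(self.home)) == self.signed_in_fp)

    def ensure_logged_in(self) -> bool:
        """Called from the crawl loop: log in again if the session died."""
        if self.is_still_loggedin():
            return True
        return self.login(*self.creds) if self.creds else False


def demo() -> dict:
    site, strat = DemoSite(), AuthStrategy(DemoSite.__call__.__self__ if False else None)
    strat = AuthStrategy(site)
    results = {"naive_false_positive": naive_logged_in(site.login("alice", "nope"))}
    results["login"] = strat.login("alice", "correct horse")
    results["logged_in"] = strat.is_still_loggedin()
    site.expire_session()
    results["after_expiry"] = strat.is_still_loggedin()
    results["recovered"] = strat.ensure_logged_in()
    return results


if __name__ == "__main__":
    print(demo())
```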
31. Exploitation and Privilege Escalation
■ There is a whole universe besides injection vulnerabilities
■ Usually, scanners don’t detect them
■ But they should
■ And now they can: .login(“user1”, “...”); .logout(); .login(“user2”, “...”)
■ => Demo Time: Privilege Escalation, Multi-User Systems
32. Geographically distributed scanning: Using the cloud
■ When (injection) vulnerabilities are getting complicated:
■ Scenario 1: The backend of a website creates a log entry for every new IP address. It logs the User-Agent. The log entries are kept in a SQL database. The function that creates the log entries is vulnerable: the User-Agent is injectable. The problem is:
■ It only works once. As soon as the IP is in the database, the function won’t be executed anymore :-(
■ ==> SQLMap (and every other tool) will fail.
33. Geographically distributed scanning: Using the cloud
■ But they shouldn’t!
■ The limitation is totally detectable
■ And a new IP is just as far away as a single EC2 API call
35. Combining “Strategies” and the distributed scanning
■ Introducing next generation vulnerability scanning
■ Exploiting a really amazingly hard SQL injection
■ Demo Time
36. Further Research & Additional Ideas
■ Country-specific restrictions can be bypassed in a fully automatic manner
■ (Error) messages can be parsed and interpreted: Wolfram Alpha
■ Bloom filters should be integrated
■ Other “Strategies” should be implemented (the limitations are gone)
37. More Live Demos
■ Demonstrating a logical layer beyond Authentication:
  .pay(“0000111122223333”, CVV=121, type=VISA)
  .search(“search query”)
  .sort(“DESC UNION SELECT [...]”)
■ Interpreting error messages
■ Pivoting on penetrated hosts - spawning another scanner instance
■ And finally: Reporting!