The document discusses a Layer 7 DDoS attack called an HTTP POST attack. It works by sending legitimate HTTP POST requests to a server but delivering the body slowly over an extended period, tying up server resources. This attack is more effective than the HTTP GET Slowloris attack because it sends the complete HTTP headers immediately, bypassing defenses designed for Slowloris. The attack code example shows how it generates random content lengths and sends payload bytes slowly over time to perform the DDoS attack.
Talk given at OWASP Floripa Day - Florianópolis - SC
The talk aims to present the concepts and workings of some features that were added to HTML5, taking client-side security aspects into account. For the highlighted features, attack scenarios were created to illustrate obtaining sensitive information stored in the browser, or even using the victim's browser to launch attacks against other systems. By exploiting the features present in HTML5, exploitation techniques such as XSS and CSRF become more powerful and efficient, and in some cases it is possible to circumvent some restrictions of the Same Origin Policy (SOP).
Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety. The event focuses on introducing and teaching Rust, under the theme 'Trust Rust can Entrust', to young developers and engineers who make the web better and more secure, and on training developers, students, Mozillians and budding programmers in Rust. Never wrote a single line of code in Rust? Don't worry, most of us are just starting off. The Rust programming language will be important to the future of the web, making it safe and great.
This document discusses the Python programming behind loltw.net, a website that provides League of Legends player stats and rankings. It begins with an introduction to the author and his background. It then explains what League of Legends is and how loltw.net allows users to look up player info, rankings, and stats even when not in-game. The rest of the document discusses the technical details behind building and maintaining loltw.net, including scraping player data, using Django as the web framework, MongoDB to store non-structured log data, and Twisted for network programming.
This document discusses secure file upload in PHP web applications. It begins by describing a naive file upload implementation that allows arbitrary files to be uploaded, including PHP scripts that could execute commands on the server. It then discusses various approaches to make file uploads more secure, such as verifying the content type, image file contents, and file extensions. However, it notes that an attacker can bypass these checks by manipulating the HTTP request. The document concludes by providing a reference implementation for a more secure file upload process.
"A rootkit writer's guide to defense" - Michal Purzynski (PROIDEA)
Michal will take you on a journey all the way to the 90s and back, sharing the Mozilla detection framework - a systematic way to detect and hunt down threat actors. Why did we spend hours digging through some old Phrack issues? How does a blue team member approach writing rootkits? What is better - a false negative or a false positive? I will share answers to these questions plus a lot of alerting and evil-doing code.
HTTP request smuggling involves sending malformed HTTP requests to exploit differences in how devices parse them. This allows an attacker to smuggle a request past one device without the other being aware of it. Key techniques include using multiple Content-Length headers, GET requests carrying a Content-Length, and CRLF tricks that make multiple requests appear as one. Prevention focuses on firewalls, terminating sessions after each request, disabling caching, and enforcing strict HTTP parsing.
Admins and programmers like PowerShell, and hackers like it most of all. As the native shell of Windows systems it does not draw attention, while at the same time offering enormous offensive possibilities. During the talk Paweł will present both effective one-liners and multi-line scripts that can wreak havoc in an unprepared organization. There will be interesting C2 channels, malware written entirely in PowerShell, finding and exploiting poorly configured MSSQL servers, etc. 100% substance.
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year - Jeremiah Grossman
Many notable and new Web hacking techniques have already been revealed in 2009. During his session, Jeremiah Grossman will describe the technical details of the top ten from 2009, as well as some of the prevalent security issues emerging in 2010. By attending Mr. Grossman’s session, attendees will be treated to a step-by-step guided tour of the newest threats targeting today’s corporate websites and enterprise users. With that knowledge, Mr. Grossman will then strategize what defensive solutions will have the most impact.
Mr. Grossman will begin his presentation by providing the audience with definitions of the key terms and techniques used in his session. After laying this foundation, Mr. Grossman will move on to identifying the top ten attacks in 2009, including hacks involving Rich Internet Applications, Social Networking, Cloud Computing, Mobile Web Applications, Next Generation Web Browsers and HTML 5. Mr. Grossman will briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, as well as what preventative measures can be taken.
Mr. Grossman will also stress the importance of security professionals remaining proactive and continuing to move research forward, as analysis of attacks from years past only goes so far while hackers continue to push the envelope of what's possible in the ever-changing Web security landscape.
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van... (NoNameCon)
https://cfp.nonamecon.org/nnc2020/talk/9LMJAH/
For many years, injection-based vulnerabilities such as XSS and SQL injection have dominated the web security landscape. However, as browsers and applications become increasingly complex, new vulnerability classes surface. One of these new kids on the block is XSLeaks, a vulnerability class that exploits side-channel leaks in the browser to extract information across origins. In this presentation, I will describe the various types of leaks in different browser features and the network layer, and discuss how these issues can be exploited to extract sensitive information from an unwitting victim. Furthermore, the talk will cover the numerous (new) defences that need to be adopted in order to safeguard web applications (SameSite cookies, COOP, COEP, ...), and their potential shortcomings. Finally, we will take a peek into the future, and discuss how XSLeaks will likely evolve in the coming months and years.
This document provides an overview of the basic function call flow for OpenSSL to establish a secure TCP connection. It discusses initializing the OpenSSL library, creating an SSL_CTX object, generating randomness, creating an SSL object for a connection, performing the TLS/SSL handshake, and reading and writing data over the encrypted connection. It also provides examples of OpenSSL code for a client application.
This document discusses cache poisoning attacks. It begins with an overview and introduction to web cache poisoning and related attacks like HTTP response splitting. It then provides an example of how HTTP response splitting works and can be used to conduct a cache poisoning attack by injecting malicious content. The document outlines practical considerations for both attackers in conducting such an attack and victims in preventing them, such as input validation and restricting special characters. It concludes with a bibliography of additional resources on these topics.
The document provides an overview of SSL and OpenSSL. It discusses generating keys and certificates, setting up SSL contexts, creating secure connections, reading/writing data, and handling errors. It also provides code snippets for an echo client and server. The echo server loads a certificate, sets up a listening BIO, accepts connections, and performs handshakes. The handshake process involves a client sending a "hello" message and the server responding with its own parameters to establish encryption.
The document discusses various HTTP security headers and their purposes. It provides descriptions and examples of HTTP Strict-Transport-Security (HSTS), X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, and Content-Security-Policy-Report-Only headers. It also discusses limitations and recommendations for using these headers to strengthen security.
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir... (PROIDEA)
This document discusses attacking web servers by abusing runtime configuration files like .htaccess in Apache. It begins by providing background on htshells, a tool for creating web shells using runtime configuration. It then explains how runtime configuration works and can be used to change server behavior. Several attacks are described like information disclosure, command execution, and authentication bypass. Methods for placing files on servers like file uploads and XXE are also covered. The document concludes by discussing detection and defense techniques as well as updating htshells for newer techniques.
The document provides instructions for setting up a lab environment to practice HTML5 hacking techniques. It includes details on installing VirtualBox and shared folders, as well as IP addresses to use for the "localvictim" and "evil" servers. The remainder of the document outlines a plan to cover various HTML5-related attacks, including bypassing the same-origin policy, exploiting XSS vectors in HTML5, attacking with cross-origin resource sharing and web messaging, targeting client-side storage, and using web sockets. Disclaimers are provided about the practical nature of the workshops and limited time.
Web cache poisoning involves exploiting how web caches store and retrieve cached responses. By manipulating request headers, an attacker can poison caches to store malicious responses that are then served to other users. The document discusses various real-world examples where cache poisoning was used, such as hijacking open graph metadata on Facebook. It also provides defenses like avoiding the use of caching or including all request headers in cache keys.
The Security library in VisualWorks went through sweeping changes recently. The main change is replacing native Smalltalk implementations of various cryptographic algorithms with pluggable interfaces to external libraries, together with a complete rewrite of the SSL implementation to support all current versions of the protocol (SSL 3.0 and TLS 1.0, 1.1 and 1.2). Introducing dependencies on external libraries can complicate deployment; however, the resulting pluggability of implementation and the performance boost we get in exchange should more than pay off by widening the scope of potential applications, where the purely native implementation was simply not acceptable. In this talk we will survey these changes and discuss their impact and backward compatibility implications.
- CORS (Cross-Origin Resource Sharing) allows resources on a web page to be requested from another domain outside the domain from which the first resource was served.
- CORS uses additional HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin.
- Developer mistakes can lead to security vulnerabilities like cross-site request forgery if CORS is not implemented correctly, such as specifying '*' for allowed origins, failing to validate origins, or not handling credentials properly.
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ... (PROIDEA)
Banking Trojans have been part of the financial cybercrime landscape for over a decade, causing losses measured in billions of dollars. On the flip side, the constant evolution of defenses against this type of malware has forced Trojan operators to adjust to security controls designed to keep them out. As a result, many Trojan operators have either disappeared or considerably narrowed their activity scope, but more interestingly, are using novel techniques to achieve their goals. In this talk, we will present three top malware operators active in the wild and their use of automated scripts to tackle their challenges. The notorious Gozi (ISFB) malware used to run its own executable files; nowadays it avoids storing malicious payloads on disk and instead writes a PowerShell script to the Windows registry and executes it using a special regex-based run key. Ramnit, a dated foe that focuses on UK banks, encrypts its payload using a Windows API function with a device-unique key; on every system reboot it decrypts the payload in memory and runs it with a Visual Basic script that launches PowerShell, which allows Ramnit to avoid running a detectable executable file as it used to do in the past. BackSwap is a new banking Trojan that attacks financial institutions in Spain; its dropper is a JScript Encoded (JSE) file which, when decoded, yields a 30k-line script that downloads a binary sample from a remote command-and-control server. Together with our audience, we will walk through the research process and share our findings along with our (sometimes) quick-and-dirty solutions. We aim to enhance our participants' knowledge of today's bankers and help them get deeper into the current-day scripting-related techniques cybercriminals use.
This document provides an overview of Burp Suite and how to use its features to perform vulnerability assessments. It discusses Burp Suite's key components like the proxy, scanner, intruder, repeater, collaborator, and extender. It also covers techniques like bypassing filters, server-side request forgery, XML external entities, and common vulnerabilities to target like open redirects, insufficient entropy, and insecure deserialization.
WAF Bypass Techniques - Using HTTP Standard and Web Servers' Behaviour - Soroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
This document provides an overview of HTTP and Java networking. It begins with a refresher on HTTP, including versions, methods, status codes, and examples. It then discusses the internet stack and where Java fits in, covering the socket API and classes for HTTP, SSL, SMTP, and other protocols. The document concludes with code examples for building an echo client/server and basic web crawler in Java.
2017 Dev Nexus: Deconstructing REST Security - David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. The presentation also details a competing Amazon-style approach called HTTP Signatures and digs into the architectural differences of all three, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
This document discusses the pros and cons of implementing cryptography natively versus using external libraries. It provides examples of implementing hashes, ciphers, and public key algorithms both natively and externally in Smalltalk. Implementing natively allows for easy integration and debugging but has downsides of maintenance burden and potential security issues. Using external libraries reduces development cost but can introduce integration and platform coverage issues. The key factors to consider are providing seamless use, deployment, platform coverage, capability coverage, and extensibility while meeting other requirements like certification and performance.
Abstract:
Secure code practices, system hardening, due diligence and due care principles are paramount in mitigating application level DoS attacks. These attacks often result in significant damage against unprepared and vulnerable organisations.
The intent of this talk is to help organisations in strengthening their security posture against such attacks. The talk will explore most common application level DoS attacks and will provide recommendations for protecting applications, detecting attacks and how to react under stressful conditions.
Defending against application level DoS attacks - Chu Xu
The document discusses application level denial of service (DoS) attacks and defenses. It begins with an introduction and overview of layer 7 DoS attacks and then discusses specific attacks and recommendations for mitigating attacks against web applications, web services, web servers, and databases. It also provides guidance on dealing with an HTTP DoS attack by discussing preparations, response during an attack, and recovery after an attack.
2010: A Web Hacking Odyssey - Top Ten Hacks of the YearJeremiah Grossman
Many notable and new Web hacking techniques have already been revealed in 2009. During his session, Jeremiah Grossman will describe the technical details of the top ten from 2009, as well as some of the prevalent security issues emerging in 2010. By attending Mr. Grossman’s session, attendees will be treated to a step-by-step guided tour of the newest threats targeting today’s corporate websites and enterprise users. With that knowledge, Mr. Grossman will then strategize what defensive solutions will have the most impact.
Mr. Grossman will begin his presentation by providing the audience with definitions of the key terms and techniques used in his session. After laying this foundation, Mr. Grossman will move on to identifying the top ten attacks in 2009, including hacks involving Rich Internet Applications, Social Networking, Cloud Computing, Mobile Web Applications, Next Generation Web Browsers and HTML 5. Mr. Grossman will briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, as well as what preventative measures can be taken.
Mr. Grossman will also stress the importance of security professionals remaining proactive and continuing to move research forward, as analysis of attacks from years past only goes so far as hackers continue to push the envelop of what’s possible in the ever-changing Web security landscape.
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...NoNameCon
https://cfp.nonamecon.org/nnc2020/talk/9LMJAH/
For many years, injection-based vulnerabilities such as XSS and SQL-injection have dominated the web security landscape. However, as browsers and applications are becoming increasingly complex, new vulnerability classes surface. One of these new-kids-on-the-block is XSLeaks, a vulnerability class that exploit side-channel leaks in the browser to extract information across origins. In this presentation, I will describe the various types of leaks in different browser features and the network layer, and discuss how these issues can be exploited to extract sensitive information from an unwitting victim. Furthermore, the talk will cover the numerous (new) defences that need to be adopted in order to safeguard web applications (SameSite cookies, COOP, COEP, ...), and their potential shortcomings. Finally, we will take a peak into the future, and discuss how XSLeaks will likely evolve in the coming months and years.
This document provides an overview of the basic function call flow for OpenSSL to establish a secure TCP connection. It discusses initializing the OpenSSL library, creating an SSL_CTX object, generating randomness, creating an SSL object for a connection, performing the TLS/SSL handshake, and reading and writing data over the encrypted connection. It also provides examples of OpenSSL code for a client application.
This document discusses cache poisoning attacks. It begins with an overview and introduction to web cache poisoning and related attacks like HTTP response splitting. It then provides an example of how HTTP response splitting works and can be used to conduct a cache poisoning attack by injecting malicious content. The document outlines practical considerations for both attackers in conducting such an attack and victims in preventing them, such as input validation and restricting special characters. It concludes with a bibliography of additional resources on these topics.
The document provides an overview of SSL and OpenSSL. It discusses generating keys and certificates, setting up SSL contexts, creating secure connections, reading/writing data, and handling errors. It also provides code snippets for an echo client and server. The echo server loads a certificate, sets up a listening BIO, accepts connections, and performs handshakes. The handshake process involves a client sending a "hello" message and the server responding with its own parameters to establish encryption.
The document discusses various HTTP security headers and their purposes. It provides descriptions and examples of HTTP Strict-Transport-Security (HSTS), X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, and Content-Security-Policy-Report-Only headers. It also discusses limitations and recommendations for using these headers to strengthen security.
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...PROIDEA
This document discusses attacking web servers by abusing runtime configuration files like .htaccess in Apache. It begins by providing background on htshells, a tool for creating web shells using runtime configuration. It then explains how runtime configuration works and can be used to change server behavior. Several attacks are described like information disclosure, command execution, and authentication bypass. Methods for placing files on servers like file uploads and XXE are also covered. The document concludes by discussing detection and defense techniques as well as updating htshells for newer techniques.
The document provides instructions for setting up a lab environment to practice HTML5 hacking techniques. It includes details on installing VirtualBox and shared folders, as well as IP addresses to use for the "localvictim" and "evil" servers. The remainder of the document outlines a plan to cover various HTML5-related attacks, including bypassing the same-origin policy, exploiting XSS vectors in HTML5, attacking with cross-origin resource sharing and web messaging, targeting client-side storage, and using web sockets. Disclaimers are provided about the practical nature of the workshops and limited time.
Web cache poisoning involves exploiting how web caches store and retrieve cached responses. By manipulating request headers, an attacker can poison caches to store malicious responses that are then served to other users. The document discusses various real-world examples where cache poisoning was used, such as hijacking open graph metadata on Facebook. It also provides defenses like avoiding the use of caching or including all request headers in cache keys.
The Security library in VisualWorks went through sweeping changes recently. Main change is replacing native smalltalk implementations of various cryptographic algorithms with pluggable interfaces to external libraries, but also a complete rewrite of the SSL implementation to support all current versions of the protocol (SSL3.0 & TLS 1.0, 1.1 and 1.2). Introducing dependencies on external libraries can complicate deployment, however the resulting pluggability of implementation and perfomance boost we're getting in exchange should more then pay off in terms of widening the scope of potential applications, where the purely native implementation was simply not acceptable. In this talk we will survey these changes and discuss their impact and backward compatibility implications.
- CORS (Cross-Origin Resource Sharing) allows resources on a web page to be requested from another domain outside the domain from which the first resource was served.
- CORS uses additional HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin.
- Developer mistakes can lead to security vulnerabilities like cross-site request forgery if CORS is not implemented correctly, such as specifying '*' for allowed origins, failing to validate origins, or not handling credentials properly.
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
Banking Trojans have been part of the financial cybercrime landscape for over a decade, causing losses measured in billions of dollars. On the flip side, the constant evolution of defenses against this type of malware has forced Trojan operators to adjust to security controls designed to keep them out. As a result, many Trojan operators have either disappeared or considerably narrowed their activity scope, but more interestingly, are using novel techniques to achieve their goals. In this talk, we will present three top malware operators active in the wild and their use of automated scripts to tackle their challenges: The notorious Gozi (ISFB) malware used to run its own executable files. Nowadays, it avoids storing malicious payloads on disk and instead, writes a Powershell script to the Windows registry and executes it using a special regex-based run-key. Ramnit, a dated foe that focuses on UK banks, encrypts its payload using a Windows API function with a device-unique key. In every system reboot, it decrypts the payload in-memory and runs it with a Visual Basic script that runs Powershell. This allows Ramnit to avoid running a detectable, executable file as it used to do in the past. BackSwap is a new banking Trojan that attacks financial institutions in Spain. Its dropper is a JavaScript Encoded (JSE) file. When decoded, the dropper results in a 30k lines-of-code script which downloads a binary sample from a remote Command-and-Control server. Together with our audience, we will walk through the research process and share our findings along with our (sometimes) quick-and-dirty solutions. We aim to enhance our participants’ knowledge of today’s bankers and help them get deeper into current-day scripting-related techniques cybercriminals use.
This document provides an overview of Burp Suite and how to use its features to perform vulnerability assessments. It discusses Burp Suite's key components like the proxy, scanner, intruder, repeater, collaborator, and extender. It also covers techniques like bypassing filters, server-side request forgery, XML external entities, and common vulnerabilities to target like open redirects, insufficient entropy, and insecure deserialization.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
This document provides an overview of HTTP and Java networking. It begins with a refresher on HTTP, including versions, methods, status codes, and examples. It then discusses the internet stack and where Java fits in, covering the socket API and classes for HTTP, SSL, SMTP, and other protocols. The document concludes with code examples for building an echo client/server and basic web crawler in Java.
2017 dev nexus_deconstructing_rest_security (David Blevins)
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. The presentation also details a competing Amazon-style approach called HTTP Signatures and digs into the architectural differences of all three, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
This document discusses the pros and cons of implementing cryptography natively versus using external libraries. It provides examples of implementing hashes, ciphers, and public key algorithms both natively and externally in Smalltalk. Implementing natively allows for easy integration and debugging but has downsides of maintenance burden and potential security issues. Using external libraries reduces development cost but can introduce integration and platform coverage issues. The key factors to consider are providing seamless use, deployment, platform coverage, capability coverage, and extensibility while meeting other requirements like certification and performance.
Abstract:
Secure code practices, system hardening, due diligence and due care principles are paramount in mitigating application level DoS attacks. These attacks often result in significant damage against unprepared and vulnerable organisations.
The intent of this talk is to help organisations in strengthening their security posture against such attacks. The talk will explore most common application level DoS attacks and will provide recommendations for protecting applications, detecting attacks and how to react under stressful conditions.
Defending against application level DoS attacks (Chu Xu)
The document discusses application level denial of service (DoS) attacks and defenses. It begins with an introduction and overview of layer 7 DoS attacks and then discusses specific attacks and recommendations for mitigating attacks against web applications, web services, web servers, and databases. It also provides guidance on dealing with an HTTP DoS attack by discussing preparations, response during an attack, and recovery after an attack.
This talk is a generic but comprehensive overview of security mechanism, controls and potential attacks in modern browsers. The talk focuses also on new technologies, such as HTML5 and related APIs to highlight new attack scenario against browsers.
This document discusses browser security challenges posed by new technologies like HTML5, cross-document messaging, and browser plugins. It summarizes potential attacks like cross-site scripting through relaxed origin policies, browser SQL injection using HTML5 client storage, and using cross-document messaging to enable cross-site communication. The document advocates for the OWASP Intrinsic Group to work with browser vendors to address these issues.
Web Application Security 101 - 02 The Basics (Websecurify)
In part 2 of Web Application Security 101 we cover the basics of HTTP, HTML, XML, JSON, JavaScript, CSS and more in order to get you up to speed with the technology. This knowledge will be used during the rest of the course to explore the various security aspects affecting web applications today.
The document provides an introduction to web spider web weaving and discusses key concepts related to HTTP requests and responses between clients and servers. It explains common web technologies like web servers, browsers, spiders, and scripting languages. It also discusses database servers, web models like LAMP and WAMP, HTTP sessions, and introducing a uniform server.
This document describes the design and implementation of a DDoS testbed. It discusses various DDoS attack architectures and experimental techniques like mathematical models, simulation models, emulation models, and real-time models. The motivation for increasing DDoS attacks and a comparison of experimental techniques is provided. The document also outlines the hardware and software used in the testbed, including CORE emulator, Ubuntu, Apache web server, Wireshark sniffer, and attack tools like Hulk and HTTP Flooder. Finally, it discusses the future scope of detecting and defending against different types of DDoS attacks and measuring their impact.
This document summarizes the key aspects of designing secure systems:
1) It discusses various common security threats like defacement, infiltration, phishing, and denial of service attacks.
2) It emphasizes the importance of understanding threats and designing security into systems from the beginning, rather than adding it as an afterthought.
3) Using a simple web server example, it shows how not considering security can leave systems vulnerable if authentication, access controls, and input validation are not implemented properly.
This document provides an overview of the Python web framework Flask. It discusses Flask's lightweight and extensible nature. It also covers key Flask concepts like URL routing, parameters, templates, and request handling. Examples are given for basic routing, parameter collection via GET and POST, and rendering templates with dynamic data. The document serves as an introduction to building web applications with the Flask framework in Python.
The document provides an overview of the key steps involved in a typical web server transaction to service an HTTP GET request. It outlines the basic operations from initializing the server socket, accepting connections, parsing requests, retrieving and sending response files and headers, and closing connections. It then discusses common optimizations including caching file metadata, descriptors, headers and data in memory to reduce repetitive disk and system calls. Custom OS primitives are proposed to further optimize operations like request acceptance, time retrieval, and sending responses.
The document provides an overview of how a web server processes an HTTP request. Key steps include:
1) Receiving the request via a listening socket and parsing it to determine the requested file.
2) Checking permissions and metadata for the file via calls like stat().
3) Opening the file, generating a response, and sending the response headers and file contents to the client socket.
4) Optimizations focus on caching frequently accessed metadata and file data in memory to avoid repeated disk operations.
Node.js: The What, The How and The When
with Richard Nieuwenhuis
This document provides an introduction to Node.js including its history, uses, advantages, and community. It describes how Node.js uses non-blocking I/O and JavaScript to enable highly scalable applications. Examples show how Node.js can run HTTP servers and handle streaming data faster than traditional blocking architectures. The document recommends Node.js for real-time web applications and advises against using it for hard real-time systems or CPU-intensive tasks. It encourages participation in the growing Node.js community on mailing lists and IRC.
The document discusses a new web security technique called cross-site tracing (XST) that can bypass the HTTP-only security feature in Internet Explorer 6 SP1 and perform cross-site scripting attacks. XST exploits the TRACE HTTP request method, which echoes request information to the client, to obtain authentication cookies from other domains over HTTP and HTTPS. While HTTP-only helps prevent cookie access via JavaScript, XST can still access cookies through TRACE requests.
The document discusses different types of denial of service (DoS) attacks against web servers, focusing on Slowloris, Slow Post, and Slow Read attacks. Slowloris keeps connections open by sending partial HTTP requests and headers. Slow Post sends complete headers but an incomplete message body. Slow Read maliciously throttles the receipt of large HTTP responses to tie up server resources. These low-bandwidth attacks can be effective at consuming connection pools and overloading servers. The document provides details on how each attack works and recommendations for detection and mitigation techniques.
The document is a presentation about Node.js, a JavaScript runtime built on Chrome's V8 JavaScript engine. It discusses how Node.js uses an event-driven, non-blocking I/O model that makes it particularly suited for real-time web applications and I/O-intensive applications compared to traditional threaded server models. It provides examples of Node.js features like asynchronous I/O, event loops, modules and the npm package manager.
Node.js is a JavaScript runtime environment that allows building fast, scalable network applications using event-driven, asynchronous I/O. It uses Google's V8 JavaScript engine and can run on Windows, Mac OS, and Linux. Node.js is commonly used for building servers, APIs, real-time apps, streaming data, and bots. Typical Node.js apps use NPM to install packages for tasks like databases, web frameworks, testing, and more. Node.js handles non-blocking I/O through callbacks to avoid blocking and optimize performance. A basic HTTP server in Node.js creates a server, handles requests, and sends responses.
The document describes Windows Credentials Editor (WCE), a tool that manipulates Windows logon sessions to dump and modify credentials in memory. WCE has two main features - it can dump in-memory credentials like usernames, domains, and NTLM hashes from current, future, and terminated logon sessions; and it supports pass-the-hash by allowing changes to NTLM credentials or creation of new logon sessions with arbitrary credentials. The document discusses two methods WCE could use - directly calling authentication package APIs, which requires running code in LSASS; or reading LSASS memory to locate logon session and credential structures and decrypt credentials without injecting code.
The document discusses database forensics and analysis techniques. It introduces current challenges, available tools, and new approaches using external tables to preserve metadata when collecting evidence. Typical patterns seen in database objects like SYS.USER$ are shown, like multiple accounts with login attempts or similar lock times indicating password guessing. Timeline creation is demonstrated to combine data from different sources.
This document provides an overview of database security platforms and the evolution of this market. Some key points:
- Database security platforms have evolved beyond just monitoring database activity and now incorporate features like vulnerability assessment, user rights management, data discovery/filtering, and blocking capabilities.
- The increased scope of monitoring coverage and additional security features mean "Database Activity Monitoring" is no longer an accurate term - these solutions are now more appropriately called "Database Security Platforms."
- These platforms consolidate multiple database security tools into a single solution and can monitor both relational and non-relational databases as well as multiple database types.
- Vendors are beginning to differentiate their database security platforms based on primary use cases
The document discusses how Windows Credentials Editor (WCE) can be used to obtain credentials stored in memory on Windows systems, allowing an attacker to steal usernames and hashes to perform pass-the-hash attacks without cracking passwords. WCE enables bypassing common pre-exploitation techniques by directly using harvested credentials. Leaving logon sessions disconnected rather than logged off can leave credentials exposed in memory as "zombie sessions".
By using specially crafted parameters in double quotes, it is possible to bypass the input validation of the Oracle dbms_assert package and inject SQL code. This allows dozens of already patched Oracle vulnerabilities to be exploited again across versions 8.1.7.4 to 10.2.0.2. The researcher notified Oracle of the problem in April 2006. To mitigate risks, privileges like CREATE PROCEDURE should be revoked to prevent injection of malicious functions or procedures.
This document describes a new method for exploiting PL/SQL injection without needing to create functions or procedures. It involves injecting a pre-compiled cursor using the DBMS_SQL package to execute arbitrary SQL. The attacker can use this to grant privileges to themselves or create their own functions without any system privileges beyond CREATE SESSION. It provides an example exploiting the SDO_DROP_USER_BEFORE trigger in Oracle to gain DBA privileges in this way without needing CREATE PROCEDURE permission.
This document discusses a vulnerability in Oracle databases that allows privilege escalation from CREATE USER privileges to SYSDBA privileges. It provides code examples demonstrating how a user with CREATE USER privileges can create a function with the same name as a built-in SYS function to override the namespace and elevate their privileges when SYS executes the function. The document outlines best practices for prevention, including not logging in as SYS, closely monitoring CREATE USER privileges, and using a tool like Sentrigo Hedgehog for advanced monitoring and alerts. It also provides recommendations for forensic response if privilege escalation occurs.
1. The document discusses SSH tricks and configuration tips for securing SSH connections and servers. It provides examples of SSH client-side one-liners and ways to quickly set up an SSH server.
2. SSH is a secure network protocol for exchanging data between networked devices. The document outlines ways to lock down SSH servers and clients through configuration files and access controls.
3. The document shows examples of SSH port forwarding, tunnels, and other one-liners that can enable remote access or administration through SSH connections.
This document summarizes optimizations to TLS/SSL including False Start, Snap Start, and defenses against the BEAST attack. False Start allows the client to send application data before receiving the server's Finished message to reduce latency. Snap Start uses cached handshake parameters to further reduce latency. However, both introduce security risks. The BEAST attack exploits TLS CBC encryption and IV reuse, but can be prevented by changing the encryption mode or adding padding.
The document provides an overview of practical cryptography and the GPG/PGP encryption tools. It discusses symmetric and public key cryptography theory. It then demonstrates how to use GPG/PGP to generate keys, encrypt and decrypt files, digitally sign documents, verify signatures, and distribute public keys through a key server. It also discusses how the web of trust model works to validate identities through in-person key signing after carefully verifying a user's identity.
Kyle Young presents on SSH tricks and configuration tips. He discusses the history and uses of SSH, how to securely connect to SSH servers by verifying fingerprints, and ways to lock down SSH servers and clients through configuration files like sshd_config and ssh_config. He also shares some useful SSH client-side one-liners.
This document describes padding oracle attacks on cryptographic hardware devices that allow encrypted keys to be imported. It presents two types of attacks: 1) An improved Bleichenbacher attack that exploits RSA PKCS#1v1.5 padding to reveal an imported private key in an average of 49,000 oracle queries. 2) An adaptation of the Vaudenay CBC attack to reveal keys encrypted with CBC and PKCS#5 padding. It demonstrates these attacks on commercial security tokens, smartcards, and electronic ID cards to reveal stored cryptographic keys.
The document discusses proper password hashing methods for securely storing passwords. It begins by stating that most websites currently do not properly store passwords, either in plaintext or with a single hash without salt. This is irresponsible. The document then discusses proper hashing methods that should be used, including adding salt, using key derivation functions like PBKDF2, ARC4PBKDF2, and bcrypt. PBKDF2 works by repeatedly hashing the password with a salt, while ARC4PBKDF2 additionally encrypts the password and hashes with an evolving ARC4 stream for added complexity. Bcrypt is also an adaptive function that works similarly to PBKDF2 but in a more complicated way. The document
This document proposes a new method for improving the cryptanalytic time-memory trade-off technique. The original technique, introduced by Hellman in 1980, precomputes ciphertexts to reduce cryptanalysis time at the cost of memory usage. The new method reduces the number of calculations needed during cryptanalysis by a factor of two compared to the existing approach using distinguished points. As an example, the new method can crack 99.9% of Windows password hashes in 13.6 seconds using 1.4GB of precomputed data, much faster than the 101 seconds taken by the existing approach.
This document provides an introduction and overview of threading and concurrency in Perl. It begins with definitions of threads and concurrency basics. It then discusses Perl's implementation of threads since version 5.6, noting that global variables are non-shared by default and sharing must be explicit. The document outlines various threading primitives and synchronization mechanisms in Perl like locks, condition variables, and shows examples of building thread-safe data structures like queues. It concludes with best practices and implementing other common synchronization primitives.
2. Agenda
Introduction to Layer 7 DDOS attacks
Different types of Layer 7 DDOS web attacks
Analysis of HTTP POST DDOS attack
Demo
OWASP 2
3. First, there was Layer 4 DDOS...
Past DDOS attacks were mainly Layer 4 (TCP) attacks.
4. Layer 4 DDOS attacks
Reach bandwidth or connection limits of hosts or networking equipment.
Fortunately, current anti-DDOS solutions are effective in handling Layer 4 DDOS attacks.
5. Then, there were Layer 7 DDOS attacks
Operate at the application protocol level (OSI Layer 7).
E.g. HTTP(S), SMTP, FTP, etc.
6. Effectiveness of Layer 7 DDOS attacks
Use legitimate TCP or UDP connections. Difficult to differentiate from legitimate users => higher obscurity.
Require fewer connections => higher efficiency.
Reach resource limits of services.
Can deny services regardless of hardware capabilities of the host => higher lethality.
7. Agenda
Introduction to Layer 7 DDOS attacks
Different types of Layer 7 DDOS web attacks
Analysis of HTTP POST DDOS attack
Demo
8. Types of Layer 7 DDOS web attacks
Excludes causes related to stupid or inefficient code. (Yes! You can DOS yourself)
We will focus on protocol weaknesses of HTTP or HTTPS.
HTTP GET => Michal Zalewski, Adrian Ilarion Ciobanu, RSnake (Slowloris)
HTTP POST => Wong Onn Chee
9. HTTP GET DDOS attack
First highlighted by Michal Zalewski and Adrian Ilarion Ciobanu in 2007
http://www.securityfocus.com/archive/1/456339/30/0/threaded
Popularized in 2009 by RSnake with the free tool, Slowloris.
Slowloris used time-delayed HTTP headers to hold on to HTTP connections and exhaust web server threads or resources.
Can evade Layer 4 DDOS protection systems.
More info can be found at http://ha.ckers.org/blog/20090617/slowloris-http-dos/
10. HTTP GET DDOS attack
Apache Foundation disagreed that this is a bug and had no plans to “fix it”. To AF, waiting for the HTTP headers to complete sending is a basic and inherent behavior of web servers.
Microsoft IIS imposes a timeout for HTTP headers to be sent. Any HTTP connection which exceeds the headers timeout will be closed, hence rendering HTTP GET attacks ineffective against IIS web servers.
11. Limitations of HTTP GET DDOS attack
Does not work on IIS web servers or web servers with timeout limits for HTTP headers.
Easily defensible using popular load balancers, such as F5 and Cisco, reverse proxies and certain Apache modules, such as mod_antiloris.
Anti-DDOS systems may use “delayed binding”/“TCP splicing” to defend against HTTP GET attacks.
12. Agenda
Introduction to Layer 7 DDOS attacks
Different types of Layer 7 DDOS web attacks
Analysis of HTTP POST DDOS attack
Demo
13. HTTP POST DDOS attack
First discovered in Sep 2009 by Wong Onn Chee and his team.
Escalated to Microsoft and AF in Q1 2010. Both interpreted this to be a protocol bug.
Apache: “What you described is a known attribute (read: flaw) of the HTTP protocol over TCP/IP. The Apache HTTP project declines to treat this expected use-case as a vulnerability in the software.”
MS: “While we recognize this is an issue, this issue does not meet our bar for the release of a security update. We will continue to track this issue and the changes I mentioned above for release in a future service pack.”
14. How HTTP POST DDOS attack works (HTTP/1.0)
Uses HTTP POST requests, instead of HTTP GET which is used by Slowloris.
“A POST request includes a message body in addition to a URL used to specify information for the action being performed. This body can use any encoding, but when webpages send POST requests from an HTML form element the Internet media type is "application/x-www-form-urlencoded".” (source: Wikipedia - “POST (HTTP)”)
15. How HTTP POST DDOS attack works (HTTP/1.0) (cont'd)
The field “Content-Length” in the HTTP header tells the web server how large the message body is, e.g. “Content-Length = 1000”.
The HTTP header portion is complete and sent in full to the web server, hence bypassing IIS's inherent protection (the header timeout).
16. How HTTP POST DDOS attack works (HTTP/1.0) (cont'd)
E.g. Content-Length = 1000 (bytes)
The HTTP message body is properly URL-encoded, but ......
.....is sent at, again e.g., 1 byte per 110 seconds.
Multiply such connections by 20,000 and your IIS web server will be DDOSed.
Most web servers can accept up to 2GB worth of content in a single HTTP POST request.
18. Sample code to simulate HTTP POST DDOS attack (HTTP/1.0)
Get random data -->
    // Byte randomness: every payload byte is drawn from the random generator
    public static byte getRandomByte() {
        int character = gen.nextInt();
        return (byte) character;
    }
Send random data -->
    public void sendXHeader() throws IOException {
        StringBuffer header1 = new StringBuffer();
        StringBuffer header2 = new StringBuffer();
        // Slide callout: Time interval randomness. The lengths of the header
        // name and value are randomised as well.
        int lengthOfXA = param.getRandomLengthOfXA();
        int lengthOfXB = param.getRandomLengthOfXB();
        for (int i = 0; i < lengthOfXA; i++) {
            header1.append(Misc.getRandomByte());   // byte is appended as its decimal text
        }
19. Sample code to simulate HTTP POST DDOS attack (HTTP/1.0)
        for (int i = 0; i < lengthOfXB; i++) {
            header2.append(Misc.getRandomByte());
        }
        // emit one random "X-<name>: <value>" header line, CRLF-terminated
        socket.getOutputStream().write(("X-" + header1.toString() + ": " + header2.toString() + "\r\n").getBytes());
        socket.getOutputStream().flush();
    }
Sends the payload
    // one body byte per call; the caller spaces the calls out over time
    public void sendPOSTBodyRandomByte() throws IOException {
        socket.getOutputStream().write(Misc.getRandomByte());
        socket.getOutputStream().flush();
    }
20. Why HTTP POST DDOS attack works
Being “kind” folks (like all of you), web servers will “obey” the “Content-Length” field and wait for the remaining message body to be sent.
By waiting for the complete message body to be sent, web servers can support users with slow or intermittent connections.
Hence, any website which has forms, i.e. accepts HTTP POST requests, is susceptible to such attacks.
Common uses of HTTP POST requests: login, uploading photos/videos, sending webmail / attachments, submitting feedback, etc.
21. Why HTTP POST DDOS attack works
This attack can evade Layer 4 detection techniques as there is no malformed TCP, just like Slowloris.
Unlike Slowloris, there is no delay in sending the HTTP header, hence nullifying IIS's built-in defense and making IIS vulnerable too.
Size, character sets and time intervals can be randomised to foil any recognition of Layer 7 traffic patterns by DDOS protection systems.
Difficult to differentiate from legitimate connections which are slow.
22. Interesting findings
IIS 6.0 (W2K3) web server is vulnerable to this attack even when there is no form. Apache, IIS 7 or later require the presence of forms for this attack to work.
Apache requires fewer connections due to the mandatory client or thread limit in httpd.conf.
Despite its “unlimited connections” settings, a default IIS configuration will go down with 20,000 HTTP POST DDOS connections, regardless of hardware capabilities. This is due to the rapid fail protection sandbox feature in IIS.
23. Interesting findings
IIS with 8 cores and 16GB RAM = IIS with 2 cores and 2GB RAM
Only 20k HTTP POST connections to DDOS either IIS!
In HTTP/1.1, where chunked encoding is supported and there is no “Content-Length” HTTP header, the lethality is amplified.
The web server does not even know up front from the headers how large the POST request is!
24. Interesting findings
Botnet operators have begun their “3G upgrade” to include Layer 7 DDOS techniques. Some may have completed their upgrade to include HTTP POST.
We believe Layer 7 attacks may supersede Layer 4 attacks as the modus operandi of DDOS botnets in this new decade.
25. Potential countermeasures
Apache
(experimental) mod_reqtimeout
LimitRequestBody directive
IIS
No reply from Microsoft on the availability of the proposed controls in the latest service pack for IIS.
26. Potential countermeasures
General
Limit the size of the request to each form's requirements.
E.g. a login form with a 20-char username field and a 20-char password field should not accept a 1KB POST message body.
Identify the 95th or 99th percentile of the normal access speed range to your website. Establish a speed floor for the outliers.
With the speed floor and maximum allowable body size for each form, establish a request timeout for each form (= Tedious! Good news for infosec folks?)
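The per-form body cap and speed floor described above, worked through as an added example (not code from the slides or from any web server): the speed floor is modelled on mod_reqtimeout's MinRate semantics (a fixed grace period, extended by one second per MinRate bytes received), and the form name, limits and connection traces are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FormPolicy:
    """Per-form limits in the spirit of slide 26: a body cap sized from the
    form's fields, and a speed floor modelled on mod_reqtimeout's MinRate.
    Names and numbers are this example's own, not from the deck."""
    name: str
    max_body_bytes: int
    initial_timeout_s: float
    min_rate_bytes_per_s: float

    def deadline(self, received: int) -> float:
        """Seconds after the headers completed by which `received` body bytes
        must have arrived, otherwise the connection is dropped."""
        return self.initial_timeout_s + received / self.min_rate_bytes_per_s

    def request_timeout(self) -> float:
        """Upper bound on how long any legitimate POST to this form can take."""
        return self.deadline(self.max_body_bytes)


def check_post(policy: FormPolicy, content_length: int, progress) -> str:
    """Judge one POST from its announced Content-Length and a list of
    (seconds since headers completed, cumulative body bytes received) samples."""
    if content_length > policy.max_body_bytes:
        return "reject:content-length"      # LimitRequestBody-style cap
    for t, received in progress:
        if t > policy.deadline(received):
            return "reject:stalled"         # body arriving below the speed floor
        if received >= content_length:
            return "ok"
    return "incomplete"                     # still within budget, keep reading


# Constructed policy: two 20-char fields never need anywhere near 1 KB.
LOGIN = FormPolicy("login", max_body_bytes=1024,
                   initial_timeout_s=20, min_rate_bytes_per_s=500)

# Constructed connection traces: (seconds, cumulative body bytes).
NORMAL_CLIENT = [(0.4, 60), (0.9, 120)]        # done in under a second
SLOW_MOBILE_CLIENT = [(1.0, 40), (3.0, 120)]    # 40 B/s, inside the grace period
SLOW_POST_ATTACK = [(110.0, 1), (220.0, 2)]     # 1 byte per 110 s, as on slide 16
OVERSIZED = []                                  # 2 GB announced, body never read

if __name__ == "__main__":
    print(check_post(LOGIN, 120, NORMAL_CLIENT))        # ok
    print(check_post(LOGIN, 120, SLOW_MOBILE_CLIENT))   # ok
    print(check_post(LOGIN, 1000, SLOW_POST_ATTACK))    # reject:stalled
    print(check_post(LOGIN, 2 * 1024 ** 3, OVERSIZED))  # reject:content-length
```

The grace period is what keeps a genuinely slow mobile client inside the floor while a connection trickling one byte every 110 seconds is dropped at the first check.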
27. Weaknesses of countermeasures
Hackers can “sense” the speed floor and execute attacks just above it.
Most (broadband) home users have an uplink speed of at least 256 kbps. But we cannot set speed floors at 256 kbps.
Speed floors = not friendly to overseas customers/visitors or local ones using mobile devices.
HTTPS will be a challenge for front, appliance-based defensive systems.
28. Future “exploits”? - WebSockets
WebSockets in HTML5 (draft expires February 17, 2011) http://www.whatwg.org/specs/web-socket-protocol/
“Conceptually, WebSocket is really just a layer on top of TCP that adds a Web "origin"-based security model for browsers; adds an addressing and subprotocol naming mechanism to support multiple services on one port and multiple host names on one IP address; layers a framing mechanism on top of TCP to get back to the IP packet mechanism that TCP is built on, but without length limits; and reimplements the closing handshake in-band....”
29. Future “exploits”? - WebSockets
6.3. Data framing
The server must run through the following steps to process the bytes sent by the client. If at any point during these steps a read is attempted but fails because the WebSocket connection is closed, then abort.
1. Try to read a byte from the client. Let /frame type/ be that byte.
2. Try to read eight more bytes from the client. Let /frame length/ be the result of interpreting those eight bytes as a big-endian 64 bit unsigned integer. (e.g. 99,999,999)
…….
99,999,999 bytes / 1 byte per 110 secs
= 10,999,999,890 secs
= 127,315 days
= 349 years
30. Agenda
Introduction to Layer 7 DDOS attacks
Different types of Layer 7 DDOS web attacks
Analysis of HTTP POST DDOS attack
Demo
31. Demo
Old = you may already know about the components.
New = new trend of “weaponized” online games which are web-based or client-based.
Desktop firewalls do not block outgoing Port 80 connections once the process is whitelisted. (Needs to be whitelisted, else the game will not run)
The one we are showing is a simple game using a self-signed Java applet. (good old Java sandbox bypass)