SlideShare a Scribd company logo

Top 10 Web Hacking Techniques of 2014

Download as PPTX, PDF
PROIDEA
PROIDEA

Speakers: Matt Johansen, Johnathan Kuskos Language: English Every year the security community produces a stunning number of new Web hacking techniques. Now in its 9th year, the Top 10 Web Hacking Techniques list encourages information and knowledge sharing and recognizes researchers who contribute excellent work. In this talk, we will do a technical deep dive and take you through the Top 10 Web Hacks of 2014, as picked by an expert panel of judges. The full list is available here: https://blog.whitehatsec.com/top-10-web-hacking-techniques-of-2014/ CONFidence: http://confidence.org.pl/pl/

Software
1 of 55
Johnathan Kuskos Manager WhiteHat Security Europe, Ltd. Threat Research Center Twitter: @JohnathanKuskos The Top 10 Web Hacking Techniques of 2014 Matt Johansen Director, Security Services & Research WhiteHat Security Threat Research Center Twitter: @MattJay
“Every year the security community produces a stunning amount of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, web browsers, web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, here we are solely focused on new and creative methods of web-based attack.” - Jeremiah Grossman
New Techniques in Prev. Years 3 2007 2008 2009 2010 2011 2012 2013 65 70 80 69 51 56 31 XSS VULNS IN COMMON SHOCKWAV E FILES GIFAR (GIF + RAR) CREATING A ROGUE CA CERTIFICATE PADDING ORACLE CRYPTO ATTACK BEAST MXSS (MUTATION) CRIME
2014 Top 10 1. Heartbleed 2. ShellShock 3. POODLE 4. Rosetta Flash 5. Misfortune Cookie 6. Reusable CSRF bypass 7. Google Two-Factor Authentication Bypass 8. Apache Struts ClassLoader Manipulation Remote Code Execution 9. Facebook Hosted DDoS with Notes App. 10. Covert Timing Channels based on HTTP Cache Headers 4
Covert Timing Channels “A covert channel is a path that can be used to transfer information in a way not intended by the system’s designers (CWE-514) A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another (CWE-515) Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information (CWE-385)” Denis Kolegov, Oleg Broslavsky, Nikita Oleksov http://www.slideshare.net/dnkolegov/wh102014 5
Facebook Hosted DDoS w/Notes App “Facebook Notes allows users to include <img> tags. Whenever a <img> tag is used, Facebook crawls the image from the external server and caches it. Facebook will only cache the image once however using random get parameters the cache can be by-passed and the feature can be abused to cause a huge HTTP GET flood.” Chaman Thapa aka chr13 http://chr13.com/2014/04/20/using-facebook-notes-to- ddos-any-website/ 6
Apache Struts ClassLoader RCE “A remote command execution vulnerability in Apache Struts versions 1.x (<= 1.3.10) and 2.x (< 2.3.16.2). In Struts 1.x the problem is related with the ActionForm bean population mechanism while in case of Struts 2.x the vulnerability is due to the ParametersInterceptor. Both allow access to 'class' parameter that is directly mapped to getClass() method and allows ClassLoader manipulation. As a result, this can allow remote attackers to execute arbitrary Java code via crafted parameters.” class.classLoader -> class[‘classLoader’] Fixed by adding the following regex to struts excludeParams: (.*.|^|.*|[('|"))(c|C)lass(.|('|")]|[).* Peter Magnusson, Przemyslaw Celej https://cwiki.apache.org/confluence/display/WW/S2- 020 7
Google Two-Factor Authentication Bypass “The attack actually started with my cell phone provider, which somehow allowed some level of access or social engineering into my Google account, which then allowed the hackers to receive a password reset email from Instagram, giving them control of the account.” Anonymous Hacker http://gizmodo.com/how-hackers-reportedly-side- stepped-gmails-two-factor-a-1653631338 8
Hacking PayPal Accounts with 1 Click “An attacker can conduct a targeted CSRF attack against a PayPal users and take a full control over his account Hence, An attacker can CSRF all the requests including but not limited to: 1- Add/Remove/Confirm Email address 2-Add fully privileged users to business account 3- Change Security questions 4- Change Billing/Shipping Address 5- Change Payment methods 6- Change user settings(Notifications/Mobile settings) …and more” Yaser Ali http://yasserali.com/hacking-paypal-accounts-with- one-click/ 9
Misfortune Cookie “Researchers from Check Point’s Malware and Vulnerability Research Group uncovered this critical vulnerability present on millions of residential gateway (SOHO router) devices from different models and makers. It has been assigned the CVE-2014-9222 identifier. This severe vulnerability allows an attacker to remotely take over the device with administrative privileges.” Denis Kolegov, Oleg Broslavsky, Nikita Oleksov http://www.slideshare.net/dnkolegov/wh102014 10
Background: TR-069 11
ACS Photo credit: https://zmap.io/paper.pdf - Single Point of Failure - ACS very powerful as required by TR-069 - Port 7547
TR-069 Diversity Connection Request Server Technologies 13
Get to the Hack Already! - HTTP Header Fuzzing RomPager - {Authorization: Digest username=‘a’*600} - Crashes Router Unprotected String Copy
- RomPager uses cookies - Cookie array is pre-allocated memory - 10 40 byte cookies - C0, C1, C2, etc. - No more memory variations between firmwares
Misfortune Cookie Remediation - Most people will just need to wait for manufacturer fix - Technical people can flash firmware (DD-WRT, etc.) - Don’t buy these: http://mis.fortunecook.ie/misfortune-cookie-suspected- vulnerable.pdf
Rosetta Flash “Rosetta Flash [is] a tool for converting any SWF file to one composed of only alphanumeric characters in order to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site. This is a CSRF bypassing Same Origin Policy.” https://github.com/mikispag/rosettaflash Michele Spagnuolo https://miki.it/blog/2014/7/8/abusing-jsonp-with- rosetta-flash/ 18
What is it? Rosetta Flash is a tool that converts normal binary SWF files and returns a compressed alphanumeric only equivalent. Photo Credit https://miki.it/blog/2014/7/8/abusing- jsonp-with-rosetta-flash/
JSONP Widely Used Callback parameter in URL Only accepts [a-zA-Z] _ and . as valid Photo Credit https://miki.it/blog/2014/7/8/abusing- jsonp-with-rosetta-flash/ Ordinary SWF Binary Invalid JSONP callback
JSONP • Google • Yahoo! • YouTube • LinkedIn • Twitter • Instagram • Flickr • eBay • Mail.ru • Baidu • Tumblr • Olark 21 Just a “handful” of sites used JSONP and were vulnerable:
SWF Header Formats Photo Credit https://miki.it/blog/2014/7/8/abusing-jsonp- with-rosetta-flash/
Faking valid zlib data - First 2 bytes of zlib stream - Huffman Coding: Bit reduction - DEFLATE: Duplicate string elimination LZ77 algorithm - ALDER32 Checksum 23
SWF to Alphanumeric
- HTML PoC - Attacker Hosted - crossdomain.xml
Mitigations - Don’t use JSONP on sensitive domains - HTTP Headers: - Content-Disposition: attachment; filename=f.txt - X-Content-Type-Options: nosniff - Latest versions of Flash are patched by Adobe
Poodle Encryption downgrade attack to SSLv3.0 Like BEAST and CRIME, a successful exploit targets the client, not the server Requires determined MitM attacker Bodo Möller, Thai Duong, Krzysztof Kotowicz https://www.openssl.org/~bodo/ssl-poodle.pdf
Magic Plaintext Key Ciphertext
Sensitive Data
MAC Sensitive Data
PaddingMAC Sensitive Data
PaddingMAC Sensitive Data ■■■■■■■■S CB C
Padding DES uses 8 Bytes AES uses 16 bytes MAC Sensitive Data CBC CBC CBCCBC CBC Encryption is occurring
Padding DES uses 8 Bytes AES uses 16 bytes MAC Sensitive Data CBC CBC CBCCBC CBC Encryption is occurring
Padding DES uses 8 Bytes AES uses 16 bytes MAC Sensitive Data CBC CBC CBCCBC CBC
PaddingMAC Sensitive Data ■■■■■■■■S CB C
Requirements - A motivated and active MITM attacker. - A webserver set up to force the JS requests to break multiple encryption blocks Solution - Disable SSLv3.0 in the client. - Disable SSLv3.0 in the server. - Disable support for CBC-based cipher suites when using SSLv3.0 in either client or server.
ShellShock Also known as bashdoor CVE-2014-6271 Disclosed on September 24, 2014. Simply put  () { :; }; echo ‘win’ Denis Kolegov, Oleg Broslavsky, Nikita Oleksov http://www.slideshare.net/dnkolegov/wh102014
MassScan Example target-ip = 0.0.0.0/0 port = 80 banners = true http-user-agent = () { :; }; ping -c 3 xxx.xxx.xxx.xxx http-header[Cookie] = () { :; }; ping -c 3 xxx.xxx.xxx.xxx http-header[Host] = () { :; }; ping -c 3 xxx.xxx.xxx.xxx http-header[Referer] = () { :; }; ping -c 3 xxx.xxx.xxx.xxx
Photo Credit: @ErrataRob
Before we had fancy GUI’s
ShellShock Explained Simply X=‘() { :;}; rm -rf /’
ShellShock Explained Simply VAR=‘This is something I'd really like to remember.’ VAR=‘This should also be treated as text, not syntax.’ VAR=‘rm -rf /’ VAR=‘() { :;}; rm -rf /’ echo $VAR
Heartbleed It allows an attacker to anonymously download a random chunk of memory from a server using OpenSSL. A Catastrophic vulnerability to be accompanied by “branding”. ~17%(500k) of all “secure” servers were vulnerable. Denis Kolegov, Oleg Broslavsky, Nikita Oleksov http://www.slideshare.net/dnkolegov/wh102014
Market share of busiest sites…
Market share of active sites…
THE PROBLEM - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22 116ad75f822b1 - Found in: - /ssl/d1_both.c - /ssl/t1_lib.c - Both containing the following: - buffer = OPENSSL_malloc(1 + 2 + payload + padding); - Fixed in this commit: https://github.com/openssl/openssl/commit/96db9023b881d7cd9f379b0c154650d6c108e9 a3#diff-2 - The payload is now bound checked and can’t exceed the intended 16 byte payload size. - “Ultimately, this boiled down to a very simple bug in a very small piece of code that required a very small fix” ~ @TroyHunt
TLS Request 1 TLS Response 1 TLS Request 2 TLS Response 2 TLS Request n TLS Response n n  ∞
TLS Request 1 TLS Response 1 HeartBeat Request KeepAlive Response
TLS Request 1 TLS Response 1 HeartBeat Request KeepAlive Response Payload, Size Payload, Some Padding
TLS Request 1 TLS Response 1 HeartBeat Request Payload, 1 Byte Size, 65,536 Bytes
TLS Request 1 TLS Response 1 HeartBeat Request Payload, 1 Byte Size, 65,536 Bytes Server mory RANDOMDATARANDOMDA TARANDOMDATARANDOM DATAPayloadDATARANDO MDATARANDOMDATARAN DOMDATARANDOMDATAR ANDOMDATARANDOMDAT ARANDOMDATARANDOMD ATARANDOMDATARANDO MDATARANDOMDATARAN
TLS Request 1 TLS Response 1 HeartBeat Request Payload, 1 Byte Size, 65,536 Bytes Server Memory RANDOMDATARANDOMDA TARANDOMDATARANDOM DATAPayloadDATARANDO MDATARANDOMDATARAN DOMDATARANDOMDATAR ANDOMDATARANDOMDAT ARANDOMDATARANDOMD ATARANDOMDATARANDO MDATARANDOMDATARAN KeepAlive Response PayloadDATARANDOM DATARANDOMDATAAN DOMDATARAN
• Encryption is King: Many years of web hacks and Transport Layer bugs are always feared and respected. • Creativity is Rare: Utilizing things under our noses in new and novel ways is always impressive. • Web Security Prevails: Of all the hacks of 2014, web hacks make the headlines. Web is where the data is, and data is what we all hold dear.
Johnathan Kuskos Manager WhiteHat Security Europe, Ltd. Threat Research Center Twitter: @JohnathanKuskos The Top 10 Web Hacking Techniques of 2014 Matt Johansen Director, Security Services & Research WhiteHat Security Threat Research Center Twitter: @MattJay Special thanks to the community who voted and to our panel of experts: Jeff Williams, Zane Lackey, Daniel Miessler, Troy Hunt, Giorgio Maone, Peleus Uhley, and Rohit Sethi

Recommended

Secure Programming And Common Errors Part II
Secure Programming And Common Errors Part IISecure Programming And Common Errors Part II
Secure Programming And Common Errors Part IIMichele Orru'
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés RianchoCODE BLUE
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac DawsonCODE BLUE
 
Hacking The World With Flash
Hacking The World With FlashHacking The World With Flash
Hacking The World With Flashjoepangus
 
Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 n|u - The Open Security Community
 
End to end web security
End to end web securityEnd to end web security
End to end web securityGeorge Boobyer
 

Recommended

Secure Programming And Common Errors Part II
Secure Programming And Common Errors Part IISecure Programming And Common Errors Part II
Secure Programming And Common Errors Part IIMichele Orru'
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés RianchoCODE BLUE
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac DawsonCODE BLUE
 
Hacking The World With Flash
Hacking The World With FlashHacking The World With Flash
Hacking The World With Flashjoepangus
 
Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 n|u - The Open Security Community
 
End to end web security
End to end web securityEnd to end web security
End to end web securityGeorge Boobyer
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.n|u - The Open Security Community
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 
Menggunakan Kali Linux Untuk Mengetahui Kelemahan Implementasi TI
Menggunakan Kali Linux Untuk Mengetahui Kelemahan Implementasi TIMenggunakan Kali Linux Untuk Mengetahui Kelemahan Implementasi TI
Menggunakan Kali Linux Untuk Mengetahui Kelemahan Implementasi TIIsmail Fahmi
 
На страже ваших денег и данных
На страже ваших денег и данныхНа страже ваших денег и данных
На страже ваших денег и данныхPositive Hack Days
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияPositive Hack Days
 
Flashack
FlashackFlashack
Flashackn|u - The Open Security Community
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoPichaya Morimoto
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareAditya K Sood
 
White Lightning Sept 2014
White Lightning Sept 2014White Lightning Sept 2014
White Lightning Sept 2014Bryce Kunz
 
Mitigating CSRF with two lines of codes
Mitigating CSRF with two lines of codesMitigating CSRF with two lines of codes
Mitigating CSRF with two lines of codesMinhaz A V
 
BeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation FrameworkBeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation Frameworkawiasecretary
 
Advanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEFAdvanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEF1N3
 
Security Presentation for Boulder WordPress Meetup
Security Presentation for Boulder WordPress MeetupSecurity Presentation for Boulder WordPress Meetup
Security Presentation for Boulder WordPress MeetupAngela Bowman
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
Yarochkin, kropotov, chetvertakov tracking surreptitious malware distributi...
Yarochkin, kropotov, chetvertakov tracking surreptitious malware distributi...Yarochkin, kropotov, chetvertakov tracking surreptitious malware distributi...
Yarochkin, kropotov, chetvertakov tracking surreptitious malware distributi...DefconRussia
 
Meder Kydyraliev - Mining Mach Services within OS X Sandbox
Meder Kydyraliev - Mining Mach Services within OS X SandboxMeder Kydyraliev - Mining Mach Services within OS X Sandbox
Meder Kydyraliev - Mining Mach Services within OS X SandboxDefconRussia
 
Site Security Policy - Yahoo! Security Week
Site Security Policy - Yahoo! Security WeekSite Security Policy - Yahoo! Security Week
Site Security Policy - Yahoo! Security Weekguest9663eb
 
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn ViệtSecurity Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn ViệtSecurity Bootcamp
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfGiorgiRcheulishvili
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 

More Related Content

What's hot

Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 
Menggunakan Kali Linux Untuk Mengetahui Kelemahan Implementasi TI
Menggunakan Kali Linux Untuk Mengetahui Kelemahan Implementasi TIMenggunakan Kali Linux Untuk Mengetahui Kelemahan Implementasi TI
Menggunakan Kali Linux Untuk Mengetahui Kelemahan Implementasi TIIsmail Fahmi
 
На страже ваших денег и данных
На страже ваших денег и данныхНа страже ваших денег и данных
На страже ваших денег и данныхPositive Hack Days
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияPositive Hack Days
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoPichaya Morimoto
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareAditya K Sood
 
White Lightning Sept 2014
White Lightning Sept 2014White Lightning Sept 2014
White Lightning Sept 2014Bryce Kunz
 
Mitigating CSRF with two lines of codes
Mitigating CSRF with two lines of codesMitigating CSRF with two lines of codes
Mitigating CSRF with two lines of codesMinhaz A V
 
BeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation FrameworkBeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation Frameworkawiasecretary
 
Advanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEFAdvanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEF1N3
 
Security Presentation for Boulder WordPress Meetup
Security Presentation for Boulder WordPress MeetupSecurity Presentation for Boulder WordPress Meetup
Security Presentation for Boulder WordPress MeetupAngela Bowman
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
Yarochkin, kropotov, chetvertakov tracking surreptitious malware distributi...
Yarochkin, kropotov, chetvertakov tracking surreptitious malware distributi...Yarochkin, kropotov, chetvertakov tracking surreptitious malware distributi...
Yarochkin, kropotov, chetvertakov tracking surreptitious malware distributi...DefconRussia
 
Meder Kydyraliev - Mining Mach Services within OS X Sandbox
Meder Kydyraliev - Mining Mach Services within OS X SandboxMeder Kydyraliev - Mining Mach Services within OS X Sandbox
Meder Kydyraliev - Mining Mach Services within OS X SandboxDefconRussia
 
Site Security Policy - Yahoo! Security Week
Site Security Policy - Yahoo! Security WeekSite Security Policy - Yahoo! Security Week
Site Security Policy - Yahoo! Security Weekguest9663eb
 
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn ViệtSecurity Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn ViệtSecurity Bootcamp
 

What's hot (20)

Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application Hacking
 
Menggunakan Kali Linux Untuk Mengetahui Kelemahan Implementasi TI
Menggunakan Kali Linux Untuk Mengetahui Kelemahan Implementasi TIMenggunakan Kali Linux Untuk Mengetahui Kelemahan Implementasi TI
Menggunakan Kali Linux Untuk Mengetahui Kelemahan Implementasi TI
 
На страже ваших денег и данных
На страже ваших денег и данныхНа страже ваших денег и данных
На страже ваших денег и данных
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполнения
 
Flashack
FlashackFlashack
Flashack
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya Morimoto
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack Vectors
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web Malware
 
White Lightning Sept 2014
White Lightning Sept 2014White Lightning Sept 2014
White Lightning Sept 2014
 
Mitigating CSRF with two lines of codes
Mitigating CSRF with two lines of codesMitigating CSRF with two lines of codes
Mitigating CSRF with two lines of codes
 
BeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation FrameworkBeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation Framework
 
Advanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEFAdvanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEF
 
Security Presentation for Boulder WordPress Meetup
Security Presentation for Boulder WordPress MeetupSecurity Presentation for Boulder WordPress Meetup
Security Presentation for Boulder WordPress Meetup
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
Yarochkin, kropotov, chetvertakov tracking surreptitious malware distributi...
Yarochkin, kropotov, chetvertakov tracking surreptitious malware distributi...Yarochkin, kropotov, chetvertakov tracking surreptitious malware distributi...
Yarochkin, kropotov, chetvertakov tracking surreptitious malware distributi...
 
Meder Kydyraliev - Mining Mach Services within OS X Sandbox
Meder Kydyraliev - Mining Mach Services within OS X SandboxMeder Kydyraliev - Mining Mach Services within OS X Sandbox
Meder Kydyraliev - Mining Mach Services within OS X Sandbox
 
Site Security Policy - Yahoo! Security Week
Site Security Policy - Yahoo! Security WeekSite Security Policy - Yahoo! Security Week
Site Security Policy - Yahoo! Security Week
 
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn ViệtSecurity Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
 

Similar to Top 10 Web Hacking Techniques of 2014

EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfGiorgiRcheulishvili
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...OWASP Russia
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web SecurityChris Shiflett
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trendsbeched
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar GanievOWASP Russia
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
Owasp top 10 web application security hazards part 2
Owasp top 10 web application security hazards part 2Owasp top 10 web application security hazards part 2
Owasp top 10 web application security hazards part 2Abhinav Sejpal
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSlawomir Jasek
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
Serverless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark ArtsServerless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark ArtsYan Cui
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Peter Sabev
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Nilesh Sapariya
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS UniverseStefano Di Paola
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Matt Johansen
 

Similar to Top 10 Web Hacking Techniques of 2014 (20)

EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trends
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
Owasp top 10 web application security hazards part 2
Owasp top 10 web application security hazards part 2Owasp top 10 web application security hazards part 2
Owasp top 10 web application security hazards part 2
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 
Serverless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark ArtsServerless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark Arts
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)
 
News bytes Oct-2011
News bytes Oct-2011News bytes Oct-2011
News bytes Oct-2011
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012
 

Recently uploaded

Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsMehedi Hasan Shohan
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 

Recently uploaded (20)

Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software Solutions
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 

Top 10 Web Hacking Techniques of 2014

  • 1. Johnathan Kuskos Manager WhiteHat Security Europe, Ltd. Threat Research Center Twitter: @JohnathanKuskos The Top 10 Web Hacking Techniques of 2014 Matt Johansen Director, Security Services & Research WhiteHat Security Threat Research Center Twitter: @MattJay
  • 2. “Every year the security community produces a stunning amount of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, web browsers, web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, here we are solely focused on new and creative methods of web-based attack.” - Jeremiah Grossman
  • 3. New Techniques in Prev. Years 3 2007 2008 2009 2010 2011 2012 2013 65 70 80 69 51 56 31 XSS VULNS IN COMMON SHOCKWAV E FILES GIFAR (GIF + RAR) CREATING A ROGUE CA CERTIFICATE PADDING ORACLE CRYPTO ATTACK BEAST MXSS (MUTATION) CRIME
  • 4. 2014 Top 10 1. Heartbleed 2. ShellShock 3. POODLE 4. Rosetta Flash 5. Misfortune Cookie 6. Reusable CSRF bypass 7. Google Two-Factor Authentication Bypass 8. Apache Struts ClassLoader Manipulation Remote Code Execution 9. Facebook Hosted DDoS with Notes App. 10. Covert Timing Channels based on HTTP Cache Headers 4
  • 5. Covert Timing Channels “A covert channel is a path that can be used to transfer information in a way not intended by the system’s designers (CWE-514) A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another (CWE-515) Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information (CWE-385)” Denis Kolegov, Oleg Broslavsky, Nikita Oleksov http://www.slideshare.net/dnkolegov/wh102014 5
  • 6. Facebook Hosted DDoS w/Notes App “Facebook Notes allows users to include <img> tags. Whenever a <img> tag is used, Facebook crawls the image from the external server and caches it. Facebook will only cache the image once however using random get parameters the cache can be by-passed and the feature can be abused to cause a huge HTTP GET flood.” Chaman Thapa aka chr13 http://chr13.com/2014/04/20/using-facebook-notes-to- ddos-any-website/ 6
  • 7. Apache Struts ClassLoader RCE “A remote command execution vulnerability in Apache Struts versions 1.x (<= 1.3.10) and 2.x (< 2.3.16.2). In Struts 1.x the problem is related with the ActionForm bean population mechanism while in case of Struts 2.x the vulnerability is due to the ParametersInterceptor. Both allow access to 'class' parameter that is directly mapped to getClass() method and allows ClassLoader manipulation. As a result, this can allow remote attackers to execute arbitrary Java code via crafted parameters.” class.classLoader -> class[‘classLoader’] Fixed by adding the following regex to struts excludeParams: (.*.|^|.*|[('|"))(c|C)lass(.|('|")]|[).* Peter Magnusson, Przemyslaw Celej https://cwiki.apache.org/confluence/display/WW/S2- 020 7
  • 8. Google Two-Factor Authentication Bypass “The attack actually started with my cell phone provider, which somehow allowed some level of access or social engineering into my Google account, which then allowed the hackers to receive a password reset email from Instagram, giving them control of the account.” Anonymous Hacker http://gizmodo.com/how-hackers-reportedly-side- stepped-gmails-two-factor-a-1653631338 8
  • 9. Hacking PayPal Accounts with 1 Click “An attacker can conduct a targeted CSRF attack against a PayPal users and take a full control over his account Hence, An attacker can CSRF all the requests including but not limited to: 1- Add/Remove/Confirm Email address 2-Add fully privileged users to business account 3- Change Security questions 4- Change Billing/Shipping Address 5- Change Payment methods 6- Change user settings(Notifications/Mobile settings) …and more” Yaser Ali http://yasserali.com/hacking-paypal-accounts-with- one-click/ 9
  • 10. Misfortune Cookie “Researchers from Check Point’s Malware and Vulnerability Research Group uncovered this critical vulnerability present on millions of residential gateway (SOHO router) devices from different models and makers. It has been assigned the CVE-2014-9222 identifier. This severe vulnerability allows an attacker to remotely take over the device with administrative privileges.” Denis Kolegov, Oleg Broslavsky, Nikita Oleksov http://www.slideshare.net/dnkolegov/wh102014 10
  • 12. ACS Photo credit: https://zmap.io/paper.pdf - Single Point of Failure - ACS very powerful as required by TR-069 - Port 7547
  • 13. TR-069 Diversity Connection Request Server Technologies 13
  • 14. Get to the Hack Already! - HTTP Header Fuzzing RomPager - {Authorization: Digest username=‘a’*600} - Crashes Router Unprotected String Copy
  • 15.
  • 16. - RomPager uses cookies - Cookie array is pre-allocated memory - 10 40 byte cookies - C0, C1, C2, etc. - No more memory variations between firmwares
  • 17. Misfortune Cookie Remediation - Most people will just need to wait for manufacturer fix - Technical people can flash firmware (DD-WRT, etc.) - Don’t buy these: http://mis.fortunecook.ie/misfortune-cookie-suspected- vulnerable.pdf
  • 18. Rosetta Flash “Rosetta Flash [is] a tool for converting any SWF file to one composed of only alphanumeric characters in order to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site. This is a CSRF bypassing Same Origin Policy.” https://github.com/mikispag/rosettaflash Michele Spagnuolo https://miki.it/blog/2014/7/8/abusing-jsonp-with- rosetta-flash/ 18
  • 19. What is it? Rosetta Flash is a tool that converts normal binary SWF files and returns a compressed alphanumeric only equivalent. Photo Credit https://miki.it/blog/2014/7/8/abusing- jsonp-with-rosetta-flash/
  • 20. JSONP Widely Used Callback parameter in URL Only accepts [a-zA-Z] _ and . as valid Photo Credit https://miki.it/blog/2014/7/8/abusing- jsonp-with-rosetta-flash/ Ordinary SWF Binary Invalid JSONP callback
  • 21. JSONP • Google • Yahoo! • YouTube • LinkedIn • Twitter • Instagram • Flickr • eBay • Mail.ru • Baidu • Tumblr • Olark 21 Just a “handful” of sites used JSONP and were vulnerable:
  • 22. SWF Header Formats Photo Credit https://miki.it/blog/2014/7/8/abusing-jsonp- with-rosetta-flash/
  • 23. Faking valid zlib data - First 2 bytes of zlib stream - Huffman Coding: Bit reduction - DEFLATE: Duplicate string elimination LZ77 algorithm - ALDER32 Checksum 23
  • 25. - HTML PoC - Attacker Hosted - crossdomain.xml
  • 26. Mitigations - Don’t use JSONP on sensitive domains - HTTP Headers: - Content-Disposition: attachment; filename=f.txt - X-Content-Type-Options: nosniff - Latest versions of Flash are patched by Adobe
  • 27. Poodle Encryption downgrade attack to SSLv3.0 Like BEAST and CRIME, a successful exploit targets the client, not the server Requires determined MitM attacker Bodo Möller, Thai Duong, Krzysztof Kotowicz https://www.openssl.org/~bodo/ssl-poodle.pdf
  • 33. Padding DES uses 8 Bytes AES uses 16 bytes MAC Sensitive Data CBC CBC CBCCBC CBC Encryption is occurring
  • 34. Padding DES uses 8 Bytes AES uses 16 bytes MAC Sensitive Data CBC CBC CBCCBC CBC Encryption is occurring
  • 35. Padding DES uses 8 Bytes AES uses 16 bytes MAC Sensitive Data CBC CBC CBCCBC CBC
  • 37. Requirements - A motivated and active MITM attacker. - A webserver set up to force the JS requests to break multiple encryption blocks Solution - Disable SSLv3.0 in the client. - Disable SSLv3.0 in the server. - Disable support for CBC-based cipher suites when using SSLv3.0 in either client or server.
  • 38. ShellShock Also known as bashdoor CVE-2014-6271 Disclosed on September 24, 2014. Simply put  () { :; }; echo ‘win’ Denis Kolegov, Oleg Broslavsky, Nikita Oleksov http://www.slideshare.net/dnkolegov/wh102014
  • 39. MassScan Example target-ip = 0.0.0.0/0 port = 80 banners = true http-user-agent = () { :; }; ping -c 3 xxx.xxx.xxx.xxx http-header[Cookie] = () { :; }; ping -c 3 xxx.xxx.xxx.xxx http-header[Host] = () { :; }; ping -c 3 xxx.xxx.xxx.xxx http-header[Referer] = () { :; }; ping -c 3 xxx.xxx.xxx.xxx
  • 41. Before we had fancy GUI’s
  • 43. ShellShock Explained Simply VAR=‘This is something I'd really like to remember.’ VAR=‘This should also be treated as text, not syntax.’ VAR=‘rm -rf /’ VAR=‘() { :;}; rm -rf /’ echo $VAR
  • 44. Heartbleed It allows an attacker to anonymously download a random chunk of memory from a server using OpenSSL. A Catastrophic vulnerability to be accompanied by “branding”. ~17%(500k) of all “secure” servers were vulnerable. Denis Kolegov, Oleg Broslavsky, Nikita Oleksov http://www.slideshare.net/dnkolegov/wh102014
  • 45. Market share of busiest sites…
  • 46. Market share of active sites…
  • 47. THE PROBLEM - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22 116ad75f822b1 - Found in: - /ssl/d1_both.c - /ssl/t1_lib.c - Both containing the following: - buffer = OPENSSL_malloc(1 + 2 + payload + padding); - Fixed in this commit: https://github.com/openssl/openssl/commit/96db9023b881d7cd9f379b0c154650d6c108e9 a3#diff-2 - The payload is now bound checked and can’t exceed the intended 16 byte payload size. - “Ultimately, this boiled down to a very simple bug in a very small piece of code that required a very small fix” ~ @TroyHunt
  • 48. TLS Request 1 TLS Response 1 TLS Request 2 TLS Response 2 TLS Request n TLS Response n n  ∞
  • 49. TLS Request 1 TLS Response 1 HeartBeat Request KeepAlive Response
  • 50. TLS Request 1 TLS Response 1 HeartBeat Request KeepAlive Response Payload, Size Payload, Some Padding
  • 51. TLS Request 1 TLS Response 1 HeartBeat Request Payload, 1 Byte Size, 65,536 Bytes
  • 52. TLS Request 1 TLS Response 1 HeartBeat Request Payload, 1 Byte Size, 65,536 Bytes Server mory RANDOMDATARANDOMDA TARANDOMDATARANDOM DATAPayloadDATARANDO MDATARANDOMDATARAN DOMDATARANDOMDATAR ANDOMDATARANDOMDAT ARANDOMDATARANDOMD ATARANDOMDATARANDO MDATARANDOMDATARAN
  • 53. TLS Request 1 TLS Response 1 HeartBeat Request Payload, 1 Byte Size, 65,536 Bytes Server Memory RANDOMDATARANDOMDA TARANDOMDATARANDOM DATAPayloadDATARANDO MDATARANDOMDATARAN DOMDATARANDOMDATAR ANDOMDATARANDOMDAT ARANDOMDATARANDOMD ATARANDOMDATARANDO MDATARANDOMDATARAN KeepAlive Response PayloadDATARANDOM DATARANDOMDATAAN DOMDATARAN
  • 54. • Encryption is King: Many years of web hacks and Transport Layer bugs are always feared and respected. • Creativity is Rare: Utilizing things under our noses in new and novel ways is always impressive. • Web Security Prevails: Of all the hacks of 2014, web hacks make the headlines. Web is where the data is, and data is what we all hold dear.
  • 55. Johnathan Kuskos Manager WhiteHat Security Europe, Ltd. Threat Research Center Twitter: @JohnathanKuskos The Top 10 Web Hacking Techniques of 2014 Matt Johansen Director, Security Services & Research WhiteHat Security Threat Research Center Twitter: @MattJay Special thanks to the community who voted and to our panel of experts: Jeff Williams, Zane Lackey, Daniel Miessler, Troy Hunt, Giorgio Maone, Peleus Uhley, and Rohit Sethi