The document discusses vulnerabilities in Flash applications. It begins by introducing Flash and explaining that while some claim it is outdated, it still poses security risks due to programming flaws. Several types of vulnerabilities are then outlined, including cross-site scripting, cross-domain policy misconfigurations, decompilation risks revealing sensitive data, and abuse of functions like getURL() that allow external code execution. Methods of exploiting these vulnerabilities are explained, along with mitigations like sanitizing inputs and using strict cross-domain policies. The document concludes by mentioning additional risks like camjacking through clickjacking.
This document discusses the top 10 web hacking techniques of 2012. It provides an overview of each technique including CRIME, attacking memcached via SSRF, Chrome addon hacking, bruteforcing PHPSESSID, blended threats using JavaScript, cross-site port attacks, permanently backdooring HTML5 client-side applications using local storage, CAPTCHA re-riding attacks, gaining access to HttpOnly cookies in 2012 through Java applets, and attacking OData through HTTP verb tunneling and navigation properties. The document also discusses the history of past web hacking techniques and provides background information on topics like HttpOnly cookies, XST, and CAPTCHAs.
My presentation from Framsia.
Topics:
XSS (reflected, stored, dom-based)
CSRF
Clickjacking
Header based approaches (CSP, X-frame-options)
EcmaScript5
HTML5
Some slides borrowed from John Wilander http://www.slideshare.net/johnwilander/application-security-for-rias
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
XXE Exposed Webinar Slides:
Brief coverage of SQLi and XSS against Web Services, then a discussion of XXE and XEE attacks and their mitigation. Heavily inspired by the "Practical Web Defense" (PWD) style of pwnage + fixing (https://www.elearnsecurity.com/PWD)
Full recording here:
NOTE: (~20 minute) XXE + XEE Demo Recording starts at minute 25
https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
Krzysztof Kotowicz
This document discusses attacking Chrome extensions through exploiting vulnerabilities in their architecture and code. It begins by explaining the components and permissions model of Chrome extensions. It then describes how to exploit vulnerabilities like DOM XSS in extensions' UI pages under the legacy v1 model. The document outlines fixes made in the v2 model but still finds ways to bypass security restrictions, such as through content script XSS. It introduces tools like XSSChEF and Mosquito for exploiting extensions. The presentation concludes by noting CSP should only be seen as a mitigation rather than prevention for extension vulnerabilities.
Post XSS Exploitation: Advanced Attacks and Remedies
Adwiteeya Agrawal
This is the presentation I used at the National Conference on "Current Scenario & Emerging Trends in Information Technology" held at MSIT in March 2013.
Here is the link to the whitepaper : http://www.exploit-db.com/wp-content/themes/exploit/docs/24559.pdf
The document discusses the evolution of the web platform and browser security. It covers the basic technologies that underlie the web like HTML, CSS, JavaScript, and HTTP. It describes how these technologies work together to deliver content to users and allow for client-side interactivity. Key elements covered include HTML elements and tags, how CSS and JavaScript are used in web pages, JSON for data formatting, URIs for resource identification, the HTTP request/response protocol, and common HTTP methods and headers.
Top Ten Web Hacking Techniques of 2008:
"What's possible, not probable"
The polls are closed, votes are in, and we have the winners making up the Top Ten Web Hacking Techniques of 2008! The competition was fierce with the newest and most innovative web hacking techniques to the test. This session will review the top ten hacks from 2008 - what they indicate about the security of the web, what they mean for businesses, and what might be used against us soon down the road.
Local storage can expand the attack surface for web applications by allowing sensitive data to be accessed through malware or viruses. It is also vulnerable to cross-site scripting (XSS) attacks, where malicious code could harvest and transmit stored data. Additionally, lack of privacy controls enables persistent user tracking across domains and invasion of privacy. Proper security defenses and protections are needed to mitigate risks from local storage.
The document provides an overview of web application security topics like SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), file inclusion, and tools/techniques for exploiting vulnerabilities. It discusses basic web communication, HTTP methods, response codes, URLs, database communication. It also covers setting up a Kali Linux environment, Firefox plugins, exploiting XSS vulnerabilities, defending against attacks, and includes exercises on vulnerable web apps.
video demos: http://whitehatsec.com/home/assets/videos/Top10WebHacks_Webinar031711.zip
Many notable and new Web hacking techniques were revealed in 2010. During this presentation, Jeremiah Grossman will describe the technical details of the top hacks from 2010, as well as some of the prevalent security issues emerging in 2011. Attendees will be treated to a step-by-step guided tour of the newest threats targeting today's corporate websites and enterprise users.
The top attacks in 2010 include:
• 'Padding Oracle' Crypto Attack
• Evercookie
• Hacking Auto-Complete
• Attacking HTTPS with Cache Injection
• Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
• Universal XSS in IE8
• HTTP POST DoS
• JavaSnoop
• CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
• Java Applet DNS Rebinding
Mr. Grossman will then briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, and what preventative measures can be taken. With that knowledge, he will strategize what defensive solutions will have the most impact.
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Wayne Huang
Given at Black Hat and DEF CON 2010 by Wayne Huang and team.
https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang
http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Huang
DRIVESPLOIT: CIRCUMVENTING BOTH AUTOMATED AND MANUAL DRIVE-BY-DOWNLOAD DETECTION
This year saw the biggest news in Web security ever--Operation Aurora, which aimed at stealing source code and other intellectual property and succeeded against more than 30 companies, including Google. Incident response showed that the operation involved an IE 0-day drive-by-download, resulting in Google's compromise and the leak of source code to jump points in Taiwan. The US Government is so concerned that they issued a demarche to the Chinese government.
Using real, live examples, we will show how easy it is to exploit injection-based, XSS-based, and CSRF-based vulnerabilities in FaceBook, Google, Digg, LinkedIn, and other popular websites, and inject drive-by downloads.
If drive-bys are so easy to inject into high-traffic websites, then the question becomes, how easy it is to make them undetectable by automated malware scanning services (such as Google's) and by human manual inspection? We will demonstrate how easy it is to defeat automated detection mechanisms and overview commonly used techniques.
We will reveal for the first time, in this conference, some very advanced techniques that are almost impossible to overcome by automated analysis in the past, now, and in the future. We will release Drivesploit, a drive-by download exploit framework implemented on top of Metasploit. We will go into depth on two particular techniques supported by Drivesploit: a) JavaScript obfuscation based on behavior-based fingerprinting, and b) JavaScript timelock puzzles. We will have live demos to show how these techniques easily defeat both automated AND manual detection.
At the very beginning of our talk, we will be giving out a digg.com page, which we have infected with a drive-by download created with Drivesploit. Visiting this page with the right browser will trigger the exploit and download malware that steals browser cookie files. The whole process will be undetectable by antivirus. The actual JavaScript drive-by code contains a secret phrase. We will give out an iPad to whomever from the audience is able to correctly deobfuscate the JavaScript and give out the secret phrase.
Finally, we will present case studies on systems and processes that the largest organizations have put in place in order to fight against Web-based malware. We will also present case studies of our incident response efforts with organizations hit by Web malware injections such as Google's Aurora incident. Based in Taiwan, co-speaker Wayne has been personally involved in such incident response efforts since the late 90's.
All source codes related to POC exploits against FaceBook, Google, Digg, LinkedIn, etc, as well as source code of Drivesploit, will be released as open source at the conference.
Attendees will gain the following:
1. Understanding of drive-by downloads and associated terminologies.
2. Information about various drive-by download infection vectors.
3. Appreciation of tools helpful for drive-by analysis, including Malzilla, SpiderMonkey, Rhino, Burp and Wepawet
4. Realize why drive-by downloads are hard to analyze and detect: why antivirus fails, why behavior-based approaches fail, and why even manual efforts are difficult
5. Learning the Drivesploit framework and how it can be used to develop PoC drive-bys
6. Learning two new deadly techniques: behavior-based browser fingerprinting and JavaScript timelock puzzles
7. Learning how to implement the above two using Drivesploit to defeat both automated and manual drive-by analysis
8. Knowledge about the available countermeasures to this threat
Major news in the month included unrest in Turkey and a coup in Thailand. Ebay was hacked and fake user databases were sold. The USA charged five Chinese nationals with cyber espionage. Memory issues caused failures in an air traffic control system. Interesting tools released included ones for bypassing two-factor authentication and exploiting ad networks. Heartbleed continued to be analyzed and disclosed vulnerabilities in certificate authorities.
The document discusses security challenges with service-oriented architectures (SOA) and web services. It introduces SOA, web services, and web 2.0, and describes the growing adoption of these technologies. It then presents the XML/SOA threat model, which includes payload/content threats that target back-end systems or end users, XML misuse/abuse through injection and structure manipulation attacks, and infrastructure attacks. Examples of specific attacks are provided like SQL injection, XML entity expansion attacks, and denial of service attacks.
When you don't have 0days: client-side exploitation for the masses
Michele Orru
Conference: InsomniHack (21 March 2014)
Talk speakers:
Michele Orru (@antisnatchor)
Krzysztof Kotowicz (@kkotowicz)
Talk abstract:
A bag of fresh and juicy 0days is certainly something you would love to get
as a Christmas present, but it would probably be just a dream you had one of those drunken nights.
Hold on! Not all is lost! There is still hope for pwning targets without 0days.
We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system.
The talk will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc.
We'll delve into Chrome and Firefox extensions (automating various repetitive actions that you'll likely perform in your engagements), HTML applications, abusing User Interface expectations, (Open)Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient.
You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, then this talk is for you.
This document introduces Web Application Firewall (WAF) and discusses techniques for bypassing WAF protections, including SQL injection, cross-site scripting, file inclusion, HTTP parameter contamination, and HTTP pollution attacks. It provides examples of bypassing specific WAF vendors and open source WAFs like ModSecurity and PHPIDS. While WAFs can block some attacks, the document argues they cannot eliminate all vulnerabilities and proper secure coding is still needed. It concludes that WAFs may succeed or fail depending on configurations and imaginative attacks.
http://www.powerofcommunity.net/pastcon_2008.html & http://xcon.xfocus.org/XCon2008/index.html
The Same Origin Policy is the most talked about security policy which relates to web applications, it is the constraint within browsers that ideally stops active content from different origins arbitrarily communicating with each other. This policy has given rise to the class of bugs known as Cross-Site Scripting (XSS) vulnerabilities, though a more accurate term is usually JavaScript injection, where the ability to force an application to echo crafted data gives an attacker the ability to execute JavaScript within the context of the vulnerable origin.
This talk takes the view that the biggest weakness with the Same Origin Policy is that it must be implemented by every component of the browser independently, and if any component implements it differently to other components then the security posture of the browser is altered. As such this talk will examine how the 'Same Origin Policy' is implemented in different circumstances, especially in active content, and where the Same Origin Policy is not really enforced at all.
This document summarizes security issues with JavaScript and discusses vulnerabilities like cross-site scripting (XSS) and cross-site request forgery (CSRF). It provides examples of how XSS can be used to steal cookies and hijack sessions. It also discusses challenges with securing JSON responses and preventing code injection attacks. Countermeasures discussed include escaping output, adding random tokens to forms, and using a secure comment syntax to wrap sensitive JSON responses.
It's time to deprecate JavaScript. Its security model and the language itself are appalling.
As data moves into the cloud the JavaScript threat is increasing and I believe the only way to fix this is to start all over again. The 14 year old language and security model aren't up to today's threats.
Defeating XSS and XSRF with MyFaces Frameworks (Steve Wolf)
drewz lin
This document discusses how to defeat cross-site scripting (XSS) and cross-site request forgery (XSRF) when using JavaServer Faces (JSF) frameworks. It covers validating user input, encoding output, and protecting view states to prevent XSS, as well as configuring JSF implementations to protect against XSRF by encrypting view states and adding tokens to URLs. The presentation emphasizes testing validation, encoding, and protection in specific JSF implementations since behaviors can differ.
Introduction to Cross Site Scripting (XSS)
Irfad Imtiaz
Contents :
- Introduction
- Description as A Widely Used Hacking Technique
- How it is used in Hacking
- What can be done with XSS
#XSS, #Hacking, #Security, #CookieStealing, #InternetBug, #HTMLInjection
Sincerely,
Irfad Imtiaz
Sandboxed platform using IFrames, postMessage and localStorage
tomasperezv
This document discusses using iframes, postMessage, and localStorage for communication in a sandboxed web application platform. It notes both advantages and disadvantages of iframes, describes how to securely communicate between iframes and different browser tabs or windows using postMessage, and explores strategies and considerations for using localStorage for communication.
This document discusses sandboxing untrusted JavaScript from third parties to improve security. It proposes a two-tier sandbox architecture that uses JavaScript libraries and wrappers, without requiring browser modifications. Untrusted code is executed in an isolated environment defined by policy code, and can only access approved APIs. This approach aims to mediate access between code and the browser securely and efficiently while maintaining compatibility with existing third-party scripts.
The document provides an analysis of HTTP security headers in Turkey. It begins with an outline that covers topics like web browsers and same-origin policy, the OWASP top 10 security risks, and various HTTP security headers like content security policy, X-XSS-Protection, and strict transport security. It then analyzes the implementation of security headers on the Alexa top 500 websites in Turkey and finds that adoption is still low. The document concludes with pointers to further resources for information on security headers.
The document discusses various web security topics such as cookies, same origin policy, cross-site scripting (XSS), and cross-site request forgery (CSRF). Cookies are used to maintain state in stateless HTTP and can be used for authentication. The same origin policy restricts how scripts from different origins can access each other's resources. XSS occurs when untrusted user input containing scripts is rendered without sanitization. CSRF tricks authenticated users into performing actions on a web site by submitting forged HTTP requests, leveraging the user's session to bypass CSRF protections.
The document discusses the evolution of the web platform and browser security. It covers the basic technologies that underlie the web like HTML, CSS, JavaScript, and HTTP. It describes how these technologies work together to deliver content to users and allow for client-side interactivity. Key elements covered include HTML elements and tags, how CSS and JavaScript are used in web pages, JSON for data formatting, URIs for resource identification, the HTTP request/response protocol, and common HTTP methods and headers.
Top Ten Web Hacking Techniques of 2008:
"What's possible, not probable"
The polls are closed, votes are in, and we have the winners making up the Top Ten Web Hacking Techniques of 2008! The competition was fierce with the newest and most innovative web hacking techniques to the test. This session will review the top ten hacks from 2008 - what they indicate about the security of the web, what they mean for businesses, and what might be used against us soon down the road.
Local storage can expand the attack surface for web applications by allowing sensitive data to be accessed through malware or viruses. It is also vulnerable to cross-site scripting (XSS) attacks, where malicious code could harvest and transmit stored data. Additionally, lack of privacy controls enables persistent user tracking across domains and invasion of privacy. Proper security defenses and protections are needed to mitigate risks from local storage.
The document provides an overview of web application security topics like SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), file inclusion, and tools/techniques for exploiting vulnerabilities. It discusses basic web communication, HTTP methods, response codes, URLs, database communication. It also covers setting up a Kali Linux environment, Firefox plugins, exploiting XSS vulnerabilities, defending against attacks, and includes exercises on vulnerable web apps.
video demos: http://whitehatsec.com/home/assets/videos/Top10WebHacks_Webinar031711.zip
Many notable and new Web hacking techniques were revealed in 2010. During this presentation, Jeremiah Grossman will describe the technical details of the top hacks from 2010, as well as some of the prevalent security issues emerging in 2011. Attendees will be treated to a step-by-step guided tour of the newest threats targeting today's corporate websites and enterprise users.
The top attacks in 2010 include:
• 'Padding Oracle' Crypto Attack
• Evercookie
• Hacking Auto-Complete
• Attacking HTTPS with Cache Injection
• Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
• Universal XSS in IE8
• HTTP POST DoS
• JavaSnoop
• CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
• Java Applet DNS Rebinding
Mr. Grossman will then briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, and what preventative measures can be taken. With that knowledge, he will strategize what defensive solutions will have the most impact.
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
Given at black hat and DEF CON 2010 by Wayne Huang and team.
https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang
http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Huang
DRIVESPLOIT: CIRCUMVENTING BOTH AUTOMATED AND MANUAL DRIVE-BY-DOWNLOAD DETECTION
This year saw the biggest news in Web security ever--Operation Aurora, which aimed at stealing source code and other intellectual properties and succeeded with more than 30 companies, including Google. Incidence response showed that the operation involved an IE 0-day drive-by-download, resulting in Google's compromise and leak of source code to jump points in Taiwan. The US Government is so concerned that they issued a demarche to the Chinese government.
Using real, live examples, we will show how easy it is to exploit injection-based, XSS-based, and CSRF-based vulnerabilities in FaceBook, Google, Digg, LinkedIn, and other popular websites, and inject drive-by downloads.
If drive-bys are so easy to inject into high-traffic websites, then the question becomes, how easy it is to make them undetectable by automated malware scanning services (such as Google's) and by human manual inspection? We will demonstrate how easy it is to defeat automated detection mechanisms and overview commonly used techniques.
We will reveal for the first time, in this conference, some very advanced techniques that are almost impossible to overcome by automated analysis in the past, now, and in the future. We will release Drivesploit, a drive-by download exploit framework implemented on top of Metasploit. We will go into depth on two particular techniques supported by Drivesploit's a) javascript obfuscation based on behavior-based fingerprinting, and b) javascript timelock puzzles. We will have live demos to show how this technique easily defeats both automated AND manual detection.
At the very beginning of our talk, we will be giving out a digg.com page, which we have infected with a drive-by download created with Drivesploit. Visiting this page with the right browser will trigger the exploit and download a malware that steals browser cookie files. The whole process will be undetectable by antivirus. The actual javascript drive-by code contains a secret phrase. We will give out an ipad to whomever from the audience that is able to correctly deobfuscate the javascript and give out the secret phrase.
Finally, we will present case studies on systems and processes that the largest organizations have put in place in order to fight against Web-based malware. We will also present case studies of our incidence response efforts with organizations hit by Web malware injections such as Google's aurora incident. Based in Taiwan, Co-speaker Wayne has been personally involved in such incidence response efforts since the late 90's.
All source codes related to POC exploits against FaceBook, Google, Digg, LinkedIn, etc, as well as source code of Drivesploit, will be released as open source at the conference.
Attendees will gain the following:
1. Understanding of drive-by downloads and associated terminologies.
2. Information about various drive-by download infection vectors.
3. Appreciation of tools helpful for drive-by analysis, including Malzilla, spikermonkey, rhino, burp and wepawet
4. Realize why drive-by downloads are hard to analyze and detect. Why antivirus fail, why behavior-based approaches fail, and why even manual efforts are difficult
5. Learning the Drivesploit framework and how it can be used to develop poc drive-bys
6. Learning two new deadly techniques: behavior-based browser finterprinting and javascript timelock puzzles
7. Learning how to implement above two using Drivesploit to defeat both automated and manual drive-by analysis
8. Knowledge about the available countermeasures to this threat
Major news in the month included unrest in Turkey and a coup in Thailand. Ebay was hacked and fake user databases were sold. The USA charged five Chinese nationals with cyber espionage. Memory issues caused failures in an air traffic control system. Interesting tools released included ones for bypassing two-factor authentication and exploiting ad networks. Heartbleed continued to be analyzed and disclosed vulnerabilities in certificate authorities.
The document discusses security challenges with service-oriented architectures (SOA) and web services. It introduces SOA, web services, and web 2.0, and describes the growing adoption of these technologies. It then presents the XML/SOA threat model, which includes payload/content threats that target back-end systems or end users, XML misuse/abuse through injection and structure manipulation attacks, and infrastructure attacks. Examples of specific attacks are provided like SQL injection, XML entity expansion attacks, and denial of service attacks.
When you don't have 0days: client-side exploitation for the massesMichele Orru
Conference: InsomniHack (21 March 2014)
Talk speakers:
Michele Orru (@antisnatchor)
Krzysztof Kotowicz (@kkotowicz)
Talk abstract:
A bag of fresh and juicy 0days is certainly something you would love to get
as a Christmas present, but it would probably be just a dream you had one of those drunken nights.
Hold on! Not all is lost! There is still hope for pwning targets without 0days.
We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system.
The talk will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc.
We'll delve into Chrome and Firefox extensions (automating various repetitive actions that you'll likely perform in your engagements), HTML applications, abusing User Interface expectations, (Open)Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient.
You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, then this talk is for you.
This document introduces Web Application Firewall (WAF) and discusses techniques for bypassing WAF protections, including SQL injection, cross-site scripting, file inclusion, HTTP parameter contamination, and HTTP pollution attacks. It provides examples of bypassing specific WAF vendors and open source WAFs like ModSecurity and PHPIDS. While WAFs can block some attacks, the document argues they cannot eliminate all vulnerabilities and proper secure coding is still needed. It concludes that WAFs may succeed or fail depending on configurations and imaginative attacks.
http://www.powerofcommunity.net/pastcon_2008.html & http://xcon.xfocus.org/XCon2008/index.html
The Same Origin Policy is the most talked about security policy which relates to web applications, it is the constraint within browsers that ideally stops active content from different origins arbitrarily communicating with each other. This policy has given rise to the class of bugs known as Cross-Site Scripting (XSS) vulnerabilities, though a more accurate term is usually JavaScript injection, where the ability to force an application to echo crafted data gives an attacker the ability to execute JavaScript within the context of the vulnerable origin.
This talk takes the view that the biggest weakness with the Same Origin Policy is that it must be implemented by every component of the browser independently, and if any component implements it differently to other components then the security posture of the browser is altered. As such this talk will examine how the 'Same Origin Policy' is implemented in different circumstances, especially in active content, and where the Same Origin Policy is not really enforced at all.
This document summarizes security issues with JavaScript and discusses vulnerabilities like cross-site scripting (XSS) and cross-site request forgery (CSRF). It provides examples of how XSS can be used to steal cookies and hijack sessions. It also discusses challenges with securing JSON responses and preventing code injection attacks. Countermeasures discussed include escaping output, adding random tokens to forms, and using a secure comment syntax to wrap sensitive JSON responses.
It's time to deprecate JavaScript. Its security model and the language itself are appalling.
As data moves into the cloud the JavaScript threat is increasing, and I believe the only way to fix this is to start all over again. The 14-year-old language and security model aren't up to today's threats.
Defeating XSS and XSRF with MyFaces Frameworks - Steve Wolf (drewz lin)
This document discusses how to defeat cross-site scripting (XSS) and cross-site request forgery (XSRF) when using JavaServer Faces (JSF) frameworks. It covers validating user input, encoding output, and protecting view states to prevent XSS, as well as configuring JSF implementations to protect against XSRF by encrypting view states and adding tokens to URLs. The presentation emphasizes testing validation, encoding, and protection in specific JSF implementations since behaviors can differ.
Introduction to Cross Site Scripting (XSS) - Irfad Imtiaz
Contents :
- Introduction
- Description as A Widely Used Hacking Technique
- How it is used in Hacking
- What can be done with XSS
#XSS, #Hacking, #Security, #CookieStealing, #InternetBug, #HTMLInjection
Sincerely,
Irfad Imtiaz
Sandboxed platform using IFrames, postMessage and localStorage - tomasperezv
This document discusses using iframes, postMessage, and localStorage for communication in a sandboxed web application platform. It notes both advantages and disadvantages of iframes, describes how to securely communicate between iframes and different browser tabs or windows using postMessage, and explores strategies and considerations for using localStorage for communication.
This document discusses sandboxing untrusted JavaScript from third parties to improve security. It proposes a two-tier sandbox architecture that uses JavaScript libraries and wrappers, without requiring browser modifications. Untrusted code is executed in an isolated environment defined by policy code, and can only access approved APIs. This approach aims to mediate access between code and the browser securely and efficiently while maintaining compatibility with existing third-party scripts.
The document provides an analysis of HTTP security headers in Turkey. It begins with an outline that covers topics like web browsers and same-origin policy, the OWASP top 10 security risks, and various HTTP security headers like content security policy, X-XSS-Protection, and strict transport security. It then analyzes the implementation of security headers on the Alexa top 500 websites in Turkey and finds that adoption is still low. The document concludes with pointers to further resources for information on security headers.
The document discusses various web security topics such as cookies, same origin policy, cross-site scripting (XSS), and cross-site request forgery (CSRF). Cookies are used to maintain state in stateless HTTP and can be used for authentication. The same origin policy restricts how scripts from different origins can access each other's resources. XSS occurs when untrusted user input containing scripts is rendered without sanitization. CSRF tricks authenticated users into performing actions on a web site by submitting forged HTTP requests, leveraging the user's session to bypass CSRF protections.
HTML5 introduces significant changes for today's websites: new and updated tags, new functionality, better error handling and an improved Document Object Model (DOM). However, the new HTML5 features come with new (application) security vulnerabilities. This presentation reviews the new attack vectors, the associated risks and what needs to be taken into consideration when implementing HTML5.
HTTP request smuggling involves sending malformed HTTP requests to exploit vulnerabilities in how devices handle requests. This allows an attacker to smuggle a request to one device without the other being aware. Key techniques include using multiple content-length headers, GET requests with content-length, and CRLF tricks to treat multiple requests as one. Prevention focuses on firewalls, terminating sessions after each request, disabling caching, and enforcing strict HTTP parsing.
This talk is a generic but comprehensive overview of security mechanism, controls and potential attacks in modern browsers. The talk focuses also on new technologies, such as HTML5 and related APIs to highlight new attack scenario against browsers.
The WAF book intro protection elements v1.0 - Lior Rotkovitch
This document provides an overview of a web application firewall (WAF) and how it works. It discusses how a WAF parses requests and responses, uses signatures to detect attacks, and can take prevention actions like alerting or blocking. It explains the different components of a WAF, including the parser engine that extracts entities from traffic, the traps engine that performs detections on those entities, and the enforcer engine that handles prevention policies. Signatures are discussed as a detection technique for pattern matching known attacks. The goal of a WAF is to differentiate expected traffic from attack traffic and control traffic flow.
Same-origin policy is an important security concept of the modern browser languages like JavaScript but becomes an obstacle for developers when building complex client-side apps. Over time there have been lots of ingenious workarounds using JSON-P, IFRAME and proxies. As of January 2013 the well known Cross Origin Resource Sharing (CORS) comes as proposed standard by W3C and has now native support by all major browsers.
15_526_topic11 for topics for students.ppt - shatrutrial44
This document discusses various topics relating to web security, including:
- The same origin policy which isolates scripts and resources from different origins to prevent access.
- Cross-site scripting (XSS) which can occur when user inputs containing scripts are displayed on a webpage without sanitization, allowing attackers to execute scripts in a victim's browser.
- How XSS was used in a worm on MySpace that infected many users by adding the attacker as a friend when their profile was visited.
- The use of cookies by websites to maintain state in the stateless HTTP protocol and how session hijacking is a risk if cookies are stolen.
Presentation on Application layer_201.pdf - prince2412001
A network application is an application running on one host that provides communication to another application running on a different host.
▪ Network application development is writing programs that run on different end systems and communicate with each other over the network.
▪ In the Web application there are two different programs that communicate with each other:
✔ Browser program running in the user's host.
✔ Web server program running in the Web server host.
Network Applications - Examples
▪ Email
▪ Web
▪ Remote Login
▪ P2P File Sharing
▪ Multi-user Network Games
▪ Streaming Stored Video (YouTube)
▪ Voice Over IP (Skype)
▪ Real-time Video Conference
▪ Social Networking
Network Application Architecture
1. Client-Server architecture
2. P2P (Peer to Peer) architecture
1. Client-Server Architecture
Server:
✔ It is an always-on host.
✔ It has a fixed IP address.
✔ Large clusters of hosts – data centers.
✔ E.g. Web server
Client:
✔ It communicates with the server.
✔ It is not continuously connected.
✔ May have dynamic IP addresses.
✔ Clients do not communicate directly with each other.
✔ E.g. PCs, mobiles
2. P2P Architecture
▪ Peers (end systems) communicate directly with each other.
▪ Peers request service from other peers and provide service to other peers.
✔ Self scalability – new peers bring new service capacity, as well as new service demands.
▪ Peers are intermittently connected and change IP addresses.
✔ Complex management
Processes Communicating
▪ What is a process?
▪ A process is an instance of a program running in a computer.
▪ We can say that a process is a program under execution.
▪ Within the same host, two processes communicate using inter-process communication (IPC).
▪ Processes on different hosts communicate by exchanging messages.
▪ Client process: a process that initiates communication.
▪ Server process: a process that waits to be contacted.
Socket
▪ A process sends messages into, and receives messages from, the network through a software interface called a socket.
▪ A process is similar to a house and its socket is similar to its door.
✔ The sending process passes a message out of the door.
✔ The sending process relies on the transport infrastructure on the other side of the door to deliver the message to the socket at the receiving process.
[Diagram: two hosts connected over the Internet, each with an application process above the transport, network, link and physical layers; the socket between the application process and the transport layer is controlled by the app developer, while the layers below it are controlled by the OS.]
Transport Services to Applications
▪ Recall that a socket is the interface between the application process and the transport layer protocol.
▪ To develop an application, choose one of the available transport layer protocols.
▪ Pick the protocol with the services that best match the needs of your application.
HTTP cookie hijacking in the wild: security and privacy implications - Priyanka Aash
The widespread demand for online privacy, also fueled by widely-publicized demonstrations of session hijacking attacks against popular websites (see Firesheep), has spearheaded the increasing deployment of HTTPS. However, many websites still avoid ubiquitous encryption due to performance or compatibility issues. The prevailing approach in these cases is to force critical functionality and sensitive data access over encrypted connections, while allowing more innocuous functionality to be accessed over HTTP. In practice, this approach is prone to flaws that can expose sensitive information or functionality to third parties. In this work, we conduct an in-depth assessment of a diverse set of major websites and explore what functionality and information is exposed to attackers that have hijacked a user's HTTP cookies. We identify a recurring pattern across websites with partially deployed HTTPS: service personalization inadvertently results in the exposure of private information. The separation of functionality across multiple cookies with different scopes and inter-dependencies further complicates matters, as imprecise access control renders restricted account functionality accessible to non-session cookies. Our cookie hijacking study reveals a number of severe flaws: attackers can obtain the user's home and work address and visited websites from Google; Bing and Baidu expose the user's complete search history; and Yahoo allows attackers to extract the contact list and send emails from the user's account. Furthermore, e-commerce vendors such as Amazon and Ebay expose the user's purchase history (partial and full respectively), and almost every website exposes the user's name and email address. Ad networks like Doubleclick can also reveal pages the user has visited. To fully evaluate the practicality and extent of cookie hijacking, we explore multiple aspects of the online ecosystem, including mobile apps, browser security mechanisms, extensions and search bars.
To estimate the extent of the threat, we run IRB-approved measurements on a subset of our university's public wireless network for 30 days, and detect over 282K accounts exposing the cookies required for our hijacking attacks. We also explore how users can protect themselves and find that, while mechanisms such as the EFF's HTTPS Everywhere extension can reduce the attack surface, HTTP cookies are still regularly exposed. The privacy implications of these attacks become even more alarming when considering how they can be used to deanonymize Tor users. Our measurements suggest that a significant portion of Tor users may currently be vulnerable to cookie hijacking.
(Source: Black Hat USA 2016, Las Vegas)
Top 10 Web Hacks
Every year the number and creativity of Web hacks increases, and the damage from these attacks rises exponentially, costing organizations millions every year.
Join this webinar to learn about the latest and most insidious Web-based attacks. The much anticipated list, now in its seventh year, represents exhaustive research conducted by a panel of experienced security industry professionals. Learn the latest of the worst in Web hacks, and how to protect your organization.
This document provides an overview and configuration instructions for F5 Networks' DDoS protection profile. It describes how the profile monitors traffic levels and latency to detect anomalies indicative of DDoS attacks. Upon detection, it can activate prevention policies like client-side integrity checks, CAPTCHAs, and request blocking to mitigate attacks. The profile analyzes traffic at the IP, geolocation, URL, and site-wide levels to determine the appropriate prevention response. It also details how the Proactive Bot Defense feature works to proactively challenge all clients.
This document discusses various topics related to web security, including:
- Cross-site scripting (XSS) which occurs when untrusted user inputs containing scripts are displayed on a webpage without sanitization, allowing attackers to execute scripts in a victim's browser.
- Cross-site request forgery (CSRF) which takes advantage of browsers automatically sending cookies for a website to that website, allowing an attacker to forge requests from a logged in user's browser without their knowledge.
- The same-origin policy which aims to isolate scripts and resources from different web origins to prevent malicious scripts from accessing data from other sites, but has limitations.
- Other topics covered include cookies, HTTP protocol, web authentication, and defenses
This document discusses various topics related to web security, including:
- Cross-site scripting (XSS) which occurs when untrusted user inputs containing scripts are displayed on a webpage without sanitization, allowing attackers to execute scripts in a victim's browser.
- Cross-site request forgery (CSRF) which takes advantage of browsers automatically sending cookies for a website to that website, allowing an attacker to forge requests from a logged in user's browser without their knowledge.
- The same-origin policy which aims to isolate scripts and resources from different web origins to prevent unauthorized access, but has limitations that can be exploited by XSS attacks.
- Methods for preventing XSS like sanitizing untrusted inputs
1) HTTP headers can be used to secure web applications from common attacks like cross-site scripting and clickjacking. Content Security Policy, X-Frame-Options, and HTTP Strict Transport Security are some useful security headers.
2) Content Security Policy allows specifying whitelist sources for things like scripts, stylesheets, and images to load from to prevent XSS. X-Frame-Options prevents clickjacking by not displaying pages within frames. HTTP Strict Transport Security forces HTTPS usage to prevent SSL stripping attacks.
3) Other useful headers include setting secure and HttpOnly flags on cookies to prevent session hijacking, and using X-Content-Type-Options to prevent MIME type sniffing in Internet Explorer. Adding these security
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eric Vanderburg, Director of Information Systems and Security at JurInnov, presents "Eradicate the Bots in the Belfry" at the Information Security Summit.
This document discusses various web application attacks including session hijacking, code injection, cross-site scripting (XSS), pharming, and URL spoofing. It provides details on how each attack works, examples, and potential defenses. Session hijacking involves stealing valid session IDs to take over user sessions. Code injection involves introducing malicious code via data inputs. XSS involves injecting client-side scripts to bypass access controls. Pharming and URL spoofing involve redirecting users to fake websites to steal login credentials.
Many notable and new web hacking techniques, discoveries and compromises were uncovered in 2008. During his session, he will cover the top 10 vulnerabilities present in 2008, as well as some of the prevalent security issues emerging in 2009. Attendees will virtually be able to walk through the vulnerabilities appearing on today's corporate websites, learning real-world solutions to today's web application security issues.
Moderator: Mike Stephenson, SC lab manager, SC Magazine
- Jeremiah Grossman, founder and chief technology officer, WhiteHat Security
Similar to MITM Attacks on HTTPS: Another Perspective (20)
Discover the benefits of outsourcing SEO to India - davidjhones387
Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
Instagram has become one of the most popular social media platforms, allowing people to share photos, videos, and stories with their followers. Sometimes, though, you might want to view someone's story without them knowing.
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf - Florence Consulting
Fourteenth Milan Meetup, held in Milan on 23 May 2024 from 17:00 to 18:30, in person and remotely.
We talked about how Axpo Italia S.p.A. reduced its technical debt by migrating its APIs from Mule 3.9 to Mule 4.4, also moving from on-premises to CloudHub 1.0.
Understanding User Behavior with Google Analytics.pdf - SEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.