SlideShare a Scribd company logo

Owasp AppSecEU 2015 - BeEF Session

B
Bart Leppens

Bart Leppens gave a presentation on the Browser Exploitation Framework (BeEF). He discussed BeEF's architecture, how it hooks browsers, its module and extension system, and live demonstrations of information gathering, exploitation, and using BeEF with Metasploit. He also covered topics like inter-protocol communication, exploiting protocols like ActiveFax, and porting BeEF bind shellcode to Linux. The talk provided an overview of BeEF's capabilities and real-world attack scenarios.

Software
1 of 71
Download to read offline
OWASP AppSecEU 2015 Bart Leppens
whoami Bart Leppens ● BeEF developer (since may 2012) ● Ported BeEF Bind shellcode to Linux ● Smashing the stack for FUN @bmantra In
Disclaimer ● The views and opinions expressed here are my own and do not necessarily represent those of my employer ● My employer has absolutely nothing to do with anything related to BeEF ● I’m not speaking in the representation of my company
What the talk? ● BeEF: Browser Exploitation Framework ○ architecture ○ modules ○ extensions ● … live demos and videos
BeEF: Browser Exploitation Framework ● Professional security tool ● Focus on client side attack vectors ● Real attack scenarios ● v1.0 by Wade Alcorn http://beefproject.comhttps://github.com/beefproject/beef
BeEF: Live CD ● https://github. com/beefproject/beef/wiki/BeEF- Live-CD ● Ubuntu 12.04 LTS ● Ruby 1.9.3p194 ● Metasploit and sqlmap
BeEF: Architecture
BeEF: Hook a Browser Inject the javascript hook to the DOM ● Cross-site Scripting ● MiTM ● Controlling DNS ● Social Engineering ● … be creative ;)
BeEF: Polling ● Once the browser is hooked, the browser will ‘poll’ BeEF for new JavaScript payloads to execute ● When a payload is found, the browser will execute it
BeEF: A Whole Lot Of Modules ● Many different purposes ○ Information gathering ○ Social Engineering ○ Network Discovery ○ ... ● Easy to extend with your own modules ● Complex scenarios with RestFul API http://beefproject.comhttps://github.com/beefproject/beef
BeEF: Module overview Each module contains 3 primary files: ● config.yaml => Configuration file ● module.rb => Ruby Module Code ● command.js =>JavaScript payload http://beefproject.comhttps://github.com/beefproject/beef
BeEF: config.yaml Provides basic information ● name of author ● category ● working browsers ● determines if module is enabled http://beefproject.comhttps://github.com/beefproject/beef
BeEF: module.rb Defines configurable options (self.options) Defines return result actions (post.execute) http://beefproject.comhttps://github.com/beefproject/beef
BeEF: command.js JavaScript payload template ● Supports eRuby variable substitution <%= @var %> ● Access to the JavaScript BeEF object beef.net.forge_request
BeEF: Sesame Magic Browser “Internal server vulnerabilities are sitting there bored and lonely” - Michele Orru` // ”ActiveFax, you look very bored” - Bart Leppens
BeEF: DEMO
BeEF: Skype iOS URI Scheme
BeEF: IoT
BeEF: GlassFish XSRF ● REST CSRF in GlassFish 3.1.1 (build 12) ● Bug FOUND by Roberto Suggi Liverani ● According to ORACLE the 3th most critical bug ever in SUN products ● Demo (fingerprint + exploit)
BeEF: CookieJar overflow ● JavaScript cannot modify HTTPOnly-cookies ● John Wilander overflowed the CookieJar ● Recreate those cookies ● Demo
BeEF: Autorun ● launch modules automatically on new hooked browsers ● edit config.yaml set autorun: true in each module ● limitation => used with default parameters
BeEF: RESTful API Scripting BeEF through HTTP/JSON requests ● token parameter must be always added to requests ● GET or POST ● Automate advanced attacks automatically
BeEF: RESTful API Authentication ● Post credentials to /api/admin/login ● return authentication token ● e.g. curl -H "Content-Type: application/json" -X POST -d '{"username":"beef", "password":"beef"}' http://127.0.0.1:3000/api/admin/login
BeEF: RESTful API Hooked Browsers ● GET to /api/hooks ● return online/offline hooked browsers ● e.g. curl http://127.0.0.1: 3000/api/hooks?token=[token]
BeEF: RESTful API Browser Details ● GET to /api/hooks/:session ● Information on the hooked browser ● e.g. curl http://127.0.0.1: 3000/api/hooks/[session]?token=[token]
BeEF: RESTful API List Command Modules ● GET to /api/modules ● e.g. curl http://127.0.0.1: 3000/api/modules?token=[token]
BeEF: RESTful API Informations on a specific module ● GET to /api/modules/:module_id ● e.g. curl http://127.0.0.1: 3000/api/modules/[module_id]?token= [token]
BeEF: RESTful API Launch a command on a specific browser ● POST to /api/modules/:session/:module_id ● e.g. curl -H "Content-Type: application/json; charset=UTF-8" -d '{"question":"wtf?"}' -X POST http://127. 0.0.1:3000/api/modules/[session]/ [module]?token=[token]
BeEF: RESTful API Return information about the command module previously executed ● GET to /api/modules/:session/:mod_id/: cmd_id ● e.g. curl http://127.0.0.1: 3000/api/modules/[session]/[module_id]/ [cmd_id]?token=[token]
BeEF: RESTful API A whole lot more: ● control BeEF DNS rules ● Access Logs ● ... Refer to the BeEF Wiki: https://github. com/beefproject/beef/wiki/BeEF-RESTful-API
BeEF: Console Console is a BeEF extension ● metasploit-like console ● should be enabled in the main config. yaml ● control hooked browsers
BeEF: Metasploit integration Console is a BeEF extension ● should be enabled in the main config. yaml ● should be configured in extentions/metasploit/ ● msfrpcd can be launched automatically from within BeEF :-)
IPC: Inter-Protocol Communication ● Initial research by Wade Alcorn in 2006/2007 ● “Tolerant” protocol implementation that does not drop the client connection after N errors ● A properly encoded POST request can be send to the target: ○ HTTP Headers are parsed as BAD COMMANDS ○ HTTP request body is parsed as VALID COMMANDS (or as SHELLCODE)
IPC: Limitations ● Some ports are banned by the Browser (e.g. 21,25,110,..) ● Content-Type: text/plain or multipart/form- data ● Doesn’t work well with binary protocols => often not that tolerant
IPC: ActiveFax Server ● Extended research done in 2013 by Michele Orru` & myself ● Widely used Fax solution ● Manual suggest port 3000 for RAW socket ● Protocol is very tolerant ● Commands are formatted as: @Fxxx data@
IPC: ActiveFax Server (example message) Sender...................... Bart Leppens, +1 11 112233-25 Recipient 1............... OWASP Belgium, Fax: 016 123456 Subject..................... IPC is cool Priority...................... Very High @F101 Bart Leppens@@F110 +1 11 112233-25@ @F201 OWASP Belgium@@F211 016 123456@ @F307 IPC is cool@ @F301 1@
IPC: ActiveFax Server (XHR) var xhr = new XMLHttpRequest(); var uri = "http://x.x.x.x:3000/"; xhr.open("POST", uri, true); xhr.setRequestHeader("Content-Type", "text/plain"); var post_body = "@F101 Bart Leppens@@F110 +1 11 112233- 25@@F201 OWASP Belgium@@F211 016 123456@@F307 IPC is cool@@F301 1@"; xhr.send(post_body);
IPC: ActiveFax Server (XHR) POST / HTTP/1.1 Host: 127.0.0.1:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Firefox/24.0 .. Content-Type: text/plain; charset=UTF-8 Cache-Control: no-cache @F101 Bart Leppens@@F110 +1 11 112233-25@@F201 OWASP Belgium@@F211 016 123456@@F307 IPC is cool@@F301 1@
IPC: ActiveFax Server (Demo)
IPC: ActiveFax Server (Time-out) The ActiveFax RAW socket takes 60 seconds to time-out. We can fix that! 2 seconds is more then enough to send a FAX over a LAN network: xhr = new XMLHttpRequest(); .. xhr.send(post_body); setTimeout(function(){xhr.abort()}, 2000);
IPC: ActiveFax Server (Faster Demo)
BeEF: NAT Pinning ● Samy Kamkar in 2010 ● Trick user to visit page ● Access port on internal network (via IPC) ● Connection Tracking must be enabled ● not only routers, IPTables with connection tracking works as well
BeEF: NAT Pinning
IPE: Inter-Protocol Exploitation ● Research by Wade Alcorn (extension of IPC) ● Extended research in 2012 by Michele Orru` ○ QualCOMM WorldMail IMAP 3.0 ● More research in 2013 by Michele & myself ○ ActiveFax Server
IPE: Inter-Protocol Exploitation ● Need to send binary data ○ sendAsBinary (FF, Chrome) ● Same restrictions: tolerance, blocked ports ● More restrictions: header space, bad chars
IPE: ActiveFax 5.01 RAW Server Exploit ● bug found by Craig Freyman ● @F506 crashes after 1024 bytes ● Many bad characters: ○ 0x00 -> 0x19 ○ 0x40 (@) ● PoC modified to use IPE
IPE: ActiveFax (Metasploit Reverse shell)
IPE: ActiveFax (Demo)
BeEF Bind Shellcode ● Shellcode written by Ty Miller (Win32) ● Allows communication from the browser to a shell ○ Commands are proxied back and forth through the browser to cmd.exe ○ Stage is delivered through the browser as well
BeEF Bind Shellcode: The Stager ● Stager listens on a specified port for HTTP requests ● Ignores HTTP headers and looks for the egg “cmd=” which marks the start of our 2nd stage (or any stage you like) ● Allocate executable memory + copy ● Jump into the stage shellcode
BeEF Bind Shellcode: The Stage ● Stage listens on a specified port for HTTP requests as well ● Ignores HTTP headers and looks for “cmd=” which marks the start of our command ● Requests are proxied back and forth from the browser to a “cmd.exe” childprocess ● Access-Control-Allow-Origin: *
BeEF Bind Shellcode: ● Ported to Linux x86 and Linux x64 ○ stager and stage ● Can also be used compiled with RCE vulns ● Metasploit modules are available for easily encoding and removal of bad characters
IPE: ActiveFax (BeEF Bind + BeEF)
IPE: ActiveFax (Demo)
Exploiting Webmail with XSS Cross-site Scripting ● most common vulnerability ● impact = underestimated ● mail = interesting target for attacker
CVE-2011-2937 Round-cube reflected Cross-site Scripting vulnerability ● found by Abyszko ● before 0.5.4 http://server/roundcube/?_mbox=<script> alert(document.cookie)</script> CVE score for this bug is 4.3 out of 10.
CVE-2014-0913 Lotus iNotes stored Cross-site Scripting vulnerability ● IBM iNotes and Domino 8.5.3 FP6 before IF2 and 9.0.1 before FP1 ● Inject arbitrary web script or HTML via an e- mail message CVE score for this bug is 4.3 out of 10.
CVE-2014-0913 Lotus iNotes telnet iNotesSMTPserver 25 HELO xss MAIL FROM: attacker@evil.com RCPT TO: poorvictim@good.com DATA MIME-Version: 1.0 FROM: ATTACKER <attacker@evil.com> TO: VICTIM <poorvictim@good.com> Subject: iNotes XSS vulnerable mail Content-Type: text/html <img style="display:none" src="x"/onerror="alert(1)">
Universal Cross-site Scripting and webmail ● Control every origin ● Execute arbitrary code ● Control all webmail clients => including Cloud based like gmail, yahoo mail, etc.
This is a myth: there ain’t no such thing ● Targeted mailbox attack ○ read mails ○ send mails ● Nesting and replication ○ Mailworm - Nduja by Rosario Valotta in 2007 ■ spreading across multiple webmail services ■ named after spicy italian sausage from Calabria, Italy
This is a myth: there ain’t no such thing ● DDoS of server ○ BeEF DOSer-module ○ also internal servers (via victims browser) ● DDoS of mailbox ○ multiple zombies sending mails to victim
This is a myth: there ain’t no such thing ● Sending spam ○ by email account of trusted user ● Download infection ○ attachment that seems to be sent from well-know user (=victim) ○ Replace attachment links in existing mails
This is a myth: there ain’t no such thing ● Modify existing “notes” ● Social Engineering attacks by mail ● Perform reset of passwords ● names.nsf in iNotes ● ….
This is a myth: there ain’t no such thing 4.3/10
DEMO
Tunneling Proxy Reverse HTTP Proxy ● hooked browser = exit point ● XHR requests or WebSockets ● limited to the hooked domain and security context of the victims browser
Tunneling Proxy Attack scenarios ● browsing hooked domain (security context of the victim browser) ● spidering hooked domain ● finding and exploiting SQLi with Burp Pro Scanner and sqlmap ● Video
BeEF: Video Videos ● TrixBox exploit ● WebCloner Massmailer ● uiabuse ● Distributed Blind SQLi ● ..
For those who can’t get enough ● Browser Hackers Handbook ○ 50% of revenues will be used for the BeEF project (testing infrastructure, etc..)
Thanks to ● OWASP ● The other BeEF guys ;) ● My wife for lending her laptop
Questions

Recommended

Browser exploit framework
Browser exploit frameworkBrowser exploit framework
Browser exploit frameworkPrashanth Sivarajan
 
Browser Exploitation Framework Tutorial
Browser Exploitation Framework TutorialBrowser Exploitation Framework Tutorial
Browser Exploitation Framework Tutorial
imlaurel2
 
Kali net hunter
Kali net hunterKali net hunter
Kali net hunter
Prashanth Sivarajan
 
BeEF
BeEFBeEF
BeEF
AlexandraLacatus
 
Magento and Continuous Integration - Damian Luszczymak
Magento and Continuous Integration - Damian LuszczymakMagento and Continuous Integration - Damian Luszczymak
Magento and Continuous Integration - Damian Luszczymak
Meet Magento Spain
 
Continuous Integration and Deployment Patterns for Magento
Continuous Integration and Deployment Patterns for MagentoContinuous Integration and Deployment Patterns for Magento
Continuous Integration and Deployment Patterns for Magento
AOE
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
Michele Orru
 
Continuous Integration @ MeetMagento Germany 2015
Continuous Integration @ MeetMagento Germany 2015Continuous Integration @ MeetMagento Germany 2015
Continuous Integration @ MeetMagento Germany 2015
Aleksey Razbakov
 

Recommended

Browser exploit framework
Browser exploit frameworkBrowser exploit framework
Browser exploit frameworkPrashanth Sivarajan
 
Browser Exploitation Framework Tutorial
Browser Exploitation Framework TutorialBrowser Exploitation Framework Tutorial
Browser Exploitation Framework Tutorial
imlaurel2
 
Kali net hunter
Kali net hunterKali net hunter
Kali net hunter
Prashanth Sivarajan
 
BeEF
BeEFBeEF
BeEF
AlexandraLacatus
 
Magento and Continuous Integration - Damian Luszczymak
Magento and Continuous Integration - Damian LuszczymakMagento and Continuous Integration - Damian Luszczymak
Magento and Continuous Integration - Damian Luszczymak
Meet Magento Spain
 
Continuous Integration and Deployment Patterns for Magento
Continuous Integration and Deployment Patterns for MagentoContinuous Integration and Deployment Patterns for Magento
Continuous Integration and Deployment Patterns for Magento
AOE
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
Michele Orru
 
Continuous Integration @ MeetMagento Germany 2015
Continuous Integration @ MeetMagento Germany 2015Continuous Integration @ MeetMagento Germany 2015
Continuous Integration @ MeetMagento Germany 2015
Aleksey Razbakov
 
Magento Testing on all fronts
Magento Testing on all frontsMagento Testing on all fronts
Magento Testing on all fronts
AOE
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacks
Roberto Suggi Liverani
 
Root via XSS
Root via XSSRoot via XSS
Root via XSSPositive Hack Days
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012
Roberto Suggi Liverani
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Michele Orru
 
Rock-solid Magento Deployments (and Development)
Rock-solid Magento Deployments (and Development)Rock-solid Magento Deployments (and Development)
Rock-solid Magento Deployments (and Development)
AOE
 
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat Security Conference
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
Roberto Suggi Liverani
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawEC-Council
 
Anatomy of PHP Shells
Anatomy of PHP ShellsAnatomy of PHP Shells
Anatomy of PHP Shells
Vedran Krivokuca
 
Multithreaded XML Import (San Francisco Magento Meetup)
Multithreaded XML Import (San Francisco Magento Meetup)Multithreaded XML Import (San Francisco Magento Meetup)
Multithreaded XML Import (San Francisco Magento Meetup)
AOE
 
Continuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and PatternsContinuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and Patterns
AOE
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
How Vorlon.js helps you debug your web projects
How Vorlon.js helps you debug your web projectsHow Vorlon.js helps you debug your web projects
How Vorlon.js helps you debug your web projects
Etienne Margraff
 
Flashack
FlashackFlashack
Flashack
n|u - The Open Security Community
 
Playing in the SharePoint SandBox
Playing in the SharePoint SandBoxPlaying in the SharePoint SandBox
Playing in the SharePoint SandBoxToni Frankola
 
Web browsers
Web browsersWeb browsers
Web browserstorosalgado
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 
Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014
n|u - The Open Security Community
 
Android Tamer BH USA 2016 : Arsenal Presentation
Android Tamer BH USA 2016 : Arsenal PresentationAndroid Tamer BH USA 2016 : Arsenal Presentation
Android Tamer BH USA 2016 : Arsenal Presentation
Anant Shrivastava
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012_mr_me
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)
__x86
 

More Related Content

What's hot

Magento Testing on all fronts
Magento Testing on all frontsMagento Testing on all fronts
Magento Testing on all fronts
AOE
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacks
Roberto Suggi Liverani
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012
Roberto Suggi Liverani
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Michele Orru
 
Rock-solid Magento Deployments (and Development)
Rock-solid Magento Deployments (and Development)Rock-solid Magento Deployments (and Development)
Rock-solid Magento Deployments (and Development)
AOE
 
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat Security Conference
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
Roberto Suggi Liverani
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawEC-Council
 
Anatomy of PHP Shells
Anatomy of PHP ShellsAnatomy of PHP Shells
Anatomy of PHP Shells
Vedran Krivokuca
 
Multithreaded XML Import (San Francisco Magento Meetup)
Multithreaded XML Import (San Francisco Magento Meetup)Multithreaded XML Import (San Francisco Magento Meetup)
Multithreaded XML Import (San Francisco Magento Meetup)
AOE
 
Continuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and PatternsContinuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and Patterns
AOE
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
How Vorlon.js helps you debug your web projects
How Vorlon.js helps you debug your web projectsHow Vorlon.js helps you debug your web projects
How Vorlon.js helps you debug your web projects
Etienne Margraff
 
Flashack
FlashackFlashack
Flashack
n|u - The Open Security Community
 
Playing in the SharePoint SandBox
Playing in the SharePoint SandBoxPlaying in the SharePoint SandBox
Playing in the SharePoint SandBoxToni Frankola
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 
Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014
n|u - The Open Security Community
 
Android Tamer BH USA 2016 : Arsenal Presentation
Android Tamer BH USA 2016 : Arsenal PresentationAndroid Tamer BH USA 2016 : Arsenal Presentation
Android Tamer BH USA 2016 : Arsenal Presentation
Anant Shrivastava
 

What's hot (20)

Magento Testing on all fronts
Magento Testing on all frontsMagento Testing on all fronts
Magento Testing on all fronts
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacks
 
Root via XSS
Root via XSSRoot via XSS
Root via XSS
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012
 
Rock-solid Magento Deployments (and Development)
Rock-solid Magento Deployments (and Development)Rock-solid Magento Deployments (and Development)
Rock-solid Magento Deployments (and Development)
 
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
 
Anatomy of PHP Shells
Anatomy of PHP ShellsAnatomy of PHP Shells
Anatomy of PHP Shells
 
Multithreaded XML Import (San Francisco Magento Meetup)
Multithreaded XML Import (San Francisco Magento Meetup)Multithreaded XML Import (San Francisco Magento Meetup)
Multithreaded XML Import (San Francisco Magento Meetup)
 
Continuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and PatternsContinuous Development and Deployment: Workflows and Patterns
Continuous Development and Deployment: Workflows and Patterns
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
 
How Vorlon.js helps you debug your web projects
How Vorlon.js helps you debug your web projectsHow Vorlon.js helps you debug your web projects
How Vorlon.js helps you debug your web projects
 
Flashack
FlashackFlashack
Flashack
 
Playing in the SharePoint SandBox
Playing in the SharePoint SandBoxPlaying in the SharePoint SandBox
Playing in the SharePoint SandBox
 
Web browsers
Web browsersWeb browsers
Web browsers
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014
 
Android Tamer BH USA 2016 : Arsenal Presentation
Android Tamer BH USA 2016 : Arsenal PresentationAndroid Tamer BH USA 2016 : Arsenal Presentation
Android Tamer BH USA 2016 : Arsenal Presentation
 

Viewers also liked

How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012_mr_me
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)
__x86
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator
_mr_me
 
[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java
Moabi.com
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
Peter Hlavaty
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platformskosborn
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit Creation
Ken Belva
 
SSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAPSSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAP
ERPScan
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
Yurii Bilyk
 
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Lionel Briand
 
libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreath
CODE BLUE
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
Ivan Novikov
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect Xss
Ferruh Mavituna
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
CODE BLUE
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
Mikhail Egorov
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Mario Heiderich
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 

Viewers also liked (20)

How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator
 
[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platforms
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit Creation
 
SSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAPSSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAP
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
 
libinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreath
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect Xss
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 

Similar to Owasp AppSecEU 2015 - BeEF Session

If You Tolerate This, Your Child Processes Will Be Next
If You Tolerate This, Your Child Processes Will Be NextIf You Tolerate This, Your Child Processes Will Be Next
If You Tolerate This, Your Child Processes Will Be Next
Bart Leppens
 
(phpconftw2012) PHP as a Middleware in Embedded Systems
(phpconftw2012) PHP as a Middleware in Embedded Systems(phpconftw2012) PHP as a Middleware in Embedded Systems
(phpconftw2012) PHP as a Middleware in Embedded Systems
sosorry
 
How to build a tool for operating Flink on Kubernetes
How to build a tool for operating Flink on KubernetesHow to build a tool for operating Flink on Kubernetes
How to build a tool for operating Flink on Kubernetes
AndreaMedeghini
 
Local development environment evolution
Local development environment evolutionLocal development environment evolution
Local development environment evolution
Wise Engineering
 
Monkey Server
Monkey ServerMonkey Server
Monkey Server
Eduardo Silva Pereira
 
Php Inside - confoo 2011 - Derick Rethans
Php Inside - confoo 2011 - Derick RethansPhp Inside - confoo 2011 - Derick Rethans
Php Inside - confoo 2011 - Derick RethansBachkoutou Toutou
 
Road to sbt 1.0 paved with server
Road to sbt 1.0 paved with serverRoad to sbt 1.0 paved with server
Road to sbt 1.0 paved with server
Eugene Yokota
 
Import golang; struct microservice
Import golang; struct microserviceImport golang; struct microservice
Import golang; struct microservice
Giulio De Donato
 
Odo improving the developer experience on OpenShift - hack &amp; sangria
Odo improving the developer experience on OpenShift - hack &amp; sangriaOdo improving the developer experience on OpenShift - hack &amp; sangria
Odo improving the developer experience on OpenShift - hack &amp; sangria
Jorge Morales
 
JS digest. October 2017
JS digest. October 2017 JS digest. October 2017
JS digest. October 2017
ElifTech
 
Road to sbt 1.0: Paved with server (2015 Amsterdam)
Road to sbt 1.0: Paved with server (2015 Amsterdam)Road to sbt 1.0: Paved with server (2015 Amsterdam)
Road to sbt 1.0: Paved with server (2015 Amsterdam)
Eugene Yokota
 
TechWiseTV Workshop: Catalyst Switching Programmability
TechWiseTV Workshop: Catalyst Switching ProgrammabilityTechWiseTV Workshop: Catalyst Switching Programmability
TechWiseTV Workshop: Catalyst Switching Programmability
Robb Boyd
 
Readactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory DisclosureReadactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory Disclosure
ch0psticks
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
Felipe Prado
 
Deep Dive Azure Functions - Global Azure Bootcamp 2019
Deep Dive Azure Functions - Global Azure Bootcamp 2019Deep Dive Azure Functions - Global Azure Bootcamp 2019
Deep Dive Azure Functions - Global Azure Bootcamp 2019
Andrea Tosato
 
Finding and exploiting novel flaws in Java software (SyScan 2015)
Finding and exploiting novel flaws in Java software (SyScan 2015)Finding and exploiting novel flaws in Java software (SyScan 2015)
Finding and exploiting novel flaws in Java software (SyScan 2015)
David Jorm
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops way
Anne Nicolas
 
ESIGate dev meeting #4 21-11-2013
ESIGate dev meeting #4 21-11-2013ESIGate dev meeting #4 21-11-2013
ESIGate dev meeting #4 21-11-2013
François-Xavier Bonnet
 
Cape Cod Web Technology Meetup - 3
Cape Cod Web Technology Meetup - 3Cape Cod Web Technology Meetup - 3
Cape Cod Web Technology Meetup - 3
Asher Martin
 
JavaOne 2015 : How I Rediscovered My Coding Mojo by Building an IoT/Robotics ...
JavaOne 2015 : How I Rediscovered My Coding Mojo by Building an IoT/Robotics ...JavaOne 2015 : How I Rediscovered My Coding Mojo by Building an IoT/Robotics ...
JavaOne 2015 : How I Rediscovered My Coding Mojo by Building an IoT/Robotics ...
Mark West
 

Similar to Owasp AppSecEU 2015 - BeEF Session (20)

If You Tolerate This, Your Child Processes Will Be Next
If You Tolerate This, Your Child Processes Will Be NextIf You Tolerate This, Your Child Processes Will Be Next
If You Tolerate This, Your Child Processes Will Be Next
 
(phpconftw2012) PHP as a Middleware in Embedded Systems
(phpconftw2012) PHP as a Middleware in Embedded Systems(phpconftw2012) PHP as a Middleware in Embedded Systems
(phpconftw2012) PHP as a Middleware in Embedded Systems
 
How to build a tool for operating Flink on Kubernetes
How to build a tool for operating Flink on KubernetesHow to build a tool for operating Flink on Kubernetes
How to build a tool for operating Flink on Kubernetes
 
Local development environment evolution
Local development environment evolutionLocal development environment evolution
Local development environment evolution
 
Monkey Server
Monkey ServerMonkey Server
Monkey Server
 
Php Inside - confoo 2011 - Derick Rethans
Php Inside - confoo 2011 - Derick RethansPhp Inside - confoo 2011 - Derick Rethans
Php Inside - confoo 2011 - Derick Rethans
 
Road to sbt 1.0 paved with server
Road to sbt 1.0 paved with serverRoad to sbt 1.0 paved with server
Road to sbt 1.0 paved with server
 
Import golang; struct microservice
Import golang; struct microserviceImport golang; struct microservice
Import golang; struct microservice
 
Odo improving the developer experience on OpenShift - hack &amp; sangria
Odo improving the developer experience on OpenShift - hack &amp; sangriaOdo improving the developer experience on OpenShift - hack &amp; sangria
Odo improving the developer experience on OpenShift - hack &amp; sangria
 
JS digest. October 2017
JS digest. October 2017 JS digest. October 2017
JS digest. October 2017
 
Road to sbt 1.0: Paved with server (2015 Amsterdam)
Road to sbt 1.0: Paved with server (2015 Amsterdam)Road to sbt 1.0: Paved with server (2015 Amsterdam)
Road to sbt 1.0: Paved with server (2015 Amsterdam)
 
TechWiseTV Workshop: Catalyst Switching Programmability
TechWiseTV Workshop: Catalyst Switching ProgrammabilityTechWiseTV Workshop: Catalyst Switching Programmability
TechWiseTV Workshop: Catalyst Switching Programmability
 
Readactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory DisclosureReadactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory Disclosure
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Deep Dive Azure Functions - Global Azure Bootcamp 2019
Deep Dive Azure Functions - Global Azure Bootcamp 2019Deep Dive Azure Functions - Global Azure Bootcamp 2019
Deep Dive Azure Functions - Global Azure Bootcamp 2019
 
Finding and exploiting novel flaws in Java software (SyScan 2015)
Finding and exploiting novel flaws in Java software (SyScan 2015)Finding and exploiting novel flaws in Java software (SyScan 2015)
Finding and exploiting novel flaws in Java software (SyScan 2015)
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops way
 
ESIGate dev meeting #4 21-11-2013
ESIGate dev meeting #4 21-11-2013ESIGate dev meeting #4 21-11-2013
ESIGate dev meeting #4 21-11-2013
 
Cape Cod Web Technology Meetup - 3
Cape Cod Web Technology Meetup - 3Cape Cod Web Technology Meetup - 3
Cape Cod Web Technology Meetup - 3
 
JavaOne 2015 : How I Rediscovered My Coding Mojo by Building an IoT/Robotics ...
JavaOne 2015 : How I Rediscovered My Coding Mojo by Building an IoT/Robotics ...JavaOne 2015 : How I Rediscovered My Coding Mojo by Building an IoT/Robotics ...
JavaOne 2015 : How I Rediscovered My Coding Mojo by Building an IoT/Robotics ...
 

Recently uploaded

Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Natan Silnitsky
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
kalichargn70th171
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
WSO2
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
Globus
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Globus
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Shahin Sheidaei
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
rickgrimesss22
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
Cyanic lab
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
takuyayamamoto1800
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
Adele Miller
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
vrstrong314
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
XfilesPro
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
Ortus Solutions, Corp
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
Tendenci - The Open Source AMS (Association Management Software)
 

Recently uploaded (20)

Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 

Owasp AppSecEU 2015 - BeEF Session

  • 2. whoami Bart Leppens ● BeEF developer (since may 2012) ● Ported BeEF Bind shellcode to Linux ● Smashing the stack for FUN @bmantra In
  • 3. Disclaimer ● The views and opinions expressed here are my own and do not necessarily represent those of my employer ● My employer has absolutely nothing to do with anything related to BeEF ● I’m not speaking in the representation of my company
  • 4. What the talk? ● BeEF: Browser Exploitation Framework ○ architecture ○ modules ○ extensions ● … live demos and videos
  • 5. BeEF: Browser Exploitation Framework ● Professional security tool ● Focus on client side attack vectors ● Real attack scenarios ● v1.0 by Wade Alcorn http://beefproject.comhttps://github.com/beefproject/beef
  • 6. BeEF: Live CD ● https://github. com/beefproject/beef/wiki/BeEF- Live-CD ● Ubuntu 12.04 LTS ● Ruby 1.9.3p194 ● Metasploit and sqlmap
  • 8. BeEF: Hook a Browser Inject the javascript hook to the DOM ● Cross-site Scripting ● MiTM ● Controlling DNS ● Social Engineering ● … be creative ;)
  • 9. BeEF: Polling ● Once the browser is hooked, the browser will ‘poll’ BeEF for new JavaScript payloads to execute ● When a payload is found, the browser will execute it
  • 10. BeEF: A Whole Lot Of Modules ● Many different purposes ○ Information gathering ○ Social Engineering ○ Network Discovery ○ ... ● Easy to extend with your own modules ● Complex scenarios with RestFul API http://beefproject.comhttps://github.com/beefproject/beef
  • 11. BeEF: Module overview Each module contains 3 primary files: ● config.yaml => Configuration file ● module.rb => Ruby Module Code ● command.js =>JavaScript payload http://beefproject.comhttps://github.com/beefproject/beef
  • 12. BeEF: config.yaml Provides basic information ● name of author ● category ● working browsers ● determines if module is enabled http://beefproject.comhttps://github.com/beefproject/beef
  • 13. BeEF: module.rb Defines configurable options (self.options) Defines return result actions (post.execute) http://beefproject.comhttps://github.com/beefproject/beef
  • 14. BeEF: command.js JavaScript payload template ● Supports eRuby variable substitution <%= @var %> ● Access to the JavaScript BeEF object beef.net.forge_request
  • 15. BeEF: Sesame Magic Browser “Internal server vulnerabilities are sitting there bored and lonely” - Michele Orru` // ”ActiveFax, you look very bored” - Bart Leppens
  • 17. BeEF: Skype iOS URI Scheme
  • 19. BeEF: GlassFish XSRF ● REST CSRF in GlassFish 3.1.1 (build 12) ● Bug FOUND by Roberto Suggi Liverani ● According to ORACLE the 3th most critical bug ever in SUN products ● Demo (fingerprint + exploit)
  • 20. BeEF: CookieJar overflow ● JavaScript cannot modify HTTPOnly-cookies ● John Wilander overflowed the CookieJar ● Recreate those cookies ● Demo
  • 21. BeEF: Autorun ● launch modules automatically on new hooked browsers ● edit config.yaml set autorun: true in each module ● limitation => used with default parameters
  • 22. BeEF: RESTful API Scripting BeEF through HTTP/JSON requests ● token parameter must be always added to requests ● GET or POST ● Automate advanced attacks automatically
  • 23. BeEF: RESTful API Authentication ● Post credentials to /api/admin/login ● return authentication token ● e.g. curl -H "Content-Type: application/json" -X POST -d '{"username":"beef", "password":"beef"}' http://127.0.0.1:3000/api/admin/login
  • 24. BeEF: RESTful API Hooked Browsers ● GET to /api/hooks ● return online/offline hooked browsers ● e.g. curl http://127.0.0.1: 3000/api/hooks?token=[token]
  • 25. BeEF: RESTful API Browser Details ● GET to /api/hooks/:session ● Information on the hooked browser ● e.g. curl http://127.0.0.1: 3000/api/hooks/[session]?token=[token]
  • 26. BeEF: RESTful API List Command Modules ● GET to /api/modules ● e.g. curl http://127.0.0.1: 3000/api/modules?token=[token]
  • 27. BeEF: RESTful API Informations on a specific module ● GET to /api/modules/:module_id ● e.g. curl http://127.0.0.1: 3000/api/modules/[module_id]?token= [token]
  • 28. BeEF: RESTful API Launch a command on a specific browser ● POST to /api/modules/:session/:module_id ● e.g. curl -H "Content-Type: application/json; charset=UTF-8" -d '{"question":"wtf?"}' -X POST http://127. 0.0.1:3000/api/modules/[session]/ [module]?token=[token]
  • 29. BeEF: RESTful API Return information about the command module previously executed ● GET to /api/modules/:session/:mod_id/: cmd_id ● e.g. curl http://127.0.0.1: 3000/api/modules/[session]/[module_id]/ [cmd_id]?token=[token]
  • 30. BeEF: RESTful API A whole lot more: ● control BeEF DNS rules ● Access Logs ● ... Refer to the BeEF Wiki: https://github. com/beefproject/beef/wiki/BeEF-RESTful-API
  • 31. BeEF: Console Console is a BeEF extension ● metasploit-like console ● should be enabled in the main config. yaml ● control hooked browsers
  • 32. BeEF: Metasploit integration Console is a BeEF extension ● should be enabled in the main config. yaml ● should be configured in extentions/metasploit/ ● msfrpcd can be launched automatically from within BeEF :-)
  • 33. IPC: Inter-Protocol Communication ● Initial research by Wade Alcorn in 2006/2007 ● “Tolerant” protocol implementation that does not drop the client connection after N errors ● A properly encoded POST request can be send to the target: ○ HTTP Headers are parsed as BAD COMMANDS ○ HTTP request body is parsed as VALID COMMANDS (or as SHELLCODE)
  • 34. IPC: Limitations ● Some ports are banned by the Browser (e.g. 21,25,110,..) ● Content-Type: text/plain or multipart/form- data ● Doesn’t work well with binary protocols => often not that tolerant
  • 35. IPC: ActiveFax Server ● Extended research done in 2013 by Michele Orru` & myself ● Widely used Fax solution ● Manual suggest port 3000 for RAW socket ● Protocol is very tolerant ● Commands are formatted as: @Fxxx data@
  • 36. IPC: ActiveFax Server (example message) Sender...................... Bart Leppens, +1 11 112233-25 Recipient 1............... OWASP Belgium, Fax: 016 123456 Subject..................... IPC is cool Priority...................... Very High @F101 Bart Leppens@@F110 +1 11 112233-25@ @F201 OWASP Belgium@@F211 016 123456@ @F307 IPC is cool@ @F301 1@
  • 37. IPC: ActiveFax Server (XHR) var xhr = new XMLHttpRequest(); var uri = "http://x.x.x.x:3000/"; xhr.open("POST", uri, true); xhr.setRequestHeader("Content-Type", "text/plain"); var post_body = "@F101 Bart Leppens@@F110 +1 11 112233- 25@@F201 OWASP Belgium@@F211 016 123456@@F307 IPC is cool@@F301 1@"; xhr.send(post_body);
  • 38. IPC: ActiveFax Server (XHR) POST / HTTP/1.1 Host: 127.0.0.1:3000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Firefox/24.0 .. Content-Type: text/plain; charset=UTF-8 Cache-Control: no-cache @F101 Bart Leppens@@F110 +1 11 112233-25@@F201 OWASP Belgium@@F211 016 123456@@F307 IPC is cool@@F301 1@
  • 40. IPC: ActiveFax Server (Time-out) The ActiveFax RAW socket takes 60 seconds to time-out. We can fix that! 2 seconds is more then enough to send a FAX over a LAN network: xhr = new XMLHttpRequest(); .. xhr.send(post_body); setTimeout(function(){xhr.abort()}, 2000);
  • 41. IPC: ActiveFax Server (Faster Demo)
  • 42. BeEF: NAT Pinning ● Samy Kamkar in 2010 ● Trick user to visit page ● Access port on internal network (via IPC) ● Connection Tracking must be enabled ● not only routers, IPTables with connection tracking works as well
  • 44. IPE: Inter-Protocol Exploitation ● Research by Wade Alcorn (extension of IPC) ● Extended research in 2012 by Michele Orru` ○ QualCOMM WorldMail IMAP 3.0 ● More research in 2013 by Michele & myself ○ ActiveFax Server
  • 45. IPE: Inter-Protocol Exploitation ● Need to send binary data ○ sendAsBinary (FF, Chrome) ● Same restrictions: tolerance, blocked ports ● More restrictions: header space, bad chars
  • 46. IPE: ActiveFax 5.01 RAW Server Exploit ● bug found by Craig Freyman ● @F506 crashes after 1024 bytes ● Many bad characters: ○ 0x00 -> 0x19 ○ 0x40 (@) ● PoC modified to use IPE
  • 47. IPE: ActiveFax (Metasploit Reverse shell)
  • 49. BeEF Bind Shellcode ● Shellcode written by Ty Miller (Win32) ● Allows communication from the browser to a shell ○ Commands are proxied back and forth through the browser to cmd.exe ○ Stage is delivered through the browser as well
  • 50. BeEF Bind Shellcode: The Stager ● Stager listens on a specified port for HTTP requests ● Ignores HTTP headers and looks for the egg “cmd=” which marks the start of our 2nd stage (or any stage you like) ● Allocate executable memory + copy ● Jump into the stage shellcode
  • 51. BeEF Bind Shellcode: The Stage ● Stage listens on a specified port for HTTP requests as well ● Ignores HTTP headers and looks for “cmd=” which marks the start of our command ● Requests are proxied back and forth from the browser to a “cmd.exe” childprocess ● Access-Control-Allow-Origin: *
  • 52. BeEF Bind Shellcode: ● Ported to Linux x86 and Linux x64 ○ stager and stage ● Can also be used compiled with RCE vulns ● Metasploit modules are available for easily encoding and removal of bad characters
  • 53. IPE: ActiveFax (BeEF Bind + BeEF)
  • 55. Exploiting Webmail with XSS Cross-site Scripting ● most common vulnerability ● impact = underestimated ● mail = interesting target for attacker
  • 56. CVE-2011-2937 Round-cube reflected Cross-site Scripting vulnerability ● found by Abyszko ● before 0.5.4 http://server/roundcube/?_mbox=<script> alert(document.cookie)</script> CVE score for this bug is 4.3 out of 10.
  • 57. CVE-2014-0913 Lotus iNotes stored Cross-site Scripting vulnerability ● IBM iNotes and Domino 8.5.3 FP6 before IF2 and 9.0.1 before FP1 ● Inject arbitrary web script or HTML via an e- mail message CVE score for this bug is 4.3 out of 10.
  • 58. CVE-2014-0913 Lotus iNotes telnet iNotesSMTPserver 25 HELO xss MAIL FROM: attacker@evil.com RCPT TO: poorvictim@good.com DATA MIME-Version: 1.0 FROM: ATTACKER <attacker@evil.com> TO: VICTIM <poorvictim@good.com> Subject: iNotes XSS vulnerable mail Content-Type: text/html <img style="display:none" src="x"/onerror="alert(1)">
  • 59. Universal Cross-site Scripting and webmail ● Control every origin ● Execute arbitrary code ● Control all webmail clients => including Cloud based like gmail, yahoo mail, etc.
  • 60. This is a myth: there ain’t no such thing ● Targeted mailbox attack ○ read mails ○ send mails ● Nesting and replication ○ Mailworm - Nduja by Rosario Valotta in 2007 ■ spreading across multiple webmail services ■ named after spicy italian sausage from Calabria, Italy
  • 61. This is a myth: there ain’t no such thing ● DDoS of server ○ BeEF DOSer-module ○ also internal servers (via victims browser) ● DDoS of mailbox ○ multiple zombies sending mails to victim
  • 62. This is a myth: there ain’t no such thing ● Sending spam ○ by email account of trusted user ● Download infection ○ attachment that seems to be sent from well-know user (=victim) ○ Replace attachment links in existing mails
  • 63. This is a myth: there ain’t no such thing ● Modify existing “notes” ● Social Engineering attacks by mail ● Perform reset of passwords ● names.nsf in iNotes ● ….
  • 64. This is a myth: there ain’t no such thing 4.3/10
  • 65. DEMO
  • 66. Tunneling Proxy Reverse HTTP Proxy ● hooked browser = exit point ● XHR requests or WebSockets ● limited to the hooked domain and security context of the victims browser
  • 67. Tunneling Proxy Attack scenarios ● browsing hooked domain (security context of the victim browser) ● spidering hooked domain ● finding and exploiting SQLi with Burp Pro Scanner and sqlmap ● Video
  • 68. BeEF: Video Videos ● TrixBox exploit ● WebCloner Massmailer ● uiabuse ● Distributed Blind SQLi ● ..
  • 69. For those who can’t get enough ● Browser Hackers Handbook ○ 50% of revenues will be used for the BeEF project (testing infrastructure, etc..)
  • 70. Thanks to ● OWASP ● The other BeEF guys ;) ● My wife for lending her laptop