New attacks on web applications (Novos ataques em Aplicações Web)
www.estuarioti.com.br
@estuarioti

Rafael Silva
rafaelsilva@estuarioti.com.br
Agenda

- whoami
- OWASP Top 10
- Tools vs. skill set
- IFrames
- HTML5 hacking features
- Cursor hijack / click hijack
- HTTP Parameter Pollution
- HTTPOnly XSS bypass

$whoami

- OWASP member
- rfdslabs || TheBug Magazine
- FAB (Força Aérea Brasileira)
- C.E.S.A.R
- Tempest
- EstuárioTI
- @rfdslabs

OWASP Top 10

Tools vs. skill set

- Nessus, Acunetix, N-Stalker…
- Attacks and vulnerabilities: the scanner covers the injection classes, the tester has to cover the rest
- Automated scanners do not detect:
  - Session fixation
  - Privilege escalation (horizontal and vertical)
  - Logout weaknesses (session not invalidated server-side)
  - Logic flaws
  - Unauthenticated direct access
  - "Forgot my password" flows
  - …

IFRAMES

- Stealth: a zero-size, hidden or off-screen frame is invisible to the victim
- Delivers a browser exploit, a Java applet, an SWF…
- Inserts malicious JavaScript
- Stored XSS + IFRAME = chaos: every visitor of the injected page loads the attacker's frame
- Redirect defacement

DEMO 1

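The "stealth" point above is what a defender looks for when a page has been injected. The following is an added example, not code from the deck: a small static check that flags `<iframe>` tags hidden the way drive-by and stored-XSS injections hide them (zero or 1px size, `display:none`, off-screen positioning, `opacity:0`). The sample page is constructed for illustration; it runs under Node.js without a DOM library.

```javascript
// Added example, not from the original deck: a static check for <iframe>
// tags hidden the way a drive-by or stored-XSS injection hides them.
// Runs under Node.js; SAMPLE_HTML is constructed for illustration.

function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z_:][\w:.-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : "";
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

function parseStyle(style) {
  const decls = {};
  for (const part of style.split(";")) {
    const i = part.indexOf(":");
    if (i < 0) continue;
    decls[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim().toLowerCase();
  }
  return decls;
}

function numberOf(v) {
  const n = parseFloat(String(v));
  return Number.isNaN(n) ? null : n;
}

// Heuristics for "the user cannot see or click this frame".
function hiddenReasons(attrs) {
  const style = parseStyle(attrs.style || "");
  const reasons = [];
  const w = numberOf(attrs.width !== undefined ? attrs.width : style.width);
  const h = numberOf(attrs.height !== undefined ? attrs.height : style.height);
  if ((w !== null && w <= 1) || (h !== null && h <= 1)) reasons.push("tiny-or-zero-size");
  if (style.display === "none") reasons.push("display:none");
  if (style.visibility === "hidden") reasons.push("visibility:hidden");
  const left = numberOf(style.left), top = numberOf(style.top);
  if ((left !== null && left <= -100) || (top !== null && top <= -100)) reasons.push("off-screen");
  if (numberOf(style.opacity) === 0) reasons.push("opacity:0");
  if ("hidden" in attrs) reasons.push("hidden-attribute");
  return reasons;
}

// Returns every iframe in the HTML that trips at least one heuristic.
function findHiddenIframes(html) {
  const hits = [];
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    const reasons = hiddenReasons(attrs);
    if (reasons.length > 0) hits.push({ src: attrs.src || "", reasons });
  }
  return hits;
}

// Constructed page: one legitimate widget and three injected frames.
const SAMPLE_HTML = `
<html><body>
<h1>Welcome</h1>
<iframe src="https://partner.example/widget" width="300" height="200"></iframe>
<iframe src="http://evil.example/exploit.html" width=0 height=0 frameborder=0></iframe>
<iframe src="http://evil.example/applet.html" style="position:absolute; left:-9999px; top:-9999px"></iframe>
<IFRAME SRC='http://evil.example/swf.html' STYLE="display:none"></IFRAME>
</body></html>`;

const hiddenFrames = findHiddenIframes(SAMPLE_HTML); // three hits, the partner widget is not one of them
```

The check is a heuristic, not a parser: a frame can also be hidden by a stylesheet rule or by a parent element, so on a real incident it is a first pass over stored content, followed by a look at the `src` hosts it surfaces.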
HTML5 hacking features: Cross-Origin Resource Sharing

- Cross-domain AJAX
- With cookies: XMLHttpRequest sends the victim's session when withCredentials is set
- Blind: the request reaches the server even when the browser refuses to show the response
- Not limited to <form> syntax: any body a "simple" request allows; anything else is preflighted and only sent if the target approves it
- Used to trigger CSRF

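The "blind" and "used to trigger CSRF" bullets are about what the browser does before and after the CORS check. The following is an added example, not code from the deck: a Node.js model of the rules a browser applies to a credentialed cross-origin XMLHttpRequest (which requests are sent without preflight, when the response becomes readable), together with the server-side origin allowlist that is the correct way to answer. The origins `https://bank.example` and `https://attacker.example` and all headers are constructed.

```javascript
// Added example, not from the original deck: a Node.js model of the browser
// rules that let a credentialed cross-origin XMLHttpRequest act as a CSRF
// vector, and the server-side allowlist that keeps the response unreadable
// to foreign origins. Origins and headers are constructed for illustration.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);

function lowerKeys(obj) {
  const out = {};
  for (const [k, v] of Object.entries(obj)) out[k.toLowerCase()] = String(v);
  return out;
}

// A request header needs no preflight only if it is safelisted, and
// Content-Type only with one of the three form-style media types.
function isSafelisted(name, value) {
  if (!SAFELISTED_HEADERS.has(name)) return false;
  if (name !== "content-type") return true;
  return SIMPLE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
}

// "Simple" requests are sent straight away, cookies included when
// withCredentials is set; anything else is preflighted with OPTIONS first.
function isSimpleRequest(method, requestHeaders) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  return Object.entries(lowerKeys(requestHeaders)).every(([n, v]) => isSafelisted(n, v));
}

function splitList(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// What the attacker's page gets for a given target response. The server
// receives a simple request regardless of what it answers.
function evaluateCors({ origin, method, requestHeaders = {}, withCredentials = false, responseHeaders = {} }) {
  const req = lowerKeys(requestHeaders);
  const res = lowerKeys(responseHeaders);
  const acao = res["access-control-allow-origin"];
  const acac = (res["access-control-allow-credentials"] || "").toLowerCase() === "true";

  // The browser rejects "*" whenever credentials are in play; the exact
  // origin must be echoed and Allow-Credentials: true must be present.
  let originAllowed = acao === origin || (acao === "*" && !withCredentials);
  if (withCredentials && !acac) originAllowed = false;

  const simple = isSimpleRequest(method, req);
  const allowMethods = splitList(res["access-control-allow-methods"]).map((m) => m.toUpperCase());
  const allowHeaders = splitList(res["access-control-allow-headers"]).map((h) => h.toLowerCase());
  const preflightOk = originAllowed
    && (SIMPLE_METHODS.has(method.toUpperCase()) || allowMethods.includes(method.toUpperCase()))
    && Object.entries(req).every(([n, v]) => isSafelisted(n, v) || allowHeaders.includes(n));

  const reached = simple || preflightOk;
  return {
    preflighted: !simple,
    requestReachedServer: reached, // the state change happens here, readable response or not
    cookiesSent: reached && withCredentials,
    responseReadable: reached && originAllowed,
  };
}

// Server side: echo only allowlisted origins, never "*" together with
// credentials, and send Vary: Origin so a cache cannot serve one origin's
// answer to another.
function corsResponseHeaders(requestOrigin, allowlist) {
  const headers = { Vary: "Origin" };
  if (allowlist.includes(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Scenarios (constructed): the victim is logged in to https://bank.example
// and visits https://attacker.example.
const ATTACKER = "https://attacker.example";

const blindCsrf = evaluateCors({
  origin: ATTACKER, method: "POST", withCredentials: true,
  requestHeaders: { "Content-Type": "application/x-www-form-urlencoded" },
  responseHeaders: {}, // the bank sends no CORS headers at all
}); // request and cookies delivered, response unreadable: the transfer still happens

const reflectedOrigin = evaluateCors({
  origin: ATTACKER, method: "POST", withCredentials: true,
  requestHeaders: { "Content-Type": "text/plain" },
  responseHeaders: { "Access-Control-Allow-Origin": ATTACKER, "Access-Control-Allow-Credentials": "true" },
}); // a server that reflects any Origin also hands over the response body

const jsonPost = evaluateCors({
  origin: ATTACKER, method: "POST", withCredentials: true,
  requestHeaders: { "Content-Type": "application/json" },
  responseHeaders: {},
}); // preflighted and refused: the JSON endpoint never sees the request
```

The three scenarios are the whole argument of the slide: CORS headers govern who may read a response, not who may send a request, so a form-style POST with cookies is CSRF whether or not the target speaks CORS at all. The defence is therefore a CSRF token or an Origin check on the endpoint, and `corsResponseHeaders` shows the only shape of CORS answer that does not make things worse.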
HTML5 hacking features: Silent file upload

- JavaScript file upload: a stealth <input type=file> with any file name and content
- Uses CORS
- How? Build the raw multipart/form-data body by hand and send it with XMLHttpRequest

- No user action
- No frames
- Cross-domain with cookies
- Works in most browsers
- You can add more form fields
-- A CSRF flaw is needed (no token or Origin check on the upload endpoint)
-- No access to the response

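The "how" bullet is the whole technique: the attacker page assembles the same bytes a real file picker would produce. The following is an added example, not code from the deck: a builder for that raw multipart/form-data body, the matching server-side parser, and the upload handler check (Origin plus per-session token) that turns the silent upload into a rejected request. Field names, the `avatar.php` content, the token and the origins are constructed; it runs under Node.js.

```javascript
// Added example, not from the original deck: builds the raw
// multipart/form-data body that a "silent upload" sends with XMLHttpRequest
// (the same bytes a real <input type=file> would produce), then the
// server-side parse and anti-CSRF check that makes the trick fail. Field
// names, file contents, token and origins are constructed. Node.js.

const CRLF = "\r\n";

// Build the body by hand: the browser never shows a file picker, and
// multipart/form-data is a "simple" Content-Type, so there is no CORS preflight.
function buildMultipart(fields, file, boundary) {
  const parts = [];
  for (const [name, value] of Object.entries(fields)) {
    parts.push(`--${boundary}${CRLF}Content-Disposition: form-data; name="${name}"${CRLF}${CRLF}${value}${CRLF}`);
  }
  parts.push(
    `--${boundary}${CRLF}` +
    `Content-Disposition: form-data; name="${file.field}"; filename="${file.name}"${CRLF}` +
    `Content-Type: ${file.type}${CRLF}${CRLF}${file.content}${CRLF}`
  );
  parts.push(`--${boundary}--${CRLF}`);
  return { contentType: `multipart/form-data; boundary=${boundary}`, body: parts.join("") };
}
// In the attacker's page the result is sent as:
//   const xhr = new XMLHttpRequest();
//   xhr.open("POST", "https://victim.example/upload", true);
//   xhr.withCredentials = true;                       // the victim's session cookie rides along
//   xhr.setRequestHeader("Content-Type", contentType);
//   xhr.send(body);                                   // response unreadable, upload still happens

// Minimal server-side parser for the same format.
function parseMultipart(contentType, body) {
  const m = /boundary=("?)([^";]+)\1/i.exec(contentType);
  if (!m) throw new Error("no boundary in Content-Type");
  const fields = {};
  const files = [];
  for (const raw of body.split(`--${m[2]}`)) {
    const part = raw.replace(/^\r\n/, "");
    if (part === "" || part.startsWith("--")) continue; // preamble / closing delimiter
    const sep = part.indexOf(CRLF + CRLF);
    if (sep < 0) continue;
    const headers = part.slice(0, sep);
    const content = part.slice(sep + 4).replace(/\r\n$/, "");
    const disp = /name="([^"]*)"(?:; filename="([^"]*)")?/i.exec(headers);
    if (!disp) continue;
    if (disp[2] !== undefined) {
      const ct = /Content-Type:\s*([^\r\n]+)/i.exec(headers);
      files.push({ field: disp[1], name: disp[2], type: ct ? ct[1].trim() : "application/octet-stream", content });
    } else {
      fields[disp[1]] = content;
    }
  }
  return { fields, files };
}

// The upload handler: the cookie arrives automatically, so the session alone
// proves nothing. Require our own Origin and a per-session token in the form;
// an attacker's page can forge the body but cannot read the token.
function acceptUpload({ origin, contentType, body }, session) {
  const { fields, files } = parseMultipart(contentType, body);
  if (origin !== undefined && origin !== session.siteOrigin) {
    return { accepted: false, reason: "cross-origin request" };
  }
  if (fields.csrf_token !== session.csrfToken) {
    return { accepted: false, reason: "missing or wrong CSRF token" };
  }
  return { accepted: true, files: files.map((f) => f.name) };
}

// Constructed scenario.
const SESSION = { siteOrigin: "https://victim.example", csrfToken: "tok-7f3a9c" };
const DEMO_BOUNDARY = "----SilentUploadBoundary0123456789";
const SHELL = { field: "avatar", name: "avatar.php", type: "image/png", content: "<?php echo 'owned'; ?>" };
const PHOTO = { field: "avatar", name: "me.png", type: "image/png", content: "PNG-bytes-go-here" };

const forged = buildMultipart({ description: "harmless picture" }, SHELL, DEMO_BOUNDARY);
const silentUpload = acceptUpload({ origin: "https://attacker.example", ...forged }, SESSION);
// rejected: the victim's cookie came along, but the Origin is foreign

const legit = buildMultipart({ description: "profile", csrf_token: SESSION.csrfToken }, PHOTO, DEMO_BOUNDARY);
const legitUpload = acceptUpload({ origin: SESSION.siteOrigin, ...legit }, SESSION);
// accepted: same origin and the token the attacker could not read
```

Note what the check does not do: it says nothing about the file itself. Extension and content validation of uploads is a separate control, and the slide's "any file name and content" is exactly why both are needed.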
Cursor hijack / click hijack

- Facebook scams
- Actively exploited
- JavaScript pasted into the URL bar ("paste this code" self-XSS scams)
- NoScript plugin (ClearClick) mitigates
- Use your creativity

DEMO 2

DEMO 3

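Click hijacking works because the target page can be framed by the scam page; the fix is a framing policy the browser enforces. The following is an added example, not code from the deck: a Node.js evaluation of whether a given embedder may frame a page under X-Frame-Options and the CSP `frame-ancestors` directive, and the headers a site should send. The origins `social.example`, `scam.example` and `partner.example` are constructed; the CSP source matching is simplified (no port handling, no http-to-https scheme upgrade).

```javascript
// Added example, not from the original deck: how a browser decides whether
// an embedder may frame a page, from X-Frame-Options and the CSP
// frame-ancestors directive, and the headers that shut down click and
// cursor hijacking. Origins are constructed; CSP source matching is
// simplified (no port handling, no http->https scheme upgrade).

// Match one frame-ancestors source expression against the embedder origin.
function sourceMatches(source, embedderOrigin, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return embedderOrigin === pageOrigin;
  if (src === "*") return true;
  if (src.endsWith(":") && !src.includes("/")) return embedderOrigin.startsWith(src); // scheme-source, e.g. https:
  const e = new URL(embedderOrigin);
  let scheme = new URL(pageOrigin).protocol; // a host-source without a scheme takes the page's scheme
  let host = src;
  const i = src.indexOf("://");
  if (i >= 0) { scheme = src.slice(0, i) + ":"; host = src.slice(i + 3); }
  host = host.replace(/\/.*$/, "").replace(/:(\d+|\*)$/, ""); // drop path and port
  if (scheme !== e.protocol) return false;
  if (host.startsWith("*.")) return e.hostname.endsWith(host.slice(1));
  return e.hostname === host;
}

// True if the page served with responseHeaders may be framed by embedderOrigin.
function framingAllowed(responseHeaders, embedderOrigin, pageOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = String(v);
  const csp = h["content-security-policy"] || "";
  const directive = csp.split(";").map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
  if (directive) {
    // When frame-ancestors is present it takes precedence over X-Frame-Options.
    const sources = directive.split(/\s+/).slice(1);
    if (sources.length === 0) return false; // an empty source list behaves like 'none'
    return sources.some((s) => sourceMatches(s, embedderOrigin, pageOrigin));
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === pageOrigin;
  // No policy (ALLOW-FROM is no longer honoured by current browsers): anyone may frame us.
  return true;
}

// Headers to send on every page that has something worth clicking.
function antiFramingHeaders(allowedEmbedders = []) {
  if (allowedEmbedders.length === 0) {
    return { "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'" };
  }
  // Partners need CSP; X-Frame-Options cannot express an allowlist.
  return {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": `frame-ancestors 'self' ${allowedEmbedders.join(" ")}`,
  };
}

// Constructed scenario: a "like" button on https://social.example framed
// invisibly by https://scam.example.
const PAGE = "https://social.example";
const SCAM = "https://scam.example";
const exposed = framingAllowed({}, SCAM, PAGE);                  // true: clickjackable
const locked = framingAllowed(antiFramingHeaders(), SCAM, PAGE); // false
const partnered = antiFramingHeaders(["https://partner.example"]);
const partnerOk = framingAllowed(partnered, "https://partner.example", PAGE); // true
const scamStillOut = framingAllowed(partnered, SCAM, PAGE);                  // false
```

Send both headers: X-Frame-Options for old browsers, `frame-ancestors` for everything else. JavaScript frame-busting (`if (top !== self) top.location = self.location`) is not a substitute, since the framing page can neutralise it with the iframe `sandbox` attribute or an `onbeforeunload` handler. Cursor hijacking, which moves a fake cursor away from the real one with CSS rather than hiding the frame, is stopped by the same headers because it still needs the target framed.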
HTTP Parameter Pollution

- Query string: the part of the URI after "?", defined in RFC 3986
- Applies to GET and POST parameters:
- Query string metacharacters are & ? # ; =

- Bypass ModSecurity

Busted query:

Accepted query:

- Bypass IBM Web Application Firewall (FIXED)

Busted query:

Accepted query:

Discovered by Wendel Henrique from Trustwave Labs

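The two WAF slides hinge on one fact: each platform resolves a repeated parameter differently, and a filter that inspects values one at a time never sees what the backend reassembles. The following is an added example, not code from the deck: a query-string parser that applies the four duplicate-parameter behaviours listed in this deck's editor's notes (first wins, last wins, concatenate, array), plus a demonstration of a split payload passing a naive per-value signature check and recombining on a concatenating backend. The queries and the filter rule are constructed and are not the slide's own busted/accepted queries; the platform attributions in the comments follow the original HPP research by Carettoni and Di Paola and should be verified against your own stack. Node.js.

```javascript
// Added example, not from the original deck: a query-string parser for the
// four duplicate-parameter behaviours (first, last, concat, array) and a
// demonstration of the split-payload bypass on a concatenating backend.
// Queries and the filter rule are constructed. Node.js.

function parseQuery(query, mode, separator = ",") {
  const multi = new Map();
  // RFC 3986 defines the query component but not its delimiters; "&" and
  // ";" are both in common use, which is itself an HPP vector.
  for (const pair of query.replace(/^\?/, "").split(/[&;]/)) {
    if (pair === "") continue;
    const i = pair.indexOf("=");
    const decode = (s) => decodeURIComponent(s.replace(/\+/g, " "));
    const name = decode(i < 0 ? pair : pair.slice(0, i));
    const value = i < 0 ? "" : decode(pair.slice(i + 1));
    if (!multi.has(name)) multi.set(name, []);
    multi.get(name).push(value);
  }
  const out = {};
  for (const [name, values] of multi) {
    switch (mode) {
      case "first": out[name] = values[0]; break;                // e.g. Java servlet getParameter()
      case "last": out[name] = values[values.length - 1]; break; // e.g. PHP $_GET / $_POST
      case "concat": out[name] = values.join(separator); break;  // e.g. ASP.NET Request.QueryString (",")
      case "array": out[name] = values; break;                   // e.g. Perl CGI.pm param() in list context
      default: throw new Error("unknown mode: " + mode);
    }
  }
  return out;
}

// A naive signature filter that looks at each value on its own (constructed rule).
const SQLI_SIGNATURE = /\b(union\s+select|select\s+.+\s+from)\b/i;

function naiveFilterBlocks(query) {
  const values = Object.values(parseQuery(query, "array")).flat();
  return values.some((v) => SQLI_SIGNATURE.test(v));
}

// What a concatenating backend does with the same query: the "," separators
// land inside SQL comments, so the fragments reassemble into one statement.
function hppBypassDemo(query) {
  const raw = parseQuery(query, "concat", ",").id;
  const effectiveSql = raw.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/\s+/g, " ").trim();
  return {
    blockedAtFilter: naiveFilterBlocks(query),
    backendSees: raw,
    effectiveSql,
    injectionAfterRecombine: SQLI_SIGNATURE.test(effectiveSql),
  };
}

const PLAIN_PAYLOAD = "?id=1+union+select+1,2+from+users";
const SPLIT_PAYLOAD = "?id=1/*&id=*/union/*&id=*/select/*&id=*/1,2/*&id=*/from/*&id=*/users";
const plain = hppBypassDemo(PLAIN_PAYLOAD); // blockedAtFilter: true
const split = hppBypassDemo(SPLIT_PAYLOAD); // blockedAtFilter: false, effectiveSql: "1 union select 1,2 from users"
```

The practical check before a test: send `?p=1&p=2` to the application and see whether it answers with `1`, `2`, `1,2` or an array; that single probe tells you which of the four modes the backend uses and whether a filter in front of it sees the same value.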
HTTPOnly XSS bypass

- Implemented in 2002 by Microsoft in IE 6 (SP1)
- An additional flag in the Set-Cookie HTTP response header; the browser then keeps the cookie out of document.cookie
- Exploiting an XSS when the response sets HttpOnly? No cookies for you?

How to bypass?

- Cross-Site Tracing: HTTP TRACE echoes the request, cookies included (FIXED: browsers block TRACE)
- XMLHttpRequest also blocks the TRACE method (FIXED)
- CVE-2009-0357: XMLHttpRequest in Firefox exposed HttpOnly cookies through getResponseHeader (FIXED)
- Java applet issuing HTTP TRACE (FIXED)
- Java getHeaderField() on java.net.URLConnection (UNFIXED at the time of this talk)
  By Aung Khant, http://yehg.net
- … and it WORKS!

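Every bypass on these slides reads the cookie through a side channel that is not `document.cookie`, so on the server the two controls that matter are the flag itself and refusing to echo requests back. The following is an added example, not code from the deck: a Set-Cookie parser with an audit that flags session cookies missing HttpOnly (and the companion Secure and SameSite attributes), and a request handler that rejects TRACE so the Cross-Site Tracing route is closed regardless of what the client does. Cookie names, the session value and the paths are constructed; it runs under Node.js.

```javascript
// Added example, not from the original deck: a Set-Cookie parser and audit
// that flags session cookies missing HttpOnly (plus Secure and SameSite),
// and a handler that refuses TRACE so Cross-Site Tracing cannot echo the
// cookie back. Header values, names and paths are constructed. Node.js.

function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";");
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs: {} };
  for (const a of attrParts) {
    const i = a.indexOf("=");
    const k = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    if (!k) continue;
    cookie.attrs[k] = i < 0 ? true : a.slice(i + 1).trim(); // flag attributes become true
  }
  return cookie;
}

// Names that usually carry a session; adjust to the application under test.
const SESSION_NAME = /sess|sid|token|auth/i;

function auditSetCookie(header, { https = true } = {}) {
  const c = parseSetCookie(header);
  const findings = [];
  if (SESSION_NAME.test(c.name)) {
    if (!c.attrs.httponly) findings.push("session cookie readable by script (no HttpOnly)");
    if (https && !c.attrs.secure) findings.push("session cookie sent over plaintext HTTP (no Secure)");
    if (!c.attrs.samesite) findings.push("no SameSite attribute; cross-site requests carry it");
  }
  return { name: c.name, findings };
}

// Server side: set the cookie correctly and never echo a request back.
// HttpOnly only hides the value from script; an XSS can still act as the
// user inside the browser, which is why the flag is a mitigation, not a fix.
function handleRequest(req) {
  if (req.method === "TRACE") {
    return { status: 405, headers: { Allow: "GET, HEAD, POST" }, body: "" };
  }
  if (req.method === "GET" && req.path === "/login") {
    return {
      status: 200,
      headers: { "Set-Cookie": "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
      body: "ok",
    };
  }
  return { status: 404, headers: {}, body: "" };
}

// Constructed responses as a scanner would see them.
const weak = auditSetCookie("SESSIONID=abc123; Path=/");            // three findings
const hardened = auditSetCookie(handleRequest({ method: "GET", path: "/login" }).headers["Set-Cookie"]); // none
const trace = handleRequest({ method: "TRACE", path: "/" });         // 405
```

Run `auditSetCookie` over every Set-Cookie header in a crawl and the list of findings is the HttpOnly check from this slide done at scale; the TRACE refusal is what to verify on the web server or reverse proxy in front of the application, since the browser-side fixes listed above do nothing for non-browser clients such as the Java applet route.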
EstuárioTI

References

- Tempest Blog
- Stefano Di Paola
- SecKB Blog
- OWASP
- Marcus Niemietz


Event: Security Day - Chesf

Editor's notes (HTTP Parameter Pollution slides)

Four standard behaviours when a parameter is repeated:
- use only the last value passed
- use only the first value passed
- concatenate all values using a separator
- turn all values into an array