The Diviner project aims to provide digital clairvoyance and insight into source code and application structure through extensive behavior analysis and information gathering. It uses an automated process called "source code divination" to analyze an application's behavior under different conditions and inputs in order to infer details about its underlying source code, structure, and potential vulnerabilities. The Diviner tool is an extension for the OWASP ZAP web application scanner that allows penetration testers to visualize an application's behavior and entry points, detect indirect attack vectors, and obtain recommendations for further manual testing.
Shay Chen: The Diviner - Digital Clairvoyance Breakthrough - Gaining Access to the Source Code & Server-Side Memory Structure of Any Application
1. The Diviner
Digital Clairvoyance Breakthrough
Source Code & Structure Black Box Divination
Shay Chen, @sectooladdict
CTO at Hacktics ASC, Ernst & Young
November 20, 2012
2. About Me
► Addictions
Diviner - Clairvoyance in the Digital Frontier
3. About Me
► Security Tools Collector / Addict
4. About Me
► Law of Familiarity
5. About Hacktics
► Hacktics ASC
► Formerly a boutique company that provided various information security services since 2004.
► As of 01/01/2011, Ernst & Young acquired Hacktics professional services practice, and the group joined EY as one of the firm’s advanced security centers (ASC).
6. The Diviner Project
► Diviner
  ► OWASP ZAP extension (v1.4+)
  ► Requires ZAP to run with Java 1.7+
  ► Homepage: http://code.google.com/p/diviner/
► Development
  ► 1+ years of development, tons of extra hours by @Secure_ET
  ► Made possible due to support from the OWASP ZAP project, specifically from Simon Bennetts (@psiinon)
7. The Problem
The numerous tasks of manual penetration testing
11. The Limited Time Frame (Cont.)
#tests = ~100 tests per each parameter
#pages = different web pages in the application
#params = different parameters in each web page
12. The Limited Time Frame (Cont.)
#tests * #pages * #params = a lot of time (and tests)
13. The Limited Time Frame (Cont.)
#tests * #pages * #params
100 * 20 * 3 = 6,000 tests
16. The Limited Time Frame (Cont.)
#tests * #pages * #params
100 * 100 * 3 = 30,000 tests
17. The Limited Time Frame (Cont.)
30,000!!!
18. The Limited Time Frame, Potential Solutions
► Experience, Intuition and Luck.
► Automated Scanners
  ► Benefit: Perform multiple tests on a large amount of URLs/Parameters.
  ► Downside: Can only detect familiar attacks and scenarios, limited accuracy, and potential false positives.
► Fuzzers
  ► Benefit: Collect the responses of numerous payloads from multiple URLs.
  ► Downside: Presentation method, amount of analysis required.
► Information Gathering…
19. Gazing into the Crystal Ball
The Art of War: Information Gathering
20. Introduction to Digital Information Gathering
► Information gathering processes are used to locate instances of sensitive information disclosure, as well as to obtain semi-legitimate information on the application’s structure, underlying infrastructure, and behavior.
“If you know your enemies and know yourself, you will not be imperiled in a hundred battles”
(Sun Tzu, The Art of War, 6th century BC)
21. Passive Information Gathering
► Dictionary term: “accepting or allowing what happens or what others do, without active response or resistance.”
► Application-level passive analysis is performed using techniques such as:
  ► Google hacking
  ► Entry point mapping
  ► Content analysis tools:
    ► Watcher, ZAP, WebFight, etc.
  ► Internet research
  ► Open source code analysis
  ► Etc.
22. Active Information Gathering
► Dictionary term: “Gathering information that is not available in open sources, sometimes requires criminal activities to obtain.”
► Performed using techniques such as:
  ► Brute-Force Attacks
  ► Resource Enumeration
  ► Intentional Error Generation
  ► Source Code Disclosure Attacks
  ► Etc.
Is it really the limit?
23. Mr. Big (?!?)
24. MrBig
Massive Recursive Behavior Information Gathering
► Application behavior in normal & extreme scenarios
► Indirect cross component effect
► Effect of values in each and every field
► Restrictions
► Behavior analysis
Which can lead to…
25. The Impact
Black Box Source Code & Structure Insight
26. The Crown Jewel - Source Code Disclosure
► Inherent Security Flaws in the Application Code
► Test a Local Copy of the Application
► Hardcoded Credentials & Encryption Keys
► Disclose the Structure of the Internal Network
► Etc.
27. Security by Obscurity – Officially Dead?
► Based on Kerckhoffs's principle.
► The idea that "security by obscurity" makes the product safer and less vulnerable to attack.
► Written in 1883.
► During the last 130 years, security experts have disproved this concept over and over again.
► Diviner puts the last nail in the coffin.
28. Source Code Divination – Benefits
► The benefits of source code divination are many:
  ► Generate a visual representation of the behavior of each page.
  ► Generate a pseudo-code representation of language specific source code.
  ► Locate and differentiate between direct & indirect effect of input values on entry points.
  ► Track the flow of input & output in the application.
  ► Track session identifier origin & lifespan.
  ► Detection of dormant events, methods, and parameters.
  ► Indirect attack vector detection.
33. Exploring Different Paths of Execution
Behavior in Different Authentication Modes and History Prerequisites
[Figure: flow diagram. Recoverable labels: Start; Mode (No Login Required, Login First, Login After, Optional Login); History (No History, Partial History, Full History, Login History, Target History); Access (Request#1, Request#2, Request#4, Login-Request, ...); Source Entry Point (Source EP), Target Entry Point; Result Analysis.]
34. Exploring Different Paths of Execution, Cont.
Behavior With Different Session Cookies, Identifiers and Tokens
[Figure: flow diagram. Recoverable labels: Access Entry Point; Use Original Cookie; New Session Cookie; Use Updated Cookie; New AntiCSRF Token; Use New Token; New Page Specific Parameter; Update Parameter; Scenario Execution.]
35. Source Code Divination Accuracy
ID   Behaviour Name
1    Input Reflected from Variable
2    Input Reflected from Session
3    Input Reflected from Database
4    Input Stored in Server Variable
5    Input Stored in Session Variable
6    Input Stored in Database Table
7    New Cookie Value
...  ...
36. Source Code Divination Accuracy
ID  Code Description  (JSP Code / ASP.Net Code / ...)
ID 1 - Read Input to Variable
    JSP:     String input$$1$$ = request.getParameter(##1##);
    ASP.Net: String input$$1$$ = Request["##1##"];
ID 2 - Invalidate Session
    JSP:     session.invalidate();
    ASP.Net: Session.Abandon();
ID 3 - New Session Identifier
    JSP:     request.getSession(true);
    ASP.Net: …
ID 4 - New Cookie Value
    JSP:     Cookie cookie = new Cookie("##1##",val); response.addCookie(cookie);
    ASP.Net: Response.Cookies("##1##").Value = "val";
ID 5 - Get Database Connection
    JSP:     Class.forName(DriverClassName); Connection conn = DriverManager.getConnection(X);
    ASP.Net: SqlConnection conn = new SqlConnection(X);
...
37. Source Code Divination Accuracy
Behavior ID  Code ID  Code Type  Rank   Default Probability
7            3        1          1010   50%
7            4        1          10040  70%
7            2        2          5550   40%
6            1        1          2010   90%
6            5        2          10000  80%
...          ...      ...        ...    ...
38. Verification Process and Probability
For each unique entry point / request, the probability for the existence of specific lines of code is adjusted according to the results of various behavior specific confirmation processes.
Previous session redirects to login after set-cookie instruction?
Behaviour7 -> CodeId2 +40%, CodeId3 +20%, CodeId4 -10%
Behavior ID  Code ID  Code Type  Rank   Current Probability
7            3        1          1010   70%
7            4        1          10040  60%
7            2        2          5550   80%
6            1        1          2010   90%
6            5        2          10000  80%
...          ...      ...        ...    ...
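As an added illustration (not code from the Diviner project), the following Python models the two tables above: each behaviour maps to candidate code lines with a default probability, a confirmation process adjusts the probabilities for one entry point, and the candidates are then sorted by rank and re-sorted by probability. The behaviour/code identifiers, ranks, default probabilities and the +40/+20/-10 rule come from the slides; the class and function names, the observation label and the 1%..99% clamp are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Tuple


@dataclass
class CodeCandidate:
    """One potential line of code for a behaviour (one row of the slide table)."""
    behavior_id: int
    code_id: int
    code_type: int    # one line per "code type" lets a behaviour keep several interpretations
    rank: int         # predefined, behaviour-specific rank used for the initial sort
    probability: int  # percent; starts at the default value


# Default table taken from the "Source Code Divination Accuracy" slide.
DEFAULT_TABLE: List[CodeCandidate] = [
    CodeCandidate(7, 3, 1, 1010, 50),
    CodeCandidate(7, 4, 1, 10040, 70),
    CodeCandidate(7, 2, 2, 5550, 40),
    CodeCandidate(6, 1, 1, 2010, 90),
    CodeCandidate(6, 5, 2, 10000, 80),
]

# Confirmation rules: (behaviour id, observation) -> {code id: delta in percent}.
# The single rule below is the example on the "Verification Process" slide; the
# observation label is an assumed name for the question asked there.
Observation = Tuple[int, str]
CONFIRMATION_RULES: Dict[Observation, Dict[int, int]] = {
    (7, "previous_session_redirects_to_login_after_set_cookie"): {2: +40, 3: +20, 4: -10},
}


def clamp(percent: int, low: int = 1, high: int = 99) -> int:
    """Keep a probability inside the 1%..99% scale drawn on the slide's axis (assumed bounds)."""
    return max(low, min(high, percent))


def apply_observations(table: Iterable[CodeCandidate],
                       observations: Iterable[Observation]) -> List[CodeCandidate]:
    """Return an adjusted copy of the table for one entry point / request.

    Each confirmed observation moves the probability of the affected code
    candidates of that behaviour by the rule's delta; the defaults stay intact.
    """
    adjusted = [replace(c) for c in table]
    for obs in observations:
        behavior_id, _ = obs
        deltas = CONFIRMATION_RULES.get(obs, {})
        for cand in adjusted:
            if cand.behavior_id == behavior_id and cand.code_id in deltas:
                cand.probability = clamp(cand.probability + deltas[cand.code_id])
    return adjusted


def sorted_candidates(table: Iterable[CodeCandidate]) -> List[CodeCandidate]:
    """Initial sort by the predefined rank, then re-sort by current probability.

    Assumption: a lower rank value sorts first; because sorted() is stable, the
    rank order survives as the tie-break among equal probabilities.
    """
    by_rank = sorted(table, key=lambda c: c.rank)
    return sorted(by_rank, key=lambda c: c.probability, reverse=True)


def probabilities(table: Iterable[CodeCandidate]) -> Dict[Tuple[int, int], int]:
    """Map (behaviour id, code id) -> current probability, for inspection."""
    return {(c.behavior_id, c.code_id): c.probability for c in table}


if __name__ == "__main__":
    observed = [(7, "previous_session_redirects_to_login_after_set_cookie")]
    for cand in sorted_candidates(apply_observations(DEFAULT_TABLE, observed)):
        print(f"behaviour {cand.behavior_id} code {cand.code_id}: "
              f"{cand.probability}% (rank {cand.rank})")
```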
59. Source Code Divination Mechanics
► When entry point behaviors are interpreted into language-specific pseudo code, one line of code per “code type” is added to every behavior’s potential code collection, so that the process can support multiple interpretations of each behavior.
60. Sorting Divined Source Code
► The code is initially sorted according to a predefined behavior specific ranking system, but then re-sorted according to the results of designated sort verification processes (delay of service and behavior stack verification).
61. Source Code Divination – Structure Analysis
► Analyzing the application structure, and tracking the flow of input/output will provide various insights:
  ► Component behaviors in normal vs. extreme scenarios:
    ► Reaction to different sets of characters (abnormality/exception)
    ► Reaction to missing content
  ► Direct & Indirect effect of input on different entry points
  ► Indirect and Direct output reflection
► In addition, the locations:
  ► Input Database storage vs. Session storage
  ► Static Variable Storage and Viewstate storage
62. Source Code Divination – Code Prediction
► Hints on the existence of specific code can be obtained from various sources and behaviors:
  ► Application behaviors, such as:
    ► Direct & Indirect reflection of input in the output
    ► Exceptions or abnormal behaviors caused due to specific characters
    ► Abnormal access sequences
    ► Response variation
  ► Comparing different behaviors
  ► Identifying value override junctions
63. Source Code Divination – Code Prediction
► Source Code Divination Sources (Cont.):
  ► Line-targeted Delay Of Service attacks:
    ► RegEx DoS
    ► Connection Pool Consumption
    ► Numeric DoS
    ► Magic Hash, etc.
  ► Behavior fingerprinting, alongside various verifications
64. Twists & Turns
65. Source Code Divination – Sorting Mechanics
► Sorting the source code can be achieved via:
  ► Simultaneous activation of line-targeted Delay of Service attacks, while:
    ► Accessing the entry point with an exception generating character, located during the structure mapping phase.
  ► Exception & behavior fingerprinting
  ► Sending erroneous exceptions in different parameters (exception & behavior priority)
  ► Comparing multiple information sources
  ► Assigning default sort value to each potential line of code
66. Intentional Latency Increment (Sorting Code)
► Delay of Service – intentional extension of the productive latency.
► If the line is delayed then it also exists, and occurs before, after or between other lines of code.
[Figure: productive latency]
67. Productive Latency Rules
► The ADoS attack must affect the lines of code before, between or after the behavior/exception specific code.
► For example, a denial of service attack that targets the web server is inefficient (since all the code is affected), while a denial of service attack that targets the database (and thus, the database access code) might be efficient.
[Figure: entry point code sections labelled Session Variables and Database Code]
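As an added example (not Diviner's own code), a simulation of the productive-latency reasoning from the sorting and latency slides, run over constructed timing samples: a request whose database layer is slowed, sent with and without an exception-generating value in a given parameter, tells the analyst whether database-access code exists at this entry point and whether it runs before or after the line that throws on that parameter. Layer names, parameter names, the latencies and the tolerance are all assumed values.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Timing:
    """One timed request to the entry point (constructed sample, not a real capture)."""
    delayed_layer: str              # layer slowed during this request, e.g. "database"
    exception_param: Optional[str]  # parameter carrying an exception-generating value, or None
    latency_ms: float


def is_delayed(sample: Timing, baseline_ms: float, delay_ms: float, tolerance_ms: float) -> bool:
    """True when the response carried the injected layer latency (productive latency)."""
    return sample.latency_ms >= baseline_ms + delay_ms - tolerance_ms


def infer_layer_order(baseline_ms: float, delay_ms: float, samples: Iterable[Timing],
                      tolerance_ms: float = 50.0) -> Dict[str, dict]:
    """For each slowed layer, decide whether the entry point has code touching it and
    whether that code runs before or after the line that throws on a given parameter.

    Returns {layer: {"exists": bool, "before": set of params, "after": set of params}}.
    """
    result: Dict[str, dict] = {}
    for s in samples:
        info = result.setdefault(s.delayed_layer, {"exists": False, "before": set(), "after": set()})
        delayed = is_delayed(s, baseline_ms, delay_ms, tolerance_ms)
        if s.exception_param is None:
            # Plain request: extra latency proves that layer-access code exists
            # ("if the line is delayed then it also exists").
            info["exists"] = info["exists"] or delayed
        elif delayed:
            # The exception fired on this parameter, yet the delay still occurred:
            # the layer access is executed before the line that validates it.
            info["exists"] = True
            info["before"].add(s.exception_param)
        else:
            # The exception short-circuited the delay: the layer access comes
            # after that line (or does not exist at all; the plain request decides).
            info["after"].add(s.exception_param)
    for info in result.values():
        if not info["exists"]:
            # No layer code at all: before/after conclusions are meaningless.
            info["before"].clear()
            info["after"].clear()
    return result


# Constructed measurements for one entry point: ~120 ms baseline, database
# layer slowed by ~800 ms while the measurements were taken.
BASELINE_MS, DELAY_MS = 120.0, 800.0
SAMPLES: List[Timing] = [
    Timing("database", None, 931.0),        # plain request, delay visible
    Timing("database", "username", 918.0),  # exception on username, still delayed
    Timing("database", "comment", 137.0),   # exception on comment, delay gone
    Timing("webservice", None, 128.0),      # slowing the web service changes nothing
    Timing("webservice", "username", 125.0),
]


if __name__ == "__main__":
    for layer, info in infer_layer_order(BASELINE_MS, DELAY_MS, SAMPLES).items():
        print(layer, info)
```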
69. Layer Targeted Denial Of Service
► Different lines of code might access different digital layers, such as:
  ► Databases
  ► Web Services
  ► External Servers
  ► File Operations.
► Furthermore, malicious payloads can be used to increase the latency of code sections:
  ► Regular Expressions
  ► Loops
  ► Search Criteria.
70. Increasing Latency with RegEx DoS
► RegEx DoS payloads can increase the latency of validation and search mechanisms. For example:
  ► RegEx: ([a-zA-Z0-9]+)*
  ► Input: Admin, aaaaaaaaaaaaaaaaaaaaaaaaaa!
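An added example (not from the slides or the Diviner project) showing why the pattern above is a latency lever and how a defender removes it: the nested quantifiers are compared with an equivalent single-quantifier pattern on the same kind of input, checking that both accept exactly the same strings while only the original one slows down exponentially with each extra letter. The function names and the comparison inputs are assumptions.

```python
import re
import time
from typing import Iterable, Tuple

# Pattern from the slide. With the "+" nested inside "*" and a trailing "!" that
# can never match, the backtracking engine tries every way of splitting the run
# of letters between the inner and the outer repetition before giving up.
VULNERABLE = re.compile(r"([a-zA-Z0-9]+)*")
# Same language (any alphanumeric run, empty included) with one quantifier, so
# there is exactly one way to consume the input and failure is immediate.
HARDENED = re.compile(r"[a-zA-Z0-9]*")


def timed_fullmatch(pattern, text: str) -> Tuple[bool, float]:
    """Return (matched, seconds) for one full-match attempt of text against pattern."""
    start = time.perf_counter()
    matched = pattern.fullmatch(text) is not None
    return matched, time.perf_counter() - start


def same_decisions(inputs: Iterable[str]) -> bool:
    """True when the vulnerable and hardened patterns accept exactly the same inputs."""
    return all((VULNERABLE.fullmatch(s) is None) == (HARDENED.fullmatch(s) is None)
               for s in inputs)


def slowdown(n: int) -> float:
    """Ratio of vulnerable to hardened matching time on n letters followed by "!"."""
    text = "a" * n + "!"
    _, vulnerable_s = timed_fullmatch(VULNERABLE, text)
    _, hardened_s = timed_fullmatch(HARDENED, text)
    return vulnerable_s / max(hardened_s, 1e-9)


if __name__ == "__main__":
    # Constructed inputs: valid names, plus the slide's "aaaa...!" shape kept short.
    print("same decisions:", same_decisions(["", "Admin", "abc123", "a" * 12 + "!", "user name"]))
    for n in (8, 10, 12, 14, 16):
        print(f"n={n:2d}  vulnerable/hardened time ratio: {slowdown(n):,.0f}x")
```

The ratio roughly doubles per added letter, which is why the 26-letter input on the slide is enough to stall a validation routine while the hardened pattern answers in constant time.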
71. Occupying Connections to Increase Latency
► Use an automated script that consistently accesses modules which use connections from a size-restricted connection pool for querying the database.
  ► The script must use a number of threads equal to or higher than the maximum number of connections in the pool.
  ► In order to keep occupying connections, each thread should re-access the module immediately after getting a response.
  ► The script should use fewer threads than the amount supported by the server.
  ► The script should not affect the availability of the server, or any other layer (but the target layer).
72. Occupying Connections to Increase Latency
► Occupying connections will guarantee that code which requires a database connection will experience some latency.
[Figure: delayed until a connection is released]
73. And Finally...
74. Additional Resources
► Diviner Homepage (ZAP 1.4+ Extension)
  ► http://code.google.com/p/diviner/
  ► Structure and input/output flow visualization
  ► Source code & memory structure divination
  ► Advisor and task list manager
  ► Payload manager integrated with ZAP repeater
► Payload Manager .Net
  ► External editor for Diviner’s payload manager database
  ► Home: http://code.google.com/p/payload-manager/
► OWASP ZAP Proxy:
  ► http://code.google.com/p/zaproxy/
75. Acknowledgments
► The following individuals and groups helped transform Diviner from an idea to reality:
  ► Eran Tamari – The lead developer and a firm believer.
  ► The OWASP ZAP Project, Simon Bennetts and Axel Neumann - for the amazing support and for enabling ZAP extensions.
  ► Zafrir Grosman – Material design.
  ► Hacktics Employees - for assisting in the various development phases of the payload manager extension.
  ► Ernst & Young, for investing the resources necessary to publish the research.
76. Ernst & Young Advanced Security Centers
► Americas
  ► Hacktics Israel
  ► Houston
  ► New York
  ► Buenos Aires
► EMEIA
  ► Dublin
  ► Barcelona
► Asia Pacific
  ► Singapore
  ► Melbourne