Web Application Social Engineering Vulnerabilities

Matt Cooley
Lead Security Advisory Analyst
Symantec Security Strategy & Advisory Services
Agenda

1 Overview
2 Homograph Attacks
3 Web Application Vulnerabilities
4 Demonstration

Web Application Social Engineering Vulnerabilities    2
Presentation Overview
• This presentation will demonstrate some attacks that can be
  used to target users and administrators of web applications.


• You will learn techniques attackers use to steal money and
  sensitive data while going undetected.

Domain Spoofing
Homograph Attacks

Domain Name Spoofing
• Wait, that’s not a web application vulnerability
• No, but it’s a tool in our toolbox which we will use to make our
  attacks more convincing

Internationalized Domain Names (IDN)
http://例子.测试
http://παράδειγμα.δοκιμή
http://пример.испытание

The problem is, this is also an Internationalized Domain Name:

miсrоsоft.com

This is not:

microsoft.com

When Homographs Attack

Homograph Attacks – A Brief History
2002 – Paper by Gabrilovich and Gontmakher
• Revealed that it was possible to register a domain containing non-Latin characters which would appear indistinguishable from a legitimate domain name.

microsoft.com (authentic)

miсrоsоft.com (Russian letters ‘c’ and ‘o’)
• с = Unicode Character 'CYRILLIC SMALL LETTER ES' (U+0441)
• о = Unicode Character 'CYRILLIC SMALL LETTER O' (U+043E)

http://www.cs.technion.ac.il/~gabr/papers/homograph.html

Web Browsers Were Fixed.. Kinda
2005 – Shmoo Group revisits homograph attacks
• Found that homograph attack prevention in browsers was applied inconsistently and spoofing issues could be exploited in Firefox, Safari, and Opera

www.paypal.com (the real site)
• a = Unicode Character 'LATIN SMALL LETTER A' (U+0061)

www.pаypal.com (Shmoo’s site)
• а = Unicode Character 'CYRILLIC SMALL LETTER A' (U+0430)

http://www.shmoo.com/idn/homograph.txt

Still not fixed
2009 – Chris Weber discloses IDN spoofing issue with Safari




https://www.owasp.org/images/5/5a/Unicode_Transformations_Finding_Elusive_Vulnerabilities-Chris_Weber.pdf
http://support.apple.com/kb/ht3733

Today
• All popular browsers implement their own policies for how IDNs should be displayed in the address bar
• If a Unicode IDN doesn’t pass the browser’s policy for display, it will be displayed in Punycode, which should raise suspicion
• Safari and mobile Safari have more permissive rules than Chrome, Firefox, and Internet Explorer




http://www.idnnews.com/?p=8760

These are all the same domain
(Address bar screenshots of the same domain in: Chrome 14.0 Windows; Firefox 7.0 Windows; Internet Explorer 9.0 Windows; Android 2.2; Safari 5.1 Windows; Safari 5.0.2 iPhone; Opera Mini 6.0 iPhone)

Safari’s IDN Handling Policy
• There is a white list file containing permitted IDN character sets. It is up to the user to maintain the list
• /System/Library/Frameworks/WebKit.framework/Versions/A/Resources/IDNScriptWhiteList.txt
• C:\Program Files\Safari\Safari.resources\IDNScriptWhiteList.txt




http://support.apple.com/kb/TA22996

Safari’s White List
# Default Web Kit International Domain Name Script White List.

Common
Inherited

Arabic
Armenian
Bopomofo
Canadian_Aboriginal
Devanagari
Deseret
Gujarati
Gurmukhi
Hangul
Han
Hebrew
Hiragana
Katakana_Or_Hiragana
Katakana
Latin
Tamil
Thai
Yi

Safari has the Weakest IDN Spoofing Protection Policy
• So let’s attack Safari

My first attempt

• sỵmantec.com
• xn--smantec-h64c.com (Punycode)
• ỵ = Unicode 0x1ef5 “LATIN SMALL LETTER Y WITH DOT BELOW”

Somewhat Convincing Spoof in both Punycode and Native Character Formats

• xn--microsoft-msft.com (Punycode)
• micro̦so̤ft.com
• Instead of gibberish in the Punycode format, the text “msft” is used (stock symbol for Microsoft)
• If the victim opens the URL in a browser that shows Punycode, they will see this:


• Otherwise, they will see this:

Hmm.. This is interesting

 • sy̲mantec.com
 • xn--symantec-rcf.com (Punycode)
 • Unicode 0x0332 “COMBINING LOW LINE”
 • Safari in Windows 7 - Underline doesn’t display:




Achievement unlocked!

A fix?
Removing “Latin” from the Safari IDN white list causes this:




To become this:


IDN Spoofing on iOS Devices
The following Unicode characters are not displayable on iOS devices, but can be registered within an IDN:

夆 U+5906
悞 U+609E
暵 U+66B5
煒 U+7152
譿 U+8B7F
驊 U+9A4A

Bonus: They are allowed by Safari’s default white list (Han)

iOS IDN Spoofing Proof of Concept
• www.apple夆.com
• www.xn--apple-c94i.com (Punycode)


Mobile Safari:




Opera Mini:


Another Neat Trick.. Dot.. Dot.. Dot..
• So I was at a restaurant and scanned the QR code on a bottle of
  ketchup with an iPhone.

We can register one domain and spoof everything!
• 夆.夆.夆.夆.夆夆.com
• xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrsa.com
• www.microsoft.co.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrsa.com

iOS Fix?
• Apple provides a mechanism for preventing native IDN display
  with undesirable character sets
• So let’s just remove “Han” from the white list file… oh wait

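The address-bar display policy the "Today" slide describes, written out as an added example (this is not code from the deck or from any browser): each Punycode label is decoded, its characters are classified by script, and the host is shown in Unicode only when no label mixes scripts or carries combining marks; otherwise the whole host falls back to Punycode. The labels exercised are the deck's own; the block table, the rule set and the "Unknown" fallback are simplifications constructed for this example.

```python
import unicodedata

# Approximate script classification by Unicode block. Constructed for this
# example: the real Unicode Script property covers far more ranges, so any
# letter outside these blocks is reported as "Unknown" and fails the policy.
SCRIPT_BLOCKS = (
    ("Latin", 0x0041, 0x005A), ("Latin", 0x0061, 0x007A),
    ("Latin", 0x00C0, 0x024F), ("Latin", 0x1E00, 0x1EFF),
    ("Greek", 0x0370, 0x03FF),
    ("Cyrillic", 0x0400, 0x04FF),
    ("Han", 0x3400, 0x4DBF), ("Han", 0x4E00, 0x9FFF),
)


def script_of(ch):
    """Approximate script of one character: "Common", "Inherited", a script name, or "Unknown"."""
    if ch == "-" or (ch.isascii() and ch.isdigit()):
        return "Common"
    if unicodedata.category(ch) in ("Mn", "Mc", "Me"):
        return "Inherited"  # combining marks attach to whatever letter precedes them
    cp = ord(ch)
    for name, lo, hi in SCRIPT_BLOCKS:
        if lo <= cp <= hi:
            return name
    return "Unknown"


def decode_label(label):
    """Punycode label ("xn--...") -> Unicode; any other label is returned unchanged."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def encode_label(label):
    """Unicode label -> Punycode ("xn--..."); pure-ASCII labels are returned unchanged."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def label_problems(label):
    """Policy violations for one decoded label; an empty list means it may be shown natively."""
    problems = []
    scripts = {script_of(c) for c in label}
    if "Inherited" in scripts:
        # "sy" + U+0332 and "micro" + U+0326 / U+0324: marks a font may not render
        problems.append("combining mark")
    if "Unknown" in scripts:
        problems.append("unclassified character")
    real = scripts - {"Common", "Inherited", "Unknown"}
    if len(real) > 1:
        # Cyrillic es/o inside "microsoft", or Han 夆 appended to "apple"
        problems.append("mixed scripts: " + ", ".join(sorted(real)))
    return problems


def display_hostname(hostname):
    """Return (form to show in the address bar, list of problems found).

    Every label is decoded and checked on its own. If all labels pass, the
    Unicode form is shown; otherwise the whole host is shown in Punycode so
    the oddity stays visible to the user.
    """
    labels = [decode_label(l) for l in hostname.split(".")]
    problems = [p for l in labels for p in label_problems(l)]
    if problems:
        return ".".join(encode_label(l) for l in labels), problems
    return ".".join(labels), problems


if __name__ == "__main__":
    # Hosts from the deck. Two of them pass: sỵmantec is Latin throughout, and
    # 夆 is a single-script label, so a per-script policy alone does not stop them.
    for host in ("xn--smantec-h64c.com", "xn--symantec-rcf.com",
                 "xn--microsoft-msft.com", "www.xn--apple-c94i.com",
                 "xn--rrs.xn--rrs.com"):
        print(host, "->", display_hostname(host))
```

The two hosts that pass are the instructive ones: a script policy cannot tell a dotted Latin y from a plain one, and it cannot know that a device has no glyph for a permitted Han character.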
QR Codes
Let me show you my QR codes

Combining Homograph Attack with QR Codes
• Replace legit QR code with malicious QR code
• Victim scans malicious QR code and browser is redirected to
  attacker’s URL
• Attacker’s server examines user agent header
• If it is not a vulnerable device, forward them to a legitimate site
• Otherwise, spoof the domain and capture info (PROFIT!!!)

american.xn--redcross-vr0o.com
american.redcross夆.com

Web Application Vulnerabilities
Arbitrary URL Redirection

Arbitrary URL Redirection
• A common web application vulnerability which can be used to coerce victims into clicking a malicious link
• http://<target site>/redirect?url=http://<attacker’s site>
• Because the host name in the URI is legitimate, it should pass the trust test
• OWASP refers to this vulnerability as “Open redirect”
• The difficulty in using this as an exploit is in hiding the true nature of the URL: that it’s directing you to somewhere bad




https://www.owasp.org/index.php/Open_redirect

URL Redirection with Percent Encoding Obfuscation
Before:
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://evilhost.com
After:
• http://ourcompany.com/wordpress/wp-login.php?%72%65%64%69%72%65%63%74%5F%74%6F=%68%74%74%70%3A%2F%2F%65%76%69%6C%68%6F%73%74%2E%63%6F%6D#501_Table_Integrity_Error_in_SQL_Notify_Administrator

URL Redirection with IDN Spoofing
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompanỵ.com/wordpress/main
Or if targeting iPhone readers:
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompany.com.xn--ourcompany-wr7r.com/wordpress/main
(xn--ourcompany-wr7r.com = ourcompany夆.com)

URL Redirection Triple Threat
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompany.com〳error-%61%2E%78%6E%2D%2D%6F%75%72%63%6F%6D%70%61%6E%79%2D%77%72%37%72%2E%63%6F%6D#501_SQL_Encoding_Error
• This is the redirection target:
• http://ourcompany.xn--comerror-a-3w3i.xn--ourcompany-wr7r.com/
• Use TinyURL to wrap it all up into a nice gift

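A server-side check for the redirect_to parameter used across the three redirection slides, as an added example (not WordPress code and not the deck's own): it decodes the parameter the way the server does, so the percent-encoded name and value collapse back to redirect_to=http://evilhost.com, then accepts only a same-site path or an exact allow-listed host, which refuses the lookalike hosts above. The allow-list, the default target and the request URLs in the test are constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed for this example: the only host the login page may redirect to,
# and where to send the user when redirect_to is missing or rejected.
ALLOWED_HOSTS = {"ourcompany.com"}
DEFAULT_TARGET = "/wordpress/"


def extract_redirect(request_url, param="redirect_to"):
    """Return the redirect_to value exactly as the server sees it, or None.

    parse_qs percent-decodes parameter names as well as values, so the
    obfuscated %72%65%64...=%68%74%74%70... form collapses back to
    redirect_to=http://evilhost.com. The #fragment decoy is never sent by
    the browser, and urlsplit keeps it out of the query here as well.
    """
    values = parse_qs(urlsplit(request_url).query).get(param)
    return values[0] if values else None


def is_safe_target(target, allowed_hosts=ALLOWED_HOSTS):
    """Accept only a same-site path or an absolute URL on an allow-listed host."""
    if not target:
        return False
    # Browsers treat "\" like "/", so "/\evilhost.com" would parse as a
    # relative path here but navigate to //evilhost.com; normalise first.
    target = target.replace("\\", "/")
    # Control characters and whitespace are refused outright.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Relative URL: a path on this site, but never scheme-relative "//host".
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    # Exact match only, no suffix or prefix logic: ourcompanỵ.com,
    # ourcompany.com.xn--ourcompany-wr7r.com and the 〳 variant all differ
    # from "ourcompany.com" and are refused.
    return parts.hostname in allowed_hosts


def resolve_redirect(request_url, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Where the login page should send the user after authentication."""
    target = extract_redirect(request_url)
    return target if is_safe_target(target, allowed_hosts) else default
```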
Web Application Vulnerabilities
Cross-Site Scripting

Cross-Site Scripting (XSS)

Cross-Site Scripting Attack Vectors
Old School:
• Capture session identifiers to hijack session
Middle School:
• Capture keystrokes to steal valid credentials and sensitive
  information
Cool School:
• Compromise a fully patched and secured host

BeEF Demonstration
• Leverage cross-site scripting to log keystrokes on an iPhone

BeEF Details
• Included in BackTrack
• Works best when used with a persistent cross-site scripting
  vulnerability
• BeEF is a good resource to demonstrate bad things you can do
  with JavaScript
• Useful as a proof of concept tool

Social Engineering Toolkit

Social Engineering Toolkit (SET)
• One of the best ways to remotely compromise a fully patched,
  fully protected host
• The Java Applet web attack vector will get through just about
  anything
• Set up a SET listener on an external host
• Send the victim a URL redirect / put the link on Twitter or Facebook
• Use with XSS

Mega Demo
• Leveraging everything we’ve learned
• Persistent XSS redirects user to WordPress login – steals credentials with keystroke logger
• WordPress site then redirects to SET Java applet page
• SET host has an IDN hostname
• Windows 7 host is compromised

Tools Used

Thank you!
matt_cooley@symantec.com

http://www.symantec.com/connect/symantec-blogs/the-security-advisor

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

 

Web Application Social Engineering Vulnerabilities

9. Homograph Attacks – A Brief History

2002 – Paper by Gabrilovich and Gontmakher
• Revealed that it was possible to register a domain containing non-Latin characters which would appear indistinguishable from a legitimate domain name.

microsoft.com (authentic)
miсrоsоft.com (Cyrillic letters ‘с’ and ‘о’ in place of Latin ‘c’ and ‘o’)
• с = Unicode Character 'CYRILLIC SMALL LETTER ES' (U+0441)
• о = Unicode Character 'CYRILLIC SMALL LETTER O' (U+043E)
http://www.cs.technion.ac.il/~gabr/papers/homograph.html

10. Web Browsers Were Fixed.. Kinda

2005 – Shmoo Group revisits homograph attacks
• Found that homograph attack prevention in browsers was applied inconsistently and that spoofing issues could be exploited in Firefox, Safari, and Opera

www.paypal.com (the real site)
• a = Unicode Character 'LATIN SMALL LETTER A' (U+0061)
www.pаypal.com (Shmoo’s site)
• а = Unicode Character 'CYRILLIC SMALL LETTER A' (U+0430)
http://www.shmoo.com/idn/homograph.txt

11. Still not fixed

2009 – Chris Weber discloses an IDN spoofing issue in Safari
https://www.owasp.org/images/5/5a/Unicode_Transformations_Finding_Elusive_Vulnerabilities-Chris_Weber.pdf
http://support.apple.com/kb/ht3733

12. Today
• All popular browsers implement their own policies for how IDNs should be displayed in the address bar
• If a Unicode IDN doesn’t pass the browser’s policy for display, it is displayed in Punycode (the xn-- form), which should raise suspicion
• Safari and mobile Safari have more permissive rules than Chrome, Firefox and Internet Explorer
http://www.idnnews.com/?p=8760

13. These are all the same domain (screenshots of the address bar in each browser)
• Chrome 14.0, Windows
• Firefox 7.0, Windows
• Internet Explorer 9.0, Windows
• Android 2.2
• Safari 5.1, Windows
• Safari 5.0.2, iPhone
• Opera Mini 6.0, iPhone
14. Safari’s IDN Handling Policy
• There is a white list file containing the permitted IDN character sets (scripts). It is up to the user to maintain the list
• /System/Library/Frameworks/WebKit.framework/Versions/A/Resources/IDNScriptWhiteList.txt
• C:\Program Files\Safari\Safari.resources\IDNScriptWhiteList.txt
http://support.apple.com/kb/TA22996

15. Safari’s White List
# Default Web Kit International Domain Name Script White List.
The default file lists the following scripts: Common, Inherited, Arabic, Armenian, Bopomofo, Canadian_Aboriginal, Devanagari, Deseret, Gujarati, Gurmukhi, Hangul, Han, Hebrew, Hiragana, Katakana_Or_Hiragana, Katakana, Latin, Tamil, Thai, Yi

16. Safari has the Weakest IDN Spoofing Protection Policy
• So let’s attack Safari
17. My first attempt
• sỵmantec.com
• xn--smantec-h64c.com (Punycode)
• ỵ = U+1EF5 “LATIN SMALL LETTER Y WITH DOT BELOW”

18. Somewhat Convincing Spoof in both Punycode and Native Character Formats
• xn--microsoft-msft.com (Punycode)
• micro̦so̤ft.com
• Instead of gibberish in the Punycode format, the text “msft” is used (stock symbol for Microsoft)
• If the victim opens the URL in a browser that shows Punycode, they will see xn--microsoft-msft.com; otherwise they will see micro̦so̤ft.com (screenshots of both)

19. Hmm.. This is interesting
• sy̲mantec.com
• xn--symantec-rcf.com (Punycode)
• ̲ = U+0332 “COMBINING LOW LINE”
• Safari on Windows 7: the underline doesn’t display (screenshot). Achievement unlocked!

20. A fix?
• Removing “Latin” from the Safari IDN white list causes the spoofed name to be shown in Punycode instead of native characters (before and after screenshots)
21. IDN Spoofing on iOS Devices
The following Unicode characters are not displayable on iOS devices, but can be registered within an IDN:
• 夆 U+5906
• 悞 U+609E
• 暵 U+66B5
• 煒 U+7152
• 譿 U+8B7F
• 驊 U+9A4A
Bonus: They are allowed by Safari’s default white list (Han)

22. iOS IDN Spoofing Proof of Concept
• www.apple夆.com
• www.xn--apple-c94i.com (Punycode)
(screenshots: Mobile Safari, Opera Mini)

23. Another Neat Trick.. Dot.. Dot.. Dot..
• So I was at a restaurant and scanned the QR code on a bottle of ketchup with an iPhone.

24. We can register one domain and spoof everything!
• 夆.夆.夆.夆.夆夆.com
• xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrsa.com
• www.microsoft.co.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrs.xn--rrsa.com
• Because 夆 is not displayed on iOS (slide 21), the registered domain 夆夆.com and its 夆 subdomains render as little more than dots, so any host name can be put in front of them

25. iOS Fix?
• Apple provides a mechanism for preventing native IDN display with undesirable character sets
• So let’s just remove “Han” from the white list file… oh wait
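The checks below are an added example, not code from the deck, and implement in Python what slides 12 through 25 describe: convert a host name to the Punycode form a browser falls back to, flag labels that mix scripts, carry combining marks or reduce to an ASCII look-alike, and show which registered domain actually owns a long chain of invisible-character subdomains. The script ranges, the Cyrillic look-alike subset and the last-two-labels rule are simplifying assumptions; they are not a full Unicode Script property or Public Suffix List implementation.

```python
import unicodedata

# Approximate script identification by Unicode block. Python's unicodedata
# exposes no Script property, so this is an assumption that covers only the
# scripts appearing in the examples above (Latin, Greek, Cyrillic, Han).
SCRIPT_RANGES = (
    ("Common", 0x002D, 0x002D),   # hyphen
    ("Common", 0x0030, 0x0039),   # digits
    ("Latin", 0x0041, 0x024F),
    ("Latin", 0x1E00, 0x1EFF),    # Latin Extended Additional, e.g. U+1EF5
    ("Greek", 0x0370, 0x03FF),
    ("Cyrillic", 0x0400, 0x04FF),
    ("Han", 0x4E00, 0x9FFF),
)

# Hand-picked Cyrillic letters that render like Latin ones (assumption: a small
# illustrative subset of the Unicode confusables data, not the full table).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0458": "j", "\u0455": "s",
}


def script_of(ch: str) -> str:
    cp = ord(ch)
    for name, lo, hi in SCRIPT_RANGES:
        if lo <= cp <= hi:
            return name
    return "Other"


def to_ace(hostname: str) -> str:
    """ASCII-compatible (Punycode) form: what a browser shows when the name
    fails its display policy."""
    return hostname.encode("idna").decode("ascii")


def skeleton(label: str) -> str:
    """Decompose, drop combining marks, map look-alike letters to Latin."""
    decomposed = unicodedata.normalize("NFKD", label)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in base)


def label_findings(label: str) -> list:
    """Reasons a single label looks like a homograph; empty for plain ASCII."""
    findings = []
    if label.isascii():
        return findings
    scripts = {script_of(c) for c in label if not unicodedata.combining(c)}
    scripts.discard("Common")
    if len(scripts) > 1:
        findings.append("mixed scripts: " + ", ".join(sorted(scripts)))
    marks = [c for c in label if unicodedata.combining(c)]
    if marks:
        findings.append("combining marks: " + ", ".join("U+%04X" % ord(c) for c in marks))
    ascii_like = skeleton(label)
    if ascii_like.isascii() and ascii_like != label:
        findings.append("looks like ASCII %r" % ascii_like)
    return findings


def registrable_domain(ace_hostname: str) -> str:
    """Naive last-two-labels rule (assumption: ignores the Public Suffix List)."""
    return ".".join(ace_hostname.split(".")[-2:])


def inspect_hostname(hostname: str) -> dict:
    ace = to_ace(hostname)
    return {
        "ace": ace,
        "registrable": registrable_domain(ace),
        "labels": {label: label_findings(label) for label in hostname.split(".")},
    }


if __name__ == "__main__":
    # Host names taken from the slides above.
    for name in ("microsoft.com", "mi\u0441r\u043es\u043eft.com", "s\u1ef5mantec.com",
                 "sy\u0332mantec.com", "www.apple\u5906.com",
                 "www.microsoft.co.\u5906.\u5906.\u5906.\u5906.\u5906.\u5906.\u5906\u5906.com"):
        print(name, inspect_hostname(name))
```

The Punycode strings come out of the standard library's idna codec and match the ones on slides 17, 19, 22 and 24; the findings are what a mail gateway or proxy could log before a user ever sees the native form.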
26. QR Codes
Let me show you my QR codes (slide 27: QR code image)

28. Combining Homograph Attack with QR Codes
• Replace a legitimate QR code with a malicious QR code
• Victim scans the malicious QR code and the browser is sent to the attacker’s URL
• Attacker’s server examines the User-Agent header
• If it is not a vulnerable device, forward the victim to a legitimate site
• Otherwise, spoof the domain and capture info (PROFIT!!!)
30. Web Application Vulnerabilities: Arbitrary URL Redirection

31. Arbitrary URL Redirection
• A common web application vulnerability which can be used to coerce victims into clicking a malicious link
• http://<target site>/redirect?url=http://<attacker’s site>
• Because the host name in the URI is legitimate, it should pass the victim’s trust test
• OWASP refers to this vulnerability as “Open redirect”
• The difficulty in using this as an exploit is in hiding the true nature of the URL: that it’s directing you to somewhere bad
https://www.owasp.org/index.php/Open_redirect

32. URL Redirection with Percent Encoding Obfuscation
Before:
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://evilhost.com
After (the parameter name and value are percent-encoded, and a reassuring fragment is appended):
• http://ourcompany.com/wordpress/wp-login.php?%72%65%64%69%72%65%63%74%5F%74%6F=%68%74%74%70%3A%2F%2F%65%76%69%6C%68%6F%73%74%2E%63%6F%6D#501_Table_Integrity_Error_in_SQL_Notify_Administrator

33. URL Redirection with IDN Spoofing
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompanỵ.com/wordpress/main
Or if targeting iPhone readers:
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompany.com.xn--ourcompany-wr7r.com/wordpress/main
(xn--ourcompany-wr7r.com = ourcompany夆.com)

34. URL Redirection Triple Threat
• http://ourcompany.com/wordpress/wp-login.php?redirect_to=http://ourcompany.com〳error-%61%2E%78%6E%2D%2D%6F%75%72%63%6F%6D%70%61%6E%79%2D%77%72%37%72%2E%63%6F%6D#501_SQL_Encoding_Error
• This is the redirection target:
• http://ourcompany.xn--comerror-a-3w3i.xn--ourcompany-wr7r.com/
• Use TinyURL to wrap it all up into a nice gift
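As an added example (not code from the deck), the following Python contrasts a redirect handler that trusts redirect_to the way the login page on slides 31 to 34 does with a hardened version that only follows targets whose host, after IDNA conversion, is exactly ours. The host name ourcompany.com and the function names are assumptions; the sample URLs are the ones shown on the preceding slides.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

OUR_HOST = "ourcompany.com"   # assumption: the host that serves wp-login.php

# Login URLs as written on slides 32, 33 and 34.
SLIDE32_URL = ("http://ourcompany.com/wordpress/wp-login.php?"
               "%72%65%64%69%72%65%63%74%5F%74%6F="
               "%68%74%74%70%3A%2F%2F%65%76%69%6C%68%6F%73%74%2E%63%6F%6D"
               "#501_Table_Integrity_Error_in_SQL_Notify_Administrator")
SLIDE33_IDN = "http://ourcompan\u1ef5.com/wordpress/main"
SLIDE33_IOS = "http://ourcompany.com.xn--ourcompany-wr7r.com/wordpress/main"
SLIDE34_URL = ("http://ourcompany.com/wordpress/wp-login.php?redirect_to="
               "http://ourcompany.com\u3033error-%61%2E%78%6E%2D%2D%6F%75%72%63"
               "%6F%6D%70%61%6E%79%2D%77%72%37%72%2E%63%6F%6D#501_SQL_Encoding_Error")


def redirect_param(login_url: str) -> Optional[str]:
    """What the login page sees. parse_qs percent-decodes parameter names as
    well as values, so the obfuscated query from slide 32 yields exactly
    redirect_to=http://evilhost.com."""
    values = parse_qs(urlsplit(login_url).query).get("redirect_to")
    return values[0] if values else None


def vulnerable_location(login_url: str) -> Optional[str]:
    """Vulnerable behaviour: whatever redirect_to says becomes the Location header."""
    return redirect_param(login_url)


def ace_host(host: str) -> Optional[str]:
    """Lower-cased ASCII-compatible form of a host, or None if IDNA rejects it."""
    try:
        return host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None


def safe_redirect_target(target: Optional[str], our_host: str = OUR_HOST,
                         fallback: str = "/") -> str:
    """Hardened behaviour: follow target only if it stays on our_host."""
    if not target:
        return fallback
    try:
        parts = urlsplit(target)
    except ValueError:            # malformed netloc (unusual Unicode etc.)
        return fallback
    if parts.scheme and parts.scheme not in ("http", "https"):
        return fallback           # javascript:, data:, ...
    if parts.netloc:
        # Exact comparison of the IDNA form. A suffix or substring check would
        # accept ourcompany.com.xn--ourcompany-wr7r.com from slide 33.
        if ace_host(parts.hostname or "") != ace_host(our_host):
            return fallback
        return urlunsplit((parts.scheme or "https", our_host,
                           parts.path or "/", parts.query, ""))
    path = parts.path
    # Browsers treat //host and /\host as scheme-relative URLs, not local paths.
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        return fallback
    return urlunsplit(("", "", path, parts.query, ""))


def login_redirect(login_url: str) -> str:
    """Drop-in for the login page: parse redirect_to, then validate it."""
    return safe_redirect_target(redirect_param(login_url))


if __name__ == "__main__":
    for url in (SLIDE32_URL, SLIDE34_URL):
        print("vulnerable ->", vulnerable_location(url))
        print("hardened   ->", login_redirect(url))
```

Two points the slides make are visible in the code: percent-encoding hides nothing from the server, because the query is decoded before the handler sees it, and the only robust check is an exact comparison of the target host in its ASCII form, since both the ỵ and the 夆 variants differ from ourcompany.com once encoded, whereas a "contains ourcompany.com" or "ends with .com" test would pass them.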
35. Web Application Vulnerabilities: Cross-Site Scripting

36. Cross-Site Scripting (XSS)

37. Cross-Site Scripting Attack Vectors
Old School:
• Capture session identifiers to hijack the session
Middle School:
• Capture keystrokes to steal valid credentials and sensitive information
Cool School:
• Compromise a fully patched and secured host

38. BeEF Demonstration
• Leverage cross-site scripting to log keystrokes on an iPhone

39. BeEF Details
• Included in BackTrack
• Works best when used with a persistent cross-site scripting vulnerability
• BeEF is a good resource to demonstrate bad things you can do with JavaScript
• Useful as a proof of concept tool
40. Social Engineering Toolkit

41. Social Engineering Toolkit (SET)
• One of the best ways to remotely compromise a fully patched, fully protected host
• The Java Applet web attack vector will get through just about anything
• Set up a SET listener on an external host
• Send the victim a URL redirect, or put the link on Twitter or Facebook
• Use with XSS

42. Mega Demo
• Leveraging everything we’ve learned
• Persistent XSS redirects the user to the WordPress login, which steals credentials with a keystroke logger
• The WordPress site then redirects to the SET Java applet page
• The SET host has an IDN host name
• A Windows 7 host is compromised

43. Tools Used (image)

44. Thank you!
matt_cooley@symantec.com
http://www.symantec.com/connect/symantec-blogs/the-security-advisor
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
