MITM Attacks on HTTPS: Another Perspective

The document provides an overview of web application security topics like SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), file inclusion, and tools/techniques for exploiting vulnerabilities. It discusses basic web communication, HTTP methods, response codes, URLs, database communication. It also covers setting up a Kali Linux environment, Firefox plugins, exploiting XSS vulnerabilities, defending against attacks, and includes exercises on vulnerable web apps.

video demos: http://whitehatsec.com/home/assets/videos/Top10WebHacks_Webinar031711.zip Many notable and new Web hacking techniques were revealed in 2010. During this presentation, Jeremiah Grossman will describe the technical details of the top hacks from 2010, as well as some of the prevalent security issues emerging in 2011. Attendees will be treated to a step-by-step guided tour of the newest threats targeting today's corporate websites and enterprise users. The top attacks in 2010 include: • 'Padding Oracle' Crypto Attack • Evercookie • Hacking Auto-Complete • Attacking HTTPS with Cache Injection • Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution • Universal XSS in IE8 • HTTP POST DoS • JavaSnoop • CSS History Hack In Firefox Without JavaScript for Intranet Portscanning • Java Applet DNS Rebinding Mr. Grossman will then briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, and what preventative measures can be taken. With that knowledge, he will strategize what defensive solutions will have the most impact.

Given at black hat and DEF CON 2010 by Wayne Huang and team. https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Huang DRIVESPLOIT: CIRCUMVENTING BOTH AUTOMATED AND MANUAL DRIVE-BY-DOWNLOAD DETECTION This year saw the biggest news in Web security ever--Operation Aurora, which aimed at stealing source code and other intellectual properties and succeeded with more than 30 companies, including Google. Incidence response showed that the operation involved an IE 0-day drive-by-download, resulting in Google's compromise and leak of source code to jump points in Taiwan. The US Government is so concerned that they issued a demarche to the Chinese government. Using real, live examples, we will show how easy it is to exploit injection-based, XSS-based, and CSRF-based vulnerabilities in FaceBook, Google, Digg, LinkedIn, and other popular websites, and inject drive-by downloads. If drive-bys are so easy to inject into high-traffic websites, then the question becomes, how easy it is to make them undetectable by automated malware scanning services (such as Google's) and by human manual inspection? We will demonstrate how easy it is to defeat automated detection mechanisms and overview commonly used techniques. We will reveal for the first time, in this conference, some very advanced techniques that are almost impossible to overcome by automated analysis in the past, now, and in the future. We will release Drivesploit, a drive-by download exploit framework implemented on top of Metasploit. We will go into depth on two particular techniques supported by Drivesploit's a) javascript obfuscation based on behavior-based fingerprinting, and b) javascript timelock puzzles. We will have live demos to show how this technique easily defeats both automated AND manual detection. At the very beginning of our talk, we will be giving out a digg.com page, which we have infected with a drive-by download created with Drivesploit. Visiting this page with the right browser will trigger the exploit and download a malware that steals browser cookie files. The whole process will be undetectable by antivirus. The actual javascript drive-by code contains a secret phrase. We will give out an ipad to whomever from the audience that is able to correctly deobfuscate the javascript and give out the secret phrase. Finally, we will present case studies on systems and processes that the largest organizations have put in place in order to fight against Web-based malware. We will also present case studies of our incidence response efforts with organizations hit by Web malware injections such as Google's aurora incident. Based in Taiwan, Co-speaker Wayne has been personally involved in such incidence response efforts since the late 90's. All source codes related to POC exploits against FaceBook, Google, Digg, LinkedIn, etc, as well as source code of Drivesploit, will be released as open source at the conference. Attendees will gain the following: 1. Understanding of drive-by downloads and associated terminologies. 2. Information about various drive-by download infection vectors. 3. Appreciation of tools helpful for drive-by analysis, including Malzilla, spikermonkey, rhino, burp and wepawet 4. Realize why drive-by downloads are hard to analyze and detect. Why antivirus fail, why behavior-based approaches fail, and why even manual efforts are difficult 5. Learning the Drivesploit framework and how it can be used to develop poc drive-bys 6. Learning two new deadly techniques: behavior-based browser finterprinting and javascript timelock puzzles 7. Learning how to implement above two using Drivesploit to defeat both automated and manual drive-by analysis 8. Knowledge about the available countermeasures to this threat

This presentations is about pentesting AEM web applications. It have been shown on PHDays security conference.

Major news in the month included unrest in Turkey and a coup in Thailand. Ebay was hacked and fake user databases were sold. The USA charged five Chinese nationals with cyber espionage. Memory issues caused failures in an air traffic control system. Interesting tools released included ones for bypassing two-factor authentication and exploiting ad networks. Heartbleed continued to be analyzed and disclosed vulnerabilities in certificate authorities.

The document discusses security challenges with service-oriented architectures (SOA) and web services. It introduces SOA, web services, and web 2.0, and describes the growing adoption of these technologies. It then presents the XML/SOA threat model, which includes payload/content threats that target back-end systems or end users, XML misuse/abuse through injection and structure manipulation attacks, and infrastructure attacks. Examples of specific attacks are provided like SQL injection, XML entity expansion attacks, and denial of service attacks.

Conference: InsomniHack (21 March 2014) Talk speakers: Michele Orru (@antisnatchor) Krzysztof Kotowicz (@kkotowicz) Talk abstract: A bag of fresh and juicy 0days is certainly something you would love to get as a Christmas present, but it would probably be just a dream you had one of those drunken nights. Hold on! Not all is lost! There is still hope for pwning targets without 0days. We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system. The talk will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc. We'll delve into Chrome and Firefox extensions (automating various repetitive actions that you'll likely perform in your engagements), HTML applications, abusing User Interface expectations, (Open)Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient. You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, then this talk is for you.

Presented on Hacktivity 2018 conference - https://www.hacktivity.com/bug-hunting-adobe-experience-manage.

This document introduces Web Application Firewall (WAF) and discusses techniques for bypassing WAF protections, including SQL injection, cross-site scripting, file inclusion, HTTP parameter contamination, and HTTP pollution attacks. It provides examples of bypassing specific WAF vendors and open source WAFs like ModSecurity and PHPIDS. While WAFs can block some attacks, the document argues they cannot eliminate all vulnerabilities and proper secure coding is still needed. It concludes that WAFs may succeed or fail depending on configurations and imaginative attacks.

http://www.powerofcommunity.net/pastcon_2008.html & http://xcon.xfocus.org/XCon2008/index.html The Same Origin Policy is the most talked about security policy which relates to web applications, it is the constraint within browsers that ideally stops active content from different origins arbitrarily communicating with each other. This policy has given rise to the class of bugs known as Cross-Site Scripting (XSS) vulnerabilities, though a more accurate term is usually JavaScript injection, where the ability to force an application to echo crafted data gives an attacker the ability to execute JavaScript within the context of the vulnerable origin. This talk takes the view that the biggest weakness with the Same Origin Policy is that it must be implemented by every component of the browser independently, and if any component implements it differently to other components then the security posture of the browser is altered. As such this talk will examine how the 'Same Origin Policy' is implemented in different circumstances, especially in active content, and where the Same Origin Policy is not really enforced at all.

This document summarizes security issues with JavaScript and discusses vulnerabilities like cross-site scripting (XSS) and cross-site request forgery (CSRF). It provides examples of how XSS can be used to steal cookies and hijack sessions. It also discusses challenges with securing JSON responses and preventing code injection attacks. Countermeasures discussed include escaping output, adding random tokens to forms, and using a secure comment syntax to wrap sensitive JSON responses.

It's time to deprecate JavaScript. It's security model and the language itself are appalling. As data moves into the cloud the JavaScript threat is increasing and I believe the only way to fix this is to start all over again. The 14 year old language and security model aren't up to today's threats.

Above are my slides I used during a workshop I conducted at the Moroccan Cyber Security Camp back in May 2017.

This document discusses how to defeat cross-site scripting (XSS) and cross-site request forgery (XSRF) when using JavaServer Faces (JSF) frameworks. It covers validating user input, encoding output, and protecting view states to prevent XSS, as well as configuring JSF implementations to protect against XSRF by encrypting view states and adding tokens to URLs. The presentation emphasizes testing validation, encoding, and protection in specific JSF implementations since behaviors can differ.

Contents : - Introduction - Description as A Widely Used Hacking Technique - How it is used in Hacking - What can be done with XSS #XSS, #Hacking, #Security, #CookieStealing, #InternetBug, #HTMLInjection Sincerely, Irfad Imtiaz

This document discusses using iframes, postMessage, and localStorage for communication in a sandboxed web application platform. It notes both advantages and disadvantages of iframes, describes how to securely communicate between iframes and different browser tabs or windows using postMessage, and explores strategies and considerations for using localStorage for communication.

This document discusses sandboxing untrusted JavaScript from third parties to improve security. It proposes a two-tier sandbox architecture that uses JavaScript libraries and wrappers, without requiring browser modifications. Untrusted code is executed in an isolated environment defined by policy code, and can only access approved APIs. This approach aims to mediate access between code and the browser securely and efficiently while maintaining compatibility with existing third-party scripts.

The document provides an analysis of HTTP security headers in Turkey. It begins with an outline that covers topics like web browsers and same-origin policy, the OWASP top 10 security risks, and various HTTP security headers like content security policy, X-XSS-Protection, and strict transport security. It then analyzes the implementation of security headers on the Alexa top 500 websites in Turkey and finds that adoption is still low. The document concludes with pointers to further resources for information on security headers.

The document discusses various web security topics such as cookies, same origin policy, cross-site scripting (XSS), and cross-site request forgery (CSRF). Cookies are used to maintain state in stateless HTTP and can be used for authentication. The same origin policy restricts how scripts from different origins can access each other's resources. XSS occurs when untrusted user input containing scripts is rendered without sanitization. CSRF tricks authenticated users into performing actions on a web site by submitting forged HTTP requests, leveraging the user's session to bypass CSRF protections.

HTML5 introduces significant changes for today\'s websites: new and updated tags, new functionality, better error handling and improved Document Object Model (DOM). However, the HTML5 new features come with new (application) security vulnerabilities. This presentation reviews the new attack vectors, associated risks and what a needs to be taken into consideration when implementing HTML5.

HTTP request smuggling involves sending malformed HTTP requests to exploit vulnerabilities in how devices handle requests. This allows an attacker to smuggle a request to one device without the other being aware. Key techniques include using multiple content-length headers, GET requests with content-length, and CRLF tricks to treat multiple requests as one. Prevention focuses on firewalls, terminating sessions after each request, disabling caching, and enforcing strict HTTP parsing.

HTTP request smuggling involves sending malformed HTTP requests to exploit vulnerabilities in how devices handle requests. This allows an attacker to smuggle a request to one device without the other being aware. Key techniques include using multiple content-length headers, GET requests with content-length, and CRLF tricks to treat multiple requests as one. Prevention focuses on firewalls, terminating sessions after each request, disabling caching, and enforcing strict HTTP parsing.

This talk is a generic but comprehensive overview of security mechanism, controls and potential attacks in modern browsers. The talk focuses also on new technologies, such as HTML5 and related APIs to highlight new attack scenario against browsers.

Same-origin policy is an important security concept of the modern browser languages like JavaScript but becomes an obstacle for developers when building complex client-side apps. Over time there have been lots of ingenious workarounds using JSON-P, IFRAME and proxies. As of January 2013 the well known Cross Origin Resource Sharing (CORS) comes as proposed standard by W3C and has now native support by all major browsers.

This document discusses various topics relating to web security, including: - The same origin policy which isolates scripts and resources from different origins to prevent access. - Cross-site scripting (XSS) which can occur when user inputs containing scripts are displayed on a webpage without sanitization, allowing attackers to execute scripts in a victim's browser. - How XSS was used in a worm on MySpace that infected many users by adding the attacker as a friend when their profile was visited. - The use of cookies by websites to maintain state in the stateless HTTP protocol and how session hijacking is a risk if cookies are stolen.

A Network application is an application running on one host and provides a communication to another application running on a different host. ▪ A network application development is writing programs that run on different end systems and communicate with each other over the network. ▪ In the Web application there are two different programs that communicate with each other: ✔ Browser program running in the user's host. ✔ Web server program running in the Web server host. Host Host 2 Network Applications - Examples ▪ Email ▪ Web ▪ Remote Login ▪ P2P File Sharing ▪ Multi-user Network Games ▪ Streaming Stored Video (YouTube) ▪ Voice Over IP (Skype) ▪ Real-time Video Conference ▪ Social Networking 3 Network Application Architecture 1. Client-Server architecture 2. P2P (Peer to Peer) architecture 4 1. Client-Server Architecture Client Server: ✔ Its always-on host. ✔ It has a fixed IP address. ✔ Large cluster of host – Data Centers. ✔ E.g. Web Server Client: ✔ It communicate with server. ✔ Its not like continuously connected. ✔ May have dynamic IP addresses. ✔ Do not communicate directly with each other. ✔ E.g. PCs, Mobiles Server 5 2. P2P Architecture Peer ▪ Peers (end systems) directly communicate. ▪ Get peers request service from other peers, provide service to other peers. ✔ Self Scalability – New peers bring new service capacity, as well as new service demands. ▪ Peers are alternatingly connected and change IP addresses. ✔ Complex management 6 Peer Peer Process Communicating ▪ What is Process? ▪ A process is an instance of a program running in a computer. ▪ We can say that process is program under execution. ▪ Within same host, two processes communicate using inter-process communication (IPC). ▪ Process in different hosts communicate by exchanging messages. ▪ Client process: A process that initiates communication. ▪ Server process: A process that waits to be contacted. Process P1 Process P2 7 Socket ▪ A process sends messages into, and receives messages from; the network through a software interface called a socket. ▪ A process is similar to a house and its socket is similar to its door. ✔ Sending process passes message out door. ✔ Sending process relies on transport infrastructure on other side of door to deliver message to socket at receiving process. Process application proce ss transport network link physical application proce ss transport network link physical socket controlled by app developer controlled by OS Internet Socket 8 Transport Services to Applications ▪ Recall that a socket is the interface between the application process and the transport layer protocol. ▪ For develop an application, choose available transport layer protocol. ▪ Pick the protocol with the services that best match the needs of your application.

The widespread demand for online privacy, also fueled by widely-publicized demonstrations of session hijacking attacks against popular websites (see Firesheep), has spearheaded the increasing deployment of HTTPS. However, many websites still avoid ubiquitous encryption due to performance or compatibility issues. The prevailing approach in these cases is to force critical functionality and sensitive data access over encrypted connections, while allowing more innocuous functionality to be accessed over HTTP. In practice, this approach is prone to flaws that can expose sensitive information or functionality to third parties. In this work, we conduct an in-depth assessment of a diverse set of major websites and explore what functionality and information is exposed to attackers that have hijacked a user's HTTP cookies. We identify a recurring pattern across websites with partially deployed HTTPS; service personalization inadvertently results in the exposure of private information. The separation of functionality across multiple cookies with different scopes and inter-dependencies further complicates matters, as imprecise access control renders restricted account functionality accessible to non-session cookies. Our cookie hijacking study reveals a number of severe flaws; attackers can obtain the user's home and work address and visited websites from Google, Bing and Baidu expose the user's complete search history, and Yahoo allows attackers to extract the contact list and send emails from the user's account. Furthermore, e-commerce vendors such as Amazon and Ebay expose the user's purchase history (partial and full respectively), and almost every website exposes the user's name and email address. Ad networks like Doubleclick can also reveal pages the user has visited. To fully evaluate the practicality and extent of cookie hijacking, we explore multiple aspects of the online ecosystem, including mobile apps, browser security mechanisms, extensions and search bars. To estimate the extent of the threat, we run IRB-approved measurements on a subset of our university's public wireless network for 30 days, and detect over 282K accounts exposing the cookies required for our hijacking attacks. We also explore how users can protect themselves and find that, while mechanisms such as the EFF's HTTPS Everywhere extension can reduce the attack surface, HTTP cookies are still regularly exposed. The privacy implications of these attacks become even more alarming when considering how they can be used to deanonymize Tor users. Our measurements suggest that a significant portion of Tor users may currently be vulnerable to cookie hijacking. (Source: Black Hat USA 2016, Las Vegas)

Top 10 Web Hacks Every year the number and creativity of Web hacks increases, and the damage from these attacks rises exponentially, costing organizations millions every year. Join this webinar to learn about the latest and most insidious Web-based attacks. The much anticipated list, now in its seventh year, represents exhaustive research conducted by a panel of experienced security industry professionals. Learn the latest of the worst in Web hacks, and how to protect your organization.

This document provides an overview and configuration instructions for F5 Networks' DDoS protection profile. It describes how the profile monitors traffic levels and latency to detect anomalies indicative of DDoS attacks. Upon detection, it can activate prevention policies like client-side integrity checks, CAPTCHAs, and request blocking to mitigate attacks. The profile analyzes traffic at the IP, geolocation, URL, and site-wide levels to determine the appropriate prevention response. It also details how the Proactive Bot Defense feature works to proactively challenge all clients.

This document discusses various topics related to web security, including: - Cross-site scripting (XSS) which occurs when untrusted user inputs containing scripts are displayed on a webpage without sanitization, allowing attackers to execute scripts in a victim's browser. - Cross-site request forgery (CSRF) which takes advantage of browsers automatically sending cookies for a website to that website, allowing an attacker to forge requests from a logged in user's browser without their knowledge. - The same-origin policy which aims to isolate scripts and resources from different web origins to prevent unauthorized access, but has limitations that can be exploited by XSS attacks. - Methods for preventing XSS like sanitizing untrusted inputs