
Top Ten Web Hacking Techniques of 2010

Top Ten Web Hacking Techniques of 2010. Ivan Marković, Senior Security Consultant, Network Security Solutions, Serbia, http://netsec.rs/


Presentation Transcript


  1. Top Ten Web Hacking Techniques of 2010 Ivan Marković Senior Security Consultant Network Security Solutions, Serbia http://netsec.rs/

  2. About us • Network Security Solutions is one of only a handful of companies in South East Europe whose primary business focus is security of information systems. Companies such as Microsoft have recognised the value of our experience and results, and have developed a partnership with us. • Research and Training • Tools recognized by OWASP and Backtrack

  3. About presentation • Why this theme? • Awareness and ideas • Selection methodology • Creativity and simplicity • Experience and research

  4. Summary • EverCookie • CSS History hack • New DDoS Tricks • Click Jacking • Browser Auto Complete • Plugins (Browser and Web apps) • XSS in IE XSS filter • CSRF (Cross Site Request Forgery) • HPP (HTTP Parameter Pollution) • Intranet hacking

  5. EverCookie • Virtually irrevocable persistent cookies - Samy Kamkar, http://samy.pl/evercookie/ • Storage mechanisms: - Standard HTTP Cookies - Local Shared Objects (Flash Cookies) - Silverlight Isolated Storage - Storing cookies in Web History - Storing cookies in HTTP ETags - Storing cookies in Web cache - window.name caching - Internet Explorer userData storage - HTML5 Session Storage, Local Storage, Global Storage, Database Storage via SQLite - Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out

  6. CSS History Hack • I know where you've been - Jeremiah Grossman, http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html • Cascading Style Sheets • document.defaultView.getComputedStyle

  7. New DDoS tricks • Slowloris - Robert Hansen, http://ha.ckers.org/slowloris/ - Keeps connections open by sending partial HTTP requests and sends headers at regular intervals to prevent the sockets from closing • Slow HTTP POST Attack - Onn Chee Wong, http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf - OSI Layer 7 - Content-Length: 1000 (bytes) / but send it 1 byte per 110 seconds

  8. New DDoS tricks • JavaScript LOIC - Low Orbit Ion Cannon - an open source network attack application, written in C# • HTML 5 WebWorkers and Cross Origin Requests - Lavakumar Kuppan, http://blog.andlabs.org/2010/12/performing-ddos-attacks-with-html5.html
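Both techniques on slide 7 hold a socket open with almost no traffic, so they can be recognised from per-connection progress rather than request volume. The sketch below is an added example, not code from the presentation; the thresholds, field names and connection snapshots are assumptions constructed for illustration.

```javascript
// Added example. Thresholds and connection records are assumptions made for
// illustration; tune them against real traffic before enforcing.
const LIMITS = { headerTimeoutSec: 10, bodyGraceSec: 5, minBodyBytesPerSec: 100 };

// conn: { id, ageSec, headersDoneAtSec (null while headers are incomplete),
//         contentLength, bodyBytes }
function classify(conn, limits = LIMITS) {
  if (conn.headersDoneAtSec === null) {
    // Slowloris pattern: the blank line ending the header block never arrives.
    return conn.ageSec > limits.headerTimeoutSec ? 'slow-headers' : 'ok';
  }
  const remaining = conn.contentLength - conn.bodyBytes;
  const bodyTime = conn.ageSec - conn.headersDoneAtSec;
  if (remaining <= 0 || bodyTime <= limits.bodyGraceSec) return 'ok';
  // Slow POST pattern: a declared body that trickles in below the floor.
  return conn.bodyBytes / bodyTime < limits.minBodyBytesPerSec ? 'slow-body' : 'ok';
}

// Seconds the sender would still hold the socket at its observed body rate.
function projectedHoldSec(conn) {
  const bodyTime = conn.ageSec - conn.headersDoneAtSec;
  if (conn.bodyBytes === 0) return Infinity;
  return Math.round((conn.contentLength - conn.bodyBytes) * bodyTime / conn.bodyBytes);
}

// Returns only the connections a server or proxy should time out.
function triage(conns, limits = LIMITS) {
  return conns
    .map((c) => ({ id: c.id, verdict: classify(c, limits) }))
    .filter((r) => r.verdict !== 'ok');
}

// Constructed snapshots of open connections on one listener.
const SNAPSHOT = [
  { id: 'c1', ageSec: 45, headersDoneAtSec: null, contentLength: 0, bodyBytes: 0 },
  // The slide's figures: Content-Length 1000, one byte every 110 seconds.
  { id: 'c2', ageSec: 331, headersDoneAtSec: 1, contentLength: 1000, bodyBytes: 3 },
  { id: 'c3', ageSec: 8, headersDoneAtSec: 0, contentLength: 50000, bodyBytes: 40000 },
  { id: 'c4', ageSec: 2, headersDoneAtSec: 1, contentLength: 0, bodyBytes: 0 },
];
console.log(triage(SNAPSHOT));
console.log('c2 would hold its socket for', projectedHoldSec(SNAPSHOT[1]), 'more seconds');
```

In production the same two limits are normally enforced by the web server or reverse proxy as a header timeout and a minimum request-body rate.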

  9. Click Jacking • also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page http://www.owasp.org/index.php/Clickjacking

  10. Click Jacking • http://www.sectheory.com/clickjacking.htm

  11. Browser Auto Complete • I want to know your name, who you work for, where you live, your email address ... - Jeremiah Grossman, http://jeremiahgrossman.blogspot.com/2010/08/breaking-browsers-hacking-auto-complete.html • Safari Address Book Autofill • Internet Explorer stealing previously entered data • Writing to auto complete • Read remembered passwords

  12. Browser Auto Complete • Safari Address Book Autofill

  13. Browser Auto Complete • Safari Address Book Autofill

  14. Browser Auto Complete • Safari Address Book Autofill <form> Name: <input type="text" name="name"> Company: <input type="text" name="company"> City: <input type="text" name="city"> State: <input type="text" name="state"> Country: <input type="text" name="country"> Email: <input type="text" name="email"> </form>

  15. Browser Auto Complete • I want to know your name, who you work for, where you live, your email address ... - Jeremiah Grossman, http://jeremiahgrossman.blogspot.com/2010/08/breaking-browsers-hacking-auto-complete.html • Safari Address Book Autofill • Internet Explorer stealing previously entered data • Writing to auto complete • Read remembered passwords with XSS

  16. Browser and Web app plugins • Browser plugins, http://research.zscaler.com/2011/02/browser-plugins-and-security.html • Security considerations: - see login/password credentials in clear text - send back the credentials to any website - modify the web pages seen by the user - add/delete/modify files on the computer - run executables

  17. Browser plugins • Malicious browser plugins examples: 2007: Firebug goes evil: http://www.gnucitizen.org/blog/firebug-goes-evil/ console.log({'<script>alert("bing!")</script>':'exploit'}) 2009: NoScript vs Adblock: http://www.informationweek.com/news/internet/browsers/showArticle.jhtml?articleID=217700105

  18. Browser plugins • Malicious browser plugins examples: 2010: TROJAN: http://blog.mozilla.com/addons/2010/02/04/please-read-security-issue-on-amo/ - Sothink Web Video Downloader / Win32.LdPinch.gen - Master Filer / Win32.Bifrose.32.Bifrose • Btw, how is the situation in the wild?

  19. Web app plugins • Web application plugins - Wordpress, Joomla, … http://secunia.com/advisories/search/?search=wordpress

  20. Web app plugins • Web application plugins - Wordpress, Joomla, … http://secunia.com/advisories/search/?search=joomla

  21. XSS in IE XSS Filter • Mistake by design, Eduardo Vela Nava and David Lindsay, http://p42.us/ie8xss/ Internet Explorer 8 implements an anti Cross-site Scripting (XSS) mechanism to detect certain types of XSS attacks. This feature can be abused by attackers in order to enable XSS on web sites and web pages that would otherwise be immune to XSS. For the most part, this neutering mechanism is effective at blocking certain types of XSS attacks from occurring. However, altering a server's response before it gets rendered by the browser may have unintended consequences.

  22. XSS in IE XSS Filter • Mistake by design, Eduardo Vela Nava and David Lindsay, http://p42.us/ie8xss/ Example: <img alt="[injection here]" src="x.png"> Injection string: x onload=alert(0) x <img alt="x onload=alert(0) x" src="x.png"> - will not execute the alert <img alt#"x onload=alert(0) x" src="x.png"> - will execute the alert

  23. Cross Site Request Forgery • CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated http://secunia.com/advisories/search/?search=Cross+Site+Request+Forgery&sort_by=date

  24. Cross Site Request Forgery • Facebook: http://www.john-jean.com/blog/advisories/facebook-csrf-and-xss-vulnerabilities-destructive-worms-on-a-social-network-350 • Twitter: http://techcrunch.com/2010/09/26/dont-click-the-wtf-link-on-twitter-unless-you-do-like-sex-with-goats

  25. HTTP Parameter Pollution • Stefano di Paola and Luca Carettoni, http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf • How does your application respond if it receives multiple parameters all with the same name? • Bypass firewall, Change application behaviour, …

  26. HTTP Parameter Pollution
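Slide 25's question has no single answer: depending on the stack, a repeated parameter resolves to its first value, its last value, or all values joined together, and a filter that reads one while the application reads another is what allows the bypass. The audit below is an added example, not code from the presentation; the function names and sample query strings are constructed for illustration.

```javascript
// Added example: function names and sample query strings are constructed.
// Returns, for every parameter name that occurs more than once, the value
// each common resolution policy would hand to the application.
function auditDuplicateParams(queryString) {
  // URLSearchParams percent-decodes names, so "%69d" and "id" collide here
  // exactly as they would in a decoding backend.
  const params = new URLSearchParams(queryString);
  const findings = [];
  for (const name of new Set(params.keys())) {
    const values = params.getAll(name);
    if (values.length < 2) continue;
    findings.push({
      name,
      values,
      firstWins: values[0],
      lastWins: values[values.length - 1],
      joined: values.join(','),
      // If all occurrences are identical, every policy agrees.
      ambiguous: new Set(values).size > 1,
    });
  }
  return findings;
}

// Strict policy for a gateway or input validator: refuse the request rather
// than guess which occurrence the backend will use. Names that are meant to
// repeat (multi-select fields) must be listed explicitly.
function validateQuery(queryString, allowRepeated = []) {
  const bad = auditDuplicateParams(queryString)
    .filter((f) => !allowRepeated.includes(f.name));
  return bad.length === 0
    ? { ok: true }
    : { ok: false, reason: 'duplicate parameter', names: bad.map((f) => f.name) };
}

// Constructed sample: a filter that inspects only the first "id" sees 10,
// while a last-wins backend acts on 99.
const sample = 'id=10&action=view&id=99';
console.log(auditDuplicateParams(sample));
console.log(validateQuery(sample));
console.log(validateQuery('tag=a&tag=b&page=2', ['tag']));
```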

  27. INTRANET Hacking • From Website to LAN • Browser plugins • Cross Site Request Forgery http://netsec.rs/31/huawei-hg510-multiple-vulnerabilities/494/ • CSS History Hack for Port Scanning (with and without JavaScript): http://ha.ckers.org/blog/20100125/css-history-hack-in-firefox-without-javascript-for-intranet-portscanning/

  28. INTRANET Hacking • From Website to LAN • Cross Site Request Forgery http://netsec.rs/31/huawei-hg510-multiple-vulnerabilities/494/

  29. INTRANET Hacking • From Website to LAN • Cross Site Request Forgery http://netsec.rs/31/huawei-hg510-multiple-vulnerabilities/494/ .: POC (CSRF / Change password) http://PUBLIC_IP_OF_USER/password.cgi?sysPassword=BASE64_NEW_PASSWORD .: POC (CSRF / DoS) http://PUBLIC_IP_OF_USER/rebootinfo.cgi
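Both URLs on slide 29 change device state through a plain GET that carries nothing the requesting page could not know in advance, which is the condition CSRF (slide 23) depends on. The guard below shows the server-side checks that close it; it is an added example, not the vendor's or the presenter's code, and the origin, token and request objects are constructed, with only the two route names taken from the slide.

```javascript
// Added example. Route names come from the slide; the origin, token and
// request objects are constructed for illustration.
const CONFIG = {
  origin: 'http://192.168.1.1',
  stateChanging: new Set(['/password.cgi', '/rebootinfo.cgi']),
};

// Constant-time string comparison (in Node, crypto.timingSafeEqual does the
// same job on Buffers).
function tokensMatch(given, expected) {
  if (typeof given !== 'string' || typeof expected !== 'string') return false;
  if (given.length === 0 || given.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= given.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// req: { method, path, headers, token }   session: { csrfToken } or null
function checkRequest(req, session, config = CONFIG) {
  if (!config.stateChanging.has(req.path)) return { allow: true };
  // 1. Links, images and redirects issue GET: never change state on it.
  if (req.method !== 'POST') {
    return { allow: false, status: 405, reason: 'state change requires POST' };
  }
  // 2. When the browser sends Origin, it must be the device's own UI.
  const origin = req.headers.origin;
  if (origin !== undefined && origin !== config.origin) {
    return { allow: false, status: 403, reason: 'cross-origin request' };
  }
  // 3. Per-session secret that a page on another site cannot read.
  if (!session || !tokensMatch(req.token, session.csrfToken)) {
    return { allow: false, status: 403, reason: 'missing or invalid CSRF token' };
  }
  return { allow: true };
}

// Constructed session and requests; a real token comes from a CSPRNG.
const session = { csrfToken: 'constructed-sample-token-0001' };
const samples = [
  { method: 'GET', path: '/password.cgi', headers: {} },
  { method: 'POST', path: '/rebootinfo.cgi', headers: { origin: 'http://other.example' } },
  { method: 'POST', path: '/password.cgi', headers: { origin: CONFIG.origin }, token: session.csrfToken },
];
for (const r of samples) console.log(r.method, r.path, checkRequest(r, session));
```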

  30. QUESTIONS? E-mail: ivan.markovic@netsec.rs

  31. THANKS! Ivan Marković, ivan.markovic@netsec.rs
