Ancient City Ruby: Hack me, if you can!

Konstantin Haase

April 06, 2014
Transcript

  1. Hack Me, If You Can
    Konstantin Haase
    @konstantinhaase

  2. Welcome to
    St. Augustine,
    the oldest city in
    America

  3. Three Things I’m good at
    •History
    •Geography
    •Telling people they are
    wrong

  4. | Region             | Settlement              | City                 | Still inhabited    | European                 | European, inhabited |
     |--------------------|-------------------------|----------------------|--------------------|--------------------------|---------------------|
     | America            | Puerto Hormiga, 4000 BC | Caral, 2627 BC       | Ticul, 700 BC      | Eystribyggð, 985         | Santo Domingo, 1498 |
     | North America      | Kaminaljuyu, 1500 BC    | Kaminaljuyu, 1500 BC | Ticul, 700 BC      | Eystribyggð, 985         | Santo Domingo, 1498 |
     | Mexico, US, Canada | Ticul, 700 BC           | Ticul, 700 BC        | Ticul, 700 BC      | L’Anse aux Meadows, 1003 | Veracruz, 1519      |
     | US                 | Cahokia, 650            | Cahokia, 650         | Acoma Pueblo, 1000 | San Juan, 1521           | San Juan, 1521      |
     | Continental US     | Cahokia, 650            | Cahokia, 650         | Acoma Pueblo, 1000 | Pensacola, 1559          | Pensacola, 1559     |

  5. XSS
    Cross Site Scripting

  6. sanitize all user input

  7. Content-Security-Policy
    default-src 'self';
    script-src 'self' https://apis.google.com;
    report-uri https://example.com/csp

  8. CSRF
    Cross Site Request Forgery

  9. Is this awesome, y/n?

  10. all requests include a
    session cookie

  11. embed URL as image

  12. PUT /
    PUT /
    Repeatable! :)
    State change! :(
    Deterministic! :)
    https://speakerdeck.com/rkh/we-dont-know-http

  13. “safe” HTTP methods should
    never change resource state

  14. submit a hidden form

  15. HTTP/1.1 200 OK
    Content-Type: text/html
    Set-Cookie: csrf_token=XXX
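Slides 10 through 15 sketch the defence in three steps: the browser attaches the session cookie to every request, so "safe" methods must never change state; state changes happen only on non-safe methods; and those must carry a token that the attacker's page cannot read (here handed out in a cookie, as on slide 15, and echoed back by the app's own form). The Ruby below is an added example, not code from the talk or from the speaker's projects. The hash-shaped `request`, the `handle` toy app and the function names are assumptions made for this demo.

```ruby
require "securerandom"

# Methods that must never change resource state, so there is nothing to forge.
SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# Token the app sends in a cookie (Set-Cookie: csrf_token=...) and also renders
# into its own forms; a page on another origin cannot read the cookie to copy it.
def issue_csrf_token
  SecureRandom.hex(16)
end

# Constant-time comparison so a timing side channel cannot recover the token.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# request is an assumed shape: { method:, cookies: {}, params: {}, headers: {} }
def csrf_ok?(request)
  return true if SAFE_METHODS.include?(request[:method])
  cookie_token = request.dig(:cookies, "csrf_token")
  submitted    = request.dig(:params, "csrf_token") || request.dig(:headers, "X-CSRF-Token")
  return false if cookie_token.nil? || submitted.nil?
  secure_compare(cookie_token, submitted)
end

# Toy application: GET only reads; POST changes state, and only with a valid token.
# Returns [status, state_after].
def handle(request, state)
  case request[:method]
  when "GET"
    [200, state.dup]
  when "POST"
    return [403, state.dup] unless csrf_ok?(request)
    state[:name] = request.dig(:params, "name")
    [200, state.dup]
  else
    [405, state.dup]
  end
end

if __FILE__ == $PROGRAM_NAME
  token = issue_csrf_token
  state = { name: "alice" }
  # Slide 11 (URL embedded as an image): the cookie rides along, but GET never writes.
  p handle({ method: "GET", cookies: { "csrf_token" => token }, params: { "name" => "mallory" }, headers: {} }, state)
  # Slide 14 (hidden form): the cookie rides along, but the form cannot carry the token.
  p handle({ method: "POST", cookies: { "csrf_token" => token }, params: { "name" => "mallory" }, headers: {} }, state)
  # The app's own form: token in the cookie and in the form field.
  p handle({ method: "POST", cookies: { "csrf_token" => token }, params: { "name" => "bob", "csrf_token" => token }, headers: {} }, state)
end
```

The point of the split is that each half of the check covers one of the two forgery routes on the slides: the image trick only produces a GET, which the app treats as read-only, and the hidden form produces a POST that the browser sends with the cookie but without the token value.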

  16. Path
    Traversal

  17. Clickjacking

  18. X-Frame-Options

  19. Same Origin Policy

  20. VBScript
    CSRF

  21. Session authenticated JSON
    endpoint

  22. https://github.com/rkh/json-csrf

  23. Referrer Leak

  24. [click here](http://evil.com)

  25. GET / HTTP/1.1
    Host: evil.com
    Referer: http://good.com/?secret=foo

  26. GET /?redirect_to=http://evil.com
    Host: good.com
    Referer: http://good.com/?secret=foo

  27. GET / HTTP/1.1
    Host: evil.com
    Referer: http://good.com/?redirect_…

  28. HTTP/1.1 301 Moved Permanently
    Location: http://evil.com

  29. Header
    Injection

  30. HTTP/1.1 200 OK\n
    Header: Value\n
    Header: Value\n
    \n
    Body

  31. HTTP/1.1 200 OK\n
    Header: Val\rue\n
    Header: Value\n
    \n
    Body

  32. HTTP/1.1 200 OK\n
    Header: Val\r
    Injected: Value\n
    Header: Value\n
    \n
    Body

  33. HTTP/1.1 200 OK\n
    Header: Val\r\r
    Injected Body, OMG

  34. GET /?redirect_to=%0dSet-Cookie:x=1

  35. HTTP/1.1 301 Moved\n
    Location: \r
    Set-Cookie: x=1\n
    \n
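Slides 26 to 28 and 34 to 35 turn on the same unvalidated `redirect_to` parameter: in one case the redirect carries the Referer with its secret to another host, in the other a carriage return inside the value ends the Location header early and whatever follows becomes a header of its own. The Ruby below is an added example, not code from the talk or the speaker's projects. It validates the decoded parameter (only path-only or same-host targets, no control bytes) and builds the raw response while refusing to emit any header value containing CR or LF. `allowed_host`, `safe_redirect_target`, `build_redirect` and `header_names` are names chosen for this demo, and the `Referrer-Policy` header is an addition to the slide's response.

```ruby
require "uri"
require "cgi"

FALLBACK_PATH = "/".freeze

# Decide where a user-supplied redirect_to value may send the browser.
# `target` is the already URL-decoded parameter (the slide's %0d arrives as "\r").
# Anything off-host, protocol-relative, or containing control bytes falls back to "/".
def safe_redirect_target(target, allowed_host:)
  return FALLBACK_PATH if target.nil? || target.empty?
  # CR, LF and other control bytes would terminate the Location header (header injection).
  return FALLBACK_PATH if target.match?(/[\x00-\x1f\x7f]/)
  begin
    uri = URI.parse(target)
  rescue URI::InvalidURIError
    return FALLBACK_PATH
  end
  if uri.host.nil?
    # Relative target: must be a plain path. "//evil.com" parses with a host, so it never gets here;
    # "javascript:..." or "http:evil.com" have a scheme and are refused.
    return FALLBACK_PATH unless uri.scheme.nil? && target.start_with?("/")
    return target
  end
  return FALLBACK_PATH unless %w[http https].include?(uri.scheme)
  return FALLBACK_PATH unless uri.host.casecmp?(allowed_host)
  target
end

# Build the raw redirect; refuse outright if a CR/LF somehow reached the header value.
def build_redirect(location)
  raise ArgumentError, "CR/LF in Location" if location.match?(/[\r\n]/)
  "HTTP/1.1 302 Found\r\n" \
    "Location: #{location}\r\n" \
    "Referrer-Policy: same-origin\r\n" \
    "Content-Length: 0\r\n\r\n"
end

# Header names actually present in a raw response, to confirm nothing was injected.
def header_names(raw_response)
  head = raw_response.split("\r\n\r\n", 2).first
  head.lines.drop(1).map { |line| line.split(":", 2).first.strip }
end

if __FILE__ == $PROGRAM_NAME
  host = "good.com"
  # Slide 34: GET /?redirect_to=%0dSet-Cookie:x=1, after URL decoding.
  puts build_redirect(safe_redirect_target(CGI.unescape("%0dSet-Cookie:x=1"), allowed_host: host))
  # Slide 26: GET /?redirect_to=http://evil.com
  puts build_redirect(safe_redirect_target("http://evil.com", allowed_host: host))
  puts build_redirect(safe_redirect_target("/account?tab=1", allowed_host: host))
end
```

Validation alone is what prevents the Referer leak (the browser is never sent off-host), and the CR/LF refusal in the builder is the last line of defence for header injection should the value reach a header by some other path; most frameworks refuse such header values themselves, but the check costs nothing.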

  36. Capturing the
    Cookie

  37. BEAST
    Browser Exploit Against
    SSL/TLS

  38. decrypt SSL via
    injected plain text

  39. fixed in TLS 1.1
    (released in 2006)

  40. CRIME
    Compression Ratio
    Info-Leak Made Easy

  41. GET /?user=alice HTTP/1.1
    Cookie: user=bob

    GET /?user=bob HTTP/1.1
    Cookie: user=bob
    (better compression)

  42. BREACH
    Browser Reconnaissance
    and Exfiltration via Adaptive
    Compression of Hypertext

  43. Reconnaissance

  44. and
    Exfiltration

  45. inject something in
    the response
    http://www.recipetast.ic/search?q=XXX
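Slide 41 (CRIME) and slide 45 (BREACH) rest on one measurement: when text the attacker controls matches the secret in the same compressed message, the output gets shorter. The Ruby below is an added example, not from the talk or the speaker, that reproduces the size difference with Zlib on the two requests of slide 41 and then shows the standard mitigation for a secret embedded in a compressed page body: XOR it with a fresh random pad per response and send pad plus masked value, so no literal byte of the secret appears and a guess cannot shorten the output. The request text and the `user=bob` secret are constructed from the slide; `guess_scores`, `mask` and `unmask` are names chosen here.

```ruby
require "zlib"
require "securerandom"
require "base64"

# Constructed from slide 41: the cookie holds the secret "user=bob",
# the query string holds the guess that lands in the same compressed message.
def request_for(guess)
  "GET /?user=#{guess} HTTP/1.1\r\nCookie: user=bob\r\n"
end

def compressed_size(text)
  Zlib::Deflate.deflate(text).bytesize
end

# The leak the slide points at: compressed size per guess; the matching guess is smallest
# because "user=bob" is then a repeated substring and becomes a back-reference, not literals.
def guess_scores(guesses)
  guesses.map { |g| [g, compressed_size(request_for(g))] }.to_h
end

# Mitigation for secrets inside a compressed body (the approach Rails later adopted for its
# CSRF token): XOR the secret with a one-time pad and send pad || masked, Base64-encoded.
# Every response carries different bytes, so compression cannot correlate them with a guess.
def mask(secret)
  pad = SecureRandom.random_bytes(secret.bytesize)
  masked = secret.bytes.zip(pad.bytes).map { |s, p| s ^ p }.pack("C*")
  Base64.strict_encode64(pad + masked)
end

def unmask(token)
  blob = Base64.strict_decode64(token)
  half = blob.bytesize / 2
  pad, masked = blob[0, half], blob[half, half]
  masked.bytes.zip(pad.bytes).map { |m, p| m ^ p }.pack("C*").force_encoding(Encoding::UTF_8)
end

if __FILE__ == $PROGRAM_NAME
  p guess_scores(%w[alice bob carol])   # "bob" compresses smallest
  token = mask("user=bob")
  p token, unmask(token)
end
```

Masking only helps where the secret is something the server can transform before it goes into the body, such as a CSRF token; for CRIME the request cookie is sent verbatim, which is why the practical fix there was to turn off TLS-level compression, and for BREACH the usual answers are not compressing responses that mix secrets with user input, masking tokens as above, or both.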

  46. Can we trust the
    browser?

  47. Can we trust the
    browser plugins?

  48. Social Engineering

  49. So I hear you parse
    YAML?
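Slide 49 alludes to Ruby's `YAML.load`, which revives arbitrary tagged objects (Psych's `!ruby/object:...` tags and friends) from whatever text it is given, so parsing untrusted input with it instantiates classes the attacker names. The Ruby below is an added example, not from the talk or the speaker: untrusted YAML goes through `YAML.safe_load`, which yields plain data only, behind a size limit and a second layer that checks the data has the shape the application expects. The `[:ok, data]` / `[:rejected, reason]` return shape and the `load_profile` schema are assumptions made for the demo.

```ruby
require "yaml"

# Parse user-supplied YAML into plain Ruby data only (Hash, Array, String, numbers,
# booleans, nil). Returns [:ok, data] or [:rejected, reason].
def load_untrusted_yaml(text, max_bytes: 64 * 1024)
  return [:rejected, "document too large"] if text.bytesize > max_bytes
  # safe_load refuses tagged objects (!ruby/object:..., !ruby/hash:...), symbols and
  # aliases unless they are explicitly permitted, so the input can instantiate no class.
  data = YAML.safe_load(text)
  [:ok, data]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.message]
rescue Psych::SyntaxError => e
  [:rejected, "syntax: #{e.message}"]
end

# Second layer: even plain data must match the shape the application expects.
def load_profile(text)
  status, data = load_untrusted_yaml(text)
  return [status, data] unless status == :ok
  return [:rejected, "expected a mapping"] unless data.is_a?(Hash)
  return [:rejected, "name must be a string"] unless data["name"].is_a?(String)
  [:ok, { "name" => data["name"], "roles" => Array(data["roles"]).grep(String) }]
end

if __FILE__ == $PROGRAM_NAME
  p load_profile("name: alice\nroles: [admin, dev]\n")
  p load_profile("--- !ruby/object:Object {}\n")   # rejected: tagged object
  p load_profile("a: &x 1\nb: *x\n")                # rejected: alias
end
```

The tagged-object document above is rejected before any object is built, which is the whole point: the decision about which classes may exist in the result is made by the application (`safe_load` takes a permitted-classes list for the rare cases that need more than plain data), never by the document.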

  50. Do you keep all this in
    mind?

  51. Next attack around the
    corner?

  52. Thank you!
    @konstantinhaase