Ancient City Ruby: Hack me, if you can!

Transcript

1. Hack Me, If You Can Konstantin Haase @konstantinhaase

2. None
3. None

4. Welcome to St. Augustine, the oldest city in America

5. Three Things I’m good at •History •Geography •Telling people they

   are wrong

6. Settlement City Still Inhabited European European, Inhabited America Puerto Hormiga

   4000 BC Caral 2627 BC Ticul 700 BC Eystribyggð 985 Santo Domingo 1498 North America Kaminaljuyu 1500 BC Kaminaljuyu 1500 BC Ticul 700 BC Eystribyggð 985 Santo Domingo 1498 Mexico, US, Canada Ticul 700 BC Ticul 700 BC Ticul 700 BC L’Anse aux Meadows 1003 Veracruz 1519 US Cahokia 650 Cahokia 650 Acoma Pueblo 1000 San Juan 1521 San Juan 1521 Continental US Cahokia 650 Cahokia 650 Acoma Pueblo 1000 Pensacola 1559 Pensacola 1559
7. None
8. None
9. None
10. None
11. None
12. None
13. None
14. None
15. None
16. None

17. XSS Cross Site Scripting

18. sanitize all user input

19. Content-Security-Policy default-src ‘self';
 script-src 'self' https://apis.google.com;
 report-uri https://example.com/csp

20. CSRF Cross Site Request Forgery

21. Is this awesome, y/n?

22. None
23. None

24. all requests include a session cookie

25. embed URL as image

26. 1 2 PUT / 2 PUT / 2 Repeatable! :)

    State change! :( Deterministic! :) https://speakerdeck.com/rkh/we-dont-know-http

27. “safe” HTTP methods should never change resource state

28. submit a hidden form

29. None

30. HTTP/1.1 200 OK Content-Type: text/html Set-Cookie: csrf_token=XXX

31. Path Traversal

32. None

33. %2e%2e%2f

34. Clickjacking

35. X-Frame-Options

36. Same Origin Policy

37. VBScript CSRF

38. JSON CSRF

39. Session authenticated JSON endpoint

40. https://github.com/rkh/json-csrf

41. Referrer Leak

42. [click here](http:// evil.com)

43. GET / HTTP/1.1 Host: evil.com Referer: http://good.com/?secret=foo

44. GET /?redirect_to=http://evil.com Host: good.com Referer: http://good.com/?secret=foo

45. GET / HTTP/1.1 Host: evil.com Referer: http://good.com/?redirect_…

46. HTTP/1.1 301 Moved Permanently Location: http://evil.com

47. Header Injection

48. HTTP/1.1 200 OK\n Header: Value\n Header: Value\n \n Body

49. HTTP/1.1 200 OK\n Header: Val\rue\n Header: Value\n \n Body

50. None

51. HTTP/1.1 200 OK\n Header: Val\r Injected: Value\n Header: Value\n \n

    Body

52. HTTP/1.1 200 OK\n Header: Val\r\r ! Injected Body, OMG <!--\n

    Header: Value\n \n Body

53. GET /?redirect_to=%0dSet-Cookie:x=1

54. HTTP/1.1 301 Moved\n Location: \r Set-Cookie: x=1\n \n

55. Capturing the Cookie

56. None
57. None
58. None

59. BEAST Browser Exploit Against SSL/TLS

60. decrypt SSL via injected plain text

61. fixed in TLS 1.1 (released in 2006)

62. None

63. CRIME Compression Ratio Info-Leak Made Easy

64. GET /?user=alice HTTP/1.1 Cookie: user=bob GET /?user=bob HTTP/1.1 Cookie: user=bob

    better compression
65. None

66. BREACH Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext

67. Browser

68. Reconnaissance

69. and Exfiltration

70. via Adaptive

71. Compression

72. of Hypertext

73. None
74. None

75. inject something in the response http://www.recipetast.ic/search?q=XXX

76. None

77. Can we trust the browser?

78. Can we trust the browser plugins?

79. None

80. Social Engineering

81. So I hear you parse YAML?

82. None

83. Do you keep all this in mind?

84. Next attack around the corner?

85. Thank you! ! @konstantinhaase