
Ancient City Ruby: Hack me, if you can!



Konstantin Haase

April 06, 2014

Transcript

  1. Hack Me, If You Can Konstantin Haase @konstantinhaase

  4. Welcome to St. Augustine, the oldest city in America

  5. Three Things I’m good at
     • History
     • Geography
     • Telling people they are wrong
  6.                    | Settlement             | City                | Still Inhabited   | European                | European, Inhabited
     America            | Puerto Hormiga 4000 BC | Caral 2627 BC       | Ticul 700 BC      | Eystribyggð 985         | Santo Domingo 1498
     North America      | Kaminaljuyu 1500 BC    | Kaminaljuyu 1500 BC | Ticul 700 BC      | Eystribyggð 985         | Santo Domingo 1498
     Mexico, US, Canada | Ticul 700 BC           | Ticul 700 BC        | Ticul 700 BC      | L’Anse aux Meadows 1003 | Veracruz 1519
     US                 | Cahokia 650            | Cahokia 650         | Acoma Pueblo 1000 | San Juan 1521           | San Juan 1521
     Continental US     | Cahokia 650            | Cahokia 650         | Acoma Pueblo 1000 | Pensacola 1559          | Pensacola 1559
  17. XSS Cross Site Scripting

  18. sanitize all user input
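Added example, not code from the talk: what slide 18 asks for, done at the point where user input is rendered into HTML. The same attacker string is shown unescaped and escaped, plus the attribute case, where escaping alone is not enough for an href. PAYLOAD and the link inputs are constructed.

```ruby
require "erb"
require "uri"

# Constructed attacker input: a query parameter that ends up in the page.
PAYLOAD = "<script>alert(document.cookie)</script>"

# Vulnerable: the raw string becomes markup and the script runs.
def render_unescaped(name)
  "<p>Hello, #{name}!</p>"
end

# Hardened: ERB::Util.html_escape turns & < > " ' into entities, so the
# browser displays the text instead of interpreting it. This is the same
# helper ERB templates expose as h().
def render_escaped(name)
  "<p>Hello, #{ERB::Util.html_escape(name)}!</p>"
end

# Attribute context: the attribute must be quoted AND escaped, and an href
# additionally needs a scheme check, because escaping does nothing against
# "javascript:alert(1)". Returns nil for a URL that must not be emitted.
def safe_href(href)
  uri = URI.parse(href)
  return nil unless %w[http https].include?(uri.scheme)
  ERB::Util.html_escape(href)
rescue URI::InvalidURIError
  nil
end

def render_link(label, href)
  target = safe_href(href)
  return nil unless target
  %(<a href="#{target}">#{ERB::Util.html_escape(label)}</a>)
end

if __FILE__ == $0
  puts render_unescaped(PAYLOAD)            # executes in a browser
  puts render_escaped(PAYLOAD)              # shown as text
  p render_link("click", "javascript:alert(1)")
end
```

The escaper is context-specific: html_escape is right for element text and quoted attribute values, but not for data placed inside a script block, a URL query, or CSS, each of which needs its own encoding.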

  19. Content-Security-Policy: default-src 'self';
        script-src 'self' https://apis.google.com;
        report-uri https://example.com/csp

  20. CSRF Cross Site Request Forgery

  21. Is this awesome, y/n?

  24. all requests include a session cookie

  25. embed URL as image

  26. 1 → PUT / 2 → 2 → PUT / 2 → 2
      Repeatable! :)   State change! :(   Deterministic! :)
      https://speakerdeck.com/rkh/we-dont-know-http
  27. “safe” HTTP methods should never change resource state

  28. submit a hidden form

  30. HTTP/1.1 200 OK
      Content-Type: text/html
      Set-Cookie: csrf_token=XXX
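Added example, not code from the talk: slides 24 to 30 as a Rack-style middleware. It issues a per-session token, exempts the safe methods (slide 27), and on everything else requires the token from the hidden form field (slide 28) to match in constant time. Only the call(env) interface is used, so the rack gem is not needed. Assumed details: the session is a Hash in env["app.session"] (the talk's slide 30 keeps the token in a cookie instead; the comparison is the same) and the form field is named "csrf_token".

```ruby
require "securerandom"
require "stringio"
require "uri"

class CsrfGuard
  # "Safe" methods must never change state, so they carry no token.
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze
  TOKEN_FIELD  = "csrf_token"

  def initialize(app)
    @app = app
  end

  def call(env)
    session = (env["app.session"] ||= {})          # assumed session store
    session[TOKEN_FIELD] ||= SecureRandom.hex(32)   # 256 bits, per session

    return @app.call(env) if SAFE_METHODS.include?(env["REQUEST_METHOD"])

    submitted = form_field(env, TOKEN_FIELD)
    if submitted && secure_compare(submitted, session[TOKEN_FIELD])
      @app.call(env)
    else
      [403, { "Content-Type" => "text/plain" }, ["invalid CSRF token"]]
    end
  end

  # The hidden input every state-changing form must include. The token is
  # hex, so no HTML escaping is needed here.
  def self.hidden_field(session)
    %(<input type="hidden" name="#{TOKEN_FIELD}" value="#{session[TOKEN_FIELD]}">)
  end

  # Minimal request builder for demos and tests.
  def self.env_for(method, body = "", session = {})
    { "REQUEST_METHOD" => method, "rack.input" => StringIO.new(body),
      "app.session" => session }
  end

  private

  def form_field(env, name)
    input = env["rack.input"]
    body  = input.read
    input.rewind
    URI.decode_www_form(body).to_h[name]
  end

  # Constant-time comparison: String#== returns at the first differing
  # byte, which leaks how much of the token an attacker got right.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Stand-in application behind the guard.
APP     = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok"]] }
GUARDED = CsrfGuard.new(APP)
```

An attacker's hidden form (slide 28) or image tag (slide 25) can make the victim's browser send the session cookie, but it cannot read the victim's page to learn the token, which is why the token must be unguessable and bound to the session rather than global.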

  31. Path Traversal

  33. %2e%2e%2f  (URL-encoded "../")
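Added example, not code from the talk: how a file-serving handler keeps a request like slide 33's %2e%2e%2f inside its document root. PUBLIC_ROOT is an assumed directory; the function touches nothing on disk, it only decides which path would be opened, which is what makes it testable.

```ruby
# Assumed document root for the example.
PUBLIC_ROOT = "/var/www/public"

# Decode percent-escapes exactly once. Decoding a second time (or letting a
# later layer decode again) would turn %252e into "." after the check below
# has already passed.
def percent_decode(s)
  s.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# Returns the absolute path to serve, or nil if the request escapes root.
def resolve_under_root(requested, root = PUBLIC_ROOT)
  decoded = percent_decode(requested)

  # A NUL byte truncates the path in C APIs ("app.css%00.png" would open
  # app.css); File.expand_path raises on it, so reject it explicitly.
  return nil if decoded.include?("\0")
  # File.expand_path turns a leading "~" into a home directory.
  return nil if decoded.start_with?("~")

  # Resolve "." and ".." lexically against the root. An absolute request
  # ("/etc/passwd") ignores the second argument entirely, so the prefix
  # check is the real gate, not expand_path.
  resolved = File.expand_path(decoded, root)
  resolved.start_with?(root + "/") ? resolved : nil
end

if __FILE__ == $0
  %w[css/app.css %2e%2e%2f%2e%2e%2fetc/passwd /etc/passwd].each do |req|
    puts "#{req} -> #{resolve_under_root(req).inspect}"
  end
end
```

The prefix check must include the trailing slash: without it "/var/www/public_html/secret" would pass as being "under" "/var/www/public". Symlinks inside the root are a separate question this lexical check does not answer; File.realpath on the result handles that where it matters.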

  34. Clickjacking

  35. X-Frame-Options
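Added example, not code from the talk, covering slide 19 and slide 35 together: a Rack-style middleware that puts the talk's Content-Security-Policy and an X-Frame-Options header on every response. Only the call(env) interface is used, so the rack gem is not needed. The report endpoint and the Google origin are the slide's own values; the inner application is a stand-in.

```ruby
class SecurityHeaders
  # The policy from slide 19, one directive per element.
  CSP = [
    "default-src 'self'",
    "script-src 'self' https://apis.google.com",
    "report-uri https://example.com/csp",
  ].join("; ").freeze

  # DENY or SAMEORIGIN. ALLOW-FROM never got cross-browser support.
  def initialize(app, frame_options: "DENY")
    @app = app
    @frame_options = frame_options
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    # ||= so an application that already set a stricter value keeps it.
    headers["Content-Security-Policy"] ||= CSP
    headers["X-Frame-Options"]         ||= @frame_options
    [status, headers, body]
  end
end

# Stand-in application.
HELLO   = ->(_env) { [200, { "Content-Type" => "text/html" }, ["<p>hi</p>"]] }
SECURED = SecurityHeaders.new(HELLO)

if __FILE__ == $0
  _, headers, = SECURED.call({})
  headers.each { |k, v| puts "#{k}: #{v}" }
end
```

Two things have changed since 2014: CSP's frame-ancestors directive now does the job of X-Frame-Options (browsers that support it ignore X-Frame-Options when both are present, so send frame-ancestors 'none' in the policy and keep X-Frame-Options for old clients), and report-uri is being replaced by report-to.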

  36. Same Origin Policy

  37. VBScript CSRF

  38. JSON CSRF

  39. Session authenticated JSON endpoint

  40. https://github.com/rkh/json-csrf

  41. Referrer Leak

  42. [click here](http:// evil.com)

  43. GET / HTTP/1.1
      Host: evil.com
      Referer: http://good.com/?secret=foo

  44. GET /?redirect_to=http://evil.com
      Host: good.com
      Referer: http://good.com/?secret=foo

  45. GET / HTTP/1.1
      Host: evil.com
      Referer: http://good.com/?redirect_…

  46. HTTP/1.1 301 Moved Permanently
      Location: http://evil.com

  47. Header Injection

  48. HTTP/1.1 200 OK\n
      Header: Value\n
      Header: Value\n
      \n
      Body

  49. HTTP/1.1 200 OK\n
      Header: Val\rue\n
      Header: Value\n
      \n
      Body

  51. HTTP/1.1 200 OK\n
      Header: Val\r
      Injected: Value\n
      Header: Value\n
      \n
      Body

  52. HTTP/1.1 200 OK\n
      Header: Val\r\r
      ! Injected Body, OMG <!--\n
      Header: Value\n
      \n
      Body

  53. GET /?redirect_to=%0dSet-Cookie:x=1

  54. HTTP/1.1 301 Moved\n
      Location: \r
      Set-Cookie: x=1\n
      \n
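Added example, not code from the talk, serving slides 44 to 46 and slides 53 to 54 at once: a redirect helper that refuses the two abuses of the same redirect_to parameter, forwarding the browser (and its Referer) to a foreign host, and letting a CR or LF from the parameter reach the Location header. OWN_HOST is an assumed value.

```ruby
require "uri"

# Assumed hostname of the application ("good.com" on the slides).
OWN_HOST = "good.com"

# Decode percent-escapes once, the way a framework would before handing
# the parameter to the application. %0d becomes "\r".
def percent_decode(s)
  s.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# Returns the vetted redirect target, or nil if it must not be used.
def safe_redirect_target(param, own_host = OWN_HOST)
  target = percent_decode(param.to_s)

  # Header injection (slides 48 to 54): any control byte, CR and LF in
  # particular, would terminate Location and start a new header line.
  return nil if target.match?(/[\x00-\x1f\x7f]/)

  uri = URI.parse(target)
  # Referrer leak / open redirect (slides 44 to 46): allow relative paths
  # and our own host only. "//evil.com/" is protocol-relative and still
  # carries a host, and "http://good.com@evil.com/" has host evil.com,
  # so both are caught here.
  return nil if uri.host && uri.host.downcase != own_host
  return nil if uri.scheme && !%w[http https].include?(uri.scheme)
  target
rescue URI::InvalidURIError
  nil
end

# The response: a redirect to a vetted target, otherwise to the start page.
def redirect_response(param)
  location = safe_redirect_target(param) || "/"
  [302, { "Location" => location }, []]
end

if __FILE__ == $0
  ["/account", "http://evil.com", "//evil.com/", "%0dSet-Cookie:x=1"].each do |p|
    puts "#{p.inspect} -> #{redirect_response(p)[1]["Location"].inspect}"
  end
end
```

Modern web servers and Rack reject header values containing CR or LF themselves, but that is a last line of defence; the application should never build a header from an unvetted parameter. For the leak on slide 43, a Referrer-Policy response header (for example strict-origin-when-cross-origin, now the browser default) keeps the query string out of cross-site Referer headers even when a redirect is legitimate.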

  55. Capturing the Cookie

  59. BEAST Browser Exploit Against SSL/TLS

  60. decrypt SSL via injected plain text

  61. fixed in TLS 1.1 (released in 2006)

  63. CRIME Compression Ratio Info-Leak Made Easy

  64. GET /?user=alice HTTP/1.1
      Cookie: user=bob

      GET /?user=bob HTTP/1.1
      Cookie: user=bob            ← better compression
  66. BREACH Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext

  67. Browser

  68. Reconnaissance

  69. and Exfiltration

  70. via Adaptive

  71. Compression

  72. of Hypertext

  75. inject something in the response http://www.recipetast.ic/search?q=XXX
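Added example, not code from the talk, for slide 64 (CRIME) and slides 63 to 75 (BREACH) together: the compression side channel measured with Ruby's zlib. DEFLATE replaces a repeated byte sequence with a back-reference, so a message in which the attacker's guess repeats the secret compresses smaller than one in which it does not; the byte-by-byte recovery loop at the end is the BREACH procedure in its simplest form. Every string here is constructed: the request, the response page, and SECRET.

```ruby
require "zlib"

def compressed_size(s)
  Zlib::Deflate.deflate(s).bytesize
end

# CRIME: the request from slide 64. The attacker chooses the query string,
# the browser appends the cookie, TLS-level compression covers both.
def crime_request(guess, cookie = "bob")
  "GET /?user=#{guess} HTTP/1.1\r\nHost: example.com\r\nCookie: user=#{cookie}\r\n\r\n"
end

# BREACH: an HTTPS response that contains a CSRF token and also reflects a
# query parameter (the ?q=XXX injection point from slide 75).
SECRET = "8f3a6c1e" # constructed; the attacker does not know it

def breach_response(reflected, secret = SECRET)
  "<html><body>\n" \
  "<form><input name=\"csrf_token\" value=\"#{secret}\"></form>\n" \
  "<p>No results for #{reflected}</p>\n" \
  "</body></html>"
end

# What the attacker injects: the markup around the token plus the guess,
# so that a correct guess extends the back-reference by one byte.
def inject(guess)
  %(name="csrf_token" value="#{guess})
end

# Recover the token one byte at a time by picking the candidate that makes
# the response smallest. Huffman coding adds noise, so ties are possible;
# on a tie this stops and returns what it has (BREACH breaks ties with its
# "two tries" variant, which this example does not implement).
def recover_secret(alphabet = "0123456789abcdef", max_len = SECRET.length)
  known = String.new
  max_len.times do
    sizes = alphabet.chars.map do |c|
      [compressed_size(breach_response(inject(known + c))), c]
    end
    best = sizes.min_by(&:first)
    break if sizes.count { |size, _| size == best.first } > 1
    known << best.last
  end
  known
end

if __FILE__ == $0
  puts "CRIME  bob: #{compressed_size(crime_request('bob'))} bytes, " \
       "alice: #{compressed_size(crime_request('alice'))} bytes"
  puts "BREACH recovered: #{recover_secret.inspect} (secret #{SECRET})"
end
```

Neither fix on the slides is a server-side code change: CRIME is stopped by turning TLS compression off, BREACH by not compressing responses that carry both a secret and reflected input, or by making the secret different on every response (a per-request masked CSRF token) so that no repetition exists to measure.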

  77. Can we trust the browser?

  78. Can we trust the browser plugins?

  80. Social Engineering

  81. So I hear you parse YAML?
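Added example, not code from the talk: what slide 81 alludes to, in Ruby. A "!ruby/object:" tag makes the full YAML loader allocate an arbitrary class and set attacker-chosen instance variables on it, which is how the 2013 Rails and RubyGems incidents turned YAML input into code execution; YAML.safe_load refuses such tags. The class name in UNTRUSTED is made up for illustration.

```ruby
require "yaml"

# Constructed attacker document: a tag that asks the loader to build an
# object of a class the application never expected to see.
UNTRUSTED = <<~YAML
  --- !ruby/object:SomeApp::Deployer
  command: "rm -rf /"
YAML

# The right call for anything that came over the network: plain scalars,
# arrays and hashes only. Raises Psych::DisallowedClass for object tags.
def parse_untrusted(yaml)
  YAML.safe_load(yaml)
end

# Report whether a document relies on tags the safe loader rejects.
def uses_unsafe_tags?(yaml)
  YAML.safe_load(yaml)
  false
rescue Psych::DisallowedClass
  true
end

# Opt in to specific extra classes when a document legitimately needs them.
def parse_with_symbols(yaml)
  YAML.safe_load(yaml, permitted_classes: [Symbol])
end

# The full loader, for config you wrote yourself. In Psych 4 (Ruby 3.1+)
# YAML.load became safe and the old behaviour moved to YAML.unsafe_load;
# before that, YAML.load itself was the dangerous call.
def parse_fully_trusted(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

if __FILE__ == $0
  p parse_untrusted("name: alice\nports: [80, 443]")
  p uses_unsafe_tags?(UNTRUSTED)
  obj = parse_fully_trusted("--- !ruby/object:Object\ncommand: \"rm -rf /\"\n")
  p obj.instance_variable_get(:@command)   # the loader set it for us
end
```

The instance variable alone is harmless; the exploits worked by targeting classes whose methods act on their state (a class with a custom init_with, or one whose to_s, hash or ==, called later, evaluates what it holds). safe_load removes the whole class of problem by never resolving a class from input.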

  83. Do you keep all this in mind?

  84. Next attack around the corner?

  85. Thank you! @konstantinhaase