
Weaponizing the Web: More Attacks on User Generated Content - PowerPoint PPT Presentation

  1. Weaponizing the Web: More Attacks on User Generated Content. Saturday, August 1, 2009

  2. Comrades
     ★ Citizen: Nathan Hamiel
       ★ Senior Consultant - Idea InfoSec
       ★ Associate Prof @UAT, Hexagon Security Group
       ★ 23rd Degree Mason, LavaRolling Enthusiast
     ★ Citizen: Shawn Moyer
       ★ Principal Consultant - FishNet Security
       ★ Douchebag with microphone, self-styled Wikipedian
       ★ Shot a man in Reno just to watch him die
     Black Hat USA 2009, Saturday, August 1, 2009

  3. Preview for the ADHD
     ★ Navel gazing and rants
       ★ Democratization of misinformation
       ★ Trust, integration, and shared exposure
       ★ Features arms race, emerging attack surface
     ★ Actual information and content
       ★ A nifty (we think) approach to an old bug
       ★ Tool release, ensuing demos o' fail
       ★ Stupid API tricks and multi-site mayhem
     ★ Sorry, you have to listen to rants first. =)

  4. Voice of the people
     ★ User-Generated Content
       ★ User-driven, social, collaborative content
       ★ Blogs, wikis, socnets, web communities
       ★ Increasingly bolted onto “old” web media
     ★ Integrated, Aggregated, Dynamic
       ★ Offsite content, syndication, shared APIs
       ★ Aggregation points, feeds, personal portals
       ★ Increasing client-side logic (REST, JSON, etc)

  5. What could possibly go wrong?
     ★ Moot is Time's person of the year
       ★ Lulzy example. Larger problem.
       ★ Time: “Feh. Internet polls aren't trusted.” Oh.

  6. What could possibly go wrong?
     ★ Post-MJ celebrity death hoaxes
       ★ Some “real” news outlets picked up.
       ★ iReport, uReport, you are on notice.
     ★ Note: Please stop Rickrolling. Please.

  7. What could possibly go wrong?
     ★ NYT aggregation fail
       ★ HTML injection article propagates HTML injection
       ★ Aggregation, syndication, shared exposure

  8. What could possibly go wrong?
     ★ DailyKos trolls twittering dittoheads
       ★ Fake economy / budget numbers
       ★ $3 million for replacement tires for 1992-1995 Geo Metros.
       ★ $750,000 for an underground tunnel connecting a middle school and high school in North Carolina.
       ★ $4.7 million for a program supplying public television to K-8 classrooms.
       ★ $2.3 million for a museum dedicated to the electric bass guitar.

  9. Shared exposure
     ★ The emerging socialized web
     ★ Multi-site aggregation = Attacker ROI
     ★ Multipoint attack surfaces, APIs, “Digg this!”, etc
     ★ (n)th-parties and shared exposure
     ★ “Malware-like” legit functionality
     ★ Silent updates, presence announcements
     ★ Offsite links and wrapped external content
       ★ Try blocking .js for googleapis.com. I dare you.

  10. Unite for problems

  11. Top BOTSites

  12. Bolting On fail
     ★ Retrofitting the Thing of The Now
       ★ More FF fail. No, srsly.

  13. Exposing Yourself

  14. Exposing Yourself
     ★ APIs are the New Hotness
     ★ Integrate other site functions (Your tweets in my Facebook? Awww....)
     ★ Hooks into fluffy clouds of amorphous love
       ★ googleapis, amazonws, others
     ★ Crossdomain content, sandboxing
     ★ Two major types of APIs
       ★ For consumption of application services
       ★ For integration of app on another site

  15. API Stacking
     ★ Your app is so ugly its APIs have APIs
     ★ How far away from what we are using do we need to be?
       Application > API > Application > API > Application
     ★ = WTF. Complexity breeds exposure.

  16. API as anon proxy
     ★ Attack anonymization via shared APIs

  17. no place like 127.0.0.1
     ★ Hi5 API localhost dev page. Opps1!1

  18. API Redirect loops
     ★ Triangle of Death
     ★ (Rectangle|Pentagon|Hexagram|Octagon) of Death

  19. now we break some stuff
     ★ CSRF / Session Riding / XSRF
     ★ Well understood. Pete Watkins, 2001
     ★ Often tough to audit for, nuanced
     ★ Typically described as a “static” attack
     ★ Per-user forgeries usually only via XSS
     ★ Can be silly, bad, or really, really bad
     ★ Our continued move to webeverything (tm)
     ★ Classical mitigations: Referrer, POSTs, tokens

  20. do you use a browser for it?

  21. CLASSICAL CSRF

  22. CLASSICAL CSRF (via POST)

  23. “Dynamic” CSRF
     ★ “Dynamic” CSRF.
     ★ Per-request, per-session, per-user forgeries
     ★ Watkins described in 2001, but no one noticed
     ★ Samy, recent bit.ly XSS, other XSS worms
     ★ Again, well understood as XSS side effect
     ★ Lots of “complex” CSRF gets ignored
     ★ POST-based, tokenized, per-user requests
     ★ Still exploitable, but higher bar
     ★ <img src="/password?newpassword=moo"> gets old after the 30 times or so.

  24. “Dynamic” CSRF
     ★ “Dynamic” CSRF.
     ★ We wanted to automate “complex” CSRF
     ★ Needed more logic than just redirects / tags
     ★ Many non-trivial CSRF are ignored
     ★ Devs often think SOP saves them (it might)
     ★ See also: http://securethoughts.com/2009/07/hacking-csrf-tokens-using-css-history-hack/

  25. Dynamic CSRF

  26. Enter the fist.
     ★ MonkeyFist: PoC Dynamic CSRF Tool
     ★ http://hexsec.com/labs
     ★ Small Python web server
     ★ Creates payload / patterns based on referrer
     ★ Automates per-request, “dynamic” CSRF
     ★ Constructs hidden POSTs, redirects, refreshes
     ★ Makes requests for tokens or steals from referrer

  27. MF Payload Options
     ★ <PAYLOAD n="1"> - Payload with number
     ★ <SITE l="example.com"> - Site entry w/ domain
     ★ <METHOD> - Attack method (GET, POST, PAGE)
     ★ <ID> - Session data to grab
     ★ <TARGET> - URL to send attack to
     ★ <HEADER> - Header to add to POST request
     ★ <HEADVAL> - Value for defined header
     ★ <POSTVAR> - POST variable name
     ★ <POSTVAL> - Value for defined POST variable
     ★ <DESTINATION> - Destination for meta refresh

  28. Payloads.xml

  29. Dynamic Redirect Attack

  30. POST Construct

  31. Dynamic Page

  32. Fist Full of Fail

  33. What you just saw
     ★ MF “Dynamic” CSRF of anon Wikipedia edit
       ★ Requests were replayable, but unique
       ★ WPEdittime, WPStarttime, other session values
       ★ MF requested session values, hidden POST
     ★ We think this is pretty nifty.
     ★ OMGTHETANS!

  34. Hrmm.

  35. Hrmm.
     ★ CSRF mitigations are well understood
     ★ Still, you have to get LOTS of things right
     ★ No bolt on fixes, sorry.
     ★ Look at your code! Forget SOP.
     ★ Thanks for listening. Send bugfixes.
     ★ Nathan’s blog: http://www.neohaxor.org
     ★ Shawn hates blogs.
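The “classical mitigations” of slide 19 (Referrer, POSTs, tokens) and the wrap-up above both say that a defence only works when every piece is right at once: a state change must be a POST, carry a token bound to the caller's own session, and come from the site's own origin, with the token kept out of URLs so it cannot be lifted from a referrer the way the deck describes. The following is an added example, not code from the deck or from MonkeyFist; SITE_ORIGIN, the in-memory session dict and the function names are assumptions.

```python
# Added example: a minimal request handler applying the deck's three CSRF
# mitigations together. Not the presenters' or MonkeyFist's code.
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.com"  # constructed: the application's own origin
_sessions = {}  # sid -> {"user": ..., "csrf": ...}; in-memory stand-in for a session store


def new_session(user):
    """Start a session and mint a fresh, unpredictable per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The token belongs in a hidden form field, never in a URL: a token in a
    query string leaks through the Referer header of every outbound link."""
    return _sessions[sid]["csrf"]


def _same_origin(headers):
    """Origin (or Referer when Origin is absent) must match SITE_ORIGIN.
    A missing header fails closed: browsers send Origin on cross-site POSTs,
    so its absence on a state-changing request is not something to trust."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    p = urlsplit(src)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def handle_state_change(method, headers, cookies, form):
    """Return (status, reason) for a state-changing request.
    Order of checks: POST only, valid session cookie, same-origin header, then
    the token from the POST body compared in constant time against the token
    stored for *this* session, so a token copied from another session fails."""
    if method != "POST":
        return 405, "state changes require POST"
    sess = _sessions.get(cookies.get("sid", ""))
    if sess is None:
        return 401, "no session"
    if not _same_origin(headers):
        return 403, "cross-site or missing Origin/Referer"
    supplied = form.get("csrf", "")
    if not hmac.compare_digest(supplied.encode(), sess["csrf"].encode()):
        return 403, "bad CSRF token"
    return 200, f"ok for {sess['user']}"
```

The per-session token is what defeats the replay of one user's request against another: the deck's Wikipedia demo worked because the session values could be fetched and reused, whereas here a token from a different session never matches.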
