“Blended Threat” Concept in Web Applications - DefCamp 2012

Bogdan Sergiu Dragos
a.k.a. Domnul.Do


Student at Drăgan European University in Lugoj
Legal Disclaimer

This is only a proof of concept,
    for demonstration purposes only.
“Blended Threat Concept”

• It has no clear definition because it is more
      a concept than an attack.

• But we have the following definitions from
  different sites:
Blended Threat Concept
• Definition from Wikipedia:

“A blended threat is a software vulnerability which in turn involves
   a combination of attacks against different vulnerabilities. For
   example, many worms, trojan horses and computer viruses
   exploit multiple techniques to attack and propagate. It is a kind
   of computer threat.”

Link: http://en.wikipedia.org/wiki/Blended_threat
Blended Threat Concept
• Definition from TrendMicro:

“(…) A blended threat refers to a single threat that attacks via
   multiple vectors (e.g., a worm gains entry via email and then
   leverages back-door vulnerabilities for further infection and
   destruction).”

Link: http://apac.trendmicro.com/apac/threats/enterprise/threats-summary/blended-threats/
Blended Threat Concept
• My own definition:

 “A blended threat is an unbounded attack vector that
 needs two or more different attacks, mutually
 dependent on each other, to manipulate the normal
 application logic.”
History of Blended Threats

• The person who introduced this kind of method
  was Billy (BK) Rios

• In his presentation “Will it Blend”

• With this P.o.C:
  Blended Threat from Combined Attack Using Apple’s
The P.o.C
My proof of concept is:

• In a Yahoo! service called YQL
• Based on CSRF and one user interaction

In this presentation I will show a method to
   get YQL commands accepted without the console,
   more exactly:
! To change the status in the Yahoo! Profile
              YQL = Yahoo Query Language
What is YQL
YQL is:
• A SQL-like language
• A cloud service
• We can create APIs or use other APIs and
  manipulate the results in the “cloud”
• We can issue authenticated YQL
  commands against Yahoo! Inbox or Yahoo! Profile
YQL - Open Data Tables

• It is a way to connect to a remote web
  API (endpoint) and to describe what to
  do with the data that comes back

• What it looks like:
YQL - Open Data Table Example
YQL - Use verb
• We can put simple server-side JavaScript in the
  <execute> element of the table XML; some examples:

• To make a request we use the request object that y.rest(url) returns:
               request.accept('application/json')
                      .header('Authorization', '...')
                      .query('searchterm', 'foo').get()

• response.object carries the final result back to the user:
               response.object = data
YQL - JS API
• Some key features, what it can do:
 - use external JS files
 - convert between XML and JSON
 - run other YQL queries from inside a YQL table
What it looks like in the console

The console runs the statement
   update social.profile.status set status="EasterEgg" where guid=me

Link: http://developer.yahoo.com/yql/console/#h=update%20social.profile.status%20set%20status%3D%22EasterEgg%22%20where%20guid%3Dme
What it looks like in the request
• First the console reads the crumb (the Yahoo!
  anti-CSRF token)
• Second the console sends the YQL
  command together with the crumb to the “cloud”
First step: Read the crumb

    Note: The crumb is generated whether or not the user is logged in
Second step: Sending the data
The P.o.C
• I have the “location” of the crumb
• I know where to send the data, but how to
  convince the user to give us the crumb?!

• It is simple …
Meanwhile …
• Why do dogs (and other animals) eat
  poop?

 “Herbivores such as rabbits eat their own poop because their
 diet of plants is hard to digest efficiently, and they have to make
 two passes at it to get everything out of the meal. “
The P.o.C

This is another version of the “Fake Captcha” attack by Krzysztof
Kotowicz: the victim is asked to copy a piece of text and paste it into
what looks like a captcha box, and that text is the crumb, taken from the
Yahoo! page loaded in a frame.
The source of the P.o.C
How to gather the status
 We can confirm the change with the YQL command:
   select message from social.profile.status where guid=me

Link: http://developer.yahoo.com/yql/console/#h=select%20message%20from%20social.profile.status%20where%20guid%3Dme
My recommendation is:

It is enough to add the response header
        X-Frame-Options
(with DENY, or SAMEORIGIN if the site frames itself) to the pages that
expose the crumb, so that they can no longer be loaded inside an
attacker's frame.
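The recommendation above, as an added example that is not code from the talk: a Node.js handler that sends the anti-framing headers, and an audit helper that takes a captured response header set and reports whether a page on another origin can still frame it. The header values are standard; the function names and the sample header sets are this example's own.

```javascript
// Headers the slide's recommendation translates to. X-Frame-Options is what the
// talk proposes; Content-Security-Policy frame-ancestors is the standardised
// successor, and browsers that understand both give CSP precedence.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Handler for the page that renders the crumb (or any page whose UI an attacker
// could overlay): the headers go on every response, not just the first one.
function crumbPageHandler(req, res) {
  res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8', ...antiFramingHeaders() });
  res.end('<!doctype html><p>your crumb is shown here</p>');
}

// Audit helper: given a response header set (as curl -sI or a scanner returns
// it), does it stop a page on another origin from framing this one?
// CSP frame-ancestors is evaluated first because it overrides X-Frame-Options.
function blocksThirdPartyFraming(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';').map(d => d.trim()).find(d => /^frame-ancestors\b/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1).map(s => s.replace(/^'|'$/g, '').toLowerCase());
    // 'none', or 'self' alone, keeps other origins out; any host or scheme source lets one in.
    return sources.length > 0 && sources.every(s => s === 'none' || s === 'self');
  }
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  // ALLOW-FROM was never implemented by most browsers, so treat it as no protection.
  return xfo === 'DENY' || xfo === 'SAMEORIGIN';
}

// Constructed header sets: the state the talk found, two half-measures, and the fix.
const SAMPLE_RESPONSES = {
  unprotected: { 'Content-Type': 'text/html' },
  allowFromOnly: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  partnerFramed: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://partner.example" },
  fixed: antiFramingHeaders(),
};

function auditSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLE_RESPONSES).map(([name, hdrs]) => [name, blocksThirdPartyFraming(hdrs)])
  );
}

console.log(auditSamples()); // { unprotected: false, allowFromOnly: false, partnerFramed: false, fixed: true }
```

Wire the handler with `require('http').createServer(crumbPageHandler).listen(8080)` to try it; a page that needs to frame itself sends SAMEORIGIN and `frame-ancestors 'self'` instead. The audit treats any listed partner host as "frameable", because the attack only needs one origin that can be compromised or that happens to be the attacker's.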
Credits
• Billy (BK) Rios
• Kotowicz

• Drăgan European University, Lugoj, Timiș

• Dan Kaminsky, who in 2008 “owned” the
  internet. His work must not be forgotten!
Want to ask something?
