SlideShare a Scribd company logo

Security Day - Chesf

Download as PPTX, PDF
Estuário TI, profile picture
Estuário TI

The document appears to be a slide presentation about web application security given by Rafael Silva. Some of the topics discussed include the OWASP Top 10, how automated scanners have limitations, using iframes and HTML5 features like CORS for hacking, cursor/click hijacking, HTTP parameter pollution, and bypassing HTTPOnly protections. The presentation provides examples and demonstrations of these different techniques.

Technology
1 of 33
Downloaded 19 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
Novos ataques em www.estuarioti.com.br Aplicações Web. @estuarioti Rafael Silva rafaelsilva@estuarioti.com.br
Agenda  Whoami  OWASP top 10  Ferramentas X SkillSet  IFrames  HTML 5 Hacking Features  Cursor Hijack / Click Hijack  HTTP Parameter Pollution  HTTPOnly XSS Bypass www.estuarioti.com.br @estuarioti
$whoami  OWASP Member  rfdslabs || TheBug Magazine  FAB (Força Aérea Brasileira)  C.E.S.A.R  Tempest @rfdslabs  EstuárioTI  www.estuarioti.com.br @estuarioti
Owasp TOP 10 www.estuarioti.com.br @estuarioti
Ferramentas X skillSet  Nessus, Acunetix, Nstalker…  Attacks and Vulnerabilities  Automated scanners not detect:  Session Fixation  Privilege Escalation [Horizontal and Vertical]  Logout  Logic Flaws  Unauthenticated Direct Access  “Forgot my password”  … www.estuarioti.com.br @estuarioti
IFRAMES  Stealth  Browser Exploit or JAVA or SWF…  Insert Malicious Javascript  Stored XSS + IFRAME = Chaos  Redirect Defacement www.estuarioti.com.br @estuarioti
IFRAMES www.estuarioti.com.br @estuarioti
IFRAMES DEMO 1 www.estuarioti.com.br @estuarioti
HTML 5 Hacking Features Cross Origin Resource Sharing  Cross Domain AJAX  With Cookies  Blind  Not limited to <form> syntax  Used to Trigger CSRF www.estuarioti.com.br @estuarioti
HTML 5 Hacking Features Cross Origin Resource Sharing www.estuarioti.com.br @estuarioti
HTML 5 Hacking Features Cross Origin Resource Sharing www.estuarioti.com.br @estuarioti
HTML 5 Hacking Features Silent File Upload  Java Script FileUpload! Stealth <input type=file> with any file name and content  Use CORS  How? Create raw multipart/form-data www.estuarioti.com.br @estuarioti
HTML 5 Hacking Features Silent File Upload www.estuarioti.com.br @estuarioti
HTML 5 Hacking Features Silent File Upload www.estuarioti.com.br @estuarioti
HTML 5 Hacking Features Silent File Upload  No User Action  No Frames  Cross-domain with cookies   Works in most browsers   You can add more form fields -- CSRF flaw needed -- No access to response www.estuarioti.com.br @estuarioti
Cursor Hijack / Click Hijack  Facebook Scams  Actively Exploited  Javascript in url bar   NoScript Plugin to mitigate   Use your creativity www.estuarioti.com.br @estuarioti
Cursor Hijack / Click Hijack www.estuarioti.com.br @estuarioti
Cursor Hijack / Click Hijack www.estuarioti.com.br @estuarioti
Cursor Hijack / Click Hijack www.estuarioti.com.br @estuarioti
Cursor Hijack / Click Hijack DEMO 2 www.estuarioti.com.br @estuarioti
Cursor Hijack / Click Hijack DEMO 3 www.estuarioti.com.br @estuarioti
HTTP Parameter Pollution  Query String Term ?  Defined in the RFC 3986  GET and POST:  Query string meta characters are & ? # ; = www.estuarioti.com.br @estuarioti
HTTP Parameter Pollution www.estuarioti.com.br @estuarioti
HTTP Parameter Pollution  Bypass ModSecurity Busted Query: Accepted Query: www.estuarioti.com.br @estuarioti
HTTP Parameter Pollution  Bypass IBM Web Application Firewall (FIXED) Busted Query: Accepted Query: Discovered by Wendel Henrique from Trustwave Labs www.estuarioti.com.br @estuarioti
HTTPOnly XSS Bypass  Implemented in 2002 by Microsoft in IE 6  Additional FLAG included in a Set-Cookie HTTP responde header  Exploiting a XSS with a HTTPOnly in response? No cookies for you?  www.estuarioti.com.br @estuarioti
HTTPOnly XSS Bypass How to Bypass?  Cross-Site Tracking – HTTP TRACE (FIXED)  XMLHttpRequest also blocked TRACE Method (FIXED)  CVE-2009-0357 XMLHttpRequest in FireFox (FIXED) www.estuarioti.com.br @estuarioti
HTTPOnly XSS Bypass Java API Applet HTTP TACE (FIXED) www.estuarioti.com.br @estuarioti
HTTPOnly XSS Bypass  Java GetHeaderField in java.net.URLConnection package (UNFIXED)   By Aung Khant http://yehg.net www.estuarioti.com.br @estuarioti
HTTPOnly XSS Bypass www.estuarioti.com.br @estuarioti
HTTPOnly XSS Bypass  and… WORKS!  www.estuarioti.com.br @estuarioti
EstuárioTI www.estuarioti.com.br @estuarioti
References Tempest Blog Steffano di Paola SecKB Blog OWASP Marcus Niemietz www.estuarioti.com.br @estuarioti

More Related Content

PPT
3 S's to a Successful Launch
Poornima Vijayashanker
 
PPT
Joomladay Switzerland - security
Wilco Jansen
 
ODP
Joomladay Netherlands - Security
Wilco Jansen
 
PDF
Os Nightingale
oscon2007
 
PPTX
Adversary tactics config mgmt-&amp;-logs-oh-my
Jesse Moore
 
PDF
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
Frans Rosén
 
PPTX
XSS (Cross Site Scripting)
Shubham Gupta
 
PPT
OWASP Top 10 - Experiência e Cases com Auditorias Teste de Invasão em Aplicaç...
Clavis Segurança da Informação
 
3 S's to a Successful Launch
Poornima Vijayashanker
 
Joomladay Switzerland - security
Wilco Jansen
 
Joomladay Netherlands - Security
Wilco Jansen
 
Os Nightingale
oscon2007
 
Adversary tactics config mgmt-&amp;-logs-oh-my
Jesse Moore
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
Frans Rosén
 
XSS (Cross Site Scripting)
Shubham Gupta
 
OWASP Top 10 - Experiência e Cases com Auditorias Teste de Invasão em Aplicaç...
Clavis Segurança da Informação
 

Recently uploaded (20)

PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PPT
What is a Computer? Input Devices /output devices
GulJan8
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PDF
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PDF
August Patch Tuesday
Ivanti
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
KeXue5
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Modernising the Digital Integration Hub
Daniel Toomey
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
project resource management chapter-09.pdf
ssuser00e6e21
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
What is a Computer? Input Devices /output devices
GulJan8
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
August Patch Tuesday
Ivanti
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
The various Industrial Revolutions .pptx
bandileshozi3
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
KeXue5
 
Ad

Featured (20)

PDF
2024 Trend Updates: What Really Works In SEO & Content Marketing
Search Engine Journal
 
PDF
Storytelling For The Web: Integrate Storytelling in your Design Process
Chiara Aliotta
 
PDF
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
OECD Directorate for Financial and Enterprise Affairs
 
PDF
How to Leverage AI to Boost Employee Wellness - Lydia Di Francesco - SocialHR...
SocialHRCamp
 
PDF
2024 State of Marketing Report – by Hubspot
Marius Sescu
 
PDF
Everything You Need To Know About ChatGPT
Expeed Software
 
PDF
Product Design Trends in 2024 | Teenage Engineerings
Pixeldarts
 
PDF
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
PDF
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
marketingartwork
 
PDF
Skeleton Culture Code
Skeleton Technologies
 
PDF
PEPSICO Presentation to CAGNY Conference Feb 2024
Neil Kimberley
 
PDF
Content Methodology: A Best Practices Report (Webinar)
contently
 
PPTX
How to Prepare For a Successful Job Search for 2024
Albert Qian
 
PDF
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 
PDF
Trends In Paid Search: Navigating The Digital Landscape In 2024
Search Engine Journal
 
PDF
5 Public speaking tips from TED - Visualized summary
SpeakerHub
 
PDF
ChatGPT and the Future of Work - Clark Boyd
Clark Boyd
 
PDF
Getting into the tech field. what next
Tessa Mero
 
PDF
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Lily Ray
 
PDF
How to have difficult conversations
Rajiv Jayarajah, MAppComm, ACC
 
2024 Trend Updates: What Really Works In SEO & Content Marketing
Search Engine Journal
 
Storytelling For The Web: Integrate Storytelling in your Design Process
Chiara Aliotta
 
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
OECD Directorate for Financial and Enterprise Affairs
 
How to Leverage AI to Boost Employee Wellness - Lydia Di Francesco - SocialHR...
SocialHRCamp
 
2024 State of Marketing Report – by Hubspot
Marius Sescu
 
Everything You Need To Know About ChatGPT
Expeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Pixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
marketingartwork
 
Skeleton Culture Code
Skeleton Technologies
 
PEPSICO Presentation to CAGNY Conference Feb 2024
Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
contently
 
How to Prepare For a Successful Job Search for 2024
Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
SpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
Clark Boyd
 
Getting into the tech field. what next
Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Lily Ray
 
How to have difficult conversations
Rajiv Jayarajah, MAppComm, ACC
 
Ad

Security Day - Chesf

  • 1. Novos ataques em www.estuarioti.com.br Aplicações Web. @estuarioti Rafael Silva rafaelsilva@estuarioti.com.br
  • 2. Agenda  Whoami  OWASP top 10  Ferramentas X SkillSet  IFrames  HTML 5 Hacking Features  Cursor Hijack / Click Hijack  HTTP Parameter Pollution  HTTPOnly XSS Bypass www.estuarioti.com.br @estuarioti
  • 3. $whoami  OWASP Member  rfdslabs || TheBug Magazine  FAB (Força Aérea Brasileira)  C.E.S.A.R  Tempest @rfdslabs  EstuárioTI  www.estuarioti.com.br @estuarioti
  • 4. Owasp TOP 10 www.estuarioti.com.br @estuarioti
  • 5. Ferramentas X skillSet  Nessus, Acunetix, Nstalker…  Attacks and Vulnerabilities  Automated scanners not detect:  Session Fixation  Privilege Escalation [Horizontal and Vertical]  Logout  Logic Flaws  Unauthenticated Direct Access  “Forgot my password”  … www.estuarioti.com.br @estuarioti
  • 6. IFRAMES  Stealth  Browser Exploit or JAVA or SWF…  Insert Malicious Javascript  Stored XSS + IFRAME = Chaos  Redirect Defacement www.estuarioti.com.br @estuarioti
  • 7. IFRAMES www.estuarioti.com.br @estuarioti
  • 8. IFRAMES DEMO 1 www.estuarioti.com.br @estuarioti
  • 9. HTML 5 Hacking Features Cross Origin Resource Sharing  Cross Domain AJAX  With Cookies  Blind  Not limited to <form> syntax  Used to Trigger CSRF www.estuarioti.com.br @estuarioti
  • 10. HTML 5 Hacking Features Cross Origin Resource Sharing www.estuarioti.com.br @estuarioti
  • 11. HTML 5 Hacking Features Cross Origin Resource Sharing www.estuarioti.com.br @estuarioti
  • 12. HTML 5 Hacking Features Silent File Upload  Java Script FileUpload! Stealth <input type=file> with any file name and content  Use CORS  How? Create raw multipart/form-data www.estuarioti.com.br @estuarioti
  • 13. HTML 5 Hacking Features Silent File Upload www.estuarioti.com.br @estuarioti
  • 14. HTML 5 Hacking Features Silent File Upload www.estuarioti.com.br @estuarioti
  • 15. HTML 5 Hacking Features Silent File Upload  No User Action  No Frames  Cross-domain with cookies   Works in most browsers   You can add more form fields -- CSRF flaw needed -- No access to response www.estuarioti.com.br @estuarioti
  • 16. Cursor Hijack / Click Hijack  Facebook Scams  Actively Exploited  Javascript in url bar   NoScript Plugin to mitigate   Use your creativity www.estuarioti.com.br @estuarioti
  • 17. Cursor Hijack / Click Hijack www.estuarioti.com.br @estuarioti
  • 18. Cursor Hijack / Click Hijack www.estuarioti.com.br @estuarioti
  • 19. Cursor Hijack / Click Hijack www.estuarioti.com.br @estuarioti
  • 20. Cursor Hijack / Click Hijack DEMO 2 www.estuarioti.com.br @estuarioti
  • 21. Cursor Hijack / Click Hijack DEMO 3 www.estuarioti.com.br @estuarioti
  • 22. HTTP Parameter Pollution  Query String Term ?  Defined in the RFC 3986  GET and POST:  Query string meta characters are & ? # ; = www.estuarioti.com.br @estuarioti
  • 23. HTTP Parameter Pollution www.estuarioti.com.br @estuarioti
  • 24. HTTP Parameter Pollution  Bypass ModSecurity Busted Query: Accepted Query: www.estuarioti.com.br @estuarioti
  • 25. HTTP Parameter Pollution  Bypass IBM Web Application Firewall (FIXED) Busted Query: Accepted Query: Discovered by Wendel Henrique from Trustwave Labs www.estuarioti.com.br @estuarioti
  • 26. HTTPOnly XSS Bypass  Implemented in 2002 by Microsoft in IE 6  Additional FLAG included in a Set-Cookie HTTP responde header  Exploiting a XSS with a HTTPOnly in response? No cookies for you?  www.estuarioti.com.br @estuarioti
  • 27. HTTPOnly XSS Bypass How to Bypass?  Cross-Site Tracking – HTTP TRACE (FIXED)  XMLHttpRequest also blocked TRACE Method (FIXED)  CVE-2009-0357 XMLHttpRequest in FireFox (FIXED) www.estuarioti.com.br @estuarioti
  • 28. HTTPOnly XSS Bypass Java API Applet HTTP TACE (FIXED) www.estuarioti.com.br @estuarioti
  • 29. HTTPOnly XSS Bypass  Java GetHeaderField in java.net.URLConnection package (UNFIXED)   By Aung Khant http://yehg.net www.estuarioti.com.br @estuarioti
  • 30. HTTPOnly XSS Bypass www.estuarioti.com.br @estuarioti
  • 31. HTTPOnly XSS Bypass  and… WORKS!  www.estuarioti.com.br @estuarioti
  • 32. EstuárioTI www.estuarioti.com.br @estuarioti
  • 33. References Tempest Blog Steffano di Paola SecKB Blog OWASP Marcus Niemietz www.estuarioti.com.br @estuarioti

Editor's Notes

  • #23: 4 comportamentospadroesUtilizasomente o ultimo valor repassadoUtilizasomente o primeiro valor repassadoConcatenatodososvaloresutilizando um separadorTransformatodososvaloresem um array
  • #24: 4 comportamentospadroesUtilizasomente o ultimo valor repassadoUtilizasomente o primeiro valor repassadoConcatenatodososvaloresutilizando um separadorTransformatodososvaloresemum array
  • #25: 4 comportamentospadroesUtilizasomente o ultimo valor repassadoUtilizasomente o primeiro valor repassadoConcatenatodososvaloresutilizando um separadorTransformatodososvaloresemum array
  • #26: 4 comportamentospadroesUtilizasomente o ultimo valor repassadoUtilizasomente o primeiro valor repassadoConcatenatodososvaloresutilizando um separadorTransformatodososvaloresemum array
  • #27: 4 comportamentospadroesUtilizasomente o ultimo valor repassadoUtilizasomente o primeiro valor repassadoConcatenatodososvaloresutilizando um separadorTransformatodososvaloresemum array
  • #28: 4 comportamentospadroesUtilizasomente o ultimo valor repassadoUtilizasomente o primeiro valor repassadoConcatenatodososvaloresutilizando um separadorTransformatodososvaloresemum array
  • #29: 4 comportamentospadroesUtilizasomente o ultimo valor repassadoUtilizasomente o primeiro valor repassadoConcatenatodososvaloresutilizando um separadorTransformatodososvaloresemum array
  • #30: 4 comportamentospadroesUtilizasomente o ultimo valor repassadoUtilizasomente o primeiro valor repassadoConcatenatodososvaloresutilizando um separadorTransformatodososvaloresemum array
  • #31: 4 comportamentospadroesUtilizasomente o ultimo valor repassadoUtilizasomente o primeiro valor repassadoConcatenatodososvaloresutilizando um separadorTransformatodososvaloresemum array
  • #32: 4 comportamentospadroesUtilizasomente o ultimo valor repassadoUtilizasomente o primeiro valor repassadoConcatenatodososvaloresutilizando um separadorTransformatodososvaloresemum array
  • #33: 4 comportamentospadroesUtilizasomente o ultimo valor repassadoUtilizasomente o primeiro valor repassadoConcatenatodososvaloresutilizando um separadorTransformatodososvaloresemum array
  • #34: 4 comportamentospadroesUtilizasomente o ultimo valor repassadoUtilizasomente o primeiro valor repassadoConcatenatodososvaloresutilizando um separadorTransformatodososvaloresemum array