FEATURE

The state of HTTP declarative security in online banking websites

Aditya Sood and Richard Enbody, Michigan State University

Computer Fraud & Security, July 2011

The banking industry is grappling with the problem of malware infections in clients. The exploitation of web vulnerabilities in a bank’s website can expose online monetary transactions to fraud. Vulnerabilities such as Cross-Site Scripting (XSS), clickjacking, MIME sniffing and Cross-Site Request Forgery (CSRF) allow information in one session to be stolen from another. However, browser security can play a critical role in preventing successful exploitation.

To this end, new and flexible protection features have been introduced in the form of declarative security in HTTP response headers. These protection mechanisms are based on the concept of providing explicit security parameters that can be used to compel browsers to perform specific security functions.

Declarative security obliges a developer to specially configure the application that sends HTTP response headers so that, on receiving them, browsers trigger security protections. These declarative security parameters can also be specified in the web server configuration file. The result is that declarative security can be considered a portable and flexible defence. No protection method is foolproof, but for implementing generic protection, HTTP declarative response headers yield promising results. In addition, this concept is gaining traction as it has been adopted by Microsoft and Mozilla in order to strengthen the security of their browsers.

Declarative HTTP response headers are not a part of the HTTP 1.0/1.1 specification. However, they are compatible with HTTP and work efficiently.

The initial HTTP declarative response headers are X-XSS-Protection, X-Frame-Options, X-Content-Type-Options, X-Download-Options and X-Content-Security-Policy. Strict-Transport-Security can also be considered in this category, but it has a different naming convention. Declarative security in HTTP response headers has been introduced to make browsers more proactive and intelligent in dealing with the manipulative content that results from the exploitation of web vulnerabilities.

This research is based on an analysis of the traffic flow of major bank websites in order to understand how declarative security is being deployed in online banking. Banking websites were selected from a list of the world’s top 40-plus safest banks of 2010 as provided by Global Finance.1 The ranking is based on the long-term credit and the total assets of the banks. Basically, it determines the solvency and the relative credit-worthiness of the bank. We start with the assumption that the efficacy of security practices is directly proportional to the bank’s assets. Banks with greater assets tend to have more rigorous security mechanisms in order to provide a safe and trusted environment for transactions. The aim of this study is to gauge the deployment of declarative security in the real world, and in banking in particular. Since declarative security is relatively new, one would not expect widespread adoption. This study reflects the current state of security in online banking with respect to declarative security.

Declarative security and threat model

The HTTP header protections target specific attack vectors. These types of protection are a set of opt-in security mechanisms addressing a specific threat landscape. These attacks include clickjacking, MIME sniffing, manipulating file downloads, CSRF and XSS variants that have proven to be difficult to handle in real time. Each technique includes an HTTP header that has to be declared by the developer on the web server as well as the security actions that the browser triggers on the client side. Once a specific HTTP header is detected, the browser is supposed to execute the required security mechanisms. Of course, this protection strategy fails if the HTTP headers are not defined. As a result, control lies in the ability and expertise of the developers and administrators to use these protection headers as a part of their applications. Let us take a look at specific headers and how they work.
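As an added example (not code from the article), the following WSGI middleware shows how an application can be configured to send the declarative headers listed above on every response, so that the protection no longer depends on each page author remembering them. The per-path choice of DENY versus SAMEORIGIN, the header values and the stub bank application are my assumptions; X-Content-Security-Policy is left out because its policy is specific to each application.

```python
"""Added example (not the article's code): a WSGI middleware that configures an
application to send the declarative security headers the article lists.
Assumptions (mine): X-Frame-Options is DENY only on a configured set of
critical paths and SAMEORIGIN elsewhere, and the sample bank app is a stub."""
from typing import Callable, Dict, List, Set, Tuple

HeaderList = List[Tuple[str, str]]


def declarative_headers(path: str, critical_paths: Set[str],
                        hsts_max_age: int = 31536000) -> HeaderList:
    """Headers one response should carry, following the semantics in the text:
    X-Frame-Options controls framing, X-XSS-Protection turns on the browser's
    XSS filter, X-Content-Type-Options: nosniff stops MIME sniffing,
    X-Download-Options: noopen removes the 'Open' button from IE's download
    dialog, and Strict-Transport-Security forces HTTPS for later requests."""
    frame_policy = "DENY" if path in critical_paths else "SAMEORIGIN"
    return [
        ("X-Frame-Options", frame_policy),
        ("X-XSS-Protection", "1; mode=block"),
        ("X-Content-Type-Options", "nosniff"),
        ("X-Download-Options", "noopen"),
        ("Strict-Transport-Security",
         f"max-age={hsts_max_age}; includeSubDomains"),
    ]


def add_declarative_security(app: Callable, critical_paths: Set[str]) -> Callable:
    """Wrap a WSGI application so every response carries the headers above.
    Any copy of these headers the application set itself is replaced, so the
    policy comes from one place and is never sent twice with differing values."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        policy = declarative_headers(path, critical_paths)
        managed = {name.lower() for name, _ in policy}

        def start_with_policy(status, headers, exc_info=None):
            kept = [(n, v) for n, v in headers if n.lower() not in managed]
            return start_response(status, kept + policy, exc_info)

        return app(environ, start_with_policy)
    return wrapped


def bank_app(environ, start_response):
    """Constructed stand-in for a bank application; it sets only SAMEORIGIN."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("X-Frame-Options", "SAMEORIGIN")])
    return [b"<html><body>Account summary</body></html>"]


def run_request(app: Callable, path: str) -> Tuple[str, Dict[str, str]]:
    """Drive a WSGI app for one GET request (constructed environ) and return
    the status line and the response headers as a dict."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "wsgi.url_scheme": "https"}
    result = app(environ, start_response)
    if hasattr(result, "close"):
        result.close()
    return captured["status"], captured["headers"]


secured_app = add_declarative_security(bank_app, critical_paths={"/login", "/account"})

if __name__ == "__main__":
    for path in ("/login", "/help"):
        status, headers = run_request(secured_app, path)
        print(path, status)
        for name, value in headers.items():
            print(f"  {name}: {value}")
```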
X-Frame-Options

The X-Frame-Options HTTP response header is used to control the framing of a web page by a third-party website or a malicious domain.2,3 Generally, clickjacking and auto-framing techniques are used to conduct stealth attacks by concealing part of the user interface in the browser.4,5,6 The framing of a website plays a critical role in a successful clickjacking attack in conjunction with CSRF attacks.7 Users believe that they are clicking on a legitimate link, but are actually clicking on a hidden link. This HTTP response header can prevent the malicious framing of a legitimate website. The DENY parameter compels browsers to prevent rendering of the website in a frame (irrespective of the parent frame), whereas the SAMEORIGIN parameter allows the framing of web pages on the same domain but restricts the framing of the website by third-party parent frames. The header also requires secure frame communication to preserve integrity.8 In a real deployment, it is not feasible to apply this option for a full domain because it can deny frames that load legitimate websites. However, it is good practice to implement X-Frame-Options in application code to apply an extra layer of security to the critical web pages. A website might use frame-busting or frame-killing code such as:

    <script type="text/javascript">
    // If this document is not the top-level window it is being framed,
    // so navigate the top window to this page instead.
    if (top != self) top.location.replace(location);
    </script>

…or…

    <script>
    if (top.location != location) top.location = self.location;
    </script>

X-XSS-Protection

The X-XSS-Protection HTTP response header has been implemented by Microsoft to sanitise reflective XSS attacks.9,10 Once a browser such as Internet Explorer receives this header it enables the XSS filter, which explicitly prevents the rendering of the content. Further, another HTTP response header has been released by Mozilla, named X-Content-Security-Policy, that works in a similar fashion to avoid rendering of malicious content in the Mozilla browser.11 These HTTP declarative security headers are used to lower the risk of XSS attacks. However, some problems have been witnessed in the X-XSS-Protection header.12

X-Content-Type-Options

An attacker can inject code based on the content type set by the server. Browsers follow the content-type parameter in order to render the content of the page correctly. They have to ensure that content is rendered according to the data type set by the server. Browsers should not sniff out any other content type that is not specified by the server. Hence, the browser has to avoid sniffing MIME content that is not appropriate. Basically, the X-Content-Type-Options header can be used to prevent malicious rendering of content inside files by only allowing the parameter specified in the content-type HTTP response header.13,14

Figure 1: Applied declarative security as HTTP response headers in the world’s top 43 popular banks.

X-Download-Options

As we know, browsers such as Internet Explorer provide an inbuilt functionality to open files directly on the domain when a download dialogue box is initiated. The X-Download-Options parameter is provided by Microsoft in order to combat attacks that occur from the direct opening of files in the domain.15
This HTTP response header forces IE to modify the user interface download dialog box, removing the open button (specifying a noopen value in the header). This prevents the user from opening malicious files that might run content directly on the domain.

Figure 2: An iframe injected into a vulnerable bank website.

Strict-Transport-Security

Strict-Transport-Security is a declarative header that is used by websites to force browsers to send all types of data over HTTPS.15,16 A number of websites use both HTTP and HTTPS interfaces to set sessions. This is considered a risk because an attacker can inject malicious traffic to trick browsers into giving up cookies; deploying this parameter keeps all the communication processes under HTTPS. It should not be confused with the ‘secure’ cookie parameter, which is only defined for exchanging cookies over HTTPS, whereas Strict-Transport-Security applies to the overall communication. In general, X-Frame-Options and X-XSS-Protection have been used collaboratively to reduce the intensity of attacks. However, other response headers are used in specific applications and web servers.

Figure 3: XSS exploited in a bank’s website in spite of the Internet Explorer XSS filter.

Testing

The motivation behind this experiment was to test the acceptability of new protection features in an industry most susceptible to exploitation on the web. During the course of the experiment, it is possible to judge how well the top banks are deploying this HTTP declarative security. In general, a robust security solution is comprised of a collaborative implementation of client and server security. HTTP declarative security provides an efficient way to give some control over browsers in order to avoid a number of attacks. The objective of this testing is to check whether the critical web pages (configuration pages and web pages with authentication) in the banks’ websites are implementing declarative security.

Methodology

In order to perform analytical tests, a list of the top banks of 2010, as defined by Global Finance, was selected. The banks were chosen from around the world based on their financial ratings. This choice was made as the security of those banks that attract the top ratings is critical for safe monetary transactions. The largest banks tend to be the preferred choice of the attackers.

The testing involved Perl-based HTTP response enumeration scripts which sent a crafted HTTP request to the web server and detected the required HTTP declarative security response headers. In addition to this, the tests used the Firefox add-on HttpFox, which is an HTTP traffic analyser for scrutinising the state of different HTTP headers.17 Other standard traffic monitoring tools such as Wireshark and Netmon by Microsoft were used for packet dissection analysis. The tests were conducted in Internet Explorer, Firefox and Google Chrome.

The outcome of this experiment is entirely based on the detection of different HTTP declarative security response headers. The research also covered all the sub-domains that are a subset of the main bank domains. The tests didn’t take into consideration different types of attacks such as HTTP response splitting, which alters the state of HTTP response headers. Something close to 7,786 web pages were analysed, including supporting resources that are present in the different bank domains. Overall, the experiment was conducted on close to 200 bank websites, although this article only covers the results of the top banks.

Figure 4: XSS exploited in a bank’s website in spite of the Google Chrome XSS Auditor.

Figure 5: XSS – content-rendering scripting attack.

Results

Some interesting results arose during the course of this study. At the time of running these tests, not a single bank website out of the top 50 banks was using declarative security in HTTP response headers. It seems that the declarative security model has not been accepted by the online banking industry. Figure 1 shows the results of this experiment. The NH parameter indicates that no server header was received in the response.

Some of the banks did not send a ‘server:’ header in the responses and one of them used explicit names. The CDC, BBVA, OCBC and DB banks did not disclose the ‘server:’ header in HTTP responses. Barclays bank alternately changed the server header to ‘Red’, ‘Blue’, ‘Green’ and ‘Black’ values on consecutive requests. During the research, a number of vulnerabilities were spotted in this set of banks. These were reported to the administrators of the banks’ websites.

For completeness, the research included some tests to show that attacks are indeed possible. Figure 2 shows an iframe injection attack in one bank website that does not use X-Frame-Options. Since most of the browsers implement protection mechanisms based on declarative security, almost all browsers were tested in order to execute XSS. Apart from this, a lot of XSS injections were
evident in the banks’ websites. Most of the reflective XSS attacks were rendered successfully by the browsers having XSS filters. Figure 3 shows a successful XSS attack in Internet Explorer conducted in one of the vulnerable bank websites. Figure 4 shows the successful XSS bypass in Google Chrome version 10.0.648.127. The examples discussed in this section show the ineffectiveness of client-side XSS filters in a number of browsers. However, continuous research and development is resulting in more secure client-side XSS filtering. For generic XSS vulnerabilities, these filters provide appropriate protection by default, as well as offering some security with declarative security in HTTP response headers.

XSS attacks are versatile in nature. Even with the presence of filters, it is often easy to bypass them. However, in certain cases the declarative security headers used to control XSS fail. In addition to this, it’s also notable that it was possible to manipulate the content-type of the required page to conduct the attack. In this attack, it was possible to render a malicious PDF in one of the vulnerable bank domains which executed the script. On testing, it was found that the domain was not configured to send X-Content-Type-Options. Figure 5 shows a successful content-type manipulation attack by exploiting the RFI vulnerability in one of the bank websites. This experiment shows the state of declarative security in bank websites.

Conclusion

This was a survey of the deployment of HTTP declarative security in the world’s top banks. After analysing domains and sub-domains, it was found that, at the time of conducting these tests, not a single bank website showed the use of declarative security in the HTTP response headers. Hence, the results show that exploitation of security flaws can be reduced to some extent using declarative security because it forces the browser to enforce protection. Declarative security in HTTP response headers can be considered an additional defence, even if proprietary web security solutions are deployed, because it triggers the security element in browsers. The online banking industry should implement these protections as opt-in security to thwart generic targeted attacks.

About the authors

Aditya K Sood is a security researcher, consultant and PhD candidate at Michigan State University. He has worked in the security domain for Armorize, COSEINC and KPMG and founded SecNiche Security. He has been an active speaker at conferences such as RSA, Toorcon, Hacker Halted, TRISC, EuSecwest, XCON, OWASP AppSec, CERT-IN and has written content for HITB Ezine, ISSA, ISACA, Elsevier, Hakin9 and Usenix Login.

Dr Richard Enbody is an Associate Professor in the Department of Computer Science and Engineering, Michigan State University. He joined the faculty in 1987 after earning his PhD in Computer Science from the University of Minnesota. His research interests are in computer security, computer architecture, web-based distance education and parallel processing. He has two patents pending on hardware buffer-overflow protection, which will prevent most computer worms and viruses. He recently co-authored a CS1 Python book, The Practice of Computing using Python.

References

1. ‘World’s 50 Safest Banks 2010’. Global Finance, 2 Sep 2010. Accessed June 2011. <http://www.gfmag.com/tools/best-banks/10533-worlds-50-safest-banks-2010.html>.
2. Lam, Jason. ‘Adoption of x-frame-options header’. SANS AppSec Blog, 15 Oct 2009. Accessed June 2011. <http://blogs.sans.org/appsecstreetfighter/2009/10/15/adoption-of-x-frame-options-header/>.
3. ‘Preventing Framebusting and Clickjacking’. Coderrr, 13 Feb 2009. Accessed 2011. <http://coderrr.wordpress.com/2009/02/13/preventing-frame-busting-and-click-jacking-ui-redressing>.
4. Hansen, R; Grossman, J. ‘Clickjacking’. Ha.ckers, 15 Sep 2009. Accessed June 2011. <http://ha.ckers.org/blog/20080915/clickjacking>.
5. Stone, Paul. ‘Next Generation Clickjacking Attacks’. BlackHat Conference, 14 Apr 2010. Accessed June 2011. <https://media.blackhat.com/bh-eu-10/presentations/Stone/BlackHat-EU-2010-Stone-Next-Generation-Clickjacking-slides.pdf>.
6. Balduzzi, M; Egele, M; Kirda, E; Balzarotti, D; Kruegel, C. ‘A solution for the automated detection of clickjacking attacks’. In ASI-ACCS’10, 2010.
7. Barth, A; Jackson, C; Mitchell, JC. ‘Robust defenses for cross-site request forgery’. In proceedings of the 15th ACM Conference on Computer and Communications Security (CCS 2008), 2008.
8. Barth, A; Jackson, C; Mitchell. ‘Securing frame communication in browsers’. Communications of the ACM (CACM 2009), 2009.
9. ‘Event 1046 – Cross-Site Scripting Filter’. MSDN. <http://msdn.microsoft.com/en-us/library/dd565647%28v=vs.85%29.aspx>.
10. ‘IE8 Security Part IV: The XSS Filter’. IEBlog, 2 Jul 2008. Accessed June 2011. <http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx>.
11. Secure Content Policy. Mozilla Developer Network, 21 May 2010. Accessed June 2011. <https://wiki.mozilla.org/Security/CSP/Spec>.
12. Coates, Michael. ‘IE8 XSS Filter Bug’. 20 Nov 2009. Accessed June 2011. <http://michael-coates.blogspot.com/2009/11/ie8-xss-filter-bug.html>.
13. ‘HOWTO protect against malicious images and other non-HTML content’. Google Code. Restricted access. <http://code.google.com/p/doctype/wiki/ArticleContentSniffing>.
14. ‘IE8 Security Part VI: Beta 2 Update’. IEBlog, 3 Sep 2008. Accessed June 2011. <http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx>.
15. Jackson, C; Barth, A. ‘ForceHTTPS: Protecting High-Security Web Sites from Network Attacks’. In proceedings of the 17th International World Wide Web Conference (WWW 2008).
16. ‘Strict Transport Security’. W3C Open Specification, 18 Dec 2009. Accessed June 2011. <http://lists.w3.org/Archives/Public/www-archive/2009Dec/att-0048/draft-hodges-strict-transport-sec-06.plain.html>.
17. HttpFox browser add-on. Mozilla. Accessed June 2011. <https://addons.mozilla.org/en-us/firefox/addon/httpfox/>.

Resources

• ‘IE8 Security Part V: Comprehensive Protection’. IEBlog, 2 Jul 2008. Accessed June 2011. <http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx>.
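The header enumeration described in the Testing section, re-created here as an added example in Python (it is not the authors’ Perl script, and no real bank responses are used): it parses raw HTTP responses, reports each declarative header as present or missing, and records the Server header or NH when none was received, as in Figure 1. The hostnames and response bodies are constructed.

```python
"""Added example, not the authors' Perl scripts: an HTTP response header
enumerator in the spirit of the Testing section. It parses raw HTTP/1.x
responses and reports which declarative security headers are present and
what the Server header says, using 'NH' (as in Figure 1) when no Server
header was received. The responses below are constructed samples, not
captures from any bank."""
from typing import Dict, List

DECLARATIVE_HEADERS = (
    "X-Frame-Options",
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "X-Download-Options",
    "X-Content-Security-Policy",
    "Strict-Transport-Security",
)


def parse_response_headers(raw: bytes) -> Dict[str, str]:
    """Parse the status line and header block of a raw HTTP/1.x response.
    Names are case-insensitive, so they are lower-cased; folded continuation
    lines are joined; repeated headers are combined with ', '; the first
    empty line ends the header block and the body is ignored."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    if not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: Dict[str, str] = {}
    last = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last is not None:
            headers[last] += " " + line.strip()  # obs-fold continuation line
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        last = name.strip().lower()
        value = value.strip()
        headers[last] = f"{headers[last]}, {value}" if last in headers else value
    return headers


def audit_response(raw: bytes) -> Dict[str, str]:
    """Value of each declarative header (or 'missing') plus the Server header."""
    headers = parse_response_headers(raw)
    report = {name: headers.get(name.lower(), "missing") for name in DECLARATIVE_HEADERS}
    report["Server"] = headers.get("server", "NH")
    return report


def summarise(responses: Dict[str, bytes]) -> Dict[str, List[str]]:
    """For each declarative header, the sites whose response does not send it."""
    missing: Dict[str, List[str]] = {name: [] for name in DECLARATIVE_HEADERS}
    for site, raw in responses.items():
        report = audit_response(raw)
        for name in DECLARATIVE_HEADERS:
            if report[name] == "missing":
                missing[name].append(site)
    return missing


# Constructed sample responses (hostnames and values are made up).
SAMPLE_RESPONSES = {
    "bank-a.example": (b"HTTP/1.1 200 OK\r\n"
                       b"Server: Apache\r\n"
                       b"Content-Type: text/html\r\n"
                       b"Set-Cookie: session=abc123; Secure; HttpOnly\r\n"
                       b"\r\n"
                       b"<html><body>login</body></html>"),
    "bank-b.example": (b"HTTP/1.1 200 OK\r\n"          # no Server header -> NH
                       b"Content-Type: text/html\r\n"
                       b"X-Frame-Options: SAMEORIGIN\r\n"
                       b"\r\n"),
    "bank-c.example": (b"HTTP/1.1 200 OK\r\n"
                       b"Server: Microsoft-IIS/7.5\r\n"
                       b"Content-Type: text/html\r\n"
                       b"X-Frame-Options: DENY\r\n"
                       b"X-XSS-Protection: 1; mode=block\r\n"
                       b"X-Content-Type-Options: nosniff\r\n"
                       b"X-Download-Options: noopen\r\n"
                       b"Strict-Transport-Security: max-age=31536000\r\n"
                       b"\r\n"),
}

if __name__ == "__main__":
    for site, raw in SAMPLE_RESPONSES.items():
        print(site, audit_response(raw))
    for header, sites in summarise(SAMPLE_RESPONSES).items():
        print(f"{header}: missing on {len(sites)} of {len(SAMPLE_RESPONSES)} sites")
```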



Security in the value
chain
Simon Walker, Quantainia                                                                                               Simon Walker

Stephen Bonner, Barclays Bank’s CISO, recently likened technology controls to the railings around a balcony – they allow you to get closer to the edge without falling off. Indeed, risk analysis of information assets is not wholly unlike buying and selling houses. It is a complex process, there are lots of hoops to jump through, and there are a number of pitfalls.

One of the most common errors is to base actions on superficially attractive but practically inadequate information – for example, overestimating the value of the property you’re trying to sell, or underestimating how painful a big mortgage might become. Skimping on research will almost certainly result in pain later on. You might be tempted to base decisions on a convenient pipedream – ‘my small house is worth at least £1m. Buyers will be queuing up. Never mind the leaking roof. Or the illegal extension. And I won’t spend money on a lick of paint, or the railings on the balcony.’ But this fantasy will rarely survive contact with reality.

So it is with the risk assessment of information assets. Just like property deals, the security assessor is likely to be part of a chain. A common pitfall is for senior leadership to skip over security risk assessment activity because the results are difficult to interpret, or merely politically inconvenient. A classic example here is penetration testing. Effective security risk assessment, on the other hand, makes sense on a number of levels: it helps ensure that products and services deliver on their promised value; it prevents nasty, expensive surprises; and it is the basis for sound decision-making. Perhaps most importantly, it may be what stops your chief executive having to make embarrassing public statements about subjects he doesn’t really understand.

The PlayStation Network

The recent high-profile hacking of the Sony PlayStation Network (PSN) has provided some invaluable lessons for us all. The PSN service has a clear customer proposition. Its prime attractions rest in the open architecture and ready supply of downloadable games to purchase. Ease of access to services tends to mean quick authentication and seamless payment, which also means that user details, including card details, are stored somewhere easily accessible. Where you have such data stored, you have a cluster of information assets and hence you have something worth stealing. Also, if you’re releasing a product for the young and technology-literate that needs to be globally accessible, you’re mapping quite neatly onto the demographic that is often keenest to attempt breaking technology.

Neither of these is a particularly abstruse fact, so what can have gone wrong?

Sony’s value chain

Initial suggestions from Sony that the incident was orchestrated by ‘hacktivist’ group Anonymous have since been dismissed by the group itself. Anonymous was quick to issue a denial of this accusation. This seems to have been an attempt by Sony to excuse the incident and is in any case an irrelevance: the root causes of the incident were endemic, not a result of the actions of external influences.

The ‘value chain’ is a model that describes the activities of a firm within a specific industry, and consists of both primary and support activities. In Sony’s case the former would include research, development, manufacture, marketing and sales, and after-sales service. Support activities would traditionally include organisational infrastructure elements – the internal IT, HR and other functions that span the primary productive ones. Each element has costs, and adds (or subtracts) value from the end result.

16
     Computer Fraud & Security                                                                                                        July 2011

The State of Declarative Security in HTTP Response Headers - Bank Study

  • 1. FEATURE The state of HTTP declarative security in online banking Aditya Sood Richard Enbody websites Aditya Sood and Richard Enbody, Michigan State University The banking industry is grappling with the problem of malware infections in and trusted environment for transac- clients. The exploitation of web vulnerabilities in a bank’s website can expose tions. The aim of this study is to gauge online monetary transactions to fraud. Vulnerabilities such as Cross-Site the deployment of declarative security in Scripting (XSS), clickjacking, MIME sniffing and Cross-Site Request Forgery the real world, and in banking in partic- (CSRF) allow information in one session to be stolen from another. However, ular. Since declarative security is relative- browser security can play a critical role in preventing successful exploitation. ly new, one would not expect widespread adoption. This study reflects the current To this end, new and flexible protection The initial HTTP declarative response state of security in online banking with features have been introduced in the headers are X-XSS-Protection, X-Frame- respect to declarative security. form of declarative security in HTTP Options, X-Content-Type-Options, response headers. These protection X-Download-Options and X-Content- Declarative security and mechanisms are based on the concept Security-Policy. Strict-Transport-Security of providing explicit security parameters can also be considered in this category, threat model that can be used to compel browsers to but it has a different naming convention. The HTTP header protections target perform specific security functions. Declarative security in HTTP response specific attack vectors. 
These types of Declarative security obliges a devel- headers has been introduced to make the protection are a set of opt-in security oper to specially configure the appli- browsers more proactive and intelligent mechanisms addressing a specific threat cation that sends HTTP response in dealing with the manipulative content landscape. These attacks include click- headers so that, on receiving them, that is a result of the exploitation of web jacking, MIME sniffing, manipulating browsers trigger security protections. vulnerabilities. file downloads, CSRF and XSS vari- These declarative security parameters This research is based on an analysis of ants that have proven to be difficult can also be specified in the web server the traffic flow of major bank websites to handle in real time. Each technique configuration file. The result is that in order to understand how declara- includes an HTTP header that has to declarative security can be considered tive security is being deployed in online be declared by the developer on the web as a portable and flexible defence. No banking. Banking websites were selected server as well as the security actions that protection method is foolproof, but from a list of the world’s top 40-plus saf- the browser triggers on the client side. for implementing generic protection, est banks of 2010 as provided by Global Once a specific HTTP header is detect- HTTP declarative response headers Finance.1 The ranking is based on the ed, the browser is supposed to execute yield promising results. In addition, long-term credit and the total assets of the required security mechanisms. Of this concept is gaining traction as it has the banks. Basically, it determines the course, this protection strategy fails if been adopted by Microsoft and Mozilla solvency and the relative credit-wor- the HTTP headers are not defined. As in order to strengthen the security of thiness of the bank. 
We start with the a result, control lies in the ability and their browsers. assumption that the efficacy of security expertise of the developers and admin- Declarative HTTP response head- practices is directly proportional to the istrators to use these protection headers ers are not a part of the HTTP 1.0/1.1 bank’s assets. Banks with greater assets as a part of their applications. Let us specification. However, they are compat- tend to have more rigorous security take a look at specific headers and how ible with HTTP and work efficiently. mechanisms in order to provide a safe they work. 11 July 2011 Computer Fraud & Security
  • 2. FEATURE actually clicking on a hidden link. This this option for a full domain because X-Frame-Options HTTP response header can prevent it can deny frames that load legitimate The X-Frame-Options HTTP response the malicious framing of a legitimate websites. However, it is a good practice header is used to control the framing of website. The DENY parameter compels to implement X-Frame-Options in a web page by a third-party website or browsers to prevent rendering of the application code to apply an extra layer a malicious domain.2,3 Generally, click- website in a frame (irrespective of par- of security in the critical web pages. jacking and auto-framing techniques ent frame), whereas the SAMEORIGIN A website might use frame-busting or are used to conduct stealth attacks by parameter allows the framing of web frame-killing code such as: concealing part of the user interface in pages on the same domain but restricts the browser.4,5,6 The framing of a web- the framing of a website from the third- <script type=“text/ site plays a critical role in a successful party parent frames. The header also javascript”> clickjacking attack in conjunction with requires secure frame communication if(top != self) CSRF attacks.7 Users believe that they to preserve integrity.8 In a real-time top.location. are clicking on a legitimate link, but are environment, it is not feasible to apply replace(location);</ script> …or… <script>if(top. location != location) top.location =self. location;</script> X-XSS-Protection The X-XSS-Protection HTTP response header has been implement- ed by Microsoft to sanitise reflective XSS attacks.9,10 Once a browser such as Internet Explorer receives this header it enables the XSS filter which prevents the rendering of content explicitly. 
Further, another HTTP response header has been released by Mozilla, named X-Content-Security- Policy, that works in a similar fashion to avoid rendering of malicious con- tent in the Mozilla browser.11 These HTTP declarative security headers are used to lower the risk of XSS attacks. However, some problems have been witnessed in the X-XSS-Protection header. 12 X-Content-Type-Options An attacker can inject code based on the content type set by the server. Browsers follow the content-type parameter in order to render the content of the page Figure 1: Applied declarative security as HTTP response headers in the world’s top 43 popular banks. correctly. They have to ensure that 12 Computer Fraud & Security July 2011
content is rendered according to the data type set by the server. Browsers should not sniff out any other content type that is not specified by the server, so the browser has to avoid sniffing MIME content that is not appropriate. In practice, the X-Content-Type-Options header prevents malicious rendering of content inside files by making the browser honour only the type given in the Content-Type HTTP response header.13,14

X-Download-Options
Browsers such as Internet Explorer provide inbuilt functionality to open a file directly in the site's domain when a download dialogue box is initiated. The X-Download-Options header is provided by Microsoft to combat attacks that arise from files being opened directly in the domain.15 This HTTP response header makes IE modify the download dialog box, removing the Open button (when the header carries the value noopen). This prevents the user from opening malicious files that might run content directly in the domain.

Figure 2: An iframe injected into a vulnerable bank website.

Strict-Transport-Security
Strict-Transport-Security is a declarative header used by websites to force browsers to send all traffic over HTTPS.15,16 A number of websites use both HTTP and HTTPS interfaces to set sessions. That is a risk because an attacker can inject malicious traffic on the plain-HTTP side to trick the browser into disclosing cookies; if this header is deployed, all communication with the site takes place under HTTPS. It should not be confused with the cookie 'secure' attribute, which only governs whether a cookie is sent over HTTPS, whereas Strict-Transport-Security applies to the whole communication. In general, X-Frame-Options and X-XSS-Protection have been used together to reduce the impact of attacks, while the other response headers are used in specific applications and web servers.

Testing
The motivation behind this experiment was to test the acceptance of the new protection features in an industry most susceptible to exploitation on the web. In the course of the experiment it is possible to judge how well the top banks are deploying HTTP declarative security. In general, a robust security solution consists of a collaborative implementation of client-side and server-side security, and HTTP declarative security provides an efficient way for the server to exercise some control over the browser in order to avoid a number of attacks. The objective of this testing is to check whether the critical web pages (configuration pages and pages with authentication) in the banks' websites implement declarative security.

Figure 3: XSS exploited in a bank's website in spite of Internet Explorer XSS filter.

Computer Fraud & Security, July 2011, page 13

Methodology
In order to perform analytical tests, a list of the top banks of 2010, as defined by Global Finance, was selected.1 The banks were chosen from around the world based on their financial ratings. This choice was made because the security of the banks that attract the top ratings is critical for safe monetary transactions, and the largest banks tend to be the preferred targets of attackers.

The testing involved Perl-based HTTP response enumeration scripts which sent a crafted HTTP request to the web server and detected the HTTP declarative security response headers of interest. In addition, the tests used the Firefox add-on HttpFox, an HTTP traffic analyser for scrutinising the state of the different HTTP headers.17 Other standard traffic-monitoring tools such as Wireshark and Microsoft's Netmon were used for packet dissection. The tests were conducted in Internet Explorer, Firefox and Google Chrome.

The outcome of this experiment is based entirely on the detection of the different HTTP declarative security response headers. The research also covered all the sub-domains of the main bank domains. The tests did not take into consideration attacks such as HTTP response splitting, which alter the state of the HTTP response headers. Close to 7,786 web pages were analysed, including supporting resources present in the different bank domains. Overall, the experiment was conducted on close to 200 bank websites, although this article only covers the results for the top banks.

Results
Some interesting results arose during the course of this study. At the time of running these tests, not a single bank website out of the top 50 banks was using declarative security in its HTTP response headers. It seems that the declarative security model has not yet been accepted by the online banking industry. Figure 1 shows the results of this experiment; the value NH indicates that no such header was received in the response. Some of the banks did not send a 'Server:' header at all, and one of them sent deliberately arbitrary values. The CDC, BBVA, OCBC and DB banks did not disclose the 'Server:' header in their HTTP responses, while Barclays bank changed the Server header between the values 'Red', 'Blue', 'Green' and 'Black' on consecutive requests.

Figure 4: XSS exploited in a bank's website in spite of Google Chrome XSS Auditor.

Figure 5: XSS – Content-Rendering scripting attack.

During the research, a number of vulnerabilities were spotted in this set of banks. These were reported to the administrators of the banks' websites. For completeness, the research included some tests to show that attacks are indeed possible. Figure 2 shows an iframe injection attack in one bank website that does not use X-Frame-Options. Since most browsers implement protection mechanisms based on declarative security, almost all browsers were tested in order to execute XSS. Apart from this, a lot of XSS injections were
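The Perl enumeration scripts used in the methodology above are not reproduced in the article. The following Python is an added example, not the authors' code: it parses a raw HTTP response and reports each declarative-security header the survey looked for as NH (the article's marker for "no header received"), ok, or weak, together with the Server header, and it includes a small WSGI middleware that adds the headers so the same audit can be run offline against a bare and a hardened response. The host name bank.example, the sample responses, the login_page application and the header values in HARDENED are constructed for the example; fetch_raw uses the standard http.client module if you want to audit a live host, and the CSP value is a placeholder policy, not a recommendation.

```python
"""Audit HTTP declarative-security headers and add them in WSGI.
Added example for this article, not the authors' Perl scripts."""
import http.client

NH = "NH"  # the article's marker: no such header in the response

# Headers the survey looked for, with the value a hardened site should send.
# None means any value counts as present; HSTS is checked separately.
EXPECTED = {
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": ("DENY", "SAMEORIGIN"),
    "X-Content-Type-Options": "nosniff",
    "X-Download-Options": "noopen",
    "X-Content-Security-Policy": None,
    "Strict-Transport-Security": None,
}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, {name: [values]})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def hsts_max_age(value):
    """max-age from a Strict-Transport-Security value, or -1 if malformed/absent."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def audit(raw):
    """Map each surveyed header to NH, 'ok' or 'weak: <value>'; also report Server."""
    _status, headers = parse_response(raw)
    report = {}
    for name, good in EXPECTED.items():
        values = headers.get(name.lower())
        if not values:
            report[name] = NH
            continue
        value = values[-1]
        if name == "Strict-Transport-Security":
            ok = hsts_max_age(value) > 0          # max-age=0 only clears the policy
        elif good is None:
            ok = True
        elif isinstance(good, tuple):
            ok = value.strip().upper() in good
        else:
            ok = value.replace(" ", "").lower() == good.replace(" ", "").lower()
        report[name] = "ok" if ok else f"weak: {value}"
    report["Server"] = headers.get("server", [NH])[-1]
    return report


# Values the middleware adds (constructed; the CSP is a placeholder policy).
HARDENED = [
    ("X-XSS-Protection", "1; mode=block"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Download-Options", "noopen"),
    ("X-Content-Security-Policy", "default-src 'self'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]


def add_security_headers(app):
    """WSGI middleware: add each hardened header unless the app already set it."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [(n, v) for n, v in HARDENED if n.lower() not in present]
            return start_response(status, list(headers) + extra, exc_info)
        return app(environ, sr)
    return wrapped


def login_page(environ, start_response):
    """Constructed stand-in for a bank login page that sends no security headers."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Server", "Apache")])
    return [b"<html><form method='post' action='/login'>...</form></html>"]


def render(app, path="/login"):
    """Run a WSGI app offline and return its response as raw HTTP/1.1 bytes."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
        return lambda _data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "bank.example",
               "SERVER_PORT": "443", "wsgi.url_scheme": "https"}
    body = b"".join(app(environ, start_response))
    head = f"HTTP/1.1 {captured['status']}\r\n" + "".join(
        f"{n}: {v}\r\n" for n, v in captured["headers"])
    return head.encode("latin-1") + b"\r\n" + body


def fetch_raw(host, path="/", timeout=10):
    """Fetch one page over HTTPS as raw bytes for audit() (network; not run offline)."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    conn.request("GET", path, headers={"User-Agent": "header-audit/0.1"})
    resp = conn.getresponse()
    head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n" + "".join(
        f"{n}: {v}\r\n" for n, v in resp.getheaders())
    return head.encode("latin-1") + b"\r\n" + resp.read()


# Constructed sample of what a bare bank page looked like in the survey.
SAMPLE_BARE = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
               b"Content-Type: text/html\r\n\r\n<html>login</html>")

if __name__ == "__main__":
    print("bare    ", audit(SAMPLE_BARE))
    print("hardened", audit(render(add_security_headers(login_page))))
```

The audit deliberately reads the last occurrence of a duplicated header and treats an HSTS max-age of 0 as weak, because a max-age of 0 is how a site revokes a policy rather than sets one; on a real sweep, feed fetch_raw's bytes for each page and sub-domain into audit and tabulate the NH entries as the article's Figure 1 does.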
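The Strict-Transport-Security section above contrasts the cookie 'secure' attribute with HSTS without showing what each actually changes in the browser. The following Python is an added model of the two mechanisms, not code from the article: a minimal HSTS store that records the header the way RFC 6797 prescribes (ignored on plain-HTTP responses, max-age=0 removes the policy, includeSubDomains covers child hosts) and rewrites http:// navigations to https://, beside a cookie check in which the secure flag only decides whether the cookie is attached. The host names online.bank.example and bank.example, the session cookie and the injected link are constructed for the example.

```python
"""Browser-side model: HSTS (RFC 6797) rewrites the request itself; a Secure
cookie only withholds the cookie.  Added illustration, not the article's code."""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float          # absolute time (seconds) at which the policy lapses
    include_subdomains: bool


@dataclass
class Cookie:
    name: str
    domain: str             # host-only cookie, for simplicity
    secure: bool


def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if the header is malformed."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """The 'known HSTS host' cache a browser keeps per host."""

    def __init__(self):
        self.entries = {}

    def record(self, host, header_value, received_over_https, now):
        """Process a Strict-Transport-Security header as a browser does: it is
        ignored on plain-HTTP responses (an attacker on the wire could otherwise
        forge or cancel policy), and max-age=0 deletes the entry."""
        if not received_over_https:
            return
        parsed = parse_hsts(header_value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)
        else:
            self.entries[host] = HstsEntry(now + max_age, include_sub)

    def is_known(self, host, now):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry.expires > now and (i == 0 or entry.include_subdomains):
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade an http:// URL to https:// for a known HSTS host.
        Port 80 becomes the https default; any other explicit port is kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def cookie_sent(cookie, url):
    """The whole effect of the secure attribute: the cookie is attached to a
    matching host only when the request is already https."""
    parts = urlsplit(url)
    if parts.hostname.lower() != cookie.domain.lower():
        return False
    return parts.scheme == "https" or not cookie.secure


def demo(now=0.0):
    """A bank that set HSTS once over https, and a session cookie without secure."""
    store = HstsStore()
    store.record("online.bank.example", "max-age=31536000; includeSubDomains", True, now)
    session = Cookie("SESSION", "online.bank.example", secure=False)
    url = "http://online.bank.example/account"    # e.g. a link injected by an attacker
    upgraded = store.rewrite(url, now)
    return {
        "sent_in_clear_without_hsts": cookie_sent(session, url),
        "request_with_hsts": upgraded,
        "sent_in_clear_with_hsts": urlsplit(upgraded).scheme == "http"
                                   and cookie_sent(session, upgraded),
    }
```

The point the model makes: a secure cookie leaves the plaintext request itself on the wire (and a non-secure session cookie travels with it), whereas an HSTS policy means the browser never issues the http:// request at all, so neither cookie nor page content is exposed to an attacker injecting into the HTTP side.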
evident in the banks' websites. Most of the reflective XSS attacks were rendered successfully by browsers that have XSS filters. Figure 3 shows a successful XSS attack in Internet Explorer conducted in one of the vulnerable bank websites. Figure 4 shows a successful XSS filter bypass in Google Chrome version 10.0.648.127. The examples discussed in this section show the ineffectiveness of client-side XSS filters in a number of browsers. However, continuous research and development is resulting in more secure client-side XSS filtering. For generic XSS vulnerabilities these filters provide appropriate protection by default, and they offer some further security when combined with declarative security in HTTP response headers.

XSS attacks are versatile in nature. Even with filters present it is often easy to bypass them, and in certain cases the declarative security headers used to control XSS fail as well. It is also notable that it was possible to manipulate the content type of the requested page to conduct an attack: a malicious PDF could be rendered in one of the vulnerable bank domains, and the PDF executed script. On testing, it was found that the domain was not configured to send X-Content-Type-Options. Figure 5 shows a successful content-type manipulation attack which exploits a remote file inclusion (RFI) vulnerability in one of the bank websites. This experiment shows the state of declarative security in bank websites.

Conclusion
This was a survey of the deployment of HTTP declarative security in the world's top banks. After analysing domains and sub-domains, it was found that, at the time of conducting these tests, not a single bank website showed the use of declarative security in its HTTP response headers. The results show that exploitation of security flaws can be reduced to some extent using declarative security, because it forces the browser to enforce protection. Declarative security in HTTP response headers can be considered an additional defence, even if proprietary web security solutions are deployed, because it triggers the security mechanisms in browsers. The online banking industry should implement these protections as opt-in security to thwart generic as well as targeted attacks.

About the authors
Aditya K Sood is a security researcher, consultant and PhD candidate at Michigan State University. He has worked in the security domain for Armorize, COSEINC and KPMG and founded SecNiche Security. He has been an active speaker at conferences such as RSA, Toorcon, Hacker Halted, TRISC, EuSecwest, XCON, OWASP AppSec and CERT-IN, and has written content for HITB Ezine, ISSA, ISACA, Elsevier, Hakin9 and Usenix Login.

Dr Richard Enbody is an Associate Professor in the Department of Computer Science and Engineering, Michigan State University. He joined the faculty in 1987 after earning his PhD in Computer Science from the University of Minnesota. His research interests are in computer security, computer architecture, web-based distance education and parallel processing. He has two patents pending on hardware buffer-overflow protection, which will prevent most computer worms and viruses. He recently co-authored a CS1 Python book, The Practice of Computing using Python.

References
1. 'World's 50 Safest Banks 2010'. Global Finance, 2 Sep 2010. Accessed June 2011. <http://www.gfmag.com/tools/best-banks/10533-worlds-50-safest-banks-2010.html>.
2. Lam, Jason. 'Adoption of x-frame-options header'. SANS AppSec Blog, 15 Oct 2009. Accessed June 2011. <http://blogs.sans.org/appsecstreetfighter/2009/10/15/adoption-of-x-frame-options-header/>.
3. 'Preventing Framebusting and Clickjacking'. Coderrr, 13 Feb 2009. Accessed 2011. <http://coderrr.wordpress.com/2009/02/13/preventing-frame-busting-and-click-jacking-ui-redressing>.
4. Hansen, R; Grossman, J. 'Clickjacking'. Ha.ckers, 15 Sep 2008. Accessed June 2011. <http://ha.ckers.org/blog/20080915/clickjacking>.
5. Stone, Paul. 'Next Generation Clickjacking Attacks'. BlackHat Conference, 14 Apr 2010. Accessed June 2011. <https://media.blackhat.com/bh-eu-10/presentations/Stone/BlackHat-EU-2010-Stone-Next-Generation-Clickjacking-slides.pdf>.
6. Balduzzi, M; Egele, M; Kirda, E; Balzarotti, D; Kruegel, C. 'A solution for the automated detection of clickjacking attacks'. In ASIACCS '10, 2010.
7. Barth, A; Jackson, C; Mitchell, JC. 'Robust defenses for cross-site request forgery'. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS 2008), 2008.
8. Barth, A; Jackson, C; Mitchell, JC. 'Securing frame communication in browsers'. Communications of the ACM (CACM 2009), 2009.
9. 'Event 1046 – Cross-Site Scripting Filter'. MSDN. <http://msdn.microsoft.com/en-us/library/dd565647%28v=vs.85%29.aspx>.
10. 'IE8 Security Part IV: The XSS Filter'. IEBlog, 2 Jul 2008. Accessed June 2011. <http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx>.
11. 'Secure Content Policy'. Mozilla Developer Network, 21 May 2010. Accessed June 2011. <https://wiki.mozilla.org/Security/CSP/Spec>.
12. Coates, Michael. 'IE8 XSS Filter Bug'. 20 Nov 2009. Accessed June 2011. <http://michael-coates.blogspot.com/2009/11/ie8-xss-filter-bug.html>.
13. 'HOWTO protect against malicious images and other non-HTML content'. Google Code. Restricted access. <http://code.google.com/p/doctype/wiki/ArticleContentSniffing>.
14. 'IE8 Security Part VI: Beta 2 Update'. IEBlog, 3 Sep 2008. Accessed June 2011. <http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx>.
15. Jackson, C; Barth, A. 'ForceHTTPS: Protecting High-Security Web Sites from Network Attacks'. In Proceedings of the 17th International World Wide Web Conference (WWW 2008).
16. 'Strict Transport Security'. W3C Open Specification, 18 Dec 2009. Accessed June 2011. <http://lists.w3.org/Archives/Public/www-archive/2009Dec/att-0048/draft-hodges-strict-transport-sec-06.plain.html>.
17. HttpFox browser add-on. Mozilla. Accessed June 2011. <https://addons.mozilla.org/en-us/firefox/addon/httpfox/>.

Resources
• 'IE8 Security Part V: Comprehensive Protection'. IEBlog, 2 Jul 2008. Accessed June 2011. <http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx>.

Security in the value chain
Simon Walker, Quantainia

Stephen Bonner, Barclays Bank's CISO, recently likened technology controls to the railings around a balcony – they allow you to get closer to the edge without falling off. Indeed, risk analysis of information assets is not wholly unlike buying and selling houses. It is a complex process, there are lots of hoops to jump through, and there are a number of pitfalls.

One of the most common errors is to base actions on superficially attractive but practically inadequate information – for example, overestimating the value of the property you're trying to sell, or underestimating how painful a big mortgage might become. Skimping on research will almost certainly result in pain later on. You might be tempted to base decisions on a convenient pipedream – 'my small house is worth at least £1m. Buyers will be queuing up. Never mind the leaking roof. Or the illegal extension. And I won't spend money on a lick of paint, or the railings on the balcony.' But this fantasy will rarely survive contact with reality.

So it is with the risk assessment of information assets. Just like property deals, the security assessor is likely to be part of a chain. A common pitfall is for senior leadership to skip over security risk assessment activity because the results are difficult to interpret, or merely politically inconvenient. A classic example here is penetration testing. Effective security risk assessment, on the other hand, makes sense on a number of levels: it helps ensure that products and services deliver on their promised value; it prevents nasty, expensive surprises; and it is the basis for sound decision-making. Perhaps most importantly, it may be what stops your chief executive having to make embarrassing public statements about subjects he doesn't really understand.

The PlayStation Network
The recent high-profile hacking of the Sony PlayStation Network (PSN) has provided some invaluable lessons for us all. The PSN service has a clear customer proposition. Its prime attractions rest in the open architecture and ready supply of downloadable games to purchase. Ease of access to services tends to mean quick authentication and seamless payment, which also means that user details, including card details, are stored somewhere easily accessible. Where you have such data stored, you have a cluster of information assets and hence you have something worth stealing. Also, if you're releasing a product for the young and technology-literate that needs to be globally accessible, you're mapping quite neatly onto the demographic that is often keenest to attempt breaking technology. Neither of these is a particularly abstruse fact, so what can have gone wrong?

Sony's value chain
Initial suggestions from Sony that the incident was orchestrated by 'hacktivist' group Anonymous have since been dismissed by the group itself, which was quick to issue a denial of the accusation. This seems to have been an attempt by Sony to excuse the incident and is in any case an irrelevance: the root causes of the incident were endemic, not a result of the actions of external influences.

The 'value chain' is a model that describes the activities of a firm within a specific industry, and consists of both primary and support activities. In Sony's case the former would include research, development, manufacture, marketing and sales, and after-sales service. Support activities would traditionally include organisational infrastructure elements – the internal IT, HR and other functions that span the primary productive ones. Each element has costs, and adds (or subtracts) value from the end result.