SlideShare ist ein Scribd-Unternehmen logo

Sunil - Hacking Firefox - ClubHack2007

Als PPT, PDF herunterladen
ClubHack
ClubHack
TechnologieNews & Politik
1 von 19
Hack Firefox to steal web-secrets Sunil Arora
How many of you use Firefox ?
Firefox and extensions ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object]
Lets meet john Uses internet for social networking. For example Facebook, orkut, myspace etc. Uses Email for professional as well as personal communication. For ex. Gmail, Yahoo or Corporate webemail Uses internet for his credit card transactions. For ex. Citibank, ICICI bank, HSBC etc Uses internet banking for managing his day to day finance activity Blogs on internet for professional as well as personal purpose.
John’s online world Problem Statement How to retrieve values of elements like username, password, credit card number, IPIN etc for a particular web resource (Gmail /Yahoo/Banking website etc)
Malware -Architecture Our Malware is nothing but a malicious Firefox extension Target List Secret List Secret Collector Engine Communicator Module
[object Object],Malware - Secret Collector -I Normal http request process Parse http request And Retrieve user typed Web secrets
Malware - Secret Collector - II ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],How to intercept http request “ Notifications” mechanism in Firefox ???
Malware -Target List Set of websites we want to steal secrets for URL: https://www.google.com/Auth Number of attributes: 2 Attribute Names: Email, Passwd
Malware - Secret List Set of collected secrets URL: https://www.google.com/Auth Number of attributes: 2 Name: Email, Value:john@gmail.com Name: Passwd Value :helloworld
Communicator Module Target List Secret List Internet
How it can find its way to john’s Firefox - I ,[object Object],[object Object],[object Object],[object Object]
[object Object],[object Object],[object Object],[object Object],How it can find its way to john’s FireFox - II
Firefox extension upgrade vulnerability ,[object Object],[object Object],[object Object],[object Object]
Facebook Extension ,[object Object],[object Object],[object Object],[object Object]
Attack Flow Facebook extension update Server Attacker’s update Server Hosting malicious extension John’s FF running Facebook extension Hacker running Master Server X Y Untrusted public network What is IP of update server Update server is at Y Fetches Target Lists Sends collected Secrets
Advisory ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Thank U [email_address]

Empfohlen

Wordpress security 101 202
Wordpress security 101 202Wordpress security 101 202
Wordpress security 101 202James Ruffer
 
Security presentation
Security presentationSecurity presentation
Security presentationSmart Mirror
 
Vulnerability assessment of PHP Frameworks
Vulnerability assessment of PHP FrameworksVulnerability assessment of PHP Frameworks
Vulnerability assessment of PHP FrameworksValency Networks
 
CSC1100 - Chapter09 - Computer Security, Ethics and Privacy
CSC1100 - Chapter09 - Computer Security, Ethics and PrivacyCSC1100 - Chapter09 - Computer Security, Ethics and Privacy
CSC1100 - Chapter09 - Computer Security, Ethics and PrivacyYhal Htet Aung
 
Wannacry Virus
Wannacry VirusWannacry Virus
Wannacry VirusEast West University
 
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-OnsAbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-Onsachettih
 
Today's malware aint what you think
Today's malware aint what you thinkToday's malware aint what you think
Today's malware aint what you thinkNathan Winters
 
The trojan horse virus
The trojan horse virusThe trojan horse virus
The trojan horse virusHTS Hosting
 

Empfohlen

Wordpress security 101 202
Wordpress security 101 202Wordpress security 101 202
Wordpress security 101 202James Ruffer
 
Security presentation
Security presentationSecurity presentation
Security presentationSmart Mirror
 
Vulnerability assessment of PHP Frameworks
Vulnerability assessment of PHP FrameworksVulnerability assessment of PHP Frameworks
Vulnerability assessment of PHP FrameworksValency Networks
 
CSC1100 - Chapter09 - Computer Security, Ethics and Privacy
CSC1100 - Chapter09 - Computer Security, Ethics and PrivacyCSC1100 - Chapter09 - Computer Security, Ethics and Privacy
CSC1100 - Chapter09 - Computer Security, Ethics and PrivacyYhal Htet Aung
 
Wannacry Virus
Wannacry VirusWannacry Virus
Wannacry VirusEast West University
 
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-OnsAbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-Onsachettih
 
Today's malware aint what you think
Today's malware aint what you thinkToday's malware aint what you think
Today's malware aint what you thinkNathan Winters
 
The trojan horse virus
The trojan horse virusThe trojan horse virus
The trojan horse virusHTS Hosting
 
Web server security challenges
Web server security challengesWeb server security challenges
Web server security challengesMartins Chibuike Onuoha
 
Techno Savvy Course Presentation
Techno Savvy Course PresentationTechno Savvy Course Presentation
Techno Savvy Course PresentationJesse Emerick
 
Introduction to Malwares
Introduction to MalwaresIntroduction to Malwares
Introduction to MalwaresAbdelhamid Limami
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesAvinash Sinha
 
MALWARE AND ITS TYPES
MALWARE AND ITS TYPES MALWARE AND ITS TYPES
MALWARE AND ITS TYPES Sagilasagi1
 
Ne Course Part One
Ne Course Part OneNe Course Part One
Ne Course Part Onebackdoor
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionWayne Huang
 
Symptoms of aol and remove
Symptoms of aol and removeSymptoms of aol and remove
Symptoms of aol and removejreidmichele
 
Rock you social game strategies
Rock you social game strategiesRock you social game strategies
Rock you social game strategiesweichengwendao
 
interview
interviewinterview
interviewKanishka Singh
 
Mujeres wayuu,
Mujeres wayuu,Mujeres wayuu,
Mujeres wayuu,walo0825
 
HERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOS
HERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOSHERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOS
HERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOSdianalzate87
 
Planificadorhoy. terminado
Planificadorhoy. terminadoPlanificadorhoy. terminado
Planificadorhoy. terminadomilesape
 
Splash page_2
Splash page_2Splash page_2
Splash page_2wallpapergirl
 
Creativos V2. .
Creativos V2. .Creativos V2. .
Creativos V2. .Inside Out Marketing
 
certificateMSU (17)
certificateMSU (17)certificateMSU (17)
certificateMSU (17)Kevin Parrish
 
Subtraccao e Adicao
Subtraccao e AdicaoSubtraccao e Adicao
Subtraccao e AdicaoRute Guilherme
 
International Shipping - Growing US Exports
International Shipping - Growing US ExportsInternational Shipping - Growing US Exports
International Shipping - Growing US Exportsbrianhodgson
 
Sheetal - Wirelesss Hacking - ClubHack2008
Sheetal - Wirelesss Hacking - ClubHack2008Sheetal - Wirelesss Hacking - ClubHack2008
Sheetal - Wirelesss Hacking - ClubHack2008ClubHack
 
AnbeFBECHeng
AnbeFBECHengAnbeFBECHeng
AnbeFBECHengCarsten Holm
 
Manual pentru evaluarea adecvata a impactului in siturile Natura 2000
Manual pentru evaluarea adecvata a impactului in siturile Natura 2000Manual pentru evaluarea adecvata a impactului in siturile Natura 2000
Manual pentru evaluarea adecvata a impactului in siturile Natura 2000Roxana Mazilu
 
Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09
Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09
Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09weichengwendao
 

Weitere ähnliche Inhalte

Was ist angesagt?

Techno Savvy Course Presentation
Techno Savvy Course PresentationTechno Savvy Course Presentation
Techno Savvy Course PresentationJesse Emerick
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesAvinash Sinha
 
MALWARE AND ITS TYPES
MALWARE AND ITS TYPES MALWARE AND ITS TYPES
MALWARE AND ITS TYPES Sagilasagi1
 
Ne Course Part One
Ne Course Part OneNe Course Part One
Ne Course Part Onebackdoor
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionWayne Huang
 
Symptoms of aol and remove
Symptoms of aol and removeSymptoms of aol and remove
Symptoms of aol and removejreidmichele
 

Was ist angesagt? (8)

Web server security challenges
Web server security challengesWeb server security challenges
Web server security challenges
 
Techno Savvy Course Presentation
Techno Savvy Course PresentationTechno Savvy Course Presentation
Techno Savvy Course Presentation
 
Introduction to Malwares
Introduction to MalwaresIntroduction to Malwares
Introduction to Malwares
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation Techniques
 
MALWARE AND ITS TYPES
MALWARE AND ITS TYPES MALWARE AND ITS TYPES
MALWARE AND ITS TYPES
 
Ne Course Part One
Ne Course Part OneNe Course Part One
Ne Course Part One
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
 
Symptoms of aol and remove
Symptoms of aol and removeSymptoms of aol and remove
Symptoms of aol and remove
 

Andere mochten auch

Rock you social game strategies
Rock you social game strategiesRock you social game strategies
Rock you social game strategiesweichengwendao
 
Mujeres wayuu,
Mujeres wayuu,Mujeres wayuu,
Mujeres wayuu,walo0825
 
HERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOS
HERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOSHERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOS
HERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOSdianalzate87
 
Planificadorhoy. terminado
Planificadorhoy. terminadoPlanificadorhoy. terminado
Planificadorhoy. terminadomilesape
 
International Shipping - Growing US Exports
International Shipping - Growing US ExportsInternational Shipping - Growing US Exports
International Shipping - Growing US Exportsbrianhodgson
 
Sheetal - Wirelesss Hacking - ClubHack2008
Sheetal - Wirelesss Hacking - ClubHack2008Sheetal - Wirelesss Hacking - ClubHack2008
Sheetal - Wirelesss Hacking - ClubHack2008ClubHack
 
Manual pentru evaluarea adecvata a impactului in siturile Natura 2000
Manual pentru evaluarea adecvata a impactului in siturile Natura 2000Manual pentru evaluarea adecvata a impactului in siturile Natura 2000
Manual pentru evaluarea adecvata a impactului in siturile Natura 2000Roxana Mazilu
 
Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09
Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09
Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09weichengwendao
 
moca Poster a2 2
moca Poster a2 2moca Poster a2 2
moca Poster a2 2Arai Ran
 
Elisangel apassoapasso maiseducacao
Elisangel apassoapasso maiseducacaoElisangel apassoapasso maiseducacao
Elisangel apassoapasso maiseducacaoSirlene Sena
 

Andere mochten auch (20)

Rock you social game strategies
Rock you social game strategiesRock you social game strategies
Rock you social game strategies
 
interview
interviewinterview
interview
 
Mujeres wayuu,
Mujeres wayuu,Mujeres wayuu,
Mujeres wayuu,
 
HERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOS
HERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOSHERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOS
HERRAMIENTAS DIGITALES PARA LA GESTIÓN DEL CONOCIMIENTOS
 
Planificadorhoy. terminado
Planificadorhoy. terminadoPlanificadorhoy. terminado
Planificadorhoy. terminado
 
Splash page_2
Splash page_2Splash page_2
Splash page_2
 
Creativos V2. .
Creativos V2. .Creativos V2. .
Creativos V2. .
 
certificateMSU (17)
certificateMSU (17)certificateMSU (17)
certificateMSU (17)
 
Subtraccao e Adicao
Subtraccao e AdicaoSubtraccao e Adicao
Subtraccao e Adicao
 
International Shipping - Growing US Exports
International Shipping - Growing US ExportsInternational Shipping - Growing US Exports
International Shipping - Growing US Exports
 
Sheetal - Wirelesss Hacking - ClubHack2008
Sheetal - Wirelesss Hacking - ClubHack2008Sheetal - Wirelesss Hacking - ClubHack2008
Sheetal - Wirelesss Hacking - ClubHack2008
 
AnbeFBECHeng
AnbeFBECHengAnbeFBECHeng
AnbeFBECHeng
 
Manual pentru evaluarea adecvata a impactului in siturile Natura 2000
Manual pentru evaluarea adecvata a impactului in siturile Natura 2000Manual pentru evaluarea adecvata a impactului in siturile Natura 2000
Manual pentru evaluarea adecvata a impactului in siturile Natura 2000
 
Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09
Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09
Com score state_of_social_networks_in_ap_with_focus_on_singapore_nov09
 
Photography.compressed
Photography.compressedPhotography.compressed
Photography.compressed
 
7
77
7
 
moca Poster a2 2
moca Poster a2 2moca Poster a2 2
moca Poster a2 2
 
Adam
AdamAdam
Adam
 
Elisangel apassoapasso maiseducacao
Elisangel apassoapasso maiseducacaoElisangel apassoapasso maiseducacao
Elisangel apassoapasso maiseducacao
 
Healbe
HealbeHealbe
Healbe
 

Ähnlich wie Sunil - Hacking Firefox - ClubHack2007

Firefox security (prasanna)
Firefox security (prasanna) Firefox security (prasanna)
Firefox security (prasanna) ClubHack
 
The Corporate Web Security Landscape
The Corporate Web Security LandscapeThe Corporate Web Security Landscape
The Corporate Web Security LandscapePeter Wood
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Cenzic
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasAditya K Sood
 
File Inclusion.pdf
File Inclusion.pdfFile Inclusion.pdf
File Inclusion.pdfOkan YILDIZ
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiSTO STRATEGY
 
3 Hkcert Trend
3 Hkcert Trend3 Hkcert Trend
3 Hkcert TrendSC Leung
 
Ransomware and email security ver - 1.3
Ransomware and email security ver - 1.3Ransomware and email security ver - 1.3
Ransomware and email security ver - 1.3Denise Bailey
 
Cyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxCyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxDrMajidMumtaz
 
01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.pptSadiaMuqaddas
 
Computer and Network Security
Computer and Network SecurityComputer and Network Security
Computer and Network SecurityAsif Raza
 
01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.pptROHITCHHOKER3
 
Module 11 (hacking web servers)
Module 11 (hacking web servers)Module 11 (hacking web servers)
Module 11 (hacking web servers)Wail Hassan
 
Password Attack
Password Attack Password Attack
Password Attack Sina Manavi
 
How Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software VulnerabilitiesHow Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software VulnerabilitiesBunmi Sowande
 
091005 Internet Security
091005 Internet Security091005 Internet Security
091005 Internet Securitydkp205
 
WordPress Security Presentation
WordPress Security PresentationWordPress Security Presentation
WordPress Security PresentationAndrew Paton
 
Elsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserElsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserAditya K Sood
 

Ähnlich wie Sunil - Hacking Firefox - ClubHack2007 (20)

Firefox security (prasanna)
Firefox security (prasanna) Firefox security (prasanna)
Firefox security (prasanna)
 
The Corporate Web Security Landscape
The Corporate Web Security LandscapeThe Corporate Web Security Landscape
The Corporate Web Security Landscape
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
 
File Inclusion.pdf
File Inclusion.pdfFile Inclusion.pdf
File Inclusion.pdf
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part ii
 
3 Hkcert Trend
3 Hkcert Trend3 Hkcert Trend
3 Hkcert Trend
 
Ransomware and email security ver - 1.3
Ransomware and email security ver - 1.3Ransomware and email security ver - 1.3
Ransomware and email security ver - 1.3
 
Cyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxCyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptx
 
01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.ppt
 
Computer and Network Security
Computer and Network SecurityComputer and Network Security
Computer and Network Security
 
01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.ppt
 
01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.ppt
 
Module 11 (hacking web servers)
Module 11 (hacking web servers)Module 11 (hacking web servers)
Module 11 (hacking web servers)
 
Methods Hackers Use
Methods Hackers UseMethods Hackers Use
Methods Hackers Use
 
Password Attack
Password Attack Password Attack
Password Attack
 
How Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software VulnerabilitiesHow Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software Vulnerabilities
 
091005 Internet Security
091005 Internet Security091005 Internet Security
091005 Internet Security
 
WordPress Security Presentation
WordPress Security PresentationWordPress Security Presentation
WordPress Security Presentation
 
Elsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserElsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the Browser
 

Mehr von ClubHack

India legal 31 october 2014
India legal 31 october 2014India legal 31 october 2014
India legal 31 october 2014ClubHack
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreCyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreClubHack
 
Cyber Insurance
Cyber InsuranceCyber Insurance
Cyber InsuranceClubHack
 
Summarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatSummarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatClubHack
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleFatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleClubHack
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianClubHack
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...ClubHack
 
Smart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodSmart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodClubHack
 
Legal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalLegal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalClubHack
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathClubHack
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanHybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanClubHack
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyClubHack
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiClubHack
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaContent Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaClubHack
 
XSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiXSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiClubHack
 
Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012ClubHack
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack
 
ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack
 
ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack
 
ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack
 

Mehr von ClubHack (20)

India legal 31 october 2014
India legal 31 october 2014India legal 31 october 2014
India legal 31 october 2014
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreCyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
 
Cyber Insurance
Cyber InsuranceCyber Insurance
Cyber Insurance
 
Summarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatSummarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threat
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleFatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep Kamble
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas Kurian
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
 
Smart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodSmart Grid Security by Falgun Rathod
Smart Grid Security by Falgun Rathod
 
Legal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalLegal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara Agrawal
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy Hiremath
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanHybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish Bomisstty
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh Belgi
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaContent Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
 
XSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiXSS Shell by Vandan Joshi
XSS Shell by Vandan Joshi
 
Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012
 
ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012
 
ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012
 
ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack Magazine – December 2011
ClubHack Magazine – December 2011
 

Kürzlich hochgeladen

DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 

Kürzlich hochgeladen (20)

DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 

Sunil - Hacking Firefox - ClubHack2007

  • 1. Hack Firefox to steal web-secrets Sunil Arora
  • 2. How many of you use Firefox ?
  • 3.
  • 4.
  • 5. Lets meet john Uses internet for social networking. For example Facebook, orkut, myspace etc. Uses Email for professional as well as personal communication. For ex. Gmail, Yahoo or Corporate webemail Uses internet for his credit card transactions. For ex. Citibank, ICICI bank, HSBC etc Uses internet banking for managing his day to day finance activity Blogs on internet for professional as well as personal purpose.
  • 6. John’s online world Problem Statement How to retrieve values of elements like username, password, credit card number, IPIN etc for a particular web resource (Gmail /Yahoo/Banking website etc)
  • 7. Malware -Architecture Our Malware is nothing but a malicious Firefox extension Target List Secret List Secret Collector Engine Communicator Module
  • 8.
  • 9.
  • 10. Malware -Target List Set of websites we want to steal secrets for URL: https://www.google.com/Auth Number of attributes: 2 Attribute Names: Email, Passwd
  • 11. Malware - Secret List Set of collected secrets URL: https://www.google.com/Auth Number of attributes: 2 Name: Email, Value:john@gmail.com Name: Passwd Value :helloworld
  • 12. Communicator Module Target List Secret List Internet
  • 13.
  • 14.
  • 15.
  • 16.
  • 17. Attack Flow Facebook extension update Server Attacker’s update Server Hosting malicious extension John’s FF running Facebook extension Hacker running Master Server X Y Untrusted public network What is IP of update server Update server is at Y Fetches Target Lists Sends collected Secrets
  • 18.