SlideShare ist ein Scribd-Unternehmen logo

Renaud Bido & Mohammad Shams - Hijacking web servers & clients

Als PPT, PDF herunterladen
N
nooralmousa
Technologie
1 von 30
Hijacking Web Servers & Clients New generation threats and mitigation Renaud Bidou - CTO Mohammad ShAms – Director, ME Operations
DenyAll & RECRO-NET ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
DenyAll in France
DenyAll WorldWide DIRF – SOCIETE GENERALE – EGE - CNSS – etc. SOCIETE GENERALE ANSI, ZITOUNA BANK – MINISTERE INTERIEUR - etc. SOCIETE GENERALE, etc. SH&Co, etc. BNPP, etc. SOCIETE GENERALE, etc. ACCOR - SOCIETE GENERALE - AREVA – etc. Accor, etc. BNP PARIBAS INSURANCE - ACCOR – etc. BNPP Insurance, etc. BNPP Insurance, etc. BNPP Insurance, etc. BNPP, etc. IP LIMITED, etc. SOCIETE GENERALE LUX – EBRC - CACEIS – etc. DANSKE BANK – KOPENHAGEN-FUR – etc. AKTIA BANK, etc. SENTOR – SVERIGE – etc TOYOTA BANK – etc. SITEL FRIBOURG - BNP PARIBAS CH - TOTAL SA – SOCIETE GENERALE PB – STIHL – IWB – etc. GROUPAMA – TDN – BT – IB SALUT – SATEC CANTABRIA – JUNTA DE EXTREMADURA – etc. ARAG-IT – BASF-IT – ARAGO – UNIONINVEST – BROSE – BSH – ENDRESS-HAUSER – NETCONSULT – HELMICH – STADTWERKE – INVIK-BANK – JULIUS-BAR-BANK – MARKANT – BIT – STIHL – TECHEM – THURINGER – ATOS WORLDLINE – etc. BNP PARIBAS UK - ARVAL UK – etc. . LA POSTE – DZ BANK – PETERCAM -etc INPS, etc
Threats Overview
Why Application Security ? 75% of all attacks are directed to the Web applications layer 2/3 of all Web applications are vulnerable In the first half 2010 web application vulnerabilities have reached 50 per cent of all code flaws reported. Most web site owners fail to scan effectively for the common flaws. Application patching is much slower than Operating System patching.
Web Attacks Targets & Impacts Information Leak Credentials Theft Identity Theft Authorization Abuses Transaction Compromise Defacement Malware Planting Session Hijacking Denial of Service Bounce Password Guess Remote Control Data Theft Data Corruption Data Deletion Remote Control Persistent Injections Processes Corruption Data Interception Denial of Service Client Web Server Database Server Application Servers / Web Services
Hijacking Servers & Clients Information Leak Credentials Theft Identity Theft Authorization Abuses Transaction Compromise Defacement Malware Planting Session Hijacking Denial of Service Bounce Password Guess Remote Control Data Theft Data Corruption Data Deletion Remote Control Persistent Injections Processes Corruption Data Interception Denial of Service Client Web Server Database Server Application Servers / Web Services
Threats Keyloggers
What is a keylogger ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Example : A simple keylogger ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Example : A simple keylogger
Threats Browsers Compromise
Code Injection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Browser Internals NTDLL.DLL KERNEL32.DLL USER32.DLL WININET.DLL URLMON.DLL MSHTML.DLL SHDOCVW.DLL BROWSEUI.DLL IEXPLORE.EXE Tab 1 Tab n IE user interface Bars, menus etc. Browser Control Navigation, history Exposes ActiveX interface Rendering MIME handling Code download Security IP Handler HTTP & FTP Windows UI Handles components Base API Calls NTDLL API Native API OS user-mode components ~200.000 function calls at IE launch You cannot monitor everything
Browser Attack Surface WININET.DLL URLMON.DLL MSHTML.DLL SHDOCVW.DLL BROWSEUI.DLL IEXPLORE.EXE Tab 1 Tab n Control navigation Control display Alter security policy Communicate…
An example ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Example : A simple keylogger
Threats Servers Compromise
What is Cross-Site Scripting ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Impacts of XSS ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Dangers of XSS ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
101 XSS exploitation ,[object Object],[object Object],[object Object],[object Object],[object Object]
Real XSS Exploitation Method ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
4 players game schema 1 . Hacker compromises Relay 2 . Hacker exploits XSS vulnerability 3 . Victim goes on compromised page 4 . Malicious Javascript is loaded on Victim 6 . Victim sends information to Relay 7 . Information sent back to Hacker 5 . Victim executes Javascript 8 . Relay sends new commands to Victim
PoC – The XSS Popup ,[object Object],[object Object]
Portscan ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Redirection ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Thank you for your valuable time Q&A
(Distributor for Middle East & SE Europe ) 2702A Business Central Towers Dubai Internet City, PO. Box: 503012 Dubai, United Arab Emirates Tel: 04-3754306 E-mail: middle-east@recro-net.com www.recro-net.com

Empfohlen

Are Bot Operators Eating Your Lunch?
Are Bot Operators Eating Your Lunch?Are Bot Operators Eating Your Lunch?
Are Bot Operators Eating Your Lunch?
Distil Networks
 
Essential Defense by Kevin Cardwell
Essential Defense by Kevin CardwellEssential Defense by Kevin Cardwell
Essential Defense by Kevin Cardwell
EC-Council
 
How to remove presto savings
How to remove presto savingsHow to remove presto savings
How to remove presto savings
MU
 
Ransomware attack
Ransomware attackRansomware attack
Ransomware attack
Amna
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for Developers
Mike North
 
englishresume-sg
englishresume-sgenglishresume-sg
englishresume-sg
丽 管
 
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-INWannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
Vijay Sarathy Rangayyan
 
Newtabcontent
NewtabcontentNewtabcontent
Newtabcontent
Ashok Albert
 

Empfohlen

Are Bot Operators Eating Your Lunch?
Are Bot Operators Eating Your Lunch?Are Bot Operators Eating Your Lunch?
Are Bot Operators Eating Your Lunch?
Distil Networks
 
Essential Defense by Kevin Cardwell
Essential Defense by Kevin CardwellEssential Defense by Kevin Cardwell
Essential Defense by Kevin Cardwell
EC-Council
 
How to remove presto savings
How to remove presto savingsHow to remove presto savings
How to remove presto savings
MU
 
Ransomware attack
Ransomware attackRansomware attack
Ransomware attack
Amna
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for Developers
Mike North
 
englishresume-sg
englishresume-sgenglishresume-sg
englishresume-sg
丽 管
 
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-INWannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
Vijay Sarathy Rangayyan
 
Newtabcontent
NewtabcontentNewtabcontent
Newtabcontent
Ashok Albert
 
Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...
Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...
Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...
HackIT Ukraine
 
Ghost in the Browser: Broad-Scale Espionage with Bitsquatting
Ghost in the Browser: Broad-Scale Espionage with Bitsquatting Ghost in the Browser: Broad-Scale Espionage with Bitsquatting
Ghost in the Browser: Broad-Scale Espionage with Bitsquatting
Bishop Fox
 
Ransomware
RansomwareRansomware
Ransomware
Chaitali Sharma
 
Web Security Training : Tonex Training
Web Security Training : Tonex TrainingWeb Security Training : Tonex Training
Web Security Training : Tonex Training
Bryan Len
 
Ransomware attacks 2017
Ransomware attacks 2017Ransomware attacks 2017
Ransomware attacks 2017
Thesis Scientist Private Limited
 
Malware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adwareMalware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adware
Cyphort
 
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana)
Pratimesh Pathak
 
Site guard
Site guardSite guard
Site guard
Complethost Soluciones Internet
 
Securing Remote Access
Securing Remote AccessSecuring Remote Access
Securing Remote Access
Granbury Solutions
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
Jeremiah Grossman
 
The rise of malware(ransomware)
The rise of malware(ransomware)The rise of malware(ransomware)
The rise of malware(ransomware)
phexcom1
 
Ransomware Attack
Ransomware AttackRansomware Attack
Ransomware Attack
doiss delhi
 
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)
Jeremiah Grossman
 
Module 11 (hacking web servers)
Module 11 (hacking web servers)Module 11 (hacking web servers)
Module 11 (hacking web servers)
Wail Hassan
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Wayne Huang
 
StMaarten-workshop-final
StMaarten-workshop-finalStMaarten-workshop-final
StMaarten-workshop-final
Anton Kaska
 
Jean pier talbot - web is the battlefield - atlseccon2011
Jean pier talbot - web is the battlefield - atlseccon2011Jean pier talbot - web is the battlefield - atlseccon2011
Jean pier talbot - web is the battlefield - atlseccon2011
Atlantic Security Conference
 
Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...
Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...
Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...
Roger Hagedorn
 
Ransomware
RansomwareRansomware
Ransomware
Akshita Pillai
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Wayne Huang
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
Aditya K Sood
 

Weitere ähnliche Inhalte

Was ist angesagt?

Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...
Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...
Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...
HackIT Ukraine
 
Ghost in the Browser: Broad-Scale Espionage with Bitsquatting
Ghost in the Browser: Broad-Scale Espionage with Bitsquatting Ghost in the Browser: Broad-Scale Espionage with Bitsquatting
Ghost in the Browser: Broad-Scale Espionage with Bitsquatting
Bishop Fox
 
Web Security Training : Tonex Training
Web Security Training : Tonex TrainingWeb Security Training : Tonex Training
Web Security Training : Tonex Training
Bryan Len
 
Site guard
Site guardSite guard
Site guard
Complethost Soluciones Internet
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
Jeremiah Grossman
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Wayne Huang
 
StMaarten-workshop-final
StMaarten-workshop-finalStMaarten-workshop-final
StMaarten-workshop-final
Anton Kaska
 

Was ist angesagt? (20)

Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...
Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...
Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...
 
Ghost in the Browser: Broad-Scale Espionage with Bitsquatting
Ghost in the Browser: Broad-Scale Espionage with Bitsquatting Ghost in the Browser: Broad-Scale Espionage with Bitsquatting
Ghost in the Browser: Broad-Scale Espionage with Bitsquatting
 
Ransomware
RansomwareRansomware
Ransomware
 
Web Security Training : Tonex Training
Web Security Training : Tonex TrainingWeb Security Training : Tonex Training
Web Security Training : Tonex Training
 
Ransomware attacks 2017
Ransomware attacks 2017Ransomware attacks 2017
Ransomware attacks 2017
 
Malware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adwareMalware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adware
 
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana)
 
Site guard
Site guardSite guard
Site guard
 
Securing Remote Access
Securing Remote AccessSecuring Remote Access
Securing Remote Access
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
The rise of malware(ransomware)
The rise of malware(ransomware)The rise of malware(ransomware)
The rise of malware(ransomware)
 
Ransomware Attack
Ransomware AttackRansomware Attack
Ransomware Attack
 
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)
 
Module 11 (hacking web servers)
Module 11 (hacking web servers)Module 11 (hacking web servers)
Module 11 (hacking web servers)
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
 
StMaarten-workshop-final
StMaarten-workshop-finalStMaarten-workshop-final
StMaarten-workshop-final
 
Jean pier talbot - web is the battlefield - atlseccon2011
Jean pier talbot - web is the battlefield - atlseccon2011Jean pier talbot - web is the battlefield - atlseccon2011
Jean pier talbot - web is the battlefield - atlseccon2011
 
Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...
Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...
Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...
 
Ransomware
RansomwareRansomware
Ransomware
 

Ähnlich wie Renaud Bido & Mohammad Shams - Hijacking web servers & clients

Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Wayne Huang
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
Aditya K Sood
 
Volume And Vectors 090416
Volume And Vectors 090416Volume And Vectors 090416
Volume And Vectors 090416
Anthony Arrott
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
Jeremiah Grossman
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Abdul Wahid
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
drewz lin
 

Ähnlich wie Renaud Bido & Mohammad Shams - Hijacking web servers & clients (20)

Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII students
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
 
WebRTC Security Concerns, a real problem?
WebRTC Security Concerns, a real problem?WebRTC Security Concerns, a real problem?
WebRTC Security Concerns, a real problem?
 
web-security-1215757214755670-9.pdf
web-security-1215757214755670-9.pdfweb-security-1215757214755670-9.pdf
web-security-1215757214755670-9.pdf
 
Volume And Vectors 090416
Volume And Vectors 090416Volume And Vectors 090416
Volume And Vectors 090416
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec Training
 
Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq
 
The Whys and Wherefores of Web Security – by United Security Providers
The Whys and Wherefores of Web Security – by United Security ProvidersThe Whys and Wherefores of Web Security – by United Security Providers
The Whys and Wherefores of Web Security – by United Security Providers
 
DEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.pptDEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.ppt
 
4.Xss
4.Xss4.Xss
4.Xss
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source Security
 
Security_Bootcamp_Intro
Security_Bootcamp_IntroSecurity_Bootcamp_Intro
Security_Bootcamp_Intro
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
 
Hacking by Pratyush Gupta
Hacking by Pratyush GuptaHacking by Pratyush Gupta
Hacking by Pratyush Gupta
 

Mehr von nooralmousa

Mr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration Testing
Mr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration TestingMr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration Testing
Mr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration Testing
nooralmousa
 
Mr. Bulent Teksoz - Security trends and innovations
Mr. Bulent Teksoz - Security trends and innovationsMr. Bulent Teksoz - Security trends and innovations
Mr. Bulent Teksoz - Security trends and innovations
nooralmousa
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
nooralmousa
 
Mr. Khalid Shaikh - emerging trends in managing it security
Mr. Khalid Shaikh - emerging trends in managing it securityMr. Khalid Shaikh - emerging trends in managing it security
Mr. Khalid Shaikh - emerging trends in managing it security
nooralmousa
 
Mr. Andrey Belenko - secure password managers and military-grade encryption o...
Mr. Andrey Belenko - secure password managers and military-grade encryption o...Mr. Andrey Belenko - secure password managers and military-grade encryption o...
Mr. Andrey Belenko - secure password managers and military-grade encryption o...
nooralmousa
 
Mr. Burhan Khalid - secure dev.
Mr. Burhan Khalid - secure dev.Mr. Burhan Khalid - secure dev.
Mr. Burhan Khalid - secure dev.
nooralmousa
 
Sudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity modelSudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity model
nooralmousa
 
Meraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless worldMeraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless world
nooralmousa
 
Ahmed Al Barrak - Staff information security practices - a latent threat
Ahmed Al Barrak - Staff information security practices - a latent threatAhmed Al Barrak - Staff information security practices - a latent threat
Ahmed Al Barrak - Staff information security practices - a latent threat
nooralmousa
 
Fadi Mutlak - Information security governance
Fadi Mutlak - Information security governanceFadi Mutlak - Information security governance
Fadi Mutlak - Information security governance
nooralmousa
 
Mohammed Al Mulla - Best practices to secure working environments
Mohammed Al Mulla - Best practices to secure working environmentsMohammed Al Mulla - Best practices to secure working environments
Mohammed Al Mulla - Best practices to secure working environments
nooralmousa
 
Pradeep menon how to influence people and win top management buy0in for ciso
Pradeep menon how to influence people and win top management buy0in for cisoPradeep menon how to influence people and win top management buy0in for ciso
Pradeep menon how to influence people and win top management buy0in for ciso
nooralmousa
 
Nabil Malik - Security performance metrics
Nabil Malik - Security performance metricsNabil Malik - Security performance metrics
Nabil Malik - Security performance metrics
nooralmousa
 
Khaled al amri using fingerprints as private and public keys
Khaled al amri using fingerprints as private and public keysKhaled al amri using fingerprints as private and public keys
Khaled al amri using fingerprints as private and public keys
nooralmousa
 
Hisham Dalle - Zero client computing - taking the desktop into the cloud
Hisham Dalle - Zero client computing - taking the desktop into the cloudHisham Dalle - Zero client computing - taking the desktop into the cloud
Hisham Dalle - Zero client computing - taking the desktop into the cloud
nooralmousa
 
Ghassan farra it security a cio perspective
Ghassan farra it security a cio perspectiveGhassan farra it security a cio perspective
Ghassan farra it security a cio perspective
nooralmousa
 
Taiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloudTaiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloud
nooralmousa
 

Mehr von nooralmousa (17)

Mr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration Testing
Mr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration TestingMr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration Testing
Mr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration Testing
 
Mr. Bulent Teksoz - Security trends and innovations
Mr. Bulent Teksoz - Security trends and innovationsMr. Bulent Teksoz - Security trends and innovations
Mr. Bulent Teksoz - Security trends and innovations
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
Mr. Khalid Shaikh - emerging trends in managing it security
Mr. Khalid Shaikh - emerging trends in managing it securityMr. Khalid Shaikh - emerging trends in managing it security
Mr. Khalid Shaikh - emerging trends in managing it security
 
Mr. Andrey Belenko - secure password managers and military-grade encryption o...
Mr. Andrey Belenko - secure password managers and military-grade encryption o...Mr. Andrey Belenko - secure password managers and military-grade encryption o...
Mr. Andrey Belenko - secure password managers and military-grade encryption o...
 
Mr. Burhan Khalid - secure dev.
Mr. Burhan Khalid - secure dev.Mr. Burhan Khalid - secure dev.
Mr. Burhan Khalid - secure dev.
 
Sudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity modelSudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity model
 
Meraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless worldMeraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless world
 
Ahmed Al Barrak - Staff information security practices - a latent threat
Ahmed Al Barrak - Staff information security practices - a latent threatAhmed Al Barrak - Staff information security practices - a latent threat
Ahmed Al Barrak - Staff information security practices - a latent threat
 
Fadi Mutlak - Information security governance
Fadi Mutlak - Information security governanceFadi Mutlak - Information security governance
Fadi Mutlak - Information security governance
 
Mohammed Al Mulla - Best practices to secure working environments
Mohammed Al Mulla - Best practices to secure working environmentsMohammed Al Mulla - Best practices to secure working environments
Mohammed Al Mulla - Best practices to secure working environments
 
Pradeep menon how to influence people and win top management buy0in for ciso
Pradeep menon how to influence people and win top management buy0in for cisoPradeep menon how to influence people and win top management buy0in for ciso
Pradeep menon how to influence people and win top management buy0in for ciso
 
Nabil Malik - Security performance metrics
Nabil Malik - Security performance metricsNabil Malik - Security performance metrics
Nabil Malik - Security performance metrics
 
Khaled al amri using fingerprints as private and public keys
Khaled al amri using fingerprints as private and public keysKhaled al amri using fingerprints as private and public keys
Khaled al amri using fingerprints as private and public keys
 
Hisham Dalle - Zero client computing - taking the desktop into the cloud
Hisham Dalle - Zero client computing - taking the desktop into the cloudHisham Dalle - Zero client computing - taking the desktop into the cloud
Hisham Dalle - Zero client computing - taking the desktop into the cloud
 
Ghassan farra it security a cio perspective
Ghassan farra it security a cio perspectiveGhassan farra it security a cio perspective
Ghassan farra it security a cio perspective
 
Taiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloudTaiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloud
 

Kürzlich hochgeladen

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 

Kürzlich hochgeladen (20)

presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 

Renaud Bido & Mohammad Shams - Hijacking web servers & clients

  • 1. Hijacking Web Servers & Clients New generation threats and mitigation Renaud Bidou - CTO Mohammad ShAms – Director, ME Operations
  • 2.
  • 4. DenyAll WorldWide DIRF – SOCIETE GENERALE – EGE - CNSS – etc. SOCIETE GENERALE ANSI, ZITOUNA BANK – MINISTERE INTERIEUR - etc. SOCIETE GENERALE, etc. SH&Co, etc. BNPP, etc. SOCIETE GENERALE, etc. ACCOR - SOCIETE GENERALE - AREVA – etc. Accor, etc. BNP PARIBAS INSURANCE - ACCOR – etc. BNPP Insurance, etc. BNPP Insurance, etc. BNPP Insurance, etc. BNPP, etc. IP LIMITED, etc. SOCIETE GENERALE LUX – EBRC - CACEIS – etc. DANSKE BANK – KOPENHAGEN-FUR – etc. AKTIA BANK, etc. SENTOR – SVERIGE – etc TOYOTA BANK – etc. SITEL FRIBOURG - BNP PARIBAS CH - TOTAL SA – SOCIETE GENERALE PB – STIHL – IWB – etc. GROUPAMA – TDN – BT – IB SALUT – SATEC CANTABRIA – JUNTA DE EXTREMADURA – etc. ARAG-IT – BASF-IT – ARAGO – UNIONINVEST – BROSE – BSH – ENDRESS-HAUSER – NETCONSULT – HELMICH – STADTWERKE – INVIK-BANK – JULIUS-BAR-BANK – MARKANT – BIT – STIHL – TECHEM – THURINGER – ATOS WORLDLINE – etc. BNP PARIBAS UK - ARVAL UK – etc. . LA POSTE – DZ BANK – PETERCAM -etc INPS, etc
  • 6. Why Application Security ? 75% of all attacks are directed to the Web applications layer 2/3 of all Web applications are vulnerable In the first half 2010 web application vulnerabilities have reached 50 per cent of all code flaws reported. Most web site owners fail to scan effectively for the common flaws. Application patching is much slower than Operating System patching.
  • 7. Web Attacks Targets & Impacts Information Leak Credentials Theft Identity Theft Authorization Abuses Transaction Compromise Defacement Malware Planting Session Hijacking Denial of Service Bounce Password Guess Remote Control Data Theft Data Corruption Data Deletion Remote Control Persistent Injections Processes Corruption Data Interception Denial of Service Client Web Server Database Server Application Servers / Web Services
  • 8. Hijacking Servers & Clients Information Leak Credentials Theft Identity Theft Authorization Abuses Transaction Compromise Defacement Malware Planting Session Hijacking Denial of Service Bounce Password Guess Remote Control Data Theft Data Corruption Data Deletion Remote Control Persistent Injections Processes Corruption Data Interception Denial of Service Client Web Server Database Server Application Servers / Web Services
  • 10.
  • 11.
  • 12. Example : A simple keylogger
  • 14.
  • 15. Browser Internals NTDLL.DLL KERNEL32.DLL USER32.DLL WININET.DLL URLMON.DLL MSHTML.DLL SHDOCVW.DLL BROWSEUI.DLL IEXPLORE.EXE Tab 1 Tab n IE user interface Bars, menus etc. Browser Control Navigation, history Exposes ActiveX interface Rendering MIME handling Code download Security IP Handler HTTP & FTP Windows UI Handles components Base API Calls NTDLL API Native API OS user-mode components ~200.000 function calls at IE launch You cannot monitor everything
  • 16. Browser Attack Surface WININET.DLL URLMON.DLL MSHTML.DLL SHDOCVW.DLL BROWSEUI.DLL IEXPLORE.EXE Tab 1 Tab n Control navigation Control display Alter security policy Communicate…
  • 17.
  • 18. Example : A simple keylogger
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25. 4 players game schema 1 . Hacker compromises Relay 2 . Hacker exploits XSS vulnerability 3 . Victim goes on compromised page 4 . Malicious Javascript is loaded on Victim 6 . Victim sends information to Relay 7 . Information sent back to Hacker 5 . Victim executes Javascript 8 . Relay sends new commands to Victim
  • 26.
  • 27.
  • 28.
  • 29. Thank you for your valuable time Q&A
  • 30. (Distributor for Middle East & SE Europe ) 2702A Business Central Towers Dubai Internet City, PO. Box: 503012 Dubai, United Arab Emirates Tel: 04-3754306 E-mail: middle-east@recro-net.com www.recro-net.com