
http://nullcon.net

NEW CONCEPTS
DEFEATING
WEB ATTACKS
(secure) SiteHoster
 Family Named: AbhishekKr
Friends Call: ABK
g33k Handle: aBionic

 Independent Security Enthusiast/Researcher
 Also a Member of 'EvilFingers' (other than 'NULL')

 Application-Developer in ThoughtWorks Inc.


 OpenSource Lover

http://null.co.in http://nullcon.net aBionic@twitter,linkedin,FB


 Other than expanding to (secure)SiteHoster
(s)SH: A Fresh Approach, A Lab RAT
http://sourceforge.net/projects/sitehoster




It's The Same Old Problem


Same Old Problem

With A New Perspective To Solve It



offensive security to secure

ATTACK THE ATTACKER

Major Threats for Web Applications

Stats are not the same (as of 2009) …
But the threats are

XSS Defeating Concept
Always aim at the strongest opponent first,
it wins you the battle easily



IT IS JUST A PIECE OF CODE

<TAGS/> R GooD

And if it’s Code…


!dea is to BUG

3 Major XSS Attack Patterns

All stem from the options given to user input, a Web 2.0 gift
+ Karthik calling Karthik…
+ User (tricked) Input…

Included or injected <script/>


What You See Is (*NOT*) What You Get


Who calls, or who injects


What finally happens is unwanted <script/>


Disarm <script/>
Take away all its POWER!!!!!


Dis-Infect Entire Body

To kill all unwanted 'Creepy-Living' Beings
Generated HyperText
<html>
<head><script>function h(){alert("some dev-script in HEAD Tag");}</script></head>
<body>
<script DEFER>heavy_stuff=true;</script>
name: <div id="fromDB" onMouseOver="h();">
<!-- value rendered from the DB; the <script> below was injected by the attacker -->
<script>alert('attacker injected it, could do anything');</script>
</div>
</body>
</html>
Server Patched View
<html>
<head>
<script>function h(){alert("this is dev-scripts in HEAD Tag");}</script>
</head>
<BD>
<BODY>
<script DEFER>heavy_stuff=true;</script>
<script type='text/javascript'>
// The body markup is written through innerHTML: a <script> inserted this way
// is never executed, and "</script>" inside the string literal is escaped as
// "<\/script>" so it cannot close this trusted script early.
var x=document.getElementsByTagName("BODY");
x[0].innerHTML = "name:<div id=\"fromDB\" onMouseOver=\"h();\"><script>alert('attacker injected it, could do anything');<\/script><\/div>";
</script>
</BODY>
</BD>
</html>
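Added example (JavaScript, not code from the slides or from the (s)SH project): the server-side rewrite behind the "Server Patched View", written as a small Node function. Browsers do not run a <script> element that arrives through an innerHTML assignment, which is what disarms the injected script; what the rewrite has to get right is the escaping of the untrusted markup into a JavaScript string literal, because a raw </script> inside that literal would close the trusted script early and hand control back to the HTML parser. The function and sample names (toScriptLiteral, patchPage, roundTrips, SAMPLE_BODY) are my own, and the sample body is constructed from the slide's generated page.

```javascript
// Added example, not (s)SH code: the server-side rewrite behind the patched
// view. The trusted page is emitted as-is; the untrusted body markup is
// shipped as a JavaScript string literal that a trusted script assigns to
// document.body.innerHTML. Browsers do not execute <script> elements that
// are inserted through innerHTML, which is what disarms the injected script.

// Escape arbitrary text for embedding as a string literal inside an HTML
// <script> element. JSON.stringify handles quotes, backslashes and newlines;
// '<', '>' and '&' are additionally written as \u escapes so that neither
// "</script>" nor "<!--" can appear verbatim in the script body.
function toScriptLiteral(text) {
  return JSON.stringify(text)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Assemble the patched page: trusted head and body scripts untouched, the
// untrusted body only ever reaches the browser inside the literal.
function patchPage(headHtml, trustedBodyScripts, untrustedBodyHtml) {
  return [
    "<html>",
    "<head>" + headHtml + "</head>",
    "<body>",
    trustedBodyScripts,
    "<script type='text/javascript'>",
    "document.body.innerHTML = " + toScriptLiteral(untrustedBodyHtml) + ";",
    "</script>",
    "</body>",
    "</html>",
  ].join("\n");
}

// Constructed sample: the generated page from the slide, attacker script included.
const SAMPLE_BODY =
  'name: <div id="fromDB" onMouseOver="h();">' +
  "<script>alert('attacker injected it, could do anything');</script>" +
  "</div>";

// Self-check: the literal must evaluate back to the original markup and must
// not contain a raw "</script" that would end the trusted script early.
function roundTrips(text) {
  const literal = toScriptLiteral(text);
  const decoded = new Function("return " + literal + ";")();
  return decoded === text && !/<\/script/i.test(literal);
}

// The patched page for the slide's sample (print it with console.log in node).
function demoPage() {
  return patchPage(
    '<script>function h(){alert("some dev-script in HEAD Tag");}</script>',
    "<script defer>heavy_stuff=true;</script>",
    SAMPLE_BODY
  );
}
```

The caveat the following slides make applies unchanged: the markup is still parsed, so an inline event handler or a javascript: URL inside it still fires; this rewrite disarms only the <script> pattern, and contextual output encoding of the database value would have stopped the injection before it reached the page.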


But… still 
…other two monkeys got a chance


'javascript:' may take effect as …


So 'javascript:<bugMe/>'


1 Monkey can wreak havoc


2 are pwn3d… but 3rd is powerful enough


'Be Kind' on Entropy

-says 'JS-Events'

Ninja Parse User Input

Bug-it-su pwn JS-Events

hardcore 'js-events' pwnage
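Added example (JavaScript, not the slides' or the project's code) for the two monkeys that survive the innerHTML rewrite, 'javascript:' URLs and on*= event handlers, showing the "bug it, don't drop it" idea while coping with the entropy the slides mention: mixed case, tab/newline sprinkled inside the scheme, decimal and hex character references, &colon;, handler names after '/' or a quote, spaces before '='. The bug strings (<bugMe/> after the scheme as on the slide, an underscore inside the handler name), the function names and the sample inputs are my own choices; the samples are constructed.

```javascript
// Added example, not (s)SH code: "bug" javascript: URLs and on*= event
// handlers in a user-supplied HTML fragment instead of deleting them. The
// text stays visible, but the browser no longer has anything to execute.

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// All the ways one ASCII character can be spelled inside an attribute value:
// the character itself (case handled by the /i flag), a decimal reference or
// a hex reference, each with optional leading zeros and an optional ';'.
function charAlternatives(ch) {
  const code = ch.charCodeAt(0);
  return `(?:${escapeRe(ch)}|&#0*${code};?|&#x0*${code.toString(16)};?)`;
}

// The URL parser strips tab, LF and CR anywhere in a URL, so an attacker can
// sprinkle them (raw or as references) between the letters of the scheme.
const URL_JUNK =
  "(?:[\\t\\n\\r]|&#0*(?:9|10|13);?|&#x0*(?:9|a|d);?|&tab;|&newline;)*";

// "javascript" letter by letter with junk allowed in between, then a colon in
// any spelling; the lookbehind leaves e.g. "xjavascript:" (not a scheme) alone.
const JS_SCHEME_RE = new RegExp(
  "(?<![a-z0-9+.-])" +
    [..."javascript"].map(charAlternatives).join(URL_JUNK) +
    URL_JUNK +
    "(?::|&#0*58;?|&#x0*3a;?|&colon;)",
  "gi"
);

// Handler attribute names cannot be entity-encoded, but they are
// case-insensitive, may follow '/' or a quote instead of whitespace, and may
// have whitespace before the '='.
const EVENT_ATTR_RE = /([\s/"'])(on)([a-z]+)(\s*=)/gi;

// javascript:alert(1) -> javascript:<bugMe/>alert(1). A JavaScript program
// that begins with '<' is a SyntaxError, so the URL is inert wherever it lands.
function bugJavascriptUrls(html) {
  return html.replace(JS_SCHEME_RE, "javascript:<bugMe/>");
}

// onmouseover="h()" -> on_mouseover="h()": no event is called "_mouseover",
// so the attribute is ignored while the markup stays readable.
function bugEventHandlers(html) {
  return html.replace(EVENT_ATTR_RE, "$1$2_$3$4");
}

function bugXss(html) {
  return bugEventHandlers(bugJavascriptUrls(html));
}

// Constructed samples: obfuscated attacks plus an innocent sentence that
// happens to contain the scheme (it is kept, merely bugged).
const SAMPLES = [
  '<a href="JaVa\tscript:alert(1)">x</a>',
  '<a href="&#106;avascript&colon;alert(document.cookie)">y</a>',
  '<div/OnMouseOver = "h();">hover</div>',
  '<img src="x" onerror=alert(1)>',
  "I like javascript: it is fun",
];

// Bugged versions of the samples, in order (print them with console.log in node).
function demo() {
  return SAMPLES.map(bugXss);
}
```

This demonstrates the normalise-then-bug idea over the two patterns the slides name; it does not see attribute boundaries, so a production filter would apply the same replacements from a real HTML tokenizer, and it leaves the <script> pattern to the innerHTML rewrite from the earlier slides.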


XSS Attack gets bugged


<TAGS/> go Green


Innocence Is Saved
Normal user input that merely matches an attack pattern isn't filtered out


All Monkeys Defeated


And so are Script-Junkies

CURRENTLY JUST DEV PERSPECTIVE

For Un-Privileged Actions (AXNs)

Old Wine, Why Not Always Used

DB accounts:
  "all boss"   - Read, Write on *
  restricted   - Read on Table T1
  restricted   - Read, Write on Table t2

User -> Web-App -> Mapper -> DB account


& For Condition Match

An Apple A Day Keeps The Doctor Away
A Hash An Input Keeps The Attacker Away
 I Tweet Tech: http://www.twitter.com/aBionic
 I Blog Tech: http://abhishekkr.wordpress.com/

 I OpenSource
 GitHub: https://github.com/abhishekkr
 SourceForge: http://sourceforge.net/users/abhishekkr

 I Socialize: http://www.facebook.com/aBionic
 I Techalize: http://in.linkedin.com/in/abionic
 I Deviantize: http://abhishekkr.deviantart.com/

