
Petko D. Petkov Senior IT Security Consultant



Presentation on theme: "Petko D. Petkov Senior IT Security Consultant"— Presentation transcript:

1 Advanced Web Hacking
Petko D. Petkov, Senior IT Security Consultant, pdp@gnucitizen.org

2 Powered by...

3 Clarifications!!! Not everything is in the slides! The subject is quite big! Talk to me after the presentation! Check the references!

4 Topics to Discuss
Introduction: Web Security since 2005; The State of JavaScript Hacking
Main: Web Security 2007; Web Exploits; Security Mashups; Worms and Bots

5 Web Security since 2005: They have always been with us
XSS
CSRF
Browser Port Scanners
CSS History Stealers
Application State Scanners
Inter-protocol Communication Techniques
Same Origin Policy Unification Techniques
JIKTO – browser based security scanner

6 The State of JavaScript Hacking
JavaScript is a GLUE technology: Web pages, Adobe products, WSCRIPT and CSCRIPT, Mobile devices
One Language to Rule Them All: Cross-site scripting, Cross-zone scripting

7 Web Security 2007: Web Exploits; Security Mashups; Worms and Botnets

8 The need for web exploits
for testing purposes
for demonstration purposes
non-exploitative web app testing does not exist
How to test for SQL Injection without exploiting the application?
How to test for Cross-site scripting without exploiting the application?
My name is O‘Neill.

9 Web Exploits: Hundreds of them available online already!
Milw0rm, Full-disclosure
Who is going to unify them?
Exploit Environments: Metasploit – good but limiting; The Browser – probably what we want

10 Web Exploits The browser as exploit development framework

11 Web Exploits: Pragmatics; Semantics; All together
Code, Database, Services → Mashup

12 Security Mashups: A Mashup is…
a website or application that combines content from more than one source into an integrated experience. (Wikipedia)
largely based on online services and APIs.
a way to circumvent various browser limitations.

13 Security Mashups: Technology, Benefits
Technology:
XML – it all started with that
XMLRPC – unifies the data structure
SOAP – defines the transportation mechanism
JSON – plays nice with browsers
Benefits:
Distributed Knowledge
Distributed Processing Power

14 Security Mashups: A Security Mashup is…
a way to create largely distributed testing infrastructures.
a mechanism for instantly accruing dynamic knowledge.
a mechanism that has a lot of potential for bad purposes.
a way to bypass the Same Origin Policies to an extent.

15 Security Mashups Origin Unification with Proxies

16 Security Mashups: Origin Unification with Services
we are interested in the data, not the data retrieving mechanism

17 Security Mashups: APIs
Google: AJAX Search API – search API; AJAX Feed API – RSS feed API
Yahoo: Yahoo Pipes – mashup power tool
Dapper: Dapper – screen scraping tool

18 Security Mashups: Services
DIGG – user powered content
TinyURL – URL/data storage service

19 Security Mashups Yahoo Pipes TinyURL FS

20 Security Mashups Yahoo Pipes Google Proxy

21 Security Mashups: JIKTO in a lot less lines of code

// target and ypipeProxy are assumed to be defined elsewhere in the deck's code
function handleData(d) {
    for (var i in d.items) ypipeProxy(target + d.items[i]);
}
function handleYPipeProxy(d) {
    // read the data from here
}

JavaScript on demand (aka JSON) in YPipes:
id=nvTyLSDv2xGkB7MlJhOy0Q&_run=1&_render=json&_callback=handleYPipeProxy&url=http%3A//example.com

22 Security Mashups: JavaScript Spider (quite stable)

function spider(url, callback, conf) {
    var conf = (conf != undefined) ? conf : {};
    conf.pipe = (conf.pipe != undefined) ? conf.pipe : 'lruY6uXk2xGdxK66l7okhQ';
    conf.depth = (conf.depth != undefined) ? conf.depth : 3;
    function walkJSON(j, c) {
        if (typeof(c) != 'function') {
            return;
…

23 Security Mashups Malicious code and security testing tools

24 Security Mashups Possibilities are endless! Time for a demo!

25 Worms and Bots: Impossible to fight against
No hosting required
Totally distributed
Dynamically managed
Impossible to fight against
Do you have any ideas? How shall we handle this problem?

26 Worms and Bots Worms and Bots look like normal Web applications
JavaScript malware is too dynamic to be handled by signatures

27 Worms and Bots Controlling Botnets through DIGG

28 Worms and Bots: Where does this leave us?
Where does this leave us? Even experts can’t tell.
What shall we do? Improve community awareness.
Will we see 2NG Sammy? It is inevitable.
How to protect against? Be very conscious with your Web activities.

29 References
GNUCITIZEN conference
Yahoo Pipes
Google APIs
Dapper

30 Questions? Win a book. Share your thoughts.

