New attacks on Web Applications. Rafael Silva [email protected] www.estuarioti.com.br @estuarioti

Security Day - Chesf

May 16, 2015



Estuário TI

Talk by CTO Rafael Silva at the Chesf Security Day event.
Transcript
  • 1. New attacks on Web Applications. Rafael Silva, [email protected], www.estuarioti.com.br, @estuarioti (the site and handle appear in the footer of every slide and are not repeated below)
  • 2. Agenda: Whoami; OWASP Top 10; Tools vs. Skill Set; IFrames; HTML 5 Hacking Features; Cursor Hijack / Click Hijack; HTTP Parameter Pollution; HTTPOnly XSS Bypass
  • 3. $whoami: OWASP Member; rfdslabs || TheBug Magazine; FAB (Força Aérea Brasileira, the Brazilian Air Force); C.E.S.A.R; Tempest; @rfdslabs; Estuário TI
  • 4. OWASP Top 10
  • 5. Tools vs. Skill Set: Nessus, Acunetix, N-Stalker. Attacks and vulnerabilities that automated scanners do not detect: Session Fixation; Privilege Escalation [Horizontal and Vertical]; Logout Logic Flaws; Unauthenticated Direct Access; Forgot my password
  • 6. IFRAMES: Stealth Browser Exploit, or Java, or SWF; Insert Malicious Javascript; Stored XSS + IFRAME = Chaos; Redirect; Defacement
  • 7. IFRAMES (image-only slide)
  • 8. IFRAMES: DEMO 1
  • 9. HTML 5 Hacking Features: Cross Origin Resource Sharing; Cross Domain AJAX With Cookies; Blind; Not limited to syntax; Used to Trigger CSRF
  • 10. HTML 5 Hacking Features: Cross Origin Resource Sharing (image-only slide)
  • 11. HTML 5 Hacking Features: Cross Origin Resource Sharing (image-only slide)
  • 12. HTML 5 Hacking Features: Silent File Upload. JavaScript FileUpload! Stealth with any filename and content. Use CORS. How? Create raw multipart/form-data
  • 13. HTML 5 Hacking Features: Silent File Upload (image-only slide)
  • 14. HTML 5 Hacking Features: Silent File Upload (image-only slide)
  • 15. HTML 5 Hacking Features: Silent File Upload: No User Action; No Frames; Cross-domain with cookies; Works in most browsers; You can add more form fields; -- CSRF flaw needed; -- No access to response
  • 16. Cursor Hijack / Click Hijack: Facebook Scams; Actively Exploited; Javascript in URL bar; NoScript Plugin to mitigate; Use your creativity
  • 17. Cursor Hijack / Click Hijack (image-only slide)
  • 18. Cursor Hijack / Click Hijack (image-only slide)
  • 19. Cursor Hijack / Click Hijack (image-only slide)
  • 20. Cursor Hijack / Click Hijack: DEMO 2
  • 21. Cursor Hijack / Click Hijack: DEMO 3
  • 22. HTTP Parameter Pollution: Query String Term? Defined in RFC 3986. GET and POST: query string meta characters are & ? # ; =
  • 23. HTTP Parameter Pollution (image-only slide)
  • 24. HTTP Parameter Pollution: Bypass ModSecurity. Busted Query: / Accepted Query: (the queries are shown only in the slide image)
  • 25. HTTP Parameter Pollution: Bypass IBM Web Application Firewall (FIXED). Busted Query: / Accepted Query: (the queries are shown only in the slide image). Discovered by Wendel Henrique from Trustwave Labs
  • 26. HTTPOnly XSS Bypass: Implemented in 2002 by Microsoft in IE 6; an additional flag included in a Set-Cookie HTTP response header; Exploiting an XSS with HTTPOnly in the response? No cookies for you?
  • 27. HTTPOnly XSS Bypass: How to bypass? Cross-Site Tracing, HTTP TRACE (FIXED); XMLHttpRequest also blocked the TRACE method (FIXED); CVE-2009-0357, XMLHttpRequest in Firefox (FIXED)
  • 28. HTTPOnly XSS Bypass: Java API Applet, HTTP TRACE (FIXED)
  • 29. HTTPOnly XSS Bypass: Java getHeaderField in the java.net.URLConnection package (UNFIXED). By Aung Khant, http://yehg.net
  • 30. HTTPOnly XSS Bypass (image-only slide)
  • 31. HTTPOnly XSS Bypass: and WORKS!
  • 32. Estuário TI
  • 33. References: Tempest Blog; Stefano Di Paola; SecKB Blog; OWASP; Marcus Niemietz
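Slides 9 to 15 describe credentialed cross-domain AJAX under CORS and the silent multipart upload that rides on the victim's cookies, and slide 15 notes that a CSRF flaw is needed for it to work. The following Node.js code is an added example, not code from the slides or from Estuário TI: a server-side gate that shows the allowlisted CORS response beside the weak origin-reflecting one, and rejects a cookie-authenticated state change that lacks a per-session CSRF token. The policy shape, the function names, the header name `x-csrf-token` and the sample requests are all constructed for this example and are not any framework's API.

```javascript
// Added example (not from the slides): CORS allowlist plus CSRF gate for
// cookie-authenticated state changes. Policy shape and names are assumptions.

const POLICY = {
  allowedOrigins: new Set(["https://app.example.com"]), // hypothetical first-party origin
  csrfHeader: "x-csrf-token", // assumed header carrying the per-session token
};

const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Safe variant: only allowlisted origins receive credentialed CORS headers;
// any other origin gets none, so the browser withholds the response body.
function corsHeaders(origin, policy) {
  if (!origin || !policy.allowedOrigins.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep shared caches from serving one origin's answer to another
  };
}

// Weak variant kept for comparison: echoing whatever Origin arrives together
// with Allow-Credentials: true lets every site read cookie-authenticated
// responses, which is the "cross-domain AJAX with cookies" of slide 9.
function corsHeadersReflecting(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Decide whether a request may change state. `req` is { method, headers } with
// lower-cased header names; `session` is the record the caller looked up from
// the session cookie ({ csrfToken }) or null. Returns "allow", "deny:origin"
// or "deny:csrf".
function gateRequest(req, session, policy) {
  if (!STATE_CHANGING.has(req.method)) return "allow";
  const h = req.headers;
  // Browsers attach Origin to cross-site POSTs. A multipart form post is a
  // "simple" request and triggers no preflight, so this check is what sees it.
  if (h.origin !== undefined && !policy.allowedOrigins.has(h.origin)) {
    return "deny:origin";
  }
  // Cookies travel automatically; the token does not, so a foreign page can
  // make the browser send the cookie but cannot supply the token.
  const token = h[policy.csrfHeader];
  if (!session || !token || token !== session.csrfToken) return "deny:csrf";
  return "allow";
}

// Constructed sample traffic.
const SESSION = { csrfToken: "tok-123" };

const uploadFromForeignPage = {
  method: "POST",
  headers: {
    origin: "https://evil.example", // constructed third-party origin
    cookie: "sid=abc", // attached by the browser without user action
    "content-type": "multipart/form-data; boundary=----constructed",
  },
};

const legitimateUpload = {
  method: "POST",
  headers: {
    origin: "https://app.example.com",
    cookie: "sid=abc",
    "x-csrf-token": "tok-123",
    "content-type": "multipart/form-data; boundary=----constructed",
  },
};

const sameOriginWithoutToken = {
  method: "POST",
  headers: { cookie: "sid=abc" }, // no Origin header and no token
};

function demoGate() {
  return {
    foreign: gateRequest(uploadFromForeignPage, SESSION, POLICY), // "deny:origin"
    legit: gateRequest(legitimateUpload, SESSION, POLICY), // "allow"
    noToken: gateRequest(sameOriginWithoutToken, SESSION, POLICY), // "deny:csrf"
    safeCorsHeaderCount: Object.keys(corsHeaders("https://evil.example", POLICY)).length, // 0
    weakCorsOrigin: corsHeadersReflecting("https://evil.example")["Access-Control-Allow-Origin"],
  };
}

console.log(demoGate());
```

The two checks are deliberately independent: the Origin check stops the cross-domain upload even when the request never goes through a preflight, and the token check covers requests that carry no Origin header at all. Slide 15's "no access to response" is exactly what the empty header set from `corsHeaders` enforces for unlisted origins.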
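Slides 22 to 25 cover HTTP Parameter Pollution: the query-string meta characters named in RFC 3986 and WAF bypasses that hinge on a filter and a back end reading the same query differently. The Node.js code below is an added example, not code from the slides or from Estuário TI. It parses a query string the three ways back ends resolve a repeated name (first value wins, last wins, all kept), lets the caller choose which characters count as pair separators, and reports repeated names so a request filter can log or reject them. The function names and the sample queries are constructed for this example.

```javascript
// Added example (not from the slides): query parsing under the three
// duplicate-resolution rules, plus a duplicate-name check. Names are assumptions.

function safeDecode(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, " "));
  } catch (e) {
    return s; // malformed percent-encoding: keep the raw text rather than throw
  }
}

// Split a query into [name, value] pairs. `separators` lists the characters
// treated as pair delimiters: '&' by convention, and some servers also accept
// ';'. '#' always ends the query because it starts the fragment.
function splitPairs(query, separators = "&") {
  let q = query.startsWith("?") ? query.slice(1) : query;
  const hash = q.indexOf("#");
  if (hash !== -1) q = q.slice(0, hash);
  const classBody = separators.replace(/[\]\\^-]/g, "\\$&"); // escape for a character class
  const splitter = new RegExp(`[${classBody}]`);
  return q
    .split(splitter)
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf("=");
      const name = eq === -1 ? pair : pair.slice(0, eq);
      const value = eq === -1 ? "" : pair.slice(eq + 1);
      return [safeDecode(name), safeDecode(value)];
    });
}

// mode: "first" (first occurrence wins), "last" (last wins) or "all" (array).
function parseQuery(query, { separators = "&", mode = "all" } = {}) {
  const out = Object.create(null);
  for (const [name, value] of splitPairs(query, separators)) {
    if (mode === "all") {
      (out[name] || (out[name] = [])).push(value);
    } else if (mode === "first") {
      if (!(name in out)) out[name] = value;
    } else if (mode === "last") {
      out[name] = value;
    } else {
      throw new Error(`unknown mode ${mode}`);
    }
  }
  return out;
}

// Names that occur more than once. A filter in front of the application can
// reject or log these for parameters that drive authorization decisions.
function duplicatedParams(query, separators = "&") {
  const counts = new Map();
  for (const [name] of splitPairs(query, separators)) {
    counts.set(name, (counts.get(name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

// Constructed queries. SEMICOLON is read as one parameter by a component that
// splits only on '&' and as two by one that also splits on ';'.
const POLLUTED = "?id=1&id=2";
const SEMICOLON = "a=1;a=2";

function demoHpp() {
  return {
    first: parseQuery(POLLUTED, { mode: "first" }).id, // "1"
    last: parseQuery(POLLUTED, { mode: "last" }).id, // "2"
    all: parseQuery(POLLUTED, { mode: "all" }).id, // ["1", "2"]
    dup: duplicatedParams(POLLUTED), // ["id"]
    frontEndView: duplicatedParams(SEMICOLON, "&"), // []  (one parameter "a")
    backEndView: duplicatedParams(SEMICOLON, "&;"), // ["a"]
  };
}

console.log(demoHpp());
```

The `frontEndView` / `backEndView` pair is the shape of the ModSecurity and IBM WAF bypasses on slides 24 and 25: whichever component inspects the query must split it with the same separator set and the same duplicate rule as the component that acts on it, otherwise the inspected value is not the value used.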
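Slide 26 introduces HttpOnly as an extra flag on the Set-Cookie response header, and slides 27 to 31 show that it has been sidestepped through TRACE and plugin APIs, so it is a layer rather than a fix. The Node.js code below is an added example, not code from the slides or from Estuário TI: it parses Set-Cookie headers and reports a session cookie that lacks HttpOnly, Secure or SameSite, and, going one step beyond the deck's NoScript advice for the cursor/click hijack slides (16 to 21), it also reports a page that sets neither X-Frame-Options nor a CSP frame-ancestors directive and so can be framed. The function names, the list of session cookie names and the sample headers are constructed for this example.

```javascript
// Added example (not from the slides): response-header audit for cookie flags
// and framing restrictions. Names and sample headers are assumptions.

// Parse one Set-Cookie header value into its name, value and the attributes
// the audit cares about.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq),
    value: eq === -1 ? "" : nameValue.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const eqAt = attr.indexOf("=");
    const key = (eqAt === -1 ? attr : attr.slice(0, eqAt)).toLowerCase();
    const val = eqAt === -1 ? "" : attr.slice(eqAt + 1);
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = val;
  }
  return cookie;
}

// Assumed names of cookies that carry a session; adjust for the application.
const SESSION_COOKIE_NAMES = ["sid", "phpsessid", "jsessionid", "asp.net_sessionid"];

// Findings for one Set-Cookie header. HttpOnly keeps document.cookie from
// reading the value after an XSS; the deck shows it can be bypassed, so it is
// defence in depth, and the XSS itself still has to be fixed.
function auditSetCookie(header, sessionNames = SESSION_COOKIE_NAMES) {
  const c = parseSetCookie(header);
  const findings = [];
  const isSession = sessionNames.includes(c.name.toLowerCase());
  if (isSession && !c.httpOnly) findings.push("session cookie without HttpOnly");
  if (!c.secure) findings.push("missing Secure");
  if (c.sameSite === null) findings.push("missing SameSite");
  return { name: c.name, httpOnly: c.httpOnly, secure: c.secure, sameSite: c.sameSite, findings };
}

// Findings for framing: X-Frame-Options DENY/SAMEORIGIN or a CSP
// frame-ancestors directive should be present on pages that must not be framed.
// `headers` uses lower-cased names; "set-cookie" may be a string or an array.
function auditFraming(headers) {
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  const csp = headers["content-security-policy"] || "";
  const hasFrameAncestors = /(^|;)\s*frame-ancestors\b/i.test(csp);
  if (xfo === "DENY" || xfo === "SAMEORIGIN" || hasFrameAncestors) return [];
  return ["no X-Frame-Options or CSP frame-ancestors: page can be framed"];
}

function auditResponse(headers) {
  const raw = headers["set-cookie"] || [];
  const cookies = (Array.isArray(raw) ? raw : [raw]).map((h) => auditSetCookie(h));
  return { cookies, framing: auditFraming(headers) };
}

// Constructed responses: a weak one and a hardened one.
const WEAK = {
  "set-cookie": ["sid=abc123; Path=/", "theme=dark; Path=/"],
};
const HARDENED = {
  "set-cookie": ["sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
  "x-frame-options": "DENY",
  "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
};

function demoAudit() {
  const weak = auditResponse(WEAK);
  const hard = auditResponse(HARDENED);
  return {
    weakSessionFindings: weak.cookies[0].findings.length, // 3
    weakThemeFindings: weak.cookies[1].findings.length, // 2 (not a session cookie)
    weakFraming: weak.framing.length, // 1
    hardSessionFindings: hard.cookies[0].findings.length, // 0
    hardFraming: hard.framing.length, // 0
  };
}

console.log(demoAudit());
```

Run this over the headers a staging environment actually returns rather than over a template. The TRACE bypass on slides 27 and 28 is a server-side matter that no header fixes: the TRACE method has to be disabled on the web server so that a reflected request can never echo the Cookie header back into a page.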