Talking about Heartbleed, Information Security, Security Testing

1. Heartbleed e a inseguranca
da informacao
QA Night Recife
Guilherme Motta, @gfcmotta

2. about @gfcmotta
gfcmotta@gmail.com

15. WTFWTF

17. Protocolo HTTP
GET /index.html HTTP/1.1 Requisicao> GET metodo HTTP, HTTP
URI, 1.1 Versao
Host: www.example.com Valores no cabecalho (nome: valor)

18. Protocolo HTTP
HTTP/1.1 200 OK Resposta> HTTP/1.1 protocolo e versao, 200 status, OK
mensagem
Date: Mon, 23 May 2005 22:38:34 GMT Valores no cabecalho (nome: valor)
Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux) Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
ETag: "3f80f-1b6-3e1cb03b" Content-Type: text/html; charset=UTF-8
Content-Length: 131 Accept-Ranges: bytes Connection: close
<html> Corpo da mensagem
<head>
<title>An Example Page</title>
</head>
<body>
Hello World, this is a very simple HTML document.
</body>
</html>

19. Protocolo HTTP
cleartext
facil de ler :))))

20. Protocolo HTTPS
S de “seguro”
TLS/SSL

21. Protocolo HTTPS
S de “seguro”
<criptografia>
SSL/TLS

22. Protocolo HTTPS
SSL/TLS
-> Open SSL

23. Protocolo HTTPS
-> Open SSL
todos usa!

24. SSL/TLS
Heartbeat

25. SSL/TLS
Heartbeat

28. Heartbleed

29. Heartbleed
In 2011, one of the RFC's authors, Robin Seggelmann, then a Ph.D. student at
the University of Duisburg-Essen, implemented the Heartbeat Extension for
OpenSSL. Following Seggelmann's request to put the result of his work into
OpenSSL,[19][20][21] his change was reviewed by Stephen N. Henson, one of
OpenSSL's four core developers. Henson apparently failed to notice a bug in
Seggelmann's implementation,[22] and introduced the flawed code into
OpenSSL's source code repository on December 31, 2011. The vulnerable
code was adopted into widespread use with the release of OpenSSL version
1.0.1 on March 14, 2012. Heartbeat support was enabled by default, causing
affected versions to be vulnerable by default.[23][24][25]

30. Heartbleed
In 2011, one of the RFC's authors, Robin Seggelmann, then a Ph.D. student at
the University of Duisburg-Essen, implemented the Heartbeat Extension for
OpenSSL. Following Seggelmann's request to put the result of his work into
OpenSSL,[19][20][21] his change was reviewed by Dr. Stephen N. Henson, one of
OpenSSL's four core developers. Henson apparently failed to notice a bug in
Seggelmann's implementation,[22] and introduced the flawed code into
OpenSSL's source code repository on December 31, 2011. The vulnerable
code was adopted into widespread use with the release of OpenSSL version
1.0.1 on March 14, 2012. Heartbeat support was enabled by default, causing
affected versions to be vulnerable by default.[23][24][25]

31. Look at code examples

32. Look at code examples

33. Look at code examplesMetodologias!!!
OWASP
OSSTMM
ISSAF
IBM*
NIST 800.42
...

34. Look at code examples

35. Look at code examples

36. Look at code examples
http://en.wikipedia.org/wiki/Taint_checking

37. not so live demo
Hacking DVWA
- XSS (ultimos 2 minutos do video)
http://www.youtube.com/watch?v=-H1qjiwQldw
- SQL Injection
http://www.youtube.com/watch?v=7NCpvG7nY
b

38. not so live demo
Hacking DVWA
- remote command execution
http://www.youtube.com/watch?v=6hnCGsS-
V0Y
- Cookie hijacking
http://www.youtube.com/watch?v=qB9c01R3a
QU

39. not so live demo
Hacking DVWA
- CSFR (Cross-Site Request Forgery)
http://www.youtube.com/watch?v=2Y7IywV1YB
Q

40. Links
www.dvwa.co.uk/
www.backtrack-linux.org http://www.kali.org/
http://portswigger.net/burp/
http://www.wireshark.org/
http://wpepro.net/
http://cheatengine.org/