SlideShare ist ein Scribd-Unternehmen logo
1 von 37
Downloaden Sie, um offline zu lesen
Phishing with Super Bait

Jeremiah Grossman
WhiteHat Security
Founder and Chief Technology Officer
Who am I?
Day Job:
Technology R&D and industry evangelist
Frequent Black Hat and industry speaker
Author of several web security articles/white papers

Night Job:
Founder of the Web Application Security Consortium (WASC)
www.webappsec.org

Past Job:
Yahoo Information Security Officer
WhiteHat Security
      Real-World Solutions for Web Application Security


WhiteHat Security is a leading provider of web
  application
security services. WhiteHat delivers comprehensive,
  easy-to
use, cost-effective solutions that enable companies to
  secure
valuable customer data, meet compliance standards,
  and
maintain brand integrity.
Discussion Topics
Current Web Security Models
Phishing and Cross-Site Scripting (XSS)
XSS-Phishing Hybrid Attacks
Next Generation XSS Attacks
Best-Practices
Current Web Security Models
Secure Sockets Layer (SSL)
Web Browser Security
Two-Factor Authentication
Secure Sockets Layer (SSL)
Encrypts data between the client and server while in transit.Verify
           the identity of the server and/or the client.
           (Anyone actually look at the certificates?)




  SSL does NOT make a website secure!
Browser Security:
           Same-Origin Policy
“The same origin policy prevents documents or scripts loaded from
    one
origin from getting or setting properties of a document from a
    different
origin.“
                                                 Standard permission
http://www.mozilla.org/projects/security/components/same-
 http://domain1.com/index.html                   denied error message
    origin.html


                                                OK
                     QuickTime™ and a
           TIFF (Uncompressed) decompressor
              are needed to see this picture.




                                                Deny
Two-Factor Authentication
Online Banks, AOL, and others will begin rolling out this
type of solution. More organizations will follow this trend.
Compromising passwords and/or accounts is more
difficult when using two-factor authentication.Tokens
protect against several types of attacks, including forms of
phishing and spyware, but they are not a cure all.

Bruce Schneier Blog
The Failure of Two-Factor Authentication
“Two-factor authentication isn't our savior. It won't defend
against phishing. It's not going to prevent identity theft. It's not
going to secure online accounts from fraudulent transactions. It
solves the security problems we had ten years ago, not the
security problems we have today.”
http://www.schneier.com/blog/archives/2005/03/the_failure_of.
   html
The Phishing Scam
  High-Tech version of the age-old confidence scam
“Phishing attacks use both social engineering and technical
subterfuge to steal consumers' personal identity data and financial
account credentials. Social engineering schemes use 'spoofed' e
mails to lead consumers to counterfeit websites designed to trick
recipients into divulging financial data such as credit card numbers,
account usernames, passwords and social security numbers.
Hijacking brand names of banks, e-retailers and credit card
companies, phishers often convince recipients to respond.”

Anti-Phishing Working Group
The Common Approach
                                                    Real Website
Attacker contacts a user with
  a forged email message
                     Qui ckTime™ and a
           TIFF (Uncompressed) decompressor
              are needed to see this pictur e.




                                                 User fills out the form
                                                 on the fake website
                 QuickTime™ and a
       TIFF (Uncompressed) decompressor
          are needed to see this picture.




                                                                           PROFIT!
Other Methods of
       Communication
Email
Instant Messages
Message Boards
Guestbooks
Blog Comments
Viruses, Trojan Horses, Spyware
etc.
Phishing Activity Trends Report
                       January 2005
         The Anti-Phishing Working Group (APWG)
               http://www.antiphishing.org/


Number of active phishing sites reported: 2560
Average monthly growth rate in phishing sites Jul-Jan:
  28%
Number of brands hijacked by phishing in January: 64
Average time online for site: 5.8 (days)
Longest time online for site: 31 days
Cross-Site Scripting (XSS)
Targets the user, not the website
Javascript is what makes XSS really bad (very powerful
    language)
Most commonly found web vulnerability
Impact generally underestimated or misunderstood
OWASP TOP-10 (A4)                                   CERT Malicious HTML Tags
http://www.owasp.org/documentation/topten/a4.html http://www.cert.org/advisories/CA-2000-02.html


Web Security Threat Classification                  Gunter Ollmann
http://www.webappsec.org/threat.html                http://www.technicalinfo.net/papers/CSS.html

The Cross-Site Scripting FAQ
http://www.cgisecurity.com/articles/xss-faq.shtml
JavaScript DOM Access
JavaScript has complete access to the DOM and is
  capable of
doing just about anything. But what is anything?

Possible To:
Alter the content of news articles
Change the ACTION attribute of HTML Forms
etc, etc, etc.

Very hard for user to detect
Type 1 (Direct Echo)
Most common variety of XSS
Requires the victim to click a link to be exploited
When the victim clicks and the JavaScript code executes, it does
so in the context of the victim domain.
                                                   Attacker retrieves the
Attacker sends user an email containing a          cookies from the web server
specially crafted link. The link has a hostname of logs where they can be
the victim website domain, looking legitimate, and used to hi-jack the users
laced with embedded JavScript code. When the session
user clicks the link...                            http://hacker.com/
http://victim.com/foo.cgi?q=<html_javascript_exploit_co
de>...


                                                    Cookies are sent off-             QuickTime™ and a
                         QuickTime™ and a                                   TIFF (Uncompressed) decompressor
               TIFF (Uncompressed) decompressor
                  are needed to see this picture.   domain using an            are needed to see this picture.


                                                    image object request
Type 2 (HTML Injection)
Most dangerous variety of XSS
Does not require a user click, just visit a web page
Commonly found in HTML E-Mail, Message Boards, and Blog
posts                                           Attacker retrieves the cookies
User clicks to view an email message sent by an     from the web server logs
Attacker. The email message contains JavaScript     where they can be used to hi-
exploit code. When the user loads the page...       jack the users session
http://victim.com/foo.cgi?q=<html_javascript_expl   http://hacker.com/
oit_code>...


                     QuickTime™ and a
           TIFF (Uncompressed) decompressor                           QuickTime™ and a
              are needed to see this picture.               TIFF (Uncompressed) decompressor
                                                               are needed to see this picture.




   Same attack, but requirements are less
XSS Can Be Used To...
Steal cookies and hi-jack sessions
Execute unintended website functionality
Harass users with malicious code
Alter any portion of the web page
Deface or DoS the website
Violate the same-origin policy
Aid in Phishing scams...
XSS-Phishing Hybrid Attack
              The genie is out of the bottle
Google Plugs Cookie-Theft Data Leak
http://www.eweek.com/article2/0,1759,1751689,00.aspeBay

Redirect Becomes Phishing Tool
http://www.betanews.com/article/eBay_Redirect_Becomes_Phishin
   g_Tool/1109886753

A phishing wolf in sheep's clothing
http://news.com.com/2100-7349_3-5616419.html

Online Banking Industry Very Vulnerable to Cross-Site Scripting
   Frauds
http://news.netcraft.com/archives/2005/03/11/online_banking_indus
   try_very_vulnerable_to_crosssite_scripting_frauds.html

Here's one more trick up hackers' sleeves
http://reviews.cnet.com/4520-3513_7-5021212.html
Hybrid Variants
Leveraging the target domain to convince the victim of
legitimacy

Attack Types:
XSS Redirect Disguise
XSS Page Re-writing
XSS Redirect Disguise
Phishing Activity Trends Report - January 2005

Cross-Site Scripting / Redirects
“During the month of January, Websense Security saw a number of
    attacks
using cross-site scripting to redirect URL’s from popular web sites in
    order to
better present themselves and as a means to prevent blocking. An
    example of
this is an attack that was discovered utilized the Lycos search
    engine. By crafting
a URL, the hacker can redirect any end user though Lycos directory
    to their
fraudulent page. An example is below:

http://r.lycos.com/r/BJTWQSAUE/http://www.websensesecuritylabs.com

This link will automatically send the end user to Lycos, which in turn
   redirects the
XSS Redirect Disguise
Attacker sends user an email containing a
specially crafted link. The link has a hostname
of the victim website domain, to appear
legitamate, and has an embedded redirect          Fake WebsiteURL doesn‟t look
URL. When a user clicks the link, the
browser is re-directed to the injected URL.       right, but is the user looking?
http://victim.com/redirect.cgi?url=http://www.b   http://hacker.com/
     ofa.com




                       QuickTime™ and a
             TIFF (Uncompressed) decompressor
                are needed to see this picture.




  Simple. Effective.
XSS Page-Rewriting
This is a highly convincing and dangerous issue
We should be seeing more of this attack in the near future
Leverages XSS Type 1 (Direct Echo)

JavaScript can alter just about any aspect of a    Attacker retrieves the cookies
web page. Its possible to change the location of   from the web server logs where
where a HTML Form POSTS to, while the URL          they can be used to hi-jack the
remains looking legitimate.                        users session
http://victim.com/webapp.cgi?url=<html_javascri    http://hacker.com/
pt_exploit_code>...



                                                                   QuickTime™ and a
                                                         TIFF (Uncompressed) decompressor
                       QuickTime™ and a                     are needed to see this picture.
             TIFF (Uncompressed) decompressor
                are needed to see this picture.
Next Generation XSS Attacks
Moving beyond simple garden variety XSS exploits to
           explore what is truly possible


Several concepts based on...

XSS-Proxy
“An advanced Cross-Site-Scripting (XSS) attack
  tool”
Developer: Anton Ranger
http://xss-proxy.sourceforge.net/
Current XSS Limitations
Victim-Attacker connection is not persistent.

Once the user clicks, the attacker loses control.

Off-Domain data transfer mechanism is only one-way
*Victim to Attacker*
Goals of XSS Exploitation
Persistent remote communication with the browser, even
if the user clicks around on the website

Complete control over the web browser and environment

Monitor several XSS‟ed clients simultaneously

As invisible as possible

Circumvent all previously described security models
XSS Remote Control
  A User is cross-site scripted and third-party JavaScript exploit code
                        performs the following...
Empties the contents of the current
   window.

Creates a full screen IFRAME with the
    SRC
attribute equal to the URL of the current
page. To the user, nothing has been
    visibly
affected and they continuously click within
    the                                                         QuickTime™ and a
                                                      TIFF (Uncompressed) decompressor
                                                         are needed to see this picture.
IFRAME.

Whenever a link is clicked, the web page
contents are sent to an off-domain
server.

Keystroke recording is enabled capturing
    any
text entered into HTML form fields.
    Including
usernames and passwords.
Monitoring the Viewport
An IFRAME is an HTML tag used to
Include one web page within
another.The IFRAME is created to
    be
displayed full-screen, making any
    clicks                                       QuickTime™ and a
                                       TIFF (Uncompressed) decompressor

occurring within its borders. Since       are needed to see this picture.



    the
exploit code is loaded from the same
domain as the IFRAME, it has full
    access
to the DOM.
Data Capturing
                  Saving the data

JavaScript saves data from
  the
DOM including HTML,
  cookies,
User-Agent, and keystrokes.                   QuickTime™ and a
                                    TIFF (Uncompressed) decompressor
                                       are needed to see this picture.
Data Transfering
Transferring large amounts of data while bypassing the
                   same-origin policy
Split the data into blocks. 2,000
    bytes is
a large enough without exceeding
browser URL length limits.Base64
encode the blocks before transit.
Encoding ensures the data is not
altered by the browser.Data block
    are
transferred individually with multiple
off-domain GET requests using
JavaScript image objects.

                       QuickTime™ and a
             TIFF (Uncompressed) decompressor
                are needed to see this picture.
Bi-Directional Communication
 Send JavaScript command from the remote server to the client

In a continuous loop, a new “script”
   tag
object is created with the src
   attribute
URL of a remote location. When the                    QuickTime™ and a
                                            TIFF (Uncompressed) decompressor

remote JavaScript file is updated, its         are needed to see this picture.




executes within the clients browser.

JavaScript violates the same origin
policy by accessing data outside the
originating domain.
Success!
All security models previously mentioned have been circumvented.
With complete control over the user‟s web browser you can...

Use the doorway to automatically XSS other websites invisibly

Force the user to “hack” the website - download illegal content

Change the URL they are visiting

Anything.
Data sanitizing
The answer is to not be vulnerable to XSS.
The best way is to validate your input (query data, post data, cookies,
   etc).
Developers, do not trust the client and do not use what you don‟t use
expect to receive. If at all possible, do not echo user supplied data to
   the
screen. <                &lt;
                                   At the time when untrusted data is
        >              &gt;        used (i.e. printing to screen)
        “             &quot;       substitute the following characters
                                   with the equivalent HTML entities.
         „           &rsquo;       This process renders echoed HTML
                                   laced data as unexecutable by the
        (             &#40;        web browser.
        )             &#41;
         :            &#58;
Code Snippets
                       XSS Filters
Perl
$data =~ s/(<|>|"|'|(|)|:)/'&#'.ord($1).';'/sge;
or
$data =~ s/([^w])/'&#'.ord($1).';'/sge;

PHP
<?php
$new = htmlspecialchars("<a href='url'>XSS</a>",
ENT_QUOTES);
echo $new;
// &lt;a href=&#039;url&#039;&gt;XSS&lt;/a&gt;
?>
Application platform security
Apache -Mod_Security
http://www.modsecurity.org/

<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Prevent XSS atacks # (HTML/Javascript injection)
SecFilter "<(.|n)+>”
</IfModule>
Application platform security
Microsoft IIS 6.0
Default .NET configuration is configured to prevent XSS

IIS Lockdown
http://www.microsoft.com/windows2000/en/server/iis/default.asp?url=/win
    dows2000/en/server /iis/htm/core/iierrabt.htm

URL Scan
http://www.microsoft.com/technet/security/tools/urlscan.mspx
(May not be helpful if using IIS 6.0)

SecureIIS
http://www.eeye.com/html/products/secureiis/
Frame-Busting code
Add the following JavaScript code to your web pages.
  This
code prevents other web pages from including your web
pages within HTML frames. Prevents client-side HTML
sniffing.


<SCRIPT language="javascript">
if (top != self) top.location.href =
   location.href;
</SCRIPT>
THANK YOU
http://www.whitehatsec.com
jeremiah@whitehatsec.com

Weitere ähnliche Inhalte

Was ist angesagt?

BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANBEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANSamvel Gevorgyan
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHPjikbal
 
Web browser privacy and security
Web browser privacy and security Web browser privacy and security
Web browser privacy and security amiable_indian
 
Introduction to Web Server Security
Introduction to Web Server SecurityIntroduction to Web Server Security
Introduction to Web Server SecurityJITENDRA KUMAR PATEL
 
Content Management System Security
Content Management System SecurityContent Management System Security
Content Management System SecuritySamvel Gevorgyan
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
Web Server Security Guidelines
Web Server Security GuidelinesWeb Server Security Guidelines
Web Server Security Guidelineswebhostingguy
 
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Pratimesh Pathak
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awarenessJanagi Kannan
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012jakobkorherr
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearydrewz lin
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011Krishna T
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17Nicholas Batik
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMagno Logan
 
Abusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsSecuRing
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security TopicsShawn Gorrell
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrichdrewz lin
 

Was ist angesagt? (20)

BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANBEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHP
 
Web browser privacy and security
Web browser privacy and security Web browser privacy and security
Web browser privacy and security
 
Introduction to Web Server Security
Introduction to Web Server SecurityIntroduction to Web Server Security
Introduction to Web Server Security
 
Content Management System Security
Content Management System SecurityContent Management System Security
Content Management System Security
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
Web Server Security Guidelines
Web Server Security GuidelinesWeb Server Security Guidelines
Web Server Security Guidelines
 
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana)
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awareness
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
 
Abusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS apps
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security Topics
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrich
 
Web server security challenges
Web server security challengesWeb server security challenges
Web server security challenges
 

Ähnlich wie Phishing with Super Bait

Mitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpMitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpJoann Davis
 
New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)msz
 
Xss.e xopresentation from eXo SEA
Xss.e xopresentation from eXo SEAXss.e xopresentation from eXo SEA
Xss.e xopresentation from eXo SEAThuy_Dang
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionWayne Huang
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasAditya K Sood
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads:  How To Avoid Getting a Cap Popped in Your App Drive By Downloads:  How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Cenzic
 
Web application security
Web application securityWeb application security
Web application securityJin Castor
 
Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101v_raj
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
CSRF_RSA_2008_Jeremiah_Grossman
CSRF_RSA_2008_Jeremiah_GrossmanCSRF_RSA_2008_Jeremiah_Grossman
CSRF_RSA_2008_Jeremiah_Grossmanguestdb261a
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Jeremiah Grossman
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingkinish kumar
 
Ethical_Hacking_ppt
Ethical_Hacking_pptEthical_Hacking_ppt
Ethical_Hacking_pptNarayanan
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
Sql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application EnvironmentSql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application EnvironmentSheri Elliott
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserSource Conference
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docxCross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docxmydrynan
 

Ähnlich wie Phishing with Super Bait (20)

Mitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpMitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 Aitp
 
New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)
 
Ransomware attacks 2017
Ransomware attacks 2017Ransomware attacks 2017
Ransomware attacks 2017
 
Xss.e xopresentation from eXo SEA
Xss.e xopresentation from eXo SEAXss.e xopresentation from eXo SEA
Xss.e xopresentation from eXo SEA
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads:  How To Avoid Getting a Cap Popped in Your App Drive By Downloads:  How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
 
Web application security
Web application securityWeb application security
Web application security
 
Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101
 
Secure client
Secure clientSecure client
Secure client
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
CSRF_RSA_2008_Jeremiah_Grossman
CSRF_RSA_2008_Jeremiah_GrossmanCSRF_RSA_2008_Jeremiah_Grossman
CSRF_RSA_2008_Jeremiah_Grossman
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Ethical_Hacking_ppt
Ethical_Hacking_pptEthical_Hacking_ppt
Ethical_Hacking_ppt
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
Sql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application EnvironmentSql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application Environment
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docxCross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
 

Mehr von Jeremiah Grossman

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterJeremiah Grossman
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorJeremiah Grossman
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryJeremiah Grossman
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Jeremiah Grossman
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowJeremiah Grossman
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Jeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Jeremiah Grossman
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015Jeremiah Grossman
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesJeremiah Grossman
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedJeremiah Grossman
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportJeremiah Grossman
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)Jeremiah Grossman
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]Jeremiah Grossman
 

Mehr von Jeremiah Grossman (20)

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matter
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare Sector
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare Industry
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers Guide
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to Know
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security Guarantees
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report Explained
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]
 

Kürzlich hochgeladen

Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 

Kürzlich hochgeladen (20)

Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 

Phishing with Super Bait

  • 1. Phishing with Super Bait Jeremiah Grossman WhiteHat Security Founder and Chief Technology Officer
  • 2. Who am I? Day Job: Technology R&D and industry evangelist Frequent Black Hat and industry speaker Author of several web security articles/white papers Night Job: Founder of the Web Application Security Consortium (WASC) www.webappsec.org Past Job: Yahoo Information Security Officer
  • 3. WhiteHat Security Real-World Solutions for Web Application Security WhiteHat Security is a leading provider of web application security services. WhiteHat delivers comprehensive, easy-to use, cost-effective solutions that enable companies to secure valuable customer data, meet compliance standards, and maintain brand integrity.
  • 4. Discussion Topics Current Web Security Models Phishing and Cross-Site Scripting (XSS) XSS-Phishing Hybrid Attacks Next Generation XSS Attacks Best-Practices
  • 5. Current Web Security Models Secure Sockets Layer (SSL) Web Browser Security Two-Factor Authentication
  • 6. Secure Sockets Layer (SSL) Encrypts data between the client and server while in transit.Verify the identity of the server and/or the client. (Anyone actually look at the certificates?) SSL does NOT make a website secure!
  • 7. Browser Security: Same-Origin Policy “The same origin policy prevents documents or scripts loaded from one origin from getting or setting properties of a document from a different origin.“ Standard permission http://www.mozilla.org/projects/security/components/same- http://domain1.com/index.html denied error message origin.html OK QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture. Deny
  • 8. Two-Factor Authentication Online Banks, AOL, and others will begin rolling out this type of solution. More organizations will follow this trend. Compromising passwords and/or accounts is more difficult when using two-factor authentication.Tokens protect against several types of attacks, including forms of phishing and spyware, but they are not a cure all. Bruce Schneier Blog The Failure of Two-Factor Authentication “Two-factor authentication isn't our savior. It won't defend against phishing. It's not going to prevent identity theft. It's not going to secure online accounts from fraudulent transactions. It solves the security problems we had ten years ago, not the security problems we have today.” http://www.schneier.com/blog/archives/2005/03/the_failure_of. html
  • 9. The Phishing Scam High-Tech version of the age-old confidence scam “Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social engineering schemes use 'spoofed' e mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond.” Anti-Phishing Working Group
  • 10. The Common Approach Real Website Attacker contacts a user with a forged email message Qui ckTime™ and a TIFF (Uncompressed) decompressor are needed to see this pictur e. User fills out the form on the fake website QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture. PROFIT!
  • 11. Other Methods of Communication Email Instant Messages Message Boards Guestbooks Blog Comments Viruses, Trojan Horses, Spyware etc.
  • 12. Phishing Activity Trends Report January 2005 The Anti-Phishing Working Group (APWG) http://www.antiphishing.org/ Number of active phishing sites reported: 2560 Average monthly growth rate in phishing sites Jul-Jan: 28% Number of brands hijacked by phishing in January: 64 Average time online for site: 5.8 (days) Longest time online for site: 31 days
  • 13. Cross-Site Scripting (XSS) Targets the user, not the website Javascript is what makes XSS really bad (very powerful language) Most commonly found web vulnerability Impact generally underestimated or misunderstood OWASP TOP-10 (A4) CERT Malicious HTML Tags http://www.owasp.org/documentation/topten/a4.html http://www.cert.org/advisories/CA-2000-02.html Web Security Threat Classification Gunter Ollmann http://www.webappsec.org/threat.html http://www.technicalinfo.net/papers/CSS.html The Cross-Site Scripting FAQ http://www.cgisecurity.com/articles/xss-faq.shtml
  • 14. JavaScript DOM Access JavaScript has complete access to the DOM and is capable of doing just about anything. But what is anything? Possible To: Alter the content of news articles Change the ACTION attribute of HTML Forms etc, etc, etc. Very hard for user to detect
  • 15. Type 1 (Direct Echo) Most common variety of XSS Requires the victim to click a link to be exploited When the victim clicks and the JavaScript code executes, it does so in the context of the victim domain. Attacker retrieves the Attacker sends user an email containing a cookies from the web server specially crafted link. The link has a hostname of logs where they can be the victim website domain, looking legitimate, and used to hi-jack the users laced with embedded JavScript code. When the session user clicks the link... http://hacker.com/ http://victim.com/foo.cgi?q=<html_javascript_exploit_co de>... Cookies are sent off- QuickTime™ and a QuickTime™ and a TIFF (Uncompressed) decompressor TIFF (Uncompressed) decompressor are needed to see this picture. domain using an are needed to see this picture. image object request
  • 16. Type 2 (HTML Injection) Most dangerous variety of XSS Does not require a user click, just visit a web page Commonly found in HTML E-Mail, Message Boards, and Blog posts Attacker retrieves the cookies User clicks to view an email message sent by an from the web server logs Attacker. The email message contains JavaScript where they can be used to hi- exploit code. When the user loads the page... jack the users session http://victim.com/foo.cgi?q=<html_javascript_expl http://hacker.com/ oit_code>... QuickTime™ and a TIFF (Uncompressed) decompressor QuickTime™ and a are needed to see this picture. TIFF (Uncompressed) decompressor are needed to see this picture. Same attack, but requirements are less
  • 17. XSS Can Be Used To... Steal cookies and hi-jack sessions Execute unintended website functionality Harass users with malicious code Alter any portion of the web page Deface or DoS the website Violate the same-origin policy Aid in Phishing scams...
  • 18. XSS-Phishing Hybrid Attack The genie is out of the bottle Google Plugs Cookie-Theft Data Leak http://www.eweek.com/article2/0,1759,1751689,00.aspeBay Redirect Becomes Phishing Tool http://www.betanews.com/article/eBay_Redirect_Becomes_Phishin g_Tool/1109886753 A phishing wolf in sheep's clothing http://news.com.com/2100-7349_3-5616419.html Online Banking Industry Very Vulnerable to Cross-Site Scripting Frauds http://news.netcraft.com/archives/2005/03/11/online_banking_indus try_very_vulnerable_to_crosssite_scripting_frauds.html Here's one more trick up hackers' sleeves http://reviews.cnet.com/4520-3513_7-5021212.html
  • 19. Hybrid Variants Leveraging the target domain to convince the victim of legitimacy Attack Types: XSS Redirect Disguise XSS Page Re-writing
  • 20. XSS Redirect Disguise Phishing Activity Trends Report - January 2005 Cross-Site Scripting / Redirects “During the month of January, Websense Security saw a number of attacks using cross-site scripting to redirect URL’s from popular web sites in order to better present themselves and as a means to prevent blocking. An example of this is an attack that was discovered utilized the Lycos search engine. By crafting a URL, the hacker can redirect any end user though Lycos directory to their fraudulent page. An example is below: http://r.lycos.com/r/BJTWQSAUE/http://www.websensesecuritylabs.com This link will automatically send the end user to Lycos, which in turn redirects the
  • 21. XSS Redirect Disguise Attacker sends user an email containing a specially crafted link. The link has a hostname of the victim website domain, to appear legitamate, and has an embedded redirect Fake WebsiteURL doesn‟t look URL. When a user clicks the link, the browser is re-directed to the injected URL. right, but is the user looking? http://victim.com/redirect.cgi?url=http://www.b http://hacker.com/ ofa.com QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture. Simple. Effective.
  • 22. XSS Page-Rewriting This is a highly convincing and dangerous issue We should be seeing more of this attack in the near future Leverages XSS Type 1 (Direct Echo) JavaScript can alter just about any aspect of a Attacker retrieves the cookies web page. Its possible to change the location of from the web server logs where where a HTML Form POSTS to, while the URL they can be used to hi-jack the remains looking legitimate. users session http://victim.com/webapp.cgi?url=<html_javascri http://hacker.com/ pt_exploit_code>... QuickTime™ and a TIFF (Uncompressed) decompressor QuickTime™ and a are needed to see this picture. TIFF (Uncompressed) decompressor are needed to see this picture.
  • 23. Next Generation XSS Attacks Moving beyond simple garden variety XSS exploits to explore what is truly possible Several concepts based on... XSS-Proxy “An advanced Cross-Site-Scripting (XSS) attack tool” Developer: Anton Ranger http://xss-proxy.sourceforge.net/
  • 24. Current XSS Limitations Victim-Attacker connection is not persistent. Once the user clicks, the attacker loses control. Off-Domain data transfer mechanism is only one-way *Victim to Attacker*
  • 25. Goals of XSS Exploitation Persistent remote communication with the browser, even if the user clicks around on the website Complete control over the web browser and environment Monitor several XSS‟ed clients simultaneously As invisible as possible Circumvent all previously described security models
  • 26. XSS Remote Control A User is cross-site scripted and third-party JavaScript exploit code performs the following... Empties the contents of the current window. Creates a full screen IFRAME with the SRC attribute equal to the URL of the current page. To the user, nothing has been visibly affected and they continuously click within the QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture. IFRAME. Whenever a link is clicked, the web page contents are sent to an off-domain server. Keystroke recording is enabled capturing any text entered into HTML form fields. Including usernames and passwords.
  • 27. Monitoring the Viewport An IFRAME is an HTML tag used to Include one web page within another.The IFRAME is created to be displayed full-screen, making any clicks QuickTime™ and a TIFF (Uncompressed) decompressor occurring within its borders. Since are needed to see this picture. the exploit code is loaded from the same domain as the IFRAME, it has full access to the DOM.
  • 28. Data Capturing Saving the data JavaScript saves data from the DOM including HTML, cookies, User-Agent, and keystrokes. QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
  • 29. Data Transfering Transferring large amounts of data while bypassing the same-origin policy Split the data into blocks. 2,000 bytes is a large enough without exceeding browser URL length limits.Base64 encode the blocks before transit. Encoding ensures the data is not altered by the browser.Data block are transferred individually with multiple off-domain GET requests using JavaScript image objects. QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture.
  • 30. Bi-Directional Communication Send JavaScript command from the remote server to the client In a continuous loop, a new “script” tag object is created with the src attribute URL of a remote location. When the QuickTime™ and a TIFF (Uncompressed) decompressor remote JavaScript file is updated, its are needed to see this picture. executes within the clients browser. JavaScript violates the same origin policy by accessing data outside the originating domain.
  • 31. Success! All security models previously mentioned have been circumvented. With complete control over the user‟s web browser you can... Use the doorway to automatically XSS other websites invisibly Force the user to “hack” the website - download illegal content Change the URL they are visiting Anything.
  • 32. Data sanitizing The answer is to not be vulnerable to XSS. The best way is to validate your input (query data, post data, cookies, etc). Developers, do not trust the client and do not use what you don‟t use expect to receive. If at all possible, do not echo user supplied data to the screen. < &lt; At the time when untrusted data is > &gt; used (i.e. printing to screen) “ &quot; substitute the following characters with the equivalent HTML entities. „ &rsquo; This process renders echoed HTML laced data as unexecutable by the ( &#40; web browser. ) &#41; : &#58;
  • 33. Code Snippets XSS Filters Perl $data =~ s/(<|>|"|'|(|)|:)/'&#'.ord($1).';'/sge; or $data =~ s/([^w])/'&#'.ord($1).';'/sge; PHP <?php $new = htmlspecialchars("<a href='url'>XSS</a>", ENT_QUOTES); echo $new; // &lt;a href=&#039;url&#039;&gt;XSS&lt;/a&gt; ?>
  • 34. Application platform security Apache -Mod_Security http://www.modsecurity.org/ <IfModule mod_security.c> # Turn the filtering engine On or Off SecFilterEngine On # Make sure that URL encoding is valid SecFilterCheckURLEncoding On # Prevent XSS atacks # (HTML/Javascript injection) SecFilter "<(.|n)+>” </IfModule>
  • 35. Application platform security Microsoft IIS 6.0 Default .NET configuration is configured to prevent XSS IIS Lockdown http://www.microsoft.com/windows2000/en/server/iis/default.asp?url=/win dows2000/en/server /iis/htm/core/iierrabt.htm URL Scan http://www.microsoft.com/technet/security/tools/urlscan.mspx (May not be helpful if using IIS 6.0) SecureIIS http://www.eeye.com/html/products/secureiis/
  • 36. Frame-Busting code Add the following JavaScript code to your web pages. This code prevents other web pages from including your web pages within HTML frames. Prevents client-side HTML sniffing. <SCRIPT language="javascript"> if (top != self) top.location.href = location.href; </SCRIPT>