Computer security vulnerability
* Russian Hackers Leverage Wi-Fi to Bypass Security and Breach Networks
* Australia Passes Landmark Cyber Security Legislation
* Malicious Python Packages Exploit AI Enthusiasm
* Ransomware Attack on Supply Chain Software Disrupts Major Retailers During Holidays
* New CWE Methodology Shake-up has Cross-Site Scripting as 2024's Most Dangerous Software Weakness
* Special Thanks to Justin Butterfield for contributing some of the interesting stories for this week's cyber bites.

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit edwinkwan.substack.com
Today, we explore how Magnet Goblin, a cyber threat actor, exploits 1-day vulnerabilities for financial gain, targeting systems like Ivanti Connect Secure VPN and Magento. Learn about the widespread WordPress plugin vulnerability that left over 3,300 sites compromised with malware. Plus, unravel the complexities of Stored XSS, a persistent cyber threat lurking in databases and forums.

Original Articles:
* Magnet Goblin's exploits: https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/
* WordPress plugin vulnerabilities: https://www.bleepingcomputer.com/news/security/hackers-exploit-wordpress-plugin-flaw-to-infect-3-300-sites-with-malware/
* Microsoft's chilly hack: https://www.theverge.com/2024/3/8/24094287/microsoft-hack-russian-security-attack-stolen-source-code
* Swiss government's ransomware dilemma: https://therecord.media/play-ransomware-leaked-government-files-swiss
* Duvel Moortgat Brewery's production pause: https://www.vrt.be/vrtnws/en/2024/03/06/cyber-attack-brings-production-at-duvel-moortgat-breweries-to-a/
* FINTRAC's cyber incident: https://globalnews.ca/news/10335818/fintrac-cyber-incident/
* Hamilton's ransomware attack: https://www.cbc.ca/news/canada/hamilton/ransomware-attack-1.7133457

Music: https://www.jeredjones.com/
Logo Design: https://www.zackgraber.com/

Tags: Magnet Goblin, WordPress Vulnerabilities, Popup Builder Plugin, CVE-2023-6000, Cybersecurity, HGF, 1-Day Vulnerabilities, Cross-Site Scripting, XSS, Malware Infections, Cyber Threat Actors, Web Security, Sucuri, Plugin Security, Website Hacking, Stored XSS, Cyber Attacks, Data Breach

Search Phrases: Magnet Goblin cyber attacks, WordPress Popup Builder plugin vulnerability, Handling 1-Day vulnerabilities in cybersecurity, Cross-Site Scripting attacks and prevention, Latest malware infections in WordPress sites, Cyber threat actors exploiting web vulnerabilities, Sucuri reports on WordPress security, How to secure websites against XSS vulnerabilities, Understanding Stored XSS and its impacts, Data breaches involving HGF this week, Cybersecurity updates on WordPress plugins, Protecting against Popup Builder CVE-2023-6000, Recent cyber attacks on web platforms

Transcript: Mar 11

[00:00:00] transition: Welcome to The Daily Decrypt, the go-to podcast for all things cyber security. Get ready to decrypt the complexities of cyber safety and stay informed. Stand at the frontier of cyber security news, where every insight is a key to unlocking the mysteries of the digital domain. Your voyage through the cyber news vortex starts now.

[00:00:29] offsetkeyz: Welcome back to The Daily Decrypt. Today we're joined by Hot Girl Farmer, who's going to help recap the breaches from the last week, your favorite segment, Who's Been Popped. Then we're going to be talking about the Magnet Goblins gobbling up one-day vulnerabilities. And finally, the WordPress pop-up plugin vulnerability persists, popping approximately 3,300 sites.

[00:00:54] transition: Thanks for [00:01:00] watching!

[00:01:00] hgf: First up on our list is a chilly tale from the tech giant Microsoft. On March 9th, Microsoft announced that Russian hackers, chilly from their previous SolarWinds attack, decided to warm up by spying on some emails of Microsoft senior leaders. The hack evolved into a frosty situation with some of Microsoft's secure source code stolen. Switching over to Switzerland, where things got a bit too neutral for their liking: on March 8th, the Swiss government found itself in a knot tighter than a Swiss wristwatch. A ransomware attack leaked 65,000 government documents. It appears the hackers played their cards right with the Play ransomware gang, proving that sometimes neutrality attracts more than just peace. You know, if only they had some witches watching those Swiss wristwatches. Which witch would watch which Swiss watch? There were three witches, and there were three Swiss wristwatches. Which witch would watch which Swiss wristwatch? Absolutely not.

[00:02:00] Now pour one out for the Duvel Moortgat brewery, which on March 9th found its production as stale as the beer in a forgotten glass. The brewery, known for its spirited Duvel, faced a ransomware attack that halted its hops. It's a sobering reminder that no industry is immune, and perhaps it's time for cyber attackers to barley there and brew up some better hobbies, maybe. They be brewing up something. Yikes. March 6th brought a cold front to Canada's FINTRAC, freezing some of its systems, the cyber incident as crisp as the Canadian winter, while their intelligence system stayed snug and warm. It's a stark reminder that even those guarding the treasure need to watch their own chest. Lastly, Hamilton, a Canadian city, got a taste of digital disruption, with services paralyzed faster than a moose caught in headlights. The ransomware attack, confirmed on March 5th, has shown that even city services can get frozen over in the cyber blizzard. It's a digital reminder that in the game of cybersecurity, sometimes you go hockey stick and sometimes you're [00:03:00] the puck. Mm. Canadians love hockey. Us too. That's what I hear anyways.

[00:03:06] transition: Thanks for watching!

[00:03:12] offsetkeyz: All right. So the Magnet Goblins are gobbling up one-day vulnerabilities. This is coming to you from Check Point Research, published on March 8th; check the show notes for the URL. A financially motivated cyber threat actor called Magnet Goblin is getting really good at exploiting one-day vulnerabilities. And one-day vulnerabilities are essentially vulnerabilities that are announced and discovered already, but not yet patched. So the "one day" signifies about how much time attackers have to exploit these vulnerabilities before they get patched. And the Magnet Goblins have gotten really good at exploiting one-day vulnerabilities.

The Magnet Goblins have targeted such systems as Ivanti Connect Secure VPN, Magento, Qlik Sense and [00:04:00] potentially Apache ActiveMQ. And they use these vulnerabilities to deploy a variety of malware, including the novel Linux version of NerbianRAT, which is a remote access Trojan, and WARPWIRE, a JavaScript credential stealer. Magnet Goblin's rapid adoption of one-day vulnerabilities really just emphasizes the problem we have with patching, and the need for it. Their operations have historically centered around financial gain, as opposed to some other motivations like political or social or hacktivism. They're all about the money. And they usually use techniques revolving around data theft, to include ransomware. Really, whatever they can use to get their money. There isn't much news here other than the fact that the Magnet Goblins are out there and we really are behind on our practices of updating as well as on our updates. So as soon as a one-day vulnerability comes out, make sure to check the specifics of [00:05:00] that vulnerability and look for the indicators of compromise surrounding it.

[00:05:15] offsetkeyz: Alright, and to wrap up today's stories, we're going to be talking about that WordPress pop-up plugin vulnerability that was announced last November and has recently seen an uptick in exploits. It's impacting plugin version 4.2.3 and older, and involves a cross-site scripting vulnerability, and really highlights the reluctance of WordPress users to update their plugins. So if you're a WordPress administrator or consumer of WordPress websites, which most of us are one of those two things, if not both: the WordPress plugin must be active and also creating popups on your site. So for example, this plugin is enabled by default when you launch a new WordPress website, which we don't [00:06:00] love. But the good news is that even though it's enabled by default, it must be creating pop-ups in order for it to be exploited.

My fear when reading this was that, yes, this is a default plugin, and since it's a default plugin, there are what, 300,000 WordPress sites out there, all with this plugin just chilling, probably un-updated and unutilized. But luckily it must be utilized as well as enabled. And that's because the attackers inject PHP code into one of the events that triggers the pop-up. And that PHP code is then stored on the server alongside the WordPress site, making it a stored cross-site scripting vulnerability. Which means that anyone who accesses the site and sees the pop-up is vulnerable to that malicious PHP code. And that code can do many things. It can try to hijack your session cookie, which is the ultimate goal, because then the attacker is you [00:07:00] without actually having to log in. Or it could redirect you to phishing sites, or really anything that they want. So if you're a WordPress admin, obviously update or disable. I'm going to lean towards disable, because pop-ups are really annoying, especially since they're now vulnerable. Go ahead and use a banner. Go ahead and open up a new tab somewhere, but don't pop up right as I'm about to click something on your website. I'm immediately going to navigate away from your website if there's a pop-up. Sorry for the rant. If you're a consumer, try grabbing a pop-up blocker from the Google Chrome app store. I think Google Chrome even comes with a built-in app for blocking pop-ups. And whether or not it blocks the specific pop-up on the site that you're visiting, it will at least alert you that there is a pop-up and allow you to confirm or deny pop-ups on that site. So better than nothing. But yeah, totally against pop-ups as a practice. I'm really glad my WordPress site doesn't have any popups, for this reason, and [00:08:00] also for the reason to not annoy the crap out of the few website visitors that I get. If you'd like to visit a website with no popups, no advertisements, go ahead and check out dailydecrypt.news. Just the words, dailydecrypt.news, and you will find words and pictures and sounds, but no ads and no pop-ups. All right. That's all we've got for you today. Quick episode. Huge thanks to Hot Girl Farmer for coming on and delivering the hot breaches in Who's Been Popped. We will talk to you some more tomorrow. [00:09:00]
Episode 182 contains the important Digital Marketing News and Updates from the week of Oct 9-13, 2023.

1. Google's Demand Gen Ads: The AI-Powered Video Ads - If you're using social media platforms like Facebook and Instagram for advertising, you'll want to know about Google's latest ad product: Demand Gen campaigns. Google Ads is a platform that allows you to place advertisements on Google's search engine and other platforms. Demand Gen is Google's newest effort to compete with traditional social media sites for your advertising dollars. What sets Demand Gen apart? It uses Artificial Intelligence (AI) to create highly targeted video and image ads, specifically designed for platforms like YouTube. These ads can be up to 15 seconds long, ideal for YouTube placements, and can also feature image carousels tailored for mobile users. The tool uses Google's powerful AI to identify "lookalike audiences" that share characteristics with your existing customers, allowing for more targeted advertising. Why is this important for you? Consumer habits are changing. People are now splitting their time between traditional social media platforms and video sites like YouTube. Google's Demand Gen aims to help you capitalize on this shift by offering visually compelling ads tailored to specific audiences. Early adopters have already seen promising results; for example, Argentine fintech startup Naranja X reported 3x higher click-through rates at 61% lower costs compared to its paid social campaigns.

2. Google Ads Policy Update: What You Need to Know About Offering Rewards
From the intrusion kill chain model, a malicious code delivery technique that allows hackers to send code of their choosing to their victim's browser. XSS takes advantage of the fact that roughly 90% of web developers use the JavaScript scripting language to create dynamic content on their websites. Through various methods, hackers store their own malicious JavaScript code on unprotected websites. When the victim browses the site, the web server delivers that malicious code to the victim's computer and the victim's browser runs the code.
In 2020, a British computer scientist founds a company with a special name. The name consists of a string of characters that injects a foreign script into vulnerable websites. This is called Cross Site Scripting, or XSS for short. And for years it has been one of the most common security vulnerabilities on the Internet. This episode is not only about that story, but also about the question of why you should never trust user input. Speaker & production: Wolfgang Schoch. Music: BACKPLATE by https://josephmcdade.com
We've got a cloud focused episode this week, starting with a logging bypass in AWS CloudTrail, an SSH key injection, and cross-tenant data access in Azure Cognitive Search. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/181.html

[00:00:00] Introduction
[00:00:25] Undocumented API allows CloudTrail bypass
[00:06:00] Multiple Vulnerabilities in the Galaxy App Store (CVE-2023-21433, CVE-2023-21434)
[00:14:53] SSH key injection in Google Cloud Compute Engine [Google VRP]
[00:19:08] Chat Question: Why is Cross-Site Scripting called That
[00:22:36] Cross-tenant network bypass in Azure Cognitive Search

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:
-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9
This episode explains what lies behind the term Cross-Site Scripting (XSS) and why the name is misleading.
A CISO's Guide to Pentesting

References
* https://en.wikipedia.org/wiki/Penetration_test
* https://partner-security.withgoogle.com/docs/pentest_guidelines#assessment-methodology
* https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies
* https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
* https://pentest-standard.readthedocs.io/en/latest/
* https://www.isecom.org/OSSTMM.3.pdf
* https://s2.security/the-mage-platform/
* https://bishopfox.com/platform
* https://www.pentera.io/
* https://www.youtube.com/watch?v=g3yROAs-oAc

****************************

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader. My name is G. Mark Hardy, and today we're going to explore a number of things a CISO needs to know about pentesting. As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates. Now to get a good understanding of pentesting we are going over the basics every CISO needs to understand:
* What is it?
* Where are good places to order it?
* What should I look for in a penetration testing provider?
* What does a penetration testing provider need to provide?
* What's changing on this going forward?

First of all, let's talk about what a pentest is NOT. It is not a simple vulnerability scan. That's something you can do yourself with any number of publicly available tools. However, performing a vulnerability scan, and then acting on remediating what you find, is an important prerequisite for a pentest. Why pay hundreds of dollars per hour for someone to point out what you can find yourself in your bunny slippers sipping a latte? Now let's start with providing a definition of a penetration test.
According to Wikipedia, a penetration test or pentest is an authorized simulated cyber-attack on a computer system performed to evaluate the security of a system. It's really designed to show weaknesses in a system that can be exploited. Let's think of things we want to test. It can be a website, an API, a mobile application, an endpoint, a firewall, etc. There's really a lot of things you can test, but the thing to remember is you have to prioritize what has the highest likelihood or largest impact to cause the company harm. You need to focus on high likelihood and impact because professional penetration tests are not cheap. Usually, they will cost between $10,000-$30,000, but if you have a complex system, it's not unheard of to go up to $100,000. As a CISO you need to be able to defend this expenditure of resources. So, you will usually define a clear standard that our company will perform penetration tests on customer facing applications, PCI applications, and Financially Significant Applications or SOX applications once per year. My friend John Strand, who founded Black Hills Information Security, pointed out in a recent webcast that sometimes you, the client, may not know what you mean by the term pentest. Sometimes clients want just a vulnerability scan, or sometimes an external scan of vulnerabilities to identify risk, or sometimes a compromise assessment where a tester has access to a workstation and tries to work laterally, or sometimes a red team where a tester acts like a threat actor and tries to bypass controls, or a collaborative effort involving both red teams and blue teams to document gaps and to help defenders do their job better. He goes on to state that your pentest objective should be to "provide evidence of the effectiveness of current defensive mechanisms and attack detection methodologies." Please do not confuse a penetration test with a Red Team exercise.
A red team exercise just wants to accomplish an objective like steal data from an application. A penetration test wants to enumerate vulnerabilities in a scoped target system so the developer can patch and remediate. It's a subtle difference but consider that a red team only needs to find one vulnerability to declare success, whereas a penetration test keeps going to help identify potentially exploitable vulnerabilities. Now, is a pentest about finding ALL vulnerabilities? I would say no – there are vulnerabilities that might require a disproportionate amount of resources to exploit for little or no value – something with a CVSS score of 4.0 or the like. Those can often be left unpatched without consequence – the cost of remediating may exceed the value of the risk avoided. There really is a “good enough” standard of risk, and that is called “acceptable risk.” So, when scoping a pentest or reviewing results, make sure that any findings are both relevant and make economic sense to remediate. Let's take the example that you want to perform a web application pentest on your public website so you can fix the vulnerabilities before the bad actors find them. The first question you should consider is do you want an internal or an external penetration test. Well, the classic answer of "it depends" is appropriate. If this website is something of a service that you are selling to other companies, then chances are those companies are going to ask you for things like an ISO 27001 certification or SOC 2 Type 2 Report and both of those standards require, you guessed it, a penetration Test. In this case your company would be expected to document a pentest performed by an external provider. Now if your company has a website that is selling direct to a consumer, then chances are you don't have the same level of requirement for an external pentest. So, you may be able to just perform an internal penetration test performed by your company's employees. 
I'd be remiss if I didn't mention the Center for Internet Security Critical Controls, formerly known as the SANS Top 20. The current version, eight, has 18 controls that are listed in order of importance, and they include pentesting. What is the priority of pentesting, you may ask? #18 of 18 -- dead last. Now, that doesn't mean pentests are not valuable, or not useful, or even not important. What it does mean is that pentests come at the end of building your security framework and implementing controls. Starting with a pentest makes no sense IMHO, although compliance-oriented organizations probably do this more often than they should. That approach makes the pen tester's job one of filtering through noise -- there are probably a TON of vulnerabilities and weaknesses that should have been remediated in advance and could have been with very little effort. Think of a pentest as a final exam if you will. Otherwise, it's an expensive way to populate your security to-do list. OK, let's say we want to have an external penetration test and we have the 10-30K on hand to pay an external vendor. Remember this: a penetration test is only as good as the conductor of the penetration test. Cyber is a very unregulated industry, which means it can be tricky to know who is qualified. Compare this to the medical industry. If you go to a hospital, you will generally get referred to a Medical Doctor or Physician. This is usually someone who has a degree such as an MD or DO which proves their competency. They will also have a license from the state to practice medicine legally. Contrast this to the cyber security industry. There is no requirement for a degree to practice Cyber in the workforce. Also, there is no license issued by the state to practice cyber or develop software applications. Therefore, you need to look for relevant Cyber certifications to demonstrate competency to perform a Penetration Test.
There are a number of penetration testing certifications such as the Certified Ethical Hacker or CEH, Global Information Assurance Certification or GIAC GPEN or GWAPT, and the Offensive Security Certified Professional or OSCP. We strongly recommend anyone performing an actual penetration test have an OSCP. This certification is difficult to pass. A cyber professional must be able to perform an actual penetration test and produce a detailed report to get the actual certification. This is exactly what you want in a pentester, which is why we are big fans of this certification. This certification is a lot more complicated than remembering a bunch of textbook answers and filling in a multiple-choice test. Do yourself a favor and ask for individuals performing penetration tests at your company to possess this certification. It may mean your penetration tests cost more, but it's a really good way to set a bar of qualified folks who can perform quality penetration tests to secure your company. Now you have money, and you know you want to look for penetration tests from companies that have skilled cyber professionals with years of experience and an OSCP. What companies should you look at? Usually, we see three types of penetration testing companies. The first type is companies that use their existing auditors to perform penetration tests – firms like KPMG, EY, PwC, or Deloitte (The Big 4 1/2). This is expensive, but it's easy to get them approved since most large companies already have contracts with at least one of these companies. The second type of company that we see are large penetration testing companies. Companies like Bishop Fox, Black Hills Information Security, NCC Group, and TrustedSec focus largely on penetration testing and don't extend into other areas like financial auditing. They have at least 50+ penetration testers with experience from places like the CIA, NSA, and other large tech companies.
Note they are often highly acclaimed so there is often a waitlist of a few months before you can get added as a new client. Finally, there are boutique shops that specialize in particular areas. For example, you might want to hire a company that specializes in testing mobile applications, Salesforce environments, embedded devices, or APIs. This is a more specialized skill and a bit harder to find so you have to find a relevant vendor. Remember if someone can pass the OSCP it means they know how to test and usually have a background in Web Application Penetration testing. Attacking a Web application means being an expert in using a tool like Burp Suite to look for OWASP Top 10 attacks like SQL injection or Cross Site Scripting. This is a very different set of skills from someone who can hack a Vehicle Controller Area Network (CAN) bus or John Deere Tractor that requires reverse engineering and C++ coding. Once you pick your vendor and successfully negotiate a master license agreement be sure to check that you are continuing to get the talent you expect. It's common for the first penetration test to have skilled testers but over time to have a vendor replace staff with cheaper labor who might not have the OSCP or same level of experience that you expect. Don't let this happen to your company and review the labor and contract requirements in a recurring fashion. Alright, let's imagine you have a highly skilled vendor who meets these requirements. How should they perform a penetration test? Well, if you are looking for a quality penetration testing guide, we recommend following the one used by Google. Google, whose parent company is called Alphabet, has publicly shared their penetration testing guidelines and we have attached a link to it in our show notes. It's a great read so please take a look. Now Google recommends that a good penetration test report should clearly follow an assessment methodology during the assessment. 
Usually, penetration testers will follow an industry recognized standard like the OWASP Web Security Testing Guide, the OWASP Mobile Security Testing Guide, the OWASP Firmware Security Testing Guide, the PCI DSS Penetration Testing Guide, the Penetration Testing Execution Standard, or the OSSTMM, which stands for the Open Source Security Testing Methodology Manual. These assessment methodologies can be used to show that extensive evaluation was done, and a multitude of steps/attacks were carried out. They can also standardize the documentation of findings. Here you will want a list showing risk severity level, impact from a business/technical perspective, clear concise steps to reproduce the finding, screenshots showing evidence of the finding, and recommendations on how to resolve the finding. This will allow you to build a quality penetration test that you can reuse in an organization to improve your understanding of technical risks. If I can get good penetration tests today, perhaps we should think about how penetration testing is changing in the future. The answer is automation. Now we have had automated vulnerability management tools for decades. But please don't think that running a Dynamic Application Security Testing Tool or DAST such as WebInspect is the same thing as performing a full penetration test. A penetration test usually takes about a month of work from a trained professional, which is quite different from a 30-minute scan. As a cyber industry we are starting to see innovative Penetration Testing companies build out Continuous and Automated Penetration Testing tooling. Examples of this include Bishop Fox's Cosmos, Pentera's Automated Security Validation Platform, and Stage 2 Security's Voodoo and Mage tooling. Each of these companies is producing some really interesting tools, and we think they will be a strong complement to penetration tests performed by actual teams. This means that companies can perform more tests on more applications.
The other major advantage with these tools is repeatability. Usually, a penetration test is a point in time assessment. For example, once a year you schedule a penetration test on your application. That means that if a month later you make changes, updates, or patches to your application, then there can easily be new vulnerabilities introduced which were never assessed by your penetration test. So having a continuous solution to identify common vulnerabilities is important, because you always want to find your vulnerabilities first, before bad actors do. Here's one final tip. Don't rely on a single penetration testing company. Remember we discussed that a penetration testing company is only as good as the tester and the toolbox. So, try changing out the company who tests the same application each year. For example, perhaps you have contracts with Bishop Fox, Stage 2 Security, and Black Hills Information Security where each company performs a number of penetration tests for your company each year. You can alternate which company scans which application. Therefore, have Bishop Fox perform a pentest of your public website in 2022, then Stage 2 Security test it in 2023, then Black Hills test it in 2024. Every penetration tester looks for something different, and they will bring different skills to the test. If you leverage this methodology of changing penetration testing vendors each cycle, then you will get more findings, which allows you to remediate and lower risk. It also allows you to know if a penetration testing vendor's pricing is out of the norm. You can cancel or renegotiate one contract if a penetration testing vendor wants to double their prices. And watch the news -- even security companies have problems, and if a firm's best pentesters all leave to join a startup, that loss of talent may impact the quality of your report. Thank you for listening to CISO Tradecraft, and we hope you have found this episode valuable in your security leadership journey.
As always, we encourage you to follow us on LinkedIn, and help us out by letting your podcast provider know you value this show. This is your host, G. Mark Hardy, and until next time, stay safe.
In this episode, I will be covering topics from Domain 2 of CompTIA Security+ SY0-601. Topics covered in the episode are:
* Physical Security
* Data Sanitization
* Secure Code Design and DevSecOps
* Application Attacks like SQL Injection, Buffer Overflow, Cross-Site Scripting, etc.
* Input Validation and Code Reviews
Continuing our celebration of Black History Month, Malik Smith, Operations Security Engineer, discusses his work at ASM Research, which involves cross site scripting among other cybersecurity threats. He also discusses working with his father's IT company and developing the website for his mother's company.
Have you ever heard someone say our firewalls block this type of attack? In this episode, you can increase your understanding of firewalls so it won't just be another buzzword. The 6 basic categories of firewalls that we discuss on the show include:
* Packet Filters: focus on IP and port blocking
* Stateful Inspection Firewalls: look at active connections and consider context
* Network Address Translation Firewalls: tools that allow private networks to connect to public ones and create secure enclaves
* Proxy Servers: classify web traffic into topics that might be allowed or not allowed
* Web Application Firewalls: block Web Application Attacks (SQL Injection, Cross Site Scripting, ...)
* Next Generation Firewalls: try to do everything

References - sitereview.bluecoat.com
In this exciting episode of Digitalisierungsfieber, IT and data protection expert Andreas Kunz talks with Niklas Raczek, a specialist in the secure development of web applications, about the dangers of Cross Site Scripting and what really matters.
1. Cross-site scripting (XSS) cheat sheet. Learn XSS at a depth that you can explain it to anyone, and understand the diversity of attack that exists across the set of XSS vectors.
2. Why DevOps Will Cease to Exist. Just like DevOps is integrated into every developer's job, so is security.
3. OAuth 2.0 Threat Model Pentesting Checklist. OAuth 2.0 is used everywhere, and many developers and security people aren't aware of the depth of threat that exists.
4. A deep dive into how we investigate and secure GitLab packages. Solving the software supply chain security issues requires a coordinated and organizationally wide approach.
5. Modern Static Analysis: how the best tools empower creativity. If you haven't evaluated semgrep as a tool for inclusion in your application security program, it's time.
This week Jeff Foley hangs out to talk about asset discovery using amass, recon methodologies, hashcat style brute forcing vs. wordlists, extending functionality via the embedded Lua engine and more. My 3 main takeaways were 1) how to find assets that don't share a domain name using JARM 2) how they made scanning faster by essentially lowering the DNS brute forcing query rate and 3) what the future has in store for the project For more information, including the show notes check out https://breachsense.io/podcast
This week Jim Manico joins the show to talk about Cross Site Scripting, CSPs, strict dynamic, trusted types, SameSite cookies, NIST SP 800-63, password shucking and more. My 3 main takeaways were 1) how to do input validation correctly 2) why using nonces in your CSP is safer than creating an allowed list policy and 3) the right way to handle passwords For more information, including the show notes check out https://breachsense.io/podcast
This week Charlie Belmer joins the show to chat about NoSQLi, web proxies, cloud security, tips to get started in InfoSec and more. My 3 main takeaways were 1) how SQLi differs from NoSQLi 2) why privacy still matters and 3) how cookieless tracking works and some of the frightening techniques used For more information, including the show notes check out https://breachsense.io/podcast
We bring you a very fun episode. We tell you the news we consider most relevant from the fortnight, the second part of the trilogy on Cross-Site Scripting, and a very special tribute.
This week on the podcast we take a look at Content Security Policy, a web app security standard designed to combat Cross Site Scripting attacks against websites and web apps. Before that though, we'll cover the latest security news including a resurgence in ransomware attacks and the long overdue death of TLS versions 1.0 and 1.1.
Don’t let hackers execute different client-side attacks on your website. In this episode, Prasad Salvi will cover some of the most important concepts in his Pluralsight Web Application Penetration Testing: Client-side Testing course. Discover how to be proficient in performing client-side attacks like Cross-Site Scripting, HTML Injection, Client-side redirects, and how to fix them. Listen up!
From the intrusion kill chain model, a malicious code delivery technique that allows hackers to send code of their choosing to their victim’s browser. XSS takes advantage of the fact that roughly 90% of web developers use the JavaScript scripting language to create dynamic content on their websites. Through various methods, hackers store their own malicious JavaScript code on unprotected websites. When the victim browses the site, the web server delivers that malicious code to the victim’s computer and the victim’s browser runs the code.
Tanya Janca, also known as SheHacksPurple, is the author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community and weekly podcast that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty years, won numerous awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats: startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger & streamer and has delivered hundreds of talks and trainings on 6 continents. She values diversity, inclusion and kindness, which shines through in her countless initiatives. Founder: We Hack Purple (Academy, Community and Podcast), WoSEC International (Women of Security), OWASP DevSlop, OWASP Victoria, #CyberMentoringMonday.
Chapter List:
00:00:20 Opening
00:00:47 About @SheHacksPurple
00:01:55 Tanya is here!
00:02:21 Red Team, Blue Team, Purple Team
00:04:20 Purple Trait: Empathy
00:05:02 Purple Trait: Advocacy
00:06:50 Young Coding
00:08:04 Childhood and parents
00:08:37 "The Shirt Story"
00:09:12 Discovering that Code should be secure
00:11:20 Educating Students
00:12:15 "Cross Site Scripting" meaning
00:13:52 Introducing WeHackPurple.com
00:16:52 "DevSecOps" Definition
00:19:02 Public Speaking
00:19:54 Meet WOSEC
00:22:45 Big Shoutout to Chloé Messdaghi
00:24:22 Cyber Mentoring Monday
00:26:15 Mentee Responsibilities
00:28:25 Everyone needs a mentor
00:29:56 Salary negotiations
00:32:40 Less Traveling is good.
00:34:30 Management vs. Leadership
00:37:10 Diversity and Inclusion
00:37:40 Shout out to Jane Franklin and Tara Wheeler
00:42:22 Cookies!!!
00:43:20 Advice to a younger Tanya
00:46:34 Tribe of Hackers: Security Leaders
00:49:00 Signing off, parting wisdom from Tanya
Summary Security researcher Scott Helme tells me how Content Security Policy and Subresource Integrity are used to fight cross site scripting. Details Who he is, what he does. What cross site scripting is; well known examples; how it works; crypto mining with cross site scripting (XSS). Input validation, output encoding, more frameworks are handling validation. Content Security Policy (CSP), what it is, how it works; trusting CDNs; how to use CSP on a site, CSP Wizard, browser support; future changes. Subresource Integrity, what it is, how it works; trusting third party scripts; what happens if script fails validation. NoScript, browser extensions, DNS filters and VPNs. Scott's upcoming events; training. Full show notes
Today on SDL, Russ is out sick with something he caught from eating shawarma from street vendors somewhere, so we are going to talk, by which I mean, I am going to rattle on about Cross-Site Scripting Attacks and how they work. These attacks, which are far more common than bad shawarma, are used to collect data. So, on the final SDL of 2018, stick around. Full Show Notes: https://wiki.securityweekly.com/SDL_Episode93 Visit our website: http://securedigitallife.com Follow us on Twitter: https://www.twitter.com/SecureDigLife Like us on Facebook: https://www.facebook.com/SecureDigLife
In today's housekeeping segment we talk about our switch of DAW to Reaper/Ultraschall. We also respond to some feedback that kindly reached us by mail. After the news section, Sven tries to explain (not easy when you can only tell and not show) what Cross-Site Scripting is, what it is used to achieve, and how it can be prevented. In the second topic, Stefan turns to the Key Reinstallation Attack (KRACK for short), which hit the media shortly after our last episode and spread unnecessary panic. This time there is again a gift for Sven, who on this occasion learns why Stefan has been giving him so many gifts over the year ;) Disclaimer: This podcast presents techniques or hardware that are suitable for attacking external devices. This is done exclusively for educational purposes, because only if you know the attack techniques can you protect yourself effectively against them. Always remember to use these techniques or hardware only on devices whose owners or users have permitted it. Unauthorized access to third-party infrastructure is a criminal offence (in Germany §202a, §202b, §202c StGB).
Next in the OWASP Top 10 series is number 3, Cross Site Scripting (XSS). This vulnerability is the most common of the Top 10. It can open your application to anything from user impersonation and session stealing to data dumps. This episode goes over what XSS is and some of the steps and resources you can use to help prevent it. OWASP XSS Page OWASP XSS Cheat Sheet Types of XSS Be aware, be safe. ------------------------------------ Website - https://www.binaryblogger.com Podcast RSS - http://securityinfive.libsyn.com/rss Twitter @binaryblogger - https://www.twitter.com/binaryblogger iTunes - https://itunes.apple.com/us/podcast/security-in-five-podcast/id1247135894?mt=2 YouTube - https://www.youtube.com/binaryblogger TuneIn Radio -
PHP 7.2 Release Date Time Table - 4 Minutes Lately in PHP podcast episode 83 By Manuel Lemos Now that the PHP 7.2 release managers have been elected, the time table for each alpha, beta, release candidate and general availability date was announced. This was one of the main topics discussed by Manuel Lemos and Arturs Sosins in episode 83 of the Lately in PHP podcast. In this episode they also talked about the problem of casting objects to scalars passed by reference to functions, supporting float data types in PDO, implementing a better interface for serializing objects, and improvements for the filter extension. They also talked about PHP tutorial articles on using dynClass as an improvement to PHP stdClass, installing Laravel 5 on Ubuntu, and the problems of Chrome trying to block bogus Cross-Site Scripting security attacks. This article also contains a podcast summary as a text transcript and a 4 minute video of the summary. Listen to the podcast, or watch the hangout video, or read the transcript text to learn more about these interesting PHP topics.
digital kompakt | Business & Digitalization from Startup to Corporate
In this podcast, digital kompakt and Johannes Schaback, together with cyber security expert Sven Weizenegger, discuss cyber attacks, typical entry points in IT systems, building a secure IT infrastructure, and how to protect yourself against attacks. You will learn... 1) ...how IT infrastructures can be attacked 2) ...how cyber attacks against IT systems can be prevented 3) ...how to secure a company against cyber attacks 4) ...how keys, certificates and HTTPS work
Over the past 10+ years, Cross-Site Scripting has made its way into just about every 'top-ten vulnerability' list and has consistently starred in headlines and POCs. XSS vulnerabilities are also commonly submitted through bug bounty programs, and many write them off as 'low hanging fruit.' We're here to tell you that not all XSS are created equal. In this podcast, Haddix will...
- Provide technical and historical context around 'XSS-fatigue'
- Address what makes XSS unique and the general instances in which it can be particularly impactful
- Review specific XSS bugs submitted through bounty programs, how they were discovered, and the potential impact of those vulnerabilities
Get full resources and references for this episode here: COMING SOON.
This episode gives a high level overview of what XSS is and why it is of concern. Future episodes will dig deeper into the vulnerability.
Before Jens 'Atom' Steube wrote hashcat, he was a bug hunter for fun, focusing on open source software. After 2005 he only did bug hunting on commercial software and was therefore not allowed to disclose product names. In 2010 he started hashcat, and since that time it's the only project he's been working on. Thomas MacKenzie works for NCC Group as a Security Consultant, conducting all different types of security assessments. Ryan Dewhurst works for NCC Group as a Security Consultant, conducting all different types of security assessments. ScriptAlert1.com is a very simple and concise platform to explain Cross-Site Scripting, its dangers and mitigation. Our aim is for penetration testers to include a link in their pen test reports to the resource and to get it to be the de facto description for semi-technical/tech savvy managers.
Thomas works for NCC Group as a Security Consultant, conducting all different types of security assessments. Ryan is a British Computer Security graduate, security enthusiast and Security Engineer for RandomStorm living in France. He is interested in Web Application Security and Information Security in general. http://www.scriptalert1.com is a very simple and concise platform to explain Cross-Site Scripting, its dangers and mitigation. Our aim is for penetration testers to include a link in their pen test reports to the resource and to get it to be the de facto description for semi-technical / tech savvy managers.
Have you heard of those scam phone calls from "Windows" where the person on the other end of the phone claims to know there's a problem with your computer ("Is it running more slowly lately?") and they even have you test it out by running some commands and referring to common files as viruses? Then they're so friendly that if you simply go to their web site and download a couple files, they'll clean it all up for you. Maybe one of the worst people they could possibly call would be the head guy at Black Hills Information Security, John Strand. Yep, and John was only too happy to give them just enough rope to hang themselves. Listen along for how John was also able to irritate the scammers. Then we tried to get going on the stories of the week and were off to a great start but very quickly got derailed with a story from Australia. Apparently the Australian government is looking to put a filter on the internet in their country that would completely block all perceived porn sites. If someone wants to be able to access porn web sites from inside Australia, they'd need to "opt out" of the filter by simply contacting the government. What could possibly go wrong with this idea? I'm certain that there wouldn't be any privacy issues whatsoever. Additionally, wasn't the internet basically invented for the purpose of porn consumption? Ok, back to the rest of the stories discussed. Remember a few weeks ago when we talked about a scumbag who intruded upon a family through their baby monitor and was able to shout at the baby and parents through the monitor. Well, the Federal Trade Commission (FTC) has slapped down a manufacturer of a different brand of baby monitor and said they may no longer market their product as being "secure" until they fix these flaws. The flaws being that they say the feeds are private while anyone can view them on the internet, at least in part because the authentication from the internet is clear-text and needs to be encrypted. 
Here we are already seeing where it seems like a great idea for manufacturers to internetify their product but don't completely understand all aspects of that or at least don't understand basic security needs. I don't know which is the chicken and which is the egg yet, but with the promise of IPv6, we're going to eventually see just about everything we own trying to have some sort of presence on the internet and these basic security precautions will need to be met. Allison alerted us to the fact that Burp Suite got an upgrade this week. I'm constantly amazed at how much Burp can do especially when you consider the $300 price. Sure, there's also ZAP available from OWASP for even cheaper (free) but I think Burp is one of those tools that just about everyone uses because of its awesomeness. If I had to pick out just one of the new features, I'd mention the "Plug 'n Hack". According to Portswigger: "This enables faster configuration of the browser to work with Burp, by automatically configuring the browser to use Burp as its proxy, and installing Burp's CA certificate in the browser." We also found out more details this week about another trojan called FinFisher by Gamma. The existence of FinFisher had been previously revealed but in a presentation by Mikko Hypponen, he talked about some of the things that the tool can do, including cracking WPA1 and WPA2, decrypting common email sites and even copying over a whole drive encrypted with TrueCrypt via a USB stick. Reportedly, the tool had only been available to governments in order to conduct their own national intelligence, but by now there's no way of knowing whether this has slipped out into the wild and in the hands of just anyone. At Black Hat this year, Mike Shema from Qualys talked about a new way to possibly prevent CSRF. As we've seen in the past, the only way to reliably prevent the attack is to place a token in the action and have the server validate that token. 
This requires that the developer of the application understand CSRF and understand an API for creating the token, and to also implement it properly. If you're in the training or penetration testing business, this sounds like a great thing for job security. However, there are millions of developers worldwide and training all of them may take a while. Heck, look at how prevalent much simpler attacks like SQL injection and Cross Site Scripting are. Do we really think that we'll be able to "train away" CSRF? This is where Shema has the idea of "Session Origin Security" and puts the token in the browser. Now instead of training millions of developers, we simply get about five browser developers to jump on board. But the gang was a little skeptical about other plugins to work around this as well as breaking valid sessions and backward compatibility. We also wondered whether it may make more sense to allow the browser to choose whether it wants the CSRF protection and turn it on by default and let the user turn it off if there's a good reason to. These all seem to be questions that Shema and his team are looking into. Jack told us about a post from Gunnar Peterson and the "Five Guys Burgers Method of Security". I don't think it means where it's so good for the first ten minutes and then you feel like crap about it for the next few hours. It's the idea that when you go to a Five Guys (and if you haven't yet, you should) they have two things, burgers and fries. They do these two things exceptionally well. They haven't morphed into also being a chicken place, and a fish place and a milkshake place and a coffee place and then letting the overall quality slip. They are focused on doing their two things and doing them extremely well. And I wondered if this is where so many in the security industry get frustrated and eventually burned out. 
As John brought up, the frustration often comes when there is so much compliance and documentation required, which yeah, I can see that as well. Who likes checking boxes and meeting with guys in ties to explain how you meet the PII, PCI, SOX and whatever other acronyms? I also wonder if there's also frustration in that we're hired to be "the security person" and we have areas that we're good at and enjoy. Whether that's network security, mobile security, web security or whichever. But due to budgets and many other reasons, we are expected to be experts in all areas, much unlike Five Guys. The Five Guys philosophy is if you want a great chicken sandwich, go to a chicken place. If you want a great milkshake, go to a milkshake joint. However in our jobs, we are the burgers and fries and chicken and fish and milkshakes and we're expected to be perfect at all of them. Anyway, it's an interesting take. Do you have a Web site? No? Ok, then you're probably safe. Robert "Rsnake" Hansen put together an infographic about all the different things that you need to worry about today when securing your web site. It started out as a joke but then got a bit too close to reality and finally just got head-shakingly scary. Finally, if you haven't already, check to see if your web site is "locked." Simply do a whois on your site and see if you have at a minimum a status of "ClientTransferProhibited." Some have said the recent NY Times hack was able to happen because the domain was not locked and the Syrian Electronic Army (SEA) was able to get the DNS credentials from someone and then change the DNS records to their own server. But if your DNS is locked, it'll take a bit more work to make the updates. Your registrar will go through additional validation steps before the DNS records are updated. This is likely enough that if someone is looking to hijack web sites, they'll realize yours isn't worth the bother and move on to an easier target. 
With Congress possibly authorizing an attack on Syria and with the twelfth anniversary of the September 11, 2001 attacks upcoming, it would not be surprising to see another round of attacks on web infrastructure. So take this very easy step and protect your site.
Guest David Naylor discusses a recent article about a serious vulnerability I found in Twitter, entitled Massive Twitter Cross-Site Scripting Vulnerability.
Anyone who moves around on the Internet is confronted with "Cross-Site Scripting" vulnerabilities, whether as a user or as a developer. It's bad if you don't even know exactly what XSS is and how to protect yourself. Daniel Jagszent enlightens Sascha Postner and the listeners.
Another common security issue is cross site scripting. In this episode you will see why it is so important to escape any HTML a user may submit.
Black Hat Briefings, Las Vegas 2006 [Audio] Presentations from the security conference
"Imagine you’re visiting a popular website and invisible JavaScript exploit code steals your cookies, captures your keystrokes, and monitors every web page that you visit. Then, without your knowledge or consent, your web browser is silently hijacked to transfer out bank funds, hack other websites, or post derogatory comments in a public forum. No traces, no tracks, no warning sirens. In 2005’s "Phishing with Superbait" presentation we demonstrated that all these things were in fact possible using nothing more than some clever JavaScript. And as bad as things are already, further web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites. Most of us assume while surfing the Web that we are protected by firewalls and isolated through private NAT'ed IP addresses. We assume the soft security of intranet websites and that the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, etc. even if left unpatched, remain safe inside the protected zone. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite. Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. The web browser of every user on an enterprise network becomes a stepping stone for intruders. Now, imagine visiting a web page that contains JavaScript malware that automatically reconfigures your company’s routers or firewalls, from the inside, opening the internal network up to the whole world. Even worse, common Cross-Site Scripting vulnerabilities make it possible for these attacks to be launched from just about any website we visit and especially those we trust. The age of web application security malware has begun and it’s critical that we understand what it is and how to defend against it. 
During this presentation we'll demonstrate a wide variety of cutting-edge web application security attack techniques and describe best practices for securing websites and users against these threats. You’ll see:
* Port scanning and attacking intranet devices using JavaScript
* Blind web server fingerprinting using unique URLs
* Discovering NAT'ed IP addresses with Java Applets
* Stealing web browser history with Cascading Style Sheets
* Best-practice defense measures for securing websites
* Essential habits for safe web surfing
Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security (http://www.whitehatsec.com), where he is responsible for web application security R&D and industry evangelism. As a well-known and internationally recognized security expert, Mr. Grossman is a frequent speaker at the Black Hat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writing, and interviews have been published in dozens of publications including USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, Computerworld and BetaNews. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites. T.C. Niedzialkowski is a Senior Security Engineer at WhiteHat Security in Santa Clara, California. In this role, he oversees WhiteHat Sentinel, the company's continuous vulnerability assessment and management service for web applications. Mr. Niedzialkowski has extensive experience in web application assessment and is a key contributor to the design of WhiteHat's scanning technology."
Black Hat Briefings, Las Vegas 2006 [Video] Presentations from the security conference
Imagine you’re visiting a popular website and invisible JavaScript exploit code steals your cookies, captures your keystrokes, and monitors every web page that you visit. Then, without your knowledge or consent, your web browser is silently hijacked to transfer out bank funds, hack other websites, or post derogatory comments in a public forum. No traces, no tracks, no warning sirens. In 2005’s "Phishing with Superbait" presentation we demonstrated that all these things were in fact possible using nothing more than some clever JavaScript. And as bad as things are already, further web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites. Most of us assume while surfing the Web that we are protected by firewalls and isolated through private NAT'ed IP addresses. We assume the soft security of intranet websites and that the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, etc. even if left unpatched, remain safe inside the protected zone. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite. Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. The web browser of every user on an enterprise network becomes a stepping stone for intruders. Now, imagine visiting a web page that contains JavaScript malware that automatically reconfigures your company’s routers or firewalls, from the inside, opening the internal network up to the whole world. Even worse, common Cross-Site Scripting vulnerabilities make it possible for these attacks to be launched from just about any website we visit and especially those we trust. The age of web application security malware has begun and it’s critical that understand what it is and how to defend against it. 
During this presentation we'll demonstrate a wide variety of cutting-edge web application security attack techniques and describe best practices for securing websites and users against these threats. You'll see:
* Port scanning and attacking intranet devices using JavaScript
* Blind web server fingerprinting using unique URLs
* Discovering NAT'ed IP addresses with Java Applets
* Stealing web browser history with Cascading Style Sheets
* Best-practice defense measures for securing websites
* Essential habits for safe web surfing

Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security (http://www.whitehatsec.com), where he is responsible for web application security R&D and industry evangelism. As a well-known and internationally recognized security expert, Mr. Grossman is a frequent speaker at the Black Hat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writing, and interviews have been published in dozens of publications including USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, Computerworld and BetaNews. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites. T.C. Niedzialkowski is a Senior Security Engineer at WhiteHat Security in Santa Clara, California. In this role, he oversees WhiteHat Sentinel, the company's continuous vulnerability assessment and management service for web applications. Mr. Niedzialkowski has extensive experience in web application assessment and is a key contributor to the design of WhiteHat's scanning technology.
Black Hat Briefings, Japan 2006 [Audio] Presentations from the security conference
Imagine you're visiting a popular website and invisible JavaScript Malware steals your cookies, captures your keystrokes, and monitors every web page that you visit. Then, without your knowledge or consent, your web browser is silently hijacked to transfer out bank funds, hack other websites, or post derogatory comments in a public forum. No traces, no tracks, no warning sirens. In 2005's "Phishing with Superbait" presentation we demonstrated that all these things were in fact possible using nothing more than some clever JavaScript. And as bad as things are already, further web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites. Most of us assume while surfing the Web that we are protected by firewalls and isolated through private NAT'ed IP addresses. We assume the soft security of intranet websites and that the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, etc., even if left unpatched, remain safe inside the protected zone. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite. Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. The web browser of every user on an enterprise network becomes a stepping stone for intruders. Now, imagine visiting a web page that contains JavaScript Malware that automatically reconfigures your company's routers or firewalls, from the inside, opening the internal network up to the whole world. Even worse, common Cross-Site Scripting vulnerabilities make it possible for these attacks to be launched from just about any website we visit and especially those we trust. The age of web application security malware has begun and it's critical that we understand what it is and how to defend against it.
During this presentation we'll demonstrate a wide variety of cutting-edge web application security attack techniques and describe best practices for securing websites and users against these threats. You'll see:
* Port scanning and attacking intranet devices using JavaScript Malware
* Blind web server fingerprinting using unique URLs
* Discovering NAT'ed IP addresses with Java Applets
* Stealing web browser history with Cascading Style Sheets
* Best-practice defense measures for securing websites
* Essential habits for safe web surfing
Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.
Cross Site Scripting has received much attention over the last several years, although some of its more ominous implications have received far less. Anti-DNS pinning is a relatively new threat that, while not well understood by most security professionals, is far from theoretical. This presentation will focus on a live demonstration of anti-DNS pinning techniques. A victim web browser will be used to execute arbitrary, interactive HTTP requests to any server, completely bypassing perimeter firewalls. This is NOT a Jickto knockoff. Jickto relies on using a proxy or caching site like Google to place both sites in the same domain. This does not allow for full interaction with dynamic pages, or any interaction with internal web sites. This demonstration allows full interaction with arbitrary web servers in the intranet environment. No browser bugs or plug-ins are required to accomplish this, only JavaScript. The presenter will demonstrate an automated attack process that provides an HTTP proxy service for the attacker's browser after scanning the internal network for web servers. New requests are retrieved from the attack server by using the width and height of truncated images (only 66 bytes) as a covert channel.*** This bypasses the browser DOM's normal behavior of allowing data to be requested only from the server that provided the HTML. Before demonstrating the tool, anti-DNS pinning will be explained in a way that anyone familiar with the basics of DNS and HTTP will understand. The presenter will describe the presentation environment and attack components, then walk through the steps in an attack. Once the foundation concepts have been established, the live demonstration will be performed.
Towards the end, the presentation will also briefly cover suggested defenses, including changing pinning behavior in browsers, better intranet security, gateway behavioral scanners, increased granularity for IE security zones, and introduction of security zones into Mozilla and other browsers.
Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.
Cross Site Scripting has received much attention over the last several years, although some of its more ominous implications have received far less. Anti-DNS pinning is a relatively new threat that, while not well understood by most security professionals, is far from theoretical. This presentation will focus on a live demonstration of anti-DNS pinning techniques. A victim web browser will be used to execute arbitrary, interactive HTTP requests to any server, completely bypassing perimeter firewalls. This is NOT a Jickto knockoff. Jickto relies on using a proxy or caching site like Google to place both sites in the same domain. This does not allow for full interaction with dynamic pages, or any interaction with internal web sites. This demonstration allows full interaction with arbitrary web servers in the intranet environment. No browser bugs or plug-ins are required to accomplish this, only JavaScript. The presenter will demonstrate an automated attack process that provides an HTTP proxy service for the attacker's browser after scanning the internal network for web servers. New requests are retrieved from the attack server by using the width and height of truncated images (only 66 bytes) as a covert channel.*** This bypasses the browser DOM's normal behavior of allowing data to be requested only from the server that provided the HTML. Before demonstrating the tool, anti-DNS pinning will be explained in a way that anyone familiar with the basics of DNS and HTTP will understand. The presenter will describe the presentation environment and attack components, then walk through the steps in an attack. Once the foundation concepts have been established, the live demonstration will be performed.
Towards the end, the presentation will also briefly cover suggested defenses, including changing pinning behavior in browsers, better intranet security, gateway behavioral scanners, increased granularity for IE security zones, and introduction of security zones into Mozilla and other browsers.