Sponsor by SEC Playground --- Support this podcast: https://podcasters.spotify.com/pod/show/chillchillsecurity/support
A mix of issues this week, not traditionally bounty topics, but there are some lessons that can be applied. First is a feature turned vulnerability in VS Code, which takes a look at just abusing intentional functionality. Several XOS bugs with a web console. A Sonos Era 100 jailbreak which involves causing a particular call to fail, a common bug path we've seen before, and some discussion about doing fast DNS rebinding attacks against Chrome and Safari. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/231.html

[00:00:00] Introduction
[00:01:00] It's not a Feature, It's a Vulnerability
[00:13:40] Multiple Vulnerabilities In Extreme Networks ExtremeXOS
[00:24:06] Shooting Yourself in the .flags – Jailbreaking the Sonos Era 100
[00:30:08] Tricks for Reliable Split-Second DNS Rebinding in Chrome and Safari
[00:46:02] Apache Struts2 File Upload Vulnerability Analysis (CVE-2023-50164) - Xianzhi Community
[00:48:49] Blind CSS Exfiltration: exfiltrate unknown web pages
[00:51:11] Finding that one weird endpoint, with Bambdas

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:
-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
We are also available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9
In this episode of Critical Thinking - Bug Bounty Podcast, we chat with Corben Leo about his journey in bug bounty hunting and ethical hacking. We discuss the state of DNS rebinding in 2023, a Twitter thread by Douglas Day (@ArchAngelDDay) on one-hundred bug bounty rules, and our own unique approaches to bug hunting. We also discuss Corben's recon-focused bug hunting methodology and how he developed it. Don't miss this episode filled with valuable tips, insights, and Corben's Boring Mattress Company.

Follow us on twitter at: @ctbbpodcast
Get on our newsletter for some exclusive content: https://www.criticalthinkingpodcast.io/subscribe
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Today's Guest:
https://twitter.com/hacker_
Article on the State of DNS Rebinding in 2023:
https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/
See @ArchAngelDDay's twitter thread about 100 bug bounty rules:
https://twitter.com/ArchAngelDDay/status/1661924038875435008
Talkback - Cybersecurity news aggregator:
https://talkback.sh/
PyPI announces mandatory 2FA:
https://www.bleepingcomputer.com/news/security/pypi-announces-mandatory-use-of-2fa-for-all-software-publishers/

Timestamps:
(00:00:00) Introduction
(01:05) State of DNS rebinding in 2023
(04:40) 100 Bug Bounty Rules by @ArchAngelDDay
(05:30) Give yourself a 'no bug' limit
(07:00) The value of reporting Low and Medium Bugs for Bug Bounty Programs
(11:15) Reporting Out of Scope Bugs
(14:30) Reporting IDORs as Access Control Bugs
(17:28) Talkback
(18:12) PyPI's mandatory 2FA implementation for software publishers
(Start of main content)
(20:07) Starting out in bug bounty/ethical hacking
(25:00) Hacking methodology and mentorship
(28:15) Identifying Load Balancers
(33:20) Triage and live events
(38:30) College and Computer Science vs. Cybersecurity
(45:45) Importance of writing for the Hacker Community
(51:21) Storytelling and report writing
(55:00) When to stop doing recon and start hacking
(01:00:58) Lessons Learned from BreachlessAI and the pivot to Boring Mattress Co.
Some RCE chains starting with DNS rebinding, always fun to see, a fairly basic SQL injection, and a JS sandbox escape for RCE in Spotify. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/171.html

[00:00:00] Introduction
[00:00:38] RCE in Tailscale, DNS Rebinding, and You [CVE-2022-41924]
[00:17:55] SQL Injection in ManageEngine Privileged Access Management [CVE-2022-40300]
[00:22:34] Unauthenticated Remote Code Execution in Spotify's Backstage
[00:36:28] Till REcollapse
[00:41:19] Chat Question: Alternatives to IDA Freeware

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:
-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
We are also available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9
Description: Because of a move there was no episode at the end of October. Today we cover October and November. There was Microsoft, Twitter, OpenSSL, the Pixel phone lock screen bypass, Tailscale and much more. Enjoy listening!

Shownotes:
Domain fronting to be blocked on Azure
AWS keys on PyPi for over a year
"Invalid Username or Password": a useless security measure - Kevin Burke
Elon Musk Says Twitter Will Add Video and Voice Call, Encrypted DMs
CVE-2022-41924 - RCE in Tailscale, DNS Rebinding, and You
Russian 0day thirst traps
0XDEAD ZEPPELIN
Hijacking AUR Packages by Searching for Expired Domains - Blog by Joren Vrancken
urlscan.io's SOAR spot: Chatty security tools leaking private data - Positive Security
Timing Attacks on WhatsApp, Signal, and Threema can Reveal User Location - RestorePrivacy
Dangerous hole in Apache Commons Text – like Log4Shell all over again – Naked Security
Toyota Suffered a Data Breach by Accidentally Exposing A Secret Key Publicly On GitHub
Google Pixel Lock Screen Bypass
On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including:
Half of all UK COBRA meetings are ransomware related
Ransomware biggest risk to US port security
White House to move on spyware industry
EU to launch its own Starlink equivalent
Much, much more

AttackIQ's Jonathan Reiber will be joining us in this week's sponsor interview to talk about how companies and their boards are really moving towards outcomes-based security programs. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that's your thing.

Show notes
Ransomware incidents now make up majority of British government's crisis management COBRA meetings - The Record by Recorded Future
DHS Secretary: Cyberattacks are the most significant threat to port infrastructure - The Record by Recorded Future
Michigan school districts reopen after three-day closure due to ransomware attack - The Record by Recorded Future
Microsoft: Royal ransomware group using Google Ads in campaign - The Record by Recorded Future
Researchers Quietly Cracked Zeppelin Ransomware Keys – Krebs on Security
Risky Biz News: Cyber Partisans hack and disrupt Kremlin censor
US, Estonian authorities arrest two over $575 million cryptocurrency fraud - The Record by Recorded Future
New FTX CEO details 'complete failure of corporate controls' at crypto platform
OpenSSL Usage in UEFI Firmware Exposes Weakness in SBOMs
EU reaches agreement on new satellite constellation - The Record by Recorded Future
Ukraine's Engineers Dodged Russian Mines To Get Kherson Back Online–With A Little Help From Elon Musk's Satellites
Senate Democrats call on FTC to investigate Twitter's data security
11.17.22 - FTC - Twitter Letter
Twitter has a lot of your data. Here's what you can do about it.
Mastodon vulnerable to multiple system configuration problems | The Daily Swig
System misconfiguration is the number one vulnerability, at least for Mastodon
White House expected to issue executive order reining in spyware
H20220930-005_Himes-Speier cc's - DocumentCloud
A Leak Details Apple's Secret Dirt on Corellium, a Trusted Security Startup | WIRED
Risky Biz News: Iranian state hackers breached US government agency and deployed a cryptominer, out of all things
India removes ban on VLC media player after cybersecurity concerns addressed - The Record by Recorded Future
Amazon addresses vulnerability affecting AWS AppSync - The Record by Recorded Future
CVE-2022-41924 - RCE in Tailscale, DNS Rebinding, and You
Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations | CISA
Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization | CISA
Sponsor by SEC Playground. Survey to help improve the Chill Chill Security Channel: https://forms.gle/e5K396JAox2rZFp19 Music by https://www.bensound.com/ --- Support this podcast: https://anchor.fm/chillchillsecurity/support
NextCloud

I want to install NextCloud for my family, but only for my family. This means making things hard for myself by installing it behind my firewall with a private NAT IP address. That presented problems with getting a valid Let's Encrypt cert. It all now works, and thanks to timttmy I was able to get the WireGuard VPN installed and working.

Pi 4

Get a Pi and an SSD, and enable it. You should review Raspberry Pi 4 USB Boot Config Guide for SSD / Flash Drives for issues with SSD drives and the Raspberry Pi. You can install Raspbian as normal. I already covered this in hpr2356 :: Safely enabling ssh in the default Raspbian Image, and Safely enabling ssh in the default Raspberry Pi OS (previously called Raspbian) Image. And then follow the instructions in How to Boot Raspberry Pi 4 From a USB SSD or Flash Drive.

Next Cloud

Install Apache, MariaDB, and PHP: How to install Nextcloud 20 on Ubuntu Server 20.04; NextCloud - Installation and server configuration - Installation on Linux; Download NextCloud.

    # diff /etc/apache2/apache2.conf /etc/apache2/apache2.conf.orig
    171,172c171,172
    < Options FollowSymLinks
    < AllowOverride All
    ---
    > Options Indexes FollowSymLinks
    > AllowOverride None

Install PHPMyAdmin: How to Install PHPMyAdmin on the Raspberry Pi

Required changes to the nextcloud config.

    root@nextcloud:~# diff /root/nextcloud-config.php.orig /var/www/html/nextcloud/config/config.php
    > 1 => 'nextcloud',
    > 2 => '192.168.123.123',
    > 3 => 'nextcloud.example.com',
    > 'memcache.local' => '\OC\Memcache\APCu',

    # diff /etc/apache2/sites-available/000-default.conf.orig /etc/apache2/sites-enabled/000-default.conf
    28a29,32
    > RewriteEngine On
    > RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
    > Redirect 301 /.well-known/carddav /var/www/html/nextcloud/remote.php/dav
    > Redirect 301 /.well-known/caldav /var/www/html/nextcloud/remote.php/dav

Required changes to the php.ini config.

    root@nextcloud:~# diff /etc/php/7.3/apache2/php.ini.orig /etc/php/7.3/apache2/php.ini
    401c401
    < memory_limit = 128M
    ---
    > memory_limit = 2000M
    689c689
    < post_max_size = 8M
    ---
    > post_max_size = 2048M
    841c841
    < upload_max_filesize = 2M
    ---
    > upload_max_filesize = 2048M

Upgrade

You can upgrade using the procedure described by klaatu in hpr3232 :: Nextcloud, or as admin via the UI https://nextcloud.example.com/nextcloud/index.php/settings/user, Administration, Overview. You will see a lot of Warnings on the Admin Page, but don't panic. The server is not accessible on the Internet after all. The errors have links to how you can fix them and some are very easy to do. I got an error "Error occurred while checking server setup". I used this tip to move root-owned files out of the nextcloud dir. For me it was mostly about enabling caching via APCu, and "You are accessing this site via HTTP". The first is fixed in the nextcloud/config/config.php page, the next is fixed by installing a valid SSL cert from Let's Encrypt.

SSL Let's Encrypt

Based on the following article I installed it manually: Obtain Let's Encrypt SSL Certificate Using Manual DNS Verification

Install certbot:

    # apt install certbot

Then run the script manually, specifying that the challenge should be over DNS.

    # certbot certonly --manual --preferred-challenges dns
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator manual, Installer None
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): letsencrypt@example.com
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf.
    You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (A)gree/(C)ancel: A
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: n
    Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): nextcloud.example.com
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for nextcloud.example.com
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.
    Are you OK with your IP being logged?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: y
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.nextcloud.example.com with the following value:
    0c5dbJpS5t0VKzglhdfFhZ6CGmZlLHNaNnAQe2VeJyKi
    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue

It was at this point I went to my hosting company's page and created a subdomain called nextcloud. Then I added a TXT record called _acme-challenge with the text 0c5dbJpS5t0VKzglhdfFhZ6CGmZlLHNaNnAQe2VeJyKi.

In order to verify that we use the command:

    # apt-get install -y dnsutils
    $ dig -t TXT _acme-challenge.nextcloud.example.com
    ; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -t TXT _acme-challenge.nextcloud.example.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<-

users in an admin account. I created an account for each of the family members, a generic one for the house, and a read-only one for the MagicMirror. The house account houses (pun intended) the shared calendar, files, and contacts. All the family accounts have read and write access to these, except for the MagicMirror one which only needs to read the calendar and contacts.

F-Droid

Now you can install the software you will need on your phones.
NextCloud: Synchronization client
DAVx⁵: CalDAV/CardDAV Synchronization and Client
OpenTasks: Keep track of your list of goals
WireGuard: Next generation secure VPN network tunnel

You will need to set up the NextCloud client using the URL https://nextcloud.example.com/nextcloud/, username and password. Then you set up DAVx⁵ using another URL, https://nextcloud.example.com/nextcloud/remote.php/dav, but the same username and password. By the way, if you want to access files you can do so via davs://nextcloud.example.com/nextcloud/remote.php/dav/files/house/

I set up the NextCloud client to automatically upload photos and videos to the server.

To set up WireGuard you need to create a connection for each device connecting:

    root@nextcloud:~# pivpn add
    Enter a Name for the Client: Mobile_Worker
    ::: Client Keys generated
    ::: Client config generated
    ::: Updated server config
    ::: WireGuard reloaded
    ======================================================================
    ::: Done! Mobile_Worker.conf successfully created!
    ::: Mobile_Worker.conf was copied to /home/ken/configs for easy transfer.
    ::: Please use this profile only on one device and create additional
    ::: profiles for other devices. You can also use pivpn -qr
    ::: to generate a QR Code you can scan with the mobile app.
    ======================================================================

Then display the QR code as follows:

    root@nextcloud:~# pivpn qrcode
    :: Client list ::
    1) Mobile_Worker
    Please enter the Index/Name of the Client to show:

Pressing 1 in my case will display the QR code. Open the WireGuard app on the phone and press + to add an account, and select scan from QR code. Point it to the QR code and that's it.

If you want to remove a client, you can just use pivpn remove:

    root@nextcloud:~# pivpn remove
    :: Client list ::
    1) Mobile_Worker
    Please enter the Index/Name of the Client to be removed from the list above: 6
    Do you really want to delete Mobile_Worker? [Y/n] y
    ::: Updated server config
    ::: Client config for Mobile_Worker removed
    ::: Client Keys for Mobile_Worker removed
    ::: Successfully deleted Mobile_Worker
    ::: WireGuard reloaded

MagicMirror

The final step is to have the MagicMirror in the living room display the shared calendar. To display your calendar there, you need to have an ics iCalendar file. You can get that by logging into NextCloud as the MagicMirror user via the web and going to the calendar you want to export. Click the ... menu and select "Copy Private Link". You can then add ?export at the end of the URL to get an iCal export.

Dave gave me a tip on how to have MagicMirror serve this file, by using its own local webserver. You point it to a local directory, e.g. http://localhost:8080/modules/.calendars/. Don't forget to create it:

    mkdir -p ~/MagicMirror/modules/.calendars/

I wrote a script that would first get a new version of the ical file, and if it is downloaded correctly would immediately overwrite the previous one.

    [magicmirror@magicmirror ~]$ cat /home/pi/bin/cal.bash
    #!/bin/bash
    # Fetch the exported calendar into a temporary file first so a failed
    # download never clobbers the copy MagicMirror is currently serving.
    wget --quiet --output-document /home/pi/MagicMirror/modules/.calendars/home_calendar.ics.tmp --auth-no-challenge --http-user=magicmirror --http-password="PASSWORD" "https://nextcloud.example.com/nextcloud/remote.php/dav/calendars/magicmirror/personal_shared_by_House/?export" > /dev/null 2>&1
    # Only replace the live file if the download produced a non-empty file.
    if [ -s /home/pi/MagicMirror/modules/.calendars/home_calendar.ics.tmp ]
    then
      mv /home/pi/MagicMirror/modules/.calendars/home_calendar.ics.tmp /home/pi/MagicMirror/modules/.calendars/home_calendar.ics
    fi
    [snip...]

I then scheduled this to run every 15 minutes.

    [magicmirror@magicmirror ~]$ crontab -l
    */15 * * * * /home/pi/bin/cal.bash >/dev/null 2>&1

The final step was to update my Calendar entry in the ~/MagicMirror/config/config.js config file.

    // Calendar
    {
        module: "calendar",
        header: "Calendar",
        position: "top_center",
        config: {
            colored: true,
            maxTitleLength: 30,
            fade: false,
            calendars: [
                {
                    name: "Family Calendar",
                    url: "http://localhost:8080/modules/.calendars/home_calendar.ics",
                    symbol: "calendar-check",
                    color: "#825BFF" // violet-ish
                },
                {
                    name: "Birthday Calendar",
                    url: "http://localhost:8080/modules/.calendars/birthday_calendar.ics",
                    symbol: "calendar-check",
                    color: "#FFCC00" // yellow
                },
                {
                    // Calendar uses repeated 'RDATE' entries, which this iCal parser
                    // doesn't seem to recognise. Only the next event is visible, and
                    // the calendar has to be refreshed *after* the event has passed.
                    name: "HPR Community News recordings",
                    url: "http://hackerpublicradio.org/HPR_Community_News_schedule.ics",
                    symbol: "calendar-check",
                    color: "#C465A7" // purple
                },
                {
                    // https://inzamelkalender.gad.nl/ical-info
                    name: "GAD Calendar",
                    url: "https://inzamelkalender.gad.nl/ical/0381200000107654",
                    symbol: "calendar-check",
                    color: "#00CC00" // Green
                },
            ]
        }
    },

The contacts' birthday calendar wasn't available to the MagicMirror user immediately after I created it, so I forced an update as follows:

    root@nextcloud:/var/www/html/nextcloud# sudo -u www-data php occ dav:sync-birthday-calendar
    Start birthday calendar sync for all users ...
    7 [============================]

Conclusion

With that we have a family sharing solution just like other normal households, yet with the security of knowing that the data doesn't leave the house and is not being used without your approval. You can tell it's a hit, because now people are scheduling tech support tasks via the app. Ah well.
It's a TechSNAP introduction to Terraform, a tool for building, changing, and versioning infrastructure safely and efficiently. Plus a recent spate of data leaks suggests a common theme, Microsoft's self-inflicted Total Meltdown flaw, and playing around with DNS Rebinding attacks for fun.
We cut through the noise and explain in clear terms what's really been discovered. The botched disclosure of flaws in AMD products has overshadowed the technical details of the vulnerabilities, and we aim to fix that. Plus another DNS Rebinding attack is in the wild and stealing Ethereum, Microsoft opens up a new bug bounty program, Expedia gets hacked, and we perform a TechSNAP checkup.
Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.
Design bugs are really difficult to fix -- nobody ever takes a dependency on a buffer overflow, after all. Few things have had their design stretched as far as the web; as such, I've been starting to take a look at some interesting aspects of the "Web 2.0" craze. Here's a few things I've been looking at:

Slirpie: VPN'ing into Protected Networks With Nothing But A Lured Web Browser. Part of the design of the web is that browsers are able to collect and render resources across security boundaries. This has a number of issues, but they've historically been mitigated with what's known as the Same Origin Policy, which attempts to restrict scripting and other forms of enhanced access to sites with the same name. But scripts are not acquired from names; they come from addresses. As RSnake of ha.ckers.org and Dan Boneh of Stanford University have pointed out, so-called "DNS Rebinding" attacks can break the link between the names that are trusted, and the addresses that are connected to, allowing an attacker to proxy connectivity from a client. I will demonstrate an extension of RSnake and Boneh's work, that grants full IP connectivity, by design, to any attacker who can lure a web browser to render his page. I will also discuss how the existence of attacks such as Slirpie creates special requirements for anyone intending to design or deploy Web Single Sign On technologies. Slirpie falls to some of them, but slices through the rest handily.

p0wf: Passive Fingerprinting of Web Content Frameworks. Traditional OS fingerprinting has looked to identify the OS Kernel that one is communicating with, based on the idea that if one can identify the kernel, one can target daemons that tend to be associated with it. But the web has become almost an entirely separate OS layer of its own, and especially with AJAX and Web 2.0, new forms of RPC and marshalling are showing up faster than anyone can identify. p0wf intends to analyze these streams and determine just which frameworks are being exposed on what sites.

LudiVu: A number of web sites have resorted to mechanisms known as CAPTCHAs, which are intended to separate humans from automated submission scripts. For accessibility reasons, these CAPTCHAs need to be both visual and auditory. They are usually combined with a significant amount of noise, so as to make OCR and speech recognition impossible. I was in the process of porting last year's dotplot similarity analysis code to audio streams for non-security related purposes, when Zane Lackey of iSec Partners proposed using this to analyze CAPTCHAs. It turns out that, indeed, Audio CAPTCHAs exhibit significant self-similarity that visualizes well in dotplot form. This will probably be the first Black Hat talk to use WinAMP as an attack tool.

A number of other projects are also being worked on -- I've been sending billions of packets for a reason, after all, and they haven't been coming from WinAMP :) There will be some updates on the analysis tools discussed during Black Ops 2006 as well.
Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.