AppSecUSA 2012 has ended
Friday, October 26 • 11:00am - 11:45am
Blended Threats and JavaScript: A Plan for Permanent Network Compromise

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

This is a version of the talk I gave at Black Hat USA 2012, updated specifically for the AppSec USA audience. The original BlackHat slides are available at "http://www.scribd.com/doc/101185061/Blended-Threats-and-JavaScript", and the source code used in the demonstrations is available at "https://github.com/superevr/ddwrt-install-tool".

During Black Hat 2006, it was shown how common Web browser attacks could be leveraged bypass perimeter firewalls and "Hack Intranet Websites from the Outside." In the years since, the fundamental problems were never addressed and the Intranet remains wide open, probably because the attack techniques described had important limitations. These limitations prevented mass scale and persistent compromise of network connected devices, which include but are not limited to home broadband routers. Now in 2012, with the help of new research and next-generation technologies like HTML5, browser-based Intranet attacks have overcome many of the old limitations and improved to a new degree of scary.

This presentation will cover state-of-the-art browser-to-network threats launched with JavaScript, using zero to minimal user interaction and complete every step of the exploit attack cycle. Starting with enumeration and discovery, escalating the attack further upstream and into embedded network devices, and ultimately mass-scale permanent compromise.



Security Associate, Bishop Fox
The number of companies with bug bounty programs has increased dramatically over the last five years. A clever researcher can make easy money disclosing security vulnerabilities responsibly, and some have even turned it into a full-time job. But how do these programs actually work? I will use my personal experiences on both sides of the fence - as a bug hunter and as a bug bounty submission reviewer - to provide an exclusive look into the world of vulnerability reporting. Learn about the most common eligible vulnerabilities... Read More →

Friday October 26, 2012 11:00am - 11:45am CDT
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

Attendees (0)