The proliferation of mobile devices has led to increased emphasis on native applications, such as Objective-C applications written for iOS or Java applications written for Android. Nonetheless, these native client applications frequently use HTTP APIs to communicate with a backend server. In addition, browser-based applications are growing more complex, and are also more likely to make asynchronous calls to HTTP APIs.
In this presentation, we walk through a common (but insecure) method of securing HTTP APIs with SSL. As we will demonstrate, properly configured SSL will protect a protocol from eavesdropping (man-in-the-middle attack) but will not protect that protocol from the end user himself. In particular, we demonstrate how an end user can use an SSL proxy to decrypt and reverse engineer the HTTP API.
We will show a hypothetical HTTP API over SSL that tracks high scores for games. Then we will demonstrate an attack on that HTTP API using mitmproxy, an open source SSL proxy, to show how an attacker can forge a high score, even though the protocol is tunneled over SSL. We will then demonstrate a modified HTTP API that is resistant to this type of attack.
Finally, we will wrap up by discussing other applications of SSL proxies to web application security testing, such as analyzing HTTP APIs to see whether any personal information – such as a user's address book – is being transmitted over the API. This is the same technique used by researcher Arun Thampi in February 2012 to determine that the Path application on iOS was secretly uploading users' contacts to its HTTP API.
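The point of the high-score scenario is that TLS authenticates the server to the client but says nothing about whether the client is honest, so the server has to validate what it receives. The following is an added example, not code from the talk or the speakers: one server-side design (an assumption here, not necessarily the talk's own modified API) in which the client reports the events it observed during play rather than a bare score, the server recomputes the score and rejects event logs that no real play session could produce. The game rules, point values and sample requests are constructed for illustration.

```python
from typing import Any, Dict, Tuple

# Constructed rules for the hypothetical game (assumptions, not from the talk).
POINTS = {"coin": 10, "enemy": 50, "level_clear": 200}
MIN_LEVEL_SECONDS = 20.0     # a level cannot be cleared faster than this
MAX_EVENTS_PER_SECOND = 5.0  # sustained input rate a human player cannot exceed


def server_score(submission: Dict[str, Any]) -> Tuple[bool, int, str]:
    """Return (accepted, score_to_record, reason). The client's 'score' field
    is ignored: the score is recomputed from the event log, which must be
    one a real play session could have produced."""
    events = submission.get("events")
    if not isinstance(events, list) or not events:
        return False, 0, "no events"
    last_t, last_clear, total = 0.0, -MIN_LEVEL_SECONDS, 0
    for ev in events:
        t, kind = ev.get("t"), ev.get("type")
        if not isinstance(t, (int, float)) or t < last_t:
            return False, 0, "events out of order"
        if kind not in POINTS:
            return False, 0, "unknown event type %r" % (kind,)
        if kind == "level_clear":
            if t - last_clear < MIN_LEVEL_SECONDS:
                return False, 0, "level cleared impossibly fast"
            last_clear = t
        total += POINTS[kind]
        last_t = t
    if len(events) / max(last_t, 1.0) > MAX_EVENTS_PER_SECOND:
        return False, 0, "event rate not humanly possible"
    return True, total, "ok"


# Constructed sample requests, as they would appear in a proxy once TLS is
# terminated. The honest client reports what actually happened in the game.
HONEST = {"player": "alice", "score": 270, "events": [
    {"t": 1.0, "type": "coin"}, {"t": 3.5, "type": "coin"},
    {"t": 9.0, "type": "enemy"}, {"t": 25.0, "type": "level_clear"}]}
# Same event log, but the score field was edited in the proxy.
FORGED_SCORE = dict(HONEST, score=999999)
# Fabricated log: ten levels "cleared" within two seconds.
FORGED_EVENTS = {"player": "mallory", "score": 2000, "events": [
    {"t": 0.2 * i, "type": "level_clear"} for i in range(10)]}

if __name__ == "__main__":
    for name, req in (("honest", HONEST), ("forged score", FORGED_SCORE),
                      ("forged events", FORGED_EVENTS)):
        print(name, server_score(req))
```

Plausibility rules like these raise the cost of forgery rather than eliminate it; the durable property is that the server derives the score itself instead of recording a number the client asserts.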
This speech will focus on Reverse Engineering and Evaluations of .NET Framework Desktop Software.
I will show the basics of doing Reverse Engineering:
- How to get source code
- What to look for
- What are easy vulns to find
This speech will then go a step further into the bleeding edge by modifying the protection/security areas of applications, both adding and removing security systems. I will also show building basic malware payloads and infecting critical software, as well as finding malware and dissecting it.
This speech should give a security professional the basic understanding of how to do a light Black-Box code analysis.
This speech should give a programmer the basics of finding, fighting, and producing malware.
One of the most vital pieces of a secure SDLC is security training – not only for developers, but for Architects, QA and anyone else involved in the creation of software. Too frequently, this is minimized, overlooked or completely absent within an organization. In some cases, the very idea of application security is dismissed as unnecessary.
This talk starts by making a strong argument for developer education, and how it fits into any organization’s SDLC. Training will be put into the context of NIST’s “Security considerations in System Development Life Cycle” Document, Microsoft’s Simplified SDL, BSIMM3 and OWASP Open SAMM.
From there, we discuss other OWASP resources and projects dedicated to developer education, followed by an in-depth discussion of OWASP WebGoat.NET – an ASP.NET-specific re-design of OWASP WebGoat that meets the needs and addresses the challenges of modern application security training programs.
Lecture will be delivered by Jerry Hoff, VP of Static Code Analysis Division at WhiteHat Security. Jerry is the leader of the OWASP Appsec Tutorial Series, WebGoat.NET and AntiSamy.NET. Jerry is a former developer and author, and has delivered over 10,000 hours of technical training. Jerry holds a Master's degree in Computer Science from Washington University in St. Louis.
Key Points:
- Developers need a better way to be educated in AppSec
- Equip participants with the tools and evidence they need to make an irrefutable case for developer security training
- Analysis of tools/documents/videos that OWASP provides for training
- Introduction of WebGoat.NET: OWASP's latest tool to help educate developers
- Interactive demonstration of WebGoat.NET with full audience participation
Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a completely new approach - analyzing code execution, memory and data in runtime, allowing for accurate inspection of the application. We will discuss IAST technology (introduced into the 2011 Hype Cycle) compared with DAST/SAST, and the benefits it provides.
The goal of the talk is to examine and discuss technological concepts rather than specific products or solutions, and includes a technical drill-down into the technology specifics. The talk will begin by presenting the standard IAST building blocks and their benefits, and continue by showing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more…
Social-Engineering is nothing new. From the dawn of man, social-engineering has been an avenue to obtain results through manipulation and deception (not always). As the creator of the Social-Engineer Toolkit (SET), I get a wide variety of experiences and new techniques in identifying ways to penetrate organizations in a unique way. You never know what you are going to get on the other end. It's a game of chance, odds, and confidence. During this talk, we'll dive down into how social-engineering and technology can be used in order to compromise multiple avenues of an organization, with live demonstrations of a new version of the Social-Engineer Toolkit. I'll also be walking through some of the different SE scenarios and how I overcame a number of challenges and hurdles while performing some of the most difficult red team exercises. Let's play a game of spin the bottle, where the person on the other end is a complete anomaly and unknown. Where your confidence matters and your pretext is everything.
This is a version of the talk I gave at Black Hat USA 2012, updated specifically for the AppSec USA audience. The original BlackHat slides are available at "http://www.scribd.com/doc/101185061/Blended-Threats-and-JavaScript", and the source code used in the demonstrations is available at "https://github.com/superevr/ddwrt-install-tool".
During Black Hat 2006, it was shown how common Web browser attacks could be leveraged to bypass perimeter firewalls and "Hack Intranet Websites from the Outside." In the years since, the fundamental problems were never addressed and the Intranet remains wide open, probably because the attack techniques described had important limitations. These limitations prevented mass scale and persistent compromise of network connected devices, which include but are not limited to home broadband routers. Now in 2012, with the help of new research and next-generation technologies like HTML5, browser-based Intranet attacks have overcome many of the old limitations and improved to a new degree of scary.
This presentation will cover state-of-the-art browser-to-network threats launched with JavaScript, using zero to minimal user interaction and completing every step of the exploit attack cycle: starting with enumeration and discovery, escalating the attack further upstream and into embedded network devices, and ultimately mass-scale permanent compromise.
During this presentation attendees will be introduced to lesser known, yet significant vulnerabilities in SQL Server implementations related to common trust relationships, misconfigurations, and weak default settings. The issues that will be covered are often leveraged by attackers to gain unauthorized access to high value systems, applications, and sensitive data. An overview of each issue, common vectors of attack, and manual techniques will be covered. Finally, newly created Metasploit modules and TSQL scripts will be demonstrated that help automate the attacks. This presentation will be valuable to penetration testers who are looking for faster ways to gain access to critical data and systems. Additionally, it should be worthwhile for developers and database administrators who are interested in gaining a better understanding of how to protect their applications and databases from these attacks.
HTML5 has empowered browsers with a number of new features and functionalities. Browsers with this new architecture include features like the XMLHttpRequest Object (Level 2), Local Storage, File System APIs, WebSQL, WebSocket, File APIs and many more. The browser is emerging as a platform like a little operating system, and its attack surface has expanded significantly. Applications developed in this new architecture are exposed to an interesting set of vulnerabilities and exploits. Traditional vulnerabilities like CSRF and XSS can both be exploited in this new HTML5 architecture. In this talk we will cover the following new attack vectors and variants of XSS and CSRF:
- HTML5 driven CSRF with XMLHttpRequest (Level 2)
- CSRF with two way attack stream
- Cross Site Response Extraction attacks using CSRF
- Cross Origin Resource Sharing (CORS) policy hacking and CSRF injections
- DOM based XSS with HTML5 applications
- Exploiting HTML5 tags, attributes and events
- DOM variable extraction with XSS
- Exploiting Storage, File System and WebSQL with HTML5 XSS
- Layered XSS and making it sticky with HTML5 based iframe sandbox
- Jacking with HTML5 tags and features
In this session we will cover new methodology and tools along with some real-life cases and demonstrations. At the end we will cover some interesting defense methodologies to secure your HTML5 applications.
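The CORS policy hacking item above comes down to how a server answers the Origin request header. The following is an added example, not code from the talk: a server-side policy that reflects any Origin while allowing credentials, beside an exact-match allowlist that rejects suffix-matching tricks and the literal "null" origin. The trusted origins are an assumption for this example.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allowlist for the hypothetical application (an assumption here).
TRUSTED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_weak(origin: Optional[str]) -> Dict[str, str]:
    """The misconfiguration: echo whatever Origin arrives and allow credentials.

    Any page, including a sandboxed iframe or file:// page sending 'null',
    can now make a credentialed XMLHttpRequest and read the response, which
    turns a cookie-authenticated API into a CSRF and data-extraction channel.
    """
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_hardened(origin: Optional[str]) -> Dict[str, str]:
    """Exact-match allowlist on the full origin (scheme + host + port).

    Substring or suffix matching would accept 'https://app.example.com.evil.test';
    a literal 'null' Origin is never trusted; 'Vary: Origin' keeps a shared cache
    from serving one origin's allowed response to another.
    """
    if origin is None or origin == "null":
        return {}
    parts = urlsplit(origin)
    normalized = "%s://%s" % (parts.scheme.lower(), parts.netloc.lower())
    if parts.path or parts.query or parts.fragment:
        return {}
    if normalized not in TRUSTED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": normalized,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


if __name__ == "__main__":
    for o in ("https://app.example.com", "https://evil.test",
              "https://app.example.com.evil.test", "null"):
        print(o, "weak:", cors_headers_weak(o), "hardened:", cors_headers_hardened(o))
```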
This presentation is centered on a new theory of attack prevention known as the Counterintelligence Attack Theory. The NSA has developed and published an approach to cyber security known as Defense In Depth. It is a practical strategy for achieving Information Assurance in today's highly networked environments, yet it is used as more of a catch phrase than a realistic approach. Best practices and defense simply cannot prevent the attacks which have not been predefined or previously observed.
The Defense In Depth stratagem will be reviewed and the procedure of Counterintelligence Attack Theory is presented as the missing element. The presentation concludes that Cyber Intelligence Analysts are missing from corporate organizations and are needed to develop the ability to understand cyber-attacks through a more holistic approach.
Further Info:
Public entities and private corporations incur considerable expenditures to prevent, mitigate, or remediate cyber-attacks. The current strategy employed is known as Defense In Depth. This is a practical strategy for achieving Information Assurance in today’s highly networked environments. It is a “best practices” strategy in that it relies on the intelligent application of techniques and technologies that exist today. The strategy recommends a balance between the protection capability and cost, performance, and operational considerations. Unfortunately, the techniques that are used today are mostly based on deploying software and hardware technologies that provide an ability to restrict known attacks (or the proverbial low-hanging-fruit) and are at best reactive in nature.
Best practices simply cannot prevent the attacks which have not been predefined or previously observed. This talk will present a new theory on attack prevention known as the Counterintelligence Attack Theory. It is not from a military perspective and is meant to address those with corporate responsibility for cyber security. Without addressing the legal framework or possible complications of a covert cyber action, this theory is designed to be an additional method of collection for the cyber intelligence analyst.