A guy from Websense gave a cool talk on Ajax honeypots. The basic idea is to set up eBay, MySpace, etc. accounts and watch what happens: who tries to put iframes into your site, who tries to be your friend, that sort of thing. Interesting way to gain intelligence.
The speaker went on to describe an eBay auction he started to sell a (poorly drawn) picture of a bicycle. Immediately he got several bids, and once the auction closed, the highest bid was at $300. So he sent an email asking how the buyer wanted to pay for the picture. The buyer used some stall tactics over several emails, but indicated the picture was worth it and so forth. In the final email the bidder asked for bank routing information and other personal information so that a payment could be made to the seller's account.
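Added example code, not from the Websense talk or from this post: a small scanner for the honeypot idea above. It runs over constructed "submissions" (a comment, a friend-request message, a profile field) and reports which submitters planted an iframe sized or styled to be invisible, which is the thing you would want the honeypot account to flag. The class, function and field names are assumptions made for this example.

```python
# Added example (not the talk's or the post's code): flag hidden iframes in
# content submitted to a honeypot profile and attribute them to the submitter.
from html.parser import HTMLParser


class HiddenIframeFinder(HTMLParser):
    """Collects iframes whose attributes mark them as meant to be unseen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        # Zero- or one-pixel dimensions: visually absent but still loaded.
        for dim in ("width", "height"):
            value = a.get(dim, "").strip().lower()
            if value.endswith("px"):
                value = value[:-2]
            if value in ("0", "1"):
                reasons.append(f"{dim}={a[dim]}")
        # Inline style that hides the frame outright.
        style = a.get("style", "").replace(" ", "").lower()
        for marker in ("display:none", "visibility:hidden", "width:0", "height:0", "opacity:0"):
            if marker in style:
                reasons.append(f"style contains {marker}")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of {src, reasons} dicts for every hidden iframe in html."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def triage_submissions(submissions):
    """Map each submitter to the hidden-iframe sources they tried to plant."""
    report = {}
    for who, html in submissions:
        hits = find_hidden_iframes(html)
        if hits:
            report.setdefault(who, []).extend(h["src"] for h in hits)
    return report


# Constructed submissions, as a honeypot profile might receive them.
SUBMISSIONS = [
    ("friendly_user", "Cool page! Check out my band: <a href='http://band.example'>here</a>"),
    ("drive_by_1", "nice profile <iframe src=\"http://badware.example/load\" width=\"0\" height=\"0\"></iframe>"),
    ("drive_by_2", "<IFRAME SRC=\"http://badware.example/x\" STYLE=\"display: none\"></IFRAME>"),
    ("video_fan", "<iframe src=\"http://video.example/embed/1\" width=\"560\" height=\"315\"></iframe>"),
]

if __name__ == "__main__":
    for who, sources in triage_submissions(SUBMISSIONS).items():
        print(f"{who}: {', '.join(sources)}")
```

The legitimate video embed is left alone because it has a visible size; only the zero-sized and `display: none` frames are attributed to their submitters, which is the intelligence the honeypot is after.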
Marc Tobias was at DC15 again. Man, this guy is good. He is a lawyer and an expert in physical bypass techniques. He gave another public service announcement to help accurately represent the state of insecurity of current locks. He talked about all sorts of engineering and production issues at lock manufacturers that lead to defects, but are primarily the failure of imagination within the manufacturers' design groups.
He pointed out the most important aspect of physical and cyber security. We have to remember the key does not open the lock. The key actuates a mechanism that opens the lock. There is always a way to actuate the gating mechanism without the key....
There was another demonstration of bump keying. If you have not heard of it, check out YouTube. It is just another defect found in almost all classes of locks that allows them to be opened by unskilled people.
Although I did not participate in any contests this year, DC15 had a lockpicking village with representation from all over, including toool.nl.
xs-sniper gave a presentation called "Biting the Hand that Feeds Me".
They talked about DNS pinning, classic CSRF, and then this way cool use of CSRF on well-known web sites to anonymously host web badware.
who do you trust / DNS
browser restrictions / SSL certs / phishing filters / human trust
classic CSRF
GET /transfer.do?toAcct=nate&amount=1
use XSS to create an invisible iframe
array of usernames/passwords
test for XSS, then execute an XSS request that only works with auth creds, and use the XSS to ping you back.... exponential XSS
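Added example code, not from the xs-sniper talk or from this post: the classic-CSRF transfer request in the notes, handled first by an endpoint with the flaw (a state-changing GET authenticated by the session cookie alone, so a hidden iframe on any page the victim visits triggers it) and then by a hardened one that refuses GET, checks the Origin header and requires a per-session token a foreign page cannot read. The request dict layout, the `bank.example` origin, the session store and the balances are all constructed for this example.

```python
# Added example (not the talk's or the post's code): vulnerable vs hardened
# handling of GET /transfer.do?toAcct=nate&amount=1.
import hashlib
import hmac
import secrets

SITE_ORIGIN = "https://bank.example"       # assumed origin of the legitimate site
SERVER_SECRET = secrets.token_bytes(32)    # per-process key used to derive CSRF tokens

SESSIONS = {"sess-alice": "alice"}         # constructed cookie -> user mapping
BALANCES = {"alice": 100, "nate": 0}       # constructed account balances


def csrf_token_for(session_id):
    """Token bound to one session; the site embeds it in its own transfer form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _user_from_cookie(request):
    return SESSIONS.get(request.get("cookies", {}).get("session"))


def _apply_transfer(user, to_acct, amount):
    BALANCES[user] -= amount
    BALANCES[to_acct] = BALANCES.get(to_acct, 0) + amount
    return 200


def vulnerable_transfer(request):
    """The pattern in the notes: the browser attaches the cookie automatically,
    so a forged GET from another site is indistinguishable from a real one."""
    user = _user_from_cookie(request)
    if user is None:
        return 401
    q = request.get("query", {})
    return _apply_transfer(user, q["toAcct"], int(q["amount"]))


def hardened_transfer(request):
    """Three independent checks; any one of them stops the forged request."""
    user = _user_from_cookie(request)
    if user is None:
        return 401
    if request.get("method") != "POST":                      # no state change on GET
        return 405
    if request.get("headers", {}).get("Origin") != SITE_ORIGIN:   # cross-site POST
        return 403
    form = request.get("form", {})
    expected = csrf_token_for(request["cookies"]["session"])
    if not hmac.compare_digest(form.get("csrf", ""), expected):   # missing/forged token
        return 403
    return _apply_transfer(user, form["toAcct"], int(form["amount"]))


# Constructed: what the browser sends when a hidden iframe on an unrelated page
# loads /transfer.do?toAcct=nate&amount=1 while Alice is logged in.
FORGED_GET = {
    "method": "GET",
    "cookies": {"session": "sess-alice"},
    "query": {"toAcct": "nate", "amount": "1"},
    "headers": {"Referer": "https://other-site.example/"},
}

# Constructed: a cross-site form POST from that same page.
FORGED_POST = {
    "method": "POST",
    "cookies": {"session": "sess-alice"},
    "form": {"toAcct": "nate", "amount": "1"},
    "headers": {"Origin": "https://other-site.example"},
}


def legitimate_post(session_id="sess-alice"):
    """What the site's own transfer form produces, token included."""
    return {
        "method": "POST",
        "cookies": {"session": session_id},
        "form": {"toAcct": "nate", "amount": "1", "csrf": csrf_token_for(session_id)},
        "headers": {"Origin": SITE_ORIGIN},
    }
```

The token check is what matters when the Origin header is absent (older browsers, some proxies); the Origin check is cheap defence in depth, and refusing GET for state changes removes the simplest iframe/img trigger altogether.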
xs-sniper.com
put the file that you want to serve on one of the mail servers,
domain switching
store the file on the mail server, find XSS in Yahoo, send a link with your XSSed page to send from Yahoo
Gmail
signup
storing content on Gmail: no .exe, but it uploads to Gmail anyway... they have taken ownership of cmd.exe
get the location for the GET request (copy shortcut)
find XSS, create an invisible iframe, serve the exe from Gmail
people trust Yahoo
you can host warez on Gmail and Yahoo
write a full-blown application to take advantage of this
Flash - crossdomain.xml, loadPolicy in Flash 7
create an invisible iframe XSS and specify the exact request to make the cross-domain request somewhere
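Added example code, not from the xs-sniper talk or from this post: an audit of a Flash crossdomain.xml policy for the settings that let a SWF on any site make cross-domain requests with the user's cookies, including the `site-control` restriction that stops `loadPolicyFile()` from honouring a policy planted somewhere else on the host. The two policies are constructed; the element and attribute names are the real policy-file ones.

```python
# Added example (not the talk's or the post's code): flag the permissive
# settings in a crossdomain.xml policy.
import xml.etree.ElementTree as ET


def audit_crossdomain(policy_xml):
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    findings = []

    # Without master-only, a SWF can point loadPolicyFile() at any file on the
    # host, so a policy hidden in user-uploaded content is accepted.
    site_control = root.find("site-control")
    permitted = None if site_control is None else site_control.get("permitted-cross-domain-policies")
    if permitted is None:
        findings.append("no <site-control>: non-master policy files are accepted")
    elif permitted == "all":
        findings.append("site-control allows policy files anywhere on the host")

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*" grants every site')
        elif domain.startswith("*."):
            findings.append(f"allow-access-from wildcard subdomain {domain}")
        if el.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" lets http:// SWFs read https:// data for {domain}')

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" or el.get("headers") == "*":
            findings.append(
                f"arbitrary request headers allowed from {el.get('domain')} "
                f"(headers={el.get('headers')})"
            )
    return findings


# Constructed: the permissive policy that turns a site into a cross-domain relay.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed: the same site restricted to its own front end.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.org" secure="true"/>
</cross-domain-policy>"""

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_crossdomain(policy) or "ok")
```

Hosting the policy at the site root is only half of it: the `site-control` element is what ties the decision to that one file, which is why an auditor checks for it before looking at the allow lists.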
URI handler abuse - problem handling double quotes
firefox://
URIs interact in whatever way they want...
you can activate these to interact with the user and the app
cross-browser scripting
Firefox
cross-application scripting - own AIM via IE, command injection
remote command execution
in FF, mailto: with double-encoded nulls is mishandled when IE7 is installed
xs-sniper
- Commonly used terms throughout the con
same origin policy / mpack / web2.0