
Content provided by Black Hat Briefings, USA 2007 [Video] Presentations from the security conference. All podcast content, including episodes, graphics and podcast descriptions, is uploaded and provided directly by Black Hat Briefings, USA 2007 [Video] Presentations from the security conference, or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here: https://ms.player.fm/legal.

Jeremiah Grossman & Robert Hansen: Hacking Intranet Websites from the Outside (Take 2) - "Fun with and without JavaScript malware"

54:40
 
Attacks always get better, never worse. The malicious capabilities of Cross-Site Scripting (XSS) and Cross-Site Request Forgeries (CSRF), coupled with JavaScript malware payloads, exploded in 2006. Intranet Hacking from the Outside, Browser Port Scanning, Browser History Stealing, Blind Web Server Fingerprinting, and dozens of other bleeding-edge attack techniques blew away our assumptions that perimeter firewalls, encryption, A/V, and multi-factor authentication can protect websites from attack.
One quote from a member of the community summed it up this way:
"The last quarter of this year (2006), RSnake and Jeremiah pretty much destroyed any security we thought we had left - including the "I'll just browse without JavaScript" mantra. Could you really call that browsing anyway?"
-Kryan
That's right. New research is revealing that even if JavaScript has been disabled or restricted, some of the now popular attack techniques - such as Browser Intranet Hacking, Port Scanning, and History Stealing - can still be perpetrated. From an enterprise security perspective, when users are visiting "normal" public websites (including web mail, blogs, social networks, message boards, news, etc.), there is a growing probability that their browser might be silently hijacked by a hacker and exploited to target the resources of the internal corporate network.
This year's new and lesser-known attack techniques - Anti-DNS Pinning, Bypassing Mozilla Port Blocking / Vertical Port Scanning, sophisticated filter evasion, Backdooring Media Files, Exponential XSS, and Web Worms - are also finding their way into the attackers' arsenals. The ultimate goal of this presentation is to describe and demonstrate many of the latest Web application security attack techniques and to highlight best practices for complete website vulnerability management to protect enterprises from attacks.
You'll see:
- Web Browser Intranet Hacking / Port Scanning - (with and without JavaScript)
- Web Browser History Stealing / Login Detection - (with and without JavaScript)
- Bypassing Mozilla Port Blocking / Vertical Port Scanning
- The risks involved when websites include third-party Web page widgets/gadgets (RSS Feeds, Counters, Banners, JSON, etc.)
- Fundamentals of DNS Pinning and Anti-DNS Pinning
- Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII)
