Friday, May 25, 2007

Intranet Hacking (Take 2) for BH USA 2007

I was just informed by BlackHat that my presentation (Hacking Intranet Websites from the Outside (Take 2)–"Fun with and without JavaScript malware") was selected! Woot! I have some good stuff planned (description below). As always, it's an honor to be chosen amongst the industry's top experts. The selection committee has a really tough job wading through a ton of solid submissions. There's going to be a lot going on during the show this year, I can't wait. Presentations, book signings, vendor parties, WASC meet-up, etc. Time to get working on my slides and demos. :)

Attacks always get better, never worse. The malicious capabilities of Cross-Site Scripting (XSS) and Cross-Site Request Forgeries (CSRF), coupled with JavaScript malware payloads, exploded in 2006. Intranet Hacking from the Outside, Browser Port Scanning, Browser History Stealing, Blind Web Server Fingerprinting, and dozens of other bleeding-edge attack techniques blew away our assumptions that perimeter firewalls, encryption, A/V, and multi-factor authentication can protect websites from attack.

One quote from a member of the community summed it up this way:

"The last quarter of this year (2006), RSnake and Jeremiah pretty much destroyed any security we thought we had left—including the "I'll just browse without JavaScript" mantra. Could you really call that browsing anyway?"
-Kryan

That's right. New research is revealing that even if JavaScript has been disabled or restricted, some of the now popular attack techniques—such as Browser Intranet Hacking, Port Scanning, and History Stealing—can still be perpetrated. From an enterprise security perspective, when users are visiting "normal" public websites (including web mail, blogs, social networks, message boards, news, etc.), there is a growing probability that their browser might be silently hijacked by a hacker and exploited to target the resources of the internal corporate network.

This year's new and lesser-known attack techniques (Anti-DNS Pinning, Bypassing Mozilla Port Blocking/Vertical Port Scanning, sophisticated filter evasion, Backdooring Media Files, Exponential XSS, and Web Worms) are also finding their way into the attackers' arsenals. The ultimate goal of this presentation is to describe and demonstrate many of the latest Web application security attack techniques and to highlight best practices for complete website vulnerability management to protect enterprises from attacks.

You'll see:

  • Web Browser Intranet Hacking / Port Scanning - (with and without JavaScript)
  • Web Browser History Stealing / Login Detection - (with and without JavaScript)
  • Bypassing Mozilla Port Blocking / Vertical Port Scanning
  • The risks involved when websites include third-party Web page widgets/gadgets (RSS Feeds, Counters, Banners, JSON, etc.)
  • Fundamentals of DNS Pinning and Anti-DNS Pinning
  • Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII)

10 comments:

ntp said...

so nothing new? you're doing the same talk again? this is why i stopped going to blackhat/defcon ten years ago...

you'll get to join the ranks of ofir arkin and dan kaminsky. maybe get yourself a fanclub. somebody will make a tshirt design with your face on it, or better yet - an action figure that comes with a little computer with the word SENTINEL cheesily written on it

Jeremiah Grossman said...

are you purposely trying to pick a fight or what?

Jeremiah Grossman said...

To answer your question..... There will be plenty of new stuff and cool demos for people to enjoy, perhaps not for someone of your caliber though.

Chris Shiflett said...

I'd like to see someone put the pieces together and scan for vulnerabilities in intranet web sites via XSS / CSRF. Optionally, you could even search for persistent XSS vulnerabilities that enable you to inject code to continuously monitor intranet web sites.

In other words, I'd like to see a demo of the intranet edition of Sentinel. :-)

ntp said...

sorry i was trying to come off more as funny than a jerk.

are you going to have any slides about how great WAFs are?

Jeremiah Grossman said...

ahh OK, my mistake, I understood. Text sucks at translating humor at times. My personality is an introvert, so the last thing I want is a fan club. Maybe RSnake does. :)

Though I do appreciate when people say hi when I meet them in person or who compliment some of the work I've done. That I find really cool to have made a difference.

Slides about WAFs, hmmm... unlikely for this particular presentation. I do pay WAFs homage in some other slide decks though. I remember how you feel about those. :)

Chris_B said...

Hope you make it to BH Japan as well.

Jeremiah Grossman said...

I hope so too. I try to make it every year.

Anonymous said...

is your presentation going to be available anywhere else beside blackhat, meaning video, audio, slides, papers...
for us who can't make it to blackhat

Jeremiah Grossman said...

The slides will be available almost immediately after the show, but what everyone will probably want to see is the demos and the PoC code. If the presentation is well received, more than likely I'll walk it around the conference circuit for others to enjoy. The WH PR team does a good job of keeping the event schedule on our website updated.