Monday, August 13, 2007

Two kickass Web security papers recently published

1) The first out of the Stanford security lab, Protecting Browsers from DNS Rebinding Attacks by Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, and Dan Boneh. Everything you wanted to know about DNS Rebinding (formerly known as anti-DNS Pinning) and probably a lot you didn’t. My favorite part was the real-world experiment they performed using Flash 9 advertisements - very spooking, very easy and apparently highly effective stuff. And not to leave us wanting, the security lab guys also drafted a proposal for a long-term solution to DNS Rebinding attacks using Host Name Authorization (based upon Reverse DNS lookups).

2) The second paper is from Sensepost, It’s all about the timing…, by Haroon Meer and Marco Slaviero. Before they get to their real innovation, upfront they provide a detailed history of how Web-based timing attacks works. This would have been a fantastic resource if only for that and I’m going to have to go back and reread this a few more times and commit it to memory. The real gem though is their Cross Site Request Timing attack. Hopefully I’m describing it correctly, basically this is a way to leverage victim web browsers to blindly perform brute force attacks (among others) on third-party websites. Like I said, I’m going to have to study this more, but I was thoroughly impressed by what I saw.

8 comments:

Yousif Yalda said...

Whitehatsec.com doesn't respond to sales e-mail nor calls made to the company. They also filter people's e-mail addresses.

Jeremiah Grossman said...

Im fairly responsive, what can I help you with?

Yousif Yalda said...

I tried contacting you via e-mail and I was filtered through most of them and I even tried calling and left 2 voice mail's an got nothing. I have a few questions to ask you.

Jeremiah Grossman said...

doubtful you were filtered through my email (jeremiah _#_ whitehatsec _DOT_ com) and if you tried to reach me by corp telephone... good luck... the amount of bogus call volume I get now rivals my email making it completely unusable.

Feel free to email me though.

Jeremiah Grossman said...

I'll do the best I can... I'm flying out to D.C. today, if not today then.... sometime this week.

Yousif said...

Alright, just don't forget please.

Yousif Yalda said...

Hey Jeremiah, when do you think you can give me a call exactly?

Yousif said...

Nevermind, I got a call from one of your people, I think I'm more than qualified for the job but it's a requirement that you have to be on site, and I don't there on site, thanks anyways.