Hacking Web File Servers for iOS
Bruno Gonçalves de Oliveira
Senior Security Consultant – Trustwave’s SpiderLabs
About Me

#whoami
• Bruno Gonçalves de Oliveira
• Senior Security Consultant @ Trustwave’s SpiderLabs
• MSc Candidate
• Computer Engineer
• Offensive Security
• Talks: Silver Bullet, THOTCON, SOURCE Boston, Black Hat DC, SOURCE Barcelona, DEF CON, Hack In The Box Malaysia, Toorcon, YSTS and H2HC.

Hosted by OWASP & the NYC Chapter
INTRO
• Smartphones
– A LOT OF information
– iPhone is VERY popular

• Mobile Applications
– (MOST) Poorly designed

• Old-fashioned vulnerabilities
What are those apps?

• Designed to provide a storage system for iOS devices.
• Data can be transferred using Bluetooth, iTunes and FTP.
• Easiest way: the HTTP protocol (the app runs a small web file server on the device).
• They are very popular.
Examples
Features

• Manage/store files
• Create albums, etc.
• Share data
VULNERABILITIES
• No encryption (SSL)
• No authentication (by default)
• (Reflected) XSS
• (Persistent) XSS
http://www.vulnerability-lab.com/get_content.php?id=932
• Vulnerability-Lab Advisories:
http://www.vulnerability-lab.com/show.php?cat=mobile
Disclaimer

• Trustwave (me) did this research in March/13 and we are only now disclosing these advisories.
• Path Traversal
• WiFi HD Free Path Traversal (CVE-2013-3923)
• FTPDrive Path Traversal (CVE-2013-3922)
• Easy File Manager Path Traversal (CVE-2013-3921)
You probably want to test the app that you use.
• Path Traversal (DEMO)
• Easy File Manager
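The three path traversal advisories above share one root cause: the HTTP file server takes the URL path from the request and maps it onto its document folder without checking that the result stays inside that folder. The following is an added example (not code from the talk or from any of the apps named here) showing the broken resolution pattern next to a hardened one, plus an on-disk symlink check and an HTML-escaped directory listing for the persistent XSS case; `DOC_ROOT` and the temporary directory are constructed for the demonstration, and the language is Python only because the check is language-independent.

```python
import html
import os
import posixpath
import tempfile
from urllib.parse import quote, unquote

# Constructed document root for the example; a real app would use its own
# sandboxed Documents directory.
DOC_ROOT = "/var/app/Documents"


def naive_resolve(doc_root, url_path):
    """The broken pattern behind the traversal advisories: the decoded URL path
    is joined straight onto the document root, so '../' segments walk out of
    the sandbox (normalising the result lands outside doc_root)."""
    return os.path.join(doc_root, unquote(url_path).lstrip("/"))


def safe_resolve(doc_root, url_path):
    """Map url_path onto doc_root, or return None if it tries to climb above it.

    The path is decoded twice (catches %252e%252e), NUL bytes are refused,
    backslashes count as separators, and '..' is handled by walking the
    segments with a stack: popping an empty stack means the request left the
    root, which is rejected outright instead of being silently clamped."""
    decoded = unquote(unquote(url_path))
    if "\x00" in decoded:
        return None
    parts = []
    for segment in decoded.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                return None
            parts.pop()
        else:
            parts.append(segment)
    return posixpath.join(doc_root, *parts)


def resolves_inside(root, candidate):
    """Second check, applied on disk: follow symlinks and verify the real path
    is still beneath the real root. A symlink inside the Documents folder that
    points outside it passes the lexical check above but fails this one."""
    real_root = os.path.realpath(root)
    real_candidate = os.path.realpath(candidate)
    return os.path.commonpath([real_root, real_candidate]) == real_root


def listing_html(names):
    """Directory listing with names escaped for both the href and the text, so
    a stored file named '<script>...</script>.txt' renders as text instead of
    running in the browser of whoever opens the listing (persistent XSS)."""
    rows = "".join(
        '<li><a href="{}">{}</a></li>'.format(
            html.escape(quote(name), quote=True), html.escape(name))
        for name in names
    )
    return "<ul>" + rows + "</ul>"


def symlink_escape_detected():
    """Constructed on-disk scenario: a regular file is accepted, a symlink that
    escapes the root is rejected. Returns True when both hold."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "Documents")
        os.mkdir(root)
        open(os.path.join(root, "ok.txt"), "w").close()
        os.symlink(tmp, os.path.join(root, "up"))  # points one level above root
        return (resolves_inside(root, os.path.join(root, "ok.txt"))
                and not resolves_inside(root, os.path.join(root, "up", "secret")))
```

Both checks are needed: `safe_resolve` decides on the request string alone, while `resolves_inside` catches links and mounts that only exist on the device's filesystem.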
• Unauthorized Access to File System (CVE-2013-3960)
• Getting worse with a jailbroken device.
• Remote Command Execution: Unauthorized Access to File System (CVE-2013-3960) – Jailbroken Device
• iOS 7 Security Improvement
How to find vulnerable systems
• mDNS queries
Watch for iOS
Conclusions
• Mobile apps (already) are the future.
• Mobile app designers still don’t care much about security.
• There are too many apps; we have to take care.
• Old-fashioned vulnerabilities still rock.

Editor's notes

  1. Well, vulnerabilities to compromise data shared/stored.
  2. Explain.
  3. Take a look at the date.
  4. Old vulnerabilities, iOS 7, etc.
  5. After the password is changed, the hashes are stored in /etc/master.passwd and the mobile user no longer has access to them.
  6. It works using a public IP as well.
  7. The path traversal also won’t work on iOS 7.