Unusual security vulnerabilities
Yuriy Bilyk
Agenda
RegExp
Cryptography
RegExp? It’s simple!
e-mail validation RegExp
Not sure if Chinese or Egyptian
Problems
RegExp DoS attacks
Issues in RegExp engine
RegExp DoS attacks
RegExp: ^(([a-z])+.)+[A-Z]([a-z])+$
Input data: aaaaaaaaaaaaaaaa…aa
CHARS  TIME
20     0.003
30     0.339
40     41
45     466

Where is the problem?
RegExp: ^(a+)+$
[Figure: state graph of ^(a+)+$, states 1 to 5 joined by "a" transitions]
For the input aaaaX there are 16 possible paths in the above graph.
But for aaaaaaaaaaaaaaaaX there are 65536 possible paths.
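An added example (not from the deck) that puts the slide's ^(a+)+$ next to a nested-quantifier-free rewrite and runs both under a match budget, which is the practical mitigation when a pattern cannot be proven safe; the helper names and the near-miss input are constructed here.

```ruby
require 'timeout'

# Nested quantifier from the slide: on "aaa...aX" the engine retries every way
# of splitting the a's between the inner and outer '+', so work grows as 2^n.
EVIL_RE = /^(a+)+$/
# Same language, no nested quantifier: one pass, linear in the input length.
SAFE_RE = /\Aa+\z/

# Regexp::TimeoutError only exists on Ruby >= 3.2; older rubies get Timeout::Error.
MATCH_TIMEOUT = defined?(Regexp::TimeoutError) ? Regexp::TimeoutError : Timeout::Error

# Match under a wall-clock budget (seconds). Returns true/false, or :timed_out
# when the budget is exhausted, so a hostile input costs one request rather
# than pinning a worker. Prefers the engine's own Regexp timeout (Ruby >= 3.2)
# and falls back to Timeout, which Ruby's matcher honours between backtracks.
def guarded_match(re, input, budget = 0.5)
  if Regexp.respond_to?(:timeout=)
    Regexp.new(re.source, re.options, timeout: budget).match?(input)
  else
    Timeout.timeout(budget) { re.match?(input) }
  end
rescue MATCH_TIMEOUT, Timeout::Error
  :timed_out
end

# Sizes the ReDoS exposure of a pattern: result and time to reject n a's + "X".
def reject_time(re, n)
  input = ('a' * n) + 'X'            # constructed near-miss input, as on the slide
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  result = guarded_match(re, input)
  [result, Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0]
end

if __FILE__ == $PROGRAM_NAME
  [10, 14, 18].each do |n|
    bad,  t_bad  = reject_time(EVIL_RE, n)
    good, t_good = reject_time(SAFE_RE, n)
    printf("n=%2d  ^(a+)+$ -> %-9s %.3fs | \\Aa+\\z -> %-5s %.6fs\n",
           n, bad, t_bad, good, t_good)
  end
end
```

On Ruby 3.2 and later the engine memoizes backtracking, so the evil pattern may also finish quickly; the budget still matters for patterns and inputs that optimisation does not cover.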
Broken engine
RegExp Engine Issues Example
• OpenID-like auth, but we trust only the local host
• EXT HOST sends AUTHENTICATED if OK
• We can set the EXT HOST URL
• RegExp to check the response:
/[^\w]AUTHENTICATED[^\w]*$/
OpenID example
[Diagram: LOCAL HOST and EXTERNAL HOST]
1. TO EXTERNAL HOST -> login:pass
2. AUTHENTICATED
Movie time
Double Request
http://192.168.22.129/?pingback= -> http://192.168.22.129/?pingback=http://192.168.130
1. TO EXTERNAL HOST -> login:pass
2. !AUTHENTICATED!\n
3. TO LOCAL HOST -> login:pass
RegExp attack (Step 1)
http://192.168.130 responded with:
!AUTHENTICATED!\n
RegExp body =~ /[^\w]AUTHENTICATED[^\w]*$/ PASSED
[Diagram: step 2 of the double request, http://192.168.22.129/?pingback= -> http://192.168.22.129/?pingback=http://192.168.130, the external host answering !AUTHENTICATED!\n]
RegExp attack (Step 2)
http://192.168.22.129/?pingback=http://192.168.130 responded with:
blablabla !AUTHENTICATED!\n … blabla\n
!AUTHENTICATED!\n
RegExp body =~ /[^\w]AUTHENTICATED[^\w]*$/ PASSED AGAIN
[Diagram: step 3 of the double request, http://192.168.22.129/?pingback= -> http://192.168.22.129/?pingback=http://192.168.130, then TO LOCAL HOST -> login:pass]
RegExp attack (Final Step)
[Problem is]:
body =~ /[^\w]AUTHENTICATED[^\w]*$/
• A normal RegExp engine stops after the first line ($ = EOL):
blablabla !AUTHENTICATED!\n … blabla
• The Ruby interpreter treats $ as just an EOL character, but keeps scanning the following lines of the “file”:
http://192.168.22.129/?pingback=http://192.168.130 responded with:
blablabla !AUTHENTICATED!\n … blabla\n
!AUTHENTICATED!\n
How to mitigate
• ReDoS Static Analysis – RXXR
– http://www.cs.bham.ac.uk/~hxt/research/rxxr.shtml
• Engine issues – know the features of your platform/language
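An added example (not from the deck) that reproduces the check from the slides in Ruby, where $ is a line anchor, against a whole-string anchored form; the sample bodies are constructed to match the shapes the slides describe, not captured traffic.

```ruby
# The check from the slide. In Ruby, $ (and ^) are always line anchors, so a
# body with several lines passes if ANY line ends with the token.
SLIDE_CHECK  = /[^\w]AUTHENTICATED[^\w]*$/
# Hardened form: \A and \z anchor the whole string, so the body must consist of
# the token alone (trailing punctuation/newline allowed by [^\w]*, nothing else).
# Note \Z (capital) would still tolerate one trailing newline; \z does not.
STRICT_CHECK = /\A[^\w]AUTHENTICATED[^\w]*\z/

# Constructed sample bodies (not captured traffic).
GENUINE    = "!AUTHENTICATED!\n"
# What an attacker-chosen external host can return: arbitrary page content
# with the token parked on one of its lines, as in the slide's step 2.
SMUGGLED   = "blablabla !AUTHENTICATED!\n ... blabla\n!AUTHENTICATED!\n"
# Token on the first line, junk after it: line anchors pass this one as well.
FIRST_LINE = "!AUTHENTICATED!\nnot the token\n"

def slide_accepts?(body)
  !!(body =~ SLIDE_CHECK)
end

def strict_accepts?(body)
  !!(body =~ STRICT_CHECK)
end

# Side-by-side verdict for one body, handy when reviewing an existing check.
def verdict(body)
  { slide: slide_accepts?(body), strict: strict_accepts?(body) }
end

if __FILE__ == $PROGRAM_NAME
  { genuine: GENUINE, smuggled: SMUGGLED, first_line: FIRST_LINE }.each do |name, body|
    puts "#{name}: #{verdict(body)}"
  end
end
```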
Cryptography
In God we trust, the rest we test
Cryptography is cool
Bitcoin – distributed cryptocurrency
Kryptos – encrypted sculpture, one of the most famous unsolved codes in the world
Crypto is widely used – wireless (WiFi, GSM, RFID etc.), banking, games (X-Box, PS3 etc.), e-mail anti-spam (DKIM)
I changed all my passwords to "incorrect", so whenever I forget, it will tell me "Your password is incorrect."
Some ideas need an audit
Wrong usage is bad
Using hash algorithms as crypto, and weak or custom implementations of crypto algorithms
Neutralizing all the advantages of crypto for the sake of user comfort
The belief that crypto will secure you by itself
A low level of understanding of why you need crypto
SHA Length Extension Example
• A user can send points to another user
• All URL options/values are signed by a secret key
• All transactions are visible to all
SHA: Message sign (MAC)
http://...?to_user=guest&points=200|sign:675fsdg87gs3vh
[Figure: KEY + MSG split into Block 1, Block 2 … Block N, fed block by block into HASH]
SHA Padding: Theory (Hash BOX)
[Figure: KEY | MESSAGE | just 1 bit | NULL bytes padding | MESSAGE+KEY length]
SHA: Length extension attack
http://...?to_user=guest&points=200&<PADDING>to_user=hacker|sign:f97h23n483a2ce
[Figure: KEY + MSG + PADDING + DATA split into Block 1, Block 2 … Block N, fed block by block into HASH]
SHA Padding: Theory (Attack)
[Figure: BOX 1 = KEY | Original MSG | NULL bytes padding | MESSAGE length; BOX 2 = Extended part]
Where is the problem?
HASH(KEY+MSG) is BAD – extension attack is possible
HASH(MSG+KEY) is GOOD – extension attack is impossible
Order is important
How to mitigate
• Use HMAC for signing
• Use SHA-256 etc.
• Don’t create your own crypto (unless you are a genius in mathematics, but even then, don’t do it!)
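An added example (not from the deck) that checks the two signing schemes discussed above on the slide's URL-parameter message: HASH(KEY+MSG) accepts a message extended without the key, while the HMAC the deck recommends does not. SHA-1 is taken as the concrete "SHA" and is reimplemented only so the compression loop can resume from a published tag; the secret, the attacker's knowledge of its length (the MESSAGE+KEY length from the padding slide) and all names are constructed here.

```ruby
require 'digest'
require 'openssl'

# Compact SHA-1 whose compression loop can be started from a chosen chaining
# state. Only needed to reproduce the extension; use Digest/OpenSSL otherwise.
ROTL = ->(x, n) { ((x << n) | (x >> (32 - n))) & 0xffffffff }
SHA1_IV = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0].freeze

# The padding SHA-1 appends to byte_len bytes: one 1-bit (0x80), NULL bytes
# up to 56 mod 64, then the 64-bit big-endian bit length.
def sha1_pad(byte_len)
  "\x80".b + ("\x00".b * ((55 - byte_len) % 64)) + [byte_len * 8].pack('Q>')
end

# Runs the compression function over whole 64-byte blocks, starting from state.
def sha1_blocks(data, state)
  h = state.dup
  (0...data.bytesize).step(64) do |off|
    w = data.byteslice(off, 64).unpack('N16')
    (16..79).each { |i| w << ROTL.call(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1) }
    a, b, c, d, e = h
    80.times do |i|
      f, k = case i
             when 0..19  then [(b & c) | (~b & d), 0x5A827999]
             when 20..39 then [b ^ c ^ d, 0x6ED9EBA1]
             when 40..59 then [(b & c) | (b & d) | (c & d), 0x8F1BBCDC]
             else             [b ^ c ^ d, 0xCA62C1D6]
             end
      t = (ROTL.call(a, 5) + f + e + k + w[i]) & 0xffffffff
      e, d, c, b, a = d, c, ROTL.call(b, 30), a, t
    end
    h = h.zip([a, b, c, d, e]).map { |x, y| (x + y) & 0xffffffff }
  end
  h
end

def sha1_hex(data)
  sha1_blocks(data.b + sha1_pad(data.bytesize), SHA1_IV).pack('N5').unpack1('H*')
end

# The published tag IS the chaining state after the last block, so with only
# the tag and the length of key||msg, hashing resumes over glue||suffix.
# Returns the glue (the original padding, which must sit inside the extended
# message) and the tag of key||msg||glue||suffix.
def sha1_extend(tag_hex, known_len, suffix)
  glue  = sha1_pad(known_len)
  state = [tag_hex].pack('H*').unpack('N5')
  total = known_len + glue.bytesize + suffix.bytesize
  [glue, sha1_blocks(suffix.b + sha1_pad(total), state).pack('N5').unpack1('H*')]
end

SECRET = 'k3y-of-16-bytes!'.freeze   # constructed sample secret (16 bytes)

def bad_sign(msg)                     # HASH(KEY+MSG): the slide's BAD form
  Digest::SHA1.hexdigest(SECRET + msg)
end

def hmac_sign(msg)                    # HMAC-SHA1: the fix the slide recommends
  OpenSSL::HMAC.hexdigest('SHA1', SECRET, msg)
end

def constant_time_eq(a, b)            # tag comparison without early exit
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Does each scheme accept a message extended without knowledge of SECRET?
def extension_demo(msg = 'to_user=guest&points=200', suffix = '&to_user=hacker')
  tag = bad_sign(msg)                                     # what the service publishes
  glue, forged_tag = sha1_extend(tag, SECRET.bytesize + msg.bytesize, suffix)
  extended = msg + glue + suffix                          # ...points=200<PADDING>&to_user=hacker
  { bad_accepts:  constant_time_eq(bad_sign(extended), forged_tag),
    hmac_accepts: constant_time_eq(hmac_sign(extended), forged_tag) }
end
```

The same resumption works for SHA-256 and the other Merkle–Damgård hashes, which is why the fix is HMAC rather than a different hash in the HASH(KEY+MSG) position.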
Kryptography is a kind of art
Review
• RegExp is a powerful tool:
– Even for DoS
– Some engines do not work as expected
• Cryptography isn’t safe by itself:
– Use industry standards
– Understand how crypto works
– Make sure that your implementation/improvement isn’t broken
Questions?

Security Hole #11 - Unusual security vulnerabilities - Yuriy Bilyk

Speaker notes

  1. Web security as an example of the easiest to attack
  2. Add ZOOM
  3. Own experiment
  4. Explanation
  5. Engine issues
  6. How a hash works (the whole hash is calculated from each block step by step)
  7. Padding detail
  8. The hacker uses the padding to calculate the new hash
  9. Padding + Extension
  10. Problem in the key's place in the hash calculation
  11. Where it is located