SlideShare une entreprise Scribd logo

proxy2: HTTPS pins and needles

I
inaz2

2015/05/09 すみだセキュリティ勉強会 2015#1

Technologie
1  sur  37
Télécharger pour lire hors ligne
PROXY2: HTTPS PINS AND NEEDLES 2015/05/09 すみだセキュリティ勉強会 2015#1 @INAZ2
ABOUT ME • @inaz2 • Security engineer & Python programmer • Girl idol freak • Blog: ももいろテクノロジー • http://inaz2.hatenablog.com/ 2
HTTPS EVERYWHERE [GOOGLE I/O 2014] • http://lanyrd.com/2014/io14/sdcgyb/ 3
HTTPS = HTTP OVER SSL/TLS [RFC 2818] • http://lanyrd.com/2014/io14/sdcgyb/ 4
SSL/TLS AUTHENTICATION • Certificate Authority (CA) issues the signed certificate for subject’s public key • Clients trust some root CAs beforehand • Clients verify the chain of certificates until it reaches the trusted root CA 5 Client Server CA Root CA Verify each signature by issuer’s public key Private key Public key signature = ENCRYPT(HASH(certificate content), privkey) sign
SSL/TLS ENCRYPTION • A client generate a session key (e.g. AES key) • The client and the server share the session key • By the key exchange algorithm (e.g. RSA or ECDHE) • After all, the payload is encrypted by the session key 6 Client Server Payload Session key (shared by each other)
WE CANNOT SEE HTTPS PAYLOADS AS IS • In Wireshark 1.12.4 7
DECRYPTING HTTPS PAYLOADS IN WIRESHARK • Register the destination server’s private key • Need to own the server • If I have Google’s private key, I will be in the jail • Only works when RSA key exchange is used • Ineffective against ECDHE key exchange (because of forward secrecy) 8
SSLKEYLOGFILE ENVIRONMENT VARIABLE • Make the browsers write session keys in a file • Configure Wireshark to use the file for decrypting • Don’t have to own the server & works with any key exchange algorithms 9
ANOTHER WAY… HTTPS PROXY • Intercept HTTPS connection by Man-in-the-Middle • The proxy terminates HTTPS connection and reconnects to the opposite • The proxy can decrypt the payload by its private key 10 Client Proxy w/ CA Internet sites HTTPS HTTPS I’ll trust the proxy! Decrypt all traffic! Hello, proxy.
FIDDLER, BURP PROXY, OWASP ZAP ETC. • Useful proxies for web vulnerability testing • All supports HTTPS • Programmable to some extent • But GUI • Basically they require user interactions 11
THERE’S A NEED FOR THE TOOL WITHOUT CLICKING 12
PROXY2
SONG 2 BY BLUR • https://www.youtube.com/watch?v=SSbBvKaM6sk • “I got my head checked By a jumbo jet It wasn't easy But nothing is No” 14
PROXY2 • https://github.com/inaz2/proxy2 • HTTP/HTTPS proxy in a single python script • A successor of SimpleHTTPProxy [sumidasec 2013/12] • Built on top of Python standard libraries (BaseHTTPServer, httplib, ssl etc.) • HTTPS features depend on OPENSSL(1) • Fully programmable by implementing handler functions in Python • Trace HTTPS payloads • Modify HTTPS payloads • Save HTTPS payloads or stats to the storage 15
NEED TO TRUST IT AS A PRIVATE CA • Execute “setup_https_intercept.sh” and run proxy2 • Configure the browser’s proxy setting • Then access to http://proxy2.test/ 16
TRACE HTTPS PAYLOADS • Implemented and enabled by default • Print headers and POST data with color • Pretty-output query parameters, Cookies and JSON data • Show the title of a HTML document • Decode the credential of basic auth 17
SERVER, X-POWERED-BY, VIA • http://hhvm.com/blog/7205/wikipedia-on-hhvm 18
SERVER, X-POWERED-BY, VIA • http://hhvm.com/blog/7205/wikipedia-on-hhvm 19 Nginx/1.6.2 with HHVM/3.3.1 3 reverse proxies (Varnish Cache) ?
20
X-REQUEST-ID, X-RUNTIME, X-SERVED-BY 21
X-REQUEST-ID, X-RUNTIME, X-SERVED-BY 22 The request 1f03c5 was responded by the server e68303 and it took 6.5 milliseconds
PRIVATE API ENDPOINT • Content-Type seems wrong 23
GMAIL LOGIN 24
GMAIL LOGIN 25
YOUTUBE’S SPF (STRUCTURED PAGE FRAGMENTS) • https://youtube.github.io/spfjs/ 26
YOUTUBE’S SPF (STRUCTURED PAGE FRAGMENTS) • https://youtube.github.io/spfjs/ 27
MODIFY HTTPS PAYLOADS • Change the User-Agent 28
29
30
SWAP A HTTPS CONTENT • Rewrite a request path 31
32
THIS WEBSITE IS SECURED BY SSL? • Yes, if you never trust any private CAs or compromised CAs • Why was Superfish a big topic? • A private CA was preinstalled in many Lenovo laptops • All HTTPS payloads were decrypted without notice • The same private key was embedded and its passphrase was weak • Cracked in a moment • As a result, anyone could be the CA and issue the certificate for any domains • Malwares may install a private CA silently • Certificate pinning doesn’t block it because it’s a PRIVATE CA • http://inaz2.hatenablog.com/entry/2015/02/25/024431 33
END-TO-END ENCRYPTION • Web Cryptography API • Run crypto algorithms on web browsers • http://www.w3.org/TR/2014/CR-WebCryptoAPI-20141211/ • Intel AES-NI and Intel Secure Key (RDRAND) • CPU instructions for AES calculation and random number generation • https://software.intel.com/en-us/articles/intel-advanced-encryption-standard- instructions-aes-ni/ • https://software.intel.com/en-us/articles/intel-digital-random-number-generator- drng-software-implementation-guide 34
RECAP • Trusted HTTPS proxy can trace/modify all HTTPS payloads • Useful for both web developers and security engineers • Happy hacking  35
REFERENCES • The HTTPS-Only Standard • https://https.cio.gov/ • ImperialViolet - Decrypting SSL packet dumps • https://www.imperialviolet.org/2012/06/25/wireshark.html • Proxy War [OWASP DAY 2014/11] • http://www.slideshare.net/zaki4649/proxy-war-42161988 • 自堕落な技術者の日記 : W3C Web Cryptography APIとの果てしなき戦い(第1 回) - livedoor Blog(ブログ) • http://blog.livedoor.jp/k_urushima/archives/1758899.html 36
THANK YOU! @INAZ2 Credits Clip arts: http://www.clker.com/ English Reviewing: @domiryuu

Recommandé

Protecting Passwords
Protecting PasswordsProtecting Passwords
Protecting Passwordsinaz2
 
Sullivan red october-oscon-2014
Sullivan red october-oscon-2014Sullivan red october-oscon-2014
Sullivan red october-oscon-2014Cloudflare
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014Cloudflare
 
Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко...
Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко...Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко...
Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко...Ontico
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCanSecWest
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud HackNotSoSecure Global Services
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokensOWASP
 

Recommandé

Protecting Passwords
Protecting PasswordsProtecting Passwords
Protecting Passwordsinaz2
 
Sullivan red october-oscon-2014
Sullivan red october-oscon-2014Sullivan red october-oscon-2014
Sullivan red october-oscon-2014Cloudflare
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014Cloudflare
 
Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко...
Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко...Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко...
Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко...Ontico
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCanSecWest
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud HackNotSoSecure Global Services
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokensOWASP
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 networkidsecconf
 
Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013Cloudflare
 
Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Nick Sullivan
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackersChris Gates
 
Laverna vs etherpad
Laverna vs etherpadLaverna vs etherpad
Laverna vs etherpadantitree
 
Sullivan handshake proxying-ieee-sp_2014
Sullivan handshake proxying-ieee-sp_2014Sullivan handshake proxying-ieee-sp_2014
Sullivan handshake proxying-ieee-sp_2014Cloudflare
 
BSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesBSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesSimon Bennetts
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterMike Felch
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellBeau Bullock
 
2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and FuzzingSimon Bennetts
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for PentestingMike Felch
 
Improve App Performance & Reliability with NGINX Amplify
Improve App Performance & Reliability with NGINX AmplifyImprove App Performance & Reliability with NGINX Amplify
Improve App Performance & Reliability with NGINX AmplifyNGINX, Inc.
 
JWT: jku x5u
JWT: jku x5uJWT: jku x5u
JWT: jku x5usnyff
 
MRA AMA Part 10: Kubernetes and the Microservices Reference Architecture
MRA AMA Part 10: Kubernetes and the Microservices Reference ArchitectureMRA AMA Part 10: Kubernetes and the Microservices Reference Architecture
MRA AMA Part 10: Kubernetes and the Microservices Reference ArchitectureNGINX, Inc.
 
Maximizing PHP Performance with NGINX
Maximizing PHP Performance with NGINXMaximizing PHP Performance with NGINX
Maximizing PHP Performance with NGINXNGINX, Inc.
 
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in LinuxSelf Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linuxinaz2
 
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)inaz2
 
HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装inaz2
 
WinDbg Primer
WinDbg PrimerWinDbg Primer
WinDbg Primerinaz2
 

Contenu connexe

Tendances

y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 networkidsecconf
 
Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013Cloudflare
 
Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Nick Sullivan
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackersChris Gates
 
Laverna vs etherpad
Laverna vs etherpadLaverna vs etherpad
Laverna vs etherpadantitree
 
Sullivan handshake proxying-ieee-sp_2014
Sullivan handshake proxying-ieee-sp_2014Sullivan handshake proxying-ieee-sp_2014
Sullivan handshake proxying-ieee-sp_2014Cloudflare
 
BSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesBSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesSimon Bennetts
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterMike Felch
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellBeau Bullock
 
2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and FuzzingSimon Bennetts
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for PentestingMike Felch
 
Improve App Performance & Reliability with NGINX Amplify
Improve App Performance & Reliability with NGINX AmplifyImprove App Performance & Reliability with NGINX Amplify
Improve App Performance & Reliability with NGINX AmplifyNGINX, Inc.
 
JWT: jku x5u
JWT: jku x5uJWT: jku x5u
JWT: jku x5usnyff
 
MRA AMA Part 10: Kubernetes and the Microservices Reference Architecture
MRA AMA Part 10: Kubernetes and the Microservices Reference ArchitectureMRA AMA Part 10: Kubernetes and the Microservices Reference Architecture
MRA AMA Part 10: Kubernetes and the Microservices Reference ArchitectureNGINX, Inc.
 
Maximizing PHP Performance with NGINX
Maximizing PHP Performance with NGINXMaximizing PHP Performance with NGINX
Maximizing PHP Performance with NGINXNGINX, Inc.
 

Tendances (18)

y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 network
 
Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013
 
Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackers
 
Laverna vs etherpad
Laverna vs etherpadLaverna vs etherpad
Laverna vs etherpad
 
Sullivan handshake proxying-ieee-sp_2014
Sullivan handshake proxying-ieee-sp_2014Sullivan handshake proxying-ieee-sp_2014
Sullivan handshake proxying-ieee-sp_2014
 
BSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesBSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced Features
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite Perimeter
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
 
2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing2014 ZAP Workshop 2: Contexts and Fuzzing
2014 ZAP Workshop 2: Contexts and Fuzzing
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
 
Improve App Performance & Reliability with NGINX Amplify
Improve App Performance & Reliability with NGINX AmplifyImprove App Performance & Reliability with NGINX Amplify
Improve App Performance & Reliability with NGINX Amplify
 
JWT: jku x5u
JWT: jku x5uJWT: jku x5u
JWT: jku x5u
 
MRA AMA Part 10: Kubernetes and the Microservices Reference Architecture
MRA AMA Part 10: Kubernetes and the Microservices Reference ArchitectureMRA AMA Part 10: Kubernetes and the Microservices Reference Architecture
MRA AMA Part 10: Kubernetes and the Microservices Reference Architecture
 
Maximizing PHP Performance with NGINX
Maximizing PHP Performance with NGINXMaximizing PHP Performance with NGINX
Maximizing PHP Performance with NGINX
 

En vedette

Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in LinuxSelf Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linuxinaz2
 
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)inaz2
 
HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装inaz2
 
WinDbg Primer
WinDbg PrimerWinDbg Primer
WinDbg Primerinaz2
 
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)inaz2
 
Why is Security Management So Hard?
Why is Security Management So Hard?Why is Security Management So Hard?
Why is Security Management So Hard?inaz2
 
楽しいバグハントの世界
楽しいバグハントの世界楽しいバグハントの世界
楽しいバグハントの世界llamakko_cafe
 
Find Blue Oceans - Through the Competitive World of Bug Bounty
Find Blue Oceans - Through the Competitive World of Bug BountyFind Blue Oceans - Through the Competitive World of Bug Bounty
Find Blue Oceans - Through the Competitive World of Bug BountyMuneaki Nishimura
 
Making a Proxy for Fun and Profit
Making a Proxy for Fun and ProfitMaking a Proxy for Fun and Profit
Making a Proxy for Fun and Profitinaz2
 
バグハントの話2016up
バグハントの話2016upバグハントの話2016up
バグハントの話2016upYuji Kazan
 
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~Sniffing BitTorrent DHT ~人はBTで何を落とすのか~
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~inaz2
 
How to apt-get from the internal network: remote sshd with kneesocks
How to apt-get from the internal network: remote sshd with kneesocksHow to apt-get from the internal network: remote sshd with kneesocks
How to apt-get from the internal network: remote sshd with kneesocksinaz2
 
バイオメトリクス認証Hacks(AVtokyo2008 After Party: KA – E – DA - MA(Biometrics Authenti...
バイオメトリクス認証Hacks(AVtokyo2008 After Party: KA – E – DA - MA(Biometrics Authenti...バイオメトリクス認証Hacks(AVtokyo2008 After Party: KA – E – DA - MA(Biometrics Authenti...
バイオメトリクス認証Hacks(AVtokyo2008 After Party: KA – E – DA - MA(Biometrics Authenti...Tomohiro Hanada
 
ES6時代におけるWeb開発者とセキュリティ業界の乖離
ES6時代におけるWeb開発者とセキュリティ業界の乖離ES6時代におけるWeb開発者とセキュリティ業界の乖離
ES6時代におけるWeb開発者とセキュリティ業界の乖離Yosuke HASEGAWA
 
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)inaz2
 
SecurityCamp2015「バグハンティング入門」
SecurityCamp2015「バグハンティング入門」SecurityCamp2015「バグハンティング入門」
SecurityCamp2015「バグハンティング入門」Masato Kinugawa
 
バグハンターの哀しみ
バグハンターの哀しみバグハンターの哀しみ
バグハンターの哀しみMasato Kinugawa
 
스프링 프레임워크로 블로그 개발하기
스프링 프레임워크로 블로그 개발하기 스프링 프레임워크로 블로그 개발하기
스프링 프레임워크로 블로그 개발하기 라한사 아
 

En vedette (20)

Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in LinuxSelf Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
 
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
Abusing Interrupts for Reliable Windows Kernel Exploitation (ja)
 
HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装
 
WinDbg Primer
WinDbg PrimerWinDbg Primer
WinDbg Primer
 
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)
 
Why is Security Management So Hard?
Why is Security Management So Hard?Why is Security Management So Hard?
Why is Security Management So Hard?
 
Firefoxの倒し方
Firefoxの倒し方Firefoxの倒し方
Firefoxの倒し方
 
楽しいバグハントの世界
楽しいバグハントの世界楽しいバグハントの世界
楽しいバグハントの世界
 
Find Blue Oceans - Through the Competitive World of Bug Bounty
Find Blue Oceans - Through the Competitive World of Bug BountyFind Blue Oceans - Through the Competitive World of Bug Bounty
Find Blue Oceans - Through the Competitive World of Bug Bounty
 
Making a Proxy for Fun and Profit
Making a Proxy for Fun and ProfitMaking a Proxy for Fun and Profit
Making a Proxy for Fun and Profit
 
バグハントの話2016up
バグハントの話2016upバグハントの話2016up
バグハントの話2016up
 
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~Sniffing BitTorrent DHT ~人はBTで何を落とすのか~
Sniffing BitTorrent DHT ~人はBTで何を落とすのか~
 
How to apt-get from the internal network: remote sshd with kneesocks
How to apt-get from the internal network: remote sshd with kneesocksHow to apt-get from the internal network: remote sshd with kneesocks
How to apt-get from the internal network: remote sshd with kneesocks
 
バイオメトリクス認証Hacks(AVtokyo2008 After Party: KA – E – DA - MA(Biometrics Authenti...
バイオメトリクス認証Hacks(AVtokyo2008 After Party: KA – E – DA - MA(Biometrics Authenti...バイオメトリクス認証Hacks(AVtokyo2008 After Party: KA – E – DA - MA(Biometrics Authenti...
バイオメトリクス認証Hacks(AVtokyo2008 After Party: KA – E – DA - MA(Biometrics Authenti...
 
ES6時代におけるWeb開発者とセキュリティ業界の乖離
ES6時代におけるWeb開発者とセキュリティ業界の乖離ES6時代におけるWeb開発者とセキュリティ業界の乖離
ES6時代におけるWeb開発者とセキュリティ業界の乖離
 
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)
ROP Illmatic: Exploring Universal ROP on glibc x86-64 (ja)
 
いでよ、電卓!
いでよ、電卓!いでよ、電卓!
いでよ、電卓!
 
SecurityCamp2015「バグハンティング入門」
SecurityCamp2015「バグハンティング入門」SecurityCamp2015「バグハンティング入門」
SecurityCamp2015「バグハンティング入門」
 
バグハンターの哀しみ
バグハンターの哀しみバグハンターの哀しみ
バグハンターの哀しみ
 
스프링 프레임워크로 블로그 개발하기
스프링 프레임워크로 블로그 개발하기 스프링 프레임워크로 블로그 개발하기
스프링 프레임워크로 블로그 개발하기
 

Similaire à proxy2: HTTPS pins and needles

Maximizing Performance with SPDY and SSL
Maximizing Performance with SPDY and SSLMaximizing Performance with SPDY and SSL
Maximizing Performance with SPDY and SSLZoompf
 
HTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoHTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoGabriella Davis
 
How the SSL/TLS protocol works (very briefly) How to use HTTPS
How the SSL/TLS protocol works (very briefly) How to use HTTPSHow the SSL/TLS protocol works (very briefly) How to use HTTPS
How the SSL/TLS protocol works (very briefly) How to use HTTPSwhj76337
 
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)Guy Podjarny
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
The Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityThe Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityStormpath
 
Secure your web app presentation
Secure your web app presentationSecure your web app presentation
Secure your web app presentationFrans Lytzen
 
Maximizing SPDY and SSL Performance (June 2014)
Maximizing SPDY and SSL Performance (June 2014)Maximizing SPDY and SSL Performance (June 2014)
Maximizing SPDY and SSL Performance (June 2014)Zoompf
 
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)Balazs Bucsay
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsAnthony D Hendricks
 
Trick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsTrick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsBalazs Bucsay
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham
 
Applications and deployment patterns of o auth and open id connect
Applications and deployment patterns of o auth and open id connectApplications and deployment patterns of o auth and open id connect
Applications and deployment patterns of o auth and open id connectKavindu Dodanduwa
 
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)Balazs Bucsay
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect ProtocolMichael Furman
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
 
Nodejsvault austin2019
Nodejsvault austin2019Nodejsvault austin2019
Nodejsvault austin2019Taswar Bhatti
 
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸Amazon Web Services
 
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)Balazs Bucsay
 

Similaire à proxy2: HTTPS pins and needles (20)

Maximizing Performance with SPDY and SSL
Maximizing Performance with SPDY and SSLMaximizing Performance with SPDY and SSL
Maximizing Performance with SPDY and SSL
 
HTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoHTTP - The Other Face Of Domino
HTTP - The Other Face Of Domino
 
How the SSL/TLS protocol works (very briefly) How to use HTTPS
How the SSL/TLS protocol works (very briefly) How to use HTTPSHow the SSL/TLS protocol works (very briefly) How to use HTTPS
How the SSL/TLS protocol works (very briefly) How to use HTTPS
 
HTTP/2 in Examples
HTTP/2 in ExamplesHTTP/2 in Examples
HTTP/2 in Examples
 
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
The Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityThe Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API Security
 
Secure your web app presentation
Secure your web app presentationSecure your web app presentation
Secure your web app presentation
 
Maximizing SPDY and SSL Performance (June 2014)
Maximizing SPDY and SSL Performance (June 2014)Maximizing SPDY and SSL Performance (June 2014)
Maximizing SPDY and SSL Performance (June 2014)
 
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shells
 
Trick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsTrick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The Things
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
 
Applications and deployment patterns of o auth and open id connect
Applications and deployment patterns of o auth and open id connectApplications and deployment patterns of o auth and open id connect
Applications and deployment patterns of o auth and open id connect
 
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
 
Nodejsvault austin2019
Nodejsvault austin2019Nodejsvault austin2019
Nodejsvault austin2019
 
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
 
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
 

Dernier

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 

Dernier (20)

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 

proxy2: HTTPS pins and needles

  • 1. PROXY2: HTTPS PINS AND NEEDLES 2015/05/09 すみだセキュリティ勉強会 2015#1 @INAZ2
  • 2. ABOUT ME • @inaz2 • Security engineer & Python programmer • Girl idol freak • Blog: ももいろテクノロジー • http://inaz2.hatenablog.com/ 2
  • 3. HTTPS EVERYWHERE [GOOGLE I/O 2014] • http://lanyrd.com/2014/io14/sdcgyb/ 3
  • 4. HTTPS = HTTP OVER SSL/TLS [RFC 2818] • http://lanyrd.com/2014/io14/sdcgyb/ 4
  • 5. SSL/TLS AUTHENTICATION • Certificate Authority (CA) issues the signed certificate for subject’s public key • Clients trust some root CAs beforehand • Clients verify the chain of certificates until it reaches the trusted root CA 5 Client Server CA Root CA Verify each signature by issuer’s public key Private key Public key signature = ENCRYPT(HASH(certificate content), privkey) sign
  • 6. SSL/TLS ENCRYPTION • A client generate a session key (e.g. AES key) • The client and the server share the session key • By the key exchange algorithm (e.g. RSA or ECDHE) • After all, the payload is encrypted by the session key 6 Client Server Payload Session key (shared by each other)
  • 7. WE CANNOT SEE HTTPS PAYLOADS AS IS • In Wireshark 1.12.4 7
  • 8. DECRYPTING HTTPS PAYLOADS IN WIRESHARK • Register the destination server’s private key • Need to own the server • If I have Google’s private key, I will be in the jail • Only works when RSA key exchange is used • Ineffective against ECDHE key exchange (because of forward secrecy) 8
  • 9. SSLKEYLOGFILE ENVIRONMENT VARIABLE • Make the browsers write session keys in a file • Configure Wireshark to use the file for decrypting • Don’t have to own the server & works with any key exchange algorithms 9
  • 10. ANOTHER WAY… HTTPS PROXY • Intercept HTTPS connection by Man-in-the-Middle • The proxy terminates HTTPS connection and reconnects to the opposite • The proxy can decrypt the payload by its private key 10 Client Proxy w/ CA Internet sites HTTPS HTTPS I’ll trust the proxy! Decrypt all traffic! Hello, proxy.
  • 11. FIDDLER, BURP PROXY, OWASP ZAP ETC. • Useful proxies for web vulnerability testing • All supports HTTPS • Programmable to some extent • But GUI • Basically they require user interactions 11
  • 12. THERE’S A NEED FOR THE TOOL WITHOUT CLICKING 12
  • 14. SONG 2 BY BLUR • https://www.youtube.com/watch?v=SSbBvKaM6sk • “I got my head checked By a jumbo jet It wasn't easy But nothing is No” 14
  • 15. PROXY2 • https://github.com/inaz2/proxy2 • HTTP/HTTPS proxy in a single python script • A successor of SimpleHTTPProxy [sumidasec 2013/12] • Built on top of Python standard libraries (BaseHTTPServer, httplib, ssl etc.) • HTTPS features depend on OPENSSL(1) • Fully programmable by implementing handler functions in Python • Trace HTTPS payloads • Modify HTTPS payloads • Save HTTPS payloads or stats to the storage 15
  • 16. NEED TO TRUST IT AS A PRIVATE CA • Execute “setup_https_intercept.sh” and run proxy2 • Configure the browser’s proxy setting • Then access to http://proxy2.test/ 16
  • 17. TRACE HTTPS PAYLOADS • Implemented and enabled by default • Print headers and POST data with color • Pretty-output query parameters, Cookies and JSON data • Show the title of a HTML document • Decode the credential of basic auth 17
  • 18. SERVER, X-POWERED-BY, VIA • http://hhvm.com/blog/7205/wikipedia-on-hhvm 18
  • 19. SERVER, X-POWERED-BY, VIA • http://hhvm.com/blog/7205/wikipedia-on-hhvm 19 Nginx/1.6.2 with HHVM/3.3.1 3 reverse proxies (Varnish Cache) ?
  • 20. 20
  • 22. X-REQUEST-ID, X-RUNTIME, X-SERVED-BY 22 The request 1f03c5 was responded by the server e68303 and it took 6.5 milliseconds
  • 23. PRIVATE API ENDPOINT • Content-Type seems wrong 23
  • 26. YOUTUBE’S SPF (STRUCTURED PAGE FRAGMENTS) • https://youtube.github.io/spfjs/ 26
  • 27. YOUTUBE’S SPF (STRUCTURED PAGE FRAGMENTS) • https://youtube.github.io/spfjs/ 27
  • 28. MODIFY HTTPS PAYLOADS • Change the User-Agent 28
  • 29. 29
  • 30. 30
  • 31. SWAP A HTTPS CONTENT • Rewrite a request path 31
  • 32. 32
  • 33. THIS WEBSITE IS SECURED BY SSL? • Yes, if you never trust any private CAs or compromised CAs • Why was Superfish a big topic? • A private CA was preinstalled in many Lenovo laptops • All HTTPS payloads were decrypted without notice • The same private key was embedded and its passphrase was weak • Cracked in a moment • As a result, anyone could be the CA and issue the certificate for any domains • Malwares may install a private CA silently • Certificate pinning doesn’t block it because it’s a PRIVATE CA • http://inaz2.hatenablog.com/entry/2015/02/25/024431 33
  • 34. END-TO-END ENCRYPTION • Web Cryptography API • Run crypto algorithms on web browsers • http://www.w3.org/TR/2014/CR-WebCryptoAPI-20141211/ • Intel AES-NI and Intel Secure Key (RDRAND) • CPU instructions for AES calculation and random number generation • https://software.intel.com/en-us/articles/intel-advanced-encryption-standard- instructions-aes-ni/ • https://software.intel.com/en-us/articles/intel-digital-random-number-generator- drng-software-implementation-guide 34
  • 35. RECAP • Trusted HTTPS proxy can trace/modify all HTTPS payloads • Useful for both web developers and security engineers • Happy hacking  35
  • 36. REFERENCES • The HTTPS-Only Standard • https://https.cio.gov/ • ImperialViolet - Decrypting SSL packet dumps • https://www.imperialviolet.org/2012/06/25/wireshark.html • Proxy War [OWASP DAY 2014/11] • http://www.slideshare.net/zaki4649/proxy-war-42161988 • 自堕落な技術者の日記 : W3C Web Cryptography APIとの果てしなき戦い(第1 回) - livedoor Blog(ブログ) • http://blog.livedoor.jp/k_urushima/archives/1758899.html 36
  • 37. THANK YOU! @INAZ2 Credits Clip arts: http://www.clker.com/ English Reviewing: @domiryuu