SlideShare une entreprise Scribd logo

HTTP REQUEST HIJACKING: HOW MOBILE APPS ARE AT RISK

Комсс Файквэе
Комсс Файквэе

Hta t07-did-you-read-the-news-http-request-hijacking

Technologie
1  sur  39
Télécharger pour lire hors ligne
DID YOU READ THE NEWS? HTTP REQUEST HIJACKING Yair Amit (@yairam) CTO & co-founder, Skycure Adi Sharabani (@adish) CEO & co-founder, Skycure Session ID: HTA-­‐T07   Session Classification: © 2013 Skycure
About the Presenters ▶  Yair Amit ▶  Adi Sharabani ▶  CTO & co-founder of Skycure ▶  Web, network and mobile researcher ▶  Inventor of 15+ patents ▶  Former manager of the Application Security & Research group at IBM #RSAC ▶  CEO & co-founder of Skycure ▶  Watchfire's research group [Acquired by IBM] ▶  Lead the security of IBM software ▶  Teacher at Ohel Shem high-school #Skycure
Agenda ▶  Background ▶  The Skycure Journal ▶  HTTP Request Hijacking ▶  Demonstration ▶  Impact ▶  Extensions to the attack ▶  Malicious Profiles ▶  Captive Networks ▶  Remediation #RSAC #Skycure
Want to participate? ▶  Ever wanted to be an editor of a newspaper? ▶  Tweet with #skycure during this presentation #RSAC #Skycure
Man in the Middle Challenges Temporal   Cache  Poisoning   Persistent   Sta>c   JavaScript   Dynamic   HTTP   SSLStrip   HTTPS   Specific   User  Ac>on   Ac>ve  Man  in  the  Middle   No  Ac>on   Required   Browsers   #RSAC #Skycure
Man in the Middle Challenges Hybrid  Mobile  Apps   Impact  increases:   Control  is  not  just  over  the   browser,  but  could  “hop”   to  na>ve  capabili>es   Na>ve  Mobile  Apps?   Hybrid  apps  rely  on  a   “browser”  technology   Can  a  dynamic  aSack   happen  here?   Browsers   #RSAC #Skycure
HTTP REQUEST HIJACKING “We accept the reality of the world with which we are presented, it's as simple as that.” - Christof, The Truman show #RSAC
Native Mobile Apps Request  for  content,  command     &  control,  configura>on,  etc.   Response  with  the  data   #RSAC #Skycure
The Skycure Journal ▶  While very basic, The Skycure Journal operates in a similar way to most major news apps: ▶  Load A JSON formatted feed ▶  Parse it ▶  Display to the reader… Code available at: hSps://github.com/skycure/Skycure_news   #RSAC #Skycure
Into the Code / Objective-C - (void)fetchArticles   {   NSURL *serverUrl = ! [NSURL URLWithString:@"http://journal.skycure.com"];   ! NSMutableURLRequest *request =! [NSMutableURLRequest requestWithURL:serverUrl];   ! [request setValue:@"application/json” ! forHTTPHeaderField:@"Content-Type"];     self.connection = ! [[NSURLConnection alloc] initWithRequest:request delegate:self];   }     #RSAC #Skycure
HTTP Request Hijacking Let’s look at the actual network traffic... #RSAC #Skycure
HTTP Request Hijacking -  (void)fetchArticles   {   NSURL *serverUrl = ! @"http://journal.skycure.com"   [NSURL URLWithString:@"http://journal.skycure.com"];   ! NSMutableURLRequest *request =! [NSMutableURLRequest requestWithURL:serverUrl];   ! HTTP  Request   [request setValue:@"application/json” ! Hijacking   forHTTPHeaderField:@"Content-Type"];     self.connection = ! [[NSURLConnection alloc] initWithRequest:request delegate:self];   }     NSURL *serverUrl =! [NSURL URLWithString:@"http://attacker.site/skycureJournal"];   @"http://attacker.site/skycureJournal"   ! NSMutableURLRequest *request =! [NSMutableURLRequest requestWithURL:serverUrl];   #RSAC #Skycure
HTTP Request Hijacking Question: How is that done? Answer: Very simple! #RSAC #Skycure
RFC of 301 Moved Permanently “10.3.2 301 Moved Permanently The requested resource has been assigned a new permanent URI and any future references to this resource SHOULD use one of the returned URIs. Clients with link editing capabilities ought to automatically re-link references to the Request-URI to one or more of the new references returned by the server, where possible. This response is cacheable unless indicated otherwise.” Source:  RFC  2616  Fielding,  et  al #RSAC #Skycure
301 Moved Permanently ▶  “If you need to change the URL of a page as it is shown in search engine results, we recommend that you use a server-side 301 redirect.” (Google help page) ▶  Usage examples: ▶  Moving to a new domain ▶  Merging two websites ▶  Useful for the web, bad for mobile apps #RSAC #Skycure
HRH – Attack Flow A  while  later,   vic>m  opens  the  app   Vic8m  opens  the  app  in  an   untrusted  environment   App  logic  has   changed!   ASacker  returns  a  301   direc>ve  specifying  a   permanent  change  in  URI   App  con>nues  to  connect  to   the  malicious  server!   Malicious  server  can   return  actual  results   from  the  target  server   Vic>m  interacts  with  the   malicious  server   #RSAC #Skycure
HTTP Request Hijacking ▶  Requests can be hijacked! ▶  Seamlessly ▶  Permanently ▶  App logic practically changes ▶  Hidden ▶  Hard to remove #RSAC #Skycure
HRH - Demo This is where you get to dictate the news… #RSAC #Skycure
Impact - Example #RSAC #Skycure
Challenges [1-2] ▶  Some limitations: ▶  Attack is only effective on HTTP ▶  Attacker has to be nearby the victim Answer: Malicious profiles! #RSAC #Skycure
Malicious Profiles ▶  Configuration profiles are a great mechanism to configure iOS devices ▶  However… they might be used for bad deeds: ▶  Tunnel all traffic through remote servers ▶  Install a root certificate ▶  Recently uncovered by Skycure #RSAC #Skycure
Malicious Profiles Demo #RSAC #Skycure
HRH + Malicious profiles ▶  Impact ▶  HRH Extended to HTTPS ▶  HRH can be carried from a different continent #RSAC #Skycure
Challenge [3] ▶  Challenge: ▶  Victim has to open the vulnerable app in the malicious network Answer: Captive! #RSAC #Skycure
Captive to the Rescue ▶  Captive to the rescue: ▶  Victim auto-connects to a network ▶ Pineapple, WifiGate, etc. ▶  Attacker remotely opens an arbitrary application ▶  Vulnerable app gets infected Demo #RSAC #Skycure
Putting it All Together ▶  Generalizing the attack: ▶  Automate an attack on a huge amount of people ▶  Plant malicious code today, perform the attack tomorrow #RSAC #Skycure
HRH-Persister – A Testing Tool ▶  Step 1 (Infect): ▶  Set up a proxy ▶  Open Tested app ▶  Return 301 for every GET request with an identification ▶ Identification could be a domain, sub-domain, path, etc. ▶  For the second “redirected” request, return the original response ▶  Step 2 (detect): ▶  Close the Tested app ▶  Open it again ▶  Look for requests with the identification value #RSAC #Skycure
Vulnerable Apps ▶  We tested a bunch of high profile apps ▶  Almost half of them were susceptible to HRH ▶  Responsible disclosure challenge: we cannot identify and contact all affected vendors #RSAC #Skycure
Developers - Best Practice ▶  Communicate via HTTPS instead of HTTP: ▶  Highly recommended ▶  Effective mitigation, not a fix #RSAC #Skycure
Developers - Best Practice ▶  Caching helps with performance ▶  However, it could lead to security threats ▶  Refrain from using caching in critical logic of the application when not needed* NSURL *serverUrl = ! [NSURL URLWithString:@"http://journal.skycure.com"];   ! NSMutableURLRequest *request =! [NSMutableURLRequest requestWithURL:serverUrl! cachePolicy:NSURLRequestReloadIgnoringLocalAndRemoteCacheData! timeoutInterval:60.0];   #RSAC #Skycure
Developers – Remediation ▶  Change your cache policies to prevent 301 caching ▶  Impact ▶  Practically, remove support for 301 handling in mobile applications ▶  In most cases this is a acceptable ▶  We are talking about apps. If the developer wants to move to a new a page moves permanently, the developer can always update the app itself. #RSAC #Skycure
Developers – Remediation (cont.) @interface HRHResistantURLCache : NSURLCache   @end   @implementation HRHResistantURLCache!  ! - (void) storeCachedResponse:(NSCachedURLResponse *)cachedResponse! forRequest:(NSURLRequest *)request! {! NSInteger statusCode = ! [(NSHTTPURLResponse *)cachedResponse.response statusCode];! ! if (301 == statusCode)! {! return;! }! [super storeCachedResponse:cachedResponse forRequest:request];! }! @end ! #RSAC #Skycure
Developers – Remediation (cont.) ▶  Set the new cache policy to be used by the app ▶  Making sure you place the initialization code before any request in your code. HRHResistantURLCache *myCache = [[HRHResistantURLCache alloc]   initWithMemoryCapacity:512000   diskCapacity:10000000   diskPath:@"MyCache.db"];     [NSURLCache setSharedURLCache:myCache];! Source:  hSp://www.skycure.com/blog/hSp-­‐request-­‐hijacking/   #RSAC #Skycure
End Users ▶  Let us know if you think you have been under attack ▶  Remove and reinstall app to ensure removal of the attack ▶  Always be sure to update your apps ▶  Especially in the near future ▶  Auto-update in iOS 7 #RSAC #Skycure
Organizations/CISOs/IT ▶  Implement a mobile security tool that provides both visibility and protection for mobile related threats #RSAC #Skycure
Future work ▶  Research: ▶  308, 302 + Cache-Control ▶  Other operating systems ▶  RFC: ▶  Create a mobile application specific RFC #RSAC #Skycure
Summary Temporal   Cache  Poisoning   Persistent   Sta>c   HRH   Dynamic   HTTP   Malicious  Profiles   HTTPS   Specific   User  Ac>on   Cap>ve   No  Specific   Ac>on  Required   Na>ve  Apps   #RSAC #Skycure
Summary ▶  Tip of the iceberg ▶  App-level security ▶  Check out our blog for more information: ▶  http://www.skycure.com/blog/http-request-hijacking/ #RSAC #Skycure
Thank  you!   Yair Amit, Adi Sharabani Skycure twitter: YairAmit, AdiSharabani {yair,adi}@skycure.com http://www.skycure.com #RSAC

Recommandé

Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Francois Marier
 
Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Teri Radichel
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Francois Marier
 
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 201910 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019Matt Raible
 
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...Matt Raible
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Matt Raible
 

Recommandé

Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Francois Marier
 
Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Teri Radichel
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Francois Marier
 
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 201910 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019Matt Raible
 
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...Matt Raible
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Matt Raible
 
Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainSecuRing
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaultsMatias Korhonen
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#Siddharth Bezalwar
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 202010 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020Matt Raible
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 
Secure your web app presentation
Secure your web app presentationSecure your web app presentation
Secure your web app presentationFrans Lytzen
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headersColdFusionConference
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Jim Manico
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningSean Chittenden
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokensOWASP
 
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...POSSCON
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern
 
Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021Matt Raible
 
Secure Coding for NodeJS
Secure Coding for NodeJSSecure Coding for NodeJS
Secure Coding for NodeJSThang Chung
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
Ey giss-under-cyber-attack
Ey giss-under-cyber-attackEy giss-under-cyber-attack
Ey giss-under-cyber-attackКомсс Файквэе
 
B intelligence report-08-2013.en-us
B intelligence report-08-2013.en-usB intelligence report-08-2013.en-us
B intelligence report-08-2013.en-usКомсс Файквэе
 

Contenu connexe

Tendances

Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainSecuRing
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaultsMatias Korhonen
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 202010 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020Matt Raible
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 
Secure your web app presentation
Secure your web app presentationSecure your web app presentation
Secure your web app presentationFrans Lytzen
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Jim Manico
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningSean Chittenden
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokensOWASP
 
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...POSSCON
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern
 
Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021Matt Raible
 
Secure Coding for NodeJS
Secure Coding for NodeJSSecure Coding for NodeJS
Secure Coding for NodeJSThang Chung
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 

Tendances (20)

Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chain
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 202010 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real world
 
Secure your web app presentation
Secure your web app presentationSecure your web app presentation
Secure your web app presentation
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency Planning
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
 
Web security for developers
Web security for developersWeb security for developers
Web security for developers
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
 
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
 
Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021
 
Secure Coding for NodeJS
Secure Coding for NodeJSSecure Coding for NodeJS
Secure Coding for NodeJS
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 

En vedette

Внедрение автоматизации на проекте с действующим ручным тестированием
Внедрение автоматизации на проекте с действующим ручным тестированиемВнедрение автоматизации на проекте с действующим ручным тестированием
Внедрение автоматизации на проекте с действующим ручным тестированиемCOMAQA.BY
 
Rp data breach-investigations-report-2013-en_xg
Rp data breach-investigations-report-2013-en_xgRp data breach-investigations-report-2013-en_xg
Rp data breach-investigations-report-2013-en_xgКомсс Файквэе
 

En vedette (9)

Ey giss-under-cyber-attack
Ey giss-under-cyber-attackEy giss-under-cyber-attack
Ey giss-under-cyber-attack
 
B intelligence report-08-2013.en-us
B intelligence report-08-2013.en-usB intelligence report-08-2013.en-us
B intelligence report-08-2013.en-us
 
Внедрение автоматизации на проекте с действующим ручным тестированием
Внедрение автоматизации на проекте с действующим ручным тестированиемВнедрение автоматизации на проекте с действующим ручным тестированием
Внедрение автоматизации на проекте с действующим ручным тестированием
 
Rp quarterly-threat-q3-2013
Rp quarterly-threat-q3-2013Rp quarterly-threat-q3-2013
Rp quarterly-threat-q3-2013
 
Apwg trends report_q2_2013
Apwg trends report_q2_2013Apwg trends report_q2_2013
Apwg trends report_q2_2013
 
Ksb 2013 ru
Ksb 2013 ruKsb 2013 ru
Ksb 2013 ru
 
Mobile threat report_q3_2013
Mobile threat report_q3_2013Mobile threat report_q3_2013
Mobile threat report_q3_2013
 
Rp data breach-investigations-report-2013-en_xg
Rp data breach-investigations-report-2013-en_xgRp data breach-investigations-report-2013-en_xg
Rp data breach-investigations-report-2013-en_xg
 
Scimp paper
Scimp paperScimp paper
Scimp paper
 

Similaire à HTTP REQUEST HIJACKING: HOW MOBILE APPS ARE AT RISK

Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
What should I do when my website got hack?
What should I do when my website got hack?What should I do when my website got hack?
What should I do when my website got hack?Sumedt Jitpukdebodin
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxlior mazor
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfGiorgiRcheulishvili
 
The Four Horsemen of Mobile Security
The Four Horsemen of Mobile SecurityThe Four Horsemen of Mobile Security
The Four Horsemen of Mobile SecuritySkycure
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL InjectionJoe McCray
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 
JavaFest. Nanne Baars. Web application security for developers
JavaFest. Nanne Baars. Web application security for developersJavaFest. Nanne Baars. Web application security for developers
JavaFest. Nanne Baars. Web application security for developersFestGroup
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10Sastry Tumuluri
 
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...EC-Council
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Barry Dorrans
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedJoe McCray
 
Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing Sqreen
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyKevin Hakanson
 

Similaire à HTTP REQUEST HIJACKING: HOW MOBILE APPS ARE AT RISK (20)

Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
What should I do when my website got hack?
What should I do when my website got hack?What should I do when my website got hack?
What should I do when my website got hack?
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
 
The Four Horsemen of Mobile Security
The Four Horsemen of Mobile SecurityThe Four Horsemen of Mobile Security
The Four Horsemen of Mobile Security
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
JavaFest. Nanne Baars. Web application security for developers
JavaFest. Nanne Baars. Web application security for developersJavaFest. Nanne Baars. Web application security for developers
JavaFest. Nanne Baars. Web application security for developers
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got Owned
 
Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web Cryptography
 

Plus de Комсс Файквэе

Plus de Комсс Файквэе (20)

Analitika web 2012_positive_technologies
Analitika web 2012_positive_technologiesAnalitika web 2012_positive_technologies
Analitika web 2012_positive_technologies
 
B istr main-report_v18_2012_21291018.en-us
B istr main-report_v18_2012_21291018.en-usB istr main-report_v18_2012_21291018.en-us
B istr main-report_v18_2012_21291018.en-us
 
Threat report h1_2013
Threat report h1_2013Threat report h1_2013
Threat report h1_2013
 
Dtl 2013 q2_home.1.2
Dtl 2013 q2_home.1.2Dtl 2013 q2_home.1.2
Dtl 2013 q2_home.1.2
 
Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012
 
Kaspersky lab av_test_whitelist_test_report
Kaspersky lab av_test_whitelist_test_reportKaspersky lab av_test_whitelist_test_report
Kaspersky lab av_test_whitelist_test_report
 
The modern-malware-review-march-2013
The modern-malware-review-march-2013 The modern-malware-review-march-2013
The modern-malware-review-march-2013
 
Dtl 2012 kl-app_ctl1.2
Dtl 2012 kl-app_ctl1.2Dtl 2012 kl-app_ctl1.2
Dtl 2012 kl-app_ctl1.2
 
Panda labs annual-report-2012
Panda labs annual-report-2012Panda labs annual-report-2012
Panda labs annual-report-2012
 
H02 syllabus
H02 syllabusH02 syllabus
H02 syllabus
 
Course reader-title
Course reader-titleCourse reader-title
Course reader-title
 
Rp threat-predictions-2013
Rp threat-predictions-2013Rp threat-predictions-2013
Rp threat-predictions-2013
 
2012 browser phishing
2012 browser phishing2012 browser phishing
2012 browser phishing
 
Technology auto protection_from_exploit
Technology auto protection_from_exploitTechnology auto protection_from_exploit
Technology auto protection_from_exploit
 
Ndss12 woodpecker
Ndss12 woodpeckerNdss12 woodpecker
Ndss12 woodpecker
 
Hacktivityonly 121013141039-phpapp02
Hacktivityonly 121013141039-phpapp02Hacktivityonly 121013141039-phpapp02
Hacktivityonly 121013141039-phpapp02
 
Bilge12 zero day
Bilge12 zero dayBilge12 zero day
Bilge12 zero day
 
P50 fahl
P50 fahlP50 fahl
P50 fahl
 
2
22
2
 
Bilge12 zero day
Bilge12 zero dayBilge12 zero day
Bilge12 zero day
 

Dernier

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

Dernier (20)

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

HTTP REQUEST HIJACKING: HOW MOBILE APPS ARE AT RISK

  • 1. DID YOU READ THE NEWS? HTTP REQUEST HIJACKING Yair Amit (@yairam) CTO & co-founder, Skycure Adi Sharabani (@adish) CEO & co-founder, Skycure Session ID: HTA-­‐T07   Session Classification: © 2013 Skycure
  • 2. About the Presenters ▶  Yair Amit ▶  Adi Sharabani ▶  CTO & co-founder of Skycure ▶  Web, network and mobile researcher ▶  Inventor of 15+ patents ▶  Former manager of the Application Security & Research group at IBM #RSAC ▶  CEO & co-founder of Skycure ▶  Watchfire's research group [Acquired by IBM] ▶  Lead the security of IBM software ▶  Teacher at Ohel Shem high-school #Skycure
  • 3. Agenda ▶  Background ▶  The Skycure Journal ▶  HTTP Request Hijacking ▶  Demonstration ▶  Impact ▶  Extensions to the attack ▶  Malicious Profiles ▶  Captive Networks ▶  Remediation #RSAC #Skycure
  • 4. Want to participate? ▶  Ever wanted to be an editor of a newspaper? ▶  Tweet with #skycure during this presentation #RSAC #Skycure
  • 5. Man in the Middle Challenges Temporal   Cache  Poisoning   Persistent   Sta>c   JavaScript   Dynamic   HTTP   SSLStrip   HTTPS   Specific   User  Ac>on   Ac>ve  Man  in  the  Middle   No  Ac>on   Required   Browsers   #RSAC #Skycure
  • 6. Man in the Middle Challenges Hybrid  Mobile  Apps   Impact  increases:   Control  is  not  just  over  the   browser,  but  could  “hop”   to  na>ve  capabili>es   Na>ve  Mobile  Apps?   Hybrid  apps  rely  on  a   “browser”  technology   Can  a  dynamic  aSack   happen  here?   Browsers   #RSAC #Skycure
  • 7. HTTP REQUEST HIJACKING “We accept the reality of the world with which we are presented, it's as simple as that.” - Christof, The Truman show #RSAC
  • 8. Native Mobile Apps Request  for  content,  command     &  control,  configura>on,  etc.   Response  with  the  data   #RSAC #Skycure
  • 9. The Skycure Journal ▶  While very basic, The Skycure Journal operates in a similar way to most major news apps: ▶  Load A JSON formatted feed ▶  Parse it ▶  Display to the reader… Code available at: hSps://github.com/skycure/Skycure_news   #RSAC #Skycure
  • 10. Into the Code / Objective-C - (void)fetchArticles   {   NSURL *serverUrl = ! [NSURL URLWithString:@"http://journal.skycure.com"];   ! NSMutableURLRequest *request =! [NSMutableURLRequest requestWithURL:serverUrl];   ! [request setValue:@"application/json” ! forHTTPHeaderField:@"Content-Type"];     self.connection = ! [[NSURLConnection alloc] initWithRequest:request delegate:self];   }     #RSAC #Skycure
  • 11. HTTP Request Hijacking Let’s look at the actual network traffic... #RSAC #Skycure
  • 12. HTTP Request Hijacking -  (void)fetchArticles   {   NSURL *serverUrl = ! @"http://journal.skycure.com"   [NSURL URLWithString:@"http://journal.skycure.com"];   ! NSMutableURLRequest *request =! [NSMutableURLRequest requestWithURL:serverUrl];   ! HTTP  Request   [request setValue:@"application/json” ! Hijacking   forHTTPHeaderField:@"Content-Type"];     self.connection = ! [[NSURLConnection alloc] initWithRequest:request delegate:self];   }     NSURL *serverUrl =! [NSURL URLWithString:@"http://attacker.site/skycureJournal"];   @"http://attacker.site/skycureJournal"   ! NSMutableURLRequest *request =! [NSMutableURLRequest requestWithURL:serverUrl];   #RSAC #Skycure
  • 13. HTTP Request Hijacking Question: How is that done? Answer: Very simple! #RSAC #Skycure
  • 14. RFC of 301 Moved Permanently “10.3.2 301 Moved Permanently The requested resource has been assigned a new permanent URI and any future references to this resource SHOULD use one of the returned URIs. Clients with link editing capabilities ought to automatically re-link references to the Request-URI to one or more of the new references returned by the server, where possible. This response is cacheable unless indicated otherwise.” Source:  RFC  2616  Fielding,  et  al #RSAC #Skycure
  • 15. 301 Moved Permanently ▶  “If you need to change the URL of a page as it is shown in search engine results, we recommend that you use a server-side 301 redirect.” (Google help page) ▶  Usage examples: ▶  Moving to a new domain ▶  Merging two websites ▶  Useful for the web, bad for mobile apps #RSAC #Skycure
  • 16. HRH – Attack Flow A  while  later,   vic>m  opens  the  app   Vic8m  opens  the  app  in  an   untrusted  environment   App  logic  has   changed!   ASacker  returns  a  301   direc>ve  specifying  a   permanent  change  in  URI   App  con>nues  to  connect  to   the  malicious  server!   Malicious  server  can   return  actual  results   from  the  target  server   Vic>m  interacts  with  the   malicious  server   #RSAC #Skycure
  • 17. HTTP Request Hijacking ▶  Requests can be hijacked! ▶  Seamlessly ▶  Permanently ▶  App logic practically changes ▶  Hidden ▶  Hard to remove #RSAC #Skycure
  • 18. HRH - Demo This is where you get to dictate the news… #RSAC #Skycure
  • 20. Challenges [1-2] ▶  Some limitations: ▶  Attack is only effective on HTTP ▶  Attacker has to be nearby the victim Answer: Malicious profiles! #RSAC #Skycure
  • 21. Malicious Profiles ▶  Configuration profiles are a great mechanism to configure iOS devices ▶  However… they might be used for bad deeds: ▶  Tunnel all traffic through remote servers ▶  Install a root certificate ▶  Recently uncovered by Skycure #RSAC #Skycure
  • 23. HRH + Malicious profiles ▶  Impact ▶  HRH Extended to HTTPS ▶  HRH can be carried from a different continent #RSAC #Skycure
  • 24. Challenge [3] ▶  Challenge: ▶  Victim has to open the vulnerable app in the malicious network Answer: Captive! #RSAC #Skycure
  • 25. Captive to the Rescue ▶  Captive to the rescue: ▶  Victim auto-connects to a network ▶ Pineapple, WifiGate, etc. ▶  Attacker remotely opens an arbitrary application ▶  Vulnerable app gets infected Demo #RSAC #Skycure
  • 26. Putting it All Together ▶  Generalizing the attack: ▶  Automate an attack on a huge amount of people ▶  Plant malicious code today, perform the attack tomorrow #RSAC #Skycure
  • 27. HRH-Persister – A Testing Tool ▶  Step 1 (Infect): ▶  Set up a proxy ▶  Open Tested app ▶  Return 301 for every GET request with an identification ▶ Identification could be a domain, sub-domain, path, etc. ▶  For the second “redirected” request, return the original response ▶  Step 2 (detect): ▶  Close the Tested app ▶  Open it again ▶  Look for requests with the identification value #RSAC #Skycure
  • 28. Vulnerable Apps ▶  We tested a bunch of high profile apps ▶  Almost half of them were susceptible to HRH ▶  Responsible disclosure challenge: we cannot identify and contact all affected vendors #RSAC #Skycure
  • 29. Developers - Best Practice ▶  Communicate via HTTPS instead of HTTP: ▶  Highly recommended ▶  Effective mitigation, not a fix #RSAC #Skycure
  • 30. Developers - Best Practice ▶  Caching helps with performance ▶  However, it could lead to security threats ▶  Refrain from using caching in critical logic of the application when not needed* NSURL *serverUrl = ! [NSURL URLWithString:@"http://journal.skycure.com"];   ! NSMutableURLRequest *request =! [NSMutableURLRequest requestWithURL:serverUrl! cachePolicy:NSURLRequestReloadIgnoringLocalAndRemoteCacheData! timeoutInterval:60.0];   #RSAC #Skycure
  • 31. Developers – Remediation ▶  Change your cache policies to prevent 301 caching ▶  Impact ▶  Practically, remove support for 301 handling in mobile applications ▶  In most cases this is a acceptable ▶  We are talking about apps. If the developer wants to move to a new a page moves permanently, the developer can always update the app itself. #RSAC #Skycure
  • 32. Developers – Remediation (cont.) @interface HRHResistantURLCache : NSURLCache   @end   @implementation HRHResistantURLCache!  ! - (void) storeCachedResponse:(NSCachedURLResponse *)cachedResponse! forRequest:(NSURLRequest *)request! {! NSInteger statusCode = ! [(NSHTTPURLResponse *)cachedResponse.response statusCode];! ! if (301 == statusCode)! {! return;! }! [super storeCachedResponse:cachedResponse forRequest:request];! }! @end ! #RSAC #Skycure
  • 33. Developers – Remediation (cont.) ▶  Set the new cache policy to be used by the app ▶  Making sure you place the initialization code before any request in your code. HRHResistantURLCache *myCache = [[HRHResistantURLCache alloc]   initWithMemoryCapacity:512000   diskCapacity:10000000   diskPath:@"MyCache.db"];     [NSURLCache setSharedURLCache:myCache];! Source:  hSp://www.skycure.com/blog/hSp-­‐request-­‐hijacking/   #RSAC #Skycure
  • 34. End Users ▶  Let us know if you think you have been under attack ▶  Remove and reinstall app to ensure removal of the attack ▶  Always be sure to update your apps ▶  Especially in the near future ▶  Auto-update in iOS 7 #RSAC #Skycure
  • 35. Organizations/CISOs/IT ▶  Implement a mobile security tool that provides both visibility and protection for mobile related threats #RSAC #Skycure
  • 36. Future work ▶  Research: ▶  308, 302 + Cache-Control ▶  Other operating systems ▶  RFC: ▶  Create a mobile application specific RFC #RSAC #Skycure
  • 37. Summary Temporal   Cache  Poisoning   Persistent   Sta>c   HRH   Dynamic   HTTP   Malicious  Profiles   HTTPS   Specific   User  Ac>on   Cap>ve   No  Specific   Ac>on  Required   Na>ve  Apps   #RSAC #Skycure
  • 38. Summary ▶  Tip of the iceberg ▶  App-level security ▶  Check out our blog for more information: ▶  http://www.skycure.com/blog/http-request-hijacking/ #RSAC #Skycure
  • 39. Thank  you!   Yair Amit, Adi Sharabani Skycure twitter: YairAmit, AdiSharabani {yair,adi}@skycure.com http://www.skycure.com #RSAC