Unusual security vulnerabilities
Yuriy Bilyk
Agenda
RegExp
Cryptography
RegExp? It’s simple!
(slide: a full e-mail validation RegExp, captioned "Not sure if Chinese or Egyptian")
Problems
RegExp DoS attacks
Issues in RegExp engine
RegExp: ^(([a-z])+.)+[A-Z]([a-z])+$
Input data: aaaaaaaaaaaaaaaa…aa

Match time against input length (chart on the slide; the time axis carries no unit label, read it as seconds):

CHARS   TIME
20      0.003
30      0.339
40      41
45      466
RegExp DoS attacks
RegExp: ^(a+)+$
For the input aaaaX there are 16 possible paths in the NFA graph on the slide.
But for aaaaaaaaaaaaaaaaX there are 65536 possible paths.
Where is the problem? Every way of splitting the run of a's between the inner and the outer + is a separate path, and a backtracking engine tries all of them before it can report that the trailing X does not match: the work doubles with every extra a.
(slide: NFA graph for ^(a+)+$, states 1 to 5 joined by "a" transitions)
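The path explosion above, as an added example that is not part of the slides: a small simulation of the backtracking search for ^(a+)+$ that reproduces the 16 and 65536 figures, the real engine timed on the same inputs, and Ruby's per-regex match timeout as a mitigation. The function names (backtrack_steps, match_with_limit) and the inputs are made up for the demo.

```ruby
require 'benchmark'

# Added example, not part of the slides. backtrack_steps simulates the search
# a backtracking engine performs for /^(a+)+$/: at each position the inner
# "a+" may swallow any number of the remaining "a"s, and every choice is
# revisited when the final "$" fails on the trailing "X".
# Returns [matched?, attempts]; attempts doubles with every extra "a".
def backtrack_steps(input)
  steps = 0
  explore = lambda do |pos|
    steps += 1
    next true if pos == input.length          # "$" succeeds here
    run = 0
    run += 1 while pos + run < input.length && input[pos + run] == 'a'
    # greedy: longest "a+" first, then back off one character at a time
    run.downto(1).any? { |k| explore.call(pos + k) }
  end
  [explore.call(0), steps]
end

EVIL = /^(a+)+$/  # pattern from the slide: nested quantifiers, ambiguous
SAFE = /^a+$/     # same language, only one way to match: linear time

# Real engine timing. Ruby >= 3.2 memoises backtracking and keeps EVIL
# linear; older interpreters show the exponential growth from the slide.
def time_match(regex, input)
  Benchmark.realtime { regex.match?(input) }
end

# Mitigation available since Ruby 3.2: a per-regex match timeout.
# On older Rubies there is no timeout, so the plain match is used.
def match_with_limit(regex, input, seconds)
  return regex.match?(input) unless Regexp.respond_to?(:timeout=)
  Regexp.new(regex.source, timeout: seconds).match?(input)
rescue Regexp::TimeoutError
  :timed_out
end

if __FILE__ == $PROGRAM_NAME
  [4, 8, 16].each do |n|
    input = 'a' * n + 'X'
    matched, steps = backtrack_steps(input)
    printf("%2d a's + X: matched=%s, %6d attempts, engine %.6fs (Ruby %s)\n",
           n, matched, steps, time_match(EVIL, input), RUBY_VERSION)
  end
  p match_with_limit(EVIL, 'a' * 30 + 'X', 1.0)
end
```

The attempt counts come from the simulation and are independent of the interpreter; the engine timing is not, so treat a fast result on a recent Ruby as the runtime's memoisation at work rather than proof that the pattern is safe. The durable fix is the one the SAFE pattern shows: remove the nested quantifier so there is only one way to consume the input.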
Broken engine
• OpenID-like auth, but we trust only the local host
• The EXT HOST sends AUTHENTICATED if the login is OK
• We can set the EXT HOST URL
• RegExp used to check the response:
/[^\w]AUTHENTICATED[^\w]*$/
RegExp Engine Issues Example
OpenID example (diagram on the slide):
1. LOCAL HOST -> EXTERNAL HOST: login:pass
2. EXTERNAL HOST -> LOCAL HOST: AUTHENTICATED
Movie time (demo video on the slide)
Double Request (diagram on the slide): the pingback parameter points back at the local host, whose own pingback points at the attacker's host 192.168.130
http://192.168.22.129/?pingback=
-> http://192.168.22.129/?pingback=http://192.168.130
1. TO EXTERNAL HOST -> login:pass
2. EXTERNAL HOST responds: !AUTHENTICATED!\n
3. TO LOCAL HOST -> login:pass
RegExp attack (Step 1)
http://192.168.22.129/?pingback=
-> http://192.168.22.129/?pingback=http://192.168.130
http://192.168.130 responded with:
!AUTHENTICATED!\n
RegExp body =~ /[^\w]AUTHENTICATED[^\w]*$/ PASSED

RegExp attack (Step 2)
http://192.168.22.129/?pingback=http://192.168.130 responded with:
blablabla !AUTHENTICATED!\n … blabla\n
(the local host's own page, with the inner !AUTHENTICATED!\n embedded in it)
RegExp body =~ /[^\w]AUTHENTICATED[^\w]*$/ PASSED AGAIN
Step 3: TO LOCAL HOST -> login:pass

RegExp attack (Final Step)
The problem is:
body =~ /[^\w]AUTHENTICATED[^\w]*$/
• In most RegExp engines $ matches only at the end of the string (or, in some, just before a final newline), so
  blablabla !AUTHENTICATED!\n … blabla
  does not match: text follows the token.
• Ruby treats $ as end of line, so it matches before any \n and keeps scanning the following lines. For the response
  blablabla !AUTHENTICATED!\n … blabla\n
  !AUTHENTICATED!\n
  the check passes as soon as AUTHENTICATED ends any line anywhere in the body.
How to mitigate
• ReDoS static analysis – RXXR
  – http://www.cs.bham.ac.uk/~hxt/research/rxxr.shtml
• Engine issues – know the features of your platform/language
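The broken check, as an added example that is not part of the slides: the regex from the slide run against bodies constructed to mirror the two responses above, the same check re-anchored with \A and \z, a side-by-side of Ruby's $, \Z and \z, and an assumed pingback-URL policy (the slides only say that the local host is trusted) that would have stopped the double request before any regex ran. Function and constant names are made up for the demo.

```ruby
require 'uri'

# Added example, not part of the slides. The response check exactly as the
# slide gives it, and what Ruby's "$" does with a multi-line body. The
# bodies below are constructed to mirror the two responses on the slides.
VULNERABLE = /[^\w]AUTHENTICATED[^\w]*$/    # "$" = end of *any line* in Ruby
FIXED      = /\A[^\w]AUTHENTICATED[^\w]*\z/ # \A and \z anchor the whole body

# Step 1: the attacker's host answers with nothing but the token.
ATTACKER_BODY = "!AUTHENTICATED!\n"
# Step 2: the local host's page merely *contains* the token mid-document.
LOCAL_PAGE    = "blablabla !AUTHENTICATED!\n ... blabla\n"

def authenticated?(body, pattern = VULNERABLE)
  body.match?(pattern)
end

# Where each Ruby anchor lets "AUTHENTICATED!" match:
#   $  : before any "\n", or at the end of the string
#   \Z : at the end of the string, or before one final "\n"
#   \z : at the very end of the string only
def anchor_report(body)
  {
    dollar:  body.match?(/AUTHENTICATED!$/),
    big_z:   body.match?(/AUTHENTICATED!\Z/),
    small_z: body.match?(/AUTHENTICATED!\z/)
  }
end

# Assumed policy for the demo: the pingback may only target the trusted
# host, and may not itself carry a pingback, so the request cannot be
# bounced through the local host to an attacker-controlled server.
def allowed_pingback?(url, trusted_host)
  uri = URI.parse(url)
  uri.host == trusted_host && !uri.query.to_s.include?('pingback=')
rescue URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  [ATTACKER_BODY, LOCAL_PAGE].each do |body|
    puts body.inspect
    puts "  vulnerable: #{authenticated?(body)}  fixed: #{authenticated?(body, FIXED)}"
    puts "  anchors: #{anchor_report(body)}"
  end
  p allowed_pingback?('http://192.168.22.129/?pingback=http://192.168.130', '192.168.22.129')
end
```

The honest one-line reply passes both patterns, so re-anchoring costs nothing; the echoed page passes only the original. In Ruby, \z is the anchor to reach for when "end of the data" is meant, since \Z still tolerates one trailing newline, and $ means end of line with no flag needed, the opposite of most other engines' default.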
Cryptography
"In God we trust, the rest we test"
Cryptography is cool
Bitcoin – distributed cryptocurrency
Kryptos – encrypted sculpture, one of the most famous unsolved codes in the world
Crypto is widely used – wireless (WiFi, GSM, RFID etc.), banking, games (Xbox, PS3 etc.), e-mail anti-spam (DKIM)
Some ideas need an audit
I changed all my passwords to "incorrect",
so whenever I forget,
it will tell me "Your password is incorrect."
Wrong usage is bad
Using hash algorithms as encryption, and weak or home-grown implementations of crypto algorithms
Neutralising every advantage of crypto for the sake of user comfort
The belief that crypto will secure you by itself
A low level of understanding of why you need crypto
SHA Length Extension Example
SHA: message signing (MAC)
• A user can send points to another user
• All URL options/values are signed with a secret key
• All transactions are visible to everyone
http://...?to_user=guest&points=200|sign:675fsdg87gs3vh
(diagram: KEY + MSG is split into Block 1, Block 2 … Block N and fed through the HASH; the output is the sign)
SHA Padding: Theory (Hash BOX)
(diagram: what the hash actually absorbs is KEY | MESSAGE | just 1 bit | NULL-byte padding | MESSAGE+KEY length)
SHA: Length extension attack
http://...?to_user=guest&points=200&<PADDING>to_user=hacker|sign:f97h23n483a2ce
(diagram: Block 1 … Block N as before, then PADDING + DATA, through the HASH; the attacker resumes from the state the original HASH encodes and never needs the KEY)
SHA Padding: Theory (Attack)
(diagram: BOX 1 = KEY | Original MSG | 1 bit | NULL-byte padding | MESSAGE length; BOX 2 = the Extended Part, padded the same way for the new total length)
Where is the problem?
HASH(KEY + MSG) is BAD
- the extension attack is possible: the sign is the hash's internal state after KEY + MSG, so anyone can keep hashing from it
HASH(MSG + KEY) is GOOD
- the extension attack is impossible, because the secret comes after the part the attacker can extend (this construction has weaknesses of its own, such as forgery via a hash collision, so use HMAC rather than relying on it)
Order is important
How to mitigate
• Use HMAC for signing
• Use SHA-256 etc. (a modern hash; note that SHA-256 on its own is just as length-extendable as SHA-1 and MD5, so the choice of hash does not replace HMAC)
• Don’t create your own crypto (unless you are a genius in mathematics, and even then: don’t!)
Cryptography is a kind of art
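The "Hash BOX" padding, the extension itself and the "How to mitigate" advice, as one added example that is not part of the slides: a from-scratch SHA-256 (MiniSHA256) that can resume from a known digest, a forgery of the slide's points URL against sign = SHA256(KEY + MSG) that never sees the key, and the HMAC check that rejects the forgery. The key, the query string and every name are made up for the demo; the stdlib Digest::SHA256 acts as the independent server-side verifier, which also shows that picking SHA-256 does not help here.

```ruby
require 'digest'
require 'openssl'

# Added example, not from the slides. MiniSHA256 is a from-scratch SHA-256
# whose compression loop can be resumed from a known digest; that is all a
# length-extension forgery needs. Key, message and names are made up.
module MiniSHA256
  MASK = 0xffffffff
  H0 = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
        0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19].freeze
  K = [0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
       0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
       0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
       0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
       0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
       0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
       0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
       0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2].freeze

  def self.rotr(x, n)
    ((x >> n) | (x << (32 - n))) & MASK
  end

  # The padding from the "Hash BOX" slide: one 1 bit (0x80), zero bytes up
  # to 56 mod 64, then the 64-bit big-endian bit length of everything hashed.
  def self.padding(len)
    "\x80".b + ("\x00".b * ((55 - len) % 64)) + [len * 8].pack('Q>')
  end

  def self.compress(state, block)
    w = block.unpack('N16')
    (16..63).each do |i|
      s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
      s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
      w[i] = (w[i - 16] + s0 + w[i - 7] + s1) & MASK
    end
    a, b, c, d, e, f, g, h = state
    64.times do |i|
      t1 = (h + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
      t2 = ((rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
      h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
    end
    state.zip([a, b, c, d, e, f, g, h]).map { |x, y| (x + y) & MASK }
  end

  # Hex digest of `data`; with `state`/`prior_len` it continues a hash whose
  # first `prior_len` bytes were absorbed elsewhere (the attacker's hook).
  def self.hexdigest(data, state: H0, prior_len: 0)
    buf = data.b + padding(prior_len + data.bytesize)
    (0...buf.bytesize).step(64) { |i| state = compress(state, buf.byteslice(i, 64)) }
    state.pack('N8').unpack1('H*')
  end
end

SECRET = 'sixteen-byte-key'.b  # server-side; the attacker knows only its length

# The slide's scheme: sign = SHA256(KEY + MSG), via the stdlib SHA-256 so the
# forgery is verified by an implementation independent of MiniSHA256.
def sign_prefix(msg)
  Digest::SHA256.hexdigest(SECRET + msg)
end

# Attacker: from msg, its sign and the key length, build msg||glue||extra
# with a valid sign, never touching the key.
def forge(msg, tag, extra, key_len)
  glue  = MiniSHA256.padding(key_len + msg.bytesize)
  state = [tag].pack('H*').unpack('N8')          # the digest *is* the state
  forged_tag = MiniSHA256.hexdigest(extra, state: state,
                                    prior_len: key_len + msg.bytesize + glue.bytesize)
  [msg.b + glue + extra.b, forged_tag]
end

# Binary-safe "last duplicate wins" parser: the glue bytes land in points,
# and the appended to_user overrides the signed one.
def parse_params(msg)
  msg.b.split('&').map { |kv| k, v = kv.split('=', 2); [k, v.to_s] }.to_h
end

# Mitigation from the slide: HMAC. Key/message order no longer matters.
def sign_hmac(msg)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, msg)
end

def run_demo(msg = 'to_user=guest&points=200', extra = '&to_user=hacker')
  forged_msg, forged_tag = forge(msg, sign_prefix(msg), extra, SECRET.bytesize)
  {
    prefix_mac_accepts: sign_prefix(forged_msg) == forged_tag,
    to_user:            parse_params(forged_msg)['to_user'],
    hmac_accepts:       sign_hmac(forged_msg) == forged_tag
  }
end

puts run_demo if __FILE__ == $PROGRAM_NAME
```

In a real URL the glue bytes would travel percent-encoded and be decoded by the server before the check; the forgery works because the sign commits to the hash state, not to the key, and because the parser lets a later to_user win. Switching the hash to SHA-256 changes nothing about that; HMAC (or SHA-3, which does not expose its state) does. When comparing tags in production, use a constant-time comparison rather than ==.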
Review
• RegExp is a powerful tool:
–Even for DoS
–Some engines do not work as expected
• Cryptography isn’t safe by itself:
–Use industry standards
–Understand how crypto works
–Make sure that your implementation/improvement isn’t broken
Questions?

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

Security Hole #11 - Unusual security vulnerabilities - Yuriy Bilyk

  • 3. RegExp? It’s simple! (an e-mail validation RegExp, shown as a wall of symbols)
  • 4. Not sure if Chinese or Egyptian
  • 6. RegExp DoS attacks. RegExp: ^(([a-z])+.)+[A-Z]([a-z])+$ Input data: aaaaaaaaaaaaaaaa…aa. Matching time by input length (own experiment): 20 chars – 0.003 s; 30 chars – 0.339 s; 40 chars – 41 s; 45 chars – 466 s
  • 7. Where is the problem? RegExp: ^(a+)+$ (backtracking state graph of the pattern: states 1–5, every transition consumes an “a”). For the input aaaaX there are 16 possible paths in the above graph. But for aaaaaaaaaaaaaaaaX there are 65536 possible paths
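The explosion above can be reproduced and, more usefully, defused. The following Ruby block is an added example, not code from the slides: it puts the slide's `^(a+)+$` beside a rewrite with an atomic group (one way to consume the run of a's, so the trailing `X` fails once instead of 2^n times), times both, and wraps a match in a wall-clock budget. Inputs are constructed. One caveat for the timing part: Ruby 3.2 added memoization to its regexp engine and a native `Regexp` timeout, so on 3.2 and later the vulnerable pattern may already run in linear time; older Rubies and most other backtracking engines behave as the slide's table shows.

```ruby
# Added example, not from the slides: ^(a+)+$ beside a backtracking-free
# rewrite, with a timing harness and a time-budgeted match. Inputs constructed.

VULNERABLE = /^(a+)+$/

# Atomic group: once a+ has swallowed the run of a's it never gives any back,
# so on "aaaa...aX" the engine fails once instead of retrying every split.
# \A and \z anchor to the whole string, which is what a validator wants.
SAFE = /\A(?>a+)\z/

# Returns [matched?, elapsed_seconds].
def timed_match(re, input)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  matched = re.match?(input)
  [matched, Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0]
end

# Run a match under a wall-clock budget. Ruby >= 3.2 has a per-regexp
# timeout; older Rubies fall back to Timeout, which MRI's engine honours
# between backtracking steps. Returns true/false, or :timeout.
def match_with_budget(re, input, seconds)
  if Regexp.respond_to?(:timeout=)
    Regexp.new(re.source, re.options, timeout: seconds).match?(input)
  else
    require 'timeout'
    Timeout.timeout(seconds) { re.match?(input) }
  end
rescue StandardError => e
  raise unless e.class.name =~ /Timeout/   # Regexp::TimeoutError or Timeout::Error
  :timeout
end

if __FILE__ == $PROGRAM_NAME
  [12, 16, 20, 22].each do |n|
    input = 'a' * n + 'X'                   # one non-matching byte at the end
    matched, secs = timed_match(VULNERABLE, input)
    puts format('%-8s vulnerable: %-5s %.3fs', "#{n}+X", matched, secs)
    matched, secs = timed_match(SAFE, input)
    puts format('%-8s safe:       %-5s %.6fs', "#{n}+X", matched, secs)
  end
  # A 50 ms budget on a 22-char input: :timeout on an old engine, false on 3.2+.
  p match_with_budget(VULNERABLE, 'a' * 22 + 'X', 0.05)
end
```

The budgeted match is the operational fallback for patterns you cannot rewrite (user-supplied or third-party regexps); the atomic-group rewrite is the real fix, because it removes the ambiguity the attacker exploits rather than capping its cost.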
  • 9. RegExp engine issues: example. OpenID-like auth, but we trust only the local host. The EXT HOST sends AUTHENTICATED if the login is OK. We can set the EXT HOST URL. RegExp to check the RESPONSE: /[^\w]AUTHENTICATED[^\w]*$/
  • 10. OpenID example (diagram): (1) LOCAL HOST sends login:pass TO EXTERNAL HOST; (2) EXTERNAL HOST replies AUTHENTICATED
  • 12. Double request (diagram): http://192.168.22.129/?pingback= -> http://192.168.22.129/?pingback=http://192.168.130 (1) TO EXTERNAL HOST -> login:pass (2) !AUTHENTICATED!\n (3) TO LOCAL HOST -> login:pass
  • 13. RegExp attack (Step 1). http://192.168.130 responded with: !AUTHENTICATED!\n RegExp body =~ /[^\w]AUTHENTICATED[^\w]*$/ PASSED
  • 14. RegExp attack (Step 2). http://192.168.22.129/?pingback=http://192.168.130 responded with: blablabla !AUTHENTICATED!\n … blabla\n !AUTHENTICATED!\n RegExp body =~ /[^\w]AUTHENTICATED[^\w]*$/ PASSED AGAIN, so the local host now sends login:pass TO LOCAL HOST
  • 15. RegExp attack (Final Step). [The problem is]: body =~ /[^\w]AUTHENTICATED[^\w]*$/ In most engines $ without a multiline flag matches only at the end of the string (or just before a final newline), so a token buried in the middle of blablabla !AUTHENTICATED!\n … blabla does not pass. In Ruby $ is always an end-of-line anchor: it is satisfied at the end of any line in the “file”, so the echoed !AUTHENTICATED!\n in the middle of the response matches. Use \A and \z (string anchors) in Ruby, not ^ and $.
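The difference between the two anchors is easy to see in a few lines. The Ruby block below is an added example (not from the slides): it keeps the slide's pattern as `VULN_CHECK`, puts a string-anchored version beside it, and adds a host allowlist, because the deeper bug is that the caller can point the verifier at any URL at all. The response bodies and the allowlisted host name are constructed.

```ruby
# Added example, not from the slides: the slide's check beside a string-anchored
# one, plus a trusted-host allowlist. Bodies and host names are constructed.
require 'uri'

VULN_CHECK  = /[^\w]AUTHENTICATED[^\w]*$/          # the slide's pattern
# \A / \z anchor to the start and end of the whole string. In Ruby, ^ and $
# are always line anchors, so $ is satisfied at the end of ANY line.
FIXED_CHECK = /\A[^\w]*AUTHENTICATED[^\w]*\z/

def authenticated_vuln?(body)
  body.match?(VULN_CHECK)
end

def authenticated_fixed?(body)
  body.match?(FIXED_CHECK)
end

TRUSTED_AUTH_HOSTS = %w[auth.internal.example].freeze   # constructed allowlist

# Only consult hosts we chose up front; a user-supplied pingback URL is not one.
def auth_host_allowed?(url)
  u = URI.parse(url)
  u.is_a?(URI::HTTP) && TRUSTED_AUTH_HOSTS.include?(u.host)
rescue URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  honest    = "!AUTHENTICATED!\n"                               # step 1 reply
  reflected = "<html>blablabla !AUTHENTICATED!\n ... blabla\n"  # step 2: a page that echoes it
  puts "honest:    vuln=#{authenticated_vuln?(honest)} fixed=#{authenticated_fixed?(honest)}"
  puts "reflected: vuln=#{authenticated_vuln?(reflected)} fixed=#{authenticated_fixed?(reflected)}"
  puts "allowed?   #{auth_host_allowed?('http://192.168.130/')}"
end
```

With the string anchors the echoing page no longer passes, and the allowlist means the pingback parameter can never select who gets to say AUTHENTICATED in the first place.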
  • 16. How to mitigate. ReDoS static analysis – RXXR – http://www.cs.bham.ac.uk/~hxt/research/rxxr.shtml Engine issues – know the features of your platform/language
  • 17. Cryptography: in God we trust, the rest we test
  • 18. Cryptography is cool. Bitcoin – distributed cryptocurrency. Kryptos – encrypted sculpture, one of the most famous unsolved codes in the world. Crypto is widely used – wireless (WiFi, GSM, RFID etc.), banking, games (Xbox, PS3 etc.), e-mail anti-spam (DKIM)
  • 19. “I changed all my passwords to "incorrect", so whenever I forget, it will tell me "Your password is incorrect."” Some ideas need an audit
  • 20. Wrong usage is bad: using hash algorithms as crypto, and weak or custom implementations of crypto algorithms; neutralizing all the advantages of crypto for user comfort; the belief that crypto will secure you by itself; a low level of understanding of why you need crypto
  • 21. SHA length extension example. A user can send points to another user. All URL options/values are signed with a secret key. All transactions are visible to everyone
  • 22. SHA: message signing (MAC). http://...?to_user=guest&points=200|sign:675fsdg87gs3vh (diagram: KEY + MSG split into Block 1, Block 2, … Block N, each block fed into the running HASH)
  • 23. SHA padding: theory (hash box). KEY | MESSAGE | padding: a single 1 bit, then NULL bytes | length of KEY+MESSAGE
  • 24. SHA: length extension attack. http://...?to_user=guest&points=200&<PADDING>to_user=hacker|sign:f97h23n483a2ce (diagram: the attacker appends PADDING + DATA and continues the HASH from the published digest, never needing the KEY)
  • 25. SHA padding: theory (attack). BOX 1: KEY | original MSG | NULL-byte padding | message length. BOX 2: the extended part, hashed starting from the state BOX 1 left behind
  • 26. Where is the problem? HASH(KEY+MSG) is BAD – an extension attack is possible. HASH(MSG+KEY) is better – the extension attack does not apply, but a collision in MSG still carries over to the MAC, so prefer HMAC
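Slides 21 to 26 describe one procedure; the Ruby block below carries it through end to end. It is an added example, not code from the slides: a compact SHA-1 whose internal state can be seeded from a published digest, the slide's `sign = SHA1(KEY || MSG)` scheme, the forgery that appends `&to_user=hacker` without knowing the key, and the HMAC replacement slide 28 recommends. The key, query string and appended parameter are constructed (the slide's own `sign:` values are illustrative, not real digests), and the attacker is assumed to know the key length; in practice they loop over plausible lengths until the server accepts one.

```ruby
# Added example, not from the slides: SHA-1 length extension against
# sign = SHA1(KEY || MSG). Pure-Ruby SHA-1 so the compression function can be
# restarted from a known digest. Key, message and parameters are constructed.
require 'digest'
require 'openssl'

MASK = 0xFFFFFFFF
SHA1_IV = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0].freeze

def rotl(x, n)
  ((x << n) | (x >> (32 - n))) & MASK
end

# Standard SHA-1 padding for a message whose TOTAL length is total_len bytes:
# one 0x80 byte (the "just 1 bit"), zero bytes up to 56 mod 64, then the
# 64-bit big-endian bit length. This is the <PADDING> the attacker must embed.
def sha1_pad(total_len)
  "\x80".b + ("\x00".b * ((55 - total_len) % 64)) + [total_len * 8].pack('Q>')
end

def sha1_compress(h, block)
  w = block.unpack('N16')
  (16..79).each { |i| w[i] = rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1) }
  a, b, c, d, e = h
  80.times do |i|
    f, k = case i
           when 0..19  then [(b & c) | (~b & d), 0x5A827999]
           when 20..39 then [b ^ c ^ d, 0x6ED9EBA1]
           when 40..59 then [(b & c) | (b & d) | (c & d), 0x8F1BBCDC]
           else             [b ^ c ^ d, 0xCA62C1D6]
           end
    tmp = (rotl(a, 5) + f + e + k + w[i]) & MASK
    a, b, c, d, e = tmp, a, rotl(b, 30), c, d
  end
  [a, b, c, d, e].zip(h).map { |x, y| (x + y) & MASK }
end

# Hash `data` starting from state `h`, pretending `already` bytes were absorbed
# before it, so the final length field covers the whole extended message.
def sha1_from_state(data, h = SHA1_IV, already = 0)
  buf = data.b + sha1_pad(already + data.bytesize)
  (0...buf.bytesize).step(64) { |i| h = sha1_compress(h, buf.byteslice(i, 64)) }
  h.pack('N5').unpack1('H*')
end

def sha1_hex(data)
  sha1_from_state(data)
end

# The slide's broken scheme (BOX 1): sign = SHA1(KEY || MSG).
def sign_bad(key, msg)
  sha1_hex(key + msg)
end

# Attacker (BOX 2): knows msg and sig from a public transaction, guesses
# key_len, never sees key. Returns [forged_msg, forged_sig] that sign_bad accepts.
def extend_signature(msg, sig, key_len, extra)
  glue = sha1_pad(key_len + msg.bytesize)            # padding the server would have used
  state = [sig].pack('H*').unpack('N5')              # the published digest IS the state
  forged_sig = sha1_from_state(extra, state, key_len + msg.bytesize + glue.bytesize)
  [msg + glue + extra, forged_sig]
end

# Slide 28's fix: HMAC does not expose its inner state, so the trick fails.
def sign_hmac(key, msg)
  OpenSSL::HMAC.hexdigest('sha1', key, msg)
end

if __FILE__ == $PROGRAM_NAME
  key = 's3cret-server-key'                         # constructed; unknown to attacker
  msg = 'to_user=guest&points=200'
  sig = sign_bad(key, msg)
  forged_msg, forged_sig = extend_signature(msg, sig, key.bytesize, '&to_user=hacker')
  puts "forged accepted by sign_bad: #{sign_bad(key, forged_msg) == forged_sig}"
  puts "forged accepted by HMAC:     #{sign_hmac(key, forged_msg) == forged_sig}"
  puts "query: #{forged_msg.inspect}"               # last to_user usually wins
end
```

Whether `to_user=hacker` actually overrides `to_user=guest` depends on how the server's query parser handles a repeated key, which is why the forged URL keeps the original parameter first; the signature check itself is bypassed either way.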
  • 28. How to mitigate. Use HMAC for signing. Use SHA-256 etc. Don’t create your own crypto (unless you are a genius in mathematics – and even then, don’t do it!)
  • 30. Review. RegExp is a powerful tool: even for DoS; some engines don’t work as you expect. Cryptography isn’t safe by itself: use industry standards; understand how the crypto is working; make sure that your implementation/improvement isn’t broken

Editor's Notes

  1. Web security as example of easiest to attack
  2. Add ZOOM
  3. Own experiment
  4. Explanation
  5. Engine issues
  6. How hash works (whole hash is calculated from each block step by step)
  7. Padding detail
  8. Hacker uses padding to calculate new hash
  9. Padding + Extension
  10. Problem in key place in hash calculation
  11. Where is located